ryankert01 opened a new pull request, #1375: URL: https://github.com/apache/mahout/pull/1375
## Summary

Fixes all 22 `npm audit` findings (1 high, 21 moderate) in the website and upgrades Docusaurus from 3.9.2 to 3.10.1.

### Vulnerabilities fixed via npm `overrides`

Both issues are transitive deps that even the latest Docusaurus (3.10.1) hasn't bumped upstream yet, so `overrides` are used to force the patched versions:

| Package | Vulnerable | Fixed | Advisories |
|---|---|---|---|
| `serialize-javascript` (via copy-webpack-plugin / css-minimizer-webpack-plugin) | 6.0.2 | ^7.0.5 | [GHSA-5c6j-r48x-rmvq](https://github.com/advisories/GHSA-5c6j-r48x-rmvq) (RCE, high), [GHSA-qj8w-gfj5-8c6v](https://github.com/advisories/GHSA-qj8w-gfj5-8c6v) (DoS) |
| `uuid` (via webpack-dev-server → sockjs) | 8.3.2 | ^11.1.1 | [GHSA-w5hq-g745-h8pq](https://github.com/advisories/GHSA-w5hq-g745-h8pq) (moderate) |

Note: `npm audit fix --force` was not used as it would have *downgraded* Docusaurus to 3.5.2. uuid is pinned to v11 (not latest v14) because sockjs loads it via CommonJS, which newer uuid majors dropped.

### Docusaurus 3.9.2 → 3.10.1

- All `@docusaurus/*` packages bumped to 3.10.1
- Added `@docusaurus/faster`, now required by the existing `future: { v4: true }` config flag in 3.10 (builds use the Rspack bundler)

The overrides can be removed once Docusaurus bumps to copy-webpack-plugin@14 / css-minimizer-webpack-plugin@8 and sockjs updates uuid.

## Test plan

- [x] `npm audit` → 0 vulnerabilities
- [x] `npm run typecheck` → passes
- [x] `npm run build` → succeeds (pre-existing broken-link warnings on `/docs/0.4/download/quickstart` are unrelated content issues)

🤖 Generated with [Claude Code](https://claude.com/claude-code)
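A check that a reviewer of a PR like this one would want: an `override` only helps if every transitive copy of the package in the installed tree actually moved to the patched range, so the script below walks the JSON that `npm ls --all --json` prints and reports any copy still below the minimum the PR pins. This is an added example, not code from the PR or from the Mahout repository; the tree embedded in it is constructed to mimic the pre-override state the PR describes, and the plugin and sockjs version numbers in it are made up.

```javascript
// Minimum versions the PR's overrides are meant to force (from the PR table).
const REQUIRED = {
  'serialize-javascript': '7.0.5',
  uuid: '11.1.1',
};

// Compare dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk an `npm ls --all --json` tree (assumed shape: nested `dependencies`
// objects with a `version` field) and return every installed copy of a watched
// package that is older than the required version, with its dependency path.
function findStaleCopies(tree, required = REQUIRED) {
  const stale = [];
  const walk = (node, path) => {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const here = [...path, name];
      if (required[name] && child.version &&
          compareVersions(child.version, required[name]) < 0) {
        stale.push({ name, version: child.version, path: here.join(' > ') });
      }
      walk(child, here); // nested copies count too; npm may dedupe or not
    }
  };
  walk(tree, []);
  return stale;
}

// Constructed sample tree: one unpatched and one patched serialize-javascript,
// plus the old uuid under sockjs, mirroring the transitive chains in the PR.
const SAMPLE_TREE = {
  name: 'website',
  dependencies: {
    'copy-webpack-plugin': { version: '11.0.0', dependencies: { 'serialize-javascript': { version: '6.0.2' } } },
    'css-minimizer-webpack-plugin': { version: '5.0.1', dependencies: { 'serialize-javascript': { version: '7.0.5' } } },
    'webpack-dev-server': { version: '4.15.2', dependencies: { sockjs: { version: '0.3.24', dependencies: { uuid: { version: '8.3.2' } } } } },
  },
};

for (const s of findStaleCopies(SAMPLE_TREE)) {
  console.log(`still vulnerable: ${s.name}@${s.version} via ${s.path}`);
}
```

Run it against the real tree with `node check.js` after replacing `SAMPLE_TREE` with `JSON.parse` of the `npm ls --all --json` output; an empty result means the overrides reached every copy.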
