Prasad P. Pawar created ATLAS-5212:
--------------------------------------

             Summary: ATLAS UI: Upgrade direct package dependencies to address Dependabot alerts
                 Key: ATLAS-5212
                 URL: https://issues.apache.org/jira/browse/ATLAS-5212
             Project: Atlas
          Issue Type: Task
          Components: atlas-webui
    Affects Versions: 3.0.0
            Reporter: Prasad P. Pawar
            Assignee: Prasad P. Pawar

Upgrade direct package dependencies to newer versions as recommended by 
Dependabot. This includes axios, d3, lodash, react-router-dom, underscore, 
requirejs, grunt-contrib-htmlmin, and gh-pages. Additionally, deprecated 
underscore methods (_.contains, _.pluck) were migrated to _.includes and _.map 
for future compatibility.

{code:java}
Package: axios
Version Upgrade: 1.8.4 → 1.13.1
Dependabot Reference:
https://github.com/apache/atlas/security/dependabot/458
{code}
 
{code:java}
Package: d3
Version Upgrade: 5.14.2 → 5.16.0
Dependabot References:
https://github.com/apache/atlas/security/dependabot/353
https://github.com/apache/atlas/security/dependabot/341
https://github.com/apache/atlas/security/dependabot/132
https://github.com/apache/atlas/security/dependabot/127
{code}
 
{code:java}
Package: lodash
Version Upgrade: 4.17.21 → 4.17.23
Dependabot References:
https://github.com/apache/atlas/security/dependabot/348
https://github.com/apache/atlas/security/dependabot/8
{code}
 
{code:java}
Package: react-router-dom
Version Upgrade: 6.22.3 → 6.30.3
Dependabot Reference:
https://github.com/apache/atlas/security/dependabot/491
{code}
 
{code:java}
Package: underscore
Version Upgrade: 1.13.1 → 1.13.7
Dependabot Reference:
https://github.com/apache/atlas/security/dependabot/66
{code}
 
{code:java}
Package: requirejs
Version Upgrade: 2.3.3 → 2.3.8
Dependabot Reference:
https://github.com/apache/atlas/security/dependabot/231
{code}
 
{code:java}
Package: grunt-contrib-htmlmin
Version Upgrade: 2.2.0 → 3.1.0
Dependabot Reference:
https://github.com/apache/atlas/security/dependabot/326
{code}
 
{code:java}
Package: gh-pages
Version Upgrade: 2.0.1 → 5.0.0
Dependabot Reference:
https://github.com/apache/atlas/security/dependabot/327
{code}



h1. Version Change Details – Key Packages

Below are the major dependency updates along with impact analysis and applied 
fixes:
----
||Package||Changes in New Version||Files Affected||Fix Applied||
|*axios*|Introduced {{AxiosError}} native error handling; {{allowAbsoluteUrls}} config added (v1.8.0); HTTP/2 support added (v1.13.0)|{{fetchApi.ts}}, {{TeamList/index.js}}|No code changes required; API remains compatible|
|*d3*|Improvements in {{d3-color}}; no breaking API changes within 5.x versions|{{RelationshipLineage.tsx}}, {{nv.d3.js}}, {{RelationshipLayoutView.js}}|Retained v5.x; {{@types/d3}} pinned to 5.16.5|
|*lodash*|Patch fixes in {{_.unset}}, {{_.omit}}; no API changes|{{atlas-lineage}}, {{docs}}|No code changes required|
|*react-router-dom*|Stable 6.x release; no breaking changes|All dashboard routing modules|No code changes required|
|*underscore*|Patch release; deprecated {{_.contains}} → {{_.includes}}; deprecated {{_.pluck}} → {{_.map}}|{{dashboardv2}} views|Migrated deprecated methods|
|*requirejs*|Optimizer updates|{{dashboardv2}} module loader|No code changes required|
|*grunt-contrib-htmlmin*|Requires Node.js ≥ 6; uses {{html-minifier}} v4|{{gruntfile.js}}|Existing options ({{removeComments}}, {{collapseWhitespace}}) remain supported|


Apply npm overrides for transitive dependencies in the dashboard and docs to 
address Dependabot alerts. This ensures build tools and their dependencies use 
recommended versions.

**Fix Applied (dashboard/package.json):**

{code:json}
"overrides": {
  "loader-utils": "3.2.1",
  "semver": "7.5.4",
  "json5": "2.2.3",
  "braces": "3.0.3"
}
{code}
 
**Fix Applied (docs/package.json):**

{code:json}
"overrides": {
  "braces": "^3.0.3",
  "cross-spawn": "^7.0.6",
  "ejs": "^3.1.10"
}
{code}
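As an added example, not part of this ticket or of the Atlas code base: a small Node.js check that walks package-lock.json and reports every installed copy of an overridden package (nested, non-hoisted copies included) whose version does not satisfy the override, so that an alert on a transitive dependency is confirmed closed in the installed tree and not only declared in package.json. The package names and versions are the ones listed above; the lock contents and the "some-plugin" name are constructed for the example.

```javascript
// Added example (not Atlas project code): check that the npm "overrides" in
// package.json are really reflected in package-lock.json, so a Dependabot alert
// on a transitive dependency is closed in the installed tree, not just declared.
// Assumes lockfileVersion 2 or 3 (a "packages" map keyed by node_modules path).
const parseVersion = (v) => v.split('.').map(Number);
// Range check limited to the spec forms used above: an exact pin ("3.2.1") and a
// caret range ("^3.0.3": same major, >= given version; for ^0.x the minor is
// fixed). Any other form is rejected rather than guessed at.
function satisfies(version, spec) {
  const [vMaj, vMin, vPat] = parseVersion(version);
  if (spec.startsWith('^')) {
    const [sMaj, sMin, sPat] = parseVersion(spec.slice(1));
    if (vMaj !== sMaj || (sMaj === 0 && vMin !== sMin)) return false;
    return vMin !== sMin ? vMin > sMin : vPat >= sPat;
  }
  if (/^\d+\.\d+\.\d+$/.test(spec)) return version === spec;
  throw new Error(`unsupported override spec: ${spec}`);
}
// Every installed copy of an overridden package whose version does not satisfy
// the override. Nested copies (x/node_modules/y/node_modules/z) are included,
// because that is where a non-hoisted vulnerable version usually survives.
function findOverrideViolations(pkg, lock) {
  const overrides = pkg.overrides || {};
  const violations = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.includes('node_modules/') || !entry.version) continue;
    const name = path.split('node_modules/').pop(); // scoped names come out intact
    if (name in overrides && !satisfies(entry.version, overrides[name])) {
      violations.push({ path, installed: entry.version, required: overrides[name] });
    }
  }
  return violations;
}
// Constructed sample: the dashboard overrides from this ticket and a lock in
// which one nested loader-utils copy still carries an old version.
const samplePkg = {
  overrides: { 'loader-utils': '3.2.1', semver: '7.5.4', json5: '2.2.3', braces: '3.0.3' },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'dashboard' },
    'node_modules/loader-utils': { version: '3.2.1' },
    'node_modules/some-plugin/node_modules/loader-utils': { version: '1.4.0' },
    'node_modules/semver': { version: '7.5.4' },
    'node_modules/braces': { version: '3.0.3' },
  },
};
console.log(JSON.stringify(findOverrideViolations(samplePkg, sampleLock), null, 2));
```

Point it at the real files with `JSON.parse(fs.readFileSync(...))` after `npm install`; an empty result means every installed copy matches the declared override.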
 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)