[ https://issues.apache.org/jira/browse/ATLAS-5307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18085721#comment-18085721 ]

ASF subversion and git services commented on ATLAS-5307:
--------------------------------------------------------

Commit 8eeddd5f6c7a1d05a810579f9c93aa9528496005 in atlas's branch 
refs/heads/ATLAS-5174 from Prasad Pawar
[ https://gitbox.apache.org/repos/asf?p=atlas.git;h=8eeddd5f6 ]

ATLAS-5174: Set up Test Infrastructure and Configuration for Atlas Dashboard

ATLAS-5174: Merge master and regenerate dashboard/package-lock.json

Sync with master (ATLAS-5307 npm dependency updates: axios 1.15.2,
vite 6.4.2, lodash/flatted overrides). Resolve package-lock.json
conflict by regenerating from merged package.json (master deps +
ATLAS-5174 Jest/test devDependencies).


> Atlas UI: Update frontend npm dependencies in dashboard, dashboardv2, and docs
> ------------------------------------------------------------------------------
>
>                 Key: ATLAS-5307
>                 URL: https://issues.apache.org/jira/browse/ATLAS-5307
>             Project: Atlas
>          Issue Type: Bug
>          Components: atlas-webui
>    Affects Versions: 3.0.0
>            Reporter: Prasad P. Pawar
>            Assignee: Prasad P. Pawar
>            Priority: Major
>             Fix For: 3.0.0, 2.6.0
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Address high-priority automated dependency review findings for the React UI
> ({{dashboard/}}), classic UI ({{dashboardv2/}}), and documentation
> site ({{docs/}}). Bump direct and transitive npm packages to patched
> versions and refresh lockfiles so builds stay reproducible.
> h3. Scope
> ||Area||Manifests updated||
> |React dashboard|{{dashboard/package.json}}, {{dashboard/package-lock.json}}|
> |Lineage bundle (dashboard)|{{dashboard/src/views/Lineage/atlas-lineage/package.json}}, {{package-lock.json}}|
> |Classic UI|{{dashboardv2/package.json}}, {{dashboardv2/package-lock.json}}|
> |Lineage bundle (dashboardv2)|{{dashboardv2/public/js/external_lib/atlas-lineage/package.json}}, {{package-lock.json}}|
> |Documentation site|{{docs/package.json}}, {{docs/package-lock.json}}|
> |Build tooling|Root {{pom.xml}} — RAT excludes for generated webpack/docz output only (no runtime dependency change)|
> h3. Package updates (frontend)
> dashboard
>  * {{vite}} 6.4.1 → 6.4.2 (dev server file access hardening)
>  * {{axios}} 1.13.5 → 1.15.2
>  * {{lodash}} / {{lodash-es}} overrides → 4.18.1
>  * {{flatted}} override → 3.4.2 (eslint transitive)
> dashboard + dashboardv2 atlas-lineage
>  * {{@babel/core}} 7.29.0, {{@babel/preset-env}} 7.29.5
>  * Overrides: {{lodash}} 4.18.1, {{serialize-javascript}} 7.0.3, {{@babel/plugin-transform-modules-systemjs}} 7.29.4
> dashboardv2
>  * {{lodash}} override 4.17.23 → 4.18.1
> docs
>  * {{axios}} 1.13.5 → 1.15.2
>  * Overrides: {{node-forge}} 1.4.0, {{lodash}} 4.18.1, {{@babel/plugin-transform-modules-systemjs}} 7.29.4, {{serialize-javascript}} 7.0.3, {{fast-uri}} 3.1.2, {{picomatch}} 2.3.2
> h3. 1. Direct dependencies (app code uses these)
> ||Package||Old → New||Used in project||API / method usage||Code change needed?||
> |vite|6.4.1 → 6.4.2|{{dashboard/vite.config.ts}}|{{defineConfig}}, {{server.host}}, {{server.proxy}}, {{build.rollupOptions}}, {{resolve.alias}}|No — patch release; dev-server hardening only|
> |axios|1.13.5 → 1.15.2|{{dashboard/src/api/apiMethods/fetchApi.ts}}, type imports in 3 other TS files; {{docs/theme/.../TeamList}} (import only, unused)|{{axios()}}, {{axios.isAxiosError()}}, {{AxiosRequestConfig}}, {{AxiosResponse}}, {{error.response}}, {{error.code}}|No — same public API; {{tsc}} passes|
>
> Dashboard axios call sites
>  ** {{fetchApi.ts}} — main HTTP wrapper
>  ** {{FormAutocomplete.tsx}}, {{QuickSearch.tsx}}, {{Labels.tsx}} — {{AxiosResponse}} typing only
> ----
> h3. 2. Overrides / transitive (not imported directly in app source)
> ||Package||Old → New||Role||Direct imports in Atlas source?||Code change needed?||
> |lodash / lodash-es|4.17.23 → 4.18.1|{{dashboardv2}} (via underscore/lodash global), {{docs/theme}}, lineage via {{dagre-d3}}, {{react-quill-new}}|Yes — see below|No for current usage|
> |flatted|3.3.3 → 3.4.2|ESLint transitive ({{dashboard}})|No|No|
> |serialize-javascript|4.x → 7.0.3|Webpack 4 / terser (lineage bundles)|No|No — lineage webpack build passes|
> |@babel/plugin-transform-modules-systemjs|7.29.0 → 7.29.4|Transitive via {{@babel/preset-env}}|No — webpack uses {{preset-env}} + {{transform-class-properties}} only|No|
> |@babel/core / preset-env|7.23.2 → 7.29.0 / 7.29.5|Lineage {{babel-loader}}|{{presets: ["@babel/preset-env"]}}, {{plugins: ["@babel/plugin-transform-class-properties"]}}|No|
> |node-forge|1.3.2 → 1.4.0|Docz / webpack-dev-server transitive|No|No|
> |fast-uri|3.1.0 → 3.1.2|Docz transitive|No|No|
> |picomatch|2.3.1 → 2.3.2|Docz / tooling transitive|No|No|
>  
> ----
> h3. 3. Lodash — only area with _behavioral_ changes (not renames)
> 4.18.1 tightens behavior in two APIs. No method was renamed or removed that 
> Atlas uses.
> ||Lodash API||Change in 4.18.x||Used in Atlas?||Impact on Atlas||
> |{{_.unset}} / {{_.omit}}|Blocks {{constructor}} / {{prototype}} as path keys (prototype-pollution hardening)|{{_.omit}} used widely in dashboardv2 ({{Utils.js}}, {{GlossaryLayoutView.js}}, {{TableLayout.js}}, audit/search views, etc.) with normal keys ({{typeName}}, {{guid}}, {{limit}}, …)|No impact — paths are plain property names, not {{constructor}}/{{prototype}}|
> |{{_.template}}|Stricter validation of {{options.imports}} keys; throws on forbidden identifiers|{{_.template(...)}} in dashboardv2 ({{BackgridHeader.js}}, search/audit column buttons, {{Backgrid.ColumnManager.js}}) with static template strings, no custom {{imports}}|No impact|
> |{{_.get}}, {{_.extend}}, {{_.each}}, {{_.sortBy}}, {{_.isArray}}, {{_.isEmpty}}, {{_.has}}, {{_.union}}, {{_.keys}}, {{_.pick}}, {{_.flatten}}, fp helpers|Unchanged signatures|docs/theme, dashboardv2, GlossaryExport.js|No impact|
> |{{_.numberFormatWithComma}}|Custom mixin in {{dashboardv2/public/js/utils/Helper.js}} (not core lodash)|Statistics, search, glossary views|No impact|
>
> React dashboard ({{dashboard/src}}) does not import lodash directly; it
> gets lodash-es only transitively through react-quill-new (standard lodash-es
> APIs).
> ----
> h3. 4. Axios — internal hardening only (no renames in our usage)
> Upgrades 1.13.5 → 1.15.2 add/fix internal handling (e.g. {{mergeConfig}},
> proxy loopback normalization, prototype-pollution guards). Public methods we
> use are unchanged:
>  ** {{axios(config)}}
>  ** {{axios.isAxiosError(error)}}
>  ** Types: {{AxiosRequestConfig}}, {{AxiosResponse}}
> No Atlas file needs updates for renamed axios methods.
> ----
> h3. 5. Vite — patch only
> 6.4.1 → 6.4.2 fixes dev-server WebSocket {{fetchModule}} path when 
> {{server.host}} is exposed. Config in {{vite.config.ts}} is unchanged and 
> valid.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
