asf-tooling commented on issue #1215: URL: https://github.com/apache/tooling-trusted-releases/issues/1215#issuecomment-4409667279
<!-- gofannon-issue-triage-bot v2 -->

**Automated triage** — analyzed at `main@2da7807a`

**Type:** `discussion` • **Classification:** `no_action` • **Confidence:** `high`

**Application domain(s):** `shared_infrastructure`

### Summary

This issue is explicitly a tracking/context issue for a Dependabot alert about the `uuid` transitive dependency in Mermaid. The upstream fix exists (mermaid-js/mermaid#7684) but has not been included in a Mermaid release yet. The current pinned version is 11.14.0 in `bootstrap/source/package.json`. No code change is possible until Mermaid publishes a new release containing the fix.

### Proposed approach

No action is possible until Mermaid publishes a release that includes the uuid fix from mermaid-js/mermaid#7684. Once that release is available, the version in `bootstrap/source/package.json` should be bumped from `11.14.0` to the new version.

The team may also consider adding an `npm` package-ecosystem entry to `.github/dependabot.yml` targeting the `bootstrap/source/` directory so that future Mermaid updates are automatically proposed, though the issue does not explicitly request this.

As the issue states, this is purely a context/tracking issue — the Dependabot alert is known, the upstream fix is merged but unreleased, and the team is waiting.

### Open questions

- When will Mermaid publish a release including PR #7684 (the uuid fix)?
- Should an npm dependabot ecosystem be added for `bootstrap/source/` to automatically pick up the Mermaid update when it's released?
- Is the Dependabot alert about uuid a security vulnerability or just a deprecation warning?

_The agent reviewed this issue and is not proposing patches in this run. Review the existing-code citations and open questions above before deciding next steps._

### Files examined

- `atr/static/js/min/mermaid-init.js`
- `bootstrap/source/package.json`
- `.github/dependabot.yml`

---

*Draft from a triage agent. A human reviewer should validate before merging any change. The agent did not run tests or verify diffs apply.*

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
