sergehuber opened a new pull request, #795: URL: https://github.com/apache/unomi/pull/795
## Plain-language summary This change updates low-risk npm and Java library versions to reduce known security advisories before the 3.1 release. It covers front-end build dependencies (web tracker and GraphQL UI) and two root Maven properties (Kafka client and Log4j). OpenCSV is intentionally excluded and deferred to 3.2. ## What changed * **E1 — wab:** yarn resolutions + lockfile for decode-uri-component, json5, semver; Babel toolchain upgraded (Dependabot #554, #566, #635, #671) * **E1 — graphql-ui:** pin transitive semver to 5.7.2 (#634); #672/#673/#680 obsolete after GraphiQL migration * **E2 — pom.xml:** `kafka-client.version` 2.2.1 → 2.6.3 (#674); `log4j.version` 2.19.0 → 2.24.0 (#692) * **Skipped:** opencsv (#677), jetty (#675 — BOM already at 9.4.57), jsoup (#493 — already 1.15.3) ## Review map | Commit | Paths | Risk | Focus | |--------|-------|------|-------| | wab E1 | `extensions/web-tracker/wab/` | low | `yarn build` passes | | graphql-ui E1 | `graphql/graphql-ui/` | low | lockfile only | | kafka E2 | `pom.xml` | medium | kafka-injector compatibility | | log4j E2 | `pom.xml` | medium | BOM-wide logging alignment | ## Test plan - [x] `yarn build` in `extensions/web-tracker/wab` - [ ] `./build.sh --ci` - [ ] `./build.sh --integration-tests --skip-unit-tests` (CI) ## References UNOMI-875 · Dependabot #554, #566, #635, #671, #634, #674, #692 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
