sergehuber opened a new pull request, #795:
URL: https://github.com/apache/unomi/pull/795

   ## Plain-language summary
   
   This change updates low-risk npm and Java library versions to reduce known 
security advisories before the 3.1 release. It covers front-end build 
dependencies (web tracker and GraphQL UI) and two root Maven properties (Kafka 
client and Log4j). OpenCSV is intentionally excluded and deferred to 3.2.
   
   ## What changed
   
   * **E1 — wab:** yarn resolutions + lockfile for decode-uri-component, json5, 
semver; Babel toolchain upgraded (Dependabot #554, #566, #635, #671)
   * **E1 — graphql-ui:** pin transitive semver to 5.7.2 (#634); #672/#673/#680 
obsolete after GraphiQL migration
   * **E2 — pom.xml:** `kafka-client.version` 2.2.1 → 2.6.3 (#674); 
`log4j.version` 2.19.0 → 2.24.0 (#692)
   * **Skipped:** opencsv (#677), jetty (#675 — BOM already at 9.4.57), jsoup 
(#493 — already 1.15.3)
   
   ## Review map
   
   | Commit | Paths | Risk | Focus |
   |--------|-------|------|-------|
   | wab E1 | `extensions/web-tracker/wab/` | low | `yarn build` passes |
   | graphql-ui E1 | `graphql/graphql-ui/` | low | lockfile only |
   | kafka E2 | `pom.xml` | medium | kafka-injector compatibility |
   | log4j E2 | `pom.xml` | medium | BOM-wide logging alignment |
   
   ## Test plan
   
   - [x] `yarn build` in `extensions/web-tracker/wab`
   - [ ] `./build.sh --ci`
   - [ ] `./build.sh --integration-tests --skip-unit-tests` (CI)
   
   ## References
   
   UNOMI-875 · Dependabot #554, #566, #635, #671, #634, #674, #692


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to