[ 
https://issues.apache.org/jira/browse/FLINK-40028?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18092747#comment-18092747
 ] 

Martijn Visser commented on FLINK-40028:
----------------------------------------

Thanks [~psinha], and apologies again for the overlap; I should have checked 
FLINK-39516 / https://github.com/apache/flink/pull/28000/ before opening mine.

I went through your PR. Since FLINK-40028 is specifically the Angular v21 LTS 
upgrade, I've taken that path in https://github.com/apache/flink/pull/28593/ 
(Angular 20 -> 21, ng-zorro 20 -> 21). Regenerating the lockfile on v21 pulls 
in the same secure versions your PR targets: I checked them by dependency, and 
your floors (core-js 3.49.0, d3 7.9.0, @antv/g2 4.2.12, d3-flame-graph 4.1.3, 
stylelint 14.16.1, eslint-plugin-import 2.32.0, @types/d3 7.4.3, @types/dagre 
0.7.54, ...) all resolve to exactly those versions in my lockfile, so none of 
your fixes are lost.

To make sure that hardening is explicit and not just implicit in the lockfile, 
I adopted your declared package.json floors as a dedicated commit and added you 
as co-author. I'd like to credit your groundwork on FLINK-39516 and resolve it 
as superseded by FLINK-40028: does that work for you? 

On your two points:
* More vulnerabilities: yes please. If any advisory appeared after your last 
push, point me at the specific package/CVE and I'll confirm whether the v21 
lockfile already covers it. Current {{npm audit}} is 0 critical / 4 high, and 
those 4 are dev-only Angular-CLI transitives ({{http-proxy-middleware}}, 
{{undici}}) that need the CLI to bump its own deps. Happy to fold in anything 
genuinely missing.
* Prettier churn: good catch, and you're right that the prettier bump is what 
causes the mass file changes. I deliberately deferred the prettier 3 / 
stylelint 17 refresh to a separate follow-up for exactly that reason, so 
https://github.com/apache/flink/pull/28593/ doesn't carry it. I also verified 
there are no whitespace-only file changes: the ~100 touched files are all real 
migration edits (removing now-unused {{NgIf}}/{{NgForOf}} imports, the 
control-flow conversion, and {{@for}} track fixes), not formatting noise.

One more thing: testing this upgrade surfaced a backlog of web-dashboard 
follow-ups, and they'd be great contributions if you're interested. I'm happy 
to file the JIRAs and review your PRs. The dependency-focused ones especially 
fit what you've been doing:
* The deferred prettier 3 / stylelint 17 tooling refresh (you already have the 
context on the prettier churn)
* The major UI-library migrations: monaco-editor -> 0.55, @antv/g2 v4 -> v5, 
d3-flame-graph -> 5, dagre -> @dagrejs/dagre
* Migrating the build off the legacy webpack builder to the esbuild application 
builder
* eslint 8 -> 9 (flat config)
* A pre-existing UI bug I hit while testing: the Exceptions view throws 
{{NG04008}} when navigating to an unassigned TaskManager

Let me know which of those appeal; I'll create the tickets for them anyway. And 
if you have a moment, a review of https://github.com/apache/flink/pull/28593/ 
on the dependency side would be very welcome.

> Update Angular to v21 and ng-zorro-antd to v21
> ----------------------------------------------
>
>                 Key: FLINK-40028
>                 URL: https://issues.apache.org/jira/browse/FLINK-40028
>             Project: Flink
>          Issue Type: Technical Debt
>          Components: Runtime / Web Frontend
>            Reporter: Martijn Visser
>            Assignee: Martijn Visser
>            Priority: Major
>              Labels: pull-request-available
>
> Upgrade the web dashboard from Angular 20.1.3 / ng-zorro-antd 20.1.0 to the 
> latest LTS Angular 21.2.17 / ng-zorro-antd 21.3.2 (TypeScript 5.9), refresh 
> the eslint toolchain and @types/node, regenerate the lockfile (resolving the 
> outstanding Dependabot security bumps and removing third-party-mirror URLs), 
> and fix the stale NOTICE file. 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
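
The per-dependency lockfile check described in the comment above, as an added example that is not part of the original message or of the Flink code base: it walks an npm lockfile's `packages` map, flags every installed copy (nested ones included) that resolves below a declared floor, and flags tarballs resolved from a host other than the expected registry. The sample lockfile, the package `some-chart-lib`, the mirror host and the function names are constructed for illustration; only the four floor values are taken from the comment.

```javascript
// Floors quoted in the comment above (package name -> minimum version).
const FLOORS = { 'core-js': '3.49.0', 'd3': '7.9.0', '@antv/g2': '4.2.12', 'd3-flame-graph': '4.1.3' };
const ALLOWED_HOST = 'registry.npmjs.org'; // assumption: the only expected tarball host

// Constructed lockfileVersion 3 sample; a real run would JSON.parse package-lock.json.
// "some-chart-lib" and the mirror host are hypothetical.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'constructed-dashboard', version: '0.0.0' },
    'node_modules/core-js': { version: '3.49.0', resolved: 'https://registry.npmjs.org/core-js/-/core-js-3.49.0.tgz' },
    'node_modules/d3': { version: '7.9.0', resolved: 'https://registry.npmjs.org/d3/-/d3-7.9.0.tgz' },
    'node_modules/@antv/g2': { version: '4.2.12', resolved: 'https://mirror.example.invalid/@antv/g2/-/g2-4.2.12.tgz' },
    // Nested copy pulled in by another package: it is installed too, so it must meet the floor.
    'node_modules/some-chart-lib/node_modules/d3': { version: '5.16.0', resolved: 'https://registry.npmjs.org/d3/-/d3-5.16.0.tgz' },
  },
};

// Compare x.y.z versions numerically; prerelease tags are ignored.
function cmp(a, b) {
  const parts = (v) => v.split('-')[0].split('.').map(Number);
  const [pa, pb] = [parts(a), parts(b)];
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}

// Return one finding per violation: below-floor, foreign-registry, or not-in-lockfile.
function auditLock(lock, floors, allowedHost) {
  const findings = [];
  const seen = new Set();
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.includes('node_modules/') || entry.link) continue; // skip root and workspace links
    // The package name is whatever follows the last "node_modules/" segment.
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (Object.hasOwn(floors, name)) {
      seen.add(name);
      if (cmp(entry.version, floors[name]) < 0)
        findings.push({ type: 'below-floor', name, path, version: entry.version, floor: floors[name] });
    }
    if (entry.resolved && new URL(entry.resolved).host !== allowedHost)
      findings.push({ type: 'foreign-registry', name, path, resolved: entry.resolved });
  }
  for (const name of Object.keys(floors))
    if (!seen.has(name)) findings.push({ type: 'not-in-lockfile', name });
  return findings;
}
```

On the constructed sample, `auditLock(SAMPLE_LOCK, FLOORS, ALLOWED_HOST)` reports the mirrored `@antv/g2` tarball, the nested `d3` copy below its floor, and the absent `d3-flame-graph`.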
