The GitHub Actions job "npm_and_yarn in /airflow-core/src/airflow/ui for @chakra-ui/react, @codemirror/lang-json, @tanstack/react-query, @tanstack/react-virtual, @uiw/codemirror-themes-all, @uiw/react-codemirror, @xyflow/react, anser, axios, chakra-react-select, chart.js, dayjs, elkjs, i18next, i18next-browser-languagedetector, node-sql-parser, react, @types/react, react-chartjs-2, react-dom, @types/react-dom, react-hook-form, react-hotkeys-hook, react-i18next, react-markdown, react-resizable, react-resizable-panels, react-rout..." on airflow.git/v3-1-test has succeeded. Run started by GitHub user dependabot[bot] (triggered by dependabot[bot]).
Head commit for run:
b77ab9a1cd04bf00e953ff4a12ded59899c162f8 / Pierre Jeambrun <[email protected]>
[V3-1-test] Fix minimatch ReDoS vulnerabilities via pnpm overrides (#62805)

* Fix minimatch ReDoS vulnerabilities via pnpm overrides

Update pnpm overrides to patch minimatch ReDoS vulnerabilities (CVE for
matchOne() combinatorial backtracking and nested extglobs) across three
UI manifests:
- airflow-core/src/airflow/ui: add overrides for <3.1.4, >=9.0.0 <9.0.7, >=10.0.0 <10.2.3
- simple-auth-manager-ui: add overrides for <3.1.4, >=9.0.0 <9.0.7, >=10.0.0 <10.2.3
- react-plugin-template: add overrides for <3.1.4, >=9.0.0 <9.0.7, >=10.0.0 <10.2.3

* Constrain minimatch overrides to major version ranges

The minimatch overrides used open-ended ranges (e.g. >=3.1.4) which
allowed pnpm to resolve 3.x consumers to 10.x, breaking the API
(minimatch 10.x uses named exports, 3.x uses a default function).
Constrain to >=3.1.4 <4.0.0 and >=9.0.7 <10.0.0 respectively.

Report URL: https://github.com/apache/airflow/actions/runs/22637560121

With regards,
GitHub Actions via GitBox
