wu-sheng opened a new pull request, #27: URL: https://github.com/apache/skywalking-horizon-ui/pull/27
## Summary

Clears all five open Dependabot advisories. **None ship in the production bundle** — every flagged package is dev/test tooling — but this keeps the security tab and CI clean.

| Package | Severity | Advisory | Resolution |
|---|---|---|---|
| js-cookie | **HIGH** | GHSA-qjx8-664m-686j (prototype hijack in `assign()`) | override → 3.0.7 (via `@vue/test-utils`→`js-beautify`) |
| ws | medium | GHSA-58qx-3vcg-4xpx (uninitialized memory disclosure) | override → 8.21.0 (via `jsdom`) |
| esbuild | medium | GHSA-67mh-4wv8-2f99 (dev-server request forgery) | override → ≥0.25.0 + BFF direct devDep → ^0.25.0 |
| vite | medium | GHSA-4w7w-66w2-5vf9 (dev-server path traversal) | vite 5→**6.4.2** (no 5.x backport exists) |

The vite advisory has no 5.x patch, so it required a coordinated build/test-stack bump:

- `vite` ^6.4.2, `@vitejs/plugin-vue` ^6.0.7, `@vitejs/plugin-vue-jsx` ^5.1.5
- `vitest` 2→^3.2.4 in **both** UI and BFF (vitest 2 peers `vite ^5` only; a stray `[email protected]` lingered via BFF vitest until bumped)

`vite.config.ts` needed no changes.

## Validation

- UI: `build`, `type-check`, **69 unit tests** pass; vite-6 dev-server smoke (root + entry 200, optimizer re-ran).
- BFF: `build` (esbuild 0.25), **80 unit tests** pass under vitest 3.
- Dependency tree resolves a single `[email protected]`; [email protected] / [email protected] / [email protected] confirmed.

## Test plan

- [ ] CI green (build + unit tests on both apps).
- [ ] Dependabot re-scan shows 0 open alerts.
- [ ] Smoke the dev server + a production build locally (incl. the 3D map's three.js bundle).

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
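The PR's "Validation" step (confirm the lockfile resolves exactly one vite and that js-cookie / ws / esbuild sit at or above the pinned versions) is the kind of check worth scripting so it can run in CI after an `npm install`. The block below is an added example written for this page; it is not code from the PR or from the skywalking-horizon-ui project. The `auditLock` / `compareVersions` / `packageName` helpers, the `OVERRIDES` object and the two sample lockfile fragments are constructed for illustration; only the four minimum versions are taken from the PR's resolution column. The first fragment models the state the PR describes mid-way through the bump (a hoisted vite 6 plus a stray nested vite 5 under vitest, and esbuild still below 0.25), the second models the tree after the bump.

```javascript
// Added example, not project code: audit a package-lock.json "packages" map
// against minimum versions and flag duplicate copies of a package.

// Minimum versions the PR pins (from its resolution column).
const MINIMUMS = {
  "js-cookie": "3.0.7",
  ws: "8.21.0",
  esbuild: "0.25.0",
  vite: "6.4.2",
};

// package.json "overrides" in the shape npm reads; versions are the PR's,
// the surrounding object is a constructed illustration.
const OVERRIDES = {
  overrides: { "js-cookie": "3.0.7", ws: "8.21.0", esbuild: ">=0.25.0" },
};

// Constructed lockfile fragment (lockfileVersion 3 layout) BEFORE the vitest
// bump: one hoisted vite 6, a stray vite 5 nested under vitest, esbuild 0.24.
const SAMPLE_LOCK_BEFORE = {
  name: "sample", lockfileVersion: 3,
  packages: {
    "": { name: "sample", devDependencies: { vite: "^6.4.2", vitest: "^2.1.0" } },
    "node_modules/vite": { version: "6.4.2" },
    "node_modules/vitest": { version: "2.1.9" },
    "node_modules/vitest/node_modules/vite": { version: "5.4.8" },
    "node_modules/ws": { version: "8.21.0" },
    "node_modules/js-cookie": { version: "3.0.7" },
    "node_modules/esbuild": { version: "0.24.2" },
  },
};

// Constructed lockfile fragment AFTER the bump: single vite, all at minimums.
const SAMPLE_LOCK_AFTER = {
  name: "sample", lockfileVersion: 3,
  packages: {
    "": { name: "sample", devDependencies: { vite: "^6.4.2", vitest: "^3.2.4" } },
    "node_modules/vite": { version: "6.4.2" },
    "node_modules/vitest": { version: "3.2.4" },
    "node_modules/ws": { version: "8.21.0" },
    "node_modules/js-cookie": { version: "3.0.7" },
    "node_modules/esbuild": { version: "0.25.0" },
  },
};

// Parse "major.minor.patch" (any prerelease/build suffix is ignored here).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric semver comparison: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Lock keys look like "node_modules/a/node_modules/@scope/b"; the package
// name is whatever follows the last "node_modules/" (scoped names included).
function packageName(lockPath) {
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? null : lockPath.slice(i + marker.length);
}

// Returns a list of findings: "below-minimum" for any copy under the pinned
// version, "duplicate" when more than one version of a watched package exists.
function auditLock(lock, minimums = MINIMUMS) {
  const findings = [];
  const seen = new Map(); // name -> Set of versions present in the tree
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = packageName(path);
    if (!name || !(name in minimums)) continue;
    if (!seen.has(name)) seen.set(name, new Set());
    seen.get(name).add(entry.version);
    if (compareVersions(entry.version, minimums[name]) < 0) {
      findings.push({ kind: "below-minimum", name, path,
                      version: entry.version, minimum: minimums[name] });
    }
  }
  for (const [name, versions] of seen) {
    if (versions.size > 1) {
      findings.push({ kind: "duplicate", name, versions: [...versions].sort() });
    }
  }
  return findings;
}

console.log("overrides to add to package.json:", JSON.stringify(OVERRIDES));
console.log("before bump:", auditLock(SAMPLE_LOCK_BEFORE));
console.log("after bump:", auditLock(SAMPLE_LOCK_AFTER));
```

To run it against a real tree, replace the constructed fragment with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and fail the CI job when `auditLock` returns a non-empty list. The duplicate check is the part an `npm audit` pass does not give you: a second, older copy nested under a dev dependency (the stray vite 5 the PR mentions) is exactly what survives a top-level version bump, and `overrides` is the npm mechanism that forces that nested copy onto the pinned version as well.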
