wu-sheng opened a new pull request, #85:
URL: https://github.com/apache/skywalking-horizon-ui/pull/85

## Why

Dependabot shows 14 open advisories. Remediating by **dependency upgrade, not pnpm overrides** (per maintainer preference) — this lands the real version bumps that clear everything with an available patch path.

## What

Each parent's declared range already permitted the patched version, so these are honest upgrades — **no overrides added**:

| Package | Bump | Advisory | Sev |
|---|---|---|---|
| vite | 6.4.2 → 6.4.3 | GHSA-fx2h-pf6j-xcff | **high** |
| vite | ″ | GHSA-v6wh-96g9-6wx3 | moderate |
| form-data | → 4.0.6 (via jsdom) | GHSA-hmw2-7cc7-3qxx | **high** |
| tsx | 4.21.0 → 4.22.4 → esbuild 0.28.1 | GHSA-g7r4-m6w7-qqqr | low |
| js-yaml | → 4.3.0 (via eslint) | GHSA-h67p-54hq-rp68 | moderate |
| @babel/core | → 7.29.7 | GHSA-4x5r-pxfx-6jf8 | low |

**Dependabot 14 → 8.** Both highs and every dev-only advisory cleared.

## What's left — and why there's no upgrade

The remaining 8 are all **DOMPurify via `monaco-editor`**. monaco's latest *stable* (0.55.1) still declares and vendors DOMPurify 3.2.7 with no patched release (only `0.56.0-dev` pre-releases) — **so there is no upgrade path**. They're low/moderate; the npm `dompurify` is a *phantom* dep (the shipped bundle uses monaco's vendored 3.2.7 regardless, which an npm override can't reach); and that sanitizer only handles trusted in-app editor (MQE/YAML) content, never OAP wire data. Recommend accepting + tracking a monaco upgrade rather than masking the SCA number with a cosmetic override.

## Validation

type-check (both workspaces), build-ui, build-bff, lint + source-budget, **116 UI + 162 BFF tests** — all green. The esbuild 0.27→0.28 minor and the vite patch were verified against the full build + test suite.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
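The PR's "honest upgrade, no override" test is whether each parent's declared range already admits the patched version. The following is an added example, not code from the PR or the skywalking-horizon-ui project: a minimal caret/tilde semver matcher that answers that question, with constructed sample ranges (the real ones live in the repo's package.json files). It also shows why the monaco case has no upgrade path: `^0.55.1` admits neither a 0.56.x release nor a `-dev` pre-release.

```javascript
// Parse "MAJOR.MINOR.PATCH[-prerelease]" into its components.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`bad version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Numeric ordering on the release part only (pre-release tags handled by caller).
function compare(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// True when `version` satisfies `range`, for exact, ^x.y.z and ~x.y.z ranges.
// A pre-release never satisfies a release range, mirroring npm's behaviour.
function satisfies(range, version) {
  if (!range) return false;
  const v = parseVersion(version);
  if (v.pre !== null) return false;
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const base = parseVersion(op ? range.slice(1) : range);
  if (compare(v, base) < 0) return false;
  if (op === '') return compare(v, base) === 0;
  if (op === '~') return v.major === base.major && v.minor === base.minor;
  // Caret: the leftmost non-zero component is pinned, so ^0.55.1 excludes 0.56.0.
  if (base.major !== 0) return v.major === base.major;
  if (base.minor !== 0) return v.major === 0 && v.minor === base.minor;
  return v.major === 0 && v.minor === 0 && v.patch === base.patch;
}

// For each advisory, report whether the patched version is reachable by a plain
// upgrade within the parent's declared range (i.e. no override would be needed).
function auditUpgrades(declared, patched) {
  return Object.entries(patched).map(([pkg, version]) => ({
    pkg,
    version,
    upgradeable: satisfies(declared[pkg] ?? '', version),
  }));
}

// Constructed sample input; the declared ranges are assumptions, not the repo's.
const sampleDeclared = { vite: '^6.4.2', 'monaco-editor': '^0.55.1' };
const samplePatched = { vite: '6.4.3', 'monaco-editor': '0.56.0-dev' };

for (const r of auditUpgrades(sampleDeclared, samplePatched)) {
  console.log(`${r.pkg}@${r.version}: ${r.upgradeable ? 'upgrade in range' : 'NOT reachable by upgrade'}`);
}
```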