rusackas opened a new pull request, #40535: URL: https://github.com/apache/superset/pull/40535
### SUMMARY Resolves high-severity Dependabot alert [#1154](https://github.com/apache/superset/security/dependabot/1154) — `lodash` code injection via `_.template` import key names (GHSA-r5fr-rjxr-66jc), vulnerable `<= 4.17.23`, patched in `4.18.0`. **Why Dependabot couldn't fix it:** the alert is for a transitive dependency in `docs/yarn.lock`. Three Postman packages pulled in via the OpenAPI docs plugin hard-pin lodash to an exact `4.17.21` (no caret): - `openapi-to-postmanv2` - `postman-code-generators` - `postman-collection` Because the pin is exact, the vulnerable `4.17.21` stayed in the lockfile alongside the already-patched `4.18.1` resolved elsewhere — Dependabot can't bump it without an upstream release from those packages. **Fix:** add a yarn `resolutions` override forcing every lodash request to `4.18.1` — a backward-compatible bump within the 4.x line that contains the `_.template` fix. `yarn install` collapses the two lockfile entries into one and removes `lodash-4.17.21.tgz` entirely. ### BEFORE/AFTER `docs/yarn.lock` previously had two lodash entries (`4.17.21` and `4.18.1`); after this change there is a single entry resolving to `4.18.1`. ### TESTING INSTRUCTIONS - [ ] CI passes - [ ] `yarn install` in `docs/` resolves lodash to `4.18.1` with no `4.17.21` remaining (`grep lodash-4.17.21 docs/yarn.lock` returns nothing) - [ ] Docs build succeeds (no runtime/behavior change — patch-level lodash bump) ### ADDITIONAL INFORMATION - [ ] Has associated issue: Dependabot alert #1154 - [ ] Required feature flags: n/a - [ ] Changes UI: No - [ ] Includes DB Migration: No - [ ] Introduces new feature or API: No - [ ] Removes existing feature or API: No 🤖 Generated with [Claude Code](https://claude.com/claude-code) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
