rusackas opened a new pull request, #40540: URL: https://github.com/apache/superset/pull/40540
### SUMMARY Forces `serialize-javascript` to **7.0.5** in `docs/yarn.lock` via a yarn `resolutions` override, picking up upstream security fixes flagged by Dependabot. It's a transitive, build-time-only dependency used by `copy-webpack-plugin` and `css-minimizer-webpack-plugin` (both request `^6.x`). The fixes only land in the 7.x line, which those plugins don't yet request — so Dependabot can't bump it without upstream releases. The 7.x changes are security hardening (function-body sanitization, RegExp/Date handling); there is no API change for the `serialize(obj)` usage these plugins rely on. `7.0.5` clears both the high-severity and the follow-up medium-severity advisories for this package. ### TESTING INSTRUCTIONS - [ ] CI passes - [ ] `cd docs && yarn install --immutable` is a clean no-op - [x] Full `cd docs && yarn build` succeeds — webpack minification (which uses serialize-javascript) completes and static files are generated ### ADDITIONAL INFORMATION - [ ] Has associated issue: n/a - [ ] Required feature flags: n/a - [ ] Changes UI: No - [ ] Includes DB Migration: No - [ ] Introduces new feature or API: No - [ ] Removes existing feature or API: No 🤖 Generated with [Claude Code](https://claude.com/claude-code) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
