rusackas opened a new pull request, #40541: URL: https://github.com/apache/superset/pull/40541
### SUMMARY Forces `d3-color` to **3.1.0** in `docs/yarn.lock` via a yarn `resolutions` override, picking up an upstream fix flagged by Dependabot. The vulnerable copy (`2.0.0`) was pulled in by an older `[email protected] - 2` requesting the `1 - 2` range, while the rest of the d3 stack (d3-interpolate 3.x, d3-scale-chromatic, d3-transition, d3@^7.9.0) already resolved to the patched `3.1.0`. Dependabot can't bump the `1 - 2` copy because it falls outside that range. The override unifies every `d3-color` request to `3.1.0`. d3-color 3.0.0's only breaking change was adopting `type: module` (Node 12+) — there are **no API changes** from the 2.x line — and the docs build runs Node 20 through webpack, so the ESM form is fine. ### TESTING INSTRUCTIONS - [ ] CI passes - [ ] `cd docs && yarn install --immutable` is a clean no-op - [x] Full `cd docs && yarn build` succeeds (d3 stack is exercised in chart components); static files generated ### ADDITIONAL INFORMATION - [ ] Has associated issue: n/a - [ ] Required feature flags: n/a - [ ] Changes UI: No - [ ] Includes DB Migration: No - [ ] Introduces new feature or API: No - [ ] Removes existing feature or API: No 🤖 Generated with [Claude Code](https://claude.com/claude-code) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
