rusackas opened a new pull request, #40542: URL: https://github.com/apache/superset/pull/40542
### SUMMARY

Forces `uuid` to **11.1.1** in `docs/yarn.lock` via a yarn `resolutions` override, picking up an upstream fix flagged by Dependabot.

The vulnerable `8.3.2` was pulled in transitively by:

- `postman-collection` (exact `8.3.2`, via the OpenAPI docs generation)
- `sockjs` (`^8.3.2`, webpack-dev-server's websocket fallback)

The fix only lands in the 11.x line, so Dependabot can't bump it without upstream releases. The override forces every `uuid` request to `11.1.1`. `mermaid` (`^11.1.0 || ^12 || ^13 || ^14.0.0`) is unaffected — `11.1.1` satisfies its range.

**Breaking-change review:** uuid v9 removed the default export, but both consumers use the named `.v4()` API, which is unchanged across 8.x → 11.x. So the override is API-safe for the actual usage.

### TESTING INSTRUCTIONS

- [ ] CI passes
- [ ] `cd docs && yarn install --immutable` is a clean no-op
- [x] Full `cd docs && yarn build` succeeds (exercises the postman-collection / OpenAPI-docs path); static files generated

> ⚠️ **Coverage note:** `sockjs` is only used by `docusaurus start` (the dev server), **not** the production build, so its `uuid` path is validated by changelog review (named `.v4()` usage) rather than by the build. Functionally low-risk, but flagging for transparency.

### ADDITIONAL INFORMATION

- [ ] Has associated issue: n/a
- [ ] Required feature flags: n/a
- [ ] Changes UI: No
- [ ] Includes DB Migration: No
- [ ] Introduces new feature or API: No
- [ ] Removes existing feature or API: No

🤖 Generated with [Claude Code](https://claude.com/claude-code)

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
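A `resolutions` override only helps if the lockfile on disk actually collapsed every `uuid` request onto the pinned version. The following POSIX shell check, added here as an example and not part of the pull request or the Superset project, parses a `yarn.lock` and reports every distinct version a package resolves to, failing if any differ from the expected pin. The two lockfile snippets inside it are constructed samples (one in Yarn Berry syntax where the pin holds, one in Yarn classic syntax where a stale `8.3.2` entry remains), not the real `docs/yarn.lock`; the parser assumes the usual `version "x"` (classic) and `version: x` (Berry) entry shape and nothing else about the file.

```shell
#!/bin/sh
# Added example (not from the PR): confirm that every lockfile entry for a
# package resolves to the version a yarn `resolutions` override is meant to pin.
# Handles Yarn classic (`version "8.3.2"`) and Yarn Berry (`version: 8.3.2`)
# entry syntax; only the "<pkg>@..." header and its version line are inspected.

# check_pin LOCKFILE PACKAGE VERSION
# Prints each distinct version PACKAGE resolves to; returns 1 if any differs
# from VERSION, 2 if the package has no entry at all.
check_pin() {
  lock=$1
  pkg=$2
  want=$3
  found=$(awk -v pkg="$pkg" '
    # Entry headers start at column 0 (optionally quoted); everything else is
    # indented or a comment. Remember whether the current entry is PACKAGE.
    NF > 0 && $0 !~ /^[[:space:]#]/ {
      hdr = $0
      sub(/^"/, "", hdr)
      in_pkg = (index(hdr, pkg "@") == 1)
      next
    }
    # Inside a matching entry, the version line is `version "x"` (classic)
    # or `version: x` (Berry); strip the quotes and emit the bare version.
    in_pkg && $1 ~ /^version:?$/ {
      v = $2
      gsub(/"/, "", v)
      print v
    }
  ' "$lock" | sort -u)

  if [ -z "$found" ]; then
    echo "no entries for $pkg in $lock" >&2
    return 2
  fi

  status=0
  for v in $found; do
    if [ "$v" = "$want" ]; then
      echo "ok: $pkg resolves to $v"
    else
      echo "MISMATCH: $pkg resolves to $v, expected $want" >&2
      status=1
    fi
  done
  return $status
}

# Constructed sample: Yarn Berry lockfile after the override, every uuid
# descriptor collapsed onto 11.1.1 (shape assumed, not copied from docs/yarn.lock).
write_pinned_sample() {
  cat >"$1" <<'EOF'
__metadata:
  version: 8

"postman-collection@npm:4.4.0":
  version: 4.4.0
  dependencies:
    uuid: "npm:11.1.1"

"uuid@npm:11.1.1, uuid@npm:8.3.2, uuid@npm:^8.3.2":
  version: 11.1.1
  resolution: "uuid@npm:11.1.1"
EOF
}

# Constructed sample: Yarn classic lockfile before the override, where the
# transitive 8.3.2 request still resolves to 8.3.2 alongside an 11.x entry.
write_stale_sample() {
  cat >"$1" <<'EOF'
# yarn lockfile v1

uuid@8.3.2, uuid@^8.3.2:
  version "8.3.2"
  resolved "https://registry.example/uuid-8.3.2.tgz"

uuid@^11.1.0:
  version "11.1.1"
  resolved "https://registry.example/uuid-11.1.1.tgz"
EOF
}

# Stand-alone demo on the pinned sample; against a real checkout you would run:
#   check_pin docs/yarn.lock uuid 11.1.1
demo_dir=$(mktemp -d)
write_pinned_sample "$demo_dir/yarn.lock"
check_pin "$demo_dir/yarn.lock" uuid 11.1.1
rm -rf "$demo_dir"
```

Run it after `yarn install --immutable` so the check reflects the committed lockfile rather than a local resolution; a non-zero exit on the stale sample shows the shape of failure you would see if some consumer's `uuid` descriptor escaped the override.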
