rusackas opened a new pull request, #41307: URL: https://github.com/apache/superset/pull/41307
### SUMMARY

Clears a batch of open [Dependabot security alerts](https://github.com/apache/superset/security/dependabot) for **transitive** npm/yarn dependencies by pinning patched versions via npm `overrides` / yarn `resolutions`. No direct/runtime API changes: all bumps are same-major (except `ws` for one dev-only consumer, see below) and the lockfiles are regenerated with the repo's pinned toolchain (node 24 / npm 11 / yarn 1.22).

Alerts addressed (10 of the 16 open npm/yarn alerts):

| Lockfile | Package | Patched version | Advisories |
|---|---|---|---|
| `superset-frontend/package-lock.json` | dompurify | 3.4.11 | GHSA-cmwh-pvxp-8882, GHSA-vxr8-fq34-vvx9, GHSA-gvmj-g25r-r7wr |
| | esbuild | 0.28.1 | GHSA-g7r4-m6w7-qqqr |
| | http-proxy-middleware | 2.0.10 | GHSA-64mm-vxmg-q3vj |
| | tar | 7.5.16 | GHSA-vmf3-w455-68vh |
| `docs/yarn.lock` | ws | 8.21.0 | GHSA-96hv-2xvq-fx4p (×2, **HIGH**) |
| `superset-websocket/package-lock.json` | @babel/core | 7.29.7 | GHSA-4x5r-pxfx-6jf8 |
| `superset-frontend/cypress-base/package-lock.json` | @babel/core | 7.29.7 | GHSA-4x5r-pxfx-6jf8 |

**Notes / deliberate decisions:**

- **`js-yaml` (GHSA-h67p-54hq-rp68) is intentionally left out.** The only patched release is `4.2.0`, but the remaining vulnerable instance everywhere is `[email protected]`, pulled in by `@istanbuljs/load-nyc-config` (jest coverage tooling), which relies on the v3 API (`safeLoad`) removed in v4. Forcing v4 globally breaks the build. It needs upstream consumer upgrades and is better handled separately. This also leaves `superset-embedded-sdk` (js-yaml-only) untouched.
- **`docs` `ws`:** yarn classic (1.22) can only force a single version globally, so all `ws` consumers (storybook, webpack-dev-server, and webpack-bundle-analyzer) move to `8.21.0`. webpack-bundle-analyzer's declared range was `^7.3.1`, but it's a dev-only tool used only in optional `analyze` mode and its `WebSocket.Server` usage is compatible across ws 7→8.
- **Flask / PyJWT (pip alerts)** are out of scope here: PyJWT is already handled in #41288, and the Flask alert requires the in-progress 2.x→3.x major upgrade.

### TESTING INSTRUCTIONS

Lockfile-only changes; CI exercises the affected toolchains. Locally:

- `cd superset-frontend && npm ci && npm run build` / `npm run test`
- `cd superset-websocket && npm ci && npm run test`
- `cd docs && yarn install && yarn build`

After merge, the listed Dependabot alerts should auto-close.

### ADDITIONAL INFORMATION

- [ ] Has associated issue:
- [ ] Required feature flags:
- [ ] Changes UI
- [ ] Includes DB Migration
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API

🤖 Generated with [Claude Code](https://claude.com/claude-code)
