sarutak opened a new pull request, #53472:
URL: https://github.com/apache/spark/pull/53472

   ### What changes were proposed in this pull request?
   This PR proposes to upgrade `js-yaml`, which is used for the JS linter, to `3.14.2`.
   This change is done by `npm --prefix dev audit fix`.
   
   ### Why are the changes needed?
   To suppress a warning.
   When we run lint-js, we will see the following warning.
   ```
   $ dev/lint-js             
   
   added 113 packages, and audited 114 packages in 623ms
   
   15 packages are looking for funding
     run `npm fund` for details
   
   1 moderate severity vulnerability
   
   To address all issues, run:
     npm audit fix
   
   Run `npm audit` for details.
   lint-js checks passed.
   ```
   
   The reason is that there is a known security issue in js-yaml 3.14.1.
   The issue itself has almost no effect on Spark because lint-js is used only in the test phase.
   
   ```
   $ npm --prefix dev/ audit
   # npm audit report
   
   js-yaml  <3.14.2
   Severity: moderate
   js-yaml has prototype pollution in merge (<<) - https://github.com/advisories/GHSA-mh29-5h37-fv8m
   fix available via `npm audit fix`
   node_modules/js-yaml
   
   1 moderate severity vulnerability
   
   To address all issues, run:
     npm audit fix
   ```
   
   ### Does this PR introduce _any_ user-facing change?
   No.
   
   ### How was this patch tested?
   After upgrading `js-yaml`, we don't see the warning.
   ```
   $ npm --prefix dev audit
   found 0 vulnerabilities
   ```
   
   ### Was this patch authored or co-authored using generative AI tooling?
   No.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
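
Added example, not part of the pull request or of Spark's tooling: a lockfile check that reports every installed copy of `js-yaml` below the `3.14.2` floor shown in the audit report, including nested copies that a top-level bump can leave behind. The function names and the sample lockfile are constructed for illustration, and the lockfile is assumed to use the lockfileVersion 2/3 `packages` map.

```javascript
// Floor taken from the audit report on this page ("js-yaml  <3.14.2").
const FIXED = "3.14.2";

// Parse "major.minor.patch" into numbers; any pre-release or build suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric comparison, so "3.9.10" sorts below "3.14.2" (a string compare would not).
function isBelow(version, floor) {
  const a = parseVersion(version);
  const b = parseVersion(floor);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Walk a parsed package-lock.json and return every copy of `name` older than
// `floor`. Keys look like "node_modules/js-yaml" or, for nested copies,
// "node_modules/<parent>/node_modules/js-yaml".
function findOutdated(lock, name, floor) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isTarget =
      path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`);
    if (isTarget && isBelow(meta.version, floor)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample: one stale top-level copy, one fixed nested copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "constructed-example" },
    "node_modules/js-yaml": { version: "3.14.1" },
    "node_modules/some-tool/node_modules/js-yaml": { version: "3.14.2" },
    "node_modules/not-js-yaml": { version: "1.0.0" },
  },
};

console.log(findOutdated(sampleLock, "js-yaml", FIXED));
```

In a real run, pass the result of `JSON.parse` on the contents of `dev/package-lock.json` as the first argument and fail the lint step when the returned list is non-empty.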

