LuciferYang opened a new pull request, #56560: URL: https://github.com/apache/spark/pull/56560
### What changes were proposed in this pull request?

This clears the `npm audit` warnings in the two npm projects in the repo, `ui-test` and `dev`.

The common one is `js-yaml`. Both projects depend on it transitively pinned to `^3.13.1` (via `@istanbuljs/load-nyc-config` in `ui-test`, and `eslint`/`@eslint/eslintrc` in `dev`), and the only release that fixes GHSA-h67p-54hq-rp68 is `4.2.0`, which is outside that range. `npm audit fix` can only reach it with `--force`, which downgrades jest to 25 and upgrades eslint to 10. To avoid that, both `package.json` files add an `overrides` entry pinning `js-yaml` to `^4.2.0`.

`ui-test` has three more advisories that `npm audit fix` resolves in range: `ws` to 8.21.0, `@babel/core` to 7.29.7, and `brace-expansion` to patched releases. Regenerating the lockfile also moves the jest packages from 30.2.0 to 30.4.x; `jest-environment-jsdom` is bumped to 30.4.1 to match the jest core, since a version skew there breaks the test run.

### Why are the changes needed?

`npm audit` reports 20 vulnerabilities in `ui-test` and 3 in `dev`, including a high-severity `ws` advisory. These are dev/test-only dependencies, but it is worth keeping the audit clean.

### Does this PR introduce _any_ user-facing change?

No.

### How was this patch tested?

`npm audit` reports 0 vulnerabilities in both projects. The `ui-test` jest suite (19 tests) and `dev/lint-js` both pass, and `npm ci` succeeds in both.

### Was this patch authored or co-authored using generative AI tooling?

Generated-by: Claude Code (Claude Opus 4.8)
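As an added check, not code from the PR or from Spark: a script that walks a `package-lock.json` `packages` map and reports every installed copy of `js-yaml`, nested ones included, that is still below 4.2.0, then models what an `overrides` entry does to that map. The lockfile fragment is constructed, and `apply_override` is a simplified model of npm's behaviour (nested copies removed, root copy pinned), not npm itself.

```python
import json

# Constructed package-lock.json fragment (lockfileVersion 3 layout, not the
# real Spark lockfile): the root js-yaml is already patched, but the ^3.13.1
# range from @istanbuljs/load-nyc-config pulled in a nested, unpatched copy.
LOCK_BEFORE_OVERRIDE = json.loads("""{
  "name": "ui-test", "lockfileVersion": 3,
  "packages": {
    "": {"name": "ui-test", "devDependencies": {"jest": "^30.4.0"}},
    "node_modules/js-yaml": {"version": "4.2.0"},
    "node_modules/@istanbuljs/load-nyc-config": {"version": "1.1.0"},
    "node_modules/@istanbuljs/load-nyc-config/node_modules/js-yaml": {"version": "3.14.1"}
  }
}""")


def parse_version(text):
    """'4.2.0' -> (4, 2, 0); any prerelease or build suffix is dropped."""
    core = text.split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def _is_copy_of(path, package):
    # Matches the root copy and any nested copy under another package.
    suffix = "node_modules/" + package
    return path == suffix or path.endswith("/" + suffix)


def find_unpatched(lock, package, min_version):
    """Return [(lockfile path, version)] for every installed copy of `package`
    whose version is below `min_version`. `npm audit` flags exactly these."""
    hits = []
    for path, entry in lock.get("packages", {}).items():
        if _is_copy_of(path, package):
            version = entry.get("version", "0")
            if parse_version(version) < parse_version(min_version):
                hits.append((path, version))
    return hits


def apply_override(lock, package, version):
    """Simplified model of a package.json `overrides` entry (assumption, not
    npm's resolver): nested copies are dropped and the root copy is pinned."""
    patched = json.loads(json.dumps(lock))  # deep copy
    for path in list(patched["packages"]):
        if _is_copy_of(path, package) and path != "node_modules/" + package:
            del patched["packages"][path]
    patched["packages"]["node_modules/" + package] = {"version": version}
    return patched


if __name__ == "__main__":
    for path, version in find_unpatched(LOCK_BEFORE_OVERRIDE, "js-yaml", "4.2.0"):
        print(f"unpatched js-yaml {version} at {path}")
    fixed = apply_override(LOCK_BEFORE_OVERRIDE, "js-yaml", "4.2.0")
    print("after override:", find_unpatched(fixed, "js-yaml", "4.2.0"))
```

Running the same `find_unpatched` check against the real lockfile after `npm ci` confirms the override reached every nested copy, which is the part `npm audit fix` could not do without `--force`.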
