Copilot commented on code in PR #11145:
URL: https://github.com/apache/gravitino/pull/11145#discussion_r3273706088


##########
web-v2/web/package.json:
##########
@@ -74,7 +74,14 @@
     "overrides": {
       "rollup": "^4.59.0",
       "minimatch": "^9.0.7",
-      "ajv": "^6.14.0"
+      "ajv": "^6.14.0",
+      "flatted": "^3.4.2",
+      "tar": "^7.5.11",
+      "undici": "^6.24.0",
+      "postcss": "^8.5.10",
+      "picomatch": "^4.0.4",
+      "yaml": "^1.10.3",
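Review bot: the `"yaml": "^1.10.3"` line pins a major that the lockfile hunk in this same PR shows `postcss-load-config` rejecting (`yaml: ^2.4.2`); a `pnpm.overrides` entry replaces the resolution for every transitive consumer, so this is a forced major downgrade, not a patch bump like the other six. Beyond fixing the range, each of the seven new overrides should be tied to the advisory it addresses in the PR description or commit message (package.json cannot carry comments), because an override keeps masking upstream fixes until someone deliberately removes it.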

Review Comment:
The `pnpm.overrides` entry forces `yaml` to `^1.10.3` (major v1). This is a downgrade from the v2 range previously recorded in the lockfile (e.g., `postcss-load-config` used to declare `yaml: ^2.4.2`), and can cause incompatible resolutions if any dependency requires `yaml@2` APIs. Consider removing this override or bumping it to a compatible v2+ range that addresses the security advisory (e.g., `^2.4.2` or newer), then regenerate the lockfile.



##########
web-v2/web/pnpm-lock.yaml:
##########
@@ -2701,22 +2563,22 @@ packages:
     resolution: {integrity: 
sha512-hpr+J05B2FVYUAXHeK1YyI267J/dDDhMU6B6civm8hSY1jYJnBXxzKDKDswzJmtLHryrjhnDjqqp/49t8FALew==}
     engines: {node: '>=14.0.0'}
     peerDependencies:
-      postcss: ^8.0.0
+      postcss: ^8.5.10
 
   [email protected]:
     resolution: {integrity: 
sha512-oIAOTqgIo7q2EOwbhb8UalYePMvYoIeRY2YKntdpFQXNosSu3vLrniGgmH9OKs/qAkfoj5oB3le/7mINW1LCfw==}
     engines: {node: ^12 || ^14 || >= 16}
     peerDependencies:
-      postcss: ^8.4.21
+      postcss: ^8.5.10
 
   [email protected]:
     resolution: {integrity: 
sha512-oPtTM4oerL+UXmx+93ytZVN82RrlY/wPUV8IeDxFrzIjXOLF1pN+EmKPLbubvKHT2HC20xXsCAH2Z+CKV6Oz/g==}
     engines: {node: '>= 18'}
     peerDependencies:
       jiti: '>=1.21.0'
-      postcss: '>=8.0.9'
+      postcss: ^8.5.10
       tsx: ^4.8.1
-      yaml: ^2.4.2
+      yaml: ^1.10.3
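Review bot: the rewritten `peerDependencies` lines no longer record what these packages actually require (`^8.0.0`, `^8.4.21` and `>=8.0.9` for `postcss`, `^2.4.2` for `yaml`); this is the override propagated into lockfile metadata, not an upstream change, so the review should confirm that the `postcss` and `yaml` entries elsewhere in the lockfile resolve to versions inside the original ranges, and the `yaml: ^1.10.3` line in particular cannot satisfy `^2.4.2`. The hunk header `@@ -2701,22 +2563,22 @@` also shows about 140 lines removed earlier in the file, which is worth confirming as intended dedup rather than dropped packages.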

Review Comment:
`[email protected]` now shows a peer dependency of `yaml: ^1.10.3`, which appears to be a side effect of the new `yaml` override. This effectively forces an older major line of `yaml` and can break tooling that expects `yaml@2` behavior. Please adjust/remove the `yaml` override to keep `yaml` on a compatible major version and regenerate the lockfile so peer dependency metadata matches upstream expectations.
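A small check for the conflict both comments describe, added here as an example and not code from the PR or the gravitino project: it reads the `peerDependencies` blocks of a pnpm-lock.yaml excerpt and flags any `pnpm.overrides` entry whose major is below what a locked package's peer range allows. The lockfile text and the `some-postcss-plugin` name are constructed to mirror the hunks above.

```javascript
// Added check, not part of the PR: constructed inputs mirroring the hunks.
const OVERRIDES = { ajv: "^6.14.0", postcss: "^8.5.10", yaml: "^1.10.3" };
// Upstream (pre-override) peer ranges; package names are illustrative.
const LOCK_EXCERPT = `
packages:
  some-postcss-plugin@1.0.0:
    engines: {node: '>=14.0.0'}
    peerDependencies:
      postcss: ^8.0.0
  postcss-load-config@6.0.1:
    peerDependencies:
      postcss: '>=8.0.9'
      yaml: ^2.4.2
`;

// Lowest major a caret/tilde/>= range can resolve to: ^1.10.3 -> 1, >=8.0.9 -> 8.
function minMajor(range) {
  const m = /(\d+)\.\d+\.\d+/.exec(range);
  return m ? Number(m[1]) : null;
}

// Reads just enough of pnpm-lock.yaml to map each package entry to its
// peerDependencies block: { "name@version": { peerName: range } }.
function parsePeerDeps(text) {
  const peers = {};
  let pkg = null, inPeers = false;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line) continue;
    const indent = raw.length - raw.trimStart().length;
    if (indent === 2 && line.endsWith(":")) { pkg = line.slice(0, -1); inPeers = false; }
    else if (indent === 4) inPeers = line === "peerDependencies:";
    else if (indent === 6 && inPeers && pkg) {
      const [name, range] = line.split(/:\s+/);
      (peers[pkg] = peers[pkg] || {})[name] = range.replace(/^'|'$/g, "");
    }
  }
  return peers;
}

// Every override that pins a lower major than a locked package's peer range allows.
function overrideConflicts(overrides, lockText) {
  const out = [];
  for (const [pkg, deps] of Object.entries(parsePeerDeps(lockText)))
    for (const [name, range] of Object.entries(deps))
      if (overrides[name] && minMajor(overrides[name]) < minMajor(range))
        out.push({ pkg, dep: name, peer: range, override: overrides[name] });
  return out;
}
```

Only downgrades are reported; an override whose major is above a caret peer range (which `>=` ranges tolerate but `^` ranges do not) is a separate check.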



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
