[ https://issues.apache.org/jira/browse/ATLAS-5212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18060719#comment-18060719 ]

ASF subversion and git services commented on ATLAS-5212:
--------------------------------------------------------

Commit 106c18eb56a0762312e30bb6dcfacbd3c69303cd in atlas's branch refs/heads/dependabot/npm_and_yarn/dashboardv2/public/js/external_lib/atlas-lineage/ajv-6.14.0 from Prasad Pawar
[ https://gitbox.apache.org/repos/asf?p=atlas.git;h=106c18eb5 ]

ATLAS-5212: ATLAS UI: Upgrade direct package dependencies to address Dependabot 
alerts (#536)



> ATLAS UI: Upgrade direct package dependencies to address Dependabot alerts
> --------------------------------------------------------------------------
>
>                 Key: ATLAS-5212
>                 URL: https://issues.apache.org/jira/browse/ATLAS-5212
>             Project: Atlas
>          Issue Type: Task
>          Components: atlas-webui
>    Affects Versions: 3.0.0
>            Reporter: Prasad P. Pawar
>            Assignee: Prasad P. Pawar
>            Priority: Major
>              Labels: Atlas-UI
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
>  
> Upgrade direct package dependencies to newer versions as recommended by 
> Dependabot. This includes axios, d3, lodash, react-router-dom, underscore, 
> requirejs, grunt-contrib-htmlmin, and gh-pages. Additionally, deprecated 
> underscore methods (_.contains, _.pluck) were migrated to _.includes and 
> _.map for future compatibility.
>  
> {code:java}
> Package: axios
> Version Upgrade: 1.8.4 → 1.13.1
> Dependabot Reference:
> https://github.com/apache/atlas/security/dependabot/458
> {code}
>  
> {code:java}
> Package:  d3
> Version Upgrade: 5.14.2 → 5.16.0
> Dependabot References:
> https://github.com/apache/atlas/security/dependabot/353
> https://github.com/apache/atlas/security/dependabot/341
> https://github.com/apache/atlas/security/dependabot/132
> https://github.com/apache/atlas/security/dependabot/127
> {code}
>  
> {code:java}
> Package: lodash
> Version Upgrade: 4.17.21 → 4.17.23
> Dependabot References:
> https://github.com/apache/atlas/security/dependabot/348
> https://github.com/apache/atlas/security/dependabot/8
> {code}
>  
> {code:java}
> Package: react-router-dom
> Version Upgrade: 6.22.3 → 6.30.3
> Dependabot Reference:
> https://github.com/apache/atlas/security/dependabot/491
> {code}
>  
> {code:java}
> Package: underscore
> Version Upgrade: 1.13.1 → 1.13.7
> Dependabot Reference:
> https://github.com/apache/atlas/security/dependabot/66
> {code}
>  
> {code:java}
> Package: requirejs
> Version Upgrade: 2.3.3 → 2.3.8
> Dependabot Reference:
> https://github.com/apache/atlas/security/dependabot/231
> {code}
>  
> {code:java}
> Package: grunt-contrib-htmlmin
> Version Upgrade: 2.2.0 → 3.1.0
> Dependabot Reference:
> https://github.com/apache/atlas/security/dependabot/326
> {code}
>  
> {code:java}
> Package: gh-pages
> Version Upgrade: 2.0.1 → 5.0.0
> Dependabot Reference:
> https://github.com/apache/atlas/security/dependabot/327
> {code}
> h1. Version Change Details – Key Packages
> Below are the major dependency updates along with impact analysis and applied 
> fixes:
> ----
> ||Package||Changes in New Version||Files Affected||Fix Applied||
> |*axios*|• Introduced {{AxiosError}} native error handling • {{allowAbsoluteUrls}} config added (v1.8.0) • HTTP/2 support added (v1.13.0)|{{fetchApi.ts}}, {{TeamList/index.js}}|No code changes required; API remains compatible|
> |*d3*|• Improvements in {{d3-color}} • No breaking API changes within 5.x versions|{{RelationshipLineage.tsx}}, {{nv.d3.js}}, {{RelationshipLayoutView.js}}|Retained v5.x; {{@types/d3}} pinned to 5.16.5|
> |*lodash*|• Patch fixes in {{_.unset}}, {{_.omit}} • No API changes|{{atlas-lineage}}, {{docs}}|No code changes required|
> |*react-router-dom*|• Stable 6.x release • No breaking changes|All dashboard routing modules|No code changes required|
> |*underscore*|• Patch release • Deprecated: {{_.contains}} → {{_.includes}} • Deprecated: {{_.pluck}} → {{_.map}}|{{dashboardv2}} views|Migrated deprecated methods|
> |*requirejs*|• Optimizer updates|{{dashboardv2}} module loader|No code changes required|
> |*grunt-contrib-htmlmin*|• Requires Node.js ≥ 6 • Uses {{html-minifier}} v4|{{gruntfile.js}}|Existing options ({{removeComments}}, {{collapseWhitespace}}) remain supported|
> Apply npm overrides for transitive dependencies in the dashboard and docs to 
> address Dependabot alerts. This ensures build tools and their dependencies 
> use recommended versions.
> **Fix Applied (dashboard/package.json):**
>  
> {code:java}
> "overrides": { "loader-utils": "3.2.1", "semver": "7.5.4", "json5": "2.2.3", "braces": "3.0.3" }
> {code}
>  
> **Fix Applied (docs/package.json):**
>  
> {code:java}
> "overrides": { "braces": "^3.0.3", "cross-spawn": "^7.0.6", "ejs": "^3.1.10" }
> {code}
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
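
An npm `overrides` entry like the ones quoted in the issue only helps if the resolved tree honours it, so the lockfile is worth checking after the upgrade. The following is an added example, not code from the issue or from the Atlas repository: it assumes the lockfileVersion 2/3 `packages` layout, the function names are hypothetical, and the sample lockfile is constructed.

```javascript
// Added example: check that npm "overrides" took effect in a lockfile.
// Assumes the lockfileVersion 2/3 layout: a "packages" map keyed by install path.
const DASHBOARD_OVERRIDES = { // values from the issue's dashboard/package.json
  "loader-utils": "3.2.1", "semver": "7.5.4", "json5": "2.2.3", "braces": "3.0.3"
};

function parseVersion(v) { // "1.2.3-beta" -> [1, 2, 3]
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Handles the two range forms on the page: exact "x.y.z" and caret "^x.y.z".
function satisfies(version, range) {
  const caret = range.startsWith("^");
  const base = parseVersion(caret ? range.slice(1) : range);
  const got = parseVersion(version);
  if (!caret) return compare(got, base) === 0;
  if (base[0] === 0) throw new Error("caret on 0.x not handled here");
  return got[0] === base[0] && compare(got, base) >= 0;
}

// Every installed copy of an overridden package that misses its override.
function findOverrideViolations(lock, overrides) {
  const marker = "node_modules/", out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(marker);
    if (idx === -1 || !entry.version) continue; // root project entry
    const name = path.slice(idx + marker.length); // nested and scoped names
    if (!Object.prototype.hasOwnProperty.call(overrides, name)) continue;
    if (!satisfies(entry.version, overrides[name]))
      out.push({ path, installed: entry.version, required: overrides[name] });
  }
  return out;
}

const SAMPLE_LOCK = { // constructed sample, not from the Atlas repository
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-dashboard", version: "0.0.0" },
    "node_modules/json5": { version: "2.2.3" },
    "node_modules/old-tool/node_modules/json5": { version: "1.0.1" },
    "node_modules/old-tool/node_modules/semver": { version: "5.7.1" }
  }
};
console.log(findOverrideViolations(SAMPLE_LOCK, DASHBOARD_OVERRIDES));
```

A non-empty result means a nested copy escaped the override, which is the case a top-level `npm ls` glance tends to miss.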
