[ https://issues.apache.org/jira/browse/ATLAS-5307?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Prasad P. Pawar updated ATLAS-5307:
-----------------------------------
Description:
Address high-priority automated dependency review findings for the React UI
({{{}dashboard/{}}}), classic UI ({{{}dashboardv2/{}}}), and documentation site
({{{}docs/{}}}). Bump direct and transitive npm packages to patched versions
and refresh lockfiles so builds stay reproducible.
h3. Scope
||Area||Manifests updated||
|React dashboard|{{{}dashboard/package.json{}}},
{{dashboard/package-lock.json}}|
|Lineage bundle
(dashboard)|{{{}dashboard/src/views/Lineage/atlas-lineage/package.json{}}},
{{package-lock.json}}|
|Classic UI|{{{}dashboardv2/package.json{}}}, {{dashboardv2/package-lock.json}}|
|Lineage bundle
(dashboardv2)|{{{}dashboardv2/public/js/external_lib/atlas-lineage/package.json{}}},
{{package-lock.json}}|
|Documentation site|{{{}docs/package.json{}}}, {{docs/package-lock.json}}|
|Build tooling|Root {{pom.xml}} — RAT excludes for generated webpack/docz
output only (no runtime dependency change)|
h3. Package updates (frontend)
dashboard
* {{vite}} 6.4.1 → 6.4.2 (dev server file access hardening)
* {{axios}} 1.13.5 → 1.15.2
* {{lodash}} / {{lodash-es}} overrides → 4.18.1
* {{flatted}} override → 3.4.2 (eslint transitive)
dashboard + dashboardv2 atlas-lineage
* {{@babel/core}} 7.29.0, {{@babel/preset-env}} 7.29.5
* Overrides: {{lodash}} 4.18.1, {{serialize-javascript}} 7.0.3,
{{@babel/plugin-transform-modules-systemjs}} 7.29.4
dashboardv2
* {{lodash}} override 4.17.23 → 4.18.1
docs
* {{axios}} 1.13.5 → 1.15.2
* Overrides: {{node-forge}} 1.4.0, {{lodash}} 4.18.1,
{{@babel/plugin-transform-modules-systemjs}} 7.29.4, {{serialize-javascript}}
7.0.3, {{fast-uri}} 3.1.2, {{picomatch}} 2.3.2
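Added example, not Atlas code and not part of this change: a Node.js script that walks a lockfile's {{packages}} map and reports any installed copy of the bumped packages that is still below the version listed above, including nested copies that an override must also cover. The lockfile embedded in the script is a constructed sample, and the {{compareVersions}} / {{auditLockfile}} helpers are this example's own.

```javascript
// Added example, not Atlas code: audit an npm lockfile (v2/v3 "packages" map)
// for every installed copy of the bumped packages and report any copy still
// below the patched floor. MIN_VERSIONS are the versions listed in this issue;
// SAMPLE_LOCK is a constructed lockfile, not a real Atlas package-lock.json.

const MIN_VERSIONS = {
  vite: "6.4.2",
  axios: "1.15.2",
  lodash: "4.18.1",
  "lodash-es": "4.18.1",
  flatted: "3.4.2",
  "serialize-javascript": "7.0.3",
  "@babel/plugin-transform-modules-systemjs": "7.29.4",
  "node-forge": "1.4.0",
  "fast-uri": "3.1.2",
  picomatch: "2.3.2",
};

// Split "1.15.2-beta.1" into numeric core [1, 15, 2] and pre-release tag "beta.1".
function parseVersion(v) {
  const dash = v.indexOf("-");
  const core = dash < 0 ? v : v.slice(0, dash);
  const pre = dash < 0 ? "" : v.slice(dash + 1);
  return { nums: core.split(".").map((n) => parseInt(n, 10) || 0), pre };
}

// Returns -1, 0 or 1. A pre-release sorts below the bare release of the same core.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa.nums[i] || 0) - (pb.nums[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === "") return 1;
  if (pb.pre === "") return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Lockfile keys look like "node_modules/lodash" or
// "node_modules/react-quill-new/node_modules/lodash-es"; the package name is
// everything after the last "node_modules/" (scoped names keep their "@org/").
function packageNameFromKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx < 0 ? null : key.slice(idx + marker.length);
}

// One finding per installed copy (nested copies included) below its floor.
function auditLockfile(lock, minVersions = MIN_VERSIONS) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromKey(key);
    if (!name || !(name in minVersions) || !entry.version) continue;
    if (compareVersions(entry.version, minVersions[name]) < 0) {
      findings.push({ path: key, name, found: entry.version, required: minVersions[name] });
    }
  }
  return findings;
}

// Constructed sample: one nested lodash-es copy was not covered by the override.
const SAMPLE_LOCK = {
  name: "atlas-ui-sample",
  lockfileVersion: 3,
  packages: {
    "": { name: "atlas-ui-sample", dependencies: { axios: "^1.15.2", vite: "^6.4.2" } },
    "node_modules/axios": { version: "1.15.2" },
    "node_modules/vite": { version: "6.4.2" },
    "node_modules/lodash": { version: "4.18.1" },
    "node_modules/react-quill-new/node_modules/lodash-es": { version: "4.17.23" },
    "node_modules/@babel/plugin-transform-modules-systemjs": { version: "7.29.4" },
    "node_modules/picomatch": { version: "4.0.2" },
  },
};

// Usage: node audit-lockfile.js [path/to/package-lock.json]; with no argument the
// constructed sample is audited. A real lockfile with findings exits non-zero for CI.
if (typeof require !== "undefined" && require.main === module) {
  const lockPath = process.argv[2];
  const lock = lockPath ? JSON.parse(require("fs").readFileSync(lockPath, "utf8")) : SAMPLE_LOCK;
  const findings = auditLockfile(lock);
  for (const f of findings) {
    console.log(`${f.path}: ${f.name} ${f.found} is below required ${f.required}`);
  }
  console.log(findings.length === 0 ? "lockfile OK" : `${findings.length} finding(s)`);
  if (lockPath && findings.length > 0) process.exitCode = 1;
}
```

Running it against each of the five lockfiles named in the Scope table (dashboard, both atlas-lineage bundles, dashboardv2, docs) is the quick way to confirm that an override really reached every nested copy, which is the property the refreshed lockfiles are meant to guarantee.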
h3. 1. Direct dependencies (app code uses these)
||Package||Old → New||Used in project||API / method usage||Code change needed?||
|vite|6.4.1 → 6.4.2|{{dashboard/vite.config.ts}}|{{{}defineConfig{}}},
{{{}server.host{}}}, {{{}server.proxy{}}}, {{{}build.rollupOptions{}}},
{{resolve.alias}}|No — patch release; dev-server hardening only|
|axios|1.13.5 → 1.15.2|{{{}dashboard/src/api/apiMethods/fetchApi.ts{}}}, type
imports in 3 other TS files; {{docs/theme/.../TeamList}} (import only,
unused)|{{{}axios(){}}}, {{{}axios.isAxiosError(){}}},
{{{}AxiosRequestConfig{}}}, {{{}AxiosResponse{}}}, {{{}error.response{}}},
{{error.code}}|No — same public API; {{tsc}} passes|
Dashboard axios call sites
** {{fetchApi.ts}} — main HTTP wrapper
** {{{}FormAutocomplete.tsx{}}}, {{{}QuickSearch.tsx{}}}, {{Labels.tsx}} —
{{AxiosResponse}} typing only
----
h3. 2. Overrides / transitive (not imported directly in app source)
||Package||Old → New||Role||Direct imports in Atlas source?||Code change
needed?||
|lodash / lodash-es|4.17.23 → 4.18.1|{{dashboardv2}} (via underscore/lodash
global), {{{}docs/theme{}}}, lineage via {{{}dagre-d3{}}},
{{react-quill-new}}|Yes — see below|No for current usage|
|flatted|3.3.3 → 3.4.2|ESLint transitive ({{{}dashboard{}}})|No|No|
|serialize-javascript|4.x → 7.0.3|Webpack 4 / terser (lineage bundles)|No|No —
lineage webpack build passes|
|@babel/plugin-transform-modules-systemjs|7.29.0 → 7.29.4|Transitive via
{{@babel/preset-env}}|No — webpack uses {{preset-env}} +
{{transform-class-properties}} only|No|
|@babel/core / preset-env|7.23.2 → 7.29.0 / 7.29.5|Lineage
{{babel-loader}}|{{{}presets: ["@babel/preset-env"]{}}}, {{plugins:
["@babel/plugin-transform-class-properties"]}}|No|
|node-forge|1.3.2 → 1.4.0|Docz / webpack-dev-server transitive|No|No|
|fast-uri|3.1.0 → 3.1.2|Docz transitive|No|No|
|picomatch|2.3.1 → 2.3.2|Docz / tooling transitive|No|No|
----
h3. 3. Lodash — only area with _behavioral_ changes (not renames)
4.18.1 tightens behavior in two APIs. No method that Atlas uses was renamed or
removed.
||Lodash API||Change in 4.18.x||Used in Atlas?||Impact on Atlas||
|{{_.unset}} / {{_.omit}}|Blocks {{constructor}} / {{prototype}} as path keys
(prototype-pollution hardening)|{{_.omit}} used widely in dashboardv2
({{{}Utils.js{}}}, {{{}GlossaryLayoutView.js{}}}, {{{}TableLayout.js{}}},
audit/search views, etc.) with normal keys ({{{}typeName{}}}, {{{}guid{}}},
{{{}limit{}}}, …)|No impact — paths are plain property names, not
{{{}constructor{}}}/{{{}prototype{}}}|
|{{_.template}}|Stricter validation of {{options.imports}} keys; throws on
forbidden identifiers|{{_.template(...)}} in dashboardv2
({{{}BackgridHeader.js{}}}, search/audit column buttons,
{{{}Backgrid.ColumnManager.js{}}}) with static template strings, no custom
{{imports}}|No impact|
|{{{}_.get{}}}, {{{}_.extend{}}}, {{{}_.each{}}}, {{{}_.sortBy{}}},
{{{}_.isArray{}}}, {{{}_.isEmpty{}}}, {{{}_.has{}}}, {{{}_.union{}}},
{{{}_.keys{}}}, {{{}_.pick{}}}, {{{}_.flatten{}}}, fp helpers|Unchanged
signatures|docs/theme, dashboardv2, GlossaryExport.js|No impact|
|{{_.numberFormatWithComma}}|Custom mixin in
{{dashboardv2/public/js/utils/Helper.js}} (not core lodash)|Statistics, search,
glossary views|No impact|
React dashboard ({{{}dashboard/src{}}}) does not import lodash directly; it
gets lodash-es only transitively through react-quill-new (standard lodash-es
APIs).
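Added example, not Atlas code: a Node.js audit, modeled on the two 4.18.x changes in the table above, that flags {{_.omit}} / {{_.unset}} paths containing {{constructor}}, {{prototype}} or {{__proto__}} segments and {{_.template}} {{imports}} keys that are not plain identifiers. The call-site inventory is constructed, the helper names ({{toPath}}, {{findRiskyPaths}}, {{findRiskyImportKeys}}, {{auditLodashUsage}}) are this example's own, and the forbidden-name set is a conservative choice for the audit rather than a copy of lodash's internal check.

```javascript
// Added example, not Atlas code: a pre-upgrade audit of how code calls _.omit /
// _.unset and _.template, modeled on the two lodash 4.18.x changes described
// above. FORBIDDEN_SEGMENTS is this example's own conservative list, not a copy
// of lodash's internal check; the call-site inventories are constructed samples.

const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Split a lodash-style path ("attributes.qualifiedName", "a[0].b", or an array
// of keys) into the segments that are walked before a key is read or deleted.
function toPath(path) {
  if (Array.isArray(path)) return path.map(String);
  return String(path)
    .replace(/\[(\d+)\]/g, ".$1") // a[0].b -> a.0.b
    .split(".")
    .filter((seg) => seg.length > 0);
}

// Paths that would reach a prototype hook; 4.18.x refuses these, so any hit is
// a call site whose behaviour changes after the bump.
function findRiskyPaths(paths) {
  return paths.filter((p) => toPath(p).some((seg) => FORBIDDEN_SEGMENTS.has(seg)));
}

// options.imports keys become identifiers inside the compiled template function,
// so a key must be a plain identifier and must not name a prototype hook.
const IDENTIFIER = /^[A-Za-z_$][\w$]*$/;
function findRiskyImportKeys(imports) {
  return Object.keys(imports || {}).filter(
    (key) => !IDENTIFIER.test(key) || FORBIDDEN_SEGMENTS.has(key)
  );
}

// Constructed inventory shaped like the dashboardv2 call sites listed above; the
// "example-bad-*" entries are not Atlas code and only show what the audit flags.
const OMIT_CALL_SITES = [
  { file: "Utils.js", keys: ["typeName", "guid", "limit"] },
  { file: "TableLayout.js", keys: ["offset", "attributes.qualifiedName"] },
  { file: "example-bad-omit.js", keys: ["constructor.prototype.isAdmin", "items[0].__proto__"] },
];

const TEMPLATE_CALL_SITES = [
  { file: "BackgridHeader.js", imports: undefined }, // static template, default imports
  { file: "example-bad-template.js", imports: { "1bad": 1, constructor: Object, escape: String } },
];

// One finding per risky argument so a reviewer can go straight to the file.
function auditLodashUsage(omitSites = OMIT_CALL_SITES, templateSites = TEMPLATE_CALL_SITES) {
  const findings = [];
  for (const site of omitSites) {
    for (const p of findRiskyPaths(site.keys)) {
      findings.push({ file: site.file, api: "_.omit/_.unset", value: p });
    }
  }
  for (const site of templateSites) {
    for (const key of findRiskyImportKeys(site.imports)) {
      findings.push({ file: site.file, api: "_.template imports", value: key });
    }
  }
  return findings;
}

if (typeof require !== "undefined" && require.main === module) {
  const found = auditLodashUsage();
  for (const f of found) console.log(`${f.file}: ${f.api} uses "${f.value}"`);
  console.log(found.length === 0 ? "no affected call sites" : `${found.length} call site(s) to review`);
}
```

With the Atlas-shaped entries only the audit returns nothing, which is the "No impact" conclusion in the table above; the two constructed bad entries show the shapes (a path through {{constructor}}/{{prototype}}, an {{imports}} key that is not an identifier) that would now need attention.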
----
h3. 4. Axios — internal hardening only (no renames in our usage)
Upgrading 1.13.5 → 1.15.2 adds or fixes internal handling (e.g. {{{}mergeConfig{}}},
proxy loopback normalization, prototype-pollution guards). The public methods we
use are unchanged:
** {{axios(config)}}
** {{axios.isAxiosError(error)}}
** Types: {{{}AxiosRequestConfig{}}}, {{AxiosResponse}}
No Atlas file needs updates for renamed axios methods.
----
h3. 5. Vite — patch only
6.4.1 → 6.4.2 fixes dev-server WebSocket {{fetchModule}} path when
{{server.host}} is exposed. Config in {{vite.config.ts}} is unchanged and valid.
was:
Address high-priority automated dependency review findings for the React UI
({{{}dashboard/{}}}), classic UI ({{{}dashboardv2/{}}}), and documentation site
({{{}docs/{}}}). Bump direct and transitive npm packages to patched versions
and refresh lockfiles so builds stay reproducible.
h3. Scope
||Area||Manifests updated||
|React dashboard|{{{}dashboard/package.json{}}},
{{dashboard/package-lock.json}}|
|Lineage bundle
(dashboard)|{{{}dashboard/src/views/Lineage/atlas-lineage/package.json{}}},
{{package-lock.json}}|
|Classic UI|{{{}dashboardv2/package.json{}}}, {{dashboardv2/package-lock.json}}|
|Lineage bundle
(dashboardv2)|{{{}dashboardv2/public/js/external_lib/atlas-lineage/package.json{}}},
{{package-lock.json}}|
|Documentation site|{{{}docs/package.json{}}}, {{docs/package-lock.json}}|
|Build tooling|Root {{pom.xml}} — RAT excludes for generated webpack/docz
output only (no runtime dependency change)|
h3. Package updates (frontend)
dashboard
* {{vite}} 6.4.1 → 6.4.2 (dev server file access hardening)
* {{axios}} 1.13.5 → 1.15.2
* {{lodash}} / {{lodash-es}} overrides → 4.18.1
* {{flatted}} override → 3.4.2 (eslint transitive)
dashboard + dashboardv2 atlas-lineage
* {{@babel/core}} 7.29.0, {{@babel/preset-env}} 7.29.5
* Overrides: {{lodash}} 4.18.1, {{serialize-javascript}} 7.0.3,
{{@babel/plugin-transform-modules-systemjs}} 7.29.4
dashboardv2
* {{lodash}} override 4.17.23 → 4.18.1
docs
* {{axios}} 1.13.5 → 1.15.2
* Overrides: {{node-forge}} 1.4.0, {{lodash}} 4.18.1,
{{@babel/plugin-transform-modules-systemjs}} 7.29.4, {{serialize-javascript}}
7.0.3, {{fast-uri}} 3.1.2, {{picomatch}} 2.3.2
> Atlas UI: Update frontend npm dependencies in dashboard, dashboardv2, and docs
> ------------------------------------------------------------------------------
>
> Key: ATLAS-5307
> URL: https://issues.apache.org/jira/browse/ATLAS-5307
> Project: Atlas
> Issue Type: Bug
> Components: atlas-webui
> Affects Versions: 3.0.0
> Reporter: Prasad P. Pawar
> Assignee: Prasad P. Pawar
> Priority: Major
--
This message was sent by Atlassian Jira
(v8.20.10#820010)