[ https://issues.apache.org/jira/browse/ATLAS-5307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18085718#comment-18085718 ]
ASF subversion and git services commented on ATLAS-5307:
--------------------------------------------------------
Commit 86a375f7ea93447f9b704131e7aca1e6062f93e8 in atlas's branch
refs/heads/atlas-2.6 from Prasad Pawar
[ https://gitbox.apache.org/repos/asf?p=atlas.git;h=86a375f7e ]
ATLAS-5307: Atlas UI: Update frontend npm dependencies in dashboard,
dashboardv2, and docs (#653)
( cherry-picked from commit 81325f2fa7d36f8bb09d9a326538452b6bfcd38d)
> Atlas UI: Update frontend npm dependencies in dashboard, dashboardv2, and docs
> ------------------------------------------------------------------------------
>
> Key: ATLAS-5307
> URL: https://issues.apache.org/jira/browse/ATLAS-5307
> Project: Atlas
> Issue Type: Bug
> Components: atlas-webui
> Affects Versions: 3.0.0
> Reporter: Prasad P. Pawar
> Assignee: Prasad P. Pawar
> Priority: Major
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Address high-priority automated dependency review findings for the React UI ({{dashboard/}}), classic UI ({{dashboardv2/}}), and documentation site ({{docs/}}). Bump direct and transitive npm packages to patched versions and refresh lockfiles so builds stay reproducible.
> h3. Scope
> ||Area||Manifests updated||
> |React dashboard|{{dashboard/package.json}}, {{dashboard/package-lock.json}}|
> |Lineage bundle (dashboard)|{{dashboard/src/views/Lineage/atlas-lineage/package.json}}, {{package-lock.json}}|
> |Classic UI|{{dashboardv2/package.json}}, {{dashboardv2/package-lock.json}}|
> |Lineage bundle (dashboardv2)|{{dashboardv2/public/js/external_lib/atlas-lineage/package.json}}, {{package-lock.json}}|
> |Documentation site|{{docs/package.json}}, {{docs/package-lock.json}}|
> |Build tooling|Root {{pom.xml}} — RAT excludes for generated webpack/docz output only (no runtime dependency change)|
> h3. Package updates (frontend)
> dashboard
> * {{vite}} 6.4.1 → 6.4.2 (dev server file access hardening)
> * {{axios}} 1.13.5 → 1.15.2
> * {{lodash}} / {{lodash-es}} overrides → 4.18.1
> * {{flatted}} override → 3.4.2 (eslint transitive)
> dashboard + dashboardv2 atlas-lineage
> * {{@babel/core}} 7.29.0, {{@babel/preset-env}} 7.29.5
> * Overrides: {{lodash}} 4.18.1, {{serialize-javascript}} 7.0.3, {{@babel/plugin-transform-modules-systemjs}} 7.29.4
> dashboardv2
> * {{lodash}} override 4.17.23 → 4.18.1
> docs
> * {{axios}} 1.13.5 → 1.15.2
> * Overrides: {{node-forge}} 1.4.0, {{lodash}} 4.18.1, {{@babel/plugin-transform-modules-systemjs}} 7.29.4, {{serialize-javascript}} 7.0.3, {{fast-uri}} 3.1.2, {{picomatch}} 2.3.2
> h3. 1. Direct dependencies (app code uses these)
> ||Package||Old → New||Used in project||API / method usage||Code change needed?||
> |vite|6.4.1 → 6.4.2|{{dashboard/vite.config.ts}}|{{defineConfig}}, {{server.host}}, {{server.proxy}}, {{build.rollupOptions}}, {{resolve.alias}}|No — patch release; dev-server hardening only|
> |axios|1.13.5 → 1.15.2|{{dashboard/src/api/apiMethods/fetchApi.ts}}, type imports in 3 other TS files; {{docs/theme/.../TeamList}} (import only, unused)|{{axios()}}, {{axios.isAxiosError()}}, {{AxiosRequestConfig}}, {{AxiosResponse}}, {{error.response}}, {{error.code}}|No — same public API; {{tsc}} passes|
>
> Dashboard axios call sites
> ** {{fetchApi.ts}} — main HTTP wrapper
> ** {{FormAutocomplete.tsx}}, {{QuickSearch.tsx}}, {{Labels.tsx}} — {{AxiosResponse}} typing only
> ----
> h3. 2. Overrides / transitive (not imported directly in app source)
> ||Package||Old → New||Role||Direct imports in Atlas source?||Code change needed?||
> |lodash / lodash-es|4.17.23 → 4.18.1|{{dashboardv2}} (via underscore/lodash global), {{docs/theme}}, lineage via {{dagre-d3}}, {{react-quill-new}}|Yes — see below|No for current usage|
> |flatted|3.3.3 → 3.4.2|ESLint transitive ({{dashboard}})|No|No|
> |serialize-javascript|4.x → 7.0.3|Webpack 4 / terser (lineage bundles)|No|No — lineage webpack build passes|
> |@babel/plugin-transform-modules-systemjs|7.29.0 → 7.29.4|Transitive via {{@babel/preset-env}}|No — webpack uses {{preset-env}} + {{transform-class-properties}} only|No|
> |@babel/core / preset-env|7.23.2 → 7.29.0 / 7.29.5|Lineage {{babel-loader}}|{{presets: ["@babel/preset-env"]}}, {{plugins: ["@babel/plugin-transform-class-properties"]}}|No|
> |node-forge|1.3.2 → 1.4.0|Docz / webpack-dev-server transitive|No|No|
> |fast-uri|3.1.0 → 3.1.2|Docz transitive|No|No|
> |picomatch|2.3.1 → 2.3.2|Docz / tooling transitive|No|No|
>
> ----
> h3. 3. Lodash — only area with _behavioral_ changes (not renames)
> 4.18.1 tightens behavior in two APIs. No method was renamed or removed that Atlas uses.
> ||Lodash API||Change in 4.18.x||Used in Atlas?||Impact on Atlas||
> |{{_.unset}} / {{_.omit}}|Blocks {{constructor}} / {{prototype}} as path keys (prototype-pollution hardening)|{{_.omit}} used widely in dashboardv2 ({{Utils.js}}, {{GlossaryLayoutView.js}}, {{TableLayout.js}}, audit/search views, etc.) with normal keys ({{typeName}}, {{guid}}, {{limit}}, …)|No impact — paths are plain property names, not {{constructor}}/{{prototype}}|
> |{{_.template}}|Stricter validation of {{options.imports}} keys; throws on forbidden identifiers|{{_.template(...)}} in dashboardv2 ({{BackgridHeader.js}}, search/audit column buttons, {{Backgrid.ColumnManager.js}}) with static template strings, no custom {{imports}}|No impact|
> |{{_.get}}, {{_.extend}}, {{_.each}}, {{_.sortBy}}, {{_.isArray}}, {{_.isEmpty}}, {{_.has}}, {{_.union}}, {{_.keys}}, {{_.pick}}, {{_.flatten}}, fp helpers|Unchanged signatures|docs/theme, dashboardv2, GlossaryExport.js|No impact|
> |{{_.numberFormatWithComma}}|Custom mixin in {{dashboardv2/public/js/utils/Helper.js}} (not core lodash)|Statistics, search, glossary views|No impact|
>
> React dashboard ({{dashboard/src}}) does not import lodash directly; it gets lodash-es only transitively through react-quill-new (standard lodash-es APIs).
> ----
> h3. 4. Axios — internal hardening only (no renames in our usage)
> Upgrades 1.13.5 → 1.15.2 add/fix internal handling (e.g. {{mergeConfig}}, proxy loopback normalization, prototype-pollution guards). Public methods we use are unchanged:
> ** {{axios(config)}}
> ** {{axios.isAxiosError(error)}}
> ** Types: {{AxiosRequestConfig}}, {{AxiosResponse}}
> No Atlas file needs updates for renamed axios methods.
> ----
> h3. 5. Vite — patch only
> 6.4.1 → 6.4.2 fixes dev-server WebSocket {{fetchModule}} path when
> {{server.host}} is exposed. Config in {{vite.config.ts}} is unchanged and
> valid.
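The two lodash behavioural changes in section 3 of the quoted description (path-key hardening in _.unset/_.omit, stricter options.imports validation in _.template) are the only part of this upgrade where a call site could start throwing. The following is an added example, not code from Atlas or from lodash: it is a simplified model of that hardening, written from an upgrade reviewer's perspective, plus an audit over a constructed inventory of call-site keys. Everything in it is an assumption except the two forbidden names the issue cites; in particular the inclusion of `__proto__` in the forbidden set, the identifier rule for template imports, the `hypothetical-bad-site.js` entry and the sample key lists are constructed for illustration, and lodash's real checks may differ in detail.

```javascript
// Added example: a simplified model of the lodash 4.18.x hardening described in
// section 3 of the issue. It is NOT lodash's or Atlas's code; it shows what the
// two behavioural changes mean for path-based unset/omit and for template
// imports, and lets an upgrade reviewer audit constructed call-site keys.

// Path segments the hardened unset/omit refuse to walk through. The issue names
// "constructor" and "prototype"; "__proto__" is added here as an assumption
// because it reaches Object.prototype the same way.
const FORBIDDEN_SEGMENTS = new Set(["constructor", "prototype", "__proto__"]);

// Normalise a lodash-style path ("a.b[0].c" or ["a", "b"]) into string segments.
function toPathSegments(path) {
  if (Array.isArray(path)) return path.map(String);
  return String(path)
    .replace(/\[(\d+)\]/g, ".$1") // a[0].b -> a.0.b
    .split(".")
    .filter((seg) => seg.length > 0);
}

// First forbidden segment in the path, or null when the path is safe.
function findForbiddenSegment(path) {
  for (const seg of toPathSegments(path)) {
    if (FORBIDDEN_SEGMENTS.has(seg)) return seg;
  }
  return null;
}

function hasOwn(obj, key) {
  return obj !== null && typeof obj === "object" && Object.prototype.hasOwnProperty.call(obj, key);
}

// Hardened unset: removes the own property at `path`, but throws instead of
// walking through constructor/prototype, so it can never touch Object.prototype.
// Returns true when a property was actually removed, false when nothing matched.
function safeUnset(obj, path) {
  const bad = findForbiddenSegment(path);
  if (bad !== null) throw new TypeError(`refusing to unset through forbidden key "${bad}"`);
  const segs = toPathSegments(path);
  let cur = obj;
  for (let i = 0; i < segs.length - 1; i++) {
    if (!hasOwn(cur, segs[i])) return false;
    cur = cur[segs[i]];
  }
  const last = segs[segs.length - 1];
  if (!hasOwn(cur, last)) return false;
  return delete cur[last];
}

// Hardened omit for top-level keys (a simplification of _.omit): returns a copy
// without the listed keys, applying the same guard to each key.
function safeOmit(obj, keys) {
  const out = { ...obj };
  for (const key of keys) safeUnset(out, key);
  return out;
}

// Stricter validation of template imports: every key must be a plain JS
// identifier and must not be one of the forbidden names. Returns the offending
// keys (empty array when valid). Simplified model, not lodash's exact rules.
const IDENTIFIER_RE = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
function validateTemplateImports(imports) {
  return Object.keys(imports || {}).filter(
    (name) => !IDENTIFIER_RE.test(name) || FORBIDDEN_SEGMENTS.has(name)
  );
}

// Constructed call-site inventory in the shape an upgrade reviewer would gather:
// the first two use plain keys like the dashboardv2 sites the issue lists; the
// third is a hypothetical file with a path the hardened _.omit would reject.
const SAMPLE_CALL_SITES = [
  { file: "Utils.js (constructed)", keys: ["typeName", "guid"] },
  { file: "TableLayout.js (constructed)", keys: ["limit", "offset"] },
  { file: "hypothetical-bad-site.js", keys: ["constructor.prototype.isAdmin"] },
];

// Reports only the call sites that would start throwing after the upgrade.
function auditCallSites(sites) {
  return sites
    .map((s) => ({ file: s.file, rejected: s.keys.filter((k) => findForbiddenSegment(k) !== null) }))
    .filter((r) => r.rejected.length > 0);
}

// Usage: with the constructed inventory only the hypothetical site is flagged,
// which is the same conclusion the issue reaches for the real dashboardv2 keys.
console.log(auditCallSites(SAMPLE_CALL_SITES));
```

Running the audit over a grep of real `_.omit` / `_.unset` arguments is the quickest way to confirm the "No impact" column before bumping the override; any site that shows up is one where the path is built from user-controlled input and deserves a closer look regardless of the lodash version.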
--
This message was sent by Atlassian Jira
(v8.20.10#820010)