[ https://issues.apache.org/jira/browse/ATLAS-5316?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Prasad P. Pawar resolved ATLAS-5316.
------------------------------------
    Fix Version/s: 3.0.0
                   2.6.0
       Resolution: Fixed

> ATLAS UI: Dependency version uplift for Atlas React dashboard and 
> documentation site
> ------------------------------------------------------------------------------------
>
>                 Key: ATLAS-5316
>                 URL: https://issues.apache.org/jira/browse/ATLAS-5316
>             Project: Atlas
>          Issue Type: Bug
>          Components: atlas-webui
>    Affects Versions: 3.0.0
>            Reporter: Prasad P. Pawar
>            Assignee: Prasad P. Pawar
>            Priority: Major
>             Fix For: 3.0.0, 2.6.0
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> This work updates direct and transitive npm dependencies in 
> {{dashboard/package.json}} and {{docs/package.json}} (including {{overrides}} 
> and lockfiles) to align with upstream recommended releases. The goal is 
> improved dependency hygiene, consistent transitive resolution, and alignment 
> with current library maintenance guidance—without changing application source 
> code.
> ----
> h3. Scope
> ||Module||Files updated||
> |React Dashboard|{{dashboard/package.json}}, 
> {{dashboard/package-lock.json}}|
> |Documentation site|{{docs/package.json}}, {{docs/package-lock.json}}|
> |Existing docz patches 
> (unchanged)|{{docs/patches/html-minifier+4.0.0.patch}}, 
> {{docs/patches/http-proxy-middleware+0.19.1.patch}}|
> ----
> h3. Dependency change matrix
> ||Package||Module||Previous version||Updated version||Change type||Why this 
> change||Where used in Atlas||Version difference (high level)||Project impact||
> |axios|dashboard|1.15.2|1.16.0|Direct dependency + {{overrides}}|Align HTTP 
> client with latest stable 1.x release; improves proxy/redirect handling and 
> adapter consistency|{{dashboard/src/api/apiMethods/fetchApi.ts}} (main API 
> calls); type imports in {{QuickSearch.tsx}}, {{Labels.tsx}}, 
> {{FormAutocomplete.tsx}}|Improved redirect header handling, proxy credential 
> handling, IPv6 hostname normalization in proxy rules; no public API 
> renames|Low — browser XHR adapter unchanged for normal UI flows; build and 38 
> fetchApi unit tests pass|
> |axios|docs|1.15.2|1.16.0|devDependency + {{overrides}}|Same HTTP client 
> alignment for docs tooling|{{docs/theme/components/shared/TeamList/index.js}} 
> ({{axios.get}} for team list fetch)|Same as dashboard row|Low — simple 
> GET usage only|
> |handlebars|dashboard|4.7.8 (transitive via ts-jest)|4.7.9|{{overrides}} 
> only|Pin transitive template engine to latest 4.7.x patch|Not used in app 
> source — only {{ts-jest}} CLI ({{config:init}} Jest config template 
> generation)|Internal compiler/runtime hardening; stricter AST handling; no 
> method renames|None — no imports in dashboard source|
> |@babel/preset-env|dashboard|7.28.5|7.29.5|devDependency|Brings updated Babel 
> preset used by Jest test pipeline|Jest/Babel test compilation (no runtime UI 
> usage)|Updated preset bundle; pulls patched systemjs transform plugin|None — 
> tests compile as before|
> |@babel/plugin-transform-modules-systemjs|dashboard|7.28.5 
> (transitive)|7.29.4|{{overrides}}|Align transitive Babel plugin with 
> preset-env 7.29.5|Transitive via {{@babel/preset-env}}; dashboard does 
> not use {{modules: "systemjs"}}|Safer handling of untrusted module input 
> during compile|None — trusted test/build code only|
> |shell-quote|docs|1.7.3|1.8.4|{{overrides}}|Replace previously pinned older 
> transitive version with current stable release|Transitive via {{docz}} → 
> {{react-dev-utils}} → {{shell-quote.parse()}} on {{REACT_EDITOR}} env var 
> (docz dev tooling only)|{{quote()}} validates object-token shapes strictly; 
> {{parse()}} behavior unchanged for string inputs|None — not imported in docs 
> source|
> |html-minifier|docs|3.5.21 / 4.0.0 (mixed transitive)|4.0.0 (unified) + 
> existing patch|{{overrides}} + {{patch-package}}|Consolidate to single 
> version; apply existing local patch for regex performance 
> hardening|Transitive via {{docz}} / {{docz-core}} (docs site 
> build/minification only)|Override removes nested 3.5.21; patch limits regex 
> repetition in minifier|Low — docs build-time only; patch already applied on 
> postinstall|
> |http-proxy-middleware|docs|0.19.1|0.19.1 (unchanged version)|Existing 
> {{patch-package}} patch|docz/webpack-dev-server requires 0.19.x; no 
> compatible major upgrade without replacing docz|Transitive via {{docz}} → 
> {{webpack-dev-server}} (docs dev server only)|Patch wraps micromatch calls to 
> avoid unhandled rejection during dev|None for dashboard; docs dev server only|
> |tmp|docs|0.0.33 (transitive via patch-package)|0.2.6|{{overrides}}|Align 
> temp-file helper to maintained release|Transitive via {{patch-package}} 
> postinstall (docs tooling)|Improved path handling in temp file creation 
> APIs|None — patch-package uses fixed trusted prefixes|
>
> ----
> h3. package.json changes detail
> h4. dashboard/package.json
> ||Section||Field||Before||After||
> |dependencies|{{axios}}|1.15.2|1.16.0|
> |devDependencies|{{@babel/preset-env}}|7.28.5|7.29.5|
> |overrides|{{handlebars}}|(not set)|4.7.9|
> |overrides|{{axios}}|(not set)|1.16.0|
> |overrides|{{@babel/plugin-transform-modules-systemjs}}|(not set)|7.29.4|
> h4. docs/package.json
> ||Section||Field||Before||After||
> |devDependencies|{{axios}}|1.15.2|1.16.0|
> |overrides|{{shell-quote}}|1.7.3|1.8.4|
> |overrides|{{axios}}|1.15.2|1.16.0|
> |overrides|{{html-minifier}}|(not set)|4.0.0|
> |overrides|{{tmp}}|(not set)|0.2.6|
> ----
> h3. Application code impact assessment
> ||Area||Code changes required?||Notes||
> |Dashboard UI / API layer|No|axios public API unchanged ({{get}}, 
> {{post}}, {{isAxiosError}}, {{AxiosRequestConfig}})|
> |Dashboard unit tests|No|Jest/Babel pipeline updated; all fetchApi tests pass|
> |Docs site theme|No|TeamList axios usage unchanged|
> |Docs build / dev server|No|Existing patch-package patches continue to apply 
> on {{npm install}}|
> |Classic UI (dashboardv2)|Out of scope|Bundled Handlebars 4.7.8 in 
> {{dashboardv2/public/js/external_lib/}} is separate from npm overrides|
> ----
> h3. Verification completed
> ||Check||Result||
> |{{dashboard}} production build|Passed|
> |{{fetchApi}} unit tests (38)|Passed|
> |ESLint|No new errors from dependency changes (4 pre-existing errors in 
> untracked cypress files)|
> |Resolved versions ({{npm ls}})|axios 1.16.0, handlebars 4.7.9, 
> shell-quote 1.8.4, tmp 0.2.6, html-minifier 4.0.0|
> ----
> h3. Out of scope / follow-up
> ||Item||Reason||
> |Replace docz / webpack-dev-server stack|Required for native 
> {{http-proxy-middleware}} 2.x upgrade; current 0.19.1 patch mitigates 
> dev-server behavior|
> |Upgrade dashboardv2 bundled Handlebars|Separate legacy UI bundle, not 
> managed by dashboard npm lockfile|
> ----
> h3. Acceptance criteria
>  *  {{dashboard/package.json}} and {{dashboard/package-lock.json}} updated as 
> per table above
>  *  {{docs/package.json}} and {{docs/package-lock.json}} updated as per table 
> above
>  *  Dashboard build succeeds
>  *  Dashboard fetchApi tests pass
>  *  Docs {{npm install}} applies existing patches successfully
>  *  No application source code changes required



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
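
An added example, not part of the Jira issue or the Atlas code base: one way to check the "Resolved versions" row against a lockfile is to walk the `packages` map of a lockfileVersion 2/3 `package-lock.json` and report every installed copy of a pinned package that differs from its override, including nested copies. The lockfile below is constructed, and `auditLock`, `DOCS_PINS` and `SAMPLE_LOCK` are hypothetical names; the pins are the `docs/package.json` overrides listed in the issue.

```javascript
// Pins: the docs/package.json overrides listed in the issue.
const DOCS_PINS = {
  axios: '1.16.0',
  'shell-quote': '1.8.4',
  'html-minifier': '4.0.0',
  tmp: '0.2.6',
};

// Constructed sample in lockfileVersion 3 layout, not the real docs lockfile.
// It deliberately keeps a nested html-minifier 3.5.21 to show a failing audit.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'docs-sample' },
    'node_modules/axios': { version: '1.16.0' },
    'node_modules/shell-quote': { version: '1.8.4' },
    'node_modules/html-minifier': { version: '4.0.0' },
    'node_modules/docz-core/node_modules/html-minifier': { version: '3.5.21' },
    'node_modules/tmp': { version: '0.2.6' },
  },
};

// Returns one finding per installed copy whose version differs from its pin,
// plus one finding (path: null) per pin that is not installed anywhere.
function auditLock(lock, pins) {
  const marker = 'node_modules/';
  const seen = new Set();
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(marker);
    if (idx === -1) continue; // root project entry has no node_modules segment
    // Text after the last marker is the package name; scoped names keep "@scope/".
    const name = path.slice(idx + marker.length);
    if (!Object.hasOwn(pins, name)) continue;
    seen.add(name);
    if (meta.version !== pins[name]) {
      findings.push({ name, path, found: meta.version, expected: pins[name] });
    }
  }
  for (const name of Object.keys(pins)) {
    if (!seen.has(name)) {
      findings.push({ name, path: null, found: null, expected: pins[name] });
    }
  }
  return findings;
}

console.log(auditLock(SAMPLE_LOCK, DOCS_PINS));
```

An empty result means every copy in the tree matches its pin; to audit a real tree, pass the parsed `package-lock.json` instead of the sample.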
