wu-sheng opened a new pull request, #85: URL: https://github.com/apache/skywalking-horizon-ui/pull/85
## Why

Dependabot shows 14 open advisories. Remediating by **dependency upgrade, not pnpm overrides** (per maintainer preference) — this lands the real version bumps that clear everything with an available patch path.

## What

Each parent's declared range already permitted the patched version, so these are honest upgrades — **no overrides added**:

| Package | Bump | Advisory | Sev |
|---|---|---|---|
| vite | 6.4.2 → 6.4.3 | GHSA-fx2h-pf6j-xcff | **high** |
| vite | ″ | GHSA-v6wh-96g9-6wx3 | moderate |
| form-data | → 4.0.6 (via jsdom) | GHSA-hmw2-7cc7-3qxx | **high** |
| tsx | 4.21.0 → 4.22.4 → esbuild 0.28.1 | GHSA-g7r4-m6w7-qqqr | low |
| js-yaml | → 4.3.0 (via eslint) | GHSA-h67p-54hq-rp68 | moderate |
| @babel/core | → 7.29.7 | GHSA-4x5r-pxfx-6jf8 | low |

**Dependabot 14 → 8.** Both highs and every dev-only advisory cleared.

## What's left — and why there's no upgrade

The remaining 8 are all **DOMPurify via `monaco-editor`**. monaco's latest *stable* (0.55.1) still declares and vendors DOMPurify 3.2.7 with no patched release (only `0.56.0-dev` pre-releases) — **so there is no upgrade path**. They're low/moderate; the npm `dompurify` is a *phantom* dep (the shipped bundle uses monaco's vendored 3.2.7 regardless, which an npm override can't reach); and that sanitizer only handles trusted in-app editor (MQE/YAML) content, never OAP wire data. Recommend accepting + tracking a monaco upgrade rather than masking the SCA number with a cosmetic override.

## Validation

type-check (both workspaces), build-ui, build-bff, lint + source-budget, **116 UI + 162 BFF tests** — all green. The esbuild 0.27→0.28 minor and the vite patch were verified against the full build + test suite.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
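The phantom-dependency point in the PR (an override on the npm `dompurify` package cannot reach a copy vendored inside `monaco-editor`) can be checked against the built bundle rather than argued from the lockfile. The following is an added example, not code from this PR, from the skywalking-horizon-ui project or from monaco-editor. It assumes the bundle preserves DOMPurify's `/*! @license DOMPurify X.Y.Z` banner or its `DOMPurify.version = 'X.Y.Z'` assignment; the sample bundle text and the resolved version `3.3.0` are constructed values for the demonstration.

```javascript
// Added example for this PR discussion, not code from skywalking-horizon-ui or
// monaco-editor. It answers one question: which DOMPurify version(s) does the
// built bundle actually ship? A copy vendored inside another package (as the PR
// describes for monaco-editor) is not reached by a pnpm/npm override, so the
// override can change the lockfile while the bundle keeps the old version.
//
// Assumption: the bundle preserves DOMPurify's "/*! @license DOMPurify X.Y.Z"
// banner and/or the "DOMPurify.version = 'X.Y.Z'" assignment. The sample
// bundle text and the resolved version "3.3.0" used below are constructed
// for this example.

const VERSION_PATTERNS = [
  // "/*!" banners are kept by minifiers, so this survives a production build
  /\/\*!\s*@license\s+DOMPurify\s+(\d+\.\d+\.\d+)/g,
  // present in the unminified ESM/CJS source
  /DOMPurify\.version\s*=\s*['"](\d+\.\d+\.\d+)['"]/g,
];

// Every distinct DOMPurify version string found in the bundle text, sorted.
function shippedDompurifyVersions(bundleText) {
  const found = new Set();
  for (const re of VERSION_PATTERNS) {
    for (const m of bundleText.matchAll(re)) found.add(m[1]);
  }
  return [...found].sort();
}

// Compare the version the lockfile resolves for the npm "dompurify" package
// with what ships. Any other version in the bundle is a vendored copy that an
// override cannot reach, so the advisory is masked in SCA output, not fixed.
function auditOverrideReach(resolvedVersion, bundleText) {
  const shipped = shippedDompurifyVersions(bundleText);
  const unreachable = shipped.filter((v) => v !== resolvedVersion);
  return {
    resolved: resolvedVersion,
    shipped,
    unreachable,
    // true only when the bundle carries exactly the resolved version
    overrideEffective: shipped.length > 0 && unreachable.length === 0,
  };
}

// Constructed sample: monaco's vendored 3.2.7 (per the PR) plus a second,
// hypothetical copy pulled in through the npm "dompurify" package.
const SAMPLE_BUNDLE = [
  "/*! @license DOMPurify 3.2.7 | (c) Cure53 and other contributors */",
  "var purify=function(){/* vendored copy inside monaco */};",
  "/*! @license DOMPurify 3.3.0 | (c) Cure53 and other contributors */",
  "var purify2=function(){/* hypothetical npm copy */};",
].join("\n");

// Run the audit on the sample and return the report so it can be inspected.
function runOnSample(resolvedVersion = "3.3.0") {
  const report = auditOverrideReach(resolvedVersion, SAMPLE_BUNDLE);
  console.log(JSON.stringify(report, null, 2));
  return report;
}

runOnSample();
```

To audit a real build, read the emitted `dist/**/*.js` files with `fs.readFileSync` and pass their text to `auditOverrideReach` together with the version `pnpm why dompurify` resolves. A non-empty `unreachable` list is the signature of the situation the PR describes: the lockfile says one version, the bundle ships another, and the override only changes the SCA count.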
