Yicong-Huang opened a new pull request, #6155: URL: https://github.com/apache/texera/pull/6155
### What changes were proposed in this PR? Patch upgrade of the Angular CLI toolchain in `frontend/`: `@angular-devkit/build-angular` and `@angular/cli` 21.2.8 → 21.2.18 (same minor, no config changes). The motivation is security: the 21.2.8 toolchain exact-pins several build-time dependencies with open advisories, and a plain lockfile refresh cannot move exact pins. 21.2.18 re-pins them all to patched versions: | Pinned dep | Before | After | Advisories cleared | | --- | --- | --- | --- | | undici | 7.24.4 | 7.28.0 | GHSA-hm92-r4w5-c3mj (high), GHSA-vmh5-mc38-953g (high), GHSA-p88m-4jfj-68fv, GHSA-gcq2-9pq2-cxqm... (5) | | vite | 7.3.2 | 7.3.6 | GHSA-fx2h-pf6j-xcff (high), GHSA-v6wh-96g9-6wx3 | | piscina | 5.1.4 | 5.2.0 | GHSA-x9g3-xrwr-cwfg (high) | | webpack-dev-server | 5.2.3 | 5.2.5 | GHSA-mx8g-39q3-5c79, GHSA-79cf-xcqc-c78w | | esbuild | 0.27.3 | 0.28.1 | GHSA-g7r4-m6w7-qqqr | | postcss | 8.5.6 | 8.5.12 | GHSA-qx2v-qp2m-jg93 | Diff is `frontend/package.json` (2 lines) + the corresponding `yarn.lock` re-resolution; the lockfile shrinks because the old duplicate pins dedupe away. ### Any related issues, documentation, discussions? Closes #6154 ### How was this PR tested? Existing test cases; no behavior change expected (build toolchain only). - `yarn build` (production `ng build`) — succeeds, only pre-existing CommonJS warnings. - `yarn test:ci` — all suites pass (`NX Successfully ran target test for project gui`). ### Was this PR authored or co-authored using generative AI tooling? Generated-by: Claude Code (Claude Fable 5) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
