Copilot commented on code in PR #18014:
URL: https://github.com/apache/pinot/pull/18014#discussion_r3004336064


##########
pinot-controller/src/main/resources/package-lock.json:
##########
@@ -10988,20 +10967,44 @@
       "dev": true
     },
     "node_modules/minimatch": {
-      "version": "10.0.3",
-      "resolved": 
"https://registry.npmjs.org/minimatch/-/minimatch-10.0.3.tgz";,
-      "integrity": 
"sha512-IPZ167aShDZZUMdRk66cyQAW3qr0WzbHkPdMYa8bzZhlHhO3jALbKdxcaak7W9FfT2rZNpQuUu4Od7ILEpXSaw==",
+      "version": "10.2.3",
+      "resolved": 
"https://registry.npmjs.org/minimatch/-/minimatch-10.2.3.tgz";,
+      "integrity": 
"sha512-Rwi3pnapEqirPSbWbrZaa6N3nmqq4Xer/2XooiOKyV3q12ML06f7MOuc5DVH8ONZIFhwIYQ3yzPH4nt7iWHaTg==",
       "dev": true,
+      "license": "BlueOak-1.0.0",
       "dependencies": {
-        "@isaacs/brace-expansion": "^5.0.0"
+        "brace-expansion": "^5.0.2"
       },
       "engines": {
-        "node": "20 || >=22"
+        "node": "18 || 20 || >=22"
       },
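
Review bot: the dependency swap in this hunk, `"@isaacs/brace-expansion": "^5.0.0"` replaced by `"brace-expansion": "^5.0.2"`, needs a matching `node_modules/brace-expansion` entry elsewhere in this lockfile at a version satisfying `^5.0.2`, and the old `@isaacs/brace-expansion` entry should be dropped if nothing else still resolves to it; a lockfile that is out of sync with package.json is rejected by `npm ci` before the engines question even comes up. The new `"engines"` value `"18 || 20 || >=22"` is strictly more permissive than the old `"20 || >=22"`, but it still excludes Node 16, so the value pinned for the UI build (`.nvmrc`) should be checked against it before merging.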

Review Comment:
   This lockfile shows `minimatch@10.2.3` with an engines constraint of `node: "18 || 20 || >=22"`. Since the build currently installs Node v16.15.0 for the controller UI, this dependency set is not compatible and may cause `npm ci`/build failures (or at least unsupported-engine warnings). Either align the pinned Node version with these engine requirements, or adjust dependencies/overrides to avoid pulling Node>=18-only packages while Node 16 is still required.



##########
pinot-controller/src/main/resources/package.json:
##########
@@ -47,6 +46,7 @@
     "fs": "0.0.1-security",
     "html-loader": "0.5.5",
     "html-webpack-plugin": "4.5.2",
+    "minimatch": "^10.2.3",
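
Review bot: `"minimatch": "^10.2.3"` is a caret range in a block where every neighbouring entry (`"html-loader": "0.5.5"`, `"html-webpack-plugin": "4.5.2"`) is pinned exactly, so either pin it to match the file's convention or note why a range is wanted here. Adding minimatch as a direct dependency also does not replace the copies that other packages pull in transitively; if the intent is to move every minimatch in the tree off the vulnerable ranges, an `overrides` entry (supported by npm 8.3 and later) is the mechanism, and a direct dependency on its own leaves nested older copies in place.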

Review Comment:
   `minimatch@^10.2.3` requires Node >=18 (see package-lock entry for minimatch engines), but the controller UI build/tooling is pinned to Node v16.15.0 (e.g., `.nvmrc` and `pinot-controller/pom.xml` frontend-maven-plugin). This mismatch is likely to break `npm ci` / `npm run build(-ci)` during the Maven build. Consider either bumping the pinned Node version to >=18 everywhere, or avoid introducing minimatch v10 if the build must remain on Node 16 (and only override the vulnerable minimatch ranges that are actually in use).
   ```suggestion
       "minimatch": "^9.0.0",
   ```
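
A check a maintainer could run over the lockfile before bumping it, covering the Node 16 concern raised in both comments above. This is an added example, not part of the PR or of Copilot's comments; the lockfile fragment is constructed, and the range evaluation is a major-version approximation of semver written here, not the `semver` package.

```python
"""Flag package-lock.json entries whose engines.node excludes a pinned Node major."""
import json
import re

# Constructed lockfile fragment modelled on the minimatch entry in the diff above.
LOCK_JSON = """{
  "packages": {
    "node_modules/minimatch": {"version": "10.2.3", "dev": true,
                               "engines": {"node": "18 || 20 || >=22"}},
    "node_modules/html-loader": {"version": "0.5.5"},
    "node_modules/example-old": {"version": "1.0.0", "engines": {"node": ">=12"}}
  }
}"""

# One comparator: optional operator, then major[.minor[.patch]] (x/* wildcards allowed).
_COMPARATOR = re.compile(r"^(>=|<=|>|<|\^|~|=)?\s*v?(\d+)(?:\.(\d+|x|\*))?(?:\.(\d+|x|\*))?$")


def _clause_ok(clause, node_major):
    """Evaluate one space-separated comparator set (e.g. '>=14 <21') on the major only.

    Plain, '=', '^' and '~' mean 'same major'; '>' and '<' are strict on the major.
    Returns None when a comparator uses syntax this approximation does not handle.
    """
    for comp in clause.split():
        m = _COMPARATOR.match(comp)
        if not m:
            return None
        op, major = m.group(1) or "=", int(m.group(2))
        ok = {"=": node_major == major, "^": node_major == major, "~": node_major == major,
              ">=": node_major >= major, ">": node_major > major,
              "<=": node_major <= major, "<": node_major < major}[op]
        if not ok:
            return False
    return True


def engine_ok(range_spec, node_major):
    """True if any '||' alternative admits node_major, False if none does, None if unsure."""
    results = [_clause_ok(alt.strip(), node_major) for alt in range_spec.split("||") if alt.strip()]
    if any(r is True for r in results):
        return True
    return None if any(r is None for r in results) else False


def incompatible_packages(lock_text, node_major):
    """Return {lock path: engines.node} for every entry that definitely excludes node_major."""
    packages = json.loads(lock_text).get("packages", {})
    return {path: (meta.get("engines") or {}).get("node")
            for path, meta in packages.items()
            if (meta.get("engines") or {}).get("node")
            and engine_ok(meta["engines"]["node"], node_major) is False}


if __name__ == "__main__":
    for path, spec in incompatible_packages(LOCK_JSON, 16).items():
        print(f"{path}: engines.node {spec!r} excludes Node 16")
```

Against a real checkout, pass the contents of `pinot-controller/src/main/resources/package-lock.json` and the major from `.nvmrc` to `incompatible_packages`; an empty result means `npm ci` will not hit an engines mismatch on that Node line.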



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
