This is an automated email from the ASF dual-hosted git repository.

tbonelee pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/zeppelin.git


The following commit(s) were added to refs/heads/master by this push:
     new 963a518360 [MINOR] Bump zeppelin-react linkify-it and undici to clear 
high npm-audit advisories
963a518360 is described below

commit 963a5183603a41209a66642e7bb1a2658f941bf5
Author: YONGJAE LEE (이용재) <[email protected]>
AuthorDate: Tue Jul 7 01:23:35 2026 +0900

    [MINOR] Bump zeppelin-react linkify-it and undici to clear high npm-audit 
advisories
    
    ### What is this PR for?
    `npm audit --audit-level=high` fails on master, so every frontend PR's 
npm-audit job goes red. Two high-severity advisories in zeppelin-react's 
dependency tree:
    
    - **linkify-it** 3.0.3 (via ansi-to-react): GHSA-22p9-wv53-3rq4. 
Constrained to `^5.0.2`.
    - **undici** 7.27.0 (via jsdom): GHSA-vmh5-mc38-953g and related. 
Constrained to `^7.28.0`, which stays within jsdom's `^7.25.0` and lets 
in-range security patches flow.
    
    Both use `overrides`. `npm audit fix --force` was avoided because it 
downgrades ansi-to-react.
    
    The linkify-it 3 to 5 bump needs no source changes. No project code imports 
linkify-it, and its only consumer (ansi-to-react) calls `.tlds()`, 
`.pretest()`, and `.match()`, which are unchanged from v3 through v5. The 
override deliberately crosses ansi-to-react's declared `^3.0.3` range, and can 
be revisited if ansi-to-react is updated.
    
    ### What type of PR is it?
    Improvement
    
    ### What is the Jira issue?
    N/A
    
    ### How should this be tested?
    * `cd zeppelin-web-angular/projects/zeppelin-react && npm ci && npm audit 
--audit-level=high` exits 0.
    * `npm run lint`, `npm test` (vitest), and `npm run build` pass.
    * ansi-to-react still renders URLs as links with linkify-it 5.
    
    ### Questions:
    * Does the license files need to update? No.
    * Is there breaking changes for older versions? No.
    * Does this needs documentation? No.
    
    
    Closes #5278 from voidmatcha/react-npm-audit-high.
    
    Signed-off-by: ChanHo Lee <[email protected]>
---
 .../projects/zeppelin-react/package-lock.json      | 43 ++++++++++------------
 .../projects/zeppelin-react/package.json           |  3 ++
 2 files changed, 23 insertions(+), 23 deletions(-)

diff --git a/zeppelin-web-angular/projects/zeppelin-react/package-lock.json 
b/zeppelin-web-angular/projects/zeppelin-react/package-lock.json
index 354bdcc974..e8b9719d44 100644
--- a/zeppelin-web-angular/projects/zeppelin-react/package-lock.json
+++ b/zeppelin-web-angular/projects/zeppelin-react/package-lock.json
@@ -1269,19 +1269,6 @@
         "@emnapi/runtime": "^1.7.1"
       }
     },
-    "node_modules/@noble/hashes": {
-      "version": "2.2.0",
-      "resolved": 
"https://registry.npmjs.org/@noble/hashes/-/hashes-2.2.0.tgz";,
-      "integrity": 
"sha512-IYqDGiTXab6FniAgnSdZwgWbomxpy9FtYvLKs7wCUs2a8RkITG+DFGO1DM9cr+E3/RgADRpFjrKVaJ1z6sjtEg==",
-      "extraneous": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">= 20.19.0"
-      },
-      "funding": {
-        "url": "https://paulmillr.com/funding/";
-      }
-    },
     "node_modules/@oxc-project/types": {
       "version": "0.133.0",
       "resolved": 
"https://registry.npmjs.org/@oxc-project/types/-/types-0.133.0.tgz";,
@@ -7152,12 +7139,22 @@
       }
     },
     "node_modules/linkify-it": {
-      "version": "3.0.3",
-      "resolved": 
"https://registry.npmjs.org/linkify-it/-/linkify-it-3.0.3.tgz";,
-      "integrity": 
"sha512-ynTsyrFSdE5oZ/O9GEf00kPngmOfVwazR5GKDq6EYfhlpFug3J2zybX56a2PRRpc9P+FuSoGNAwjlbDs9jJBPQ==",
+      "version": "5.0.2",
+      "resolved": 
"https://registry.npmjs.org/linkify-it/-/linkify-it-5.0.2.tgz";,
+      "integrity": 
"sha512-ONTm2jCMAVZjgQa/Fy1kScXsuOoF5NPTsoFBdE1KVIZ2vAh/r9+Bqo+0jINCBYnavTPQZz38QzFTme79ENoN3Q==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/puzrin";
+        },
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/markdown-it";
+        }
+      ],
       "license": "MIT",
       "dependencies": {
-        "uc.micro": "^1.0.1"
+        "uc.micro": "^2.0.0"
       }
     },
     "node_modules/loader-runner": {
@@ -10618,9 +10615,9 @@
       }
     },
     "node_modules/uc.micro": {
-      "version": "1.0.6",
-      "resolved": "https://registry.npmjs.org/uc.micro/-/uc.micro-1.0.6.tgz";,
-      "integrity": 
"sha512-8Y75pvTYkLJW2hWQHXxoqRgV7qb9B+9vFEtidML+7koHUFapnVJAZ6cKs+Qjz5Aw3aZWHMC6u0wJE3At+nSGwA==",
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/uc.micro/-/uc.micro-2.1.0.tgz";,
+      "integrity": 
"sha512-ARDJmphmdvUk6Glw7y9DQ2bFkKBHwQHLi2lsaH6PPmz/Ka9sFOBsBluozhDltWmnv9u/cF6Rt87znRTPV+yp/A==",
       "license": "MIT"
     },
     "node_modules/unbox-primitive": {
@@ -10643,9 +10640,9 @@
       }
     },
     "node_modules/undici": {
-      "version": "7.27.0",
-      "resolved": "https://registry.npmjs.org/undici/-/undici-7.27.0.tgz";,
-      "integrity": 
"sha512-+t2Z/GwkZQDtu00813aP66ygViGtPHKhhoFZpQKpKrE+9jIgES+Zw+mFNaDWOVRKiuJjuqKHzD3B1sfGg8+ZOQ==",
+      "version": "7.28.0",
+      "resolved": "https://registry.npmjs.org/undici/-/undici-7.28.0.tgz";,
+      "integrity": 
"sha512-cRZYrTDwWznlnRiPjggAGxZXanty6M8RV1ff8Wm4LWXBp7/IG8v5DnOm74DtUBp9OONpK75YlPnIjQqX0dBDtA==",
       "dev": true,
       "license": "MIT",
       "engines": {
diff --git a/zeppelin-web-angular/projects/zeppelin-react/package.json 
b/zeppelin-web-angular/projects/zeppelin-react/package.json
index cf1e807d58..a17a90e6b6 100644
--- a/zeppelin-web-angular/projects/zeppelin-react/package.json
+++ b/zeppelin-web-angular/projects/zeppelin-react/package.json
@@ -50,5 +50,8 @@
     "webpack": "5.105.4",
     "webpack-cli": "5.1.4",
     "webpack-dev-server": "5.2.4"
+  },
+  "overrides": {
+    "linkify-it": "^5.0.2"
   }
 }

Reply via email to