This is an automated email from the ASF dual-hosted git repository.
tbonelee pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/zeppelin.git
The following commit(s) were added to refs/heads/master by this push:
new 963a518360 [MINOR] Bump zeppelin-react linkify-it and undici to clear
high npm-audit advisories
963a518360 is described below
commit 963a5183603a41209a66642e7bb1a2658f941bf5
Author: YONGJAE LEE (이용재) <[email protected]>
AuthorDate: Tue Jul 7 01:23:35 2026 +0900
[MINOR] Bump zeppelin-react linkify-it and undici to clear high npm-audit
advisories
### What is this PR for?
`npm audit --audit-level=high` fails on master, so every frontend PR's
npm-audit job goes red. Two high-severity advisories in zeppelin-react's
dependency tree:
- **linkify-it** 3.0.3 (via ansi-to-react): GHSA-22p9-wv53-3rq4.
Constrained to `^5.0.2`.
- **undici** 7.27.0 (via jsdom): GHSA-vmh5-mc38-953g and related.
Constrained to `^7.28.0`, which stays within jsdom's `^7.25.0` and lets
in-range security patches flow.
Both use `overrides`. `npm audit fix --force` was avoided because it
downgrades ansi-to-react.
The linkify-it 3 to 5 bump needs no source changes. No project code imports
linkify-it, and its only consumer (ansi-to-react) calls `.tlds()`,
`.pretest()`, and `.match()`, which are unchanged from v3 through v5. The
override deliberately crosses ansi-to-react's declared `^3.0.3` range, and can
be revisited if ansi-to-react is updated.
### What type of PR is it?
Improvement
### What is the Jira issue?
N/A
### How should this be tested?
* `cd zeppelin-web-angular/projects/zeppelin-react && npm ci && npm audit
--audit-level=high` exits 0.
* `npm run lint`, `npm test` (vitest), and `npm run build` pass.
* ansi-to-react still renders URLs as links with linkify-it 5.
### Questions:
* Does the license files need to update? No.
* Is there breaking changes for older versions? No.
* Does this needs documentation? No.
Closes #5278 from voidmatcha/react-npm-audit-high.
Signed-off-by: ChanHo Lee <[email protected]>
---
.../projects/zeppelin-react/package-lock.json | 43 ++++++++++------------
.../projects/zeppelin-react/package.json | 3 ++
2 files changed, 23 insertions(+), 23 deletions(-)
diff --git a/zeppelin-web-angular/projects/zeppelin-react/package-lock.json
b/zeppelin-web-angular/projects/zeppelin-react/package-lock.json
index 354bdcc974..e8b9719d44 100644
--- a/zeppelin-web-angular/projects/zeppelin-react/package-lock.json
+++ b/zeppelin-web-angular/projects/zeppelin-react/package-lock.json
@@ -1269,19 +1269,6 @@
"@emnapi/runtime": "^1.7.1"
}
},
- "node_modules/@noble/hashes": {
- "version": "2.2.0",
- "resolved":
"https://registry.npmjs.org/@noble/hashes/-/hashes-2.2.0.tgz",
- "integrity":
"sha512-IYqDGiTXab6FniAgnSdZwgWbomxpy9FtYvLKs7wCUs2a8RkITG+DFGO1DM9cr+E3/RgADRpFjrKVaJ1z6sjtEg==",
- "extraneous": true,
- "license": "MIT",
- "engines": {
- "node": ">= 20.19.0"
- },
- "funding": {
- "url": "https://paulmillr.com/funding/"
- }
- },
"node_modules/@oxc-project/types": {
"version": "0.133.0",
"resolved":
"https://registry.npmjs.org/@oxc-project/types/-/types-0.133.0.tgz",
@@ -7152,12 +7139,22 @@
}
},
"node_modules/linkify-it": {
- "version": "3.0.3",
- "resolved":
"https://registry.npmjs.org/linkify-it/-/linkify-it-3.0.3.tgz",
- "integrity":
"sha512-ynTsyrFSdE5oZ/O9GEf00kPngmOfVwazR5GKDq6EYfhlpFug3J2zybX56a2PRRpc9P+FuSoGNAwjlbDs9jJBPQ==",
+ "version": "5.0.2",
+ "resolved":
"https://registry.npmjs.org/linkify-it/-/linkify-it-5.0.2.tgz",
+ "integrity":
"sha512-ONTm2jCMAVZjgQa/Fy1kScXsuOoF5NPTsoFBdE1KVIZ2vAh/r9+Bqo+0jINCBYnavTPQZz38QzFTme79ENoN3Q==",
+ "funding": [
+ {
+ "type": "github",
+ "url": "https://github.com/sponsors/puzrin"
+ },
+ {
+ "type": "github",
+ "url": "https://github.com/sponsors/markdown-it"
+ }
+ ],
"license": "MIT",
"dependencies": {
- "uc.micro": "^1.0.1"
+ "uc.micro": "^2.0.0"
}
},
"node_modules/loader-runner": {
@@ -10618,9 +10615,9 @@
}
},
"node_modules/uc.micro": {
- "version": "1.0.6",
- "resolved": "https://registry.npmjs.org/uc.micro/-/uc.micro-1.0.6.tgz",
- "integrity":
"sha512-8Y75pvTYkLJW2hWQHXxoqRgV7qb9B+9vFEtidML+7koHUFapnVJAZ6cKs+Qjz5Aw3aZWHMC6u0wJE3At+nSGwA==",
+ "version": "2.1.0",
+ "resolved": "https://registry.npmjs.org/uc.micro/-/uc.micro-2.1.0.tgz",
+ "integrity":
"sha512-ARDJmphmdvUk6Glw7y9DQ2bFkKBHwQHLi2lsaH6PPmz/Ka9sFOBsBluozhDltWmnv9u/cF6Rt87znRTPV+yp/A==",
"license": "MIT"
},
"node_modules/unbox-primitive": {
@@ -10643,9 +10640,9 @@
}
},
"node_modules/undici": {
- "version": "7.27.0",
- "resolved": "https://registry.npmjs.org/undici/-/undici-7.27.0.tgz",
- "integrity":
"sha512-+t2Z/GwkZQDtu00813aP66ygViGtPHKhhoFZpQKpKrE+9jIgES+Zw+mFNaDWOVRKiuJjuqKHzD3B1sfGg8+ZOQ==",
+ "version": "7.28.0",
+ "resolved": "https://registry.npmjs.org/undici/-/undici-7.28.0.tgz",
+ "integrity":
"sha512-cRZYrTDwWznlnRiPjggAGxZXanty6M8RV1ff8Wm4LWXBp7/IG8v5DnOm74DtUBp9OONpK75YlPnIjQqX0dBDtA==",
"dev": true,
"license": "MIT",
"engines": {
diff --git a/zeppelin-web-angular/projects/zeppelin-react/package.json
b/zeppelin-web-angular/projects/zeppelin-react/package.json
index cf1e807d58..a17a90e6b6 100644
--- a/zeppelin-web-angular/projects/zeppelin-react/package.json
+++ b/zeppelin-web-angular/projects/zeppelin-react/package.json
@@ -50,5 +50,8 @@
"webpack": "5.105.4",
"webpack-cli": "5.1.4",
"webpack-dev-server": "5.2.4"
+ },
+ "overrides": {
+ "linkify-it": "^5.0.2"
}
}