Skip to content

feat(sec): resolve all vuln alerts in superset-embedded-sdk, superset-frontend and docs#41776

Merged
rusackas merged 8 commits into
masterfrom
feat/resolve-all-dependabot-vuln-alerts
Jul 6, 2026
Merged

feat(sec): resolve all vuln alerts in superset-embedded-sdk, superset-frontend and docs#41776
rusackas merged 8 commits into
masterfrom
feat/resolve-all-dependabot-vuln-alerts

Conversation

@hainenber

Copy link
Copy Markdown
Contributor

feat(sec): resolve all vuln alerts in superset-embedded-sdk, superset-frontend and docs

SUMMARY

Aside from fixing ALL vuln alerts at the time of writing for said directories, there are a few notable changes in this PR as well:

  • Accept webpack.extend.ts in docs into tsconfig.json for type checking and corresponding type fix.
  • Manually load YAML-based INTHEWILD file to remove usage of unmaintained js-yaml-loader.

Regarding 2nd item, I've manually checked and there are no discrepancies between docs built locally and what has been deployed

Locally build docs
image

Deployed docs
image

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

N/A

TESTING INSTRUCTIONS

Green CI for acceptance criterion

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API

hainenber added 5 commits July 4, 2026 15:47
Signed-off-by: hainenber <dotronghai96@gmail.com>
…Webpack loader

Signed-off-by: hainenber <dotronghai96@gmail.com>
…ed Webpack config

Signed-off-by: hainenber <dotronghai96@gmail.com>
Signed-off-by: hainenber <dotronghai96@gmail.com>
@github-actions github-actions Bot added doc Namespace | Anything related to documentation embedded labels Jul 5, 2026
@bito-code-review

bito-code-review Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Bito Automatic Review Skipped - Large PR

Bito didn't auto-review this change because the pull request exceeded the line limit. No action is needed if you didn't intend for the agent to review it. Otherwise, to manually trigger a review, type /review in a comment and save.

@netlify

netlify Bot commented Jul 5, 2026

Copy link
Copy Markdown

Deploy Preview for superset-docs-preview ready!

Name Link
🔨 Latest commit 0fb6ec2
🔍 Latest deploy log https://app.netlify.com/projects/superset-docs-preview/deploys/6a4bf5b99584670007c8242a
😎 Deploy Preview https://deploy-preview-41776--superset-docs-preview.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.
🤖 Make changes Run an agent on this branch

To edit notification comments on pull requests, go to your Netlify project configuration.

@codecov

codecov Bot commented Jul 5, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 64.73%. Comparing base (83d93b8) to head (0fb6ec2).
⚠️ Report is 4 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #41776      +/-   ##
==========================================
- Coverage   64.74%   64.73%   -0.01%     
==========================================
  Files        2687     2687              
  Lines      148747   148747              
  Branches    34330    34330              
==========================================
- Hits        96299    96293       -6     
- Misses      50681    50687       +6     
  Partials     1767     1767              
Flag Coverage Δ
javascript 69.57% <ø> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR focuses on reducing security vulnerability alerts by updating/overriding vulnerable transitive JS dependencies across superset-frontend, superset-embedded-sdk, and docs, and by removing reliance on the unmaintained js-yaml-loader in the docs build.

Changes:

  • Added/updated dependency overrides/resolutions to pull in patched js-yaml versions (and related transitive updates) across the frontend and docs workspaces.
  • Replaced js-yaml-loader with Webpack 5’s asset/source for YAML in docs, and updated pages to parse YAML at runtime via js-yaml.
  • Included docs/src/webpack.extend.ts in TypeScript checking and adjusted types accordingly (including YAML module types and a DB metadata type fix).

Reviewed changes

Copilot reviewed 8 out of 12 changed files in this pull request and generated no comments.

Show a summary per file
File Description
superset-frontend/package.json Adds an npm overrides rule to force lerna’s js-yaml to a patched version.
superset-frontend/package-lock.json Updates the lockfile to reflect patched js-yaml versions and related dependency graph changes.
superset-embedded-sdk/package.json Bumps Babel toolchain devDependencies to newer patched versions.
superset-embedded-sdk/package-lock.json Updates the lockfile to match the Babel/tooling upgrades.
docs/tsconfig.json Stops excluding src/webpack.extend.ts so it is type-checked.
docs/src/webpack.extend.ts Switches YAML handling from js-yaml-loader to asset/source (raw string).
docs/src/types/yaml.d.ts Updates YAML module typing to string to match asset/source behavior.
docs/src/pages/inTheWild.tsx Parses the YAML string via js-yaml’s load() instead of casting the import directly.
docs/src/pages/index.tsx Same YAML parsing change as inTheWild.tsx for the homepage carousel data.
docs/src/components/databases/types.ts Aligns limit_method typing with numeric values in generated databases.json.
docs/package.json Removes js-yaml-loader dependency and adds Yarn resolutions to pin patched js-yaml transitive versions.
Files not reviewed (1)
  • superset-frontend/package-lock.json: Generated file

claude added 2 commits July 6, 2026 11:34
docs/yarn.lock regenerated from the merged manifests.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Takes master's js-yaml ^5.2.0 bump while keeping the js-yaml-loader
removal; docs/yarn.lock regenerated.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

@rusackas rusackas left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @hainenber, LGTM. I checked the resolution pins actually landed in the lockfiles (gray-matter's js-yaml on the patched 3.15.0, the 4.x line on 4.3.0), and dropping the swagger-client resolution was right... it was holding the transitive range back from 3.37.5. The limit_method type fix checks out too, databases.json really does store numbers there.

I pushed a couple of merge commits to resolve conflicts with master's js-yaml 5.2.0 bump (kept your loader removal, took the newer pin, regenerated docs/yarn.lock). The one red shard was the flaky DatabaseModal visibility test, unrelated to this... it passed on rerun, and I'll deal with that test separately. Merging!

@rusackas rusackas merged commit 69ce27f into master Jul 6, 2026
79 of 80 checks passed
@rusackas rusackas deleted the feat/resolve-all-dependabot-vuln-alerts branch July 6, 2026 19:14
@bito-code-review

Copy link
Copy Markdown
Contributor

Bito Automatic Review Skipped – PR Already Merged

Bito scheduled an automatic review for this pull request, but the review was skipped because this PR was merged before the review could be run.
No action is needed if you didn't intend to review it. To get a review, you can type /review in a comment and save it

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies:npm doc Namespace | Anything related to documentation embedded size/XXL

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants