feat(sec): resolve all vuln alerts in superset-embedded-sdk, superset-frontend and docs#41776
Conversation
Signed-off-by: hainenber <dotronghai96@gmail.com>
…Webpack loader Signed-off-by: hainenber <dotronghai96@gmail.com>
…ed Webpack config Signed-off-by: hainenber <dotronghai96@gmail.com>
Signed-off-by: hainenber <dotronghai96@gmail.com>
|
Bito Automatic Review Skipped - Large PR |
✅ Deploy Preview for superset-docs-preview ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #41776 +/- ##
==========================================
- Coverage 64.74% 64.73% -0.01%
==========================================
Files 2687 2687
Lines 148747 148747
Branches 34330 34330
==========================================
- Hits 96299 96293 -6
- Misses 50681 50687 +6
Partials 1767 1767
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
There was a problem hiding this comment.
Pull request overview
This PR focuses on reducing security vulnerability alerts by updating/overriding vulnerable transitive JS dependencies across superset-frontend, superset-embedded-sdk, and docs, and by removing reliance on the unmaintained js-yaml-loader in the docs build.
Changes:
- Added/updated dependency overrides/resolutions to pull in patched
js-yamlversions (and related transitive updates) across the frontend and docs workspaces. - Replaced
js-yaml-loaderwith Webpack 5’sasset/sourcefor YAML indocs, and updated pages to parse YAML at runtime viajs-yaml. - Included
docs/src/webpack.extend.tsin TypeScript checking and adjusted types accordingly (including YAML module types and a DB metadata type fix).
Reviewed changes
Copilot reviewed 8 out of 12 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| superset-frontend/package.json | Adds an npm overrides rule to force lerna’s js-yaml to a patched version. |
| superset-frontend/package-lock.json | Updates the lockfile to reflect patched js-yaml versions and related dependency graph changes. |
| superset-embedded-sdk/package.json | Bumps Babel toolchain devDependencies to newer patched versions. |
| superset-embedded-sdk/package-lock.json | Updates the lockfile to match the Babel/tooling upgrades. |
| docs/tsconfig.json | Stops excluding src/webpack.extend.ts so it is type-checked. |
| docs/src/webpack.extend.ts | Switches YAML handling from js-yaml-loader to asset/source (raw string). |
| docs/src/types/yaml.d.ts | Updates YAML module typing to string to match asset/source behavior. |
| docs/src/pages/inTheWild.tsx | Parses the YAML string via js-yaml’s load() instead of casting the import directly. |
| docs/src/pages/index.tsx | Same YAML parsing change as inTheWild.tsx for the homepage carousel data. |
| docs/src/components/databases/types.ts | Aligns limit_method typing with numeric values in generated databases.json. |
| docs/package.json | Removes js-yaml-loader dependency and adds Yarn resolutions to pin patched js-yaml transitive versions. |
Files not reviewed (1)
- superset-frontend/package-lock.json: Generated file
docs/yarn.lock regenerated from the merged manifests. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Takes master's js-yaml ^5.2.0 bump while keeping the js-yaml-loader removal; docs/yarn.lock regenerated. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
rusackas
left a comment
There was a problem hiding this comment.
Thanks @hainenber, LGTM. I checked the resolution pins actually landed in the lockfiles (gray-matter's js-yaml on the patched 3.15.0, the 4.x line on 4.3.0), and dropping the swagger-client resolution was right... it was holding the transitive range back from 3.37.5. The limit_method type fix checks out too, databases.json really does store numbers there.
I pushed a couple of merge commits to resolve conflicts with master's js-yaml 5.2.0 bump (kept your loader removal, took the newer pin, regenerated docs/yarn.lock). The one red shard was the flaky DatabaseModal visibility test, unrelated to this... it passed on rerun, and I'll deal with that test separately. Merging!
|
Bito Automatic Review Skipped – PR Already Merged |
feat(sec): resolve all vuln alerts in
superset-embedded-sdk,superset-frontendanddocsSUMMARY
Aside from fixing ALL vuln alerts at the time of writing for said directories, there are a few notable changes in this PR as well:
webpack.extend.tsin docs into tsconfig.json for type checking and corresponding type fix.INTHEWILDfile to remove usage of unmaintainedjs-yaml-loader.Regarding 2nd item, I've manually checked and there are no discrepancies between
docsbuilt locally and what has been deployedLocally build

docsDeployed

docsBEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
N/A
TESTING INSTRUCTIONS
Green CI for acceptance criterion
ADDITIONAL INFORMATION