
Bump vite in UI packages to patched releases #66798

Status: Closed

arpitjain099 wants to merge 1 commit into apache:main from arpitjain099:security/bump-vite-ui-packages


Conversation

@arpitjain099
Contributor

Summary

  • Bump vite to patched ranges in both UI package manifests:
    • airflow-core/src/airflow/ui/package.json: ^5.4.17 -> ^5.4.18 (resolves to 5.4.21 in lockfile)
    • airflow-core/src/airflow/api_fastapi/auth/managers/simple/ui/package.json: ^6.2.6 -> ^6.4.2
  • Refresh related lockfiles:
    • both pnpm-lock.yaml files
    • package-lock.json in the simple auth UI package

Why

Dependabot flags multiple vulnerabilities in vulnerable Vite ranges used by these UI packages (including advisories patched in 5.4.18+ and 6.4.2+). This updates the direct dependency constraints and lockfiles to patched versions.

Validation

  • pnpm install --frozen-lockfile --ignore-scripts in airflow-core/src/airflow/ui
  • pnpm install --frozen-lockfile --ignore-scripts in airflow-core/src/airflow/api_fastapi/auth/managers/simple/ui
  • npm ci --ignore-scripts --legacy-peer-deps in airflow-core/src/airflow/api_fastapi/auth/managers/simple/ui
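
Whether a caret range in package.json actually yields a patched release is decided by the lockfile, which is why this PR refreshes both pnpm-lock.yaml files and the package-lock.json alongside the manifests. As an added example (not code from this PR or from Airflow), the checker below pulls the resolved vite version out of constructed lockfile excerpts and compares it with the patched minimums the description cites; the lockfile samples and the `PATCHED_MINIMUM` table are assumptions of the example.

```python
import re

# Minimum patched vite release per major line, taken from the PR description
# (5.4.18+ and 6.4.2+). Majors not listed here are not judged by this checker.
PATCHED_MINIMUM = {5: (5, 4, 18), 6: (6, 4, 2)}

# Constructed lockfile excerpts (not the real Airflow lockfiles), shaped like a
# pnpm-lock.yaml v9 "packages:" section and an npm package-lock.json v3 entry.
PNPM_LOCK_SAMPLE = """\
lockfileVersion: '9.0'
packages:
  vite@5.4.21:
    resolution: {integrity: sha512-PLACEHOLDER}
  vitest@3.0.0:
    resolution: {integrity: sha512-PLACEHOLDER}
"""
NPM_LOCK_SAMPLE = """\
{
  "name": "simple-auth-manager-ui",
  "lockfileVersion": 3,
  "packages": {
    "node_modules/vite": { "version": "6.2.6" },
    "node_modules/@vitejs/plugin-react": { "version": "4.3.4" }
  }
}
"""

def parse_version(text):
    """Turn '5.4.21' into (5, 4, 21) so versions compare as tuples."""
    return tuple(int(p) for p in re.match(r"(\d+)\.(\d+)\.(\d+)", text).groups())

def resolved_vite_versions(lock_text):
    """Every vite version the lockfile resolves to (vitest/@vitejs entries are ignored).
    Matches 'vite@X.Y.Z' (pnpm) and '"node_modules/vite": {"version": "X.Y.Z"' (npm)."""
    pnpm = re.findall(r"^\s*vite@(\d+\.\d+\.\d+)", lock_text, re.M)
    npm = re.findall(r'"node_modules/vite":\s*\{\s*"version":\s*"(\d+\.\d+\.\d+)"', lock_text)
    return [parse_version(v) for v in pnpm + npm]

def unpatched_vite(lock_text):
    """Resolved versions that fall below the patched minimum for their major line."""
    findings = []
    for ver in resolved_vite_versions(lock_text):
        minimum = PATCHED_MINIMUM.get(ver[0])
        if minimum is not None and ver < minimum:
            findings.append(ver)
    return findings

def check_lockfiles(lock_texts):
    """True only when every lockfile resolves vite to a patched release."""
    return all(not unpatched_vite(t) for t in lock_texts)
```

Run against the real files by reading each lockfile into a string and passing it to `unpatched_vite`; an empty list means the resolved release is at or above the patched minimum.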

boring-cyborg (bot) added the labels area:API (Airflow's REST/HTTP API) and area:UI (Related to UI/UX. For Frontend Developers.) on May 12, 2026
@bbovenzi
Contributor

Merge conflicts

@arpitjain099
Contributor Author

@bbovenzi rebased and same story as #66797 - moot. Main has moved vite to ^8.0.8 and ^8.0.10 in the two UIs, while this PR was bumping to ^5.4.18 / ^6.4.2. Both bumps have been superseded. Closing.
