[pull] master from apache:master#568
Merged
pull[bot] merged 4 commits intomiqdigital:masterfrom Mar 9, 2026
### What is this PR for?
This PR updates the copyright year range in the NOTICE file from 2015-2025 to 2015-2026 to reflect ongoing development and contributions in 2026.

### What type of PR is it?
Documentation

### Todos
* [x] Update copyright year in NOTICE file

### What is the Jira issue?
* https://issues.apache.org/jira/browse/ZEPPELIN-6402

### How should this be tested?
* Verify that the NOTICE file contains the updated copyright year range "2015 - 2026"
* Confirm that no other changes were made to the NOTICE file

### Screenshots (if appropriate)
N/A

### Questions:
* Do the license files need to be updated? No.
* Are there breaking changes for older versions? No.
* Does this need documentation? No.

Closes #5177 from ParkGyeongTae/ZEPPELIN-6402.

Signed-off-by: ParkGyeongTae <gyeongtae@apache.org>
### What is this PR for?
Resolved all 16 npm audit vulnerabilities (8 high, 6 moderate, 2 low) in zeppelin-web-angular/projects/zeppelin-react.

Direct dependency upgrades:
- webpack 5.88.0 → 5.105.4 (moderate: DOM Clobbering XSS, SSRF)
- webpack-dev-server 4.15.0 → 5.2.3 (moderate: source code theft vulnerability)
- @antv/g2plot 2.4.35 → 2.3.32 (high: XSS, Path Traversal)
  - g2plot 2.4.35 pulls in fmin → rollup@2.x as a transitive dependency, which has 2 high severity vulnerabilities
  - g2plot 2.3.32 does not depend on fmin, so rollup is removed entirely
  - No API breaking changes: Column, Line, Pie, Scatter all available in 2.3.32
- xlsx 0.18.5 → replaced with xlsx-js-style 1.2.0 (high: Prototype Pollution, ReDoS)
  - All versions of xlsx on npm are vulnerable with no patched version available
  - xlsx-js-style is an API-compatible community fork with the vulnerabilities fixed
- @types/xlsx 0.0.36 → removed (no longer needed after xlsx replacement)

Transitive dependency fixes (via npm audit fix):
- lodash 4.17.21 → 4.17.23 (moderate: Prototype Pollution)
- lodash-es 4.17.21 → 4.17.23 (moderate: Prototype Pollution)
- node-forge 1.3.1 → 1.3.3 (high: ASN.1 vulnerabilities)
- serialize-javascript: resolved via webpack upgrade (high: RCE, dep removed in newer terser-webpack-plugin)
- qs/express/body-parser: audit fix (moderate: DoS)
- ajv: audit fix (moderate: ReDoS)

Constraints:
- Node 18 environment maintained (serialize-javascript 7.x requires Node >= 20, resolved by upgrading webpack instead)

Verification:
- npm audit → 0 vulnerabilities
- npm run build → success

Related Dependabot PRs (redundant, to be closed):
- #5168, #5169, #5170, #5171, #5172, #5173

### What type of PR is it?
Hot Fix

### Todos

### What is the Jira issue?
ZEPPELIN-6401

### How should this be tested?

### Screenshots (if appropriate)

### Questions:
* Do the license files need to be updated? No
* Are there breaking changes for older versions? No
* Does this need documentation? No

Closes #5176 from dididy/fix/zeppelin-react-audit.

Signed-off-by: ChanHo Lee <chanholee@apache.org>
### What is this PR for?
This PR bumps the testcontainers minor/patch versions.

The interpreter-test-non-core job has been failing intermittently. Based on the error pattern, this appears related to a compatibility issue between older Testcontainers versions and newer Docker Engine APIs (see: testcontainers/testcontainers-java#11212). Testcontainers released a patch to address this, so this PR updates Testcontainers to 1.21.4 (release notes: https://github.com/testcontainers/testcontainers-java/releases/tag/1.21.4).

### What type of PR is it?
Bug Fix

### What is the Jira issue?
* Open an issue on Jira: https://issues.apache.org/jira/browse/ZEPPELIN-6397

### How should this be tested?
Check `interpreter-test-non-core` job.

### Questions:
* Do the license files need to be updated? No
* Are there breaking changes for older versions? No
* Does this need documentation? No

Closes #5159 from tbonelee/bump-testcontainers-neo4j.

Signed-off-by: ChanHo Lee <chanholee@apache.org>
Bumps [immutable](https://github.com/immutable-js/immutable-js) from 4.3.7 to 4.3.8.
- [Release notes](https://github.com/immutable-js/immutable-js/releases)
- [Changelog](https://github.com/immutable-js/immutable-js/blob/main/CHANGELOG.md)
- [Commits](immutable-js/immutable-js@v4.3.7...v4.3.8)

---
updated-dependencies:
- dependency-name: immutable
  dependency-version: 4.3.8
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
See Commits and Changes for more details.
Created by pull[bot] (v2.0.0-alpha.4)
Can you help keep this open source service alive? 💖 Please sponsor : )