Update dependencies in sdk/python/feast/ui
Is your feature request related to a problem? Please describe.
The dependencies have vulnerabilities. See #4439 for context.
Describe the solution you'd like
I would appreciate it if someone who knows JS stuff could upgrade those dependencies.
Describe alternatives you've considered
See #4439
I'm willing to open a change for this, but I would need some guidance for how to fix vulnerabilities using yarn.
Most of the vulnerabilities come from react-scripts, which hasn't been updated in 2.5 years. We'll need to eject to basically get rid of that dependency and start managing the setup ourselves, and then update or replace related dependencies. I'd be interested to try it out; I actually quickly tried a while ago but hit some errors.
For the rest, usually these commands go far:
# Upgrade multiple dependencies selectively at once to latest versions (also updates package.json)
yarn upgrade-interactive --latest
# Upgrade direct dependencies to latest versions (also updates package.json)
yarn add [--dev] <packages> # Use --dev if the dependencies are in devDependencies
# Upgrade direct dependencies and their transitive dependencies to latest versions (only updates yarn.lock)
yarn upgrade <packages>
Also yarn why <package> is useful for finding out why a package is in the project (which packages depend on it).
These are the direct dependencies we'd need to upgrade based on yarn audit:
% yarn audit | grep 'Dependency of' | sort | uniq
│ Dependency of │ @babel/core │
│ Dependency of │ @babel/preset-env │
│ Dependency of │ msw │
│ Dependency of │ protobufjs-cli │
│ Dependency of │ react-code-blocks │
│ Dependency of │ react-scripts │
│ Dependency of │ rollup-plugin-copy │
│ Dependency of │ rollup-plugin-svgo │
I'd be happy to try upgrading the others too, and would start from them.
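Added example, not part of the original thread or the Feast code base: the same triage as the `grep 'Dependency of'` pipeline above, done over `yarn audit --json` output so each direct dependency also carries its worst severity and the vulnerable modules it pulls in. It assumes Yarn 1 (classic) line-delimited `auditAdvisory` records; the `example-*` module names and the severities in the sample are constructed.

```javascript
// Added example: rank direct dependencies from Yarn 1 `yarn audit --json` output.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

function groupByDirectDependency(ndjson) {
  const groups = new Map();
  for (const line of ndjson.split("\n")) {
    let record;
    try {
      record = JSON.parse(line);
    } catch {
      continue; // blank lines, warnings and other non-JSON output
    }
    if (!record || record.type !== "auditAdvisory") continue;
    const { resolution, advisory } = record.data;
    // First element of the resolution path is the package.json entry to upgrade.
    const direct = resolution.path.split(">")[0];
    const entry = groups.get(direct) ?? { direct, worst: "info", modules: new Set() };
    entry.modules.add(advisory.module_name);
    if (SEVERITY_RANK[advisory.severity] > SEVERITY_RANK[entry.worst]) {
      entry.worst = advisory.severity;
    }
    groups.set(direct, entry);
  }
  return [...groups.values()]
    .map((e) => ({ direct: e.direct, worst: e.worst, modules: [...e.modules].sort() }))
    .sort((a, b) =>
      SEVERITY_RANK[b.worst] - SEVERITY_RANK[a.worst] || (a.direct < b.direct ? -1 : 1));
}

// Constructed sample: direct dependency names come from the audit listing above;
// the transitive module names and severities are placeholders, not real findings.
const advisory = (path, module_name, severity) =>
  JSON.stringify({ type: "auditAdvisory", data: { resolution: { path }, advisory: { module_name, severity } } });
const SAMPLE = [
  "warning constructed non-JSON line",
  advisory("react-scripts>webpack>example-a", "example-a", "high"),
  advisory("react-scripts>example-b", "example-b", "critical"),
  advisory("react-scripts>jest>example-a", "example-a", "high"),
  advisory("msw>example-c", "example-c", "moderate"),
  advisory("@babel/core>example-d", "example-d", "moderate"),
  JSON.stringify({ type: "auditSummary", data: {} }),
].join("\n");

for (const g of groupByDirectDependency(SAMPLE)) {
  console.log(`${g.worst.padEnd(8)} ${g.direct}: ${g.modules.join(", ")}`);
}
```

On a real checkout, pass the captured output of `yarn audit --json` to `groupByDirectDependency` in place of `SAMPLE`.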