chore(deps): bump vulnerable transitive deps across lockfiles #41307

Open
rusackas wants to merge 1 commit into master from chore/sec-bump-transitive-deps

Conversation

@rusackas

Member

SUMMARY

Clears a batch of open Dependabot security alerts for transitive npm/yarn dependencies by pinning patched versions via npm overrides / yarn resolutions. No direct/runtime API changes — all bumps are same-major (except ws for one dev-only consumer, see below) and the lockfiles are regenerated with the repo's pinned toolchain (node 24 / npm 11 / yarn 1.22).

Alerts addressed (10 of the 16 open npm/yarn alerts):

| Lockfile | Package | Advisories |
|---|---|---|
| superset-frontend/package-lock.json | dompurify 3.4.11 | GHSA-cmwh-pvxp-8882, GHSA-vxr8-fq34-vvx9, GHSA-gvmj-g25r-r7wr |
| | esbuild 0.28.1 | GHSA-g7r4-m6w7-qqqr |
| | http-proxy-middleware 2.0.10 | GHSA-64mm-vxmg-q3vj |
| | tar 7.5.16 | GHSA-vmf3-w455-68vh |
| docs/yarn.lock | ws 8.21.0 | GHSA-96hv-2xvq-fx4p (×2, HIGH) |
| superset-websocket/package-lock.json | @babel/core 7.29.7 | GHSA-4x5r-pxfx-6jf8 |
| superset-frontend/cypress-base/package-lock.json | @babel/core 7.29.7 | GHSA-4x5r-pxfx-6jf8 |

Notes / deliberate decisions:

  • js-yaml (GHSA-h67p-54hq-rp68) is intentionally left out. The only patched release is 4.2.0, but the remaining vulnerable instance everywhere is js-yaml@3.14.2, pulled in by @istanbuljs/load-nyc-config (jest coverage tooling) which relies on the v3 API (safeLoad) removed in v4. Forcing v4 globally breaks the build. It needs upstream consumer upgrades and is better handled separately. This also leaves superset-embedded-sdk (js-yaml-only) untouched.
  • docs ws: yarn classic (1.22) can only force a single version globally, so all ws consumers (storybook, webpack-dev-server, and webpack-bundle-analyzer) move to 8.21.0. webpack-bundle-analyzer's declared range was ^7.3.1, but it's a dev-only tool used only in optional analyze mode and its WebSocket.Server usage is compatible across ws 7→8.
  • Flask / PyJWT (pip alerts) are out of scope here: PyJWT is already handled in chore(deps): bump pyjwt to 2.13.0 (CVE-2026-48526) #41288, and the Flask alert requires the in-progress 2.x→3.x major upgrade.

TESTING INSTRUCTIONS

Lockfile-only changes; CI exercises the affected toolchains. Locally:

  • cd superset-frontend && npm ci && npm run build / npm run test
  • cd superset-websocket && npm ci && npm run test
  • cd docs && yarn install && yarn build

After merge, the listed Dependabot alerts should auto-close.

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration
  • Introduces new feature or API
  • Removes existing feature or API

🤖 Generated with Claude Code

Resolves several Dependabot security alerts by pinning patched versions
of transitive dependencies via npm `overrides` / yarn `resolutions`.

superset-frontend (package-lock.json):
- dompurify        -> 3.4.11  (GHSA-cmwh-pvxp-8882, -vxr8-fq34-vvx9, -gvmj-g25r-r7wr)
- esbuild          -> 0.28.1  (GHSA-g7r4-m6w7-qqqr)
- http-proxy-middleware -> 2.0.10 (GHSA-64mm-vxmg-q3vj)
- tar              -> 7.5.16  (GHSA-vmf3-w455-68vh)

docs (yarn.lock):
- ws               -> 8.21.0  (GHSA-96hv-2xvq-fx4p, two HIGH alerts; 7.x and 8.x consumers)

superset-websocket (package-lock.json):
- @babel/core      -> 7.29.7  (GHSA-4x5r-pxfx-6jf8)

superset-frontend/cypress-base (package-lock.json):
- @babel/core      -> 7.29.7  (GHSA-4x5r-pxfx-6jf8)

js-yaml (GHSA-h67p-54hq-rp68) is intentionally NOT bumped: the only
patched release is 4.2.0, but the remaining vulnerable instance is
js-yaml@3.14.2 pulled in by @istanbuljs/load-nyc-config (jest coverage
tooling) which uses the v3 API removed in v4. Forcing v4 would break the
build; it needs upstream consumer upgrades and is tracked separately.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
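An added check, not part of the PR, for the override workflow described above: after `npm ci` regenerates a lockfile, scan the lockfileVersion 3 package-lock for every installed copy of a pinned package that is still below the patched version. Nested copies are reported with their install path, which is exactly how the js-yaml@3.14.2 under @istanbuljs/load-nyc-config that the PR leaves in place would show up. The package names and minimum versions come from the PR's table; the lockfile contents and the `some-plugin` path are constructed.

```javascript
// Added example (not from the PR): confirm an npm override really took effect
// by scanning a lockfileVersion 3 package-lock for every installed instance of a
// package, top-level or nested, whose version is below the patched minimum.
// Minimum patched versions from the PR table; js-yaml is included to show how
// the nested instance the PR deliberately leaves unfixed is reported.
const MIN_VERSIONS = {
  dompurify: '3.4.11',
  'http-proxy-middleware': '2.0.10',
  '@babel/core': '7.29.7',
  'js-yaml': '4.2.0',
};
// Numeric compare of dotted versions; a prerelease suffix is ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}
// The package name is everything after the last "node_modules/", so scoped
// names such as @babel/core are preserved.
function packageName(lockPath) {
  return lockPath.slice(lockPath.lastIndexOf('node_modules/') + 'node_modules/'.length);
}
// Return every lock entry whose package is policed and whose version is below
// the minimum, with its install path so nested copies are visible.
function findVulnerableInstances(lock, minVersions) {
  const hits = [];
  for (const [p, entry] of Object.entries(lock.packages || {})) {
    if (!p.includes('node_modules/') || !entry.version) continue;
    const name = packageName(p);
    const min = minVersions[name];
    if (min && compareVersions(entry.version, min) < 0) {
      hits.push({ path: p, name, version: entry.version, min });
    }
  }
  return hits;
}
// Constructed sample lock: dompurify is patched everywhere, but a nested
// js-yaml@3.14.2 under @istanbuljs/load-nyc-config remains, as in the PR.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/dompurify': { version: '3.4.11' },
    'node_modules/some-plugin/node_modules/dompurify': { version: '3.4.11' },
    'node_modules/js-yaml': { version: '4.2.0' },
    'node_modules/@istanbuljs/load-nyc-config/node_modules/js-yaml': { version: '3.14.2' },
  },
};
```

Running `findVulnerableInstances` over a real package-lock.json (after `JSON.parse` of the file) gives an empty array only when no copy of a policed package is below its minimum, so an empty result is the condition to gate on in CI.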
@github-actions github-actions Bot added doc Namespace | Anything related to documentation dependencies:npm labels Jun 23, 2026
@netlify

netlify Bot commented Jun 23, 2026


Deploy Preview for superset-docs-preview ready!

Latest commit: 959ad67
Latest deploy log: https://app.netlify.com/projects/superset-docs-preview/deploys/6a39db0196b71f000833b63c
Deploy Preview: https://deploy-preview-41307--superset-docs-preview.netlify.app

@bito-code-review bito-code-review Bot left a comment

Contributor


Code Review Agent Run #531d4e

Actionable Suggestions - 1
Review Details
  • Files reviewed - 1 · Commit Range: 959ad67..959ad67
    • docs/yarn.lock
  • Files skipped - 7
    • docs/package.json - Reason: Filter setting
    • superset-frontend/cypress-base/package-lock.json - Reason: Filter setting
    • superset-frontend/cypress-base/package.json - Reason: Filter setting
    • superset-frontend/package-lock.json - Reason: Filter setting
    • superset-frontend/package.json - Reason: Filter setting
    • superset-websocket/package-lock.json - Reason: Filter setting
    • superset-websocket/package.json - Reason: Filter setting
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful

@codecov

codecov Bot commented Jun 23, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 64.34%. Comparing base (3b46a5f) to head (959ad67).

Additional details and impacted files
@@           Coverage Diff           @@
##           master   #41307   +/-   ##
=======================================
  Coverage   64.34%   64.34%           
=======================================
  Files        2653     2653           
  Lines      144952   144952           
  Branches    33433    33433           
=======================================
  Hits        93273    93273           
  Misses      49995    49995           
  Partials     1684     1684           
| Flag | Coverage Δ |
|---|---|
| javascript | 68.58% <ø> (ø) |


@rusackas rusackas requested review from hainenber and sha174n June 23, 2026 03:40