@chirag-madlani (Collaborator) commented Sep 9, 2025

Snyk has created this PR to fix 1 vulnerability in the yarn dependencies of this project.

Snyk changed the following file(s):

  • openmetadata-ui/src/main/resources/ui/package.json
  • openmetadata-ui/src/main/resources/ui/yarn.lock

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory, meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project. You will need to run yarn to update the contents of the .yarn/cache directory.
If you are not using zero-install you can ignore this as your flow should likely be unchanged.

Vulnerabilities that will be fixed with an upgrade:

Issue: medium severity Regular Expression Denial of Service (ReDoS)
Identifier: SNYK-JS-CODEMIRROR-10494092
Score: 666

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.


Summary by Gitar

  • Breaking dependency upgrade: CodeMirror v6 is a complete architectural rewrite with new @codemirror/* scoped package structure (adds 10+ new dependencies including Lezer parser system)
  • Migration considerations: v5→v6 requires code changes for components using CodeMirror APIs (migration guide)

…a-ui/src/main/resources/ui/yarn.lock to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-CODEMIRROR-10494092
@gitar-bot (bot) commented Jan 27, 2026

🔍 CI failure analysis for 4b90a09: All 7 CI failures (6 playwright jobs + ui-coverage-tests) caused by incomplete CodeMirror 5→6 migration. The v5 addon system no longer exists in v6.

Issue

All CI jobs failing with identical module resolution errors during build and test phases.

Root Cause

The Snyk security fix upgraded CodeMirror from 5.65.16 to 6.0.0 (commit 1ab2d105) to address vulnerability SNYK-JS-CODEMIRROR-10494092. However, CodeMirror 6 is a complete architectural rewrite that removed the v5 addon system entirely.

The PR only updated package.json and yarn.lock but did not migrate the application code to use CodeMirror 6's new API.

Details

All Failed Jobs (7 total):

Playwright CI - Build failures during Vite bundling:

  • playwright-ci-postgresql (1, 6) - Job 61581003839
  • playwright-ci-postgresql (2, 6) - Job 61581003515
  • playwright-ci-postgresql (3, 6) - Job 61581003514
  • playwright-ci-postgresql (4, 6) - Job 61581003502
  • playwright-ci-postgresql (5, 6) - Job 61581003521
  • playwright-ci-postgresql (6, 6) - Job 61581003534

UI Coverage Tests - Test suite import failures:

  • ui-coverage-tests - Job 61581004108 (452 test suites failed)

Common Error:

[commonjs--resolver] Missing "./addon/edit/closebrackets.js" specifier in "codemirror" package

Affected Files (5 files with v5 addon imports):

  1. src/components/Database/SchemaEditor/SchemaEditor.tsx (lines 18-23)
  2. src/components/Database/SchemaEditor/CodeEditor.tsx (lines 17-23)
  3. src/components/Database/Profiler/TableProfiler/ProfilerSettingsModal/ProfilerSettingsModal.tsx
  4. src/components/common/RichTextEditor/CustomHtmlRederer/CustomHtmlRederer.tsx
  5. src/components/DataQuality/AddDataQualityTest/components/ParameterForm.tsx

Breaking Imports:

import 'codemirror/addon/edit/closebrackets.js';     // ❌ Not in v6
import 'codemirror/addon/edit/matchbrackets.js';     // ❌ Not in v6
import 'codemirror/addon/fold/brace-fold';           // ❌ Not in v6
import 'codemirror/addon/fold/foldgutter.js';        // ❌ Not in v6
import 'codemirror/addon/selection/active-line';     // ❌ Not in v6
import 'codemirror/addon/runmode/runmode';           // ❌ Not in v6

Additional Blocker:
The project uses react-codemirror2@7.2.1, which only supports CodeMirror 5.x (peer dependency mismatch).

Architecture Change:

  • CodeMirror 5: Monolithic package with addon system
  • CodeMirror 6: Modular packages (@codemirror/state, @codemirror/view, @codemirror/language, etc.) with extension-based architecture

Code Review: Blocked (0 resolved / 1 finding)

Security fix upgrades CodeMirror 5→6 to address ReDoS vulnerability, but this is a breaking change that requires application code migration. Without updating existing CM5 usage in the codebase, this will likely cause runtime failures.

🚨 Bug: CodeMirror 5→6 major version upgrade may break existing code

File: openmetadata-ui/src/main/resources/ui/package.json:93
References: CodeMirror 5 to 6 Migration Guide, SNYK-JS-CODEMIRROR-10494092

This PR upgrades CodeMirror from version 5.65.16 to 6.0.0, which is a major version breaking change. CodeMirror 6 has a completely different architecture and API from version 5:

Breaking changes include:

  • CM5 uses a single monolithic package; CM6 uses modular @codemirror/* scoped packages
  • Different editor instantiation: CM5's CodeMirror() constructor vs CM6's EditorView class
  • Different state management: CM5 uses imperative API vs CM6's immutable state model
  • Different extension/plugin system
  • Different DOM structure and styling approach

The PR only updates the dependency version without any application code changes. Any existing code using CodeMirror's CM5 API will likely fail at runtime with errors like CodeMirror is not a constructor or similar.

Recommended action:

  1. Search the codebase for existing CodeMirror usage (e.g., imports from 'codemirror', CodeMirror editor instances)
  2. Either:
    • Update application code to use the CM6 API (migration guide), OR
    • If extensive changes are needed, consider whether a minor security patch for CM5 is available instead

Note: The Snyk metadata explicitly flags "isBreakingChange": true for this upgrade.

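As an added example (not code from the PR, Snyk, Gitar or the OpenMetadata repository), a small TypeScript audit that flags the v5 addon imports quoted in the CI analysis above, names the CodeMirror 6 extension that replaces each one (closeBrackets, bracketMatching, foldGutter and highlightActiveLine are CodeMirror 6's own exports; the mapping text is mine), and checks package.json for the react-codemirror2 peer mismatch the analysis points out. The sample source and dependency objects are constructed.

```typescript
// Added example, not the PR's or the project's code: audits source for the v5
// addon imports quoted in the CI analysis and names the v6 replacement.
interface Finding {
  line: number; // 1-based line in the scanned source
  v5Import: string; // module specifier as written
  v6Replacement: string; // v6 extension, or a note when there is no drop-in
}
// v5 addon paths (".js" suffix stripped) mapped to their v6 equivalents.
const V6_EQUIVALENTS: Record<string, string> = {
  "codemirror/addon/edit/closebrackets": "closeBrackets() from @codemirror/autocomplete",
  "codemirror/addon/edit/matchbrackets": "bracketMatching() from @codemirror/language",
  "codemirror/addon/fold/brace-fold":
    "folding is driven by the language package's syntax tree; add foldGutter() from @codemirror/language",
  "codemirror/addon/fold/foldgutter": "foldGutter() from @codemirror/language",
  "codemirror/addon/selection/active-line": "highlightActiveLine() from @codemirror/view",
  "codemirror/addon/runmode/runmode": "no drop-in v6 extension; rewrite by hand",
};
// Side-effect imports (`import 'x'`) and `import ... from 'x'` forms.
const IMPORT_RE = /^\s*import\s+(?:[\s\S]*?\s+from\s+)?['"]([^'"]+)['"]/;
function auditCodeMirrorImports(source: string): Finding[] {
  const findings: Finding[] = [];
  source.split("\n").forEach((text, idx) => {
    const m = IMPORT_RE.exec(text);
    if (!m) return;
    const spec = m[1].replace(/\.js$/, "");
    if (!spec.startsWith("codemirror/addon/")) return;
    findings.push({
      line: idx + 1,
      v5Import: m[1],
      v6Replacement: V6_EQUIVALENTS[spec] || "unlisted v5 addon; consult the migration guide",
    });
  });
  return findings;
}
// True when package.json still pairs react-codemirror2 (CodeMirror 5 only, per
// the CI analysis) with a codemirror major version of 6 or higher.
function hasPeerMismatch(deps: Record<string, string>): boolean {
  const cm = deps["codemirror"];
  if (!cm || !deps["react-codemirror2"]) return false;
  return parseInt(cm.replace(/^[\^~]/, ""), 10) >= 6;
}
// Constructed sample mirroring the imports quoted above.
const SAMPLE_SOURCE = [
  "import React from 'react';",
  "import 'codemirror/addon/edit/closebrackets.js';",
  "import 'codemirror/addon/fold/brace-fold';",
  "import 'codemirror/addon/runmode/runmode';",
  "import { Controlled as CodeMirror } from 'react-codemirror2';",
].join("\n");
```

Running `auditCodeMirrorImports` over each of the five affected files and `hasPeerMismatch` over the dependencies in package.json gives the migration checklist the Gitar review asks for before the bump is merged.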

"axios": "1.12.0",
"classnames": "^2.3.1",
"codemirror": "^5.65.16",
"codemirror": "^6.0.0",
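Review bot: the bump to "codemirror": "^6.0.0" here is a major-version change, and the CI analysis above notes that the lockfile still resolves react-codemirror2@7.2.1, which only supports CodeMirror 5.x; before merging, either pin the latest patched 5.x release if one is available for SNYK-JS-CODEMIRROR-10494092, or land the react-codemirror2 replacement and the migration of the six v5 addon imports in the same change so the Vite build and the test suites do not fail on module resolution.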

Labels: safe to test (Add this label to run secure Github workflows on PRs), UI (UI specific issues)
