
fix: UI vulnerabilities#26216

Merged
chirag-madlani merged 3 commits into main from fix-omd-ui-vulnerability
Mar 5, 2026

Conversation

@harsh-vador (Contributor)

@harsh-vador harsh-vador commented Mar 4, 2026

Describe your changes:

Fixes:

Summary

Patches transitive npm dependency security vulnerabilities in both openmetadata-ui and openmetadata-ui-core-components by adding/updating resolutions in their respective package.json files.

Vulnerabilities Fixed

#    Package    Affected Versions    Patched Version   Impacted Lock File
311  rollup     >= 4.0.0, < 4.59.0   4.59.0            openmetadata-ui + openmetadata-ui-core-components
310  minimatch  >= 9.0.0, < 9.0.7    9.0.7             openmetadata-ui + openmetadata-ui-core-components
309  minimatch  >= 10.0.0, < 10.2.3  10.2.3            openmetadata-ui + openmetadata-ui-core-components
     minimatch  < 3.1.4              3.1.4             openmetadata-ui

CVE Details

  • Rollup Arbitrary File Write (Path Traversal) — Insecure output filename sanitization allows traversal sequences (../) to overwrite arbitrary files on the host, enabling persistent RCE. Introduced transitively via vite.
  • minimatch ReDoS — matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments causes denial of service. Affects 3.x, 9.x, and 10.x ranges introduced via eslint, jest, @storybook/react-vite, and vite-plugin-dts.

Changes

  • openmetadata-ui/src/main/resources/ui/package.json

    • minimatch: 3.1.3 → 3.1.4
    • Added rollup: 4.59.0
    • Added @storybook/react-vite/minimatch: 9.0.7
    • Added vite-plugin-dts/minimatch: 10.2.3
  • openmetadata-ui-core-components/src/main/resources/ui/package.json

    • Added new resolutions block with rollup: 4.59.0, @storybook/react-vite/minimatch: 9.0.7, vite-plugin-dts/minimatch: 10.2.3

Test plan

  • yarn install in both UI packages regenerates lock files with patched versions
  • yarn build passes in both packages
  • Security scanner reports no remaining CVEs for rollup and minimatch

Type of change:

  • Bug fix
  • Improvement
  • New feature
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation

Checklist:

  • I have read the CONTRIBUTING document.
  • My PR title is Fixes <issue-number>: <short explanation>
  • I have commented on my code, particularly in hard-to-understand areas.
  • For JSON Schema changes: I updated the migration scripts or explained why it is not needed.

@harsh-vador harsh-vador self-assigned this Mar 4, 2026
@harsh-vador harsh-vador added the "UI" label (UI specific issues) Mar 4, 2026
@harsh-vador harsh-vador requested review from a team and karanh37 as code owners March 4, 2026 09:11
@harsh-vador harsh-vador added the "safe to test" label (Add this label to run secure Github workflows on PRs) Mar 4, 2026
siddhant1 previously approved these changes Mar 4, 2026
@harsh-vador harsh-vador removed and re-added the "safe to test" label Mar 4, 2026

github-actions Bot commented Mar 4, 2026

Jest test Coverage

UI tests summary

Lines       65%
Statements  65.93% (57229/86801)
Branches    45.52% (30194/66320)
Functions   48.38% (9072/18751)

chirag-madlani previously approved these changes Mar 4, 2026

gitar-bot Bot commented Mar 5, 2026

🔍 CI failure analysis for 9e80b05: The `playwright-ci-postgresql (6, 6)` failure is unrelated to this PR — it consists of one pre-existing hard failure and four flaky tests, none caused by the `rollup`/`minimatch` version pins in `package.json`/`yarn.lock`.

Issue

The playwright-ci-postgresql (6, 6) job failed with 1 hard failure and 4 flaky tests. None of these failures are related to this PR, which only modifies package.json and yarn.lock files to pin rollup and minimatch versions.

Root Cause

Hard Failure: playwright/e2e/Pages/Lineage.spec.ts:466:5 — expect(locator).toBeVisible() times out (5s) because the lineage node for a table with a / in its name (data-testid containing pw-table-with/slash-...) never renders in the DOM. This is a pre-existing application bug in how special-character entity names are handled in lineage views.

Flaky Tests (4 intermittent failures):

  • playwright/e2e/Pages/Tag.spec.ts:571 — expect(locator).not.toBeVisible() fails: pw-mlmodel entity remains visible when it should not be (access control state race condition)
  • playwright/e2e/Pages/UserDetails.spec.ts:492 — 60s timeout; browser context closed mid-test (locator.click: Target page, context or browser has been closed)
  • playwright/e2e/Pages/Users.spec.ts:570 — 180s timeout; browser context closed mid-test (locator.waitFor: Target page, context or browser has been closed)
  • playwright/e2e/VersionPages/EntityVersionPages.spec.ts:152 — TypeError: Cannot read properties of undefined (reading '0') in SearchIndexClass.ts:169; entityResponseData.fields is undefined/null in the test fixture

Details

  • This PR only modifies package.json/yarn.lock — no application logic, UI components, or test code was changed
  • The Lineage.spec.ts:466 hard failure and similar flaky tests were also observed in the previous CI run on this PR, confirming these are pre-existing issues not introduced by these changes
  • 596 tests passed; only these 5 tests exhibited issues
  • The browser context closure failures (UserDetails, Users) indicate resource/infrastructure flakiness during the long-running (~58 min) test suite, unrelated to dependency version changes
Code Review ✅ Approved

UI vulnerability fixes applied with no issues found. Changes are safe to test and ready to merge.

@sonarqubecloud

sonarqubecloud Bot commented Mar 5, 2026

@chirag-madlani chirag-madlani disabled auto-merge March 5, 2026 09:08
@chirag-madlani chirag-madlani merged commit bf526c7 into main Mar 5, 2026
22 of 23 checks passed
@chirag-madlani chirag-madlani deleted the fix-omd-ui-vulnerability branch March 5, 2026 09:08
harsh-vador added a commit that referenced this pull request Mar 16, 2026
(cherry picked from commit bf526c7)

Labels

safe to test (Add this label to run secure Github workflows on PRs); UI (UI specific issues)

3 participants