
ui: fix synk vulnerabilities #26278

Merged
chirag-madlani merged 1 commit into main from fix-synk-vulnerabilities
Mar 6, 2026

Conversation

harsh-vador (Contributor) commented Mar 6, 2026

Describe your changes:

Summary

Patches known npm dependency vulnerabilities in openmetadata-ui by updating direct dependencies and adding/updating resolutions entries to force safe versions across the transitive dependency tree.

Changes

openmetadata-ui/src/main/resources/ui/package.json

| Package | Change | CVE / Advisory |
| --- | --- | --- |
| dompurify (direct dep) | ^3.2.4 → ^3.2.7 | CVE-2025-15599 |
| dompurify (resolution) | 3.2.4 → 3.2.7 | CVE-2025-15599 |
| immutable (resolution added) | pinned to 4.3.8 | CVE-2026-29063 (CVSS 9.3) |
| prosemirror-model (resolution) | 1.18.1 → 1.22.1 | SNYK-JS-PROSEMIRRORMODEL-7838221 |
| @babel/runtime (resolution added) | pinned to 7.26.10 | CVE-2025-27789 |
| @tootallnate/once (resolution added) | pinned to 3.0.1 | Incorrect Control Flow Scoping |

openmetadata-ui-core-components/src/main/resources/ui/package.json

| Package | Change | Advisory |
| --- | --- | --- |
| vite-plugin-dts/minimatch (resolution already present) | 10.2.3 | SNYK-JS-MINIMATCH |

Notes

immutable pinned to 4.3.8 (not 5.1.5)

The CVE fix for immutable was patched in both 4.3.8 and 5.1.5. Pinning to 5.1.5 was attempted but causes a Vite/Rollup build failure: @react-awesome-query-builder/core uses `import Immutable from "immutable"` (default export), which was removed in 5.1.5. Version 4.3.8 retains the default export and is compatible with all consumers.

Not fixable in this PR

The following vulnerabilities have no available patch or require a
breaking upstream upgrade outside the scope of this change:

| Package | Reason |
| --- | --- |
| showdown@2.1.0 | No patched version published |
| quill@2.0.3 | No patched version published |
| dompurify@2.5.9 (via @toast-ui/editor) | toast-ui bundles its own old dompurify; no remediation path |
| dompurify CVE-2026-0540 | No patch available yet |
| codemirror ReDoS | Requires full CM6 migration (separate effort) |

Testing

Run yarn install in openmetadata-ui/src/main/resources/ui to regenerate the lock file, then verify yarn build succeeds.

Type of change:

  • Bug fix
  • Improvement
  • New feature
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation

Checklist:

  • I have read the CONTRIBUTING document.
  • My PR title is Fixes <issue-number>: <short explanation>
  • I have commented on my code, particularly in hard-to-understand areas.
  • For JSON Schema changes: I updated the migration scripts or explained why it is not needed.
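An added check, not part of this PR or the OpenMetadata code base: a small Node script that parses a yarn v1 lockfile and confirms every entry for a package listed in `resolutions` is locked to the pinned version, so a transitive copy that escaped the override is flagged rather than assumed fixed. The lock excerpt it reads is constructed for illustration; the five pins are the ones from the table above.

```javascript
// Added example (not the PR's or OpenMetadata's code): audit a yarn v1 lockfile
// against the package.json `resolutions` map to confirm a forced version replaced
// every transitive copy of the package, not only the direct dependency.
// Exact pins this PR adds or updates in openmetadata-ui's package.json.
const RESOLUTIONS = {
  dompurify: "3.2.7",
  immutable: "4.3.8",
  "prosemirror-model": "1.22.1",
  "@babel/runtime": "7.26.10",
  "@tootallnate/once": "3.0.1",
};
// Constructed yarn.lock excerpt (not the project's lockfile). The last entry is a
// transitive range still locked to a vulnerable release: the case to catch.
const SAMPLE_LOCK = `
"@babel/runtime@7.26.10", "@babel/runtime@^7.20.0":
  version "7.26.10"
immutable@4.3.8:
  version "4.3.8"
immutable@^4.0.0:
  version "4.3.0"
`;

// Parse yarn v1 lock entries into { names: Set<string>, version }.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split("\n").map((l) => l.trimEnd())) {
    if (!line || line.startsWith("#")) continue;
    if (!/^\s/.test(line) && line.endsWith(":")) {
      // Header: comma-separated specifiers (quoted when scoped); name = text before last "@".
      const specs = line.slice(0, -1).split(",").map((s) => s.trim().replace(/^"|"$/g, ""));
      current = { names: new Set(specs.map((s) => s.slice(0, s.lastIndexOf("@")))), version: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version "([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Entries whose package has a resolution but is locked to a different version,
// i.e. places where the override did not take effect.
function findUnresolved(lockText, resolutions) {
  return parseYarnLock(lockText).flatMap((e) =>
    [...e.names]
      .filter((n) => resolutions[n] !== undefined && resolutions[n] !== e.version)
      .map((n) => ({ name: n, locked: e.version, pinned: resolutions[n] })));
}
```

Running `findUnresolved` against the real `yarn.lock` after `yarn install` should return an empty list; any entry it reports is a package that still needs its own resolution or a fixed upstream range.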

gitar-bot commented Mar 6, 2026

🔍 CI failure analysis for da89d76: Both failing CI jobs show pre-existing Playwright test flakiness (timeouts, element visibility issues) unrelated to the dependency version bumps in this PR.

Issue

Two playwright-ci-postgresql jobs have reported failures. None are related to the dompurify, immutable, prosemirror-model, @babel/runtime, or @tootallnate/once version changes in this PR.

Root Cause

These are pre-existing UI test instability issues in the Playwright suite across both runs.


Job playwright-ci-postgresql (4, 6) — previous run:

Deterministic Failures (2):

  1. Entity.spec.ts:2137 (Table › Set & update column-level custom property): Test timeout of 180000ms exceeded waiting for .column-detail-panel-container [data-testid="custom-properties-tab"] to render.

  2. Entity.spec.ts:440 (ML Model › Tag Add, Update and Remove for child entities): expect(locator).toBeHidden() failed; tag PersonalData.SpecialCategory remained visible when it should have been removed.

Flaky Tests (3):

  1. PersonaFlow.spec.ts:498 — Persona ID mismatch: non-deterministic test data causes intermittent assertion failure.

  2. Customproperties-part2.spec.ts:187: page.waitForResponse timeout of 180000ms; intermittent backend delay.

  3. Domains.spec.ts:2622 — Domain rename: getByTestId('entity-header-name') not found after rename; operation did not complete in time.


Job playwright-ci-postgresql (6, 6) — current run:

Deterministic Failures (2):

  1. Pages › Lineage › Verify table search with special characters as handled: expect(locator).toBeVisible() failed; element not found within 5000ms timeout.

  2. Pages › Tag › Tag Page with Limited EditTag Permission › Add and Remove Assets and Check Restricted Entity: page.goto timeout of 60000ms exceeded in beforeAll hook (server unreachable during setup).

Flaky Test (1):

  1. Pages › HyperlinkCustomProperty › Hyperlink Custom Property Tests › should accept valid http and https URLs: locator.scrollIntoViewIfNeeded timeout of 60000ms exceeded.

598 of 609 tests passed (98.2%). 8 skipped.

Details

All failures are timing/element-visibility/server-connectivity issues in the existing test suite that recur across CI runs independent of code changes. The two different shard runs show different flaky tests, confirming non-deterministic infrastructure issues. No failure references or shows symptoms attributable to the package version bumps in this PR.

Code Review ✅ Approved

Snyk vulnerability fixes for the UI dependencies. No issues found.


github-actions bot commented Mar 6, 2026

Jest test Coverage

UI tests summary

| Lines | Statements | Branches | Functions |
| --- | --- | --- | --- |
| 65% | 66% (57263/86750) | 45.63% (30192/66154) | 48.41% (9066/18725) |

sonarqubecloud bot commented Mar 6, 2026

@chirag-madlani chirag-madlani merged commit 04448a5 into main Mar 6, 2026
40 of 52 checks passed
@chirag-madlani chirag-madlani deleted the fix-synk-vulnerabilities branch March 6, 2026 11:21
github-actions bot commented Mar 6, 2026

Changes have been cherry-picked to the 1.12.2 branch.

github-actions bot pushed a commit that referenced this pull request Mar 6, 2026
(cherry picked from commit 04448a5)

Labels

  • safe to test (Add this label to run secure Github workflows on PRs)
  • To release (Will cherry-pick this PR into the release branch)
  • UI (UI specific issues)
