Skip to content

fix(security): patch minimatch ReDoS and DOMPurify XSS vulnerabilities #26334

Merged
chirag-madlani merged 2 commits into main from fix-vulner on Mar 9, 2026

Conversation


@harsh-vador harsh-vador commented Mar 9, 2026

Describe your changes:

Fixes:

Summary

Addresses two Dependabot security advisories by upgrading vulnerable transitive dependencies via yarn resolutions.

CVE fixes

minimatch ReDoS (openmetadata-ui-core-components)

  • Affected: minimatch >= 10.0.0, < 10.2.3 (introduced via vite-plugin-dts)
  • Fixed: bumped to 10.2.3 via resolutions["vite-plugin-dts/minimatch"]

DOMPurify XSS (openmetadata-ui)

  • Affected: dompurify >= 3.1.3, <= 3.3.1 (introduced via @toast-ui/react-editor)
  • Fixed: bumped to 3.3.2 via resolutions["dompurify"]

Changes

  • openmetadata-ui-core-components/.../yarn.lock — minimatch 10.2.1 → 10.2.3
  • openmetadata-ui/.../package.json — dompurify resolution 3.2.7 → 3.3.2
  • openmetadata-ui/.../yarn.lock — dompurify 3.2.7 → 3.3.2

Type of change:

  • Bug fix
  • Improvement
  • New feature
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation

Checklist:

  • I have read the CONTRIBUTING document.
  • My PR title is Fixes <issue-number>: <short explanation>
  • I have commented on my code, particularly in hard-to-understand areas.
  • For JSON Schema changes: I updated the migration scripts or explained why it is not needed.
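As an added example (not code from the PR or from OpenMetadata), a yarn v1 lockfile check that flags any resolved minimatch or dompurify version falling inside the advisory ranges listed above; it is the check a reviewer would run over every lockfile in the tree to confirm that a resolutions entry actually took effect. The lock text is constructed, and prerelease version suffixes are not handled.

```javascript
// Added example, not code from the PR or OpenMetadata: scan a yarn v1 lockfile
// for resolved versions inside the advisory ranges quoted in the PR description.
const ADVISORIES = [
  { pkg: 'minimatch', min: '10.0.0', max: '10.2.3', maxIncl: false, note: 'ReDoS' },
  { pkg: 'dompurify', min: '3.1.3', max: '3.3.1', maxIncl: true, note: 'XSS' },
];
// Numeric x.y.z comparison; prerelease suffixes are out of scope (assumption).
function cmp(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  return 0;
}
// Lower bound is inclusive for both advisories; the upper bound differs (< vs <=).
function inRange(v, a) {
  return cmp(v, a.min) >= 0 && (a.maxIncl ? cmp(v, a.max) <= 0 : cmp(v, a.max) < 0);
}
// yarn v1 format: an unindented "spec, spec:" header line, then indented fields.
function parseYarnLock(text) {
  const entries = []; let cur = null;
  for (const line of text.split('\n')) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!/^\s/.test(line) && line.endsWith(':')) {
      const specs = line.slice(0, -1).split(',').map((s) => s.trim().replace(/^"|"$/g, ''));
      entries.push((cur = { specs, version: null }));
    } else if (cur) {
      const m = line.match(/^\s+version\s+"([^"]+)"/);
      if (m) cur.version = m[1];
    }
  }
  return entries;
}
// "@scope/name@^1.2.3" -> "@scope/name"; "minimatch@*" -> "minimatch"
const pkgName = (spec) => (spec.lastIndexOf('@') > 0 ? spec.slice(0, spec.lastIndexOf('@')) : spec);
// One finding per lock entry whose resolved version lies in an advisory range.
function findVulnerable(lockText) {
  const hits = [];
  for (const e of parseYarnLock(lockText)) {
    if (!e.version) continue;
    const name = pkgName(e.specs[0]);
    for (const a of ADVISORIES) if (a.pkg === name && inRange(e.version, a)) hits.push({ pkg: name, version: e.version, specs: e.specs, note: a.note });
  }
  return hits;
}
// Constructed sample lock text: minimatch already pinned to 10.2.3 (safe), dompurify still 3.2.7 (affected).
const SAMPLE_LOCK = `
"minimatch@*", minimatch@^10.0.0:
  version "10.2.3"
dompurify@^3.0.5, dompurify@^3.2.7:
  version "3.2.7"
`;
console.log(findVulnerable(SAMPLE_LOCK)); // one finding: dompurify 3.2.7 (XSS)
```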


gitar-bot Bot commented Mar 9, 2026

🔍 CI failure analysis for 1956013: Playwright E2E tests are timing out and failing with browser context closure errors after UI dependency updates (minimatch and DOMPurify security patches). 1 test failure + 1 flaky test caused by dependency compatibility issues or timing changes.

Overview

Analyzed 7 CI logs across 6 error templates. The PR introduces security patches to minimatch and DOMPurify by updating dependencies in yarn.lock and package.json. This has triggered Playwright E2E test failures during the ingestion test suite, with 1 confirmed test failure and 1 flaky test exhibiting browser context lifecycle issues.

Failures

Playwright E2E Test Timeouts & Browser Context Closure (confidence: medium)

  • Type: flaky_test
  • Affected jobs: Ingestion test suite (playwright), shard 2
  • Related to PR: yes
  • Root cause: PR dependency updates (minimatch, DOMPurify patches via yarn.lock changes) appear to have introduced timing or version incompatibilities with Playwright. Tests fail with "Target page, context or browser has been closed" errors when waiting for page responses. Specifically:
    • Large Table Column Search & Copy Link test times out at 60s while waiting for keyProfileMetricsResponse at Table.spec.ts:736
    • Domains Widget test is flaky, timing out at 180s while waiting for locator visibility at CustomizeWidgets.spec.ts:548

Both errors indicate premature page/context cleanup or browser lifecycle management disruption.

  • Suggested fix:
    1. Verify Playwright version compatibility with the updated dependency versions in yarn.lock
    2. Check if yarn.lock changes included indirect Playwright dependencies that may have shifted async timing behavior
    3. Review test timeout settings—may need temporary increase to accommodate new dependency behavior
    4. Investigate whether page/context cleanup hooks are firing earlier than expected in the test lifecycle
    5. If Playwright was indirectly upgraded, consider pinning its version to maintain test stability
    6. Run tests locally to determine if issue reproduces or is environment-specific

Infrastructure/Build Setup (confidence: low)

  • Type: infrastructure
  • Affected jobs: General CI setup (dependency resolution, Maven builds)
  • Related to PR: no
  • Root cause: Pre-existing CI infrastructure behavior. Maven cache restored successfully, Python dependencies installed, Docker containers initialized normally. No blocker to PR validation.
  • Suggested fix: No action needed; this is normal CI operation.

Summary

  • PR-related failures: 2 (1 confirmed test failure + 1 flaky test in Playwright E2E suite caused by UI dependency updates)
  • Infrastructure/flaky failures: Narrow to Playwright browser lifecycle issues; remainder of CI pipeline (Maven, Python, Docker setup) healthy
  • Recommended action: Investigate Playwright version pinning or test timeout adjustment in relation to the minimatch/DOMPurify security patch dependencies. Consider reverting yarn.lock changes, running Playwright tests in isolation to confirm the root cause, or updating test retry/timeout logic to accommodate potential async timing shifts from the new dependency versions.
Code Review: ✅ Approved, 1 finding (1 resolved)

Security patch addresses minimatch ReDoS (CVE-2022-3517) and DOMPurify XSS vulnerabilities by updating dependencies in the UI lockfile. No issues found.

✅ 1 resolved
Security: minimatch 3.1.4 (CVE-2022-3517) still present in main UI lockfile

Files: openmetadata-ui/src/main/resources/ui/package.json:256, openmetadata-ui/src/main/resources/ui/yarn.lock
The PR title claims to patch the minimatch ReDoS vulnerability, and the core-components lockfile correctly bumps minimatch from 10.2.1 → 10.2.3. However, the main UI yarn.lock still resolves minimatch@*, minimatch@3.1.4, and several semver ranges to version 3.1.4, which is affected by CVE-2022-3517 (ReDoS via braceExpand). This version was not updated by this PR.

To fix this, add a minimatch entry to the resolutions block in package.json (e.g., "minimatch": ">=3.0.5") or pin it to a patched version like 3.1.5+ to force the lockfile to resolve a safe version.



github-actions Bot commented Mar 9, 2026

Jest test Coverage

UI tests summary

Lines    Statements               Branches                 Functions
65%      65.98% (57311/86849)     45.68% (30240/66187)     48.44% (9073/18728)


sonarqubecloud Bot commented Mar 9, 2026

@harsh-vador harsh-vador enabled auto-merge (squash) March 9, 2026 09:22
@chirag-madlani chirag-madlani disabled auto-merge March 9, 2026 12:56
@chirag-madlani chirag-madlani merged commit af66458 into main Mar 9, 2026
29 of 36 checks passed
@chirag-madlani chirag-madlani deleted the fix-vulner branch March 9, 2026 12:56

github-actions Bot commented Mar 9, 2026

Failed to cherry-pick changes to the 1.12.2 branch.
Please cherry-pick the changes manually.
You can find more details here.

harsh-vador added a commit that referenced this pull request Mar 16, 2026
#26334)

* fix(security): patch minimatch ReDoS and DOMPurify XSS vulnerabilities

* address gitar

(cherry picked from commit af66458)
