Conversation

@karanh37 (Contributor)

Summary

  • Bump lodash direct dependency from ^4.17.21 to ^4.17.23 to patch a prototype pollution vulnerability in _.unset and _.omit
  • Add "lodash": ">=4.17.23" to yarn resolutions to force all 9 transitive dependents (@ant-design/icons, @auth0/auth0-react, @deuex-solutions/react-tour, @react-awesome-query-builder/antd, @rjsf/utils, @testing-library/jest-dom, antd, rapidoc, recharts) to use the patched version

Test plan

  • Verify yarn.lock resolves lodash to 4.17.23
  • Run yarn install successfully
  • Run frontend unit tests (yarn test)
  • Run frontend build (yarn build)
  • Smoke test the UI to confirm no regressions from the lodash bump

🤖 Generated with Claude Code

Bump lodash from 4.17.21 to 4.17.23 to patch prototype pollution
in _.unset and _.omit. Add yarn resolution to force all transitive
dependents to use the patched version.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
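The first item of the test plan above ("Verify yarn.lock resolves lodash to 4.17.23") is the check that actually proves the resolution took effect, since a `resolutions` entry in package.json only matters once the lockfile has been regenerated. The script below is an added example, not part of this PR or the project's own tooling: it parses a yarn classic (v1) lockfile, reports every `lodash` entry that still resolves below the patched floor, and checks that package.json carries both the bumped direct range and the `resolutions` override. The lockfile and package.json snippets it runs on are constructed here to show a patched and an unpatched state; they are not copied from the repository.

```javascript
// Added example: verify a yarn v1 lockfile and package.json enforce the
// patched lodash floor. Sample inputs below are constructed, not the project's.

const PATCHED_FLOOR = '4.17.23';

// Compare two "x.y.z" versions numerically (prerelease tags are not handled).
function compareSemver(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Lowest version a simple range (^x.y.z, ~x.y.z, >=x.y.z or bare x.y.z) admits.
function rangeFloor(range) {
  return (range || '').replace(/^[\^~>=\s]+/, '').trim();
}

// Parse a yarn classic lockfile into [{ name, ranges, version }].
// Entry headers are unindented and end with ':', e.g.
//   "lodash@^4.17.21", "lodash@>=4.17.23":
// and are followed by an indented  version "4.17.23"  line.
function parseYarnLockV1(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ') && line.endsWith(':')) {
      const specs = line.slice(0, -1).split(',')
        .map(s => s.trim().replace(/^"|"$/g, ''));
      // Name is everything before the last '@', so "@scope/name@range" works.
      const name = specs[0].slice(0, specs[0].lastIndexOf('@'));
      const ranges = specs.map(s => s.slice(s.lastIndexOf('@') + 1));
      current = { name, ranges, version: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version\s+"([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Lodash lockfile entries resolving below the floor (an empty list means OK).
function findUnpatchedLodash(lockText, floor = PATCHED_FLOOR) {
  return parseYarnLockV1(lockText)
    .filter(e => e.name === 'lodash')
    .filter(e => e.version === null || compareSemver(e.version, floor) < 0)
    .map(e => ({ ranges: e.ranges, version: e.version }));
}

// Problems with package.json: the direct range and the resolutions override
// must both admit nothing older than the floor.
function checkPackageJson(pkg, floor = PATCHED_FLOOR) {
  const problems = [];
  const direct = rangeFloor((pkg.dependencies || {}).lodash);
  if (!direct || compareSemver(direct, floor) < 0) {
    problems.push(`dependencies.lodash floor is ${direct || 'missing'}, need >= ${floor}`);
  }
  const override = rangeFloor((pkg.resolutions || {}).lodash);
  if (!override || compareSemver(override, floor) < 0) {
    problems.push(`resolutions.lodash floor is ${override || 'missing'}, need >= ${floor}`);
  }
  return problems;
}

// Constructed "before" lockfile: a transitive dependent still pulls 4.17.21.
const UNPATCHED_LOCK = `# yarn lockfile v1

"@ant-design/icons@^5.3.0":
  version "5.3.7"
  dependencies:
    lodash "^4.17.21"

lodash-es@^4.17.21:
  version "4.17.21"

lodash@^4.17.21:
  version "4.17.21"
`;

// Constructed "after" lockfile: the resolution collapses every range onto 4.17.23.
const PATCHED_LOCK = `# yarn lockfile v1

"@ant-design/icons@^5.3.0":
  version "5.3.7"
  dependencies:
    lodash "^4.17.21"

lodash-es@^4.17.21:
  version "4.17.21"

"lodash@^4.17.21", "lodash@>=4.17.23":
  version "4.17.23"
`;

// Constructed package.json fragment matching the PR's summary.
const PATCHED_PKG = {
  dependencies: { lodash: '^4.17.23' },
  resolutions: { lodash: '>=4.17.23' },
};

console.log('unpatched lock:', findUnpatchedLodash(UNPATCHED_LOCK));
console.log('patched lock:', findUnpatchedLodash(PATCHED_LOCK));
console.log('package.json problems:', checkPackageJson(PATCHED_PKG));
```

Note that `lodash-es` is deliberately left alone: it is a different package with its own release line, so a `lodash` resolution does not move it. To cross-check the parsed result against what yarn itself resolved, `yarn list --pattern lodash` on the branch should show a single `lodash@4.17.23` entry.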
@gitar-bot

gitar-bot bot commented Jan 27, 2026

🔍 CI failure analysis for 31f3c77: CI failure is unrelated to lodash update - this is a pre-existing flaky test with timing issues in the Playwright E2E suite.

Issue

The Playwright E2E test "GlossaryImportExport.spec.ts:584:7 › Import partial success - some terms pass, some fail" failed with:

Error: expect(locator).toBeVisible() failed
Locator: locator('.rdg-header-row')

Root Cause

This failure is NOT caused by the lodash security update. The test exhibits classic flaky behavior:

  1. Failed twice: Initial run (14.9s) and retry (20.3s) both failed
  2. Timing issue: Test expects data grid header .rdg-header-row to be visible after CSV file upload, but element doesn't appear within timeout
  3. Part of broader flakiness: CI run shows 6 flaky tests total across different features (Glossary, Tags, Users)

Details

Why this is unrelated to lodash 4.17.21 → 4.17.23:

  • Scope: Patch version fixing CVE-2025-13465 in _.unset and _.omit functions (prototype pollution)
  • No breaking changes: Lodash 4.17.23 maintains full backward compatibility
  • Different failure domain: UI element visibility ≠ data manipulation utilities
  • Test pattern: Element not rendering in time is a timing/rendering issue, not a logic bug
  • No code changes: PR only updates dependencies, no functional changes

Test execution summary:

  • ✅ 526 tests passed
  • ❌ 1 test failed (this flaky test)
  • ⚠️ 6 flaky tests (including this one)
  • ⏭️ 22 tests skipped

The test waits 500ms after file upload (line 624) before checking for the grid header, but this timeout appears insufficient in some CI environments.

Code Review ✅ Approved

Clean security patch that correctly bumps lodash to 4.17.23 and uses yarn resolutions to enforce the minimum version across all transitive dependencies. No issues found.


@github-actions (Contributor)

Jest test Coverage

UI tests summary

Coverage: 65%

  • Lines:      65%
  • Statements: 65.8%  (55633/84546)
  • Branches:   44.84% (28707/64015)
  • Functions:  47.68% (8740/18329)

@sonarqubecloud

@karanh37 karanh37 merged commit ec47584 into main Jan 27, 2026
22 of 24 checks passed
@karanh37 karanh37 deleted the fix/lodash-prototype-pollution-cve branch January 27, 2026 15:20
Labels

  • safe to test: Add this label to run secure Github workflows on PRs
  • UI: UI specific issues

3 participants