
chore(orchestrator): multiple dependency updates for CVE fixes (#2773) #2779

Merged
lholmquist merged 1 commit into redhat-developer:orchestrator-1.8 from lholmquist:backport-orchestrator-2773 on Apr 15, 2026

Conversation

@lholmquist
Member

manual cherry pick of #2773

  • fix: ran yarn up -R ajv.

fixes https://access.redhat.com/security/cve/cve-2025-69873

  • fix: ran yarn up -R path-to-regexp

fixes https://access.redhat.com/security/cve/CVE-2026-4926

  • fix: ran yarn up -R lodash

fixes: https://access.redhat.com/security/cve/CVE-2026-4800

  • squash: add the changeset

Hey, I just made a Pull Request!

✔️ Checklist

  • A changeset describing the change and affected packages. (more info)
  • Added or Updated documentation
  • Tests for new functionality and regression tests for bug fixes
  • Screenshots attached (for UI changes)

@rhdh-qodo-merge

rhdh-qodo-merge Bot commented Apr 15, 2026

Code Review by Qodo

🐞 Bugs (1)   📘 Rule violations (0)   📎 Requirement gaps (0)
⛨ Security (1)

Action required

1. Old lodash still resolved 🐞
Description
Although the PR bumps direct lodash ranges to ^4.18.1, the orchestrator workspace still resolves
lodash@4.17.23 because transitive dependencies require lodash ~4.17.21, so installs will still
include lodash <4.18.1. This undermines the changeset’s stated goal of updating lodash for CVE
fixes.
Code

workspaces/orchestrator/plugins/orchestrator-backend/package.json[87]

+    "lodash": "^4.18.1",
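Review bot: The caret bump on this line only moves the direct range; the entries that request `~4.17.21` (the `@stoplight/spectral-*` packages cited in the evidence below) still resolve separately to 4.17.23, so this hunk alone does not remove the older lodash copy from the install. Either move those packages to versions whose range admits 4.18.1, or add a `resolutions` entry for lodash in workspaces/orchestrator/package.json, and then confirm with `yarn why lodash` that a single version remains.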
Evidence
yarn.lock contains two distinct lodash resolutions: one to 4.18.1 for caret ranges and another to
4.17.23 for tilde ranges; the tilde range is forced by transitive deps (e.g., @stoplight/spectral-*)
that explicitly require ~4.17.21, which cannot be satisfied by 4.18.1.

workspaces/orchestrator/.changeset/nervous-eels-mate.md[1-8]
workspaces/orchestrator/yarn.lock[26378-26395]
workspaces/orchestrator/yarn.lock[12650-12675]
workspaces/orchestrator/yarn.lock[12712-12727]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The PR updates direct dependencies to `lodash: ^4.18.1`, but `yarn.lock` still pins `lodash@4.17.23` for transitive dependencies that require `~4.17.21`, leaving a <4.18.1 lodash copy in the install.

### Issue Context
This PR’s changeset message states it is “updating lodash for cve fixes”, so leaving an older lodash in the dependency tree likely defeats the purpose.

### Fix Focus Areas
- workspaces/orchestrator/yarn.lock[26378-26395]
- workspaces/orchestrator/yarn.lock[12650-12675]
- workspaces/orchestrator/yarn.lock[12712-12727]
- workspaces/orchestrator/package.json[52-57]

### Suggested fix
1. Identify the transitive deps that pin `lodash` to `~4.17.21` (e.g., the @stoplight packages shown in `yarn.lock`) and upgrade them to versions that allow `lodash >= 4.18.1`.
2. If upgrades are not feasible, add a Yarn `resolutions` override at `workspaces/orchestrator/package.json` to force `lodash` to `4.18.1` across the workspace, then run `yarn install` to regenerate `yarn.lock`.
3. Verify `yarn.lock` no longer contains a `lodash@npm:~4.17.*` entry and only resolves to `4.18.1`.

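Steps 1 and 3 of the suggested fix can be checked mechanically against the lockfile rather than by eye. The script below is an added example, not code from this PR, the repository or the Qodo bot: it parses a Yarn Berry style yarn.lock, lists every distinct resolution of one package, flags any below a minimum version, and names the locked entries whose ranges force the flagged resolution. The lockfile text is constructed for illustration; the `orchestrator-backend` workspace entry and the `@stoplight/spectral-core` version in it are assumptions, not taken from the real lockfile.

```javascript
// Added example (not from the PR or the review bot): audit a Yarn Berry
// yarn.lock for stale resolutions of one package and say who pins them.
// The lockfile below is constructed; the workspace entry name and the
// spectral-core version are illustrative only.
const SAMPLE_LOCK = `
"@stoplight/spectral-core@npm:^1.16.0":
  version: 1.16.0
  resolution: "@stoplight/spectral-core@npm:1.16.0"
  dependencies:
    lodash: "npm:~4.17.21"
  languageName: node
  linkType: hard

"lodash@npm:^4.18.1":
  version: 4.18.1
  resolution: "lodash@npm:4.18.1"
  languageName: node
  linkType: hard

"lodash@npm:~4.17.21":
  version: 4.17.23
  resolution: "lodash@npm:4.17.23"
  languageName: node
  linkType: hard

"orchestrator-backend@workspace:plugins/orchestrator-backend":
  version: 0.0.0-use.local
  resolution: "orchestrator-backend@workspace:plugins/orchestrator-backend"
  dependencies:
    lodash: "npm:^4.18.1"
  languageName: unknown
  linkType: soft
`;

const stripQuotes = (s) => s.replace(/^"(.*)"$/, '$1');

// Minimal parser for the Yarn Berry lockfile layout: a top-level line of
// comma-separated descriptors ending in ':', two-space indented keys, and the
// entry's own dependencies four spaces deep under 'dependencies:'.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  let inDeps = false;
  for (const raw of text.split('\n')) {
    if (raw.trim() === '' || raw.startsWith('#')) continue;
    const indent = raw.length - raw.trimStart().length;
    const line = raw.trim();
    if (indent === 0) {
      const header = stripQuotes(line.replace(/:$/, ''));
      current = { descriptors: header.split(', '), version: null, resolution: null, dependencies: {} };
      entries.push(current);
      inDeps = false;
    } else if (indent === 2 && current) {
      const m = line.match(/^"?([^"\s:]+)"?:\s*(.*)$/);
      if (!m) continue;
      inDeps = m[1] === 'dependencies';
      if (m[1] === 'version') current.version = stripQuotes(m[2]);
      if (m[1] === 'resolution') current.resolution = stripQuotes(m[2]);
    } else if (indent === 4 && current && inDeps) {
      const m = line.match(/^"?([^"\s:]+)"?:\s*(.*)$/);
      if (m) current.dependencies[m[1]] = stripQuotes(m[2]);
    }
  }
  return entries;
}

// Numeric x.y.z comparison; a prerelease suffix is truncated by parseInt.
function compareVersions(a, b) {
  const pa = a.split('.'), pb = b.split('.');
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (parseInt(pa[i], 10) || 0) - (parseInt(pb[i], 10) || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every locked entry that belongs to `name`: the version it resolves to,
// whether that meets `minVersion`, and which other entries request it
// through one of its descriptors (i.e. who pinned the range).
function auditPackage(entries, name, minVersion) {
  const resolutions = [];
  for (const e of entries) {
    const ranges = e.descriptors.filter((d) => d.startsWith(name + '@'));
    if (ranges.length === 0 || !e.version) continue;
    const dependents = entries
      .filter((d) => d !== e && d.dependencies[name] && ranges.includes(name + '@' + d.dependencies[name]))
      .map((d) => d.resolution);
    resolutions.push({ ranges, version: e.version, ok: compareVersions(e.version, minVersion) >= 0, dependents });
  }
  return { resolutions, clean: resolutions.length > 0 && resolutions.every((r) => r.ok) };
}

// The `resolutions` stanza for the workspace package.json when a stale copy
// cannot be removed by upgrading its dependents; a bare package name as the
// key overrides every range for that package.
function resolutionsOverride(audit, name, minVersion) {
  return audit.clean ? {} : { resolutions: { [name]: minVersion } };
}

const audit = auditPackage(parseYarnLock(SAMPLE_LOCK), 'lodash', '4.18.1');
for (const r of audit.resolutions) {
  console.log(`${r.ok ? 'ok ' : 'BAD'} lodash ${r.version} <- ${r.ranges.join(', ')} requested by ${r.dependents.join(', ') || '(nobody)'}`);
}
console.log(JSON.stringify(resolutionsOverride(audit, 'lodash', '4.18.1')));
```

To run it against the real file, read `workspaces/orchestrator/yarn.lock` with `fs.readFileSync(path, 'utf8')` in place of `SAMPLE_LOCK`; `yarn why lodash` reports the same dependents from the installed tree. The override route forces 4.18.1 onto packages that declared `~4.17.21`, which is their compatibility claim, so their test suites are worth running after `yarn install` regenerates the lockfile.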


@rhdh-qodo-merge

Review Summary by Qodo

Update lodash dependency for CVE-2026-4800 security fix

🐞 Bug fix


Walkthroughs

Description
• Update lodash dependency across orchestrator packages
• Address CVE-2026-4800 security vulnerability
• Downgrade lodash from 4.17.21 to 4.18.1 in four packages
• Add changeset documenting the security fix
Diagram
flowchart LR
  CVE["CVE-2026-4800<br/>Security Vulnerability"]
  CVE -- "fix via<br/>lodash update" --> Backend["orchestrator-backend<br/>package.json"]
  CVE -- "fix via<br/>lodash update" --> FormReact["orchestrator-form-react<br/>package.json"]
  CVE -- "fix via<br/>lodash update" --> FormWidgets["orchestrator-form-widgets<br/>package.json"]
  CVE -- "fix via<br/>lodash update" --> Orchestrator["orchestrator<br/>package.json"]
  Backend --> Changeset["Changeset:<br/>nervous-eels-mate.md"]
  FormReact --> Changeset
  FormWidgets --> Changeset
  Orchestrator --> Changeset


File Changes

1. workspaces/orchestrator/.changeset/nervous-eels-mate.md 📝 Documentation +8/-0

Add changeset for lodash CVE fix

• Create new changeset file documenting the lodash security fix
• Mark patch version updates for four orchestrator packages
• Reference CVE-2026-4800 vulnerability fix

2. workspaces/orchestrator/plugins/orchestrator-backend/package.json Dependencies +1/-1

Update lodash dependency version

• Downgrade lodash from ^4.17.21 to ^4.18.1
• Address CVE-2026-4800 security vulnerability

3. workspaces/orchestrator/plugins/orchestrator-form-react/package.json Dependencies +1/-1

Update lodash dependency version

• Downgrade lodash from ^4.17.21 to ^4.18.1
• Address CVE-2026-4800 security vulnerability

4. workspaces/orchestrator/plugins/orchestrator-form-widgets/package.json Dependencies +1/-1

Update lodash dependency version

• Downgrade lodash from ^4.17.21 to ^4.18.1
• Address CVE-2026-4800 security vulnerability

5. workspaces/orchestrator/plugins/orchestrator/package.json Dependencies +1/-1

Update lodash dependency version

• Downgrade lodash from ^4.17.21 to ^4.18.1
• Address CVE-2026-4800 security vulnerability


@rhdh-qodo-merge rhdh-qodo-merge Bot added labels enhancement (New feature or request) and Bug fix, Apr 15, 2026
@lholmquist lholmquist merged commit 7746f1f into redhat-developer:orchestrator-1.8 Apr 15, 2026
9 checks passed
@lholmquist lholmquist deleted the backport-orchestrator-2773 branch April 15, 2026 17:08
lholmquist added a commit that referenced this pull request Apr 16, 2026
…rator for 1.8.6 (#2797)

* fix(orchestrator): update axios dependencies (#2767) (#2777)

* fix(orchestrator): update axios dependencies (#2767)

* chore(orchestator): multiple dependency updates for CVE fixes (#2773) (#2779)

* fix: ran yarn up -R ajv.

fixes https://access.redhat.com/security/cve/cve-2025-69873

* fix: ran yarn up -R path-to-regexp

fixes https://access.redhat.com/security/cve/CVE-2026-4926

* fix: ran yarn up -R lodash

fixes: https://access.redhat.com/security/cve/CVE-2026-4800

* squash: add the changeset