chore(orchestrator): backporting CVE commits to the workspace/orchestrator for 1.8.6

[lholmquist]

Hey, I just made a Pull Request!

These are 2 cherry picks from PRs #2773 and #2767

✔️ Checklist

• A changeset describing the change and affected packages. (more info)
• Added or Updated documentation
• Tests for new functionality and regression tests for bug fixes
• Screenshots attached (for UI changes)

[rhdh-qodo-merge]

Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (0)

Great, no issues found!

Qodo reviewed your code and found no material issues that require review

ⓘ The new review experience is currently in Beta. Learn more

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[rhdh-qodo-merge]

Review Summary by Qodo

Security: Backport CVE fixes for orchestrator 1.8.6 release

🐞 Bug fix

Walkthroughs

Description

• Update axios from 1.11.0 to 1.15.0 to fix CVE-2026-40175
• Update lodash from 4.17.21 to 4.18.1 to fix CVE-2026-4800
• Update ajv and path-to-regexp dependencies for CVE fixes
• Add changesets documenting security vulnerability patches

Diagram

flowchart LR
  CVE["CVE Vulnerabilities<br/>axios, lodash, ajv,<br/>path-to-regexp"]
  UPDATE["Dependency Updates<br/>to patched versions"]
  PACKAGES["Orchestrator Packages<br/>backend, common,<br/>form-react, form-widgets"]
  CHANGESET["Changesets Created<br/>for release tracking"]
  CVE -- "fix" --> UPDATE
  UPDATE -- "applied to" --> PACKAGES
  UPDATE -- "documented in" --> CHANGESET

Loading

File Changes

1. workspaces/orchestrator/.changeset/lucky-cars-study.md 📝 Documentation +7/-0

Add changeset for axios CVE fix

workspaces/orchestrator/.changeset/lucky-cars-study.md

---

2. workspaces/orchestrator/.changeset/nervous-eels-mate.md 📝 Documentation +8/-0

Add changeset for lodash CVE fix

workspaces/orchestrator/.changeset/nervous-eels-mate.md

---

3. workspaces/orchestrator/plugins/orchestrator-backend/package.json Dependencies +1/-1

Update lodash dependency to 4.18.1

workspaces/orchestrator/plugins/orchestrator-backend/package.json

---

View more (6)

4. workspaces/orchestrator/plugins/orchestrator-common/package.json Dependencies +1/-1

Update axios dependency to 1.15.0

workspaces/orchestrator/plugins/orchestrator-common/package.json

---

5. workspaces/orchestrator/plugins/orchestrator-common/report.api.md Dependencies +13/-13

Update AxiosResponse type signatures for axios

workspaces/orchestrator/plugins/orchestrator-common/report.api.md

---

6. workspaces/orchestrator/plugins/orchestrator-form-react/package.json Dependencies +1/-1

Update lodash dependency to 4.18.1

workspaces/orchestrator/plugins/orchestrator-form-react/package.json

---

7. workspaces/orchestrator/plugins/orchestrator-form-widgets/package.json Dependencies +1/-1

Update lodash dependency to 4.18.1

workspaces/orchestrator/plugins/orchestrator-form-widgets/package.json

---

8. workspaces/orchestrator/plugins/orchestrator/package.json Dependencies +2/-2

Update axios and lodash dependencies

workspaces/orchestrator/plugins/orchestrator/package.json

---

9. workspaces/orchestrator/plugins/scaffolder-backend-module-orchestrator/package.json Dependencies +1/-1

Update axios dependency to 1.15.0

workspaces/orchestrator/plugins/scaffolder-backend-module-orchestrator/package.json

---