chore(orchestrator): multiple dependency updates for CVE fixes (#2773) #2812

Merged
lholmquist merged 1 commit into workspace/orchestrator from orchestrator-1.9-multiple-cves
Apr 17, 2026

Conversation

@lholmquist (Member)

manual cherry-pick of PR #2773

  • fix: ran yarn up -R ajv.

fixes https://access.redhat.com/security/cve/cve-2025-69873

  • fix: ran yarn up -R path-to-regexp

fixes https://access.redhat.com/security/cve/CVE-2026-4926

  • fix: ran yarn up -R lodash

fixes: https://access.redhat.com/security/cve/CVE-2026-4800

  • squash: add the changeset

Hey, I just made a Pull Request!

✔️ Checklist

  • A changeset describing the change and affected packages. (more info)
  • Added or Updated documentation
  • Tests for new functionality and regression tests for bug fixes
  • Screenshots attached (for UI changes)

@rhdh-qodo-merge (rhdh-qodo-merge Bot) commented Apr 17, 2026

Code Review by Qodo

🐞 Bugs (1)   📘 Rule violations (0)   📎 Requirement gaps (0)   ⛨ Security (1)
Action required

1. Old lodash still installed 🐞
Description
Bumping direct dependencies to lodash ^4.18.1 does not stop the orchestrator workspace from also
installing lodash 4.17.23 and 2.4.2 via transitive dependencies, leaving older lodash copies in the
dependency tree. This can undermine the intended CVE remediation and keeps multiple lodash versions
in the install.
Code

workspaces/orchestrator/plugins/orchestrator-backend/package.json[86]

+    "lodash": "^4.18.1",
Relevance

⭐⭐ Medium

PR #2773 explicitly notes some ranges still resolve to older lodash; they may accept residual copies
without resolutions.

PR-#2773
PR-#1725

ⓘ Recommendations generated based on similar findings in past PRs

Evidence
The orchestrator yarn.lock shows multiple lodash versions resolved (4.18.1, 4.17.23, and 2.4.2). It
also shows which transitive dependencies constrain lodash to older ranges (e.g., ~4.17.21, ~4.17.15,
~2.4.1), and the workspace root package.json currently has no lodash override in its existing
"resolutions" block.

workspaces/orchestrator/yarn.lock[27865-27884]
workspaces/orchestrator/yarn.lock[26610-26619]
workspaces/orchestrator/yarn.lock[14115-14134]
workspaces/orchestrator/yarn.lock[8447-8461]
workspaces/orchestrator/package.json[52-60]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
Directly bumping lodash in a few packages still allows older lodash versions to be installed due to transitive dependencies that require `~4.17.x` and `~2.4.x`.

### Issue Context
`workspaces/orchestrator/yarn.lock` currently resolves multiple lodash versions, meaning the workspace install is not fully consolidated onto the intended patched lodash version.

### Fix Focus Areas
- Add/adjust a workspace-level Yarn `resolutions` override to force lodash to a single patched version (or upgrade/replace the transitive dependencies that pin lodash to older ranges).
- Re-run the install/update step to ensure `yarn.lock` converges and verify only the desired lodash version remains.

- workspaces/orchestrator/package.json[52-60]
- workspaces/orchestrator/yarn.lock[27865-27884]
- workspaces/orchestrator/yarn.lock[14115-14134]
- workspaces/orchestrator/yarn.lock[8447-8461]
- workspaces/orchestrator/yarn.lock[26610-26619]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

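The finding above comes down to a verifiable property of the lockfile: every descriptor for the package should resolve to one patched version. The following JavaScript is an added example, not code from this PR, the orchestrator repository or the Qodo bot. It parses a Yarn (berry) `yarn.lock`, groups the ranges that request a package by the version they resolved to, flags versions below a required minimum, and drafts `resolutions` overrides for the ranges that can safely be converged (same major as the target); ranges on a different major (the `~2.4.1` case in the review) are reported separately, because forcing them to 4.x would be a breaking change for their dependents and the dependent itself needs upgrading instead. The lockfile text is constructed for illustration, `example-unrelated-pkg` and the checksums are hypothetical, and the per-descriptor key form `lodash@npm:<range>` mirrors the lockfile descriptors and is an assumption about the resolutions pattern syntax accepted by the Yarn version in use.

```javascript
// Added example (not from the PR or the Qodo review): audit a Yarn berry
// lockfile for every version a package resolves to, and draft resolutions
// overrides for the stale ranges that share the target's major version.
// SAMPLE_LOCK is constructed for illustration; it is not the orchestrator's yarn.lock.

const SAMPLE_LOCK = `
# This file is generated by running "yarn install" inside your project.
__metadata:
  version: 8
  cacheKey: 10c0

"lodash@npm:^4.18.1":
  version: 4.18.1
  resolution: "lodash@npm:4.18.1"
  checksum: 10c0/constructed-checksum-a
  languageName: node
  linkType: hard

"lodash@npm:^4.17.21, lodash@npm:~4.17.15, lodash@npm:~4.17.21":
  version: 4.17.23
  resolution: "lodash@npm:4.17.23"
  checksum: 10c0/constructed-checksum-b
  languageName: node
  linkType: hard

"lodash@npm:~2.4.1":
  version: 2.4.2
  resolution: "lodash@npm:2.4.2"
  checksum: 10c0/constructed-checksum-c
  languageName: node
  linkType: hard

"example-unrelated-pkg@npm:^1.0.0":
  version: 1.0.0
  resolution: "example-unrelated-pkg@npm:1.0.0"
  languageName: node
  linkType: hard
`;

// Parse the lockfile into { descriptors: [...], version } entries.
// A block header is an unindented line ending in ':' (quoted when it contains
// special characters); the __metadata block has no '@' and is dropped.
function parseLockfile(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (line.trim() === '' || line.startsWith('#')) continue;
    if (!/^\s/.test(line) && line.endsWith(':')) {
      const header = line.slice(0, -1).replace(/^"|"$/g, '');
      current = { descriptors: header.split(',').map((s) => s.trim()), version: null };
      entries.push(current);
      continue;
    }
    const m = /^\s+version:\s*"?([^"\s]+)"?/.exec(line);
    if (m && current) current.version = m[1];
  }
  return entries.filter((e) => e.descriptors.some((d) => d.includes('@')));
}

// "lodash@npm:^4.17.21" -> { name: "lodash", range: "^4.17.21" }.
// The search starts at index 1 so a scoped name's leading '@' is kept.
function splitDescriptor(desc) {
  const at = desc.indexOf('@', 1);
  const name = desc.slice(0, at);
  let range = desc.slice(at + 1);
  if (range.startsWith('npm:')) range = range.slice(4);
  return { name, range };
}

// Map each resolved version of `pkg` to the ranges that requested it.
function resolvedVersions(lockText, pkg) {
  const byVersion = {};
  for (const entry of parseLockfile(lockText)) {
    for (const desc of entry.descriptors) {
      const { name, range } = splitDescriptor(desc);
      if (name !== pkg || !entry.version) continue;
      if (!byVersion[entry.version]) byVersion[entry.version] = [];
      byVersion[entry.version].push(range);
    }
  }
  return byVersion;
}

// Numeric major.minor.patch comparison; pre-release tags are ignored here.
function versionLessThan(a, b) {
  const pa = a.split('.').map((n) => parseInt(n, 10) || 0);
  const pb = b.split('.').map((n) => parseInt(n, 10) || 0);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Report every resolved version, the stale ones, and whether the install is
// consolidated onto a single version at or above `minVersion`.
function auditPackage(lockText, pkg, minVersion) {
  const byVersion = resolvedVersions(lockText, pkg);
  const versions = Object.keys(byVersion).sort((a, b) =>
    versionLessThan(a, b) ? -1 : versionLessThan(b, a) ? 1 : 0);
  const stale = versions
    .filter((v) => versionLessThan(v, minVersion))
    .map((v) => ({ version: v, ranges: byVersion[v] }));
  return { versions, stale, consolidated: versions.length === 1 && stale.length === 0 };
}

// Draft workspace-level "resolutions" entries for stale ranges on the target's
// major; ranges on another major are listed for a dependent upgrade instead.
function suggestResolutions(lockText, pkg, target) {
  const { stale } = auditPackage(lockText, pkg, target);
  const resolutions = {};
  const needsDependentUpgrade = [];
  const targetMajor = parseInt(target.split('.')[0], 10);
  for (const { version, ranges } of stale) {
    const sameMajor = parseInt(version.split('.')[0], 10) === targetMajor;
    for (const range of ranges) {
      if (sameMajor) resolutions[`${pkg}@npm:${range}`] = target;
      else needsDependentUpgrade.push({ range, resolvedTo: version });
    }
  }
  return { resolutions, needsDependentUpgrade };
}

console.log(JSON.stringify(auditPackage(SAMPLE_LOCK, 'lodash', '4.18.1'), null, 2));
console.log(JSON.stringify(suggestResolutions(SAMPLE_LOCK, 'lodash', '4.18.1'), null, 2));
```

Run against the real lockfile by reading it with `fs.readFileSync` in place of `SAMPLE_LOCK`; after adding the drafted entries to the root `package.json` and re-running the install, `auditPackage` should report `consolidated: true`, which is the convergence check the review asks for. The `~2.4.1` range stays in `needsDependentUpgrade` by design: the right remediation there is to upgrade or replace the dependent that still pins lodash 2.x, not to override it.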

@rhdh-qodo-merge

Review Summary by Qodo

Update lodash dependency for CVE-2026-4800 fix

🐞 Bug fix

Walkthroughs

Description
• Update lodash dependency across orchestrator packages
• Address CVE-2026-4800 security vulnerability
• Downgrade lodash from 4.17.21 to 4.18.1
• Add changeset documenting the security fix
Diagram (mermaid)
flowchart LR
  CVE["CVE-2026-4800<br/>Security Vulnerability"]
  CVE -- "requires fix" --> Lodash["Lodash Dependency<br/>Update"]
  Lodash -- "applied to" --> Backend["orchestrator-backend"]
  Lodash -- "applied to" --> FormReact["orchestrator-form-react"]
  Lodash -- "applied to" --> FormWidgets["orchestrator-form-widgets"]
  Lodash -- "applied to" --> Orchestrator["orchestrator"]
  Backend --> Changeset["Changeset Created"]
  FormReact --> Changeset
  FormWidgets --> Changeset
  Orchestrator --> Changeset
File Changes

1. workspaces/orchestrator/.changeset/nervous-eels-mate.md 📝 Documentation +8/-0

Add changeset for lodash CVE fix

• Created new changeset file documenting the lodash CVE fix
• Marks patch version bump for four orchestrator packages
• References CVE-2026-4800 security vulnerability

workspaces/orchestrator/.changeset/nervous-eels-mate.md


2. workspaces/orchestrator/plugins/orchestrator-backend/package.json 🐞 Bug fix +1/-1

Update lodash dependency version

• Downgrade lodash from ^4.17.21 to ^4.18.1
• Addresses CVE-2026-4800 vulnerability

workspaces/orchestrator/plugins/orchestrator-backend/package.json


3. workspaces/orchestrator/plugins/orchestrator-form-react/package.json 🐞 Bug fix +1/-1

Update lodash dependency version

• Downgrade lodash from ^4.17.21 to ^4.18.1
• Addresses CVE-2026-4800 vulnerability

workspaces/orchestrator/plugins/orchestrator-form-react/package.json


4. workspaces/orchestrator/plugins/orchestrator-form-widgets/package.json 🐞 Bug fix +1/-1

Update lodash dependency version

• Downgrade lodash from ^4.17.21 to ^4.18.1
• Addresses CVE-2026-4800 vulnerability

workspaces/orchestrator/plugins/orchestrator-form-widgets/package.json


5. workspaces/orchestrator/plugins/orchestrator/package.json 🐞 Bug fix +1/-1

Update lodash dependency version

• Downgrade lodash from ^4.17.21 to ^4.18.1
• Addresses CVE-2026-4800 vulnerability

workspaces/orchestrator/plugins/orchestrator/package.json


@lholmquist lholmquist merged commit ba48e23 into workspace/orchestrator Apr 17, 2026
11 checks passed