chore(deps): Remediate CVEs for Orchestrator#2959

Merged
kim-tsao merged 7 commits into redhat-developer:main from kim-tsao:fix_orchestrator_cves
Apr 29, 2026
Conversation

@kim-tsao
Member

@kim-tsao kim-tsao commented Apr 29, 2026

Hey, I just made a Pull Request!

Fixes: https://redhat.atlassian.net/browse/RHIDP-13297

  • Update @backstage-community/plugin-rbac dependency to update jsonpath-plus (dev time dependency but app-legacy should rely on current versions). This introduces a conflict with mui as noted by Qodo review
  • Update fast-xml-parser to v4.5.6+
  • Update multer to 2.1.1
  • Update minimatch to 3.1.5, 5.1.9, 7.4.9, 9.0.9
  • Update @xmldom/xmldom to 0.8.13
  • Update jsonpath to 1.3.0
  • Update undici to 7.25.0
  • Update follow-redirects to 1.16.0

✔️ Checklist

  • A changeset describing the change and affected packages. (more info)
  • Added or Updated documentation
  • Tests for new functionality and regression tests for bug fixes
  • Screenshots attached (for UI changes)

@rhdh-qodo-merge

rhdh-qodo-merge Bot commented Apr 29, 2026

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0)

Remediation recommended

1. Duplicate MUI major versions 🐞 Bug ➹ Performance
Description
Updating @backstage-community/plugin-rbac pulls @mui/styles@6.x while app-legacy is pinned to
@mui/styles 5.18.0, so the dependency graph contains both MUI v5 and v6 theming/styling stacks. This
increases install/bundle surface area and makes MUI theming/styling behavior harder to keep
consistent across the app and plugins.
Code

workspaces/orchestrator/packages/app-legacy/package.json[22]

+    "@backstage-community/plugin-rbac": "^1.52.1",
Relevance

⭐⭐ Medium

Similar “avoid two major versions installed” was partially accepted (PR #2672), but lockfile
duplicates/dedupe was rejected (PR #2547).


ⓘ Recommendations generated based on similar findings in past PRs

Evidence
app-legacy directly depends on @mui/styles 5.18.0, while the updated plugin-rbac resolves to a
version that depends on @mui/styles ^6.1.7, and the lockfile confirms both @mui/styles v5 and v6
(and corresponding theming internals) are present in the workspace dependency graph.

workspaces/orchestrator/packages/app-legacy/package.json[49-56]
workspaces/orchestrator/yarn.lock[2586-2616]
workspaces/orchestrator/yarn.lock[8578-8638]
workspaces/orchestrator/yarn.lock[8522-8555]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
Upgrading `@backstage-community/plugin-rbac` introduces `@mui/styles@6.x` (and related v6 theming internals) while the app is still pinned to `@mui/styles@5.18.0`, leaving the workspace with both MUI v5 and v6 styling/theming stacks.

### Issue Context
This is visible in `yarn.lock` where `@backstage-community/plugin-rbac@1.52.2` depends on `@mui/styles: ^6.1.7`, while `app-legacy` depends on `@mui/styles: 5.18.0`, and both major versions resolve concurrently.

### Fix Focus Areas
- workspaces/orchestrator/package.json[53-59]
- workspaces/orchestrator/packages/app-legacy/package.json[21-63]

### Suggested fix approach
- Choose a single MUI styling/theming major line for the workspace:
 - **Option A (keep MUI v5 stack):** add/extend Yarn `resolutions` in `workspaces/orchestrator/package.json` to force `@mui/styles`, `@mui/private-theming`, and `@mui/utils` to the v5 line used by the app, then run install/build to confirm plugin-rbac still works.
 - **Option B (move towards MUI v6 stack):** upgrade the app’s MUI/theming dependencies (and any Backstage constraints) so that `@mui/styles@6.x` is the only version in the graph.
- After aligning, re-run `yarn install` and ensure `yarn.lock` reflects a single major line for these packages.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

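The two things this PR and its review are really about, that every package named in the description resolves to a patched release and that the lockfile does not carry two major lines of the same package (the @mui/styles v5 + v6 situation above), can both be checked mechanically against yarn.lock. The following is an added example, not code from this PR or from the rhdh-plugins project: it runs on a constructed lockfile excerpt rather than the real workspaces/orchestrator/yarn.lock, and the helper names parseLock, findDuplicateMajors and findUnremediated are assumptions of this example.

```javascript
// Added example, not code from the PR: audit a yarn.lock against the fixed versions listed
// above. Accepts classic (`version "x"`) and Yarn berry (`version: x`) lockfile syntax.
const FIXED = { // fixed releases from the PR description; minimatch keeps four patched majors
  'fast-xml-parser': ['4.5.6'], multer: ['2.1.1'], jsonpath: ['1.3.0'], undici: ['7.25.0'],
  minimatch: ['3.1.5', '5.1.9', '7.4.9', '9.0.9'], '@xmldom/xmldom': ['0.8.13'],
  'follow-redirects': ['1.16.0'],
};
// Constructed sample in berry syntax; NOT the real workspaces/orchestrator/yarn.lock.
const SAMPLE_LOCK = `"@mui/styles@npm:5.18.0":
  version: 5.18.0
"@mui/styles@npm:^6.1.7":
  version: 6.4.3
"minimatch@npm:^9.0.0":
  version: 9.0.3
"multer@npm:^1.4.5-lts.1":
  version: 1.4.5-lts.1
`;
// [major, minor, patch] as numbers; prerelease/build suffixes are ignored when ordering.
const semver = v => { const p = v.split(/[-+]/)[0].split('.').map(Number); while (p.length < 3) p.push(0); return p; };
const cmp = (a, b) => semver(a).map((x, i) => x - semver(b)[i]).find(d => d !== 0) || 0;

function parseLock(text) { // lockfile text -> Map<packageName, Set<resolvedVersion>>
  const out = new Map(); let name = null;
  for (const line of text.split('\n')) {
    if (/^\S/.test(line)) { // entry header: `"name@npm:^1.0.0, name@npm:^1.2.0":`
      const first = line.replace(/"/g, '').replace(/:$/, '').split(',')[0].trim();
      const at = first.lastIndexOf('@'); name = at > 0 ? first.slice(0, at) : null; // keeps scope "@", skips __metadata
      continue;
    }
    const m = line.match(/^\s+version:?\s*"?([^"\s]+)"?/);
    if (m && name) (out.get(name) ?? out.set(name, new Set()).get(name)).add(m[1]);
  }
  return out;
}
function findDuplicateMajors(lock) { // packages resolved on more than one major line
  const dup = {};
  for (const [name, versions] of lock)
    if (new Set([...versions].map(v => semver(v)[0])).size > 1) dup[name] = [...versions].sort();
  return dup;
}
// Resolved versions below the fix on their major line, or on a major line with no fixed release.
function findUnremediated(lock, fixed = FIXED) {
  const bad = [];
  for (const [name, fixes] of Object.entries(fixed))
    for (const v of lock.get(name) ?? []) {
      const floor = fixes.find(f => semver(f)[0] === semver(v)[0]);
      if (!floor) bad.push(`${name}@${v}: no remediated release on major ${semver(v)[0]}`);
      else if (cmp(v, floor) < 0) bad.push(`${name}@${v}: below fixed ${floor}`);
    }
  return bad;
}
```

Against the sample, findDuplicateMajors reports only @mui/styles, and findUnremediated reports multer (still on a 1.x line that has no fixed release in the list) and minimatch 9.0.3 (below 9.0.9); minimatch being listed on four major lines is intentional, so the per-major floor is what makes that check meaningful.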

@rhdh-qodo-merge

Review Summary by Qodo

Update RBAC plugin dependency to remediate CVEs

✨ Enhancement


Walkthroughs

Description
• Update @backstage-community/plugin-rbac dependency from 1.33.2 to 1.52.1
• Remediates CVEs by upgrading to latest plugin version
• Ensures app-legacy uses current dependency versions
Diagram
flowchart LR
  A["app-legacy package.json"] -- "upgrade dependency" --> B["@backstage-community/plugin-rbac v1.52.1"]
  B -- "includes" --> C["jsonpath-plus security fix"]


File Changes

1. workspaces/orchestrator/packages/app-legacy/package.json Dependencies +1/-1

Upgrade RBAC plugin to latest secure version

• Updated @backstage-community/plugin-rbac from version 1.33.2 to 1.52.1
• Addresses CVE vulnerabilities in jsonpath-plus transitive dependency
• Maintains compatibility with app-legacy frontend package

workspaces/orchestrator/packages/app-legacy/package.json


@rhdh-qodo-merge rhdh-qodo-merge Bot added the enhancement New feature or request label Apr 29, 2026
@kim-tsao kim-tsao force-pushed the fix_orchestrator_cves branch from 5079330 to 4ecb40a on April 29, 2026 16:49
@kim-tsao kim-tsao force-pushed the fix_orchestrator_cves branch 5 times, most recently from fcc59fa to d982e20 on April 29, 2026 19:03
Signed-off-by: Kim Tsao <ktsao@redhat.com>
@kim-tsao kim-tsao force-pushed the fix_orchestrator_cves branch from d982e20 to 47d1d2d on April 29, 2026 19:06
@kim-tsao kim-tsao removed enhancement New feature or request do-not-merge/hold labels Apr 29, 2026
@codecov

codecov Bot commented Apr 29, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 60.57%. Comparing base (756c137) to head (d264c07).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff            @@
##             main    #2959    +/-   ##
========================================
  Coverage   60.57%   60.57%            
========================================
  Files        2005     2005            
  Lines       62763    62763            
  Branches    16357    16360     +3     
========================================
  Hits        38016    38016            
+ Misses      24222    23916   -306     
- Partials      525      831   +306     
Flag Coverage Δ *Carryforward flag
adoption-insights 83.58% <ø> (ø) Carriedforward from 756c137
app-defaults 69.60% <ø> (ø) Carriedforward from 756c137
augment 69.36% <ø> (ø) Carriedforward from 756c137
bulk-import 72.57% <ø> (ø) Carriedforward from 756c137
cost-management 16.49% <ø> (ø) Carriedforward from 756c137
dcm 33.63% <ø> (ø) Carriedforward from 756c137
extensions 61.42% <ø> (ø) Carriedforward from 756c137
global-floating-action-button 73.75% <ø> (ø) Carriedforward from 756c137
global-header 61.56% <ø> (ø) Carriedforward from 756c137
homepage 50.92% <ø> (ø) Carriedforward from 756c137
konflux 91.01% <ø> (ø) Carriedforward from 756c137
lightspeed 69.61% <ø> (ø) Carriedforward from 756c137
mcp-integrations 81.59% <ø> (ø) Carriedforward from 756c137
orchestrator 33.08% <ø> (ø)
quickstart 62.64% <ø> (ø) Carriedforward from 756c137
sandbox 79.56% <ø> (ø) Carriedforward from 756c137
scorecard 83.23% <ø> (ø) Carriedforward from 756c137
theme 64.54% <ø> (ø) Carriedforward from 756c137
translations 8.49% <ø> (ø) Carriedforward from 756c137
x2a 82.09% <ø> (ø) Carriedforward from 756c137

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 756c137...d264c07. Read the comment docs.

@lholmquist
Member

does this PR, https://github.com/redhat-developer/rhdh-plugins/pull/2961/changes, relate to this at all?

@kim-tsao
Member Author

https://github.com/redhat-developer/rhdh-plugins/pull/2961/changes

yes, but it's a patch in main not the z stream

@lholmquist
Member

i think i linked the wrong one, this one is against main, #2962

@kim-tsao kim-tsao force-pushed the fix_orchestrator_cves branch from 47d1d2d to 205d780 on April 29, 2026 19:53
@kim-tsao
Member Author

kim-tsao commented Apr 29, 2026

i think i linked the wrong one, this one is against main, #2962

Yes, that's the same one. I removed my commit for follow-redirects

Actually, no. That PR is against the root yarn.lock. Not against the orchestrator workspace

Signed-off-by: Kim Tsao <ktsao@redhat.com>

@kim-tsao kim-tsao merged commit fd2032c into redhat-developer:main Apr 29, 2026
61 checks passed
2 participants