fix(ai-integrations): resolve isolated-vm to ^6 and allow Node 22–24

[hopehadfield]

Hey, I just made a Pull Request!

isolated-vm v5.x fails to build on Node 24, which RHDH has recently migrated to. isolated-vm was bumped to v6 in Backstage 1.46, though with ai-integrations still remaining on 1.45, this resolution is needed to build on Node 24 in the interim.

I also updated engines to reflect supported Node versions.

✔️ Checklist

• A changeset describing the change and affected packages. (more info)
• Added or Updated documentation
• Tests for new functionality and regression tests for bug fixes
• Screenshots attached (for UI changes)

[rhdh-qodo-merge]

Code Review by Qodo

🐞 Bugs (2) 📘 Rule violations (0)

1. Node 23 excluded 🐞 Bug ≡ Correctness

Description

The ai-integrations workspace sets engines.node to "22 || 24", which excludes Node 23.x and will
fail engine checks for users running Node 23. If the intent is to support the full 22–24 range, the
engine constraint is incorrect.

Code

workspaces/ai-integrations/package.json[5]

+    "node": "22 || 24"

Relevance

⭐ Low

Repo historically lists only LTS majors (ai-integrations was 18||20; root engines pinned to 24), so
excluding 23 seems intentional.

PR-#2774

ⓘ Recommendations generated based on similar findings in past PRs

Evidence

The manifest’s engine expression is a logical OR of majors 22 and 24, so it does not match 23.x.

workspaces/ai-integrations/package.json[4-6]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`workspaces/ai-integrations/package.json` sets `engines.node` to `"22 || 24"`, which excludes Node 23.x. If the goal is to support Node 22 through 24, this semver expression is too restrictive.

## Issue Context
Some tooling/CI environments enforce `engines` checks; users on Node 23 will be blocked even if Node 23 would otherwise work.

## Fix Focus Areas
- workspaces/ai-integrations/package.json[4-6]

## Suggested change
Update the engine constraint to an inclusive range, for example:
- `">=22 <25"` (supports 22, 23, 24)

If excluding non-LTS releases is intentional, keep the value but update accompanying documentation/PR description to avoid implying a contiguous 22–24 range.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

2. Overrides isolated-vm semver 🐞 Bug ☼ Reliability

Description

The new Yarn resolution forces isolated-vm ^6.0.1, overriding @backstage/plugin-scaffolder-backend’s
declared isolated-vm dependency (^5.0.1). This bypasses the dependency’s compatibility contract and
can cause runtime issues unless the Backstage package versions are upgraded/validated against
isolated-vm v6.

Code

workspaces/ai-integrations/package.json[R51-54]

  "resolutions": {
    "@types/react": "^18",
-    "@types/react-dom": "^18"
+    "@types/react-dom": "^18",
+    "isolated-vm": "^6.0.1"

Relevance

⭐ Low

Team already merged same workaround: Yarn resolution forcing isolated-vm ^6.0.1 for Node 24 CI; only
removed when Node24 not targeted.

PR-#2871
PR-#2098

ⓘ Recommendations generated based on similar findings in past PRs

Evidence

The PR adds a global resolution for isolated-vm v6. The workspace backend depends on
@backstage/plugin-scaffolder-backend, and the lockfile shows that package declares `isolated-vm:
npm:^5.0.1`, meaning the resolution is forcing a major-version jump beyond the dependent’s requested
range.

workspaces/ai-integrations/package.json[51-55]
workspaces/ai-integrations/packages/backend/package.json[23-55]
workspaces/ai-integrations/yarn.lock[3861-3896]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
A workspace-level Yarn `resolutions` entry forces `isolated-vm` to `^6.0.1`, but `@backstage/plugin-scaffolder-backend` declares a dependency on `isolated-vm` `^5.0.1`. This forces a major version outside the dependent’s requested range and can lead to runtime incompatibilities.

## Issue Context
`packages/backend` depends on `@backstage/plugin-scaffolder-backend`, and the lockfile indicates it expects `isolated-vm: npm:^5.0.1`. With the new resolution, installs will select isolated-vm v6 anyway, so compatibility should be ensured via version alignment and/or explicit validation.

## Fix Focus Areas
- workspaces/ai-integrations/package.json[51-55]
- workspaces/ai-integrations/packages/backend/package.json[23-55]
- workspaces/ai-integrations/yarn.lock[3861-3896]

## Suggested fix options
1) **Preferred:** Upgrade Backstage packages (at least `@backstage/plugin-scaffolder-backend`, and any related Backstage packages) to versions that officially support `isolated-vm` v6.
2) If upgrade isn’t possible, consider whether a different mitigation is needed (e.g., temporarily pinning to an `isolated-vm` version compatible with your Node targets), but avoid forcing a major outside the dependent’s declared range without tests.

## Acceptance criteria
- The resolved `isolated-vm` major version is within the declared semver range of the Backstage packages in use, OR
- There are explicit compatibility validations (tests/smoke run) demonstrating scaffolder backend functionality with `isolated-vm` v6 under the supported Node versions.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[rhdh-qodo-merge]

Review Summary by Qodo

Upgrade isolated-vm to v6 and update Node engine support

🐞 Bug fix ✨ Enhancement

Walkthroughs

Description

• Upgrade isolated-vm dependency to ^6.0.1 for Node 24 compatibility
• Update Node engine support from 18||20 to 22||24
• Resolve build failures on Node 24 with newer isolated-vm version

Diagram

flowchart LR
  A["isolated-vm v5"] -->|"Fails on Node 24"| B["Build Error"]
  C["Update to isolated-vm ^6.0.1"] -->|"Resolves"| B
  D["Node engines: 18||20"] -->|"Update to"| E["Node engines: 22||24"]
  C -->|"Enables support for"| E

Loading

File Changes

1. workspaces/ai-integrations/package.json Dependencies +3/-2

Update Node engines and add isolated-vm resolution

• Updated Node engine requirement from "18 || 20" to "22 || 24"
• Added isolated-vm resolution to ^6.0.1 in resolutions section
• Maintains existing devDependencies and configuration

workspaces/ai-integrations/package.json

---

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (main@5508d6c). Learn more about missing BASE report.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #2966   +/-   ##
=======================================
  Coverage        ?   69.58%           
=======================================
  Files           ?       53           
  Lines           ?      789           
  Branches        ?      151           
=======================================
  Hits            ?      549           
  Misses          ?      239           
  Partials        ?        1           

Flag	Coverage Δ
ai-integrations	69.58% <ø> (?)

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 5508d6c...19f5efb. Read the comment docs.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[gabemontero]

thanks @hopehadfield