Skip to content

chore: patch cli-common, backend-plugin-api, techdocs-node [release-1.9]#4498

Merged
openshift-merge-bot[bot] merged 2 commits intoredhat-developer:release-1.9from
Omar-AlJaljuli:RHDHBUGS-2844
Mar 31, 2026
Merged

chore: patch cli-common, backend-plugin-api, techdocs-node [release-1.9]#4498
openshift-merge-bot[bot] merged 2 commits intoredhat-developer:release-1.9from
Omar-AlJaljuli:RHDHBUGS-2844

Conversation

@Omar-AlJaljuli
Copy link
Copy Markdown
Contributor

@Omar-AlJaljuli Omar-AlJaljuli commented Mar 27, 2026

Description

@backstage/plugin-techdocs-node vulnerable to arbitrary code execution via MkDocs hooks.
Upstream fixed it at backstage/backstage@66e08b0#diff-a00c2d14ca2579883df4436744e43f3ef63a192c850c36603bdaac92364354fcR3

There are three patches:

@backstage/plugin-techdocs-node - the one that had the vulnerability
@backstage/cli-common - techdocs-node uses a method from this package isChildPath that required an update too.
@backstage/backend-plugin-api is another package that uses isChildPath and as this was patched for fixing the CVE, this package needed an update too.

All patches were applied as resolutions in package.json and dynamic-plugins/package.json, with an exception of @backstage-plugin-techdocs being applied only on dynamic-plugins/package.json because it is not used by package.json

Which issue(s) does this PR fix

RHDHBUGS-2844

PR acceptance criteria

Please make sure that the following steps are complete:

  • GitHub Actions are completed and successful
  • Unit Tests are updated and passing
  • E2E Tests are updated and passing
  • Documentation is updated if necessary (requirement for new features)
  • Add a screenshot if the change is UX/UI related

How to test changes / Special notes to the reviewer

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Mar 27, 2026

Image was built and published successfully. It is available at:

@kim-tsao
Copy link
Copy Markdown
Member

kim-tsao commented Mar 27, 2026

/test e2e-ocp-helm

JessicaJHee
JessicaJHee reviewed Mar 30, 2026
View reviewed changes
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Mar 30, 2026

The container image build workflow finished with status: cancelled.

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Mar 30, 2026

Image was built and published successfully. It is available at:

@Omar-AlJaljuli
Copy link
Copy Markdown
Contributor Author

Omar-AlJaljuli commented Mar 31, 2026

/retest

@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud bot commented Mar 31, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Mar 31, 2026

Image was built and published successfully. It is available at:

@Omar-AlJaljuli
Copy link
Copy Markdown
Contributor Author

Omar-AlJaljuli commented Mar 31, 2026

/retest

kim-tsao
kim-tsao approved these changes Mar 31, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@kim-tsao kim-tsao left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci openshift-ci bot added the lgtm label Mar 31, 2026
@kim-tsao
Copy link
Copy Markdown
Member

kim-tsao commented Mar 31, 2026

/lgtm cancel

@openshift-ci openshift-ci bot removed the lgtm label Mar 31, 2026
@openshift-merge-bot openshift-merge-bot bot merged commit f45a392 into redhat-developer:release-1.9 Mar 31, 2026
15 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@JessicaJHee JessicaJHee JessicaJHee left review comments

@kim-tsao kim-tsao kim-tsao approved these changes

@alizard0 alizard0 Awaiting requested review from alizard0

@Eswaraiahsapram Eswaraiahsapram Awaiting requested review from Eswaraiahsapram

@PatAKnight PatAKnight Awaiting requested review from PatAKnight

Assignees

@kim-tsao kim-tsao

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Omar-AlJaljuli @kim-tsao @JessicaJHee