chore(deps): [release-1.8] upgrade backstage packages to tar v7 #4642

Closed
jonkoops wants to merge 2 commits into redhat-developer:release-1.8 from jonkoops:tar-v7

Conversation

@jonkoops
Contributor

Upgrades @backstage/backend-defaults (0.12.2 -> 0.12.3), @backstage/plugin-scaffolder-backend (2.2.2 -> 2.2.3), and @backstage/plugin-scaffolder-node (0.11.2 -> 0.11.3) to replace the deprecated tar v6 with tar v7.

Backports backstage/backstage#32471 via backstage/backstage#33902.

Stacked on #4640.

Upgrades @backstage/backend-defaults (0.12.0 -> 0.12.2),
@backstage/plugin-scaffolder-backend (2.2.0 -> 2.2.2), and
@backstage/plugin-scaffolder-node (0.11.0 -> 0.11.2) to address
symlink path traversal in Scaffolder actions (GHSA-rq6q-wr2q-7pgp).

Replaces the previous yarn patch-based mitigation with the official
fix versions. Lockfile changes were applied using yarn-lockfile-surgeon
to minimize transitive dependency impact.

Upgrades @backstage/backend-defaults (0.12.2 -> 0.12.3),
@backstage/plugin-scaffolder-backend (2.2.2 -> 2.2.3), and
@backstage/plugin-scaffolder-node (0.11.2 -> 0.11.3) to replace
the deprecated tar v6 with tar v7.

Backports backstage/backstage#33902.
@openshift-ci openshift-ci Bot requested review from gustavolira and josephca April 20, 2026 13:04
@rhdh-qodo-merge

rhdh-qodo-merge Bot commented Apr 20, 2026

Code Review by Qodo

🐞 Bugs (2) 📘 Rule violations (0) 📎 Requirement gaps (0)

Action required

1. Dynamic plugins still tar v6 🐞 Bug ≡ Correctness
Description
dynamic-plugins/package.json removes the previous pin for @backstage/plugin-scaffolder-node, but
dynamic-plugins/yarn.lock still resolves scaffolder-node to 0.11.2 which depends on tar v6. This
leaves the dynamic-plugins build path still using deprecated tar v6 instead of the intended tar v7
scaffolder-node.
Code

dynamic-plugins/package.json[L37-38]

-    "@backstage/backend-defaults": "patch:@backstage/backend-defaults@npm%3A0.12.0#./.yarn/patches/@backstage-backend-defaults-npm-0.12.0-ef8b4e5984.patch",
-    "@backstage/plugin-scaffolder-node": "patch:@backstage/plugin-scaffolder-node@npm%3A0.11.0#./.yarn/patches/@backstage-plugin-scaffolder-node-npm-0.11.0-2e81f51535.patch",
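Review bot: the two `patch:` specifiers are removed without a replacement pin, so this workspace now takes whatever `dynamic-plugins/yarn.lock` resolves, and the evidence below shows that is still `@backstage/plugin-scaffolder-node@0.11.2` with `tar: ^6.1.12`. Regenerate `dynamic-plugins/yarn.lock` in the same commit as this removal (the root `yarn.lock` is already on `0.11.3`) so the patch removal and the tar v7 bump land together rather than leaving the subproject on a different scaffolder-node than the main repo.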
Evidence
In the dynamic-plugins subproject, @backstage/plugin-scaffolder-node is still locked to 0.11.2 and
explicitly depends on tar: ^6.1.12, while the main repo is already on scaffolder-node 0.11.3 which
depends on tar: ^7.4.3.

dynamic-plugins/yarn.lock[5918-5942]
yarn.lock[5260-5284]
dynamic-plugins/package.json[29-47]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution.

### Issue description
`dynamic-plugins/package.json` no longer pins `@backstage/plugin-scaffolder-node`, but `dynamic-plugins/yarn.lock` still resolves it to `0.11.2` (tar v6). This contradicts the PR intent to move scaffolder to tar v7.

### Issue Context
The root workspace already resolves `@backstage/plugin-scaffolder-node` to a tar-v7-based version, but the dynamic-plugins subproject maintains its own `yarn.lock` and must be upgraded separately.

### Fix Focus Areas
- dynamic-plugins/yarn.lock[5918-5942]
- dynamic-plugins/yarn.lock[3761-3783]
- dynamic-plugins/package.json[29-47]

### What to do
1. In `dynamic-plugins/`, run a lockfile update so that `@backstage/plugin-scaffolder-node` resolves to `0.11.3` (and `@backstage/backend-defaults` resolves to `0.12.3` if desired/needed).
  - e.g. `cd dynamic-plugins && yarn up @backstage/plugin-scaffolder-node@0.11.3 @backstage/backend-defaults@0.12.3`
2. Commit the resulting `dynamic-plugins/yarn.lock` changes.
3. Verify `dynamic-plugins/yarn.lock` no longer shows scaffolder-node depending on `tar: ^6.1.12`.


2. Auth-node version out-of-range 🐞 Bug ☼ Reliability
Description
After upgrading @backstage/backend-defaults to 0.12.3, the dependency graph requires
@backstage/plugin-auth-node ^0.6.7, but the repo-wide resolution forces @backstage/plugin-auth-node
to 0.6.6. This forces backend-defaults to run with an out-of-range dependency version and can break
at runtime if backend-defaults relies on 0.6.7+ APIs.
Code

packages/backend/package.json[28]

+    "@backstage/backend-defaults": "0.12.3",
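Review bot: the exact pin `0.12.3` is fine, but the evidence below shows this version declares `@backstage/plugin-auth-node: ^0.6.7` while the root `package.json` `resolutions` force `0.6.6`, so the lockfile installs a version outside the dependent's declared range. Bump that resolution alongside this line (and the matching one under `dynamic-plugins/` if the two are kept aligned), then regenerate `yarn.lock`, so the override no longer pairs `backend-defaults@0.12.3` with an auth-node it was not released against.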
Evidence
@backstage/backend-defaults@0.12.3 declares a dependency on @backstage/plugin-auth-node: ^0.6.7,
but package.json resolutions force @backstage/plugin-auth-node to 0.6.6. The lockfile shows
only @backstage/plugin-auth-node@0.6.6 is installed, meaning the forced resolution violates the
declared semver range.

yarn.lock[2855-2876]
package.json[52-67]
yarn.lock[4397-4406]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution.

### Issue description
Upgrading `@backstage/backend-defaults` to `0.12.3` introduces a dependency requirement of `@backstage/plugin-auth-node@^0.6.7`, but the repo forces `@backstage/plugin-auth-node` to `0.6.6` via `resolutions`. This creates an out-of-range override.

### Issue Context
Yarn `resolutions` will force the version even if it violates the dependent package’s semver range; that can lead to runtime failures when the dependent expects newer APIs.

### Fix Focus Areas
- packages/backend/package.json[25-31]
- package.json[52-67]
- yarn.lock[2855-2876]
- yarn.lock[4397-4406]

### What to do
1. Update the repo-wide resolution for `@backstage/plugin-auth-node` from `0.6.6` to a version that satisfies `^0.6.7` (e.g. `0.6.7`).
2. Regenerate `yarn.lock` so that `@backstage/backend-defaults@0.12.3` is no longer paired with an out-of-range `@backstage/plugin-auth-node`.
3. If `dynamic-plugins/` is intended to remain aligned, apply the same resolution bump there and regenerate `dynamic-plugins/yarn.lock` as well.


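Both findings above come down to reading a Yarn Berry lockfile by hand: step 3 of the first prompt asks for a check that no entry still declares `tar: ^6.1.12`, and the second finding rests on a version forced through `resolutions` (`@backstage/plugin-auth-node` at `0.6.6`) failing the `^0.6.7` a dependent declares. The Node script below is an added example and not code from this PR, from Backstage or from the RHDH project; it automates both checks over a lockfile. The package names and versions are the ones quoted in the review, the lockfile text is constructed for the example with unrelated fields omitted, and the function names (`parseLockfile`, `splitDescriptor`, `satisfies`, `auditLockfile`) are this example's own. The semver check handles only caret, tilde and exact ranges, which is what these entries use; other range syntaxes are skipped rather than flagged. The override check goes slightly beyond the review's case: it flags any lockfile entry whose resolved version fails one of the descriptors mapped to it, which is the footprint any forced `resolutions` entry leaves, not just this one.

```javascript
// Added example, not code from this PR, from Backstage or from RHDH: audit a Yarn Berry
// yarn.lock for (1) an entry still depending on an old major of a package (tar v6 here)
// and (2) a resolved version that fails a range pointing at it, the footprint a forced
// `resolutions` entry leaves (plugin-auth-node 0.6.6 against a declared ^0.6.7).
// Names and versions are those quoted in the review; the lockfile text is constructed
// for this example (checksums and other fields omitted).

const SAMPLE_LOCK = `
"@backstage/backend-defaults@npm:0.12.3":
  version: 0.12.3
  dependencies:
    "@backstage/plugin-auth-node": "npm:^0.6.7"
    tar: "npm:^7.4.3"
  languageName: node

"@backstage/plugin-auth-node@npm:0.6.6, @backstage/plugin-auth-node@npm:^0.6.7":
  version: 0.6.6
  languageName: node

"@backstage/plugin-scaffolder-node@npm:0.11.2":
  version: 0.11.2
  dependencies:
    tar: "npm:^6.1.12"
  languageName: node
`;

// Minimal reader for the Berry layout: an unindented "descriptor(s):" header, 2-space keys
// (version, dependencies, ...) and 4-space "name: range" lines under dependencies.
function parseLockfile(text) {
  const entries = [];
  let current = null, section = null;
  for (const raw of text.split("\n")) {
    const m = raw.match(/^(\s*)("?)([^"]+)\2:\s*(.*)$/);
    if (!m || raw.startsWith("#")) continue; // blank lines and comments
    const [, indent, , key, rawValue] = m;
    const value = rawValue.replace(/^"|"$/g, "");
    if (indent.length === 0) { // new entry; the __metadata block is not a package
      current = key.startsWith("__") ? null : { descriptors: key.split(","), version: "", dependencies: {} };
      if (current) entries.push(current);
      section = null;
    } else if (!current) {
      continue;
    } else if (indent.length === 2) {
      section = key;
      if (key === "version") current.version = value;
    } else if (section === "dependencies") {
      current.dependencies[key] = value.replace(/^npm:/, "");
    }
  }
  return entries;
}

// "@scope/name@npm:^1.2.3" -> { name: "@scope/name", range: "^1.2.3" }
function splitDescriptor(descriptor) {
  const d = descriptor.trim();
  const at = d.indexOf("@", 1); // skip the leading "@" of a scoped package
  return { name: d.slice(0, at), range: d.slice(at + 1).replace(/^npm:/, "") };
}

const parseVersion = (v) => { const m = v.match(/^(\d+)\.(\d+)\.(\d+)/); return m && m.slice(1, 4).map(Number); };
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// Caret, tilde and exact ranges only (what these entries use); anything else
// (unions, workspace:, patch:) yields undefined so callers skip it rather than flag it.
function satisfies(version, range) {
  const m = range.match(/^([\^~]?)(\d+\.\d+\.\d+)$/);
  const v = parseVersion(version);
  if (!m || !v) return undefined;
  const base = parseVersion(m[2]);
  if (cmp(v, base) < 0) return false;
  if (m[1] === "") return cmp(v, base) === 0;
  const upper = m[1] === "~" ? [base[0], base[1] + 1, 0]
    : base[0] > 0 ? [base[0] + 1, 0, 0] : base[1] > 0 ? [0, base[1] + 1, 0] : [0, 0, base[2] + 1];
  return cmp(v, upper) < 0;
}

function auditLockfile(lockText, depName, staleMajor) {
  const entries = parseLockfile(lockText);
  const idOf = (e) => `${splitDescriptor(e.descriptors[0]).name}@${e.version}`;
  const report = { staleMajor: [], forcedOverrides: [] };
  for (const e of entries) {
    for (const d of e.descriptors) { // (2) a descriptor the resolved version cannot satisfy
      const { name, range } = splitDescriptor(d);
      if (satisfies(e.version, range) === false) {
        const requiredBy = entries.filter((x) => x.dependencies[name] === range).map(idOf);
        report.forcedOverrides.push({ name, version: e.version, requested: range, requiredBy });
      }
    }
    for (const [dep, range] of Object.entries(e.dependencies)) { // (1) old major of depName
      const base = parseVersion(range.replace(/^[\^~]/, ""));
      if (dep === depName && base && base[0] === staleMajor) {
        report.staleMajor.push({ dependent: idOf(e), range });
      }
    }
  }
  return report;
}

// No argument: audit the constructed sample. With a path, audit a real lockfile, e.g.
//   node audit-lock.js dynamic-plugins/yarn.lock
const lockText = typeof require === "function" && process.argv[2]
  ? require("node:fs").readFileSync(process.argv[2], "utf8")
  : SAMPLE_LOCK;
const result = auditLockfile(lockText, "tar", 6);
for (const s of result.staleMajor) console.log(`still on tar v6: ${s.dependent} requires tar ${s.range}`);
for (const f of result.forcedOverrides) console.log(`forced override: ${f.name}@${f.version} fails ${f.requested} required by ${f.requiredBy.join(", ")}`);
if (!result.staleMajor.length && !result.forcedOverrides.length) console.log("lockfile clean");
```

On the constructed sample the script reports `@backstage/plugin-scaffolder-node@0.11.2` as still requiring `tar ^6.1.12` and `@backstage/plugin-auth-node@0.6.6` as failing the `^0.6.7` that `@backstage/backend-defaults@0.12.3` requires, which are the two findings above. After the `yarn up` in step 1 and a bumped resolution, running it against both `yarn.lock` and `dynamic-plugins/yarn.lock` should print `lockfile clean`; a mismatch between the two files is itself the signal that the subproject was upgraded separately.
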
@github-actions
Contributor

The container image build workflow finished with status: failure.

@jonkoops
Contributor Author

Replacing with stacked PR

@jonkoops jonkoops closed this Apr 20, 2026
@rhdh-qodo-merge

Review Summary by Qodo

Upgrade Backstage packages to tar v7 and fix CVE-2026-24046

✨ Enhancement 🐞 Bug fix


Walkthroughs

Description
• Upgrade Backstage packages to tar v7 (replacing deprecated tar v6)
• Fix CVE-2026-24046 symlink path traversal vulnerability in Scaffolder
• Update @backstage/backend-defaults from 0.12.0 to 0.12.3
• Update @backstage/plugin-scaffolder-backend from 2.2.0 to 2.2.3
• Update @backstage/plugin-scaffolder-node from 0.11.0 to 0.11.3
Diagram

```mermaid
flowchart LR
  A["Backstage Packages v0.12.0/2.2.0"] -- "Upgrade to v0.12.3/2.2.3" --> B["tar v7 Support"]
  A -- "Security Fix" --> C["CVE-2026-24046 Patched"]
  B --> D["Multiple Package.json Files Updated"]
  C --> D
```


File Changes

1. packages/backend/package.json (Dependencies, +2/-2): Upgrade Backstage dependencies to latest versions
2. plugins/licensed-users-info-backend/package.json (Dependencies, +1/-1): Update backend-defaults to 0.12.3
3. plugins/dynamic-plugins-info-backend/package.json (Dependencies, +1/-1): Update backend-defaults to 0.12.3
4. plugins/scalprum-backend/package.json (Dependencies, +1/-1): Update backend-defaults to 0.12.3
5. e2e-tests/.local-test/rhdh (Configuration changes, +1/-0): Add subproject commit reference
6. .yarn/patches/@backstage-backend-defaults-npm-0.12.0-ef8b4e5984.patch (Additional files, +0/-67): ...
7. .yarn/patches/@backstage-plugin-scaffolder-backend-npm-2.2.0-487419bad1.patch (Additional files, +0/-82): ...
8. .yarn/patches/@backstage-plugin-scaffolder-node-npm-0.11.0-2e81f51535.patch (Additional files, +0/-22): ...
9. dynamic-plugins/.yarn/patches/@backstage-backend-defaults-npm-0.12.0-ef8b4e5984.patch (Additional files, +0/-67): ...
10. dynamic-plugins/.yarn/patches/@backstage-plugin-scaffolder-backend-npm-2.2.0-487419bad1.patch (Additional files, +0/-82): ...
11. dynamic-plugins/.yarn/patches/@backstage-plugin-scaffolder-node-npm-0.11.0-2e81f51535.patch (Additional files, +0/-22): ...
12. dynamic-plugins/package.json (Additional files, +0/-2): ...
13. package.json (Additional files, +0/-4): ...
