
fix(deps): update build-tools and fix npm vulnerabilities#2366

Open
platex-rehor-bot wants to merge 2 commits into
RedHatInsights:masterfrom
platex-rehor-bot:bot/RHCLOUD-48037

Conversation

@platex-rehor-bot platex-rehor-bot commented Jun 10, 2026


What and why

RHCLOUD-48037

Vulnerability mitigation for the insights-rbac-ui container image. The June 2026 scan identified 58 vulnerabilities (2 Critical, 19 High) in the built image, primarily from outdated base images and npm dependencies.

Container image fixes (Phase 1):

  • Update build-tools submodule to latest (6bdef6f) — bumps Node.js builder image from 9.7-1773053268 to 9.8-1780375952, removes deprecated valpop binary. A rebuild will pull the latest caddy-ubi:latest runtime image, picking up RPM patches for gnutls, krb5-libs, libcap, libnghttp2, and other system packages.

npm dependency fixes:

  • Add axios ^1.17.0 as direct dependency (used in 20 source files, was only transitive)
  • Update vitest / @vitest/coverage-v8 / @vitest/ui to ^4.1.8 (fixes critical vitest RCE)
  • Update happy-dom to ^20.10.2 (fixes high severity issues)
  • Add overrides for transitive deps: serialize-javascript ^7.0.5, shell-quote ^1.8.4, tmp ^0.2.7

Result: npm audit reduced from 51 vulnerabilities (5 critical, 13 high) to 16 moderate-only. All critical and high severity npm vulnerabilities are resolved.

Note: Go module vulnerabilities (CVE-2026-27143 in Go stdlib, OpenTelemetry, Caddy, golang.org/x/crypto, pgx) reside in the caddy-ubi runtime image and require an upstream image update — tracked separately as Phase 2.


Screenshots

N/A — no UI changes.


Anything non-obvious reviewers should know?

  • The axios addition to direct dependencies is intentional — it was previously resolved only as a transitive dependency despite being imported in 20 source files.
  • The overrides section forces patched versions of serialize-javascript, shell-quote, and tmp which are transitive dependencies not directly imported in this project.
  • This PR supersedes the scope of PR chore(deps): update build-tools digest to 6bdef6f #2349 (build-tools digest update to 72c2bef) by going to the latest commit (6bdef6f).

Attention needed

  • (Optional) QE: notable impact on test coverage or OUIA IDs changed
  • (Optional) UX: end-user UX modified, designs may need sign-off

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated build tools and dependencies, including adding axios and pinning critical transitive dependencies for improved stability.

RHCLOUD-48037

Update build-tools submodule to latest (6bdef6f) which bumps
the Node.js builder image from 9.7 to 9.8 and removes the
deprecated valpop binary. This triggers a rebuild with latest
UBI9 base images, fixing RPM-level CVEs.

Fix all critical and high npm audit vulnerabilities:
- Add axios ^1.17.0 as direct dependency (20 source imports)
- Update vitest/coverage-v8/ui to ^4.1.8
- Update happy-dom to ^20.10.2
- Add overrides for transitive deps: serialize-javascript,
  shell-quote, tmp

Reduces npm audit from 51 vulnerabilities (5 critical, 13 high)
to 16 moderate-only.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@platex-rehor-bot platex-rehor-bot requested a review from a team as a code owner June 10, 2026 20:06
coderabbitai Bot commented Jun 10, 2026


Warning

Review limit reached

@platex-rehor-bot, we couldn't start this review because you've reached your PR review rate limit.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 4d626b93-6eaf-4d1f-bd2a-de0a354ef2a5

📥 Commits

Reviewing files that changed from the base of the PR and between 29ae98b and ca4213c.

📒 Files selected for processing (1)
  • package.json
📝 Walkthrough

Build tools submodule reference is updated to a new commit, and package.json adds axios as a dependency, introduces an overrides section to pin three transitive dependencies, and bumps testing tool versions including vitest, vitest coverage, vitest ui, and happy-dom.

Changes

Dependencies and Build Tools Update

Build tools submodule update
  File(s): build-tools
  Summary: Build tools subproject reference is advanced to a new Git commit SHA.

Package dependencies update
  File(s): package.json
  Summary: axios (^1.17.0) is added as a dependency. An overrides section is introduced to pin serialize-javascript, shell-quote, and tmp to specific versions. Testing devDependencies are bumped: @vitest/coverage-v8 and @vitest/ui to ^4.1.8, happy-dom to ^20.10.2, and vitest to ^4.1.8.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

dependencies, javascript

Suggested reviewers

  • riccardo-forina

Poem

🐰 Hop along, dear dependencies flow,
Axios joins the team, testing tools grow.
Build tools steady, overrides in place,
A gentle bump to keep the testing race! 🚀

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Title check (✅ Passed): The title accurately summarizes the main changes: updating build-tools and fixing npm vulnerabilities, matching the primary objectives of the PR.
  • Description check (✅ Passed): The description comprehensively covers all required template sections with detailed explanations of the changes, rationale, and impact, including proper issue linkage and notes on non-obvious decisions.
  • Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check (✅ Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (✅ Passed): Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@package.json`:
- Around line 48-52: The package.json uses the "overrides" field which only
takes effect on npm >=8.3.0; update the package.json "engines" entry (or add one
if missing) to require npm ">=8.3.0" so the overrides will be applied (i.e., set
or change the "npm" value under "engines" to ">=8.3.0"); if an existing
engines.npm range is present, replace it with the new minimum; ensure CI/docs
that enforce Node/npm versions are aligned with this change.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 84502aa8-0f38-4d1c-ac96-543212858d88

📥 Commits

Reviewing files that changed from the base of the PR and between daa921f and 29ae98b.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (2)
  • build-tools
  • package.json

Comment thread package.json
RHCLOUD-48037
The overrides field in package.json only takes effect with npm 8.3.0+.
Bumping the engines.npm minimum from 7.0.0 to 8.3.0 ensures the
vulnerability overrides are always applied.

aferd commented Jun 16, 2026


We will leave the overrides because of the current situation with overrides:

  1. serialize-javascript - brought in by webpack → terser-webpack-plugin
  2. shell-quote - brought in by:
    - @redhat-cloud-services/frontend-components-config → concurrently
    - npm-run-all2
    - webpack-dev-server → launch-editor
  3. tmp - brought in by patch-package

Can we solve without overrides?

Short answer: No, not easily. Here's why:

  1. serialize-javascript: Would require webpack or terser-webpack-plugin to update. You can't reasonably avoid webpack in this project.
  2. shell-quote: Multiple packages depend on it. You'd need:
    - @redhat-cloud-services/frontend-components-config to update (Red Hat package, outside your control)
    - npm-run-all2 to update
    - webpack-dev-server to update
  3. tmp: Would require patch-package to update its dependency.

The overrides are the correct solution because:

  • These are transitive dependencies you don't directly control
  • The upstream packages haven't updated yet
  • Overrides ensure you get the secure versions without waiting for all upstream packages to update
  • The npm engines requirement (>=8.3.0) ensures overrides work correctly
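
The check that both CodeRabbit's finding and the reply above hinge on, as an added example and not code from the PR: since npm below 8.3.0 ignores overrides without complaint, this script reads the lockfile's packages map and flags any installed copy of an overridden package that falls outside its range. The sample lockfile, the root package name and the function names are constructed for the example.

```javascript
// Added example, not code from the PR: verify npm "overrides" took effect by
// checking every installed copy of each overridden package in package-lock.json
// (lockfileVersion 2/3 "packages" map) against the caret range from package.json.
// npm < 8.3.0 silently ignores "overrides", so the lockfile is the ground truth.
const OVERRIDES = { // the overrides as listed in the PR
  "serialize-javascript": "^7.0.5",
  "shell-quote": "^1.8.4",
  "tmp": "^0.2.7",
};
// Constructed sample lockfile with one stale nested copy of shell-quote.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "insights-rbac-ui" },
    "node_modules/serialize-javascript": { version: "7.0.5" },
    "node_modules/shell-quote": { version: "1.8.4" },
    "node_modules/npm-run-all2/node_modules/shell-quote": { version: "1.7.3" },
    "node_modules/tmp": { version: "0.2.7" },
  },
};
const parseVersion = (v) => v.split(".").map(Number); // "1.8.4" -> [1, 8, 4]
function cmp(a, b) { // compare [major, minor, patch] tuples
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}
// Minimal caret semantics: ^X.Y.Z allows >=X.Y.Z and < next major
// (or < next minor when X is 0). Pre-release tags are not handled.
function satisfiesCaret(version, range) {
  const lo = parseVersion(range.replace(/^\^/, ""));
  const hi = lo[0] > 0 ? [lo[0] + 1, 0, 0] : [0, lo[1] + 1, 0];
  return cmp(parseVersion(version), lo) >= 0 && cmp(parseVersion(version), hi) < 0;
}
// Walk every install path; the package name is the segment after the last
// "node_modules/" (scoped names like "@scope/pkg" survive the split).
function findUnpatchedCopies(lock, overrides) {
  const bad = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    const range = overrides[path.split("node_modules/").pop()];
    if (range && !satisfiesCaret(entry.version, range)) {
      bad.push({ path, version: entry.version, range });
    }
  }
  return bad;
}
console.log(findUnpatchedCopies(SAMPLE_LOCK, OVERRIDES)); // reports the stale 1.7.3 copy
```

Run it against the real package-lock.json after `npm install` on the CI node image; a non-empty result means the override was not honoured there.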

aferd commented Jun 16, 2026


@platex-rehor-bot this branch is out of date, please update.
