feat: add process docs and scripts for yarn.lock only backports#2713
feat: add process docs and scripts for yarn.lock only backports#2713JessicaJHee wants to merge 3 commits into
Conversation
66ee59f to
7793d32
Compare
There was a problem hiding this comment.
As per redhat-developer/rhdh-adr#9 and architecture call agreements, all new scripts should be written using TypeScript as the preferred language.
7793d32 to
d45d20f
Compare
c0371e1 to
5ecd8a8
Compare
5ecd8a8 to
d0ef54a
Compare
d0ef54a to
c37d759
Compare
|
@jonkoops Just converted the script over to TypeScript. I dismissed a few path validation SonarCloud warnings since the script requires cross repo access. Accepting the risk since this is a local only script meant to be run manually. We're looking to integrate this in the future in a GitHub actions as well, in that case the inputs will be controlled as well. PTAL :) |
Signed-off-by: Jessica He <jhe@redhat.com>
c37d759 to
03c7e7f
Compare
|
|
||
| | Option | Required | Description | | ||
| |--------|----------|-------------| | ||
| | `--release` | yes | RHDH release line (e.g. `1.10` → branch `release-1.10` on rhdh-plugin-export-overlays) | |
There was a problem hiding this comment.
non-blocking comment: if 1.10 means release-1.10, why dont the user specify direclty --release release-1.10
| backports: | ||
| - cve_ids: | ||
| - CVE-2026-44486 | ||
| - CVE-2026-44487 |
There was a problem hiding this comment.
non-blocking: in the example we should set at least one cve with override
|



Summary
Adds tooling to backport transitive dependency CVE fixes in
yarn.lockonly for z-stream releases — without bumpingsource.json:repo-ref.Tooling lives in
scripts/yarnlock-backport/(TypeScript CLI). Full workflow: user-guide/06-patch-management.md.Commands
Typical usage:
Artifacts per workspace
Documentation
user-guide/06-patch-management.md(prepare →yarn up→ generate, re-roll when patch apply fails, manifest format)scripts/yarnlock-backport/README.md— quick startFork clones need an
upstreamremote for rhdh-plugin-export-overlays and rhdh-plugins; the tool syncs release branches and fetches pinnedrepo-refSHAs from upstream.Example output
Lightspeed CVE backport generated with this tooling: #2722