Commit 1a93ef9

Version Packages (#3134)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
1 parent 1aa10e7 commit 1a93ef9

9 files changed

Lines changed: 119 additions & 54 deletions

File tree

workspaces/cost-management/.changeset/fix-rbac-dynamic-permissions.md

Lines changed: 0 additions & 12 deletions
This file was deleted.

workspaces/cost-management/.changeset/fix-transitive-dep-cves.md

Lines changed: 0 additions & 9 deletions
This file was deleted.

workspaces/cost-management/.changeset/patch-additional-cve-and-dep-fixes.md

Lines changed: 0 additions & 30 deletions
This file was deleted.

workspaces/cost-management/plugins/cost-management-backend/CHANGELOG.md

Lines changed: 46 additions & 0 deletions
@@ -1,5 +1,51 @@
11
# @red-hat-developer-hub/plugin-cost-management-backend
22

3+
## 2.2.1
4+
5+
### Patch Changes
6+
7+
- f32b8a8: fix: register dynamic RBAC permissions for cluster/project tiers (FLPATH-4207)
8+
9+
Cluster-specific permissions (ros/<cluster>, ros/<cluster>/<project>) were created
10+
at runtime but never registered with createPermissionIntegrationRouter. The RHDH
11+
RBAC backend only evaluates registered permissions — unregistered ones get DENY by
12+
default, breaking the 3-tier RBAC model. Now fetches cluster/project data at router
13+
init and registers all dynamic permissions. Also improves secureProxy.ts error
14+
messages to include request path and error details.
15+
16+
- 558b7c3: fix: patch transitive dependency CVEs via yarn resolutions
17+
18+
Pins vulnerable transitive dependencies to patched versions to address open Dependabot alerts:
19+
20+
- 815580b: fix: additional CVE patches and dependency updates for 2.2.1
21+
22+
Covers the following changes merged after the initial CVE patch (558b7c3):
23+
24+
- chore(deps): update rhdh cost management dependencies (patch) (#3000) — bumps
25+
`@aws-sdk/core/fast-xml-parser` to 4.5.6, `request/form-data` to 2.5.5,
26+
`request/tough-cookie` to 4.1.4, `typeorm` to 0.3.29, and `file-type` to 21.3.4
27+
via yarn resolutions
28+
29+
- fix: resolve lodash CVEs via workspace resolution (#3135) — pins lodash to 4.18.1
30+
to address GHSA-r5fr-rjxr-66jc (Code Injection via _.template, CVSS 8.1) and
31+
GHSA-f23m-r3pf-42rh (Prototype Pollution via _.unset/\_.omit, CVSS 6.5)
32+
33+
- fix: update lodash direct deps to 4.18.1 to close Dependabot alerts (#3142) —
34+
updates pinned lodash versions in individual plugin package.json files so
35+
Dependabot can detect the fix for GHSA-r5fr-rjxr-66jc and GHSA-f23m-r3pf-42rh
36+
37+
- fix: CVE patches for casbin/minimatch and fast-xml-parser (#3143) — adds
38+
`casbin/minimatch` resolution to 7.4.8 and bumps `fast-xml-parser` to 5.7.3
39+
40+
- fix: upgrade @backstage-community/plugin-rbac-backend to ^7.12.4 (#3161) —
41+
upgrades rbac-backend and rbac-common to address a Backstage backend CVE
42+
43+
- chore(deps): update linkifyjs to v4.3.3 (#3155) — patch version bump
44+
45+
- Updated dependencies [558b7c3]
46+
- Updated dependencies [815580b]
47+
- @red-hat-developer-hub/plugin-cost-management-common@2.2.1
48+
349
## 2.2.0
450

551
### Minor Changes
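Review bot: the f32b8a8 entry says cluster/project data is fetched and the dynamic permissions registered "at router init", and in the same entry that unregistered permissions get DENY by default; it never says what happens to a cluster or project created after the backend starts, so state whether the registered list is refreshed or a restart is required, because that is the case an operator relying on the 3-tier model will hit first. Also, the 558b7c3 entry ends with "to address open Dependabot alerts:" and the list the colon announces is missing; add the pinned packages and versions or end the sentence without the colon.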

workspaces/cost-management/plugins/cost-management-backend/package.json

Lines changed: 1 addition & 1 deletion
@@ -1,6 +1,6 @@
11
{
22
"name": "@red-hat-developer-hub/plugin-cost-management-backend",
3-
"version": "2.2.0",
3+
"version": "2.2.1",
44
"backstage": {
55
"pluginId": "cost-management",
66
"pluginPackages": [
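Review bot: only the `version` line changes in this hunk, yet the CHANGELOG hunk for the same package records an updated dependency on @red-hat-developer-hub/plugin-cost-management-common@2.2.1; confirm that the dependency entry for that package (outside these six lines) already uses a range that resolves to 2.2.1, otherwise it needs bumping in this same release commit.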

workspaces/cost-management/plugins/cost-management-common/CHANGELOG.md

Lines changed: 33 additions & 0 deletions
@@ -1,5 +1,38 @@
11
# @red-hat-developer-hub/plugin-cost-management-common
22

3+
## 2.2.1
4+
5+
### Patch Changes
6+
7+
- 558b7c3: fix: patch transitive dependency CVEs via yarn resolutions
8+
9+
Pins vulnerable transitive dependencies to patched versions to address open Dependabot alerts:
10+
11+
- 815580b: fix: additional CVE patches and dependency updates for 2.2.1
12+
13+
Covers the following changes merged after the initial CVE patch (558b7c3):
14+
15+
- chore(deps): update rhdh cost management dependencies (patch) (#3000) — bumps
16+
`@aws-sdk/core/fast-xml-parser` to 4.5.6, `request/form-data` to 2.5.5,
17+
`request/tough-cookie` to 4.1.4, `typeorm` to 0.3.29, and `file-type` to 21.3.4
18+
via yarn resolutions
19+
20+
- fix: resolve lodash CVEs via workspace resolution (#3135) — pins lodash to 4.18.1
21+
to address GHSA-r5fr-rjxr-66jc (Code Injection via _.template, CVSS 8.1) and
22+
GHSA-f23m-r3pf-42rh (Prototype Pollution via _.unset/\_.omit, CVSS 6.5)
23+
24+
- fix: update lodash direct deps to 4.18.1 to close Dependabot alerts (#3142) —
25+
updates pinned lodash versions in individual plugin package.json files so
26+
Dependabot can detect the fix for GHSA-r5fr-rjxr-66jc and GHSA-f23m-r3pf-42rh
27+
28+
- fix: CVE patches for casbin/minimatch and fast-xml-parser (#3143) — adds
29+
`casbin/minimatch` resolution to 7.4.8 and bumps `fast-xml-parser` to 5.7.3
30+
31+
- fix: upgrade @backstage-community/plugin-rbac-backend to ^7.12.4 (#3161) —
32+
upgrades rbac-backend and rbac-common to address a Backstage backend CVE
33+
34+
- chore(deps): update linkifyjs to v4.3.3 (#3155) — patch version bump
35+
336
## 2.2.0
437

538
### Minor Changes
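Review bot: the 815580b entry lists two different fast-xml-parser targets, `@aws-sdk/core/fast-xml-parser` to 4.5.6 (#3000) and `fast-xml-parser` to 5.7.3 (#3143), without saying whether the later resolution supersedes the nested one; a reader checking an SBOM or a scanner report needs to know which version actually ships, so state which resolution is in effect. Minor: `_.unset/\_.omit` escapes one underscore and not the other, which renders inconsistently in markdown; wrap both identifiers in backticks like the other package names in the entry.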

workspaces/cost-management/plugins/cost-management-common/package.json

Lines changed: 1 addition & 1 deletion
@@ -1,7 +1,7 @@
11
{
22
"name": "@red-hat-developer-hub/plugin-cost-management-common",
33
"description": "Common functionalities for the cost-management plugin",
4-
"version": "2.2.0",
4+
"version": "2.2.1",
55
"backstage": {
66
"pluginId": "cost-management",
77
"pluginPackages": [

workspaces/cost-management/plugins/cost-management/CHANGELOG.md

Lines changed: 37 additions & 0 deletions
@@ -1,5 +1,42 @@
11
# @red-hat-developer-hub/plugin-cost-management
22

3+
## 2.2.1
4+
5+
### Patch Changes
6+
7+
- 558b7c3: fix: patch transitive dependency CVEs via yarn resolutions
8+
9+
Pins vulnerable transitive dependencies to patched versions to address open Dependabot alerts:
10+
11+
- 815580b: fix: additional CVE patches and dependency updates for 2.2.1
12+
13+
Covers the following changes merged after the initial CVE patch (558b7c3):
14+
15+
- chore(deps): update rhdh cost management dependencies (patch) (#3000) — bumps
16+
`@aws-sdk/core/fast-xml-parser` to 4.5.6, `request/form-data` to 2.5.5,
17+
`request/tough-cookie` to 4.1.4, `typeorm` to 0.3.29, and `file-type` to 21.3.4
18+
via yarn resolutions
19+
20+
- fix: resolve lodash CVEs via workspace resolution (#3135) — pins lodash to 4.18.1
21+
to address GHSA-r5fr-rjxr-66jc (Code Injection via _.template, CVSS 8.1) and
22+
GHSA-f23m-r3pf-42rh (Prototype Pollution via _.unset/\_.omit, CVSS 6.5)
23+
24+
- fix: update lodash direct deps to 4.18.1 to close Dependabot alerts (#3142) —
25+
updates pinned lodash versions in individual plugin package.json files so
26+
Dependabot can detect the fix for GHSA-r5fr-rjxr-66jc and GHSA-f23m-r3pf-42rh
27+
28+
- fix: CVE patches for casbin/minimatch and fast-xml-parser (#3143) — adds
29+
`casbin/minimatch` resolution to 7.4.8 and bumps `fast-xml-parser` to 5.7.3
30+
31+
- fix: upgrade @backstage-community/plugin-rbac-backend to ^7.12.4 (#3161) —
32+
upgrades rbac-backend and rbac-common to address a Backstage backend CVE
33+
34+
- chore(deps): update linkifyjs to v4.3.3 (#3155) — patch version bump
35+
36+
- Updated dependencies [558b7c3]
37+
- Updated dependencies [815580b]
38+
- @red-hat-developer-hub/plugin-cost-management-common@2.2.1
39+
340
## 2.2.0
441

542
### Minor Changes
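Review bot: the #3161 entry says the rbac-backend/rbac-common upgrade addresses "a Backstage backend CVE" but gives no CVE or GHSA identifier, unlike the lodash entries in the same hunk that cite GHSA ids and CVSS scores; add the advisory id so downstream users can match the fix against their Dependabot or scanner findings. Also, the 558b7c3 entry ends with "to address open Dependabot alerts:" with nothing following the colon; supply the list of pinned packages or drop the colon.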

workspaces/cost-management/plugins/cost-management/package.json

Lines changed: 1 addition & 1 deletion
@@ -1,6 +1,6 @@
11
{
22
"name": "@red-hat-developer-hub/plugin-cost-management",
3-
"version": "2.2.0",
3+
"version": "2.2.1",
44
"backstage": {
55
"pluginId": "cost-management",
66
"pluginPackages": [
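Review bot: this hunk bumps only `version`, while the CHANGELOG hunk for this package lists @red-hat-developer-hub/plugin-cost-management-common@2.2.1 as an updated dependency; confirm the dependency range on that package resolves to 2.2.1 without a change here, or include the bump in this commit.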
