chore(deps): [release-1.9] bumps js-cookie@3.0.7 or higher#5038

Open
alizard0 wants to merge 1 commit into
redhat-developer:release-1.9from
alizard0:RHIDP-15066

Conversation

@alizard0 alizard0 (Member) commented Jun 30, 2026

Fixes CVE-2026-46625 by patching js-cookie to 3.0.7 or higher.
Apart from that, bump the pinned version of react-use from 17.6.0 to 17.6.1 on app and app-next.

More details at: https://redhat.atlassian.net/browse/RHIDP-15066

root is patched

root@1.9.6 /Users/alizardo/Documents/engineering/github/rhdh
├─┬ @backstage/frontend-test-utils@0.4.1
│ └─┬ @backstage/plugin-app@0.3.2
│   └─┬ @react-hookz/web@24.0.4
│     └── js-cookie@3.0.8 deduped
└─┬ app-next@0.0.23 -> ./packages/app-next
  └─┬ react-use@17.6.1
    └── js-cookie@3.0.8

The dynamic plugin isn't.

Blocking question - Not sure why @backstage-community/plugin-acr@1.20.2 does not bump the react-use, it does not have a pinned version.

@segment/analytics-next@1.81.1 has already opened a PR upstream to patch js-cookie - segmentio/analytics-next#1368

@react-hookz/web@24.0.4 uses js-cookie as a dev dependency

dynamic-plugins-root@1.9.6 /Users/alizardo/Documents/engineering/github/rhdh/dynamic-plugins
├─┬ backstage-community-plugin-acr@1.20.2 -> ./wrappers/backstage-community-plugin-acr
│ └─┬ @backstage-community/plugin-acr@1.20.2
│   └─┬ react-use@17.6.0
│     └── js-cookie@2.2.1 invalid: "^3.0.5" from node_modules/@react-hookz/web
├─┬ backstage-community-plugin-analytics-provider-segment@1.22.2 -> ./wrappers/backstage-community-plugin-analytics-provider-segment
│ └─┬ @backstage-community/plugin-analytics-provider-segment@1.22.2
│   └─┬ @segment/analytics-next@1.81.1
│     └── js-cookie@3.0.1
└─┬ backstage-plugin-techdocs-module-addons-contrib@1.1.30 -> ./wrappers/backstage-plugin-techdocs-module-addons-contrib
  └─┬ @backstage/plugin-techdocs-module-addons-contrib@1.1.30
    └─┬ @react-hookz/web@24.0.4
      └── js-cookie@2.2.1 deduped invalid: "^3.0.5" from node_modules/@react-hookz/web
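The `npm ls` output above shows why pinning react-use in one workspace is not enough: the dynamic-plugins tree still resolves js-cookie through other chains. The following is an added example (not part of this PR or the rhdh repository) that walks an `npm ls --all --json`-shaped tree and lists every js-cookie copy below the fixed version together with the chain that pulls it in; the sample tree is constructed from the chains quoted in this PR, not captured from the repository.

```javascript
// Added example: find transitive copies of a package older than a fixed version
// in an `npm ls --all --json`-shaped tree and report the path that pulls them in.
const FIXED_VERSION = '3.0.7';   // first js-cookie release the PR considers patched

// Minimal numeric semver compare (major.minor.patch); pre-release tags are
// not needed for the versions that appear in this PR.
function cmpSemver(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Depth-first walk; returns one "root > dep > ... > pkg@version" string per
// vulnerable copy so a reviewer can see which wrapper still needs a bump.
function findVulnerable(tree, pkg = 'js-cookie', fixed = FIXED_VERSION) {
  const hits = [];
  const walk = (node, path) => {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const chain = [...path, `${name}@${child.version}`];
      if (name === pkg && cmpSemver(child.version, fixed) < 0) {
        hits.push(chain.join(' > '));
      }
      walk(child, chain);
    }
  };
  walk(tree, [`${tree.name}@${tree.version}`]);
  return hits;
}

// Constructed sample tree mirroring the three chains quoted in the PR.
const SAMPLE_TREE = {
  name: 'dynamic-plugins-root', version: '1.9.6', dependencies: {
    '@backstage-community/plugin-acr': { version: '1.20.2', dependencies: {
      'react-use': { version: '17.6.0', dependencies: { 'js-cookie': { version: '2.2.1' } } } } },
    '@segment/analytics-next': { version: '1.81.1', dependencies: {
      'js-cookie': { version: '3.0.1' } } },
    '@react-hookz/web': { version: '24.0.4', dependencies: {
      'js-cookie': { version: '3.0.8' } } },
  },
};

// Real use: feed the output of `npm ls --all --json` in place of SAMPLE_TREE.
console.log(findVulnerable(SAMPLE_TREE));
```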

@openshift-ci openshift-ci Bot requested review from PatAKnight and durandom June 30, 2026 14:12
@github-actions github-actions (Contributor) commented

Image was built and published successfully. It is available at:

@alizard0 alizard0 changed the title chore(deps): bumps js-cookie@3.0.7 or higher chore(deps): [release-1.9] bumps js-cookie@3.0.7 or higher Jul 1, 2026