chore(deps): update yarn to v4.14.1

[backstage-goalie]

Summary of changes in this PR

This PR updates yarn from 4.12.0 → 4.14.1. Starting in yarn 4.13.0, two new security-focused defaults were introduced that affect several workspaces:

🔒 enableScripts: false (new default)

Yarn now disables lifecycle scripts (postinstall, install, etc.) by default during yarn install. This is a security hardening measure to prevent malicious packages from executing arbitrary code at install time.

Impact: Workspaces that depend on native Node.js modules (which require compilation via node-gyp at install time) will fail to build their binary bindings.

Fix applied: For workspaces that need native modules, dependenciesMeta entries were added to the workspace root package.json to explicitly opt those specific packages back in:

Workspace	Native module	Reason
announcements, badges, bazaar, code-coverage, copilot, entity-feedback, keycloak, linguist, mcp-chat, ocm, playlist, rbac, tech-insights multi-source-security-viewer	better-sqlite3	SQLite bindings require compilation
kiali	canvas	Canvas rendering requires native bindings
multi-source-security-viewer	isolated-vm	V8 isolate bindings require compilation

"dependenciesMeta": {
  "better-sqlite3": {
    "built": true
  }
}

Note: The dependenciesMeta entries added in this PR cover only the packages that were causing CI failures. It is possible that other packages in some workspaces also require build scripts to work correctly in local development — however, we are intentionally keeping this list minimal. The safer default is to only allow what is strictly necessary, and let individual workspace owners opt-in additional packages if needed.

To discover which packages in a workspace are being blocked, you can run yarn install and look for YN0004 warning messages in the output — each one indicates a package that requested a build script but was blocked by enableScripts: false. Example:

➤ YN0004: │ better-sqlite3@npm:5.9.0 tried to access a script (install), but this is not allowed

🔒 approvedGitRepositories (new default)

Git-sourced dependencies (e.g. "pkg": "github:org/repo") are now blocked by default. Workspaces using git dependencies need to explicitly approve them.

📦 yarn.lock metadata version bump

Yarn 4.14.x updated the lockfile format to metadata version 9. All workspace yarn.lock files were regenerated to reflect this.

🧹 Additional fixes required to pass CI

• workspaces/jenkins/packages/app-next/knip-report.md: Updated the committed knip report to acknowledge known unused dependencies (@backstage/core-components, @material-ui/icons) in the app-next package. The Sidebar.tsx component is defined but not yet wired into the app; knip correctly flags those deps as unreachable. The committed report acts as an acceptance list — CI passes when the generated report matches the committed one.

• Other lint/type fixes: A small number of workspaces had pre-existing lint issues (@backstage/no-undeclared-imports, missing license headers, etc.) that were surfaced by the updated tooling and fixed alongside the yarn bump.

---

❓ Open question for reviewers

Some workspaces required lint fixes (undeclared imports, missing license headers, etc.) to unblock CI. Should we generate changesets for those packages, or would we prefer to leave that to the individual plugin owners to handle? Happy to add changesets if that's the preferred approach, just wanted to check before doing so.

original renovate description:

This PR contains the following updates:

Package	Change	Age	Confidence
yarn (source)	4.12.0 → 4.14.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

yarnpkg/berry (yarn)

v4.14.1

Compare Source

v4.14.0

Compare Source

v4.13.0

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[Parsifal-M]

@Sarabadu thanks for looking into this!

[Copilot]

Pull request overview

Updates the repository’s pinned Yarn (Berry) version to 4.14.1 and regenerates lockfiles to match the new Yarn lockfile format/version.

Changes:

• Bump Yarn pin in package.json (packageManager) to yarn@4.14.1.
• Update .yarnrc.yml to point yarnPath at yarn-4.14.1.cjs.
• Regenerate root and workspace yarn.lock files (including lockfile metadata version bump).

Reviewed changes

Copilot reviewed 2 out of 112 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
.yarnrc.yml	Points yarnPath to the vendored Yarn 4.14.1 CLI.
package.json	Pins package manager to yarn@4.14.1.
yarn.lock	Regenerated with Yarn 4.14.1 (lockfile metadata version bump and resolution churn).
workspaces/3scale/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/acr/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/acs/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/adr/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/agent-forge/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/airbrake/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/allure/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/amplication/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/analytics/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/announcements/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/apache-airflow/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/apiiro/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/apollo-explorer/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/argocd/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/azure-devops/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/azure-resources/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/azure-sites/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/azure-storage-explorer/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/badges/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/bazaar/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/bitbucket-pull-requests/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/bitrise/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/blackduck/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/bookmarks/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/catalog/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/cicd-statistics/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/cloudbuild/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/code-climate/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/code-coverage/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/codescene/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/confluence/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/copilot/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/cost-insights/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/dynatrace/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/entity-feedback/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/entity-validation/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/explore/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/fairwinds-insights/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/feedback/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/firehydrant/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/flux/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/fossa/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/gcalendar/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/gcp-projects/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/git-release-manager/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/github/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/gitops-profiles/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/gocd/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/grafana/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/graphiql/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/graphql-voyager/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/growthbook-flags/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/ilert/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/jaeger/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/jenkins/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/jfrog-artifactory/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/kafka/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/keycloak/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/kiali/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/lighthouse/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/linkerd/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/linguist/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/manage/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/mcp-chat/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/mend/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/microsoft-calendar/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/mta/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/multi-source-security-viewer/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/n8n/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/newrelic/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/nexus-repository-manager/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/nomad/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/noop/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/npm/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/ocm/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/octopus-deploy/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/opencost/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/periskop/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/pingidentity/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/playlist/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/puppetdb/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/quay/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/rbac/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/repo-tools/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/report-portal/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/rollbar/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/scaffolder-backend-module-annotator/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/scaffolder-backend-module-kubernetes/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/scaffolder-backend-module-regex/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/scaffolder-backend-module-servicenow/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/scaffolder-backend-module-sonarqube/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/scaffolder-relation-processor/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/sentry/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/servicenow/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/shortcuts/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/sonarqube/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/splunk/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/stack-overflow/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/stackstorm/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/tech-insights/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/tech-radar/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/tekton/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/todo/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/topology/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/vault/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/wheel-of-names/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.
workspaces/xcmetrics/yarn.lock	Lockfile metadata updated to match Yarn 4.14.1 format.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[backstage-goalie]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[Sarabadu]

Sry for the big ping here, we are updating yarn version here.
This minor version includes some important breaking changes

To prevent the malicious script execution Yan will now have this 2 configurations changes

• enableScripts: now by default would be false prevention postInstall scripts on dependencies this can be change manually on dependenciesMeta config metadata to allow specific packages

• [approvedGitRepositories:](https://yarnpkg.com/configuration/yarnrc#approvedGitRepositories) by default git: dependencies are not allowed and need to be allowed manually

Note: the yarn install default behavior set the yarnrc.yaml files to keep this behavior as non breaking change but i think it makes sense to try to keep the default values as seems safer defaults.

I will if any of the falling workspaces need this values to be enabled

[backstage-goalie]

Missing Changesets

The following package(s) are changed by this PR but do not have a changeset:

• @backstage-community/plugin-azure-resources-node
• @backstage-community/plugin-multi-source-security-viewer
• @backstage-community/plugin-tech-insights-common

See CONTRIBUTING.md for more information about how to add changesets.

Changed Packages

Package Name	Package Path	Changeset Bump	Current Version
@backstage-community/plugin-azure-resources-node	workspaces/azure-resources/plugins/azure-resources-node	none	v0.10.0
app-next	workspaces/jenkins/packages/app-next	none	v0.0.2
backend	workspaces/multi-source-security-viewer/packages/backend	none	v0.0.0
@backstage-community/plugin-multi-source-security-viewer	workspaces/multi-source-security-viewer/plugins/multi-source-security-viewer	none	v0.15.2
@backstage-community/plugin-nexus-repository-manager	workspaces/nexus-repository-manager/plugins/nexus-repository-manager	patch	v1.23.0
app	workspaces/tech-insights/packages/app	none	v0.0.11
@backstage-community/plugin-tech-insights-common	workspaces/tech-insights/plugins/tech-insights-common	none	v0.8.2

[Copilot]

Pull request overview

Copilot reviewed 13 out of 123 changed files in this pull request and generated no new comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 25 out of 135 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 29 out of 139 changed files in this pull request and generated 1 comment.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 29 out of 139 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 30 out of 140 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (1)

workspaces/nexus-repository-manager/plugins/nexus-repository-manager/dev/alpha/index.ts:1

• Using // eslint-disable-next-line without specifying a rule disables all lint rules for the following line, which can hide unrelated issues. Prefer disabling the specific rule being triggered (matching the approach used elsewhere in this PR) or add a brief justification plus a scoped rule name.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

With Yarn 4.13+ changing security-related defaults (notably lifecycle scripts), installs can behave differently depending on the Yarn version in use. Consider explicitly setting the intended script policy (e.g., enableScripts: false) in .yarnrc.yml so the behavior is stable and self-documenting, rather than relying on a version-dependent default.

[Sarabadu]

enableScripts: false is the default now