From 67cfe6271709693ef768f65942f3981ab1a154de Mon Sep 17 00:00:00 2001 From: Jessica He Date: Wed, 24 Jun 2026 11:17:17 -0400 Subject: [PATCH 1/2] chore(orchestrator): patch yarn.lock to resolve 1.10.2 CVEs Signed-off-by: Jessica He --- .../patches/0-cve-yarn-lock.patch | 70 +++++++++++++++++++ .../orchestrator/patches/cve-backports.yaml | 43 ++++++++++++ 2 files changed, 113 insertions(+) create mode 100644 workspaces/orchestrator/patches/0-cve-yarn-lock.patch create mode 100644 workspaces/orchestrator/patches/cve-backports.yaml diff --git a/workspaces/orchestrator/patches/0-cve-yarn-lock.patch b/workspaces/orchestrator/patches/0-cve-yarn-lock.patch new file mode 100644 index 000000000..c88945d20 --- /dev/null +++ b/workspaces/orchestrator/patches/0-cve-yarn-lock.patch @@ -0,0 +1,70 @@ +--- yarn.lock ++++ yarn.lock +@@ -24775,29 +24775,29 @@ + linkType: hard + + "form-data@npm:^2.5.0": +- version: 2.5.5 +- resolution: "form-data@npm:2.5.5" ++ version: 2.5.6 ++ resolution: "form-data@npm:2.5.6" + dependencies: + asynckit: "npm:^0.4.0" + combined-stream: "npm:^1.0.8" + es-set-tostringtag: "npm:^2.1.0" +- hasown: "npm:^2.0.2" ++ hasown: "npm:^2.0.4" + mime-types: "npm:^2.1.35" + safe-buffer: "npm:^5.2.1" +- checksum: 10c0/7fb70447849fc9bce4d01fe9a626f6587441f85779a2803b67f803e1ab52b0bd78db0a7acd80d944c665f68ca90936c327f1244b730719b638a0219e98b20488 ++ checksum: 10c0/de6b085a2b0d013299ccc888b677dbdb3d2a54ef8d74982bda9ad7d928f57440abae1bc736a5b85ea01077cfb6c72e9a7752dc786304271c03bd0013ef8f08cb + languageName: node + linkType: hard + + "form-data@npm:^4.0.1, form-data@npm:^4.0.5": +- version: 4.0.5 +- resolution: "form-data@npm:4.0.5" ++ version: 4.0.6 ++ resolution: "form-data@npm:4.0.6" + dependencies: + asynckit: "npm:^0.4.0" + combined-stream: "npm:^1.0.8" + es-set-tostringtag: "npm:^2.1.0" +- hasown: "npm:^2.0.2" +- mime-types: "npm:^2.1.12" +- checksum: 10c0/dd6b767ee0bbd6d84039db12a0fa5a2028160ffbfaba1800695713b46ae974a5f6e08b3356c3195137f8530dcd9dfcb5d5ae1eeff53d0db1e5aad863b619ce3b ++ hasown: "npm:^2.0.4" ++ mime-types: "npm:^2.1.35" ++ checksum: 10c0/43947a77bf0ff45c6ceed789778982d47a3f3e720a74b71721174ebf3310a5f1a8be1d6b38a3ee3688e8a18a2c4273073ec0844cd37efda3eaf46d41c9c318ff + languageName: node + linkType: hard + +@@ -25855,6 +25855,15 @@ + dependencies: + function-bind: "npm:^1.1.2" + checksum: 10c0/3769d434703b8ac66b209a4cca0737519925bbdb61dd887f93a16372b14694c63ff4e797686d87c90f08168e81082248b9b028bad60d4da9e0d1148766f56eb9 ++ languageName: node ++ linkType: hard ++ ++"hasown@npm:^2.0.4": ++ version: 2.0.4 ++ resolution: "hasown@npm:2.0.4" ++ dependencies: ++ function-bind: "npm:^1.1.2" ++ checksum: 10c0/2d8de939e270b70618f8cebb69746620db10617dbb495bc66ddad326955ea24d3ca4af133aff3eb7c1853e0218f867bc2b050ec26fe02e3aea58f880ffc5e506 + languageName: node + linkType: hard + +@@ -38727,9 +38736,9 @@ + linkType: hard + + "undici@npm:^7.1.1, undici@npm:^7.16.0, undici@npm:^7.2.3, undici@npm:^7.24.0": +- version: 7.25.0 +- resolution: "undici@npm:7.25.0" +- checksum: 10c0/02a0b45dc14eb91bc488948750232450fe52f27a6b08086d6ac6736bb47908d600fe3a96d346f12eab24729c782e5c2f693bc8e8eca6696d4e4c09b1ed4cb4ec ++ version: 7.28.0 ++ resolution: "undici@npm:7.28.0" ++ checksum: 10c0/fe781983a26098795e99bb1f64906cbb7d0bcaa029a26baade007b53ea67f2631d189b8f9671a31f4c8d0cb3773b7559608628ba54452fef51fec90e7c78bb0d + languageName: node + linkType: hard + diff --git a/workspaces/orchestrator/patches/cve-backports.yaml b/workspaces/orchestrator/patches/cve-backports.yaml new file mode 100644 index 000000000..6cd141d74 --- /dev/null +++ b/workspaces/orchestrator/patches/cve-backports.yaml @@ -0,0 +1,43 @@ +# CVE backports applied via workspace patches (not repo-ref bumps). +# Auto-generated by scripts/yarnlock-backport. +# Optional: add notes on any backport row (preserved when you re-run generate). + +patch_file: 0-cve-yarn-lock.patch +backports: + - cve_ids: + - CVE-2026-12143 + package: form-data + patch_version: 2.3.3, 2.5.6, 4.0.6 + notes: |- + [auto] form-data@2.3.3 is still in CVE affected range; verify dev-only + └─┬ @internal/orchestrator@1.0.0 + └─┬ app-legacy@0.0.3 + └─┬ @backstage-community/plugin-rbac@1.33.2 + └─┬ @janus-idp/shared-react@2.14.0 + └─┬ @kubernetes/client-node@0.22.3 + └─┬ request@2.88.2 + └── form-data@2.3.3 + - cve_ids: + - CVE-2026-42338 + package: ip-address + patch_version: 10.2.0 + - cve_ids: + - CVE-2026-12151 + - CVE-2026-6734 + - CVE-2026-9697 + package: undici + patch_version: 7.28.0 + - cve_ids: + - CVE-2026-45736 + - CVE-2026-48779 + package: ws + patch_version: 8.18.0, 8.21.0 + notes: |- + [auto] ws@8.18.0 is still in CVE affected range; verify dev-only + └─┬ @internal/orchestrator@1.0.0 + └─┬ @backstage/cli@0.36.0 + └─┬ @backstage/cli-module-build@0.1.0 + └─┬ @module-federation/enhanced@0.21.6 + └─┬ @module-federation/dts-plugin@0.21.6 + └─┬ isomorphic-ws@5.0.0 + └── ws@8.18.0 From 8ed53a94816cb8471b67a6d9d00a1c81267a402a Mon Sep 17 00:00:00 2001 From: sanketpathak Date: Thu, 2 Jul 2026 18:08:33 +0530 Subject: [PATCH 2/2] disable rerun failswitch orchestrator test --- .../e2e-tests/tests/specs/orchestrator-workflow-core.tests.ts | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/workspaces/orchestrator/e2e-tests/tests/specs/orchestrator-workflow-core.tests.ts b/workspaces/orchestrator/e2e-tests/tests/specs/orchestrator-workflow-core.tests.ts index 1d19db390..96d96bef2 100644 --- a/workspaces/orchestrator/e2e-tests/tests/specs/orchestrator-workflow-core.tests.ts +++ b/workspaces/orchestrator/e2e-tests/tests/specs/orchestrator-workflow-core.tests.ts @@ -106,8 +106,9 @@ export function registerOrchestratorCoreWorkflowTests( await orchestrator.validateCurrentWorkflowStatus("Completed"); }); + // FIXME: This test is flaky, needs to be fixed. tracked here https://redhat.atlassian.net/browse/RHDHBUGS-3431 // eslint-disable-next-line playwright/expect-expect - test("Rerun Failswitch from failure point", async ({}, testInfo) => { + test.fixme("Rerun Failswitch from failure point", async ({}, testInfo) => { // 4 minutes: pod restarts + 60s sleep + failure/recovery time test.setTimeout(240_000); const ns = testInfo.project.name;