chore(deps): patch cli-common, backend-plugin-api, techdocs-node#4411

Closed
alizard0 wants to merge 4 commits into redhat-developer:release-1.8 from alizard0:RHIDP-11731

Conversation

@alizard0
Member

@alizard0 alizard0 commented Mar 16, 2026

Description

@backstage/plugin-techdocs-node vulnerable to arbitrary code execution via MkDocs hooks.
Upstream fixed it at backstage/backstage@66e08b0#diff-a00c2d14ca2579883df4436744e43f3ef63a192c850c36603bdaac92364354fcR3

There are three patches:

  1. @backstage/plugin-techdocs-node - the one that had the vulnerability
  2. @backstage/cli-common - techdocs-node uses a method from this package, isChildPath, that required an update too.
  3. @backstage/backend-plugin-api - another package that uses isChildPath; as that was patched to fix the CVE, this package needed an update too.

All patches were applied as resolutions in package.json and dynamic-plugins/package.json, with the exception of @backstage-plugin-techdocs, which was applied only to dynamic-plugins/package.json because it is not used by package.json.

Which issue(s) does this PR fix

PR acceptance criteria

Please make sure that the following steps are complete:

  • GitHub Actions are completed and successful
  • Unit Tests are updated and passing
  • E2E Tests are updated and passing
  • Documentation is updated if necessary (requirement for new features)
  • Add a screenshot if the change is UX/UI related

How to test changes / Special notes to the reviewer

@github-actions
Contributor

Image was built and published successfully. It is available at:

@github-actions
Contributor

Image was built and published successfully. It is available at:

Member

@JessicaJHee JessicaJHee left a comment

Looks good! Just confirming that my understanding is correct - these 2 versions are left alone because they're safe?

├─ @backstage/backend-plugin-api@npm:1.7.0
│  └─ @backstage/cli-common@npm:0.1.18 (via npm:^0.1.18)
├─ @backstage/plugin-permission-node@npm:0.10.10
│  └─ @backstage/backend-plugin-api@npm:1.7.0 (via npm:^1.7.0)

@github-actions
Contributor

Image was built and published successfully. It is available at:

Member

@kim-tsao kim-tsao left a comment

We should probably get this PR in before this one so we can rebase

package.json Outdated
"@backstage/plugin-scaffolder-node@^0.8.2": "patch:@backstage/plugin-scaffolder-node@npm%3A0.11.0#./.yarn/patches/@backstage-plugin-scaffolder-node-npm-0.11.0-2e81f51535.patch",
"@backstage/cli-common@^0.1.15": "patch:@backstage/cli-common@npm%3A0.1.15#./.yarn/patches/@backstage-cli-common-npm-0.1.15-7e1948f753.patch",
"@backstage/backend-plugin-api@^1.4.2": "patch:@backstage/backend-plugin-api@npm%3A1.4.2#./.yarn/patches/@backstage-backend-plugin-api-npm-1.4.2-00e99e5ef3.patch",
"@backstage/backend-plugin-api@^1.4.3": "patch:@backstage/backend-plugin-api@npm%3A1.4.2#./.yarn/patches/@backstage-backend-plugin-api-npm-1.4.2-00e99e5ef3.patch"
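Review bot: the last entry maps `@backstage/backend-plugin-api@^1.4.3` to `patch:@backstage/backend-plugin-api@npm%3A1.4.2#./.yarn/patches/@backstage-backend-plugin-api-npm-1.4.2-00e99e5ef3.patch`, so every consumer declaring ^1.4.3 is resolved down to the 1.4.2 package with the 1.4.2 patch instead of to a patched 1.4.3. Either point that key at a 1.4.3 locator with a patch generated against 1.4.3, or keep one patched version and resolve both the ^1.4.2 and ^1.4.3 ranges to it. The first entry also resolves `@backstage/plugin-scaffolder-node@^0.8.2` to 0.11.0, a jump across minor versions that deserves a sentence in the PR description.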
Member

You removed the 1.4.3 patch. I believe most deps were on 1.4.3, so we discussed keeping the 1.4.3 patch and resolving the 1.4.2 versions to 1.4.3.

Member Author

I re-imported the patch and added

"@backstage/backend-plugin-api": "patch:@backstage/backend-plugin-api@npm%3A1.4.3#./.yarn/patches/@backstage-backend-plugin-api-npm-1.4.3-b7f08217ef.patch"

In yarn only 1.4.3 and its patch exist.

@github-actions
Contributor

The container image build workflow finished with status: failure.

@openshift-ci

openshift-ci bot commented Mar 20, 2026

@alizard0: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name: ci/prow/e2e-ocp-helm
Commit: 72f17b6
Details: link
Required: true
Rerun command: /test e2e-ocp-helm

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@alizard0
Member Author

The current PR needs changes from #4424, otherwise RHDH won't start.

Issues with zod dependencies that might be fixed with the resolutions from that PR.

@openshift-ci

openshift-ci bot commented Mar 23, 2026

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
