chore(deps): bump axios to patched version in ga-plugins#3547

Draft
alizard0 wants to merge 1 commit into main from triager-plugins/44487

Conversation

@alizard0 (Member)

It bumps axios using triager-plugins with surgeon.

cve: CVE-2026-44487
patch: 1.16.0, 0.32.0
affected: >= 1.0.0, < 1.16.0, < 0.32.0

Execution logs:

$ triager-plugins --cve CVE-2026-44487 --surgeon
ga-plugins: @red-hat-developer-hub/backstage-plugin-adoption-insights, @red-hat-developer-hub/backstage-plugin-global-header, @red-hat-developer-hub/backstage-plugin-lightspeed, @red-hat-developer-hub/backstage-plugin-lightspeed-backend, @red-hat-developer-hub/backstage-plugin-orchestrator, @red-hat-developer-hub/backstage-plugin-orchestrator-backend, @red-hat-developer-hub/backstage-plugin-orchestrator-form-widgets, @red-hat-developer-hub/backstage-plugin-quickstart, @red-hat-developer-hub/backstage-plugin-scaffolder-backend-module-orchestrator
note: 22 GA plugin(s) are not in this repo (sourced from other monorepos)
Triaging @red-hat-developer-hub/backstage-plugin-adoption-insights in workspace adoption-insights
Running yarn install in /Users/alizardo/Documents/engineering/github/rhdh-plugins/workspaces/adoption-insights ...
CVE-2026-44487 axios
  patch: 1.16.0, 0.32.0
  affected: >= 1.0.0, < 1.16.0, < 0.32.0
@internal/adoption-insights@0.0.1 /Users/alizardo/Documents/engineering/github/rhdh-plugins/workspaces/adoption-insights
├─┬ @backstage/cli-defaults@0.1.0
│ └─┬ @backstage/cli-module-build@0.1.0
│   └─┬ @module-federation/enhanced@0.21.6
│     └─┬ @module-federation/dts-plugin@0.21.6
│       └── axios@1.15.0
├─┬ @backstage/repo-tools@0.17.0
│ └─┬ @openapitools/openapi-generator-cli@2.16.3
│   ├─┬ @nestjs/axios@3.1.3
│   │ └── axios@1.7.9 deduped
│   └── axios@1.7.9
├─┬ app-legacy@0.0.0 -> ./packages/app-legacy
│ └─┬ @backstage/plugin-api-docs@0.13.5
│   └─┬ swagger-ui-react@5.30.2
│     └─┬ swagger-client@3.36.0
│       └─┬ @swagger-api/apidom-reference@1.0.0-rc.3
│         └── axios@1.15.0 deduped
└─┬ backend@0.0.0 -> ./packages/backend
  └─┬ @backstage/plugin-search-backend-module-techdocs@0.4.12
    └─┬ @backstage/plugin-techdocs-node@1.14.4
      └─┬ @trendyol-js/openstack-swift-sdk@0.0.7
        └── axios@1.15.0 deduped
Upgrading dependency with yarn-lockfile-surgeon → axios@1.16.0 ...
@internal/adoption-insights@0.0.1 /Users/alizardo/Documents/engineering/github/rhdh-plugins/workspaces/adoption-insights
├─┬ @backstage/cli-defaults@0.1.0
│ └─┬ @backstage/cli-module-build@0.1.0
│   └─┬ @module-federation/enhanced@0.21.6
│     └─┬ @module-federation/dts-plugin@0.21.6
│       └── axios@1.16.0
├─┬ @backstage/repo-tools@0.17.0
│ └─┬ @openapitools/openapi-generator-cli@2.16.3
│   ├─┬ @nestjs/axios@3.1.3
│   │ └── axios@1.7.9 deduped
│   └── axios@1.7.9
├─┬ app-legacy@0.0.0 -> ./packages/app-legacy
│ └─┬ @backstage/plugin-api-docs@0.13.5
│   └─┬ swagger-ui-react@5.30.2
│     └─┬ swagger-client@3.36.0
│       └─┬ @swagger-api/apidom-reference@1.0.0-rc.3
│         └── axios@1.16.0 deduped
└─┬ backend@0.0.0 -> ./packages/backend
  └─┬ @backstage/plugin-search-backend-module-techdocs@0.4.12
    └─┬ @backstage/plugin-techdocs-node@1.14.4
      └─┬ @trendyol-js/openstack-swift-sdk@0.0.7
        └── axios@1.16.0 deduped

Triaging @red-hat-developer-hub/backstage-plugin-global-header in workspace global-header
Running yarn install in /Users/alizardo/Documents/engineering/github/rhdh-plugins/workspaces/global-header ...
CVE-2026-44487 axios
  patch: 1.16.0, 0.32.0
  affected: >= 1.0.0, < 1.16.0, < 0.32.0
@internal/global-header@1.0.0 /Users/alizardo/Documents/engineering/github/rhdh-plugins/workspaces/global-header
├─┬ @backstage/cli-defaults@0.1.0
│ └─┬ @backstage/cli-module-build@0.1.0
│   └─┬ @module-federation/enhanced@0.21.6
│     └─┬ @module-federation/dts-plugin@0.21.6
│       └── axios@1.13.6
├─┬ @backstage/repo-tools@0.17.0
│ └─┬ @openapitools/openapi-generator-cli@2.15.3
│   ├─┬ @nestjs/axios@3.1.1
│   │ └── axios@1.7.7 deduped
│   └── axios@1.7.7
├─┬ @red-hat-developer-hub/backstage-plugin-global-header@1.21.6 -> ./plugins/global-header
│ └─┬ @backstage/plugin-search-backend-module-techdocs@0.4.12
│   └─┬ @backstage/plugin-techdocs-node@1.14.4
│     └─┬ @trendyol-js/openstack-swift-sdk@0.0.7
│       └── axios@1.13.6 deduped
└─┬ app-legacy@0.0.0 -> ./packages/app-legacy
  └─┬ @backstage/plugin-api-docs@0.13.5
    └─┬ swagger-ui-react@5.30.2
      └─┬ swagger-client@3.36.0
        └─┬ @swagger-api/apidom-reference@1.0.0-rc.3
          └── axios@1.13.6 deduped
Upgrading dependency with yarn-lockfile-surgeon → axios@1.16.0 ...
@internal/global-header@1.0.0 /Users/alizardo/Documents/engineering/github/rhdh-plugins/workspaces/global-header
├─┬ @backstage/cli-defaults@0.1.0
│ └─┬ @backstage/cli-module-build@0.1.0
│   └─┬ @module-federation/enhanced@0.21.6
│     └─┬ @module-federation/dts-plugin@0.21.6
│       └── axios@1.16.0
├─┬ @backstage/repo-tools@0.17.0
│ └─┬ @openapitools/openapi-generator-cli@2.15.3
│   ├─┬ @nestjs/axios@3.1.1
│   │ └── axios@1.7.7 deduped
│   └── axios@1.7.7
├─┬ @red-hat-developer-hub/backstage-plugin-global-header@1.21.6 -> ./plugins/global-header
│ └─┬ @backstage/plugin-search-backend-module-techdocs@0.4.12
│   └─┬ @backstage/plugin-techdocs-node@1.14.4
│     └─┬ @trendyol-js/openstack-swift-sdk@0.0.7
│       └── axios@1.16.0 deduped
└─┬ app-legacy@0.0.0 -> ./packages/app-legacy
  └─┬ @backstage/plugin-api-docs@0.13.5
    └─┬ swagger-ui-react@5.30.2
      └─┬ swagger-client@3.36.0
        └─┬ @swagger-api/apidom-reference@1.0.0-rc.3
          └── axios@1.16.0 deduped

Triaging @red-hat-developer-hub/backstage-plugin-lightspeed in workspace lightspeed
Running yarn install in /Users/alizardo/Documents/engineering/github/rhdh-plugins/workspaces/lightspeed ...
CVE-2026-44487 axios
  patch: 1.16.0, 0.32.0
  affected: >= 1.0.0, < 1.16.0, < 0.32.0
@internal/lightspeed@1.0.0 /Users/alizardo/Documents/engineering/github/rhdh-plugins/workspaces/lightspeed
├─┬ @backstage/cli-defaults@0.1.0
│ └─┬ @backstage/cli-module-build@0.1.2
│   └─┬ @module-federation/enhanced@0.21.6
│     └─┬ @module-federation/dts-plugin@0.21.6
│       └── axios@1.13.6
├─┬ @backstage/repo-tools@0.17.0
│ └─┬ @openapitools/openapi-generator-cli@2.15.3
│   ├─┬ @nestjs/axios@3.1.1
│   │ └── axios@1.7.7 deduped
│   └── axios@1.7.7
├─┬ app-legacy@0.0.28 -> ./packages/app-legacy
│ └─┬ @backstage/plugin-api-docs@0.13.5
│   └─┬ swagger-ui-react@5.30.3
│     └─┬ swagger-client@3.36.0
│       └─┬ @swagger-api/apidom-reference@1.0.0
│         └── axios@1.13.6 deduped
└─┬ backend@0.0.59 -> ./packages/backend
  └─┬ @backstage/plugin-search-backend-module-techdocs@0.4.12
    └─┬ @backstage/plugin-techdocs-node@1.14.4
      └─┬ @trendyol-js/openstack-swift-sdk@0.0.7
        └── axios@1.13.6 deduped
Upgrading dependency with yarn-lockfile-surgeon → axios@1.16.0 ...
@internal/lightspeed@1.0.0 /Users/alizardo/Documents/engineering/github/rhdh-plugins/workspaces/lightspeed
├─┬ @backstage/cli-defaults@0.1.0
│ └─┬ @backstage/cli-module-build@0.1.2
│   └─┬ @module-federation/enhanced@0.21.6
│     └─┬ @module-federation/dts-plugin@0.21.6
│       └── axios@1.16.0
├─┬ @backstage/repo-tools@0.17.0
│ └─┬ @openapitools/openapi-generator-cli@2.15.3
│   ├─┬ @nestjs/axios@3.1.1
│   │ └── axios@1.7.7 deduped
│   └── axios@1.7.7
├─┬ app-legacy@0.0.28 -> ./packages/app-legacy
│ └─┬ @backstage/plugin-api-docs@0.13.5
│   └─┬ swagger-ui-react@5.30.3
│     └─┬ swagger-client@3.36.0
│       └─┬ @swagger-api/apidom-reference@1.0.0
│         └── axios@1.16.0 deduped
└─┬ backend@0.0.59 -> ./packages/backend
  └─┬ @backstage/plugin-search-backend-module-techdocs@0.4.12
    └─┬ @backstage/plugin-techdocs-node@1.14.4
      └─┬ @trendyol-js/openstack-swift-sdk@0.0.7
        └── axios@1.16.0 deduped

Triaging @red-hat-developer-hub/backstage-plugin-orchestrator in workspace orchestrator
Running yarn install in /Users/alizardo/Documents/engineering/github/rhdh-plugins/workspaces/orchestrator ...
CVE-2026-44487 axios
  patch: 1.16.0, 0.32.0
  affected: >= 1.0.0, < 1.16.0, < 0.32.0
@internal/orchestrator@1.0.0 /Users/alizardo/Documents/engineering/github/rhdh-plugins/workspaces/orchestrator
├─┬ @backstage/repo-tools@0.17.2
│ └─┬ @openapitools/openapi-generator-cli@2.30.2
│   ├─┬ @nestjs/axios@4.0.1
│   │ └── axios@1.15.0 deduped
│   └── axios@1.15.0 deduped
├─┬ @red-hat-developer-hub/backstage-plugin-orchestrator-common@3.7.1 invalid: "workspace:^" from plugins/orchestrator-backend-module-loki, "workspace:^" from plugins/orchestrator-backend -> ./plugins/orchestrator-common
│ └── axios@1.15.0
├─┬ @red-hat-developer-hub/backstage-plugin-orchestrator@5.8.1 -> ./plugins/orchestrator
│ └── axios@1.15.0 deduped
├─┬ @red-hat-developer-hub/backstage-plugin-scaffolder-backend-module-orchestrator@1.6.1 -> ./plugins/scaffolder-backend-module-orchestrator
│ └── axios@1.15.0 deduped
├─┬ app-legacy@0.0.3 -> ./packages/app-legacy
│ └─┬ @backstage/plugin-api-docs@0.14.1
│   └─┬ swagger-ui-react@5.30.0
│     └─┬ swagger-client@3.36.0
│       └─┬ @swagger-api/apidom-reference@1.0.0-rc.1
│         └── axios@1.15.0 deduped
└─┬ backend@0.0.0 -> ./packages/backend
  └─┬ @backstage/plugin-search-backend-module-techdocs@0.4.14
    └─┬ @backstage/plugin-techdocs-node@1.15.0
      └─┬ @trendyol-js/openstack-swift-sdk@0.0.7
        └── axios@1.15.0 deduped
Updating direct dependency in plugins/orchestrator-common/package.json: axios 1.15.0 → 1.16.0
Updating direct dependency in plugins/orchestrator/package.json: axios 1.15.0 → 1.16.0
Updating direct dependency in plugins/scaffolder-backend-module-orchestrator/package.json: axios 1.15.0 → 1.16.0
Upgrading dependency with yarn-lockfile-surgeon → axios@1.16.0 ...
@internal/orchestrator@1.0.0 /Users/alizardo/Documents/engineering/github/rhdh-plugins/workspaces/orchestrator
├─┬ @backstage/repo-tools@0.17.2
│ └─┬ @openapitools/openapi-generator-cli@2.30.2
│   ├─┬ @nestjs/axios@4.0.1
│   │ └── axios@1.16.0 deduped
│   └── axios@1.16.0 deduped
├─┬ @red-hat-developer-hub/backstage-plugin-orchestrator-common@3.7.1 invalid: "workspace:^" from plugins/orchestrator-backend-module-loki, "workspace:^" from plugins/orchestrator-backend -> ./plugins/orchestrator-common
│ └── axios@1.16.0
├─┬ @red-hat-developer-hub/backstage-plugin-orchestrator@5.8.1 -> ./plugins/orchestrator
│ └── axios@1.16.0 deduped
├─┬ @red-hat-developer-hub/backstage-plugin-scaffolder-backend-module-orchestrator@1.6.1 -> ./plugins/scaffolder-backend-module-orchestrator
│ └── axios@1.16.0 deduped
├─┬ app-legacy@0.0.3 -> ./packages/app-legacy
│ └─┬ @backstage/plugin-api-docs@0.14.1
│   └─┬ swagger-ui-react@5.30.0
│     └─┬ swagger-client@3.36.0
│       └─┬ @swagger-api/apidom-reference@1.0.0-rc.1
│         └── axios@1.16.0 deduped
└─┬ backend@0.0.0 -> ./packages/backend
  └─┬ @backstage/plugin-search-backend-module-techdocs@0.4.14
    └─┬ @backstage/plugin-techdocs-node@1.15.0
      └─┬ @trendyol-js/openstack-swift-sdk@0.0.7
        └── axios@1.16.0 deduped

Triaging @red-hat-developer-hub/backstage-plugin-quickstart in workspace quickstart
Running yarn install in /Users/alizardo/Documents/engineering/github/rhdh-plugins/workspaces/quickstart ...
CVE-2026-44487 axios
  patch: 1.16.0, 0.32.0
  affected: >= 1.0.0, < 1.16.0, < 0.32.0
@internal/quickstart@1.0.0 /Users/alizardo/Documents/engineering/github/rhdh-plugins/workspaces/quickstart
├─┬ @backstage/cli-defaults@0.1.0
│ └─┬ @backstage/cli-module-build@0.1.0
│   └─┬ @module-federation/enhanced@0.21.6
│     └─┬ @module-federation/dts-plugin@0.21.6
│       └── axios@1.13.6
├─┬ @backstage/repo-tools@0.17.0
│ └─┬ @openapitools/openapi-generator-cli@2.20.2
│   ├─┬ @nestjs/axios@4.0.0
│   │ └── axios@1.9.0 deduped
│   └── axios@1.9.0
├─┬ app-legacy@0.0.0 -> ./packages/app-legacy
│ └─┬ @backstage/plugin-api-docs@0.13.5
│   └─┬ swagger-ui-react@5.30.2
│     └─┬ swagger-client@3.36.0
│       └─┬ @swagger-api/apidom-reference@1.0.0-rc.3
│         └── axios@1.13.6 deduped
└─┬ backend@0.0.0 -> ./packages/backend
  └─┬ @backstage/plugin-search-backend-module-techdocs@0.4.12
    └─┬ @backstage/plugin-techdocs-node@1.14.4
      └─┬ @trendyol-js/openstack-swift-sdk@0.0.7
        └── axios@1.13.6 deduped
Upgrading dependency with yarn-lockfile-surgeon → axios@1.16.0 ...
@internal/quickstart@1.0.0 /Users/alizardo/Documents/engineering/github/rhdh-plugins/workspaces/quickstart
├─┬ @backstage/cli-defaults@0.1.0
│ └─┬ @backstage/cli-module-build@0.1.0
│   └─┬ @module-federation/enhanced@0.21.6
│     └─┬ @module-federation/dts-plugin@0.21.6
│       └── axios@1.16.0
├─┬ @backstage/repo-tools@0.17.0
│ └─┬ @openapitools/openapi-generator-cli@2.20.2
│   ├─┬ @nestjs/axios@4.0.0
│   │ └── axios@1.9.0 deduped
│   └── axios@1.9.0
├─┬ app-legacy@0.0.0 -> ./packages/app-legacy
│ └─┬ @backstage/plugin-api-docs@0.13.5
│   └─┬ swagger-ui-react@5.30.2
│     └─┬ swagger-client@3.36.0
│       └─┬ @swagger-api/apidom-reference@1.0.0-rc.3
│         └── axios@1.16.0 deduped
└─┬ backend@0.0.0 -> ./packages/backend
  └─┬ @backstage/plugin-search-backend-module-techdocs@0.4.12
    └─┬ @backstage/plugin-techdocs-node@1.14.4
      └─┬ @trendyol-js/openstack-swift-sdk@0.0.7
        └── axios@1.16.0 deduped

@github-actions (Contributor)

This pull request adds a new top-level directory under workspaces/. Please follow Submitting a Pull Request for a New Workspace in CONTRIBUTING.md.

@rhdh-gh-app

rhdh-gh-app Bot commented Jun 23, 2026

Missing Changesets

The following package(s) are changed by this PR but do not have a changeset:

  • @red-hat-developer-hub/backstage-plugin-orchestrator-common
  • @red-hat-developer-hub/backstage-plugin-orchestrator
  • @red-hat-developer-hub/backstage-plugin-scaffolder-backend-module-orchestrator

See CONTRIBUTING.md for more information about how to add changesets.

Changed Packages

| Package Name | Package Path | Changeset Bump | Current Version |
|---|---|---|---|
| @red-hat-developer-hub/backstage-plugin-orchestrator-common | workspaces/orchestrator/plugins/orchestrator-common | none | v3.7.1 |
| @red-hat-developer-hub/backstage-plugin-orchestrator | workspaces/orchestrator/plugins/orchestrator | none | v5.8.1 |
| @red-hat-developer-hub/backstage-plugin-scaffolder-backend-module-orchestrator | workspaces/orchestrator/plugins/scaffolder-backend-module-orchestrator | none | v1.6.1 |

@codecov

codecov Bot commented Jun 23, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 53.74%. Comparing base (7bb75a9) to head (cfe9dd0).
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #3547   +/-   ##
=======================================
  Coverage   53.74%   53.74%           
=======================================
  Files        2268     2268           
  Lines       86468    86468           
  Branches    24268    24256   -12     
=======================================
  Hits        46468    46468           
+ Misses      39774    39773    -1     
- Partials      226      227    +1     
| Flag | Coverage Δ | *Carryforward flag |
|---|---|---|
| adoption-insights | 83.70% <ø> (ø) | |
| ai-integrations | 67.95% <ø> (ø) | Carriedforward from 7bb75a9 |
| app-defaults | 69.79% <ø> (ø) | Carriedforward from 7bb75a9 |
| augment | 46.39% <ø> (ø) | Carriedforward from 7bb75a9 |
| boost | 71.71% <ø> (ø) | Carriedforward from 7bb75a9 |
| bulk-import | 72.46% <ø> (ø) | Carriedforward from 7bb75a9 |
| cost-management | 14.10% <ø> (ø) | Carriedforward from 7bb75a9 |
| dcm | 61.79% <ø> (ø) | Carriedforward from 7bb75a9 |
| extensions | 61.53% <ø> (ø) | Carriedforward from 7bb75a9 |
| global-floating-action-button | 71.18% <ø> (ø) | Carriedforward from 7bb75a9 |
| global-header | 59.71% <ø> (ø) | |
| homepage | 49.84% <ø> (ø) | Carriedforward from 7bb75a9 |
| install-dynamic-plugins | 56.23% <ø> (ø) | Carriedforward from 7bb75a9 |
| konflux | 91.49% <ø> (ø) | Carriedforward from 7bb75a9 |
| lightspeed | 68.57% <ø> (ø) | |
| mcp-integrations | 85.46% <ø> (ø) | Carriedforward from 7bb75a9 |
| orchestrator | 38.02% <ø> (ø) | |
| quickstart | 63.76% <ø> (ø) | |
| sandbox | 79.56% <ø> (ø) | Carriedforward from 7bb75a9 |
| scorecard | 83.96% <ø> (ø) | Carriedforward from 7bb75a9 |
| theme | 61.26% <ø> (ø) | Carriedforward from 7bb75a9 |
| translations | 7.25% <ø> (ø) | Carriedforward from 7bb75a9 |
| x2a | 78.68% <ø> (ø) | Carriedforward from 7bb75a9 |

*This pull request uses carry forward flags.

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@alizard0 alizard0 marked this pull request as draft June 23, 2026 10:00