chore(orchestrator): backporting CVE commits to the workspace/orchestrator for 1.8.6 (#2797)

lholmquist · web-flow · commit 0bba7fa8fcf2 · 2026-04-16T08:02:52.000-04:00
* fix(orchestrator): update axios dependencies (#2767) (#2777) * fix(orchestrator): update axios dependencies (#2767) * chore(orchestator): multiple dependency updates for CVE fixes (#2773) (#2779) * fix: ran yarn up -R ajv. fixes https://access.redhat.com/security/cve/cve-2025-69873 * fix: ran yarn up -R path-to-regexp fixes https://access.redhat.com/security/cve/CVE-2026-4926 * fix: ran yarn up -R lodash fixes: https://access.redhat.com/security/cve/CVE-2026-4800 * squash: add the changeset
diff --git a/workspaces/orchestrator/.changeset/lucky-cars-study.md b/workspaces/orchestrator/.changeset/lucky-cars-study.md
@@ -0,0 +1,7 @@
+---
+'@red-hat-developer-hub/backstage-plugin-scaffolder-backend-module-orchestrator': patch
+'@red-hat-developer-hub/backstage-plugin-orchestrator-common': patch
+'@red-hat-developer-hub/backstage-plugin-orchestrator': patch
+---
+
+fix: update axios for CVE-2026-40175
diff --git a/workspaces/orchestrator/.changeset/nervous-eels-mate.md b/workspaces/orchestrator/.changeset/nervous-eels-mate.md
@@ -0,0 +1,8 @@
+---
+'@red-hat-developer-hub/backstage-plugin-orchestrator-form-widgets': patch
+'@red-hat-developer-hub/backstage-plugin-orchestrator-form-react': patch
+'@red-hat-developer-hub/backstage-plugin-orchestrator-backend': patch
+'@red-hat-developer-hub/backstage-plugin-orchestrator': patch
+---
+
+fix: updating lodash for cve fixes
diff --git a/workspaces/orchestrator/plugins/orchestrator-backend/package.json b/workspaces/orchestrator/plugins/orchestrator-backend/package.json
@@ -84,7 +84,7 @@
     "express-promise-router": "^4.1.1",
     "fs-extra": "^10.1.0",
     "isomorphic-git": "^1.23.0",
-    "lodash": "^4.17.21",
+    "lodash": "^4.18.1",
     "moment": "^2.29.4",
     "openapi-backend": "^5.10.5",
     "yn": "^5.0.0"
diff --git a/workspaces/orchestrator/plugins/orchestrator-common/package.json b/workspaces/orchestrator/plugins/orchestrator-common/package.json
@@ -61,7 +61,7 @@
     "@backstage/plugin-permission-common": "^0.9.1",
     "@backstage/types": "^1.2.1",
     "@severlessworkflow/sdk-typescript": "^3.0.3",
-    "axios": "^1.11.0",
+    "axios": "^1.15.0",
     "js-yaml": "^4.1.0"
   },
   "devDependencies": {
diff --git a/workspaces/orchestrator/plugins/orchestrator-common/report.api.md b/workspaces/orchestrator/plugins/orchestrator-common/report.api.md
@@ -172,7 +172,7 @@ export class DefaultApi extends BaseAPI {
     // Warning: (tsdoc-escape-right-brace) The "}" character should be escaped using a backslash to avoid confusion with a TSDoc inline tag
     // Warning: (tsdoc-malformed-inline-tag) Expecting a TSDoc tag starting with "{@"
     // Warning: (tsdoc-undefined-tag) The TSDoc tag "@memberof" is not defined in this configuration
-    abortWorkflow(instanceId: string, options?: RawAxiosRequestConfig): Promise<AxiosResponse<string, any>>;
+    abortWorkflow(instanceId: string, options?: RawAxiosRequestConfig): Promise<AxiosResponse<string, any, {}>>;
     // Warning: (tsdoc-undefined-tag) The TSDoc tag "@summary" is not defined in this configuration
     // Warning: (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
     // Warning: (tsdoc-param-tag-with-invalid-type) The @param block should not include a JSDoc-style '{type}'
@@ -184,7 +184,7 @@ export class DefaultApi extends BaseAPI {
     // Warning: (tsdoc-escape-right-brace) The "}" character should be escaped using a backslash to avoid confusion with a TSDoc inline tag
     // Warning: (tsdoc-malformed-inline-tag) Expecting a TSDoc tag starting with "{@"
     // Warning: (tsdoc-undefined-tag) The TSDoc tag "@memberof" is not defined in this configuration
-    executeWorkflow(workflowId: string, executeWorkflowRequestDTO: ExecuteWorkflowRequestDTO, options?: RawAxiosRequestConfig): Promise<AxiosResponse<ExecuteWorkflowResponseDTO, any>>;
+    executeWorkflow(workflowId: string, executeWorkflowRequestDTO: ExecuteWorkflowRequestDTO, options?: RawAxiosRequestConfig): Promise<AxiosResponse<ExecuteWorkflowResponseDTO, any, {}>>;
     // Warning: (tsdoc-undefined-tag) The TSDoc tag "@summary" is not defined in this configuration
     // Warning: (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
     // Warning: (tsdoc-param-tag-with-invalid-type) The @param block should not include a JSDoc-style '{type}'
@@ -194,7 +194,7 @@ export class DefaultApi extends BaseAPI {
     // Warning: (tsdoc-escape-right-brace) The "}" character should be escaped using a backslash to avoid confusion with a TSDoc inline tag
     // Warning: (tsdoc-malformed-inline-tag) Expecting a TSDoc tag starting with "{@"
     // Warning: (tsdoc-undefined-tag) The TSDoc tag "@memberof" is not defined in this configuration
-    getInstanceById(instanceId: string, options?: RawAxiosRequestConfig): Promise<AxiosResponse<ProcessInstanceDTO, any>>;
+    getInstanceById(instanceId: string, options?: RawAxiosRequestConfig): Promise<AxiosResponse<ProcessInstanceDTO, any, {}>>;
     // Warning: (tsdoc-undefined-tag) The TSDoc tag "@summary" is not defined in this configuration
     // Warning: (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
     // Warning: (tsdoc-param-tag-with-invalid-optional-name) The @param should not include a JSDoc-style optional name; it must not be enclosed in '[ ]' brackets.
@@ -205,7 +205,7 @@ export class DefaultApi extends BaseAPI {
     // Warning: (tsdoc-escape-right-brace) The "}" character should be escaped using a backslash to avoid confusion with a TSDoc inline tag
     // Warning: (tsdoc-malformed-inline-tag) Expecting a TSDoc tag starting with "{@"
     // Warning: (tsdoc-undefined-tag) The TSDoc tag "@memberof" is not defined in this configuration
-    getInstances(searchRequest?: SearchRequest, options?: RawAxiosRequestConfig): Promise<AxiosResponse<ProcessInstanceListResultDTO, any>>;
+    getInstances(searchRequest?: SearchRequest, options?: RawAxiosRequestConfig): Promise<AxiosResponse<ProcessInstanceListResultDTO, any, {}>>;
     // Warning: (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
     // Warning: (tsdoc-param-tag-with-invalid-type) The @param block should not include a JSDoc-style '{type}'
     // Warning: (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
@@ -217,7 +217,7 @@ export class DefaultApi extends BaseAPI {
     // Warning: (tsdoc-escape-right-brace) The "}" character should be escaped using a backslash to avoid confusion with a TSDoc inline tag
     // Warning: (tsdoc-malformed-inline-tag) Expecting a TSDoc tag starting with "{@"
     // Warning: (tsdoc-undefined-tag) The TSDoc tag "@memberof" is not defined in this configuration
-    getWorkflowInputSchemaById(workflowId: string, instanceId?: string, options?: RawAxiosRequestConfig): Promise<AxiosResponse<InputSchemaResponseDTO, any>>;
+    getWorkflowInputSchemaById(workflowId: string, instanceId?: string, options?: RawAxiosRequestConfig): Promise<AxiosResponse<InputSchemaResponseDTO, any, {}>>;
     // Warning: (tsdoc-undefined-tag) The TSDoc tag "@summary" is not defined in this configuration
     // Warning: (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
     // Warning: (tsdoc-param-tag-with-invalid-type) The @param block should not include a JSDoc-style '{type}'
@@ -230,7 +230,7 @@ export class DefaultApi extends BaseAPI {
     // Warning: (tsdoc-escape-right-brace) The "}" character should be escaped using a backslash to avoid confusion with a TSDoc inline tag
     // Warning: (tsdoc-malformed-inline-tag) Expecting a TSDoc tag starting with "{@"
     // Warning: (tsdoc-undefined-tag) The TSDoc tag "@memberof" is not defined in this configuration
-    getWorkflowInstances(workflowId: string, searchRequest?: SearchRequest, options?: RawAxiosRequestConfig): Promise<AxiosResponse<ProcessInstanceListResultDTO, any>>;
+    getWorkflowInstances(workflowId: string, searchRequest?: SearchRequest, options?: RawAxiosRequestConfig): Promise<AxiosResponse<ProcessInstanceListResultDTO, any, {}>>;
     // Warning: (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
     // Warning: (tsdoc-param-tag-with-invalid-type) The @param block should not include a JSDoc-style '{type}'
     // Warning: (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
@@ -239,7 +239,7 @@ export class DefaultApi extends BaseAPI {
     // Warning: (tsdoc-escape-right-brace) The "}" character should be escaped using a backslash to avoid confusion with a TSDoc inline tag
     // Warning: (tsdoc-malformed-inline-tag) Expecting a TSDoc tag starting with "{@"
     // Warning: (tsdoc-undefined-tag) The TSDoc tag "@memberof" is not defined in this configuration
-    getWorkflowOverviewById(workflowId: string, options?: RawAxiosRequestConfig): Promise<AxiosResponse<WorkflowOverviewDTO, any>>;
+    getWorkflowOverviewById(workflowId: string, options?: RawAxiosRequestConfig): Promise<AxiosResponse<WorkflowOverviewDTO, any, {}>>;
     // Warning: (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
     // Warning: (tsdoc-param-tag-with-invalid-type) The @param block should not include a JSDoc-style '{type}'
     // Warning: (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
@@ -248,7 +248,7 @@ export class DefaultApi extends BaseAPI {
     // Warning: (tsdoc-escape-right-brace) The "}" character should be escaped using a backslash to avoid confusion with a TSDoc inline tag
     // Warning: (tsdoc-malformed-inline-tag) Expecting a TSDoc tag starting with "{@"
     // Warning: (tsdoc-undefined-tag) The TSDoc tag "@memberof" is not defined in this configuration
-    getWorkflowSourceById(workflowId: string, options?: RawAxiosRequestConfig): Promise<AxiosResponse<string, any>>;
+    getWorkflowSourceById(workflowId: string, options?: RawAxiosRequestConfig): Promise<AxiosResponse<string, any, {}>>;
     // Warning: (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
     // Warning: (tsdoc-param-tag-with-invalid-optional-name) The @param should not include a JSDoc-style optional name; it must not be enclosed in '[ ]' brackets.
     // Warning: (tsdoc-param-tag-with-invalid-type) The @param block should not include a JSDoc-style '{type}'
@@ -258,7 +258,7 @@ export class DefaultApi extends BaseAPI {
     // Warning: (tsdoc-escape-right-brace) The "}" character should be escaped using a backslash to avoid confusion with a TSDoc inline tag
     // Warning: (tsdoc-malformed-inline-tag) Expecting a TSDoc tag starting with "{@"
     // Warning: (tsdoc-undefined-tag) The TSDoc tag "@memberof" is not defined in this configuration
-    getWorkflowsOverview(searchRequest?: SearchRequest, options?: RawAxiosRequestConfig): Promise<AxiosResponse<WorkflowOverviewListResultDTO, any>>;
+    getWorkflowsOverview(searchRequest?: SearchRequest, options?: RawAxiosRequestConfig): Promise<AxiosResponse<WorkflowOverviewListResultDTO, any, {}>>;
     // Warning: (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
     // Warning: (tsdoc-param-tag-with-invalid-optional-name) The @param should not include a JSDoc-style optional name; it must not be enclosed in '[ ]' brackets.
     // Warning: (tsdoc-param-tag-with-invalid-type) The @param block should not include a JSDoc-style '{type}'
@@ -268,15 +268,15 @@ export class DefaultApi extends BaseAPI {
     // Warning: (tsdoc-escape-right-brace) The "}" character should be escaped using a backslash to avoid confusion with a TSDoc inline tag
     // Warning: (tsdoc-malformed-inline-tag) Expecting a TSDoc tag starting with "{@"
     // Warning: (tsdoc-undefined-tag) The TSDoc tag "@memberof" is not defined in this configuration
-    getWorkflowsOverviewForEntity(getWorkflowsOverviewForEntityRequest?: GetWorkflowsOverviewForEntityRequest, options?: RawAxiosRequestConfig): Promise<AxiosResponse<WorkflowOverviewListResultDTO, any>>;
+    getWorkflowsOverviewForEntity(getWorkflowsOverviewForEntityRequest?: GetWorkflowsOverviewForEntityRequest, options?: RawAxiosRequestConfig): Promise<AxiosResponse<WorkflowOverviewListResultDTO, any, {}>>;
     // Warning: (tsdoc-undefined-tag) The TSDoc tag "@summary" is not defined in this configuration
     // Warning: (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
     // Warning: (tsdoc-param-tag-with-invalid-optional-name) The @param should not include a JSDoc-style optional name; it must not be enclosed in '[ ]' brackets.
     // Warning: (tsdoc-param-tag-with-invalid-type) The @param block should not include a JSDoc-style '{type}'
     // Warning: (tsdoc-escape-right-brace) The "}" character should be escaped using a backslash to avoid confusion with a TSDoc inline tag
     // Warning: (tsdoc-malformed-inline-tag) Expecting a TSDoc tag starting with "{@"
     // Warning: (tsdoc-undefined-tag) The TSDoc tag "@memberof" is not defined in this configuration
-    getWorkflowStatuses(options?: RawAxiosRequestConfig): Promise<AxiosResponse<WorkflowRunStatusDTO[], any>>;
+    getWorkflowStatuses(options?: RawAxiosRequestConfig): Promise<AxiosResponse<WorkflowRunStatusDTO[], any, {}>>;
     // Warning: (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
     // Warning: (tsdoc-param-tag-with-invalid-type) The @param block should not include a JSDoc-style '{type}'
     // Warning: (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
@@ -285,7 +285,7 @@ export class DefaultApi extends BaseAPI {
     // Warning: (tsdoc-escape-right-brace) The "}" character should be escaped using a backslash to avoid confusion with a TSDoc inline tag
     // Warning: (tsdoc-malformed-inline-tag) Expecting a TSDoc tag starting with "{@"
     // Warning: (tsdoc-undefined-tag) The TSDoc tag "@memberof" is not defined in this configuration
-    pingWorkflowServiceById(workflowId: string, options?: RawAxiosRequestConfig): Promise<AxiosResponse<boolean, any>>;
+    pingWorkflowServiceById(workflowId: string, options?: RawAxiosRequestConfig): Promise<AxiosResponse<boolean, any, {}>>;
     // Warning: (tsdoc-undefined-tag) The TSDoc tag "@summary" is not defined in this configuration
     // Warning: (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
     // Warning: (tsdoc-param-tag-with-invalid-type) The @param block should not include a JSDoc-style '{type}'
@@ -299,7 +299,7 @@ export class DefaultApi extends BaseAPI {
     // Warning: (tsdoc-escape-right-brace) The "}" character should be escaped using a backslash to avoid confusion with a TSDoc inline tag
     // Warning: (tsdoc-malformed-inline-tag) Expecting a TSDoc tag starting with "{@"
     // Warning: (tsdoc-undefined-tag) The TSDoc tag "@memberof" is not defined in this configuration
-    retriggerInstance(workflowId: string, instanceId: string, retriggerInstanceRequestDTO: RetriggerInstanceRequestDTO, options?: RawAxiosRequestConfig): Promise<AxiosResponse<object, any>>;
+    retriggerInstance(workflowId: string, instanceId: string, retriggerInstanceRequestDTO: RetriggerInstanceRequestDTO, options?: RawAxiosRequestConfig): Promise<AxiosResponse<object, any, {}>>;
 }
 
 // Warning: (tsdoc-undefined-tag) The TSDoc tag "@export" is not defined in this configuration
diff --git a/workspaces/orchestrator/plugins/orchestrator-form-react/package.json b/workspaces/orchestrator/plugins/orchestrator-form-react/package.json
@@ -44,7 +44,7 @@
     "@rjsf/utils": "^5.21.2",
     "@rjsf/validator-ajv8": "^5.21.2",
     "json-schema-library": "^9.0.0",
-    "lodash": "^4.17.21",
+    "lodash": "^4.18.1",
     "tss-react": "^4.9.18"
   },
   "peerDependencies": {
diff --git a/workspaces/orchestrator/plugins/orchestrator-form-widgets/package.json b/workspaces/orchestrator/plugins/orchestrator-form-widgets/package.json
@@ -65,7 +65,7 @@
     "clsx": "^2.1.1",
     "json-schema": "^0.4.0",
     "jsonata": "^2.0.6",
-    "lodash": "^4.17.21",
+    "lodash": "^4.18.1",
     "react-use": "^17.2.4",
     "tss-react": "^4.9.18"
   },
diff --git a/workspaces/orchestrator/plugins/orchestrator/package.json b/workspaces/orchestrator/plugins/orchestrator/package.json
@@ -67,9 +67,9 @@
     "@red-hat-developer-hub/backstage-plugin-orchestrator-common": "workspace:^",
     "@red-hat-developer-hub/backstage-plugin-orchestrator-form-api": "workspace:^",
     "@red-hat-developer-hub/backstage-plugin-orchestrator-form-react": "workspace:^",
-    "axios": "^1.11.0",
+    "axios": "^1.15.0",
     "json-schema": "^0.4.0",
-    "lodash": "^4.17.21",
+    "lodash": "^4.18.1",
     "moment": "^2.29.4",
     "react-json-view": "^1.21.3",
     "react-moment": "^1.1.3",
diff --git a/workspaces/orchestrator/plugins/scaffolder-backend-module-orchestrator/package.json b/workspaces/orchestrator/plugins/scaffolder-backend-module-orchestrator/package.json
@@ -64,7 +64,7 @@
     "@backstage/plugin-scaffolder-node": "^0.11.0",
     "@backstage/types": "^1.2.1",
     "@red-hat-developer-hub/backstage-plugin-orchestrator-common": "workspace:^",
-    "axios": "^1.11.0",
+    "axios": "^1.15.0",
     "js-yaml": "^4.1.0"
   },
   "devDependencies": {
diff --git a/workspaces/orchestrator/yarn.lock b/workspaces/orchestrator/yarn.lock
