Fix cost plugin cves (#2951)

* fix(cost-management): resolve 6 CVEs via linkifyjs resolution and msw v2 upgrade

Pin linkifyjs to 4.3.2 to fix Prototype Pollution & XSS (CVE-2025-8101).
Upgrade msw from v1 to v2 in frontend and backend plugin devDependencies,
removing the transitive @xmldom/xmldom@0.8.10 dependency and its 5 High
severity CVEs (XML injection, DoS, CDATA/comment/processing instruction
injection).

Made-with: Cursor

* fix(cost-management): resolve 2 critical CVEs via scoped Yarn resolutions

Add scoped resolutions to fix fast-xml-parser entity encoding bypass
(CVE #3087, CVSS 9.3) and form-data unsafe random boundary generation
(CVE #3010, CVSS 9.4) without affecting other consumers of these packages.

- @aws-sdk/core/fast-xml-parser: 4.4.1 -> 4.5.4
- request/form-data: 2.3.3 -> 2.5.4
- @types/request/form-data: 2.5.3 -> 2.5.4

Made-with: Cursor

Author: PreetiW

workspaces/cost-management/package.json

@@ -60,7 +60,11 @@
     "@types/react-dom": "^18",
     "react": "^18",
     "react-dom": "^18",
-    "@protobufjs/inquire": "1.1.0"
+    "@protobufjs/inquire": "1.1.0",
+    "linkifyjs": "4.3.2",
+    "@aws-sdk/core/fast-xml-parser": "4.5.4",
+    "request/form-data": "2.5.4",
+    "@types/request/form-data": "2.5.4"
   },
   "prettier": "@spotify/prettier-config",
   "lint-staged": {

workspaces/cost-management/plugins/cost-management-backend/package.json

@@ -35,7 +35,7 @@
     "@backstage/plugin-proxy-backend": "^0.6.11",
     "@types/lodash": "4.17.24",
     "@types/supertest": "^6.0.0",
-    "msw": "^1.0.0",
+    "msw": "^2.3.4",
     "supertest": "^7.0.0"
   },
   "exports": {

workspaces/cost-management/plugins/cost-management/package.json

@@ -55,7 +55,7 @@
     "@testing-library/jest-dom": "^6.0.0",
     "@testing-library/react": "^16.0.0",
     "@testing-library/user-event": "^14.0.0",
-    "msw": "^1.0.0",
+    "msw": "^2.3.4",
     "react": "^18.3.1",
     "react-dom": "^18.3.1",
     "react-router-dom": "^6.30.2"