diff --git a/workspaces/cost-management/.changeset/fix-transitive-dep-cves.md b/workspaces/cost-management/.changeset/fix-transitive-dep-cves.md
deleted file mode 100644
index 679c1dd749..0000000000
--- a/workspaces/cost-management/.changeset/fix-transitive-dep-cves.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-'@red-hat-developer-hub/plugin-cost-management': patch
-'@red-hat-developer-hub/plugin-cost-management-backend': patch
-'@red-hat-developer-hub/plugin-cost-management-common': patch
----
-
-fix: patch transitive dependency CVEs via yarn resolutions
-
-Pins vulnerable transitive dependencies to patched versions to address open Dependabot alerts:
diff --git a/workspaces/cost-management/.changeset/patch-additional-cve-and-dep-fixes.md b/workspaces/cost-management/.changeset/patch-additional-cve-and-dep-fixes.md
deleted file mode 100644
index 6a2521c4e2..0000000000
--- a/workspaces/cost-management/.changeset/patch-additional-cve-and-dep-fixes.md
+++ /dev/null
@@ -1,30 +0,0 @@
---- -'@red-hat-developer-hub/plugin-cost-management': patch -'@red-hat-developer-hub/plugin-cost-management-backend': patch -'@red-hat-developer-hub/plugin-cost-management-common': patch ---- - -fix: additional CVE patches and dependency updates for 2.2.1 - -Covers the following changes merged after the initial CVE patch (558b7c3): - - chore(deps): update rhdh cost management dependencies (patch) (#3000) — bumps - `@aws-sdk/core/fast-xml-parser` to 4.5.6, `request/form-data` to 2.5.5, - `request/tough-cookie` to 4.1.4, `typeorm` to 0.3.29, and `file-type` to 21.3.4 - via yarn resolutions - - fix: resolve lodash CVEs via workspace resolution (#3135) — pins lodash to 4.18.1 - to address GHSA-r5fr-rjxr-66jc (Code Injection via _.template, CVSS 8.1) and - GHSA-f23m-r3pf-42rh (Prototype Pollution via _.unset/\_.omit, CVSS 6.5) - - fix: update lodash direct deps to 4.18.1 to close Dependabot alerts (#3142) — - updates pinned lodash versions in individual plugin package.json files so - Dependabot can detect the fix for GHSA-r5fr-rjxr-66jc and GHSA-f23m-r3pf-42rh - - fix: CVE patches for casbin/minimatch and fast-xml-parser (#3143) — adds - `casbin/minimatch` resolution to 7.4.8 and bumps `fast-xml-parser` to 5.7.3 - - fix: upgrade @backstage-community/plugin-rbac-backend to ^7.12.4 (#3161) — - upgrades rbac-backend and rbac-common to address a Backstage backend CVE - - chore(deps): update linkifyjs to v4.3.3 (#3155) — patch version bump
diff --git a/workspaces/cost-management/plugins/cost-management-backend/CHANGELOG.md b/workspaces/cost-management/plugins/cost-management-backend/CHANGELOG.md
index 366bbfce2f..b74aede804 100644
--- a/workspaces/cost-management/plugins/cost-management-backend/CHANGELOG.md
+++ b/workspaces/cost-management/plugins/cost-management-backend/CHANGELOG.md
@@ -1,5 +1,42 @@
 # @red-hat-developer-hub/plugin-cost-management-backend
 
+## 2.2.1
+
+### Patch Changes
+
+- 558b7c3: fix: patch transitive dependency CVEs via yarn resolutions
+
+ Pins vulnerable transitive dependencies to patched versions to address open Dependabot alerts:
+
+- 815580b: fix: additional CVE patches and dependency updates for 2.2.1
+
+ Covers the following changes merged after the initial CVE patch (558b7c3):
+
+ - chore(deps): update rhdh cost management dependencies (patch) (#3000) — bumps
+ `@aws-sdk/core/fast-xml-parser` to 4.5.6, `request/form-data` to 2.5.5,
+ `request/tough-cookie` to 4.1.4, `typeorm` to 0.3.29, and `file-type` to 21.3.4
+ via yarn resolutions
+
+ - fix: resolve lodash CVEs via workspace resolution (#3135) — pins lodash to 4.18.1
+ to address GHSA-r5fr-rjxr-66jc (Code Injection via _.template, CVSS 8.1) and
+ GHSA-f23m-r3pf-42rh (Prototype Pollution via _.unset/\_.omit, CVSS 6.5)
+
+ - fix: update lodash direct deps to 4.18.1 to close Dependabot alerts (#3142) —
+ updates pinned lodash versions in individual plugin package.json files so
+ Dependabot can detect the fix for GHSA-r5fr-rjxr-66jc and GHSA-f23m-r3pf-42rh
+
+ - fix: CVE patches for casbin/minimatch and fast-xml-parser (#3143) — adds
+ `casbin/minimatch` resolution to 7.4.8 and bumps `fast-xml-parser` to 5.7.3
+
+ - fix: upgrade @backstage-community/plugin-rbac-backend to ^7.12.4 (#3161) —
+ upgrades rbac-backend and rbac-common to address a Backstage backend CVE
+
+ - chore(deps): update linkifyjs to v4.3.3 (#3155) — patch version bump
+
+- Updated dependencies [558b7c3]
+- Updated dependencies [815580b]
+ - @red-hat-developer-hub/plugin-cost-management-common@2.2.1
+
 ## 2.2.0
 
 ### Minor Changes
diff --git a/workspaces/cost-management/plugins/cost-management-backend/package.json b/workspaces/cost-management/plugins/cost-management-backend/package.json
index 28859ec2b9..3445a9f1fc 100644
--- a/workspaces/cost-management/plugins/cost-management-backend/package.json
+++ b/workspaces/cost-management/plugins/cost-management-backend/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@red-hat-developer-hub/plugin-cost-management-backend",
- "version": "2.2.0",
+ "version": "2.2.1",
 "backstage": {
 "pluginId": "cost-management",
 "pluginPackages": [
diff --git a/workspaces/cost-management/plugins/cost-management-common/CHANGELOG.md b/workspaces/cost-management/plugins/cost-management-common/CHANGELOG.md
index e1346de48c..67da461892 100644
--- a/workspaces/cost-management/plugins/cost-management-common/CHANGELOG.md
+++ b/workspaces/cost-management/plugins/cost-management-common/CHANGELOG.md
@@ -1,5 +1,38 @@
 # @red-hat-developer-hub/plugin-cost-management-common
 
+## 2.2.1
+
+### Patch Changes
+
+- 558b7c3: fix: patch transitive dependency CVEs via yarn resolutions
+
+ Pins vulnerable transitive dependencies to patched versions to address open Dependabot alerts:
+
+- 815580b: fix: additional CVE patches and dependency updates for 2.2.1
+
+ Covers the following changes merged after the initial CVE patch (558b7c3):
+
+ - chore(deps): update rhdh cost management dependencies (patch) (#3000) — bumps
+ `@aws-sdk/core/fast-xml-parser` to 4.5.6, `request/form-data` to 2.5.5,
+ `request/tough-cookie` to 4.1.4, `typeorm` to 0.3.29, and `file-type` to 21.3.4
+ via yarn resolutions
+
+ - fix: resolve lodash CVEs via workspace resolution (#3135) — pins lodash to 4.18.1
+ to address GHSA-r5fr-rjxr-66jc (Code Injection via _.template, CVSS 8.1) and
+ GHSA-f23m-r3pf-42rh (Prototype Pollution via _.unset/\_.omit, CVSS 6.5)
+
+ - fix: update lodash direct deps to 4.18.1 to close Dependabot alerts (#3142) —
+ updates pinned lodash versions in individual plugin package.json files so
+ Dependabot can detect the fix for GHSA-r5fr-rjxr-66jc and GHSA-f23m-r3pf-42rh
+
+ - fix: CVE patches for casbin/minimatch and fast-xml-parser (#3143) — adds
+ `casbin/minimatch` resolution to 7.4.8 and bumps `fast-xml-parser` to 5.7.3
+
+ - fix: upgrade @backstage-community/plugin-rbac-backend to ^7.12.4 (#3161) —
+ upgrades rbac-backend and rbac-common to address a Backstage backend CVE
+
+ - chore(deps): update linkifyjs to v4.3.3 (#3155) — patch version bump
+
 ## 2.2.0
 
 ### Minor Changes
diff --git a/workspaces/cost-management/plugins/cost-management-common/package.json b/workspaces/cost-management/plugins/cost-management-common/package.json
index 0428980817..8d0f5768b7 100644
--- a/workspaces/cost-management/plugins/cost-management-common/package.json
+++ b/workspaces/cost-management/plugins/cost-management-common/package.json
@@ -1,7 +1,7 @@
 {
 "name": "@red-hat-developer-hub/plugin-cost-management-common",
 "description": "Common functionalities for the cost-management plugin",
- "version": "2.2.0",
+ "version": "2.2.1",
 "backstage": {
 "pluginId": "cost-management",
 "pluginPackages": [
diff --git a/workspaces/cost-management/plugins/cost-management/CHANGELOG.md b/workspaces/cost-management/plugins/cost-management/CHANGELOG.md
index ff6324d289..2bc5cec224 100644
--- a/workspaces/cost-management/plugins/cost-management/CHANGELOG.md
+++ b/workspaces/cost-management/plugins/cost-management/CHANGELOG.md
@@ -1,5 +1,42 @@
 # @red-hat-developer-hub/plugin-cost-management
 
+## 2.2.1
+
+### Patch Changes
+
+- 558b7c3: fix: patch transitive dependency CVEs via yarn resolutions
+
+ Pins vulnerable transitive dependencies to patched versions to address open Dependabot alerts:
+
+- 815580b: fix: additional CVE patches and dependency updates for 2.2.1
+
+ Covers the following changes merged after the initial CVE patch (558b7c3):
+
+ - chore(deps): update rhdh cost management dependencies (patch) (#3000) — bumps
+ `@aws-sdk/core/fast-xml-parser` to 4.5.6, `request/form-data` to 2.5.5,
+ `request/tough-cookie` to 4.1.4, `typeorm` to 0.3.29, and `file-type` to 21.3.4
+ via yarn resolutions
+
+ - fix: resolve lodash CVEs via workspace resolution (#3135) — pins lodash to 4.18.1
+ to address GHSA-r5fr-rjxr-66jc (Code Injection via _.template, CVSS 8.1) and
+ GHSA-f23m-r3pf-42rh (Prototype Pollution via _.unset/\_.omit, CVSS 6.5)
+
+ - fix: update lodash direct deps to 4.18.1 to close Dependabot alerts (#3142) —
+ updates pinned lodash versions in individual plugin package.json files so
+ Dependabot can detect the fix for GHSA-r5fr-rjxr-66jc and GHSA-f23m-r3pf-42rh
+
+ - fix: CVE patches for casbin/minimatch and fast-xml-parser (#3143) — adds
+ `casbin/minimatch` resolution to 7.4.8 and bumps `fast-xml-parser` to 5.7.3
+
+ - fix: upgrade @backstage-community/plugin-rbac-backend to ^7.12.4 (#3161) —
+ upgrades rbac-backend and rbac-common to address a Backstage backend CVE
+
+ - chore(deps): update linkifyjs to v4.3.3 (#3155) — patch version bump
+
+- Updated dependencies [558b7c3]
+- Updated dependencies [815580b]
+ - @red-hat-developer-hub/plugin-cost-management-common@2.2.1
+
 ## 2.2.0
 
 ### Minor Changes
diff --git a/workspaces/cost-management/plugins/cost-management/package.json b/workspaces/cost-management/plugins/cost-management/package.json
index 3cdd558856..8bbfde1abb 100644
--- a/workspaces/cost-management/plugins/cost-management/package.json
+++ b/workspaces/cost-management/plugins/cost-management/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@red-hat-developer-hub/plugin-cost-management",
- "version": "2.2.0",
+ "version": "2.2.1",
 "backstage": {
 "pluginId": "cost-management",
 "pluginPackages": [