redhat-developer · rhdh-bot · May 20, 2026
@@ -1,5 +1,42 @@
 # @red-hat-developer-hub/plugin-cost-management-backend
 
+## 2.2.1
+
+### Patch Changes
+
+- 558b7c3: fix: patch transitive dependency CVEs via yarn resolutions
+
+  Pins vulnerable transitive dependencies to patched versions to address open Dependabot alerts:
+
+- 815580b: fix: additional CVE patches and dependency updates for 2.2.1
+
+  Covers the following changes merged after the initial CVE patch (558b7c3):
+
+  - chore(deps): update rhdh cost management dependencies (patch) (#3000) — bumps
+    `@aws-sdk/core/fast-xml-parser` to 4.5.6, `request/form-data` to 2.5.5,
+    `request/tough-cookie` to 4.1.4, `typeorm` to 0.3.29, and `file-type` to 21.3.4
+    via yarn resolutions
+
+  - fix: resolve lodash CVEs via workspace resolution (#3135) — pins lodash to 4.18.1
+    to address GHSA-r5fr-rjxr-66jc (Code Injection via _.template, CVSS 8.1) and
+    GHSA-f23m-r3pf-42rh (Prototype Pollution via _.unset/\_.omit, CVSS 6.5)
+
+  - fix: update lodash direct deps to 4.18.1 to close Dependabot alerts (#3142) —
+    updates pinned lodash versions in individual plugin package.json files so
+    Dependabot can detect the fix for GHSA-r5fr-rjxr-66jc and GHSA-f23m-r3pf-42rh
+
+  - fix: CVE patches for casbin/minimatch and fast-xml-parser (#3143) — adds
+    `casbin/minimatch` resolution to 7.4.8 and bumps `fast-xml-parser` to 5.7.3
+
+  - fix: upgrade @backstage-community/plugin-rbac-backend to ^7.12.4 (#3161) —
+    upgrades rbac-backend and rbac-common to address a Backstage backend CVE
+
+  - chore(deps): update linkifyjs to v4.3.3 (#3155) — patch version bump
+
+- Updated dependencies [558b7c3]
+- Updated dependencies [815580b]
+  - @red-hat-developer-hub/plugin-cost-management-common@2.2.1
+
 ## 2.2.0
 
 ### Minor Changes

@@ -1,6 +1,6 @@
 {
   "name": "@red-hat-developer-hub/plugin-cost-management-backend",
-  "version": "2.2.0",
+  "version": "2.2.1",
   "backstage": {
     "pluginId": "cost-management",
     "pluginPackages": [

@@ -1,5 +1,38 @@
 # @red-hat-developer-hub/plugin-cost-management-common
 
+## 2.2.1
+
+### Patch Changes
+
+- 558b7c3: fix: patch transitive dependency CVEs via yarn resolutions
+
+  Pins vulnerable transitive dependencies to patched versions to address open Dependabot alerts:
+
+- 815580b: fix: additional CVE patches and dependency updates for 2.2.1
+
+  Covers the following changes merged after the initial CVE patch (558b7c3):
+
+  - chore(deps): update rhdh cost management dependencies (patch) (#3000) — bumps
+    `@aws-sdk/core/fast-xml-parser` to 4.5.6, `request/form-data` to 2.5.5,
+    `request/tough-cookie` to 4.1.4, `typeorm` to 0.3.29, and `file-type` to 21.3.4
+    via yarn resolutions
+
+  - fix: resolve lodash CVEs via workspace resolution (#3135) — pins lodash to 4.18.1
+    to address GHSA-r5fr-rjxr-66jc (Code Injection via _.template, CVSS 8.1) and
+    GHSA-f23m-r3pf-42rh (Prototype Pollution via _.unset/\_.omit, CVSS 6.5)
+
+  - fix: update lodash direct deps to 4.18.1 to close Dependabot alerts (#3142) —
+    updates pinned lodash versions in individual plugin package.json files so
+    Dependabot can detect the fix for GHSA-r5fr-rjxr-66jc and GHSA-f23m-r3pf-42rh
+
+  - fix: CVE patches for casbin/minimatch and fast-xml-parser (#3143) — adds
+    `casbin/minimatch` resolution to 7.4.8 and bumps `fast-xml-parser` to 5.7.3
+
+  - fix: upgrade @backstage-community/plugin-rbac-backend to ^7.12.4 (#3161) —
+    upgrades rbac-backend and rbac-common to address a Backstage backend CVE
+
+  - chore(deps): update linkifyjs to v4.3.3 (#3155) — patch version bump
+
 ## 2.2.0
 
 ### Minor Changes

@@ -1,7 +1,7 @@
 {
   "name": "@red-hat-developer-hub/plugin-cost-management-common",
   "description": "Common functionalities for the cost-management plugin",
-  "version": "2.2.0",
+  "version": "2.2.1",
   "backstage": {
     "pluginId": "cost-management",
     "pluginPackages": [

@@ -1,5 +1,42 @@
 # @red-hat-developer-hub/plugin-cost-management
 
+## 2.2.1
+
+### Patch Changes
+
+- 558b7c3: fix: patch transitive dependency CVEs via yarn resolutions
+
+  Pins vulnerable transitive dependencies to patched versions to address open Dependabot alerts:
+
+- 815580b: fix: additional CVE patches and dependency updates for 2.2.1
+
+  Covers the following changes merged after the initial CVE patch (558b7c3):
+
+  - chore(deps): update rhdh cost management dependencies (patch) (#3000) — bumps
+    `@aws-sdk/core/fast-xml-parser` to 4.5.6, `request/form-data` to 2.5.5,
+    `request/tough-cookie` to 4.1.4, `typeorm` to 0.3.29, and `file-type` to 21.3.4
+    via yarn resolutions
+
+  - fix: resolve lodash CVEs via workspace resolution (#3135) — pins lodash to 4.18.1
+    to address GHSA-r5fr-rjxr-66jc (Code Injection via _.template, CVSS 8.1) and
+    GHSA-f23m-r3pf-42rh (Prototype Pollution via _.unset/\_.omit, CVSS 6.5)
+
+  - fix: update lodash direct deps to 4.18.1 to close Dependabot alerts (#3142) —
+    updates pinned lodash versions in individual plugin package.json files so
+    Dependabot can detect the fix for GHSA-r5fr-rjxr-66jc and GHSA-f23m-r3pf-42rh
+
+  - fix: CVE patches for casbin/minimatch and fast-xml-parser (#3143) — adds
+    `casbin/minimatch` resolution to 7.4.8 and bumps `fast-xml-parser` to 5.7.3
+
+  - fix: upgrade @backstage-community/plugin-rbac-backend to ^7.12.4 (#3161) —
+    upgrades rbac-backend and rbac-common to address a Backstage backend CVE
+
+  - chore(deps): update linkifyjs to v4.3.3 (#3155) — patch version bump
+
+- Updated dependencies [558b7c3]
+- Updated dependencies [815580b]
+  - @red-hat-developer-hub/plugin-cost-management-common@2.2.1
+
 ## 2.2.0
 
 ### Minor Changes

@@ -1,6 +1,6 @@
 {
   "name": "@red-hat-developer-hub/plugin-cost-management",
-  "version": "2.2.0",
+  "version": "2.2.1",
   "backstage": {
     "pluginId": "cost-management",
     "pluginPackages": [