fix(deps): update kubernetes-client to fix CVE-2024-21534 (#2459)

* fix(deps): update kubernetes-client to fix CVE-2024-21534

* fix(deps): update version in dist-dynamic

* fix(deps): remove --embed-package and run yarn export-dynamic

.changeset/quick-dryers-train.md

@@ -0,0 +1,9 @@
+---
+"@janus-idp/backstage-scaffolder-backend-module-kubernetes": patch
+"@janus-idp/shared-react": patch
+"@janus-idp/backstage-plugin-ocm-backend": patch
+"@janus-idp/backstage-plugin-topology": patch
+"@janus-idp/backstage-plugin-tekton": patch
+---
+
+Fix CVE-2024-21534 by upgrading @kubernetes/client-node package to 0.22.1

plugins/kubernetes-actions/dist-dynamic/package.json

@@ -27,7 +27,7 @@
   },
   "scripts": {},
   "dependencies": {
-    "@kubernetes/client-node": "^0.20.0"
+    "@kubernetes/client-node": "^0.22.1"
   },
   "devDependencies": {},
   "files": [

plugins/kubernetes-actions/package.json

@@ -51,7 +51,7 @@
     "@backstage/catalog-client": "^1.6.5",
     "@backstage/catalog-model": "^1.5.0",
     "@backstage/plugin-scaffolder-node": "^0.4.8",
-    "@kubernetes/client-node": "^0.20.0"
+    "@kubernetes/client-node": "^0.22.1"
   },
   "devDependencies": {
     "@backstage/backend-common": "0.23.3",

plugins/ocm-backend/dist-dynamic/package.json

@@ -31,13 +31,10 @@
   "scripts": {},
   "configSchema": "config.d.ts",
   "dependencies": {
-    "@kubernetes/client-node": "^0.20.0",
+    "@kubernetes/client-node": "^0.22.1",
     "express": "^4.18.2",
     "express-promise-router": "^4.1.1",
-    "semver": "^7.5.4",
-    "kubernetes-models": "^4.3.1",
-    "lodash": "^4.17.21",
-    "luxon": "^3.0.0"
+    "semver": "^7.5.4"
   },
   "devDependencies": {},
   "files": [
@@ -76,9 +73,9 @@
     "@backstage/config": "^1.2.0",
     "@backstage/errors": "^1.2.4",
     "@backstage/plugin-catalog-node": "^1.12.4",
+    "@backstage/plugin-kubernetes-common": "^0.8.1",
     "@backstage/plugin-permission-common": "^0.8.0",
-    "@backstage/plugin-permission-node": "^0.8.0",
-    "@backstage/types": "^1.1.1"
+    "@backstage/plugin-permission-node": "^0.8.0"
   },
   "overrides": {
     "@aws-sdk/util-utf8-browser": {

plugins/ocm-backend/package.json

@@ -35,8 +35,8 @@
   "scripts": {
     "build": "backstage-cli package build",
     "clean": "backstage-cli package clean",
-    "export-dynamic": "janus-cli package export-dynamic-plugin --embed-package --embed-package @backstage/plugin-kubernetes-common --no-embed-as-dependencies",
-    "export-dynamic:clean": "janus-cli package export-dynamic-plugin --embed-package --embed-package @backstage/plugin-kubernetes-common --no-embed-as-dependencies --clean",
+    "export-dynamic": "janus-cli package export-dynamic-plugin --no-embed-as-dependencies",
+    "export-dynamic:clean": "janus-cli package export-dynamic-plugin --no-embed-as-dependencies --clean",
     "lint:check": "backstage-cli package lint",
     "lint:fix": "backstage-cli package lint --fix",
     "postpack": "backstage-cli package postpack",
@@ -67,7 +67,7 @@
     "@backstage/plugin-permission-common": "^0.8.0",
     "@backstage/plugin-permission-node": "^0.8.0",
     "@janus-idp/backstage-plugin-ocm-common": "3.3.0",
-    "@kubernetes/client-node": "^0.20.0",
+    "@kubernetes/client-node": "^0.22.1",
     "express": "^4.18.2",
     "express-promise-router": "^4.1.1",
     "semver": "^7.5.4"

plugins/ocm-backend/src/constants.ts

@@ -1,2 +1,3 @@
 export const CONSOLE_CLAIM = 'consoleurl.cluster.open-cluster-management.io';
 export const HUB_CLUSTER_NAME_IN_OCM = 'local-cluster';
+export const ANNOTATION_KUBERNETES_API_SERVER = 'kubernetes.io/api-server';

plugins/ocm-backend/src/providers/ManagedClusterProvider.ts

@@ -26,7 +26,6 @@ import {
   EntityProvider,
   EntityProviderConnection,
 } from '@backstage/plugin-catalog-node';
-import { ANNOTATION_KUBERNETES_API_SERVER } from '@backstage/plugin-kubernetes-common';
 
 import { CustomObjectsApi } from '@kubernetes/client-node';
 
@@ -35,7 +34,11 @@ import {
   ANNOTATION_PROVIDER_ID,
 } from '@janus-idp/backstage-plugin-ocm-common';
 
-import { CONSOLE_CLAIM, HUB_CLUSTER_NAME_IN_OCM } from '../constants';
+import {
+  ANNOTATION_KUBERNETES_API_SERVER,
+  CONSOLE_CLAIM,
+  HUB_CLUSTER_NAME_IN_OCM,
+} from '../constants';
 import { readOcmConfigs } from '../helpers/config';
 import {
   getManagedCluster,

plugins/shared-react/package.json

@@ -39,7 +39,7 @@
     "@backstage/core-plugin-api": "^1.9.3",
     "@backstage/plugin-kubernetes-common": "0.8.0",
     "@backstage/plugin-kubernetes-react": "0.4.0",
-    "@kubernetes/client-node": "^0.20.0",
+    "@kubernetes/client-node": "^0.22.1",
     "classnames": "^2.3.2",
     "date-fns": "^2.30.0",
     "file-saver": "^2.0.5",

plugins/tekton/package.json

@@ -52,7 +52,7 @@
     "@backstage/theme": "^0.5.6",
     "@janus-idp/backstage-plugin-tekton-common": "1.0.0",
     "@janus-idp/shared-react": "2.10.3",
-    "@kubernetes/client-node": "^0.20.0",
+    "@kubernetes/client-node": "^0.22.1",
     "@material-ui/core": "^4.9.13",
     "@material-ui/icons": "^4.11.3",
     "@material-ui/lab": "^4.0.0-alpha.45",

plugins/topology/package.json

@@ -49,7 +49,7 @@
     "@backstage/theme": "^0.5.6",
     "@janus-idp/backstage-plugin-topology-common": "1.3.0",
     "@janus-idp/shared-react": "2.10.3",
-    "@kubernetes/client-node": "^0.20.0",
+    "@kubernetes/client-node": "^0.22.1",
     "@material-ui/core": "^4.9.13",
     "@material-ui/icons": "^4.11.3",
     "@material-ui/lab": "^4.0.0-alpha.45",