fix(deps): CVE remediation for lodash, immutable, qs (main)

[pcbailey]

Multi-branch CVE remediation for Open Jira issues in New status (lodash CVE-2026-4800 / CVE-2025-13465, immutable CVE-2026-29063, qs CVE-2025-15284).

This PR: main — npm audit fix plus overrides for qs@6.14.2.

Sister PRs: release-4.20, release-4.19, release-4.18, release-4.17 — Yarn resolutions (lodash, qs) and immutable@3.x bumped to 3.8.3 in yarn.lock.

Verification: npm ci and npm run build on this branch.

Made with Cursor

Summary by CodeRabbit

• Chores
  • Updated dependency configuration overrides to enhance system stability.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 1d4fe4d0-db82-46bc-b2a7-a13947c973a7

📥 Commits

Reviewing files that changed from the base of the PR and between 9958062 and cf4b3db.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (1)

• package.json

---

Walkthrough

Updated the package.json dependency resolution overrides to pin the qs package to version 6.14.2, adding a new override entry while maintaining the existing @parcel/watcher override at version 2.5.1.

Changes

Cohort / File(s)	Summary
Dependency Resolution Configuration package.json	Added a new overrides entry for qs pinned to 6.14.2 alongside the existing @parcel/watcher override.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 10

✅ Passed checks (10 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: CVE remediation for multiple dependencies (lodash, immutable, qs) on the main branch.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Stable And Deterministic Test Names	✅ Passed	The custom check for Ginkgo test files is not applicable to this repository, which uses Jest and Cypress tests instead.
Test Structure And Quality	✅ Passed	PR modifies only package.json for CVE remediation; no Ginkgo test code changes present.
Microshift Test Compatibility	✅ Passed	PR modifies package.json for CVE remediation only; custom check for Ginkgo e2e tests not applicable to this TypeScript/JavaScript console plugin repository.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR only modifies package.json for CVE remediation; no Ginkgo e2e tests are added, so check does not apply.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only modifies package.json for CVE remediation without changing any Kubernetes manifests, operator code, or scheduling constraints.
Ote Binary Stdout Contract	✅ Passed	The OTE Binary Stdout Contract check is designed for Go-based projects using OpenShift Tests Extension binaries. This PR modifies a Node.js/TypeScript console plugin with only configuration changes to package.json. The check is not applicable to this project type as it contains no Go code, no OTE-based tests, and no process-level stdout writes.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	Custom check not applicable; PR only modifies package.json for CVE remediation without introducing Ginkgo e2e tests.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[pcbailey]

Companion release PRs: #190 (4.20), #191 (4.19), #192 (4.18), #193 (4.17).

[openshift-ci]

@pcbailey: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[avivtur]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: avivtur, pcbailey

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [avivtur,pcbailey]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[pcbailey]

Pushed an additional commit for CVE-2026-22029 (GHSA-2w69-qvjg-hvjx): bump react-router-dom-v5-compat to ^6.30.3 and pin @remix-run/router to 1.23.2 (Yarn resolutions on release branches; npm overrides on main). The v5 react-router line is not in the affected 7.x range; the fix targets the v6 compat stack bundled with the console SDK.

[pcbailey]

/cherry-pick release-4.22

[openshift-cherrypick-robot]

@pcbailey: new pull request created: #207

Details

In response to this:

/cherry-pick release-4.22

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.