chore(scorecard): version:bump to v1.49.3 #2697

Open
Eswaraiahsapram wants to merge 2 commits into redhat-developer:main from Eswaraiahsapram:scorecard-backstage-1.49
Eswaraiahsapram (Member) commented Apr 2, 2026

Hey, I just made a Pull Request!

Fix

✔️ Checklist

  • A changeset describing the change and affected packages. (more info)
  • Added or Updated documentation
  • Tests for new functionality and regression tests for bug fixes
  • Screenshots attached (for UI changes)

rhdh-gh-app bot commented Apr 2, 2026

Important

This PR includes changes that affect public-facing API. Please ensure you are adding/updating documentation for new features or behavior.

Changed Packages

| Package Name | Package Path | Changeset Bump | Current Version |
| --- | --- | --- | --- |
| app-legacy | workspaces/scorecard/packages/app-legacy | none | v0.0.0 |
| app | workspaces/scorecard/packages/app | none | v0.0.0 |
| backend | workspaces/scorecard/packages/backend | none | v0.0.0 |
| @red-hat-developer-hub/backstage-plugin-scorecard-backend-module-dependabot | workspaces/scorecard/plugins/scorecard-backend-module-dependabot | minor | v0.1.0 |
| @red-hat-developer-hub/backstage-plugin-scorecard-backend-module-github | workspaces/scorecard/plugins/scorecard-backend-module-github | minor | v2.4.0 |
| @red-hat-developer-hub/backstage-plugin-scorecard-backend-module-jira | workspaces/scorecard/plugins/scorecard-backend-module-jira | minor | v2.4.0 |
| @red-hat-developer-hub/backstage-plugin-scorecard-backend-module-openssf | workspaces/scorecard/plugins/scorecard-backend-module-openssf | minor | v0.1.6 |
| @red-hat-developer-hub/backstage-plugin-scorecard-backend | workspaces/scorecard/plugins/scorecard-backend | minor | v2.4.0 |
| @red-hat-developer-hub/backstage-plugin-scorecard-common | workspaces/scorecard/plugins/scorecard-common | minor | v2.4.0 |
| @red-hat-developer-hub/backstage-plugin-scorecard-node | workspaces/scorecard/plugins/scorecard-node | minor | v2.4.0 |
| @red-hat-developer-hub/backstage-plugin-scorecard | workspaces/scorecard/plugins/scorecard | minor | v2.4.0 |

@rhdh-qodo-merge

Review Summary by Qodo

Backstage version bump to v1.49.3 with type safety improvements

✨ Enhancement

Walkthroughs

Description
• Upgrade Backstage dependencies to v1.49.3 across all packages
• Add TypeScript type safety improvements to permission rules
• Remove deprecated variant="gridItem" props from entity cards
• Update dev module configuration and API exports
Diagram

```mermaid
flowchart LR
  A["Version Update<br/>1.45.2 → 1.49.3"] --> B["Backstage Dependencies<br/>Updated"]
  B --> C["Backend Packages"]
  B --> D["Frontend Packages"]
  C --> E["Permission Rules<br/>Type Safety"]
  D --> F["Entity Cards<br/>Props Cleanup"]
  E --> G["TypeScript<br/>5.3.0 → 5.8.0"]
  F --> H["Dev Module<br/>Config Fix"]
```

File Changes

1. workspaces/scorecard/backstage.json ⚙️ Configuration changes +1/-1
   Update Backstage version to 1.49.3
2. workspaces/scorecard/package.json Dependencies +5/-4
   Update Backstage CLI and dependencies
3. workspaces/scorecard/plugins/scorecard-backend/src/permissions/permissionUtils.ts ✨ Enhancement +6/-1
   Add type safety to permission filter params
4. workspaces/scorecard/plugins/scorecard-backend/src/permissions/rules.ts ✨ Enhancement +14/-3
   Improve type safety for permission rules
5. workspaces/scorecard/.changeset/early-mirrors-sin.md 📝 Documentation +12/-0
   Add changeset for version bump
6. workspaces/scorecard/packages/app-legacy/package.json Dependencies +26/-26
   Update Backstage plugin dependencies
7. workspaces/scorecard/packages/app-legacy/src/components/catalog/EntityPage.tsx ✨ Enhancement +20/-21
   Remove deprecated variant prop from cards
8. workspaces/scorecard/packages/app/package.json Dependencies +16/-16
   Update Backstage frontend dependencies
9. workspaces/scorecard/packages/backend/package.json Dependencies +23/-23
   Update Backstage backend dependencies
10. workspaces/scorecard/plugins/scorecard-backend-module-dependabot/package.json Dependencies +6/-6
    Update Backstage backend plugin dependencies
11. workspaces/scorecard/plugins/scorecard-backend-module-github/package.json Dependencies +7/-7
    Update Backstage backend plugin dependencies
12. workspaces/scorecard/plugins/scorecard-backend-module-jira/package.json Dependencies +6/-6
    Update Backstage backend plugin dependencies
13. workspaces/scorecard/plugins/scorecard-backend-module-openssf/package.json Dependencies +5/-5
    Update Backstage backend plugin dependencies
14. workspaces/scorecard/plugins/scorecard-backend/package.json Dependencies +10/-10
    Update Backstage backend plugin dependencies
15. workspaces/scorecard/plugins/scorecard-common/package.json Dependencies +2/-2
    Update Backstage permission common dependency
16. workspaces/scorecard/plugins/scorecard-node/package.json Dependencies +5/-5
    Update Backstage backend plugin dependencies
17. workspaces/scorecard/plugins/scorecard/dev/index.tsx 🐞 Bug fix +2/-2
    Fix dev module plugin ID and API name
18. workspaces/scorecard/plugins/scorecard/package.json Dependencies +21/-19
    Update Backstage frontend plugin dependencies
19. workspaces/scorecard/plugins/scorecard/report-alpha.api.md 📝 Documentation +57/-9
    Update API report for new extension features
20. workspaces/scorecard/plugins/scorecard/report.api.md 📝 Documentation +3/-7
    Update API report for component signature
21. workspaces/scorecard/tsconfig.json ⚙️ Configuration changes +1/-10
    Remove path mappings from TypeScript config

rhdh-qodo-merge bot commented Apr 2, 2026

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0) 📎 Requirement gaps (0) 🎨 UX Issues (0)

Remediation recommended

1. Permission rule cast bypass 🐞 Bug ⚙ Maintainability
Description
hasMetricId is cast through any/unknown to PermissionRule, bypassing TypeScript validation
of the rule contract after the Backstage upgrade. This increases the risk of silently introducing
permission-condition mismatches that would only be caught at runtime (or not at all) when the
permissions registry consumes the rule set.
Code

workspaces/scorecard/plugins/scorecard-backend/src/permissions/rules.ts[R70-75]

+} as any) as unknown as PermissionRule<
+  Metric,
+  ScorecardFilter,
+  typeof RESOURCE_TYPE_SCORECARD_METRIC,
+  HasMetricIdParams
+>;
Evidence
The rule is created via createPermissionRule(...) but then force-cast (`as any) as unknown as
PermissionRule<...>`), which disables compile-time checking of the rule’s shape/types. The resulting
rules are registered with permissionsRegistry.addResourceType, so this cast directly affects the
authorization surface of the backend plugin.

workspaces/scorecard/plugins/scorecard-backend/src/permissions/rules.ts[47-75]
workspaces/scorecard/plugins/scorecard-backend/src/plugin.ts[81-88]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`hasMetricId` is being coerced to `PermissionRule` using `as any`/`as unknown`, which bypasses the type contract for permission rules. Because this rule is registered with the permissions registry, keeping it type-safe is important to avoid subtle authorization bugs.

### Issue Context
This was likely introduced as a workaround for changed generics/type inference in the newer `@backstage/plugin-permission-node` version.

### Fix Focus Areas
- workspaces/scorecard/plugins/scorecard-backend/src/permissions/rules.ts[47-75]

### What to change
- Remove the `as any) as unknown as PermissionRule<...>` chain.
- Instead, make the `createPermissionRule` call type-safe by providing explicit generics (as supported by the current Backstage typings) and/or deriving params from the Zod schema (e.g., `type HasMetricIdParams = z.infer<typeof paramsSchema>` pattern) so `apply`/`toQuery` signatures align without assertions.
- If a type assertion is truly unavoidable due to upstream typing limitations, replace `as any` with the narrowest possible assertion and add a short comment explaining the upstream typing gap and the expected shape being asserted.


Eswaraiahsapram (Member Author) commented Apr 2, 2026

This PR makes #2689 redundant so that it (#2689) can be closed.

cc: @christoph-jerolimov

@christoph-jerolimov (Member)

Rebased this PR to rerun sonarqube check after #2613 was now merged.

Comment on lines +70 to +74
} as any) as unknown as PermissionRule<
Metric,
ScorecardFilter,
typeof RESOURCE_TYPE_SCORECARD_METRIC,
HasMetricIdParams
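
Review bot: On line +70 the `as any` sits inside the closing parenthesis, so it erases the type of the value that ends in `}` before the outer `as unknown as PermissionRule<...>` is applied, and no comment says why either assertion is needed. Two separate checks are switched off on a value typed as a `PermissionRule`. If the outer assertion cannot be avoided, keep only that one, drop or narrow the inner `as any` so the inner value is still checked, and add a short comment naming the typing limitation being worked around so the cast can be removed later.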
Member

same as above

Member

@Eswaraiahsapram you've missed this one

Eswaraiahsapram (Member Author) Apr 8, 2026

@debsmita1 Removing this causes a TypeScript error.

Member Author

With the current @backstage/plugin-permission-node typings, the resourceRef overload treats rule params as undefined.

When I tried fixing it using proper generics, it resulted in a TS2589 (excessively deep instantiation) error.

So this cast is needed here to make it work, and it’s scoped only to this call.
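
The trade-off discussed in this thread, as an added TypeScript example that is not code from the PR, the scorecard plugin or Backstage: an `as any` on a rule definition lets a drifted `apply` compile, while a type annotation rejects it. `RuleDef`, `evaluate`, `parseMetricIds`, the `metricIds` key and the sample metric id are assumptions made for illustration.

```typescript
// Added example. Metric, RuleDef, evaluate and the rule bodies are local
// stand-ins (assumptions), not the Backstage or scorecard plugin API.
type Metric = { id: string };
type RuleDef<P> = {
  name: string;
  parse: (input: unknown) => P; // runtime params check
  apply: (resource: Metric, params: P) => boolean;
};

// Evaluates a rule the way a registry would: validate params, then apply.
function evaluate<P>(rule: RuleDef<P>, resource: Metric, raw: unknown): boolean {
  return rule.apply(resource, rule.parse(raw));
}

type HasMetricIdParams = { metricIds: string[] };

function parseMetricIds(input: unknown): HasMetricIdParams {
  const ids = (input as { metricIds?: unknown } | null)?.metricIds;
  if (!Array.isArray(ids) || !ids.every(i => typeof i === 'string')) {
    throw new TypeError('metricIds must be an array of strings');
  }
  return { metricIds: ids };
}

// Cast pattern: `as any` on the definition hides that `apply` reads a key
// (`metricId`) that the params type does not have. This compiles.
const castRule = {
  name: 'HAS_METRIC_ID',
  parse: parseMetricIds,
  apply: (r: Metric, p: { metricId?: string[] }) => (p.metricId ?? []).includes(r.id),
} as any as RuleDef<HasMetricIdParams>;

// Checked pattern: with the annotation, the same misspelled key would be a
// compile error, so only the correct body type-checks.
const typedRule: RuleDef<HasMetricIdParams> = {
  name: 'HAS_METRIC_ID',
  parse: parseMetricIds,
  apply: (r, p) => p.metricIds.includes(r.id),
};

// Constructed sample input: a condition that should match one metric.
const sampleParams = { metricIds: ['github.open_prs'] };
const sampleMetric: Metric = { id: 'github.open_prs' };

function decisions(): { cast: boolean; typed: boolean } {
  const run = <P>(rule: RuleDef<P>) => evaluate(rule, sampleMetric, sampleParams);
  return { cast: run(castRule), typed: run(typedRule) };
}
```

In this sample the drifted rule fails closed (it never matches), but a cast gives no guarantee about which direction a mismatch will fail in.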

Eswaraiahsapram force-pushed the scorecard-backstage-1.49 branch from f8cd8e5 to 0a0e7f9 on April 8, 2026 16:43
sonarqubecloud bot commented Apr 8, 2026
