fix(deps): update rhdh x2a dependencies (minor)

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@backstage-community/plugin-rbac-backend (source)	7.6.2 → 7.13.0
@playwright/test (source)	1.59.1 → 1.60.0

---

Release Notes

backstage/community-plugins (@​backstage-community/plugin-rbac-backend)

v7.13.0

Compare Source

Minor Changes

• 6a916a1: Backstage version bump to v1.50.4

Patch Changes

• Updated dependencies [6a916a1]
  • @​backstage-community/plugin-rbac-common@​1.27.0
  • @​backstage-community/plugin-rbac-node@​1.21.0

v7.12.5

Compare Source

Patch Changes

• 39a3942: Hardens RBAC policy handling to prevent Casbin CSV poisoning and improve error visibility.

  Key fixes:

  • Rejects permission policy permission values containing " before persistence (prevents known CSV parse failures).
  • Rethrows loadPolicy failures after audit logging so mutation/read paths surface the root cause instead of secondary errors.
  • Improves policy API request validation and missing-role handling (400/404 where appropriate).
  • Validates default configured permissions/admin refs with the same stricter checks used by runtime write paths.
  • Strengthens conditional and plugin-id payload validation and aligns owner filtering behavior for default roles.

  Compatibility notes:

  • Requests/config entries using permission values with embedded " are now rejected.
  • Conditional policy payloads and conditional YAML ingestion now enforce limits.
  • Conditional permissionMapping must list distinct Backstage permission actions (no duplicates); at most one entry per supported action (create, read, update, delete, use).
  • Plugin ID registration payloads now enforce count/length/duplicate checks.
  • For larger existing payloads, limits are configurable via:
  • permission.rbac.validation.conditionalPolicies.maxConditionDepth
  • permission.rbac.validation.conditionalPolicies.maxConditionNodeCount
  • permission.rbac.validation.conditionalPolicies.maxCriteriaItems
  • permission.rbac.validation.conditionalPoliciesFile.maxBytes
  • permission.rbac.validation.conditionalPoliciesFile.maxDocuments

  Operational note:

  • CSV policy files are parsed line-by-line; malformed lines are skipped with warnings instead of aborting the entire file load.

v7.12.4

Compare Source

Patch Changes

• 170f85d: Migrate to Jest 30 and fix backend test assertion compatibility
• Updated dependencies [170f85d]
  • @​backstage-community/plugin-rbac-common@​1.26.1
  • @​backstage-community/plugin-rbac-node@​1.20.1

v7.12.3

Compare Source

Patch Changes

• fb2a770: Made postgres username and password optional in casbin adapter factory to support passwordless authentication

v7.12.2

Compare Source

Patch Changes

• 39272f8: Updated dependency csv-parse to ^6.0.0.
• 70e6333: Updated dependency @dagrejs/graphlib to ^4.0.0.
• a559dfb: Updated dependency @types/node to 22.19.17.
• 8846adf: Updated dependency qs to 6.15.1.

v7.12.1

Compare Source

Patch Changes

• 40e44bb: Updated dependency qs to 6.14.2.

v7.12.0

Compare Source

Minor Changes

• 8993474: Backstage version bump to v1.49.2

Patch Changes

• Updated dependencies [8993474]
  • @​backstage-community/plugin-rbac-common@​1.26.0
  • @​backstage-community/plugin-rbac-node@​1.20.0

v7.11.0

Compare Source

Minor Changes

• 50e194d: Add support for a default role and permissions for authenticated users in RBAC backend

  • Introduced a new defaultRole and basicPermissions configuration options to assign a default role to all authenticated users.

    permission:
      rbac:
    +   defaultPermissions:
    +     defaultRole: role:default/my-default-role
    +     basicPermissions:
    +       - permission: catalog.entity.read
    +         action: read

  • Updated the RBAC permission policy to include the default role in user roles if not already present.

Patch Changes

• Updated dependencies [50e194d]
  • @​backstage-community/plugin-rbac-common@​1.25.0
  • @​backstage-community/plugin-rbac-node@​1.19.1

v7.10.0

Compare Source

Minor Changes

• 133eae6: Add support for loading conditional permissions from a remote provider (fix #​6412)

Patch Changes

• Updated dependencies [133eae6]
  • @​backstage-community/plugin-rbac-node@​1.19.0

v7.9.1

Compare Source

Patch Changes

• d737494: Backstage version bump to v1.48.5
• Updated dependencies [d737494]
  • @​backstage-community/plugin-rbac-common@​1.24.1
  • @​backstage-community/plugin-rbac-node@​1.18.1

v7.9.0

Compare Source

Minor Changes

• da170a1: Add support for group reference in superUsers list, using direct membership only

Patch Changes

• 8a6b81c: Updated dependency @types/supertest to ^7.0.0.

v7.8.0

Compare Source

Minor Changes

• 843bbe2: Backstage version bump to v1.48.4

Patch Changes

• Updated dependencies [843bbe2]
  • @​backstage-community/plugin-rbac-common@​1.24.0
  • @​backstage-community/plugin-rbac-node@​1.18.0

v7.7.2

Compare Source

Patch Changes

• 8c7bddb: Added NFS support
• af998b7: Updated dependency supertest to 7.2.2.

v7.7.1

Compare Source

Patch Changes

• b133c9d: Updated dependency @types/supertest to ^6.0.0.
• 497d5c6: Updated dependency @types/node to 22.19.11.
• 9c7ae87: Fix - stop error on upgrade v1.47.x - allow all plugins in the arry to show

v7.7.0

Compare Source

Minor Changes

• e6dbf70: Backstage version bump to v1.47.2

Patch Changes

• e6dbf70: updated the permissionFactory to use the FetchUrlReader.fromConfig
• a184943: Updated dependency @types/node to 22.19.7.
• Updated dependencies [e6dbf70]
  • @​backstage-community/plugin-rbac-common@​1.23.0
  • @​backstage-community/plugin-rbac-node@​1.17.0

microsoft/playwright (@​playwright/test)

v1.60.0

Compare Source

🌐 HAR recording on Tracing

tracing.startHar() / tracing.stopHar() expose HAR recording as a first-class tracing API, with the same content, mode and urlFilter options as recordHar. The returned Disposable makes it easy to scope a recording with await using:

await using har = await context.tracing.startHar('trace.har');
const page = await context.newPage();
await page.goto('https://playwright.dev');
// HAR is finalized when `har` goes out of scope.

🪝 Drop API

New locator.drop() simulates an external drag-and-drop of files or clipboard-like data onto an element. Playwright dispatches dragenter, dragover, and drop with a synthetic [DataTransfer] in the page context — works cross-browser and is great for testing upload zones:

await page.locator('#dropzone').drop({
  files: { name: 'note.txt', mimeType: 'text/plain', buffer: Buffer.from('hello') },
});

await page.locator('#dropzone').drop({
  data: {
    'text/plain': 'hello world',
    'text/uri-list': 'https://example.com',
  },
});

🎯 Aria snapshots

• expect(page).toMatchAriaSnapshot() now works on a Page, in addition to a Locator — equivalent to asserting against page.locator('body').
• New boxes option on locator.ariaSnapshot() / page.ariaSnapshot() appends each element's bounding box as [box=x,y,width,height], useful for AI consumption.

🛑 test.abort()

New test.abort() aborts the currently running test from a fixture, hook, or route handler with an optional message. Use it when you have detected an unrecoverable misuse and want to fail the test right away:

test('does not publish to the shared page', async ({ page }) => {
  await page.route('**/publish', route => {
    test.abort('Tests must not publish to the shared page. Use the `clone` option.');
    return route.abort();
  });
  // ...
});

New APIs

Browser, Context and Page

• Event browser.on('context') — fired when a new context is created on the browser.
• BrowserContext now mirrors lifecycle events from its pages: browserContext.on('download'), browserContext.on('frameattached'), browserContext.on('framedetached'), browserContext.on('framenavigated'), browserContext.on('pageclose'), browserContext.on('pageload').

Locators and Assertions

• New option description in page.getByRole() / locator.getByRole() / frame.getByRole() / frameLocator.getByRole() for matching the accessible description.
• New option pseudo in expect(locator).toHaveCSS() reads computed styles from ::before or ::after.
• New option style in locator.highlight() applies extra inline CSS to the highlight overlay, plus new page.hideHighlight() to clear all highlights.

Network

• webSocketRoute.protocols() returns the WebSocket subprotocols requested by the page.
• New option noDefaults in browserType.connectOverCDP() disables Playwright's default overrides on the default context (download behavior, focus emulation, media emulation), so attaching to a user's daily-driver browser doesn't disturb its state.

Errors and Reporting

• New webError.location() mirrors consoleMessage.location().
• consoleMessage.location() now exposes line / column properties (lineNumber / columnNumber are deprecated).
• New testInfoError.errorContext surfaces additional diagnostic context, such as the aria snapshot of the receiver at the time of an expect(...) matcher failure.
• reporter.onError() now receives a workerInfo argument with details about the worker for fixture teardown errors.

Test runner

• New {testFileBaseName} token in testProject.snapshotPathTemplate — file name without extension.
• Test runner now errors when a config tries to override a non-option fixture, and rejects workers: 0 or negative values.

🛠️ Other improvements

• HTML reporter:
  • npx playwright show-report accepts .zip files directly — no need to unzip first.
  • Steps that contain attachments inside nested children show an indicator on the parent step.
  • The repeatEachIndex is shown in the test header when non-zero.
• Trace Viewer adds a pretty-print toggle for JSON / form request and response bodies in the network details panel.

Breaking Changes ⚠️

• Removed long-deprecated APIs:
  • Locator.ariaRef() — use the standard locator.ariaSnapshot() pipeline.
  • handle option on BrowserContext.exposeBinding and Page.exposeBinding.
  • logger option on BrowserType.connect and BrowserType.connectOverCDP — use tracing instead.
  • Context options videosPath / videoSize — use recordVideo instead.

Browser Versions

• Chromium 148.0.7778.96
• Mozilla Firefox 150.0.2
• WebKit 26.4

This version was also tested against the following stable channels:

• Google Chrome 147
• Microsoft Edge 147

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[rhdh-gh-app]

Changed Packages

Package Name	Package Path	Changeset Bump	Current Version
backend	workspaces/x2a/packages/backend	none	v0.0.0

[mareklibra]

So far we must preserve RHDH 1.9 (Backstage 1.45.3) compatibility

---

The @playwright/test bump to 1.59.1 is fine.

---

The @backstage-community/plugin-rbac-backend should stay at 7.6.2 (or whichever version is compatible with Backstage 1.45.3).

The rbac-backend 7.12.3 code runs against @backstage/backend-defaults@0.13.2 and @backstage/backend-plugin-api@1.5.0. This is almost certain to cause runtime errors.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 53.29%. Comparing base (3d8b160) to head (170d2c3).
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2791      +/-   ##
==========================================
- Coverage   53.29%   53.29%   -0.01%     
==========================================
  Files        2407     2407              
  Lines       86420    86422       +2     
  Branches    23954    23953       -1     
==========================================
  Hits        46057    46057              
- Misses      40036    40111      +75     
+ Partials      327      254      -73     

Flag	Coverage Δ		*Carryforward flag
adoption-insights	83.58% <ø> (ø)		Carriedforward from 3d8b160
ai-integrations	70.03% <ø> (ø)		Carriedforward from 3d8b160
app-defaults	69.60% <ø> (ø)		Carriedforward from 3d8b160
augment	46.39% <ø> (ø)		Carriedforward from 3d8b160
bulk-import	72.86% <ø> (ø)		Carriedforward from 3d8b160
cost-management	16.49% <ø> (ø)		Carriedforward from 3d8b160
dcm	32.85% <ø> (ø)		Carriedforward from 3d8b160
extensions	61.79% <ø> (ø)		Carriedforward from 3d8b160
global-floating-action-button	74.30% <ø> (ø)		Carriedforward from 3d8b160
global-header	61.63% <ø> (ø)		Carriedforward from 3d8b160
homepage	51.52% <ø> (ø)		Carriedforward from 3d8b160
konflux	91.01% <ø> (ø)		Carriedforward from 3d8b160
lightspeed	68.33% <ø> (ø)		Carriedforward from 3d8b160
mcp-integrations	85.46% <ø> (ø)		Carriedforward from 3d8b160
orchestrator	36.51% <ø> (ø)		Carriedforward from 3d8b160
quickstart	62.88% <ø> (ø)		Carriedforward from 3d8b160
sandbox	79.49% <ø> (ø)		Carriedforward from 3d8b160
scorecard	83.84% <ø> (ø)		Carriedforward from 3d8b160
theme	64.54% <ø> (ø)		Carriedforward from 3d8b160
translations	8.49% <ø> (ø)		Carriedforward from 3d8b160
x2a	78.76% <ø> (-0.04%)	⬇️

*This pull request uses carry forward flags. Click here to find out more.

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 3d8b160...170d2c3. Read the comment docs.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[mareklibra]

Partial fix: #3108

The @backstage-community/plugin-rbac-backend update must wait.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud