In order to open the door to EUS support of plugins which depend on chains of 3rd party deps which sometimes can't or won't be updated in a timely manner, we will need a process for "ghost forking" packages and delivering them to NRRC (https://npm.registry.redhat.com/ ).

This will then open the door to customers being able to get our security/bugfix patched versions of dependencies by referring to the NRRC registry to resolve deps, instead of the unpatched ones in the wilderness (from yarn or npmjs registries).

To achieve this we need to start using the charon-powered Konflux tasks that can take maven and npm packages and copy them to NRRC.

Prelim information (to be fleshed out into epics/tasks):

• https://gitlab.cee.redhat.com/gli/quarkus-maven-ta/-/blob/main/konflux/release/mrrc-rpa.yaml#L47
  • "pipelines/managed/release-to-mrrc/release-to-mrrc.yaml"

• https://github.com/konflux-ci/release-service-catalog/blob/development/pipelines/managed/release-to-mrrc/release-to-mrrc.yaml