Feature
Resolution: Unresolved
Blocker
In order to open the door to LTS support of plugins which depend on chains of 3rd party deps that sometimes can't or won't be updated in a timely manner, we will need a process for "ghost forking" packages and delivering them to NRRC (https://npm.registry.redhat.com/).
Customers could then get our security/bugfix-patched versions of dependencies by resolving deps from the NRRC registry instead of the unpatched ones in the wild (from the yarn or npmjs registries).
To achieve this we need to start using the charon-powered Konflux tasks that can take Maven and npm packages and copy them to NRRC.
Prelim information (to be fleshed out into epics/tasks):
- https://gitlab.cee.redhat.com/gli/quarkus-maven-ta/-/blob/main/konflux/release/mrrc-rpa.yaml#L47
- "pipelines/managed/release-to-mrrc/release-to-mrrc.yaml"
TL;DR
We want to be able to:
- rebuild some upstream node packages from the @backstage scope in case there's a CVE that we have to fix outside the Backstage 6-month support agreement.
We would then need a way to:
- publish that patched package to a RH-approved registry,
- ideally using the SAME namespace (not under @redhat), but
- applying a patched version, e.g., with a -redhat suffix or something similar, to
- differentiate the original upstream from our security-patched version.
Also we'd want to use:
- Yarn v4
- hermeto
- konflux snapshots and
- release yamls
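One caveat to settle before picking the version scheme: under semver, a "-redhat" suffix is a prerelease identifier, so a patched 1.2.3-redhat.1 sorts below 1.2.3 and is not selected by the upstream ^1.2.3 range, which means consumers need an explicit Yarn `resolutions` entry. The check below is an added example, not code from this ticket or the Backstage project; the package names and versions in it are constructed sample data, and it implements only the semver subset needed here (X.Y.Z[-prerelease] and ^X.Y.Z ranges).

```javascript
// Added example: does a "-redhat"-suffixed patched version satisfy the upstream
// caret range, or does it need an explicit `resolutions` override in package.json?

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*))?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split(".") : [] };
}

// Semver precedence: numeric tuple first; a prerelease sorts below the bare release
// of the same tuple, so 1.2.3-redhat.1 < 1.2.3.
function compareVersions(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.pre.length === 0 && b.pre.length === 0) return 0;
  if (a.pre.length === 0) return 1;
  if (b.pre.length === 0) return -1;
  for (let i = 0; i < a.pre.length; i++) {
    const x = a.pre[i], y = b.pre[i];
    if (y === undefined) return 1;
    if (x === y) continue;
    const nx = /^\d+$/.test(x), ny = /^\d+$/.test(y);
    if (nx && ny) return +x < +y ? -1 : 1;
    if (nx !== ny) return nx ? -1 : 1; // numeric identifiers sort before alphanumeric
    return x < y ? -1 : 1;
  }
  return a.pre.length < b.pre.length ? -1 : 0;
}

// Caret check with the node-semver prerelease rule: a prerelease version only
// satisfies a range if the range itself names a prerelease on the same X.Y.Z tuple.
function satisfiesCaret(range, version) {
  if (!range.startsWith("^")) throw new Error(`only caret ranges supported: ${range}`);
  const base = parseVersion(range.slice(1));
  const v = parseVersion(version);
  const sameTuple = ["major", "minor", "patch"].every((k) => v[k] === base[k]);
  if (v.pre.length > 0 && !(sameTuple && base.pre.length > 0)) return false;
  if (compareVersions(v, base) < 0) return false;
  if (base.major > 0) return v.major === base.major;                  // ^1.2.3 => <2.0.0
  if (base.minor > 0) return v.major === 0 && v.minor === base.minor; // ^0.2.3 => <0.3.0
  return sameTuple;                                                    // ^0.0.3 => <0.0.4
}

// Returns the `resolutions` entries a consumer would need to pin the patched builds.
function resolutionsNeeded(deps) {
  const out = {};
  for (const [name, { range, patched }] of Object.entries(deps)) {
    if (!satisfiesCaret(range, patched)) out[name] = patched;
  }
  return out;
}

// Constructed sample data (hypothetical ranges and patched versions, not real releases).
const SAMPLE_DEPS = {
  "@backstage/plugin-catalog": { range: "^1.2.3", patched: "1.2.3-redhat.1" },
  "@backstage/core-app-api": { range: "^1.5.0", patched: "1.5.1-redhat.1" },
  "@backstage/errors": { range: "^1.2.0", patched: "1.2.1" },
};
console.log(JSON.stringify(resolutionsNeeded(SAMPLE_DEPS), null, 2));
```

The same-namespace requirement still has to be met on the registry side; with Yarn v4 that is the `npmScopes` entry for `backstage` in `.yarnrc.yml` pointing `npmRegistryServer` at NRRC, so the pinned versions resolve from there rather than npmjs.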