RHIDP-4492 (Red Hat Internal Developer Platform)

Spike: investigate how to have fewer yarn.lock dependencies cached / keep things up to date


    • Type: Task
    • Priority: Blocker
    • Resolution: Done
    • Versions: 1.3.1, 1.4
    • Components: Build, Dynamic plugins

      Cachito problem:

      we cache yarn locks under https://github.com/janus-idp/backstage-showcase/tree/main/dynamic-plugins and https://gitlab.cee.redhat.com/rhidp/rhdh/-/tree/rhdh-1-rhel-9/distgit/containers/rhdh-hub/dynamic-plugins-imports-peer-dependencies which MIGHT differ / include older versions than the root yarn lock, leading to situations where:

      • a CVE is fixed in a dependency
      • but the dynamic plugin wrapper still uses the older unpatched dependency
      • customers do their own scanning of the node_modules folders we ship in the rhdh-hub container
      • complaints arise that we haven't fixed ALL the dependency chains

      Some possible ideas:

      • Use Resolutions as hackarounds to override missed transitive deps?
      • Delete and regen yarn lock at intervals?
      • Check if Cachito still needs all these files (or if we can exclude them and just use the root yarn lock as input to the caching process)
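As an added example (not code from this ticket or from the rhdh / backstage-showcase repositories), a small Python check for the drift described above: it parses the root yarn.lock and one dynamic-plugin wrapper's lockfile (accepting both the classic `version "x"` and the berry `version: x` syntax) and reports every package the wrapper pins to an older version than the root lock resolves, which is exactly where an unpatched copy of a CVE-fixed dependency would survive. The lockfile contents are constructed samples and the wrapper path is hypothetical.

```python
import re
_VERSION_RE = re.compile(r'^\s+version:?\s+"?([^"\s]+)"?\s*$')  # classic: version "x"; berry: version: x

def version_key(v):
    core = re.split(r"[-+]", v, maxsplit=1)[0]  # prerelease/build suffix ignored (assumption)
    return tuple(int(p) if p.isdigit() else 0 for p in core.split("."))

def parse_yarn_lock(text):
    """Package name -> set of pinned versions (a package may be pinned once per range)."""
    pins, names = {}, []
    for line in text.splitlines():
        if line and not line[0].isspace() and line[0] != "#" and line.rstrip().endswith(":"):
            names = []  # entry header: "pkg@range", "pkg@range":
            for desc in line.rstrip()[:-1].split(","):
                desc = desc.strip().strip('"')
                at = desc.rfind("@")  # rfind: scoped names start with '@'
                if at > 0:  # skips headers without a range, e.g. berry's __metadata:
                    names.append(desc[:at])
            continue
        m = _VERSION_RE.match(line)
        if m and names:
            for name in names:
                pins.setdefault(name, set()).add(m.group(1))
    return pins

def drift(root, wrapper):
    """name -> (wrapper's lowest pin, root's lowest pin) for packages the wrapper pins older."""
    out = {}
    for name, versions in wrapper.items():
        if name in root:
            w_min, r_min = min(versions, key=version_key), min(root[name], key=version_key)
            if version_key(w_min) < version_key(r_min):
                out[name] = (w_min, r_min)
    return out

# Constructed samples: root yarn.lock (classic v1 syntax) and one wrapper lockfile (berry syntax)
ROOT_LOCK = '''# yarn lockfile v1
"lodash@^4.17.21", "lodash@4.17.21":
  version "4.17.21"
'''
WRAPPER_LOCK = '''__metadata:
  version: 6
"lodash@npm:^4.17.15":
  version: 4.17.20
"lodash@npm:4.17.21":
  version: 4.17.21
'''

def check_wrapper(root_text=ROOT_LOCK, wrapper_text=WRAPPER_LOCK):
    return drift(parse_yarn_lock(root_text), parse_yarn_lock(wrapper_text))
```

Run `check_wrapper()` over the real root yarn.lock and each lockfile under the dynamic-plugins directories; an empty result means no wrapper pins anything older than the root lock.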

              Assignee / Reporter: Nick Boldt (nickboldt)
              RHIDP - Dynamic Plugins