chore(scorecard): version bump to v1.51.0 #3284

Open
Eswaraiahsapram wants to merge 1 commit into redhat-developer:main from Eswaraiahsapram:scorecard-bump-1.51.0

Conversation

@Eswaraiahsapram (Member) commented Jun 3, 2026

Hey, I just made a Pull Request!

Scorecard version bump

Fix - https://redhat.atlassian.net/browse/RHIDP-13795

Screen.Recording.2026-06-03.at.8.55.19.PM.mov

How to test

  1. Configure the GitHub integration in app-config.yaml

     integrations:
       github:
         - host: github.com
           token: GITHUB_TOKEN

  2. Configure the Jira integration in app-config.yaml

     jira:
       baseUrl: https://redhat.atlassian.net
       token: JIRA_TOKEN
       product: cloud

  3. Configure proxy in app-config.yaml

     proxy:
       '/jira/api':
         target: https://redhat.atlassian.net
         headers:
           Authorization: <JIRA_PAT>
           Accept: 'application/json'
           Content-Type: 'application/json'
           X-Atlassian-Token: 'nocheck'
           User-Agent: 'MY-UA-STRING'

  4. Already, we have a few example entities in the examples folder to test.

✔️ Checklist

  • A changeset describing the change and affected packages. (more info)
  • Added or Updated documentation
  • Tests for new functionality and regression tests for bug fixes
  • Screenshots attached (for UI changes)

rhdh-gh-app Bot commented Jun 3, 2026

Important

This PR includes changes that affect public-facing API. Please ensure you are adding/updating documentation for new features or behavior.

Changed Packages

| Package Name | Package Path | Changeset Bump | Current Version |
|---|---|---|---|
| app-legacy | workspaces/scorecard/packages/app-legacy | none | v0.0.0 |
| app | workspaces/scorecard/packages/app | none | v0.0.0 |
| backend | workspaces/scorecard/packages/backend | none | v0.0.0 |
| @red-hat-developer-hub/backstage-plugin-scorecard-backend-module-dependabot | workspaces/scorecard/plugins/scorecard-backend-module-dependabot | minor | v0.2.11 |
| @red-hat-developer-hub/backstage-plugin-scorecard-backend-module-filecheck | workspaces/scorecard/plugins/scorecard-backend-module-filecheck | minor | v0.1.8 |
| @red-hat-developer-hub/backstage-plugin-scorecard-backend-module-github | workspaces/scorecard/plugins/scorecard-backend-module-github | minor | v2.7.7 |
| @red-hat-developer-hub/backstage-plugin-scorecard-backend-module-jira | workspaces/scorecard/plugins/scorecard-backend-module-jira | minor | v2.7.7 |
| @red-hat-developer-hub/backstage-plugin-scorecard-backend-module-openssf | workspaces/scorecard/plugins/scorecard-backend-module-openssf | minor | v0.2.11 |
| @red-hat-developer-hub/backstage-plugin-scorecard-backend-module-sonarqube | workspaces/scorecard/plugins/scorecard-backend-module-sonarqube | minor | v0.1.6 |
| @red-hat-developer-hub/backstage-plugin-scorecard-backend | workspaces/scorecard/plugins/scorecard-backend | minor | v2.7.7 |
| @red-hat-developer-hub/backstage-plugin-scorecard-common | workspaces/scorecard/plugins/scorecard-common | minor | v2.7.7 |
| @red-hat-developer-hub/backstage-plugin-scorecard-node | workspaces/scorecard/plugins/scorecard-node | minor | v2.7.7 |
| @red-hat-developer-hub/backstage-plugin-scorecard | workspaces/scorecard/plugins/scorecard | minor | v2.7.7 |

fullsend-ai-review Bot commented Jun 3, 2026

Review

Findings

Low

  • [test-weakened] workspaces/scorecard/packages/app-legacy/e2e-tests/pages/CatalogPage.ts:72 — switchToLocale switches from role-based link clicking (getByRole('link', { name: 'Settings' })) to direct URL navigation (page.goto('/settings')). This bypasses UI element verification for the settings and home navigation links. However, this pattern is consistent with existing page.goto() usage in loginAndSetLocale() and openCatalog() in the same file, and the method's core purpose (locale switching) remains fully tested. Likely a necessary adaptation to Backstage v1.51.0 sidebar changes.

  • [pattern-violation] workspaces/scorecard/plugins/scorecard/report-alpha.api.md:57 — The configInput property ordering changed from {title, path} to {path, title}. This is a cosmetic reordering in the auto-generated API report, likely caused by a change in API Extractor's output ordering in the new Backstage version. No semantic impact.

Info

  • [api-contract] workspaces/scorecard/plugins/scorecard/package.json — Several major version bumps included: @backstage/plugin-catalog-react ^2.x → ^3.0.0, @backstage/plugin-scaffolder-backend ^3.x → ^4.0.0, @backstage/frontend-plugin-api ^0.15.x → ^0.17.0. No source code changes accompany these bumps, suggesting the consumed API surface was not affected. CI build and test results should confirm compatibility.

  • [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: the sonnet model was unavailable on this deployment. This is a sonnet-tier dimension and does not block the review.

Previous run

Review

Findings

Low

  • [api-contract] workspaces/scorecard/.changeset/icy-poets-run.md — Changeset marks all scorecard packages as minor despite consuming major dependency version bumps (@backstage/plugin-catalog-react v2→v3, @backstage/plugin-scaffolder-backend v3→v4). The generated API report (report-alpha.api.md) shows only a cosmetic property reorder, confirming no breaking type changes propagated to the scorecard plugins' public API. This appears consistent with standard Backstage version bump practice, but worth verifying that no breaking changes affect downstream consumers.

  • [test-inadequate] workspaces/scorecard/packages/app-legacy/e2e-tests/pages/CatalogPage.ts:72 — E2E test replaced UI-element-based navigation (getByRole('link', { name: 'Settings' }) and locator('a').filter({ hasText: 'Home' })) with direct page.goto() calls. This is reasonable for a version bump (the UI elements may have changed), but slightly reduces coverage of navigation link presence/functionality. The affected code is test setup, not the behavior under test.

  • [naming-convention] workspaces/scorecard/.changeset/icy-poets-run.md — Typo in changeset description: "Backsatge" should be "Backstage".

Info

  • [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model unavailable on deployment. Style review was not performed for this PR.
Previous run (2)

Review

Findings

Medium

  • [api-contract] workspaces/scorecard/plugins/scorecard/package.json:59 — @backstage/plugin-catalog-react is bumped from ^2.1.1 to ^3.0.0 (major version). The scorecard plugin imports EntityContentBlueprint, useEntity, catalogApiRef, entityRouteRef, EntityRefLink, and EntityRefLinks from this package across 8 source files. A major version bump may include breaking API changes. No source code changes accompany this bump, so if any of these imports changed shape in v3, the build will fail silently after merge.
    Remediation: Confirm CI build and test suite pass. Verify all imports from @backstage/plugin-catalog-react are still valid in v3.0.0.

  • [api-contract] workspaces/scorecard/plugins/scorecard/package.json:56 — @backstage/frontend-plugin-api is bumped from ^0.15.1 to ^0.17.0 (two minor versions on a 0.x package, which per semver may include breaking changes). The scorecard plugin imports createFrontendPlugin, createFrontendModule, PageBlueprint, createApiFactory, and ApiBlueprint from this package. The report-alpha.api.md shows a property reorder in configInput, confirming the API extractor ran against the new version and the generated surface shifted.
    Remediation: Confirm CI passes. For 0.x packages, even minor bumps can be breaking per semver.

Low

  • [api-contract] workspaces/scorecard/packages/backend/package.json:38 — @backstage/plugin-scaffolder-backend is bumped from ^3.2.0 to ^4.0.0 (major version). No scorecard source code directly imports from this package (it is a backend app dependency only), so the risk is limited to runtime module registration changes.

  • [api-contract] workspaces/scorecard/packages/app-legacy/package.json:41 — @backstage/plugin-permission-react is bumped from ^0.4.41 to ^0.5.1 (minor on 0.x). The app-legacy package uses RequirePermission from this package — verify it still works with 0.5.x.

  • [naming-convention] workspaces/scorecard/.changeset/icy-poets-run.md:14 — Typo in changeset description: "Backsatge" should be "Backstage".

Info

  • [test-adequacy] This PR bumps multiple dependencies with major version changes but modifies zero source or test files. Ensure the CI build, type-checking, and test suite have been validated against the new dependency versions.

  • [sub-agent-failure] The style-conventions, intent-coherence, and cross-repo-contracts sub-agents could not be dispatched (model unavailable). These are sonnet-tier dimensions; findings from these dimensions were not evaluated for this review.

Previous run (3)

Review

Findings

High

  • [api-contract] workspaces/scorecard/plugins/scorecard/package.json — Several dependencies have major version bumps (plugin-catalog-react v2→v3, plugin-scaffolder-backend v3→v4, frontend-plugin-api v0.15→v0.17, plugin-permission-react v0.4→v0.5, ui v0.13→v0.15) but no source code (.ts/.tsx) files are modified in this PR. CI confirms a problem: both "Workspace scorecard, CI step for node 22" and "node 24" are failing, while the Verify step passes. The source code imports from these packages (e.g., entityRouteRef, useEntity, useEntityPresentation from plugin-catalog-react; RequirePermission from plugin-permission-react; PageBlueprint, createFrontendModule from frontend-plugin-api). Major version bumps can introduce breaking changes to APIs, type signatures, or runtime behavior.
    Remediation: Investigate the CI failures in the scorecard workspace CI step. Review the Backstage upgrade changelogs for plugin-catalog-react v3, plugin-scaffolder-backend v4, frontend-plugin-api v0.16/v0.17, and plugin-permission-react v0.5 for migration steps. Apply any required source code changes to fix the build/tests.

Low

  • [api-contract] workspaces/scorecard/packages/backend/package.json — plugin-scaffolder-backend is bumped from ^3.2.0 to ^4.0.0 (major version) and plugin-auth-backend from ^0.27.3 to ^0.29.0 (skipping v0.28). While packages/backend only wires these as backend modules, major version bumps in backend plugins can change module registration APIs, configuration schemas, or database migration behavior.
    Remediation: Review Backstage changelogs for plugin-scaffolder-backend v4.0.0 and plugin-auth-backend v0.29.0 to confirm no migration steps are needed.

  • [naming-convention] workspaces/scorecard/.changeset/icy-poets-run.md:14 — Typo in changeset description: "Backsatge version bump to v1.51.0" should be "Backstage version bump to v1.51.0". This text will appear in the published changelog.
    Remediation: Fix the typo: Backsatge → Backstage.

Info

  • [sub-agent-failure] N/A — The style-conventions and intent-coherence sub-agents did not return findings: model not available on deployment. These are sonnet-tier dimensions and do not block the review.
Previous run (4)

Review

Reason: stale-head

The review agent reviewed commit 19a59bb9d4d30ad380ca3fce1805f8aa5094d171 but the PR HEAD is now 4b5264d23fdd75f36b2d332b25183ec129b9a9a3. This review was discarded to avoid approving unreviewed code.

Previous run (5)

Review

Reason: stale-head

The review agent reviewed commit 3b9be5228239f6d27e2bed351bd41ad3074da819 but the PR HEAD is now 19a59bb9d4d30ad380ca3fce1805f8aa5094d171. This review was discarded to avoid approving unreviewed code.
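
The semver reasoning in the findings above (a major bump, or a minor bump on a 0.x package, can both be breaking) can be checked mechanically. This is an added example, not code from the PR or the review bot; the version pairs are those quoted in the findings, while `example-lib` and the function names are constructed for illustration.

```javascript
// Caret-range pairs quoted in the review findings, plus one constructed control.
const BUMPS = {
  '@backstage/plugin-catalog-react': ['^2.1.1', '^3.0.0'],
  '@backstage/frontend-plugin-api': ['^0.15.1', '^0.17.0'],
  '@backstage/plugin-scaffolder-backend': ['^3.2.0', '^4.0.0'],
  '@backstage/plugin-permission-react': ['^0.4.41', '^0.5.1'],
  '@backstage/plugin-auth-backend': ['^0.27.3', '^0.29.0'],
  'example-lib': ['^1.2.0', '^1.5.0'], // constructed, compatible bump
};

// Parse a plain caret range such as "^0.15.1" into [major, minor, patch].
function parseCaret(range) {
  const m = /^\^(\d+)\.(\d+)\.(\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  return m.slice(1).map(Number);
}

// A caret range only permits changes to the right of the left-most non-zero
// component, so that component marks the breaking boundary:
// major for >=1.0.0, minor for 0.y.z, patch for 0.0.z.
function breakingIndex(version) {
  const i = version.findIndex(n => n > 0);
  return i === -1 ? 2 : i;
}

// Report whether moving from one caret range to another crosses that boundary.
function classifyBump(from, to) {
  const a = parseCaret(from);
  const b = parseCaret(to);
  const labels = ['major', 'minor', 'patch'];
  for (let i = 0; i <= breakingIndex(a); i++) {
    if (a[i] !== b[i]) return { breaking: true, component: labels[i] };
  }
  return { breaking: false, component: null };
}

// Packages whose changelogs need a manual read before the bump is merged.
function needsChangelogReview(bumps) {
  return Object.entries(bumps)
    .filter(([, [from, to]]) => classifyBump(from, to).breaking)
    .map(([name]) => name)
    .sort();
}

console.log(needsChangelogReview(BUMPS));
```
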

@fullsend-ai-review fullsend-ai-review Bot left a comment

See the review comment for full details.

'@red-hat-developer-hub/backstage-plugin-scorecard': minor
---

Backsatge version bump to v1.51.0
[low] naming-convention

Typo in changeset description: 'Backsatge version bump to v1.51.0' should be 'Backstage version bump to v1.51.0'. This text will appear in the published changelog.

Suggested fix: Fix the typo: Backsatge → Backstage.

@Eswaraiahsapram Eswaraiahsapram force-pushed the scorecard-bump-1.51.0 branch from 4b5264d to 1cd6c9b Compare June 3, 2026 16:11
codecov Bot commented Jun 3, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 53.93%. Comparing base (1a93ef9) to head (aad1405).
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #3284   +/-   ##
=======================================
  Coverage   53.93%   53.93%           
=======================================
  Files        2379     2379           
  Lines       86166    86166           
  Branches    23916    23915    -1     
=======================================
  Hits        46476    46476           
  Misses      39385    39385           
  Partials      305      305           

| Flag | Coverage Δ | *Carryforward flag |
|---|---|---|
| adoption-insights | 83.58% <ø> (ø) | Carried forward from 1a93ef9 |
| ai-integrations | 70.03% <ø> (ø) | Carried forward from 1a93ef9 |
| app-defaults | 69.60% <ø> (ø) | Carried forward from 1a93ef9 |
| augment | 46.39% <ø> (ø) | Carried forward from 1a93ef9 |
| bulk-import | 72.86% <ø> (ø) | Carried forward from 1a93ef9 |
| cost-management | 17.48% <ø> (ø) | Carried forward from 1a93ef9 |
| dcm | 59.64% <ø> (ø) | Carried forward from 1a93ef9 |
| extensions | 61.79% <ø> (ø) | Carried forward from 1a93ef9 |
| global-floating-action-button | 74.30% <ø> (ø) | Carried forward from 1a93ef9 |
| global-header | 61.63% <ø> (ø) | Carried forward from 1a93ef9 |
| homepage | 51.52% <ø> (ø) | Carried forward from 1a93ef9 |
| konflux | 91.01% <ø> (ø) | Carried forward from 1a93ef9 |
| lightspeed | 68.50% <ø> (ø) | Carried forward from 1a93ef9 |
| mcp-integrations | 85.46% <ø> (ø) | Carried forward from 1a93ef9 |
| orchestrator | 37.34% <ø> (ø) | Carried forward from 1a93ef9 |
| quickstart | 62.09% <ø> (ø) | Carried forward from 1a93ef9 |
| sandbox | 79.56% <ø> (ø) | Carried forward from 1a93ef9 |
| scorecard | 83.84% <ø> (ø) | |
| theme | 64.54% <ø> (ø) | Carried forward from 1a93ef9 |
| translations | 8.49% <ø> (ø) | Carried forward from 1a93ef9 |
| x2a | 78.79% <ø> (ø) | Carried forward from 1a93ef9 |

*This pull request uses carry forward flags.

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update 1a93ef9...aad1405.

@fullsend-ai-review fullsend-ai-review Bot added the requires-manual-review Review requires human judgment label Jun 3, 2026
@Eswaraiahsapram Eswaraiahsapram force-pushed the scorecard-bump-1.51.0 branch from 1cd6c9b to 6b6556b Compare June 4, 2026 04:03

const displayName = getLocaleDisplayName(locale);
await this.page.getByRole('link', { name: 'Settings' }).click();
await this.page.goto('/settings');
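
Review bot: the `await this.page.goto('/settings');` line stands in for the click on `getByRole('link', { name: 'Settings' })`, so nothing in this method now fails if the Settings link disappears or is mislabeled. If link presence should stay covered, move that check into a dedicated navigation test rather than dropping it, for example an assertion such as `await expect(this.page.getByRole('link', { name: 'Settings' })).toBeVisible();` against whatever sidebar element the new version renders.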
[low] test-inadequate

E2E test replaced UI-element-based navigation with direct page.goto() calls, slightly reducing coverage of navigation link presence/functionality. The affected code is test setup, not the behavior under test.

Comment thread workspaces/scorecard/.changeset/icy-poets-run.md Outdated
@fullsend-ai-review fullsend-ai-review Bot added ready-for-merge All reviewers approved — ready to merge and removed requires-manual-review Review requires human judgment labels Jun 4, 2026
@Eswaraiahsapram Eswaraiahsapram force-pushed the scorecard-bump-1.51.0 branch from 6b6556b to aad1405 Compare June 4, 2026 04:18
sonarqubecloud Bot commented Jun 4, 2026


const displayName = getLocaleDisplayName(locale);
await this.page.getByRole('link', { name: 'Settings' }).click();
await this.page.goto('/settings');
[low] test-weakened

switchToLocale switches from role-based link clicking to direct URL navigation (page.goto), bypassing UI element verification. However, this is consistent with existing page.goto() usage in loginAndSetLocale() and openCatalog() in the same file, and the method's core purpose (locale switching) remains fully tested.

@fullsend-ai-review fullsend-ai-review Bot added ready-for-merge All reviewers approved — ready to merge and removed ready-for-merge All reviewers approved — ready to merge labels Jun 4, 2026
Labels

ready-for-merge All reviewers approved — ready to merge workspace/scorecard
