Cost Management Plugin v2.1.0 - Dev Preview

Highlights

• Upgraded Backstage framework from 1.39.0 to 1.49.4 to align with RHDH 1.10
• Verified compatibility with both RHDH 1.9 and RHDH 1.10
• Promoted support level from Developer Preview to Dev Preview
• Remediated 47 out of 79 reported CVEs, including 2 Critical severity vulnerabilities

Packages

• @red-hat-developer-hub/plugin-cost-management — 2.1.0
• @red-hat-developer-hub/plugin-cost-management-backend — 2.1.0
• @red-hat-developer-hub/plugin-cost-management-common — 2.1.0

OCI Image

https://quay.io/repository/redhat-resource-optimization/dynamic-plugins?tab=tags&tag=2.1.0

What's Changed

Backstage Upgrade (1.39.0 → 1.49.4)

• All @backstage/* dependencies updated to align with RHDH 1.10
• Node.js engine requirement updated from 18/20 to 22
• TypeScript updated from 5.3 to 5.8
• Removed deprecated variant="gridItem" usage in catalog components
• Updated @backstage/plugin-proxy-backend import path (alpha → root export)
• Fixed AuthorizeResult type narrowing in permission handling code
• Regenerated API reports for updated public API surface

CVE Remediation

• Resolved 6 CVEs by pinning linkifyjs to 4.3.2 (fixes Prototype Pollution & XSS) and upgrading msw from v1 to v2 (removes vulnerable @xmldom/xmldom transitive dependency)
• Resolved 2 Critical CVEs via scoped Yarn resolutions:
  • fast-xml-parser entity encoding bypass (CVSS 9.3)
  • form-data unsafe random boundary generation

Dependency Cleanup

• Removed unused orchestrator plugins from dev environment to reduce dependency footprint
• Removed unused @janus-idp/backstage-plugin-audit-log-node dependency
• Removed stale Yarn resolutions (catalog-backend, scaffolder pinned versions)

Installation

See the plugin README for installation instructions.

Cost Management Plugin v2.0.2 - Dev Preview

Highlights

Plugin Restructure

• Renamed from redhat-resource-optimization to cost-management with new package names, config keys, and routes

OpenShift Cost Tracking (New)

• Added OpenShift section with cost tracking for clusters, grouped by cluster, project, node, or tag

Security Hardening

• Moved all data fetching server-side — no more proxy config, no token exposure
• Added authorization, validation, and confirmation for Apply Recommendation
• Added structured audit logging with user identity
• Surfaced SSO auth errors instead of silent failures

RBAC Updates

• Permission separator changed from . to / for cluster/project-specific permissions (e.g., ros.CLUSTER → ros/CLUSTER)

OCI Images

• Published to quay.io/redhat-resource-optimization/dynamic-plugins:2.0.2
• Compatible with RHDH 1.8 and 1.9

See dynamic-plugin.md for installation instructions.

V1.2.1 - Dev Preview Release of ROS Plugin for Red Hat Developer Hub

V1.2.1 - Dev Preview Release of ROS Plugin for Red Hat Developer Hub

• dark theme support for box plot

V1.2.0 - Dev Preview Release of ROS Plugin for Red Hat Developer Hub

V1.2.0 - Dev Preview Release of Resource Optimization Plugin for RHDH V1.5 and V1.6

• RBAC Changes - ros.<cluster_name>.<project_name> permissions
• Sending cluster_id instead of cluster_name to the API

V1.1.0 - Dev Preview Release of ROS Plugin for Red Hat Developer Hub

V1.1.0 - Dev Preview Release of Resource Optimization Plugin for RHDH V1.5 and V1.6

• RBAC Changes - ros.plugin and ros.<cluster_name> permissions
• Manual and automatic workflow for applying recommendations