fix(deps): update rhdh scorecard dependencies (patch) to v0.11.3

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@scalprum/react-core	0.11.1 → 0.11.3

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

scalprum/scaffolding (@​scalprum/react-core)

v0.11.3

Compare Source

v0.11.2

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[rhdh-gh-app]

Changed Packages

Package Name	Package Path	Changeset Bump	Current Version
app-legacy	workspaces/scorecard/packages/app-legacy	none	v0.0.0

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 53.50%. Comparing base (daa1e8b) to head (e463737).
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #3374   +/-   ##
=======================================
  Coverage   53.50%   53.50%           
=======================================
  Files        2251     2251           
  Lines       85686    85686           
  Branches    24139    24147    +8     
=======================================
  Hits        45850    45850           
  Misses      38360    38360           
  Partials     1476     1476           

Flag	Coverage Δ		*Carryforward flag
adoption-insights	83.70% <ø> (ø)		Carriedforward from daa1e8b
ai-integrations	67.95% <ø> (ø)		Carriedforward from daa1e8b
app-defaults	69.79% <ø> (ø)		Carriedforward from daa1e8b
augment	46.39% <ø> (ø)		Carriedforward from daa1e8b
bulk-import	72.46% <ø> (ø)		Carriedforward from daa1e8b
cost-management	14.10% <ø> (ø)		Carriedforward from daa1e8b
dcm	61.79% <ø> (ø)		Carriedforward from daa1e8b
extensions	61.53% <ø> (ø)		Carriedforward from daa1e8b
global-floating-action-button	71.18% <ø> (ø)		Carriedforward from daa1e8b
global-header	59.71% <ø> (ø)		Carriedforward from daa1e8b
homepage	49.92% <ø> (ø)		Carriedforward from daa1e8b
install-dynamic-plugins	56.23% <ø> (ø)		Carriedforward from daa1e8b
konflux	91.49% <ø> (ø)		Carriedforward from daa1e8b
lightspeed	68.57% <ø> (ø)		Carriedforward from daa1e8b
mcp-integrations	85.46% <ø> (ø)		Carriedforward from daa1e8b
orchestrator	36.56% <ø> (ø)		Carriedforward from daa1e8b
quickstart	63.99% <ø> (ø)		Carriedforward from daa1e8b
sandbox	79.56% <ø> (ø)		Carriedforward from daa1e8b
scorecard	83.83% <ø> (ø)
theme	61.26% <ø> (ø)		Carriedforward from daa1e8b
translations	6.55% <ø> (ø)		Carriedforward from daa1e8b
x2a	78.68% <ø> (ø)		Carriedforward from daa1e8b

*This pull request uses carry forward flags. Click here to find out more.

---

Continue to review full report in Codecov by Harness.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update daa1e8b...e463737. Read the comment docs.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 8:59 AM UTC · Completed 9:02 AM UTC
Commit: 665cfa6 · View workflow run →

[fullsend-ai-review]

Review

Findings

No findings.

Previous run

Review

Findings

No findings.

This is a clean Renovate patch-version dependency bump of @scalprum/react-core from 0.11.1 to 0.11.3, with the transitive @scalprum/core bump from 0.9.0 to 0.9.3. The lockfile updates are consistent, semver constraints are satisfied, and no stale references to the old versions exist in source code.

Previous run (2)

Review

Findings

No findings.

Previous run (3)

Review

Findings

No findings.

Previous run (4)

Review

Findings

Info

• [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model claude-sonnet-4-5@20250929 unavailable on vertex deployment. This dimension was not evaluated; given the mechanical nature of this dependency bump (version string change only), no style findings are expected.

No blocking findings. This is a clean patch-level dependency bump of @scalprum/react-core (0.11.1 → 0.11.3) and its transitive dependency @scalprum/core (0.9.0 → 0.9.3), generated by Renovate bot. The package.json and yarn.lock changes are consistent and correct.

Previous run (5)

Review

Findings

No findings.

This is a well-formed Renovate bot patch dependency update bumping @scalprum/react-core from 0.11.1 to 0.11.3. The lockfile changes are correct: the old 0.11.1 resolution block is retained for the @red-hat-developer-hub/backstage-plugin-dynamic-home-page transitive dependency, @scalprum/core is deduplicated to 0.9.3 (satisfying both ^0.9.0 and ^0.9.1), and the new 0.11.3 resolution block is properly added.

Previous run (6)

Review

Reason: stale-head

The review agent reviewed commit d4a830abbd3680eec37b0314b80803e0eed57ebd but the PR HEAD is now e00edf59091724b582c47ef217cc5f3c20b36f82. This review was discarded to avoid approving unreviewed code.

Previous run (7)

Review

Findings

Info

• [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model claude-sonnet-4-5@20250929 unavailable on deployment. This is a mechanical dependency version bump; style review would have early-exited with no findings per its own criteria.

Previous run (8)

Review

Findings

No findings.

Previous run (9)

Review

Findings

Info

• [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model claude-sonnet-4-5@20250929 not available on vertex deployment. This is a mechanical dependency version bump where the style early-exit criteria would apply; no style concerns expected.

Previous run (10)

Review

Findings

Low

• [dependency version duplication] workspaces/scorecard/yarn.lock — After this change, @scalprum/react-core will exist in two versions in the dependency tree: 0.11.3 (used by app-legacy) and 0.11.1 (used by @red-hat-developer-hub/backstage-plugin-dynamic-home-page@1.11.0). Since nodeLinker: node-modules is configured, both versions will be installed. If these packages share React context objects across component boundaries, the context identity mismatch could cause the consumer to receive undefined. In practice, patch bumps (0.11.1 to 0.11.3) rarely change context shape, and Yarn may hoist one version if the resolution graph allows it, so this is low risk.

Info

• [sub-agent-failure] The style-conventions sub-agent did not return findings due to model unavailability. This does not affect the review outcome for this trivial dependency update.

Previous run (11)

Review

Findings

No findings.

Previous run (12)

Review

Findings

No findings.

This is a straightforward Renovate bot patch dependency update of @scalprum/react-core from 0.11.1 to 0.11.3 in the scorecard workspace. The version bump in package.json is consistent with the resolved versions in yarn.lock, and the transitive dependency @scalprum/core is correctly upgraded from 0.9.0 to 0.9.3 with compatible semver ranges.

Previous run (13)

Review

Findings

Medium

• [runtime mechanism] workspaces/scorecard/yarn.lock — After this change, two distinct versions of @scalprum/react-core will be installed: 0.11.1 (required by @red-hat-developer-hub/backstage-plugin-dynamic-home-page as a regular dependency) and 0.11.3 (required by app-legacy). Because @scalprum/react-core exports a React context (ScalprumContext), having two copies means the context provider instantiated from one version will not be visible to consumers using the other version — React contexts are matched by object identity. Before this PR, both consumers resolved to the same 0.11.1 copy.
  Remediation: Either (a) ensure @red-hat-developer-hub/backstage-plugin-dynamic-home-page is also updated to a version that depends on @scalprum/react-core 0.11.3 so yarn can deduplicate to a single copy, or (b) add a resolutions field in the workspace root package.json to force a single version of @scalprum/react-core across the workspace.

Info

• [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model unavailable on deployment. This dimension was not evaluated but is unlikely to surface findings for a mechanical dependency version bump.

Previous run (14)

Review

Findings

No findings.

Previous run (15)

Review

Findings

Info

• [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model claude-sonnet-4-5@20250929 is not available on the deployment. This dimension was not evaluated. Given the nature of this change (a mechanical dependency version bump), no style findings are expected.

No blocking findings. This is a straightforward Renovate bot patch-level dependency bump of @scalprum/react-core from 0.11.1 to 0.11.3 (with transitive @scalprum/core from 0.9.0 to 0.9.3). The lockfile and package.json changes are consistent and the version ranges are compatible.

Previous run (16)

Review

Findings

No findings.

This is a clean, automated patch-level dependency update from Renovate bot, bumping @scalprum/react-core from 0.11.1 to 0.11.3 (with transitive @scalprum/core 0.9.0 → 0.9.3). The lockfile changes are consistent with a normal patch-level npm registry update. No code, auth, permission, or API surface changes are introduced.

Previous run (17)

Review

Findings

No findings.

Previous run (18)

Review

Findings

Info

• [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model not available on vertex deployment. This dimension has minimal relevance for a mechanical dependency version bump with no code changes.

No correctness, security, or architectural concerns. This is a straightforward Renovate bot patch bump of @scalprum/react-core from 0.11.1 to 0.11.3 (and transitive @scalprum/core from 0.9.0 to 0.9.3). The lockfile updates are consistent and the pinned version in package.json matches the resolved version in yarn.lock.

Previous run (19)

Review

Findings

Info

• [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model claude-sonnet-4-6@default is not available on this deployment. This is a low-risk dependency version bump where the early-exit criteria would apply, so no style findings are expected.

Previous run (20)

Review

Findings

No findings.

Previous run (21)

Review

Findings

Info

• [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model claude-sonnet-4-5@20250929 unavailable on this deployment. This dimension was not evaluated; however, the change is a mechanical dependency version bump with no style surface area.

No blocking findings. This is a straightforward automated patch-level dependency bump of @scalprum/react-core from 0.11.1 to 0.11.3 (and transitive @scalprum/core from 0.9.0 to 0.9.3). Lockfile changes are internally consistent — version ranges and deduplication are correct.

Previous run (22)

Review

Findings

Low

• [edge-case] workspaces/scorecard/yarn.lock — After this PR, two versions of @scalprum/react-core will coexist in the dependency tree: 0.11.3 (used by app-legacy) and 0.11.1 (used by @red-hat-developer-hub/backstage-plugin-dynamic-home-page). If ScalprumContext is a React context shared between these packages, the duplicate instances could cause context values provided by one version to be invisible to consumers from the other. This is a patch bump and unlikely to introduce behavioral differences, but worth monitoring.

Info

• [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model unavailable on deployment. This is a trivial dependency version bump where the early-exit criteria would apply (no style findings expected).

Previous run (23)

Review

Findings

No findings.

Previous run (24)

Review

Findings

No findings.

This is a clean patch-level dependency bump of @scalprum/react-core from 0.11.1 to 0.11.3 (authored by Renovate bot). The lockfile changes are consistent with the package.json update, and the transitive @scalprum/core bump from 0.9.0 to 0.9.3 remains within the ^0.9.0 semver range. The same version (0.11.3) is already in use in the homepage workspace with the same API surface, confirming compatibility.

Previous run (25)

Review

Findings

High

• [logic-error] workspaces/scorecard/yarn.lock — After this update, app-legacy will use @scalprum/react-core@0.11.3 (direct dependency) while @red-hat-developer-hub/backstage-plugin-dynamic-home-page@1.11.0 (also a dependency of app-legacy) hard-pins @scalprum/react-core@0.11.1. The yarn.lock confirms both resolution entries coexist: the 0.11.1 block remains and a new 0.11.3 block is added. Since React contexts rely on referential identity, the ScalprumContext created by 0.11.3 in the app shell will be invisible to code running under 0.11.1 inside dynamic-home-page, potentially breaking dynamic home page mount points.
  Remediation: Either (1) update @red-hat-developer-hub/backstage-plugin-dynamic-home-page to a version compatible with @scalprum/react-core@0.11.3, or (2) add a resolutions entry in the workspace root package.json to force a single resolution of @scalprum/react-core to 0.11.3, or (3) hold this bump until the transitive dependency is aligned.

Info

• [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model claude-sonnet-4-5@20250929 unavailable on deployment.
• [sub-agent-failure] N/A — The intent-coherence sub-agent did not return findings: model claude-sonnet-4-5@20250929 unavailable on deployment.

Previous run (26)

Review

Findings

No findings.

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 9:14 AM UTC · Completed 9:22 AM UTC
Commit: 483a960 · View workflow run →

[fullsend-ai-review]

See the review comment for full details.

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 12:59 PM UTC · Completed 1:04 PM UTC
Commit: a85170e · View workflow run →

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 2:11 PM UTC · Completed 2:16 PM UTC
Commit: 27b0488 · View workflow run →

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 1:49 PM UTC · Completed 1:55 PM UTC
Commit: 8c5d14c · View workflow run →

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 2:18 PM UTC · Completed 2:23 PM UTC
Commit: 50be9f2 · View workflow run →

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 2:31 PM UTC · Completed 2:37 PM UTC
Commit: dcf930d · View workflow run →

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 2:41 PM UTC · Completed 2:49 PM UTC
Commit: dcf930d · View workflow run →

[fullsend-ai-review]

/fs-review

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 2:51 PM UTC · Completed 2:56 PM UTC
Commit: 65e0cea · View workflow run →

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 3:20 PM UTC · Completed 3:24 PM UTC
Commit: 8f34ce4 · View workflow run →

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 6:22 PM UTC · Completed 6:27 PM UTC
Commit: 25734c4 · View workflow run →

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 6:29 PM UTC · Completed 6:34 PM UTC
Commit: 761b256 · View workflow run →

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 6:41 PM UTC · Completed 6:46 PM UTC
Commit: 1fd9844 · View workflow run →

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 8:19 PM UTC · Completed 8:25 PM UTC
Commit: daa1e8b · View workflow run →