The comment itself acknowledges this mirrors install-dynamic-plugins.py. Should we just call the Python script directly as a pre-step instead of reimplementing it in JS?

The overlay repo currently gets the script from the RHDH container image — by removing Docker, we lose access to it. But we could copy the script here (with a version marker) as a short-term solution. That would:

• Eliminate ~60 lines of JS OCI code
• Inherit all security protections for free (zip bomb, symlink traversal, integrity checks)
• Leverage the 130KB+ test suite that already covers this logic

Longer-term options: publish as a pip package or container tool so any repo can consume it.

For context, there's also a parallel POC in RHDH core (redhat-developer/rhdh#4523) that extends the same Python script with parallel downloads (ThreadPoolExecutor) achieving ~34% speedup. Reusing it here would get that performance benefit too.

for now, I added a step that downloads install-dynamic-plugins script and its requirements and uses it directly. Not sure if the would benefit from the parallel downloads, since it only runs on a single workspace, so only a couple OCIs at a time.

This extracts tar contents with a bare execSync('tar xf ...') — no validation of archive members before extraction. The Python script in RHDH core (install-dynamic-plugins.py) checks for:

• Zip bomb: member.size > MAX_ENTRY_SIZE (20MB default per entry)
• Symlink traversal: os.path.realpath() validation against the destination directory
• Hardlink traversal: same check
• Device files/FIFOs: rejected entirely
• Safe tar filter: tar.extractall(..., filter='tar')

Even in CI, a crafted OCI layer could exploit path traversal via symlinks. If we keep the JS implementation, all of these checks need to be ported.

replaced by python script.

createBackend() is the production API. Backstage provides startTestBackend() from @backstage/backend-test-utils specifically for this use case — it handles lifecycle management, automatic cleanup, built-in in-memory SQLite, and exposes mock services. It would also reduce the manual plugin registration below (~20 lines of backend.add() calls).

redhat-developer/rhdh#4523 uses startTestBackend() for the same plugin loadability validation and it works well.

This was meant to keep the environment somewhat real, but I guess it makes sense to have this as a simple "plugin loads" check rather than anything more complicated.

This reimplements config deep-merge that already exists in install-dynamic-plugins.py (the merge() function). The Python version also detects key conflicts and raises errors — this one silently overwrites. If we use the Python script as a pre-step, this function becomes unnecessary since the script already generates app-config.dynamic-plugins.yaml with all plugin configs merged.

replaced with python script

This probe plugin concept is great — using dynamicPluginsServiceRef to verify frontend plugins actually loaded at runtime is more thorough than filesystem-only checks. Worth keeping regardless of the OCI download approach. The sanity check POC in RHDH core (redhat-developer/rhdh#4523) currently only validates bundles via filesystem (dist-scalprum/plugin-manifest.json); this runtime probe approach would complement it nicely.

Downloads are sequential here. The install-dynamic-plugins-fast.py in redhat-developer/rhdh#4523 uses ThreadPoolExecutor for parallel OCI downloads with a shared image cache (one download per unique image, not per plugin), achieving ~34% speedup. Another reason to reuse the existing script rather than maintaining a separate implementation.

replaced with the basic python script, same reason as above.

This should be pinned to a hash and match the other workflows:

There are two LTS releases after this one that are currently active, let's not target older Node.js versions if we can avoid it.

Is this supposed to be pinned to a specific commit?

this will get replaced with the ts version after redhat-developer/rhdh#4574 gets merged anyway...

Looks like this script is not triggered in the CI, but rather executed manually, let's use npm test for consistency.

Let's not rely on pinned versions here, but use caret ranges ^ and a lockfile.

There is no need to use .mjs, you can use .js and Node will be able to detect it, also because the type is already set in the package.

Node.js can run TypeScript these days, so using .ts would also work, and make your code type-safe.

Node.js has built-in support for parsing CLI arguments, there is no need to implement this yourself.

Node.js has built-in support for parsing .env files, so there is no need to implement this yourself.

The custom deepMerge and loadConfigs can be removed entirely — Backstage's config loader already handles deep merging of multiple --config files. Just push the config paths onto process.argv before calling startTestBackend() and let the default rootConfig service pick them up. This is the same approach the old Docker-based smoke test used (chaining --config flags on the node packages/backend command).

This also removes the need for mockServices.rootConfig.factory({ data }).