chore: bump Backstage from 1.49.4 to 1.52.0

[schultzp2020]

Summary

• Upgrade RHDH core, app, backend, internal plugins, and dynamic-plugin wrappers from Backstage 1.49.4 to 1.52.0, including lockfile regeneration for root and dynamic-plugins/.
• Remove broad yarn resolutions (especially zod v3 pins that blocked frontend zod v4) so Backstage 1.52 frontend plugins resolve correctly; keep only the refractor/prismjs security pin.
• Fix upgrade-specific backend issues: custom OpenTelemetry vs alpha.core.tracing, sign-in resolver TypeScript (TS2589), instrumentation.js coverage-safe structure, workspace linking (workspace:*), and Knex type alignment in licensed-users-info-backend.
• Fix deprecated React default imports in app catalog/sidebar components (clears lint warnings).

Notable dependency changes

• @backstage/plugin-scaffolder-backend 3.x → 4.0.1 (major)
• @backstage/plugin-auth-backend-module-oauth2-proxy-provider 0.2.x → 0.3.0
• Frontend plugins now use nested zod v4; backend continues on zod v3

E2E smoke: Scalprum duplicate singleton

E2E smoke hit a blank sign-in page even though the backend was healthy. The app bundle had two copies of @scalprum/core (direct 0.9.2 vs 0.9.3 pulled in by @scalprum/react-core). ScalprumProvider initialized one copy; our dynamic-plugin code called getScalprum() on the other, so Scalprum never looked initialized and React rendered an empty page.

Fix: pin @scalprum/core@0.9.3 in root resolutions, align packages/app to the same version, and pin @scalprum/react-core@0.11.2. This stays on the existing SDK 5 / Scalprum 0.11 line — not a jump to Scalprum 0.13 (that would require rebuilding all dynamic plugins for dynamic-plugin-sdk 8).

E2E / CI notes

• No Playwright spec changes included — main showcase E2E uses ./dynamic-plugins/dist/* built from this branch.
• Third-party sanity-plugin OCI overlays in .ci/pipelines/value_files/*.yaml still reference bs_1.49.4__* tags on ghcr; update to bs_1.52.0__* in a follow-up once those overlay images are published.
• Watch CI for potential flakes in scaffolder, catalog-timestamp (nth(7)), MUI/combobox helpers, and home-page-customization.spec.ts (upgrade project).

Test plan

• yarn install (root + dynamic-plugins/)
• yarn test
• yarn tsc
• yarn build
• yarn build in dynamic-plugins/
• yarn lint:check (app React import warnings cleared)
• yarn monorepo:check
• CI green (unit + E2E)
• Manual smoke: yarn dev — catalog, scaffolder, sign-in
• Verify external deploy configs for 1.52 breaking changes (discovery.endpoints, removed catalog.stitchingStrategy.mode: immediate)

Made with Cursor

[github-actions]

The container image build workflow finished with status: cancelled.

[codecov]

Codecov Report

❌ Patch coverage is 20.00000% with 24 lines in your changes missing coverage. Please review.
✅ Project coverage is 55.39%. Comparing base (1c0f25c) to head (5fcca3e).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4990      +/-   ##
==========================================
- Coverage   55.82%   55.39%   -0.44%     
==========================================
  Files         121      122       +1     
  Lines        2350     2365      +15     
  Branches      563      568       +5     
==========================================
- Hits         1312     1310       -2     
- Misses       1032     1048      +16     
- Partials        6        7       +1     

Flag	Coverage Δ
rhdh	55.39% <20.00%> (-0.44%)	⬇️

---

Continue to review full report in Codecov by Harness.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 1c0f25c...5fcca3e. Read the comment docs.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

The container image build workflow finished with status: failure.

[github-actions]

The container image build and publish workflows were skipped (either due to [skip-build] tag or no relevant changes with existing image).

[github-actions]

The container image build workflow finished with status: failure.

[github-actions]

Image was built and published successfully. It is available at:

• quay.io/rhdh-community/rhdh:pr-4990
• quay.io/rhdh-community/rhdh:pr-4990-021fe446

[github-actions]

Image was built and published successfully. It is available at:

• quay.io/rhdh-community/rhdh:pr-4990
• quay.io/rhdh-community/rhdh:pr-4990-a005b33c

[github-actions]

The container image build workflow finished with status: cancelled.

[github-actions]

Image was built and published successfully. It is available at:

• quay.io/rhdh-community/rhdh:pr-4990
• quay.io/rhdh-community/rhdh:pr-4990-80635f1b

[github-actions]

Image was built and published successfully. It is available at:

• quay.io/rhdh-community/rhdh:pr-4990
• quay.io/rhdh-community/rhdh:pr-4990-26c78fb0

[github-actions]

The container image build workflow finished with status: cancelled.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

Image was built and published successfully. It is available at:

• quay.io/rhdh-community/rhdh:pr-4990
• quay.io/rhdh-community/rhdh:pr-4990-5fcca3e9