Skip to content

[Snyk] Security upgrade @backstage/plugin-scaffolder-backend from 0.0.0-use.local to 1.15.0 #6891

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
snyk-io wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Security upgrade @backstage/plugin-scaffolder-backend from 0.0.0-use.local to 1.15.0 #6891

snyk-io wants to merge 1 commit into from

Conversation

@snyk-io
Copy link

@snyk-io snyk-io bot commented Jul 21, 2025
edited by entelligence-ai-pr-reviews bot
Loading

EntelligenceAI PR Summary

This PR pins the scaffolder backend plugin dependency to a specific version instead of using the workspace reference.

  • Updated @backstage/plugin-scaffolder-backend dependency from workspace:^ to 1.15.0 in the cookiecutter module
  • Locks the dependency to a specific version for compatibility or stability purposes
  • Prevents automatic updates from the local workspace version

@codesandbox
Copy link

codesandbox bot commented Jul 21, 2025

Review or Edit in CodeSandbox

Open the branch in Web EditorVS CodeInsiders

Open Preview

@sourcery-ai
Copy link

sourcery-ai bot commented Jul 21, 2025
edited
Loading

Reviewer's Guide

The PR upgrades the @backstage/plugin-scaffolder-backend dependency from a local workspace reference to version 1.15.0 in the scaffolder module’s package.json to remediate three high-severity vulnerabilities flagged by Snyk.

File-Level Changes

Change Details Files
Bump @backstage/plugin-scaffolder-backend dependency version
  • Replace workspace:^ spec with explicit 1.15.0 version
  • Align dependency entry format in package.json
  • Require manual update of yarn.lock before merging
 plugins/scaffolder-backend-module-cookiecutter/package.json
Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@snyk-io
Copy link
Author

snyk-io bot commented Jul 21, 2025
edited
Loading

Snyk checks have failed. 88 issues have been found so far.

Status Scanner Critical High Medium Low Total (88)
Open Source Security 16 30 37 5 88 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@github-actions
Copy link

github-actions bot commented Jul 28, 2025

This PR has been automatically marked as stale because it has not had recent activity from the author. It will be closed if no further activity occurs. If the PR was closed and you want it re-opened, let us know and we'll re-open the PR so that you can continue the contribution!

@github-actions github-actions bot added the stale label Jul 28, 2025
@github-actions github-actions bot closed this Aug 5, 2025
@snyk-io snyk-io bot reopened this Aug 24, 2025
@github-actions github-actions bot removed the stale label Aug 24, 2025
@github-actions
Copy link

github-actions bot commented Sep 3, 2025

This PR has been automatically marked as stale because it has not had recent activity from the author. It will be closed if no further activity occurs. If the PR was closed and you want it re-opened, let us know and we'll re-open the PR so that you can continue the contribution!

@github-actions github-actions bot added the stale label Sep 3, 2025
@github-actions github-actions bot closed this Sep 8, 2025
@snyk-io snyk-io bot reopened this Nov 27, 2025
@entelligence-ai-pr-reviews
Copy link

entelligence-ai-pr-reviews bot commented Nov 27, 2025

Entelligence AI Vulnerability Scanner

Status: No security vulnerabilities found

Your code passed our comprehensive security analysis.

@entelligence-ai-pr-reviews
Copy link

entelligence-ai-pr-reviews bot commented Nov 27, 2025

Walkthrough

This pull request modifies the dependency management for the Cookiecutter scaffolder backend module by pinning the @backstage/plugin-scaffolder-backend dependency to a specific version (1.15.0) instead of using the workspace protocol reference. This change transitions from a dynamic workspace-based dependency resolution to a fixed version, which provides more predictable behavior and ensures compatibility with a specific API version. This type of change is typically made to avoid potential breaking changes from newer workspace versions or to maintain stability during development.

Changes

File(s) Summary
plugins/scaffolder-backend-module-cookiecutter/package.json Changed @backstage/plugin-scaffolder-backend dependency from workspace:^ to pinned version 1.15.0 to lock to a specific version instead of using local workspace version.

Sequence Diagram

This diagram shows the interactions between components:

sequenceDiagram
    participant PM as Package Manager
    participant CookieCutter as scaffolder-backend-module-cookiecutter
    participant ScaffolderBackend as @backstage/plugin-scaffolder-backend

    Note over PM,ScaffolderBackend: Dependency Resolution Change

    alt Before: workspace:^ protocol
        PM->>PM: Resolve from local workspace
        PM->>CookieCutter: Link to local scaffolder-backend
        Note over PM,CookieCutter: Uses local development version
    else After: Fixed version 1.15.0
        PM->>PM: Resolve from npm registry
        PM->>ScaffolderBackend: Fetch version 1.15.0
        ScaffolderBackend-->>PM: Return package
        PM->>CookieCutter: Install scaffolder-backend@1.15.0
        Note over PM,CookieCutter: Uses specific published version
    end

    Note over CookieCutter,ScaffolderBackend: Runtime behavior unchanged<br/>Only dependency resolution differs
Loading

▶️AI Code Reviews for VS Code, Cursor, Windsurf
Install the extension

Note for Windsurf Please change the default marketplace provider to the following in the windsurf settings:

Marketplace Extension Gallery Service URL: https://marketplace.visualstudio.com/_apis/public/gallery

Marketplace Gallery Item URL: https://marketplace.visualstudio.com/items

Entelligence.ai can learn from your feedback. Simply add 👍 / 👎 emojis to teach it your preferences. More shortcuts below

Emoji Descriptions:

  • ⚠️ Potential Issue - May require further investigation.
  • 🔒 Security Vulnerability - Fix to ensure system safety.
  • 💻 Code Improvement - Suggestions to enhance code quality.
  • 🔨 Refactor Suggestion - Recommendations for restructuring code.
  • ℹ️ Others - General comments and information.

Interact with the Bot:

  • Send a message or request using the format:
    @entelligenceai + *your message*
Example: @entelligenceai Can you suggest improvements for this code?
  • Help the Bot learn by providing feedback on its responses.
    @entelligenceai + *feedback*
Example: @entelligenceai Do not comment on `save_auth` function !

Also you can trigger various commands with the bot by doing
@entelligenceai command

The current supported commands are

  1. config - shows the current config
  2. retrigger_review - retriggers the review

More commands to be added soon.

@github-actions github-actions bot removed the stale label Nov 27, 2025
@github-actions
Copy link

github-actions bot commented Dec 19, 2025

This PR has been automatically marked as stale because it has not had recent activity from the author. It will be closed if no further activity occurs. If the PR was closed and you want it re-opened, let us know and we'll re-open the PR so that you can continue the contribution!

@github-actions github-actions bot added the stale label Dec 19, 2025
@github-actions github-actions bot closed this Dec 24, 2025
@snyk-io snyk-io bot reopened this Dec 29, 2025
@entelligence-ai-pr-reviews
Copy link

entelligence-ai-pr-reviews bot commented Dec 29, 2025

Walkthrough

This pull request modifies the dependency management for the cookiecutter scaffolder backend module by pinning the @backstage/plugin-scaffolder-backend dependency to a specific version. Instead of using the workspace protocol reference that would pull from the local monorepo workspace, the dependency is now locked to version 1.15.0. This change suggests a deliberate effort to ensure compatibility with a specific API version of the scaffolder backend plugin, potentially to avoid breaking changes that may exist in newer workspace versions or to maintain stability during development.

Changes

File(s) Summary
plugins/scaffolder-backend-module-cookiecutter/package.json Changed @backstage/plugin-scaffolder-backend dependency from workspace protocol reference (workspace:^) to pinned version 1.15.0.

Sequence Diagram

This diagram shows the interactions between components:

sequenceDiagram
    participant Dev as Developer
    participant Module as scaffolder-backend-module-cookiecutter
    participant Registry as NPM Registry
    participant Backend as @backstage/plugin-scaffolder-backend

    Note over Module,Backend: Dependency Version Change: workspace:^ → 1.15.0

    Dev->>Module: Update package.json dependency
    Note right of Module: Change from workspace reference<br/>to fixed version 1.15.0
    
    Module->>Registry: Request scaffolder-backend@1.15.0
    Registry-->>Module: Return published package
    
    Note over Module,Backend: Module now depends on<br/>published version instead of<br/>local workspace version
Loading

▶️AI Code Reviews for VS Code, Cursor, Windsurf
Install the extension

Note for Windsurf Please change the default marketplace provider to the following in the windsurf settings:

Marketplace Extension Gallery Service URL: https://marketplace.visualstudio.com/_apis/public/gallery

Marketplace Gallery Item URL: https://marketplace.visualstudio.com/items

Entelligence.ai can learn from your feedback. Simply add 👍 / 👎 emojis to teach it your preferences. More shortcuts below

Emoji Descriptions:

  • ⚠️ Potential Issue - May require further investigation.
  • 🔒 Security Vulnerability - Fix to ensure system safety.
  • 💻 Code Improvement - Suggestions to enhance code quality.
  • 🔨 Refactor Suggestion - Recommendations for restructuring code.
  • ℹ️ Others - General comments and information.

Interact with the Bot:

  • Send a message or request using the format:
    @entelligenceai + *your message*
Example: @entelligenceai Can you suggest improvements for this code?
  • Help the Bot learn by providing feedback on its responses.
    @entelligenceai + *feedback*
Example: @entelligenceai Do not comment on `save_auth` function !

Also you can trigger various commands with the bot by doing
@entelligenceai command

The current supported commands are

  1. config - shows the current config
  2. retrigger_review - retriggers the review

More commands to be added soon.

@socket-security
Copy link

socket-security bot commented Dec 29, 2025
edited
Loading

No dependency changes detected. Learn more about Socket for GitHub.

👍 No dependency changes detected in pull request

@github-actions github-actions bot removed the stale label Dec 29, 2025
@github-actions
Copy link

github-actions bot commented Jan 5, 2026

This PR has been automatically marked as stale because it has not had recent activity from the author. It will be closed if no further activity occurs. If the PR was closed and you want it re-opened, let us know and we'll re-open the PR so that you can continue the contribution!

@github-actions github-actions bot added the stale label Jan 5, 2026
@github-actions github-actions bot closed this Jan 11, 2026
@snyk-io snyk-io bot reopened this Jan 12, 2026
@entelligence-ai-pr-reviews
Copy link

entelligence-ai-pr-reviews bot commented Jan 12, 2026

Walkthrough

Changes

Sequence Diagram

This diagram shows the interactions between components:

sequenceDiagram
    participant Dev as Developer
    participant Package as scaffolder-backend-module-cookiecutter
    participant Dep as @backstage/plugin-scaffolder-backend
    participant Workspace as Local Workspace
    participant Registry as NPM Registry

    Note over Package,Dep: Dependency Version Change

    rect rgb(240, 240, 240)
        Note over Dev,Registry: BEFORE: Using workspace reference
        Dev->>Package: Build/Install dependencies
        Package->>Workspace: Resolve workspace:^ dependency
        Workspace-->>Package: Return local version
    end

    rect rgb(220, 250, 220)
        Note over Dev,Registry: AFTER: Using pinned version
        Dev->>Package: Build/Install dependencies
        Package->>Registry: Resolve version 1.15.0
        Registry-->>Package: Return v1.15.0 from registry
    end

    Note over Package,Dep: Module behavior remains unchanged<br/>Only dependency resolution changes
Loading

▶️AI Code Reviews for VS Code, Cursor, Windsurf
Install the extension

Note for Windsurf Please change the default marketplace provider to the following in the windsurf settings:

Marketplace Extension Gallery Service URL: https://marketplace.visualstudio.com/_apis/public/gallery

Marketplace Gallery Item URL: https://marketplace.visualstudio.com/items

Entelligence.ai can learn from your feedback. Simply add 👍 / 👎 emojis to teach it your preferences. More shortcuts below

Emoji Descriptions:

  • ⚠️ Potential Issue - May require further investigation.
  • 🔒 Security Vulnerability - Fix to ensure system safety.
  • 💻 Code Improvement - Suggestions to enhance code quality.
  • 🔨 Refactor Suggestion - Recommendations for restructuring code.
  • ℹ️ Others - General comments and information.

Interact with the Bot:

  • Send a message or request using the format:
    @entelligenceai + *your message*
Example: @entelligenceai Can you suggest improvements for this code?
  • Help the Bot learn by providing feedback on its responses.
    @entelligenceai + *feedback*
Example: @entelligenceai Do not comment on `save_auth` function !

Also you can trigger various commands with the bot by doing
@entelligenceai command

The current supported commands are

  1. config - shows the current config
  2. retrigger_review - retriggers the review

More commands to be added soon.

@github-actions github-actions bot removed the stale label Jan 12, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

scaffolder

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant