[Snyk] Fix for 3 vulnerabilities #9909
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-REMIXRUNROUTER-14908530 - https://snyk.io/vuln/SNYK-JS-REACTROUTER-14908286 - https://snyk.io/vuln/SNYK-JS-REMIXRUNROUTER-14908287
Review or Edit in CodeSandboxOpen the branch in Web Editor • VS Code • Insiders |
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
WalkthroughChangesSequence DiagramThis diagram shows the interactions between components: sequenceDiagram
participant PM as Package Manager
participant US as user-settings Plugin
participant CAA as @backstage/core-app-api
participant PCR as @backstage/plugin-catalog-react
participant TH as @backstage/theme
Note over PM,TH: Dependency Resolution Process
PM->>US: Install dependencies
alt Before Change (workspace:^)
US->>PM: Request workspace:^ versions
PM->>PM: Resolve from local workspace
PM-->>US: Link local workspace packages
else After Change (pinned versions)
US->>PM: Request specific versions
PM->>CAA: Fetch version 1.1.0
CAA-->>PM: Return package
PM->>PCR: Fetch version 0.0.1
PCR-->>PM: Return package
PM->>TH: Fetch version 0.1.1
TH-->>PM: Return package
PM-->>US: Install pinned versions
end
Note over US: Plugin now uses fixed versions<br/>instead of workspace references
Note for WindsurfPlease change the default marketplace provider to the following in the windsurf settings:Marketplace Extension Gallery Service URL: https://marketplace.visualstudio.com/_apis/public/gallery Marketplace Gallery Item URL: https://marketplace.visualstudio.com/items Entelligence.ai can learn from your feedback. Simply add 👍 / 👎 emojis to teach it your preferences. More shortcuts belowEmoji Descriptions:
Interact with the Bot:
Also you can trigger various commands with the bot by doing The current supported commands are
More commands to be added soon. |
🤖 Augment PR SummarySummary: Updates Changes:
🤖 Was this summary useful? React with 👍 or 👎 |
![augmentcode[bot]](https://avatars.githubusercontent.com/in/1027498?s=60&v=4){kind=small}
| }, | ||
| "dependencies": { | ||
| "@backstage/core-app-api": "workspace:^", | ||
| "@backstage/core-app-api": "1.1.0", |
There was a problem hiding this comment.
These version pins (1.1.0/0.0.1/0.1.1) are lower than the repo’s workspace package versions (e.g. local @backstage/core-app-api is 1.9.1-next.0), so Yarn will resolve them from the registry rather than the local workspaces, which can introduce incompatible duplicate Backstage packages at runtime. Is that intentional for @backstage/core-app-api / @backstage/plugin-catalog-react / @backstage/theme here?
🤖 Was this useful? React with 👍 or 👎
Snyk has created this PR to fix 3 vulnerabilities in the yarn dependencies of this project.
Snyk changed the following file(s):
plugins/user-settings/package.jsonNote for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the
.yarn/cache/directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to runyarnto update the contents of the./yarn/cachedirectory.If you are not using zero-install you can ignore this as your flow should likely be unchanged.
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-REMIXRUNROUTER-14908530
SNYK-JS-REACTROUTER-14908286
SNYK-JS-REMIXRUNROUTER-14908287
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Open Redirect
🦉 Cross-site Scripting (XSS)