[Snyk] Fix for 3 vulnerabilities

[q1blue]

Snyk has created this PR to fix 3 vulnerabilities in the yarn dependencies of this project.

Snyk changed the following file(s):

• packages/techdocs-cli-embedded-app/package.json

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory.
If you are not using zero-install you can ignore this as your flow should likely be unchanged.

⚠️ Warning

Failed to update the yarn.lock, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Cross-site Scripting (XSS) SNYK-JS-REMIXRUNROUTER-14908530	134
	Open Redirect SNYK-JS-REACTROUTER-14908286	114
	Open Redirect SNYK-JS-REMIXRUNROUTER-14908287	114

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Open Redirect
🦉 Cross-site Scripting (XSS)

[codesandbox]

Review or Edit in CodeSandbox

Open the branch in Web Editor • VS Code • Insiders

Open Preview

[snyk-io]

⛔ Snyk checks have failed. 1 issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (1)
⛔	Open Source Security	0	0	1	0	1 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[entelligence-ai-pr-reviews]

Walkthrough

Changes

Sequence Diagram

This diagram shows the interactions between components:

sequenceDiagram
    actor User
    participant App as TechDocs CLI<br/>Embedded App
    participant CoreAPI as @backstage/core-app-api<br/>(v1.1.0)
    participant Router as react-router-dom<br/>(v6.30.3)
    participant TechDocs as @backstage/plugin-techdocs<br/>(v0.1.1)
    participant TechDocsReact as @backstage/plugin-techdocs-react<br/>(v0.1.0)
    participant Integration as @backstage/integration-react<br/>(v0.1.1)

    User->>App: Launch TechDocs CLI
    activate App
    
    App->>CoreAPI: Initialize app APIs
    activate CoreAPI
    CoreAPI-->>App: API context ready
    deactivate CoreAPI
    
    App->>Router: Setup routing (v6.30.3)
    activate Router
    Note over Router: Updated from v6.3.0<br/>to v6.30.3
    Router-->>App: Routes configured
    deactivate Router
    
    User->>App: Navigate to documentation
    
    App->>TechDocs: Load TechDocs plugin
    activate TechDocs
    
    TechDocs->>TechDocsReact: Render documentation UI
    activate TechDocsReact
    TechDocsReact-->>TechDocs: UI components
    deactivate TechDocsReact
    
    TechDocs->>Integration: Fetch documentation source
    activate Integration
    Integration-->>TechDocs: Documentation content
    deactivate Integration
    
    TechDocs-->>App: Rendered documentation
    deactivate TechDocs
    
    App-->>User: Display documentation
    deactivate App

Loading

▶️ ⚡ AI Code Reviews for VS Code, Cursor, Windsurf
Install the extension

Note for Windsurf

Please change the default marketplace provider to the following in the windsurf settings:

Marketplace Extension Gallery Service URL: https://marketplace.visualstudio.com/_apis/public/gallery

Marketplace Gallery Item URL: https://marketplace.visualstudio.com/items

Entelligence.ai can learn from your feedback. Simply add 👍 / 👎 emojis to teach it your preferences. More shortcuts below

Emoji Descriptions:

• ⚠️ Potential Issue - May require further investigation.
• 🔒 Security Vulnerability - Fix to ensure system safety.
• 💻 Code Improvement - Suggestions to enhance code quality.
• 🔨 Refactor Suggestion - Recommendations for restructuring code.
• ℹ️ Others - General comments and information.

Interact with the Bot:

• Send a message or request using the format:
  @entelligenceai + *your message*

Example: @entelligenceai Can you suggest improvements for this code?

• Help the Bot learn by providing feedback on its responses.
  @entelligenceai + *feedback*

Example: @entelligenceai Do not comment on `save_auth` function !

Also you can trigger various commands with the bot by doing
@entelligenceai command

The current supported commands are

1. config - shows the current config
2. retrigger_review - retriggers the review

More commands to be added soon.

[augmentcode]

🤖 Augment PR Summary

Summary: Updates dependencies for the TechDocs CLI embedded app to address Snyk-reported vulnerabilities.

Changes:

• Bumps react-router-dom to ^6.30.3 and pins several @backstage/* dependencies to specific versions
• Aims to remediate Open Redirect / XSS issues flagged in transitive router dependencies

Technical Notes: The PR text indicates yarn.lock was not updated, so the lockfile likely needs regeneration to ensure the upgraded versions are actually used.

_{🤖 Was this summary useful? React with 👍 or 👎}

[augmentcode]

Review completed. 2 suggestions posted.

Comment augment review to trigger a new review at any time.

[augmentcode]

Pinning @backstage/* dependencies here to older published versions (e.g. @backstage/core-app-api 1.1.0) while the rest remain workspace:^ will likely make Yarn pull registry packages that don’t match the workspace versions, leading to duplicate Backstage deps and potential build/runtime breakage. Consider keeping these as workspace:^ or otherwise ensuring the specified versions satisfy the local workspace package versions (also applies to the other pinned @backstage/* entries in this file).

_{🤖 Was this useful? React with 👍 or 👎}

[augmentcode]

The PR description notes yarn.lock wasn’t updated; without a lockfile refresh the repo may still resolve the vulnerable transitive versions and builds can be non-reproducible. Consider running yarn and committing the resulting lockfile update alongside this dependency bump.

_{🤖 Was this useful? React with 👍 or 👎}