[Snyk] Security upgrade @backstage/core-app-api from 0.0.0-use.local to 1.1.0 #9911
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-REMIXRUNROUTER-14908530 - https://snyk.io/vuln/SNYK-JS-REACTROUTER-14908286 - https://snyk.io/vuln/SNYK-JS-REMIXRUNROUTER-14908287
Review or Edit in CodeSandboxOpen the branch in Web Editor • VS Code • Insiders |
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
WalkthroughChangesSequence DiagramThis diagram shows the interactions between components: sequenceDiagram
participant TestUtils as "@backstage/test-utils"
participant CoreAppAPI as "@backstage/core-app-api"
participant Workspace as "Workspace (local)"
participant NPM as "NPM Registry"
Note over TestUtils,NPM: Dependency Resolution Change
rect rgb(255, 200, 200)
Note over TestUtils,Workspace: BEFORE: workspace:^
TestUtils->>Workspace: Request @backstage/core-app-api
Workspace-->>TestUtils: Return local workspace version
end
rect rgb(200, 255, 200)
Note over TestUtils,NPM: AFTER: 1.1.0
TestUtils->>NPM: Request @backstage/core-app-api@1.1.0
NPM-->>TestUtils: Return pinned version 1.1.0
end
Note over TestUtils: Test utilities now use<br/>fixed version instead of<br/>local workspace version
Note for WindsurfPlease change the default marketplace provider to the following in the windsurf settings:Marketplace Extension Gallery Service URL: https://marketplace.visualstudio.com/_apis/public/gallery Marketplace Gallery Item URL: https://marketplace.visualstudio.com/items Entelligence.ai can learn from your feedback. Simply add 👍 / 👎 emojis to teach it your preferences. More shortcuts belowEmoji Descriptions:
Interact with the Bot:
Also you can trigger various commands with the bot by doing The current supported commands are
More commands to be added soon. |
🤖 Augment PR SummarySummary: Pins 🤖 Was this summary useful? React with 👍 or 👎 |
![augmentcode[bot]](https://avatars.githubusercontent.com/in/1027498?s=60&v=4){kind=small}
| "dependencies": { | ||
| "@backstage/config": "workspace:^", | ||
| "@backstage/core-app-api": "workspace:^", | ||
| "@backstage/core-app-api": "1.1.0", |
There was a problem hiding this comment.
Setting @backstage/core-app-api to 1.1.0 will cause Yarn to stop using the local workspace package (currently packages/core-app-api is 1.9.1-next.0) and instead pull an older published copy, which can introduce dependency skew/duplicate instances—was that intended?
🤖 Was this useful? React with 👍 or 👎
Snyk has created this PR to fix 3 vulnerabilities in the yarn dependencies of this project.
Snyk changed the following file(s):
packages/test-utils/package.jsonNote for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the
.yarn/cache/directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to runyarnto update the contents of the./yarn/cachedirectory.If you are not using zero-install you can ignore this as your flow should likely be unchanged.
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-REMIXRUNROUTER-14908530
SNYK-JS-REACTROUTER-14908286
SNYK-JS-REMIXRUNROUTER-14908287
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Open Redirect
🦉 Cross-site Scripting (XSS)