Update dependency @backstage/plugin-scaffolder-backend to v1.15.0 [SECURITY] #102
This PR contains the following updates:

@backstage/plugin-scaffolder-backend: 1.6.0 -> 1.15.0
GitHub Vulnerability Alerts

CVE-2023-35926

The Backstage scaffolder-backend plugin uses a templating library that requires a sandbox, as it by design allows for code injection. The library used for this sandbox so far has been `vm2`, but in light of several past vulnerabilities and existing vulnerabilities that may not have a fix, the plugin has switched to using a different sandbox library.

Impact

A malicious actor with write access to a registered scaffolder template could manipulate the template in a way that allows for remote code execution on the scaffolder-backend instance. This was only exploitable in the template YAML definition itself and not by user input data.

Patches

This vulnerability is fixed in version 1.15.0 of `@backstage/plugin-scaffolder-backend`.

Workarounds

Note that the Backstage Threat Model states that scaffolder templates are considered to be a sensitive area, with the recommendation that you control access and perform manual reviews of changes to the scaffolder templates. The exploit is of a nature where it is easily discoverable in manual review.
Release Notes

backstage/backstage (@backstage/plugin-scaffolder-backend)

v1.15.0

Minor Changes

- 84b0e47: Add `TargetBranchName` variable and output for the `publish:gitlab:merge-request` and `publish:github:pull-request` scaffolder actions.
- 6a694ce: Add a scaffolder action that creates pull requests for Bitbucket Server.
- 1948845: Added `github:deployKey:create` and `github:environment:create` scaffolder actions. You will need to add `read/write` permissions to your GITHUB_TOKEN and/or GitHub Backstage App for `Repository Administration` (for deploy key functionality) and `Environments` (for Environment functionality).
- df84117: Add support for Repository Variables and Secrets to the `publish:github` and `github:repo:create` scaffolder actions. You will need to add `read/write` permissions to your GITHUB_TOKEN and/or GitHub Backstage App for Repository `Secrets` and `Variables`. Upgrading octokit introduces some breaking changes.

Patch Changes

- cc936b5: Fix handling of the `optional` property in the `catalog:register` scaffolder action.
- b269da3: Clearer error messages for the `publish:gitlab:merge-request` action.
- 11e0f62: Fix wrong gitlabUrl format in the repoUrl input description.
- a2c70cd: Switch out the sandbox, from `vm2` to `isolated-vm`. This is a native dependency, which means that it will need to be compiled with the same version of Node on the same OS. This could cause some issues when running in Docker, for instance, as you will need to make sure that the dependency is installed and compiled inside the Docker container that it will run on. This could mean adding some dependencies to the container, like `build-essential`, to make sure that this compiles correctly. If you're having issues installing this dependency, there are install instructions over on the `isolated-vm` repo.
- Updated dependencies
v1.14.0

Minor Changes

- 67115f5: Expose both types of scaffolder permissions and rules through the metadata endpoint. The metadata endpoint now correctly exposes both types of scaffolder permissions and rules (for both the template and action resource types).
- a73b3c0: Add ability to use `defaultNamespace` and `defaultKind` for the scaffolder action `catalog:fetch`.

Patch Changes

- 1a48b84: Bump minimum required version of `vm2` to be 3.9.18.
- d20c879: Bump minimum required version of `vm2` to be 3.9.17.
- 6d954de: Update typing for `RouterOptions::actions` and `ScaffolderActionsExtensionPoint::addActions` to allow any kind of action to be assigned to it.

v1.13.1
This release bumps the minimum required version of `vm2` to 3.9.17.

v1.13.0
Minor Changes

- 2b15cb4: The non-PR/MR Git actions now return the commit hash of the pushed commit as a new output called `commitHash`; isomorphic-git is now on version 1.23.0.
- 30ffdae: Added `fetch:plain:file` action to fetch a single file; this action is also added to the list of built-in actions.
- 65e989f: Added the possibility to authorize parameters and steps of a template. The scaffolder plugin is now integrated with the permission framework. It is possible to toggle parameters or actions within templates by marking each section with specific `tags`, inside a `backstage:permissions` property under each parameter or action. Each parameter or action can then be permissioned by using a conditional decision containing the `scaffolderTemplateRules.hasTag` rule.
- 3b68b09: Renamed the `permissionApi` router option to `permissions`.
- bcae5aa: Added the possibility to authorize actions. It is now possible to decide who should be able to execute certain actions or who should be able to pass specific input to specified actions. Some of the existing utility functions for creating conditional decisions have been renamed:
  - `createScaffolderConditionalDecision` has been renamed to `createScaffolderActionConditionalDecision`
  - `scaffolderConditions` has been renamed to `scaffolderTemplateConditions`
- d7c8c22: Allow for a commit message to differ from the PR title when publishing a GitHub pull request.
- 95ea9f6: Provide some more default filters out of the box and refactor how the filters are applied to the `SecureTemplater`. `parseEntityRef` will take a string entity triplet and return a parsed object. `pick` will allow you to reference a specific property in the piped object. So you can now combine things like this: `${{ parameters.entity | parseEntityRef | pick('name') }}` to get the name of a specific entity, or `${{ parameters.repoUrl | parseRepoUrl | pick('owner') }}` to get the owner of a repo.

Patch Changes

- e23abb3: Rename output parameter `mergeRequestURL` of the `publish:gitlab:merge-request` action to `mergeRequestUrl`.
- e27ddc3: Added a possibility to cancel the running task (execution of a scaffolder template).
- a7eb36c: Improve type-check for scaffolder output parameters.
- c9a0fdc: Fix deprecated types.
- 1e4f5e9: Bump `zod` and `zod-to-json-schema` dependencies.
- 9c26e6d: Updated the alpha `scaffolderPlugin` to not require options.
- f37a95a: Stripped entity types and namespace before passing to the GitHub API.

v1.12.0
Minor Changes

- 7d724d8: Added the ability to define an action's `input` and `output` schema using `zod` instead of hand-writing types and `jsonschema`.

Patch Changes

- 860de10: Make identity valid if the subject of the token is a Backstage server-to-server auth token.
- 6545487: Minor API report tweaks.
- c6c78b4: Throw an error from the `catalog:fetch` scaffolder action when the entity is null and `optional` is false.
- 9968f45: The catalog write action should allow any shape of object.
- 928a12a: Internal refactor of `/alpha` exports.
- 52b0022: Updated dependency `msw` to `^1.0.0`.
- 7af1285: Extended scaffolder action `catalog:fetch` to fetch multiple catalog entities by entity references.

v1.11.0
Minor Changes

- 0b2952e: Added the option to overwrite files in the `targetPath` of the `template:fetch` action.
- 1271549: Renamed the export `scaffolderCatalogModule` to `catalogModuleTemplateKind` in order to follow the new recommended naming patterns of backend system items. This is technically a breaking change, but in an alpha export, so take care to change your imports if you have already migrated to the new backend system.

Patch Changes

- 0ff0331: Updated usage of `createBackendPlugin`.
- ad3edc4: Deprecations: the following are deprecated and should instead be imported from the new package `@backstage/plugin-scaffolder-node`:
  - `ActionContext`
  - `createTemplateAction`
  - `TaskSecrets`
  - `TemplateAction`
- 6c70919: Provide better error messaging when GitHub fails due to missing team definitions.
- 66cf22f: Updated dependency `esbuild` to `^0.17.0`.
- Updated dependencies
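The `parseEntityRef`, `parseRepoUrl` and `pick` filters described in the v1.13.0 entry (95ea9f6) above, shown as an added example that is not Backstage's own code: illustrative re-implementations of the three filters, plus a minimal filter chain that only dispatches to registered filters, which is the property a `SecureTemplater`-style evaluator depends on when it lets template authors pipe values through named filters. The entity-ref shape `[kind:][namespace/]name`, the `repoUrl` shape `host?owner=...&repo=...` (with the `project` query parameter mentioned in the v1.8.0 notes), the optional `defaultKind`/`defaultNamespace` context argument, the lowercasing of kind and namespace, and the `applyFilterChain` helper are all assumptions of this example.

```javascript
// Added example, not Backstage's own code: illustrative versions of the
// parseEntityRef / parseRepoUrl / pick template filters and a filter chain
// that only dispatches to registered filters. Input formats and the helper
// names below are assumptions of this example.

const DEFAULT_NAMESPACE = 'default';

// Entity ref shape assumed here: [<kind>:][<namespace>/]<name>.
// kind and namespace are lowercased (this example's choice); name is kept as-is.
function parseEntityRef(ref, context = {}) {
  if (typeof ref !== 'string' || ref.trim() === '') {
    throw new TypeError('entity ref must be a non-empty string');
  }
  let rest = ref.trim();
  let kind = context.defaultKind;
  let namespace = context.defaultNamespace ?? DEFAULT_NAMESPACE;

  const colon = rest.indexOf(':');
  if (colon !== -1) {
    kind = rest.slice(0, colon);
    rest = rest.slice(colon + 1);
  }
  const slash = rest.indexOf('/');
  if (slash !== -1) {
    namespace = rest.slice(0, slash);
    rest = rest.slice(slash + 1);
  }
  if (!kind) {
    throw new Error(`entity ref "${ref}" has no kind and no defaultKind was supplied`);
  }
  if (!namespace || !rest) {
    throw new Error(`entity ref "${ref}" is missing a namespace or a name`);
  }
  return { kind: kind.toLowerCase(), namespace: namespace.toLowerCase(), name: rest };
}

// repoUrl shape assumed here: <host>?owner=<owner>&repo=<repo>[&project=<id>]
// The value carries no scheme, so one is prepended purely to reuse the URL parser.
function parseRepoUrl(repoUrl) {
  if (typeof repoUrl !== 'string' || repoUrl.includes('://')) {
    throw new TypeError('repoUrl must be a host plus query string without a scheme');
  }
  const url = new URL(`https://${repoUrl}`);
  const repo = url.searchParams.get('repo');
  if (!repo) {
    throw new Error(`repoUrl "${repoUrl}" is missing the repo query parameter`);
  }
  return {
    host: url.host,
    owner: url.searchParams.get('owner') ?? undefined,
    repo,
    project: url.searchParams.get('project') ?? undefined,
  };
}

// pick: read one own property of the piped object. A missing property is an
// error rather than `undefined`, so a typo in a template fails loudly.
function pick(obj, key) {
  if (obj === null || typeof obj !== 'object') {
    throw new TypeError(`pick('${key}') needs an object, got ${typeof obj}`);
  }
  if (!Object.prototype.hasOwnProperty.call(obj, key)) {
    throw new Error(`pick('${key}'): property not present`);
  }
  return obj[key];
}

// Registry of filters a template may call. Unknown names are rejected instead
// of being looked up anywhere else, so a template can only reach these functions.
const templateFilters = Object.freeze({ parseEntityRef, parseRepoUrl, pick });

// Applies a chain such as [['parseEntityRef'], ['pick', 'name']] to a value, in
// the same order as `value | parseEntityRef | pick('name')` in a template.
function applyFilterChain(value, steps) {
  return steps.reduce((acc, [name, ...args]) => {
    if (!Object.prototype.hasOwnProperty.call(templateFilters, name)) {
      throw new Error(`unknown template filter "${name}"`);
    }
    return templateFilters[name](acc, ...args);
  }, value);
}

// Demo on constructed inputs (the entity ref and repoUrl below are made up).
console.log(applyFilterChain('Component:team-a/payments-api', [['parseEntityRef'], ['pick', 'name']]));
console.log(applyFilterChain('github.com?owner=example-org&repo=example-repo', [['parseRepoUrl'], ['pick', 'owner']]));
```

The registry lookup uses `hasOwnProperty` on a frozen object rather than a plain property access, so names such as `constructor` or `__proto__` that resolve through the prototype chain are rejected like any other unregistered filter.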
v1.10.1

- `@rjsf/*` libraries were incompatible

v1.10.0
Minor Changes

- a6808b6: Implement `Required approving review count`, `Restrictions`, and `Required commit signing` support for the `publish:github` action.
- 04a2048: Allow custom repository roles to be configured on GitHub repos.
- c0ad734: Add scaffolder action `catalog:fetch` to get an entity by entity reference from the catalog.
- b44eb68: This change adds the ability to provide examples alongside scaffolder task actions. The `createTemplateAction` function now takes a list of examples, e.g. These examples can be retrieved later from the API.
- 72d6b9f: Added ability to override the commit message and author details for the `publish:bitbucketServer` action.
- a69664f: Add GitHub repository support for squash merge commit title and message options.

Patch Changes

- 2fadff2: Change scaffolder task actions to include markdown to demonstrate the new `ActionsPage` markdown feature.
- ecbec4e: Internal refactor to match the new options pattern in the experimental backend system.
- e4c0240: Added `catalogFilter` field to the OwnerPicker and EntityPicker components to support filtering options by any field(s) of an entity. The `allowedKinds` field has been deprecated. Use `catalogFilter` instead. This field allows users to specify a filter on the shape of EntityFilterQuery, which can be passed into the CatalogClient. See examples below:
  - Get all entities of kind `Group`
  - Get entities of kind `Group` and spec.type `team`
- 8e06f3c: Switched imports of `loggerToWinstonLogger` to `@backstage/backend-common`.
- Updated dependencies
v1.9.0

Minor Changes

- a20a0ea: Added `requiredConversationResolution` template option to `github:repo:create`, `github:repo:push` and `publish:github`.
- b32005e: Deprecated the `taskWorkers` option in RouterOptions in favor of `concurrentTasksLimit`, which sets the limit of concurrent tasks in a single TaskWorker. TaskWorker can now run multiple (defaults to 10) tasks concurrently using the `concurrentTasksLimit` option available in both `RouterOptions` and `CreateWorkerOptions`. To use the option to create a TaskWorker:

  ```diff
  const worker = await TaskWorker.create({
    taskBroker,
    actionRegistry,
    integrations,
    logger,
    workingDirectory,
    additionalTemplateFilters,
  + concurrentTasksLimit: 10, // (1 to Infinity)
  });
  ```

- fc51bd8: Add support for disabling GitHub repository wiki, issues and projects.
- 0053d07: Update the `github:publish` action to allow passing whether to dismiss stale reviews on the protected default branch.

Patch Changes

- cb71600: Internal refactor to improve tests.
- 935b66a: Change step output template examples to use square bracket syntax.
- 884d749: Refactored to use `coreServices` from `@backstage/backend-plugin-api`.
- b05dcd5: Move the `zod` dependency to a version that does not collide with other libraries.
- 2640443: Use Json types from @backstage/types.
- b07ccff: Backend now returns the 'ui:options' value from template metadata; it can be used by all your custom scaffolder components.
- 309f2da: Updated dependency `esbuild` to `^0.16.0`.
- 3280711: Updated dependency `msw` to `^0.49.0`.
- 19356df: Updated dependency `zen-observable` to `^0.9.0`.
- c3fa90e: Updated dependency `zen-observable` to `^0.10.0`.

v1.8.0
Minor Changes

- ea14eb6: Added a set of default Prometheus metrics around scaffolding. See below for a list of metrics and an explanation of their labels:
  - `scaffolder_task_count`: tracks successful task runs. Labels:
    - `template`: the entity ref of the scaffolded template
    - `user`: the entity ref of the user that invoked the template run
    - `result`: a string describing whether the task ran successfully, failed, or was skipped
  - `scaffolder_task_duration`: a histogram which tracks the duration of a task run. Labels:
    - `template`: the entity ref of the scaffolded template
    - `result`: a boolean describing whether the task ran successfully
  - `scaffolder_step_count`: a count that tracks each step run. Labels:
    - `template`: the entity ref of the scaffolded template
    - `step`: the name of the step that was run
    - `result`: a string describing whether the task ran successfully, failed, or was skipped
  - `scaffolder_step_duration`: a histogram which tracks the duration of each step run. Labels:
    - `template`: the entity ref of the scaffolded template
    - `step`: the name of the step that was run
    - `result`: a string describing whether the task ran successfully, failed, or was skipped

  You can find a guide for running Prometheus metrics here: https://github.com/backstage/backstage/blob/master/contrib/docs/tutorials/prometheus-metrics.md
- 5921b5c: The GitLab Project ID for the `publish:gitlab:merge-request` action is now passed through the query parameter `project` in the `repoUrl`. It still allows people to not use the `projectid` and use the `repoUrl` with the `owner` and `repo` query parameters instead. This makes it easier to publish to repositories instead of writing the full path to the project.
- 5025d2e: Adds the ability to pass an (optional) array of strings that will be applied to the newly scaffolded repository as topic labels.

Patch Changes

- 7573b65: Internal refactor of imports to avoid circular dependencies.
- 969a844: Updated dependency `esbuild` to `^0.15.0`.
- 9ff4ff3: Implement "Branch protection rules" support for the "publish:github" action.

v1.7.0
Minor Changes

- 253453f: Added a new property called `additionalTemplateGlobals` which allows you to add global functions to the scaffolder nunjucks templates.
- 17ff771: Update the `github:publish` action to allow passing whether pull requests must be up to date with the default branch before merging.
- 304305d: Add `allowAutoMerge` option for the `publish:github` action.
- 694bfe2: Add functionality to shut down scaffolder tasks if they are stale.
- a8e9848: Added optional `sourcePath` parameter to the `publish:gitlab:merge-request` action; `targetPath` is now optional and falls back to the current workspace path.

Patch Changes

- 489621f: Switch off the duplicated timestamp when logging via the task logger in a custom action.
- 4880d43: Fixed setting the default branch for Bitbucket Server.
- b681275: Ignore .git directories in the Template Editor; increase the upload limit for dry-runs to 10MB.
- a35a27d: Updated the `moduleId` of the experimental module export.

Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.