Update dependency @backstage/backend-common to v0.19.10 [SECURITY] #103
This PR contains the following updates:

- `@backstage/backend-common`: `0.15.1` -> `0.19.10`

GitHub Vulnerability Alerts

CVE-2024-26150

Impact

Path checks with the `resolveSafeChildPath` utility were not exhaustive enough, leading to risk of path traversal vulnerabilities if symlinks can be injected by attackers.

Patches

Patched in `@backstage/backend-common` version `0.21.1`.
Patched in `@backstage/backend-common` version `0.20.2`.
Patched in `@backstage/backend-common` version `0.19.10`.

For more information

If you have any questions or comments about this advisory:
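An added illustration (not the page's or Backstage's code) of the check class the advisory is about: a lexical "does not contain `..`" test is not enough once a symlink inside the base directory points outside it, so the candidate path must also be compared after symlinks are expanded. The function and fixture names below are assumptions for this example; it builds its own constructed directory tree under the OS temp dir.

```typescript
import * as fs from 'fs';
import * as os from 'os';
import * as path from 'path';

// True when `candidate` is `base` itself or lies beneath it (both already resolved).
function isInside(base: string, candidate: string): boolean {
  const rel = path.relative(base, candidate);
  return rel === '' || (rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel));
}

// lstat-based existence test: a dangling symlink still counts as present.
function entryExists(p: string): boolean {
  try { fs.lstatSync(p); return true; } catch { return false; }
}

// Expands symlinks on the longest existing prefix of `target`, then re-attaches the
// not-yet-existing tail. A dangling symlink makes realpathSync throw, which is the
// desired outcome: we cannot prove where a write through it would land.
function realpathOfExistingPrefix(target: string): string {
  const tail: string[] = [];
  let current = target;
  while (!entryExists(current)) {
    tail.unshift(path.basename(current));
    current = path.dirname(current);
  }
  return path.join(fs.realpathSync(current), ...tail);
}

// Hypothetical symlink-aware check (not Backstage's resolveSafeChildPath): rejects
// `child` unless both its lexical form and its symlink-expanded form stay within `base`.
function resolveChildPathNoSymlinkEscape(base: string, child: string): string {
  const realBase = fs.realpathSync(base);
  const lexical = path.resolve(realBase, child);
  if (!isInside(realBase, lexical)) throw new Error(`Relative path escapes base: ${child}`);
  const expanded = realpathOfExistingPrefix(lexical);
  if (!isInside(realBase, expanded)) throw new Error(`Symlink target escapes base: ${child}`);
  return expanded;
}

// Constructed fixture: base/inner/ plus base/escape -> ../outside, the kind of
// symlink the advisory's injection scenario describes.
function buildFixture(): { base: string; outside: string } {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'safechild-'));
  const base = path.join(root, 'base');
  const outside = path.join(root, 'outside');
  fs.mkdirSync(path.join(base, 'inner'), { recursive: true });
  fs.mkdirSync(outside);
  fs.symlinkSync(outside, path.join(base, 'escape'));
  return { base, outside };
}
```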
Release Notes

backstage/backstage (@backstage/backend-common)

v0.19.10

Compare Source

v0.19.9

Compare Source

Patch Changes

- aa13482: Limit the database creation concurrency to one, defensively
- 013611b: `knex` has been bumped to major version 3 and `better-sqlite3` to major version 9, which deprecate node 16 support.
- 3d04352: Updated dependency `aws-sdk-client-mock` to `^3.0.0`.

v0.19.8

Compare Source

Patch Changes

- 74491c9: The `HostDiscovery` export has been deprecated, import it from `@backstage/backend-app-api` instead.
- b95d66d: Properly close write stream when writing temporary archive for processing zip-based `.readTree()` responses.
- b94f322: Added the ability to fetch git tags through the `Git` class. This is useful for scaffolder actions that want to take action based on tag versions in a cloned repository
- 0b55f77: Removed some unused dependencies
- 4c39e38: Added `/testUtils` entry point, with a utility for mocking resolve package paths as returned by `resolvePackagePath`.
- 9101c0d: Updated dependency `@kubernetes/client-node` to `0.19.0`.
- a250ad7: Removed `mock-fs` dev dependency.
- 2a40cd4: Adds the optional flag for useRedisSets for the Redis cache to the config.
- 1c3d6fa: The `useHotCleanup` and `useHotMemoize` helpers are now deprecated, since hot module reloads for backend are being phased out.

v0.19.7

Compare Source

Patch Changes

- b94f322: Added the ability to fetch git tags through the `Git` class. This is useful for scaffolder actions that want to take action based on tag versions in a cloned repository

v0.19.6

Compare Source

v0.19.5

Compare Source

Patch Changes

- 6847cd6: Avoid starting database keepalive loop in tests.
- fd3fdd0: The root logger is now initialized lazily, fixing a circular dependency issue with `@backstage/backend-app-api` that would result in `Cannot read properties of undefined (reading 'redacter')`.
- 5f1a92b: Use `DefaultAzureDevOpsCredentialsProvider` to retrieve credentials for Azure DevOps.
- 19a1404: Added retries for initial database creation, as well as set minimum connection pool size for the database creation client to 0 and lowered the connection acquisition timeout.
- 05508a9: Minor internal refactor
- cfc3ca6: Changes needed to support MySQL

v0.19.4

Compare Source

Patch Changes

- 5f1a92b: Use `DefaultAzureDevOpsCredentialsProvider` to retrieve credentials for Azure DevOps.
- cfc3ca6: Changes needed to support MySQL

v0.19.3

Compare Source

v0.19.2

Compare Source

Patch Changes

- 629cbd1: Use `coreServices.rootConfig` instead of `coreService.config`
- 443afcf: To improve performance, `GerritUrlReader.readTree()` now uses Gitiles to fetch an archive instead of cloning the repository. If `gitilesBaseUrl` is not configured, `readTree` still uses Git to clone the repository. Added `stripFirstDirectory` option to `ReadTreeResponseFactory.fromTarArchive()`, allowing to disable stripping first directory for `tar` archives.
- 4b82382: Fixed invalid configuration schema. The configuration schema may be more strict as a result.
- Updated dependencies

v0.19.1

Compare Source

Patch Changes

- 787ddcc: use `Readable.from` to explicitly convert the `buffer` from `node-fetch` to a `Readable` stream

v0.19.0

Compare Source

Minor Changes

- c7f848b: Support authentication with a service principal or managed identity for Azure DevOps. Azure DevOps recently released support, in public preview, for authenticating with a service principal or managed identity instead of a personal access token (PAT): https://devblogs.microsoft.com/devops/introducing-service-principal-and-managed-identity-support-on-azure-devops/. With this change the Azure integration now supports service principals and managed identities for Azure AD backed Azure DevOps organizations. Service principal and managed identity authentication is not supported on Azure DevOps Server (on-premises) organizations.

Patch Changes

- 4ef91ab: Updated the backend database connection configuration schema to set the password visibility to secret
- 52d5998: Changed the default backend CacheClient to an in-memory cache when not explicitly configured. Explicit configuration of an in-memory cache can be removed from `app-config.yaml`, as this is now the default:
- 5f2c38c: Fix SNYK-JS-FASTXMLPARSER-5668858 (`fast-xml-parser`) by upgrading aws-sdk to at least the current latest version.
- eeb3f80: `HostDiscovery` now strips trailing slashes in the `backend.baseUrl` config.
- 9f47a74: Fixed typo in HostDiscovery's JSDoc
- 810c6de: Remove unused dev dependency `aws-sdk-mock`.
- Updated dependencies

v0.18.5

Compare Source

Patch Changes

- 0297f7a: Remove the direct dependency on deprecated "request" library
- 284db22: Updated the `DatabaseManager` to include the plugin id in the Postgres application name of the database connections created for each plugin.
- 3659c71: Standardize `@aws-sdk` v3 versions
- 42d817e: Added `HostDiscovery` to supersede deprecated `SingleHostDiscovery` (deprecated due to name)

v0.18.4

Compare Source

Patch Changes

- a1002df: Support commit hashes at `GithubUrlReader.readTree/search` additionally to branch names. Additionally, this will reduce the number of API calls from 2 to 1 for retrieving the "repo details" for all cases besides when the default branch has to be resolved and used (e.g., repo URL without any branch or commit hash).
- 5c7ce58: Allow an additionalConfig to be provided to loadBackendConfig that fetches config values during runtime.
- 2b15cb4: The dependency isomorphic-git is now on version 1.23.0
- 3416727: Renamed the `loadBackendConfig` option `additionalConfig` to `additionalConfigs` as an array, and ensured that they get passed on properly. This is technically breaking, but the original addition hasn't been released in mainline yet so we are taking this step now as a `patch` change.
- 4201645: Improve GitlabUrlReader to only load requested sub-path
- Updated dependencies

v0.18.3

Compare Source

Patch Changes

- f750978: Adds config option `backend.database.role` to set ownership for newly created schemas and tables in Postgres. The example config below connects to the database as user `v-backstage-123` but sets the ownership of the created schemas and tables to `backstage`
- 928a12a: Internal refactor of `/alpha` exports.
- 52b0022: Updated dependency `msw` to `^1.0.0`.
- 87f0bbe: AwsS3UrlReader upgraded to use aws-sdk v3
- c1ee073: Added `lastModifiedAt` field on `UrlReaderService` responses and a `lastModifiedAfter` option to `UrlReaderService.readUrl`.
- 482dae5: Updated link to docs.
- Updated dependencies

v0.18.2

Compare Source

Patch Changes

- 5febb21: BREAKING: The `CacheClient` interface must now also implement the `withOptions` method. The `.get()` method has also received a type parameter that helps ensure that `undefined` in the event of a cache miss is handled. Added a `cacheToPluginCacheManager` helper that converts a `CacheService` into a legacy `PluginCacheManager` instance.
- 5febb21: Updated to match the new `CacheService` interface.
- e716946: Updated usage of the lifecycle service.
- d31d8e0: Updated to work with the new `type: 'pem'` with `createHttpServer` from `@backstage/backend-app-api`
- 0ff0331: Updated usage of `createBackendPlugin`.
- f60cca9: The `DatabaseManager.forPlugin` method now accepts additional service dependencies. There is no need to update existing code to pass these dependencies.
- 628e2bd: Updated dependency `@kubernetes/client-node` to `0.18.1`.
- Updated dependencies

v0.18.1

Compare Source

Added a new badges plugin, split into `@backstage/plugin-badges` and `@backstage/plugin-badges-backend`. The badges plugin offers a set of badges that can be used outside of your backstage deployment, showing information related to data in the catalog, such as entity owner and lifecycle data.

v0.18.0

Compare Source

Minor Changes

- 5e2cebe: BREAKING: Removed deprecated `read` method from the `UrlReader` interface. All implementations should use the `readUrl` method instead. Migrated `UrlReader` and related types to `backend/backend-plugin-api`, types remain re-exported from `backend-common` for now.

Patch Changes

- 0e63aab: Internal refactor of the logger and configuration loading implementations.
- 31e2309: Added `legacyPlugin` and the lower level `makeLegacyPlugin` wrappers that convert legacy plugins to the new backend system. This will be used to ease the future migration to the new backend system, but we discourage use of it for now.
- 8e06f3c: Added `loggerToWinstonLogger`, which was moved from `@backstage/backend-plugin-api`.
- 2b1554c: Replaced dependencies on the `Logger` type from `winston` with `LoggerService` from `@backstage/backend-plugin-api`. This is not a breaking change as the `LoggerService` is a subset of the `Logger` interface.
- 5437fe4: Migrated types related to `TokenManagerService`, `CacheService` and `DatabaseService` into backend-plugin-api.
- 6f02d23: Moved `PluginEndpointDiscovery` type from backend-common to backend-plugin-api.
- d592ec4: Updated the logger created by `createRootLogger` to make it possible to override the default `service` log label.
- b99c030: Refactor to rely on `@backstage/backend-app-api` for the implementation of `createServiceBuilder`.
- f23eef3: Updated dependency `better-sqlite3` to `^8.0.0`.

v0.17.0

Compare Source

Minor Changes

- de8a975: Changed to use native `AbortController` and `AbortSignal` from Node.js, instead of the one from `node-abort-controller`. This is possible now that the minimum supported Node.js version of the project is 16. Note that their interfaces are very slightly different, but typically not in a way that matters to consumers. If you see any typescript errors as a direct result from this, they are compatible with each other in the ways that we interact with them, and should be possible to type-cast across without ill effects.

Patch Changes

- d3fea4a: Internal fixes to avoid implicit usage of globals
- 98776e6: Fixed GitlabUrlReader to include api tokens in API calls
- 1f2b2de: exported KubernetesContainerRunner, KubernetesContainerRunnerOptions, KubernetesContainerRunnerMountBase
- 840f211: Fix `GitlabUrlReader.readTree` bug when there were no matching commits
- 20a5161: Adds MySQL support for the catalog-backend
- 3280711: Updated dependency `msw` to `^0.49.0`.
- 9ce7866: Updated dependency `@kubernetes/client-node` to `0.18.0`.
- 3c1302c: Updated dependency `@types/http-errors` to `^2.0.0`.
- 6b82598: Added the ability to understand Job Artifact URLs to the GitLab integration
- dfc8edf: Internal refactor to avoid usage of deprecated symbols.
- 8015ff1: Tweaked wording to use inclusive terminology
- 8646067: Fixed `SingleHostDiscovery` so that it properly handles single-string `backend.listen` configurations such as `:80`.

v0.16.0

Compare Source

Minor Changes

- a7607b5: BREAKING CHANGE: The `UrlReader` interface has been updated to require that `readUrl` is implemented. `readUrl` has previously been optional to implement but a warning has been logged when calling its predecessor `read`. The `read` method is now deprecated and will be removed in a future release.

Patch Changes

- 88f99b8: Bumped `tar` dependency to `^6.1.12` in order to ensure Node.js v18 compatibility.
- 5522771: Generated development HTTPS backend certificate is now checked for expiration date instead of file age.
- d05e184: This patch adds GiteaURLReader to the available classes. It currently only reads single files via gitea's public repos api
- e6ced24: Change to using `@keyv/memcache` now that `keyv-memcache` is deprecated
- 210a3b5: Small update to fix compatibility with newer versions of the `keyv` library
- cfb30b7: Pin `@kubernetes/client-node` version to `0.17.0`.
- c1784a4: Replaces in-code uses of `GitHub` with `Github` and deprecates old versions.

v0.15.2

Compare Source

Patch Changes

- e8d7976: Added back support for when no branch is provided for the Bitbucket Server `UrlReader`
- c44cf41: Fix BitBucket server integration
- c31f7cd: Fixed an issue where `getClient()` for a `pluginId` would return different clients and not share them
- 2d3a5f0: Use `response.json` rather than `response.send` where appropriate, as outlined in `SECURITY.md`
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.