Update dependency @backstage/backend-common to v0.19.10 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@backstage/backend-common (source)	0.15.1 -> 0.19.10

GitHub Vulnerability Alerts

CVE-2024-26150

Impact

Paths checks with the resolveSafeChildPath utility were not exhaustive enough, leading to risk of path traversal vulnerabilities if symlinks can be injected by attackers.

Patches

Patched in @backstage/backend-common version 0.21.1.
Patched in @backstage/backend-common version 0.20.2.
Patched in @backstage/backend-common version 0.19.10.

For more information

If you have any questions or comments about this advisory:

• Open an issue in the Backstage repository
• Visit our Discord, linked to in Backstage README

---

Release Notes

backstage/backstage (@​backstage/backend-common)

v0.19.10

Compare Source

v0.19.9

Compare Source

Patch Changes

• aa13482: Limit the database creation concurrency to one, defensively
• 013611b: knex has been bumped to major version 3 and better-sqlite3 to major version 9, which deprecate node 16 support.
• 3d04352: Updated dependency aws-sdk-client-mock to ^3.0.0.
• Updated dependencies
  • @​backstage/config-loader@​1.5.3
  • @​backstage/integration@​1.7.2
  • @​backstage/backend-plugin-api@​0.6.7
  • @​backstage/integration-aws-node@​0.1.8
  • @​backstage/backend-app-api@​0.5.8
  • @​backstage/backend-dev-utils@​0.1.2
  • @​backstage/cli-common@​0.1.13
  • @​backstage/config@​1.1.1
  • @​backstage/errors@​1.2.3
  • @​backstage/types@​1.1.1

v0.19.8

Compare Source

Patch Changes

• 74491c9: The HostDiscovery export has been deprecated, import it from @backstage/backend-app-api instead.
• b95d66d: Properly close write stream when writing temporary archive for processing zip-based .readTree() responses.
• b94f322: Added the ability to fetch git tags through the Git class. This is useful for scaffolder actions that want to take action based on tag versions in a cloned repository
• 0b55f77: Removed some unused dependencies
• 4c39e38: Added /testUtils entry point, with a utility for mocking resolve package paths as returned by resolvePackagePath.
• 9101c0d: Updated dependency @kubernetes/client-node to 0.19.0.
• a250ad7: Removed mock-fs dev dependency.
• 2a40cd4: Adds the optional flag for useRedisSets for the Redis cache to the config.
• 1c3d6fa: The useHotCleanup and useHotMemoize helpers are now deprecated, since hot module reloads for backend are being phased out.
• Updated dependencies
  • @​backstage/integration@​1.7.1
  • @​backstage/backend-dev-utils@​0.1.2
  • @​backstage/config-loader@​1.5.1
  • @​backstage/errors@​1.2.3
  • @​backstage/cli-common@​0.1.13
  • @​backstage/backend-app-api@​0.5.6
  • @​backstage/backend-plugin-api@​0.6.6
  • @​backstage/config@​1.1.1
  • @​backstage/integration-aws-node@​0.1.7
  • @​backstage/types@​1.1.1

v0.19.7

Compare Source

Patch Changes

• b94f322: Added the ability to fetch git tags through the Git class. This is useful for scaffolder actions that want to take action based on tag versions in a cloned repository
• Updated dependencies
  • @​backstage/backend-dev-utils@​0.1.2-next.0
  • @​backstage/backend-app-api@​0.5.5-next.1
  • @​backstage/backend-plugin-api@​0.6.5-next.1
  • @​backstage/config@​1.1.0
  • @​backstage/integration-aws-node@​0.1.6
  • @​backstage/cli-common@​0.1.13-next.0
  • @​backstage/config-loader@​1.5.1-next.0
  • @​backstage/errors@​1.2.2
  • @​backstage/integration@​1.7.1-next.0
  • @​backstage/types@​1.1.1

v0.19.6

Compare Source

v0.19.5

Compare Source

Patch Changes

• 6847cd6: Avoid starting database keepalive loop in tests.
• fd3fdd0: The root logger is now initialized lazily, fixing a circular dependency issue with @backstage/backend-app-api that would result in Cannot read properties of undefined (reading 'redacter').
• 5f1a92b: Use DefaultAzureDevOpsCredentialsProvider to retrieve credentials for Azure DevOps.
• 19a1404: Added retries for initial database creation, as well as set minimum connection pool size for the database creation client to 0 and lowered the connection acquisition timeout.
• 05508a9: Minor internal refactor
• cfc3ca6: Changes needed to support MySQL
• Updated dependencies
  • @​backstage/backend-app-api@​0.5.3
  • @​backstage/config@​1.1.0
  • @​backstage/errors@​1.2.2
  • @​backstage/integration@​1.7.0
  • @​backstage/types@​1.1.1
  • @​backstage/backend-plugin-api@​0.6.3
  • @​backstage/config-loader@​1.5.0
  • @​backstage/backend-dev-utils@​0.1.1
  • @​backstage/cli-common@​0.1.12
  • @​backstage/integration-aws-node@​0.1.6

v0.19.4

Compare Source

Patch Changes

• 5f1a92b: Use DefaultAzureDevOpsCredentialsProvider to retrieve credentials for Azure DevOps.
• cfc3ca6: Changes needed to support MySQL
• Updated dependencies
  • @​backstage/integration@​1.7.0-next.0
  • @​backstage/config-loader@​1.5.0-next.0
  • @​backstage/backend-app-api@​0.5.2-next.0
  • @​backstage/backend-dev-utils@​0.1.1
  • @​backstage/backend-plugin-api@​0.6.2-next.0
  • @​backstage/cli-common@​0.1.12
  • @​backstage/config@​1.0.8
  • @​backstage/errors@​1.2.1
  • @​backstage/integration-aws-node@​0.1.5
  • @​backstage/types@​1.1.0

v0.19.3

Compare Source

v0.19.2

Compare Source

Patch Changes

• 629cbd1: Use coreServices.rootConfig instead of coreService.config

• 443afcf: To improve performance, GerritUrlReader.readTree() now uses Gitiles to fetch an archive instead of cloning the repository.
  If gitilesBaseUrl is not configured, readTree still uses Git to clone the repository.

  Added stripFirstDirectory option to ReadTreeResponseFactory.fromTarArchive(), allowing to disable stripping first directory
  for tar archives.

• 4b82382: Fixed invalid configuration schema. The configuration schema may be more strict as a result.

• Updated dependencies

  • @​backstage/backend-app-api@​0.5.0
  • @​backstage/config-loader@​1.4.0
  • @​backstage/backend-plugin-api@​0.6.0
  • @​backstage/integration@​1.6.0
  • @​backstage/integration-aws-node@​0.1.5
  • @​backstage/backend-dev-utils@​0.1.1
  • @​backstage/cli-common@​0.1.12
  • @​backstage/config@​1.0.8
  • @​backstage/errors@​1.2.1
  • @​backstage/types@​1.1.0

v0.19.1

Compare Source

Patch Changes

• 787ddcc: use Readable.from to explicitly convert the buffer from node-fetch to a Readable stream
• Updated dependencies
  • @​backstage/errors@​1.2.1
  • @​backstage/backend-app-api@​0.4.5
  • @​backstage/backend-dev-utils@​0.1.1
  • @​backstage/backend-plugin-api@​0.5.4
  • @​backstage/cli-common@​0.1.12
  • @​backstage/config@​1.0.8
  • @​backstage/config-loader@​1.3.2
  • @​backstage/integration@​1.5.1
  • @​backstage/integration-aws-node@​0.1.5
  • @​backstage/types@​1.1.0

v0.19.0

Compare Source

Minor Changes

• c7f848b: Support authentication with a service principal or managed identity for Azure DevOps

  Azure DevOps recently released support, in public preview, for authenticating with a service principal or managed identity instead of a personal access token (PAT): https://devblogs.microsoft.com/devops/introducing-service-principal-and-managed-identity-support-on-azure-devops/. With this change the Azure integration now supports service principals and managed identities for Azure AD backed Azure DevOps organizations. Service principal and managed identity authentication is not supported on Azure DevOps Server (on-premises) organizations.

Patch Changes

• 4ef91ab: Updated the backend database connection configuration schema to set the password visibility to secret

• 52d5998: Changed the default backend CacheClient to an in-memory cache when not explicitly configured.

  Explicit configuration of an in-memory cache can be removed from app-config.yaml, as this is now the default:

  backend:
  -  cache:
  -    store: memory

• 5f2c38c: Fix SNYK-JS-FASTXMLPARSER-5668858 (fast-xml-parser) by upgrading aws-sdk to at least the current latest version.

• eeb3f80: HostDiscovery now strips trailing slashes in the backend.baseUrl config.

• 9f47a74: Fixed typo in HostDiscovery's JSDoc

• 810c6de: Remove unused dev dependency aws-sdk-mock.

• Updated dependencies

  • @​backstage/types@​1.1.0
  • @​backstage/integration-aws-node@​0.1.4
  • @​backstage/config-loader@​1.3.1
  • @​backstage/integration@​1.5.0
  • @​backstage/errors@​1.2.0
  • @​backstage/backend-app-api@​0.4.4
  • @​backstage/backend-plugin-api@​0.5.3
  • @​backstage/backend-dev-utils@​0.1.1
  • @​backstage/cli-common@​0.1.12
  • @​backstage/config@​1.0.8

v0.18.5

Compare Source

Patch Changes

• 0297f7a: Remove the direct dependency on deprecated "request" library
• 284db22: Updated the DatabaseManager to include the plugin id in the Postgres application name of the database connections created for each plugin.
• 3659c71: Standardize @aws-sdk v3 versions
• 42d817e: Added HostDiscovery to supersede deprecated SingleHostDiscovery (deprecated due to name)
• Updated dependencies
  • @​backstage/config-loader@​1.3.0
  • @​backstage/integration@​1.4.5
  • @​backstage/integration-aws-node@​0.1.3
  • @​backstage/backend-app-api@​0.4.3
  • @​backstage/backend-dev-utils@​0.1.1
  • @​backstage/backend-plugin-api@​0.5.2
  • @​backstage/cli-common@​0.1.12
  • @​backstage/config@​1.0.7
  • @​backstage/errors@​1.1.5
  • @​backstage/types@​1.0.2

v0.18.4

Compare Source

Patch Changes

• a1002df: Support commit hashes at GithubUrlReader.readTree/search additionally to branch names.

  Additionally, this will reduce the number of API calls from 2 to 1 for retrieving the "repo details"
  for all cases besides when the default branch has to be resolved and used
  (e.g., repo URL without any branch or commit hash).

• 5c7ce58: Allow an additionalConfig to be provided to loadBackendConfig that fetches config values during runtime.

• 2b15cb4: The dependency isomorphic-git is now on version 1.23.0

• 3416727: Renamed the loadBackendConfig option additionalConfig to additionalConfigs as an array, and ensured that they get passed on properly.

  This is technically breaking, but the original addition hasn't been released in mainline yet so we are taking this step now as a patch change.

• 4201645: Improve GitlabUrlReader to only load requested sub-path

• Updated dependencies

  • @​backstage/config-loader@​1.2.0
  • @​backstage/backend-app-api@​0.4.2
  • @​backstage/integration@​1.4.4
  • @​backstage/backend-dev-utils@​0.1.1
  • @​backstage/backend-plugin-api@​0.5.1
  • @​backstage/cli-common@​0.1.12
  • @​backstage/config@​1.0.7
  • @​backstage/errors@​1.1.5
  • @​backstage/integration-aws-node@​0.1.2
  • @​backstage/types@​1.0.2

v0.18.3

Compare Source

Patch Changes

• f750978: Adds config option backend.database.role to set ownership for newly created schemas and tables in Postgres

  The example config below connects to the database as user v-backstage-123 but sets the ownership of
  the create schemas and tables to backstage

  backend:
    database:
      client: pg
      pluginDivisionMode: schema
      role: backstage
      connection:
        user: v-backstage-123
        ...

• 928a12a: Internal refactor of /alpha exports.

• 52b0022: Updated dependency msw to ^1.0.0.

• 87f0bbe: AwsS3UrlReader upgraded to use aws-sdk v3

• c1ee073: Added lastModifiedAt field on UrlReaderService responses and a lastModifiedAfter option to UrlReaderService.readUrl.

• 482dae5: Updated link to docs.

• Updated dependencies

  • @​backstage/errors@​1.1.5
  • @​backstage/backend-plugin-api@​0.5.0
  • @​backstage/backend-app-api@​0.4.1
  • @​backstage/config-loader@​1.1.9
  • @​backstage/integration@​1.4.3
  • @​backstage/backend-dev-utils@​0.1.1
  • @​backstage/cli-common@​0.1.12
  • @​backstage/config@​1.0.7
  • @​backstage/integration-aws-node@​0.1.2
  • @​backstage/types@​1.0.2

v0.18.2

Compare Source

Patch Changes

• 5febb21: BREAKING: The CacheClient interface must now also implement the withOptions method. The .get() method has also received a type parameter that helps ensure that undefined in the event of a cache miss is handled.

  Added a cacheToPluginCacheManager helper that converts a CacheService into a legacy PluginCacheManager instance.

• 5febb21: Updated to match the new CacheService interface.

• e716946: Updated usage of the lifecycle service.

• d31d8e0: Updated to work with the new type: 'pem' with createHttpServer from @backstage/backend-app-api

• 0ff0331: Updated usage of createBackendPlugin.

• f60cca9: The DatabaseManager.forPlugin method now accepts additional service dependencies. There is no need to update existing code to pass these dependencies.

• 628e2bd: Updated dependency @kubernetes/client-node to 0.18.1.

• Updated dependencies

  • @​backstage/backend-app-api@​0.4.0
  • @​backstage/backend-plugin-api@​0.4.0
  • @​backstage/backend-dev-utils@​0.1.0
  • @​backstage/cli-common@​0.1.11
  • @​backstage/config@​1.0.6
  • @​backstage/config-loader@​1.1.8
  • @​backstage/errors@​1.1.4
  • @​backstage/integration@​1.4.2
  • @​backstage/types@​1.0.2

v0.18.1

Compare Source

Added a new badges plugin, split into @backstage/plugin-badges and @backstage/plugin-badges-backend.

The badges plugin offers a set of badges that can be used outside of your backstage deployment, showing information related to data in the catalog, such as entity owner and lifecycle data.

v0.18.0

Compare Source

Minor Changes

• 5e2cebe: BREAKING: Removed deprecated read method from the UrlReader interface. All implementations should use the readUrl method instead.

  Migrated UrlReader and related types to backend/backend-plugin-api, types remain re-exported from backend-common for now.

Patch Changes

• 0e63aab: Internal refactor of the logger and configuration loading implementations.
• 31e2309: Added legacyPlugin and the lower level makeLegacyPlugin wrappers that convert legacy plugins to the new backend system. This will be used to ease the future migration to the new backend system, but we discourage use of it for now.
• 8e06f3c: Added loggerToWinstonLogger, which was moved from @backstage/backend-plugin-api.
• 2b1554c: Replaced dependencies on the Logger type from winston with LoggerService from @backstage/backend-plugin-api. This is not a breaking change as the LoggerService is a subset of the Logger interface.
• 5437fe4: Migrated types related to TokenManagerService, CacheService and DatabaseService into backend-plugin-api.
• 6f02d23: Moved PluginEndpointDiscovery type from backend-common to backend-plugin-api.
• d592ec4: Updated the logger created by createRootLogger to make it possible to override the default service log label.
• b99c030: Refactor to rely on @backstage/backend-app-api for the implementation of createServiceBuilder.
• f23eef3: Updated dependency better-sqlite3 to ^8.0.0.
• Updated dependencies
  • @​backstage/backend-plugin-api@​0.3.0
  • @​backstage/backend-app-api@​0.3.0
  • @​backstage/config@​1.0.6
  • @​backstage/cli-common@​0.1.11
  • @​backstage/config-loader@​1.1.8
  • @​backstage/errors@​1.1.4
  • @​backstage/integration@​1.4.2
  • @​backstage/types@​1.0.2

v0.17.0

Compare Source

Minor Changes

• de8a975: Changed to use native AbortController and AbortSignal from Node.js, instead
  of the one from node-abort-controller. This is possible now that the minimum
  supported Node.js version of the project is 16.

  Note that their interfaces are very slightly different, but typically not in a
  way that matters to consumers. If you see any typescript errors as a direct
  result from this, they are compatible with each other in the ways that we
  interact with them, and should be possible to type-cast across without ill
  effects.

Patch Changes

• d3fea4a: Internal fixes to avoid implicit usage of globals
• 98776e6: Fixed GitlabUrlReader to include api tokens in API calls
• 1f2b2de: exported KubernetesContainerRunner, KubernetesContainerRunnerOptions, KubernetesContainerRunnerMountBase
• 840f211: Fix GitlabUrlReader.readTree bug when there were no matching commits
• 20a5161: Adds MySQL support for the catalog-backend
• 3280711: Updated dependency msw to ^0.49.0.
• 9ce7866: Updated dependency @kubernetes/client-node to 0.18.0.
• 3c1302c: Updated dependency @types/http-errors to ^2.0.0.
• 6b82598: Added the ability to understand Job Artifact URLs to the GitLab integration
• dfc8edf: Internal refactor to avoid usage of deprecated symbols.
• 8015ff1: Tweaked wording to use inclusive terminology
• 8646067: Fixed SingleHostDiscovery so that it properly handles single-string backend.listen configurations such as :80.
• Updated dependencies
  • @​backstage/errors@​1.1.4
  • @​backstage/config-loader@​1.1.7
  • @​backstage/integration@​1.4.1
  • @​backstage/types@​1.0.2
  • @​backstage/cli-common@​0.1.11
  • @​backstage/config@​1.0.5

v0.16.0

Compare Source

Minor Changes

• a7607b5: BREAKING CHANGE: The UrlReader interface has been updated to require that readUrl is implemented. readUrl has previously been optional to implement but a warning has been logged when calling its predecessor read.
  The read method is now deprecated and will be removed in a future release.

Patch Changes

• 88f99b8: Bumped tar dependency to ^6.1.12 in order to ensure Node.js v18 compatibility.
• 5522771: Generated development HTTPS backend certificate is now checked for expiration date instead of file age.
• d05e184: This patch adds GiteaURLReader to the available classes. It currently only reads single files via gitea's public repos api
• e6ced24: Change to using @keyv/memcache now that keyv-memcache is deprecated
• 210a3b5: Small update to fix compatibility with newer versions of the keyv library
• cfb30b7: Pin @kubernetes/client-node version to 0.17.0.
• c1784a4: Replaces in-code uses of GitHub with Github and deprecates old versions.
• Updated dependencies
  • @​backstage/integration@​1.4.0
  • @​backstage/types@​1.0.1
  • @​backstage/cli-common@​0.1.10
  • @​backstage/config@​1.0.4
  • @​backstage/config-loader@​1.1.6
  • @​backstage/errors@​1.1.3

v0.15.2

Compare Source

Patch Changes

• e8d7976: Added back support for when no branch is provided for the Bitbucket Server UrlReader
• c44cf41: Fix BitBucket server integration
• c31f7cd: Fixed an issue where getClient() for a pluginId would return different clients and not share them
• 2d3a5f0: Use response.json rather than response.send where appropriate, as outlined in SECURITY.md
• Updated dependencies
  • @​backstage/cli-common@​0.1.10
  • @​backstage/config@​1.0.3
  • @​backstage/config-loader@​1.1.5
  • @​backstage/errors@​1.1.2
  • @​backstage/integration@​1.3.2
  • @​backstage/types@​1.0.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[renovate]

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock

Internal Error: Error when performing the request to https://registry.npmjs.org/yarn; for troubleshooting help, see https://github.com/nodejs/corepack#troubleshooting
    at fetch (/opt/containerbase/tools/corepack/0.26.0/16.20.2/node_modules/corepack/dist/lib/corepack.cjs:22878:11)
    at async fetchAsJson (/opt/containerbase/tools/corepack/0.26.0/16.20.2/node_modules/corepack/dist/lib/corepack.cjs:22892:20)
    at async fetchLatestStableVersion (/opt/containerbase/tools/corepack/0.26.0/16.20.2/node_modules/corepack/dist/lib/corepack.cjs:22942:20)
    at async fetchLatestStableVersion2 (/opt/containerbase/tools/corepack/0.26.0/16.20.2/node_modules/corepack/dist/lib/corepack.cjs:22975:14)
    at async Engine.getDefaultVersion (/opt/containerbase/tools/corepack/0.26.0/16.20.2/node_modules/corepack/dist/lib/corepack.cjs:23537:25)
    at async Engine.executePackageManagerRequest (/opt/containerbase/tools/corepack/0.26.0/16.20.2/node_modules/corepack/dist/lib/corepack.cjs:23644:30)
    at async BinaryCommand.validateAndExecute (/opt/containerbase/tools/corepack/0.26.0/16.20.2/node_modules/corepack/dist/lib/corepack.cjs:21164:22)
    at async _Cli.run (/opt/containerbase/tools/corepack/0.26.0/16.20.2/node_modules/corepack/dist/lib/corepack.cjs:22139:18)
    at async Object.runMain (/opt/containerbase/tools/corepack/0.26.0/16.20.2/node_modules/corepack/dist/lib/corepack.cjs:24371:12)