[Snyk] Fix for 10 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • packages/app/package.json
  • packages/app/.snyk

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	539/1000 Why? Has a fix available, CVSS 6.5	Directory Traversal SNYK-JS-BACKSTAGETECHDOCSCOMMON-1300041	No	No Known Exploit
	454/1000 Why? Has a fix available, CVSS 4.8	Cross-site Scripting (XSS) SNYK-JS-BACKSTAGETECHDOCSCOMMON-1300048	No	No Known Exploit
	630/1000 Why? Has a fix available, CVSS 8.1	Directory Traversal SNYK-JS-BACKSTAGETECHDOCSCOMMON-1314354	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-CSSWHAT-1298035	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-IMMER-1540542	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-NTHCHECK-1586032	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @backstage/cli

The new version differs by 250 commits.

• e3718ad Merge pull request Version Packages backstage/backstage#4926 from backstage/changeset-release/master
• 42b67c3 create-app: revert to 0.3.14
• 718eea4 Version Packages
• 20d539e Merge pull request changesets: add changeset for null return from component extensions backstage/backstage#5002 from backstage/rugvip/null
• 34ff49b changesets: add changeset for null return from component extensions
• 58cb5d4 Merge pull request core-api: remove duplicate element check during traversal backstage/backstage#5000 from backstage/rugvip/duped
• 2854450 Merge pull request Changed the signature of createComponentExtension to be aligned with that of React.lazy backstage/backstage#4843 from bleathem/createComponentExtension-signature
• e906570 Merge pull request Force a release of test-utils, forgotten changeset in #4857 backstage/backstage#4998 from backstage/freben/release-test-utils
• e7f9b94 core-api: remove duplicate element check during traversal
• 8dd6d03 Merge pull request Ignore vale check for ADOPTERS.md backstage/backstage#4999 from backstage/jhaals/ignore-adopters
• 81d9883 Update .changeset/unlucky-chairs-accept.md
• 22416ce Ignore vale check for ADOPTERS.md
• 4e0b505 Force a release of test-utils, forgotten changeset in core: add SubRoutesRefs and refactor routing system backstage/backstage#4857
• e1bd13d Merge pull request chore(deps): bump @babel/plugin-transform-modules-commonjs from 7.10.4 to 7.13.8 backstage/backstage#4997 from backstage/dependabot/npm_and_yarn/babel/plugin-transform-modules-commonjs-7.13.8
• f2f5d33 chore(deps): bump @ babel/plugin-transform-modules-commonjs
• d4f2eba Changed the signature of createComponentExtension to include null
• 98e95f7 Merge pull request Add example org entities to default create-app backstage/backstage#4973 from backstage/timbonicus/add-example-org
• a0098ba Merge pull request use local version of all case conversion methods backstage/backstage#4941 from erdoganoksuz/bug-fix/locale-case
• b5fc764 Merge pull request techdocs: Update example documentation backstage/backstage#4983 from adamdmharvey/doco-examples
• cac8a2e Merge pull request Add TELUS to Adopters List backstage/backstage#4990 from mijailr/telus-adopter
• b53182b docs(adopters): add TELUS
• 9b3a205 PIP8 alignment
• 450342e Merge pull request Add Stalebot configuration backstage/backstage#4988 from backstage/jhaals/stalebot
• cd566ad Add Stalebot configuration

See the full diff

Package name: @backstage/plugin-explore

The new version differs by 250 commits.

• c7ea6b6 Merge pull request Version Packages backstage/backstage#4659 from backstage/changeset-release/master
• 801bdb9 chore: fixing versioning change
• ff2ab4f Version Packages
• 5577fcb Merge pull request cli: fix plugin template by using renderInTestApp in component test backstage/backstage#4807 from backstage/rugvip/plugtempfix
• f7f9a46 Merge pull request cli: fix for type declarations being required even if not built backstage/backstage#4806 from backstage/rugvip/typiskt
• 7117828 Merge pull request chore: make sure to throw when e2e fails backstage/backstage#4808 from backstage/blam/e2e-borked
• 946615d cli: fix plugin template by using renderInTestApp in component test
• abf64c8 Merge pull request core-api: skip wrapping the component data store in an object backstage/backstage#4802 from backstage/rugvip/onestore
• b93538a cli: fix for type declarations being required even if not built
• 3a680d5 Merge pull request changesets: add changeset for kafka-backend config packaging fix backstage/backstage#4804 from backstage/rugvip/keffka
• 2f98cf1 chore: make sure to throw when e2e fails
• 4fbc9df changesets: add changeset for kafka-backend config packaging fix
• c5a4d04 core-api: skip wrapping the component data store in an object
• f6171e4 Merge pull request chore: updating scaffolder v2 template backstage/backstage#4801 from backstage/blam/fix-scaffolder-v2
• eed2656 chore: updating scaffolder v2 template
• f5096bc Merge pull request chore(deps): bump @roadiehq/backstage-plugin-travis-ci from 0.2.8 to 0.4.5 backstage/backstage#4798 from backstage/dependabot/npm_and_yarn/roadiehq/backstage-plugin-travis-ci-0.4.5
• 9dd1e71 Merge pull request TechDocs: Improve tests to Azure Storage backstage/backstage#4567 from viavarejo/techdocs-azure-tests
• 141e9d3 Merge pull request core-api: add parameters to external type refs + reactor types backstage/backstage#4792 from backstage/feat/external-route-ref
• 0755fc6 core-api: tweak route ref types
• b9ac206 Merge pull request chore(deps): bump swagger-ui-react from 3.38.0 to 3.44.0 backstage/backstage#4795 from backstage/dependabot/npm_and_yarn/swagger-ui-react-3.44.0
• 7c71af2 Merge pull request chore(deps-dev): bump start-server-and-test from 1.11.2 to 1.12.0 backstage/backstage#4796 from backstage/dependabot/npm_and_yarn/start-server-and-test-1.12.0
• a084064 Merge pull request chore(deps): bump logform from 2.1.2 to 2.2.0 backstage/backstage#4799 from backstage/dependabot/npm_and_yarn/logform-2.2.0
• a5129f6 chore(deps): bump logform from 2.1.2 to 2.2.0
• a509894 chore(deps): bump @ roadiehq/backstage-plugin-travis-ci

See the full diff

Package name: @backstage/plugin-techdocs

The new version differs by 250 commits.

• 6305a5a Merge pull request Version Packages backstage/backstage#5131 from backstage/changeset-release/master
• 818a25e changeset(create-app): fix major version
• 8e00ab7 Version Packages
• 39f4128 Merge pull request Fix GitHubApp URL parsing so we can get a token backstage/backstage#5185 from backstage/blam/fix-github-apps-auth
• 77893b6 chore: add todo for later refactor
• 164cc4c chore: changeset
• 94d393b bug: git-url-parse needs https prefix otherwise it fails to parse. Lovely.
• d53d01d Merge pull request badges: improve test coverage. backstage/backstage#5027 from kaos/badges_test_coverage
• afd4512 Merge pull request Export apiDocsConfigRef from api-docs plugin to allow extending it with custom API renderers. backstage/backstage#5180 from SDA-SE/feat/api-docs-export
• 1eddf3c Merge pull request chore(deps): bump @testing-library/react from 11.2.5 to 11.2.6 backstage/backstage#5182 from backstage/dependabot/npm_and_yarn/testing-library/react-11.2.6
• 7aabf97 Merge pull request Make GitHub workflow run source.commit.url optional backstage/backstage#5181 from backstage/timbonicus/workflow-runs-deleted-fork
• 420b917 chore(deps): bump @ testing-library/react from 11.2.5 to 11.2.6
• 2c29611 Make source commit url optional
• 60bddef Export `apiDocsConfigRef` from `api-docs` plugin to allow extending it with custom API renderers
• aa618e5 Merge pull request Add a Bitbucket Discovery processor backstage/backstage#5149 from goober/feature/bitbucket-discovery
• bd90c8f Merge pull request #5051 entity name updated backstage/backstage#5053 from shoebsd31/master
• 1ba5d52 Merge pull request chore(deps): bump typescript from 4.1.3 to 4.2.3 backstage/backstage#5174 from backstage/dependabot/npm_and_yarn/typescript-4.2.3
• 13abbc1 Refactor the Bitbucket Discovery processor
• 4196c1e Merge pull request Avoid using Headers as it is not supported in the backend backstage/backstage#5179 from SDA-SE/feat/fix-headers
• b196a45 Avoid using Headers as it is not supported in the backend
• dd880a6 chore: fixing typescript compile errors with new `DateTimeFormatOptions`
• ee01dcf Merge pull request Make sure that Group is taken into account when filling out an org hierarchy backstage/backstage#5177 from backstage/freben/group-members
• e3f7335 Merge pull request chore(deps): bump swagger-ui-react from 3.44.0 to 3.45.1 backstage/backstage#5176 from backstage/dependabot/npm_and_yarn/swagger-ui-react-3.45.1
• 173adf6 Merge pull request feat(devops): containerized devops tasks example backstage/backstage#5172 from ericis/ericis/containerized-devops-tasks

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic