Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions workspaces/code-coverage/.changeset/renovate-56eddd7.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
---
'@backstage-community/plugin-code-coverage-backend': patch
---

Updated dependency `body-parser` to `^2.0.0`.
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,7 @@
"@backstage/errors": "backstage:^",
"@backstage/integration": "backstage:^",
"@types/express": "^4.17.6",
"body-parser": "^1.20.0",
"body-parser": "^2.0.0",

Copilot AI Apr 16, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a major body-parser upgrade, but the backend plugin’s router tests only cover the text/plain (LCOV) parsing path. Since coverageType=jacoco|cobertura relies on the XML parsing middleware (body-parser-xml wiring into body-parser), please add/extend tests to cover a text/xml POST to /report to catch any compatibility/regression issues introduced by body-parser@^2.

Copilot uses AI. Check for mistakes.

Copilot AI Apr 16, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

express (4.22.1) already brings in body-parser@~1.20.3 (see yarn.lock), so adding a direct body-parser@^2 dependency means the runtime will include two major versions. In this plugin, express.json() will continue to use Express’s transitive body-parser v1, while BodyParser.xml/text() will use v2, which can lead to inconsistent parsing behavior (e.g., req.body initialization) and makes the v2 upgrade less effective. Consider switching express.json() to BodyParser.json() (and other Express body helpers where applicable) so all parsing goes through the same major version, or otherwise document/justify the split.

Suggested change
"body-parser": "^2.0.0",
"body-parser": "^1.20.3",

Copilot uses AI. Check for mistakes.

Copilot AI Apr 17, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

body-parser@2.x requires Node.js 18+ per upstream release notes. If this plugin/workspace is expected to run on older Node versions, installs or runtime will break; ensure the package/workspace engines.node (and deployment/CI runtime) is aligned with Node 18+ as part of this upgrade.

Copilot uses AI. Check for mistakes.
"body-parser-xml": "^2.0.5",
Comment on lines +49 to 50

Copilot AI Apr 17, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

body-parser v2 is a major upgrade and this plugin uses both BodyParser.text() and BodyParser.xml() (via body-parser-xml), but the current router tests only exercise the text/plain path. To reduce upgrade risk, add a test that posts Content-Type: text/xml (or whichever XML content-type you support) through POST /report and asserts the request body is parsed and accepted (or errors as expected).

Copilot uses AI. Check for mistakes.
"express": "^4.17.1",
Comment on lines +49 to 51

Copilot AI Apr 20, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

body-parser v2 introduces breaking behavior changes (e.g., req.body left undefined unless parsed) and this plugin relies on both BodyParser.text() and body-parser-xml (BodyParser.xml()). There are tests for the text/plain path, but no coverage for the XML parser or the "missing/empty body" behavior; please add/extend tests to ensure XML uploads still parse correctly and that requests without a parsed body return the expected error after the major upgrade.

Copilot uses AI. Check for mistakes.
"express-promise-router": "^4.1.0",
Comment on lines 48 to 52

Copilot AI Apr 26, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

express@4.22.1 still pulls in body-parser@~1.20.3 (see yarn.lock), so after adding body-parser@^2 this workspace ends up with both v1 and v2 installed. If the intent of this upgrade is to pick up the v2 security fix, note that any usage of express.json() / express.urlencoded() will continue to use the v1 parser from Express. Consider switching any JSON/urlencoded parsing in the plugin to use the newly added body-parser@^2 APIs instead (or removing it if unused), otherwise scanners/runtime may still be impacted by the v1 dependency.

Copilot uses AI. Check for mistakes.
Expand Down
55 changes: 51 additions & 4 deletions workspaces/code-coverage/yarn.lock
Original file line number Diff line number Diff line change
Expand Up @@ -1247,7 +1247,7 @@ __metadata:
"@types/body-parser-xml": "npm:^2.0.2"
"@types/express": "npm:^4.17.6"
"@types/supertest": "npm:^7.0.0"
body-parser: "npm:^1.20.0"
body-parser: "npm:^2.0.0"
body-parser-xml: "npm:^2.0.5"
express: "npm:^4.17.1"
express-promise-router: "npm:^4.1.0"
Expand Down Expand Up @@ -11144,7 +11144,24 @@ __metadata:
languageName: node
linkType: hard

"body-parser@npm:^1.20.0, body-parser@npm:~1.20.3":
"body-parser@npm:^2.0.0":
version: 2.2.2
resolution: "body-parser@npm:2.2.2"
dependencies:
bytes: "npm:^3.1.2"
content-type: "npm:^1.0.5"
debug: "npm:^4.4.3"
http-errors: "npm:^2.0.0"
iconv-lite: "npm:^0.7.0"
on-finished: "npm:^2.4.1"
qs: "npm:^6.14.1"
raw-body: "npm:^3.0.1"
type-is: "npm:^2.0.1"
checksum: 10/69671f67d4d5ae5974593901a92d639757231da1725ed6de4d35e86cde9ce7650afdf1cd28df9b6f7892ea7f9eb03ccb30c70fe27d679275ae4cb4aae5ce1b21
languageName: node
linkType: hard

"body-parser@npm:~1.20.3":
version: 1.20.4
resolution: "body-parser@npm:1.20.4"
dependencies:
Expand Down Expand Up @@ -11448,7 +11465,7 @@ __metadata:
languageName: node
linkType: hard

"bytes@npm:3.1.2, bytes@npm:~3.1.2":
"bytes@npm:3.1.2, bytes@npm:^3.1.2, bytes@npm:~3.1.2":
version: 3.1.2
resolution: "bytes@npm:3.1.2"
checksum: 10/a10abf2ba70c784471d6b4f58778c0beeb2b5d405148e66affa91f23a9f13d07603d0a0354667310ae1d6dc141474ffd44e2a074be0f6e2254edb8fc21445388
Expand Down Expand Up @@ -16145,6 +16162,15 @@ __metadata:
languageName: node
linkType: hard

"iconv-lite@npm:^0.7.0, iconv-lite@npm:~0.7.0":
version: 0.7.2
resolution: "iconv-lite@npm:0.7.2"
dependencies:
safer-buffer: "npm:>= 2.1.2 < 3.0.0"
checksum: 10/24c937b532f868e938386b62410b303b7c767ce3d08dc2829cbe59464d5a26ef86ae5ad1af6b34eec43ddfea39e7d101638644b0178d67262fa87015d59f983a
languageName: node
linkType: hard

"icss-replace-symbols@npm:^1.1.0":
version: 1.1.0
resolution: "icss-replace-symbols@npm:1.1.0"
Expand Down Expand Up @@ -21346,7 +21372,16 @@ __metadata:
languageName: node
linkType: hard

"qs@npm:^6.11.0, qs@npm:^6.11.2, qs@npm:^6.12.3, qs@npm:^6.9.4, qs@npm:~6.14.0":
"qs@npm:^6.11.0, qs@npm:^6.11.2, qs@npm:^6.12.3, qs@npm:^6.14.1, qs@npm:^6.9.4":
version: 6.15.1
resolution: "qs@npm:6.15.1"
dependencies:
side-channel: "npm:^1.1.0"
checksum: 10/ec10b9957446b3f4a38000940f6374720b4e2985209b89df197066038c951472ea24cd98d6bc6df73a0cbec75bc056f638032e3fb447345017ff7e0f0a2693ac
languageName: node
linkType: hard

"qs@npm:~6.14.0":
version: 6.14.1
resolution: "qs@npm:6.14.1"
dependencies:
Expand Down Expand Up @@ -21430,6 +21465,18 @@ __metadata:
languageName: node
linkType: hard

"raw-body@npm:^3.0.1":
version: 3.0.2
resolution: "raw-body@npm:3.0.2"
dependencies:
bytes: "npm:~3.1.2"
http-errors: "npm:~2.0.1"
iconv-lite: "npm:~0.7.0"
unpipe: "npm:~1.0.0"
checksum: 10/4168c82157bd69175d5bd960e59b74e253e237b358213694946a427a6f750a18b8e150f036fed3421b3e83294b071a4e2bb01037a79ccacdac05360c63d3ebba
languageName: node
linkType: hard

"raw-loader@npm:^4.0.2":
version: 4.0.2
resolution: "raw-loader@npm:4.0.2"
Expand Down
Loading