Update dependency @backstage/plugin-auth-backend to v0.27.1 [SECURITY] #8113
base: main
| @@ -0,0 +1,5 @@ | ||
| --- | ||
| '@backstage-community/plugin-azure-sites-backend': patch | ||
| --- | ||
|
|
||
| Updated dependency `@backstage/plugin-auth-backend` to `^0.27.0`. |
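Review bot: the changeset's last line records the bump as `^0.27.0`, while the PR title is "Update dependency @backstage/plugin-auth-backend to v0.27.1 [SECURITY]"; the changeset is what lands in the published CHANGELOG, so it should name the minimum the fix actually needs (`^0.27.1`) and say it is a security bump, otherwise consumers reading the release notes cannot tell which entry to look for when checking whether they are patched.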
@@ -58,7 +58,7 @@ | |||||||||||||
| "devDependencies": { | ||||||||||||||
| "@backstage/backend-defaults": "^0.15.1", | ||||||||||||||
| "@backstage/cli": "^0.35.3", | ||||||||||||||
| "@backstage/plugin-auth-backend": "^0.26.0", | ||||||||||||||
| "@backstage/plugin-auth-backend": "^0.27.0", | ||||||||||||||
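Review bot: the new range `"@backstage/plugin-auth-backend": "^0.27.0"` has 0.27.0 as its lower bound, so it does not exclude the release the PR title says is being replaced by v0.27.1; use `"^0.27.1"`. Note also that the line sits under `"devDependencies"`, so the range only governs this repository's own install and test run, not what a consumer of `@backstage-community/plugin-azure-sites-backend` resolves; the effective fix for this repo is the lockfile entry, so confirm it resolves to 0.27.1 or later once the range is raised.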
Suggested change:
-    "@backstage/plugin-auth-backend": "^0.27.0",
+    "@backstage/plugin-auth-backend": "^0.27.1",
Copilot (AI), Apr 17, 2026:
Same security concern: ^0.27.0 includes the vulnerable 0.27.0; the patch is in 0.27.1+. Please bump the range to ^0.27.1 (or higher).
Suggested change:
-    "@backstage/plugin-auth-backend": "^0.27.0",
+    "@backstage/plugin-auth-backend": "^0.27.1",
Copilot (AI), Apr 17, 2026:
Because this PR is addressing CVEs fixed in @backstage/plugin-auth-backend >= 0.27.1, using the semver range "^0.27.0" still allows installing 0.27.0 (vulnerable). Bump the minimum to at least "^0.27.1" (or pin to the patched patch-level you intend, e.g. "^0.27.3") so downstream consumers can’t resolve the vulnerable version.
Suggested change:
-    "@backstage/plugin-auth-backend": "^0.27.0",
+    "@backstage/plugin-auth-backend": "^0.27.1",
| @@ -0,0 +1,5 @@ | ||
| --- | ||
| '@backstage-community/plugin-feedback-backend': patch | ||
| --- | ||
|
|
||
| Updated dependency `@backstage/plugin-auth-backend` to `^0.27.0`. |
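Review bot: same mismatch as the azure-sites changeset: this line says `^0.27.0` although the PR is titled for v0.27.1 [SECURITY]. Keep the changeset in step with the package.json range it describes, or the generated CHANGELOG will state a minimum that still admits the very version the PR is meant to move off.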
@@ -57,7 +57,7 @@ | |||||||||
| }, | ||||||||||
| "devDependencies": { | ||||||||||
| "@backstage/cli": "^0.33.1", | ||||||||||
| "@backstage/plugin-auth-backend": "^0.25.2", | ||||||||||
| "@backstage/plugin-auth-backend": "^0.27.0", | ||||||||||
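Review bot: the range moves from `^0.25.2` to `^0.27.0`, which still has 0.27.0 as its lower bound; raise it to `^0.27.1` so an install cannot resolve the version this security PR is replacing. The jump also crosses two minor versions of a 0.x package (0.25 to 0.27), which caret ranges treat as incompatible, so run this plugin's tests against the new auth backend rather than merging on the dependency diff alone; since the entry is a devDependency, the lockfile's resolved version is what actually decides which release gets tested.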
Suggested change:
-    "@backstage/plugin-auth-backend": "^0.27.0",
+    "@backstage/plugin-auth-backend": "^0.27.1",
Copilot (AI), Apr 16, 2026:
This security update is patched starting in @backstage/plugin-auth-backend 0.27.1, but the declared range is ^0.27.0 which still allows installing the vulnerable 0.27.0. Bump the minimum to ^0.27.1 (or higher) to ensure the patched version is always selected, and keep the changeset text in sync.
Suggested change:
-    "@backstage/plugin-auth-backend": "^0.27.0",
+    "@backstage/plugin-auth-backend": "^0.27.1",
Copilot (AI), Apr 17, 2026:
The dependency range ^0.27.0 still permits selecting 0.27.0, but the PR description indicates the security fixes are in 0.27.1+. Consider bumping this to ^0.27.1 (or equivalent) to enforce the patched minimum.
The dependency is updated to `^0.27.0`, which still permits `0.27.0`. Given the PR is addressing vulnerabilities patched in `0.27.1+`, raise the minimum version (e.g., `^0.27.1`) to ensure the vulnerable release can't be selected in future installs.
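The whole thread turns on caret-range semantics: `^0.27.0` admits 0.27.0 while `^0.27.1` does not, and a caret range on a 0.x version never reaches the next minor, so the pre-PR `^0.25.2` could not have picked up 0.27.1 at all. The following is an added example, not code from this PR or from the Backstage project, that checks a package.json dependency range against the first patched version without relying on the `semver` package; the package.json object is constructed from the azure-sites-backend hunk above, and `caretAllows`, `caretBounds` and `auditDependency` are names chosen here.

```javascript
// Added example (not part of the PR or of Backstage): dependency-free check of
// whether a caret range in package.json still admits a version below the first
// patched release, and whether it can reach that patched release at all.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 comparing version a to b, field by field, numerically.
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Bounds of a caret range as npm resolves it: the (exclusive) upper bound stops
// at the first non-zero component of the stated version, so ^0.27.0 means
// >=0.27.0 <0.28.0 (a 0.x minor bump is treated as breaking), while ^1.2.3
// means >=1.2.3 <2.0.0.
function caretBounds(range) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges handled here: ${range}`);
  const [major, minor, patch] = parseVersion(range.slice(1));
  let upper;
  if (major > 0) upper = [major + 1, 0, 0];
  else if (minor > 0) upper = [0, minor + 1, 0];
  else upper = [0, 0, patch + 1];
  return { lower: `${major}.${minor}.${patch}`, upperExclusive: upper.join('.') };
}

// True when `version` satisfies the caret range.
function caretAllows(range, version) {
  const { lower, upperExclusive } = caretBounds(range);
  return compareVersions(version, lower) >= 0 && compareVersions(version, upperExclusive) < 0;
}

// Audit one dependency across the three dependency fields. `patchedIn` is the
// first fixed release; every version below it is treated as vulnerable, which
// is the shape of this PR's advisory (fix in 0.27.1 and later).
function auditDependency(pkg, depName, patchedIn) {
  const results = [];
  for (const field of ['dependencies', 'devDependencies', 'peerDependencies']) {
    const range = pkg[field] && pkg[field][depName];
    if (!range) continue;
    const { lower, upperExclusive } = caretBounds(range);
    results.push({
      field,
      range,
      // lower bound below the fix: the range can still resolve a vulnerable version
      admitsVulnerable: compareVersions(lower, patchedIn) < 0,
      // fix below the upper bound: a lockfile refresh can actually reach it
      canReachPatched: compareVersions(patchedIn, upperExclusive) < 0,
    });
  }
  return results;
}

// Constructed from the azure-sites-backend package.json hunk: the PR's "after" state.
const azureSitesPkgAfter = {
  devDependencies: {
    '@backstage/backend-defaults': '^0.15.1',
    '@backstage/cli': '^0.35.3',
    '@backstage/plugin-auth-backend': '^0.27.0',
  },
};

const report = auditDependency(azureSitesPkgAfter, '@backstage/plugin-auth-backend', '0.27.1');
for (const r of report) {
  console.log(`${r.field}: ${r.range} admitsVulnerable=${r.admitsVulnerable} canReachPatched=${r.canReachPatched}`);
}
```

A range flagged `admitsVulnerable` should be raised; one for which `canReachPatched` is false (the pre-PR `^0.25.2`) needs a new minimum before any lockfile refresh can pick up the fix. For a devDependency the lockfile's resolved version is what is actually installed and tested, so pair this check with a look at the lockfile entry itself.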