[Snyk] Fix for 77 vulnerabilities

[q1blue]

Snyk has created this PR to fix 77 vulnerabilities in the yarn dependencies of this project.

Snyk changed the following file(s):

• packages/backend-next/package.json

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory.
If you are not using zero-install you can ignore this as your flow should likely be unchanged.

⚠️ Warning

Failed to update the yarn.lock, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Remote Code Execution (RCE) SNYK-JS-JSONPATHPLUS-8719585	606
	Remote Code Execution (RCE) SNYK-JS-JSONPATHPLUS-7945884	605
	Prototype Pollution SNYK-JS-LINKIFYREACT-11502190	459
	Interpretation Conflict SNYK-JS-NODEFORGE-14114940	370
	Information Exposure Through an Error Message SNYK-JS-BACKSTAGEBACKENDAPPAPI-6229731	366
	Allocation of Resources Without Limits or Throttling SNYK-JS-QS-14724253	351
	Denial of Service (DoS) SNYK-JS-HTTPPROXYMIDDLEWARE-8229906	331
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	331
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	330
	Regular Expression Denial of Service (ReDoS) SNYK-JS-CROSSSPAWN-8303230	330
	Function Call With Incorrect Argument Type SNYK-JS-CIPHERBASE-12084814	326
	Generation of Predictable Numbers or Identifiers SNYK-JS-PBKDF2-10495496	326
	Function Call With Incorrect Argument Type SNYK-JS-SHAJS-12089400	326
	Information Exposure SNYK-JS-ELLIPTIC-8720086	314
	Predictable Value Range from Previous Values SNYK-JS-FORMDATA-10841150	311
	Cross-site Scripting (XSS) SNYK-JS-WEBPACK-7840298	303
	Origin Validation Error SNYK-JS-WEBPACKDEVSERVER-10300775	296
	Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-8187303	286
	Prototype Pollution SNYK-JS-LINKIFYJS-11502189	276
	Uncontrolled Resource Consumption ('Resource Exhaustion') SNYK-JS-TAR-6476909	276
	Incomplete List of Disallowed Inputs SNYK-JS-BABELTRAVERSE-5962462	273
	Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-7577917	269
	Exposed Dangerous Method or Function SNYK-JS-WEBPACKDEVSERVER-10300777	268
	Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-7577916	262
	Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-7577918	262
	Improper Handling of Unicode Encoding SNYK-JS-TAR-15038581	260
	Uncontrolled Recursion SNYK-JS-NODEFORGE-14125745	258
	Generation of Predictable Numbers or Identifiers SNYK-JS-PBKDF2-10495498	232
	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	232
	Asymmetric Resource Consumption (Amplification) SNYK-JS-BODYPARSER-7926860	215
	Arbitrary Code Injection SNYK-JS-BACKSTAGEPLUGINTECHDOCSNODE-15166604	211
	Cross-site Scripting (XSS) SNYK-JS-ROLLUP-8073097	211
	Denial of Service (DoS) SNYK-JS-WS-7266574	199
	Path Traversal SNYK-JS-WEBPACKDEVMIDDLEWARE-6476555	189
	Information Exposure SNYK-JS-FOLLOWREDIRECTS-6444610	187
	Improper Handling of Extra Parameters SNYK-JS-FOLLOWREDIRECTS-6141137	186
	Directory Traversal SNYK-JS-TAR-15032660	186
	Use of a Cryptographic Primitive with a Risky Implementation SNYK-JS-ELLIPTIC-14908844	182
	Regular Expression Denial of Service (ReDoS) SNYK-JS-BABELHELPERS-9397697	175
	Regular Expression Denial of Service (ReDoS) SNYK-JS-BABELRUNTIME-10044504	175
	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	164
	Symlink Attack SNYK-JS-TMP-11501554	162
	Directory Traversal SNYK-JS-TAR-15127355	159
	Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') SNYK-JS-AZUREIDENTITY-7246760	156
	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	148
	Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-8172694	147
	Cross-site Scripting SNYK-JS-EXPRESS-7926867	144
	Improper Verification of Cryptographic Signature SNYK-JS-BROWSERIFYSIGN-6037026	143
	Directory Traversal SNYK-JS-BACKSTAGEPLUGINTECHDOCSNODE-15166605	139
	Regular Expression Denial of Service (ReDoS) SNYK-JS-OCTOKITREQUEST-8730853	139
	Open Redirect SNYK-JS-EXPRESS-6474509	138
	Improper Verification of Cryptographic Signature SNYK-JS-JWS-14188253	138
	Arbitrary Code Injection SNYK-JS-PRISMJS-9055448	138
	Denial of Service (DoS) SNYK-JS-GRAPHQL-5905181	132
	Cross-site Scripting (XSS) SNYK-JS-SERIALIZEJAVASCRIPT-6147607	128
	Prototype Pollution SNYK-JS-LODASH-15053838	108
	Denial of Service (DoS) SNYK-JS-NWSAPI-2841516	108
	Server-side Request Forgery (SSRF) SNYK-JS-WEBPACK-15235959	105
	Server-side Request Forgery (SSRF) SNYK-JS-WEBPACK-15235969	105
	Prototype Pollution SNYK-JS-JSYAML-13961110	101
	Resource Exhaustion SNYK-JS-JOSE-6419224	94
	Always-Incorrect Control Flow Implementation SNYK-JS-HTTPPROXYMIDDLEWARE-9691387	92
	Improper Check for Unusual or Exceptional Conditions SNYK-JS-HTTPPROXYMIDDLEWARE-9691389	92
	Integer Overflow or Wraparound SNYK-JS-NODEFORGE-14125097	91
	Cross-site Scripting SNYK-JS-SEND-7926862	87
	Cross-site Scripting SNYK-JS-SERVESTATIC-7926865	87
	Regular Expression Denial of Service (ReDoS) SNYK-JS-OCTOKITPLUGINPAGINATEREST-8730855	83
	Regular Expression Denial of Service (ReDoS) SNYK-JS-OCTOKITREQUESTERROR-8730854	83
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHTOREGEXP-7925106	78
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHTOREGEXP-8482416	78
	Regular Expression Denial of Service (ReDoS) SNYK-JS-DIFF-14917201	77
	Regular Expression Denial of Service (ReDoS) SNYK-JS-FASTXMLPARSER-7573289	57
	Uncontrolled Recursion SNYK-JS-ESLINT-15102420	56
	Inefficient Regular Expression Complexity SNYK-JS-MICROMATCH-6838728	56
	Improper Input Validation SNYK-JS-POSTCSS-5926692	56
	Cross-site Scripting (XSS) SNYK-JS-COOKIE-8163060	50
	Improper Input Validation SNYK-JS-NANOID-8492085	50

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
🦉 Information Exposure Through an Error Message
🦉 More lessons are available in Snyk Learn

[codesandbox]

Review or Edit in CodeSandbox

Open the branch in Web Editor • VS Code • Insiders

Open Preview

[gemini-code-assist]

Summary of Changes

Hello @q1blue, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request, automatically generated by Snyk, addresses 77 security vulnerabilities detected in the project's yarn dependencies. The core change involves updating several @backstage package versions within packages/backend-next/package.json to their latest secure releases. This is a critical update designed to significantly enhance the project's security posture by patching a wide array of issues.

Highlights

• Dependency Updates: Several @backstage dependencies in packages/backend-next/package.json have been updated to specific, newer versions (e.g., @backstage/backend-defaults from workspace:^ to 0.1.0, @backstage/backend-tasks from workspace:^ to 0.6.1).
• Vulnerability Remediation: This pull request aims to fix 77 identified security vulnerabilities across various yarn dependencies, including critical and high-severity issues such as Remote Code Execution (RCE), Prototype Pollution, and Denial of Service (DoS).
• Yarn Lock Warning: A warning is present indicating that the yarn.lock file was not automatically updated by Snyk and requires manual intervention before merging, which is particularly important for projects using Yarn's zero-installs feature.

Changelog

• packages/backend-next/package.json
  • Updated @backstage/backend-defaults from workspace:^ to 0.1.0
  • Updated @backstage/backend-tasks from workspace:^ to 0.6.1
  • Updated @backstage/plugin-app-backend from workspace:^ to 0.1.1
  • Updated @backstage/plugin-catalog-backend from workspace:^ to 0.1.1
  • Updated @backstage/plugin-permission-common from workspace:^ to 0.1.0
  • Updated @backstage/plugin-scaffolder-backend from workspace:^ to 0.1.1
  • Updated @backstage/plugin-techdocs-backend from workspace:^ to 0.1.1

Activity

• This pull request was automatically created by Snyk to address 77 security vulnerabilities detected in the project's dependencies.
• The PR description provides a detailed table listing all vulnerabilities being fixed, including their severity, type, and Snyk ID.
• A specific warning is included, noting that the yarn.lock file failed to update and requires manual attention.
• Guidance is provided for users utilizing Yarn's zero-installs feature, explaining the necessary step of running yarn to update the .yarn/cache/ directory.
• Links to Snyk project reports, template customization options, project settings, and interactive lessons on various vulnerability types are included for further information.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[snyk-io]

⛔ Snyk checks have failed. 3 issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (3)
⛔	Open Source Security	0	2	1	0	3 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[gemini-code-assist]

Code Review

This pull request, automatically generated by Snyk, attempts to fix 77 vulnerabilities by updating dependencies. However, there are critical issues with the proposed changes. The PR replaces workspace:^ dependencies with pinned, older versions. This breaks the monorepo's dependency structure, as it decouples this package from others in the workspace, and the significant downgrades are likely to cause breaking changes. Furthermore, the PR description explicitly states that the yarn.lock file failed to update, which means the vulnerability fixes would not be applied correctly even if the changes were valid. These changes should be rejected, and dependency vulnerabilities should be addressed by updating the relevant packages within the workspace and regenerating the lockfile.

[gemini-code-assist]

These changes are incorrect and will likely break the application.

1. Incorrectly handling Yarn Workspaces: The workspace:^ protocol is used to link packages within a monorepo. By replacing it with pinned versions, you are breaking this linkage. This package will no longer use the code from the corresponding packages in this repository, but will instead download old versions from the public registry.
2. Downgrading Dependencies: Most of the version changes are significant downgrades (e.g., @backstage/plugin-app-backend from 0.3.48-next.0 to 0.1.1). This will likely lead to build failures or runtime errors due to missing features or API changes.
3. Incomplete Fix: As noted in the PR description, yarn.lock was not updated. Without updating the lock file, these dependency changes will not take effect, and the vulnerabilities will remain.

These changes should be reverted. Vulnerabilities in workspace packages should be addressed by updating the source of the vulnerability within the monorepo and then running yarn to update the yarn.lock file.

    "@backstage/backend-defaults": "workspace:^",
    "@backstage/backend-tasks": "workspace:^",
    "@backstage/plugin-adr-backend": "workspace:^",
    "@backstage/plugin-app-backend": "workspace:^",
    "@backstage/plugin-auth-node": "workspace:^",
    "@backstage/plugin-azure-devops-backend": "workspace:^",
    "@backstage/plugin-badges-backend": "workspace:^",
    "@backstage/plugin-catalog-backend": "workspace:^",
    "@backstage/plugin-catalog-backend-module-unprocessed": "workspace:^",
    "@backstage/plugin-devtools-backend": "workspace:^",
    "@backstage/plugin-entity-feedback-backend": "workspace:^",
    "@backstage/plugin-kubernetes-backend": "workspace:^",
    "@backstage/plugin-lighthouse-backend": "workspace:^",
    "@backstage/plugin-linguist-backend": "workspace:^",
    "@backstage/plugin-permission-backend": "workspace:^",
    "@backstage/plugin-permission-common": "workspace:^",
    "@backstage/plugin-permission-node": "workspace:^",
    "@backstage/plugin-scaffolder-backend": "workspace:^",
    "@backstage/plugin-search-backend": "workspace:^",
    "@backstage/plugin-search-backend-module-catalog": "workspace:^",
    "@backstage/plugin-search-backend-module-explore": "workspace:^",
    "@backstage/plugin-search-backend-module-techdocs": "workspace:^",
    "@backstage/plugin-search-backend-node": "workspace:^",
    "@backstage/plugin-techdocs-backend": "workspace:^"

[github-actions]

This PR has been automatically marked as stale because it has not had recent activity from the author. It will be closed if no further activity occurs. If the PR was closed and you want it re-opened, let us know and we'll re-open the PR so that you can continue the contribution!