10 changes: 5 additions & 5 deletions plugins/adr-backend/package.json
@@ -28,17 +28,17 @@
"postpack": "backstage-cli package postpack"
},
"dependencies": {
"@backstage/backend-common": "workspace:^",
"@backstage/backend-common": "0.24.1",
"@backstage/backend-plugin-api": "workspace:^",
"@backstage/catalog-client": "workspace:^",
"@backstage/catalog-model": "workspace:^",
"@backstage/catalog-model": "0.1.1",
"@backstage/config": "workspace:^",
"@backstage/errors": "workspace:^",
"@backstage/integration": "workspace:^",
"@backstage/plugin-adr-common": "workspace:^",
"@backstage/plugin-search-common": "workspace:^",
"@backstage/plugin-adr-common": "0.1.0",
"@backstage/plugin-search-common": "0.3.1",
Comment on lines +31 to +39
critical

This automated change from Snyk introduces several critical issues by pinning @backstage dependencies:

  1. Breaks Monorepo Structure: It replaces workspace:^ specifiers with pinned versions. This decouples the package from the monorepo workspace, which can lead to version conflicts, increased bundle sizes, and break local development workflows.

  2. Major Downgrades: Several packages are being downgraded to very old versions, which will likely break the application. Based on the project's structure and changelogs, here are the likely downgrades:

    • @backstage/catalog-model: from a recent version (likely ~1.4.1) to 0.1.1
    • @backstage/plugin-adr-common: from a recent version (likely ~0.2.11) to 0.1.0
    • @backstage/plugin-search-common: from a recent version (likely ~1.2.5) to 0.3.1

These changes are incorrect and will likely cause the build to fail or introduce runtime errors. The vulnerabilities should be addressed by updating the underlying dependencies within the monorepo (e.g., updating ajv in @backstage/catalog-model) and then regenerating the yarn.lock file. I recommend reverting these changes.

```suggestion
    "@backstage/backend-common": "workspace:^",
    "@backstage/backend-plugin-api": "workspace:^",
    "@backstage/catalog-client": "workspace:^",
    "@backstage/catalog-model": "workspace:^",
    "@backstage/config": "workspace:^",
    "@backstage/errors": "workspace:^",
    "@backstage/integration": "workspace:^",
    "@backstage/plugin-adr-common": "workspace:^",
    "@backstage/plugin-search-common": "workspace:^",
```
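A pre-merge check for the class of change the comment above describes, added here as an example (it is not code from this PR or from the Backstage project): it compares a package.json before and after an automated bump and flags every dependency on a sibling workspace package that is no longer declared with Yarn's `workspace:` protocol. The before/after objects are constructed from the hunk above, and the set of workspace package names is an assumption stood in for reading the monorepo's manifests.

```javascript
// Added example, not code from the PR or from Backstage: detect dependencies on
// sibling monorepo packages that stopped using Yarn's workspace: protocol.

// Constructed from the hunk above: the changed @backstage entries plus express.
const beforePkg = {
  dependencies: {
    '@backstage/backend-common': 'workspace:^',
    '@backstage/backend-plugin-api': 'workspace:^',
    '@backstage/catalog-model': 'workspace:^',
    '@backstage/plugin-adr-common': 'workspace:^',
    '@backstage/plugin-search-common': 'workspace:^',
    express: '^4.17.1',
  },
};
const afterPkg = {
  dependencies: {
    '@backstage/backend-common': '0.24.1',
    '@backstage/backend-plugin-api': 'workspace:^',
    '@backstage/catalog-model': '0.1.1',
    '@backstage/plugin-adr-common': '0.1.0',
    '@backstage/plugin-search-common': '0.3.1',
    express: '^4.22.0',
  },
};

// Assumed set of packages that live in this monorepo. A real check would collect
// the "name" field of every workspace's package.json instead of using a literal.
const workspaceNames = new Set(
  Object.keys(beforePkg.dependencies).filter(n => n.startsWith('@backstage/')),
);

const DEP_FIELDS = ['dependencies', 'devDependencies', 'peerDependencies', 'optionalDependencies'];

// One finding per dependency that names a workspace package but no longer
// resolves it through workspace:, recording the range it was changed from.
function findWorkspaceRegressions(before, after, names) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    const prev = before[field] || {};
    for (const [name, range] of Object.entries(after[field] || {})) {
      if (!names.has(name) || range.startsWith('workspace:')) continue;
      findings.push({ field, name, from: prev[name] ?? null, to: range });
    }
  }
  return findings;
}

const regressions = findWorkspaceRegressions(beforePkg, afterPkg, workspaceNames);
for (const f of regressions) {
  console.log(`${f.field}: ${f.name} ${f.from} -> ${f.to} (sibling no longer linked via workspace:)`);
}
```

Wiring this into CI as a required check on package.json changes rejects a bot PR like this one before it is merged; express is not flagged because it is not a workspace package.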

"@types/express": "^4.17.6",
"express": "^4.17.1",
"express": "^4.22.0",
"express-promise-router": "^4.1.0",
"luxon": "^3.0.0",
"marked": "^4.0.14",
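Review bot: the express bump from `"^4.17.1"` to `"^4.22.0"` is the only change in this hunk that actually moves a dependency forward, but a caret range in package.json only takes effect together with a matching yarn.lock entry, and the diff shown here touches only plugins/adr-backend/package.json; confirm the lockfile is updated in the same PR, otherwise an immutable install in CI fails on the stale `express@^4.17.1` entry. The four @backstage lines that swap `workspace:^` for the published versions 0.24.1, 0.1.1, 0.1.0 and 0.3.1 should be reverted so the package keeps resolving its siblings from the monorepo, as the comment above already explains.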