Skip to content

[Snyk] Fix for 2 vulnerabilities #12423

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
q1blue wants to merge 1 commit into from
Closed

[Snyk] Fix for 2 vulnerabilities #12423

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions plugins/azure-sites/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,11 +32,11 @@
"postpack": "backstage-cli package postpack"
},
"dependencies": {
"@backstage/catalog-model": "workspace:^",
"@backstage/catalog-model": "0.1.1",
"@backstage/core-components": "workspace:^",
"@backstage/core-plugin-api": "workspace:^",
"@backstage/plugin-azure-sites-common": "workspace:^",
"@backstage/plugin-catalog-react": "workspace:^",
"@backstage/plugin-azure-sites-common": "0.1.0",
"@backstage/plugin-catalog-react": "1.0.0",
Comment on lines +35 to +39
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist Bot Feb 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

These changes introduce significant downgrades to several packages, which is likely to cause breaking changes and conflicts within the monorepo. Changing from workspace:^ to specific, older versions breaks the linkage to the local packages in the workspace and introduces outdated code.

For example:

  • @backstage/catalog-model is downgraded from a workspace version (likely 1.4.1) to 0.1.1.
  • @backstage/plugin-catalog-react is downgraded from a workspace version (likely 1.8.1-next.0) to 1.0.0.

This is a very risky approach to fixing transitive dependency vulnerabilities. A better approach in a yarn workspace monorepo is to use the resolutions field in the root package.json to enforce a specific, non-vulnerable version of the transitive dependencies (ajv and qs) across all packages. This avoids downgrading direct dependencies and maintains consistency across the monorepo.

The fact that Snyk failed to update yarn.lock is a strong indication that these changes introduce dependency conflicts.

It is strongly recommended to revert these changes and use resolutions instead.

    "@backstage/catalog-model": "workspace:^",
    "@backstage/core-components": "workspace:^",
    "@backstage/core-plugin-api": "workspace:^",
    "@backstage/plugin-azure-sites-common": "workspace:^",
    "@backstage/plugin-catalog-react": "workspace:^"

"@backstage/theme": "workspace:^",
"@material-ui/core": "^4.12.2",
"@material-ui/icons": "^4.9.1",
Expand Down
Loading