
Update dependency @azure/identity to v4 [SECURITY] #12480

Open
renovate[bot] wants to merge 1 commit into master from renovate/npm-azure-identity-vulnerability

Conversation

@renovate renovate Bot commented Apr 15, 2026

This PR contains the following updates:

Package | Change | Age | Confidence
@azure/identity (source) | ^3.2.1 → ^4.0.0 | (age badge) | (confidence badge)

Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability

CVE-2024-35255 / GHSA-m5vv-6r4h-3vj9

More information

Details

Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability.

Severity

  • CVSS Score: 6.8 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

Azure/azure-sdk-for-js (@azure/identity)

v4.2.1

Compare Source

v4.2.0

Compare Source

v4.1.0

Compare Source

4.1.0 (2024-08-07)
Features Added
  • Vector Search: This feature introduces vector indexes, vector embedding policy and vector queries to enable vector similarity search in JS SDK. docs
  • All versions and deletes mode in change feed: The All versions and deletes mode is added in change feed mode which captures every version and every change (create, update, and delete) made to items. docs
  • Bypassing integrated cache: The option to bypass integrated cache is now available in RequestOptions. docs
  • Computed Properties: Support for adding Computed Properties in items is added. docs
  • Composite Indexing: The JS SDK now supports including composite indexes in the indexing policy, improving query performance on multiple fields. docs
  • Correlated Activity Id: Correlated Activity Id is added in header of every query request on Items. This helps in troubleshooting by linking all requests for a query that involves multiple server interactions and partitions. Correlated Activity Id can be accessed through query response headers or response.correlatedActivityId.
  • Split proof Bulk API: Earlier, whenever Bulk API encountered a partition split during processing, it would return an error message. Now, JS SDK ensures that the Bulk API is resistant to partition split. #​18682
  • Improved samples: The samples have been updated in this release, now organized into two folders: v3 for features up to the v3 release, and v4 for features up to the v4 release.
  • Added support for MakeList and MakeSet query aggregators
Vector Search
  • The following sample shows how to create a container with vector embedding and indexing policies.
// Enum values come from @azure/cosmos; `database` (a Database obtained from a
// CosmosClient) and `containerId` are assumed to already be in scope.
import {
  VectorEmbeddingDataType,
  VectorEmbeddingDistanceFunction,
  VectorIndexType,
} from "@azure/cosmos";

// define vector embedding policy (data type, dimensions and distance function per path)
const vectorEmbeddingPolicy = {
  vectorEmbeddings: [
    {
      path: "/vector1",
      dataType: VectorEmbeddingDataType.UInt8,
      dimensions: 1000,
      distanceFunction: VectorEmbeddingDistanceFunction.Euclidean,
    },
    {
      path: "/vector2",
      dataType: VectorEmbeddingDataType.Int8,
      dimensions: 200,
      distanceFunction: VectorEmbeddingDistanceFunction.DotProduct,
    },
    {
      path: "/vector3",
      dataType: VectorEmbeddingDataType.UInt8,
      dimensions: 400,
      distanceFunction: VectorEmbeddingDistanceFunction.Cosine,
    },
  ],
};

// add vector indexes in Indexing Policy (one index type per embedded path)
const indexingPolicy = {
  automatic: true,
  indexingMode: "consistent",
  vectorIndexes: [
    { path: "/vector1", type: VectorIndexType.Flat },
    { path: "/vector2", type: VectorIndexType.QuantizedFlat },
    { path: "/vector3", type: VectorIndexType.DiskANN },
  ],
};

// define and create container with vector Embedding Policy
const containerDefinition = {
  id: containerId,
  partitionKey: { paths: ["/id"] },
  indexingPolicy: indexingPolicy,
  vectorEmbeddingPolicy: vectorEmbeddingPolicy,
};
await database.containers.createIfNotExists(containerDefinition);
  • Vector Search queries without TOP or LIMIT+OFFSET are blocked by default, with an option to disable this check using allowUnboundedNonStreamingQueries in query FeedOptions. Also added an internal buffer size check to prevent excessive memory consumption, throwing errors if the buffer size exceeds the default. The max buffer size can be increased using the vectorSearchBufferSize option from query FeedOptions.
Change Feed - All versions and deletes mode
  • The AllVersionsAndDeletes mode is only supported with ChangeFeedStartFrom.Now and ChangeFeedStartFrom.Continuation.
  • To read from the change feed in all versions and deletes mode, include changeFeedMode in changeFeedIteratorOptions:
    const changeFeedIteratorOptions: ChangeFeedIteratorOptions = {
      maxItemCount: 5,
      changeFeedStartFrom: ChangeFeedStartFrom.Now(),
      changeFeedMode: ChangeFeedMode.AllVersionsAndDeletes,
    };
    const iterator = container.items.getChangeFeedIterator(changeFeedIteratorOptions);
Bypassing Integrated Cache
  • Here is a sample showing how to enable bypassIntegratedCache in RequestOptions.
  const options: RequestOptions = {bypassIntegratedCache: true};
  const response = await container.item("1").read(options);
Computed Properties
  • The following snippet configures computed properties for a container:
    const computedProperties: ComputedProperty[] = [{
      name: "lowerLastName",
      query:
        "SELECT VALUE LOWER(IS_DEFINED(c.lastName) ? c.lastName : c.parents[0].familyName) FROM c",
    },];
    const { resource: containerdef } = await database.containers.createIfNotExists({
      id: containerName,
      computedProperties: computedProperties,
      indexingPolicy: indexingPolicy,
    });
    const container: Container = database.container(containerdef.id);
Composite Indexing
  • Here's a sample of adding composite indexes for a container:
    const containerDefinition: ContainerDefinition = {
      id: "containerWithCompositeIndexingPolicy",
      indexingPolicy: {
        automatic: true,
        indexingMode: IndexingMode.consistent,
        includedPaths: [
          {
            path: "/*",
          },
        ],
        excludedPaths: [],
        compositeIndexes: [
          [
            { path: "/key", order: "ascending" },
            { path: "/field", order: "ascending" },
          ],
        ],
      },
    };
    await database.containers.create(containerDefinition);
  • Added support for passing a custom HttpClient when constructing a CosmosClient.
Breaking Changes
Dropped Support for TypeScript 4.1
  • We have opted to discontinue support for TypeScript version 4.1. Consequently, the minimum supported TypeScript version has been elevated to 4.2. Kindly ensure that your environment is promptly updated to align with these changes.
Bugs Fixed
  • Fix Bulk operations(Read, Delete, and Patch) failing due to wrong format of partition key in non-partitioned container.

v4.0.1

Compare Source

v4.0.0

Compare Source

v3.4.2

Compare Source

v3.4.1

Compare Source

v3.4.0

Compare Source

v3.3.2

Compare Source

v3.3.1

Compare Source

v3.3.0

Compare Source

v3.2.4

Compare Source


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Apr 15, 2026
@codesandbox codesandbox Bot commented Apr 15, 2026

Review or Edit in CodeSandbox

Open the branch in Web Editor / VS Code / Insiders

Open Preview


entelligence-ai-pr-reviews Bot commented Apr 15, 2026

EntelligenceAI PR Summary

Upgrades @azure/identity from ^3.2.1 to ^4.0.0 across all affected packages in the monorepo, with cascading lockfile updates.

  • packages/integration, plugins/azure-sites-backend, plugins/catalog-backend-module-msgraph, plugins/kubernetes-backend, plugins/techdocs-node: @azure/identity bumped to ^4.0.0
  • yarn.lock: Resolves @azure/identity to v4.13.x; updates @azure/core-auth, core-client, core-rest-pipeline, core-tracing, core-util, and logger to latest major versions
  • yarn.lock: Replaces @azure/msal-browser v2 / @azure/msal-node v1 with v5 / v16 counterparts
  • yarn.lock: Adds new transitive dependencies: @typespec/ts-http-runtime, agent-base@7.x, http-proxy-agent@7.x, https-proxy-agent@7.x, open@10.x
  • yarn.lock: Introduces pinned older @backstage/* packages (config, core-components, core-plugin-api, version-bridge, theme, types, errors) to satisfy legacy peer dependencies from plugin-gitops-profiles
  • yarn.lock: Pulls in a set of older npm packages (react-markdown@5, remark-gfm@1, material-table@1.69, jspdf@2.1, canvg@3, html2canvas@1, d3 v2 variants, micromark@2.x, mdast-util v0.x) required by the pinned legacy Backstage component versions

Confidence Score: 2/5 - Changes Needed

Not safe to merge — this PR upgrades @azure/identity to v4 across multiple packages, which is a legitimate security update, but two unresolved concerns block safe merging: the repo's engines.node field still declares Node.js 16 as supported while @azure/identity v4 requires Node.js >= 18, meaning Node 16 environments will silently or loudly break. Additionally, v4 introduced breaking API changes including removal and renaming of credential classes, and no validation has been performed (nor tests run) to confirm that plugins like techdocs-node, catalog-backend-module-msgraph, kubernetes-backend, and azure-sites-backend continue to function correctly after the upgrade.

Key Findings:

  • The engines.node field in packages/integration/package.json (and likely other affected package.json files) still declares 16 || 18, but @azure/identity v4 requires Node.js >= 18 — this creates a guaranteed runtime failure for any consumer or CI environment still running Node 16, which the monorepo explicitly claims to support.
  • @azure/identity v4 is a major version bump that removed and renamed credential classes and options; without explicit confirmation that plugins/techdocs-node, plugins/catalog-backend-module-msgraph, plugins/azure-sites-backend, and plugins/kubernetes-backend have been tested against v4, there is real risk of runtime credential failures in production.
  • Zero of the 6 changed files were reviewed in the current pass, and the two most critical concerns from previous reviews remain open and unresolved, indicating this PR has not yet been validated for correctness or compatibility.
  • The PR does accomplish a genuine security goal by upgrading a flagged dependency, and the lockfile changes appear consistent with the declared version bumps — the intent is sound, but the safety validation is incomplete.
Files requiring special attention
  • packages/integration/package.json
  • plugins/techdocs-node/package.json
  • plugins/catalog-backend-module-msgraph/package.json
  • plugins/kubernetes-backend/package.json
  • plugins/azure-sites-backend/package.json
  • yarn.lock


@entelligence-ai-pr-reviews entelligence-ai-pr-reviews Bot left a comment


Walkthrough

This PR upgrades the @azure/identity dependency from ^3.2.1 to ^4.0.0 across five packages in the monorepo. The yarn.lock file reflects the resolved version as v4.13.1 and includes cascading updates to related Azure SDK packages, MSAL libraries, and several other transitive dependencies, along with pinned Backstage package versions for compatibility.

Changes

File(s) | Summary
packages/integration/package.json, plugins/azure-sites-backend/package.json, plugins/catalog-backend-module-msgraph/package.json, plugins/kubernetes-backend/package.json, plugins/techdocs-node/package.json | Bumps @azure/identity dependency from ^3.2.1 to ^4.0.0 (major version upgrade).
yarn.lock | Resolves @azure/identity to v4.13.1; updates cascading Azure SDK packages (@azure/core-auth, @azure/core-client, @azure/core-rest-pipeline, @azure/core-tracing, @azure/core-util, @azure/logger); upgrades MSAL libraries (@azure/msal-browser v5, @azure/msal-common v16, @azure/msal-node v5); adds @typespec/ts-http-runtime; pins several @backstage/* packages to older versions; upgrades node-fetch to 2.7.0, cross-fetch to 3.2.0, core-js to 3.49.0, tslib to 2.8.1, dompurify to 2.5.9, react-syntax-highlighter to 15.6.6, and open to v10; adds a large set of new transitive dependencies for older Backstage component versions.

Sequence Diagram

This diagram shows the interactions between components:

sequenceDiagram
    title @azure/identity v3 -> v4 Upgrade Across Backstage Packages

    participant Integration as "@backstage/integration"
    participant AzSites as "azure-sites-backend"
    participant MsGraph as "catalog-backend-module-msgraph"
    participant K8s as "kubernetes-backend"
    participant TechDocs as "techdocs-node"
    participant Identity as "@azure/identity ^4.0.0"
    participant MSALNode as "@azure/msal-node ^5.1.0"
    participant MSALBrowser as "@azure/msal-browser ^5.5.0"
    participant MSALCommon as "@azure/msal-common 16.4.1"
    participant CoreRest as "@azure/core-rest-pipeline ^1.22.0"
    participant TypeSpec as "@typespec/ts-http-runtime ^0.3.4"
    participant OpenPkg as "open ^10.1.0"

    Note over Integration, TechDocs: All 5 packages upgrade @azure/identity 3.2.1 -> 4.0.0
    Integration->>Identity: depends on
    AzSites->>Identity: depends on
    MsGraph->>Identity: depends on
    K8s->>Identity: depends on
    TechDocs->>Identity: depends on

    Note over Identity: @azure/identity ^4.0.0 (was ^3.2.1)
    Identity->>MSALNode: @azure/msal-node ^5.1.0
    Note over MSALNode: was ^1.17.3
    Identity->>MSALBrowser: @azure/msal-browser ^5.5.0
    Note over MSALBrowser: was ^2.37.1
    MSALNode-->>MSALCommon: @azure/msal-common 16.4.1
    MSALBrowser-->>MSALCommon: @azure/msal-common 16.4.1
    Note over MSALCommon: was 13.1.0
    Identity->>CoreRest: @azure/core-rest-pipeline ^1.22.0
    Note over CoreRest: was ^1.1.0
    CoreRest->>TypeSpec: @typespec/ts-http-runtime ^0.3.4
    Note over TypeSpec: NEW — replaces direct http/https-proxy-agent deps
    TypeSpec->>TypeSpec: http-proxy-agent ^7.0.0
    TypeSpec->>TypeSpec: https-proxy-agent ^7.0.0

    Identity->>OpenPkg: open ^10.1.0
    Note over OpenPkg: was ^8.0.0
    Note over OpenPkg: New transitive deps: default-browser, is-inside-container, wsl-utils
    Note over Identity: Removed: jws, stoppable, events, uuid (direct deps)


"@aws-sdk/node-http-handler": "^3.350.0",
"@aws-sdk/types": "^3.347.0",
"@azure/identity": "^3.2.1",
"@azure/identity": "^4.0.0",
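Review bot: the range change on this line, `"@azure/identity": "^3.2.1"` to `"^4.0.0"`, establishes no patched floor by itself: `^4.0.0` still admits 4.0.0 and 4.1.0, both inside the span the release-note list above covers (v3.2.4 through v4.2.1), so the advisory fix is carried only by yarn.lock pinning 4.13.1. Declare the floor at the first patched release (the release notes end at v4.2.1, which is consistent with that being it) so a regenerated lockfile cannot resolve below the fix, and apply the same floor in the other four package.json files this PR touches.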

Correctness: Upgrading @azure/identity from ^3.2.1 to ^4.0.0 is a major version bump — v4 introduced breaking changes including removal/renaming of certain credential classes and options. The PR includes no source code changes (only package.json and yarn.lock), so any usage of removed APIs in the codebase will break at runtime without corresponding code updates.

🤖 AI Agent Prompt for Cursor/Windsurf

📋 Copy this prompt to your AI coding assistant (Cursor, Windsurf, etc.) to get help fixing this issue

In plugins/techdocs-node/package.json at line 47, `@azure/identity` was bumped from `^3.2.1` to `^4.0.0`. This is a major version upgrade with breaking changes. Search all source files in plugins/techdocs-node/src that import from `@azure/identity` and verify they are compatible with the v4 API (e.g., check for renamed or removed credential classes such as `InteractiveBrowserCredential` options changes, `TokenCredentialOptions` restructuring, etc.). Update any incompatible usages to match the v4 API surface.


augmentcode Bot commented Apr 15, 2026

🤖 Augment PR Summary

Summary: This PR upgrades the Azure Identity client library used across the repo to the v4 major line, in response to a reported security vulnerability.

Changes:

  • Bumped @azure/identity from ^3.2.1 to ^4.0.0 in packages/integration.
  • Bumped @azure/identity from ^3.2.1 to ^4.0.0 in Azure-related backend plugins (Azure Sites, MS Graph catalog module, Kubernetes backend, TechDocs node).
  • Updated the lockfile to pull in the resolved v4 dependency graph.

Technical Notes: This is a major-version upgrade; consumers should validate Azure auth flows and any Node/runtime requirements introduced by the new major.

🤖 Was this summary useful? React with 👍 or 👎


@augmentcode augmentcode Bot left a comment


Review completed. 1 suggestion posted.

Fix All in Augment

Comment augment review to trigger a new review at any time.

},
"dependencies": {
"@azure/identity": "^3.2.1",
"@azure/identity": "^4.0.0",
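Review bot: this hunk raises the dependency's runtime requirement without touching the `engines` field of the same package.json, which the review comment below reports still declares `16 || 18`. Put the `engines.node` change (or the decision to hold the bump until Node 16 support is dropped) in this same change, so the mismatch is caught by the engines check at install time and by the CI Node matrix, rather than on the first credential request in production.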

@augmentcode augmentcode Bot Apr 15, 2026


@azure/identity v4 has an upstream breaking change of requiring Node.js >= 18; this repo still declares engines.node as 16 || 18, so Node 16 installs/runs are likely to fail once this is merged.

Severity: high

Other Locations
  • plugins/azure-sites-backend/package.json:37
  • plugins/catalog-backend-module-msgraph/package.json:48
  • plugins/kubernetes-backend/package.json:55
  • plugins/techdocs-node/package.json:47

Fix This in Augment

🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.
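The two findings that the Entelligence and Augment reviews above leave open (a caret range whose floor sits below the patched release, and an `engines.node` field that still admits Node 16) are both mechanical enough to gate in CI. The script below is an added example, not code from this PR, from Renovate, from either review bot, or from the Backstage project: it audits one package.json plus the root yarn.lock for an @azure/identity security bump. The patched version `4.2.1` and the Node `>= 18` floor are assumptions supplied as constants rather than read from the advisory, and the package.json and yarn.lock text at the bottom is constructed to mirror the state this PR leaves the repo in.

```javascript
// Added example, not code from this PR, Renovate, Augment, Entelligence or Backstage.
// Pre-merge audit for a security bump of @azure/identity in a yarn v1 monorepo:
// (1) the declared range's floor, (2) the yarn.lock resolution, and (3) engines.node
// are each checked against assumed constants (FIXED, MIN_NODE_MAJOR), not the advisory.

const PKG = "@azure/identity";
const FIXED = "4.2.1"; // assumption: first patched release for CVE-2024-35255
const MIN_NODE_MAJOR = 18; // assumption: runtime floor of @azure/identity v4

// "4.13.1" -> [4, 13, 1]; prerelease and build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Lowest version a simple range admits ("^4.0.0", "~4.0.0", ">=4.2.1", "4.2.1").
// Unions, upper bounds and x-wildcards are rejected rather than guessed at.
function rangeFloor(range) {
  const m = /^(?:\^|~|>=)?(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  return m[1];
}

// Lowest Node major an engines.node string admits: "16 || 18" -> 16, ">=18" -> 18.
function minNodeMajor(engines) {
  return Math.min(...engines.split("||").map((clause) => {
    const m = /(\d+)/.exec(clause);
    if (!m) throw new Error(`unsupported engines.node clause: ${clause}`);
    return Number(m[1]);
  }));
}

// Version a yarn.lock (v1 format) resolves `pkg` to. Entries are blank-line separated;
// the header lists the requested ranges and the body carries `version "x.y.z"`.
function lockfileResolved(lockText, pkg) {
  for (const block of lockText.split(/\n\s*\n/)) {
    const [header, ...body] = block.trim().split("\n");
    if (!header.endsWith(":")) continue;
    const keys = header.slice(0, -1).split(",").map((k) => k.trim().replace(/^"|"$/g, ""));
    if (!keys.some((k) => k.startsWith(`${pkg}@`))) continue;
    for (const line of body) {
      const m = /^\s*version "([^"]+)"/.exec(line);
      if (m) return m[1];
    }
  }
  return null;
}

// Findings for one package.json object; an empty list means all three checks passed.
function auditPackage(pkgJson, lockText) {
  const name = pkgJson.name || "<unnamed>";
  const findings = [];
  const range = (pkgJson.dependencies || {})[PKG];
  if (range === undefined) return findings; // this package does not depend on it

  const floor = rangeFloor(range);
  if (compareVersions(floor, FIXED) < 0) {
    findings.push(`${name}: range ${range} admits ${floor}, below patched ${FIXED}`);
  }
  const resolved = lockfileResolved(lockText, PKG);
  if (resolved === null) {
    findings.push(`${name}: ${PKG} has no entry in yarn.lock`);
  } else if (compareVersions(resolved, FIXED) < 0) {
    findings.push(`${name}: yarn.lock resolves ${PKG} to ${resolved}, below patched ${FIXED}`);
  }
  const engines = pkgJson.engines && pkgJson.engines.node;
  if (engines && minNodeMajor(engines) < MIN_NODE_MAJOR) {
    findings.push(`${name}: engines.node "${engines}" admits Node ${minNodeMajor(engines)}, but ${PKG} v4 needs >= ${MIN_NODE_MAJOR}`);
  }
  return findings;
}

// Constructed sample mirroring the PR: range bumped, lockfile at 4.13.1, engines untouched.
const SAMPLE_PACKAGE_JSON = {
  name: "@backstage/plugin-techdocs-node",
  engines: { node: "16 || 18" },
  dependencies: { "@azure/identity": "^4.0.0" },
};
const SAMPLE_YARN_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@azure/identity@^4.0.0":
  version "4.13.1"
  dependencies:
    "@azure/msal-node" "^5.1.0"

"@azure/msal-node@^5.1.0":
  version "5.1.0"
`;

function runSample() {
  return auditPackage(SAMPLE_PACKAGE_JSON, SAMPLE_YARN_LOCK);
}
console.log(runSample());
```

On the constructed sample this reports two findings, the `^4.0.0` floor and the Node 16 engine, while the lockfile check passes because 4.13.1 is above the assumed fix. Against a real checkout, read each workspace's package.json and the root yarn.lock with `fs`, pass them to `auditPackage`, and fail the CI job on a non-empty result; the range parser deliberately rejects unions and upper bounds rather than guessing a floor for them.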


socket-security Bot commented Apr 15, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action | Severity | Alert
Warn | High | License policy violation: npm polished under OFL-1.1

License: OFL-1.1 - The applicable license policy does not permit this license (5) (package/docs/assets/fonts/LICENSE.txt)

From: npm/@storybook/addon-actions@6.5.16 → npm/polished@4.2.2

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/polished@4.2.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn | High | License policy violation: npm typescript under W3C-20150513

License: W3C-20150513 - The applicable license policy does not permit this license (5) (package/ThirdPartyNoticeText.txt)

License: LicenseRef-W3C-Community-Final-Specification-Agreement - The applicable license policy does not permit this license (5) (package/ThirdPartyNoticeText.txt)

License: MIT-Khronos-old - The applicable license policy does not permit this license (5) (package/ThirdPartyNoticeText.txt)

License: CC-BY-4.0 - The applicable license policy does not permit this license (5) (package/ThirdPartyNoticeText.txt)

From: storybook/package.json → npm/typescript@4.7.4

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/typescript@4.7.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report


This PR has been automatically marked as stale because it has not had recent activity from the author. It will be closed if no further activity occurs. If the PR was closed and you want it re-opened, let us know and we'll re-open the PR so that you can continue the contribution!

@github-actions github-actions Bot added the stale label Apr 28, 2026
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate Bot force-pushed the renovate/npm-azure-identity-vulnerability branch from c9979de to 64fb6b9 on April 30, 2026 02:25

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License
Added | react@17.0.2 | 100 | 100 | 78 | 97 | 100
Added | typescript@4.7.4 | 100 | 100 | 100 | 99 | 80
Added | swc-loader@0.2.3 | 100 | 100 | 92 | 81 | 100
Added | storybook-dark-mode@1.1.2 | 99 | 100 | 100 | 83 | 100
Added | react-hot-loader@4.13.1 | 97 | 100 | 100 | 85 | 100
Added | react-dom@17.0.2 | 93 | 100 | 90 | 98 | 100

View full report

@github-actions github-actions Bot removed the stale label Apr 30, 2026

Labels

area:catalog area:techdocs dependencies Pull requests that update a dependency file
