Skip to content

[Snyk] Fix for 1 vulnerabilities #5389

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
q1blue wants to merge 1 commit into from
Closed

[Snyk] Fix for 1 vulnerabilities #5389

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions plugins/catalog-backend-module-incremental-ingestion/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,13 +45,13 @@
"postpack": "backstage-cli package postpack"
},
"dependencies": {
"@backstage/backend-common": "workspace:^",
"@backstage/backend-common": "0.24.1",
Copy link
Copy Markdown

@graphite-app graphite-app Bot Jun 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change replaces the workspace reference (workspace:^) with a fixed version number (0.24.1), which breaks the monorepo's dependency management approach. In Yarn workspaces, internal dependencies should use workspace protocol references to ensure consistent versioning across the project.

Using fixed versions instead of workspace references can lead to:

  • Version mismatches between components
  • Duplicate package installations
  • Potential build failures
  • Difficulties when updating shared dependencies

Consider maintaining the workspace:^ reference while addressing the vulnerability through other means, such as updating the yarn.lock file or using resolutions in the root package.json to pin the vulnerable transitive dependency.

Suggested change
"@backstage/backend-common": "0.24.1",
"@backstage/backend-common": "workspace:^",

Spotted by Diamond

Is this helpful? React 👍 or 👎 to let us know.

"@backstage/backend-plugin-api": "workspace:^",
"@backstage/backend-tasks": "workspace:^",
"@backstage/catalog-model": "workspace:^",
"@backstage/config": "workspace:^",
"@backstage/errors": "workspace:^",
"@backstage/plugin-catalog-backend": "workspace:^",
"@backstage/plugin-catalog-backend": "1.25.0",
"@backstage/plugin-catalog-node": "workspace:^",
"@backstage/plugin-events-node": "workspace:^",
"@backstage/plugin-permission-common": "workspace:^",
Expand Down
Loading