[Snyk] Fix for 1 vulnerabilities by snyk-io[bot] · Pull Request #5408 · https-quantumblockchainai-atlassian-net/backstage

snyk-io · 2025-06-04T08:20:23Z

Snyk has created this PR to fix 1 vulnerabilities in the yarn dependencies of this project.

Snyk changed the following file(s):

packages/techdocs-cli-embedded-app/package.json

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory.
If you are not using zero-install you can ignore this as your flow should likely be unchanged.

⚠️

Warning

Failed to update the yarn.lock, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Improper Link Resolution Before File Access ('Link Following') SNYK-JS-TARFS-10293725	721

Important

Check the changes in this PR to ensure they won't cause issues with your project.
Max score is 1000. Note that the real score may have changed since the PR was raised.
This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Improper Link Resolution Before File Access ('Link Following')

Summary by Sourcery

Upgrade backstage dependencies in techdocs-cli-embedded-app to released versions to fix a high severity tar-fs vulnerability.

Bug Fixes:

Address SNYK-JS-TARFS-10293725 (Improper Link Resolution Before File Access) vulnerability by updating dependency versions

Enhancements:

Pin @backstage/core-components to v0.1.0, @backstage/integration-react to v0.1.1, and @backstage/plugin-techdocs to v0.1.1 in package.json

…abilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-TARFS-10293725

codesandbox · 2025-06-04T08:20:27Z

Review or Edit in CodeSandbox

Open the branch in Web Editor • VS Code • Insiders

Open Preview

sourcery-ai · 2025-06-04T08:20:28Z

Reviewer's Guide

This PR pins three Backstage dependencies in the embedded TechDocs CLI app from workspace ranges to fixed versions to resolve a high-severity path traversal vulnerability in tar-fs.

File-Level Changes

Change	Details	Files
Dependencies pinned to fixed versions	Replaced workspace:^ for @backstage/core-components with version 0.1.0 Replaced workspace:^ for @backstage/integration-react with version 0.1.1 Replaced workspace:^ for @backstage/plugin-techdocs with version 0.1.1	`packages/techdocs-cli-embedded-app/package.json`

Tips and commands

Interacting with Sourcery

Trigger a new review: Comment @sourcery-ai review on the pull request.
Continue discussions: Reply directly to Sourcery's review comments.
Generate a GitHub issue from a review comment: Ask Sourcery to create an
issue from a review comment by replying to it. You can also reply to a
review comment with @sourcery-ai issue to create an issue from it.
Generate a pull request title: Write @sourcery-ai anywhere in the pull
request title to generate a title at any time. You can also comment
@sourcery-ai title on the pull request to (re-)generate the title at any time.
Generate a pull request summary: Write @sourcery-ai summary anywhere in
the pull request body to generate a PR summary at any time exactly where you
want it. You can also comment @sourcery-ai summary on the pull request to
(re-)generate the summary at any time.
Generate reviewer's guide: Comment @sourcery-ai guide on the pull
request to (re-)generate the reviewer's guide at any time.
Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
pull request to resolve all Sourcery comments. Useful if you've already
addressed all the comments and don't want to see them anymore.
Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
request to dismiss all existing Sourcery reviews. Especially useful if you
want to start fresh with a new review - don't forget to comment
@sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

Enable or disable review features such as the Sourcery-generated pull request
summary, the reviewer's guide, and others.
Change the review language.
Add, remove or edit custom review instructions.
Adjust other review settings.

Getting Help

Contact our support team for questions or feedback.
Visit our documentation for detailed guides and information.
Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

snyk-io · 2025-06-04T08:20:37Z

⛔ Snyk checks have failed. 2 issues have been found so far.

Icon	Severity	Issues
	Critical	0
	High	0
	Medium	2
	Low	0

⛔ security/snyk check is complete. 2 issues have been found. (View Details)

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

socket-security · 2025-06-04T08:21:31Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@types/uuid@8.3.4
	@types/humanize-duration@3.27.4
	@types/git-url-parse@9.0.3
	humanize-duration@3.32.2
	@backstage/core-components@0.0.0-use.local
	@backstage/theme@0.0.0-use.local
	@backstage/integration-react@0.0.0-use.local
	@backstage/plugin-catalog-react@0.0.0-use.local
	@backstage/catalog-client@0.0.0-use.local
	@backstage/catalog-model@0.0.0-use.local
	@backstage/config@0.0.0-use.local
	@backstage/core-plugin-api@0.0.0-use.local
	@backstage/integration@0.0.0-use.local
	@backstage/plugin-permission-common@0.0.0-use.local
	@backstage/plugin-permission-react@0.0.0-use.local
	@backstage/plugin-search-common@0.0.0-use.local
	@backstage/types@0.0.0-use.local
	@backstage/version-bridge@0.0.0-use.local
	@backstage/app-defaults@0.0.0-use.local
See 26 more rows in the dashboard

View full report

socket-security · 2025-06-04T08:21:32Z

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert (click for details)
Warn		`tree-sitter@=0.22.1` has a License Policy Violation. License: Unicode-3.0 (package/vendor/tree-sitter/lib/src/unicode/LICENSE) From: `?` → `npm/tree-sitter@=0.22.1` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/tree-sitter@=0.22.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

graphite-app · 2025-06-04T08:21:41Z

+    "@backstage/core-components": "0.1.0",
    "@backstage/core-plugin-api": "workspace:^",
-    "@backstage/integration-react": "workspace:^",
+    "@backstage/integration-react": "0.1.1",
    "@backstage/plugin-catalog": "workspace:^",
-    "@backstage/plugin-techdocs": "workspace:^",
+    "@backstage/plugin-techdocs": "0.1.1",


This change introduces dependency management inconsistency by replacing workspace:^ references with fixed, outdated versions (0.1.0, 0.1.1). In a monorepo, mixing workspace references with pinned versions disrupts the dependency resolution system and can create compatibility issues with other packages that continue using workspace references.

The warning in the PR description ("Failed to update the yarn.lock") further indicates that this approach may not properly resolve the security vulnerability.

A more appropriate solution would be to maintain the workspace:^ references while updating the vulnerable dependencies at their source within the monorepo. This preserves the integrity of the workspace dependency model while addressing the security concern.

Suggested change

"@backstage/core-components": "0.1.0",

"@backstage/core-plugin-api": "workspace:^",

"@backstage/integration-react": "workspace:^",

"@backstage/integration-react": "0.1.1",

"@backstage/plugin-catalog": "workspace:^",

"@backstage/plugin-techdocs": "workspace:^",

"@backstage/plugin-techdocs": "0.1.1",

"@backstage/core-components": "workspace:^",

"@backstage/core-plugin-api": "workspace:^",

"@backstage/integration-react": "workspace:^",

"@backstage/plugin-catalog": "workspace:^",

"@backstage/plugin-techdocs": "workspace:^",

Spotted by Diamond

Is this helpful? React 👍 or 👎 to let us know.

github-actions · 2025-06-11T08:22:51Z

This PR has been automatically marked as stale because it has not had recent activity from the author. It will be closed if no further activity occurs. If the PR was closed and you want it re-opened, let us know and we'll re-open the PR so that you can continue the contribution!

fix: packages/techdocs-cli-embedded-app/package.json to reduce vulner…

796956a

…abilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-TARFS-10293725

github-actions Bot added the area:techdocs label Jun 4, 2025

graphite-app Bot reviewed Jun 4, 2025

View reviewed changes

github-actions Bot added the stale label Jun 11, 2025

github-actions Bot closed this Jun 18, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk] Fix for 1 vulnerabilities#5408

[Snyk] Fix for 1 vulnerabilities#5408
snyk-io[bot] wants to merge 1 commit intomasterfrom
snyk-fix-dd738d269f5cdd06ba0c91743af614a2

snyk-io Bot commented Jun 4, 2025 •

edited by sourcery-ai Bot

Loading

Uh oh!

codesandbox Bot commented Jun 4, 2025

Uh oh!

sourcery-ai Bot commented Jun 4, 2025 •

edited

Loading

Interacting with Sourcery

Customizing Your Experience

Getting Help

Uh oh!

snyk-io Bot commented Jun 4, 2025

Uh oh!

socket-security Bot commented Jun 4, 2025

Uh oh!

socket-security Bot commented Jun 4, 2025

Uh oh!

graphite-app Bot Jun 4, 2025

Uh oh!

github-actions Bot commented Jun 11, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

snyk-io Bot commented Jun 4, 2025 • edited by sourcery-ai Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Snyk has created this PR to fix 1 vulnerabilities in the yarn dependencies of this project.

Snyk changed the following file(s):

Note for zero-installs users

Vulnerabilities that will be fixed with an upgrade:

Summary by Sourcery

Uh oh!

codesandbox Bot commented Jun 4, 2025

Review or Edit in CodeSandbox

Uh oh!

sourcery-ai Bot commented Jun 4, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Reviewer's Guide

File-Level Changes

Interacting with Sourcery

Customizing Your Experience

Getting Help

Uh oh!

snyk-io Bot commented Jun 4, 2025

⛔ Snyk checks have failed. 2 issues have been found so far.

Uh oh!

socket-security Bot commented Jun 4, 2025

Uh oh!

socket-security Bot commented Jun 4, 2025

Uh oh!

graphite-app Bot Jun 4, 2025

Choose a reason for hiding this comment

Uh oh!

github-actions Bot commented Jun 11, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

snyk-io Bot commented Jun 4, 2025 •

edited by sourcery-ai Bot

Loading

sourcery-ai Bot commented Jun 4, 2025 •

edited

Loading