[Snyk] Fix for 2 vulnerabilities#5633
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-WEBPACKDEVSERVER-10300775 - https://snyk.io/vuln/SNYK-JS-WEBPACKDEVSERVER-10300777
Review or Edit in CodeSandboxOpen the branch in Web Editor • VS Code • Insiders |
Reviewer's GuideThis PR replaces workspace-based version ranges for two Backstage packages with explicit fixed versions to resolve Snyk-reported vulnerabilities, and notes that a manual lockfile update is required prior to merging. File-Level Changes
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
🎉 Snyk checks have passed. No issues have been found so far.✅ security/snyk check is complete. No issues have been found. (View Details) |
![graphite-app[bot]](https://avatars.githubusercontent.com/in/158384?s=60&v=4){kind=small}
| "@backstage/plugin-scaffolder-common": "0.1.0", | ||
| "@backstage/types": "0.1.1", |
There was a problem hiding this comment.
This change replaces workspace references (workspace:^) with fixed versions, which breaks the monorepo's local development setup. In a workspace-based project, these references ensure packages use local development versions rather than published npm packages.
The warning about failing to update yarn.lock further indicates potential dependency resolution problems.
Recommendation:
- Retain the original
workspace:^references - If security fixes are needed, update the vulnerable dependencies within the workspace
- Ensure
yarn.lockis properly updated before merging
This approach maintains the integrity of the monorepo while addressing the security vulnerabilities in webpack-dev-server.
| "@backstage/plugin-scaffolder-common": "0.1.0", | |
| "@backstage/types": "0.1.1", | |
| "@backstage/plugin-scaffolder-common": "workspace:^", | |
| "@backstage/types": "workspace:^", |
Spotted by Diamond
Is this helpful? React 👍 or 👎 to let us know.
|
This PR has been automatically marked as stale because it has not had recent activity from the author. It will be closed if no further activity occurs. If the PR was closed and you want it re-opened, let us know and we'll re-open the PR so that you can continue the contribution! |
Snyk has created this PR to fix 2 vulnerabilities in the yarn dependencies of this project.
Snyk changed the following file(s):
plugins/scaffolder-node/package.jsonNote for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the
.yarn/cache/directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to runyarnto update the contents of the./yarn/cachedirectory.If you are not using zero-install you can ignore this as your flow should likely be unchanged.
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-WEBPACKDEVSERVER-10300775
SNYK-JS-WEBPACKDEVSERVER-10300777
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.
Summary by Sourcery
Upgrade dependencies in the scaffolder-node plugin to resolve two vulnerabilities in webpack-dev-server
Bug Fixes: