Commit 1a1d7c0
fix(deps): upgrade backstage packages to fix CVE-2026-24046
Upgrades @backstage/backend-defaults (0.13.1 -> 0.13.2) and
@backstage/plugin-scaffolder-node (0.12.1 -> 0.12.3) to address
symlink path traversal in Scaffolder actions (GHSA-rq6q-wr2q-7pgp).
Also removes the redundant patch for @backstage/plugin-scaffolder-backend
3.0.2, which is already the official fix version.
Replaces the previous yarn patch-based mitigation with the official
fix versions. Lockfile changes were applied using yarn-lockfile-surgeon
to minimize transitive dependency impact.

1 parent 369c7df commit 1a1d7c0
13 files changed
Lines changed: 383 additions & 955 deletions
File tree
- .yarn/patches
- dynamic-plugins
- .yarn/patches
- packages/backend
- plugins
- dynamic-plugins-info-backend
- licensed-users-info-backend
- scalprum-backend
Lines changed: 0 additions & 280 deletions
This file was deleted.
Lines changed: 0 additions & 9 deletions
This file was deleted.