
fix(deps): [release-1.9] upgrade backstage packages to fix CVE-2026-24046#4641

Open
jonkoops wants to merge 1 commit into redhat-developer:release-1.9 from jonkoops:cve-2026-24046-1.9

Conversation

@jonkoops
Contributor

Upgrades Backstage packages to their closest patched versions to address CVE-2026-24046 (GHSA-rq6q-wr2q-7pgp), a symlink path traversal vulnerability in Scaffolder actions.

Package                               Old                     New
@backstage/backend-defaults           0.13.1                  0.13.2
@backstage/plugin-scaffolder-backend  3.0.2 (patch removed)   3.0.2 (official fix)
@backstage/plugin-scaffolder-node     0.12.1                  0.12.3

@backstage/plugin-scaffolder-backend@3.0.2 is already the official fix version per the advisory, so the redundant yarn patch was simply removed.

Replaces the previous yarn patch-based mitigation with the official fix versions. Lockfile changes were applied using yarn-lockfile-surgeon (#4638) to resolve transitive dependencies to their minimum satisfying versions, keeping the diff minimal.
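An added lockfile audit (example code written for this page, not part of the PR or of the Backstage/RHDH projects): it parses a constructed Yarn Berry lockfile snippet and reports every resolved version of the three affected packages that is below the "New" version in the table above. The package names and version floors come from that table; the sample lockfile contents and the helper names are assumptions, and a prerelease of the fix version (e.g. 0.13.2-next.0) is treated as still below the fix.

```python
import re

# Minimum fixed versions, taken from the PR's package table (assumed to be the floor).
MIN_FIXED = {
    "@backstage/backend-defaults": "0.13.2",
    "@backstage/plugin-scaffolder-backend": "3.0.2",
    "@backstage/plugin-scaffolder-node": "0.12.3",
}

# Constructed sample in Yarn Berry lockfile layout; not the PR's real yarn.lock.
SAMPLE_LOCK = """\
__metadata:
  version: 8

"@backstage/backend-defaults@npm:^0.13.1":
  version: 0.13.1
  resolution: "@backstage/backend-defaults@npm:0.13.1"
  linkType: hard

"@backstage/plugin-scaffolder-node@npm:^0.12.1, @backstage/plugin-scaffolder-node@npm:^0.12.3":
  version: 0.12.3
  resolution: "@backstage/plugin-scaffolder-node@npm:0.12.3"
  linkType: hard

"@backstage/plugin-scaffolder-backend@npm:^3.0.0":
  version: 3.0.2
  resolution: "@backstage/plugin-scaffolder-backend@npm:3.0.2"
  linkType: hard
"""

def parse_lock(text):
    """Map each package name to the set of concrete versions the lockfile resolves for it."""
    resolved, name = {}, None
    for line in text.splitlines():
        if line and not line.startswith(" ") and line.rstrip().endswith(":"):
            # Entry header, e.g. "@scope/pkg@npm:^1.0.0, @scope/pkg@npm:^1.2.0":
            first = line.strip().strip('":').split(",")[0].strip()
            name = None if first.startswith("__") else first.rsplit("@npm:", 1)[0]
        elif name and line.strip().startswith("version:"):
            resolved.setdefault(name, set()).add(line.split(":", 1)[1].strip())
    return resolved

def semver_key(v):
    """Sortable key: numeric core, with a prerelease ranking below the plain release."""
    core, _, pre = v.partition("-")
    return tuple(int(p) for p in core.split(".")), (0 if pre else 1)

def audit(text, minimums=MIN_FIXED):
    """Return {package: [versions still below the fix]} for every affected package in the lockfile."""
    resolved, findings = parse_lock(text), {}
    for pkg, floor in minimums.items():
        bad = sorted(v for v in resolved.get(pkg, ()) if semver_key(v) < semver_key(floor))
        if bad:
            findings[pkg] = bad
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_LOCK))  # {'@backstage/backend-defaults': ['0.13.1']}
```

Running it against a real yarn.lock (read the file and pass its text to audit) gives an empty dict once every resolved version of the three packages is at or above the fix.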

@github-actions
Contributor

The container image build workflow finished with status: cancelled.

@github-actions
Contributor

The container image build workflow finished with status: failure.

Upgrades @backstage/backend-defaults (0.13.1 -> 0.13.2) and
@backstage/plugin-scaffolder-node (0.12.1 -> 0.12.3) to address
symlink path traversal in Scaffolder actions (GHSA-rq6q-wr2q-7pgp).

Also removes the redundant patch for @backstage/plugin-scaffolder-backend
3.0.2, which is already the official fix version.

Replaces the previous yarn patch-based mitigation with the official
fix versions. Lockfile changes were applied using yarn-lockfile-surgeon
to minimize transitive dependency impact.
@jonkoops jonkoops force-pushed the cve-2026-24046-1.9 branch from ab3a7ff to 1a1d7c0 on April 20, 2026 12:55

@github-actions
Contributor

Image was built and published successfully. It is available at:

Comment thread on yarn.lock
linkType: hard

"@backstage/backend-plugin-api@npm:^1.6.1, @backstage/backend-plugin-api@npm:^1.9.0":
version: 1.9.0
Member


We have to lock this version down to 1.5.0 in RHDH 1.9 due to breaking changes. See comment

We also introduced a patch for @backstage/backend-plugin-api in this PR, so we should try to resolve it to that patch version.
