chore(deps): [release-1.8] upgrade backstage packages to tar v7 #4643

Draft
jonkoops wants to merge 2 commits into redhat-developer:release-1.8 from jonkoops:tar-v7

Conversation

@jonkoops (Contributor):

Upgrades @backstage/backend-defaults (0.12.2 -> 0.12.3), @backstage/plugin-scaffolder-backend (2.2.2 -> 2.2.3), and @backstage/plugin-scaffolder-node (0.11.2 -> 0.11.3) to replace the deprecated tar v6 with tar v7.

Backports backstage/backstage#32471 via backstage/backstage#33902.

Depends on #4640.

Upgrades @backstage/backend-defaults (0.12.0 -> 0.12.2),
@backstage/plugin-scaffolder-backend (2.2.0 -> 2.2.2), and
@backstage/plugin-scaffolder-node (0.11.0 -> 0.11.2) to address
symlink path traversal in Scaffolder actions (GHSA-rq6q-wr2q-7pgp).

Replaces the previous yarn patch-based mitigation with the official
fix versions. Lockfile changes were applied using yarn-lockfile-surgeon
to minimize transitive dependency impact.

Upgrades @backstage/backend-defaults (0.12.2 -> 0.12.3),
@backstage/plugin-scaffolder-backend (2.2.2 -> 2.2.3), and
@backstage/plugin-scaffolder-node (0.11.2 -> 0.11.3) to replace
the deprecated tar v6 with tar v7.

Backports backstage/backstage#33902.
@openshift-ci openshift-ci Bot requested review from josephca and zdrapela April 20, 2026 13:06

rhdh-qodo-merge Bot commented Apr 20, 2026

Code Review by Qodo

🐞 Bugs (2) 📘 Rule violations (0) 📎 Requirement gaps (0)



Action required

1. Stale dynamic-plugins lockfile 🐞 Bug ☼ Reliability
Description
The dynamic-plugins workspace is still pinned to @backstage/plugin-scaffolder-node@0.11.2 which
depends on tar@^6.1.12, so installing/building dynamic plugins continues to pull tar v6 despite this
PR’s intent to move to tar v7. This is caused by not updating dynamic-plugins/yarn.lock to pick up
@backstage/plugin-scaffolder-node@0.11.3 (which depends on tar@^7.4.3).
Code

dynamic-plugins/package.json[R34-39]

    "@backstage/plugin-auth-node": "0.6.6",
    "@backstage/plugin-home@^0.8.11": "patch:@backstage/plugin-home@npm%3A0.8.12#./.yarn/patches/@backstage-plugin-home-npm-0.8.12-0d7fbcc764.patch",
    "@backstage/plugin-techdocs@1.14.1": "patch:@backstage/plugin-techdocs@npm%3A1.14.1#./.yarn/patches/@backstage-plugin-techdocs-npm-1.14.1-c83e1ea3d7.patch",
-    "@backstage/backend-defaults": "patch:@backstage/backend-defaults@npm%3A0.12.0#./.yarn/patches/@backstage-backend-defaults-npm-0.12.0-ef8b4e5984.patch",
-    "@backstage/plugin-scaffolder-node": "patch:@backstage/plugin-scaffolder-node@npm%3A0.11.0#./.yarn/patches/@backstage-plugin-scaffolder-node-npm-0.11.0-2e81f51535.patch",
    "@backstage/cli-common@^0.1.15": "patch:@backstage/cli-common@npm%3A0.1.15#./.yarn/patches/@backstage-cli-common-npm-0.1.15-7e1948f753.patch",
    "@backstage/backend-plugin-api": "patch:@backstage/backend-plugin-api@npm%3A1.4.3#./.yarn/patches/@backstage-backend-plugin-api-npm-1.4.3-b7f08217ef.patch",
    "@backstage/plugin-permission-node": "0.10.4",
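Review bot: Removing the two `patch:` resolutions for @backstage/backend-defaults@npm:0.12.0 and @backstage/plugin-scaffolder-node@npm:0.11.0 is only half of the change for this workspace: nothing in the hunk moves what dynamic-plugins/yarn.lock resolves, and the Evidence section below shows that lockfile still resolving @backstage/plugin-scaffolder-node to 0.11.2 with `tar ^6.1.12`. Regenerate and commit dynamic-plugins/yarn.lock in the same change so the patch removal and the move to 0.11.3 (tar ^7.4.3) land together; otherwise the dynamic-plugins build keeps installing tar v6, which is exactly what the PR sets out to remove. Since dynamic-plugins/.yarn/patches/@backstage-plugin-scaffolder-backend-npm-2.2.0-487419bad1.patch is also deleted in this PR but this hunk only covers lines 34-39, it is worth confirming that no other `patch:` line in this file still points at that deleted file.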
Evidence
dynamic-plugins/yarn.lock currently resolves @backstage/plugin-scaffolder-node to 0.11.2 and shows
it depending on tar ^6.1.12, while the repo root yarn.lock resolves
@backstage/plugin-scaffolder-node to 0.11.3 and shows it depending on tar ^7.4.3. This demonstrates
that the dynamic-plugins workspace did not receive the tar v7 migration and will keep installing tar
v6 until its lockfile is regenerated.

dynamic-plugins/yarn.lock[5918-5938]
yarn.lock[5260-5280]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The `dynamic-plugins` workspace is still locked to `@backstage/plugin-scaffolder-node@0.11.2` (pulling `tar@^6.1.12`), so it does not actually move to `tar@v7`.

### Issue Context
This PR removes/adjusts dependency pinning in `dynamic-plugins/package.json`, but the workspace lockfile still pins the older resolved versions.

### Fix Focus Areas
- dynamic-plugins/yarn.lock[5918-5938]
- dynamic-plugins/package.json[29-47]

### Expected fix
- Re-run `yarn install` (or the repo’s documented install command) within `dynamic-plugins/` so that `dynamic-plugins/yarn.lock` updates to `@backstage/plugin-scaffolder-node@0.11.3` (and therefore `tar@^7.x`).
- Commit the updated `dynamic-plugins/yarn.lock`.



2. Accidental submodule pointer 🐞 Bug ⚙ Maintainability
Description
The PR adds e2e-tests/.local-test/rhdh containing a Subproject commit ... line, which is the
on-disk representation of a git submodule pointer. If this isn’t intentionally adding a submodule,
it will confuse checkouts/CI and should be removed (or properly configured as a real submodule).
Code

e2e-tests/.local-test/rhdh[1]

+Subproject commit bcb94986c5fa0405c377f4736f067ba5c6bab04e
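Review bot: This is a new gitlink, not an update of an existing one (the file change list reports e2e-tests/.local-test/rhdh as +1/-0), and no .gitmodules change appears anywhere in the PR's file list, so git would carry a mode 160000 entry with no URL to fetch it from; a fresh clone or a CI checkout with `--recurse-submodules` cannot resolve commit bcb94986c5fa0405c377f4736f067ba5c6bab04e. Either drop e2e-tests/.local-test/rhdh from the commit (and ignore the .local-test directory if it is a scratch checkout) or add a proper `[submodule]` entry with a path and url.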
Evidence
The added file content matches the standard git submodule pointer format (`Subproject commit <sha>`), indicating a gitlink/submodule-style entry was introduced under `e2e-tests/.local-test`.

e2e-tests/.local-test/rhdh[1-1]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
A git-submodule-style pointer file was added at `e2e-tests/.local-test/rhdh`.

### Issue Context
This looks like a local testing artifact (path includes `.local-test`) and is unrelated to the dependency bump goal.

### Fix Focus Areas
- e2e-tests/.local-test/rhdh[1-1]

### Expected fix
- If unintentional: remove `e2e-tests/.local-test/rhdh` from the PR.
- If intentional: add proper submodule configuration (e.g., `.gitmodules`) and ensure CI initializes/updates the submodule accordingly.




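The stale-lockfile finding above comes down to one question per workspace: which packages in this yarn.lock still declare a tar v6 range? The following script is an added example, not code from this PR, from RHDH or from Backstage. It parses the subset of the Yarn Berry yarn.lock format needed to answer that (entry descriptors, `version`, `resolution` and the `dependencies:` block) and reports every resolved package whose `tar` range is still on major 6. The two embedded lockfile fragments are constructed from the versions quoted in the review (0.11.2 with `tar ^6.1.12` versus 0.11.3 with `tar ^7.4.3`); they are not copied from the repository, and the tar patch versions in them are placeholders.

```javascript
// Added example (not the PR's or the project's code): scan a Yarn Berry lockfile
// for packages that still depend on tar v6. Run it against both the root
// yarn.lock and dynamic-plugins/yarn.lock after an upgrade like this one.

// Constructed sample: the stale state the review describes (0.11.2 -> tar ^6.1.12).
// Version numbers for tar itself are placeholders, not real release data.
const STALE_LOCK = `
"@backstage/plugin-scaffolder-node@npm:0.11.2":
  version: 0.11.2
  resolution: "@backstage/plugin-scaffolder-node@npm:0.11.2"
  dependencies:
    "@backstage/backend-plugin-api": "npm:^1.4.3"
    tar: "npm:^6.1.12"
  languageName: node
  linkType: hard

"tar@npm:^6.1.12":
  version: 6.2.1
  resolution: "tar@npm:6.2.1"
  languageName: node
  linkType: hard
`;

// Constructed sample: the intended state (0.11.3 -> tar ^7.4.3).
const FIXED_LOCK = STALE_LOCK
  .replace(/0\.11\.2/g, '0.11.3')
  .replace(/\^6\.1\.12/g, '^7.4.3')
  .replace('version: 6.2.1', 'version: 7.4.3')
  .replace('tar@npm:6.2.1', 'tar@npm:7.4.3');

function unquote(s) {
  return s.startsWith('"') && s.endsWith('"') ? s.slice(1, -1) : s;
}

// Parse only what is needed: top-level descriptor keys, resolution, version,
// and the entries of each `dependencies:` block (4-space indent).
function parseLockfile(text) {
  const entries = [];
  let current = null;
  let inDeps = false;
  for (const raw of text.split('\n')) {
    if (raw.trim() === '' || raw.startsWith('#')) continue;
    const indent = raw.length - raw.trimStart().length;
    const line = raw.trim();
    if (indent === 0 && line.endsWith(':')) {
      // One entry may carry several descriptors: "a@npm:^1.0.0, a@npm:^1.2.0":
      const descriptors = unquote(line.slice(0, -1)).split(', ');
      current = { descriptors, version: null, resolution: null, dependencies: {} };
      entries.push(current);
      inDeps = false;
    } else if (indent === 2 && current) {
      inDeps = line === 'dependencies:';
      if (line.startsWith('version: ')) current.version = unquote(line.slice(9));
      if (line.startsWith('resolution: ')) current.resolution = unquote(line.slice(12));
    } else if (indent === 4 && current && inDeps) {
      const sep = line.indexOf(': ');
      current.dependencies[unquote(line.slice(0, sep))] = unquote(line.slice(sep + 2));
    }
  }
  return entries;
}

// Major version of a range such as "npm:^6.1.12"; null when not semver-like.
function majorOf(range) {
  const m = /(\d+)\.\d+\.\d+/.exec(range);
  return m ? Number(m[1]) : null;
}

// Every resolved package whose declared `tar` range is still on major 6.
function findTarV6Dependents(lockfileText) {
  return parseLockfile(lockfileText)
    .filter((e) => e.dependencies.tar !== undefined && majorOf(e.dependencies.tar) === 6)
    .map((e) => ({ package: e.resolution, tar: e.dependencies.tar }))
    .sort((a, b) => a.package.localeCompare(b.package));
}

// Version that a package name resolves to (first matching entry), or null.
function resolvedVersion(lockfileText, name) {
  const hit = parseLockfile(lockfileText).find((e) =>
    e.descriptors.some((d) => d.startsWith(name + '@')));
  return hit ? hit.version : null;
}

// Usage: node check-tar.js dynamic-plugins/yarn.lock   (exit code 1 if tar v6 remains)
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  const offenders = findTarV6Dependents(require('fs').readFileSync(process.argv[2], 'utf8'));
  for (const o of offenders) console.log(`${o.package} -> tar ${o.tar}`);
  process.exitCode = offenders.length ? 1 : 0;
}
```

Run it once per workspace lockfile; a clean exit on the root yarn.lock and a non-zero exit on dynamic-plugins/yarn.lock is precisely the mismatch the review describes.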
@github-actions (Contributor):

The container image build workflow finished with status: failure.

@jonkoops jonkoops marked this pull request as draft April 20, 2026 13:08
@rhdh-qodo-merge

Review Summary by Qodo

Upgrade Backstage packages to tar v7 and fix CVE-2026-24046

✨ Enhancement 🐞 Bug fix


Walkthroughs

Description
• Upgrade Backstage packages to tar v7 (0.12.3, 2.2.3, 0.11.3)
• Replace deprecated tar v6 with tar v7 across backend packages
• Address symlink path traversal CVE-2026-24046 in Scaffolder
• Update submodule reference for e2e-tests local test environment
Diagram
flowchart LR
  A["Backstage Packages v0.12.0/2.2.0"] -- "Upgrade to v0.12.3/2.2.3" --> B["Tar v7 Support"]
  A -- "Fix CVE-2026-24046" --> C["Symlink Path Traversal Fix"]
  B --> D["Updated Dependencies"]
  C --> D
  E["e2e-tests Submodule"] -- "Update Reference" --> F["Latest Test Environment"]


File Changes

1. packages/backend/package.json (Dependencies, +2/-2): Upgrade Backstage backend packages to v0.12.3 and v2.2.3
2. plugins/licensed-users-info-backend/package.json (Dependencies, +1/-1): Upgrade backend-defaults to v0.12.3
3. plugins/dynamic-plugins-info-backend/package.json (Dependencies, +1/-1): Upgrade backend-defaults to v0.12.3
4. plugins/scalprum-backend/package.json (Dependencies, +1/-1): Upgrade backend-defaults to v0.12.3
5. e2e-tests/.local-test/rhdh (Configuration changes, +1/-0): Update submodule commit reference
6. .yarn/patches/@backstage-backend-defaults-npm-0.12.0-ef8b4e5984.patch (Additional files, +0/-67): ...
7. .yarn/patches/@backstage-plugin-scaffolder-backend-npm-2.2.0-487419bad1.patch (Additional files, +0/-82): ...
8. .yarn/patches/@backstage-plugin-scaffolder-node-npm-0.11.0-2e81f51535.patch (Additional files, +0/-22): ...
9. dynamic-plugins/.yarn/patches/@backstage-backend-defaults-npm-0.12.0-ef8b4e5984.patch (Additional files, +0/-67): ...
10. dynamic-plugins/.yarn/patches/@backstage-plugin-scaffolder-backend-npm-2.2.0-487419bad1.patch (Additional files, +0/-82): ...
11. dynamic-plugins/.yarn/patches/@backstage-plugin-scaffolder-node-npm-0.11.0-2e81f51535.patch (Additional files, +0/-22): ...
12. dynamic-plugins/package.json (Additional files, +0/-2): ...
13. package.json (Additional files, +0/-4): ...


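Both reviews above treat e2e-tests/.local-test/rhdh as a submodule pointer, and the file change list shows it as a brand-new entry with no accompanying .gitmodules change. The check below is an added example, not code from this PR or from the project: it reads the output of `git ls-files -s` and the text of .gitmodules and reports every gitlink (mode 160000, the index form of a `Subproject commit <sha>` file) that has no declared `path =`. The sample index listing and .gitmodules are constructed around the path and commit quoted in the review; the other paths, hashes and URL in them are placeholders.

```javascript
// Added example (not the PR's or the project's code): find gitlinks that
// .gitmodules does not declare, i.e. submodule pointers git cannot fetch.

// Constructed sample `git ls-files -s` output: "<mode> <sha> <stage>\t<path>".
// The rhdh line uses the path and commit from the review; the rest are placeholders.
const SAMPLE_LS_FILES = [
  '100644 ' + 'a'.repeat(40) + ' 0\tpackage.json',
  '160000 bcb94986c5fa0405c377f4736f067ba5c6bab04e 0\te2e-tests/.local-test/rhdh',
  '160000 ' + 'b'.repeat(40) + ' 0\tvendor/declared-module',
].join('\n');

// Constructed sample .gitmodules declaring only one of the two gitlinks.
const SAMPLE_GITMODULES = `
[submodule "declared-module"]
\tpath = vendor/declared-module
\turl = https://example.invalid/declared-module.git
`;

// Parse `git ls-files -s` lines into { mode, sha, path } records.
function parseLsFiles(text) {
  return text.split('\n').filter(Boolean).map((line) => {
    const tab = line.indexOf('\t');
    const [mode, sha] = line.slice(0, tab).split(' ');
    return { mode, sha, path: line.slice(tab + 1) };
  });
}

// Every `path = ...` value declared in .gitmodules (empty set if the file is absent).
function declaredSubmodulePaths(gitmodulesText) {
  const paths = new Set();
  for (const line of gitmodulesText.split('\n')) {
    const m = /^\s*path\s*=\s*(.+?)\s*$/.exec(line);
    if (m) paths.add(m[1]);
  }
  return paths;
}

// Gitlinks (mode 160000) with no matching .gitmodules path.
function findOrphanGitlinks(lsFilesText, gitmodulesText) {
  const declared = declaredSubmodulePaths(gitmodulesText);
  return parseLsFiles(lsFilesText)
    .filter((e) => e.mode === '160000' && !declared.has(e.path))
    .map((e) => ({ path: e.path, commit: e.sha }));
}

// Usage, from the repository root:
//   git ls-files -s > /tmp/index.txt && node check-gitlinks.js /tmp/index.txt .gitmodules
// Exit code 1 when an orphan gitlink is present, which is what a CI gate would key on.
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  const fs = require('fs');
  const ls = fs.readFileSync(process.argv[2], 'utf8');
  const gm = process.argv[3] && fs.existsSync(process.argv[3]) ? fs.readFileSync(process.argv[3], 'utf8') : '';
  const orphans = findOrphanGitlinks(ls, gm);
  for (const o of orphans) console.log(`orphan gitlink: ${o.path} @ ${o.commit}`);
  process.exitCode = orphans.length ? 1 : 0;
}
```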