fix(deps): update dependency @backstage/plugin-scaffolder-backend to v3 [security]#145
renovate[bot] wants to merge 1 commit into
This PR contains the following updates:
@backstage/plugin-scaffolder-backend: ^2.0.0 → ^3.0.0

Backstage has a Possible Symlink Path Traversal in Scaffolder Actions
CVE-2026-24046 / GHSA-rq6q-wr2q-7pgp
Impact
Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could exploit symlinks to:
- debug:log action: by creating a symlink pointing to sensitive files (e.g., /etc/passwd, configuration files, secrets)
- fs:delete action: by creating symlinks pointing outside the workspace

This affects any Backstage deployment where users can create or execute Scaffolder templates.
Patches
This vulnerability is fixed in the following package versions:
- @backstage/backend-defaults version 0.12.2, 0.13.2, 0.14.1, 0.15.0
- @backstage/plugin-scaffolder-backend version 2.2.2, 3.0.2, 3.1.1
- @backstage/plugin-scaffolder-node version 0.11.2, 0.12.3

Users should upgrade to these versions or later.
Workarounds
References
Severity
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
@backstage/plugin-scaffolder-backend Vulnerable to Potential Session Token Exfiltration via Log Redaction Bypass
CVE-2026-29184 / GHSA-8qp7-fhr9-fw53
Impact
A malicious scaffolder template can bypass the log redaction mechanism to exfiltrate secrets provided to a run through task event logs.
The attack requires:
Patches
Patched in
@backstage/plugin-scaffolder-backend version 3.1.4
Workarounds
Resources
Severity
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
backstage/backstage (@backstage/plugin-scaffolder-backend)
v3.1.4 (Compare Source)
Patch Changes
- 4e39e63: Removed unused dependencies

v3.1.3 (Compare Source)
Patch Changes
- 7455dae: Use node prefix on native imports
- 4fc7bf0: Removed unused dependency
- 0ce78b0: Support if conditions inside each loops for scaffolder steps
- 5e3ef57: Added peerModules metadata declaring recommended modules for cross-plugin integrations.
- 8148621: Moved @backstage/backend-defaults from dependencies to devDependencies.
- 1e669cc: Migrate audit events reference docs to http://backstage.io/docs.
- 69d880e: Bump to latest zod to ensure it has the latest features

v3.1.2 (Compare Source)
Patch Changes
- 7455dae: Use node prefix on native imports
- 4fc7bf0: Removed unused dependency
- 1e669cc: Migrate audit events reference docs to http://backstage.io/docs.
- 69d880e: Bump to latest zod to ensure it has the latest features

v3.1.1 (Compare Source)
Patch Changes
- 5012852: Remove unused abort controller in debug:wait action
- c641c14: Wrap some of the action logic with resolveSafeChildPath and improve symlink handling when fetching remote and local files
- 27f9061: REwrite]
- 872eb91: Upgrade zod-to-json-schema to latest version

v3.1.0 (Compare Source)
Minor Changes
- a4cd405: Add defaultEnvironment config to scaffolder to enable more flexible and custom templates. Now it's possible to enable access to default parameters and secrets in templates, improving security and reducing complexity.

Patch Changes
- be5972b: Fixed a bug where config was not passed to NunjucksWorkflowRunner, causing defaultEnvironment to be undefined
- de96a60: chore(deps): bump express from 4.21.2 to 4.22.0
- 2bae83a: Updated isolated-vm to 6.0.1
- 25b560e: Internal change to support new versions of the logform library
- 8f4aded: Fixing OpenAPI definition
- 1226647: Updated dependency esbuild to ^0.27.0.

v3.0.3 (Compare Source)
v3.0.2 (Compare Source)
v3.0.1 (Compare Source)
Patch Changes
- 05f60e1: Refactored constructor parameter properties to explicit property declarations for compatibility with TypeScript's erasableSyntaxOnly setting. This internal refactoring maintains all existing functionality while ensuring TypeScript compilation compatibility.

v3.0.0 (Compare Source)
Major Changes
- 9b81a90: BREAKING - Removing the deprecated types and interfaces, there's no replacement for these types, and hopefully not currently used as they offer no value with the plugin being on the new backend system and no way to consume them. Affected types: CreateWorkerOptions, CurrentClaimedTask, DatabaseTaskStore, DatabaseTaskStoreOptions, TaskManager, TaskStore, TaskStoreCreateTaskOptions, TaskStoreCreateTaskResult, TaskStoreEmitOptions, TaskStoreListEventsOptions, TaskStoreRecoverTaskOptions, TaskStoreShutDownTaskOptions, TaskWorker and TemplateActionRegistry.

Patch Changes
- f222a2e: Fixed distributed actions not being visible in the scaffolder template actions. Depending on the plugin startup order, some of the distributed actions were not being registered correctly, causing them to be invisible in the scaffolder template actions list.
Updated dependencies
v2.2.3 (Compare Source)
v2.2.2 (Compare Source)
v2.2.1 (Compare Source)
Patch Changes
- a57185f: Added support for executing actions from the ActionsRegistry in the scaffolder-backend
- c3405db: Fixed a regression that prevented uploads greater than 100KB. Uploads up to 10MB are supported again.

Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.