update to newer backstage dependencies, to fix zod vulnerability #203

Closed
freben opened this issue Jan 9, 2024 · 3 comments · Fixed by #204
Assignees
Labels
bump-backstage-core Sync dependencies with latest backstage core version

Comments

@freben

freben commented Jan 9, 2024

Feature Suggestion

Hello from the Backstage maintainers! I'd like to give a nudge toward migrating the plugins to a newer version of the Backstage framework, if possible.

Possible Implementation

Migrate the plugins to depending on a newer Backstage version.

Context

backstage/backstage#21777

Old versions of the Backstage framework depended on a zod version range that has since gotten a security report, and there's no fix within that range. Newer Backstage versions do not pull in the vulnerable library. The only remaining dependency in the main Backstage repo that does pull in this library happens to be the score-card plugin at this point.

Thanks for all of your contributions!
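
Added example, not code from this issue, from freben, or from the Backstage project: a scan of a yarn.lock (v1 format) that lists every resolved version of one package and the dependents that pull each version in, which is the check a maintainer wants when deciding whether a plugin still drags in the unfixed zod range described above. The lockfile fragment, its package names and versions, and the `FIXED_VERSION` threshold are constructed placeholders, not values taken from Backstage or from the advisory the issue refers to. On a real checkout `yarn why zod` answers the same question; the script is for automating the check across many repositories or in CI.

```javascript
// Added example (not from this issue or from Backstage): find every resolved version of a
// package in a yarn.lock v1 file and report which dependents pull each version in.

// Constructed yarn.lock fragment for the demo. Names, ranges and versions are illustrative
// placeholders and are not taken from the Backstage repository.
const SAMPLE_LOCK = `
"@backstage/config-loader@^1.0.0":
  version "1.0.0"
  resolved "https://registry.yarnpkg.com/@backstage/config-loader/-/config-loader-1.0.0.tgz"
  dependencies:
    zod "^3.11.6"

"@backstage/plugin-catalog-backend@^1.17.0":
  version "1.17.0"
  dependencies:
    zod "^3.22.4"

zod@^3.11.6:
  version "3.11.6"
  resolved "https://registry.yarnpkg.com/zod/-/zod-3.11.6.tgz"

zod@^3.22.4:
  version "3.22.4"
  resolved "https://registry.yarnpkg.com/zod/-/zod-3.22.4.tgz"
`;

// Split "name@range" at the last "@" so scoped names such as "@backstage/foo@^1.0.0" work.
function splitKey(key) {
  const at = key.lastIndexOf("@");
  return { name: key.slice(0, at), range: key.slice(at + 1) };
}

// Parse yarn.lock v1 into entries of { keys, version, dependencies }.
// Entries are separated by blank lines; header keys are comma separated and may be quoted;
// "dependencies:" is followed by 4-space-indented `name "range"` lines.
function parseYarnLock(text) {
  const entries = [];
  let entry = null;
  let inDeps = false;
  for (const line of text.split("\n")) {
    if (line.trim() === "" || line.startsWith("#")) { entry = null; inDeps = false; continue; }
    if (!line.startsWith(" ")) {
      const keys = line.replace(/:\s*$/, "").split(",").map(k => k.trim().replace(/^"|"$/g, ""));
      entry = { keys, version: null, dependencies: {} };
      entries.push(entry);
      inDeps = false;
      continue;
    }
    if (!entry) continue;
    const trimmed = line.trim();
    if (inDeps && line.startsWith("    ")) {
      const m = trimmed.match(/^"?([^"\s]+)"?\s+"?([^"]+)"?$/);
      if (m) entry.dependencies[m[1]] = m[2];
      continue;
    }
    inDeps = false;
    const v = trimmed.match(/^version\s+"([^"]+)"$/);
    if (v) entry.version = v[1];
    else if (trimmed === "dependencies:" || trimmed === "optionalDependencies:") inDeps = true;
  }
  return entries;
}

// For one package, return { resolvedVersion: ["dependent@version", ...] } over the lockfile.
function findDependents(lockText, pkg) {
  const entries = parseYarnLock(lockText);
  const resolved = new Map(); // "name@range" -> version the lockfile chose for that range
  for (const e of entries) for (const k of e.keys) resolved.set(k, e.version);
  const byVersion = {};
  for (const e of entries) {
    const range = e.dependencies[pkg];
    if (range === undefined) continue;
    const version = resolved.has(`${pkg}@${range}`) ? resolved.get(`${pkg}@${range}`) : `unresolved(${range})`;
    const dependent = `${splitKey(e.keys[0]).name}@${e.version}`;
    if (!byVersion[version]) byVersion[version] = [];
    byVersion[version].push(dependent);
  }
  return byVersion;
}

// Numeric major.minor.patch comparison (pre-release and build tags ignored): is a < b?
function versionLess(a, b) {
  const pa = a.split(/[-+]/)[0].split(".").map(Number);
  const pb = b.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Resolved versions of pkg still below fixedVersion, with the dependents that pull them in.
function unfixedDependents(lockText, pkg, fixedVersion) {
  const out = {};
  for (const [version, deps] of Object.entries(findDependents(lockText, pkg))) {
    if (!version.startsWith("unresolved(") && versionLess(version, fixedVersion)) out[version] = deps;
  }
  return out;
}

// FIXED_VERSION is a placeholder for this demo, not a value from the issue or the advisory;
// on a real repository read fs.readFileSync("yarn.lock", "utf8") instead of SAMPLE_LOCK.
const FIXED_VERSION = "3.22.3";
console.log(unfixedDependents(SAMPLE_LOCK, "zod", FIXED_VERSION));
```

The parser deliberately maps each `name@range` key back to the version the lockfile actually chose, because the dependent's declared range (`^3.11.6`) is not what ships; what ships is the resolution, and two workspace packages can declare overlapping ranges yet resolve to different copies. Anything still listed under a version below the fix is a package whose dependency bump has not landed, which is exactly the situation the issue describes for the score-card plugin.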

@jvilimek
Collaborator

Hi @freben, sure will update as soon as possible!

@jvilimek jvilimek added the bump-backstage-core Sync dependencies with latest backstage core version label Jan 20, 2024
@jvilimek jvilimek self-assigned this Jan 20, 2024
@jvilimek jvilimek pinned this issue Jan 20, 2024
@jvilimek jvilimek linked a pull request Jan 20, 2024 that will close this issue
@jvilimek jvilimek reopened this Jan 22, 2024
@jvilimek
Collaborator

jvilimek commented Jan 22, 2024

Release of the new package failed, as the yarn workspace publish task with which I replaced the previously working lerna probably needs a newer Yarn. Will fix this later today. Also see issue #206.

@jvilimek jvilimek unpinned this issue Jan 24, 2024