fix(deps): update dependency @backstage/plugin-scaffolder-backend to v1.15.0 [security] - autoclosed #195
This PR contains the following updates:
- `@backstage/plugin-scaffolder-backend`: `1.10.1` -> `1.15.0`
GitHub Vulnerability Alerts
CVE-2023-35926
The Backstage scaffolder-backend plugin uses a templating library that requires a sandbox, as it by design allows for code injection. The library used for this sandbox so far has been `vm2`, but in light of several past vulnerabilities and existing vulnerabilities that may not have a fix, the plugin has switched to using a different sandbox library.

Impact
A malicious actor with write access to a registered scaffolder template could manipulate the template in a way that allows for remote code execution on the scaffolder-backend instance. This was only exploitable in the template YAML definition itself and not by user input data.

Patches
This vulnerability is fixed in version 1.15.0 of `@backstage/plugin-scaffolder-backend`.

Workarounds
Note that the Backstage Threat Model states that scaffolder templates are considered to be a sensitive area, with the recommendation that you control access to, and perform manual reviews of changes to, the scaffolder templates. The exploit is of a nature where it is easily discoverable in manual review.
Release Notes
backstage/backstage (@backstage/plugin-scaffolder-backend)
v1.15.0

Minor Changes
- 84b0e47: Add `TargetBranchName` variable and output for the `publish:gitlab:merge-request` and `publish:github:pull-request` scaffolder actions.
- 6a694ce: Add a scaffolder action that creates pull requests for Bitbucket Server.
- 1948845: Added `github:deployKey:create` and `github:environment:create` scaffolder actions. You will need to add `read/write` permissions to your GITHUB_TOKEN and/or GitHub Backstage App for Repository `Administration` (for deploy key functionality) and `Environments` (for environment functionality).
- df84117: Add support for Repository Variables and Secrets to the `publish:github` and `github:repo:create` scaffolder actions. You will need to add `read/write` permissions to your GITHUB_TOKEN and/or GitHub Backstage App for Repository `Secrets` and `Variables`. Upgrading octokit introduces some breaking changes.

Patch Changes
- cc936b5: Fix handling of the `optional` property in the `catalog:register` scaffolder action.
- b269da3: Clearer error messages for the `publish:gitlab:merge-request` action.
- 11e0f62: Fix wrong gitlabUrl format in the repoUrl input description.
- a2c70cd: Switch out the sandbox, from `vm2` to `isolated-vm`. This is a native dependency, which means that it will need to be compiled with the same version of Node on the same OS. This can cause issues when running in Docker, for instance, as you will need to make sure that the dependency is installed and compiled inside the Docker container that it will run in. This could mean adding dependencies such as `build-essential` to the container to make sure that it compiles correctly. If you're having issues installing this dependency, there are install instructions over in the `isolated-vm` repo.
- Updated dependencies
v1.14.0

Minor Changes
- 67115f5: Expose both types of scaffolder permissions and rules through the metadata endpoint. The metadata endpoint now correctly exposes both types of scaffolder permissions and rules (for both the template and action resource types).
- a73b3c0: Add the ability to use `defaultNamespace` and `defaultKind` for the `catalog:fetch` scaffolder action.

Patch Changes
- 1a48b84: Bump minimum required version of `vm2` to 3.9.18.
- d20c879: Bump minimum required version of `vm2` to 3.9.17.
- 6d954de: Update typing for `RouterOptions::actions` and `ScaffolderActionsExtensionPoint::addActions` to allow any kind of action to be assigned to it.

v1.13.1

This release bumps the minimum required version of `vm2` to 3.9.17.

v1.13.0
Minor Changes
- 2b15cb4: The non-PR/MR Git actions now return the hash of the pushed commit as a new output called `commitHash`; isomorphic-git is now on version 1.23.0.
- 30ffdae: Added the `fetch:plain:file` action to fetch a single file; this action is also added to the list of built-in actions.
- 65e989f: Added the possibility to authorize parameters and steps of a template. The scaffolder plugin is now integrated with the permission framework. It is possible to toggle parameters or actions within templates by marking each section with specific `tags`, inside a `backstage:permissions` property under each parameter or action. Each parameter or action can then be permissioned by using a conditional decision containing the `scaffolderTemplateRules.hasTag` rule.
- 3b68b09: Renamed the `permissionApi` router option to `permissions`.
- bcae5aa: Added the possibility to authorize actions. It is now possible to decide who should be able to execute certain actions or who should be able to pass specific input to specified actions. Some of the existing utility functions for creating conditional decisions have been renamed: `createScaffolderConditionalDecision` has been renamed to `createScaffolderActionConditionalDecision`, and `scaffolderConditions` has been renamed to `scaffolderTemplateConditions`.
- d7c8c22: Allow for a commit message to differ from the PR title when publishing a GitHub pull request.
- 95ea9f6: Provide some more default filters out of the box and refactor how the filters are applied to the `SecureTemplater`. `parseEntityRef` takes a string entity triplet and returns a parsed object. `pick` lets you reference a specific property in the piped object. So you can now combine things like this: `${{ parameters.entity | parseEntityRef | pick('name') }}` to get the name of a specific entity, or `${{ parameters.repoUrl | parseRepoUrl | pick('owner') }}` to get the owner of a repo.

Patch Changes
- e23abb3: Rename output parameter `mergeRequestURL` of the `publish:gitlab:merge-request` action to `mergeRequestUrl`.
- e27ddc3: Added the possibility to cancel a running task (the execution of a scaffolder template).
- a7eb36c: Improve type-checking for scaffolder output parameters.
- c9a0fdc: Fix deprecated types.
- 1e4f5e9: Bump `zod` and `zod-to-json-schema` dependencies.
- 9c26e6d: Updated the alpha `scaffolderPlugin` to not require options.
- f37a95a: Stripped entity types and namespace before passing to the GitHub API.

v1.12.0
Minor Changes
- 7d724d8: Added the ability to define an action's `input` and `output` schema using `zod` instead of hand-writing types and `jsonschema`.

Patch Changes
- 860de10: Make identity valid if the subject of the token is a Backstage server-to-server auth token.
- 6545487: Minor API report tweaks.
- c6c78b4: Throw an error from the `catalog:fetch` scaffolder action when the entity is null and `optional` is false.
- 9968f45: The catalog write action should allow any shape of object.
- 928a12a: Internal refactor of `/alpha` exports.
- 52b0022: Updated dependency `msw` to `^1.0.0`.
- 7af1285: Extended the `catalog:fetch` scaffolder action to fetch multiple catalog entities by entity references.

v1.11.0
Minor Changes
- 0b2952e: Added the option to overwrite files in the `targetPath` of the `template:fetch` action.
- 1271549: Renamed the export `scaffolderCatalogModule` to `catalogModuleTemplateKind` in order to follow the new recommended naming patterns of backend system items. This is technically a breaking change, but in an alpha export, so take care to change your imports if you have already migrated to the new backend system.

Patch Changes
- 0ff0331: Updated usage of `createBackendPlugin`.
- ad3edc4: Deprecations: the following are deprecated and should instead be imported from the new package `@backstage/plugin-scaffolder-node`: `ActionContext`, `createTemplateAction`, `TaskSecrets`, `TemplateAction`.
- 6c70919: Provide better error messaging when GitHub fails due to missing team definitions.
- 66cf22f: Updated dependency `esbuild` to `^0.17.0`.
- Updated dependencies
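The filter pipeline described in the v1.13.0 notes (`parseEntityRef`, `pick`, and the `parseRepoUrl` expression shown beside them), modelled as an added stand-alone example that is not Backstage's SecureTemplater code. It assumes the `kind:namespace/name` entity-ref format and the `host?owner=...&repo=...` repoUrl format; the default kind/namespace values and the mini pipe evaluator are illustrative.

```javascript
// Added example, not Backstage code: a stand-alone model of the template
// filters named in the v1.13.0 notes. Assumed formats: entity refs are
// "kind:namespace/name" (kind and namespace optional), repoUrls are
// "host?owner=<owner>&repo=<repo>". The defaults below are illustrative.

function parseEntityRef(ref, { defaultKind = 'component', defaultNamespace = 'default' } = {}) {
  if (typeof ref !== 'string' || ref === '') throw new TypeError('entity ref must be a non-empty string');
  let rest = ref, kind = defaultKind, namespace = defaultNamespace;
  const colon = rest.indexOf(':');
  if (colon >= 0) { kind = rest.slice(0, colon); rest = rest.slice(colon + 1); }
  const slash = rest.indexOf('/');
  if (slash >= 0) { namespace = rest.slice(0, slash); rest = rest.slice(slash + 1); }
  if (!kind || !namespace || !rest) throw new Error(`malformed entity ref: ${ref}`);
  return { kind, namespace, name: rest };
}

function parseRepoUrl(repoUrl) {
  const q = repoUrl.indexOf('?');
  if (q < 0) throw new Error(`repoUrl has no query string: ${repoUrl}`);
  const qs = new URLSearchParams(repoUrl.slice(q + 1));
  const host = repoUrl.slice(0, q), repo = qs.get('repo');
  if (!host || !repo) throw new Error(`malformed repoUrl: ${repoUrl}`);
  return { host, owner: qs.get('owner') ?? undefined, repo };
}

// Own properties only, so a template expression cannot reach prototype members.
function pick(obj, key) {
  if (obj === null || typeof obj !== 'object') throw new TypeError('pick expects an object');
  return Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined;
}

const FILTERS = { parseEntityRef, parseRepoUrl, pick };

// Evaluate one "${{ parameters.x | filter | filter('arg') }}" expression.
// Only filters registered in FILTERS can be called; anything else is rejected.
function render(expr, parameters) {
  const m = /^\$\{\{\s*(.+?)\s*\}\}$/.exec(expr.trim());
  if (!m) throw new Error(`not a template expression: ${expr}`);
  const [head, ...stages] = m[1].split('|').map((s) => s.trim());
  let value = head.split('.').reduce(
    (o, k) => (o !== null && typeof o === 'object' ? pick(o, k) : undefined), { parameters });
  for (const stage of stages) {
    const fm = /^(\w+)(?:\((.*)\))?$/.exec(stage);
    if (!fm || !Object.prototype.hasOwnProperty.call(FILTERS, fm[1])) throw new Error(`unknown filter: ${stage}`);
    const args = fm[2] ? fm[2].split(',').map((a) => a.trim().replace(/^(['"])(.*)\1$/, '$2')) : [];
    value = FILTERS[fm[1]](value, ...args);
  }
  return value;
}
```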
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.