[Snyk] Fix for 4 vulnerabilities

[snyk-io]

Snyk has created this PR to fix 4 vulnerabilities in the yarn dependencies of this project.

Snyk changed the following file(s):

• plugins/techdocs-backend/package.json

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory.
If you are not using zero-install you can ignore this as your flow should likely be unchanged.

⚠️ Warning

Failed to update the yarn.lock, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Regular Expression Denial of Service (ReDoS) SNYK-JS-DIFF-14917201	590
	UNIX Symbolic Link (Symlink) Following SNYK-JS-BACKSTAGEBACKENDPLUGINAPI-15054291	550
	Prototype Pollution SNYK-JS-LODASH-15053838	545
	Prototype Pollution SNYK-JS-LODASHES-15053836	545

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution

---

EntelligenceAI PR Summary

This PR standardizes dependency versions in the techdocs-backend plugin by replacing workspace references with explicit version numbers and updating lodash for security.

• Pinned @backstage/backend-common to 0.24.1
• Pinned @backstage/backend-plugin-api to 1.6.1
• Pinned @backstage/plugin-catalog-common to 0.1.0
• Pinned @backstage/plugin-search-backend-module-techdocs to 0.2.2
• Pinned @backstage/plugin-search-common to 0.3.1
• Pinned @backstage/plugin-techdocs-node to 1.7.2
• Updated lodash from ^4.17.21 to ^4.17.23

[codesandbox]

Review or Edit in CodeSandbox

Open the branch in Web Editor • VS Code • Insiders

Open Preview

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[entelligence-ai-pr-reviews]

Walkthrough

This PR updates dependency management in the techdocs-backend plugin by converting workspace protocol references to explicit version numbers for multiple Backstage packages. The changes pin six Backstage dependencies to specific versions: backend-common (0.24.1), backend-plugin-api (1.6.1), plugin-catalog-common (0.1.0), plugin-search-backend-module-techdocs (0.2.2), plugin-search-common (0.3.1), and plugin-techdocs-node (1.7.2). Additionally, the lodash dependency is upgraded from version 4.17.21 to 4.17.23, likely addressing known security vulnerabilities. This change appears to be preparation for a release or to ensure version compatibility across the dependency tree.

Changes

File(s)	Summary
plugins/techdocs-backend/package.json	Converted Backstage package dependencies from workspace protocol (workspace:^) to explicit version numbers, pinning 6 packages to specific versions. Updated lodash from ^4.17.21 to ^4.17.23.

Sequence Diagram

This diagram shows the interactions between components:

sequenceDiagram
    participant Dev as Developer
    participant Package as techdocs-backend
    participant Backend as @backstage/backend-common<br/>(0.24.1)
    participant PluginAPI as @backstage/backend-plugin-api<br/>(1.6.1)
    participant TechDocsNode as @backstage/plugin-techdocs-node<br/>(1.7.2)
    participant SearchModule as @backstage/plugin-search-backend-module-techdocs<br/>(0.2.2)
    participant CatalogCommon as @backstage/plugin-catalog-common<br/>(0.1.0)
    
    Note over Dev,CatalogCommon: Dependency Version Update
    
    Dev->>Package: Update package.json dependencies
    Note over Package: Change workspace:^ to specific versions
    
    Package->>Backend: Pin to version 0.24.1
    Package->>PluginAPI: Pin to version 1.6.1
    Package->>TechDocsNode: Pin to version 1.7.2
    Package->>SearchModule: Pin to version 0.2.2
    Package->>CatalogCommon: Pin to version 0.1.0
    
    Note over Package,CatalogCommon: Dependencies now use fixed versions<br/>instead of workspace references

Loading

▶️ ⚡ AI Code Reviews for VS Code, Cursor, Windsurf
Install the extension

Note for Windsurf

Please change the default marketplace provider to the following in the windsurf settings:

Marketplace Extension Gallery Service URL: https://marketplace.visualstudio.com/_apis/public/gallery

Marketplace Gallery Item URL: https://marketplace.visualstudio.com/items

Entelligence.ai can learn from your feedback. Simply add 👍 / 👎 emojis to teach it your preferences. More shortcuts below

Emoji Descriptions:

• ⚠️ Potential Issue - May require further investigation.
• 🔒 Security Vulnerability - Fix to ensure system safety.
• 💻 Code Improvement - Suggestions to enhance code quality.
• 🔨 Refactor Suggestion - Recommendations for restructuring code.
• ℹ️ Others - General comments and information.

Interact with the Bot:

• Send a message or request using the format:
  @entelligenceai + *your message*

Example: @entelligenceai Can you suggest improvements for this code?

• Help the Bot learn by providing feedback on its responses.
  @entelligenceai + *feedback*

Example: @entelligenceai Do not comment on `save_auth` function !

Also you can trigger various commands with the bot by doing
@entelligenceai command

The current supported commands are

1. config - shows the current config
2. retrigger_review - retriggers the review

More commands to be added soon.