8 changes: 4 additions & 4 deletions plugins/scaffolder-backend-module-yeoman/package.json
@@ -22,11 +22,11 @@
"clean": "backstage-cli package clean"
},
"dependencies": {
"@backstage/config": "workspace:^",
"@backstage/plugin-scaffolder-node": "workspace:^",
"@backstage/types": "workspace:^",
"@backstage/config": "0.1.1",
"@backstage/plugin-scaffolder-node": "0.11.2",
"@backstage/types": "0.1.1",
Comment on lines +25 to +27

critical

Replacing workspace:^ with pinned versions is incorrect for this monorepo, which uses yarn workspaces. This change will cause this package to use old, published versions of @backstage/config and @backstage/types from the npm registry instead of the up-to-date versions from this workspace.

Specifically:

  • @backstage/config would be downgraded from the workspace version (which appears to be 1.0.8) to 0.1.1.
  • @backstage/types would be downgraded from the workspace version (which appears to be 1.1.0) to 0.1.1.

This will almost certainly lead to build failures or runtime errors. While the goal of fixing vulnerabilities is important, these changes are not the correct way to do it in this project structure.

The correct approach would be to:

  1. Keep the workspace:^ specifiers.
  2. Identify which transitive dependencies are vulnerable.
  3. Use resolutions in the root package.json to force a secure version of the vulnerable packages across the entire workspace.

I recommend reverting these changes and using resolutions instead.

    "@backstage/config": "workspace:^",
    "@backstage/plugin-scaffolder-node": "workspace:^",
    "@backstage/types": "workspace:^"
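A check that would have caught this in CI, added here as an example (not code from the PR or from the Backstage project): it flags any dependency on a sibling workspace package that does not use the yarn `workspace:` protocol. The sibling package list and the sample manifest are constructed to mirror the diff above; in a real repo the list would be read from the workspace.

```javascript
// Added example: flag sibling workspace packages resolved from the registry
// instead of the workspace. SIBLING_PACKAGES is a constructed stand-in for the
// list of package names that live in the monorepo.
const SIBLING_PACKAGES = new Set([
  '@backstage/config',
  '@backstage/plugin-scaffolder-node',
  '@backstage/types',
  '@backstage/backend-common',
]);

const DEP_FIELDS = ['dependencies', 'devDependencies', 'peerDependencies', 'optionalDependencies'];

// True for "workspace:^", "workspace:*", "workspace:1.2.3", etc.
function isWorkspaceRange(range) {
  return typeof range === 'string' && range.startsWith('workspace:');
}

// Returns one finding per sibling package pulled from the registry.
// An empty array means the manifest only uses workspace: for siblings.
function findNonWorkspaceSiblings(manifest, siblings = SIBLING_PACKAGES) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    const deps = manifest[field] || {};
    for (const [name, range] of Object.entries(deps)) {
      if (siblings.has(name) && !isWorkspaceRange(range)) {
        findings.push({ field, name, range });
      }
    }
  }
  return findings;
}

// Constructed sample: the dependency blocks as this PR would leave them.
const PR_MANIFEST = JSON.parse(`{
  "dependencies": {
    "@backstage/config": "0.1.1",
    "@backstage/plugin-scaffolder-node": "0.11.2",
    "@backstage/types": "0.1.1",
    "winston": "^3.2.1",
    "yeoman-environment": "^4.0.0"
  },
  "devDependencies": { "@backstage/backend-common": "workspace:^" }
}`);

function formatReport(findings) {
  return findings.map(f => `${f.field}: ${f.name} uses "${f.range}" instead of workspace:^`);
}

for (const line of formatReport(findNonWorkspaceSiblings(PR_MANIFEST))) console.log(line);
```

Running it against the sample manifest reports the three pinned `@backstage/*` entries and leaves the `workspace:^` devDependency alone.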

"winston": "^3.2.1",
"yeoman-environment": "^3.9.1"
"yeoman-environment": "^4.0.0"

high

This is a major version upgrade for yeoman-environment (from ^3.9.1 to ^4.0.0). Major versions can introduce breaking changes, and the Snyk metadata for this PR indicates isBreakingChange:true. Please carefully review the yeoman-environment v4 release notes and update the code in this module to be compatible with the new version before merging.

},
"devDependencies": {
"@backstage/backend-common": "workspace:^",
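Review bot: The hunk leaves the manifest inconsistent with itself: the three `@backstage/*` entries at +25 to +27 become exact registry versions while `"@backstage/backend-common": "workspace:^"` in devDependencies (the trailing context line) still resolves from the workspace, so this package would load two different generations of sibling Backstage packages in one install. Exact pins with no caret also freeze these dependencies at the listed versions and will not pick up later patch releases, which works against the PR's stated purpose of remediating vulnerabilities. Suggest restoring `workspace:^` for all three and addressing the vulnerable transitive dependency via root `resolutions`, as the earlier comment proposes; the `yeoman-environment` bump at +30 should be handled separately with the v4 compatibility review already requested.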