Update dependency @backstage/plugin-scaffolder-backend to v2 [SECURITY] - abandoned

[alithya-oss-backstage-ci]

This PR contains the following updates:

Package	Change	Age	Confidence
@backstage/plugin-scaffolder-backend (source)	^1.33.0 -> ^2.0.0

---

Template Secret leakage in logs in Scaffolder when using fetch:template

CVE-2025-55285 / GHSA-3x3q-ghcp-whf7

More information

Details

Impact

Duplicate logging of the input values in the fetch:template action in the Scaffolder meant that some of the secrets were not properly redacted. If you're not passing through $ to fetch:template there is no impact.

Patches

This issue has been resolved in 2.1.1 of the scaffolder-backend plugin.

Workarounds

Template Authors can remove the use of $ being used as an argument to fetch:template.

References

If you have any questions or comments about this advisory:

Open an issue in the Backstage repository
Visit our Discord, linked to in Backstage README

Severity

• CVSS Score: 2.6 / 10 (Low)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N

References

• https://github.com/backstage/backstage/security/advisories/GHSA-3x3q-ghcp-whf7
• https://nvd.nist.gov/vuln/detail/CVE-2025-55285
• https://github.com/backstage/backstage/commit/c371f6fe12371de31dca537510e6653e287cdc2e
• https://github.com/backstage/backstage

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

backstage/backstage (@​backstage/plugin-scaffolder-backend)

v2.1.1

Compare Source

v2.1.0

Compare Source

Minor Changes

• c1ce316: BREAKING /alpha: Converted scaffolder.task.read and scaffolder.task.cancel into Resource Permissions.

  BREAKING /alpha: Added a new scaffolder rule isTaskOwner for scaffolder.task.read and scaffolder.task.cancel to allow for conditional permission policies such as restricting access to tasks and task events based on task creators.

  BREAKING /alpha: Retrying a task now requires both scaffolder.task.read and scaffolder.task.create permissions, replacing the previous requirement of scaffolder.task.read and scaffolder.task.cancel.

Patch Changes

• 424610a: Scaffolder audit Log now includes taskId and createdBy
• dbde180: An internal refactor which adds additional types to experimental checkpoints
• fc70b43: Replaced deprecated uses of @backstage/backend-common with the equivalents in @backstage/backend-defaults and @backstage/backend-plugin-api.
• Updated dependencies
  • @​backstage/config@​1.3.3
  • @​backstage/plugin-permission-common@​0.9.1
  • @​backstage/plugin-permission-node@​0.10.2
  • @​backstage/catalog-model@​1.7.5
  • @​backstage/backend-defaults@​0.11.1
  • @​backstage/plugin-scaffolder-node@​0.10.0
  • @​backstage/integration@​1.17.1
  • @​backstage/plugin-scaffolder-backend-module-github@​0.8.1
  • @​backstage/plugin-scaffolder-common@​1.6.0
  • @​backstage/backend-plugin-api@​1.4.1
  • @​backstage/plugin-auth-node@​0.6.5
  • @​backstage/plugin-bitbucket-cloud-common@​0.3.1
  • @​backstage/[email protected]
  • @​backstage/plugin-catalog-node@​1.17.2
  • @​backstage/plugin-events-node@​0.4.13
  • @​backstage/plugin-scaffolder-backend-module-azure@​0.2.11
  • @​backstage/[email protected]
  • @​backstage/[email protected]
  • @​backstage/[email protected]
  • @​backstage/plugin-scaffolder-backend-module-gerrit@​0.2.11
  • @​backstage/plugin-scaffolder-backend-module-gitea@​0.2.11
  • @​backstage/plugin-scaffolder-backend-module-gitlab@​0.9.3

v2.0.0

Compare Source

Major Changes

• 33394db: BREAKING CHANGES

  Removal of deprecated re-exports from module packages.

  The following functions have been re-exported from the scaffolder-backend plugin for quite some time, and now it's time to clean them up. They've been moved as follows:

  • createPublishAzureAction should be imported from @backstage/plugin-scaffolder-backend-module-azure instead.

  • createPublishBitbucketCloudAction should be imported from @backstage/plugin-scaffolder-backend-module-bitbucket-cloud instead.

  • createPublishBitbucketServerAction and createPublishBitbucketServerPullRequestAction can be imported from @backstage/plugin-scaffolder-backend-module-bitbucket-server instead.

  • createPublishBitbucketAction should be imported from @backstage/plugin-scaffolder-backend-module-bitbucket instead.

  • createPublishGerritAction and createPublishGerritReviewAction can be imported from @backstage/plugin-scaffolder-backend-module-gerrit instead.

  • createGithubActionsDispatchAction, createGithubDeployKeyAction, createGithubEnvironmentAction, createGithubIssuesLabelAction, CreateGithubPullRequestActionOptions, createGithubRepoCreateAction, createGithubRepoPushAction, createGithubWebhookAction, and createPublishGithubAction can be imported from @backstage/plugin-scaffolder-backend-module-github instead.

  • createPublishGitlabAction should be imported from @backstage/plugin-scaffolder-backend-module-gitlab instead.

  • ActionContext. createTemplateAction, executeShellCommand, ExecuteShellCommandOptions, fetchContents, TaskSecrets, and TemplateAction should be imported from @backstage/plugin-scaffolder-node instead.

  • ScaffolderEntitiesProcessor should be imported from @backstage/plugin-catalog-backend-module-scaffolder-entity-model instead.

• a8fcf04: BREAKING ALPHA: The /alpha export no longer exports the plugin. Please use import('@​backstage/plugin-scaffolder-backend') instead as this has been removed.

  BREAKING CHANGES: The old createRouter function which was used in the old backend system has been removed along with the RouterOptions type.

• 73b94d7: BREAKING CHANGES

  The following functions have been re-exported from the scaffolder-backend plugin for quite some time, and now it's time to clean them up. They've been moved as follows:

  • SerializedTask, SerializedTaskEvent, TaskBroker, TaskBrokerDispatchOptions, TaskBrokerDispatchResult, TaskCompletionState, TaskContext, TaskEventType, TaskStatus, TemplateFilter, and TemplateGlobal should be imported from @backstage/plugin-scaffolder-node instead.

  • The deprecated copyWithoutRender option has been removed from fetch:template action. You should rename the option to copyWithoutTemplating instead.

• 5863b04: BREAKING CHANGES

  • The createBuiltinActions method has been removed, as this should no longer be needed with the new backend system route, and was only useful when passing the default list of actions again in the old backend system. You should be able to rely on the default behaviour of the new backend system which is to merge the actions.

  • The createCatalogRegisterAction and createFetchCatalogEntityAction actions no longer require an AuthService, and now accepts a CatalogService instead of CatalogClient.

  Unless you're providing your own override action to the default, this should be a non-breaking change.

  You can migrate using the following if you're getting typescript errors:

  import { catalogServiceRef } from '@​backstage/plugin-catalog-node';
  import { scaffolderActionsExtensionPoint } from '@​backstage/plugin-scaffolder-node/alpha';
  
  export const myModule = createBackendModule({
    pluginId: 'scaffolder',
    moduleId: 'test',
    register({ registerInit }) {
      registerInit({
        deps: {
          scaffolder: scaffolderActionsExtensionPoint,
          catalog: catalogServiceRef,
        },
        async init({ scaffolder, catalog }) {
          scaffolder.addActions(
            createCatalogRegisterAction({
              catalog,
            }),
            createFetchCatalogEntityAction({
              catalog,
              integrations,
            }),
          );
        },
      });
    },
  });

Minor Changes

• 73b94d7: DEPRECATIONS

  The following types and implementations have been deprecated, either because they're no longer relevant, or because upcoming changes to the scaffolder-backend after 2.0.0 will influence the changes to these API surfaces.

  • CreateWorkerOptions
  • DatabaseTaskStore
  • DatabaseTaskStoreOptions
  • TaskManager
  • TaskStoreCreateTaskOptions
  • TaskStoreCreateTaskResult
  • TaskStoreEmitOptions
  • TaskStoreListEventsOptions
  • TaskStoreRecoverTaskOptions
  • TaskStoreShutDownTaskOptions

  There is no current path off deprecation, these types are going to be removed and rethought with a better way to define workers in the new backend system.

Patch Changes

• 89a941d: Migrating to latest action format

• 023629e: Enable usage of secrets within 'each' step of software templates. For example, you can now structure your each step like this:

  each:
    [
      { name: "Service1", token: "${{ secrets.token1 }}" },
      { name: "Service2", token: "${{ secrets.token2 }}" },
    ]
  

• e92e481: Add tests for Scaffolder

• Updated dependencies

  • @​backstage/plugin-scaffolder-backend-module-gitlab@​0.9.2
  • @​backstage/plugin-scaffolder-backend-module-azure@​0.2.10
  • @​backstage/[email protected]
  • @​backstage/plugin-scaffolder-backend-module-github@​0.8.0
  • @​backstage/backend-defaults@​0.11.0
  • @​backstage/plugin-scaffolder-node@​0.9.0
  • @​backstage/[email protected]
  • @​backstage/plugin-scaffolder-backend-module-gerrit@​0.2.10
  • @​backstage/plugin-catalog-node@​1.17.1
  • @​backstage/plugin-auth-node@​0.6.4
  • @​backstage/plugin-scaffolder-backend-module-gitea@​0.2.10
  • @​backstage/[email protected]
  • @​backstage/backend-plugin-api@​1.4.0
  • @​backstage/catalog-model@​1.7.4
  • @​backstage/config@​1.3.2
  • @​backstage/errors@​1.2.7
  • @​backstage/integration@​1.17.0
  • @​backstage/types@​1.2.1
  • @​backstage/plugin-bitbucket-cloud-common@​0.3.0
  • @​backstage/[email protected]
  • @​backstage/plugin-events-node@​0.4.12
  • @​backstage/plugin-permission-common@​0.9.0
  • @​backstage/plugin-permission-node@​0.10.1
  • @​backstage/plugin-scaffolder-common@​1.5.11

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[alithya-oss-backstage-ci]

Missing Changesets

The following package(s) are changed by this PR but do not have a changeset:

• @alithya-oss/backstage-plugin-scaffolder-backend-module-aws-apps

See CONTRIBUTING.md for more information about how to add changesets.

Changed Packages

Package Name	Package Path	Changeset Bump	Current Version
backend	workspaces/aws/packages/backend	none	v0.0.6
@alithya-oss/backstage-plugin-scaffolder-backend-module-aws-apps	workspaces/aws/plugins/scaffolder-backend-module-aws-apps	none	v0.3.12

[alithya-oss-backstage-ci]

Missing Changesets

The following package(s) are changed by this PR but do not have a changeset:

• @alithya-oss/backstage-plugin-scaffolder-backend-module-aws-apps

See CONTRIBUTING.md for more information about how to add changesets.

Changed Packages

Package Name	Package Path	Changeset Bump	Current Version
backend	workspaces/aws/packages/backend	none	v0.0.6
@alithya-oss/backstage-plugin-scaffolder-backend-module-aws-apps	workspaces/aws/plugins/scaffolder-backend-module-aws-apps	none	v0.3.12

[alithya-oss-backstage-ci]

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.

[alithya-oss-backstage-ci]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[github-actions]

This PR has been automatically marked as stale because it has not had recent activity from the author. It will be closed if no further activity occurs. If the PR was closed and you want it re-opened, let us know and we'll re-open the PR so that you can continue the contribution!