
@alithya-oss-backstage-ci
Contributor

This PR contains the following updates:

Package: @backstage/plugin-scaffolder-backend (source)
Change: ^1.33.0 -> ^2.0.0
Age / Confidence: (badges not captured)

Template Secret leakage in logs in Scaffolder when using fetch:template

CVE-2025-55285 / GHSA-3x3q-ghcp-whf7

More information

Details

A logging flaw in Backstage Scaffolder’s fetch:template action up to @backstage/plugin-scaffolder-backend 2.1.0 may write template secrets to logs. The action emitted a duplicate, pre-redaction copy of input parameters, so values provided via the `secrets` bag could appear in local/server logs when the action ran. Exploitation requires use of the secrets argument and access to Scaffolder/build logs; integrity and availability are unaffected.

  • Fix: upgrade to 2.1.1, which removes the duplicate log path and ensures secrets are redacted.
  • Mitigation: avoid passing `secrets` to fetch:template if upgrade is not possible.

Open an issue in the Backstage repository

Visit our Discord, linked to in Backstage README

Severity

  • CVSS Score: 2.6 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

backstage/backstage (@backstage/plugin-scaffolder-backend)

v2.1.1


v2.1.0


Minor Changes
  • c1ce316: BREAKING /alpha: Converted scaffolder.task.read and scaffolder.task.cancel into Resource Permissions.

    BREAKING /alpha: Added a new scaffolder rule isTaskOwner for scaffolder.task.read and scaffolder.task.cancel to allow for conditional permission policies such as restricting access to tasks and task events based on task creators.

    BREAKING /alpha: Retrying a task now requires both scaffolder.task.read and scaffolder.task.create permissions, replacing the previous requirement of scaffolder.task.read and scaffolder.task.cancel.

Patch Changes

v2.0.0


Major Changes
  • 33394db: BREAKING CHANGES

    Removal of deprecated re-exports from module packages.

    The following functions have been re-exported from the scaffolder-backend plugin for quite some time, and now it's time to clean them up. They've been moved as follows:

    • createPublishAzureAction should be imported from @backstage/plugin-scaffolder-backend-module-azure instead.

    • createPublishBitbucketCloudAction should be imported from @backstage/plugin-scaffolder-backend-module-bitbucket-cloud instead.

    • createPublishBitbucketServerAction and createPublishBitbucketServerPullRequestAction can be imported from @backstage/plugin-scaffolder-backend-module-bitbucket-server instead.

    • createPublishBitbucketAction should be imported from @backstage/plugin-scaffolder-backend-module-bitbucket instead.

    • createPublishGerritAction and createPublishGerritReviewAction can be imported from @backstage/plugin-scaffolder-backend-module-gerrit instead.

    • createGithubActionsDispatchAction, createGithubDeployKeyAction, createGithubEnvironmentAction, createGithubIssuesLabelAction, CreateGithubPullRequestActionOptions, createGithubRepoCreateAction, createGithubRepoPushAction, createGithubWebhookAction, and createPublishGithubAction can be imported from @backstage/plugin-scaffolder-backend-module-github instead.

    • createPublishGitlabAction should be imported from @backstage/plugin-scaffolder-backend-module-gitlab instead.

    • ActionContext, createTemplateAction, executeShellCommand, ExecuteShellCommandOptions, fetchContents, TaskSecrets, and TemplateAction should be imported from @backstage/plugin-scaffolder-node instead.

    • ScaffolderEntitiesProcessor should be imported from @backstage/plugin-catalog-backend-module-scaffolder-entity-model instead.

  • a8fcf04: BREAKING ALPHA: The /alpha export no longer exports the plugin. Please use import('@backstage/plugin-scaffolder-backend') instead as this has been removed.

    BREAKING CHANGES: The old createRouter function which was used in the old backend system has been removed along with the RouterOptions type.

  • 73b94d7: BREAKING CHANGES

    The following functions have been re-exported from the scaffolder-backend plugin for quite some time, and now it's time to clean them up. They've been moved as follows:

    • SerializedTask, SerializedTaskEvent, TaskBroker, TaskBrokerDispatchOptions, TaskBrokerDispatchResult, TaskCompletionState, TaskContext, TaskEventType, TaskStatus, TemplateFilter, and TemplateGlobal should be imported from @backstage/plugin-scaffolder-node instead.

    • The deprecated copyWithoutRender option has been removed from fetch:template action. You should rename the option to copyWithoutTemplating instead.

  • 5863b04: BREAKING CHANGES

    • The createBuiltinActions method has been removed, as this should no longer be needed with the new backend system route, and was only useful when passing the default list of actions again in the old backend system. You should be able to rely on the default behaviour of the new backend system which is to merge the actions.

    • The createCatalogRegisterAction and createFetchCatalogEntityAction actions no longer require an AuthService, and now accept a CatalogService instead of CatalogClient.

    Unless you're providing your own override action to the default, this should be a non-breaking change.

    You can migrate using the following if you're getting typescript errors:

    // Imports for createBackendModule, coreServices, ScmIntegrations and the two
    // actions are added here; the original snippet omitted them and left
    // `integrations` undefined, so it is built from the root config below.
    import { coreServices, createBackendModule } from '@backstage/backend-plugin-api';
    import { ScmIntegrations } from '@backstage/integration';
    import { catalogServiceRef } from '@backstage/plugin-catalog-node';
    import {
      createCatalogRegisterAction,
      createFetchCatalogEntityAction,
    } from '@backstage/plugin-scaffolder-backend';
    import { scaffolderActionsExtensionPoint } from '@backstage/plugin-scaffolder-node/alpha';
    
    export const myModule = createBackendModule({
      pluginId: 'scaffolder',
      moduleId: 'test',
      register({ registerInit }) {
        registerInit({
          deps: {
            scaffolder: scaffolderActionsExtensionPoint,
            catalog: catalogServiceRef,
            config: coreServices.rootConfig,
          },
          async init({ scaffolder, catalog, config }) {
            // SCM integrations are read from app-config (assumed; not in the original snippet)
            const integrations = ScmIntegrations.fromConfig(config);
            scaffolder.addActions(
              createCatalogRegisterAction({
                catalog,
              }),
              createFetchCatalogEntityAction({
                catalog,
                integrations,
              }),
            );
          },
        });
      },
    });

Minor Changes
  • 73b94d7: DEPRECATIONS

    The following types and implementations have been deprecated, either because they're no longer relevant, or because upcoming changes to the scaffolder-backend after 2.0.0 will influence the changes to these API surfaces.

    • CreateWorkerOptions
    • DatabaseTaskStore
    • DatabaseTaskStoreOptions
    • TaskManager
    • TaskStoreCreateTaskOptions
    • TaskStoreCreateTaskResult
    • TaskStoreEmitOptions
    • TaskStoreListEventsOptions
    • TaskStoreRecoverTaskOptions
    • TaskStoreShutDownTaskOptions

    There is no current path off deprecation, these types are going to be removed and rethought with a better way to define workers in the new backend system.

Patch Changes

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
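As an added illustration of the advisory above (not Backstage's own code): an action that logs its raw parameters alongside the redacted copy, the fixed form that emits only the redacted line, and a log check a defender can run; `redactForLog`, `runActionVulnerable`, `runActionFixed`, `logLeaksSecret`, `MemoryLogger` and `demo` are hypothetical names, and the token value is constructed.

```typescript
// Model of the fetch:template logging flaw (duplicate pre-redaction log) and its fix.
// All names here are hypothetical; Backstage's real logger/redaction code is not used.
type Secrets = Record<string, string>;

class MemoryLogger {
  lines: string[] = [];
  info(msg: string): void { this.lines.push(msg); }
}

// Redact by secret *value*, not key: a secret templated into any input field
// (e.g. values.token: ${{ secrets.gitToken }}) is still masked.
function redactForLog(input: unknown, secrets: Secrets): string {
  let text = JSON.stringify(input);
  for (const value of Object.values(secrets)) {
    if (value.length === 0) continue;
    text = text.split(value).join('***');
  }
  return text;
}

// Vulnerable shape: a second, pre-redaction copy of the parameters reaches the log.
function runActionVulnerable(input: object, secrets: Secrets, log: MemoryLogger): void {
  log.info(`Running fetch:template with parameters: ${JSON.stringify(input)}`); // leaks
  log.info(`Running fetch:template with parameters: ${redactForLog(input, secrets)}`);
}

// Fixed shape: only the redacted line is emitted.
function runActionFixed(input: object, secrets: Secrets, log: MemoryLogger): void {
  log.info(`Running fetch:template with parameters: ${redactForLog(input, secrets)}`);
}

// Defender check: does any secret value appear verbatim in the captured log?
function logLeaksSecret(log: MemoryLogger, secrets: Secrets): boolean {
  const values = Object.values(secrets).filter(v => v.length > 0);
  return log.lines.some(line => values.some(v => line.includes(v)));
}

function demo(): { vulnerableLeaks: boolean; fixedLeaks: boolean } {
  const secrets: Secrets = { gitToken: 'ghp_CONSTRUCTED_SAMPLE_TOKEN' }; // constructed
  const input = { url: './skeleton', values: { name: 'svc', token: secrets.gitToken } };
  const vuln = new MemoryLogger();
  runActionVulnerable(input, secrets, vuln);
  const fixed = new MemoryLogger();
  runActionFixed(input, secrets, fixed);
  return { vulnerableLeaks: logLeaksSecret(vuln, secrets), fixedLeaks: logLeaksSecret(fixed, secrets) };
}
```

The same `logLeaksSecret` check, pointed at exported task logs and the task's known secret values, is a practical way to confirm whether an instance on 2.1.0 or earlier actually wrote secrets to disk before upgrading.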

@alithya-oss-backstage-ci alithya-oss-backstage-ci bot added the dependencies Pull requests that update a dependency file label Oct 3, 2025
@alithya-oss-backstage-ci alithya-oss-backstage-ci bot requested a review from a team as a code owner October 3, 2025 19:12
@alithya-oss-backstage-ci alithya-oss-backstage-ci bot added dependencies Pull requests that update a dependency file security labels Oct 3, 2025
@alithya-oss-backstage-ci
Contributor Author

Missing Changesets

The following package(s) are changed by this PR but do not have a changeset:

  • @alithya-oss/backstage-plugin-scaffolder-backend-module-aws-apps

See CONTRIBUTING.md for more information about how to add changesets.

Changed Packages

Package Name Package Path Changeset Bump Current Version
backend workspaces/aws/packages/backend none v0.0.6
@alithya-oss/backstage-plugin-scaffolder-backend-module-aws-apps workspaces/aws/plugins/scaffolder-backend-module-aws-apps none v0.3.12

@alithya-oss-backstage-ci
Contributor Author

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@github-actions
Contributor

This PR has been automatically marked as stale because it has not had recent activity from the author. It will be closed if no further activity occurs. If the PR was closed and you want it re-opened, let us know and we'll re-open the PR so that you can continue the contribution!

@github-actions github-actions bot added the stale label Oct 18, 2025
@github-actions github-actions bot closed this Oct 25, 2025
@alithya-oss-backstage-ci
Contributor Author

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 2.x releases. But if you manually upgrade to 2.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

@alithya-oss-backstage-ci alithya-oss-backstage-ci bot deleted the renovate/npm-backstage-plugin-scaffolder-backend-vulnerability branch October 25, 2025 02:22