Update dependency @backstage/backend-defaults to ^0.12.0 [SECURITY]

[alithya-oss-backstage-ci]

This PR contains the following updates:

Package	Change	Age	Confidence
@backstage/backend-defaults (source)	^0.10.0 → ^0.12.0

---

Backstage has a Possible Symlink Path Traversal in Scaffolder Actions

CVE-2026-24046 / GHSA-rq6q-wr2q-7pgp

More information

Details

Impact

Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could exploit symlinks to:

1. Read arbitrary files via the debug:log action by creating a symlink pointing to sensitive files (e.g., /etc/passwd, configuration files, secrets)
2. Delete arbitrary files via the fs:delete action by creating symlinks pointing outside the workspace
3. Write files outside the workspace via archive extraction (tar/zip) containing malicious symlinks

This affects any Backstage deployment where users can create or execute Scaffolder templates.

Patches

This vulnerability is fixed in the following package versions:

• @backstage/backend-defaults version 0.12.2, 0.13.2, 0.14.1, 0.15.0
• @backstage/plugin-scaffolder-backend version 2.2.2, 3.0.2, 3.1.1
• @backstage/plugin-scaffolder-node version 0.11.2, 0.12.3

Users should upgrade to these versions or later.

Workarounds

• Follow the recommendation in the Backstage Threat Model to limit access to creating and updating templates
• Restrict who can create and execute Scaffolder templates using the permissions framework
• Audit existing templates for symlink usage
• Run Backstage in a containerized environment with limited filesystem access

References

• CWE-59: Improper Link Resolution Before File Access
• OWASP Path Traversal

Severity

• CVSS Score: Unknown
• Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L

References

• https://github.com/backstage/backstage/security/advisories/GHSA-rq6q-wr2q-7pgp
• https://nvd.nist.gov/vuln/detail/CVE-2026-24046
• https://github.com/backstage/backstage/commit/c641c147ab371a9a8a2f5f67fdb7cb9c97ef345d
• https://github.com/backstage/backstage

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Backstage has a Possible SSRF when reading from allowed URL's in backend.reading.allow

CVE-2026-24048 / GHSA-q2x5-4xjx-c6p9

More information

Details

Impact

The FetchUrlReader component, used by the catalog and other plugins to fetch content from URLs, followed HTTP redirects automatically. This allowed an attacker who controls a host listed in backend.reading.allow to redirect requests to internal or sensitive URLs that are not on the allowlist, bypassing the URL allowlist security control.

This is a Server-Side Request Forgery (SSRF) vulnerability that could allow access to internal resources, but it does not allow attackers to include additional request headers.

Patches

This vulnerability is fixed in @backstage/backend-defaults version 0.12.2, 0.13.2, 0.14.1, and 0.15.0. Users should upgrade to this version or later.

Workarounds

• Restrict backend.reading.allow to only trusted hosts that you control and that do not issue redirects
• Ensure allowed hosts do not have open redirect vulnerabilities
• Use network-level controls to block access from Backstage to sensitive internal endpoints

References

• OWASP SSRF Prevention Cheat Sheet

Severity

• CVSS Score: Unknown
• Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

References

• https://github.com/backstage/backstage/security/advisories/GHSA-q2x5-4xjx-c6p9
• https://nvd.nist.gov/vuln/detail/CVE-2026-24048
• https://github.com/backstage/backstage/commit/27f9061d24affd1b9212fe0abd476bfc3fbaedcb
• https://github.com/backstage/backstage

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

backstage/backstage (@​backstage/backend-defaults)

v0.12.2

Compare Source

v0.12.1

Compare Source

Patch Changes

• 33bd4d0: Deduplicate discovered features discovered with discoveryFeatureLoader

• 4eda590: Fixed cache namespace and key prefix separator configuration to properly use configured values instead of hardcoded plugin ID. The cache manager now correctly combines the configured namespace with plugin IDs using the configured separator for Redis and Valkey. Memcache and memory store continue to use plugin ID as namespace.

• f244e61: Add backend.logger config options to configure the RootLoggerService.

  Read more about the new configuration options in the
  Root Logger Service
  documentation.

• Updated dependencies

  • @​backstage/config-loader@​1.10.3
  • @​backstage/plugin-auth-node@​0.6.7
  • @​backstage/plugin-events-node@​0.4.15
  • @​backstage/integration@​1.18.0
  • @​backstage/types@​1.2.2
  • @​backstage/backend-app-api@​1.2.7
  • @​backstage/backend-plugin-api@​1.4.3
  • @​backstage/plugin-permission-node@​0.10.4

v0.12.0

Compare Source

Minor Changes

• 133519b: feat: new cache manager Infinispan Data Grid

Patch Changes

• caee2eb: Fixed WinstonLogger throwing when redactions were null or undefined
• ed74af5: Fixed bug in PackageDiscoveryService where packages with "exports" field caused ERR_PACKAGE_PATH_NOT_EXPORTED error during backend startup.
• 3a7dad9: Updated better-sqlite3 to v12
• Updated dependencies
  • @​backstage/cli-node@​0.2.14
  • @​backstage/backend-app-api@​1.2.6
  • @​backstage/plugin-auth-node@​0.6.6
  • @​backstage/plugin-permission-node@​0.10.3
  • @​backstage/backend-plugin-api@​1.4.2
  • @​backstage/plugin-events-node@​0.4.14

v0.11.1

Compare Source

Patch Changes

• ead925a: Add a standard toString on credentials objects
• e0189b8: UrlReader: Fix handling of access tokens for GitLab readURL requests
• d1e4a6d: Fixed bug where the GitLab user token and GitLab integration token were being merged together
• Updated dependencies
  • @​backstage/config-loader@​1.10.2
  • @​backstage/config@​1.3.3
  • @​backstage/plugin-permission-node@​0.10.2
  • @​backstage/integration@​1.17.1
  • @​backstage/backend-app-api@​1.2.5
  • @​backstage/backend-plugin-api@​1.4.1
  • @​backstage/integration-aws-node@​0.1.17
  • @​backstage/plugin-auth-node@​0.6.5
  • @​backstage/plugin-events-node@​0.4.13

v0.11.0

Compare Source

Minor Changes

• 3ccb7fc: Enhanced error handling in the auditor service factory to pass errors as objects. Aligned WinstonRootAuditorService with the default service factory's error handling.

Patch Changes

• 1220cf8: Added new rate limit middleware to allow rate limiting requests to the backend

  If you are using the configure callback of the root HTTP router service and do NOT call applyDefaults() inside it, please see the relevant changes that were made, to see if you want to apply them as well to your custom configuration.
  Rate limiting can be turned on by adding the following configuration to app-config.yaml:

  backend:
    rateLimit:
      window: 6s
      incomingRequestLimit: 100

  Plugin specific rate limiting can be configured by adding the following configuration to app-config.yaml:

  backend:
    rateLimit:
      global: false # This will disable the global rate limiting
      plugin:
        catalog:
          window: 6s
          incomingRequestLimit: 100

• c999c25: Added some default implementations for the experimental ActionsService and ActionsRegistryService under /alpha that allow registration of actions for a particular plugin.

• Updated dependencies

  • @​backstage/plugin-auth-node@​0.6.4
  • @​backstage/backend-app-api@​1.2.4
  • @​backstage/backend-plugin-api@​1.4.0
  • @​backstage/backend-dev-utils@​0.1.5
  • @​backstage/cli-node@​0.2.13
  • @​backstage/config@​1.3.2
  • @​backstage/config-loader@​1.10.1
  • @​backstage/errors@​1.2.7
  • @​backstage/integration@​1.17.0
  • @​backstage/integration-aws-node@​0.1.16
  • @​backstage/types@​1.2.1
  • @​backstage/plugin-events-node@​0.4.12
  • @​backstage/plugin-permission-node@​0.10.1

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[alithya-oss-backstage-ci]

Missing Changesets

The following package(s) are changed by this PR but do not have a changeset:

• @alithya-oss/backstage-plugin-amazon-ecs-backend
• @alithya-oss/backstage-plugin-aws-apps-backend
• @alithya-oss/backstage-plugin-aws-codebuild-backend
• @alithya-oss/backstage-plugin-aws-codepipeline-backend
• @alithya-oss/backstage-plugin-cost-insights-aws-backend
• @alithya-oss/backstage-plugin-changelog-backend
• @alithya-oss/backstage-plugin-rag-ai-backend
• @alithya-oss/backstage-plugin-time-saver-backend

See CONTRIBUTING.md for more information about how to add changesets.

Changed Packages

Package Name	Package Path	Changeset Bump	Current Version
backend	workspaces/aws/packages/backend	none	v0.0.6
@alithya-oss/backstage-plugin-amazon-ecs-backend	workspaces/aws/plugins/amazon-ecs-backend	none	v0.4.7
@alithya-oss/backstage-plugin-aws-apps-backend	workspaces/aws/plugins/aws-apps-backend	none	v0.4.7
@alithya-oss/backstage-plugin-aws-codebuild-backend	workspaces/aws/plugins/aws-codebuild-backend	none	v0.5.7
@alithya-oss/backstage-plugin-aws-codepipeline-backend	workspaces/aws/plugins/aws-codepipeline-backend	none	v0.5.7
@alithya-oss/backstage-plugin-cost-insights-aws-backend	workspaces/aws/plugins/aws-cost-insights-backend	none	v0.1.10
@alithya-oss/backstage-plugin-changelog-backend	workspaces/changelog/plugins/changelog-backend	none	v1.0.3
@alithya-oss/backstage-plugin-rag-ai-backend	workspaces/rag-ai/plugins/rag-ai-backend	none	v2.0.8
@alithya-oss/backstage-plugin-time-saver-backend	workspaces/time-saver/plugins/time-saver-backend	none	v3.0.7