
Conversation

@johnnyhuy
Contributor


Snyk has created this PR to fix 3 vulnerabilities in the dockerfile dependencies of this project.

Keeping your Docker base image up-to-date means you’ll benefit from security fixes in the latest version of your chosen image.

Snyk changed the following file(s):

  • Dockerfile

We recommend upgrading to debian:13.2-slim, as this image has only 23 known vulnerabilities. To do this, merge this pull request, then verify your application still works as expected.

Vulnerabilities that will be fixed with an upgrade:

  Severity   Issue                            Snyk ID                        Score
  critical   Integer Overflow or Wraparound   SNYK-DEBIAN12-ZLIB-6008963       500
  high       Out-of-bounds Write              SNYK-DEBIAN12-GNUPG2-14723302    471
  high       Directory Traversal              SNYK-DEBIAN12-PAM-10378969       400

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.


Copilot AI review requested due to automatic review settings January 10, 2026 10:57
@johnnyhuy johnnyhuy enabled auto-merge (squash) January 10, 2026 10:58

Copilot AI left a comment


Pull request overview

This PR upgrades the Debian base image from version 12-slim to 13.2-slim to address critical and high-severity security vulnerabilities in the Dockerfile dependencies, including an integer overflow in zlib, out-of-bounds write in gnupg2, and directory traversal issues in PAM.

Changes:

  • Updated Debian base image from 12-slim to 13.2-slim in both build and runtime stages
  • Addresses 3 unique security vulnerabilities with severity scores ranging from 400 to 500


@greptile-apps

greptile-apps bot commented Jan 10, 2026

Greptile Overview

Greptile Summary

Updates Docker base image from debian:12-slim to debian:13.2-slim in both build and runtime stages to address 3 security vulnerabilities: a critical integer overflow in zlib (score 500), a high-severity out-of-bounds write in gnupg2 (score 471), and directory traversal issues in PAM (score 400). The change is minimal and focused solely on the base image version with no modifications to package dependencies or build logic.

Confidence Score: 4/5

  • Safe to merge after testing—base image upgrade addresses critical security vulnerabilities with minimal compatibility risk
  • This PR makes a straightforward base image upgrade to fix documented security vulnerabilities. The change is minimal (only two lines modified) and maintains the same Debian slim variant. While Debian 13 is relatively new, the package dependencies and build process should remain compatible. The main risk is potential package availability or version differences, which should be caught during build testing. No logical errors or breaking code changes were introduced—this is purely an infrastructure security update.
  • Dockerfile requires build and runtime testing to verify package compatibility with Debian 13

Important Files Changed

File Analysis

  Filename     Score   Overview
  Dockerfile   4/5     Updates base image from debian:12-slim to debian:13.2-slim to fix 3 security vulnerabilities; minimal change with low compatibility risk

Sequence Diagram

sequenceDiagram
    participant Build as Build Stage
    participant Debian12 as Debian 12-slim
    participant Debian13 as Debian 13.2-slim
    participant Runtime as Runtime Stage
    
    Note over Build,Debian12: Previous: 3 Security Vulnerabilities
    Build->>Debian13: Upgrade base image
    Note over Debian13: Fixes zlib, gnupg2, PAM CVEs
    Runtime->>Debian13: Upgrade base image
    Note over Runtime,Debian13: Result: 23 known vulnerabilities


@greptile-apps greptile-apps bot left a comment


2 files reviewed, 2 comments


@@ -1,4 +1,4 @@
FROM debian:12-slim AS build
FROM debian:13.2-slim AS build
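Review bot: the build stage is now pinned by tag only (`debian:13.2-slim`), so the image the build resolves to still changes whenever that tag is re-pushed; since this PR's whole claim is a specific known-vulnerability count, consider also pinning the digest (`FROM debian:13.2-slim@sha256:<digest> AS build`) and letting the next Snyk run refresh it. Note as well that 12 to 13 is a major Debian release jump rather than a point bump, so the apt packages installed later in this stage (the review comment names `build-essential` and `libssl-dev`) need a full build run to confirm the package names still resolve.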

Verify the build succeeds with Debian 13.2 and that all apt packages install correctly, especially build-essential, libssl-dev, and other development libraries which may have different versions or names in Debian 13.


RUN yarn build:backend

FROM debian:12-slim AS run
FROM debian:13.2-slim AS run
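Review bot: the run stage repeats the base tag as a second literal, so the two `FROM` lines can drift apart on the next bump; hoisting it into one `ARG DEBIAN_TAG=13.2-slim` above the first `FROM` and writing `FROM debian:${DEBIAN_TAG} AS run` (and the same in the build stage) keeps both stages on a single base. Also, per the PR description `debian:13.2-slim` still carries 23 known vulnerabilities, so this reduces rather than clears the backlog; rescan the built runtime image after merge rather than relying on the pre-merge count.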

Test that the runtime image works correctly with the upgraded Debian version, particularly ensuring mise, Node.js 22.11.0, Python 3.10.12, and corepack function as expected.

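One way to carry out the build and runtime checks the two review comments ask for, as an added example that is not part of the PR or the repository: it confirms both stages sit on a single Debian 13 base, builds the image, and probes the tools named above. The image tag, the Dockerfile path, and the assumption that node, python3, mise and corepack are on the runtime image's PATH are mine.

```shell
#!/bin/sh
# Added example, not from the PR or the repository: smoke test for the
# Dockerfile after the debian:12-slim -> debian:13.2-slim bump.
# IMAGE and DOCKERFILE are assumed defaults; expected versions come from
# the review comment (Node.js 22.11.0, Python 3.10.12).
set -eu

IMAGE="${IMAGE:-backstage-smoke:local}"   # assumed local tag for the build
DOCKERFILE="${DOCKERFILE:-Dockerfile}"

# Collect the distinct registry images named by FROM lines (stage aliases
# such as "FROM build" carry no ":" tag and are skipped). Prints the single
# base tag, or fails when build and run stages have drifted apart.
check_single_base() {
  tags=$(awk '$1 == "FROM" && $2 ~ /:/ { print $2 }' "$1" | sort -u)
  n=$(printf '%s\n' "$tags" | grep -c . || true)
  if [ "$n" -ne 1 ]; then
    echo "expected exactly one base image in $1, found $n: $tags" >&2
    return 1
  fi
  printf '%s\n' "$tags"
}

# Reject anything still on the pre-upgrade debian:12 line.
base_is_upgraded() {
  case "$1" in
    debian:13*) return 0 ;;
    *)          return 1 ;;
  esac
}

# Substring match on a tool's --version output, e.g. "v22.11.0".
version_matches() {
  case "$1" in *"$2"*) return 0 ;; *) return 1 ;; esac
}

# Runs a command inside the built runtime image (assumes tools are on PATH).
run_in_image() { docker run --rm --entrypoint sh "$IMAGE" -c "$1"; }

# Build once, then probe the tools the review comment singled out.
smoke_test_image() {
  base=$(check_single_base "$DOCKERFILE")
  base_is_upgraded "$base" || { echo "$base is not Debian 13" >&2; return 1; }
  docker build -t "$IMAGE" -f "$DOCKERFILE" .
  version_matches "$(run_in_image 'node --version')"    "v22.11.0" || return 1
  version_matches "$(run_in_image 'python3 --version')" "3.10.12"  || return 1
  run_in_image 'mise --version'     >/dev/null || return 1
  run_in_image 'corepack --version' >/dev/null || return 1
  echo "smoke test passed on $base"
}

# Only touch docker when explicitly asked: SMOKE_RUN=1 sh smoke.sh
if [ "${SMOKE_RUN:-0}" = 1 ]; then smoke_test_image; fi
```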

@johnnyhuy
Contributor Author

@copilot

This is a comment left during a code review.
Path: Dockerfile
Line: 1:1

Comment:
Verify the build succeeds with Debian 13.2 and that all apt packages install correctly, especially build-essential, libssl-dev, and other development libraries which may have different versions or names in Debian 13.

How can I resolve this? If you propose a fix, please make it concise.

This is a comment left during a code review.
Path: Dockerfile
Line: 62:62

Comment:
Test that the runtime image works correctly with the upgraded Debian version, particularly ensuring mise, Node.js 22.11.0, Python 3.10.12, and corepack function as expected.

How can I resolve this? If you propose a fix, please make it concise.

Contributor

Copilot AI commented Jan 10, 2026

@johnnyhuy I've opened a new pull request, #75, to work on those changes. Once the pull request is ready, I'll request review from you.

@johnnyhuy
Contributor Author

@copilot fix the lint:

Run mise run lint
  mise run lint
  shell: /usr/bin/bash -e {0}
  env:
    MISE_LOG_LEVEL: info
    MISE_GITHUB_TOKEN: ***
    MISE_TRUSTED_CONFIG_PATHS: /home/runner/work/backstage/backstage
    MISE_YES: 1
    PATH: /home/runner/.local/share/mise/installs/node/22.11.0/bin:/home/runner/.local/share/mise/installs/python/3.10.12/bin:/home/runner/.local/share/mise/installs/yarn/4.3.1/bin:/home/runner/.local/share/mise/installs/helm/3.14.1/linux-amd64:/home/runner/.local/share/mise/installs/k9s/0.31.9:/home/runner/.local/share/mise/installs/kubectl/1.29.2:/home/runner/.local/share/mise/installs/skaffold/2.10.1:/home/runner/.local/share/mise/installs/sops/3.8.1:/home/runner/.local/share/mise/installs/docker-compose/2.40.3:/home/runner/.local/share/mise/bin:/snap/bin:/home/runner/.local/bin:/opt/pipx_bin:/home/runner/.cargo/bin:/home/runner/.config/composer/vendor/bin:/usr/local/.ghcup/bin:/home/runner/.dotnet/tools:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
[lint] $ ./scripts/lint
Checked   1 files in packages/backend 1.09s
Checked   8 files in plugins/plausible 0.55s
Checked   3 files in plugins/permission-backend-module-default 0.18s
Checked  41 files in packages/app 2.95s
Checked   1 files in packages/backstage-theme-github 2.35s
Lint failed in packages/app

⚠  https://google.com/#q=jest%2Fno-disabled-tests

     Tests should not be skipped


     src/App.test.tsx:7:3
      5 |   // Skip this test as app.createRoot() in newer versions doesn't work with standard test utilities
      6 |   // The app structure is validated by other tests and by the build process
   >  7 |   it.skip('should render', async () => {
        |   ^
      8 |     process.env = {
      9 |       NODE_ENV: 'test',
     10 |       APP_CONFIG: [

  ⚠  http://eslint.org/docs/rules/no-restricted-syntax

     React default imports are deprecated. Follow the https://backstage.io/docs/tutorials/jsx-transform-migration migration guide for details. If you need a global type that collides with a React named export (such as `MouseEvent`), try using `globalThis.MouseHandler`


     src/components/icons/Aws.tsx:1:8
   > 1 | import * as React from 'react';
       |        ^
     2 | 
     3 | interface IconProps {
     4 |   width: number;

  ⚠  http://eslint.org/docs/rules/no-restricted-syntax

     React default imports are deprecated. Follow the https://backstage.io/docs/tutorials/jsx-transform-migration migration guide for details. If you need a global type that collides with a React named export (such as `MouseEvent`), try using `globalThis.MouseHandler`


     src/components/icons/Azure.tsx:1:8
   > 1 | import * as React from 'react';
       |        ^
     2 | 
     3 | interface IconProps {
     4 |   width: number;

  ⚠  http://eslint.org/docs/rules/no-restricted-syntax

     React default imports are deprecated. Follow the https://backstage.io/docs/tutorials/jsx-transform-migration migration guide for details. If you need a global type that collides with a React named export (such as `MouseEvent`), try using `globalThis.MouseHandler`


     src/components/icons/Bitbucket.tsx:1:8
   > 1 | import * as React from 'react';
       |        ^
     2 | 
     3 | interface IconProps {
     4 |   width: number;

  ⚠  http://eslint.org/docs/rules/no-restricted-syntax

     React default imports are deprecated. Follow the https://backstage.io/docs/tutorials/jsx-transform-migration migration guide for details. If you need a global type that collides with a React named export (such as `MouseEvent`), try using `globalThis.MouseHandler`


     src/components/icons/Confluence.tsx:1:8
   > 1 | import * as React from 'react';
       |        ^
     2 | 
     3 | interface IconProps {
     4 |   width: number;

  ⚠  http://eslint.org/docs/rules/no-restricted-syntax

     React default imports are deprecated. Follow the https://backstage.io/docs/tutorials/jsx-transform-migration migration guide for details. If you need a global type that collides with a React named export (such as `MouseEvent`), try using `globalThis.MouseHandler`


     src/components/icons/Discord.tsx:1:8
   > 1 | import * as React from 'react';
       |        ^
     2 | 
     3 | interface IconProps {
     4 |   width: number;

  ⚠  http://eslint.org/docs/rules/no-restricted-syntax

     React default imports are deprecated. Follow the https://backstage.io/docs/tutorials/jsx-transform-migration migration guide for details. If you need a global type that collides with a React named export (such as `MouseEvent`), try using `globalThis.MouseHandler`


     src/components/icons/Grafana.tsx:1:8
   > 1 | import * as React from 'react';
       |        ^
     2 | 
     3 | interface IconProps {
     4 |   width: number;

  ⚠  http://eslint.org/docs/rules/no-restricted-syntax

     React default imports are deprecated. Follow the https://backstage.io/docs/tutorials/jsx-transform-migration migration guide for details. If you need a global type that collides with a React named export (such as `MouseEvent`), try using `globalThis.MouseHandler`


     src/components/icons/Jira.tsx:1:8
   > 1 | import * as React from 'react';
       |        ^
     2 | 
     3 | interface IconProps {
     4 |   width: number;

  ⚠  http://eslint.org/docs/rules/no-restricted-syntax

     React default imports are deprecated. Follow the https://backstage.io/docs/tutorials/jsx-transform-migration migration guide for details. If you need a global type that collides with a React named export (such as `MouseEvent`), try using `globalThis.MouseHandler`


     src/components/icons/Prometheus.tsx:1:8
   > 1 | import * as React from 'react';
       |        ^
     2 | 
     3 | interface IconProps {
     4 |   width: number;

  ⚠  http://eslint.org/docs/rules/no-restricted-syntax

     React default imports are deprecated. Follow the https://backstage.io/docs/tutorials/jsx-transform-migration migration guide for details. If you need a global type that collides with a React named export (such as `MouseEvent`), try using `globalThis.MouseHandler`


     src/components/icons/Slack.tsx:1:8
   > 1 | import * as React from 'react';
       |        ^
     2 | 
     3 | interface IconProps {
     4 |   width: number;

  ✘  http://eslint.org/docs/rules/no-unused-vars

     'category' is defined but never used


     src/components/explore/CategoryFilter.tsx:9:22
      7 |   categories: ToolCategory[];
      8 |   selectedCategory: ToolCategory | 'all';
   >  9 |   onCategoryChange: (category: ToolCategory | 'all') => void;
        |                      ^
     10 |   categoryCounts?: Record<ToolCategory | 'all', number>;
     11 | }
     12 | 

  ✘  http://eslint.org/docs/rules/no-console

     Unexpected console statement


     src/components/home/HomePage.tsx:271:9
     269 |         setLoadingTemplates(false);
     270 |       } catch (err) {
   > 271 |         console.error('Failed to fetch catalog data:', err);
         |         ^
     272 |         setStats(prev => ({ ...prev, loading: false }));
     273 |         setLoadingRecent(false);
     274 |         setLoadingTemplates(false);

  ✘  http://eslint.org/docs/rules/no-nested-ternary

     Do not nest ternary expressions


     src/components/home/HomePage.tsx:581:16
     579 |                 }
     580 |               />
   > 581 |               {loadingTemplates ? (
         |                ^
     582 |                 <Grid container spacing={3}>
     583 |                   {[1, 2, 3, 4].map(i => (
     584 |                     <Grid item xs={12} sm={6} key={i}>

  ✘  http://eslint.org/docs/rules/no-nested-ternary

     Do not nest ternary expressions


     src/components/home/HomePage.tsx:687:18
     685 |               />
     686 |               <Paper sx={{ overflow: 'hidden' }}>
   > 687 |                 {loadingRecent ? (
         |                  ^
     688 |                   <Box sx={{ p: 2 }}>
     689 |                     {[1, 2, 3, 4, 5].map(i => (
     690 |                       <Skeleton key={i} height={48} sx={{ mb: 1 }} />

  ✘  http://eslint.org/docs/rules/no-nested-ternary

     Do not nest ternary expressions


     src/components/home/HomePage.tsx:787:29
     785 |                         '& .MuiLinearProgress-bar': {
     786 |                           bgcolor:
   > 787 |                             healthPercentage >= 80
         |                             ^
     788 |                               ? theme.palette.success.main
     789 |                               : healthPercentage >= 50
     790 |                               ? theme.palette.warning.main

  ✘  http://eslint.org/docs/rules/no-unused-vars

     'isNegative' is assigned a value but never used. Allowed unused vars must match /^_/u


     src/components/pulse-check/DeploymentMetrics.tsx:45:9
     43 |   const theme = useTheme();
     44 |   const isPositive = trend === 'up';
   > 45 |   const isNegative = trend === 'down';
        |         ^
     46 | 
     47 |   return (
     48 |     <Box>

  ✘  http://eslint.org/docs/rules/no-nested-ternary

     Do not nest ternary expressions


     src/components/pulse-check/PulseCheckPage.tsx:48:7
     46 |     lastChecked: new Date(Date.now() - Math.random() * 3600000),
     47 |     message:
   > 48 |       randomStatus === 'degraded'
        |       ^
     49 |         ? 'Elevated error rates detected'
     50 |         : randomStatus === 'down'
     51 |         ? 'Service unreachable'

  ✘  http://eslint.org/docs/rules/no-unused-vars

     'theme' is assigned a value but never used. Allowed unused vars must match /^_/u


     src/components/scorecard/ScorecardPage.tsx:79:9
     77 | 
     78 | export const ScorecardPage = () => {
   > 79 |   const theme = useTheme();
        |         ^
     80 |   const catalogApi = useApi(catalogApiRef);
     81 |   const [entities, setEntities] = useState<Entity[]>([]);
     82 |   const [loading, setLoading] = useState(true);

✘ 18 problems (8 errors, 10 warnings)


Errors:
  4  http://eslint.org/docs/rules/no-nested-ternary
  3  http://eslint.org/docs/rules/no-unused-vars
  1  http://eslint.org/docs/rules/no-console

Warnings:
  9  http://eslint.org/docs/rules/no-restricted-syntax
  1  https://google.com/#q=jest%2Fno-disabled-tests

[lint] ERROR task failed
Error: Process completed with exit code 1.

Contributor

Copilot AI commented Jan 10, 2026

@johnnyhuy I've opened a new pull request, #76, to work on those changes. Once the pull request is ready, I'll request review from you.
