This repository was archived by the owner on Jan 27, 2026. It is now read-only.

@renovate renovate bot commented Aug 19, 2025

This PR contains the following updates:

Package: @backstage/plugin-scaffolder-backend (source)
Change: ^1.29.0 -> ^2.0.0

GitHub Vulnerability Alerts

CVE-2025-55285

Impact

Duplicate logging of the input values in the fetch:template action in the Scaffolder meant that some of the secrets were not properly redacted. If you're not passing through $ to fetch:template there is no impact.

Patches

This issue has been resolved in 2.1.1 of the scaffolder-backend plugin.

Workarounds

Template Authors can remove the use of $ being used as an argument to fetch:template.

References

If you have any questions or comments about this advisory:

Open an issue in the Backstage repository
Visit our Discord, linked to in Backstage README


Template Secret leakage in logs in Scaffolder when using fetch:template

CVE-2025-55285 / GHSA-3x3q-ghcp-whf7

Severity

  • CVSS Score: 2.6 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

backstage/backstage (@backstage/plugin-scaffolder-backend)

v2.1.1

v2.1.0

Minor Changes
  • c1ce316: BREAKING /alpha: Converted scaffolder.task.read and scaffolder.task.cancel into Resource Permissions.

    BREAKING /alpha: Added a new scaffolder rule isTaskOwner for scaffolder.task.read and scaffolder.task.cancel to allow for conditional permission policies such as restricting access to tasks and task events based on task creators.

    BREAKING /alpha: Retrying a task now requires both scaffolder.task.read and scaffolder.task.create permissions, replacing the previous requirement of scaffolder.task.read and scaffolder.task.cancel.

Patch Changes

v2.0.0

Major Changes
  • 33394db: BREAKING CHANGES

    Removal of deprecated re-exports from module packages.

    The following functions have been re-exported from the scaffolder-backend plugin for quite some time, and now it's time to clean them up. They've been moved as follows:

    • createPublishAzureAction should be imported from @backstage/plugin-scaffolder-backend-module-azure instead.

    • createPublishBitbucketCloudAction should be imported from @backstage/plugin-scaffolder-backend-module-bitbucket-cloud instead.

    • createPublishBitbucketServerAction and createPublishBitbucketServerPullRequestAction can be imported from @backstage/plugin-scaffolder-backend-module-bitbucket-server instead.

    • createPublishBitbucketAction should be imported from @backstage/plugin-scaffolder-backend-module-bitbucket instead.

    • createPublishGerritAction and createPublishGerritReviewAction can be imported from @backstage/plugin-scaffolder-backend-module-gerrit instead.

    • createGithubActionsDispatchAction, createGithubDeployKeyAction, createGithubEnvironmentAction, createGithubIssuesLabelAction, CreateGithubPullRequestActionOptions, createGithubRepoCreateAction, createGithubRepoPushAction, createGithubWebhookAction, and createPublishGithubAction can be imported from @backstage/plugin-scaffolder-backend-module-github instead.

    • createPublishGitlabAction should be imported from @backstage/plugin-scaffolder-backend-module-gitlab instead.

    • ActionContext, createTemplateAction, executeShellCommand, ExecuteShellCommandOptions, fetchContents, TaskSecrets, and TemplateAction should be imported from @backstage/plugin-scaffolder-node instead.

    • ScaffolderEntitiesProcessor should be imported from @backstage/plugin-catalog-backend-module-scaffolder-entity-model instead.

  • a8fcf04: BREAKING ALPHA: The /alpha export no longer exports the plugin. Please use import('@backstage/plugin-scaffolder-backend') instead as this has been removed.

    BREAKING CHANGES: The old createRouter function which was used in the old backend system has been removed along with the RouterOptions type.

  • 73b94d7: BREAKING CHANGES

    The following functions have been re-exported from the scaffolder-backend plugin for quite some time, and now it's time to clean them up. They've been moved as follows:

    • SerializedTask, SerializedTaskEvent, TaskBroker, TaskBrokerDispatchOptions, TaskBrokerDispatchResult, TaskCompletionState, TaskContext, TaskEventType, TaskStatus, TemplateFilter, and TemplateGlobal should be imported from @backstage/plugin-scaffolder-node instead.

    • The deprecated copyWithoutRender option has been removed from fetch:template action. You should rename the option to copyWithoutTemplating instead.

  • 5863b04: BREAKING CHANGES

    • The createBuiltinActions method has been removed, as this should no longer be needed with the new backend system route, and was only useful when passing the default list of actions again in the old backend system. You should be able to rely on the default behaviour of the new backend system which is to merge the actions.

    • The createCatalogRegisterAction and createFetchCatalogEntityAction actions no longer require an AuthService, and now accept a CatalogService instead of CatalogClient.

    Unless you're providing your own override action to the default, this should be a non-breaking change.

    You can migrate using the following if you're getting typescript errors:

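    import { createBackendModule } from '@backstage/backend-plugin-api';
    import { catalogServiceRef } from '@backstage/plugin-catalog-node';
    import {
      createCatalogRegisterAction,
      createFetchCatalogEntityAction,
    } from '@backstage/plugin-scaffolder-backend';
    import { scaffolderActionsExtensionPoint } from '@backstage/plugin-scaffolder-node/alpha';

    // Backend module that re-registers the two catalog actions with the
    // CatalogService instead of the old CatalogClient + AuthService pair.
    export const myModule = createBackendModule({
      pluginId: 'scaffolder',
      moduleId: 'test',
      register({ registerInit }) {
        registerInit({
          deps: {
            scaffolder: scaffolderActionsExtensionPoint,
            catalog: catalogServiceRef,
          },
          async init({ scaffolder, catalog }) {
            scaffolder.addActions(
              createCatalogRegisterAction({
                catalog,
              }),
              createFetchCatalogEntityAction({
                catalog,
                // `integrations` is not defined in this snippet; it is assumed
                // to be an SCM integrations instance created elsewhere.
                integrations,
              }),
            );
          },
        });
      },
    });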
Minor Changes
  • 73b94d7: DEPRECATIONS

    The following types and implementations have been deprecated, either because they're no longer relevant, or because upcoming changes to the scaffolder-backend after 2.0.0 will influence the changes to these API surfaces.

    • CreateWorkerOptions
    • DatabaseTaskStore
    • DatabaseTaskStoreOptions
    • TaskManager
    • TaskStoreCreateTaskOptions
    • TaskStoreCreateTaskResult
    • TaskStoreEmitOptions
    • TaskStoreListEventsOptions
    • TaskStoreRecoverTaskOptions
    • TaskStoreShutDownTaskOptions

    There is no current path off deprecation; these types are going to be removed and rethought with a better way to define workers in the new backend system.

Patch Changes

v1.33.0

Minor Changes
  • 587cb05: Added workspace:template and workspace:template:file actions to complement respective fetch:* actions
Patch Changes

v1.32.1

This release fixes an issue where the scaffolder did not forward the token from the user to the task properly, and also fixes another issue where the scaffolder tasks page would not list correctly on PostgreSQL.

v1.32.0

Minor Changes
  • 75e4db4: add template-extensions scaffolder service endpoint
Patch Changes

v1.31.0

Minor Changes
  • 36677bb: Support new createTemplateAction type, and convert catalog:fetch action to new way of defining actions.
  • 2b1e50d: use CreatedTemplate[Filter|Global*] as canonical template extensions in scaffolder plugin
Patch Changes

v1.30.0

Minor Changes
  • dc8dd4b: Added new createTemplateFilter, createTemplateGlobalFunction, createTemplateGlobalValue for template extensions.

  • a4aa244: This change integrates the auditor service into the Scaffolder plugin.

  • 3d6ef79: Support file globbing in fs:delete

  • 91f3313: Added experimental flag for scaffolder to wait for running tasks to complete on shutdown

    Enabling the EXPERIMENTAL_gracefulShutdown flag in the scaffolder config will make the
    scaffolder block the shutdown process until all running tasks have completed. This is useful
    when there is a need to ensure that all tasks have completed before the scaffolder is shut down.

    Please note that the TaskWorker stop method is now asynchronous and awaited for the
    tasks to complete when the experimental flag is enabled.

Patch Changes

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
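
Added example (not part of this PR or of Backstage): a scan of scaffolder template YAML for fetch:template steps that reference secrets, which is the usage the advisory's workaround asks template authors to remove. It assumes secrets are referenced with the `${{ secrets.<name> }}` syntax; `findSecretArgs`, `SECRET_REF` and the sample template are hypothetical names and constructed data.

```javascript
// Added example, not Backstage code. Assumption: secrets are referenced as
// ${{ secrets.<name> }} in template YAML (the page itself only shows "$").
const SECRET_REF = /\$\{\{[^}]*\bsecrets\b/;
// Line-based scan of block-style YAML; returns fetch:template steps that use secrets.
function findSecretArgs(yamlText) {
  const findings = [];
  let inSteps = false, stepIndent = null, step = null;
  const flush = () => {
    if (step && step.action === 'fetch:template' && step.hits.length) {
      findings.push({ id: step.id, lines: step.hits });
    }
    step = null;
  };
  yamlText.split(/\r?\n/).forEach((raw, idx) => {
    if (/^\s*(#.*)?$/.test(raw)) return; // blank line or comment
    const indent = raw.search(/\S/);
    const item = raw.match(/^\s*-\s+/);
    if (/^\s*steps:\s*$/.test(raw)) { flush(); inSteps = true; stepIndent = null; return; }
    if (!inSteps) return;
    const left = stepIndent === null ? !item : indent < stepIndent || (!item && indent === stepIndent);
    if (left) { flush(); inSteps = false; return; } // past the end of the steps list
    const startsStep = item && (stepIndent === null || indent === stepIndent);
    if (startsStep) {
      flush(); stepIndent = indent;
      step = { id: null, action: null, keyCol: item[0].length, hits: [] };
    }
    const col = startsStep ? item[0].length : indent;
    const kv = raw.slice(col).match(/^(id|action):\s*['"]?([^'"#\s]+)/);
    if (kv && col === step.keyCol) step[kv[1]] = kv[2]; // step-level keys only
    if (SECRET_REF.test(raw)) step.hits.push(idx + 1); // 1-based line number
  });
  flush();
  return findings;
}

// Constructed sample template, not taken from the page.
const SAMPLE = [
  'steps:',
  '  - id: fetch',
  '    action: fetch:template',
  '    input:',
  '      values:',
  '        token: ${{ secrets.DEPLOY_TOKEN }}',
  '  - id: publish',
  '    action: publish:github',
  '    input:',
  '      token: ${{ secrets.USER_OAUTH_TOKEN }}',
  'output: {}',
].join('\n');
```

Only the `fetch` step is reported for the sample; the secret passed to `publish:github` is outside the scope of this advisory and is ignored.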

changeset-bot bot commented Aug 19, 2025

⚠️ No Changeset found

Latest commit: da6bf79

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

…v2 [security]

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot force-pushed the renovate/npm-backstage-plugin-scaffolder-backend-vulnerability branch from 453a329 to da6bf79 Compare August 20, 2025 12:45