chore(deps): update dependency @backstage/plugin-catalog-backend to v1.26.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@backstage/plugin-catalog-backend (source)	1.16.1 → 1.26.0

---

@​backstage/plugin-catalog-backend Prototype Pollution vulnerability

CVE-2024-45815 / GHSA-3x3f-jcp3-g22j

More information

Details

Impact

A malicious actor with authenticated access to a Backstage instance with the catalog backend plugin installed is able to interrupt the service using a specially crafted query to the catalog API.

Patches

This has been fixed in the 1.26.0 release of the @backstage/plugin-catalog-backend package.

References

If you have any questions or comments about this advisory:

Open an issue in the Backstage repository
Visit our Discord, linked to in Backstage README

Severity

• CVSS Score: 7.1 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

• https://github.com/backstage/backstage/security/advisories/GHSA-3x3f-jcp3-g22j
• https://nvd.nist.gov/vuln/detail/CVE-2024-45815
• https://github.com/advisories/GHSA-3x3f-jcp3-g22j

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

backstage/backstage (@​backstage/plugin-catalog-backend)

v1.26.0

Compare Source

Minor Changes

• 74acf06: Add dependencyOf prop to catalog model for Component kind to enable building relationship graphs with both directions using dependsOn and dependencyOf.
• 78475c3: Allow offset mode paging in entity list provider
• bd35cdb: The analyze-location endpoint is now protected by the catalog.location.analyze permission.
  The validate-entity endpoint is now protected by the catalog.entity.validate permission.

Patch Changes

• 1882cfe: Moved getEntities ordering to utilize database instead of having it inside catalog client

  Please note that the latest version of @backstage/catalog-client will not order the entities in the same way as before. This is because the ordering is now done in the database query instead of in the client. If you rely on the ordering of the entities, you may need to update your backend plugin or code to handle this change.

• d425fc4: Modules, plugins, and services are now BackendFeature, not a function that returns a feature.

• c2b63ab: Updated dependency supertest to ^7.0.0.

• 53cce86: Fixed an issue with the by-query call, where ordering by a field that does not exist on all entities led to not all results being returned

• Updated dependencies

  • @​backstage/backend-common@​0.25.0
  • @​backstage/backend-plugin-api@​1.0.0
  • @​backstage/catalog-model@​1.7.0
  • @​backstage/catalog-client@​1.7.0
  • @​backstage/plugin-search-backend-module-catalog@​0.2.2
  • @​backstage/plugin-permission-node@​0.8.3
  • @​backstage/plugin-catalog-common@​1.1.0
  • @​backstage/plugin-catalog-node@​1.13.0
  • @​backstage/integration@​1.15.0
  • @​backstage/backend-openapi-utils@​0.1.18
  • @​backstage/plugin-events-node@​0.4.0
  • @​backstage/config@​1.2.0
  • @​backstage/errors@​1.2.4
  • @​backstage/types@​1.1.1
  • @​backstage/plugin-permission-common@​0.8.1

v1.25.2

Compare Source

This release fixes an issue where requests for the public http routes for the events-backend were authenticated causing 401 errors.

v1.25.1

Compare Source

This release fixes an bug where the kubernetes plugin would crash reading credentials from undefined.

v1.25.0

Compare Source

Minor Changes

• 163ba08: Deprecated RouterOptions, CatalogBuilder, and CatalogEnvironment. Please make sure to upgrade to the new backend system.
• fc24d9e: Stop using @backstage/backend-tasks as it will be deleted in near future.

Patch Changes

• 776eb56: ProcessorOutputCollector returns an error when receiving deferred entities that have an invalid metadata.annotations format.

  This allows to return an error on an actual validation issue instead of reporting that the location annotations are missing afterwards, which is misleading for the users.

• 389f5a4: Update deprecated url-reader-related imports.

• 93095ee: Make sure node-fetch is version 2.7.0 or greater

• a629fb2: Added setAllowedLocationTypes while introducing a new extension point called CatalogLocationsExtensionPoint

• 51240ee: Preserve default allowedLocationTypes when setAllowedLocationTypes() of CatalogLocationsExtensionPoint is not called.

• Updated dependencies

  • @​backstage/backend-plugin-api@​0.8.0
  • @​backstage/backend-common@​0.24.0
  • @​backstage/plugin-permission-common@​0.8.1
  • @​backstage/plugin-permission-node@​0.8.1
  • @​backstage/plugin-search-backend-module-catalog@​0.2.0
  • @​backstage/plugin-catalog-node@​1.12.5
  • @​backstage/integration@​1.14.0
  • @​backstage/catalog-model@​1.6.0
  • @​backstage/backend-openapi-utils@​0.1.16
  • @​backstage/catalog-client@​1.6.6
  • @​backstage/config@​1.2.0
  • @​backstage/errors@​1.2.4
  • @​backstage/types@​1.1.1
  • @​backstage/plugin-catalog-common@​1.0.26
  • @​backstage/plugin-events-node@​0.3.9

v1.24.0

Compare Source

Minor Changes

• b9ed1bb: bumped better-sqlite3 from ^9.0.0 to ^11.0.0

Patch Changes

• Updated dependencies
  • @​backstage/backend-plugin-api@​0.7.0
  • @​backstage/backend-common@​0.23.3
  • @​backstage/backend-tasks@​0.5.27
  • @​backstage/plugin-permission-common@​0.8.0
  • @​backstage/plugin-permission-node@​0.8.0
  • @​backstage/integration@​1.13.0
  • @​backstage/plugin-events-node@​0.3.8
  • @​backstage/backend-openapi-utils@​0.1.15
  • @​backstage/plugin-catalog-node@​1.12.4
  • @​backstage/plugin-search-backend-module-catalog@​0.1.28
  • @​backstage/plugin-catalog-common@​1.0.25
  • @​backstage/catalog-client@​1.6.5
  • @​backstage/catalog-model@​1.5.0
  • @​backstage/config@​1.2.0
  • @​backstage/errors@​1.2.4
  • @​backstage/types@​1.1.1

v1.23.2

Compare Source

Patch Changes

• Updated dependencies
  • @​backstage/backend-plugin-api@​0.6.21-next.0
  • @​backstage/backend-common@​0.23.2-next.0
  • @​backstage/backend-tasks@​0.5.26-next.0
  • @​backstage/integration@​1.13.0-next.0
  • @​backstage/backend-openapi-utils@​0.1.14-next.0
  • @​backstage/plugin-catalog-node@​1.12.3-next.0
  • @​backstage/plugin-events-node@​0.3.7-next.0
  • @​backstage/plugin-permission-node@​0.7.32-next.0
  • @​backstage/plugin-search-backend-module-catalog@​0.1.27-next.0
  • @​backstage/catalog-client@​1.6.5
  • @​backstage/catalog-model@​1.5.0
  • @​backstage/config@​1.2.0
  • @​backstage/errors@​1.2.4
  • @​backstage/types@​1.1.1
  • @​backstage/plugin-catalog-common@​1.0.24
  • @​backstage/plugin-permission-common@​0.7.14

v1.23.1

Compare Source

This release fixes an issue with the @backstage/plugin-auth-backend package, in particular the providerInfo not being set properly for some proxy providers.

v1.23.0

Compare Source

Minor Changes

• c7528b0: Pass through EventsService too in the new backend system

Patch Changes

• 8869b8e: Updated local development setup.
• 78a0b08: Internal refactor to handle BackendFeature contract change.
• d44a20a: Added additional plugin metadata to package.json.
• d779e3b: Added a regex test to check commit hash. If url is from git commit branch ignore the edit url.
• 6c5cab1: Fix bug in getLocationByEntity
• 0f55f5c: Ensure name and title are both indexed by the DefaultCatalogCollator
• 1779188: Start using the isDatabaseConflictError helper from the @backstage/backend-plugin-api package in order to avoid dependency with the soon to deprecate @backstage/backend-common package.
• Updated dependencies
  • @​backstage/backend-common@​0.23.0
  • @​backstage/backend-plugin-api@​0.6.19
  • @​backstage/backend-tasks@​0.5.24
  • @​backstage/integration@​1.12.0
  • @​backstage/plugin-search-backend-module-catalog@​0.1.25
  • @​backstage/plugin-catalog-node@​1.12.1
  • @​backstage/plugin-events-node@​0.3.5
  • @​backstage/plugin-permission-node@​0.7.30
  • @​backstage/plugin-permission-common@​0.7.14
  • @​backstage/plugin-catalog-common@​1.0.24
  • @​backstage/backend-openapi-utils@​0.1.12
  • @​backstage/catalog-client@​1.6.5
  • @​backstage/catalog-model@​1.5.0
  • @​backstage/config@​1.2.0
  • @​backstage/errors@​1.2.4
  • @​backstage/types@​1.1.1

v1.22.0

Compare Source

Minor Changes

• f2a2a83: Deprecated the LocationAnalyzer type, which has been moved to @backstage/plugin-catalog-node.
• f2a2a83: The /alpha plugin export has had its implementation of the catalogAnalysisExtensionPoint updated to reflect the new API.
• 8d14475: Emit well known relationships for the Domain entity kind.

Patch Changes

• 131e5cb: Fix broken links in README.
• c6cb568: Add lifecycle monitoring for the catalog processing
• d229dc4: Move path utilities from backend-common to the backend-plugin-api package.
• 8479a0b: Fixed bug in stitching queue gauge that included entities that are scheduled in the future.
• Updated dependencies
  • @​backstage/plugin-catalog-node@​1.12.0
  • @​backstage/plugin-search-backend-module-catalog@​0.1.24
  • @​backstage/catalog-model@​1.5.0
  • @​backstage/backend-common@​0.22.0
  • @​backstage/backend-plugin-api@​0.6.18
  • @​backstage/backend-tasks@​0.5.23
  • @​backstage/plugin-events-node@​0.3.4
  • @​backstage/integration@​1.11.0
  • @​backstage/backend-openapi-utils@​0.1.11
  • @​backstage/catalog-client@​1.6.5
  • @​backstage/plugin-catalog-common@​1.0.23
  • @​backstage/plugin-permission-node@​0.7.29

v1.21.1

Compare Source

Patch Changes

• cfdc5e7: Fixes an issue where /analyze-location would incorrectly throw a 500 error on an invalid url.

• d5a1fe1: Replaced winston logger with LoggerService

• c52f7ac: Make entity collection errors a little quieter in the logs.

  Instead of logging a warning line when an entity has an error
  during processing, it will now instead emit an event on the event
  broker.

  This only removes a single log line, however it is possible to
  add the log line back if it is required by subscribing to the
  CATALOG_ERRORS_TOPIC as shown below.

  env.eventBroker.subscribe({
    supportsEventTopics(): string[] {
      return [CATALOG_ERRORS_TOPIC];
    },
  
    async onEvent(
      params: EventParams<{
        entity: string;
        location?: string;
        errors: Array<Error>;
      }>,
    ): Promise<void> {
      const { entity, location, errors } = params.eventPayload;
      for (const error of errors) {
        env.logger.warn(error.message, {
          entity,
          location,
        });
      }
    },
  });

• Updated dependencies

  • @​backstage/backend-common@​0.21.7
  • @​backstage/plugin-permission-node@​0.7.28
  • @​backstage/backend-plugin-api@​0.6.17
  • @​backstage/backend-tasks@​0.5.22
  • @​backstage/catalog-client@​1.6.4
  • @​backstage/integration@​1.10.0
  • @​backstage/plugin-events-node@​0.3.3
  • @​backstage/plugin-search-backend-module-catalog@​0.1.22
  • @​backstage/plugin-catalog-node@​1.11.1
  • @​backstage/backend-openapi-utils@​0.1.10
  • @​backstage/catalog-model@​1.4.5
  • @​backstage/config@​1.2.0
  • @​backstage/errors@​1.2.4
  • @​backstage/types@​1.1.1
  • @​backstage/plugin-catalog-common@​1.0.22
  • @​backstage/plugin-permission-common@​0.7.13

v1.21.0

Compare Source

Minor Changes

• f3e2e86: Added the ability to inject custom permissions from modules, on CatalogBuilder and CatalogPermissionExtensionPoint

Patch Changes

• Updated dependencies
  • @​backstage/plugin-catalog-node@​1.11.0
  • @​backstage/catalog-client@​1.6.3
  • @​backstage/backend-common@​0.21.6
  • @​backstage/plugin-search-backend-module-catalog@​0.1.21
  • @​backstage/backend-plugin-api@​0.6.16
  • @​backstage/plugin-permission-node@​0.7.27
  • @​backstage/backend-tasks@​0.5.21
  • @​backstage/plugin-events-node@​0.3.2
  • @​backstage/backend-openapi-utils@​0.1.9
  • @​backstage/catalog-model@​1.4.5
  • @​backstage/config@​1.2.0
  • @​backstage/errors@​1.2.4
  • @​backstage/integration@​1.9.1
  • @​backstage/types@​1.1.1
  • @​backstage/plugin-catalog-common@​1.0.22
  • @​backstage/plugin-permission-common@​0.7.13

v1.20.0

Compare Source

Minor Changes

• f3e2e86: Added the ability to inject custom permissions from modules, on CatalogBuilder and CatalogPermissionExtensionPoint

Patch Changes

• Updated dependencies
  • @​backstage/plugin-catalog-node@​1.10.0
  • @​backstage/catalog-client@​1.6.2
  • @​backstage/backend-common@​0.21.5
  • @​backstage/plugin-search-backend-module-catalog@​0.1.20
  • @​backstage/backend-tasks@​0.5.20
  • @​backstage/plugin-events-node@​0.3.1
  • @​backstage/plugin-permission-node@​0.7.26
  • @​backstage/backend-openapi-utils@​0.1.8
  • @​backstage/backend-plugin-api@​0.6.15
  • @​backstage/catalog-model@​1.4.5
  • @​backstage/config@​1.2.0
  • @​backstage/errors@​1.2.4
  • @​backstage/integration@​1.9.1
  • @​backstage/types@​1.1.1
  • @​backstage/plugin-catalog-common@​1.0.22
  • @​backstage/plugin-permission-common@​0.7.13

v1.19.0

Compare Source

Minor Changes

• 9c7fb30: Added the ability to inject custom permissions from modules, on CatalogBuilder and CatalogPermissionExtensionPoint

Patch Changes

• Updated dependencies
  • @​backstage/plugin-catalog-node@​1.9.0
  • @​backstage/plugin-search-backend-module-catalog@​0.1.19

v1.18.0

Compare Source

Minor Changes

• df12231: Allow setting EntityDataParser using CatalogModelExtensionPoint
• 15ba00f: Migrated to support new auth services. The CatalogBuilder.create method now accepts a discovery option, which is recommended to forward from the plugin environment, as it will otherwise fall back to use the HostDiscovery implementation.

Patch Changes

• 2bd1410: Removed unused dependencies
• 999224f: Bump dependency minimatch to v9
• 6f830bb: Allow passing optional filter to getEntitiesByRefs
• 0fb419b: Updated dependency uuid to ^9.0.0.
  Updated dependency @types/uuid to ^9.0.0.
• b65788b: Move @​backstage/repo-tools to dev dependencies
• 280edeb: Add index for original value in search table for faster entity facet response
• dad018f: Do not fail on stitching when the entity contains null values associated to deeply nested or long keys.
• Updated dependencies
  • @​backstage/plugin-events-node@​0.3.0
  • @​backstage/backend-common@​0.21.4
  • @​backstage/integration@​1.9.1
  • @​backstage/config@​1.2.0
  • @​backstage/errors@​1.2.4
  • @​backstage/backend-plugin-api@​0.6.14
  • @​backstage/plugin-permission-common@​0.7.13
  • @​backstage/plugin-search-backend-module-catalog@​0.1.18
  • @​backstage/plugin-catalog-node@​1.8.0
  • @​backstage/catalog-client@​1.6.1
  • @​backstage/backend-openapi-utils@​0.1.7
  • @​backstage/backend-tasks@​0.5.19
  • @​backstage/plugin-permission-node@​0.7.25
  • @​backstage/catalog-model@​1.4.5
  • @​backstage/types@​1.1.1
  • @​backstage/plugin-catalog-common@​1.0.22

v1.17.3

Compare Source

This release provides further fixes for the Gitiles integration, and relaxes the validation of the encoding of all query parameters of the catalog backend as well as allowing limit=0 queries.

v1.17.2

Compare Source

This release fixes an issue where certain Gerrit integration setups were broken, and where it was not possible to query multiple facets from the catalog at the same time.

v1.17.1

Compare Source

This release fixes an issue where the EntitySwitch component from @backstage/plugin-catalog was preventing the display of entity errors. It also fixes the alpha catalogModuleTemplateKind export from @backstage/plugin-scaffolder-backend, which had incorrect plugin and module IDs.

v1.17.0

Compare Source

Minor Changes

• 43dad25: Add API to get location by entity

• 126c2f9: Updates the OpenAPI spec to use plugin as info.title instead of package name.

• 04907c3: Updates the OpenAPI specification title to plugin ID instead of package name.

• d8a54d0: Adds support for supplying field validators to the new backend's catalog plugin. If you're using entity policies, you should use the new transformLegacyPolicyToProcessor function to install them as processors instead.

  import {
    catalogProcessingExtensionPoint,
    catalogModelExtensionPoint,
  } from '@​backstage/plugin-catalog-node/alpha';
  import {myPolicy} from './my-policy';
  
  export const catalogModulePolicyProvider = createBackendModule({
    pluginId: 'catalog',
    moduleId: 'internal-policy-provider',
    register(reg) {
      reg.registerInit({
        deps: {
          modelExtensions: catalogModelExtensionPoint,
          processingExtensions: catalogProcessingExtensionPoint,
        },
        async init({ modelExtensions, processingExtensions }) {
          modelExtensions.setFieldValidators({
            ...
          });
          processingExtensions.addProcessors(transformLegacyPolicyToProcessor(myPolicy))
        },
      });
    },
  });

Patch Changes

• 9aac2b0: Use --cwd as the first yarn argument

• 89b674c: Minor performance improvement for queryEntities when the limit is 0.

• 81e19b1: Replace uses of deprecated types with replacements internally.

• efa8160: Rollback the change for wildcard discovery, this fixes a bug with the AzureUrlReader not working with wildcard paths

• d208a93: Fixed a bug where fullTextFilter wasn't preserved correctly in the cursor.

• 6bb6f3e: Updated dependency fs-extra to ^11.2.0.
  Updated dependency @types/fs-extra to ^11.0.0.

• 1cae748: Updated dependency git-url-parse to ^14.0.0.

• 0a395b3: Upgraded prom-client to version 15

• 9b2eb3f: Add support for onProcessingError handler at the catalog plugin (new backend system).

  You can use setOnProcessingErrorHandler at the catalogProcessingExtensionPoint
  as replacement for

  catalogBuilder.subscribe({
    onProcessingError: hander,
  });

• Updated dependencies

  • @​backstage/repo-tools@​0.6.0
  • @​backstage/backend-common@​0.21.0
  • @​backstage/plugin-auth-node@​0.4.4
  • @​backstage/plugin-search-backend-module-catalog@​0.1.14
  • @​backstage/backend-plugin-api@​0.6.10
  • @​backstage/backend-tasks@​0.5.15
  • @​backstage/catalog-model@​1.4.4
  • @​backstage/backend-openapi-utils@​0.1.3
  • @​backstage/integration@​1.9.0
  • @​backstage/catalog-client@​1.6.0
  • @​backstage/plugin-catalog-node@​1.7.0
  • @​backstage/plugin-permission-node@​0.7.21
  • @​backstage/config@​1.1.1
  • @​backstage/errors@​1.2.3
  • @​backstage/types@​1.1.1
  • @​backstage/plugin-catalog-common@​1.0.21
  • @​backstage/plugin-events-node@​0.2.19
  • @​backstage/plugin-permission-common@​0.7.12

v1.16.2

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.