chore(deps): update dependency @backstage/plugin-app-backend to v0.3.75 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@backstage/plugin-app-backend (source)	0.3.57 → 0.3.75

---

Unexpected visibility of environment variable configurations in @​backstage/plugin-app-backend

CVE-2024-47762 / GHSA-qc4v-xq2m-65wc

More information

Details

Impact

Configuration supplied through APP_CONFIG_* environment variables, for example APP_CONFIG_backend_listen_port=7007, where unexpectedly ignoring the visibility defined in configuration schema. This occurred even if the configuration schema specified that they should have backend or secret visibility. This was an intended feature of the APP_CONFIG_* way of supplying configuration, but now clearly goes against the expected behavior of the configuration system. This behavior leads to a risk of potentially exposing sensitive configuration details intended to remain private or restricted to backend processes.

Patches

The issue has been resolved in version 0.3.75 of the @backstage/plugin-app-backend package. Users are encouraged to upgrade to this version to mitigate the vulnerability.

Workarounds

As a temporary measure, avoid supplying secrets using the APP_CONFIG_ configuration pattern. Consider alternative methods for setting secrets, such as the environment substitution available for Backstage configuration.

References

If you have any questions or comments about this advisory:

Open an issue in the Backstage repository
Visit our Discord, linked to in Backstage README

Severity

• CVSS Score: 6.9 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N

References

• https://github.com/backstage/backstage/security/advisories/GHSA-qc4v-xq2m-65wc
• https://github.com/backstage/backstage/commit/323e6129073c5cb4cc106a1239eaec31a129554f
• https://nvd.nist.gov/vuln/detail/CVE-2024-47762
• https://github.com/advisories/GHSA-qc4v-xq2m-65wc

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

backstage/backstage (@​backstage/plugin-app-backend)

v0.3.75

Compare Source

Patch Changes

• 094eaa3: Remove references to in-repo backend-common
• Updated dependencies
  • @​backstage/plugin-auth-node@​0.5.3-next.0
  • @​backstage/backend-plugin-api@​1.0.1-next.0
  • @​backstage/config@​1.2.0
  • @​backstage/config-loader@​1.9.1
  • @​backstage/errors@​1.2.4
  • @​backstage/types@​1.1.1
  • @​backstage/plugin-app-node@​0.1.26-next.0

v0.3.74

Compare Source

Patch Changes

• 72a8c7b: Return HTTP status 400 rather than 500 when receiving an unknown POST request.

• d3f79d1: Fixing dependency metadata with the new @backstage/plugin-app package

• 590fb2d: BREAKING: The app backend now supports the new index.html.tmpl output from @backstage/cli. If available, the index.html will be templated at runtime with the current configuration of the app backend.

  This is marked as a breaking change because you must now supply the app build-time configuration to the backend. This change also affects the public path behavior, where it is no longer necessary to build the app with the correct public path upfront. You now only need to supply a correct app.baseUrl to the app backend plugin at runtime.

  An effect that this change has is that the index.html will now contain and present the frontend configuration in an easily readable way, which can aid in debugging. This data was always available in the frontend, but it was injected and hidden in the static bundle.

  This templating behavior is enabled by default, but it can be disabled by setting the app.disableConfigInjection configuration option to true.

• d425fc4: Modules, plugins, and services are now BackendFeature, not a function that returns a feature.

• c2b63ab: Updated dependency supertest to ^7.0.0.

• Updated dependencies

  • @​backstage/backend-common@​0.25.0
  • @​backstage/backend-plugin-api@​1.0.0
  • @​backstage/plugin-auth-node@​0.5.2
  • @​backstage/plugin-app-node@​0.1.25
  • @​backstage/config-loader@​1.9.1
  • @​backstage/config@​1.2.0
  • @​backstage/errors@​1.2.4
  • @​backstage/types@​1.1.1

v0.3.73

Compare Source

v0.3.72

Compare Source

Patch Changes

• 93095ee: Make sure node-fetch is version 2.7.0 or greater
• 6bd6fda: Deprecate createRouter and its options in favour of the new backend system.
• Updated dependencies
  • @​backstage/backend-plugin-api@​0.8.0
  • @​backstage/backend-common@​0.24.0
  • @​backstage/config-loader@​1.9.0
  • @​backstage/plugin-auth-node@​0.5.0
  • @​backstage/config@​1.2.0
  • @​backstage/errors@​1.2.4
  • @​backstage/types@​1.1.1
  • @​backstage/plugin-app-node@​0.1.23

v0.3.71

Compare Source

Patch Changes

• Updated dependencies
  • @​backstage/backend-plugin-api@​0.7.0
  • @​backstage/backend-common@​0.23.3
  • @​backstage/plugin-auth-node@​0.4.17
  • @​backstage/plugin-app-node@​0.1.22
  • @​backstage/config-loader@​1.8.1
  • @​backstage/config@​1.2.0
  • @​backstage/errors@​1.2.4
  • @​backstage/types@​1.1.1

v0.3.70

Compare Source

Patch Changes

• Updated dependencies
  • @​backstage/backend-plugin-api@​0.6.21-next.0
  • @​backstage/backend-common@​0.23.2-next.0
  • @​backstage/plugin-app-node@​0.1.21-next.0
  • @​backstage/plugin-auth-node@​0.4.16-next.0
  • @​backstage/config@​1.2.0
  • @​backstage/config-loader@​1.8.1
  • @​backstage/errors@​1.2.4
  • @​backstage/types@​1.1.1

v0.3.69

Compare Source

v0.3.68

Compare Source

Patch Changes

• 8869b8e: Updated local development setup.
• 78a0b08: Internal refactor to handle BackendFeature contract change.
• 82c2b90: Restore the support of external config schema in the router of the app-backend plugin, which was broken in release 1.26.0.
  This support is critical for dynamic frontend plugins to have access to their config values.
• d44a20a: Added additional plugin metadata to package.json.
• Updated dependencies
  • @​backstage/backend-common@​0.23.0
  • @​backstage/backend-plugin-api@​0.6.19
  • @​backstage/plugin-auth-node@​0.4.14
  • @​backstage/plugin-app-node@​0.1.19
  • @​backstage/config-loader@​1.8.1
  • @​backstage/config@​1.2.0
  • @​backstage/errors@​1.2.4
  • @​backstage/types@​1.1.1

v0.3.67

Compare Source

v0.3.66

Compare Source

Patch Changes

• d229dc4: Move path utilities from backend-common to the backend-plugin-api package.
• Updated dependencies
  • @​backstage/backend-common@​0.22.0
  • @​backstage/backend-plugin-api@​0.6.18
  • @​backstage/plugin-auth-node@​0.4.13
  • @​backstage/plugin-app-node@​0.1.18

v0.3.65

Compare Source

Patch Changes

• d5a1fe1: Replaced winston logger with LoggerService
• c884b9a: Track assets namespace in the cache store, implement a cookie authentication for when the public entry is enabled and used with the new auth services.
• Updated dependencies
  • @​backstage/backend-common@​0.21.7
  • @​backstage/config-loader@​1.8.0
  • @​backstage/backend-plugin-api@​0.6.17
  • @​backstage/plugin-auth-node@​0.4.12
  • @​backstage/plugin-app-node@​0.1.17
  • @​backstage/config@​1.2.0
  • @​backstage/errors@​1.2.4
  • @​backstage/types@​1.1.1

v0.3.64

Compare Source

Patch Changes

• Updated dependencies
  • @​backstage/backend-common@​0.21.6
  • @​backstage/backend-plugin-api@​0.6.16
  • @​backstage/config@​1.2.0
  • @​backstage/config-loader@​1.7.0
  • @​backstage/types@​1.1.1
  • @​backstage/plugin-app-node@​0.1.16

v0.3.63

Compare Source

Patch Changes

• Updated dependencies
  • @​backstage/backend-common@​0.21.5
  • @​backstage/backend-plugin-api@​0.6.15
  • @​backstage/config@​1.2.0
  • @​backstage/config-loader@​1.7.0
  • @​backstage/types@​1.1.1
  • @​backstage/plugin-app-node@​0.1.15

v0.3.62

Compare Source

Patch Changes

• 52e43f2: Disable default auth policy, allowing unauthenticated access to app bundle.
• Updated dependencies
  • @​backstage/backend-common@​0.21.4
  • @​backstage/config@​1.2.0
  • @​backstage/backend-plugin-api@​0.6.14
  • @​backstage/config-loader@​1.7.0
  • @​backstage/types@​1.1.1
  • @​backstage/plugin-app-node@​0.1.14

v0.3.61

Compare Source

Patch Changes

• Updated dependencies
  • @​backstage/backend-common@​0.21.3-next.0
  • @​backstage/backend-plugin-api@​0.6.13-next.0
  • @​backstage/config-loader@​1.6.3-next.0
  • @​backstage/config@​1.1.2-next.0
  • @​backstage/plugin-app-node@​0.1.13-next.0
  • @​backstage/types@​1.1.1

v0.3.60

Compare Source

v0.3.59

Compare Source

v0.3.58

Compare Source

Patch Changes

• 9aac2b0: Use --cwd as the first yarn argument
• 998ccf6: Support injecting config multiple times in a single bundle
• 6bb6f3e: Updated dependency fs-extra to ^11.2.0.
  Updated dependency @types/fs-extra to ^11.0.0.
• 54ad8e1: Allow the app-backend plugin to use a global configuration schema provided externally through an extension.
• 9dfd57d: Do not force caching of the Javascript asset that contains the injected config.
• Updated dependencies
  • @​backstage/backend-common@​0.21.0
  • @​backstage/backend-plugin-api@​0.6.10
  • @​backstage/config-loader@​1.6.2
  • @​backstage/plugin-app-node@​0.1.10
  • @​backstage/config@​1.1.1
  • @​backstage/types@​1.1.1

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.