fix(deps): update dependency @backstage/plugin-scaffolder-backend to v2 [security]#306

Open

renovate[bot] wants to merge 1 commit into main from renovate/npm-backstage-plugin-scaffolder-backend-vulnerability

Conversation

@renovate renovate Bot commented Aug 15, 2025

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package: @backstage/plugin-scaffolder-backend (source)
Change: ^1.20.0 → ^2.0.0

Template Secret leakage in logs in Scaffolder when using fetch:template

CVE-2025-55285 / GHSA-3x3q-ghcp-whf7

More information

Details

A logging flaw in Backstage Scaffolder’s fetch:template action up to @backstage/plugin-scaffolder-backend 2.1.0 may write template secrets to logs. The action emitted a duplicate, pre-redaction copy of input parameters, so values provided via the `` bag could appear in local/server logs when the action ran. Exploitation requires use of the secrets argument and access to Scaffolder/build logs; integrity and availability are unaffected.

  • Fix: upgrade to 2.1.1, which removes the duplicate log path and ensures secrets are redacted.
  • Mitigation: avoid passing `` to fetch:template if upgrade is not possible.

Open an issue in the Backstage repository

Visit our Discord, linked to in Backstage README

Severity

  • CVSS Score: 2.6 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

backstage/backstage (@backstage/plugin-scaffolder-backend)

v2.1.1

v2.1.0

Minor Changes
  • c1ce316: BREAKING /alpha: Converted scaffolder.task.read and scaffolder.task.cancel into Resource Permissions.

    BREAKING /alpha: Added a new scaffolder rule isTaskOwner for scaffolder.task.read and scaffolder.task.cancel to allow for conditional permission policies such as restricting access to tasks and task events based on task creators.

    BREAKING /alpha: Retrying a task now requires both scaffolder.task.read and scaffolder.task.create permissions, replacing the previous requirement of scaffolder.task.read and scaffolder.task.cancel.

Patch Changes

v2.0.0

Major Changes
  • 33394db: BREAKING CHANGES

    Removal of deprecated re-exports from module packages.

    The following functions have been re-exported from the scaffolder-backend plugin for quite some time, and now it's time to clean them up. They've been moved as follows:

    • createPublishAzureAction should be imported from @backstage/plugin-scaffolder-backend-module-azure instead.

    • createPublishBitbucketCloudAction should be imported from @backstage/plugin-scaffolder-backend-module-bitbucket-cloud instead.

    • createPublishBitbucketServerAction and createPublishBitbucketServerPullRequestAction can be imported from @backstage/plugin-scaffolder-backend-module-bitbucket-server instead.

    • createPublishBitbucketAction should be imported from @backstage/plugin-scaffolder-backend-module-bitbucket instead.

    • createPublishGerritAction and createPublishGerritReviewAction can be imported from @backstage/plugin-scaffolder-backend-module-gerrit instead.

    • createGithubActionsDispatchAction, createGithubDeployKeyAction, createGithubEnvironmentAction, createGithubIssuesLabelAction, CreateGithubPullRequestActionOptions, createGithubRepoCreateAction, createGithubRepoPushAction, createGithubWebhookAction, and createPublishGithubAction can be imported from @backstage/plugin-scaffolder-backend-module-github instead.

    • createPublishGitlabAction should be imported from @backstage/plugin-scaffolder-backend-module-gitlab instead.

    • ActionContext, createTemplateAction, executeShellCommand, ExecuteShellCommandOptions, fetchContents, TaskSecrets, and TemplateAction should be imported from @backstage/plugin-scaffolder-node instead.

    • ScaffolderEntitiesProcessor should be imported from @backstage/plugin-catalog-backend-module-scaffolder-entity-model instead.

  • a8fcf04: BREAKING ALPHA: The /alpha export no longer exports the plugin. Please use import('@backstage/plugin-scaffolder-backend') instead as this has been removed.

    BREAKING CHANGES: The old createRouter function which was used in the old backend system has been removed along with the RouterOptions type.

  • 73b94d7: BREAKING CHANGES

    The following functions have been re-exported from the scaffolder-backend plugin for quite some time, and now it's time to clean them up. They've been moved as follows:

    • SerializedTask, SerializedTaskEvent, TaskBroker, TaskBrokerDispatchOptions, TaskBrokerDispatchResult, TaskCompletionState, TaskContext, TaskEventType, TaskStatus, TemplateFilter, and TemplateGlobal should be imported from @backstage/plugin-scaffolder-node instead.

    • The deprecated copyWithoutRender option has been removed from fetch:template action. You should rename the option to copyWithoutTemplating instead.

  • 5863b04: BREAKING CHANGES

    • The createBuiltinActions method has been removed, as this should no longer be needed with the new backend system route, and was only useful when passing the default list of actions again in the old backend system. You should be able to rely on the default behaviour of the new backend system which is to merge the actions.

    • The createCatalogRegisterAction and createFetchCatalogEntityAction actions no longer require an AuthService, and now accepts a CatalogService instead of CatalogClient.

    Unless you're providing your own override action to the default, this should be a non-breaking change.

    You can migrate using the following if you're getting typescript errors:

    // Imports for createBackendModule, ScmIntegrations and the two action factories were
    // missing from the snippet and are added here so it compiles; the action factories are
    // assumed to come from the scaffolder-backend package's public exports.
    import { coreServices, createBackendModule } from '@backstage/backend-plugin-api';
    import { ScmIntegrations } from '@backstage/integration';
    import { catalogServiceRef } from '@backstage/plugin-catalog-node';
    import {
      createCatalogRegisterAction,
      createFetchCatalogEntityAction,
    } from '@backstage/plugin-scaffolder-backend';
    import { scaffolderActionsExtensionPoint } from '@backstage/plugin-scaffolder-node/alpha';
    
    export const myModule = createBackendModule({
      pluginId: 'scaffolder',
      moduleId: 'test',
      register({ registerInit }) {
        registerInit({
          deps: {
            scaffolder: scaffolderActionsExtensionPoint,
            catalog: catalogServiceRef,
            // root config is needed to build the ScmIntegrations passed to the fetch action
            config: coreServices.rootConfig,
          },
          async init({ scaffolder, catalog, config }) {
            const integrations = ScmIntegrations.fromConfig(config);
            // Override the default catalog actions with ones built on CatalogService
            scaffolder.addActions(
              createCatalogRegisterAction({
                catalog,
              }),
              createFetchCatalogEntityAction({
                catalog,
                integrations,
              }),
            );
          },
        });
      },
    });
Minor Changes
  • 73b94d7: DEPRECATIONS

    The following types and implementations have been deprecated, either because they're no longer relevant, or because upcoming changes to the scaffolder-backend after 2.0.0 will influence the changes to these API surfaces.

    • CreateWorkerOptions
    • DatabaseTaskStore
    • DatabaseTaskStoreOptions
    • TaskManager
    • TaskStoreCreateTaskOptions
    • TaskStoreCreateTaskResult
    • TaskStoreEmitOptions
    • TaskStoreListEventsOptions
    • TaskStoreRecoverTaskOptions
    • TaskStoreShutDownTaskOptions

    There is no current path off deprecation, these types are going to be removed and rethought with a better way to define workers in the new backend system.

Patch Changes

v1.33.0

Minor Changes
  • 587cb05: Added workspace:template and workspace:template:file actions to complement respective fetch:* actions
Patch Changes

v1.32.1

This release fixes an issue where the scaffolder did not forward the token from the user to the task properly, and also fixes another issue where the scaffolder tasks page would not list correctly on PostgreSQL.

v1.32.0

Minor Changes
  • 75e4db4: add template-extensions scaffolder service endpoint
Patch Changes

v1.31.0

Minor Changes
  • 36677bb: Support new createTemplateAction type, and convert catalog:fetch action to new way of defining actions.
  • 2b1e50d: use CreatedTemplate[Filter|Global*] as canonical template extensions in scaffolder plugin
Patch Changes

v1.30.0

Minor Changes
  • dc8dd4b: Added new createTemplateFilter, createTemplateGlobalFunction, createTemplateGlobalValue for template extensions.

  • a4aa244: This change integrates the auditor service into the Scaffolder plugin.

  • 3d6ef79: Support file globbing in fs:delete

  • 91f3313: Added experimental flag for scaffolder to wait for running tasks to complete on shutdown

    Enabling the EXPERIMENTAL_gracefulShutdown flag in the scaffolder config will make the
    scaffolder block the shutdown process until all running tasks have completed. This is useful
    when there is a need to ensure that all tasks have completed before the scaffolder is shut down.

    Please note, that the TaskWorker stop method is now asynchronous and awaited for the
    tasks to complete when the experimental flag is enabled.

Patch Changes

v1.29.0

Minor Changes
  • 5d9e5c8: Added the ability to use ${{ context.task.id }} in nunjucks templating, as well as ctx.task.id in actions to get the current task ID.
Patch Changes

v1.28.0

Minor Changes
  • c05a343: Emit scaffolder events using the optional EventsService
Patch Changes

v1.27.2

This release fixes the following issues:

  • Fix logger crash on logging because of cyclical structures in the meta fields.
  • Fix an issue with external config schemas in the app-backend plugin which was previously broken.
  • Fix issue where MUI v5 components would not properly receive a v5- class prefix.
  • Fix issue with search-backend startup not happening in the correct order

v1.27.1

This release fixes an issue where the backend logger services would throw an error when passing a log meta object with a null prototype.

v1.27.0

Minor Changes
  • 0587633: Bumped the isolated-vm dependency from v4 to v5, which drops support for Node.js v16.

  • e61d5ef: BREAKING EXPERIMENTAL: The checkpoint method now takes an object instead of previous arguments.

    await ctx.checkpoint({ key: 'repo.create', fn: () => octokit.repo.create({...}) })

    You can also now return void from the checkpoint if the method returns void inside the checkpoint handler.

Patch Changes

v1.26.3

Patch Changes

v1.26.2

This release is the official start of the community-plugins repository! 🎉

Out of the back of the discussions in #20266, we aligned with the help of Red Hat to move some plugins which are maintained by the community out of this repo, and have a dedicated space. There they will have their own independent workspaces, with their own release cycles not coupled to the Backstage mainline / next release.

With the move comes a new NPM scope, @backstage-community. Upgrading to these packages is as easy as running yarn backstage-cli versions:bump followed by yarn backstage-cli versions:migrate, in which these scripts will update both code references under ./src and package.json references to the old namespace.

If you have already upgraded to v1.26.1 make sure to run yarn backstage-cli versions:bump --skip-migrate and then yarn backstage-cli versions:migrate separately in order to take advantage of the inline code replacements that shipped in this release!

From this release versions:bump will also try to migrate any packages over time for you, without needing to do versions:migrate separately.

Please reach out on Discord, or file an issue, if you're having issues with moving to the new packages.

v1.26.1

This release deprecates @backstage/plugin-todo and @backstage/plugin-todo-backend as they have now been moved to the @backstage-community/* namespace over in the community-plugins repository.

You should be able to do yarn backstage-cli versions:bump if you're already on v1.26.0+ of Backstage.
Otherwise, you can do yarn backstage-cli versions:bump followed by yarn backstage-cli versions:migrate to switch over to the new packages, if you're on versions <v1.26.0

v1.26.0

Minor Changes
  • 3ec4e6d: Added pagination support for listing of tasks and the ability to filter on several users and task statuses.
  • 3109c24: The export for the new backend system at the /alpha export is now also available via the main entry point, which means that you can remove the /alpha suffix from the import.
Patch Changes

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
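
The advisory in the PR body describes a duplicate, pre-redaction log call in fetch:template. The TypeScript below is an added illustration of that bug class, not code from Backstage or from this PR: it models the vulnerable shape (a raw input object logged before a redacted copy), the fixed shape (only the redacted copy reaches the logger), a deep redaction helper that matches on secret values rather than key names, and a scanner a practitioner can run over existing scaffolder or build logs to check whether a known secret value ever landed there. Every name (redactString, redactInput, MemoryLog, runFetchTemplateVulnerable, runFetchTemplateFixed, findLeaks, demo) and the sample input and token are constructed for the example.

```typescript
// Added illustration (not Backstage code): a pre-redaction log path that leaks a secret
// value, the fixed path, and a scanner for leaked values in log lines.

type ActionInput = Record<string, unknown>;
type Secrets = Record<string, string>;

// Constructed sample data: the action input carries a rendered secret value.
const sampleSecrets: Secrets = { token: 'example-token-not-real' };
const sampleInput: ActionInput = {
  url: './skeleton',
  values: { repoUrl: 'github.com?owner=acme&repo=svc', token: 'example-token-not-real' },
};

// Replace every occurrence of each secret value in a string with a marker.
// Matching on values (not key names) also catches secrets embedded in larger strings.
function redactString(text: string, secrets: Secrets): string {
  let out = text;
  for (const value of Object.values(secrets)) {
    if (value.length > 0) out = out.split(value).join('[REDACTED]');
  }
  return out;
}

// Deep copy of an input object with every string leaf redacted; non-strings pass through.
function redactInput(input: unknown, secrets: Secrets): unknown {
  if (typeof input === 'string') return redactString(input, secrets);
  if (Array.isArray(input)) return input.map(v => redactInput(v, secrets));
  if (input !== null && typeof input === 'object') {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(input as Record<string, unknown>)) {
      out[k] = redactInput(v, secrets);
    }
    return out;
  }
  return input;
}

// Minimal in-memory log sink so both code paths can be inspected.
class MemoryLog {
  lines: string[] = [];
  info(message: string): void {
    this.lines.push(message);
  }
}

// Vulnerable shape: one log call is redacted, but a second, duplicate call writes the raw input.
function runFetchTemplateVulnerable(log: MemoryLog, input: ActionInput, secrets: Secrets): void {
  log.info(`Running fetch:template with input ${JSON.stringify(input)}`);
  log.info(`Running fetch:template with input ${JSON.stringify(redactInput(input, secrets))}`);
}

// Fixed shape: the raw object never reaches the logger; only the redacted copy does.
function runFetchTemplateFixed(log: MemoryLog, input: ActionInput, secrets: Secrets): void {
  const safe = redactInput(input, secrets);
  log.info(`Running fetch:template with input ${JSON.stringify(safe)}`);
}

// Check for existing logs: indexes of lines that still contain a known secret value.
function findLeaks(lines: string[], secrets: Secrets): number[] {
  const values = Object.values(secrets).filter(v => v.length > 0);
  const hits: number[] = [];
  lines.forEach((line, i) => {
    if (values.some(v => line.includes(v))) hits.push(i);
  });
  return hits;
}

// Runs both variants on the constructed sample and reports the leaking line indexes.
function demo(): { vulnerable: number[]; fixed: number[] } {
  const vulnLog = new MemoryLog();
  runFetchTemplateVulnerable(vulnLog, sampleInput, sampleSecrets);
  const fixedLog = new MemoryLog();
  runFetchTemplateFixed(fixedLog, sampleInput, sampleSecrets);
  return {
    vulnerable: findLeaks(vulnLog.lines, sampleSecrets),
    fixed: findLeaks(fixedLog.lines, sampleSecrets),
  };
}
```

The scanner only finds values it is told about, so it is a check for secrets you can enumerate (tokens used by templates), not a general detector; rotating any value it does find is the right follow-up, since log retention and log shipping usually outlive the fix.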

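The v1.27.0 release note changes ctx.checkpoint to take an object with key and fn. The TypeScript below is an added example, not Backstage's implementation, modelling why a keyed checkpoint matters: a side-effecting step such as repository creation must run once even when a task is retried after a crash. CheckpointStore, FakeRepoApi, runTask and retryScenario are hypothetical names, and the store stands in for whatever the real task context persists.

```typescript
// Added illustration (not Backstage code): keyed checkpoints that survive a task retry.

type CheckpointRecord =
  | { status: 'success'; value: unknown }
  | { status: 'failed'; reason: string };

// Hypothetical store standing in for what a task context persists for ctx.checkpoint.
class CheckpointStore {
  private readonly records = new Map<string, CheckpointRecord>();

  // Run fn at most once per key. On replay of a succeeded key, return the stored value and
  // skip the side effect; a failed key is retried.
  async checkpoint<T>(opts: { key: string; fn: () => Promise<T> }): Promise<T> {
    const prior = this.records.get(opts.key);
    if (prior && prior.status === 'success') return prior.value as T;
    try {
      const value = await opts.fn();
      this.records.set(opts.key, { status: 'success', value });
      return value;
    } catch (err) {
      this.records.set(opts.key, { status: 'failed', reason: String(err) });
      throw err;
    }
  }
}

// Fake remote API that counts calls so the replay behaviour is observable.
class FakeRepoApi {
  createCalls = 0;
  async create(name: string): Promise<{ name: string; id: number }> {
    this.createCalls += 1;
    return { name, id: this.createCalls };
  }
}

// One task attempt: create the repo (checkpointed when a store is given), then a later
// step that may crash.
async function runTask(
  store: CheckpointStore | null,
  api: FakeRepoApi,
  crashAfterRepo: boolean,
): Promise<{ name: string; id: number }> {
  const create = () => api.create('my-service');
  const repo = store ? await store.checkpoint({ key: 'repo.create', fn: create }) : await create();
  if (crashAfterRepo) throw new Error('simulated crash after repository creation');
  return repo;
}

// First attempt crashes after creating the repo; the retry completes. Returns how many real
// create calls happened and which repo the second attempt ended up with.
async function retryScenario(useCheckpoint: boolean): Promise<{ createCalls: number; repoId: number }> {
  const store = useCheckpoint ? new CheckpointStore() : null;
  const api = new FakeRepoApi();
  try {
    await runTask(store, api, true);
  } catch (_err) {
    // the worker dies here; the retry is a fresh attempt against the same store
  }
  const repo = await runTask(store, api, false);
  return { createCalls: api.createCalls, repoId: repo.id };
}
```

With a checkpoint the retry reuses the stored result (one create call); without one the repository is created twice. The key is the whole contract: two steps that reuse 'repo.create' would silently share one stored value, so keys should encode the step identity, not just the operation.
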
@renovate renovate Bot force-pushed the renovate/npm-backstage-plugin-scaffolder-backend-vulnerability branch from f2be326 to 74c8869 Compare August 19, 2025 19:13
@renovate renovate Bot force-pushed the renovate/npm-backstage-plugin-scaffolder-backend-vulnerability branch from 74c8869 to dcf7f72 Compare August 31, 2025 13:36
@renovate renovate Bot force-pushed the renovate/npm-backstage-plugin-scaffolder-backend-vulnerability branch from dcf7f72 to 6fa75e3 Compare September 25, 2025 15:09
@renovate renovate Bot force-pushed the renovate/npm-backstage-plugin-scaffolder-backend-vulnerability branch from 6fa75e3 to a6dcb17 Compare October 21, 2025 11:11
@renovate renovate Bot force-pushed the renovate/npm-backstage-plugin-scaffolder-backend-vulnerability branch from a6dcb17 to 9f560f9 Compare November 10, 2025 20:44
@renovate renovate Bot force-pushed the renovate/npm-backstage-plugin-scaffolder-backend-vulnerability branch from 9f560f9 to 7d6555e Compare November 18, 2025 11:35
@renovate renovate Bot force-pushed the renovate/npm-backstage-plugin-scaffolder-backend-vulnerability branch from 7d6555e to 5df7882 Compare December 3, 2025 17:53
@renovate renovate Bot force-pushed the renovate/npm-backstage-plugin-scaffolder-backend-vulnerability branch from 5df7882 to b9afb42 Compare December 31, 2025 17:28
@renovate renovate Bot force-pushed the renovate/npm-backstage-plugin-scaffolder-backend-vulnerability branch from b9afb42 to 7e8fbb2 Compare January 8, 2026 18:38
@renovate renovate Bot force-pushed the renovate/npm-backstage-plugin-scaffolder-backend-vulnerability branch from 7e8fbb2 to 94f3e1a Compare January 19, 2026 16:28
@renovate renovate Bot force-pushed the renovate/npm-backstage-plugin-scaffolder-backend-vulnerability branch from 94f3e1a to 2a0d66e Compare February 2, 2026 19:49
@renovate renovate Bot force-pushed the renovate/npm-backstage-plugin-scaffolder-backend-vulnerability branch 2 times, most recently from 102c728 to 5e4d44a Compare February 17, 2026 19:16
@renovate renovate Bot force-pushed the renovate/npm-backstage-plugin-scaffolder-backend-vulnerability branch from 5e4d44a to 10d8d49 Compare March 5, 2026 16:00
@renovate renovate Bot force-pushed the renovate/npm-backstage-plugin-scaffolder-backend-vulnerability branch from 10d8d49 to cadc106 Compare March 13, 2026 16:37
@renovate renovate Bot changed the title fix(deps): update dependency @backstage/plugin-scaffolder-backend to v2 [security] fix(deps): update dependency @backstage/plugin-scaffolder-backend to v2 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/npm-backstage-plugin-scaffolder-backend-vulnerability branch March 27, 2026 05:23
@renovate renovate Bot changed the title fix(deps): update dependency @backstage/plugin-scaffolder-backend to v2 [security] - autoclosed fix(deps): update dependency @backstage/plugin-scaffolder-backend to v2 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-backstage-plugin-scaffolder-backend-vulnerability branch 3 times, most recently from aed9646 to 77924d1 Compare April 1, 2026 18:00
@renovate renovate Bot force-pushed the renovate/npm-backstage-plugin-scaffolder-backend-vulnerability branch from 77924d1 to c43f8b8 Compare April 8, 2026 14:41
@renovate renovate Bot changed the title fix(deps): update dependency @backstage/plugin-scaffolder-backend to v2 [security] fix(deps): update dependency @backstage/plugin-scaffolder-backend to v2 [security] - autoclosed Apr 22, 2026
@renovate renovate Bot closed this Apr 22, 2026
@renovate renovate Bot changed the title fix(deps): update dependency @backstage/plugin-scaffolder-backend to v2 [security] - autoclosed fix(deps): update dependency @backstage/plugin-scaffolder-backend to v2 [security] Apr 22, 2026
@renovate renovate Bot reopened this Apr 22, 2026
@renovate renovate Bot force-pushed the renovate/npm-backstage-plugin-scaffolder-backend-vulnerability branch 2 times, most recently from c43f8b8 to daeb474 Compare April 22, 2026 06:38
@renovate renovate Bot force-pushed the renovate/npm-backstage-plugin-scaffolder-backend-vulnerability branch from daeb474 to 205fe58 Compare April 29, 2026 10:06
@renovate renovate Bot force-pushed the renovate/npm-backstage-plugin-scaffolder-backend-vulnerability branch from 205fe58 to 6310b10 Compare May 12, 2026 10:06
@renovate renovate Bot force-pushed the renovate/npm-backstage-plugin-scaffolder-backend-vulnerability branch from 6310b10 to ad9add9 Compare May 18, 2026 14:41