[Snyk] Fix for 73 vulnerabilities

[snyk-io]

Snyk has created this PR to fix 73 vulnerabilities in the yarn dependencies of this project.

Snyk changed the following file(s):

• packages/backend-next/package.json

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory.
If you are not using zero-install you can ignore this as your flow should likely be unchanged.

⚠️ Warning

Failed to update the yarn.lock, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Prototype Pollution SNYK-JS-LINKIFYREACT-11502190	815
	Regular Expression Denial of Service (ReDoS) SNYK-JS-CROSSSPAWN-8303230	810
	Denial of Service (DoS) SNYK-JS-HTTPPROXYMIDDLEWARE-8229906	810
	Allocation of Resources Without Limits or Throttling SNYK-JS-QS-14724253	810
	Interpretation Conflict SNYK-JS-NODEFORGE-14114940	765
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	750
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	750
	Information Exposure Through an Error Message SNYK-JS-BACKSTAGEBACKENDAPPAPI-6229731	740
	Uncontrolled Recursion SNYK-JS-NODEFORGE-14125745	735
	Origin Validation Error SNYK-JS-WEBPACKDEVSERVER-10300775	730
	Regular Expression Denial of Service (ReDoS) SNYK-JS-OCTOKITREQUEST-8730853	720
	Asymmetric Resource Consumption (Amplification) SNYK-JS-BODYPARSER-7926860	710
	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	700
	Uncontrolled Resource Consumption ('Resource Exhaustion') SNYK-JS-TAR-6476909	700
	Predictable Value Range from Previous Values SNYK-JS-FORMDATA-10841150	695
	Incomplete List of Disallowed Inputs SNYK-JS-BABELTRAVERSE-5962462	690
	Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-8187303	690
	Remote Code Execution (RCE) SNYK-JS-JSONPATHPLUS-7945884	690
	Remote Code Execution (RCE) SNYK-JS-JSONPATHPLUS-8719585	690
	Function Call With Incorrect Argument Type SNYK-JS-CIPHERBASE-12084814	680
	Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-7577916	680
	Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-7577917	680
	Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-7577918	680
	Generation of Predictable Numbers or Identifiers SNYK-JS-PBKDF2-10495496	680
	Function Call With Incorrect Argument Type SNYK-JS-SHAJS-12089400	680
	Information Exposure SNYK-JS-ELLIPTIC-8720086	675
	Exposed Dangerous Method or Function SNYK-JS-WEBPACKDEVSERVER-10300777	675
	Cross-site Scripting (XSS) SNYK-JS-WEBPACK-7840298	670
	Prototype Pollution SNYK-JS-LINKIFYJS-11502189	665
	Prototype Pollution SNYK-JS-JSYAML-13961110	645
	Denial of Service (DoS) SNYK-JS-GRAPHQL-5905181	640
	Cross-site Scripting (XSS) SNYK-JS-ROLLUP-8073097	630
	Always-Incorrect Control Flow Implementation SNYK-JS-HTTPPROXYMIDDLEWARE-9691387	615
	Improper Check for Unusual or Exceptional Conditions SNYK-JS-HTTPPROXYMIDDLEWARE-9691389	615
	Integer Overflow or Wraparound SNYK-JS-NODEFORGE-14125097	615
	Open Redirect SNYK-JS-EXPRESS-6474509	605
	Generation of Predictable Numbers or Identifiers SNYK-JS-PBKDF2-10495498	605
	Denial of Service (DoS) SNYK-JS-WS-7266574	600
	Improper Handling of Unicode Encoding SNYK-JS-TAR-15038581	595
	Path Traversal SNYK-JS-WEBPACKDEVMIDDLEWARE-6476555	595
	Regular Expression Denial of Service (ReDoS) SNYK-JS-DIFF-14917201	590
	Use of a Cryptographic Primitive with a Risky Implementation SNYK-JS-ELLIPTIC-14908844	590
	Improper Handling of Extra Parameters SNYK-JS-FOLLOWREDIRECTS-6141137	590
	Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') SNYK-JS-AZUREIDENTITY-7246760	575
	Directory Traversal SNYK-JS-TAR-15032660	575
	Regular Expression Denial of Service (ReDoS) SNYK-JS-BABELHELPERS-9397697	570
	Regular Expression Denial of Service (ReDoS) SNYK-JS-BABELRUNTIME-10044504	570
	Regular Expression Denial of Service (ReDoS) SNYK-JS-OCTOKITPLUGINPAGINATEREST-8730855	570
	Regular Expression Denial of Service (ReDoS) SNYK-JS-OCTOKITREQUESTERROR-8730854	570
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHTOREGEXP-7925106	570
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHTOREGEXP-8482416	570
	Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-8172694	565
	Resource Exhaustion SNYK-JS-JOSE-6419224	565
	Symlink Attack SNYK-JS-TMP-11501554	565
	Improper Verification of Cryptographic Signature SNYK-JS-JWS-14188253	560
	Cross-site Scripting SNYK-JS-EXPRESS-7926867	555
	Information Exposure SNYK-JS-FOLLOWREDIRECTS-6444610	550
	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	550
	Prototype Pollution SNYK-JS-LODASH-15053838	545
	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	535
	Cross-site Scripting (XSS) SNYK-JS-SERIALIZEJAVASCRIPT-6147607	530
	Improper Verification of Cryptographic Signature SNYK-JS-BROWSERIFYSIGN-6037026	525
	Directory Traversal SNYK-JS-TAR-15127355	510
	Uncontrolled Recursion SNYK-JS-ESLINT-15102420	505
	Regular Expression Denial of Service (ReDoS) SNYK-JS-FASTXMLPARSER-7573289	495
	Cross-site Scripting (XSS) SNYK-JS-COOKIE-8163060	465
	Improper Input Validation SNYK-JS-NANOID-8492085	465
	Denial of Service (DoS) SNYK-JS-NWSAPI-2841516	460
	Inefficient Regular Expression Complexity SNYK-JS-MICROMATCH-6838728	415
	Improper Input Validation SNYK-JS-POSTCSS-5926692	415
	Arbitrary Code Injection SNYK-JS-PRISMJS-9055448	340
	Cross-site Scripting SNYK-JS-SEND-7926862	255
	Cross-site Scripting SNYK-JS-SERVESTATIC-7926865	255

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
🦉 Information Exposure Through an Error Message
🦉 More lessons are available in Snyk Learn

---

EntelligenceAI PR Summary

This PR transitions backend-next package dependencies from workspace protocol references to explicit semantic versions for six Backstage packages.

• Updated @backstage/backend-defaults from workspace:^ to version 0.1.0
• Updated @backstage/backend-tasks from workspace:^ to version 0.6.1
• Updated @backstage/plugin-app-backend from workspace:^ to version 0.1.1
• Updated @backstage/plugin-catalog-backend from workspace:^ to version 0.1.1
• Updated @backstage/plugin-permission-common from workspace:^ to version 0.1.0
• Updated @backstage/plugin-scaffolder-backend from workspace:^ to version 0.1.1
• Changes made in packages/backend-next/package.json

[codesandbox]

Review or Edit in CodeSandbox

Open the branch in Web Editor • VS Code • Insiders

Open Preview

[snyk-io]

⛔ Snyk checks have failed. 3 issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (3)
⛔	Open Source Security	0	2	1	0	3 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[entelligence-ai-pr-reviews]

Walkthrough

This pull request updates the dependency management strategy for the backend-next package by replacing workspace protocol references with explicit semantic version numbers for six Backstage packages. The changes transition from monorepo-style workspace dependencies (workspace:^) to pinned published package versions, specifying exact versions for backend-defaults (0.1.0), backend-tasks (0.6.1), plugin-app-backend (0.1.1), plugin-catalog-backend (0.1.1), plugin-permission-common (0.1.0), and plugin-scaffolder-backend (0.1.1). This modification likely supports release preparation, improves dependency reproducibility, or facilitates independent package distribution outside the monorepo context.

Changes

File(s)	Summary
packages/backend-next/package.json	Replaced workspace protocol references (workspace:^) with explicit semantic versions for six Backstage dependencies: @backstage/backend-defaults (0.1.0), @backstage/backend-tasks (0.6.1), @backstage/plugin-app-backend (0.1.1), @backstage/plugin-catalog-backend (0.1.1), @backstage/plugin-permission-common (0.1.0), and @backstage/plugin-scaffolder-backend (0.1.1).

Sequence Diagram

This diagram shows the interactions between components:

sequenceDiagram
    participant Dev as Developer
    participant PM as Package Manager
    participant Registry as NPM Registry
    
    Note over Dev,Registry: Dependency Version Update Process
    
    Dev->>PM: Update package.json dependencies
    Note right of Dev: Change workspace:^ to<br/>specific versions (0.1.0, 0.1.1, 0.6.1)
    
    Dev->>PM: Run install command
    PM->>Registry: Fetch @backstage/backend-defaults@0.1.0
    Registry-->>PM: Return package
    PM->>Registry: Fetch @backstage/backend-tasks@0.6.1
    Registry-->>PM: Return package
    PM->>Registry: Fetch @backstage/plugin-app-backend@0.1.1
    Registry-->>PM: Return package
    PM->>Registry: Fetch other updated packages
    Registry-->>PM: Return packages
    
    PM->>PM: Resolve dependency tree
    PM->>PM: Install packages
    PM-->>Dev: Dependencies updated successfully

Loading

▶️ ⚡ AI Code Reviews for VS Code, Cursor, Windsurf
Install the extension

Note for Windsurf

Please change the default marketplace provider to the following in the windsurf settings:

Marketplace Extension Gallery Service URL: https://marketplace.visualstudio.com/_apis/public/gallery

Marketplace Gallery Item URL: https://marketplace.visualstudio.com/items

Entelligence.ai can learn from your feedback. Simply add 👍 / 👎 emojis to teach it your preferences. More shortcuts below

Emoji Descriptions:

• ⚠️ Potential Issue - May require further investigation.
• 🔒 Security Vulnerability - Fix to ensure system safety.
• 💻 Code Improvement - Suggestions to enhance code quality.
• 🔨 Refactor Suggestion - Recommendations for restructuring code.
• ℹ️ Others - General comments and information.

Interact with the Bot:

• Send a message or request using the format:
  @entelligenceai + *your message*

Example: @entelligenceai Can you suggest improvements for this code?

• Help the Bot learn by providing feedback on its responses.
  @entelligenceai + *feedback*

Example: @entelligenceai Do not comment on `save_auth` function !

Also you can trigger various commands with the bot by doing
@entelligenceai command

The current supported commands are

1. config - shows the current config
2. retrigger_review - retriggers the review

More commands to be added soon.