Fix security vulnerabilities#353
Open
callebstrom wants to merge 1 commit intoAxisCommunications:mainfrom
Open
Conversation
🦋 Changeset detectedLatest commit: 4d2a8aa The changes in this PR will be included in the next version bump. This PR includes changesets to release 11 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
Contributor
|
Thank you! We need a changeset as well! Do we need to dedupe these? If I run "yarn why @backstage/backend-plugin-api" other dependencies pull in the older versions? |
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub. |
callebstrom
force-pushed
the
fix/security-vulnerabilities-2026-02-09
branch
from
3ef0a21 to
3b52ae4
Compare
Author
|
@anicke yes good point, I will generate that changeset! In terms of the other vulnerable paths, they are not part of the production code path for the published plugins it seems. However, I will patch these as well for consistency 👍 |
Upgrade @backstage/core-components from ^0.18.4 to ^0.18.6 to fix CVE-2025-8101 (high severity vulnerability in linkifyjs/linkify-react). Upgrade @backstage/backend-defaults from ^0.14.0 to ^0.15.1 and @backstage/backend-plugin-api from ^1.6.0 to ^1.6.2 to fix CVE-2026-24046 and CVE-2026-24047 (high severity vulnerabilities). Affected packages: - @axis-backstage/plugin-jira-dashboard - @axis-backstage/plugin-jira-dashboard-backend - @axis-backstage/plugin-readme - @axis-backstage/plugin-readme-backend - @axis-backstage/plugin-statuspage - @axis-backstage/plugin-statuspage-backend - @axis-backstage/plugin-analytics-module-umami - @axis-backstage/plugin-vacation-calendar - packages/app - packages/app-next - packages/backend fix(security): remove redundant backend-defaults dependencies from prod code paths
callebstrom
force-pushed
the
fix/security-vulnerabilities-2026-02-09
branch
from
3b52ae4 to
4d2a8aa
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Hey, I just made a Pull Request!
Please describe what you added, and add a screenshot if possible.
faster.
That makes it easier to understand the change so we can
Context
This PR fixes high severity security vulnerabilities in the Backstage plugins.
Issue ticket number and link
qs@6.13.0/6.14.0 - Allocation of Resources Without Limits or Throttling
@backstage/backend-defaults@0.14.0 - Symlink Attack
@backstage/backend-plugin-api@1.6.0 - UNIX Symbolic Link Following
Remove redundant
@backstage/backend-defaultsusage aserror()middleware is provided by default.Checklist before requesting a review