@dependabot dependabot bot commented on behalf of github Jul 9, 2023

Bumps tough-cookie to 4.1.3 and updates ancestor dependencies tough-cookie, @backstage/plugin-scaffolder-backend and @backstage/backend-common. These dependencies need to be updated together.

Updates tough-cookie from 4.1.2 to 4.1.3

Release notes

Sourced from tough-cookie's releases.

4.1.3

Security fix for the Prototype Pollution discovery in #282. This is a minor release; although output from the inspect utility is affected by this change, we felt it was important enough to be pushed into the next patch.

Commits
  • 4ff4d29 4.1.3 release preparation, update the package and lib/version to 4.1.3. (#284)
  • 12d4747 Prevent prototype pollution in cookie memstore (#283)
  • f06b72d Fix documentation for store.findCookies, missing allowSpecialUseDomain proper...
  • See full diff in compare view

Updates @backstage/plugin-scaffolder-backend from 1.8.0 to 1.15.0

Release notes

Sourced from @backstage/plugin-scaffolder-backend's releases.

v1.15.0

These are the release notes for the v1.15.0 release of Backstage.

A huge thanks to the whole team of maintainers and contributors as well as the amazing Backstage Community for their hard work in getting this release developed and done.

Highlights

This release has a few important security fixes, along with a lot of squashed bugs and exciting additions as usual! Enjoy.

BREAKING: Scaffolder build requirements

The Scaffolder backend uses a sandboxing environment to run its nunjucks templating in, for security reasons. This used to leverage the vm2 library, but in this release it has been replaced by isolated-vm. This significantly improves the confidence level in the sandbox implementation since it builds upon v8 isolates directly. However, it comes with a cost to implementers: it is a native dependency, and as such needs to be built during yarn installation, on the exact architecture that it then executes on. For those who compile and run Backstage on stripped-down environments, you will want to ensure that you have the build basics present, e.g. build-essential or similar corresponding to your operating system of choice. The isolated-vm repo has some further information about the build environment requirements.

There is a CVE-2022-39266 that has been reported for isolated-vm, which applies only when using CachedDataOptions. We do not use that feature at all, since it is recommended against in the README; doing so can lead to breakouts and calling back to the main process. Some security tools may report that this is a vulnerability but it is safe to ignore this through your .snyk policy file or similar.

BREAKING: @backstage/plugin-linguist-backend

There have been some significant updates to the Linguist plugin, in particular the backend and its API. One breaking change is that LinguistBackendApi is now an interface rather than a class, and you should create its implementation LinguistBackendClient instead.

Contributed by @ahhhndre in #16954

BREAKING: @backstage/plugin-github-actions

In order to make this plugin support GitHub enterprise as well as cloud, its GithubActionsClient is updated to take an scmAuthApi instead of the previous

... (truncated)

Changelog

Sourced from @backstage/plugin-scaffolder-backend's changelog.

1.15.0

Minor Changes

  • 84b0e47373db: Add TargetBranchName variable and output for the publish:gitlab:merge-request and publish:github:pull-request scaffolder actions.

  • 6a694ce98e32: Add a scaffolder action that creates pull requests for Bitbucket Server

  • 1948845861b0: Added github:deployKey:create and github:environment:create scaffolder actions. You will need to add read/write permissions to your GITHUB_TOKEN and/or Github Backstage App for Repository Administration (for deploy key functionality) and Environments (for Environment functionality)

  • df8411779da1: Add support for Repository Variables and Secrets to the publish:github and github:repo:create scaffolder actions. You will need to add read/write permissions to your GITHUB_TOKEN and/or Github Backstage App for Repository Secrets and Variables

    Upgrade octokit introduces some breaking changes.

Patch Changes

  • cc936b529676: Fix handling of optional property in catalog:register scaffolder action

  • b269da39ac2d: Clearer error messages for action publish:gitlab:merge-request

  • 11e0f625583f: Fix wrong gitlabUrl format in repoUrl input description

  • a2c70cdda202: Switch out the sandbox, from vm2 to isolated-vm.

    This is a native dependency, which means that it will need to be compiled with the same version of node on the same OS. This could cause some issues when running in Docker for instance, as you will need to make sure that the dependency is installed and compiled inside the docker container that it will run on.

    This could mean adding in some dependencies to the container like build-essential to make sure that this compiles correctly.

    If you're having issues installing this dependency, there's some install instructions over on isolated-vm's repo.

  • Updated dependencies

    • @backstage/backend-common@0.19.0
    • @backstage/catalog-client@1.4.2
    • @backstage/types@1.1.0
    • @backstage/plugin-catalog-backend@1.10.0
    • @backstage/integration@1.5.0
    • @backstage/catalog-model@1.4.0
    • @backstage/errors@1.2.0
    • @backstage/backend-plugin-api@0.5.3
    • @backstage/backend-tasks@0.5.3
    • @backstage/plugin-auth-node@0.2.15
    • @backstage/plugin-catalog-node@1.3.7
    • @backstage/plugin-permission-node@0.7.9
    • @backstage/config@1.0.8
    • @backstage/plugin-catalog-common@1.0.14
    • @backstage/plugin-permission-common@0.7.6
    • @backstage/plugin-scaffolder-common@1.3.1
    • @backstage/plugin-scaffolder-node@0.1.4

1.15.0-next.3

Minor Changes

  • 84b0e47373db: Add TargetBranchName variable and output for the publish:gitlab:merge-request and publish:github:pull-request scaffolder actions.
  • 6a694ce98e32: Add a scaffolder action that creates pull requests for Bitbucket Server
  • 1948845861b0: Added github:deployKey:create and github:environment:create scaffolder actions. You will need to add read/write permissions to your GITHUB_TOKEN and/or Github Backstage App for Repository Administration (for deploy key functionality) and Environments (for Environment functionality)

... (truncated)

Commits
  • bc0c4bc Version Packages
  • fb73755 feat: replace vm2 sandbox with isolated-vm
  • 7e272d1 feat: replace vm2 sandbox with isolated-vm
  • 320ed50 Version Packages (next)
  • 3fe56a6 Merge pull request #17921 from ohjongsung/bitbucketServer-pullRequests
  • c7d401f Change objects to precise type and apply encodeURIComponent to url
  • bcc8d79 Merge pull request #18110 from go-xman/feat/add-target-branch-name-for-pr-action
  • d6876e7 Merge pull request #17516 from aochsner/feature/github-deployments
  • e37573d Version Packages (next)
  • 84b0e47 chore: Add TargetBranchName variable and output for the `publish:gitlab:mer...
  • Additional commits viewable in compare view

Updates @backstage/backend-common from 0.16.0 to 0.19.0

Changelog

Sourced from @backstage/backend-common's changelog.

0.19.0

Minor Changes

  • c7f848bcea3c: Support authentication with a service principal or managed identity for Azure DevOps

    Azure DevOps recently released support, in public preview, for authenticating with a service principal or managed identity instead of a personal access token (PAT): https://devblogs.microsoft.com/devops/introducing-service-principal-and-managed-identity-support-on-azure-devops/. With this change the Azure integration now supports service principals and managed identities for Azure AD backed Azure DevOps organizations. Service principal and managed identity authentication is not supported on Azure DevOps Server (on-premises) organizations.

Patch Changes

  • 4ef91ab46732: Updated the backend database connection configuration schema to set the password visibility to secret

  • 52d599817680: Changed the default backend CacheClient to an in-memory cache when not explicitly configured.

    Explicit configuration of an in-memory cache can be removed from app-config.yaml, as this is now the default:

    ```diff
    backend:
    -  cache:
    -    store: memory
    ```

  • 5f2c38c70f5b: Fix SNYK-JS-FASTXMLPARSER-5668858 (fast-xml-parser) by upgrading aws-sdk to at least the current latest version.

  • eeb3f801fddf: HostDiscovery now strips trailing slashes in the backend.baseUrl config.

  • 9f47a743632c: Fixed typo in HostDiscovery's JSDoc

  • 810c6de51604: Remove unused dev dependency aws-sdk-mock.

  • Updated dependencies

    • @backstage/types@1.1.0
    • @backstage/integration-aws-node@0.1.4
    • @backstage/config-loader@1.3.1
    • @backstage/integration@1.5.0
    • @backstage/errors@1.2.0
    • @backstage/backend-app-api@0.4.4
    • @backstage/backend-plugin-api@0.5.3
    • @backstage/backend-dev-utils@0.1.1
    • @backstage/cli-common@0.1.12
    • @backstage/config@1.0.8

0.19.0-next.2

Patch Changes

  • 5f2c38c70f5b: Fix SNYK-JS-FASTXMLPARSER-5668858 (fast-xml-parser) by upgrading aws-sdk to at least the current latest version.
  • Updated dependencies
    • @backstage/integration-aws-node@0.1.4-next.1
    • @backstage/backend-app-api@0.4.4-next.2
    • @backstage/backend-dev-utils@0.1.1
    • @backstage/backend-plugin-api@0.5.3-next.2
    • @backstage/cli-common@0.1.12
    • @backstage/config@1.0.7
    • @backstage/config-loader@1.3.1-next.1

... (truncated)

Commits
  • d42f055 chore(deps): bump express-promise-router from 3.0.3 to 4.1.0
  • 718eea4 Version Packages
  • fda249f fix review comments
  • 8686eb3 Introduce the @backstage/errors package.
  • 0e120c5 Version Packages
  • 38a8734 Merge pull request #4744 from backstage/orkohunter/move-runDockerContainer
  • 3f2a0ef backend-common: Use Record<string, string> for envVars in runDockerContainer
  • c0c2624 1. Use plain Record instead of Map
  • 8e15b19 Merge pull request #4827 from backstage/dependabot/npm_and_yarn/knex-0.95.1
  • 7616988 chore(deps): bump knex from 0.21.18 to 0.95.1
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.
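The tough-cookie release notes above describe a prototype pollution fix in the cookie memstore (commit 12d4747), a store whose index is keyed by domain, then path, then cookie name. The JavaScript below is an added example and not tough-cookie's own code: a constructed domain/path/key index written the naive way next to a null-prototype version, with a probe that reports which of the two leaks into `Object.prototype`. The class names, `compareStores`, `prototypeIsPolluted` and the sample cookies (including the hostile `__proto__` domain value) are all made up for this illustration.

```javascript
// Added example, not tough-cookie's code: a domain/path/key cookie index in
// the shape the memstore fix hardens, shown naive and then fixed.
// The cookies and the hostile domain value are constructed sample data.

const SAMPLE_COOKIES = [
  { domain: 'example.com', path: '/', key: 'session', value: 'abc123' },
  // A domain value that lands on Object.prototype in a naive index.
  { domain: '__proto__', path: '/', key: 'polluted', value: 'yes' },
];

// Naive: plain `{}` literals inherit from Object.prototype, so
// idx['__proto__'] resolves to Object.prototype itself and the nested
// writes below it become visible on every object in the process.
class NaiveMemoryStore {
  constructor() { this.idx = {}; }
  putCookie(cookie) {
    const { domain, path, key } = cookie;
    if (!this.idx[domain]) this.idx[domain] = {};
    if (!this.idx[domain][path]) this.idx[domain][path] = {};
    this.idx[domain][path][key] = cookie;
  }
}

// Hardened: every level of the index is a null-prototype object, so
// '__proto__' (or 'constructor') is just an ordinary own key.
class HardenedMemoryStore {
  constructor() { this.idx = Object.create(null); }
  putCookie(cookie) {
    const { domain, path, key } = cookie;
    if (!this.idx[domain]) this.idx[domain] = Object.create(null);
    if (!this.idx[domain][path]) this.idx[domain][path] = Object.create(null);
    this.idx[domain][path][key] = cookie;
  }
  findCookies(domain, path) {
    const byPath = this.idx[domain];
    if (!byPath || !byPath[path]) return [];
    return Object.values(byPath[path]);
  }
}

// Detection probe: Object.prototype should never gain a '/' (path) key.
function prototypeIsPolluted() {
  return Object.prototype.hasOwnProperty.call(Object.prototype, '/');
}

// Loads the same cookies into both stores and reports whether each one
// leaked into Object.prototype. Removes the naive store's leak afterwards
// so the process is left as it was found.
function compareStores() {
  const naive = new NaiveMemoryStore();
  SAMPLE_COOKIES.forEach(c => naive.putCookie(c));
  const naivePolluted = prototypeIsPolluted();
  delete Object.prototype['/'];

  const hardened = new HardenedMemoryStore();
  SAMPLE_COOKIES.forEach(c => hardened.putCookie(c));
  const hardenedPolluted = prototypeIsPolluted();
  // The hostile domain is stored as an own key of the null-prototype index.
  const hostileKeyIsOwn = Object.prototype.hasOwnProperty.call(hardened.idx, '__proto__');
  const found = hardened.findCookies('example.com', '/').map(c => c.key);

  return { naivePolluted, hardenedPolluted, hostileKeyIsOwn, found };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(compareStores());
}
```

The probe is the check worth keeping in a test suite for any object used as a map keyed by untrusted input: after loading data, assert that a fresh `{}` has gained no keys. Using `Object.create(null)` (or a `Map`) at every level of the index removes the inherited `__proto__` accessor, which is what turns an ordinary write into a process-wide one.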

…and @backstage/backend-common

Bumps [tough-cookie](https://github.com/salesforce/tough-cookie) to 4.1.3 and updates ancestor dependencies [tough-cookie](https://github.com/salesforce/tough-cookie), [@backstage/plugin-scaffolder-backend](https://github.com/backstage/backstage/tree/HEAD/plugins/scaffolder-backend) and [@backstage/backend-common](https://github.com/backstage/backstage/tree/HEAD/packages/backend-common). These dependencies need to be updated together.


Updates `tough-cookie` from 4.1.2 to 4.1.3
- [Release notes](https://github.com/salesforce/tough-cookie/releases)
- [Changelog](https://github.com/salesforce/tough-cookie/blob/master/CHANGELOG.md)
- [Commits](salesforce/tough-cookie@v4.1.2...v4.1.3)

Updates `@backstage/plugin-scaffolder-backend` from 1.8.0 to 1.15.0
- [Release notes](https://github.com/backstage/backstage/releases)
- [Changelog](https://github.com/backstage/backstage/blob/master/plugins/scaffolder-backend/CHANGELOG.md)
- [Commits](https://github.com/backstage/backstage/commits/v1.15.0/plugins/scaffolder-backend)

Updates `@backstage/backend-common` from 0.16.0 to 0.19.0
- [Release notes](https://github.com/backstage/backstage/releases)
- [Changelog](https://github.com/backstage/backstage/blob/master/packages/backend-common/CHANGELOG.md)
- [Commits](https://github.com/backstage/backstage/commits/v0.19.0/packages/backend-common)

---
updated-dependencies:
- dependency-name: tough-cookie
  dependency-type: indirect
- dependency-name: "@backstage/plugin-scaffolder-backend"
  dependency-type: direct:production
- dependency-name: "@backstage/backend-common"
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Jul 9, 2023