fix(deps): update dependency @backstage/plugin-catalog-backend to v1.26.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@backstage/plugin-catalog-backend (source)	1.24.0 -> 1.26.0

---

@​backstage/plugin-catalog-backend Prototype Pollution vulnerability

CVE-2024-45815 / GHSA-3x3f-jcp3-g22j

More information

Details

Impact

A malicious actor with authenticated access to a Backstage instance with the catalog backend plugin installed is able to interrupt the service using a specially crafted query to the catalog API.

Patches

This has been fixed in the 1.26.0 release of the @backstage/plugin-catalog-backend package.

References

If you have any questions or comments about this advisory:

Open an issue in the Backstage repository
Visit our Discord, linked to in Backstage README

Severity

• CVSS Score: 6.5 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/backstage/backstage/security/advisories/GHSA-3x3f-jcp3-g22j
• https://nvd.nist.gov/vuln/detail/CVE-2024-45815
• https://github.com/backstage/backstage

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

backstage/backstage (@​backstage/plugin-catalog-backend)

v1.26.0

Compare Source

Minor Changes

• 74acf06: Add dependencyOf prop to catalog model for Component kind to enable building relationship graphs with both directions using dependsOn and dependencyOf.
• 78475c3: Allow offset mode paging in entity list provider
• bd35cdb: The analyze-location endpoint is now protected by the catalog.location.analyze permission.
  The validate-entity endpoint is now protected by the catalog.entity.validate permission.

Patch Changes

• 1882cfe: Moved getEntities ordering to utilize database instead of having it inside catalog client

  Please note that the latest version of @backstage/catalog-client will not order the entities in the same way as before. This is because the ordering is now done in the database query instead of in the client. If you rely on the ordering of the entities, you may need to update your backend plugin or code to handle this change.

• d425fc4: Modules, plugins, and services are now BackendFeature, not a function that returns a feature.

• c2b63ab: Updated dependency supertest to ^7.0.0.

• 53cce86: Fixed an issue with the by-query call, where ordering by a field that does not exist on all entities led to not all results being returned

• Updated dependencies

  • @​backstage/backend-common@​0.25.0
  • @​backstage/backend-plugin-api@​1.0.0
  • @​backstage/catalog-model@​1.7.0
  • @​backstage/catalog-client@​1.7.0
  • @​backstage/plugin-search-backend-module-catalog@​0.2.2
  • @​backstage/plugin-permission-node@​0.8.3
  • @​backstage/plugin-catalog-common@​1.1.0
  • @​backstage/plugin-catalog-node@​1.13.0
  • @​backstage/integration@​1.15.0
  • @​backstage/backend-openapi-utils@​0.1.18
  • @​backstage/plugin-events-node@​0.4.0
  • @​backstage/config@​1.2.0
  • @​backstage/errors@​1.2.4
  • @​backstage/types@​1.1.1
  • @​backstage/plugin-permission-common@​0.8.1

v1.25.2

Compare Source

This release fixes an issue where requests for the public http routes for the events-backend were authenticated causing 401 errors.

v1.25.1

Compare Source

This release fixes an bug where the kubernetes plugin would crash reading credentials from undefined.

v1.25.0

Compare Source

Minor Changes

• 163ba08: Deprecated RouterOptions, CatalogBuilder, and CatalogEnvironment. Please make sure to upgrade to the new backend system.
• fc24d9e: Stop using @backstage/backend-tasks as it will be deleted in near future.

Patch Changes

• 776eb56: ProcessorOutputCollector returns an error when receiving deferred entities that have an invalid metadata.annotations format.

  This allows to return an error on an actual validation issue instead of reporting that the location annotations are missing afterwards, which is misleading for the users.

• 389f5a4: Update deprecated url-reader-related imports.

• 93095ee: Make sure node-fetch is version 2.7.0 or greater

• a629fb2: Added setAllowedLocationTypes while introducing a new extension point called CatalogLocationsExtensionPoint

• 51240ee: Preserve default allowedLocationTypes when setAllowedLocationTypes() of CatalogLocationsExtensionPoint is not called.

• Updated dependencies

  • @​backstage/backend-plugin-api@​0.8.0
  • @​backstage/backend-common@​0.24.0
  • @​backstage/plugin-permission-common@​0.8.1
  • @​backstage/plugin-permission-node@​0.8.1
  • @​backstage/plugin-search-backend-module-catalog@​0.2.0
  • @​backstage/plugin-catalog-node@​1.12.5
  • @​backstage/integration@​1.14.0
  • @​backstage/catalog-model@​1.6.0
  • @​backstage/backend-openapi-utils@​0.1.16
  • @​backstage/catalog-client@​1.6.6
  • @​backstage/config@​1.2.0
  • @​backstage/errors@​1.2.4
  • @​backstage/types@​1.1.1
  • @​backstage/plugin-catalog-common@​1.0.26
  • @​backstage/plugin-events-node@​0.3.9

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.