fix(deps): update dependency @backstage/plugin-scaffolder-backend to v3.1.5 [security] #4405
Hi @renovate[bot]. Thanks for your PR. I'm waiting for a redhat-developer member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
…v3.1.5 [security] Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>



This PR contains the following updates:
3.1.3 → 3.1.5
GitHub Vulnerability Alerts
CVE-2026-32237
Impact
Authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all parts of the response payload.
Deployments that have configured scaffolder.defaultEnvironment.secrets are affected.
Patches
This is patched in @backstage/plugin-scaffolder-backend version 3.1.5.
Workarounds
Remove or empty the scaffolder.defaultEnvironment.secrets configuration from app-config.yaml. Alternatively, restrict access to the scaffolder dry-run functionality via the permissions framework.
References
Release Notes
backstage/backstage (@backstage/plugin-scaffolder-backend)
v3.1.5
v3.1.4
Patch Changes
4e39e63: Removed unused dependencies
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
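
The advisory's two conditions (a plugin version below the patched 3.1.5, and a non-empty scaffolder.defaultEnvironment.secrets block in app-config.yaml) can be checked together before deciding how urgently to merge. The following is an added example, not code from Backstage, Renovate or this repository; the function names and the sample config are constructed, and it assumes every version below 3.1.5 is unpatched and that the config uses block-style YAML.

```javascript
// Added example (not Backstage or Renovate code); sample input is constructed.
const PATCHED = [3, 1, 5]; // fixed version named in the advisory

// True when version >= 3.1.5. Pre-release suffixes are ignored (assumption).
function isPatched(version) {
  const parts = version.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const n = parts[i] || 0;
    if (n !== PATCHED[i]) return n > PATCHED[i];
  }
  return true;
}

// Names (never values) configured under scaffolder.defaultEnvironment.secrets.
// Handles block-style YAML; a non-empty inline value on the key is flagged too.
function secretKeys(yamlText) {
  const path = ['scaffolder', 'defaultEnvironment', 'secrets'];
  const empty = ['', '{}', 'null', '~'];
  const stack = []; // currently open mapping keys with their indentation
  const found = [];
  for (const raw of yamlText.split('\n')) {
    const m = /^(\s*)([\w.-]+):\s*(.*)$/.exec(raw.replace(/\s+#.*$/, ''));
    if (!m) continue;
    const [indent, key, value] = [m[1].length, m[2], m[3].trim()];
    while (stack.length && stack[stack.length - 1].indent >= indent) stack.pop();
    const here = [...stack.map((s) => s.key), key];
    if (here.length === 4 && path.every((k, i) => here[i] === k)) found.push(key);
    if (here.join('.') === path.join('.') && !empty.includes(value)) found.push('<inline value>');
    stack.push({ indent, key });
  }
  return found;
}

// Exposed only when both advisory conditions hold.
function assess(installedVersion, appConfigYaml) {
  const patched = isPatched(installedVersion);
  const secrets = secretKeys(appConfigYaml);
  return { patched, secrets, exposed: !patched && secrets.length > 0 };
}

const SAMPLE_CONFIG = [ // constructed app-config.yaml fragment
  'app:',
  '  title: Example',
  'scaffolder:',
  '  defaultEnvironment:',
  '    secrets:  # constructed sample',
  '      DEPLOY_TOKEN: ${DEPLOY_TOKEN}',
  '      NPM_TOKEN: ${NPM_TOKEN}',
].join('\n');
console.log(assess('3.1.3', SAMPLE_CONFIG));
```

The check reports only the names of configured secrets, so its output can be pasted into a ticket without repeating the exposure.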