7422430: Resolve the basePath before constructing the target path
999224f: Bump dependency minimatch to v9
e0b997c: Fix issue where resolveSafeChildPath path would incorrectly resolve when operating on a symlink
9802004: Added the UserInfoApi as both an optional input and as an output for createLegacyAuthAdapters
2af5354: Bump dependency jose to v5
ff40ada: Updated dependency mysql2 to ^3.0.0.
0fb419b: Updated dependency uuid to ^9.0.0.
Updated dependency @types/uuid to ^9.0.0.
568881f: Updated dependency yauzl to ^3.0.0.
4a3d434: Added a createLegacyAuthAdapters function that can be used as a compatibility adapter for backend plugins who want to start using the new auth and httpAuth services that were created as part of BEP-0003.
4a3d434: BREAKING: For users that have migrated to the new backend system, incoming requests will now be rejected if they are not properly authenticated (e.g. with a Backstage bearer token or a backend token). Please see the Auth Service Migration tutorial for more information on how to circumvent this behavior in the short term and how to properly leverage it in the longer term.
Added service factories for the new auth, httpAuth, and userInfo services that were created as part of BEP-0003.
Patch Changes
999224f: Bump dependency minimatch to v9
81e0120: Fixed an issue where configuration schema for the purpose of redacting secrets from logs was not being read correctly.
15fda44: Provide some sane defaults for WinstonLogger.create making some of the arguments optional
0502d82: Updated the permissionsServiceFactory to forward the AuthService to the implementation.
9d91128: Add the possibility to disable watching files in the new backend system
a5d341e: Adds an initial rate-limiting implementation so that any incoming requests that have a 'none' principal are rate-limited automatically.
9802004: Made the DefaultUserInfoService claims check stricter
f235ca7: Make sure to not filter out schemas in createConfigSecretEnumerator
af5f7a6: The experimental feature discovery service exported at the /alpha sub-path will no longer attempt to load packages that are not Backstage backend packages.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/back-stack/showcase/network/alerts).
Bumps the npm_and_yarn group with 10 updates in the /backstage directory:
0.19.8
0.19.10
4.18.2
4.19.2
4.3.1
4.3.3
10.9.1
10.9.2
4.2.1
4.2.3
1.15.3
1.15.6
2.0.0
2.0.1
4.15.4
4.15.5
5.26.5
5.28.3
5.3.3
5.3.4
Updates
@backstage/backend-common
from 0.19.8 to 0.19.10Changelog
Sourced from
@backstage/backend-common
's changelog.... (truncated)
Commits
Updates
express
from 4.18.2 to 4.19.2Release notes
Sourced from express's releases.
... (truncated)
Changelog
Sourced from express's changelog.
Commits
04bc627
4.19.2da4d763
Improved fix for open redirect allow list bypass4f0f6cc
4.19.1a003cfa
Allow passing non-strings to res.location with new encoding handling checks f...a1fa90f
fixed un-edited version in history.md for 4.19.011f2b1d
build: fix build due to inconsistent supertest behavior in older versions084e365
4.19.00867302
Prevent open redirect allow list bypass due to encodeurl567c9c6
Add note on how to update docs for new release (#5541)69a4cf2
deps: cookie@0.6.0Maintainer changes
This version was pushed to npm by wesleytodd, a new releaser for express since your current version.
Updates
@adobe/css-tools
from 4.3.1 to 4.3.3Changelog
Sourced from
@adobe/css-tools
's changelog.Commits
Updates
@backstage/backend-app-api
from 0.5.7 to 0.5.14Changelog
Sourced from
@backstage/backend-app-api
's changelog.... (truncated)
Commits
Updates
@octokit/webhooks
from 10.9.1 to 10.9.2Release notes
Sourced from
@octokit/webhooks
's releases.Commits
09ca15c
Update release.yml2618438
fix: Handle verify error (#916)Updates
browserify-sign
from 4.2.1 to 4.2.3Changelog
Sourced from browserify-sign's changelog.
Commits
bf2c3ec
v4.2.39247adf
[patch] widen support to 0.12f427270
[Deps] update `parse-asn187f3a35
[Dev Deps] updateaud
,npmignore
,tape
fb261ce
[Deps] updateelliptic
4d0ee49
[patch] drop minimum node support to v19e2bf12
[Deps] pinhash-base
to ~3.0, due to a breaking change168e16f
[Deps] pinelliptic
due to a breaking change37a4758
[actions] remove redundant finisher4af5a90
v4.2.2Maintainer changes
This version was pushed to npm by ljharb, a new releaser for browserify-sign since your current version.
Updates
follow-redirects
from 1.15.3 to 1.15.6Commits
35a517c
Release version 1.15.6 of the npm package.c4f847f
Drop Proxy-Authorization across hosts.8526b4a
Use GitHub for disclosure.b1677ce
Release version 1.15.5 of the npm package.d8914f7
Preserve fragment in responseUrl.6585820
Release version 1.15.4 of the npm package.7a6567e
Disallow bracketed hostnames.05629af
Prefer native URL instead of deprecated url.parse.1cba8e8
Prefer native URL instead of legacy url.resolve.72bc2a4
Simplify _processResponse error handling.Updates
ip
from 2.0.0 to 2.0.1Commits
3b0994a
2.0.132f468f
lib: fixed CVE-2023-42282 and added unit testUpdates
jose
from 4.15.4 to 4.15.5Release notes
Sourced from jose's releases.
Changelog
Sourced from jose's changelog.
Commits
765aafd
chore(release): 4.15.5b36e45e
test: add export check to x509 pem import testse839ecb
test: stop testing JWE RSA1_5 Algorithm1b91d88
fix: add a maxOutputLength option to zlib inflate9ca2b24
build: remove release actionf3035d8
chore: cleanup after releaseUpdates
undici
from 5.26.5 to 5.28.3Release notes
Sourced from undici's releases.
... (truncated)
Commits
e71cb4c
Bumped v5.28.320c65b8
Fix tests for Node.js v20.11.0 (#2618)8ec52cd
Fix tests for Node.js v21 (#2609)d3aa574
Merge pull request from GHSA-3787-6prv-h9w39a14e5f
Bumped v5.28.2fcdfe87
build(deps): bump actions/upload-artifact from 3.1.2 to 3.1.3 (#2302)169c157
build(deps-dev): bump formdata-node from 4.4.1 to 6.0.3 (#2389)9788177
build(deps): bump step-security/harden-runner from 2.5.0 to 2.6.0 (#2392)1f6d159
build(deps): bump actions/setup-node from 3.8.1 to 4.0.0 (#2395)a393a86
build(deps): bump ossf/scorecard-action from 2.2.0 to 2.3.1 (#2396)Updates
webpack-dev-middleware
from 5.3.3 to 5.3.4Release notes
Sourced from webpack-dev-middleware's releases.
Changelog
Sourced from webpack-dev-middleware's changelog.
Commits
86071ea
chore(release): 5.3.4189c4ac
fix(security): do not allow to read files above (#1779)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show