Skip to content

fix(deps): update dependency @backstage/plugin-permission-backend to ^0.6.0 #19

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

fix(deps): update dependency @backstage/plugin-permission-backend to ^0.6.0 #19

wants to merge 1 commit into from

Conversation

@mend-on-mend
Copy link

@mend-on-mend mend-on-mend bot commented Sep 3, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
@backstage/plugin-permission-backend (source) ^0.5.55 -> ^0.6.0 age confidence

Permission policy information leakage in Backstage permission system

CVE-2025-32791 / GHSA-f8j4-p5cr-p777

More information

Details

Impact

A vulnerability in the Backstage permission plugin backend allows callers to extract some information about the conditional decisions returned by the permission policy installed in the permission backend. If the permission system is not in use or if the installed permission policy does not use conditional decisions, there is no impact.

Patches

This issue has been resolved in version 0.6.0 of the permissions backend.

Workarounds

Administrators of the permission policies can ensure that they are crafted in such a way that conditional decisions do not contain any sensitive information.

References

If you have any questions or comments about this advisory:

Open an issue in the Backstage repository
Visit our Discord, linked to in Backstage README

Severity

  • CVSS Score: 4.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

backstage/backstage (@​backstage/plugin-permission-backend)

v0.6.0

Compare Source

Minor Changes
  • 78eaa50: Improved validation for the /authorize endpoint when a resourceRef is provided alongside a basic permission. Additionally, introduced a clearer error message for cases where users attempt to directly evaluate conditional permissions.
Patch Changes

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

@coderabbitai
Copy link

coderabbitai bot commented Sep 3, 2025
edited
Loading

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Comment @coderabbitai help to get the list of available commands and usage tips.

@mend-on-mend mend-on-mend bot force-pushed the whitesource-remediate/npm-backstage-plugin-permission-backend-vulnerability branch 2 times, most recently from e733cb5 to 10aff9b Compare September 8, 2025 10:22
@mend-on-mend mend-on-mend bot changed the title Update dependency @backstage/plugin-permission-backend to ^0.6.0 fix(deps): update dependency @backstage/plugin-permission-backend to ^0.6.0 Sep 8, 2025
@mend-on-mend mend-on-mend bot force-pushed the whitesource-remediate/npm-backstage-plugin-permission-backend-vulnerability branch from 10aff9b to 0936e9f Compare September 11, 2025 10:28
@mend-on-mend
fix(deps): update dependency @backstage/plugin-permission-backend to …
5fe4440 
…^0.6.0

Signed-off-by: mend-on-mend[bot] <mend-on-mend[bot]@users.noreply.github.com>
@mend-on-mend mend-on-mend bot force-pushed the whitesource-remediate/npm-backstage-plugin-permission-backend-vulnerability branch from 0936e9f to 5fe4440 Compare September 16, 2025 07:04
@github-actions
Copy link

github-actions bot commented Sep 30, 2025

This PR has been automatically marked as stale because it has not had recent activity from the author. It will be closed if no further activity occurs. If the PR was closed and you want it re-opened, let us know and we'll re-open the PR so that you can continue the contribution!

@github-actions github-actions bot added the stale label Sep 30, 2025
@github-actions github-actions bot closed this Oct 7, 2025
@mend-on-mend
Copy link
Author

mend-on-mend bot commented Oct 7, 2025

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (^0.6.0). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

@mend-on-mend mend-on-mend bot deleted the whitesource-remediate/npm-backstage-plugin-permission-backend-vulnerability branch October 7, 2025 16:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies security stale

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant