[Snyk] Security upgrade @backstage/theme from 0.0.0-use.local to 0.1.1 #9882
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-REMIXRUNROUTER-14908530 - https://snyk.io/vuln/SNYK-JS-REACTROUTER-14908286 - https://snyk.io/vuln/SNYK-JS-REMIXRUNROUTER-14908287
Review or Edit in CodeSandboxOpen the branch in Web Editor • VS Code • Insiders |
Author
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
![entelligence-ai-pr-reviews[bot]](https://avatars.githubusercontent.com/in/932812?s=60&v=4){kind=small}
There was a problem hiding this comment.
Sequence Diagram
This diagram shows the interactions between components:
sequenceDiagram
participant Dev as Developer
participant PM as Package Manager
participant WS as Workspace
participant NPM as NPM Registry
participant Plugin as Splunk-on-Call Plugin
Note over Dev,Plugin: Dependency Resolution Change
Dev->>PM: Install dependencies for splunk-on-call plugin
alt Before Change (workspace:^)
PM->>WS: Resolve @backstage/theme from workspace
WS-->>PM: Return local workspace version
PM->>Plugin: Link workspace theme package
else After Change (0.1.1)
PM->>NPM: Fetch @backstage/theme@0.1.1
NPM-->>PM: Return published version 0.1.1
PM->>Plugin: Install pinned theme version
end
Note over Plugin: Plugin now uses fixed theme version<br/>instead of workspace reference
Install the extension
Note for Windsurf
Please change the default marketplace provider to the following in the windsurf settings:Marketplace Extension Gallery Service URL: https://marketplace.visualstudio.com/_apis/public/gallery
Marketplace Gallery Item URL: https://marketplace.visualstudio.com/items
Entelligence.ai can learn from your feedback. Simply add 👍 / 👎 emojis to teach it your preferences. More shortcuts below
Emoji Descriptions:
⚠️ Potential Issue - May require further investigation.- 🔒 Security Vulnerability - Fix to ensure system safety.
- 💻 Code Improvement - Suggestions to enhance code quality.
- 🔨 Refactor Suggestion - Recommendations for restructuring code.
- ℹ️ Others - General comments and information.
Interact with the Bot:
- Send a message or request using the format:
@entelligenceai + *your message*
Example: @entelligenceai Can you suggest improvements for this code?
- Help the Bot learn by providing feedback on its responses.
@entelligenceai + *feedback*
Example: @entelligenceai Do not comment on `save_auth` function !
Also you can trigger various commands with the bot by doing
@entelligenceai command
The current supported commands are
config- shows the current configretrigger_review- retriggers the review
More commands to be added soon.
Comment on lines
37
to
43
| "@backstage/core-components": "workspace:^", | ||
| "@backstage/core-plugin-api": "workspace:^", | ||
| "@backstage/plugin-catalog-react": "workspace:^", | ||
| "@backstage/theme": "workspace:^", | ||
| "@backstage/theme": "0.1.1", | ||
| "@material-ui/core": "^4.12.2", | ||
| "@material-ui/icons": "^4.9.1", | ||
| "@material-ui/lab": "4.0.0-alpha.61", |
There was a problem hiding this comment.
Correctness: Line 6: Pinning @backstage/theme to 0.1.1 breaks monorepo resolution—all other deps use workspace:^. Revert to "@backstage/theme": "workspace:^".
🤖 AI Agent Prompt for Cursor/Windsurf
📋 Copy this prompt to your AI coding assistant (Cursor, Windsurf, etc.) to get help fixing this issue
File: plugins/splunk-on-call/package.json, Line 40
Problem: The dependency `@backstage/theme` has been changed from `workspace:^` to a pinned version `0.1.1`, breaking the monorepo workspace protocol used by all other Backstage dependencies in this file.
Fix Instructions:
1. Revert the change to use the workspace protocol
2. Change `"@backstage/theme": "0.1.1"` back to `"@backstage/theme": "workspace:^"`
3. This ensures consistency with other Backstage dependencies (@backstage/catalog-model, @backstage/core-components, @backstage/core-plugin-api, @backstage/plugin-catalog-react) which all use `workspace:^`
4. The workspace protocol ensures the local monorepo version is used during development and properly resolved during publishing
✨ Committable Code Suggestion
💡 This is a one-click fix! Click "Commit suggestion" to apply this change directly to your branch.
Suggested change
| "@backstage/core-components": "workspace:^", | |
| "@backstage/core-plugin-api": "workspace:^", | |
| "@backstage/plugin-catalog-react": "workspace:^", | |
| "@backstage/theme": "workspace:^", | |
| "@backstage/theme": "0.1.1", | |
| "@material-ui/core": "^4.12.2", | |
| "@material-ui/icons": "^4.9.1", | |
| "@material-ui/lab": "4.0.0-alpha.61", | |
| "@backstage/catalog-model": "workspace:^", | |
| "@backstage/core-components": "workspace:^", | |
| "@backstage/core-plugin-api": "workspace:^", | |
| "@backstage/plugin-catalog-react": "workspace:^", | |
| "@backstage/theme": "workspace:^", | |
| "@material-ui/core": "^4.12.2", | |
| "@material-ui/icons": "^4.9.1", | |
| "@material-ui/lab": "4.0.0-alpha.61", |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Snyk has created this PR to fix 3 vulnerabilities in the yarn dependencies of this project.
Snyk changed the following file(s):
plugins/splunk-on-call/package.jsonNote for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the
.yarn/cache/directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to runyarnto update the contents of the./yarn/cachedirectory.If you are not using zero-install you can ignore this as your flow should likely be unchanged.
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-REMIXRUNROUTER-14908530
SNYK-JS-REACTROUTER-14908286
SNYK-JS-REMIXRUNROUTER-14908287
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Open Redirect
🦉 Cross-site Scripting (XSS)