[Snyk] Fix for 20 vulnerabilities

[snyk-io]

Snyk has created this PR to fix 20 vulnerabilities in the yarn dependencies of this project.

Snyk changed the following file(s):

• plugins/todo/package.json

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory.
If you are not using zero-install you can ignore this as your flow should likely be unchanged.

⚠️ Warning

Failed to update the yarn.lock, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Predictable Value Range from Previous Values SNYK-JS-FORMDATA-10841150	695
	Incomplete List of Disallowed Inputs SNYK-JS-BABELTRAVERSE-5962462	690
	Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-8187303	690
	Remote Code Execution (RCE) SNYK-JS-JSONPATHPLUS-7945884	690
	Remote Code Execution (RCE) SNYK-JS-JSONPATHPLUS-8719585	690
	Function Call With Incorrect Argument Type SNYK-JS-CIPHERBASE-12084814	680
	Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-7577916	680
	Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-7577917	680
	Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-7577918	680
	Generation of Predictable Numbers or Identifiers SNYK-JS-PBKDF2-10495496	680
	Function Call With Incorrect Argument Type SNYK-JS-SHAJS-12089400	680
	Information Exposure SNYK-JS-ELLIPTIC-8720086	675
	Prototype Pollution SNYK-JS-LINKIFYJS-11502189	665
	Server-side Request Forgery (SSRF) SNYK-JS-IP-6240864	655
	Prototype Pollution SNYK-JS-MYSQL2-6861580	635
	Server-side Request Forgery (SSRF) SNYK-JS-IP-12704893	620
	Server-side Request Forgery (SSRF) SNYK-JS-IP-12761655	620
	Improper Handling of Unicode Encoding SNYK-JS-TAR-15038581	595
	Regular Expression Denial of Service (ReDoS) SNYK-JS-DIFF-14917201	590
	Use of a Cryptographic Primitive with a Risky Implementation SNYK-JS-ELLIPTIC-14908844	590

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Predictable Value Range from Previous Values
🦉 Remote Code Execution (RCE)
🦉 Information Exposure
🦉 More lessons are available in Snyk Learn

---

EntelligenceAI PR Summary

Updated dependency management strategy in the todo plugin to use explicit version pinning instead of workspace protocol.

• Replaced workspace:^ with fixed version 0.8.6 for @backstage/core-components
• Replaced workspace:^ with fixed version 0.1.0 for @backstage/core-plugin-api
• Replaced workspace:^ with fixed version 0.1.1 for @backstage/errors
• Replaced workspace:^ with fixed version 0.1.1 for @backstage/theme
• Changes made in plugins/todo/package.json

[codesandbox]

Review or Edit in CodeSandbox

Open the branch in Web Editor • VS Code • Insiders

Open Preview

[snyk-io]

⛔ Snyk checks have failed. 1 issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (1)
⛔	Open Source Security	0	0	1	0	1 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[entelligence-ai-pr-reviews]

Walkthrough

This PR updates the dependency management strategy for the todo plugin by replacing workspace protocol references with explicit version pinning. Four Backstage packages are affected: core-components (0.8.6), core-plugin-api (0.1.0), errors (0.1.1), and theme (0.1.1). The change moves away from monorepo workspace resolution (workspace:^) to fixed version specifications. This modification likely supports independent plugin publishing or establishes stricter dependency version control to ensure consistent behavior across different deployment scenarios.

Changes

File(s)	Summary
plugins/todo/package.json	Changed dependency resolution from workspace protocol (workspace:^) to explicit version pinning for four Backstage packages: @backstage/core-components (0.8.6), @backstage/core-plugin-api (0.1.0), @backstage/errors (0.1.1), and @backstage/theme (0.1.1).

Sequence Diagram

This diagram shows the interactions between components:

sequenceDiagram
    participant Dev as Developer
    participant PM as Package Manager
    participant Todo as @backstage/plugins/todo
    participant Core as @backstage/core-components
    participant API as @backstage/core-plugin-api
    participant Errors as @backstage/errors
    participant Theme as @backstage/theme

    Dev->>PM: npm install / yarn install
    PM->>Todo: Read package.json
    Note over Todo: Dependencies changed from<br/>workspace:^ to fixed versions
    PM->>Core: Resolve @backstage/core-components@0.8.6
    Core-->>PM: Return package
    PM->>API: Resolve @backstage/core-plugin-api@0.1.0
    API-->>PM: Return package
    PM->>Errors: Resolve @backstage/errors@0.1.1
    Errors-->>PM: Return package
    PM->>Theme: Resolve @backstage/theme@0.1.1
    Theme-->>PM: Return package
    PM-->>Dev: Dependencies installed with fixed versions

Loading

▶️ ⚡ AI Code Reviews for VS Code, Cursor, Windsurf
Install the extension

Note for Windsurf

Please change the default marketplace provider to the following in the windsurf settings:

Marketplace Extension Gallery Service URL: https://marketplace.visualstudio.com/_apis/public/gallery

Marketplace Gallery Item URL: https://marketplace.visualstudio.com/items

Entelligence.ai can learn from your feedback. Simply add 👍 / 👎 emojis to teach it your preferences. More shortcuts below

Emoji Descriptions:

• ⚠️ Potential Issue - May require further investigation.
• 🔒 Security Vulnerability - Fix to ensure system safety.
• 💻 Code Improvement - Suggestions to enhance code quality.
• 🔨 Refactor Suggestion - Recommendations for restructuring code.
• ℹ️ Others - General comments and information.

Interact with the Bot:

• Send a message or request using the format:
  @entelligenceai + *your message*

Example: @entelligenceai Can you suggest improvements for this code?

• Help the Bot learn by providing feedback on its responses.
  @entelligenceai + *feedback*

Example: @entelligenceai Do not comment on `save_auth` function !

Also you can trigger various commands with the bot by doing
@entelligenceai command

The current supported commands are

1. config - shows the current config
2. retrigger_review - retriggers the review

More commands to be added soon.