fix(deps): update dependency @backstage/plugin-scaffolder-backend to v3 [security]

[shapirov103]

This PR contains the following updates:

Package	Change	Age	Confidence
@backstage/plugin-scaffolder-backend (source)	^2.0.0 → ^3.0.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2026-29184

Impact

A malicious scaffolder template can bypass the log redaction mechanism to exfiltrate secrets provided run through task event logs.

The attack requires:

• The ability to register a template in the catalog
• A victim who executes the malicious template

Patches

Patched in @backstage/plugin-scaffolder-backend version 3.1.4

Workarounds

• Implement a custom permission policy that restricts scaffolder.task.read so users can only read their own task logs
• Restrict who can register templates in the catalog to trusted users only

Resources

• Backstage Scaffolder permissions documentation: https://backstage.io/docs/permissions/plugin-authors/01-setup/
• Backstage Threat Model: https://backstage.io/docs/overview/threat-model/

---

Release Notes

backstage/backstage (@​backstage/plugin-scaffolder-backend)

v3.1.4

Compare Source

Patch Changes

• 4e39e63: Removed unused dependencies
• Updated dependencies
  • @​backstage/integration@​1.21.0-next.0
  • @​backstage/plugin-catalog-node@​2.1.0-next.0
  • @​backstage/backend-plugin-api@​1.7.1-next.0
  • @​backstage/backend-openapi-utils@​0.6.7-next.0
  • @​backstage/catalog-model@​1.7.6
  • @​backstage/config@​1.3.6
  • @​backstage/errors@​1.2.7
  • @​backstage/types@​1.2.2
  • @​backstage/plugin-events-node@​0.4.20-next.0
  • @​backstage/plugin-permission-common@​0.9.6
  • @​backstage/plugin-permission-node@​0.10.11-next.0
  • @​backstage/plugin-scaffolder-common@​1.7.7-next.0
  • @​backstage/plugin-scaffolder-node@​0.12.6-next.0

v3.1.3

Compare Source

Patch Changes

• 7455dae: Use node prefix on native imports
• 4fc7bf0: Removed unused dependency
• 0ce78b0: Support if conditions inside each loops for scaffolder steps
• 5e3ef57: Added peerModules metadata declaring recommended modules for cross-plugin integrations.
• 8148621: Moved @backstage/backend-defaults from dependencies to devDependencies.
• 1e669cc: Migrate audit events reference docs to http://backstage.io/docs.
• 69d880e: Bump to latest zod to ensure it has the latest features
• Updated dependencies
  • @​backstage/plugin-scaffolder-backend-module-gitlab@​0.11.3
  • @​backstage/integration@​1.20.0
  • @​backstage/plugin-catalog-backend-module-scaffolder-entity-model@​0.2.17
  • @​backstage/plugin-catalog-node@​2.0.0
  • @​backstage/plugin-scaffolder-backend-module-bitbucket-cloud@​0.3.3
  • @​backstage/plugin-scaffolder-backend-module-bitbucket@​0.3.19
  • @​backstage/plugin-scaffolder-backend-module-gerrit@​0.2.18
  • @​backstage/plugin-scaffolder-backend-module-github@​0.9.6
  • @​backstage/plugin-scaffolder-backend-module-gitea@​0.2.18
  • @​backstage/backend-openapi-utils@​0.6.6
  • @​backstage/plugin-bitbucket-cloud-common@​0.3.7
  • @​backstage/backend-plugin-api@​1.7.0
  • @​backstage/plugin-scaffolder-node@​0.12.5
  • @​backstage/plugin-auth-node@​0.6.13
  • @​backstage/plugin-permission-common@​0.9.6
  • @​backstage/plugin-permission-node@​0.10.10
  • @​backstage/plugin-events-node@​0.4.19
  • @​backstage/plugin-scaffolder-backend-module-azure@​0.2.18
  • @​backstage/plugin-scaffolder-backend-module-bitbucket-server@​0.2.18
  • @​backstage/plugin-scaffolder-common@​1.7.6

v3.1.2

Compare Source

Patch Changes

• 7455dae: Use node prefix on native imports
• 4fc7bf0: Removed unused dependency
• 1e669cc: Migrate audit events reference docs to http://backstage.io/docs.
• 69d880e: Bump to latest zod to ensure it has the latest features
• Updated dependencies
  • @​backstage/plugin-catalog-backend-module-scaffolder-entity-model@​0.2.17-next.0
  • @​backstage/plugin-catalog-node@​1.21.0-next.0
  • @​backstage/plugin-scaffolder-backend-module-bitbucket-cloud@​0.3.2-next.0
  • @​backstage/plugin-scaffolder-backend-module-bitbucket@​0.3.19-next.0
  • @​backstage/plugin-scaffolder-backend-module-gerrit@​0.2.18-next.0
  • @​backstage/plugin-scaffolder-backend-module-github@​0.9.5-next.0
  • @​backstage/plugin-scaffolder-backend-module-gitlab@​0.11.2-next.0
  • @​backstage/plugin-scaffolder-backend-module-gitea@​0.2.18-next.0
  • @​backstage/backend-openapi-utils@​0.6.6-next.0
  • @​backstage/plugin-bitbucket-cloud-common@​0.3.7-next.0
  • @​backstage/backend-plugin-api@​1.7.0-next.0
  • @​backstage/backend-defaults@​0.15.1-next.0
  • @​backstage/plugin-scaffolder-node@​0.12.4-next.0
  • @​backstage/integration@​1.19.3-next.0
  • @​backstage/plugin-auth-node@​0.6.12-next.0
  • @​backstage/plugin-permission-common@​0.9.5-next.0
  • @​backstage/plugin-permission-node@​0.10.9-next.0
  • @​backstage/plugin-events-node@​0.4.19-next.0
  • @​backstage/plugin-scaffolder-backend-module-bitbucket-server@​0.2.18-next.0
  • @​backstage/catalog-model@​1.7.6
  • @​backstage/config@​1.3.6
  • @​backstage/errors@​1.2.7
  • @​backstage/types@​1.2.2
  • @​backstage/plugin-scaffolder-backend-module-azure@​0.2.18-next.0
  • @​backstage/plugin-scaffolder-common@​1.7.6-next.0

v3.1.1

Compare Source

Patch Changes

• 5012852: Remove unused abort controller in debug:wait action
• c641c14: Wrap some of the action logic with resolveSafeChildPath and improve symlink handling when fetching remote and local files
• 27f9061: REwrite]
• 872eb91: Upgrade zod-to-json-schema to latest version
• Updated dependencies
  • @​backstage/backend-defaults@​0.15.0
  • @​backstage/backend-plugin-api@​1.6.1
  • @​backstage/plugin-scaffolder-node@​0.12.3
  • @​backstage/integration@​1.19.2
  • @​backstage/backend-openapi-utils@​0.6.5
  • @​backstage/plugin-scaffolder-backend-module-github@​0.9.4
  • @​backstage/plugin-auth-node@​0.6.11
  • @​backstage/plugin-scaffolder-backend-module-azure@​0.2.17
  • @​backstage/plugin-permission-common@​0.9.4
  • @​backstage/plugin-permission-node@​0.10.8
  • @​backstage/plugin-bitbucket-cloud-common@​0.3.6
  • @​backstage/plugin-catalog-backend-module-scaffolder-entity-model@​0.2.16
  • @​backstage/plugin-scaffolder-backend-module-bitbucket@​0.3.18
  • @​backstage/plugin-scaffolder-backend-module-bitbucket-cloud@​0.3.1
  • @​backstage/plugin-scaffolder-backend-module-bitbucket-server@​0.2.17
  • @​backstage/plugin-scaffolder-backend-module-gerrit@​0.2.17
  • @​backstage/plugin-scaffolder-backend-module-gitea@​0.2.17
  • @​backstage/plugin-scaffolder-backend-module-gitlab@​0.11.1
  • @​backstage/plugin-scaffolder-common@​1.7.5

v3.1.0

Compare Source

Minor Changes

• a4cd405: Add defaultEnvironment config to scaffolder to enable more flexible and custom templates. Now it's possible enable access to default parameters and secrets in templates, improving security and reducing complexity.

Patch Changes

• be5972b: Fixed a bug where config was not passed to NunjucksWorkflowRunner, causing defaultEnvironment to be undefined
• de96a60: chore(deps): bump express from 4.21.2 to 4.22.0
• 2bae83a: Updated isolated-vm to 6.0.1
• 25b560e: Internal change to support new versions of the logform library
• 8f4aded: Fixing OpenAPI definition
• 1226647: Updated dependency esbuild to ^0.27.0.
• Updated dependencies
  • @​backstage/plugin-scaffolder-backend-module-gitlab@​0.11.0
  • @​backstage/integration@​1.19.0
  • @​backstage/plugin-auth-node@​0.6.10
  • @​backstage/plugin-scaffolder-backend-module-bitbucket-cloud@​0.3.0
  • @​backstage/plugin-bitbucket-cloud-common@​0.3.5
  • @​backstage/backend-defaults@​0.14.0
  • @​backstage/backend-openapi-utils@​0.6.4
  • @​backstage/plugin-events-node@​0.4.18
  • @​backstage/plugin-permission-node@​0.10.7
  • @​backstage/backend-plugin-api@​1.6.0
  • @​backstage/plugin-scaffolder-backend-module-github@​0.9.3
  • @​backstage/plugin-scaffolder-backend-module-bitbucket-server@​0.2.16
  • @​backstage/plugin-scaffolder-backend-module-bitbucket@​0.3.17
  • @​backstage/plugin-catalog-backend-module-scaffolder-entity-model@​0.2.15
  • @​backstage/plugin-catalog-node@​1.20.1
  • @​backstage/plugin-scaffolder-backend-module-azure@​0.2.16
  • @​backstage/plugin-scaffolder-backend-module-gerrit@​0.2.16
  • @​backstage/plugin-scaffolder-backend-module-gitea@​0.2.16
  • @​backstage/plugin-scaffolder-common@​1.7.4
  • @​backstage/plugin-scaffolder-node@​0.12.2

v3.0.2

Compare Source

v3.0.1

Compare Source

Patch Changes

• 05f60e1: Refactored constructor parameter properties to explicit property declarations for compatibility with TypeScript's erasableSyntaxOnly setting. This internal refactoring maintains all existing functionality while ensuring TypeScript compilation compatibility.
• Updated dependencies
  • @​backstage/backend-defaults@​0.13.1
  • @​backstage/plugin-catalog-node@​1.20.0
  • @​backstage/plugin-scaffolder-backend-module-bitbucket-cloud@​0.2.15
  • @​backstage/plugin-scaffolder-backend-module-bitbucket@​0.3.16
  • @​backstage/plugin-bitbucket-cloud-common@​0.3.4
  • @​backstage/integration@​1.18.2
  • @​backstage/plugin-scaffolder-backend-module-gitlab@​0.10.0
  • @​backstage/backend-plugin-api@​1.5.0
  • @​backstage/plugin-permission-common@​0.9.3
  • @​backstage/plugin-events-node@​0.4.17
  • @​backstage/plugin-auth-node@​0.6.9
  • @​backstage/config@​1.3.6
  • @​backstage/catalog-model@​1.7.6
  • @​backstage/plugin-scaffolder-node@​0.12.1
  • @​backstage/backend-openapi-utils@​0.6.3
  • @​backstage/plugin-catalog-backend-module-scaffolder-entity-model@​0.2.14
  • @​backstage/plugin-permission-node@​0.10.6
  • @​backstage/plugin-scaffolder-backend-module-azure@​0.2.15
  • @​backstage/plugin-scaffolder-backend-module-bitbucket-server@​0.2.15
  • @​backstage/plugin-scaffolder-backend-module-gerrit@​0.2.15
  • @​backstage/plugin-scaffolder-backend-module-gitea@​0.2.15
  • @​backstage/plugin-scaffolder-backend-module-github@​0.9.2
  • @​backstage/plugin-scaffolder-common@​1.7.3

v3.0.0

Compare Source

Major Changes

• 9b81a90: BREAKING - Removing the deprecated types and interfaces, there's no replacement for these types, and hopefully not currently used as they offer no value with the plugin being on the new backend system and no way to consume them.

  Affected types: CreateWorkerOptions, CurrentClaimedTask, DatabaseTaskStore, DatabaseTaskStoreOptions, TaskManager, TaskStore, TaskStoreCreateTaskOptions, TaskStoreCreateTaskResult, TaskStoreEmitOptions, TaskStoreListEventsOptions, TaskStoreRecoverTaskOptions, TaskStoreShutDownTaskOptions, TaskWorker and TemplateActionRegistry.

Patch Changes

• f222a2e: Fixed distributed actions not being visible in the scaffolder template actions.

  Depending on the plugin startup order, some of the distributed actions were not being registered correctly,
  causing them to be invisible in the scaffolder template actions list.

• Updated dependencies

  • @​backstage/backend-defaults@​0.13.0
  • @​backstage/integration@​1.18.1
  • @​backstage/plugin-scaffolder-backend-module-bitbucket-server@​0.2.14
  • @​backstage/plugin-scaffolder-backend-module-bitbucket-cloud@​0.2.14
  • @​backstage/plugin-scaffolder-backend-module-bitbucket@​0.3.15
  • @​backstage/plugin-scaffolder-backend-module-gerrit@​0.2.14
  • @​backstage/plugin-scaffolder-backend-module-github@​0.9.1
  • @​backstage/plugin-scaffolder-backend-module-gitlab@​0.9.6
  • @​backstage/plugin-scaffolder-backend-module-azure@​0.2.14
  • @​backstage/plugin-scaffolder-backend-module-gitea@​0.2.14
  • @​backstage/plugin-scaffolder-node@​0.12.0
  • @​backstage/config@​1.3.5
  • @​backstage/plugin-bitbucket-cloud-common@​0.3.3
  • @​backstage/backend-openapi-utils@​0.6.2
  • @​backstage/backend-plugin-api@​1.4.4
  • @​backstage/plugin-auth-node@​0.6.8
  • @​backstage/plugin-catalog-backend-module-scaffolder-entity-model@​0.2.13
  • @​backstage/plugin-catalog-node@​1.19.1
  • @​backstage/plugin-events-node@​0.4.16
  • @​backstage/plugin-permission-common@​0.9.2
  • @​backstage/plugin-permission-node@​0.10.5
  • @​backstage/plugin-scaffolder-common@​1.7.2

---

Configuration

📅 Schedule: (in timezone UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.