
upgrade semver to 7.5.3 #18534

Merged
merged 2 commits into from
Jul 10, 2023

Conversation


@andym0457 andym0457 commented Jul 4, 2023

Hey, I just made a Pull Request!

resolves #18439

✔️ Checklist

  • A changeset describing the change and affected packages. (more info)
  • Added or updated documentation
  • Tests for new functionality and regression tests for bug fixes
  • Screenshots attached (for UI changes)
  • All your commits have a Signed-off-by line in the message. (more info)


backstage-goalie bot commented Jul 4, 2023

Changed Packages

Package Name                              Package Path                    Changeset Bump   Current Version
@backstage/cli-node                       packages/cli-node               patch            v0.1.2-next.0
@backstage/cli                            packages/cli                    patch            v0.22.9-next.0
@backstage/plugin-devtools-backend        plugins/devtools-backend        patch            v0.1.2-next.1
@backstage/plugin-tech-insights-backend   plugins/tech-insights-backend   patch            v0.5.13-next.0

@andym0457 andym0457 marked this pull request as ready for review July 4, 2023 11:58

github-actions bot commented Jul 4, 2023

Uffizzi Preview deployment-30090 was deleted.

@andym0457
Contributor Author

How do I verify that these upgrades have fixed the vulnerability, as I do not have access to run the command sync:test?

Also, what do I do about vulnerabilities in packages that are using an older version of semver which were not listed, such as @babel/core, which is using version 6.3.0?

@benjdlambert
Member

Hey 👋 so you can try removing the older definitions from the yarn.lock manually and running yarn install, or maybe running yarn dedupe might help? There's also a spelling mistake in the changeset that needs fixing too 🤞
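One way to check a lockfile for the leftover semver resolutions discussed in the two comments above (the "how do I verify" question and the yarn.lock / yarn dedupe suggestion): an added example in Python, not Backstage's own code, that parses a constructed Yarn berry-format yarn.lock excerpt and lists every semver resolution below the version this PR targets, together with the packages that still pull it in. The lockfile excerpt and the (7, 5, 3) threshold are assumptions made for illustration.

```python
import re  # added example: audit a Yarn berry yarn.lock for old semver resolutions
THRESHOLD = (7, 5, 3)  # version this PR moves semver to; lower resolutions are reported
# Constructed yarn.lock excerpt in Yarn berry format (not Backstage's real lockfile).
SAMPLE_LOCK = '''"@babel/core@npm:^7.19.1":
  version: 7.19.1
  dependencies:
    semver: "npm:^6.3.0"

"make-dir@npm:^2.1.0":
  version: 2.1.0
  dependencies:
    semver: "npm:^5.7.1"

"semver@npm:^5.7.1":
  version: 5.7.1

"semver@npm:^6.0.0, semver@npm:^6.3.0":
  version: 6.3.0
'''

def parse_lock(text):  # descriptor -> {"name", "version", "deps"} for every lock block
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        header, *body = block.splitlines()
        descriptors = [d.strip(' "') for d in header.rstrip(":").split(",")]
        entry = {"name": descriptors[0].rsplit("@npm:", 1)[0], "version": "", "deps": {}}
        section = ""
        for line in body:
            key, _, value = line.strip().partition(":")
            if not line.startswith("    "):   # two-space keys: version:, dependencies:, ...
                section = key
            if key == "version":
                entry["version"] = value.strip()
            elif section == "dependencies" and line.startswith("    "):
                entry["deps"][key.strip('"')] = value.strip(' "')
        entries.update(dict.fromkeys(descriptors, entry))  # all descriptors share one block
    return entries

def version_tuple(v):
    return tuple(int(p) for p in v.split("-")[0].split("."))  # drop any pre-release tag

def find_stale_semver(entries, threshold=THRESHOLD):  # {old version: sorted dependents}
    findings = {}
    for e in entries.values():
        if e["name"] == "semver" and version_tuple(e["version"]) < threshold:
            findings.setdefault(e["version"], set())  # report even if nothing depends on it
        target = entries.get("semver@" + e["deps"].get("semver", ""))
        if target and version_tuple(target["version"]) < threshold:
            findings.setdefault(target["version"], set()).add(f'{e["name"]}@{e["version"]}')
    return {v: sorted(findings[v]) for v in sorted(findings, key=version_tuple)}
```

Running it on the sample reports 5.7.1 (pulled in by make-dir@2.1.0) and 6.3.0 (pulled in by @babel/core@7.19.1); pointing `parse_lock` at the repository's real yarn.lock gives the same breakdown for the actual tree.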

@benjdlambert
Member

Hey @andym0457 looks like there's some merge conflicts that have crept in here :(

resolves backstage#18439

Signed-off-by: Andy Muldoon <andy.muldoon@ericsson.com>
@andym0457 andym0457 force-pushed the semwer-upgrade branch 2 times, most recently from 8788479 to f1f7fc5 July 6, 2023 14:21
Signed-off-by: Andy Muldoon <andy.muldoon@ericsson.com>

andym0457 commented Jul 6, 2023

Hey @benjdlambert,

I've addressed the comments left and have rebased the pull request to remove the conflicts.
I still have some questions as to how to deal with packages that are using older versions of semver that I can't upgrade.
Some are using 5.7.1/6.3.0/7.0.0.

Here is a breakdown of which packages are still affected:
5.7.1

  • normalize-package-data@npm:2.5.0 -> latest 5.0.0
  • nodemon@npm:2.0.22 -> latest 2.0.22
  • node-abi@npm:2.30.1 -> latest 3.45.0
  • make-dir@npm:2.1.0 -> latest 4.0.0
  • cross-spawn@npm:6.0.5 -> latest 7.0.3
  • patch-package@npm:6.5.1 -> latest 7.0.0

6.3.0

  • make-dir@npm:3.1.0 -> latest 4.0.0
  • istanbul-lib-instrument@npm:5.1.0 -> latest 5.2.1
  • eslint-plugin-react@npm:7.32.2 -> latest 7.32.2
  • eslint-plugin-jsx-a11y@npm:6.7.1 -> latest 6.7.1
  • eslint-plugin-import@npm:2.27.5 -> latest 2.27.5
  • babel-plugin-polyfill-corejs2@npm:0.3.1 -> latest 0.4.4
  • @babel/preset-env@npm:7.18.9 -> latest 7.22.7
  • @babel/helper-define-polyfill-provider@npm:0.3.1 -> latest 0.4.1
  • @babel/helper-compilation-targets@npm:7.19.1 -> latest 7.22.6
  • @babel/core@npm:7.19.1 -> latest 7.22.8

7.0.0

  • core-js-compat@npm:3.23.5 -> latest 3.31.0

I'm not sure how to deal with these, as some are already on their latest and still have an old semver version in use. Or is the MR OK with upgrading the packages that can be upgraded, to resolve the issue?


cowboyd commented Jul 7, 2023

Also, it's hard to see if the failures are related to this change (I wouldn't expect that they are)


cowboyd commented Jul 10, 2023

My recommendation would be to upgrade as far as is possible with the currently released sets of packages. For downstream packages that have not yet released fixes, or for further upgrades, we should continue to integrate them as they come because not all usages of the vulnerable semver package result in an exposure to the attack, so the more we can remove the sooner, the better.


@benjdlambert benjdlambert left a comment


The changeset isn't super important here, as the fixed version is still in the accepted range for all these packages anyways, but it's nice to have. I think that this might be the best we can do right now until other packages update their semver ranges, but this is great for now!

@benjdlambert
Member

Going to merge this as the E2Es are failing because of upstream type issues.

@benjdlambert benjdlambert merged commit ef6b409 into backstage:master Jul 10, 2023
30 of 35 checks passed
@github-actions
Contributor

Thank you for contributing to Backstage! The changes in this pull request will be part of the 1.16.0 release, scheduled for Tue, 18 Jul 2023.

Successfully merging this pull request may close these issues.

Snyk vulnerability [SNYK-JS-SEMVER-3247795]