AxisCommunications · anicke · Feb 24, 2026 · Feb 9, 2026
@@ -0,0 +1,34 @@
+---
+'app-next': patch
+'app': patch
+'backend': patch
+'@axis-backstage/plugin-analytics-module-umami': patch
+'@axis-backstage/plugin-jira-dashboard-backend': patch
+'@axis-backstage/plugin-jira-dashboard': patch
+'@axis-backstage/plugin-readme-backend': patch
+'@axis-backstage/plugin-readme': patch
+'@axis-backstage/plugin-statuspage-backend': patch
+'@axis-backstage/plugin-statuspage': patch
+'@axis-backstage/plugin-vacation-calendar': patch
+---
+
+Fix critical security vulnerabilities by upgrading Backstage dependencies:
+
+**Security Fixes:**
+
+- Fixed CVE-2025-8101 (High Severity) in linkifyjs/linkify-react by upgrading @backstage/core-components from ^0.18.4 to ^0.18.6
+- Fixed CVE-2026-24046 (High Severity) - UNIX Symbolic Link Following in @backstage/backend-plugin-api by upgrading from ^1.6.0 to ^1.6.2
+- Fixed CVE-2026-24047 (High Severity) - Symlink Attack in @backstage/backend-defaults by upgrading from ^0.14.0 to ^0.15.1
+- Fixed SNYK-JS-QS-14724253 (High Severity) - Allocation of Resources Without Limits or Throttling in qs by adding resolution to ^6.14.1
+
+**Additional Package Upgrades:**
+Upgraded packages to versions that depend on patched Backstage core packages:
+
+- @backstage/plugin-mcp-actions-backend: ^0.1.6 → ^0.1.8
+- @backstage/plugin-search-backend: ^2.0.9 → ^2.0.11
+- @backstage/plugin-techdocs-backend: ^2.1.3 → ^2.1.4
+- @backstage/backend-test-utils: ^1.10.2 → ^1.10.4 (in jira-dashboard-backend and readme-backend)
+
+**Code Improvements:**
+
+- Removed redundant @backstage/backend-defaults imports from production code paths in backend plugins (jira-dashboard-backend, readme-backend, statuspage-backend)
@@ -62,7 +62,8 @@
     "@types/react-dom": "^18.3",
     "@stoplight/spectral-core@npm:1.19.4/jsonpath-plus": "^10.3.0",
     "@kubernetes/client-node@npm:0.20.0/jsonpath-plus": "^10.3.0",
-    "zod": "^3.23.8"
+    "zod": "^3.23.8",
+    "qs": "^6.14.1"
   },
   "prettier": "@spotify/prettier-config",
   "lint-staged": {

@@ -20,7 +20,7 @@
     "@backstage/catalog-model": "^1.7.6",
     "@backstage/cli": "^0.35.1",
     "@backstage/core-compat-api": "^0.5.5",
-    "@backstage/core-components": "^0.18.4",
+    "@backstage/core-components": "^0.18.6",
     "@backstage/core-plugin-api": "^1.12.1",
     "@backstage/frontend-app-api": "^0.13.3",
     "@backstage/frontend-defaults": "^0.3.4",

@@ -24,7 +24,7 @@
     "@backstage/catalog-model": "^1.7.6",
     "@backstage/cli": "^0.35.1",
     "@backstage/core-app-api": "^1.19.3",
-    "@backstage/core-components": "^0.18.4",
+    "@backstage/core-components": "^0.18.6",
     "@backstage/core-plugin-api": "^1.12.1",
     "@backstage/integration-react": "^1.2.13",
     "@backstage/plugin-api-docs": "^0.13.2",

@@ -19,8 +19,8 @@
     "@axis-backstage/plugin-jira-dashboard-backend": "workspace:^",
     "@axis-backstage/plugin-readme-backend": "workspace:^",
     "@axis-backstage/plugin-statuspage-backend": "workspace:^",
-    "@backstage/backend-defaults": "^0.14.0",
-    "@backstage/backend-plugin-api": "^1.6.0",
+    "@backstage/backend-defaults": "^0.15.1",
+    "@backstage/backend-plugin-api": "^1.6.2",
     "@backstage/catalog-client": "^1.12.1",
     "@backstage/catalog-model": "^1.7.6",
     "@backstage/config": "^1.3.6",
@@ -30,13 +30,13 @@
     "@backstage/plugin-auth-backend-module-microsoft-provider": "^0.3.10",
     "@backstage/plugin-auth-node": "^0.6.10",
     "@backstage/plugin-catalog-backend": "^3.3.0",
-    "@backstage/plugin-mcp-actions-backend": "^0.1.6",
+    "@backstage/plugin-mcp-actions-backend": "^0.1.8",
     "@backstage/plugin-permission-common": "^0.9.3",
     "@backstage/plugin-permission-node": "^0.10.7",
-    "@backstage/plugin-search-backend": "^2.0.9",
+    "@backstage/plugin-search-backend": "^2.0.11",
     "@backstage/plugin-search-backend-module-pg": "^0.5.51",
     "@backstage/plugin-search-backend-node": "^1.4.0",
-    "@backstage/plugin-techdocs-backend": "^2.1.3",
+    "@backstage/plugin-techdocs-backend": "^2.1.4",
     "app": "workspace:^",
     "dockerode": "^3.3.1",
     "express": "^4.17.1",

@@ -29,7 +29,7 @@
   },
   "dependencies": {
     "@backstage/config": "^1.3.6",
-    "@backstage/core-components": "^0.18.4",
+    "@backstage/core-components": "^0.18.6",
     "@backstage/core-plugin-api": "^1.12.1"
   },
   "peerDependencies": {

@@ -30,8 +30,8 @@
   },
   "dependencies": {
     "@axis-backstage/plugin-jira-dashboard-common": "workspace:^",
-    "@backstage/backend-defaults": "^0.14.0",
-    "@backstage/backend-plugin-api": "^1.6.0",
+    "@backstage/backend-defaults": "^0.15.1",
+    "@backstage/backend-plugin-api": "^1.6.2",
     "@backstage/catalog-client": "^1.12.1",
     "@backstage/catalog-model": "^1.7.6",
     "@backstage/config": "^1.3.6",
@@ -42,7 +42,7 @@
     "node-fetch": "^2.6.7"
   },
   "devDependencies": {
-    "@backstage/backend-test-utils": "^1.10.2",
+    "@backstage/backend-test-utils": "^1.10.4",
     "@backstage/cli": "^0.35.1",
     "@backstage/plugin-auth-backend": "^0.25.7",
     "@backstage/plugin-auth-backend-module-guest-provider": "^0.2.15",

@@ -4,18 +4,18 @@
 
 ```ts
 import { BackendFeature } from '@backstage/backend-plugin-api';
+import { default as fetch_2 } from 'node-fetch';
 import { Filter } from '@axis-backstage/plugin-jira-dashboard-common';
 import { JiraQueryResults } from '@axis-backstage/plugin-jira-dashboard-common';
 import { RequestInit as RequestInit_2 } from 'node-fetch';
-import { Response as Response_2 } from 'node-fetch';
 import { RootConfigService } from '@backstage/backend-plugin-api';
 
 // @public
 export function callApi(
   instance: ConfigInstance,
   url: string,
   init?: RequestInit_2,
-): Promise<Response_2>;
+): Promise<fetch_2.Response>;
 
 // @public
 export type ConfigInstance = {

@@ -42,7 +42,6 @@ export const jiraDashboardPlugin = createBackendPlugin({
           await createRouter({
             auth,
             logger,
-            rootConfig,
             config: JiraConfig.fromConfig(rootConfig),
             discovery,
             httpAuth,

@@ -15,7 +15,6 @@ describe('createRouter', () => {
     const router = await createRouter({
       auth: mockServices.auth.mock(),
       logger: mockServices.logger.mock(),
-      rootConfig,
       config: JiraConfig.fromConfig(rootConfig),
       discovery: mockServices.discovery.mock(),
       httpAuth: mockServices.httpAuth.mock(),

@@ -2,14 +2,12 @@ import express from 'express';
 import Router from 'express-promise-router';
 import stream from 'stream';
 
-import { MiddlewareFactory } from '@backstage/backend-defaults/rootHttpRouter';
 import {
   AuthService,
   CacheService,
   DiscoveryService,
   HttpAuthService,
   LoggerService,
-  RootConfigService,
   UserInfoService,
 } from '@backstage/backend-plugin-api';
 import { stringifyEntityRef, UserEntity } from '@backstage/catalog-model';
@@ -43,10 +41,6 @@ export interface RouterOptions {
    * Implementation of Logger Service
    */
   logger: LoggerService;
-  /**
-   * Implementation of Config Service
-   */
-  rootConfig: RootConfigService;
   /**
    * Parsed Jira config
    */
@@ -72,16 +66,8 @@ export interface RouterOptions {
 export async function createRouter(
   options: RouterOptions,
 ): Promise<express.Router> {
-  const {
-    auth,
-    logger,
-    rootConfig,
-    config,
-    discovery,
-    httpAuth,
-    userInfo,
-    cache,
-  } = options;
+  const { auth, logger, config, discovery, httpAuth, userInfo, cache } =
+    options;
   const catalogClient = new CatalogClient({ discoveryApi: discovery });
 
   logger.info('Initializing Jira Dashboard backend');
@@ -374,8 +360,5 @@ export async function createRouter(
     },
   );
 
-  const middleware = MiddlewareFactory.create({ logger, config: rootConfig });
-
-  router.use(middleware.error());
   return router;
 }
@@ -46,7 +46,7 @@
     "@axis-backstage/plugin-jira-dashboard-common": "workspace:^",
     "@backstage/catalog-model": "^1.7.6",
     "@backstage/core-compat-api": "^0.5.5",
-    "@backstage/core-components": "^0.18.4",
+    "@backstage/core-components": "^0.18.6",
     "@backstage/core-plugin-api": "^1.12.1",
     "@backstage/errors": "^1.2.7",
     "@backstage/frontend-plugin-api": "^0.13.2",

@@ -28,8 +28,7 @@
     "postpack": "backstage-cli package postpack"
   },
   "dependencies": {
-    "@backstage/backend-defaults": "^0.14.0",
-    "@backstage/backend-plugin-api": "^1.6.0",
+    "@backstage/backend-plugin-api": "^1.6.2",
     "@backstage/catalog-client": "^1.12.1",
     "@backstage/catalog-model": "^1.7.6",
     "@backstage/config": "^1.3.6",
@@ -41,7 +40,8 @@
     "express-promise-router": "^4.1.0"
   },
   "devDependencies": {
-    "@backstage/backend-test-utils": "^1.10.2",
+    "@backstage/backend-defaults": "^0.15.1",
+    "@backstage/backend-test-utils": "^1.10.4",
     "@backstage/cli": "^0.35.1",
     "@types/supertest": "^2.0.12",
     "msw": "^2.7.3",

@@ -1,4 +1,3 @@
-import { MiddlewareFactory } from '@backstage/backend-defaults/rootHttpRouter';
 import {
   AuthService,
   CacheService,
@@ -161,7 +160,5 @@ export async function createRouter(
     throw new NotFoundError('Readme could not be found');
   });
 
-  const middleware = MiddlewareFactory.create({ logger, config });
-  router.use(middleware.error());
   return router;
 }
@@ -46,7 +46,7 @@
   "dependencies": {
     "@backstage/catalog-model": "^1.7.6",
     "@backstage/core-compat-api": "^0.5.5",
-    "@backstage/core-components": "^0.18.4",
+    "@backstage/core-components": "^0.18.6",
     "@backstage/core-plugin-api": "^1.12.1",
     "@backstage/errors": "^1.2.7",
     "@backstage/frontend-plugin-api": "^0.13.2",

@@ -30,15 +30,15 @@
   },
   "dependencies": {
     "@axis-backstage/plugin-statuspage-common": "workspace:^",
-    "@backstage/backend-defaults": "^0.14.0",
-    "@backstage/backend-plugin-api": "^1.6.0",
+    "@backstage/backend-plugin-api": "^1.6.2",
     "@backstage/config": "^1.3.6",
     "@types/express": "*",
     "cross-fetch": "^4.0.0",
     "express": "^4.17.1",
     "express-promise-router": "^4.1.0"
   },
   "devDependencies": {
+    "@backstage/backend-defaults": "^0.15.1",
     "@backstage/cli": "^0.35.1"
   },
   "files": [

@@ -1,4 +1,3 @@
-import { MiddlewareFactory } from '@backstage/backend-defaults/rootHttpRouter';
 import {
   CacheService,
   LoggerService,
@@ -60,7 +59,5 @@ export async function createRouter(
     response.json({ url: getLink(name, statuspageConfig) || '' });
   });
 
-  const middleware = MiddlewareFactory.create({ logger, config: rootConfig });
-  router.use(middleware.error());
   return router;
 }
@@ -32,7 +32,7 @@
   "dependencies": {
     "@axis-backstage/plugin-statuspage-common": "workspace:^",
     "@backstage/catalog-model": "^1.7.6",
-    "@backstage/core-components": "^0.18.4",
+    "@backstage/core-components": "^0.18.6",
     "@backstage/core-plugin-api": "^1.12.1",
     "@backstage/plugin-catalog-react": "^1.21.4",
     "@mui/icons-material": "^5.15.7",

@@ -29,7 +29,7 @@
   },
   "dependencies": {
     "@backstage/catalog-model": "^1.7.6",
-    "@backstage/core-components": "^0.18.4",
+    "@backstage/core-components": "^0.18.6",
     "@backstage/core-plugin-api": "^1.12.1",
     "@backstage/errors": "^1.2.7",
     "@backstage/plugin-catalog-react": "^1.21.4",