[Snyk] Security upgrade @backstage/theme from 0.0.0-use.local to 0.1.1

[snyk-io]

Snyk has created this PR to fix 1 vulnerabilities in the yarn dependencies of this project.

Snyk changed the following file(s):

• plugins/stackstorm/package.json

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory.
If you are not using zero-install you can ignore this as your flow should likely be unchanged.

⚠️ Warning

Failed to update the yarn.lock, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Directory Traversal SNYK-JS-TAR-15127355	510

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Directory Traversal

---

EntelligenceAI PR Summary

This PR pins the @backstage/theme dependency to version 0.1.1 in the StackStorm plugin, replacing the workspace reference.

• Modified dependency resolution from workspace:^ to fixed version 0.1.1
• Affects theme package dependency management in plugins/stackstorm/package.json
• Establishes version stability and explicit compatibility requirements
• May impact how theme updates propagate to the plugin

[codesandbox]

Review or Edit in CodeSandbox

Open the branch in Web Editor • VS Code • Insiders

Open Preview

[entelligence-ai-pr-reviews]

Walkthrough

This pull request updates the dependency management for the StackStorm plugin by changing the @backstage/theme package from a workspace reference to a pinned version. The modification replaces the flexible workspace protocol (workspace:^) with a fixed version number (0.1.1), establishing a hard dependency on a specific theme package version. This change impacts how the plugin resolves its theme dependency, moving from dynamic workspace-based resolution to static version pinning. The update may be driven by requirements for version stability, compatibility assurance with specific theme APIs, or preparation for publishing the plugin as a standalone package.

Changes

File(s)	Summary
plugins/stackstorm/package.json	Changed @backstage/theme dependency from workspace reference (workspace:^) to pinned version 0.1.1.

Sequence Diagram

This diagram shows the interactions between components:

sequenceDiagram
    participant Build as Build System
    participant Package as StackStorm Plugin
    participant Registry as NPM Registry
    participant Workspace as Local Workspace

    Note over Build,Workspace: Before: workspace:^ reference
    Build->>Package: Resolve dependencies
    Package->>Workspace: Request @backstage/theme (workspace:^)
    Workspace-->>Package: Return local workspace version
    Package-->>Build: Dependencies resolved locally

    Note over Build,Workspace: After: Pinned to version 0.1.1
    Build->>Package: Resolve dependencies
    Package->>Registry: Request @backstage/theme@0.1.1
    Registry-->>Package: Return version 0.1.1 from registry
    Package-->>Build: Dependencies resolved from registry

Loading

▶️ ⚡ AI Code Reviews for VS Code, Cursor, Windsurf
Install the extension

Note for Windsurf

Please change the default marketplace provider to the following in the windsurf settings:

Marketplace Extension Gallery Service URL: https://marketplace.visualstudio.com/_apis/public/gallery

Marketplace Gallery Item URL: https://marketplace.visualstudio.com/items

Entelligence.ai can learn from your feedback. Simply add 👍 / 👎 emojis to teach it your preferences. More shortcuts below

Emoji Descriptions:

• ⚠️ Potential Issue - May require further investigation.
• 🔒 Security Vulnerability - Fix to ensure system safety.
• 💻 Code Improvement - Suggestions to enhance code quality.
• 🔨 Refactor Suggestion - Recommendations for restructuring code.
• ℹ️ Others - General comments and information.

Interact with the Bot:

• Send a message or request using the format:
  @entelligenceai + *your message*

Example: @entelligenceai Can you suggest improvements for this code?

• Help the Bot learn by providing feedback on its responses.
  @entelligenceai + *feedback*

Example: @entelligenceai Do not comment on `save_auth` function !

Also you can trigger various commands with the bot by doing
@entelligenceai command

The current supported commands are

1. config - shows the current config
2. retrigger_review - retriggers the review

More commands to be added soon.

[entelligence-ai-pr-reviews]

Correctness: The change to @backstage/theme from workspace:^ to 0.1.1 in package.json breaks monorepo dependency consistency. This can lead to runtime version conflicts with other @backstage/* packages. Revert @backstage/theme to workspace:^.

🤖 AI Agent Prompt for Cursor/Windsurf

📋 Copy this prompt to your AI coding assistant (Cursor, Windsurf, etc.) to get help fixing this issue

File: plugins/stackstorm/package.json
Line: 40

Problem: The dependency `@backstage/theme` has been changed from `workspace:^` to a pinned version `0.1.1`, which is inconsistent with all other `@backstage/*` dependencies in this package that use the workspace protocol.

Fix Instructions:
1. Revert the change to use `workspace:^` instead of `0.1.1`
2. If there's a specific reason for pinning this version (e.g., breaking changes in newer versions), document it in a comment or commit message
3. Verify that the workspace version of `@backstage/theme` is compatible with this plugin
4. Ensure all `@backstage/*` dependencies follow the same versioning strategy for maintainability

✨ Committable Code Suggestion

💡 This is a one-click fix! Click "Commit suggestion" to apply this change directly to your branch.

Suggested change

	"@backstage/theme": "0.1.1",
	"dependencies": {
	"@backstage/core-components": "workspace:^",
	"@backstage/core-plugin-api": "workspace:^",
	"@backstage/errors": "workspace:^",
	"@backstage/theme": "workspace:^",
	"@material-ui/core": "^4.12.2",
	"@material-ui/icons": "^4.9.1",
	"@types/react": "^16.13.1 || ^17.0.0",

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.