npmpackage.info

@backstage/plugin-scaffolder-backend

Backstage is an open framework for building developer portals

1.28.0

28,869

Apache-2.0

TypeScript

1.13 MB

5,342,491 6.3

Installations

npm install @backstage/plugin-scaffolder-backend

Developer Guide

BETA

Typescript

Yes

Module System

CommonJS, ESM

Score

60.4

Supply Chain

73.8

Quality

92.9

Maintenance

Vulnerability

License

Pull Requests

Open

116

Total

20,647

Closed

3,162

Merged

17,369

Issues

Open

361

Total

6,387

Closed

6,026

Releases

394

v1.34.1

Published on 20 Dec 2024

v1.34.0

Published on 17 Dec 2024

v1.33.6

Published on 12 Dec 2024

v1.34.0-next.2

Published on 10 Dec 2024

v1.34.0-next.1

Published on 03 Dec 2024

v1.33.5

Published on 29 Nov 2024

View all 394 releases

Contributors

1,621

View all 1,621 contributors

Languages

TypeScript

MDX

JavaScript

CSS

Handlebars

Mustache

HTML

Dockerfile

SCSS

Shell

Makefile

HCL

PowerShell

TypeScript (94.69%)

MDX (2.11%)

JavaScript (1.92%)

CSS (0.73%)

Handlebars (0.22%)

Mustache (0.11%)

HTML (0.05%)

Dockerfile (0.05%)

SCSS (0.05%)

Shell (0.03%)

Makefile (0.03%)

HCL (0.01%)

Developer

backstage

Download Statistics

Total Downloads

5,342,491

Last Day

6,337

Last Week

46,866

Last Month

216,024

Last Year

2,205,325

GitHub Statistics

28,869 Stars

61,370 Commits

6,113 Forks

232 Watching

515 Branches

1,621 Contributors

Maintainers

Package Meta Information

Latest Version

1.28.0

Package Id

@backstage/plugin-scaffolder-backend@1.28.0

Unpacked Size

1.13 MB

Size

223.75 kB

File Count

114

Publised On

17 Dec 2024

Total Downloads

Cumulative downloads

Total Downloads

5,342,491

Last day

-33.2%

6,337

Compared to previous day

Last week

-6.3%

46,866

Compared to previous week

Last month

5.2%

216,024

Compared to previous month

Last year

23.8%

2,205,325

Compared to previous year

Daily Downloads

Weekly Downloads

Monthly Downloads

Yearly Downloads

Dependencies

Dev Dependencies

@backstage/backend-app-api @backstage/backend-defaults @backstage/backend-test-utils @backstage/cli @backstage/plugin-scaffolder-node-test-utils @types/fs-extra @types/nunjucks @types/supertest @types/zen-observable esbuild strip-ansi supertest wait-for-expect

Versions

Backstage

English | 한국어 | 中文版 | Français

What is Backstage?

Backstage is an open source framework for building developer portals. Powered by a centralized software catalog, Backstage restores order to your microservices and infrastructure and enables your product teams to ship high-quality code quickly without compromising autonomy.

Backstage unifies all your infrastructure tooling, services, and documentation to create a streamlined development environment from end to end.

software-catalog

Out of the box, Backstage includes:

Backstage Software Catalog for managing all your software such as microservices, libraries, data pipelines, websites, and ML models
Backstage Software Templates for quickly spinning up new projects and standardizing your tooling with your organization’s best practices
Backstage TechDocs for making it easy to create, maintain, find, and use technical documentation, using a "docs like code" approach
Plus, a growing ecosystem of open source plugins that further expand Backstage’s customizability and functionality

Backstage was created by Spotify but is now hosted by the Cloud Native Computing Foundation (CNCF) as an Incubation level project. For more information, see the announcement.

Project roadmap

For information about the detailed project roadmap including delivered milestones, see the Roadmap.

Getting Started

To start using Backstage, see the Getting Started documentation.

Documentation

The documentation of Backstage includes:

Community

To engage with our community, you can use the following resources:

Discord chatroom - Get support or discuss the project
Contributing to Backstage - Start here if you want to contribute
RFCs - Help shape the technical direction
FAQ - Frequently Asked Questions
Code of Conduct - This is how we roll
Adopters - Companies already using Backstage
Blog - Announcements and updates
Newsletter - Subscribe to our email newsletter
Backstage Community Sessions - Join monthly meetups and explore Backstage community
Give us a star ⭐️ - If you are using Backstage or think it is an interesting project, we would love a star ❤️

Governance

See the GOVERNANCE.md document in the backstage/community repository.

License

Copyright 2020-2024 © The Backstage Authors. All rights reserved. The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page: https://www.linuxfoundation.org/trademark-usage

Licensed under the Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0

Security

Please report sensitive security issues using Spotify's bug-bounty program rather than GitHub.

For further details, see our complete security release process.

Stable Version

1.28.0

HIGH

8.1/10

Summary

Backstage Scaffolder plugin has insecure sandbox

Affected Versions

< 1.15.0

Patched Versions

1.15.0

HIGH

8.5/10

Summary

Path Traversal in @backstage/plugin-scaffolder-backend

Affected Versions

< 0.15.14

Patched Versions

0.15.14

HIGH

0/10

Summary

RCE vulnerability affecting v1beta3 templates in @backstage/plugin-scaffolder-backend

Affected Versions

< 0.15.14

Patched Versions

0.15.14

MODERATE

6.8/10

Summary

Path Traversal in @backstage/plugin-scaffolder-backend

Affected Versions

>= 0.9.4, < 0.15.9

Patched Versions

0.15.9

10

Binary-Artifacts

Determines if the project has generated executable (binary) artifacts in the source repository.

10

CI-Tests

Determines if the project runs tests before pull requests are merged.

10

Code-Review

Determines if the project requires human code review before pull requests (aka merge requests) are merged.

10

Contributors

Determines if the project has a set of contributors from multiple organizations (e.g., companies).

10

Dependency-Update-Tool

Determines if the project uses a dependency update tool.

10

License

Determines if the project has defined a license.

10

Maintained

Determines if the project is "actively maintained".

10

Packaging

Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.

10

SAST

Determines if the project uses static code analysis.

10

Security-Policy

Determines if the project has published a security policy.

8

Pinned-Dependencies

Determines if the project has declared and pinned the dependencies of its build process.

Reason

dependency not pinned by hash detected -- score normalized to 8

Details

Warn: containerImage not pinned by hash: contrib/.devcontainer/Dockerfile:1: pin your Docker image by updating mcr.microsoft.com/devcontainers/typescript-node:20 to mcr.microsoft.com/devcontainers/typescript-node:20@sha256:6a200731ff2e66af7d342c8118f989822e81ab98c2ad2e5c180fa308d057e395
Warn: containerImage not pinned by hash: contrib/docker/devops/Dockerfile:3
Warn: containerImage not pinned by hash: contrib/docker/frontend-with-nginx/Dockerfile.dockerbuild:38
Warn: containerImage not pinned by hash: contrib/docker/frontend-with-nginx/Dockerfile.dockerbuild:49: pin your Docker image by updating nginx:mainline to nginx:mainline@sha256:fb197595ebe76b9c0c14ab68159fd3c08bd067ec62300583543f0ebda353b5be
Warn: containerImage not pinned by hash: contrib/docker/frontend-with-nginx/Dockerfile.hostbuild:30: pin your Docker image by updating nginx:mainline to nginx:mainline@sha256:fb197595ebe76b9c0c14ab68159fd3c08bd067ec62300583543f0ebda353b5be
Warn: containerImage not pinned by hash: contrib/docker/minimal-hardened-image/Dockerfile:15
Warn: containerImage not pinned by hash: contrib/docker/minimal-hardened-image/Dockerfile:24
Warn: containerImage not pinned by hash: contrib/docker/minimal-hardened-image/Dockerfile:53: pin your Docker image by updating cgr.dev/chainguard/wolfi-base:latest to cgr.dev/chainguard/wolfi-base:latest@sha256:3b271f8bff9356a38aa23118ffdea3c0d659f39e207feedacf01bdea4b900871
Warn: containerImage not pinned by hash: packages/backend/Dockerfile:12: pin your Docker image by updating node:20-bookworm-slim to node:20-bookworm-slim@sha256:f44fa8d6d0ef15fe252459ac5d3d178362231a7948d7d07e147bae891006e2e5
Warn: containerImage not pinned by hash: packages/create-app/templates/default-app/packages/backend/Dockerfile:12: pin your Docker image by updating node:20-bookworm-slim to node:20-bookworm-slim@sha256:f44fa8d6d0ef15fe252459ac5d3d178362231a7948d7d07e147bae891006e2e5
Warn: containerImage not pinned by hash: plugins/scaffolder-backend-module-rails/Rails.dockerfile:1: pin your Docker image by updating ruby:3.3 to ruby:3.3@sha256:7738097e604fac41fd39eb0030ea0ed5b40968f89c6268911bc96e58c32e31fd
Warn: containerImage not pinned by hash: plugins/scaffolder-backend/scripts/Cookiecutter.dockerfile:1: pin your Docker image by updating alpine:3.21 to alpine:3.21@sha256:21dc6063fd678b478f57c0e13f47560d0ea4eeba26dfc947b2a4f81f686b9f45
Warn: pipCommand not pinned by hash: contrib/docker/minimal-hardened-image/Dockerfile:19-21
Warn: pipCommand not pinned by hash: packages/backend/Dockerfile:29
Warn: pipCommand not pinned by hash: plugins/scaffolder-backend/scripts/Cookiecutter.dockerfile:3-11
Warn: pipCommand not pinned by hash: contrib/.devcontainer/postCreate.sh:6
Warn: downloadThenRun not pinned by hash: .github/workflows/automate_merge_message.yml:44
Warn: downloadThenRun not pinned by hash: .github/workflows/sync_release-manifest.yml:54
Warn: pipCommand not pinned by hash: .github/workflows/verify_e2e-techdocs.yml:56
Warn: downloadThenRun not pinned by hash: .github/workflows/verify_fossa.yml:26
Warn: pipCommand not pinned by hash: .github/workflows/verify_microsite.yml:43
Info: 85 out of 85 GitHub-owned GitHubAction dependencies pinned
Info: 84 out of 84 third-party GitHubAction dependencies pinned
Info: 0 out of 12 containerImage dependencies pinned
Info: 0 out of 6 pipCommand dependencies pinned
Info: 0 out of 3 downloadThenRun dependencies pinned

2

CII-Best-Practices

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

0

Dangerous-Workflow

Determines if the project's GitHub Action workflows avoid dangerous patterns.

0

Fuzzing

Determines if the project uses fuzzing.

0

Token-Permissions

Determines if the project's workflows follow the principle of least privilege.

Reason

detected GitHub workflow tokens with excessive permissions

Details

Info: jobLevel 'actions' permission set to 'read': .github/workflows/api-breaking-changes-comment.yml:18
Info: jobLevel 'contents' permission set to 'read': .github/workflows/api-breaking-changes-comment.yml:88
Info: jobLevel 'contents' permission set to 'read': .github/workflows/automate_area-labels.yml:11
Warn: jobLevel 'contents' permission set to 'write': .github/workflows/deploy_microsite.yml:142
Info: jobLevel 'contents' permission set to 'read': .github/workflows/issue.yaml:12
Info: jobLevel 'contents' permission set to 'read': .github/workflows/sync_snyk-monitor.yml:23
Info: jobLevel 'actions' permission set to 'read': .github/workflows/verify_codeql.yml:28
Info: jobLevel 'contents' permission set to 'read': .github/workflows/verify_codeql.yml:29
Warn: no topLevel permission defined: .github/workflows/api-breaking-changes-comment.yml:1
Warn: no topLevel permission defined: .github/workflows/api-breaking-changes.yml:1
Info: topLevel 'contents' permission set to 'read': .github/workflows/automate_area-labels.yml:6
Info: found token with 'none' permissions: .github/workflows/automate_changeset_feedback.yml:8
Info: found token with 'none' permissions: .github/workflows/automate_changeset_feedback.yml:10
Info: found token with 'none' permissions: .github/workflows/automate_changeset_feedback.yml:13
Info: found token with 'none' permissions: .github/workflows/automate_changeset_feedback.yml:12
Info: found token with 'none' permissions: .github/workflows/automate_changeset_feedback.yml:14
Info: found token with 'none' permissions: .github/workflows/automate_changeset_feedback.yml:15
Info: found token with 'none' permissions: .github/workflows/automate_changeset_feedback.yml:16
Info: found token with 'none' permissions: .github/workflows/automate_changeset_feedback.yml:17
Info: found token with 'none' permissions: .github/workflows/automate_changeset_feedback.yml:9
Info: found token with 'none' permissions: .github/workflows/automate_changeset_feedback.yml:11
Info: found token with 'none' permissions: .github/workflows/automate_merge_message.yml:12
Info: found token with 'none' permissions: .github/workflows/automate_merge_message.yml:13
Info: found token with 'none' permissions: .github/workflows/automate_merge_message.yml:15
Info: found token with 'none' permissions: .github/workflows/automate_merge_message.yml:16
Info: found token with 'none' permissions: .github/workflows/automate_merge_message.yml:9
Info: found token with 'none' permissions: .github/workflows/automate_merge_message.yml:10
Info: found token with 'none' permissions: .github/workflows/automate_merge_message.yml:11
Info: found token with 'none' permissions: .github/workflows/automate_merge_message.yml:17
Info: found token with 'none' permissions: .github/workflows/automate_merge_message.yml:18
Info: found token with 'none' permissions: .github/workflows/automate_merge_message.yml:14
Info: topLevel 'contents' permission set to 'read': .github/workflows/automate_stale.yml:8
Info: topLevel 'contents' permission set to 'read': .github/workflows/ci-noop.yml:12
Warn: no topLevel permission defined: .github/workflows/ci.yml:1
Warn: no topLevel permission defined: .github/workflows/cron.yml:1
Warn: no topLevel permission defined: .github/workflows/deploy_docker-image.yml:1
Info: topLevel 'contents' permission set to 'read': .github/workflows/deploy_microsite.yml:8
Warn: no topLevel permission defined: .github/workflows/deploy_packages.yml:1
Info: topLevel 'contents' permission set to 'read': .github/workflows/issue.yaml:7
Info: topLevel 'contents' permission set to 'read': .github/workflows/pr-review-comment-trigger.yaml:11
Warn: no topLevel permission defined: .github/workflows/pr-review-comment.yaml:1
Warn: no topLevel permission defined: .github/workflows/pr.yaml:1
Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yml:18
Warn: no topLevel permission defined: .github/workflows/sync_canon.yml:1
Warn: no topLevel permission defined: .github/workflows/sync_code-formatting.yml:1
Warn: no topLevel permission defined: .github/workflows/sync_dependabot-changesets.yml:1
Warn: no topLevel permission defined: .github/workflows/sync_release-manifest.yml:1
Warn: no topLevel permission defined: .github/workflows/sync_renovate-changesets.yml:1
Warn: no topLevel permission defined: .github/workflows/sync_snyk-github-issues.yml:1
Info: topLevel 'contents' permission set to 'read': .github/workflows/sync_snyk-monitor.yml:18
Warn: no topLevel permission defined: .github/workflows/sync_version-packages.yml:1
Info: topLevel 'contents' permission set to 'read': .github/workflows/verify_accessibility-noop.yml:21
Warn: no topLevel permission defined: .github/workflows/verify_accessibility.yml:1
Info: topLevel 'contents' permission set to 'read': .github/workflows/verify_codeql.yml:23
Warn: no topLevel permission defined: .github/workflows/verify_docs-quality.yml:1
Info: topLevel 'contents' permission set to 'read': .github/workflows/verify_e2e-linux-noop.yml:19
Warn: no topLevel permission defined: .github/workflows/verify_e2e-linux.yml:1
Info: topLevel 'contents' permission set to 'read': .github/workflows/verify_e2e-techdocs.yml:18
Info: topLevel 'contents' permission set to 'read': .github/workflows/verify_e2e-windows-noop.yml:15
Warn: no topLevel permission defined: .github/workflows/verify_e2e-windows.yml:1
Info: topLevel 'contents' permission set to 'read': .github/workflows/verify_fossa.yml:9
Info: topLevel 'contents' permission set to 'read': .github/workflows/verify_microsite-noop.yml:15
Info: topLevel 'contents' permission set to 'read': .github/workflows/verify_microsite.yml:13
Info: topLevel 'contents' permission set to 'read': .github/workflows/verify_microsite_accessibility-noop.yml:19
Warn: no topLevel permission defined: .github/workflows/verify_microsite_accessibility.yml:1
Info: topLevel 'contents' permission set to 'read': .github/workflows/verify_storybook-noop.yml:22
Warn: no topLevel permission defined: .github/workflows/verify_storybook.yml:1
Info: topLevel 'contents' permission set to 'read': .github/workflows/verify_windows.yml:11

0

Vulnerabilities

Determines if the project has open, known unfixed vulnerabilities.

Score

6.3

/10

Last Scanned on 2024-12-23T11:06:03Z

The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.

Learn More

Other packages similar to @backstage/plugin-scaffolder-backend

@backstage/plugin-scaffolder-backend-module-gitlab

0.7.0

@backstage/plugin-scaffolder-backend-module-github

0.5.4

The github module for @backstage/plugin-scaffolder-backend

@backstage/plugin-scaffolder-backend-module-azure

0.2.4

The azure module for @backstage/plugin-scaffolder-backend

@backstage/plugin-scaffolder-backend-module-gerrit

0.2.4

The gerrit module for @backstage/plugin-scaffolder-backend