@backstage/backend-defaults
Backend defaults used by Backstage backend apps
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): @aws-sdk/rds-signer is a legitimate AWS SDK package consistent with existing AWS deps in this package. | ai | |
| phantom-deps | phantom-dep:better-sqlite3 | AI (phantom-deps): better-sqlite3 is a database driver loaded dynamically via knex configuration, not directly imported. This is the standard pattern for optional DB drivers in Backstage's database abstraction layer. | ai | |
| dependencies | unvetted-dep:infinispan | AI (dependencies): infinispan is a legitimate distributed cache client; expected as an optional cache backend in a backend defaults library. | ai | |
| dependencies | unvetted-dep:pg-format | AI (dependencies): pg-format is a well-known PostgreSQL query formatting library; expected dependency for a backend defaults package with database support. | ai | |
| dependencies | unvetted-dep:@keyv/valkey | AI (dependencies): Official @keyv scoped package for Valkey cache adapter; expected in a backend defaults library with multiple cache backends. | ai | |
| dependencies | unvetted-dep:@keyv/memcache | AI (dependencies): Official @keyv scoped package for Memcache adapter; expected in a backend defaults library with multiple cache backends. | ai | |
| dependencies | unvetted-dep:@backstage/types | AI (dependencies): Internal Backstage monorepo package; expected dependency for any Backstage backend library. | ai | |
| dependencies | unvetted-dep:@aws-sdk/rds-signer | AI (dependencies): Official AWS SDK v3 package for RDS IAM authentication; expected for a backend defaults library with database support. | ai | |
| dependencies | unvetted-dep:express-promise-router | AI (dependencies): Well-known Express middleware for promise-based routing; expected in a backend HTTP routing library. | ai | |
| dependencies | unvetted-dep:@aws-sdk/client-codecommit | AI (dependencies): Official AWS SDK v3 CodeCommit client; expected for a backend defaults library with URL reader support for AWS repos. | ai | |
| dependencies | unvetted-dep:@backstage/backend-dev-utils | AI (dependencies): Internal Backstage monorepo package; expected dependency for any Backstage backend library. | ai | |
| dependencies | unvetted-dep:@backstage/backend-plugin-api | AI (dependencies): Core Backstage backend plugin API package from the same monorepo; expected dependency for any Backstage backend library. | ai | |
| phantom-deps | phantom-dep:@types/cors | AI (phantom-deps): Framework-scoped type package; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@aws-sdk/types | AI (phantom-deps): AWS SDK types loaded by convention; stable false positive for this backend framework package. | ai | |
| phantom-deps | phantom-dep:@types/express | AI (phantom-deps): Framework-scoped type package; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:winston-transport | AI (phantom-deps): Loaded by convention for logging; stable false positive for this backend framework package. | ai | |
| phantom-deps | phantom-dep:@backstage/cli-node | AI (phantom-deps): Same-org Backstage package; stable false positive for this package. | ai | |
| provenance | no-provenance | AI (provenance): Backstage monorepo does not currently publish with Sigstore provenance; this is a known gap for the project, not a security signal. | ai | |
| phantom-deps | phantom-dep:mysql2 | AI (phantom-deps): mysql2 is a database driver loaded by convention/config in this backend framework; phantom detection is a stable false positive. | ai | |
| phantom-deps | phantom-dep:pg | AI (phantom-deps): pg is a database driver loaded by convention/config in this backend framework; phantom detection is a stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@octokit/rest | AI (phantom-deps): Loaded by convention for GitHub integration; stable false positive for this backend framework package. | ai | |
Versions (showing 13 of 13)
| Version | Deps | Published |
|---|---|---|
| 0.17.2 | 73 / 21 | |
| 0.17.1 | 73 / 21 | |
| 0.17.0 | 73 / 22 | |
| 0.16.0 | 72 / 22 | |
| 0.15.2 | 71 / 22 | |
| 0.15.1 | 70 / 22 | |
| 0.15.0 | 70 / 22 | |
| 0.14.2 | 70 / 22 | |
| 0.14.1 | 70 / 22 | |
| 0.13.3 | 71 / 20 | |
| 0.13.2 | 71 / 20 | |
| 0.12.3 | 71 / 20 | |
| 0.12.2 | 71 / 20 | |
v0.17.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.17.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.17.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.14.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.13.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.