chore(deps): bump knex from 0.95.6 to 1.0.2

.changeset/dependabot-e379ac7.md

@@ -0,0 +1,18 @@
+---
+'@backstage/backend-common': patch
+'@backstage/backend-tasks': patch
+'@backstage/backend-test-utils': patch
+'@backstage/plugin-app-backend': patch
+'@backstage/plugin-auth-backend': patch
+'@backstage/plugin-bazaar-backend': patch
+'@backstage/plugin-catalog-backend': patch
+'@backstage/plugin-code-coverage-backend': patch
+'@backstage/plugin-scaffolder-backend': patch
+'@backstage/plugin-search-backend-module-pg': patch
+'@backstage/plugin-tech-insights-backend': patch
+'@backstage/plugin-techdocs-backend': patch
+---
+
+chore(deps): bump `knex` from 0.95.6 to 1.0.2
+
+This also replaces `sqlite3` with `@vscode/sqlite3` 5.0.7

.changeset/popular-planes-lay.md

@@ -0,0 +1,58 @@
+---
+'@backstage/create-app': patch
+---
+
+**BREAKING:** Updated `knex` to major version 1, which also implies changing out
+the underlying `sqlite` implementation.
+
+The old `sqlite3` NPM library has been abandoned by its maintainers, which has
+led to unhandled security reports and other issues. Therefore, in the `knex` 1.x
+release line they have instead switched over to the [`@vscode/sqlite3`
+library](https://github.com/microsoft/vscode-node-sqlite3) by default, which is
+actively maintained by Microsoft.
+
+This means that as you update to this version of Backstage, there are two
+breaking changes that you will have to address in your own repository:
+
+## Bumping `knex` itself
+
+All `package.json` files of your repo that used to depend on a 0.x version of
+`knex`, should now be updated to depend on the 1.x release line. This applies in
+particular to `packages/backend`, but may also occur in backend plugins or
+libraries.
+
+```diff
+-    "knex": "^0.95.1",
++    "knex": "^1.0.2",
+```
+
+Almost all existing database code will continue to function without modification
+after this bump. The only significant difference that we discovered in the main
+repo, is that the `alter()` function had a slightly different signature in
+migration files. It now accepts an object with `alterType` and `alterNullable`
+fields that clarify a previous grey area such that the intent of the alteration
+is made explicit. This is caught by `tsc` and your editor if you are using the
+`@ts-check` and `@param` syntax in your migration files
+([example](https://github.com/backstage/backstage/blob/master/plugins/catalog-backend/migrations/20220116144621_remove_legacy.js#L17)),
+which we strongly recommend.
+
+See the [`knex` documentation](https://knexjs.org/#Schema-alter) for more
+information about the `alter` syntax.
+
+Also see the [`knex` changelog](https://knexjs.org/#changelog) for information
+about breaking changes in the 1.x line; if you are using `RETURNING` you may
+want to make some additional modifications in your code.
+
+## Switching out `sqlite3`
+
+All `package.json` files of your repo that used to depend on `sqlite3`, should
+now be updated to depend on `@vscode/sqlite3`. This applies in particular to
+`packages/backend`, but may also occur in backend plugins or libraries.
+
+```diff
+-    "sqlite3": "^5.0.1",
++    "@vscode/sqlite3": "^5.0.7",
+```
+
+These should be functionally equivalent, except that the new library will have
+addressed some long standing problems with old transitive dependencies etc.

packages/backend-common/api-report.md

@@ -177,7 +177,7 @@ export const createDatabase: typeof createDatabaseClient;
 export function createDatabaseClient(
   dbConfig: Config,
   overrides?: Partial<Knex.Config>,
-): Knex<any, unknown[]>;
+): Knex<any, Record<string, any>[]>;
 
 // @public
 export function createRootLogger(

packages/backend-common/package.json

@@ -58,7 +58,7 @@
     "jose": "^1.27.1",
     "keyv": "^4.0.3",
     "keyv-memcache": "^1.2.5",
-    "knex": "^0.95.1",
+    "knex": "^1.0.2",
     "lodash": "^4.17.21",
     "logform": "^2.3.2",
     "luxon": "^2.0.2",

packages/backend-tasks/package.json

@@ -34,7 +34,7 @@
     "@backstage/errors": "^0.2.0",
     "@backstage/types": "^0.1.1",
     "@types/luxon": "^2.0.4",
-    "knex": "^0.95.1",
+    "knex": "^1.0.2",
     "lodash": "^4.17.21",
     "luxon": "^2.0.2",
     "node-abort-controller": "^3.0.1",

packages/backend-test-utils/package.json

@@ -33,10 +33,10 @@
     "@backstage/backend-common": "^0.10.6",
     "@backstage/cli": "^0.13.1",
     "@backstage/config": "^0.1.13",
-    "knex": "^0.95.1",
+    "@vscode/sqlite3": "^5.0.7",
+    "knex": "^1.0.2",
     "mysql2": "^2.2.5",
     "pg": "^8.3.0",
-    "sqlite3": "^5.0.1",
     "testcontainers": "^8.1.2",
     "uuid": "^8.0.0"
   },

packages/backend/package.json

@@ -58,17 +58,17 @@
     "@backstage/plugin-todo-backend": "^0.1.20",
     "@gitbeaker/node": "^35.1.0",
     "@octokit/rest": "^18.5.3",
+    "@vscode/sqlite3": "^5.0.7",
     "azure-devops-node-api": "^11.0.1",
     "dockerode": "^3.3.1",
     "example-app": "link:../app",
     "express": "^4.17.1",
     "express-promise-router": "^4.1.0",
     "express-prom-bundle": "^6.3.6",
-    "knex": "^0.95.1",
+    "knex": "^1.0.2",
     "pg": "^8.3.0",
     "pg-connection-string": "^2.3.0",
     "prom-client": "^14.0.1",
-    "sqlite3": "^5.0.1",
     "winston": "^3.2.1"
   },
   "devDependencies": {

packages/create-app/src/lib/tasks.test.ts

@@ -208,6 +208,6 @@ describe('templatingTask', () => {
     // backend dependencies include `sqlite3` from `context.SQLite`
     expect(
       fs.readFileSync('templatedApp/packages/backend/package.json', 'utf-8'),
-    ).toContain('"sqlite3"');
+    ).toContain('sqlite3"');
   });
 });

packages/create-app/templates/default-app/packages/backend/package.json.hbs

@@ -40,7 +40,7 @@
     "pg": "^8.3.0",
     {{/if}}
     {{#if dbTypeSqlite}}
-    "sqlite3": "^5.0.1",
+    "@vscode/sqlite3": "^5.0.7",
     {{/if}}
     "winston": "^3.2.1"
   },

plugins/app-backend/package.json

@@ -40,7 +40,7 @@
     "express-promise-router": "^4.1.0",
     "fs-extra": "9.1.0",
     "helmet": "^4.0.0",
-    "knex": "^0.95.1",
+    "knex": "^1.0.2",
     "lodash": "^4.17.21",
     "luxon": "^2.0.2",
     "winston": "^3.2.1",

plugins/auth-backend/migrations/20210326100300_timestamptz.js

@@ -28,7 +28,7 @@ exports.up = async function up(knex) {
         .notNullable()
         .defaultTo(knex.fn.now())
         .comment('The creation time of the key')
-        .alter();
+        .alter({ alterType: true });
     });
   }
 };
@@ -45,7 +45,7 @@ exports.down = async function down(knex) {
         .notNullable()
         .defaultTo(knex.fn.now())
         .comment('The creation time of the key')
-        .alter();
+        .alter({ alterType: true });
     });
   }
 };

plugins/auth-backend/package.json

@@ -50,7 +50,7 @@
     "helmet": "^4.0.0",
     "jose": "^1.27.1",
     "jwt-decode": "^3.1.0",
-    "knex": "^0.95.1",
+    "knex": "^1.0.2",
     "lodash": "^4.17.21",
     "luxon": "^2.0.2",
     "minimatch": "^3.0.3",

plugins/bazaar-backend/package.json

@@ -26,7 +26,7 @@
     "@types/express": "^4.17.6",
     "express": "^4.17.1",
     "express-promise-router": "^4.1.0",
-    "knex": "^0.95.1",
+    "knex": "^1.0.2",
     "winston": "^3.2.1",
     "yn": "^4.0.0"
   },

plugins/catalog-backend/migrations/20200807120600_entitySearch.js

@@ -23,7 +23,7 @@ exports.up = async function up(knex) {
   // Sqlite does not support alter column.
   if (knex.client.config.client !== 'sqlite3') {
     await knex.schema.alterTable('entities_search', table => {
-      table.text('value').nullable().alter();
+      table.text('value').nullable().alter({ alterType: true });
     });
   }
 };
@@ -35,7 +35,7 @@ exports.down = async function down(knex) {
   // Sqlite does not support alter column.
   if (knex.client.config.client !== 'sqlite3') {
     await knex.schema.alterTable('entities_search', table => {
-      table.string('value').nullable().alter();
+      table.string('value').nullable().alter({ alterType: true });
     });
   }
 };

plugins/catalog-backend/migrations/20201005122705_add_entity_full_name.js

@@ -33,7 +33,7 @@ exports.up = async function up(knex) {
   // SQLite does not support alter column
   if (knex.client.config.client !== 'sqlite3') {
     await knex.schema.alterTable('entities', table => {
-      table.text('full_name').notNullable().alter();
+      table.text('full_name').notNullable().alter({ alterNullable: true });
     });
   }
 

plugins/catalog-backend/migrations/20201006130744_entity_data_column.js

@@ -43,7 +43,7 @@ exports.up = async function up(knex) {
   // SQLite does not support ALTER COLUMN.
   if (knex.client.config.client !== 'sqlite3') {
     await knex.schema.alterTable('entities', table => {
-      table.text('data').notNullable().alter();
+      table.text('data').notNullable().alter({ alterNullable: true });
     });
   }
 };

plugins/catalog-backend/migrations/20201230103504_update_log_varchar.js

@@ -26,8 +26,8 @@ exports.up = async function up(knex) {
     await knex.schema
       .raw('DROP VIEW location_update_log_latest;')
       .alterTable('location_update_log', table => {
-        table.text('message').alter();
-        table.text('entity_name').nullable().alter();
+        table.text('message').alter({ alterType: true });
+        table.text('entity_name').nullable().alter({ alterType: true });
       }).raw(`
         CREATE VIEW location_update_log_latest AS
         SELECT t1.* FROM location_update_log t1
@@ -53,8 +53,8 @@ exports.down = async function down(knex) {
     await knex.schema
       .raw('DROP VIEW location_update_log_latest;')
       .alterTable('location_update_log', table => {
-        table.string('message').alter();
-        table.string('entity_name').nullable().alter();
+        table.string('message').alter({ alterType: true });
+        table.string('entity_name').nullable().alter({ alterType: true });
       }).raw(`
         CREATE VIEW location_update_log_latest AS
         SELECT t1.* FROM location_update_log t1

plugins/catalog-backend/package.json

@@ -52,7 +52,7 @@
     "fs-extra": "9.1.0",
     "git-url-parse": "^11.6.0",
     "glob": "^7.1.6",
-    "knex": "^0.95.1",
+    "knex": "^1.0.2",
     "lodash": "^4.17.21",
     "luxon": "^2.0.2",
     "node-fetch": "^2.6.1",
@@ -75,9 +75,9 @@
     "@types/supertest": "^2.0.8",
     "@types/uuid": "^8.0.0",
     "@types/yup": "^0.29.13",
+    "@vscode/sqlite3": "^5.0.7",
     "aws-sdk-mock": "^5.2.1",
     "msw": "^0.35.0",
-    "sqlite3": "^5.0.1",
     "supertest": "^6.1.3",
     "wait-for-expect": "^3.0.2",
     "luxon": "^2.0.2"

plugins/code-coverage-backend/package.json

@@ -30,7 +30,7 @@
     "express": "^4.17.1",
     "express-promise-router": "^4.1.0",
     "express-xml-bodyparser": "^0.3.0",
-    "knex": "^0.95.1",
+    "knex": "^1.0.2",
     "uuid": "^8.3.2",
     "winston": "^3.2.1",
     "yn": "^4.0.0"

plugins/scaffolder-backend/package.json

@@ -59,7 +59,7 @@
     "isbinaryfile": "^4.0.8",
     "isomorphic-git": "^1.8.0",
     "jsonschema": "^1.2.6",
-    "knex": "^0.95.1",
+    "knex": "^1.0.2",
     "lodash": "^4.17.21",
     "luxon": "^2.0.2",
     "morgan": "^1.10.0",

plugins/search-backend-module-pg/package.json

@@ -24,7 +24,7 @@
     "@backstage/search-common": "^0.2.2",
     "@backstage/plugin-search-backend-node": "^0.4.5",
     "lodash": "^4.17.21",
-    "knex": "^0.95.1"
+    "knex": "^1.0.2"
   },
   "devDependencies": {
     "@backstage/backend-test-utils": "^0.1.16",

plugins/tech-insights-backend/package.json

@@ -41,7 +41,7 @@
     "@types/express": "^4.17.6",
     "express": "^4.17.1",
     "express-promise-router": "^4.1.0",
-    "knex": "^0.95.1",
+    "knex": "^1.0.2",
     "lodash": "^4.17.21",
     "luxon": "^2.0.2",
     "node-cron": "^3.0.0",

plugins/techdocs-backend/package.json

@@ -46,7 +46,7 @@
     "express": "^4.17.1",
     "express-promise-router": "^4.1.0",
     "fs-extra": "9.1.0",
-    "knex": "^0.95.1",
+    "knex": "^1.0.2",
     "lodash": "^4.17.21",
     "node-fetch": "^2.6.1",
     "p-limit": "^3.1.0",