
Conversation

@q1blue (Collaborator) commented Oct 30, 2025


Snyk has created this PR to upgrade @swc/core from 1.3.68 to 1.13.20.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 457 versions ahead of your current version.

  • The recommended version was released a month ago.


Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.



EntelligenceAI PR Summary

This PR upgrades the SWC (Speedy Web Compiler) in the Backstage microsite from version ^1.3.46 to ^1.13.20 (resolving to 1.14.0). The upgrade includes updates to all platform-specific binaries and introduces new transitive dependencies @swc/counter and @swc/types, along with updated peer dependency requirements for @swc/helpers.

@codesandbox bot commented Oct 30, 2025

Review or Edit in CodeSandbox: open the branch in Web Editor, VS Code or Insiders, or open the preview.

@snyk-io

snyk-io bot commented Oct 30, 2025

Snyk checks have passed. No issues have been found so far.

Status Scanner Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues


@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert
Warn Critical
@babel/traverse@7.19.1 has a Critical CVE.

CVE: GHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code (CRITICAL)

Affected versions: < 7.23.2; >= 8.0.0-alpha.0 < 8.0.0-alpha.4

Patched version: 7.23.2

From: npm/@graphql-codegen/cli@3.3.0, npm/@graphql-codegen/typescript@3.0.3, npm/@graphql-codegen/typescript-resolvers@3.2.0, npm/jscodeshift@0.15.0, npm/jscodeshift-add-imports@1.0.10, npm/@graphql-codegen/graphql-modules-preset@3.1.2, npm/@babel/traverse@7.19.1


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/traverse@7.19.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Critical
form-data@2.3.3 has a Critical CVE.

CVE: GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary (CRITICAL)

Affected versions: < 2.5.4; >= 3.0.0 < 3.0.4; >= 4.0.0 < 4.0.4

Patched version: 2.5.4

From: npm/cypress@10.11.0, npm/@types/node-fetch@2.6.4, npm/@azure/storage-blob@12.14.0, npm/isomorphic-form-data@2.0.0, npm/@graphql-codegen/cli@3.3.0, npm/@azure/arm-appservice@13.0.3, npm/@asyncapi/react-component@1.0.0-next.48, npm/@gitbeaker/core@35.8.1, npm/@gitbeaker/node@35.8.1, npm/@azure/arm-resourcegraph@4.2.1, npm/@azure/identity@3.2.3, npm/form-data@2.3.3


Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/form-data@2.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Critical
jsonpath-plus@5.1.0 has a Critical CVE.

CVE: GHSA-pppg-cpfq-h7wr JSONPath Plus Remote Code Execution (RCE) Vulnerability (CRITICAL)

Affected versions: < 10.2.0

Patched version: 10.2.0

From: npm/@kubernetes/client-node@0.18.1, npm/@stoplight/spectral-core@1.18.0, npm/json-rules-engine@6.1.2, npm/jsonpath-plus@5.1.0


Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/jsonpath-plus@5.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report
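Socket's "dependency overrides" suggestion, as an added example that is not part of this PR or of Socket's tooling: a Node script that parses a yarn.lock v1 file (the format the microsite uses), checks every resolved version against the affected ranges quoted in the three alerts above, and derives the yarn `resolutions` map. The lockfile text in `SAMPLE_LOCK` and every function name are constructed for this example; the GHSA ids, affected ranges and fixed versions are copied from the alerts.

```javascript
// Added example (not code from the Backstage PR or from Socket): scan a yarn.lock v1
// for the affected ranges in the three Socket alerts above and derive yarn "resolutions".
// SAMPLE_LOCK is a constructed yarn v1 excerpt, not the microsite's real file; all names
// here are invented for the example; GHSA ids, ranges and fixes are copied from the alerts.
// affected = clauses (Socket's "; "), each a list of comparators that must all hold;
// a clause's "<" bound is the first fixed version on that release line.
const ADVISORIES = [
  { name: '@babel/traverse', id: 'GHSA-67hx-6x53-jw92',
    affected: [[['<', '7.23.2']], [['>=', '8.0.0-alpha.0'], ['<', '8.0.0-alpha.4']]] },
  { name: 'form-data', id: 'GHSA-fjxv-7rqg-78g4',
    affected: [[['<', '2.5.4']], [['>=', '3.0.0'], ['<', '3.0.4']], [['>=', '4.0.0'], ['<', '4.0.4']]] },
  { name: 'jsonpath-plus', id: 'GHSA-pppg-cpfq-h7wr', affected: [[['<', '10.2.0']]] },
];

const SAMPLE_LOCK = `# yarn lockfile v1
"@babel/traverse@^7.19.0", "@babel/traverse@^7.7.0":
  version "7.19.1"

form-data@^2.3.2, form-data@~2.3.2:
  version "2.3.3"

form-data@^4.0.0:
  version "4.0.0"

jsonpath-plus@^5.0.7:
  version "5.1.0"

jsonpath-plus@^10.2.0:
  version "10.2.0"
`;

// "1.2.3-alpha.4" -> { core: [1, 2, 3], pre: ['alpha', '4'] }
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [1, 2, 3].map((i) => Number(m[i])), pre: m[4] ? m[4].split('.') : [] };
}

// Semver precedence: core first; a prerelease sorts below its release; numeric ids first.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) if (x.core[i] !== y.core[i]) return x.core[i] < y.core[i] ? -1 : 1;
  if (!x.pre.length || !y.pre.length) return Math.sign(y.pre.length - x.pre.length);
  for (let i = 0; i < Math.min(x.pre.length, y.pre.length); i++) {
    const [p, q] = [x.pre[i], y.pre[i]], [np, nq] = [/^\d+$/.test(p), /^\d+$/.test(q)];
    if (np && nq && Number(p) !== Number(q)) return Number(p) < Number(q) ? -1 : 1;
    if (np !== nq) return np ? -1 : 1;
    if (!np && p !== q) return p < q ? -1 : 1;
  }
  return Math.sign(x.pre.length - y.pre.length);
}

const OPS = { '<': (c) => c < 0, '<=': (c) => c <= 0, '>': (c) => c > 0, '>=': (c) => c >= 0 };

// First fixed version for `version` (the "<" bound of the clause it falls in),
// or null when it is outside every affected clause.
function fixFor(version, affected) {
  const clause = affected.find((c) => c.every(([op, b]) => OPS[op](compareVersions(version, b))));
  const upper = clause && clause.find(([op]) => op === '<');
  return upper ? upper[1] : null;
}

// yarn.lock v1: an unindented line ending in ":" lists an entry's descriptors
// ("name@range", optionally quoted, comma separated); the indented `version "x"` follows.
function parseYarnLock(text) {
  const entries = [];
  for (const line of text.split(/\r?\n/)) {
    const head = /^([^\s#].*):$/.exec(line);
    const ver = /^\s+version\s+"?([^"\s]+)"?\s*$/.exec(line);
    if (head) {
      const first = head[1].split(',')[0].trim().replace(/^"|"$/g, '');
      entries.push({ name: first.slice(0, first.lastIndexOf('@')), version: null }); // keeps "@scope/"
    } else if (ver && entries.length) entries[entries.length - 1].version = ver[1];
  }
  return entries.filter((e) => e.version !== null);
}

function findVulnerable(lockText, advisories = ADVISORIES) {
  const findings = [];
  for (const e of parseYarnLock(lockText)) for (const adv of advisories) {
    const fix = e.name === adv.name ? fixFor(e.version, adv.affected) : null;
    if (fix !== null) findings.push({ name: e.name, version: e.version, id: adv.id, fix });
  }
  return findings;
}

// yarn v1 "resolutions" keys are package names or glob paths, never ranges, so a package
// affected on two release lines (form-data 2.x and 4.x here) goes to `conflicts` instead.
function resolutionsFor(findings) {
  const fixes = {};
  for (const f of findings) (fixes[f.name] || (fixes[f.name] = new Set())).add(f.fix);
  const resolutions = {}, conflicts = {};
  for (const [name, set] of Object.entries(fixes)) {
    if (set.size === 1) resolutions[name] = [...set][0];
    else conflicts[name] = [...set].sort(compareVersions);
  }
  return { resolutions, conflicts };
}

console.log(JSON.stringify(resolutionsFor(findVulnerable(SAMPLE_LOCK)), null, 2));
```

Run it with `node` to see the result for the sample, or pass the contents of `microsite/yarn.lock` to `findVulnerable`. Two caveats the script makes visible: yarn v1 `resolutions` keys are package names, not ranges, so form-data, affected on both the 2.x and 4.x lines, cannot be fixed with one override without forcing the same major onto every consumer (it is reported under `conflicts`); and a fix that crosses majors, as moving jsonpath-plus from 5.1.0 to 10.2.0 does, changes the API its consumer (@kubernetes/client-node@0.18.1 in the alert's dependency list) was written against, so it needs a build and test run or a consumer upgrade rather than a blind `npm audit fix --force`.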

@entelligence-ai-pr-reviews

📝 Walkthrough

This PR performs a significant version upgrade of the SWC compiler used in the Backstage microsite, jumping approximately 10 minor versions from 1.3.46 to 1.13.20/1.14.0. The microsite is a Docusaurus-based documentation site that uses SWC through swc-loader for TypeScript/JSX transpilation. This upgrade brings potential performance improvements but introduces compatibility risks due to the large version jump.

The changes are isolated to the microsite component, updating both the package.json dependency declaration and the complete yarn.lock file with new dependency resolutions. New transitive dependencies are introduced (@swc/counter and @swc/types), and peer dependency requirements are updated, requiring @swc/helpers version >=0.5.17 instead of the previous ^0.5.0.

⚠️ Critical concerns include potential compatibility issues with the existing swc-loader@0.2.3 configuration, missing verification of Docusaurus integration, and peer dependency version mismatches that could cause runtime errors.


📊 Changes

File Change
microsite/package.json Updated @swc/core dependency from ^1.3.46 to ^1.13.20
microsite/yarn.lock Complete lockfile update with SWC 1.14.0 resolution, new transitive dependencies (@swc/counter, @swc/types), and updated platform-specific binaries

🔍 Key Dependency Changes

  • @swc/core: 1.3.46 → 1.14.0 (resolved version)
  • @swc/helpers peer dependency: ^0.5.0 → >=0.5.17
  • New dependencies: @swc/counter@^0.1.3, @swc/types@^0.1.25
  • All platform binaries: Updated to 1.14.0 (darwin-arm64, darwin-x64, linux-arm-gnueabihf, etc.)

Sequence Diagram

This diagram shows the interactions between components:

sequenceDiagram
    participant PM as Package Manager
    participant PKG as package.json
    participant SWC as @swc/core
    participant Counter as @swc/counter
    participant Types as @swc/types
    participant Binary as Platform Binary

    Note over PM,PKG: Dependency Upgrade: @swc/core ^1.3.46 → ^1.13.20

    PM->>PKG: Read dependency requirements
    PKG-->>PM: @swc/core: ^1.13.20
    
    PM->>SWC: Resolve @swc/core version
    Note over SWC: Resolves to v1.14.0
    
    SWC->>PM: Declare new dependencies
    activate PM
    
    alt New dependency in v1.14.0
        SWC->>Counter: Require @swc/counter ^0.1.3
        Counter-->>SWC: v0.1.3 available
    end
    
    alt New dependency in v1.14.0
        SWC->>Types: Require @swc/types ^0.1.25
        Types->>Counter: Require @swc/counter ^0.1.3
        Counter-->>Types: v0.1.3 available
        Types-->>SWC: v0.1.25 available
    end
    
    deactivate PM
    
    Note over PM,Binary: Platform-Specific Binary Selection
    
    PM->>Binary: Detect OS and architecture
    Binary-->>PM: Platform metadata
    
    alt os=darwin & cpu=arm64
        PM->>Binary: Install @swc/core-darwin-arm64@1.14.0
    else os=darwin & cpu=x64
        PM->>Binary: Install @swc/core-darwin-x64@1.14.0
    else os=linux & cpu=x64
        PM->>Binary: Install @swc/core-linux-x64-gnu@1.14.0
    else os=win32 & cpu=x64
        PM->>Binary: Install @swc/core-win32-x64-msvc@1.14.0
    else Other platforms
        PM->>Binary: Install appropriate platform binary
    end
    
    Binary-->>PM: Binary installed (optional)
    
    Note over PM,PKG: Peer Dependency Updated<br/>@swc/helpers: ^0.5.0 → >=0.5.17
    
    PM->>PKG: Update yarn.lock with new resolutions
    PKG-->>PM: Lock file updated

🔒 Security Analysis

  • Vulnerabilities: 0
  • Bugs: 0
  • Code Smells: 0
  • Security Hotspots: 0

Caution

3 comments are outside the diff range and can't be posted inline due to platform limitations.

⚠️ View Outside Diff Range Comments (3)
🔴 Critical High Priority  ·  1 issue
microsite/yarn.lock  ·  1 comment

1. Line 155 · Correctness

🐛 Peer Dependency Version Mismatch Risk: The new SWC version requires @swc/helpers: ">=0.5.17" but the current project may not have this version installed. If @swc/helpers is not updated to 0.5.17+, runtime errors may occur. The main repository yarn.lock shows @swc/helpers: ^0.5.0 which may resolve to an incompatible version.

🟡 Medium Medium Priority  ·  2 issues
microsite/yarn.lock  ·  2 comments

1. Lines 168-180 · Performance

New Transitive Dependencies Without Justification: Introduction of new dependencies @swc/counter and @swc/types without clear necessity. @swc/counter is used only for download analytics tracking, and @swc/types provides TypeScript definitions for SWC APIs. These dependencies should be verified as actually needed for the microsite use case.


2. Line 197 · Correctness

Lock File Hash Changes: TypeScript patch hash changed, indicating potential changes to how TypeScript is processed. This could indicate changes in TypeScript compilation behavior or compatibility that need verification.


"@docusaurus/plugin-client-redirects": "0.0.0-5591",
"@docusaurus/preset-classic": "0.0.0-5591",
"@swc/core": "^1.3.46",
"@swc/core": "^1.13.20",
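Review bot: the new `"@swc/core": "^1.13.20"` line accepts any later 1.x release, so the 1.14.0 that the PR description says the lockfile resolved to is what a build gets only while `microsite/yarn.lock` is honored (for example `yarn install --frozen-lockfile` in the deploy workflow); decide before merging whether the lockfile is the pin, in which case the caret is fine, or whether this line should read `"@swc/core": "1.14.0"` for an exact pin of the build tool. The four lines shown change only the range; the new `@swc/core-*` platform binary entries and their `integrity` fields live in `microsite/yarn.lock` and should be reviewed there rather than taken from the summary.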


Correctness: 🐛 Significant Version Jump Without Gradual Migration: The upgrade jumps from 1.3.46 to 1.13.20/1.14.0, skipping numerous intermediate versions that contained breaking changes. Multiple AST breaking changes occurred between these versions, creating risk of build failures, transpilation errors, or runtime issues in the microsite.

"@docusaurus/plugin-client-redirects": "0.0.0-5591",
"@docusaurus/preset-classic": "0.0.0-5591",
"@swc/core": "^1.3.46",
"@swc/core": "^1.13.20",


Correctness: 🔒 Missing Compatibility Verification: No evidence of compatibility testing with the current Docusaurus version and SWC loader configuration. The microsite uses swc-loader version 0.2.3 which has peer dependency @swc/core: ^1.2.147. SWC 1.14.0 may introduce compatibility issues with this older loader version, and Docusaurus webpack configuration may not be compatible with SWC 1.14.x.

"@docusaurus/plugin-client-redirects": "0.0.0-5591",
"@docusaurus/preset-classic": "0.0.0-5591",
"@swc/core": "^1.3.46",
"@swc/core": "^1.13.20",


Correctness: ✨ Build Pipeline Impact Unknown: The microsite deployment workflow may be affected by SWC changes. The deploy_microsite.yml workflow builds the microsite with yarn build which uses SWC for transpilation, and this needs to be tested to ensure no breakage.

"@docusaurus/plugin-client-redirects": "0.0.0-5591",
"@docusaurus/preset-classic": "0.0.0-5591",
"@swc/core": "^1.3.46",
"@swc/core": "^1.13.20",


Style: ✨ Version Specification Inconsistency: Version specified as ^1.13.20 but resolves to 1.14.0. Consider using exact version pinning for critical build tools like SWC to ensure reproducible builds.

📝 Committable Code Suggestion


Suggested change
"@swc/core": "^1.13.20",
"@swc/core": "1.14.0",

"@docusaurus/plugin-client-redirects": "0.0.0-5591",
"@docusaurus/preset-classic": "0.0.0-5591",
"@swc/core": "^1.3.46",
"@swc/core": "^1.13.20",


Style: ✨ Missing Changelog or Migration Notes: No documentation of the upgrade reasoning or migration steps. Add context about why this upgrade is needed and what testing was performed to help future maintainers understand the change.

@github-actions

github-actions bot commented Nov 6, 2025

This PR has been automatically marked as stale because it has not had recent activity from the author. It will be closed if no further activity occurs. If the PR was closed and you want it re-opened, let us know and we'll re-open the PR so that you can continue the contribution!

@github-actions github-actions bot added the stale label Nov 6, 2025
@github-actions github-actions bot closed this Nov 11, 2025