
Update dependency @azure/identity to v4 [SECURITY]#12480

Open

renovate[bot] wants to merge 1 commit into master from renovate/npm-azure-identity-vulnerability

Conversation


@renovate renovate Bot commented Apr 15, 2026

This PR contains the following updates:

Package: @azure/identity (source)
Change: ^3.2.1 → ^4.0.0

Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability

CVE-2024-35255 / GHSA-m5vv-6r4h-3vj9

More information

Details

Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability.

Severity

  • CVSS Score: 6.8 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

Azure/azure-sdk-for-js (@azure/identity)

v4.2.1

v4.2.0

v4.1.0

4.1.0 (2024-08-07)
Features Added
  • Vector Search: This feature introduces vector indexes, vector embedding policy and vector queries to enable vector similarity search in JS SDK. docs
  • All versions and deletes mode in change feed: The All versions and deletes mode is added in change feed mode which captures every version and every change (create, update, and delete) made to items. docs
  • Bypassing integrated cache: The option to bypass integrated cache is now available in RequestOptions. docs
  • Computed Properties: Support for adding Computed Properties in items is added. docs
  • Composite Indexing: The JS SDK now supports including composite indexes in the indexing policy, improving query performance on multiple fields. docs
  • Correlated Activity Id: Correlated Activity Id is added in header of every query request on Items. This helps in troubleshooting by linking all requests for a query that involves multiple server interactions and partitions. Correlated Activity Id can be accessed through query response headers or response.correlatedActivityId.
  • Split proof Bulk API: Earlier, whenever Bulk API encountered a partition split during processing, it would return an error message. Now, JS SDK ensures that the Bulk API is resistant to partition split. #18682
  • Improved samples: The samples have been updated in this release, now organized into two folders: v3 for features up to the v3 release, and v4 for features up to the v4 release.
  • Added support for MakeList and MakeSet query aggregators
Vector Search
  • The following sample shows how to create a container with vector embedding and indexing policies.
// define vector indexing policy
const vectorEmbeddingPolicy = {
  vectorEmbeddings: [
    {
      path: "/vector1",
      dataType: VectorEmbeddingDataType.UInt8,
      dimensions: 1000,
      distanceFunction: VectorEmbeddingDistanceFunction.Euclidean,
    },
    {
      path: "/vector2",
      dataType: VectorEmbeddingDataType.Int8,
      dimensions: 200,
      distanceFunction: VectorEmbeddingDistanceFunction.DotProduct,
    },
    {
      path: "/vector3",
      dataType: VectorEmbeddingDataType.UInt8,
      dimensions: 400,
      distanceFunction: VectorEmbeddingDistanceFunction.Cosine,
    },
  ],
};

// add vector indexes in Indexing Policy
const indexingPolicy = {
  automatic: true,
  indexingMode: "consistent",
  vectorIndexes: [
    { path: "/vector1", type: VectorIndexType.Flat },
    { path: "/vector2", type: VectorIndexType.QuantizedFlat },
    { path: "/vector3", type: VectorIndexType.DiskANN },
  ],
};

// define and create container with vector Embedding Policy
const containerDefinition = {
  id: containerId,
  partitionKey: { paths: ["/id"] },
  indexingPolicy: indexingPolicy,
  vectorEmbeddingPolicy: vectorEmbeddingPolicy,
};
await database.containers.createIfNotExists(containerDefinition);
  • Vector Search queries without TOP or LIMIT+OFFSET are blocked by default, with an option to disable this check using allowUnboundedNonStreamingQueries in query FeedOptions. Also added an internal buffer size check to prevent excessive memory consumption, throwing errors if the buffer size exceeds the default. The max buffer size can be increased using the vectorSearchBufferSize option from query FeedOptions.
Change Feed - All versions and deletes mode
  • The AllVersionsAndDeletes mode is only supported with ChangeFeedStartFrom.Now and ChangeFeedStartFrom.Continuation.
  • To read from the change feed in all versions and deletes mode, include changeFeedMode in changeFeedIteratorOptions:
    const changeFeedIteratorOptions: ChangeFeedIteratorOptions = {
      maxItemCount: 5,
      changeFeedStartFrom: ChangeFeedStartFrom.Now(),
      changeFeedMode: ChangeFeedMode.AllVersionsAndDeletes,
    };
    const iterator = container.items.getChangeFeedIterator(changeFeedIteratorOptions);
Bypassing Integrated Cache
  • Here is a sample showing how to enable bypassIntegratedCache in RequestOptions.
  const options: RequestOptions = {bypassIntegratedCache: true};
  const response = await container.item("1").read(options);
Computed Properties
  • The following snippet configures computed properties for a container:
    const computedProperties: ComputedProperty[] = [{
      name: "lowerLastName",
      query:
        "SELECT VALUE LOWER(IS_DEFINED(c.lastName) ? c.lastName : c.parents[0].familyName) FROM c",
    },];
    const { resource: containerdef } = await database.containers.createIfNotExists({
      id: containerName,
      computedProperties: computedProperties,
      indexingPolicy: indexingPolicy,
    });
    const container: Container = database.container(containerdef.id);
Composite Indexing
  • Here's a sample of adding composite indexes for a container:
    const containerDefinition: ContainerDefinition = {
      id: "containerWithCompositeIndexingPolicy",
      indexingPolicy: {
        automatic: true,
        indexingMode: IndexingMode.consistent,
        includedPaths: [
          {
            path: "/*",
          },
        ],
        excludedPaths: [],
        compositeIndexes: [
          [
            { path: "/key", order: "ascending" },
            { path: "/field", order: "ascending" },
          ],
        ],
      },
    };
    await database.containers.create(containerDefinition);
  • Added support for passing a custom HttpClient when constructing a CosmosClient.
Breaking Changes
Dropped Support for TypeScript 4.1
  • We have opted to discontinue support for TypeScript version 4.1. Consequently, the minimum supported TypeScript version has been elevated to 4.2. Kindly ensure that your environment is promptly updated to align with these changes.
Bugs Fixed
  • Fix Bulk operations (Read, Delete, and Patch) failing due to the wrong partition key format in a non-partitioned container.

Other versions in the update range (release notes not expanded): v4.0.1, v4.0.0, v3.4.2, v3.4.1, v3.4.0, v3.3.2, v3.3.1, v3.3.0, v3.2.4


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate.

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Apr 15, 2026


entelligence-ai-pr-reviews Bot commented Apr 15, 2026

EntelligenceAI PR Summary

This PR performs a major version upgrade of @azure/identity from ^3.2.1 to ^4.0.0 across all relevant packages in the monorepo.

  • Affected packages: packages/integration, plugins/azure-sites-backend, plugins/catalog-backend-module-msgraph, plugins/kubernetes-backend, plugins/techdocs-node
  • yarn.lock resolves @azure/identity to v4.13.1 with cascading Azure SDK and MSAL v5/v16 updates
  • Adds @typespec/ts-http-runtime as a new transitive dependency for the Azure REST pipeline
  • Pins several @backstage/* packages to specific older versions for plugin compatibility
  • Upgrades miscellaneous dependencies: node-fetch, cross-fetch, core-js, tslib, dompurify, react-syntax-highlighter, and open

Confidence Score: 3/5 - Review Recommended

Likely safe but review recommended — this PR upgrades @azure/identity from ^3.2.1 to ^4.0.0 across five packages (packages/integration, plugins/azure-sites-backend, plugins/catalog-backend-module-msgraph, plugins/kubernetes-backend, plugins/techdocs-node), which is a well-motivated security update, but the absence of any source code changes alongside a major version bump is a red flag. The v4 release of @azure/identity includes breaking changes such as removed or renamed credential classes and configuration options, and without corresponding code updates the consuming modules may silently rely on APIs that no longer exist or behave differently at runtime. The transitive pull-in of MSAL v5/v16 and the new @typespec/ts-http-runtime dependency also warrants verification that no authentication flows in these plugins are subtly broken.

Key Findings:

  • No source code changes accompany the @azure/identity major version bump in any of the five affected packages — if any plugin uses credential classes or options that were removed or renamed in v4 (e.g., ClientSecretCredential option shape changes, removed AuthorityHost patterns, or altered ManagedIdentityCredential behavior), those failures will only surface at runtime, not at build time.
  • The yarn.lock resolution to v4.13.1 brings in MSAL v5/v16 as transitive dependencies, which have their own breaking changes around token caching and authentication flows; plugins like catalog-backend-module-msgraph and kubernetes-backend that perform interactive or service-principal authentication are particularly exposed to silent behavioral regressions.
  • The addition of @typespec/ts-http-runtime as a new transitive dependency for the Azure REST pipeline is unreviewed — its surface area, license compatibility, and whether it introduces any peer-dependency conflicts across the monorepo have not been validated.
  • This is a security-motivated upgrade (SECURITY label), which is a strong positive — the intent is correct and deferring this upgrade would leave known vulnerabilities unaddressed, but the lack of integration test evidence or explicit compatibility confirmation weakens confidence.
Files requiring special attention
  • plugins/catalog-backend-module-msgraph/package.json
  • plugins/kubernetes-backend/package.json
  • plugins/techdocs-node/package.json
  • plugins/azure-sites-backend/package.json
  • yarn.lock


@entelligence-ai-pr-reviews entelligence-ai-pr-reviews Bot left a comment


Walkthrough

This PR upgrades the @azure/identity dependency from ^3.2.1 to ^4.0.0 across five packages in the monorepo. The yarn.lock file reflects the resolved version as v4.13.1 and includes cascading updates to related Azure SDK packages, MSAL libraries, and several other transitive dependencies, along with pinned Backstage package versions for compatibility.

Changes

File(s) and summary:

  • packages/integration/package.json, plugins/azure-sites-backend/package.json, plugins/catalog-backend-module-msgraph/package.json, plugins/kubernetes-backend/package.json, plugins/techdocs-node/package.json: bumps the @azure/identity dependency from ^3.2.1 to ^4.0.0 (major version upgrade).
  • yarn.lock: resolves @azure/identity to v4.13.1; updates cascading Azure SDK packages (@azure/core-auth, @azure/core-client, @azure/core-rest-pipeline, @azure/core-tracing, @azure/core-util, @azure/logger); upgrades MSAL libraries (@azure/msal-browser v5, @azure/msal-common v16, @azure/msal-node v5); adds @typespec/ts-http-runtime; pins several @backstage/* packages to older versions; upgrades node-fetch to 2.7.0, cross-fetch to 3.2.0, core-js to 3.49.0, tslib to 2.8.1, dompurify to 2.5.9, react-syntax-highlighter to 15.6.6, and open to v10; adds a large set of new transitive dependencies for older Backstage component versions.

Sequence Diagram

This diagram shows the interactions between components:

sequenceDiagram
    title @azure/identity v3 -> v4 Upgrade Across Backstage Packages

    participant Integration as "@backstage/integration"
    participant AzSites as "azure-sites-backend"
    participant MsGraph as "catalog-backend-module-msgraph"
    participant K8s as "kubernetes-backend"
    participant TechDocs as "techdocs-node"
    participant Identity as "@azure/identity ^4.0.0"
    participant MSALNode as "@azure/msal-node ^5.1.0"
    participant MSALBrowser as "@azure/msal-browser ^5.5.0"
    participant MSALCommon as "@azure/msal-common 16.4.1"
    participant CoreRest as "@azure/core-rest-pipeline ^1.22.0"
    participant TypeSpec as "@typespec/ts-http-runtime ^0.3.4"
    participant OpenPkg as "open ^10.1.0"

    Note over Integration, TechDocs: All 5 packages upgrade @azure/identity 3.2.1 -> 4.0.0
    Integration->>Identity: depends on
    AzSites->>Identity: depends on
    MsGraph->>Identity: depends on
    K8s->>Identity: depends on
    TechDocs->>Identity: depends on

    Note over Identity: @azure/identity ^4.0.0 (was ^3.2.1)
    Identity->>MSALNode: @azure/msal-node ^5.1.0
    Note over MSALNode: was ^1.17.3
    Identity->>MSALBrowser: @azure/msal-browser ^5.5.0
    Note over MSALBrowser: was ^2.37.1
    MSALNode-->>MSALCommon: @azure/msal-common 16.4.1
    MSALBrowser-->>MSALCommon: @azure/msal-common 16.4.1
    Note over MSALCommon: was 13.1.0
    Identity->>CoreRest: @azure/core-rest-pipeline ^1.22.0
    Note over CoreRest: was ^1.1.0
    CoreRest->>TypeSpec: @typespec/ts-http-runtime ^0.3.4
    Note over TypeSpec: NEW — replaces direct http/https-proxy-agent deps
    TypeSpec->>TypeSpec: http-proxy-agent ^7.0.0
    TypeSpec->>TypeSpec: https-proxy-agent ^7.0.0

    Identity->>OpenPkg: open ^10.1.0
    Note over OpenPkg: was ^8.0.0
    Note over OpenPkg: New transitive deps: default-browser, is-inside-container, wsl-utils
    Note over Identity: Removed: jws, stoppable, events, uuid (direct deps)


"@aws-sdk/node-http-handler": "^3.350.0",
"@aws-sdk/types": "^3.347.0",
"@azure/identity": "^3.2.1",
"@azure/identity": "^4.0.0",
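Review bot: the engines.node constraint should be raised together with the ^4.0.0 range in this hunk; a later review comment notes that @azure/identity v4 requires Node.js >= 18 while the repo still declares engines.node as 16 || 18, so either bump engines.node in the same change or state that Node 16 is dropped, otherwise Node 16 installs only fail after merge.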


Correctness: Upgrading @azure/identity from ^3.2.1 to ^4.0.0 is a major version bump — v4 introduced breaking changes including removal/renaming of certain credential classes and options. The PR includes no source code changes (only package.json and yarn.lock), so any usage of removed APIs in the codebase will break at runtime without corresponding code updates.

🤖 AI Agent Prompt for Cursor/Windsurf


In plugins/techdocs-node/package.json at line 47, `@azure/identity` was bumped from `^3.2.1` to `^4.0.0`. This is a major version upgrade with breaking changes. Search all source files in plugins/techdocs-node/src that import from `@azure/identity` and verify they are compatible with the v4 API (e.g., check for renamed or removed credential classes such as `InteractiveBrowserCredential` options changes, `TokenCredentialOptions` restructuring, etc.). Update any incompatible usages to match the v4 API surface.


augmentcode Bot commented Apr 15, 2026

🤖 Augment PR Summary

Summary: This PR upgrades the Azure Identity client library used across the repo to the v4 major line, in response to a reported security vulnerability.

Changes:

  • Bumped @azure/identity from ^3.2.1 to ^4.0.0 in packages/integration.
  • Bumped @azure/identity from ^3.2.1 to ^4.0.0 in Azure-related backend plugins (Azure Sites, MS Graph catalog module, Kubernetes backend, TechDocs node).
  • Updated the lockfile to pull in the resolved v4 dependency graph.

Technical Notes: This is a major-version upgrade; consumers should validate Azure auth flows and any Node/runtime requirements introduced by the new major.



@augmentcode augmentcode Bot left a comment


Review completed. 1 suggestion posted.



},
"dependencies": {
"@azure/identity": "^3.2.1",
"@azure/identity": "^4.0.0",
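Review bot: the new ^4.0.0 range in this hunk is only a floor; the lockfile resolves it to v4.13.1 (per the summary above), but an install that does not honour the lockfile may pick any 4.x release from 4.0.0 upward, so if the first release patched for CVE-2024-35255 is above 4.0.0, set the range's lower bound to that version so that package.json alone closes the advisory.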

@augmentcode augmentcode Bot Apr 15, 2026


@azure/identity v4 has an upstream breaking change of requiring Node.js >= 18; this repo still declares engines.node as 16 || 18, so Node 16 installs/runs are likely to fail once this is merged.

Severity: high

Other Locations
  • plugins/azure-sites-backend/package.json:37
  • plugins/catalog-backend-module-msgraph/package.json:48
  • plugins/kubernetes-backend/package.json:55
  • plugins/techdocs-node/package.json:47


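The two review points above (a package.json range floor that may sit below the advisory's first fixed release, and an engines.node field that still admits Node 16 although @azure/identity v4 requires Node >= 18) can be checked mechanically before merge. This is an added example, not code from the PR, Renovate or Backstage: the package.json and yarn.lock excerpts are constructed, FIXED_VERSION 4.2.1 is an assumption taken from the newest entry in the release-notes list, and parseLock/checkUpgrade are hypothetical helper names.

```javascript
const DEP = "@azure/identity";
// Assumption: 4.2.1 is the first release fixing CVE-2024-35255 (newest entry in the
// PR's release-notes list); confirm against the advisory before relying on it.
const FIXED_VERSION = "4.2.1";
const REQUIRED_NODE_MAJOR = 18; // review comment: @azure/identity v4 needs Node >= 18
// Constructed sample inputs (not the repository's real files).
const packageJson = {
  name: "plugin-techdocs-node",
  engines: { node: "16 || 18" },
  dependencies: { [DEP]: "^4.0.0" },
};
const yarnLock = [
  '"@azure/identity@npm:^4.0.0":',
  "  version: 4.13.1",
  '  resolution: "@azure/identity@npm:4.13.1"',
].join("\n");
// Numeric [major, minor, patch] from specs like "^4.0.0", " 18" or "4.13.1".
function parseVersion(spec) {
  return spec.trim().replace(/^[^\d]+/, "").split(".").map((n) => Number(n) || 0);
}
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Map each lockfile entry key (e.g. "@azure/identity@npm:^4.0.0") to its resolved
// version; accepts both `version: x` (Yarn berry) and `version "x"` (Yarn 1).
function parseLock(text) {
  const out = {};
  let keys = [];
  for (const line of text.split("\n")) {
    if (/^\S/.test(line) && line.endsWith(":")) {
      keys = line.slice(0, -1).split(",").map((k) => k.trim().replace(/^"|"$/g, ""));
    } else {
      const m = line.match(/^\s+version:?\s+"?([\d.]+)"?/);
      if (m) for (const k of keys) out[k] = m[1];
    }
  }
  return out;
}

// Reviewer questions: does the declared range by itself guarantee the fix, what did
// the lockfile resolve, and can engines.node still pick an unsupported Node major?
function checkUpgrade(pkg, lockText) {
  const range = pkg.dependencies[DEP];
  const lock = parseLock(lockText);
  const locked = lock[`${DEP}@npm:${range}`] || lock[`${DEP}@${range}`] || null;
  const nodeMajors = (pkg.engines?.node || "").split("||").map((s) => parseVersion(s)[0]);
  return {
    locked,
    rangeFloorBelowFix: compareVersions(range, FIXED_VERSION) < 0,
    lockedBelowFix: locked !== null && compareVersions(locked, FIXED_VERSION) < 0,
    enginesAllowUnsupportedNode: nodeMajors.some((m) => m < REQUIRED_NODE_MAJOR),
  };
}
console.log(checkUpgrade(packageJson, yarnLock));
```

On the constructed input the lockfile resolution is already above the assumed fix, but the range floor and the engines field are both flagged, which is exactly the combination the two review comments describe.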

@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action: Warn
Severity: High
Alert: License policy violation: npm atob under CC-BY-3.0

License: CC-BY-3.0 - The applicable license policy does not permit this license (package/LICENSE.DOCS)

From: npm/atob@2.1.2

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/atob@2.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.



Labels

area:catalog area:techdocs dependencies Pull requests that update a dependency file
