chore(deps): bump the backstage group across 1 directory with 13 updates by dependabot[bot] · Pull Request #202 · buildkite/backstage-plugin

dependabot · 2026-04-18T03:07:07Z

Bumps the backstage group with 9 updates in the / directory:

Package	From	To
@backstage/catalog-model	`1.7.6`	`1.9.0`
@backstage/config	`1.3.6`	`1.3.8`
@backstage/core-compat-api	`0.5.7`	`0.5.11`
@backstage/frontend-defaults	`0.3.6`	`0.5.2`
@backstage/frontend-plugin-api	`0.13.4`	`0.17.1`
@backstage/cli	`0.35.4`	`0.36.2`
@backstage/dev-utils	`1.1.19`	`1.1.23`
@backstage/eslint-plugin	`0.2.1`	`0.3.0`
@backstage/test-utils	`1.7.14`	`1.7.18`

Updates @backstage/catalog-model from 1.7.6 to 1.9.0

Changelog

Sourced from @backstage/catalog-model's changelog.

1.9.0

Minor Changes

3664148: Introduced the AiResource catalog entity kind. Entity types, validators, type guards, and the model layer are exported from @backstage/catalog-model/alpha. Install @backstage/plugin-catalog-backend-module-ai-model in your backend to register the kind with the catalog.

be71476: Added spec.type: 'mcp-server' as a structured subtype of the API kind under v1alpha1/v1beta1. MCP server entities carry a spec.remotes list instead of a string definition, for representing Model Context Protocol servers in the catalog. See RFC #32062. New public exports: McpServerApiEntity, McpServerRemote, mcpServerApiEntityValidator, and isMcpServerApiEntity. Also adds addKindVersion to CatalogModelLayerBuilder (alpha) so layers can add new versions or spec types to existing kinds.

Patch Changes

ab1cdbb: Removed a handful of internal imports that referenced the package by its own name. Value imports were switched to relative paths, and type-only imports to import type. These self-referential imports could trigger circular initialization errors in bundled ESM and when the package was loaded via jest.requireActual — most visibly Cannot access '_AppRootElementBlueprintesm' before initialization from @backstage/frontend-plugin-api. There are no user-facing API changes.

Updated dependencies

@backstage/errors@1.3.1

1.8.1-next.1

Patch Changes

ab1cdbb: Removed a handful of internal imports that referenced the package by its own name. Value imports were switched to relative paths, and type-only imports to import type. These self-referential imports could trigger circular initialization errors in bundled ESM and when the package was loaded via jest.requireActual — most visibly Cannot access '_AppRootElementBlueprintesm' before initialization from @backstage/frontend-plugin-api. There are no user-facing API changes.

1.8.1-next.0

Patch Changes

Updated dependencies

@backstage/errors@1.3.1-next.0

@backstage/types@1.2.2

1.8.0

Minor Changes

e5fcfcb: Added a new catalog model layer system that allows plugins to declare and extend catalog entity kinds, annotations, labels, tags, and relations using JSON Schema. The new createCatalogModelLayer API provides a builder for composing model definitions, and a compileCatalogModel function validates and merges them into a unified model. Built-in entity kinds now include model layer definitions.

Patch Changes

Updated dependencies

@backstage/errors@1.3.0

1.7.8-next.0

Patch Changes

Updated dependencies

@backstage/errors@1.3.0-next.0

1.7.7

Patch Changes

a49a40d: Updated dependency zod to ^3.25.76 || ^4.0.0 & migrated to /v3 or /v4 imports.

Commits

See full diff in compare view

Updates @backstage/config from 1.3.6 to 1.3.8

Changelog

Sourced from @backstage/config's changelog.

1.3.8

Patch Changes

Updated dependencies

@backstage/errors@1.3.1

1.3.8-next.0

Patch Changes

Updated dependencies

@backstage/errors@1.3.1-next.0

@backstage/types@1.2.2

1.3.7

Patch Changes

Updated dependencies

@backstage/errors@1.3.0

1.3.7-next.0

Patch Changes

Updated dependencies

@backstage/errors@1.3.0-next.0

Commits

See full diff in compare view

Updates @backstage/core-compat-api from 0.5.7 to 0.5.11

Changelog

Sourced from @backstage/core-compat-api's changelog.

0.5.11

Patch Changes

744fa1f: Removed duplicated entries that appeared in both dependencies and devDependencies.

Updated dependencies

@backstage/errors@1.3.1

@backstage/frontend-plugin-api@0.17.0

@backstage/core-plugin-api@1.12.6

@backstage/filter-predicates@0.1.3

@backstage/plugin-catalog-react@3.0.0

@backstage/plugin-app-react@0.2.3

0.5.11-next.0

Patch Changes

744fa1f: Removed duplicated entries that appeared in both dependencies and devDependencies.

Updated dependencies

@backstage/errors@1.3.1-next.0

@backstage/plugin-catalog-react@2.1.5-next.0

@backstage/frontend-plugin-api@0.17.0-next.0

@backstage/core-plugin-api@1.12.6-next.0

@backstage/filter-predicates@0.1.3-next.0

@backstage/plugin-app-react@0.2.3-next.0

@backstage/types@1.2.2

@backstage/version-bridge@1.0.12

0.5.10

Patch Changes

77ab7d5: Hide the default page header for pages created through the compatibility wrappers, since legacy plugins already render their own headers.

49397c1: Removed unnecessary type argument from internal createRouteRef call.

Updated dependencies

@backstage/errors@1.3.0

@backstage/plugin-catalog-react@2.1.2

@backstage/frontend-plugin-api@0.16.0

@backstage/filter-predicates@0.1.2

@backstage/core-plugin-api@1.12.5

@backstage/plugin-app-react@0.2.2

0.5.10-next.2

Patch Changes

Updated dependencies

@backstage/errors@1.3.0-next.0

@backstage/plugin-catalog-react@2.1.2-next.2

@backstage/core-plugin-api@1.12.5-next.2

... (truncated)

Commits

See full diff in compare view

Updates @backstage/core-components from 0.18.6 to 0.18.10

Changelog

Sourced from @backstage/core-components's changelog.

0.18.10

Patch Changes

3846774: Added missing dependencies that were previously only available transitively.

021b368: Added stable DOM markers to the legacy Page and Header so adjacent layout components can coordinate spacing without relying on generated class names.

0c5e41f: Removed unused dependencies that had no imports in source code.

Updated dependencies

@backstage/errors@1.3.1

@backstage/core-plugin-api@1.12.6

@backstage/config@1.3.8

0.18.10-next.1

Patch Changes

021b368: Added stable DOM markers to the legacy Page and Header so adjacent layout components can coordinate spacing without relying on generated class names.

0.18.10-next.0

Patch Changes

3846774: Added missing dependencies that were previously only available transitively.

0c5e41f: Removed unused dependencies that had no imports in source code.

Updated dependencies

@backstage/errors@1.3.1-next.0

@backstage/config@1.3.8-next.0

@backstage/core-plugin-api@1.12.6-next.0

@backstage/theme@0.7.3

@backstage/version-bridge@1.0.12

0.18.9

Patch Changes

482ceed: Migrated from assertError to toError for error handling.

320eed3: Resolved DOM nesting warning in OAuthRequestDialog by rendering secondary text as block-level spans.

58b9f3f: Use Backstage Link component for markdown anchor rendering to ensure consistent internal and external link behavior.

Updated dependencies

@backstage/errors@1.3.0

@backstage/theme@0.7.3

@backstage/config@1.3.7

@backstage/core-plugin-api@1.12.5

0.18.9-next.1

Patch Changes

482ceed: Migrated from assertError to toError for error handling.

58b9f3f: Use Backstage Link component for markdown anchor rendering to ensure consistent internal and external link behavior.

... (truncated)

Commits

See full diff in compare view

Updates @backstage/core-plugin-api from 1.12.2 to 1.12.6

Changelog

Sourced from @backstage/core-plugin-api's changelog.

1.12.6

Patch Changes

ab1cdbb: Removed a handful of internal imports that referenced the package by its own name. Value imports were switched to relative paths, and type-only imports to import type. These self-referential imports could trigger circular initialization errors in bundled ESM and when the package was loaded via jest.requireActual — most visibly Cannot access '_AppRootElementBlueprintesm' before initialization from @backstage/frontend-plugin-api. There are no user-facing API changes.

Updated dependencies

@backstage/errors@1.3.1

@backstage/frontend-plugin-api@0.17.0

@backstage/config@1.3.8

1.12.6-next.1

Patch Changes

ab1cdbb: Removed a handful of internal imports that referenced the package by its own name. Value imports were switched to relative paths, and type-only imports to import type. These self-referential imports could trigger circular initialization errors in bundled ESM and when the package was loaded via jest.requireActual — most visibly Cannot access '_AppRootElementBlueprintesm' before initialization from @backstage/frontend-plugin-api. There are no user-facing API changes.

Updated dependencies

@backstage/frontend-plugin-api@0.17.0-next.1

1.12.6-next.0

Patch Changes

Updated dependencies

@backstage/errors@1.3.1-next.0

@backstage/frontend-plugin-api@0.17.0-next.0

@backstage/config@1.3.8-next.0

@backstage/types@1.2.2

@backstage/version-bridge@1.0.12

1.12.5

Patch Changes

Updated dependencies

@backstage/errors@1.3.0

@backstage/frontend-plugin-api@0.16.0

@backstage/config@1.3.7

1.12.5-next.2

Patch Changes

Updated dependencies

@backstage/errors@1.3.0-next.0

@backstage/config@1.3.7-next.0

@backstage/frontend-plugin-api@0.16.0-next.2

1.12.5-next.1

Patch Changes

... (truncated)

Commits

See full diff in compare view

Updates @backstage/frontend-defaults from 0.3.6 to 0.5.2

Changelog

Sourced from @backstage/frontend-defaults's changelog.

0.5.2

Patch Changes

482cc59: Invalid feature flag declarations are now treated as warnings rather than errors, letting the app load normally.

Updated dependencies

@backstage/core-components@0.18.10

@backstage/errors@1.3.1

@backstage/plugin-app@0.4.6

@backstage/frontend-app-api@0.16.3

@backstage/frontend-plugin-api@0.17.0

@backstage/config@1.3.8

0.5.2-next.1

Patch Changes

482cc59: Invalid feature flag declarations are now treated as warnings rather than errors, letting the app load normally.

Updated dependencies

@backstage/frontend-plugin-api@0.17.0-next.1

@backstage/frontend-app-api@0.16.3-next.1

@backstage/plugin-app@0.4.6-next.1

0.5.2-next.0

Patch Changes

Updated dependencies

@backstage/core-components@0.18.10-next.0

@backstage/errors@1.3.1-next.0

@backstage/plugin-app@0.4.6-next.0

@backstage/frontend-app-api@0.16.3-next.0

@backstage/frontend-plugin-api@0.17.0-next.0

@backstage/config@1.3.8-next.0

0.5.1

Patch Changes

Updated dependencies

@backstage/errors@1.3.0

@backstage/plugin-app@0.4.3

@backstage/frontend-plugin-api@0.16.0

@backstage/core-components@0.18.9

@backstage/frontend-app-api@0.16.2

@backstage/config@1.3.7

0.5.1-next.2

Patch Changes

... (truncated)

Commits

See full diff in compare view

Updates @backstage/frontend-plugin-api from 0.13.4 to 0.17.1

Changelog

Sourced from @backstage/frontend-plugin-api's changelog.

@backstage/frontend-plugin-api

0.17.2-next.0

Patch Changes

378784e: Moved dependencies that are re-exported in the public API from devDependencies to dependencies. These were incorrectly demoted in #33936 because the source code only uses type imports, but the types still appear in the published API surface and need to be resolvable by consumers at build time.

0.17.0

Minor Changes
44d77e9: BREAKING: Removed the deprecated NavItemBlueprint. Navigation items are now discovered from PageBlueprint extensions based on their title and icon params.

If you were still using NavItemBlueprint, migrate by moving title and icon to your PageBlueprint instead:
-const navItem = NavItemBlueprint.make({
-  params: { title: 'Example', icon: ExampleIcon, routeRef },
-});
 const page = PageBlueprint.make({
   params: {
+    title: 'Example',
+    icon: <ExampleIcon fontSize="inherit" />,
     routeRef,
     path: '/example',
     loader: () => import('./Page').then(m => <m.Page />),
   },
 });
PageBlueprint expects an IconElement rather than a Material UI IconComponent, so this is also a good time to switch to Remix Icon if you were using Material UI icons only for the nav item:
-import ExampleIcon from '@material-ui/icons/Extension';
+import { RiPuzzleLine } from '@remixicon/react';
 ...
-    icon: ExampleIcon,
+    icon: <RiPuzzleLine />,
8738203: BREAKING: Removed the deprecated property form of PortableSchema.schema. The schema member is now a plain method that must be called as schema() — direct property access like schema.type or schema.properties is no longer supported.
Patch Changes

ab1cdbb: Removed a handful of internal imports that referenced the package by its own name. Value imports were switched to relative paths, and type-only imports to import type. These self-referential imports could trigger circular initialization errors in bundled ESM and when the package was loaded via jest.requireActual — most visibly Cannot access '_AppRootElementBlueprintesm' before initialization from @backstage/frontend-plugin-api. There are no user-facing API changes.

cad156e: Replaced old config schema values from existing extensions and blueprints.

72a552f: Updated error messages and deprecation warnings to clarify that the zod/v4 subpath export from the Zod v3 package is not supported by configSchema, since it does not include JSON Schema conversion. The zod dependency has been bumped to ^4.0.0.

Updated dependencies

@backstage/errors@1.3.1

... (truncated)

Commits

See full diff in compare view

Updates @backstage/theme from 0.7.1 to 0.7.3

Changelog

Sourced from @backstage/theme's changelog.

0.7.3

Patch Changes

a0100d4: Fixes occasional duplication of v5 class name prefix for MUI 5 components.

Documentation added to explain how to resolve missing v5 prefix in class names when using MUI 5 components in main app.

0.7.3-next.0

Patch Changes

a0100d4: Fixes occasional duplication of v5 class name prefix for MUI 5 components.

Documentation added to explain how to resolve missing v5 prefix in class names when using MUI 5 components in main app.

0.7.2

Patch Changes

1c52dcc: add square shape

a7e0d50: Updated react-router-dom peer dependency to ^6.30.2 and explicitly disabled v7 future flags to suppress deprecation warnings.

0.7.2-next.1

Patch Changes

a7e0d50: Prepare for React Router v7 migration by updating to v6.30.2 across all NFS packages and enabling v7 future flags. Convert routes from splat paths to parent/child structure with Outlet components.

0.7.2-next.0

Patch Changes

1c52dcc: add square shape

Commits

See full diff in compare view

Updates @backstage/cli from 0.35.4 to 0.36.2

Changelog

Sourced from @backstage/cli's changelog.

0.36.2

Patch Changes

744fa1f: Removed duplicated entries that appeared in both dependencies and devDependencies.

Updated dependencies

@backstage/eslint-plugin@0.3.0

@backstage/errors@1.3.1

@backstage/cli-module-build@0.1.3

@backstage/cli-node@0.3.2

@backstage/cli-common@0.2.2

@backstage/cli-defaults@0.1.2

@backstage/cli-module-test-jest@0.1.2

0.36.2-next.1

Patch Changes

Updated dependencies

@backstage/eslint-plugin@0.3.0-next.0

@backstage/cli-node@0.3.2-next.1

0.36.2-next.0

Patch Changes

744fa1f: Removed duplicated entries that appeared in both dependencies and devDependencies.

Updated dependencies

@backstage/errors@1.3.1-next.0

@backstage/cli-module-build@0.1.3-next.0

@backstage/cli-common@0.2.2-next.0

@backstage/cli-node@0.3.2-next.0

@backstage/cli-defaults@0.1.2-next.0

@backstage/cli-module-test-jest@0.1.2-next.0

@backstage/eslint-plugin@0.2.3

0.36.1

Patch Changes

2e5c5f8: Bumped glob dependency from v7/v8/v11 to v13 to address security vulnerabilities in older versions. Bumped rollup from v4.27 to v4.59+ to fix a high severity path traversal vulnerability (GHSA-mw96-cpmx-2vgc).

482ceed: Migrated from assertError to toError for error handling.

a2f0c72: Removed the unused isDev export from the internal version module.

a7a14b7: Added DOM.AsyncIterable to the default lib in the shared TypeScript configuration, enabling standard async iteration support for DOM APIs such as FileSystemDirectoryHandle. This aligns behavior with TypeScript 6.0, where this lib is included in DOM by default.

Updated dependencies

@backstage/errors@1.3.0

@backstage/cli-module-build@0.1.1

@backstage/cli-module-test-jest@0.1.1

@backstage/cli-common@0.2.1

@backstage/cli-node@0.3.1

... (truncated)

Commits

See full diff in compare view

Updates @backstage/core-app-api from 1.19.4 to 1.20.1

Changelog

Sourced from @backstage/core-app-api's changelog.

1.20.1

Patch Changes

Updated dependencies

@backstage/ui@0.15.0

@backstage/core-plugin-api@1.12.6

@backstage/config@1.3.8

1.20.1-next.0

Patch Changes

Updated dependencies

@backstage/ui@0.15.0-next.0

@backstage/config@1.3.8-next.0

@backstage/core-plugin-api@1.12.6-next.0

@backstage/types@1.2.2

@backstage/version-bridge@1.0.12

1.20.0

Minor Changes

400aa23: Added FetchMiddlewares.clarifyFailures() which replaces the uninformative "TypeError: Failed to fetch" with a message that includes the request method and URL.

Patch Changes

9244b70: The default auth implementation now checks for a logoutUrl in the logout response body. If the auth provider returns one (e.g. Auth0 federated logout), the browser is redirected to that URL to clear the provider's session cookies. This is backward compatible — providers that return an empty response are unaffected.

Updated dependencies

@backstage/ui@0.14.0

@backstage/config@1.3.7

@backstage/core-plugin-api@1.12.5

1.20.0-next.2

Patch Changes

9244b70: The default auth implementation now checks for a logoutUrl in the logout response body. If the auth provider returns one (e.g. Auth0 federated logout), the browser is redirected to that URL to clear the provider's session cookies. This is backward compatible — providers that return an empty response are unaffected.

Updated dependencies

@backstage/ui@0.14.0-next.2

@backstage/config@1.3.7-next.0

@backstage/core-plugin-api@1.12.5-next.2

1.20.0-next.1

Minor Changes

400aa23: Added FetchMiddlewares.clarifyFailures() which replaces the uninformative "TypeError: Failed to fetch" with a message that includes the request method and URL.

... (truncated)

Commits

c8a8aac Version Packages
ce632aa fix
8345a35 Version Packages (next)
91f340c Merge pull request #20653 from szubster/add-default-scopes-on-refresh
56baf87 core-app-api: test fixes for including default scopes in initial refresh
9ab0572 core-app-api: add core.type markers for AppRouter and FlatRoutes
89d13e5 Add current and defaultScopes when refreshing session
ec1dde6 switch to @testing-library/react 14
aa2ff48 switch react version ranges to full format
fb7a94f packages: rtl 13 fixes for tests
Additional commits viewable in compare view

Updates @backstage/dev-utils from 1.1.19 to 1.1.23

Changelog

Sourced from @backstage/dev-utils's changelog.

1.1.23

Patch Changes

Updated dependencies

@backstage/catalog-model@1.9.0

@backstage/core-components@0.18.10

@backstage/ui@0.15.0

@backstage/core-plugin-api@1.12.6

@backstage/plugin-catalog-react@3.0.0

@backstage/app-defaults@1.7.8

@backstage/core-app-api@1.20.1

@backstage/integration-react@1.2.18

1.1.23-next.0

Patch Changes

Updated dependencies

@backstage/core-components@0.18.10-next.0

@backstage/ui@0.15.0-next.0

@backstage/plugin-catalog-react@2.1.5-next.0

@backstage/app-defaults@1.7.8-next.0

@backstage/integration-react@1.2.18-next.0

@backstage/core-app-api@1.20.1-next.0

@backstage/catalog-model@1.8.1-next.0

@backstage/core-plugin-api@1.12.6-next.0

@backstage/theme@0.7.3

1.1.22

Patch Changes

Updated dependencies

@backstage/ui@0.14.0

@backstage/app-defaults@1.7.7

@backstage/theme@0.7.3

@backstage/catalog-model@1.8.0

@backstage/plugin-catalog-react@2.1.2

@backstage/core-app-api@1.20.0

@backstage/core-components@0.18.9

@backstage/core-plugin-api@1.12.5

@backstage/integration-react@1.2.17

1.1.22-next.2

Patch Changes

Updated dependencies

@backstage/ui@0.14.0-next.2

... (truncated)

Commits

See full diff in compare view

Updates @backstage/eslint-plugin from 0.2.1 to 0.3.0

Changelog

Sourced from @backstage/eslint-plugin's changelog.

0.3.0

Minor Changes

ab1cdbb: Added a new no-self-package-imports lint rule, enabled as error in the recommended config, that reports when a package imports itself by its own name instead of using a relative path. This pattern causes circular initialization errors in bundled ESM and with jest.requireActual.

0.3.0-next.0

Minor Changes

ab1cdbb: Added a new no-self-package-imports lint rule, enabled as error in the recommended config, that reports when a package imports itself by its own name instead of using a relative path. This pattern causes circular initialization errors in bundled ESM and with jest.requireActual.

0.2.3

Patch Changes

df43b0e: Fixed no-mixed-plugin-imports rule to return null from non-fixable suggestion handlers and added an explicit SuggestionReportDescriptor[] type annotation, matching the stricter type checking in TypeScript 6.0.

0.2.3-next.0

Patch Changes

df43b0e: Fixed no-mixed-plugin-imports rule to return null from non-fixable suggestion handlers and added an explicit SuggestionReportDescriptor[] type annotation, matching the stricter type checking in TypeScript 6.0.

0.2.2

Patch Changes

6738cf0: build(deps): bump minimatch from 9.0.5 to 10.2.1

0.2.2-next.0

Patch Changes

6738cf0: build(deps): bump minimatch from 9.0.5 to 10.2.1

Commits

See full diff in compare view

Updates @backstage/test-utils from 1.7.14 to 1.7.18

Changelog

Sourced from @backstage/test-utils's changelog.

1.7.18

Patch Changes

Updated dependencies

@backstage/core-plugin-api@1.12.6

@backstage/plugin-permission-common@0.9.9

@backstage/config@1.3.8

@backstage/core-app-api@1.20.1

@backstage/plugin-permission-react@0.5.1

1.7.18-next.0

Patch Changes

Updated dependencies

@backstage/core-app-api@1.20.1-next.0

@backstage/config@1.3.8-next.0

@backstage/core-plugin-api@1.12.6-next.0

@backstage/plugin-permission-common@0.9.9-next.0

@backstage/theme@0.7.3

@backstage/types@1.2.2

@backstage/plugin-permission-react@0.5.1-next.0

1.7.17

Patch Changes

Updated dependencies

@backstage/theme@0.7.3

@backstage/core-app-api@1.20.0

@backstage/plugin-permission-react@0.5.0

@backstage/config@1.3.7

@backstage/core-plugin-api@1.12.5

@backstage/plugin-permission-common@0.9.8

1.7.17-next.2

Patch Changes

Updated dependencies

@backstage/theme@0.7.3-next.0

@backstage/core-app-api@1.20.0-next.2

@backstage/config@1.3.7-next.0

@backstage/core-plugin-api@1.12.5-next.2

@backstage/plugin-permission-common@0.9.8-next.0

@backstage/plugin-permission-react@0.4.42-next.1

1.7.17-next.1

... (truncated)

Commits

See full diff in compare view

socket-security · 2026-04-18T03:08:16Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Package	Supply Chain Security	Quality	Maintenance
@backstage/frontend-defaults@0.5.2
@backstage/core-compat-api@0.5.7 ⏵ 0.5.11		⁺¹
@backstage/config@1.3.6 ⏵ 1.3.8	⁺¹	⁺¹
@backstage/dev-utils@1.1.19 ⏵ 1.1.23
@backstage/frontend-plugin-api@0.17.1
@backstage/theme@0.7.1 ⏵ 0.7.3		⁺¹
@backstage/core-plugin-api@1.12.2 ⏵ 1.12.6	⁺¹	⁺¹
@backstage/test-utils@1.7.14 ⏵ 1.7.18	⁺¹
@backstage/core-app-api@1.19.4 ⏵ 1.20.1		⁺¹
@backstage/catalog-model@1.7.6 ⏵ 1.9.0		⁺²
@backstage/core-components@0.18.6 ⏵ 0.18.10		⁺¹
@backstage/cli@0.35.4 ⏵ 0.36.2	⁺⁷	^-2	⁺¹
@backstage/eslint-plugin@0.2.1 ⏵ 0.3.0		⁺¹	⁺¹

View full report

mcncl · 2026-04-29T01:13:48Z

@dependabot rebase

Bumps the backstage group with 9 updates in the / directory: | Package | From | To | | --- | --- | --- | | [@backstage/catalog-model](https://github.com/backstage/backstage/tree/HEAD/packages/catalog-model) | `1.7.6` | `1.9.0` | | [@backstage/config](https://github.com/backstage/backstage/tree/HEAD/packages/config) | `1.3.6` | `1.3.8` | | [@backstage/core-compat-api](https://github.com/backstage/backstage/tree/HEAD/packages/core-compat-api) | `0.5.7` | `0.5.11` | | [@backstage/frontend-defaults](https://github.com/backstage/backstage/tree/HEAD/packages/frontend-defaults) | `0.3.6` | `0.5.2` | | [@backstage/frontend-plugin-api](https://github.com/backstage/backstage/tree/HEAD/packages/frontend-plugin-api) | `0.13.4` | `0.17.1` | | [@backstage/cli](https://github.com/backstage/backstage/tree/HEAD/packages/cli) | `0.35.4` | `0.36.2` | | [@backstage/dev-utils](https://github.com/backstage/backstage/tree/HEAD/packages/dev-utils) | `1.1.19` | `1.1.23` | | [@backstage/eslint-plugin](https://github.com/backstage/backstage/tree/HEAD/packages/eslint-plugin) | `0.2.1` | `0.3.0` | | [@backstage/test-utils](https://github.com/backstage/backstage/tree/HEAD/packages/test-utils) | `1.7.14` | `1.7.18` | Updates `@backstage/catalog-model` from 1.7.6 to 1.9.0 - [Release notes](https://github.com/backstage/backstage/releases) - [Changelog](https://github.com/backstage/backstage/blob/master/packages/catalog-model/CHANGELOG.md) - [Commits](https://github.com/backstage/backstage/commits/v1.9.0/packages/catalog-model) Updates `@backstage/config` from 1.3.6 to 1.3.8 - [Release notes](https://github.com/backstage/backstage/releases) - [Changelog](https://github.com/backstage/backstage/blob/master/packages/config/CHANGELOG.md) - [Commits](https://github.com/backstage/backstage/commits/HEAD/packages/config) Updates `@backstage/core-compat-api` from 0.5.7 to 0.5.11 - [Release notes](https://github.com/backstage/backstage/releases) - [Changelog](https://github.com/backstage/backstage/blob/master/packages/core-compat-api/CHANGELOG.md) - [Commits](https://github.com/backstage/backstage/commits/HEAD/packages/core-compat-api) Updates `@backstage/core-components` from 0.18.6 to 0.18.10 - [Release notes](https://github.com/backstage/backstage/releases) - [Changelog](https://github.com/backstage/backstage/blob/master/packages/core-components/CHANGELOG.md) - [Commits](https://github.com/backstage/backstage/commits/HEAD/packages/core-components) Updates `@backstage/core-plugin-api` from 1.12.2 to 1.12.6 - [Release notes](https://github.com/backstage/backstage/releases) - [Changelog](https://github.com/backstage/backstage/blob/master/packages/core-plugin-api/CHANGELOG.md) - [Commits](https://github.com/backstage/backstage/commits/HEAD/packages/core-plugin-api) Updates `@backstage/frontend-defaults` from 0.3.6 to 0.5.2 - [Release notes](https://github.com/backstage/backstage/releases) - [Changelog](https://github.com/backstage/backstage/blob/master/packages/frontend-defaults/CHANGELOG.md) - [Commits](https://github.com/backstage/backstage/commits/HEAD/packages/frontend-defaults) Updates `@backstage/frontend-plugin-api` from 0.13.4 to 0.17.1 - [Release notes](https://github.com/backstage/backstage/releases) - [Changelog](https://github.com/backstage/backstage/blob/master/packages/frontend-plugin-api/CHANGELOG.md) - [Commits](https://github.com/backstage/backstage/commits/v0.17.1/packages/frontend-plugin-api) Updates `@backstage/theme` from 0.7.1 to 0.7.3 - [Release notes](https://github.com/backstage/backstage/releases) - [Changelog](https://github.com/backstage/backstage/blob/master/packages/theme/CHANGELOG.md) - [Commits](https://github.com/backstage/backstage/commits/HEAD/packages/theme) Updates `@backstage/cli` from 0.35.4 to 0.36.2 - [Release notes](https://github.com/backstage/backstage/releases) - [Changelog](https://github.com/backstage/backstage/blob/master/packages/cli/CHANGELOG.md) - [Commits](https://github.com/backstage/backstage/commits/v0.36.2/packages/cli) Updates `@backstage/core-app-api` from 1.19.4 to 1.20.1 - [Release notes](https://github.com/backstage/backstage/releases) - [Changelog](https://github.com/backstage/backstage/blob/master/packages/core-app-api/CHANGELOG.md) - [Commits](https://github.com/backstage/backstage/commits/v1.20.1/packages/core-app-api) Updates `@backstage/dev-utils` from 1.1.19 to 1.1.23 - [Release notes](https://github.com/backstage/backstage/releases) - [Changelog](https://github.com/backstage/backstage/blob/master/packages/dev-utils/CHANGELOG.md) - [Commits](https://github.com/backstage/backstage/commits/HEAD/packages/dev-utils) Updates `@backstage/eslint-plugin` from 0.2.1 to 0.3.0 - [Release notes](https://github.com/backstage/backstage/releases) - [Changelog](https://github.com/backstage/backstage/blob/master/packages/eslint-plugin/CHANGELOG.md) - [Commits](https://github.com/backstage/backstage/commits/v0.3.0/packages/eslint-plugin) Updates `@backstage/test-utils` from 1.7.14 to 1.7.18 - [Release notes](https://github.com/backstage/backstage/releases) - [Changelog](https://github.com/backstage/backstage/blob/master/packages/test-utils/CHANGELOG.md) - [Commits](https://github.com/backstage/backstage/commits/HEAD/packages/test-utils) --- updated-dependencies: - dependency-name: "@backstage/catalog-model" dependency-version: 1.8.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: backstage - dependency-name: "@backstage/cli" dependency-version: 0.36.1 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: backstage - dependency-name: "@backstage/config" dependency-version: 1.3.7 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: backstage - dependency-name: "@backstage/core-app-api" dependency-version: 1.20.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: backstage - dependency-name: "@backstage/core-compat-api" dependency-version: 0.5.10 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: backstage - dependency-name: "@backstage/core-components" dependency-version: 0.18.9 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: backstage - dependency-name: "@backstage/core-plugin-api" dependency-version: 1.12.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: backstage - dependency-name: "@backstage/dev-utils" dependency-version: 1.1.22 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: backstage - dependency-name: "@backstage/eslint-plugin" dependency-version: 0.2.3 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: backstage - dependency-name: "@backstage/frontend-defaults" dependency-version: 0.5.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: backstage - dependency-name: "@backstage/frontend-plugin-api" dependency-version: 0.16.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: backstage - dependency-name: "@backstage/test-utils" dependency-version: 1.7.17 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: backstage - dependency-name: "@backstage/theme" dependency-version: 0.7.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: backstage ... Signed-off-by: dependabot[bot] <support@github.com>

socket-security · 2026-06-06T03:06:32Z

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert (click "▶" to expand/collapse)
Warn		Obfuscated code: npm `@backstage/cli-module-build` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: `?` → `npm/@backstage/cli@0.36.2` → `npm/@backstage/cli-module-build@0.1.3` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@backstage/cli-module-build@0.1.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm `@internationalized/date` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: `?` → `npm/@backstage/core-app-api@1.20.1` → `npm/@backstage/core-compat-api@0.5.11` → `npm/@backstage/dev-utils@1.1.23` → `npm/@backstage/frontend-defaults@0.5.2` → `npm/@internationalized/date@3.12.2` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@internationalized/date@3.12.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm `adm-zip` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: `?` → `npm/@backstage/cli@0.36.2` → `npm/adm-zip@0.5.10` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/adm-zip@0.5.10`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm `caniuse-lite` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: `?` → `npm/@backstage/cli@0.36.2` → `npm/caniuse-lite@1.0.30001793` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/caniuse-lite@1.0.30001793`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm `caniuse-lite` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: `?` → `npm/@backstage/cli@0.36.2` → `npm/caniuse-lite@1.0.30001793` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/caniuse-lite@1.0.30001793`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm `caniuse-lite` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: `?` → `npm/@backstage/cli@0.36.2` → `npm/caniuse-lite@1.0.30001793` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/caniuse-lite@1.0.30001793`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm `caniuse-lite` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: `?` → `npm/@backstage/cli@0.36.2` → `npm/caniuse-lite@1.0.30001793` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/caniuse-lite@1.0.30001793`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm `webpack` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: `?` → `npm/@backstage/cli@0.36.2` → `npm/webpack@5.105.4` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/webpack@5.105.4`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

dependabot Bot added the dependencies Pull requests that update a dependency file label Apr 18, 2026

dependabot Bot requested a review from a team as a code owner April 18, 2026 03:07

dependabot Bot added the dependencies Pull requests that update a dependency file label Apr 18, 2026

dependabot Bot force-pushed the dependabot/npm_and_yarn/backstage-e16b337cf4 branch 2 times, most recently from 7438f80 to 60df0ea Compare April 29, 2026 00:55

dependabot Bot force-pushed the dependabot/npm_and_yarn/backstage-e16b337cf4 branch from 60df0ea to 100715d Compare April 29, 2026 01:19

dependabot Bot force-pushed the dependabot/npm_and_yarn/backstage-e16b337cf4 branch from 100715d to 08dc138 Compare May 9, 2026 03:06

dependabot Bot force-pushed the dependabot/npm_and_yarn/backstage-e16b337cf4 branch from 08dc138 to 715cb72 Compare May 16, 2026 03:07

dependabot Bot force-pushed the dependabot/npm_and_yarn/backstage-e16b337cf4 branch from 715cb72 to 418802d Compare June 6, 2026 03:05

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the backstage group across 1 directory with 13 updates#202

chore(deps): bump the backstage group across 1 directory with 13 updates#202
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/backstage-e16b337cf4

dependabot Bot commented on behalf of github Apr 18, 2026 •

edited

Loading

Uh oh!

socket-security Bot commented Apr 18, 2026 •

edited

Loading

Uh oh!

mcncl commented Apr 29, 2026

Uh oh!

socket-security Bot commented Jun 6, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

dependabot Bot commented on behalf of github Apr 18, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

1.9.0

Minor Changes

Patch Changes

1.8.1-next.1

Patch Changes

1.8.1-next.0

Patch Changes

1.8.0

Minor Changes

Patch Changes

1.7.8-next.0

Patch Changes

1.7.7

Patch Changes

1.3.8

Patch Changes

1.3.8-next.0

Patch Changes

1.3.7

Patch Changes

1.3.7-next.0

Patch Changes

0.5.11

Patch Changes

0.5.11-next.0

Patch Changes

0.5.10

Patch Changes

0.5.10-next.2

Patch Changes

0.18.10

Patch Changes

0.18.10-next.1

Patch Changes

0.18.10-next.0

Patch Changes

0.18.9

Patch Changes

0.18.9-next.1

Patch Changes

1.12.6

Patch Changes

1.12.6-next.1

Patch Changes

1.12.6-next.0

Patch Changes

1.12.5

Patch Changes

1.12.5-next.2

Patch Changes

1.12.5-next.1

Patch Changes

0.5.2

Patch Changes

0.5.2-next.1

Patch Changes

0.5.2-next.0

Patch Changes

0.5.1

Patch Changes

0.5.1-next.2

Patch Changes

@​backstage/frontend-plugin-api

0.17.2-next.0

Patch Changes

0.17.0

Minor Changes

Patch Changes

0.7.3

Patch Changes

0.7.3-next.0

Patch Changes

0.7.2

Patch Changes

0.7.2-next.1

Patch Changes

0.7.2-next.0

dependabot Bot commented on behalf of github Apr 18, 2026 •

edited

Loading

`@backstage/frontend-plugin-api`

socket-security Bot commented Apr 18, 2026 •

edited

Loading