Skip to content

fix(deps): update backstage core#1091

Open
secustors-renovate[bot] wants to merge 1 commit into
mainfrom
renovate/backstage-core
Open

fix(deps): update backstage core#1091
secustors-renovate[bot] wants to merge 1 commit into
mainfrom
renovate/backstage-core

Conversation

@secustors-renovate
Copy link
Copy Markdown
Contributor

@secustors-renovate secustors-renovate Bot commented May 19, 2026
edited
Loading

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence Type Update
@backstage/backend-defaults (source) 0.17.00.17.1 age confidence dependencies patch
@backstage/cli (source) 0.36.10.36.2 age confidence devDependencies patch
@backstage/cli (source) 0.36.10.36.2 age confidence dependencies patch
@backstage/cli-defaults (source) 0.1.10.1.2 age confidence devDependencies patch
@backstage/config (source) 1.3.71.3.8 age confidence dependencies patch
@backstage/core-compat-api (source) 0.5.100.5.11 age confidence dependencies patch
@backstage/core-components (source) 0.18.90.18.10 age confidence dependencies patch
@backstage/core-plugin-api (source) 1.12.51.12.6 age confidence dependencies patch
@backstage/frontend-defaults (source) 0.5.10.5.2 age confidence dependencies patch
@backstage/frontend-plugin-api (source) ^0.16.0^0.17.0 age confidence dependencies minor
@backstage/frontend-test-utils (source) 0.5.20.6.0 age confidence devDependencies minor
@backstage/integration-react (source) 1.2.171.2.18 age confidence dependencies patch
@backstage/plugin-app-backend (source) 0.5.130.5.14 age confidence dependencies patch
@backstage/plugin-app-react (source) 0.2.20.2.3 age confidence dependencies patch
@backstage/plugin-app-visualizer (source) 0.2.30.2.4 age confidence dependencies patch
@backstage/plugin-auth-backend (source) ^0.28.0^0.29.0 age confidence dependencies minor
@backstage/plugin-auth-backend-module-github-provider (source) 0.5.20.5.3 age confidence dependencies patch
@backstage/plugin-auth-backend-module-guest-provider (source) 0.2.180.2.19 age confidence dependencies patch
@backstage/plugin-auth-node (source) 0.7.00.7.1 age confidence dependencies patch
@backstage/plugin-catalog (source) 2.0.42.0.5 age confidence dependencies patch
@backstage/plugin-catalog-backend (source) 3.6.13.7.0 age confidence dependencies minor
@backstage/plugin-catalog-backend-module-logs (source) 0.1.210.1.22 age confidence dependencies patch
@backstage/plugin-catalog-backend-module-scaffolder-entity-model (source) 0.2.190.2.20 age confidence dependencies patch
@backstage/plugin-catalog-react (source) ^2.0.0^3.0.0 age confidence dependencies major
@backstage/plugin-kubernetes-backend (source) 0.21.30.21.4 age confidence dependencies patch
@backstage/plugin-notifications (source) 0.5.160.5.17 age confidence dependencies patch
@backstage/plugin-notifications-backend (source) 0.6.40.6.5 age confidence dependencies patch
@backstage/plugin-org (source) 0.7.30.7.4 age confidence dependencies patch
@backstage/plugin-permission-backend (source) 0.7.110.7.12 age confidence dependencies patch
@backstage/plugin-permission-backend-module-allow-all-policy (source) 0.2.180.2.19 age confidence dependencies patch
@backstage/plugin-permission-common (source) 0.9.80.9.9 age confidence dependencies patch
@backstage/plugin-permission-node (source) ^0.10.7^0.11.0 age confidence dependencies minor
@backstage/plugin-scaffolder (source) 1.36.21.37.0 age confidence dependencies minor
@backstage/plugin-search (source) 1.7.31.7.4 age confidence dependencies patch
@backstage/plugin-search-backend (source) 2.1.12.1.2 age confidence dependencies patch
@backstage/plugin-search-backend-module-catalog (source) 0.3.140.3.15 age confidence dependencies patch
@backstage/plugin-search-backend-module-pg (source) 0.5.540.5.55 age confidence dependencies patch
@backstage/plugin-search-backend-node (source) 1.4.31.4.4 age confidence dependencies patch
@backstage/plugin-signals (source) ^0.0.30^0.0.31 age confidence dependencies patch
@backstage/plugin-signals-backend (source) 0.3.140.3.15 age confidence dependencies patch
@backstage/plugin-user-settings (source) 0.9.20.9.3 age confidence dependencies patch
@backstage/ui (source) ^0.14.0^0.15.0 age confidence dependencies minor
backstage/backstage 1.50.41.51.0 age confidence minor

Release Notes

backstage/backstage (@​backstage/backend-defaults)

v0.17.1

Compare Source

Patch Changes
  • 90b572e: Adds an alpha TracingService to provide a unified interface for emitting trace spans across Backstage plugins.
  • 97d3bd4: Fixed a race condition in CachedUserInfoService where a failed request could incorrectly evict a newer cache entry for the same token. The error handler now verifies the map entry is still the same promise before deleting it.
  • 3595c97: Exported defaultServiceFactories to allow use with createSpecializedBackend for advanced configuration like extensionPointFactoryMiddleware.
  • 89d3248: Fixed scheduler sleep firing immediately for durations longer than ~24.8 days, caused by Node.js setTimeout overflowing its 32-bit millisecond limit.
  • d00a44b: Fixed Valkey cluster mode to use iovalkey's Cluster class instead of
    createCluster from @keyv/redis. The previous implementation passed a
    @redis/client RedisCluster instance to @keyv/valkey, which expects an
    iovalkey Cluster instance. This caused the cluster client to not be
    recognized correctly, as the two libraries have incompatible object models.
  • 2f0519c: Added a new CachedUserInfoService decorator that wraps DefaultUserInfoService with a 5-second TTL cache and in-flight request coalescing. The decorator is wired in via userInfoServiceFactory using a shared root-level cache. Repeated getUserInfo() calls for the same user token within the TTL window return the cached result without making an HTTP call to the auth backend. Note that custom UserInfoService implementations registered via their own factory will not benefit from this cache automatically.
  • 744fa1f: Removed duplicated entries that appeared in both dependencies and devDependencies.
  • e9b78e9: Removed the uuid dependency and replaced usage with the built-in crypto.randomUUID().
  • 6209065: Added context and propagation to the alpha TracingService. Plugins can bridge OpenTelemetry context across async boundaries via tracing.propagation.extract(tracing.context.active(), carrier) followed by tracing.context.with(ctx, fn), and read propagated baggage via tracing.propagation.getActiveBaggage() or tracing.propagation.getBaggage(ctx).
  • Updated dependencies
backstage/backstage (@​backstage/cli)

v0.36.2

Compare Source

Patch Changes
backstage/backstage (@​backstage/cli-defaults)

v0.1.2

Compare Source

Patch Changes
backstage/backstage (@​backstage/config)

v1.3.8

Compare Source

Patch Changes
backstage/backstage (@​backstage/core-compat-api)

v0.5.11

Compare Source

Patch Changes
backstage/backstage (@​backstage/core-components)

v0.18.10

Compare Source

Patch Changes
backstage/backstage (@​backstage/core-plugin-api)

v1.12.6

Compare Source

Patch Changes
  • ab1cdbb: Removed a handful of internal imports that referenced the package by its own name. Value imports were switched to relative paths, and type-only imports to import type. These self-referential imports could trigger circular initialization errors in bundled ESM and when the package was loaded via jest.requireActual — most visibly Cannot access '_AppRootElementBlueprintesm' before initialization from @backstage/frontend-plugin-api. There are no user-facing API changes.
  • Updated dependencies
backstage/backstage (@​backstage/frontend-defaults)

v0.5.2

Compare Source

Patch Changes
backstage/backstage (@​backstage/frontend-plugin-api)

v0.17.0

Compare Source

Minor Changes

  • 44d77e9: BREAKING: Removed the deprecated NavItemBlueprint. Navigation items are now discovered from PageBlueprint extensions based on their title and icon params.

    If you were still using NavItemBlueprint, migrate by moving title and icon to your PageBlueprint instead:

    -const navItem = NavItemBlueprint.make({
-  params: { title: 'Example', icon: ExampleIcon, routeRef },
-});
 const page = PageBlueprint.make({
   params: {
+    title: 'Example',
+    icon: <ExampleIcon fontSize="inherit" />,
     routeRef,
     path: '/example',
     loader: () => import('./Page').then(m => <m.Page />),
   },
 });

    PageBlueprint expects an IconElement rather than a Material UI IconComponent, so this is also a good time to switch to Remix Icon if you were using Material UI icons only for the nav item:

    -import ExampleIcon from '@&#8203;material-ui/icons/Extension';
+import { RiPuzzleLine } from '@&#8203;remixicon/react';
 ...
-    icon: ExampleIcon,
+    icon: <RiPuzzleLine />,

  • 8738203: BREAKING: Removed the deprecated property form of PortableSchema.schema. The schema member is now a plain method that must be called as schema() — direct property access like schema.type or schema.properties is no longer supported.

Patch Changes
  • ab1cdbb: Removed a handful of internal imports that referenced the package by its own name. Value imports were switched to relative paths, and type-only imports to import type. These self-referential imports could trigger circular initialization errors in bundled ESM and when the package was loaded via jest.requireActual — most visibly Cannot access '_AppRootElementBlueprintesm' before initialization from @backstage/frontend-plugin-api. There are no user-facing API changes.
  • cad156e: Replaced old config schema values from existing extensions and blueprints.
  • 72a552f: Updated error messages and deprecation warnings to clarify that the zod/v4 subpath export from the Zod v3 package is not supported by configSchema, since it does not include JSON Schema conversion. The zod dependency has been bumped to ^4.0.0.
  • Updated dependencies
backstage/backstage (@​backstage/frontend-test-utils)

v0.6.0

Compare Source

Minor Changes

  • 44d77e9: BREAKING: renderInTestApp no longer renders a sidebar or legacy nav-item extensions. The app nav extension is now disabled in the minimal test app shell, along with the layout and routes extensions.

    If your tests passed features containing nav-item extensions and asserted on links or labels in that stub sidebar, switch to renderTestApp instead — it uses the real app shell and discovers nav items from page extensions.

    If you only use renderInTestApp to mount a component with APIs or route refs, there is no change.

Patch Changes
backstage/backstage (@​backstage/integration-react)

v1.2.18

Compare Source

Patch Changes
backstage/backstage (@​backstage/plugin-app-backend)

v0.5.14

Compare Source

Patch Changes
backstage/backstage (@​backstage/plugin-app-react)

v0.2.3

Compare Source

Patch Changes
backstage/backstage (@​backstage/plugin-app-visualizer)

v0.2.4

Compare Source

Patch Changes
backstage/backstage (@​backstage/plugin-auth-backend)

v0.29.0

Compare Source

Minor Changes

  • 29d398b: BREAKING: Hardened the default allowed patterns for CIMD and DCR to replace the previous permissive ['*'] wildcards with specific defaults for known MCP clients. If you previously relied on the default ['*'] patterns, you will need to explicitly configure the patterns you need in your app-config.yaml.

    CIMD (experimentalClientIdMetadataDocuments):

    • allowedClientIdPatterns now defaults to Claude, VS Code, and the built-in Backstage CLI instead of ['*']
    • allowedRedirectUriPatterns now defaults to loopback addresses (localhost, 127.0.0.1, [::1]) instead of ['*']

    DCR (experimentalDynamicClientRegistration):

    • allowedRedirectUriPatterns now defaults to Cursor and loopback addresses instead of ['*']

    If you need to allow additional clients or redirect URIs, you can override these defaults in your app-config.yaml:

    auth:
  experimentalClientIdMetadataDocuments:
    enabled: true
    allowedClientIdPatterns:
      - 'https://claude.ai/*'
      - 'https://vscode.dev/*'
      - 'https://my-custom-client.example.com/*'
    allowedRedirectUriPatterns:
      - 'http://localhost:*'
      - 'http://127.0.0.1:*'
      - 'https://my-app.example.com/callback'
  experimentalDynamicClientRegistration:
    enabled: true
    allowedRedirectUriPatterns:
      - 'cursor://*'
      - 'http://localhost:*'
      - 'http://127.0.0.1:*'
      - 'myapp://*'
Patch Changes
  • 9f269d7: Limit the size of fetched client ID metadata documents to prevent oversized responses from being accepted.
  • 3f5e7ec: Improved OIDC error messages to include the rejected redirect URI or client ID, making it easier to debug client registration failures.
  • e9b78e9: Removed the uuid dependency and replaced usage with the built-in crypto.randomUUID().
  • 27f24a9: Refresh token usage now verifies that the user's catalog entity still exists before issuing a new access token. If the user has been removed from the catalog, the refresh is rejected and the session is revoked. Transient catalog errors reject the refresh but preserve the session for retry. This check can be disabled by setting auth.experimentalRefreshToken.dangerouslyDisableCatalogPresenceCheck to true.
  • 4f62755: Improved the OAuth consent dialog for MCP authorization by showing more client details, including the client metadata host for CIMD clients, the metadata URL, callback URL, and requested scopes.
  • Updated dependencies
backstage/backstage (@​backstage/plugin-auth-backend-module-github-provider)

v0.5.3

Compare Source

Patch Changes
backstage/backstage (@​backstage/plugin-auth-backend-module-guest-provider)

v0.2.19

Compare Source

Patch Changes
backstage/backstage (@​backstage/plugin-auth-node)

v0.7.1

Compare Source

Patch Changes
backstage/backstage (@​backstage/plugin-catalog)

v2.0.5

Compare Source

Patch Changes
backstage/backstage (@​backstage/plugin-catalog-backend)

v3.7.0

Compare Source

Minor Changes

  • c2de113: BREAKING: When paginating entities with an order field via /entities/by-query, entities that lack the order field are now excluded from both the result set and the totalItems count. Previously these entities appeared at the end of the sorted result via NULLS LAST, but cursor-based pagination could not actually reach them past the first page — the count over-reported the number of navigable entities. The new behavior aligns the count with what is actually returned.

    This also removes the DISTINCT deduplication from the sort-field CTE, which is a prerequisite for the planner to

Note

PR body was truncated to here.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

@secustors-renovate secustors-renovate Bot force-pushed the renovate/backstage-core branch from 9363c64 to f2b226c Compare May 21, 2026 13:45
@secustors-renovate secustors-renovate Bot force-pushed the renovate/backstage-core branch from f2b226c to aa2ca60 Compare May 21, 2026 19:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

renovate

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants