Skip to content

Bump the npm_and_yarn group across 1 directory with 3 updates#107

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/packages/backend/npm_and_yarn-4db8fc2cf7
Open

Bump the npm_and_yarn group across 1 directory with 3 updates#107
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/packages/backend/npm_and_yarn-4db8fc2cf7

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Apr 15, 2026

Bumps the npm_and_yarn group with 3 updates in the /packages/backend directory: @backstage/backend-defaults, @backstage/plugin-auth-backend and @backstage/plugin-scaffolder-backend.

Updates @backstage/backend-defaults from 0.5.3 to 0.17.0

Changelog

Sourced from @​backstage/backend-defaults's changelog.

0.17.0

Minor Changes

  • c69e03c: Added support for AWS RDS IAM authentication for PostgreSQL connections. Set connection.type: rds along with host, user, and region to use short-lived IAM tokens instead of a static password. Requires the @aws-sdk/rds-signer package and an IAM role with rds-db:connect permission.

Patch Changes

  • 4559806: Added support for typed examples on actions registered via the actions registry. Action authors can now provide examples with compile-time-checked input and output values that match their schema definitions.
  • 5cd814f: Refactored auditor severity log level mappings to use zod/v4 with schema-driven defaults and type inference.
  • 482ceed: Migrated from assertError to toError for error handling.
  • 6e2aaab: Fixed AwsS3UrlReader failing to read files from S3 buckets configured with custom endpoint hosts. When an integration was configured with a specific endpoint like https://bucket-1.s3.eu-central-1.amazonaws.com, the URL parser incorrectly fell through to the non-AWS code path, always defaulting the region to us-east-1 instead of extracting it from the hostname.
  • 308c672: HostDiscovery now logs a warning when backend.baseUrl is set to a localhost address while NODE_ENV is production, and when backend.baseUrl is not a valid URL.
  • 85c5a46: DefaultActionsRegistryService: add json middleware to /.backstage/actions/ routes only
  • 547258f: Refactored the database creation retry loop to avoid an unnecessary delay after the final failed attempt.
  • 79453c0: Updated dependency wait-for-expect to ^4.0.0.
  • f14df56: Added experimental support for using embedded-postgres as the database for local development. Set backend.database.client to embedded-postgres in your app config to enable this. The embedded-postgres package must be installed as an explicit dependency in your project.
  • Updated dependencies
    • @​backstage/backend-plugin-api@​1.9.0
    • @​backstage/errors@​1.3.0
    • @​backstage/plugin-auth-node@​0.7.0
    • @​backstage/backend-app-api@​1.6.1
    • @​backstage/cli-node@​0.3.1
    • @​backstage/config-loader@​1.10.10
    • @​backstage/integration@​2.0.1
    • @​backstage/plugin-permission-node@​0.10.12
    • @​backstage/config@​1.3.7
    • @​backstage/integration-aws-node@​0.1.21
    • @​backstage/plugin-events-node@​0.4.21
    • @​backstage/plugin-permission-common@​0.9.8

0.16.1-next.2

Patch Changes

  • 482ceed: Migrated from assertError to toError for error handling.
  • 308c672: HostDiscovery now logs a warning when backend.baseUrl is set to a localhost address while NODE_ENV is production, and when backend.baseUrl is not a valid URL.
  • 85c5a46: DefaultActionsRegistryService: add json middleware to /.backstage/actions/ routes only
  • f14df56: Added experimental support for using embedded-postgres as the database for local development. Set backend.database.client to embedded-postgres in your app config to enable this. The embedded-postgres package must be installed as an explicit dependency in your project.
  • Updated dependencies
    • @​backstage/errors@​1.3.0-next.0
    • @​backstage/plugin-auth-node@​0.7.0-next.2
    • @​backstage/backend-app-api@​1.6.1-next.2
    • @​backstage/cli-node@​0.3.1-next.1
    • @​backstage/config-loader@​1.10.10-next.1
    • @​backstage/integration@​2.0.1-next.0
    • @​backstage/backend-plugin-api@​1.9.0-next.2
    • @​backstage/config@​1.3.7-next.0
    • @​backstage/integration-aws-node@​0.1.21-next.0
    • @​backstage/plugin-events-node@​0.4.21-next.2

... (truncated)

Commits

Updates @backstage/plugin-auth-backend from 0.24.5 to 0.28.0

Changelog

Sourced from @​backstage/plugin-auth-backend's changelog.

0.28.0

Minor Changes

  • d7c67cd: BREAKING: The setting auth.omitIdentityTokenOwnershipClaim has had its default value switched to true.

    With this setting Backstage user tokens issued by the auth backend will no longer contain an ent claim - the one with the user's ownership entity refs. This means that tokens issued in large orgs no longer risk hitting HTTP header size limits.

    To get ownership info for the current user, code should use the userInfo core service. In practice code will typically already conform to this since the ent claim has not been readily exposed in any other way for quite some time. But code which explicitly decodes Backstage tokens - which is strongly discouraged - may be affected by this change.

    The setting will remain for some time to allow it to be set back to false if need be, but it will be removed entirely in a future release.

Patch Changes

  • 482ceed: Migrated from assertError to toError for error handling.
  • dc87ac1: Fixed CIMD redirect URI matching to allow any port for localhost addresses per RFC 8252 Section 7.3. Native CLI clients use ephemeral ports for OAuth callbacks, which are now accepted when the registered redirect URI uses a localhost address.
  • Updated dependencies
    • @​backstage/backend-plugin-api@​1.9.0
    • @​backstage/errors@​1.3.0
    • @​backstage/plugin-auth-node@​0.7.0
    • @​backstage/catalog-model@​1.8.0
    • @​backstage/plugin-catalog-node@​2.2.0
    • @​backstage/config@​1.3.7

0.28.0-next.2

Patch Changes

  • 482ceed: Migrated from assertError to toError for error handling.
  • Updated dependencies
    • @​backstage/errors@​1.3.0-next.0
    • @​backstage/plugin-auth-node@​0.7.0-next.2
    • @​backstage/plugin-catalog-node@​2.2.0-next.2
    • @​backstage/backend-plugin-api@​1.9.0-next.2
    • @​backstage/catalog-model@​1.7.8-next.0
    • @​backstage/config@​1.3.7-next.0

0.28.0-next.1

Patch Changes

  • Updated dependencies
    • @​backstage/backend-plugin-api@​1.9.0-next.1
    • @​backstage/plugin-auth-node@​0.7.0-next.1
    • @​backstage/plugin-catalog-node@​2.1.1-next.1

0.28.0-next.0

Minor Changes

... (truncated)

Commits

Updates @backstage/plugin-scaffolder-backend from 1.33.0 to 3.4.0

Release notes

Sourced from @​backstage/plugin-scaffolder-backend's releases.

v1.50.0

These are the release notes for the v1.50.0 release of Backstage.

A huge thanks to the whole team of maintainers and contributors as well as the amazing Backstage Community for the hard work in getting this release developed and done.

Highlights

BREAKING: Identity token ownership claim removed by default

The auth.omitIdentityTokenOwnershipClaim setting now defaults to true. Backstage user tokens issued by the auth backend will no longer contain the ent claim with the user's ownership entity refs. This means tokens in large organizations no longer risk hitting HTTP header size limits.

To get ownership info for the current user, code should use the userInfo core service. The setting can still be set back to false if needed, but it will be removed entirely in a future release.

BREAKING: Standard Schema replaces createSchemaFromZod

The deprecated createSchemaFromZod helper has been removed from @backstage/frontend-plugin-api. A new configSchema option for createExtension and createExtensionBlueprint accepts direct schema values from any Standard Schema compatible library with JSON Schema support, such as zod v4 or the zod/v4 subpath from zod v3. Note that direct zod v3 schemas are not supported by the new option — use import { z } from 'zod/v4' from the zod v3 package, or upgrade to zod v4.

See the 1.50 migration documentation for more information.

BREAKING: Backstage UI updates

There are several new additions in Backstage UI, including a new Badge component for non-interactive labeling, a RangeSlider for numeric range selection, a CheckboxGroup component, and a showPaginationLabel prop for controlling pagination label visibility in tables. The TableBodySkeleton has been exported for use outside the built-in Table, and SearchAutocomplete now adapts its background based on its parent container. The useTable complete mode now supports disabling pagination via paginationOptions: { type: 'none' }. Tabs now respect prefers-reduced-motion for indicator animations, and form field descriptions are now properly connected to inputs via aria-describedby for screen reader accessibility.

The RangeSlider component was contributed by @​AmbrishRamachandiran in #33112.

There are also several breaking changes to note:

  • Header tabs: The tabs prop now uses HeaderNavTabItem[] instead of HeaderTab[]. Tabs render as a <nav> element with links instead of role="tablist". A new activeTabId prop controls which tab is highlighted, with automatic route-based detection when omitted.
  • Header tab href resolution: Tab href values are now resolved through the router context instead of being passed raw. Relative href values are resolved against the current route, and absolute values may be affected by the router's basename configuration.
  • PluginHeader: Removed the toolbarWrapper element. Update custom CSS targeting .bui-PluginHeaderToolbarWrapper to use .bui-PluginHeaderToolbar instead.
  • React 17 dropped: The minimum supported React version is now 18.

Check the BUI Changelog for more details.

BREAKING: Removed deprecated PermissionedRoute

The deprecated PermissionedRoute component has been removed from @backstage/plugin-permission-react. Use RequirePermission instead.

BREAKING: Removed deprecated signal service exports

The deprecated SignalService and DefaultSignalService exports have been removed from @backstage/plugin-signals-node. Use SignalsService and DefaultSignalsService instead.

BREAKING ALPHA: Catalog node deprecated alpha exports removed

Several deprecated exports have been removed from @backstage/plugin-catalog-node/alpha:

  • catalogServiceRef — use the stable export from @backstage/plugin-catalog-node
  • CatalogLocationsExtensionPoint / catalogLocationsExtensionPoint — use the non-alpha equivalents
  • CatalogProcessingExtensionPoint / catalogProcessingExtensionPoint — use the non-alpha equivalents
  • CatalogAnalysisExtensionPoint / catalogAnalysisExtensionPoint — use the non-alpha equivalents

... (truncated)

Changelog

Sourced from @​backstage/plugin-scaffolder-backend's changelog.

3.4.0

Minor Changes

  • 309b712: Added a new execute-template actions registry action that executes a scaffolder template with provided input values and returns a task ID for tracking progress.
  • 5af48e7: Migrated permission registration to use the PermissionsRegistryService instead of the deprecated createPermissionIntegrationRouter. This fixes an issue where scaffolder permissions were not visible to RBAC plugins because the actionsRegistryServiceRef dependency caused an empty permissions metadata router to shadow the scaffolder's actual permission metadata. The old createPermissionIntegrationRouter path is retained as a fallback for standalone createRouter usage.

Patch Changes

  • 482ceed: Migrated from assertError to toError for error handling.
  • 961e274: Migrated OpenTelemetry metrics to use the MetricsService from @backstage/backend-plugin-api/alpha instead of the raw @opentelemetry/api meter.
  • 8a42f77: Fix handling of after=0 in task events endpoint
  • 4559806: Removed unnecessary empty examples array from actions bridged via the actions registry.
  • 79453c0: Updated dependency wait-for-expect to ^4.0.0.
  • 3ef6078: Added support for conditional if filtering on output links and text items. Items where the if condition evaluates to false are now excluded from the task output.
  • Updated dependencies
    • @​backstage/backend-plugin-api@​1.9.0
    • @​backstage/errors@​1.3.0
    • @​backstage/catalog-model@​1.8.0
    • @​backstage/plugin-catalog-node@​2.2.0
    • @​backstage/plugin-scaffolder-common@​2.1.0
    • @​backstage/plugin-scaffolder-node@​0.13.2
    • @​backstage/backend-openapi-utils@​0.6.8
    • @​backstage/integration@​2.0.1
    • @​backstage/plugin-permission-node@​0.10.12
    • @​backstage/config@​1.3.7
    • @​backstage/plugin-events-node@​0.4.21
    • @​backstage/plugin-permission-common@​0.9.8

3.4.0-next.2

Minor Changes

  • 5af48e7: Migrated permission registration to use the PermissionsRegistryService instead of the deprecated createPermissionIntegrationRouter. This fixes an issue where scaffolder permissions were not visible to RBAC plugins because the actionsRegistryServiceRef dependency caused an empty permissions metadata router to shadow the scaffolder's actual permission metadata. The old createPermissionIntegrationRouter path is retained as a fallback for standalone createRouter usage.

Patch Changes

  • 482ceed: Migrated from assertError to toError for error handling.
  • 961e274: Migrated OpenTelemetry metrics to use the MetricsService from @backstage/backend-plugin-api/alpha instead of the raw @opentelemetry/api meter.
  • Updated dependencies
    • @​backstage/errors@​1.3.0-next.0
    • @​backstage/plugin-catalog-node@​2.2.0-next.2
    • @​backstage/plugin-scaffolder-node@​0.13.2-next.2
    • @​backstage/integration@​2.0.1-next.0
    • @​backstage/backend-openapi-utils@​0.6.8-next.2
    • @​backstage/backend-plugin-api@​1.9.0-next.2
    • @​backstage/catalog-model@​1.7.8-next.0
    • @​backstage/config@​1.3.7-next.0
    • @​backstage/plugin-events-node@​0.4.21-next.2
    • @​backstage/plugin-permission-common@​0.9.8-next.0

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump the npm_and_yarn group across 1 directory with 3 updates
99d2f39 
Bumps the npm_and_yarn group with 3 updates in the /packages/backend directory: [@backstage/backend-defaults](https://github.com/backstage/backstage/tree/HEAD/packages/backend-defaults), [@backstage/plugin-auth-backend](https://github.com/backstage/backstage/tree/HEAD/plugins/auth-backend) and [@backstage/plugin-scaffolder-backend](https://github.com/backstage/backstage/tree/HEAD/plugins/scaffolder-backend).


Updates `@backstage/backend-defaults` from 0.5.3 to 0.17.0
- [Release notes](https://github.com/backstage/backstage/releases)
- [Changelog](https://github.com/backstage/backstage/blob/master/packages/backend-defaults/CHANGELOG.md)
- [Commits](https://github.com/backstage/backstage/commits/v0.17.0/packages/backend-defaults)

Updates `@backstage/plugin-auth-backend` from 0.24.5 to 0.28.0
- [Release notes](https://github.com/backstage/backstage/releases)
- [Changelog](https://github.com/backstage/backstage/blob/master/plugins/auth-backend/CHANGELOG.md)
- [Commits](https://github.com/backstage/backstage/commits/v0.28.0/plugins/auth-backend)

Updates `@backstage/plugin-scaffolder-backend` from 1.33.0 to 3.4.0
- [Release notes](https://github.com/backstage/backstage/releases)
- [Changelog](https://github.com/backstage/backstage/blob/master/plugins/scaffolder-backend/CHANGELOG.md)
- [Commits](https://github.com/backstage/backstage/commits/HEAD/plugins/scaffolder-backend)

---
updated-dependencies:
- dependency-name: "@backstage/backend-defaults"
  dependency-version: 0.17.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@backstage/plugin-auth-backend"
  dependency-version: 0.28.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@backstage/plugin-scaffolder-backend"
  dependency-version: 3.4.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 15, 2026
@dependabot dependabot bot mentioned this pull request Apr 15, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants