docs/releases/v1.51.0-changelog.md
Upgrade Helper: https://backstage.github.io/upgrade-helper/?to=1.51.0
ExtensionPointFactoryMiddleware type and createExtensionPointFactoryMiddleware helper to reimplement extension point outputs at backend creation time.AiResource catalog entity kind. Entity types, validators, type guards, and the model layer are exported from @backstage/catalog-model/alpha. Install @backstage/plugin-catalog-backend-module-ai-model in your backend to register the kind with the catalog.spec.type: 'mcp-server' as a structured subtype of the API kind under v1alpha1/v1beta1. MCP server entities carry a spec.remotes list instead of a string definition, for representing Model Context Protocol servers in the catalog. See RFC #32062. New public exports: McpServerApiEntity, McpServerRemote, mcpServerApiEntityValidator, and isMcpServerApiEntity. Also adds addKindVersion to CatalogModelLayerBuilder (alpha) so layers can add new versions or spec types to existing kinds.import type. These self-referential imports could trigger circular initialization errors in bundled ESM and when the package was loaded via jest.requireActual — most visibly Cannot access '_AppRootElementBlueprintesm' before initialization from @backstage/frontend-plugin-api. There are no user-facing API changes.no-self-package-imports lint rule, enabled as error in the recommended config, that reports when a package imports itself by its own name instead of using a relative path. This pattern causes circular initialization errors in bundled ESM and with jest.requireActual.44d77e9: BREAKING: Removed the deprecated NavItemBlueprint. Navigation items are now discovered from PageBlueprint extensions based on their title and icon params.
If you were still using NavItemBlueprint, migrate by moving title and icon to your PageBlueprint instead:
-const navItem = NavItemBlueprint.make({
- params: { title: 'Example', icon: ExampleIcon, routeRef },
-});
const page = PageBlueprint.make({
params: {
+ title: 'Example',
+ icon: <ExampleIcon fontSize="inherit" />,
routeRef,
path: '/example',
loader: () => import('./Page').then(m => <m.Page />),
},
});
PageBlueprint expects an IconElement rather than a Material UI IconComponent, so this is also a good time to switch to Remix Icon if you were using Material UI icons only for the nav item:
-import ExampleIcon from '@material-ui/icons/Extension';
+import { RiPuzzleLine } from '@remixicon/react';
...
- icon: ExampleIcon,
+ icon: <RiPuzzleLine />,
8738203: BREAKING: Removed the deprecated property form of PortableSchema.schema. The schema member is now a plain method that must be called as schema() — direct property access like schema.type or schema.properties is no longer supported.
import type. These self-referential imports could trigger circular initialization errors in bundled ESM and when the package was loaded via jest.requireActual — most visibly Cannot access '_AppRootElementBlueprintesm' before initialization from @backstage/frontend-plugin-api. There are no user-facing API changes.zod/v4 subpath export from the Zod v3 package is not supported by configSchema, since it does not include JSON Schema conversion. The zod dependency has been bumped to ^4.0.0.44d77e9: BREAKING: renderInTestApp no longer renders a sidebar or legacy nav-item extensions. The app nav extension is now disabled in the minimal test app shell, along with the layout and routes extensions.
If your tests passed features containing nav-item extensions and asserted on links or labels in that stub sidebar, switch to renderTestApp instead — it uses the real app shell and discovers nav items from page extensions.
If you only use renderInTestApp to mount a component with APIs or route refs, there is no change.
mockWithApiFactory helper in favor of using attachMockApiFactory directly.ExternalRouteRef in the mountedRoutes option of renderInTestApp and renderTestApp..map() callback parameters in renderInTestApp to avoid implicit any errors with newer TypeScript versions.8df06ec: Added webIdentityTokenFile to AwsIntegrationAccountConfig and
AwsIntegrationDefaultAccountConfig. When set along with a roleName,
DefaultAwsCredentialsManager retrieves credentials by calling
AssumeRoleWithWebIdentity (via fromTokenFile) using the file's
contents as the web identity token. The file is re-read on each
credential refresh.
The validator rejects combining webIdentityTokenFile with
accessKeyId/secretAccessKey, profile, or externalId, and
rejects setting it without a roleName.
techdocs-cli generate --disableExternalFonts, useful for air-gapped Backstage instances.a281469: Add support for flex item props (grow, shrink, and basis) to Box, Card, Grid, and Flex itself.
Affected components: Box, Card, Grid, Flex
5351d8a: Added a sticky prop to the Header component. When true, the title-and-actions bar stays fixed to the top of its scroll container while the rest of the header (tags, description, metadata) scrolls away. The sticky bar background color automatically matches the container surface using the bg-consumer system.
BREAKING: Removed the main header class from the Header component. Custom styles that target this class should be updated to target the component sections that remain.
Affected components: Header
3846774: Added missing dependencies that were previously only available transitively.
e8a1a35: Added isPending prop to Alert, Button, ButtonIcon, Table, and TableRoot as a replacement for the loading prop, aligning with React Aria naming conventions. The loading prop is now deprecated but still supported as an alias. CSS selectors now use data-ispending instead of data-loading for styling pending states; data-loading is still emitted for backward compatibility but will be removed alongside the loading prop.
Affected components: Alert, Button, ButtonIcon, Table, TableRoot
37535b2: Added a public --bui-bg-inherit CSS variable that resolves to the background
color of the nearest enclosing bg provider (Box, Flex, Grid, Card,
Accordion, or any element with a data-bg attribute), falling back to
--bui-bg-app. Use it from CSS for sticky or fixed elements that need to match
their surrounding surface without hardcoding a specific level.
.searchBarContainer {
position: sticky;
top: 0;
background-color: var(--bui-bg-inherit);
}
As part of this change, the data-bg painting rules previously duplicated in
Box, Flex, Grid, Accordion, and Card have been centralized into a
single source in core.css. Painting and component behavior are unchanged for
all existing usages, with one minor expansion: any element with a data-bg
attribute (including provider elements and any element that sets it directly)
is now painted, not only Box/Flex/Grid/Card/Accordion elements.
e2d9831: Tightened React Aria dependency version ranges from ^ to ~ to prevent unintended minor version upgrades.
e7fc79f: Added support for grouping options into sections in the Select component. You can now pass section objects with a title and a nested options array alongside (or instead of) regular options to render grouped dropdowns with section headers.
Affected components: Select
76635ae: Disabled Card scroll shadow in browsers that don't support animation-timeline: scroll(). Prevents the shadow from being always visible over the CardBody when there's nothing to scroll or the body is not scrolled.
Affected components: Card
de75f7c: Fixed CardBody showing an unwanted scrollbar when constrained below the scroll shadow height.
Affected components: Card
a42766e: Fixed dark mode background for Dialog component by correcting the theme attribute selector from data-theme to data-theme-mode.
Affected components: Dialog
c6fc76f: Fixed an issue where the active tab indicator would disappear shortly after page load for uncontrolled Tabs.
Affected components: Tabs
5520e07: Updated field components to grow within flex layouts instead of forcing their width to remain fixed.
11699ac: Updated PasswordField to visually match TextField, including consistent focus rings, error states, disabled appearance, and background colour behaviour.
Affected components: PasswordField
d1be10c: Updated React Aria dependencies to v1.17.0 and migrated imports from individual @react-aria/* and @react-stately/* packages to the monopackages (react-aria, react-stately). This fixes a type resolution error for @react-types/table that occurred in new app installations.
c96e2b3: Added description, tags, and metadata props to the Header component. The description prop accepts a markdown string with support for inline links. The tags prop renders a row of text or link items above the title. The metadata prop renders key-value pairs below the description. The breadcrumbs prop has been deprecated and will be removed in a future release.
Affected components: Header
4bb649d: Fixed Table with row selection creating phantom scroll height on ancestor elements by establishing a containing block for visually-hidden checkbox inputs.
Affected components: Table, TableRoot
f635139: Limited @remixicon/react dependency to versions below 4.9.0 due to a license change in that release.
5b85902: Fix Card href=... not showing a focus indicator on keyboard navigation. Link now composes useFocusRing, emits data-focus-visible, and renders a --bui-ring outline when keyboard-focused. The Card's existing focus-ring CSS matches when the trigger is focused.
Affected components: Card, Link
23ee789: Added invalid-state styling for Checkbox and corresponding Storybook variants for verification.
Affected components: Checkbox, CheckboxGroup
38bb056: Adjusted PluginHeader spacing and borders so headers with and without tabs align more consistently with surrounding page content, including when paired with page headers.
Affected components: PluginHeader, Header
df705bb: Fixed external URLs in BUI link components being rewritten as in-app paths when the app is served under a non-root base path. Absolute URLs (http://, https://, //, mailto:, tel:) are now passed through unchanged. Internal href values are resolved against the current basename exactly once, which also fixes a latent issue where internal link clicks under a non-root base path could navigate to a URL with the basename prefix doubled.
Affected components: ButtonLink, Card, Link, Menu, Tab, Table, Tag
3e0ff6c: Added container alignment to Header sections so tags, title actions, descriptions, metadata, and tabs use the same width as surrounding page content.
Affected components: Header
b67a862: Updated Storybook development tooling for @backstage/ui to version 10.4.
d726bcd: Added new DatePicker component — combines a date field and a calendar popover for selecting a date, built on React Aria with full keyboard and screen reader accessibility. Uses BUI design tokens throughout, including auto-incremented backgrounds via the bg consumer pattern.
Affected components: DatePicker
401916d: Added new DateRangePicker component — combines two date fields and a calendar popover for selecting a date range, built on React Aria with full keyboard and screen reader accessibility. Uses BUI design tokens throughout, including auto-incremented backgrounds via the bg consumer pattern.
25909ba: Added searchDebounceMs and filterDebounceMs options to useTable in complete mode. Both default to 0 (no debounce, no observable change for existing consumers); set them to defer the client-side filter/search/sort pipeline on large datasets without reimplementing input-layer debouncing. The controlled search / onSearchChange and filter / onFilterChange callbacks continue to fire on every change.
Affected components: Table
ddca41f: Added a new Combobox component. It pairs a text input with a filterable dropdown of options and supports single selection, sectioned options, icons, sizes, and custom typed values via allowsCustomValue.
Affected components: Combobox
29d398b: BREAKING: Hardened the default allowed patterns for CIMD and DCR to replace the previous permissive ['*'] wildcards with specific defaults for known MCP clients. If you previously relied on the default ['*'] patterns, you will need to explicitly configure the patterns you need in your app-config.yaml.
CIMD (experimentalClientIdMetadataDocuments):
allowedClientIdPatterns now defaults to Claude, VS Code, and the built-in Backstage CLI instead of ['*']allowedRedirectUriPatterns now defaults to loopback addresses (localhost, 127.0.0.1, [::1]) instead of ['*']DCR (experimentalDynamicClientRegistration):
allowedRedirectUriPatterns now defaults to Cursor and loopback addresses instead of ['*']If you need to allow additional clients or redirect URIs, you can override these defaults in your app-config.yaml:
auth:
experimentalClientIdMetadataDocuments:
enabled: true
allowedClientIdPatterns:
- 'https://claude.ai/*'
- 'https://vscode.dev/*'
- 'https://my-custom-client.example.com/*'
allowedRedirectUriPatterns:
- 'http://localhost:*'
- 'http://127.0.0.1:*'
- 'https://my-app.example.com/callback'
experimentalDynamicClientRegistration:
enabled: true
allowedRedirectUriPatterns:
- 'cursor://*'
- 'http://localhost:*'
- 'http://127.0.0.1:*'
- 'myapp://*'
uuid dependency and replaced usage with the built-in crypto.randomUUID().auth.experimentalRefreshToken.dangerouslyDisableCatalogPresenceCheck to true.c2de113: BREAKING: When paginating entities with an order field via /entities/by-query, entities that lack the order field are now excluded from both the result set and the totalItems count. Previously these entities appeared at the end of the sorted result via NULLS LAST, but cursor-based pagination could not actually reach them past the first page — the count over-reported the number of navigable entities. The new behavior aligns the count with what is actually returned.
This also removes the DISTINCT deduplication from the sort-field CTE, which is a prerequisite for the planner to use the (key, value, entity_id) index in sort order and short-circuit on LIMIT. Installations with duplicate search rows should land the search-table deduplication migration before adopting this change.
3f5e7ec: Added catalog.actions.experimentalCatalogLayersDescriptions.enabled config option. When enabled, the query-catalog-entities action description references get-catalog-model-description for field information instead of embedding a static model description.
ccbad9d: Improved the performance of the catalog_entities_count metric.
The legacy Prometheus and OpenTelemetry observable gauges previously each ran their own copy of the per-kind count query against the search table on every metrics scrape. On large catalogs this could pile up faster than the queries completed, contending for buffers and stalling the database.
The two callbacks now share a single query result with a short in-process TTL cache, and the underlying query reads from final_entities instead of search, avoiding the bitmap heap scans that dominated the previous form. The emitted labels and values are unchanged.
17a9550: Deprecated immediate mode stitching (catalog.stitchingStrategy.mode: 'immediate'). A warning is now logged on startup when immediate mode is configured. Immediate mode will be removed in the next Backstage release. Migrate to deferred mode (the default) by removing the stitchingStrategy configuration or setting mode: 'deferred'.
add5d1a: Restructured the entity listing endpoint so that, when a sort field is specified, the search-by-key index drives the query rather than being side-joined onto final_entities. This lets PostgreSQL walk the (key, value, entity_id) index in already-sorted order and short-circuit on LIMIT, reducing typical broad-filter paginated list times from seconds to milliseconds. Entities that lack the sort field still appear at the end of sorted results (NULLS LAST semantics preserved), ordered by entity_id.
387ea7d: Simplified the entity facets aggregation from COUNT(DISTINCT entity_id) to COUNT(*). The unique constraint on (entity_id, key, value) guarantees each entity appears at most once per search row group, making the DISTINCT unnecessary. This allows the database to use a simpler aggregation plan.
3f55b73: Improved the performance of the entity facets endpoint when filters are applied. The filtered entity set is now combined with the search table through an inner join rather than a WHERE entity_id IN (subquery). Results are unchanged; on large catalogs the query planner is able to choose dramatically cheaper plans, with measured improvements ranging from roughly 1.2× on already-fast cases to 7× or more on high-cardinality facets.
b33f845: Fixed several database migration down functions that were not properly reversible, causing the SQL report to show warnings:
20241003170511_alter_target_in_locations.js: both up and down now include .notNullable() when altering the locations.target column, preventing the NOT NULL constraint from being accidentally dropped when widening the column type from varchar(255) to text.20220116144621_remove_legacy.js: the down function now properly recreates the three dropped legacy tables (entities, entities_search, entities_relations) with correct columns and indices.20210302150147_refresh_state.js: the down function now drops dependent tables in the correct order (avoiding a FK constraint violation) and fixes a typo where the table was referred to as references instead of refresh_state_references.20201005122705_add_entity_full_name.js: the down function now drops the full_name column from entities (not entities_search), and restores the entities_unique_name index with the correct column order (kind, name, namespace).20200702153613_entities.js: the down function now uses table.integer('generation') instead of table.string('generation'), restoring the correct column type.cde3643: Added missing description to the type parameter on the unregister-entity MCP action.
cf195de: Fixed a performance regression in the /entity-facets endpoint when filters or permission conditions are applied, by routing the EXISTS-based filter through final_entities instead of correlating against the much larger search table.
07ec25d: Moved generateStableHash out of shared utility file to avoid pulling node:crypto into browser bundles
bc32c13: Added a missing index on relations.target_entity_ref. Several query paths (orphan deletion, entity ancestry, eager pruning) join or filter on this column, but no index existed — causing full sequential scans of the relations table on every invocation. On a production catalog with ~3.5M relation rows, individual lookups were taking ~122ms (full table scan) instead of <1ms (index scan).
744fa1f: Removed duplicated entries that appeared in both dependencies and devDependencies.
e9b78e9: Removed the uuid dependency and replaced usage with the built-in crypto.randomUUID().
7445f0f: Added a migration that removes duplicate rows from the search table, creates covering indices for improved query performance, and adds a UNIQUE constraint on (entity_id, key, value).
This is a long-running migration on large catalogs. On PostgreSQL with millions of search rows, the index creation may take 5-15 minutes per index. During this time, other pods running the previous version will continue to serve traffic normally — the index creation does not block reads or writes. However, if a Kubernetes liveness probe kills the pod before the index build completes, the build is lost and the next startup will start over. On large tables this can repeat indefinitely.
For large installations, it is recommended to run the following SQL commands against your PostgreSQL database before deploying this version. Each index build takes a few minutes but does not block reads or writes. If these have already completed, the migration will detect the existing indices and skip all work — startup will be instant.
-- Step 1: Remove duplicate search rows
WITH cte AS (
SELECT ctid, row_number() OVER (PARTITION BY entity_id, key, value) AS rn
FROM search
)
DELETE FROM search USING cte WHERE search.ctid = cte.ctid AND cte.rn > 1;
-- Step 2: Create new indices (run each separately)
CREATE UNIQUE INDEX CONCURRENTLY IF NOT EXISTS
search_entity_key_value_idx ON search (entity_id, key, value);
CREATE INDEX CONCURRENTLY IF NOT EXISTS
search_key_value_entity_idx ON search (key, value, entity_id);
CREATE INDEX CONCURRENTLY IF NOT EXISTS
search_facets_covering_idx ON search (key, original_value, entity_id)
WHERE original_value IS NOT NULL;
-- Step 3: Drop old indices that are no longer needed
DROP INDEX CONCURRENTLY IF EXISTS search_key_value_idx;
DROP INDEX CONCURRENTLY IF EXISTS search_key_original_value_idx;
Also fixed buildEntitySearch to remove duplicate output for entities with duplicate array values, and added ON CONFLICT DO UPDATE to syncSearchRows so that concurrent stitching races are handled gracefully.
Updated dependencies
AiResource catalog entity kind. Entity types, validators, type guards, and the model layer are exported from @backstage/catalog-model/alpha. Install @backstage/plugin-catalog-backend-module-ai-model in your backend to register the kind with the catalog.accountEnabled eq true filter, combining it with any custom user.filter you provide. If you previously included accountEnabled eq true in your user filter, it is safe to remove it, but leaving it in will not cause any issues.uuid dependency and replaced usage with the built-in crypto.randomUUID().accountEnabled eq true filter, combining it with any custom user.filter you provide. If you previously included accountEnabled eq true in your user filter, it is safe to remove it, but leaving it in will not cause any issues.MicrosoftGraphOrgEntityProvider, this module never holds the full dataset in memory — each burst processes a single page (up to 999 users or 100 groups). The @odata.nextLink cursor is persisted so a pod restart resumes from the last completed page rather than starting over.2f0519c: BREAKING: Cleaned up the PolicyQueryUser type:
token — Removed. Was previously deprecated in favor of credentials with coreServices.auth.expiresInSeconds — Removed. Was previously deprecated.identity — Removed. Was previously deprecated in favor of info.info — Deprecated. Still required and populated for now; will be made optional and then removed in a future release.credentials — Unchanged.dbeb7aa: Added experimental BUI (Backstage UI) form theme for scaffolder forms. All default field extensions render BUI variants when enabled.
Extension config:
app:
extensions:
- sub-page:scaffolder/templates:
config:
enableBackstageUi: true
JSX props:
<ScaffolderPage formProps={{ EXPERIMENTAL_theme: 'bui' }} />
8006acf: Promoted formDecoratorsApiRef, ScaffolderFormDecoratorsApi,
DefaultScaffolderFormDecoratorsApi, and formDecoratorsApi from @alpha
to @public.
d09c21c: The sub-page:scaffolder/templates extension now accepts a groups config
field that lets you define template groups on the template list page. Each group
has a title and a filter predicate. Templates not matched by any
configured group fall into an automatically appended "Other Templates" group.
With no groups configured, the page renders a single "Templates" group as
before.
Example:
app:
extensions:
- sub-page:scaffolder/templates:
config:
groups:
- title: Recommended Services
filter:
spec.type: service
- title: Documentation
filter:
spec.type: documentation
@remixicon/react dependency to versions below 4.9.0 due to a license change in that release.OwnerEntityColumn in the task list to rely on EntityRefLink and the entity presentation API instead of manually fetching entities from the catalog.title and icon on each plugin's page extension..default()
are applied and invalid input is reported through the error API instead of
silently passing through.spec.formDecorators field on a template, falling back to the deprecated
spec.EXPERIMENTAL_formDecorators for templates that have not been migrated.list-scaffolder-tasks action to support the new "status" filter parameter, allowing the action to return tasks matching a specific status.always() and failure() status check functions for scaffolder steps. These functions can be used in the if field of a step to control execution after failures. always() ensures a step runs regardless of previous step outcomes, while failure() runs a step only when a previous step has failed.formDecorators field
instead of EXPERIMENTAL_formDecorators. Templates that still declare
spec.EXPERIMENTAL_formDecorators are read transparently and surfaced under
the new field.uuid dependency and replaced usage with the built-in crypto.randomUUID().formDecorators field on the Template spec out of experimental.
The previous EXPERIMENTAL_formDecorators field continues to work and is
kept as a deprecated alias.dbeb7aa: Added experimental BUI (Backstage UI) form theme for scaffolder forms. All default field extensions render BUI variants when enabled.
Extension config:
app:
extensions:
- sub-page:scaffolder/templates:
config:
enableBackstageUi: true
JSX props:
<ScaffolderPage formProps={{ EXPERIMENTAL_theme: 'bui' }} />
8006acf: Promoted FormDecoratorBlueprint and ScaffolderFormDecorator from @alpha
to @public.
d09c21c: The TemplateCard component is now a swappable component. Apps using the new
frontend system can replace it by registering a SwappableComponentBlueprint
that targets TemplateCard. Components used as the swappable implementation
receive TemplateCardComponentProps, where onSelected is a zero-argument
callback bound to the rendered template. Existing usage continues to work
unchanged.
techdocs.generator.mkdocs.disableExternalFonts, useful for air-gapped Backstage instances.techdocs.generator.mkdocs.disableExternalFonts, useful for air-gapped Backstage instances.--legacyCopyReadmeMdToIndexMd option to fail if docs directory is not presentTracingService to provide a unified interface for emitting trace spans across Backstage plugins.CachedUserInfoService where a failed request could incorrectly evict a newer cache entry for the same token. The error handler now verifies the map entry is still the same promise before deleting it.defaultServiceFactories to allow use with createSpecializedBackend for advanced configuration like extensionPointFactoryMiddleware.sleep firing immediately for durations longer than ~24.8 days, caused by Node.js setTimeout overflowing its 32-bit millisecond limit.iovalkey's Cluster class instead of
createCluster from @keyv/redis. The previous implementation passed a
@redis/client RedisCluster instance to @keyv/valkey, which expects an
iovalkey Cluster instance. This caused the cluster client to not be
recognized correctly, as the two libraries have incompatible object models.CachedUserInfoService decorator that wraps DefaultUserInfoService with a 5-second TTL cache and in-flight request coalescing. The decorator is wired in via userInfoServiceFactory using a shared root-level cache. Repeated getUserInfo() calls for the same user token within the TTL window return the cached result without making an HTTP call to the auth backend. Note that custom UserInfoService implementations registered via their own factory will not benefit from this cache automatically.dependencies and devDependencies.uuid dependency and replaced usage with the built-in crypto.randomUUID().context and propagation to the alpha TracingService. Plugins can bridge OpenTelemetry context across async boundaries via tracing.propagation.extract(tracing.context.active(), carrier) followed by tracing.context.with(ctx, fn), and read propagated baggage via tracing.propagation.getActiveBaggage() or tracing.propagation.getBaggage(ctx).@module-federation/enhanced, @module-federation/runtime, and @module-federation/sdk from ^0.21.6 to ^2.3.3 to address known vulnerabilities.TracingService to provide a unified interface for emitting trace spans across Backstage plugins.context and propagation to the alpha TracingService. Plugins can bridge OpenTelemetry context across async boundaries via tracing.propagation.extract(tracing.context.active(), carrier) followed by tracing.context.with(ctx, fn), and read propagated baggage via tracing.propagation.getActiveBaggage() or tracing.propagation.getBaggage(ctx).mockCredentials to include the internal version: 'v1' field on all credential objects (none(), user(), limitedUser(), service()), and fixed user() to encode the user entity ref into the token (matching user.token(ref) behavior). This makes mock credentials compatible with toInternalBackstageCredentials(), which validates the version field, and ensures that credentials for different users produce different tokens.uuid dependency and replaced usage with the built-in crypto.randomUUID().context and propagation to the alpha TracingService. Plugins can bridge OpenTelemetry context across async boundaries via tracing.propagation.extract(tracing.context.active(), carrier) followed by tracing.context.with(ctx, fn), and read propagated baggage via tracing.propagation.getActiveBaggage() or tracing.propagation.getBaggage(ctx).dependencies and devDependencies.host, port, user, or password under backend.database.connection alongside the embedded-postgres database client, those values will be forwarded to the embedded Postgres instance. Only values that you have not configured will be filled in with defaults. This makes it possible to run the embedded database on a specific host and port, for example to connect to it externally with psql.@module-federation/enhanced, @module-federation/runtime, and @module-federation/sdk from ^0.21.6 to ^2.3.3 to address known vulnerabilities.uuid dependency and replaced usage with the built-in crypto.randomUUID().PackageGraph.listChangedPackages where removed dependencies were not detected during lockfile analysis. The dependency graph from the previous lockfile was not being merged, causing transitive dependency removals to be missed.dependencies and devDependencies.import type. These self-referential imports could trigger circular initialization errors in bundled ESM and when the package was loaded via jest.requireActual — most visibly Cannot access '_AppRootElementBlueprintesm' before initialization from @backstage/frontend-plugin-api. There are no user-facing API changes.~30.2.0 to prevent automatic upgrades to Jest 30.4.x, which requires Node.js v24.9+ and breaks tests on Node 22.@backstage/cli-common.name property to ServiceUnavailableError for consistency with all other error classes, making it resilient to minification.$all, $any, $not) with other keys are now rejected. Previously, a predicate like { kind: 'API', $not: { 'spec.type': 'dataset' } } would silently drop the kind check. The correct form wraps conditions in $all.@module-federation/enhanced, @module-federation/runtime, and @module-federation/sdk from ^0.21.6 to ^2.3.3 to address known vulnerabilities.6b112d3: Fixed two issues in the GitLab integration's fetch behavior:
mode: 'same-origin' on every request. This had no practical effect server-side, but would have caused cross-origin requests to be rejected when the integration is used from a browser. Requests now use the default fetch mode and work correctly in both browser and Node environments.maxRetries and exponential delay as retryable HTTP status codes. Previously, a thrown fetch error would propagate immediately on the first failure regardless of the retry configuration. Caller-initiated aborts continue to surface immediately without being retried.b62781f: Moved registerMswTestHooks to test files.
Updated dependencies
@module-federation/enhanced, @module-federation/runtime, and @module-federation/sdk from ^0.21.6 to ^2.3.3 to address known vulnerabilities.@backstage/cli-common.@remixicon/react dependency to versions below 4.9.0 due to a license change in that release.title and icon on each plugin's page extension.a345820: The app/routes redirect config now supports path parameter substitution in the to target. Named params (:userId) and splat params (*) captured by the from path are replaced in the to string before navigating, making it possible to express redirects like:
app:
extensions:
- app/routes:
config:
redirects:
- from: /users/:userId
to: /profile/:userId
- from: /old-docs
to: /docs/*
d1be10c: Migrated React Aria imports from individual packages (@react-aria/toast, @react-aria/button, @react-stately/toast) to the monopackages (react-aria, react-stately).
e2d9831: Tightened React Aria dependency version ranges from ^ to ~ to prevent unintended minor version upgrades.
f635139: Limited @remixicon/react dependency to versions below 4.9.0 due to a license change in that release.
2ba8c10: Following the removal of NavItemBlueprint in @backstage/frontend-plugin-api, the built-in app nav was updated to keep accepting legacy nav-item extensions so older plugins continue to work until they migrate.
cad156e: Replaced old config schema values from existing extensions and blueprints.
085133f: The zod dependency has been bumped from ^3.25.76 || ^4.0.0 to ^4.0.0, since configSchema requires the full Zod v4 package for JSON Schema support.
Updated dependencies
dependencies and devDependencies.^ to ~ to prevent unintended minor version upgrades.@remixicon/react dependency to versions below 4.9.0 due to a license change in that release.title and icon on each plugin's page extension.@remixicon/react dependency to versions below 4.9.0 due to a license change in that release.uuid dependency and replaced usage with the built-in crypto.randomUUID().dependencies and devDependencies.dependencies and devDependencies.uuid dependency and replaced usage with the built-in crypto.randomUUID()./catalog/default/component/foo/blob) would silently render the first available route. Unknown paths now show the standard not-found page instead.title and icon on each plugin's page extension.zod dependency has been bumped from ^3.25.76 || ^4.0.0 to ^4.0.0, since configSchema requires the full Zod v4 package for JSON Schema support.uuid dependency and replaced usage with the built-in crypto.randomUUID().uuid dependency and replaced usage with the built-in crypto.randomUUID().uuid dependency and replaced usage with the built-in crypto.randomUUID().uuid dependency and replaced usage with the built-in crypto.randomUUID().uuid dependency and replaced usage with the built-in crypto.randomUUID().uuid dependency and replaced usage with the built-in crypto.randomUUID().uuid dependency and replaced usage with the built-in crypto.randomUUID().suspendedAt field. Enable by setting both excludeSuspendedUsers: true and experimental_checkForSuspendedUsersWithRest: true in the provider config. When enabled, responses are cached using conditional HTTP requests to minimize REST API rate limit usage.uuid dependency and replaced usage with the built-in crypto.randomUUID().GithubMultiOrgEntityProvider now emits entities in a stable order during full mutations. Entities are sorted by entity ref, with the location annotation as a tiebreaker for entities that share the same ref. This prevents entity data from flickering between different GitHub orgs across refresh cycles when alwaysUseDefaultNamespace is enabled and teams with identical slugs exist in multiple orgs.suspendedAt field. Enable by setting both excludeSuspendedUsers: true and experimental_checkForSuspendedUsersWithRest: true in the provider config. When enabled, responses are cached using conditional HTTP requests to minimize REST API rate limit usage.uuid dependency and replaced usage with the built-in crypto.randomUUID().WHERE ref IN ($1, $2, ..., $N) queries on the ingestion_mark_entities table now use = ANY($1) with a single array parameter instead. This reduces prepared statement bloat in the query plan cache when the number of entity refs varies between calls.uuid dependency and replaced usage with the built-in crypto.randomUUID().uuid dependency and replaced usage with the built-in crypto.randomUUID().uuid dependency and replaced usage with the built-in crypto.randomUUID().@remixicon/react dependency to versions below 4.9.0 due to a license change in that release.zod dependency has been bumped from ^3.25.76 || ^4.0.0 to ^4.0.0, since configSchema requires the full Zod v4 package for JSON Schema support.@remixicon/react dependency to versions below 4.9.0 due to a license change in that release.import type. These self-referential imports could trigger circular initialization errors in bundled ESM and when the package was loaded via jest.requireActual — most visibly Cannot access '_AppRootElementBlueprintesm' before initialization from @backstage/frontend-plugin-api. There are no user-facing API changes.@remixicon/react dependency to versions below 4.9.0 due to a license change in that release.dependencies and devDependencies.zod dependency has been bumped from ^3.25.76 || ^4.0.0 to ^4.0.0, since configSchema requires the full Zod v4 package for JSON Schema support.title and icon on each plugin's page extension.unprocessedEntitiesReadPermission for authorizing read access to unprocessed entity endpoints.ConfigContent component from Material UI to Backstage UI (BUI).title and icon on each plugin's page extension.isDraggable and isResizable.title and icon on each plugin's page extension.import type. These self-referential imports could trigger circular initialization errors in bundled ESM and when the package was loaded via jest.requireActual — most visibly Cannot access '_AppRootElementBlueprintesm' before initialization from @backstage/frontend-plugin-api. There are no user-facing API changes.import type. These self-referential imports could trigger circular initialization errors in bundled ESM and when the package was loaded via jest.requireActual — most visibly Cannot access '_AppRootElementBlueprintesm' before initialization from @backstage/frontend-plugin-api. There are no user-facing API changes.structuredContent field for model context protocol responses.tools/call invocations, following OpenTelemetry server-side MCP semantic conventions.^ to ~ to prevent unintended minor version upgrades.@remixicon/react dependency to versions below 4.9.0 due to a license change in that release.uuid dependency and replaced usage with the built-in crypto.randomUUID().dependencies and devDependencies.scope and notification.updated is set, the processor now calls chat.update() on the existing Slack message instead of sending a duplicate via chat.postMessage(). Message timestamps are persisted in a new slack_message_timestamps database table with automatic daily cleanup. The processor gracefully degrades to the previous behavior when no database is provided.@remixicon/react dependency to versions below 4.9.0 due to a license change in that release.zod dependency has been bumped from ^3.25.76 || ^4.0.0 to ^4.0.0, since configSchema requires the full Zod v4 package for JSON Schema support.token and identity fields on PolicyQueryUser, and no longer calls auth.getPluginRequestToken() during policy evaluation. This removes one internal round-trip per authorize request.uuid dependency and replaced usage with the built-in crypto.randomUUID().allowEmpty input option to the gitlab:repo:push action, allowing empty commits. Required from GitLab 18.8 or later.status filter to ScaffolderService.listTasks, allowing callers to retrieve tasks matching a specific status.title and icon on each plugin's page extension.zod dependency has been bumped from ^3.25.76 || ^4.0.0 to ^4.0.0, since configSchema requires the full Zod v4 package for JSON Schema support.uuid dependency and replaced usage with the built-in crypto.randomUUID().uuid dependency and replaced usage with the built-in crypto.randomUUID().uuid dependency and replaced usage with the built-in crypto.randomUUID().uuid dependency and replaced usage with the built-in crypto.randomUUID().zod dependency has been bumped from ^3.25.76 || ^4.0.0 to ^4.0.0, since configSchema requires the full Zod v4 package for JSON Schema support.@remixicon/react dependency to versions below 4.9.0 due to a license change in that release.uuid dependency and replaced usage with the built-in crypto.randomUUID().uuid dependency and replaced usage with the built-in crypto.randomUUID().--techdocs-sidebar-closed-offset-pinned, --techdocs-sidebar-closed-offset-collapsed, and --techdocs-sidebar-open-translate.@remixicon/react dependency to versions below 4.9.0 due to a license change in that release.title and icon on each plugin's page extension.zod dependency has been bumped from ^3.25.76 || ^4.0.0 to ^4.0.0, since configSchema requires the full Zod v4 package for JSON Schema support.theme.title for built-in light/dark theme names in UserSettingsThemeToggle, so that translation overrides are no longer silently ignored.title and icon on each plugin's page extension.