Skip to content

Bump the npm_and_yarn group across 1 directory with 3 updates#106

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/packages/backend/npm_and_yarn-641156677b
Open

Bump the npm_and_yarn group across 1 directory with 3 updates#106
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/packages/backend/npm_and_yarn-641156677b

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Apr 7, 2026

Bumps the npm_and_yarn group with 3 updates in the /packages/backend directory: @backstage/backend-defaults, @backstage/plugin-auth-backend and @backstage/plugin-scaffolder-backend.

Updates @backstage/backend-defaults from 0.5.3 to 0.16.0

Changelog

Sourced from @​backstage/backend-defaults's changelog.

0.16.0

Minor Changes

  • 42960f1: The actions registry invoke endpoint now accepts direct user credentials in addition to service principals, enabling CLI and other direct user clients to invoke actions.
  • 0e7d8f9: The scheduler service now uses the metrics service to create metrics, providing plugin-scoped attribution.
  • 527cf88: BREAKING Removed deprecated BitbucketUrlReader. Use the BitbucketCloudUrlReader or the BitbucketServerUrlReader instead.

Patch Changes

  • cc8348e: Added permissions integration to the actions registry. Actions registered with a visibilityPermission field are now checked against the permissions framework when listing and invoking. Denied actions are filtered from list results, and invoking a denied action returns a 404 Not Found as if the action does not exist. Permissions are automatically registered with the PermissionsRegistryService so they appear in the permission policy system.
  • dee4283: Added pluginId field to ActionsServiceAction type, populated from the registering plugin's metadata.
  • 015668c: Added cancelTask method to the SchedulerService interface and implementation, allowing cancellation of currently running scheduled tasks. For global tasks, the database lock is released and a periodic liveness check aborts the running task function. For local tasks, the task's abort signal is triggered directly. A new POST /.backstage/scheduler/v1/tasks/:id/cancel endpoint is also available.
  • 638e6c7: chore(deps): bump yauzl from 3.2.0 to 3.2.1
  • 6738cf0: build(deps): bump minimatch from 9.0.5 to 10.2.1
  • 62f0a53: Fixed error forwarding in the actions registry so that known errors like InputError and NotFoundError thrown by actions preserve their original status codes and messages instead of being wrapped in ForwardedError and coerced to 500.
  • d933f62: Add configurable throttling and retry mechanism for GitLab integration.
  • b99158a: Fixed yarn backstage-cli config:check --strict --config app-config.yaml config validation error by adding an optional default type discriminator to PostgreSQL connection configuration, allowing config:check to properly validate default connection configurations.
  • 1ee5b28: Adds an alpha MetricsService to provide a unified interface for metrics instrumentation across Backstage plugins.
  • 5fcbef2: Updated dependency express-rate-limit to ^8.0.0.
  • a49a40d: Updated dependency zod to ^3.25.76 || ^4.0.0 & migrated to /v3 or /v4 imports.
  • Updated dependencies
    • @​backstage/backend-plugin-api@​1.8.0
    • @​backstage/cli-node@​0.3.0
    • @​backstage/integration@​2.0.0
    • @​backstage/config-loader@​1.10.9
    • @​backstage/plugin-permission-common@​0.9.7
    • @​backstage/plugin-permission-node@​0.10.11
    • @​backstage/plugin-auth-node@​0.6.14
    • @​backstage/backend-app-api@​1.6.0
    • @​backstage/plugin-events-node@​0.4.20

0.16.0-next.2

Patch Changes

  • 015668c: Added cancelTask method to the SchedulerService interface and implementation, allowing cancellation of currently running scheduled tasks. For global tasks, the database lock is released and a periodic liveness check aborts the running task function. For local tasks, the task's abort signal is triggered directly. A new POST /.backstage/scheduler/v1/tasks/:id/cancel endpoint is also available.
  • 5fcbef2: Updated dependency express-rate-limit to ^8.0.0.
  • Updated dependencies
    • @​backstage/backend-plugin-api@​1.8.0-next.1
    • @​backstage/integration@​2.0.0-next.2
    • @​backstage/backend-app-api@​1.6.0-next.1
    • @​backstage/plugin-auth-node@​0.6.14-next.2
    • @​backstage/plugin-events-node@​0.4.20-next.1
    • @​backstage/plugin-permission-node@​0.10.11-next.1

0.16.0-next.1

... (truncated)

Commits

Updates @backstage/plugin-auth-backend from 0.24.5 to 0.27.3

Changelog

Sourced from @​backstage/plugin-auth-backend's changelog.

@​backstage/plugin-auth-backend

0.28.0-next.2

Patch Changes

  • 482ceed: Migrated from assertError to toError for error handling.
  • Updated dependencies
    • @​backstage/errors@​1.3.0-next.0
    • @​backstage/plugin-auth-node@​0.7.0-next.2
    • @​backstage/plugin-catalog-node@​2.2.0-next.2
    • @​backstage/backend-plugin-api@​1.9.0-next.2
    • @​backstage/catalog-model@​1.7.8-next.0
    • @​backstage/config@​1.3.7-next.0

0.28.0-next.1

Patch Changes

  • Updated dependencies
    • @​backstage/backend-plugin-api@​1.9.0-next.1
    • @​backstage/plugin-auth-node@​0.7.0-next.1
    • @​backstage/plugin-catalog-node@​2.1.1-next.1

0.28.0-next.0

Minor Changes

  • d7c67cd: BREAKING: The setting auth.omitIdentityTokenOwnershipClaim has had its default value switched to true.

    With this setting Backstage user tokens issued by the auth backend will no longer contain an ent claim - the one with the user's ownership entity refs. This means that tokens issued in large orgs no longer risk hitting HTTP header size limits.

    To get ownership info for the current user, code should use the userInfo core service. In practice code will typically already conform to this since the ent claim has not been readily exposed in any other way for quite some time. But code which explicitly decodes Backstage tokens - which is strongly discouraged - may be affected by this change.

    The setting will remain for some time to allow it to be set back to false if need be, but it will be removed entirely in a future release.

Patch Changes

  • dc87ac1: Fixed CIMD redirect URI matching to allow any port for localhost addresses per RFC 8252 Section 7.3. Native CLI clients use ephemeral ports for OAuth callbacks, which are now accepted when the registered redirect URI uses a localhost address.
  • Updated dependencies
    • @​backstage/backend-plugin-api@​1.8.1-next.0
    • @​backstage/plugin-auth-node@​0.6.15-next.0
    • @​backstage/plugin-catalog-node@​2.1.1-next.0
    • @​backstage/catalog-model@​1.7.7
    • @​backstage/config@​1.3.6
    • @​backstage/errors@​1.2.7
    • @​backstage/types@​1.2.2

0.27.2

... (truncated)

Commits

Updates @backstage/plugin-scaffolder-backend from 1.33.0 to 3.3.0

Release notes

Sourced from @​backstage/plugin-scaffolder-backend's releases.

v1.50.0-next.2

See docs/releases/v1.50.0-next.2-changelog.md for more information.

v1.50.0-next.1

See docs/releases/v1.50.0-next.1-changelog.md for more information.

v1.50.0-next.0

See docs/releases/v1.50.0-next.0-changelog.md for more information.

v1.49.4

This patch release fixes the following issues:

  • Fix OAuth 2.0 Protected Resource Metadata endpoint returning wrong URL
  • Fixed incorrect name of the legacy-frontend-plugin template
  • Fix issue with missing permissions on the /.well-known endpoint for the scaffolder plugin

v1.49.3

This patch release fixes the following issues:

  • Add showPaginationLabel prop to TablePagination
  • Fix relative href resolution for BUI link components
  • Fix entity relation cards showing only one entity

v1.49.2

This patch release fixes the following issues:

  • Fixed CIMD redirect URI matching to allow any port for loopback addresses.

v1.49.1

This patch release fixes the following issues:

  • Added titleLink prop to PageLayoutProps so the plugin header title can link back to the plugin root
  • Removed the unnecessary @backstage/cli-module-new dependency from the default create-app template.
  • Fixed broken API reference links in documentation.
  • Migrates TechDocs alpha plugin pages to BUI header system, fixing double scrollbar issue with the new plugin header.
  • Integrate unprocessed entities as a DevTools tab by default
  • Add apis to BootstrapSpecializedApp and FinalizedSpecializedApp types
  • Disable page layout header for the catalog entity page in the new frontend system
  • Various fixes and improvements for the @backstage/create-app template.
  • Fix scaffolder plugin page layout in the new frontend system

v1.49.0

These are the release notes for the v1.49.0 release of Backstage.

A huge thanks to the whole team of maintainers and contributors as well as the amazing Backstage Community for the hard work in getting this release developed and done.

Highlights

New Frontend System: 1.0 Release Candidate

... (truncated)

Changelog

Sourced from @​backstage/plugin-scaffolder-backend's changelog.

@​backstage/plugin-scaffolder-backend

3.4.0-next.2

Minor Changes

  • 5af48e7: Migrated permission registration to use the PermissionsRegistryService instead of the deprecated createPermissionIntegrationRouter. This fixes an issue where scaffolder permissions were not visible to RBAC plugins because the actionsRegistryServiceRef dependency caused an empty permissions metadata router to shadow the scaffolder's actual permission metadata. The old createPermissionIntegrationRouter path is retained as a fallback for standalone createRouter usage.

Patch Changes

  • 482ceed: Migrated from assertError to toError for error handling.
  • 961e274: Migrated OpenTelemetry metrics to use the MetricsService from @backstage/backend-plugin-api/alpha instead of the raw @opentelemetry/api meter.
  • Updated dependencies
    • @​backstage/errors@​1.3.0-next.0
    • @​backstage/plugin-catalog-node@​2.2.0-next.2
    • @​backstage/plugin-scaffolder-node@​0.13.2-next.2
    • @​backstage/integration@​2.0.1-next.0
    • @​backstage/backend-openapi-utils@​0.6.8-next.2
    • @​backstage/backend-plugin-api@​1.9.0-next.2
    • @​backstage/catalog-model@​1.7.8-next.0
    • @​backstage/config@​1.3.7-next.0
    • @​backstage/plugin-events-node@​0.4.21-next.2
    • @​backstage/plugin-permission-common@​0.9.8-next.0
    • @​backstage/plugin-permission-node@​0.10.12-next.2
    • @​backstage/plugin-scaffolder-common@​2.0.1-next.0

3.3.0-next.1

Minor Changes

  • 309b712: Added a new execute-template actions registry action that executes a scaffolder template with provided input values and returns a task ID for tracking progress.

Patch Changes

  • 4559806: Removed unnecessary empty examples array from actions bridged via the actions registry.
  • Updated dependencies
    • @​backstage/backend-plugin-api@​1.9.0-next.1
    • @​backstage/backend-openapi-utils@​0.6.8-next.1
    • @​backstage/plugin-catalog-node@​2.1.1-next.1
    • @​backstage/plugin-events-node@​0.4.21-next.1
    • @​backstage/plugin-permission-node@​0.10.12-next.1
    • @​backstage/plugin-scaffolder-node@​0.13.1-next.1

3.2.1-next.0

Patch Changes

  • 79453c0: Updated dependency wait-for-expect to ^4.0.0.
  • Updated dependencies
    • @​backstage/backend-plugin-api@​1.8.1-next.0

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump the npm_and_yarn group across 1 directory with 3 updates
6e1b7dd 
Bumps the npm_and_yarn group with 3 updates in the /packages/backend directory: [@backstage/backend-defaults](https://github.com/backstage/backstage/tree/HEAD/packages/backend-defaults), [@backstage/plugin-auth-backend](https://github.com/backstage/backstage/tree/HEAD/plugins/auth-backend) and [@backstage/plugin-scaffolder-backend](https://github.com/backstage/backstage/tree/HEAD/plugins/scaffolder-backend).


Updates `@backstage/backend-defaults` from 0.5.3 to 0.16.0
- [Release notes](https://github.com/backstage/backstage/releases)
- [Changelog](https://github.com/backstage/backstage/blob/master/packages/backend-defaults/CHANGELOG.md)
- [Commits](https://github.com/backstage/backstage/commits/v0.16.0/packages/backend-defaults)

Updates `@backstage/plugin-auth-backend` from 0.24.5 to 0.27.3
- [Release notes](https://github.com/backstage/backstage/releases)
- [Changelog](https://github.com/backstage/backstage/blob/master/plugins/auth-backend/CHANGELOG.md)
- [Commits](https://github.com/backstage/backstage/commits/HEAD/plugins/auth-backend)

Updates `@backstage/plugin-scaffolder-backend` from 1.33.0 to 3.3.0
- [Release notes](https://github.com/backstage/backstage/releases)
- [Changelog](https://github.com/backstage/backstage/blob/master/plugins/scaffolder-backend/CHANGELOG.md)
- [Commits](https://github.com/backstage/backstage/commits/HEAD/plugins/scaffolder-backend)

---
updated-dependencies:
- dependency-name: "@backstage/backend-defaults"
  dependency-version: 0.16.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@backstage/plugin-auth-backend"
  dependency-version: 0.27.3
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@backstage/plugin-scaffolder-backend"
  dependency-version: 3.3.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 7, 2026
@dependabot dependabot bot mentioned this pull request Apr 7, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants