feat: upgrade Backstage from 1.46.0 to 1.51.1 #89

Merged: johnnyhuy merged 2 commits into main from feat/backstage-upgrade-1.51.1 on May 31, 2026
@johnnyhuy
Contributor

Summary

  • Upgraded Backstage from 1.46.0 to 1.51.1 using backstage-cli versions:bump
  • Fixed runtime error: toastApiRef was not implemented (notifications plugin 0.5.17 requires it)
  • Fixed lint/type errors: removed deprecated variant="gridItem" prop from EntityPage cards
  • Fixed lint errors: changed PolicyQueryUser.identity → PolicyQueryUser.info in permission backend
  • Updated @testing-library/* to v16 across plugins
  • Added missing jest/react dependencies to backstage-theme-github, plausible, and permission-backend-module-default packages
  • Added ESLint config to backstage-theme-github package
  • Imported Backstage Yarn plugin for version management
  • Created backstage-upgrade skill in .claude/skills/

Consequences

  • App now requires @backstage/frontend-plugin-api as explicit dependency (was previously transitive)
  • Entity cards no longer accept variant prop (deprecated in newer Backstage)
  • Permission policy uses user.info?.ownershipEntityRefs instead of user.identity?.ownershipEntityRefs

Testing

  • yarn lint and backstage-cli repo lint pass
  • Tests pass (6 passed, 1 skipped - CSS @layer cosmetic issue)
  • Dev server runs successfully at localhost:3000
  • App renders correctly with all pages accessible

Breaking Changes

  • Minimum Node.js version is still 22.x via mise

socket-security Bot commented May 31, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License
Updated | @backstage/theme@0.6.6 ⏵ 0.7.3 | 99 | 100 | 76 +1 | 95 | 100
Updated | @backstage/core-plugin-api@1.10.7 ⏵ 1.12.6 | 99 | 100 | 77 -1 | 98 | 100
Updated | @backstage/core-components@0.17.2 ⏵ 0.18.10 | 97 | 100 | 80 +1 | 98 | 100

View full report

socket-security Bot commented May 31, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action | Severity | Alert
Warn | Critical | Critical CVE: npm fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names

CVE: GHSA-m7jm-9gc2-mpf2 fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names (CRITICAL)

Affected versions: >= 5.0.0 < 5.3.5; >= 4.1.3 < 4.5.4

Patched version: 4.5.4

From: ?npm/fast-xml-parser@4.4.1

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/fast-xml-parser@4.4.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn | High | Obfuscated code: npm entities is 91.0% likely obfuscated

Confidence: 0.91

Location: Package overview

From: ?npm/entities@6.0.0

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/entities@6.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report
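
A check for the fast-xml-parser alert above, added here as an example (it is not part of the pull request or of Socket's report): it tests the versions resolved in a Yarn Berry lockfile against the affected ranges quoted in the alert. The function names are hypothetical and the lockfile entries are constructed sample data, not the repository's yarn.lock.

```javascript
// Added example, not from the pull request or Socket's report.
// Affected ranges copied from the alert for GHSA-m7jm-9gc2-mpf2.
const AFFECTED = '>= 5.0.0 < 5.3.5; >= 4.1.3 < 4.5.4';

// Parse "x.y.z" into [x, y, z]. Pre-release and build suffixes are ignored,
// which is a simplification of full semver ordering.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1).map(Number);
}

// Three-way comparison: -1, 0 or 1.
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// True when `version` lies in any ">= min < max" clause of `spec`.
function isAffected(version, spec = AFFECTED) {
  return spec.split(';').some((clause) => {
    const m = /^\s*>=\s*(\S+)\s*<\s*(\S+)\s*$/.exec(clause);
    if (!m) throw new Error(`unsupported range clause: ${clause}`);
    return compareVersions(version, m[1]) >= 0 && compareVersions(version, m[2]) < 0;
  });
}

// Constructed sample in Yarn Berry yarn.lock layout (not the repository's lockfile).
const SAMPLE_LOCK = [
  '"fast-xml-parser@npm:4.4.1":',
  '  version: 4.4.1',
  '"fast-xml-parser@npm:^4.5.0, fast-xml-parser@npm:^4.5.3":',
  '  version: 4.5.4',
  '"entities@npm:^6.0.0":',
  '  version: 6.0.0',
].join('\n');

// Resolved versions of `pkg` in the lockfile text that fall in the affected ranges.
function affectedInLock(lockText, pkg, spec = AFFECTED) {
  const hits = [];
  for (const m of lockText.matchAll(/^"([^"\n]+)":\n\s+version: (\S+)/gm)) {
    const names = m[1].split(',').map((d) => d.trim());
    if (names.some((d) => d.startsWith(`${pkg}@`)) && isAffected(m[2], spec)) hits.push(m[2]);
  }
  return hits;
}

console.log(affectedInLock(SAMPLE_LOCK, 'fast-xml-parser'));
```

An empty result after adding a dependency override means no resolved copy of the package remains inside the ranges the alert lists.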

- Bumped backstage version to 1.51.1 via backstage-cli versions:bump
- Added @backstage/frontend-plugin-api to packages/app
- Fixed toastApiRef runtime error with no-op implementation in apis.ts
- Removed deprecated variant='gridItem' prop from EntityPage cards
- Fixed PolicyQueryUser.identity → PolicyQueryUser.info in permission backend
- Updated @testing-library/* to v16 across plugins
- Added jest/react dependencies to backstage-theme-github, plausible, permission-backend-module-default
- Added ESLint config to backstage-theme-github package
- Created backstage-upgrade skill in .claude/skills/
- Imported Backstage Yarn plugin for version management
@johnnyhuy johnnyhuy force-pushed the feat/backstage-upgrade-1.51.1 branch from 530c30b to 37b1556 Compare May 31, 2026 08:29
The backstage-cli repo lint already does type checking, making yarn tsc redundant. yarn tsc fails due to a pre-existing bug in @backstage/cli tsconfig.
@johnnyhuy johnnyhuy enabled auto-merge (squash) May 31, 2026 09:45
@johnnyhuy johnnyhuy merged commit 982677e into main May 31, 2026
2 of 4 checks passed
@johnnyhuy johnnyhuy deleted the feat/backstage-upgrade-1.51.1 branch May 31, 2026 09:45