Skip to main content
Version: Next

v1.15.0

These are the release notes for the v1.15.0 release of Backstage.

A huge thanks to the whole team of maintainers and contributors as well as the amazing Backstage Community for their hard work in getting this release developed and done.

Highlights

This release has a few important security fixes, along with a lot of squashed bugs and exciting additions as usual! Enjoy.

BREAKING: Scaffolder build requirements

The Scaffolder backend uses a sandboxing environment to run its nunjucks templating in, for security reasons. This used to leverage the vm2 library, but in this release it has been replaced by isolated-vm. This significantly improves the confidence level in the sandbox implementation since it builds upon v8 isolates directly. However, it comes with a cost to implementers: it is a native dependency, and as such needs to be built during yarn installation, on the exact architecture that it then executes on. For those who compile and run Backstage on stripped-down environments, you will want to ensure that you have the build basics present, e.g. build-essential or similar corresponding to your operating system of choice. The isolated-vm repo has some further information about the build environment requirements.

There is a CVE-2022-39266 that has been reported for isolated-vm, which applies only when using CachedDataOptions. We do not use that feature at all, since it is recommended against in the README; doing so can lead to breakouts and calling back to the main process. Some security tools may report that this is a vulnerability but it is safe to ignore this through your .snyk policy file or similar.

BREAKING: @backstage/plugin-linguist-backend

There have been some significant updates to the Linguist plugin, in particular the backend and its API. One breaking change is that LinguistBackendApi is now an interface rather than a class, and you should create its implementation LinguistBackendClient instead.

Contributed by @ahhhndre in #16954

BREAKING: @backstage/plugin-github-actions

In order to make this plugin support GitHub enterprise as well as cloud, its GithubActionsClient is updated to take an scmAuthApi instead of the previous githubAuthApi.

Contributed by @koalaty-code in #17781

New module: Unprocessed Entities

This frontend plugin and accompanying backend module lets you peek under the covers of your catalog instance, finding those pesky unprocessed entities that may be stuck in limbo because of an otherwise tricky-to-debug validation issue or similar.

Check out the plugin’s README for details and installation instructions.

Contributed by @alde in #17828

More movement toward Material UI v5 and React v18 compatibility

There have been some tweaks here or there to types and the theme system to ensure a smooth future migration toward Material UI version 5. This should be mostly transparent to adopters, but please let us know if you encounter any oddities around the theme system after upgrading to this release.

To ensure your future compatibility with v5 plugins, you may want to upgrade your theme provider to use the new unified one:

     Provider: ({ children }) => (
-    <ThemeProvider theme={lightTheme}>
-      <CssBaseline>{children}</CssBaseline>
-    </ThemeProvider>
+    <UnifiedThemeProvider theme={builtinThemes.light} children={children} />
     ),

We’ve also ensured to be more thorough with how we use PropsWithChildren to ensure that there’s a smooth transition to the non-implicit children in the React v18 types.

New Backend System lifecycle changes

When using the new Backend system, plugins are now started up concurrently instead of serially. This improves startup times significantly in some cases.

If you were relying on feature registration order to make sure that one plugin was completely initialized before being consumed by other plugins, we at the same time introduced a new addStartupHook method to the coreServices.lifecycle that you can use instead to act after all plugin initializations have completed.

At the same time, the default HTTP server implementation adds a middleware to the top of the chain, which stalls incoming requests for a short period of time while waiting for service startup. If it takes longer than that predefined time, it responds with a 503 Service Unavailable error. The end result is that as long as startup is typically fast, callers should only see slightly higher turnaround times for requests to services that are starting up, instead of getting 404 errors or similar which was often the case in the past.

Azure identity improvements

On the Azure front, there’s been work toward ensuring support for service principals, managed identities, and workload identities.

Contributed by @sanderaernouts in #17780 and @afscrome in #18324

Resource utilization and error display for k8s pods

You can now see some resource utilization statistics and errors, where present, for your Kubernetes pods.

Contributed by @mclarke47 in #17563 and #18169

Printable TechDocs

There have been some changes to the TechDocs styles, to properly handle print media. This should make PDF exports and printing of documentation work better. Let us know how it goes!

Contributed by @maapteh in #18007

OpenAPI linting

The backstage-repo-tools CLI’s OpenAPI features now have a new lint subcommand. This lets you automatically lint the OpenAPI schemas of plugins for correctness and best practices.

Contributed by @sennyeya in #18185

Catalog conflict events (experimental)

If you pass in an event broker to the catalog backend, it now has the experimental ability to emit events onto the event bus describing entity conflicts as they happen internally. This can then be observed and acted upon by external consumers.

Contributed by @sblausten in #16977

Security Fixes

  • See the note above about the Scaffolder replacing vm2 with isolated-vm.
  • There were some cases where sensitive configuration settings could be seen by the browser. The configuration schemas have been tightened up accordingly in a few places to counter this.
  • The TechDocs base Docker image has been upgraded to include a few security fixes. This will get picked up automatically for future Docker based TechDocs runs, after upgrading Backstage.

Upgrade path

We recommend that you keep your Backstage project up to date with this latest release. For more guidance on how to upgrade, check out the documentation for keeping Backstage updated.

Below you can find a list of links and references to help you learn about and start using this new release.

Sign up for our newsletter if you want to be informed about what is happening in the world of Backstage.