Skip to main content
Version: Next

v1.39.0

These are the release notes for the v1.39.0 release of Backstage.

A huge thanks to the whole team of maintainers and contributors as well as the amazing Backstage Community for the hard work in getting this release developed and done.

Highlights

BREAKING: Removals of Old Backend System support

We are gradually removing support for the old backend system from plugins and modules. In this release, the following backend features no longer support the old backend system:

  • auth-backend
  • catalog-backend
  • permission-backend
  • catalog-backend-module-incremental-ingestion
  • catalog-backend-module-unprocessed

If you have already migrated to the new backend system, you will not be required to do any code changes, except perhaps removing the /alpha suffix on your imports if you had that.

If you have not yet migrated, now would be a great time to do so.

Note that for the @backstage/plugin-catalog-backend, this necessitated a major semantic version bump. The others are on version 0.x still and received a minor level bump. If you are using the Backstage yarn plugin, you will get on the new versions automatically. If you do not, you may want to bump your dependency ranges (to e.g. ^2.0.0 for the major bumps) for these to ensure that you keep getting the most recent updates.

Along with the major bump, most of the previously already deprecated exports were finally removed as well from these packages. There are a bit too many to list here, but as an example, some of the old deprecated exports from the Catalog backend have been available from their new home in @backstage/plugin-catalog-node instead.

An upshot of these changes is that we have nearly entirely eliminated the usage of the old @backstage/backend-common package. We hope to get rid of the very final remnants of it as soon as possible.

BREAKING: CodeOwnersProcessor removed from built-in processors

As part of the major bump of the catalog backend the CodeOwnersProcessor has been removed from the set of default processors, because it's quite expensive to run and has vague semantics. You need to update your backend to add it to the catalogProcessingExtensionPoint if you wish to continue using it.

Deprecating React 17

React 17 is now deprecated and the Backstage CLI will warn if you are using it. Please follow the migration guide to upgrade to React 18.

Scheduler Service REST API

The core scheduler service now comes with its own REST API that you can use to list and trigger tasks. For more information, see the scheduler service documentation.

Canon 0.4.0

Our new design system Canon has reached 0.4.0 in this release. You can read more about the changes in the canon changelog.

Omitting ownership claims in issued identity tokens

The auth plugin backend now supports omitting the ownership claims in issued Backstage identity tokens. By setting the auth.omitIdentityTokenOwnershipClaim configuration flag the issued tokens will no longer contain the ent claim that represents the ownership references of the user.

The benefit of this new flag is that issued user tokens will be much smaller in size, but they will no longer be self-contained. This means that any consumers of the token that require access to the ownership claims now need to call the /api/auth/v1/userinfo endpoint instead. Within the Backstage ecosystem this is done automatically, as clients will still receive the full set of claims during authentication, while plugin backends will need to use the UserInfoService which already calls the user info endpoint if necessary.

When enabling this flag, it is important that any custom sign-in resolvers directly return the result of the sign-in method. For example, the following would not work:

const { token } = await ctx.issueToken({
  claims: { sub: entityRef, ent: [entityRef] },
});
return { token }; // WARNING: This will not work with the flag enabled

Instead, the sign-in resolver should return the entire result:

return ctx.issueToken({
  claims: { sub: entityRef, ent: [entityRef] },
});

JSX elements in I18n interpolation

The internationalization APIs now transparently supports interpolation of JSX elements. If any of the provided replacements are a JSX element, the translation function will also return a JSX element where the parts are joined together in a fragment. This makes it much easier to include things like links in a message while keeping the translations flexible.

Built-in sign-in fallback for users not in the catalog

It is sometimes useful to allow users to sign-in without existing in the catalog, even though care must be taken when allowing this. There is now a new dangerousEntityRefFallback option for the signInWithCatalogUser method that lets you supply a fallback user identity in case the catalog lookup returns an empty response, which makes it even easier to implement this pattern.

In addition, many of the available auth provider modules now support a new dangerouslyAllowSignInWithoutUserInCatalog configuration option that enables this using a provider-specific fallback.

Contributed by @JessicaJHee in #28967

Improved compatibility for Yarn plugin

The yarn plugin will now add both npm: and backstage: ranges to lockfile entries, in order to ensure better compatibility with tools that parse the lockfile and ensure dependencies stay locked when building dist workspaces.

Federated Credentials for Azure DevOps integration

If you have configured your Azure DevOps organization to use Entra ID for authentication, you can now use federated credentials using a managed identity. This allows you to authenticate for an app registration without using a client secret. This is mostly useful when you have to authenticate against an Azure DevOps organization in a different Entra ID tenant, and effectively eliminates the need to manage and expose secrets for other tenants.

Contributed by @sanderaernouts in #28437

Valkey support for cache service

The cache service implementation provided by @backstage/backend-defaults now also supports Valkey as one of the configurable clients.

Contributed by @j1bulbul in #29762

Custom AuthConnector implementations

The frontend OAuth2 class now lets you provide a custom AuthConnector implementation, which can be useful if you need to integrate with auth providers that take a bit more liberty in their OAuth implementation.

Contributed by @gusega in #28004

Security Fixes

This release does not contain any security fixes.

Upgrade path

We recommend that you keep your Backstage project up to date with this latest release. For more guidance on how to upgrade, check out the documentation for keeping Backstage updated.

Below you can find a list of links and references to help you learn about and start using this new release.

Sign up for our newsletter if you want to be informed about what is happening in the world of Backstage.