RATATOSKRATATOSK
Sign in

Releases

AI-analyzed release notes for CNCF graduated and incubating projects.

Jul 2026Clear ×

Backstage

CI/CD & App DeliveryYesterdayJul 14, 2026

Backstage v1.53.0 is a feature release with seven breaking changes across auth, CLI, and API layers. The SSE MCP transport, proxy agent bootstrap, and OpenAPI testing CLI commands are removed; OAuth redirect validation is tightened to reject wildcards crossing host-path boundaries and embedded credentials; config-loader enforces strict type checking; and EntityContextMenuItemBlueprint changes output structure. Optic is replaced by oasdiff for OpenAPI tooling. Numerous bugfixes address TechDocs, Scaffolder, and catalog issues; new features include breadcrumbs framework, user settings storage, and extended auth/database options. No security fixes are included.

  • breakingSSE MCP transport removed

    The Server-Sent Events (SSE) transport for MCP actions has been removed from @backstage/plugin-mcp-actions-backend. If your deployment uses the SSE transport, switch to the Streamable HTTP endpoint or update your MCP configuration.

  • breakingStricter config-loader type validation

    Config-loader now validates imported types in TypeScript configuration schemas instead of treating them as unconstrained. Invalid imports will cause schema loading to fail. Review your configuration schemas for unresolved or missing type imports.

  • breakingTighter OAuth redirect URI and CIMD allowlist matching

    Wildcard patterns in OAuth redirect URIs are now constrained: patterns must include an explicit protocol, wildcards no longer match across host and path boundaries, and embedded credentials are always rejected. Patterns like http://localhost:* now match only the root path; use http://localhost:*/* to allow any path. Update your auth configuration to match this stricter syntax.

  • breakingEntityContextMenuItemBlueprint output type change

    The EntityContextMenuItemBlueprint API now outputs menu item data instead of a rendered MUI element; the icon type is now IconElement. Update any code that depends on the catalog entity context menu to use the new data structure.

  • breakingLegacy proxy agent bootstrap removed

    The bootstrapEnvProxyAgents export has been removed from @backstage/cli-common, along with global-agent and undici dependencies. If you rely on this export, use Node's native NODE_USE_ENV_PROXY environment variable instead.

  • breakingOpenAPI CLI commands and wrapInOpenApiTestServer removed

    The package schema openapi init and repo schema openapi test CLI commands have been removed. Runtime OpenAPI validation is still available via wrapServer from @backstage/backend-openapi-utils/testUtils. The wrapInOpenApiTestServer function has also been removed; use wrapServer instead.

  • breakingOpenAPI tooling switched from Optic to oasdiff

    Optic (@useoptic/optic and @useoptic/openapi-utilities) has been replaced with oasdiff in @backstage/repo-tools for OpenAPI breaking change detection. Update any tooling or CI/CD pipelines that reference Optic.

Key changes (10)
  • SSE MCP transport removed from @backstage/plugin-mcp-actions-backend; use Streamable HTTP endpoint
  • Config-loader now enforces strict type validation; invalid imports cause schema load failure
  • OAuth redirect URI validation tightened: explicit protocol required, credentials rejected, wildcards constrained (http://localhost:* matches root only; use http://localhost:*/* for any path)
  • EntityContextMenuItemBlueprint changed to output data instead of MUI elements (icon is now IconElement)
  • bootstrapEnvProxyAgents removed from @backstage/cli-common; use NODE_USE_ENV_PROXY instead
  • OpenAPI CLI commands (package schema openapi init, repo schema openapi test) and wrapInOpenApiTestServer removed; use wrapServer
  • Optic replaced with oasdiff for OpenAPI breaking change detection in @backstage/repo-tools
  • Catalog entity page migration to BUI and entity header extension deprecation in progress
  • Fixes for TechDocs metadata loop, DatabaseTaskStore string cast, Bitbucket pickers, catalog export crashes, EntityTypePicker regression, scheduled task registration, React key warnings, Kubernetes schema inclusion, yeoman-environment v4 compatibility, and TechDocs blank page rendering
  • Enhancements: breadcrumbs framework, TextAreaField UI component, react-aria-components re-export, user settings plugin, multi-config BACKSTAGE_ENV stacking, Azure DevOps webhooks, CIMD token revocation, Redis connection options, S3 PrivateLink, Auth0 prompt parameters, embedded postgres flags, extension predicate action attributes
Source

Flux

CI/CD & App DeliveryJul 13, 2026

Flux v2.9.2 is a routine patch that resolves a v2.9.1 regression breaking Kustomization reconciliation with URL-based OpenAPI schema paths, corrects several CRD field descriptions, and updates dependencies.

Key changes (4)
  • Fixes Kustomization reconciliation regression in v2.9.1 when openapi.path points to a URL
  • Corrects HelmChart CRD description (.status.url) and ImageRepository CRD description (.status.observedExclusionList)
  • Fixes ImageUpdateAutomation CRD description (.status.observedSourceRevision) removing leaked Go struct declaration
  • Updates fluxcd/pkg dependencies and toolkit components
Source

Argo

CI/CD & App DeliveryJul 9, 2026

Argo CD v3.4.5 is a routine patch addressing seven bug fixes across reposerver manifest generation, SSA auth handling, sync behavior, UI display, and Dex configuration, plus dependency updates. No breaking or security changes.

Key changes (7)
  • Reposerver now honors source repository depth instead of primary source when generating manifests
  • Server-Side Apply (SSA) auth reconcile disabled to prevent incorrect reconciliation
  • Fixed auto-sync skip when newer commits arrived during manifest-generate-paths sync
  • Deleted resources no longer incorrectly displayed as present in the UI
  • Replace sync option no longer clobbers non-ignored fields
  • Dex config environment variable substitution regression fixed
  • golang.org/x/crypto bumped to 0.53.0; Ubuntu base image updated to 26.04 LTS
Source

Tekton

CI/CD & App DeliveryJul 8, 2026

Tekton v1.6.5 is a routine patch release that upgrades the Go toolchain to 1.25.10 to address medium-severity CVEs. No breaking changes or new features are included.

  • securityApply Go toolchain CVE fixes

    Tekton v1.6.5 upgrades Go to 1.25.10 to fix medium-severity CVEs in the toolchain. Upgrade to v1.6.5 to apply the patch.

Key changes (1)
  • Go bumped to 1.25.10 for CVE remediation
Source

Tekton

CI/CD & App DeliveryJul 8, 2026

Tekton v1.9.6 is a security patch that remediates CVEs by bumping Go and two key golang.org dependencies. A build hygiene fix replacing LICENSE symlinks with files is also included.

  • securityApply dependency CVE remediations

    Tekton v1.9.6 bumps Go to 1.25.10 and updates golang.org/x/crypto to v0.52.0 and golang.org/x/net to v0.55.0 to address CVEs in those dependencies. Upgrade to receive these remediation fixes.

Key changes (2)
  • Go bumped to 1.25.10, golang.org/x/crypto to v0.52.0, and golang.org/x/net to v0.55.0 for CVE remediation
  • Build hygiene: kodata LICENSE symlinks replaced with actual files
Source

Flux

CI/CD & App DeliveryJul 7, 2026

Flux v2.9.1 is a patch release fixing a CRD schema corruption bug where post-build variable substitution could clobber Flux's own CRD fields, plus smaller fixes for SOPS .ini decryption and a dry-run strategic merge patch error. No breaking changes, deprecations, or CVEs are disclosed.

  • breakingCRD schema corruption from post-build substitution is fixed

    Post-build variable substitution in Kustomizations could accidentally match and corrupt Flux's own CRD schema fields when a manifest contained ${...} sequences overlapping those field names. This affected Kustomizations with post-build substitution enabled. Fixed by annotating Flux CRDs with kustomize.toolkit.fluxcd.io/substitute: disabled. Upgrade to v2.9.1 if you use post-build substitution.

Key changes (3)
  • Fixed CRD schema corruption caused by post-build variable substitution matching Flux's own CRD fields; Flux CRDs are now annotated with kustomize.toolkit.fluxcd.io/substitute: disabled
  • Fixed SOPS .ini file decryption
  • Fixed a dry-run error in strategic merge patch handling
Source
Browse by month