リリース
CNCF graduated・incubatingプロジェクトのリリースノートのAI分析。
v1.52.0 has three breaking changes (discovery API default, immediate stitching removed, BUI union types) alongside significant catalog PostgreSQL performance fixes and a batch of UX and reliability improvements.
breakingCheck discovery.endpoints and remove immediate stitching config
Two breaking changes need attention before upgrading. First, if you use `discovery.endpoints` with internal-only string targets, convert them to object form with `target.internal` set to the internal URL and `target.external` set to a browser-reachable URL — otherwise the frontend will try to reach internal addresses directly. Second, remove `catalog.stitchingStrategy.mode: 'immediate'` from your config; it's now a no-op and will log deprecation warnings. Both changes are straightforward config edits.
breakingMigrate ComboboxProps and SelectProps extensions before upgrading
`ComboboxProps` and `SelectProps` are now union types. If your codebase has interfaces that extend either type, they will fail to compile — switch them to type intersections. Also audit CSS selectors that target list content as a direct child of `.bui-SelectPopover`, as that structure changed. These are frontend component-layer changes with no runtime fallback.
enhancementCatalog query performance improvements for PostgreSQL — no action needed, just upgrade
Several PostgreSQL-specific query planner fixes ship in this release: multi-column statistics on the search table, a dropped redundant index, tuned vacuum thresholds, and a split count/list query. If your catalog list views are slow with large entity counts, this upgrade is worth prioritizing. No config changes needed — the improvements apply automatically via migration. Teams on MySQL/SQLite won't see the same gains.
主な変更 (7)
- Default discovery API in @backstage/plugin-app changed to FrontendHostDiscovery; internal-only string targets in discovery.endpoints must be migrated to object form
- catalog.stitchingStrategy.mode: 'immediate' removed — configs still using it will be silently ignored with a warning
- ComboboxProps and SelectProps changed to union types, breaking any interface that extended them directly
- Catalog backend gets multiple PostgreSQL query planner fixes — extended statistics, dropped legacy index, split count query — targeting 10-40x slower list views
- @backstage/connections experimental package added as a preview of the future integrations replacement; not for production use
- Lazy-loading of react-syntax-highlighter and @dagrejs/dagre cuts ~10 MB from the initial module load of @backstage/core-components
- Newly scaffolded apps now use Yarn 4.13.0 with npmMinimalAgeGate: 3d enabled as a supply-chain defense
v1.51.0 lands six breaking changes alongside major catalog performance wins, a new AiResource entity kind, and MCP/OIDC hardening. Plan migration time before upgrading.
breakingRun catalog DB migration SQL before deploying to large installs
The new catalog migration adds covering indices and a UNIQUE constraint on the search table, which can be slow on large datasets. The release notes explicitly recommend running the provided SQL commands manually before deploying v1.51.0. Skipping this turns a controlled maintenance window into an uncontrolled deployment stall. Check the changelog for the exact SQL before you upgrade.
breakingAudit six breaking changes before upgrading — OIDC and MsgGraph need immediate config review
The OIDC CIMD/DCR patterns changed from wildcard '*' to specific MCP client defaults — any custom MCP clients will silently stop working unless you explicitly add their patterns to the allow list. Separately, Microsoft Graph now excludes disabled user accounts; if your org tracks disabled users in Backstage, add an explicit filter before upgrading. Also migrate NavItemBlueprint usages to PageBlueprint title/icon params, and update PolicyQueryUser code to use credentials instead of the removed token/expiresInSeconds fields.
enhancementAdopt incremental Microsoft Graph ingestion for large orgs
The new msgraph-incremental module processes users and groups one page at a time and persists cursor state, meaning a pod restart no longer forces a full re-ingest. For orgs with tens of thousands of users, this is a practical operational improvement worth switching to. Install the new module and migrate your provider config — the old MicrosoftGraphOrgEntityProvider remains available but holds the full dataset in memory.
主な変更 (6)
- Six breaking changes: NavItemBlueprint removed, PortableSchema.schema now method-only, OIDC/CIMD/DCR patterns hardened, PolicyQueryUser cleaned up, catalog pagination excludes null-sort entities, Microsoft Graph now filters disabled users by default
- Catalog backend gets substantial query performance improvements — paginated entity lists drop from seconds to milliseconds via index-aware PostgreSQL queries; large installs should run provided SQL migration commands before deploying
- New AiResource catalog entity kind and mcp-server API subtype added, expanding Backstage's model for AI workloads
- Microsoft Graph incremental ingestion module added — memory-efficient cursor-based ingestion that resumes from last page after pod restarts
- Scaffolder form decorators promoted to stable (public API); always() and failure() step control functions added
- TechDocs gains disableExternalFonts option for air-gapped environments; scheduler fixed for tasks longer than ~24.8 days
v1.50.0 is a wide-ranging release with several breaking changes across auth, frontend APIs, and catalog. Key practical upgrades: AWS RDS IAM auth, Auth0 federated logout, catalog deadlock fixes, and security patches for rollup/glob.
securityUpdate CLI and build tooling to pick up rollup path traversal fix
rollup < v4.59 has a high severity path traversal vulnerability (GHSA-mw96-cpmx-2vgc). The @backstage/cli, repo-tools, and several CLI modules have been updated. Run the upgrade helper and update your lockfile. If you pin rollup versions anywhere in your workspace, update those pins to v4.59+. The glob dependency was also bumped to v13 to address vulnerabilities in v7/v8/v11.
breakingVerify token decoding code before upgrading — ent claim removed by default
auth.omitIdentityTokenOwnershipClaim now defaults to true, so Backstage user tokens no longer include the ent ownership claim. Any code that manually decodes tokens and reads ent will silently get nothing. Audit your codebase for raw token decoding and replace it with the userInfo core service. If you need time, set auth.omitIdentityTokenOwnershipClaim: false in your config temporarily, but plan to remove it — the setting will be dropped in a future release.
breakingMigrate createSchemaFromZod to configSchema before upgrading frontend-plugin-api
The deprecated createSchemaFromZod helper is gone in @backstage/[email protected]. Any extension or blueprint using it will fail at runtime. Check the 1.50 migration docs at backstage.io/docs/frontend-system/architecture/migrations#150 and switch to the configSchema option. Note that plain zod v3 schemas are not supported — use import { z } from 'zod/v4' from the zod v3 package or upgrade to zod v4.
主な変更 (7)
- BREAKING: auth.omitIdentityTokenOwnershipClaim now defaults to true — tokens no longer carry the ent claim, which eliminates header size issues in large orgs but may affect code that explicitly decodes Backstage tokens
- BREAKING: frontend-plugin-api removes deprecated createSchemaFromZod helper; migrate to the new configSchema option with zod v4
- BREAKING: @backstage/ui drops React 17 support — minimum is now React 18
- Catalog backend deadlock fix: SELECT ... FOR UPDATE SKIP LOCKED was missing transaction wrapping, causing PostgreSQL deadlocks (40P01) in multi-replica deployments
- Security: rollup upgraded to v4.59+ (GHSA-mw96-cpmx-2vgc path traversal) and glob bumped to v13 across CLI and repo-tools packages
- AWS RDS IAM authentication for PostgreSQL now supported in backend-defaults — use short-lived tokens instead of static passwords
- Auth0 provider now performs federated logout, clearing the Auth0 session on sign-out; set federatedLogout: true to also clear upstream IdP sessions
Backstage v1.49.1 is a patch release cleaning up new frontend system rough edges, fixing UI issues in TechDocs/Scaffolder, and adding small DX improvements to the create-app template.
enhancementUnprocessed entities DevTools tab is now on by default
If you're debugging entity ingestion issues, you no longer need to configure the DevTools unprocessed entities tab manually. Upgrade and it's there. Useful for catching catalog processing failures faster in development and staging environments.
enhancementNew frontend system adopters: pick up layout fixes now
If your team is migrating to or testing the new Backstage frontend system, this patch fixes concrete layout problems in both the Scaffolder and Catalog entity pages. Skip 1.49.0 and go straight to 1.49.1 to avoid dealing with those visual regressions.
enhancementPlugin headers can now carry navigation links
The new titleLink prop on PageLayoutProps lets plugin header titles act as navigation anchors back to the plugin root. Worth adopting if you're building or maintaining custom plugins — it aligns with the expected UX pattern for Backstage's evolving plugin header system.
主な変更 (5)
- TechDocs alpha plugin pages migrated to BUI header system, resolving the double scrollbar bug
- Scaffolder plugin page layout fixed for the new frontend system
- Catalog entity page header disabled in new frontend system to avoid layout conflicts
- Unprocessed entities now appear as a DevTools tab by default — no manual wiring needed
- titleLink prop added to PageLayoutProps so plugin headers can link back to the plugin root
v1.49.0 is a landmark release: the New Frontend System hits 1.0 RC, the CLI becomes extensible via modules, and there are multiple breaking changes in UI components, integrations, and entity cards requiring migration work.
breakingMigrate entity cards and BUI components before upgrading `@backstage/plugin-catalog`
The major version bump on `@backstage/plugin-catalog` means direct action is required. Remove all `variant` prop usage from EntityAboutCard, EntityLinksCard, EntityLabelsCard, GroupProfileCard, and UserProfileCard. Wrap your app in a `BUIProvider` inside a React Router context — without it, Link, ButtonLink, Tabs, Menu, and Table lose client-side navigation. Also rename any CSS selectors using old `bui-HeaderPage` class patterns and camelCase data attributes. Audit custom components that implement the old `Checkbox` `selected`/`indeterminate` props and switch to `isSelected`/`isIndeterminate`.
breakingRemove all deprecated Bitbucket and legacy integration config immediately
The old `bitbucket` config key and Azure DevOps `token`/`credential` fields are gone — not deprecated, gone. If your `app-config.yaml` still references these, your backend will fail to start after upgrading. Replace `bitbucket` with `bitbucketCloud` or `bitbucketServer`, migrate Azure DevOps to the `credentials` array, and update any Gerrit URL utility calls. Check scaffolder templates too, as `parseRepoUrl` no longer handles `bitbucket`.
enhancementAdd `@backstage/cli-defaults` as a devDependency now, not later
The CLI module system is live, and the fallback to built-in commands already emits a deprecation warning. Add `@backstage/cli-defaults` to your root `devDependencies` today to silence the warning and future-proof your setup before the fallback is removed entirely. If you maintain custom CLI tooling, look at `createCliModule` in `@backstage/cli-node` to package it properly as a first-class CLI extension.
主な変更 (7)
- New Frontend System reaches 1.0 RC — new apps use it by default, `--next` flag replaced by `--legacy`
- Multiple breaking UI changes in Backstage UI (BUI): Checkbox props renamed, CSS classes renamed, `BUIProvider` now required for routing, deprecated types removed
- Entity cards (`EntityAboutCard`, `EntityLinksCard`, etc.) migrated from MUI to BUI with `variant` prop removed — `@backstage/plugin-catalog` receives a major version bump
- Deprecated Bitbucket integration and legacy fields fully removed from `@backstage/integration`, `@backstage/backend-defaults`, and scaffolder packages
- CLI refactored into modular `cli-module` packages — add `@backstage/cli-defaults` as a devDependency now to avoid future fallback removal warning
- Predicate-based catalog filtering added to `queryEntities()`, `getEntitiesByRefs()`, and `getEntityFacets()` via new POST endpoints
- Permission checks batched per tick for better performance on permission-heavy pages