fix(deps): update backstage monorepo

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@backstage/backend-defaults (source)	^0.16.0 → ^0.17.0
@backstage/backend-plugin-api (source)	1.8.0 → 1.9.0
@backstage/backend-test-utils (source)	1.11.1 → 1.11.2
@backstage/catalog-client (source)	1.14.0 → 1.15.0
@backstage/catalog-model (source)	1.7.7 → 1.8.0
@backstage/cli (source)	0.36.0 → 0.36.1
@backstage/cli-defaults (source)	0.1.0 → 0.1.1
@backstage/config (source)	1.3.6 → 1.3.7
@backstage/core-components (source)	0.18.8 → 0.18.9
@backstage/core-plugin-api (source)	1.12.4 → 1.12.5
@backstage/errors (source)	1.2.7 → 1.3.0
@backstage/frontend-defaults (source)	0.5.0 → 0.5.1
@backstage/frontend-plugin-api (source)	^0.14.0 || ^0.15.0 → ^0.14.0 || ^0.15.0 || ^0.16.0
@backstage/frontend-plugin-api (source)	^0.15.0 → ^0.16.0
@backstage/plugin-app-backend (source)	0.5.12 → 0.5.13
@backstage/plugin-auth-backend (source)	^0.27.0 → ^0.28.0
@backstage/plugin-auth-backend-module-guest-provider (source)	0.2.17 → 0.2.18
@backstage/plugin-catalog (source)	2.0.1 → 2.0.4
@backstage/plugin-catalog-backend (source)	3.5.0 → 3.6.1
@backstage/plugin-catalog-backend-module-scaffolder-entity-model (source)	0.2.18 → 0.2.19
@backstage/plugin-catalog-common (source)	1.1.8 → 1.1.9
@backstage/plugin-catalog-node (source)	2.1.0 → 2.2.0
@backstage/plugin-catalog-react (source)	2.1.1 → 2.1.4
@backstage/plugin-permission-backend (source)	0.7.10 → 0.7.11
@backstage/plugin-permission-backend-module-allow-all-policy (source)	0.2.17 → 0.2.18
@backstage/plugin-permission-common (source)	0.9.7 → 0.9.8
@backstage/plugin-search (source)	1.7.0 → 1.7.3
@backstage/plugin-search-backend (source)	2.1.0 → 2.1.1
@backstage/plugin-search-backend-module-catalog (source)	0.3.13 → 0.3.14
@backstage/plugin-search-backend-node (source)	1.4.2 → 1.4.3
@backstage/plugin-search-common (source)	1.2.22 → 1.2.23
@backstage/plugin-search-react (source)	1.11.0 → 1.11.3
@backstage/plugin-user-settings (source)	0.9.1 → 0.9.2
@backstage/test-utils (source)	1.7.16 → 1.7.17
@backstage/ui (source)	^0.13.0 → ^0.14.0

---

Release Notes

backstage/backstage (@​backstage/backend-defaults)

v0.17.0

Compare Source

Minor Changes

• c69e03c: Added support for AWS RDS IAM authentication for PostgreSQL connections. Set connection.type: rds along with host, user, and region to use short-lived IAM tokens instead of a static password. Requires the @aws-sdk/rds-signer package and an IAM role with rds-db:connect permission.

Patch Changes

• 4559806: Added support for typed examples on actions registered via the actions registry. Action authors can now provide examples with compile-time-checked input and output values that match their schema definitions.
• 5cd814f: Refactored auditor severity log level mappings to use zod/v4 with schema-driven defaults and type inference.
• 482ceed: Migrated from assertError to toError for error handling.
• 6e2aaab: Fixed AwsS3UrlReader failing to read files from S3 buckets configured with custom endpoint hosts. When an integration was configured with a specific endpoint like https://bucket-1.s3.eu-central-1.amazonaws.com, the URL parser incorrectly fell through to the non-AWS code path, always defaulting the region to us-east-1 instead of extracting it from the hostname.
• 308c672: HostDiscovery now logs a warning when backend.baseUrl is set to a localhost address while NODE_ENV is production, and when backend.baseUrl is not a valid URL.
• 85c5a46: DefaultActionsRegistryService: add json middleware to /.backstage/actions/ routes only
• 547258f: Refactored the database creation retry loop to avoid an unnecessary delay after the final failed attempt.
• 79453c0: Updated dependency wait-for-expect to ^4.0.0.
• f14df56: Added experimental support for using embedded-postgres as the database for local development. Set backend.database.client to embedded-postgres in your app config to enable this. The embedded-postgres package must be installed as an explicit dependency in your project.
• Updated dependencies
  • @​backstage/backend-plugin-api@​1.9.0
  • @​backstage/errors@​1.3.0
  • @​backstage/plugin-auth-node@​0.7.0
  • @​backstage/backend-app-api@​1.6.1
  • @​backstage/cli-node@​0.3.1
  • @​backstage/config-loader@​1.10.10
  • @​backstage/integration@​2.0.1
  • @​backstage/plugin-permission-node@​0.10.12
  • @​backstage/config@​1.3.7
  • @​backstage/integration-aws-node@​0.1.21
  • @​backstage/plugin-events-node@​0.4.21
  • @​backstage/plugin-permission-common@​0.9.8

backstage/backstage (@​backstage/backend-plugin-api)

v1.9.0

Compare Source

Minor Changes

• 4559806: Added support for typed examples on actions registered via the actions registry. Action authors can now provide examples with compile-time-checked input and output values that match their schema definitions.

Patch Changes

• 213ebe7: Aligned .T behavior between ExtensionPoint and ServiceRef to consistently return null instead of throwing.
• 68c557b: Added stricter type checks in isDatabaseConflictError.
• Updated dependencies
  • @​backstage/errors@​1.3.0
  • @​backstage/plugin-auth-node@​0.7.0
  • @​backstage/cli-common@​0.2.1
  • @​backstage/plugin-permission-node@​0.10.12
  • @​backstage/config@​1.3.7
  • @​backstage/plugin-permission-common@​0.9.8

backstage/backstage (@​backstage/backend-test-utils)

v1.11.2

Compare Source

Patch Changes

• 4559806: Added support for typed examples on actions registered via the actions registry. Action authors can now provide examples with compile-time-checked input and output values that match their schema definitions.
• f44c6bd: Deduplicated internal readiness-polling helpers used by the database and cache test infrastructure.
• Updated dependencies
  • @​backstage/backend-plugin-api@​1.9.0
  • @​backstage/backend-defaults@​0.17.0
  • @​backstage/errors@​1.3.0
  • @​backstage/plugin-auth-node@​0.7.0
  • @​backstage/backend-app-api@​1.6.1
  • @​backstage/config@​1.3.7
  • @​backstage/plugin-events-node@​0.4.21
  • @​backstage/plugin-permission-common@​0.9.8

backstage/backstage (@​backstage/catalog-client)

v1.15.0

Compare Source

Minor Changes

• c384fff: BREAKING PRODUCERS: Added required entityRef field to the Location type, exposing the stable entity reference for each registered location. Any code that produces Location objects must now include this field. Added updateLocation method to CatalogApi for updating the type and target of an existing location.

Patch Changes

• Updated dependencies
  • @​backstage/errors@​1.3.0
  • @​backstage/catalog-model@​1.8.0
  • @​backstage/filter-predicates@​0.1.2

backstage/backstage (@​backstage/catalog-model)

v1.8.0

Compare Source

Minor Changes

• e5fcfcb: Added a new catalog model layer system that allows plugins to declare and extend catalog entity kinds, annotations, labels, tags, and relations using JSON Schema. The new createCatalogModelLayer API provides a builder for composing model definitions, and a compileCatalogModel function validates and merges them into a unified model. Built-in entity kinds now include model layer definitions.

Patch Changes

• Updated dependencies
  • @​backstage/errors@​1.3.0

backstage/backstage (@​backstage/cli)

v0.36.1

Compare Source

Patch Changes

• 2e5c5f8: Bumped glob dependency from v7/v8/v11 to v13 to address security vulnerabilities in older versions. Bumped rollup from v4.27 to v4.59+ to fix a high severity path traversal vulnerability (GHSA-mw96-cpmx-2vgc).
• 482ceed: Migrated from assertError to toError for error handling.
• a2f0c72: Removed the unused isDev export from the internal version module.
• a7a14b7: Added DOM.AsyncIterable to the default lib in the shared TypeScript configuration, enabling standard async iteration support for DOM APIs such as FileSystemDirectoryHandle. This aligns behavior with TypeScript 6.0, where this lib is included in DOM by default.
• Updated dependencies
  • @​backstage/errors@​1.3.0
  • @​backstage/cli-module-build@​0.1.1
  • @​backstage/cli-module-test-jest@​0.1.1
  • @​backstage/cli-common@​0.2.1
  • @​backstage/cli-node@​0.3.1
  • @​backstage/eslint-plugin@​0.2.3
  • @​backstage/cli-defaults@​0.1.1

backstage/backstage (@​backstage/cli-defaults)

v0.1.1

Compare Source

Patch Changes

• Updated dependencies
  • @​backstage/cli-module-new@​0.1.2
  • @​backstage/cli-module-auth@​0.1.1
  • @​backstage/cli-module-build@​0.1.1
  • @​backstage/cli-module-test-jest@​0.1.1
  • @​backstage/cli-module-migrate@​0.1.1
  • @​backstage/cli-module-actions@​0.1.0
  • @​backstage/cli-module-config@​0.1.1
  • @​backstage/cli-module-github@​0.1.1
  • @​backstage/cli-module-info@​0.1.1
  • @​backstage/cli-module-lint@​0.1.1
  • @​backstage/cli-module-maintenance@​0.1.1
  • @​backstage/cli-module-translations@​0.1.1

backstage/backstage (@​backstage/config)

v1.3.7

Compare Source

Patch Changes

• Updated dependencies
  • @​backstage/errors@​1.3.0

backstage/backstage (@​backstage/core-components)

v0.18.9

Compare Source

Patch Changes

• 482ceed: Migrated from assertError to toError for error handling.
• 320eed3: Resolved DOM nesting warning in OAuthRequestDialog by rendering secondary text as block-level spans.
• 58b9f3f: Use Backstage Link component for markdown anchor rendering to ensure consistent internal and external link behavior.
• Updated dependencies
  • @​backstage/errors@​1.3.0
  • @​backstage/theme@​0.7.3
  • @​backstage/config@​1.3.7
  • @​backstage/core-plugin-api@​1.12.5

backstage/backstage (@​backstage/core-plugin-api)

v1.12.5

Compare Source

Patch Changes

• Updated dependencies
  • @​backstage/errors@​1.3.0
  • @​backstage/frontend-plugin-api@​0.16.0
  • @​backstage/config@​1.3.7

backstage/backstage (@​backstage/errors)

v1.3.0

Compare Source

Minor Changes

• b2319ff: A new toError utility function is now available for converting unknown values to ErrorLike objects. If the value is already error-like it is returned as-is, strings are used directly as the error message, and all other values are wrapped as unknown error '<stringified>'. Non-error causes passed to CustomErrorBase are now converted and stored using toError rather than discarded.

Patch Changes

• 608c1e5: Simplified assertError to delegate to isError instead of duplicating the same checks.

backstage/backstage (@​backstage/frontend-defaults)

v0.5.1

Compare Source

Patch Changes

• Updated dependencies
  • @​backstage/errors@​1.3.0
  • @​backstage/plugin-app@​0.4.3
  • @​backstage/frontend-plugin-api@​0.16.0
  • @​backstage/core-components@​0.18.9
  • @​backstage/frontend-app-api@​0.16.2
  • @​backstage/config@​1.3.7

backstage/backstage (@​backstage/frontend-plugin-api)

v0.16.2

Compare Source

v0.16.1

Compare Source

Added @backstage/plugin-bitrise to show bitrise.io builds and download build artifacts.

v0.16.0

Compare Source

Minor Changes

• fa55078: BREAKING: Removed the deprecated createSchemaFromZod helper. Use the new configSchema option instead. See the 1.50 migration documentation for more information.
• 49397c1: Simplified the type signature of createRouteRef by replacing the dual TParams/TParamKeys type parameters with a single TParamKey parameter. This is a breaking change for callers that explicitly provided type arguments, but most usage that relies on inference is unaffected.

Patch Changes

• 4c09967: Fixed the duplicate extension error message in createFrontendModule to correctly say "Module" instead of "Plugin".
• e4804ab: Added open method to DialogApi that renders dialogs without any built-in dialog chrome, giving the caller full control over the dialog presentation. This avoids focus trap conflicts that occur when mixing components from different design libraries. The existing show and showModal methods are now deprecated in favor of open.
• ddc5247: Fixed FlattenedMessages type to avoid excessive type instantiation depth in TypeScript 6 when using createTranslationRef with the translations option.
• a2a6c3b: Added a new configSchema option for createExtension and createExtensionBlueprint that accepts direct schema values from any Standard Schema compatible library with JSON Schema support, such as zod v4 (zod@^4.0.0). The old config.schema option is now deprecated. Note that Zod v3 is not supported by the new configSchema option, including the zod/v4 subpath export which does not include JSON Schema conversion support. You must upgrade to the zod v4 package. See the 1.50 migration documentation for more information.
• d66a3ec: Added titleLink prop to PageLayoutProps so the plugin header title can link back to the plugin root.
• e220589: Removed the unnecessary need to use defineParams callback from PluginHeaderActionBlueprint. It still works, but is no longer required.
• Updated dependencies
  • @​backstage/errors@​1.3.0
  • @​backstage/filter-predicates@​0.1.2

backstage/backstage (@​backstage/plugin-app-backend)

v0.5.13

Compare Source

Patch Changes

• Updated dependencies
  • @​backstage/backend-plugin-api@​1.9.0
  • @​backstage/errors@​1.3.0
  • @​backstage/plugin-auth-node@​0.7.0
  • @​backstage/config-loader@​1.10.10
  • @​backstage/config@​1.3.7
  • @​backstage/plugin-app-node@​0.1.44

backstage/backstage (@​backstage/plugin-auth-backend)

v0.28.0

Compare Source

Minor Changes

• d7c67cd: BREAKING: The setting auth.omitIdentityTokenOwnershipClaim has had its default value switched to true.

  With this setting Backstage user tokens issued by the auth backend will no longer contain an ent claim - the one with the user's ownership entity refs. This means that tokens issued in large orgs no longer risk hitting HTTP header size limits.

  To get ownership info for the current user, code should use the userInfo core service. In practice code will typically already conform to this since the ent claim has not been readily exposed in any other way for quite some time. But code which explicitly decodes Backstage tokens - which is strongly discouraged - may be affected by this change.

  The setting will remain for some time to allow it to be set back to false if need be, but it will be removed entirely in a future release.

Patch Changes

• 482ceed: Migrated from assertError to toError for error handling.
• dc87ac1: Fixed CIMD redirect URI matching to allow any port for localhost addresses per RFC 8252 Section 7.3. Native CLI clients use ephemeral ports for OAuth callbacks, which are now accepted when the registered redirect URI uses a localhost address.
• Updated dependencies
  • @​backstage/backend-plugin-api@​1.9.0
  • @​backstage/errors@​1.3.0
  • @​backstage/plugin-auth-node@​0.7.0
  • @​backstage/catalog-model@​1.8.0
  • @​backstage/plugin-catalog-node@​2.2.0
  • @​backstage/config@​1.3.7

backstage/backstage (@​backstage/plugin-auth-backend-module-guest-provider)

v0.2.18

Compare Source

Patch Changes

• Updated dependencies
  • @​backstage/backend-plugin-api@​1.9.0
  • @​backstage/errors@​1.3.0
  • @​backstage/plugin-auth-node@​0.7.0
  • @​backstage/catalog-model@​1.8.0

backstage/backstage (@​backstage/plugin-catalog)

v2.0.4

Compare Source

v2.0.3

Compare Source

v2.0.2

Compare Source

Patch Changes

• e4804ab: Migrated the unregister entity context menu item from the deprecated DialogApi.showModal to the new DialogApi.open method.
• d7b6077: Disabled the default page layout header for the catalog entity page in the new frontend system. The entity page already renders its own header through the EntityHeader extension, so the page layout header was redundant.
• ee1531d: Exported the NFS variant of the catalog index page as CatalogIndexPage from the ./alpha entry point, along with supporting types CatalogIndexPageProps, CatalogTableRow, and CatalogTableColumnsFunc. This allows adopters to use and customize the catalog index page within a PageBlueprint in the new frontend system.
• 482ceed: Migrated from assertError to toError for error handling.
• 744f904: Fixed the catalog table briefly showing an empty loading state when changing filters. The table now keeps displaying stale results until new data arrives.
• c193ef1: Added Kind field to the About Card. Tags moved before Type and Lifecycle, Kind placed after them. A new aboutCard.kindField.label translation key was added.
• e5af44c: Replaced deprecated humanizeEntityRef usage with the Catalog Presentation API.
• Updated dependencies
  • @​backstage/ui@​0.14.0
  • @​backstage/errors@​1.3.0
  • @​backstage/catalog-model@​1.8.0
  • @​backstage/plugin-catalog-react@​2.1.2
  • @​backstage/frontend-plugin-api@​0.16.0
  • @​backstage/core-components@​0.18.9
  • @​backstage/core-compat-api@​0.5.10
  • @​backstage/catalog-client@​1.15.0
  • @​backstage/plugin-scaffolder-common@​2.1.0
  • @​backstage/plugin-permission-react@​0.5.0
  • @​backstage/core-plugin-api@​1.12.5
  • @​backstage/integration-react@​1.2.17
  • @​backstage/plugin-catalog-common@​1.1.9
  • @​backstage/plugin-search-common@​1.2.23
  • @​backstage/plugin-search-react@​1.11.1
  • @​backstage/plugin-techdocs-react@​1.3.10

backstage/backstage (@​backstage/plugin-catalog-backend)

v3.6.1

Compare Source

Patch Changes

• b33f845: Fixed several database migration down functions that were not properly reversible, causing the SQL report to show warnings:

  • 20241003170511_alter_target_in_locations.js: both up and down now include .notNullable() when altering the locations.target column, preventing the NOT NULL constraint from being accidentally dropped when widening the column type from varchar(255) to text.
  • 20220116144621_remove_legacy.js: the down function now properly recreates the three dropped legacy tables (entities, entities_search, entities_relations) with correct columns and indices.
  • 20210302150147_refresh_state.js: the down function now drops dependent tables in the correct order (avoiding a FK constraint violation) and fixes a typo where the table was referred to as references instead of refresh_state_references.
  • 20201005122705_add_entity_full_name.js: the down function now drops the full_name column from entities (not entities_search), and restores the entities_unique_name index with the correct column order (kind, name, namespace).
  • 20200702153613_entities.js: the down function now uses table.integer('generation') instead of table.string('generation'), restoring the correct column type.

• cf195de: Fixed a performance regression in the /entity-facets endpoint when filters or permission conditions are applied, by routing the EXISTS-based filter through final_entities instead of correlating against the much larger search table.

• 744fa1f: Removed duplicated entries that appeared in both dependencies and devDependencies.

• Updated dependencies

  • @​backstage/errors@​1.3.1-next.0
  • @​backstage/integration@​2.0.2-next.0
  • @​backstage/backend-openapi-utils@​0.6.9-next.0
  • @​backstage/backend-plugin-api@​1.9.1-next.0
  • @​backstage/catalog-client@​1.15.1-next.0
  • @​backstage/catalog-model@​1.8.1-next.0
  • @​backstage/config@​1.3.8-next.0
  • @​backstage/filter-predicates@​0.1.3-next.0
  • @​backstage/plugin-catalog-node@​2.2.1-next.0
  • @​backstage/plugin-events-node@​0.4.22-next.0
  • @​backstage/plugin-permission-common@​0.9.9-next.0
  • @​backstage/plugin-permission-node@​0.10.13-next.0
  • @​backstage/types@​1.2.2
  • @​backstage/plugin-catalog-common@​1.1.10-next.0

v3.6.0

Compare Source

Minor Changes

• d16311f: Added a location_entity_ref column to the locations database table that stores the full entity ref of the corresponding kind: Location catalog entity for each registered location row. The value is pre-computed and persisted so that it no longer needs to be recomputed from the location's type and target on every read.
• e5fcfcb: Added ModelProcessor that validates catalog entities against the compiled catalog model schemas, and integrated it into the CatalogBuilder and CatalogPlugin. This processor is only activated if you explicitly add catalog model sources to your backend; there is no functional change for regular catalog usage.
• c384fff: Location responses now include an entityRef field with the stable entity reference for each location. The entityRef field is also filterable via POST /locations/by-query. Added PUT /locations/:id endpoint for updating the type and target of an existing location.

Patch Changes

• 2e5c5f8: Bumped glob dependency from v7/v8/v11 to v13 to address security vulnerabilities in older versions. Bumped rollup from v4.27 to v4.59+ to fix a high severity path traversal vulnerability (GHSA-mw96-cpmx-2vgc).
• 7e63730: Removed deprecated PermissionAuthorizer support and the createPermissionIntegrationRouter fallback path from CatalogBuilder. The permissionsRegistry service is now required, and permissions is always a PermissionsService.
• 056e18e: Removed the internal addPermissions and addPermissionRules methods from CatalogBuilder, and removed the catalogPermissionExtensionPoint wiring from CatalogPlugin. Custom permission rules and permissions should be registered via coreServices.permissionsRegistry directly.
• 6884814: Improved catalog entity filter query performance by switching from IN (subquery) to EXISTS (correlated subquery) patterns. This enables PostgreSQL semi-join optimizations and fixes NOT IN NULL-semantics pitfalls by using NOT EXISTS instead.
• 9da73bf: Reduced search table write churn during stitching by syncing only changed rows instead of doing a full delete and re-insert. On Postgres this uses a single writable CTE, on MySQL a temporary table merge with deadlock retry, and on SQLite the previous bulk replace.
• 482ceed: Migrated from assertError to toError for error handling.
• 375b546: Fixed a deadlock in the catalog processing loop that occurred when running multiple replicas. The getProcessableEntities method used SELECT ... FOR UPDATE SKIP LOCKED to prevent concurrent processors from claiming the same rows, but the call was not wrapped in a transaction, so the row locks were released before the subsequent UPDATE executed. This allowed multiple replicas to select and update overlapping rows, causing PostgreSQL deadlock errors (code 40P01).
• 79453c0: Updated dependency wait-for-expect to ^4.0.0.
• Updated dependencies
  • @​backstage/backend-plugin-api@​1.9.0
  • @​backstage/errors@​1.3.0
  • @​backstage/catalog-model@​1.8.0
  • @​backstage/plugin-catalog-node@​2.2.0
  • @​backstage/filter-predicates@​0.1.2
  • [@​backstage/catalog-client](https://redirect.gi

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.