Backstage - v1.15.0

These are the release notes for the v1.15.0 release of
Backstage.

A huge thanks to the whole team of maintainers and contributors as well as the
amazing Backstage Community for their hard work in getting this release
developed and done.

Highlights

This release has a few important security fixes, along with a lot of squashed
bugs and exciting additions as usual! Enjoy.

BREAKING: Scaffolder build requirements

The Scaffolder backend uses a sandboxing environment to run its nunjucks
templating in, for security reasons. This used to leverage the vm2 library,
but in this release it has been replaced by isolated-vm. This significantly
improves the confidence level in the sandbox implementation since it builds upon
v8 isolates directly. However, it comes with a cost to implementers: it is a
native dependency, and as such needs to be built during yarn installation, on
the exact architecture that it then executes on. For those who compile and run
Backstage on stripped-down environments, you will want to ensure that you have
the build basics present, e.g. build-essential or similar corresponding to
your operating system of choice. The isolated-vm repo has some further
information about the
build environment requirements.

There is a CVE-2022-39266
that has been reported for isolated-vm, which applies only when using
CachedDataOptions. We do not use that feature at all, since it is recommended
against in the README;
doing so can lead to breakouts and calling back to the main process. Some
security tools may report that this is a vulnerability but it is safe to ignore
this through your .snyk policy file or similar.

BREAKING: @backstage/plugin-linguist-backend

There have been some significant updates to the Linguist plugin, in particular
the backend and its API. One breaking change is that LinguistBackendApi is now
an interface rather than a class, and you should create its implementation
LinguistBackendClient instead.

Contributed by @ahhhndre in
#16954

BREAKING: @backstage/plugin-github-actions

In order to make this plugin support GitHub enterprise as well as cloud, its
GithubActionsClient is updated to take an scmAuthApi instead of the previous
githubAuthApi.

Contributed by @koalaty-code in
#17781

New module: Unprocessed Entities

This frontend plugin and accompanying backend module lets you peek under the
covers of your catalog instance, finding those pesky unprocessed entities that
may be stuck in limbo because of an otherwise tricky-to-debug validation issue
or similar.

Check out the plugin’s
README
for details and installation instructions.

Contributed by @alde in
#17828

More movement toward Material-UI v5 and React v18 compatibility

There have been some tweaks here or there to types and the theme system to
ensure a smooth future migration toward Material-UI version 5. This should be
mostly transparent to adopters, but please let us know if you encounter any
oddities around the theme system after upgrading to this release.

To ensure your future compatibility with v5 plugins, you may want to upgrade
your theme provider to use the new unified one:

     Provider: ({ children }) => (
-    <ThemeProvider theme={lightTheme}>
-      <CssBaseline>{children}</CssBaseline>
-    </ThemeProvider>
+    <UnifiedThemeProvider theme={builtinThemes.light} children={children} />
     ),

We’ve also ensured to be more thorough with how we use PropsWithChildren to
ensure that there’s a smooth transition to the non-implicit children in the
React v18 types.

New Backend System lifecycle changes

When using the new Backend system,
plugins are now started up concurrently instead of serially. This improves
startup times significantly in some cases.

If you were relying on feature registration order to make sure that one plugin
was completely initialized before being consumed by other plugins, we at the
same time introduced a new addStartupHook method to the
coreServices.lifecycle that you can use instead to act after all plugin inits
have completed.

At the same time, the default HTTP server implementation adds a middleware to
the top of the chain, which stalls incoming requests for a short period of time
while waiting for service startup. If it takes longer than that predefined time,
it responds with a 503 Service Unavailable error. The end result is that as
long as startup is typically fast, callers should only see slightly higher
turnaround times for requests to services that are starting up, instead of
getting 404 errors or similar which was often the case in the past.

Azure identity improvements

On the Azure front, there’s been work toward ensuring support for service
principals, managed identities, and workload identities.

Contributed by @sanderaernouts in
#17780 and
@afscrome in
#18324

Resource utilization and error display for k8s pods

You can now see some resource utilization statistics and errors, where present,
for your Kubernetes pods.

Contributed by @mclarke47 in
#17563 and
#18169

Printable TechDocs

There have been some changes to the TechDocs styles, to properly handle print
media. This should make PDF exports and printing of documentation work better.
Let us know how it goes!

Contributed by @maapteh in
#18007

OpenAPI linting

The backstage-repo-tools CLI’s OpenAPI features now have a new lint
subcommand. This lets you automatically lint the OpenAPI schemas of plugins for
correctness and best practices.

Contributed by @sennyeya in
#18185

Catalog conflict events (experimental)

If you pass in an event broker to the catalog backend, it now has the
experimental ability to emit events onto the event bus describing entity
conflicts as they happen internally. This can then be observed and acted upon by
external consumers.

Contributed by @sblausten in
#16977

Security Fixes

• See the note above about the Scaffolder replacing vm2 with isolated-vm.
• There were some cases where sensitive configuration settings could be seen by
  the browser. The configuration schemas have been tightened up accordingly in a
  few places to counter this.
• The TechDocs base Docker image has been upgraded to include a few security
  fixes. This will get picked up automatically for future Docker based TechDocs
  runs, after upgrading Backstage.

Upgrade path

We recommend that you keep your Backstage project up to date with this latest
release. For more guidance on how to upgrade, check out the documentation for
keeping Backstage
updated.

Links and References

Below you can find a list of links and references to help you learn about and
start using this new release.

• Backstage official website,
  documentation, and getting started
  guide
• GitHub repository
• Backstage's versioning and support
  policy
• Community Discord for
  discussions and support
• Changelog
• Backstage Demos,
  Blog,
  Roadmap and
  Plugins

Sign up for our newsletter if
you want to be informed about what is happening in the world of Backstage.