David TuiteNews
TechDocs Security Patch Shipped
Backstage v1.47.3 shipped February 2nd with security fixes for @backstage/plugin-techdocs-node. The patch addresses vulnerabilities in how TechDocs handles external content. If you're running TechDocs, upgrade now.
Still on 1.46.x? v1.46.5 backports the same fixes.
This follows the security improvements in v1.47.0 from January 20th for Software Templates and external content reading. Use the Backstage Upgrade Helper for your upgrade.
v1.47.3 release notes | v1.46.5 release notes
14+ Community Plugins Updated
Between February 4-5, over 14 community plugins got version bumps for v1.47.3 compatibility: SonarQube, Azure DevOps, RBAC, Jenkins, OCM, Tech Radar, ServiceNow, 3scale, Quay, Keycloak, and several scaffolder backend modules.
Beyond version bumps, a few substantial changes landed:
Cost Insights now supports custom date ranges (#7463 ). You can analyze cloud costs over specific periods instead of fixed windows.
Confluence fixed legacy app-config compatibility for the search collector (#7494 ).
MCP Chat updated to @modelcontextprotocol/sdk v1.26.0 (#7479 ).
BackstageCon Europe: Dates Confirmed
As we mentioned last week, BackstageCon Europe 2026 happens March 23-26 in Amsterdam, co-located with KubeCon + CloudNativeCon Europe. The sponsorship deadline passed February 2nd, but registration opens soon.
Amsterdam will also host a Backstage ContribFest session on March 26th where you can contribute directly to the project. Full schedule here .
If you missed BackstageCon North America 2025 in Atlanta, videos are available on Backstage Community YouTube .
Ecosystem Pulse
AI + Platform Engineering convergence continues to be a major theme for 2026. Jennifer Riggins at The New Stack published In 2026, AI Is Merging With Platform Engineering. Are You Ready? noting that Spotify used AI agents to generate 1,500+ merged PRs with 60-90% time savings, and internal developer platforms have become "nearly universal" per the DORA report.
Roadie published AI, IDPs and Platform Teams: What We're Seeing documenting how platform teams are experimenting with RAG over TechDocs, AI-powered scaffolder actions, and natural language queries across internal tools. Key challenge: AI agents are being built in silos without discoverability, ownership, or governance. Roadie's solution treats AI agents as first-class catalog entities, just like services, enabling teams to track who owns what, where PII flows, and whether agents follow security standards.
Community Discussions
Aliases Configuration Partially Broken
A user deploying Backstage with multiple aliases in #general hit customization issues on January 30. Ingress patches, CORS configuration, and Azure app callbacks all need fixes. Only some alias functionality works.
Tar Vulnerability in 1.45.3
The #general channel surfaced a discussion February 5 about the tar (< 7.5.3) vulnerability affecting Backstage 1.45.3. Tar is a transitive dependency. The bookworm-slim base image makes this worse because packages age without updates.
Users want remediation options. No clear path forward yet.
Dark Mode Theming Broken
Custom themes with company logos work in light mode but break in dark mode, according to a #general post tagged #visual-design from February 5. The sidebar uses one theme, while catalog and home pages use different theming.
Timezone Support Request
A Sydney-based team asked in #meetups on February 2 for different timezone support for community sessions and calls. Current times mean 2am calls.
Renovate Creates Immortal PRs
Renovate creates persistent PRs for Backstage security updates, according to discussion in #maintenance on January 30. OSV vulnerability alerts create too many PRs. You can't configure them at package level, only globally. These PRs block the concurrent PR limit.
