David TuiteNews
Wiz Plugin Reaches General Availability
Wiz published their first-party Backstage plugin on February 6. The @wiz-sec/backstage-plugin-wiz package surfaces Wiz Issues and Vulnerabilities directly in your portal by mapping Wiz projects to catalog components.
You can search and filter findings by rule, resource, or CVE, track severity, and navigate into Wiz for remediation without leaving Backstage. This is distinct from the earlier Roadie-built Wiz plugin, representing Wiz's own investment in the Backstage ecosystem.
Spotify Details Mobile Release Engineering with Backstage
Spotify Engineering published Part 2 of their mobile release process deep-dive on February 9. The post details how their Release Manager Dashboard, built as a Backstage plugin in React/TypeScript, uses the Software Catalog for build distribution configuration.
The article covers the evolution from Jira-based release tracking to a unified Backstage-powered dashboard, including backend optimization, automated release progression ("the Robot"), and data-driven release insights.
Read the post | Part 1 from April 2025
From the Roadie Blog
We published Backstage Microservices Strategies: Taming Sprawl with a Service Catalog on February 12.
The piece tackles the ownership problem: when a 3 AM incident cascades through your 400-microservice architecture, who owns what's broken? Without a centralized system of record, you accumulate "zombie services" that nobody claims until they fail.
Key sections cover the hidden cost of microservices at scale (Expedia's 5,000 developers managing 20,000 services), how Backstage functions as your microservices operating system, Golden Paths that eliminate the copy-paste tax (Spotify's new service creation time dropped from 14 days to 5 minutes), dependency visualization for blast radius analysis, and Tech Insights that gamify production readiness.
The article compares self-hosted versus managed options, noting self-hosted typically requires 2-3 dedicated FTEs with TypeScript/React expertise, while managed solutions like Roadie cost approximately $20/user/month with same-day setup.
Community Discussions
New Pull Request Review Workflow for Backstage Contributors
The Backstage maintainers have launched a significantly improved pull request review process that makes it easier for community members to become reviewers. The new workflow incorporates a dedicated reviewers group from the start, addressing long-standing feedback about contribution barriers. This change aims to make the review process more transparent and accessible, particularly for those wanting to contribute at a deeper level. The initiative comes with a call for new reviewers to join the program, with RBAC permissions to ensure only authorized platform team members can participate.
Developer Experience: Manual Triggering of Scheduled Tasks
A significant discussion emerged around the pain points of testing scheduled tasks during development. Currently, developers must modify task frequency in config, restart the app, and wait for execution—a slow feedback loop that can take several minutes per iteration. Community member Thomvaill proposed building a "Task Manager" plugin that would provide a UI at /task-manager to list and manually trigger tasks across all plugins, leveraging the existing scheduler trigger API (POST /.backstage/scheduler/v1/tasks/<taskId>/trigger). The proposed solution would integrate with Backstage's native auth, support RBAC permissions, and show task status, run history, and cadence information. This resonated with multiple community members facing similar development workflow challenges.
Security Vulnerability: tar Package Advisory
Users reported concerns about the tar package vulnerability (versions <=7.5.3) affecting Backstage 1.45.3 installations. The discussion focused on identifying remediation paths and whether upgrading to newer Backstage versions would resolve the issue. This thread included 14 messages with community members sharing workarounds and dependency resolution strategies, highlighting the ongoing need for security vigilance in the ecosystem.
Scaffolder: Multiple Action Modules Support
Discussion about scaffolder architecture revealed questions about organizing multiple action modules within a single scaffolder backend module. When running yarn backstage-cli new to create a new action module, developers wondered whether multiple actions should live in separate subdirectories or if there's a recommended pattern for organizing multiple related actions. The conversation highlighted documentation gaps around scaffolder action organization patterns.
Catalog Backend: SQLite Race Condition Issues
Users encountered race condition problems when using SQLite for Backstage catalog backend storage, with multiple participants discussing whether this is a known limitation of the in-memory/SQLite configuration. The recommendation shifted toward using file storage or PostgreSQL for production deployments to avoid database locking issues during concurrent operations. This thread contained 8 messages exploring the technical details of the problem and referencing GitHub issue #22207 .
Authentication: GitHub Enterprise OAuth Scope Errors
Multiple users reported "Refresh failed, session has not been granted the requested scope" errors when trying to access Backstage components. The discussion focused on GitHub integration configurations and whether certain auth providers properly handle scope refresh tokens. Additionally, there was a thread about GitHub Enterprise authentication CORS policy issues when the GitHub Actions plugin attempts to fetch CI/CD pipeline data from self-hosted instances.
Backend System: OpenTelemetry Setup Challenges
A user struggled with internal Backstage metrics deployment using Helm Chart, specifically around OpenTelemetry configuration. The thread included detailed troubleshooting with 2 messages pointing to GitHub issue #307 in the backstage/charts repository for documentation improvements around metrics setup.
Community Plugin: rough.js-based Relations Graph
A new community plugin was shared that updates the visuals of the Relations Graph using the rough.js library to give components a hand-drawn, sketch-like appearance inspired by Excalidraw. The implementation is described as simple and takes only 5 minutes to set up, offering an alternative visual style for catalog entity relationships. View the plugin on GitHub →
Catalog Backend Actions Documentation
A discussion emerged about whether there should be formal documentation for the catalog-backend actions or if the community should rely on description and parameter descriptions within the code. The conversation highlighted interest in creating a basic README under the actions directory or in the top-level catalog plugin documentation to make these actions more discoverable for developers.
CNCF Travel Support for KubeCon EU Contributors
Community contributor Ayush More, who has been contributing to Backstage for several months, received approval for a CNCF Travel Scholarship to KubeCon EU. However, as a 17-year-old traveling solo from India, additional costs like the Tatkaal passport and Schengen visa aren't covered. The community discussed possibilities for a small $200-300 "contributor stipend" to help bridge this gap, highlighting the challenges young international contributors face attending events.
Changelog
Core Releases
v1.48.0-next.2 (Feb 10, 2026) Pre-release continuing v1.48.0 development. Full changelog at docs/releases/v1.48.0-next.2-changelog.md . The demo site runs this version for early testing.
Latest stable release remains v1.47.3 from February 2.
