BackstageCon Recordings, DevLake Plugin, and Two New Releases | Backstage Weekly

BackstageCon Europe 2026 recordings are now available, including the KubeCon keynote Live Demo Showcase. We published a technical deep dive on context engineering as the prerequisite enterprise AI deployments are missing, examining why most initiatives stall when context layers are built on unstructured data. Unity's VP of Engineering contributed a DevLake-to-DORA backend module after community validation. The Backstage team shipped two releases (v1.49.3 and v1.50.0-next.1), but v1.49.3 introduced double headers and scaffolder regressions. Community discussions covered supply chain security hardening, plugin isolation architecture, and AI-powered scaffolder experiments replacing traditional templates with Copilot-backed chatbots.

Backstage: From Spreadsheet to Standard

BackstageCon Europe 2026 recordings now available

The recordings from BackstageCon Europe 2026 are now live. The KubeCon keynote Live Demo Showcase is available on YouTube, along with the CNCF documentary "Backstage: From Spreadsheet to Standard."

Co-chair balajisiva shared raw community feedback in #general from the event. Highlights from the "what's working" side included good adoption momentum, easy upgrades, MCP actions becoming useful, and the flexible entity model. Pain points included ESM support gaps, breaking changes between minor versions, the complexity of the new frontend system, and keeping YAML-based component definitions in sync.

Context engineering: The prerequisite your enterprise AI deployment is missing

We published a technical piece this week on why most enterprise AI initiatives stall. It looks at context engineering as an architectural discipline that determines whether LLMs have accurate, current, and scoped information at inference time. The piece covers four layers: data collection and normalization, semantic modeling and entity resolution, retrieval strategy design, and context validation.

Enterprises accumulate context debt when LLM features are built on unstructured context layers. Service metadata sits distributed across GitHub, Jira, PagerDuty, Confluence, and custom CMDBs with no consistent schema. Ownership modeling defaults to ad hoc assignments with no canonical identity. Almost no tooling tracks lineage by default.

The guide includes a context readiness audit with five critical questions to ask before shipping your next AI feature. Five yes answers mean your context layer is ready to support an LLM feature. Fewer than five means you still have some architectural work to do. We also argue that a well-maintained software catalog already gives you the critical foundation for context infrastructure.

→ Read the full article

Unity contributes DevLake DORA metrics plugin

Miki Lior (VP Engineering at Unity) contributed a new DevLake-to-DORA Backend Module after an 18-message community validation thread in #plugins . The plugin bridges Apache DevLake's engineering metrics API directly to the standard Backstage DORA plugin, featuring a new EntityDoraCard for the Catalog Overview, a Secure SQL Proxy for DevLake v1.0.2, and full compatibility with the new Backend System architecture. If your organization uses DevLake for engineering metrics, this provides a direct path to surface DORA metrics in your internal developer portal.

Two releases this week, v1.49.3 ships with regressions

The Backstage team shipped two releases in the past week. v1.49.3 landed on March 28 with accidentally self-deprecating release notes. Maintainer freben forgot that the automation would take the release note text verbatim, resulting in notes that read "I messed up #33600 in a silly way so ... made this instead" (it got its own #silly-goose thread ). v1.50.0-next.1 landed on March 31, kicking off the next minor release cycle.

v1.49.3 introduced two significant regressions. Users upgrading from v1.48.3 to v1.49.3 are seeing two page headers render on most pages in the new frontend system. Adam (tty0) reported in #scaffolder that v1.49.x broke the NFS custom field explorer, affecting both the template editor and custom field extension loading. Adam already opened PR #33599 to fix the scaffolder issue, so a patch should arrive soon. If you're planning to upgrade to v1.49.3, monitor these threads for fixes before pulling the trigger.

Community Discussions

Supply chain security: yarn-install action uses version refs instead of hashes

In #maintenance, a contributor from INGKA (IKEA Group) flagged that backstage/actions/yarn-install still pins its cache action using a version tag rather than a full commit hash , which fails stricter supply chain security policies such as those required by the trivy toolchain. INGKA already issued an internal fix and opened PR #184 to pin the cache action version to a hash upstream. Teams using GitHub Actions with hardened supply chain policies should be aware of this until the fix is merged.

Backend startup failure when upgrading from v1.46 to v1.47+

A busy support thread (21 messages) tackled a common pain point when upgrading from v1.46.x to v1.47+. The backend throws Plugin 'catalog' startup failed; service or extension point dependencies of plugin 'catalog' are missing: serviceRef{alpha.core.metrics} because the new alpha metrics service needs to be explicitly imported. The fix is to add import { rootSystemMetadataServiceFactory } from '@backstage/backend-defaults/alpha' to your backend/index.ts. A helpful tip from the thread: use yarn why <package-name> to diagnose version mismatches when upgrading.

Plugin isolation and data access security architecture

A 12-message thread in #security explored whether Backstage's plugin architecture provides sufficient isolation to prevent a compromised plugin from accessing sensitive data in other plugins via code.api calls. The thread examined whether Backstage's permissions framework can be used to restrict inter-plugin access. Peter "Parsifal-M" mentioned that OPA (Open Policy Agent) can help with this. The thread also discussed whether Dependabot surfaces community plugin vulnerabilities. Teams running Backstage in high-security environments should treat this as an open architectural question.

Announcements plugin docs fixed after community-reported confusion

A 15-message thread in #plugins surfaced that the documentation for configuring NewAnnouncementsBanner was incorrect. Specifically, the config key documented in app-config.yaml for disabling the banner didn't actually work. Community member Tyson tracked down the issue, and contributor kurtaking opened PR #8363 to fix the docs and add instructions for how to properly disable the banner.

Scaffolder + AI: Replacing templates with Copilot-backed chatbots

A discussion started in #scaffolder when goldbug1 described experimenting with the copilot-sdk to replace traditional scaffolder templates with an AI-powered "create new app" chatbot backed by GitHub Copilot. The chatbot uses Backstage scaffolder actions as tools so it can scaffold apps the same way a template would. The thread attracted community commentary and is an early signal of how teams are exploring AI-augmented scaffolding.

Zod v3 to v4 migration underway internally

A March 27 post in #general noted that the internal migration of @backstage/backend-defaults from Zod v3 to v4 is in progress (linked commit ). This is relevant for anyone building plugins that depend on Backstage's internal Zod usage, and for plugin maintainers who may want to align their own Zod versions ahead of any downstream breaking changes.

Changelog

v1.49.3

Released March 28, 2026

Highlights:

Contains regressions: double headers in new frontend system, broken NFS custom field explorer
Accidentally self-deprecating release notes (automation artifact)
Patches expected soon

Full changelog: https://github.com/backstage/backstage/releases/tag/v1.49.3

v1.50.0-next.1

Released March 31, 2026