News
Backstage v1.51.0 ships as stable with a new AiResource entity kind for cataloguing AI tools and governance rules, MCP Server as a first-class API type, and scaffolder-backend promoted to 4.0 with step failure handling.
Backstage v1.51.0
The stable release of v1.51 landed May 19. The upgrade helper covers the full migration steps; here are the highlights.
@backstage/[email protected] ships one new entity kind and one new API spec subtype via the opt-in @backstage/[email protected] module. AiResource gives your catalog a structured home for AI tools and governance rules: a skill subtype declares disciplines, categories, agents, and dependsOn fields; a rule subtype carries category (required) and rationale (required) as first-class catalog properties. The same module registers spec.type: 'mcp-server' on the existing API kind, with a spec.remotes list replacing the string definition field - implementing RFC #32062 (PR #34016, benjdlambert). Both are exported from @backstage/catalog-model/alpha.
Three breaking changes are the ones to check before upgrading. NavItemBlueprint is removed from @backstage/[email protected] - move title and icon to your PageBlueprint.make() call (PR #34299). OIDC defaults in @backstage/[email protected] replace the permissive ['*'] wildcard with explicit client patterns covering Claude, VS Code, the Backstage CLI, and Cursor; clients using CIMD need patterns in auth.experimentalClientIdMetadataDocuments.allowedClientIdPatterns, and clients using DCR need patterns in auth.experimentalDynamicClientRegistration.allowedRedirectUriPatterns (PR #34260). PolicyQueryUser in @backstage/plugin-permission-node drops token and expiresInSeconds; a new CachedUserInfoService with a 5-second TTL and in-flight request coalescing replaces them (PR #34252).
Scaffolder-react reaches 2.0.0 with an experimental BUI form theme (opt-in via extension config) and FormDecoratorBlueprint promoted from alpha to public. Scaffolder-backend 4.0.0 adds always() and failure() step condition functions for cleanup steps that need to run after a failure.
catalog.stitchingStrategy.mode: 'immediate' is now deprecated with a startup warning - plan to remove it from your config before the next release (freben, PR #34278).
From the Roadie blog
We published "The Governance Gap in Agent-Stack Thinking" in May, and the v1.51.0 release makes it worth a read.
The piece picks up where the four standard production-agent bets - identity, context, persistent execution, and purpose-built primitives - leave off. The argument is that the fifth layer, runtime governance, gets consistently skipped: who enforces which actions an agent can take, who audits what it did, and what happens when the context it consumed turns out to be stale or poorly provenance-tracked?
The AiResource entity kind in v1.51.0 is a partial, structural answer to that question. Your catalog now has a first-class place to declare AI tools with their dependency graph (dependsOn) and a rule subtype that carries governance constraints as catalog entities rather than inline prompt text or undocumented convention. The MCP Server API type puts MCP server definitions into your catalog rather than scattered app-config.yaml blocks - giving you a queryable, auditable record of the AI interfaces your platform exposes.
If your team is working through the governance layer for agents you're building or consuming, the piece is a useful framing document. Read it on the Roadie blog.
Community
PR #9121 by PatAKnight (merged May 18) hardens the RBAC backend against Casbin CSV poisoning: policy values containing " are now rejected, loadPolicy failures propagate rather than being swallowed, and malformed CSV lines are skipped with a warning instead of aborting ingestion. Released as @backstage-community/[email protected]. A security patch worth applying before your next upgrade cycle.
PR #8979 by JessicaJHee (merged May 19) adds a PingFederate auth provider module. It ships two sign-in resolvers: ldapUuidMatchingAnnotation (matches the LDAP UUID claim to a backstage.io/ldap-uuid annotation with a configurable claim key) and subClaimMatchingPingIdentityUserId (maps sub to pingidentity.org/id for orgs using the PingOne catalog provider).
PR #7786 by driosalido (merged May 19) fixes ArgoCD entity pages that were throwing HTTP 500s for any multi-source application with a Helm chart source. The frontend was passing Helm chart version strings (e.g. 1.0.0) to the revision metadata endpoint, which only accepts git SHAs. The fix detects chart sources and skips the revision metadata call.
What shipped
@backstage/[email protected]- AiResource entity kind; MCP Server spec type for API kind@backstage/[email protected]- new module to register AI entity kinds@backstage/[email protected]- NavItemBlueprint removed; PortableSchema.schema is now a method@backstage/[email protected]- OIDC patterns hardened; explicit client lists replace wildcards@backstage/[email protected]- BUI form theme (opt-in); FormDecoratorBlueprint stable@backstage/[email protected]-always()andfailure()step conditions;formDecoratorsstable@backstage/[email protected]- DatePicker, DateRangePicker, Combobox; flex item props on Box, Card, Grid, Flex@backstage/[email protected]- index-driven entity sorting; missing index onrelations.target_entity_refadded@backstage/plugin-permission-node- PolicyQueryUser token/expiresInSeconds removed; CachedUserInfoService added@backstage-community/[email protected]- Casbin CSV poisoning fix; error propagation hardened
