News
👋 Welcome to Backstage Weekly 139.
TL;DR
A security patch is in review for the catalog MCP unregister-entity action, which currently bypasses resource-level permission checks. Node.js 24.17 and 22.23 break Cloudflare Access Provider authentication - pin to 24.16 or 22.22 until a Backstage patch ships. We published a post on why MCP tool definitions can cost up to 55k tokens and how progressive disclosure cuts that.

MCP permissions and Node.js CVE
No new stable release this week. Two security items are worth addressing before your next upgrade.
PR #34631 by yashoswalyo fixes issue #34617: the catalog's catalog:unregister-entity MCP action currently skips resource-level authorization. Any user with a valid authentication token can call the MCP endpoint directly and unregister catalog locations they don't own, bypassing the catalogEntityDeletePermission check the frontend enforces. The PR adds bulk authorization checks against colocated entities before deletion. It's open for review and targeting a patch release. If you're running catalog MCP actions in production, this is worth watching.
Node.js 24.17 and 22.23 changed keep-alive socket behavior in a way that breaks @backstage/plugin-auth-backend-module-cloudflare-access-provider. Users see "premature close" errors on login. Pin to Node.js 24.16 or 22.22 until a Backstage-side patch ships (issue #34651).
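The authorization pattern behind the MCP fix, as an added example that is not Backstage code and not taken from PR #34631: a self-contained TypeScript model in which every type, function name and the owner-only policy is an assumption. It contrasts a handler that checks authentication only with one that authorizes every colocated entity in one batch and fails closed.

```typescript
// Added illustration: an in-memory model, not Backstage code. All names are hypothetical.
type Entity = { ref: string; owner: string; locationId: string };
type Caller = { authenticated: boolean; team: string };
type Decision = "ALLOW" | "DENY";

// Constructed sample catalog: location loc-1 registers entities with two different owners.
function sampleCatalog(): Entity[] {
  return [
    { ref: "component:default/payments", owner: "team-a", locationId: "loc-1" },
    { ref: "api:default/payments-api", owner: "team-b", locationId: "loc-1" },
    { ref: "component:default/docs", owner: "team-a", locationId: "loc-2" },
  ];
}

// Stand-in for a delete-permission policy (assumed rule: only the owning team may delete).
function authorizeDelete(caller: Caller, entities: Entity[]): Decision[] {
  return entities.map((e) => (e.owner === caller.team ? "ALLOW" : "DENY"));
}

// Vulnerable shape: a valid token is enough, no per-resource decision is made.
function unregisterAuthOnly(catalog: Entity[], caller: Caller, locationId: string): Entity[] {
  if (!caller.authenticated) throw new Error("unauthenticated");
  return catalog.filter((e) => e.locationId !== locationId);
}

// Hardened shape: authorize all colocated entities in one batch before deleting anything.
function unregisterChecked(catalog: Entity[], caller: Caller, locationId: string): Entity[] {
  if (!caller.authenticated) throw new Error("unauthenticated");
  const colocated = catalog.filter((e) => e.locationId === locationId);
  if (colocated.length === 0) throw new Error("location not found");
  const decisions = authorizeDelete(caller, colocated);
  const denied = colocated.filter((_, i) => decisions[i] !== "ALLOW");
  if (denied.length > 0) {
    // Fail closed: a single denied entity blocks the whole unregister.
    throw new Error(`not allowed: ${denied.map((e) => e.ref).join(", ")}`);
  }
  return catalog.filter((e) => e.locationId !== locationId);
}
```

The same check belongs on every entry point that reaches the delete path, since the frontend enforcing it does nothing for a caller who talks to the MCP endpoint directly.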
From the Roadie blog
We published "Why Your MCP Server Might Be Eating Your Context Window" in May. The post picks up an Apideck finding: MCP tool definitions can consume up to 55,000 tokens before user input reaches the model. At that scale, tool definitions crowd out the entity data, ownership annotations, and operational context that make catalog-backed agents accurate.
The solution the post documents is progressive disclosure - delivering only the tools relevant to the current agent session rather than injecting the full MCP tool catalog upfront. For a Backstage-backed MCP server, that means scoping context delivery to the query at hand: a service's owning team, its dependencies, and its operational state, rather than all 20,000 entities in the catalog.
The post includes benchmarks comparing naive full-catalog injection with progressive disclosure and walks through what a production configuration looks like at different scale tiers. If you're building agents on top of your service catalog at scale, or evaluating how much catalog context to expose as MCP tools, start here.