In this issue:

• Why AI coding assistants break down in real production environments
• What shipped this week (including v1.50.3 and what’s next)
• Community highlights, from RemixIcons changes to migration tips

AI coding assistants can read your code, but they can't see your platform.

We published a deep dive on why AI coding assistants fail in production engineering organizations.

The scenario: an engineer asks their assistant to refactor a synchronous call into retry logic with exponential backoff. The suggestion looks clean, tests pass, and the PR gets approved. But the assistant couldn't see that the service is already at 99.91% against a 99.9% SLO, p99 latency is at 450ms against a 500ms budget, and there's been a code freeze for 48 hours. The retry logic hammers a degraded downstream service, pushes latency past budget, and burns the remaining error budget in under an hour.

The model produced syntactically correct, architecturally reasonable code. Every piece of information that would have changed its output lived in the service catalog, the observability platform, and on-call tooling, none of which it could reach.

The article identifies four categories of missing platform context: service ownership, SLOs and reliability targets, deployment history, and incident history. It also explains why individual workarounds like GEMINI.md files don't scale beyond small teams. A file written this morning doesn't reflect the deployment that happened this afternoon.

The required shift is platform context engineering: structured, machine-readable operational data exposed through queryable APIs. The article walks through how to implement this architecture using Roadie and includes three practical steps teams can take this week.

Read the full article: AI Coding Assistants Can Read Your Code. They Can't See Your Platform.

v1.50.3 and v1.51.0-next.1 releases

Two releases shipped this week. v1.50.3 (April 22) addresses two targeted fixes: homepage widgets that became non-draggable or non-resizable after the first save are now restored, and a facets endpoint performance regression triggered when filters or permissions are applied has been resolved. v1.51.0-next.1 (April 28) marks the second canary iteration toward the next minor release, giving adopters and plugin authors an early look at upcoming changes.

Community Discussions

RemixIcons license flagged, Backstage caps dependency at v4.8.0

An OSPO (Open-Source Policy Office) member flagged in #support that @remixicon/react had switched from Apache 2.0 to a custom license starting with v4.9.0, a license not on the CNCF's approved allowlist. Rugvip responded within hours by opening PR #34045 to pin the dependency to < 4.9.0 across all Backstage packages until the licensing situation is fully understood. The original reporter thanked the team for the quick action, making this a textbook example of community-driven supply chain vigilance paying off.

Codemod recipe for v1.49 to v1.50 migration

In #general in the "Codemods" thread, Backstage maintainer schultzp2020 shared that he has been collaborating with the Codemod team to build a migration recipe for the v1.49 to v1.50 upgrade, now available on the Codemod Registry at app.codemod.com/registry/@backstage/v1-50-0-migration-recipe. The Backstage codemod repository is currently private but is expected to open up shortly. If you've been dreading the v1.50 migration, this automated recipe should significantly reduce the manual effort.

React Aria dependency errors when upgrading to v1.51

Users upgrading from v1.50 to v1.51 ran into module resolution errors (Module not found: Can't resolve '@react-stately/layout') originating from @backstage/ui table components. Rugvip escalated the issue to the React Aria team and simultaneously patched @backstage/ui releases going back roughly six months to use ~ range specifiers for React Aria packages, which resolved the problem. If you're still seeing errors on v1.50.2 or later, remove all @backstage/ui blocks from your yarn.lock and re-run yarn install to pull in the patched package resolutions.

Yarn 4.14.1 brings new security defaults

A PR to bump the community-plugins repo from Yarn v4.12.0 to v4.14.1 (PR #8543) prompted discussion in #maintenance about new security-focused defaults introduced in Yarn v4.13.0. The most notable change is the enableScripts lockdown. Maintainer Sarabadu chose the more restrictive defaults over allowing enableScripts everywhere, and is actively seeking sign-off from maintainers Peter "Parsifal-M" and Ahhhndre, given the change touches every workspace in the mono-repo. Worth watching if you maintain a large Backstage mono-repo with Yarn workspaces.

Changelog

v1.50.3

Released April 22, 2026

Highlights:

• Fixed homepage widgets becoming non-draggable or non-resizable after first save
• Resolved facets endpoint performance regression when filters or permissions are applied
• Patch release addressing issues from v1.50.0

Full changelog: https://github.com/backstage/backstage/releases/tag/v1.50.3

v1.51.0-next.1

Released April 28, 2026

Highlights:

• Second prerelease of v1.51 cycle
• Available for testing on the next channel
• Continued New Frontend System improvements

Full changelog: https://github.com/backstage/backstage/releases/tag/v1.51.0-next.1

Read past issues: https://roadie.io/backstage-weekly/

Context engineering for developers: Making AI actually useful for engineers

We published a developer-focused deep dive explaining that AI coding tools often fail in production because of a lack of context rather than bad prompts. An engineer debugging p99 latency can get a suggestion that compiles cleanly but bypasses a PCI compliance boundary because that constraint doesn't live in source files.

This piece makes the case that context engineering is a distinct discipline from prompt engineering, one that happens at the data infrastructure layer.

We illustrate two production workflows with diagrams: one showing the context assembly loop engineers perform during incidents and another showing the same engineer querying a context infrastructure API and receiving the relevant information in a single call. The AI agent receives the same structured response and produces system-aware suggestions.

It also includes a practical first step: audit your service catalog for owner, system, dependsOn, and operational annotations. If 30%+ of entities are missing two or more fields, that should be your focus to fix AI productivity, not prompt tuning.

Read the full article: Context Engineering for Developers: Making AI Actually Useful for Engineers

New AIContext catalog kind RFC for AI agent integration

Core maintainer freben surfaced a significant RFC this week when a community member asked whether Backstage's catalog could serve as a Claude skills marketplace. freben's one-word response: "yes!" came with a link to GitHub RFC #33575, which proposes introducing a new AIContext kind in the Software Catalog.

The RFC aims to make Backstage a structured source of context for AI coding agents like Claude Code, GitHub Copilot, and Cursor. An early implementation PR (#33663) adds a catalog model layer system using JSON Schema-based kind declarations and is already available as an alpha feature. The proposal aligns directly with the context engineering architecture outlined in this week's article: a typed entity graph that AI agents can query deterministically for operational metadata.

v1.50.2 and v1.51.0-next.0 releases

Two releases shipped this week. v1.50.2 (April 18) is a patch release that makes TechDocs sidebar positioning configurable via CSS custom properties and bumps the zod dependency to v4 for packages using configSchema. v1.51.0-next.0 (April 21) marks the opening of the next release candidate cycle. Adopters running the next channel can begin testing now.

Additionally, a series of earlier patch releases (v1.47.4, v1.49.5) retroactively pinned React Aria packages to ~ ranges in response to a breaking change in the React Aria library that caused module resolution errors for teams upgrading to v1.50 and v1.51.

Community Discussions

⚠️ React Aria breaking change hits Backstage upgrades

Users upgrading to Backstage v1.50 and v1.51 ran into a module resolution error: Module not found: Can't resolve '@react-stately/layout'. The issue stems from an intentional breaking change in the React Aria library, which does not follow SemVer. Backstage maintainer Rugvip confirmed that the team patched @backstage/ui releases going back approximately six months to pin React Aria packages to ~ ranges. The fix: unlock and bump any @backstage/ui package in your lockfile where the issue appears. Some users reported the problem persisting even on v1.50.2, suggesting the patch may not yet cover all affected packages.

🐛 Scaffolder memory leak traced to isolated-vm

A production-impacting memory leak in Scaffolder task execution was diagnosed and a fix proposed this week. The user discovered that isolated-vm instances used for Scaffolder template rendering were not being garbage collected after task completion. Even a trivial log-only template caused a 10-15% memory spike per 100 runs, leading to eventual container crashes on ECS. The root cause was identified as the SecureTemplater failing to release VM contexts, and PR #33991 was opened to add an explicit dispose() method. The fix significantly reduces the spike, though the author notes some residual memory growth remains.

🔍 Search backend breaks on upgrade to v1.50.0

Users upgrading from v1.49.x to v1.50.0 reported the search backend failing to start with TypeError: cannot read properties of undefined (reading 'id'). The culprit was identified as community search backend modules, specifically @backstage-community/search-backend-module-adr, which weren’t updated to match a breaking interface change in the core search backend. Maintainer Ahhhndre identified four affected plugins and committed to releasing fixes by the end of the week, with a tracking PR #8580 open in the community plugins repo.

📚 NFS migration docs need significant work

Two separate threads this week highlighted gaps in the New Frontend System migration documentation. In #techdocs, a team mid-migration shared a detailed list of missing guidance: how to distinguish between extension overrides, blueprints, and extension config; how to handle custom EntityPage cards and plugin pages; why plugin auto-discovery silently fails when a plugin is also imported explicitly; and the notorious double-header issue caused by running legacy and modern headers simultaneously. Separately, in #frontend-system, Sarabadu shared a dev.to blog post documenting their own catalog plugin migration experience, a valuable community resource filling a gap in the official docs.

🤝 Bootstrapping internal plugin contributions is hard

The #adoption channel hosted a discussion about the challenge of growing internal plugin contributions. Sarabadu noted a recurring pattern where teams build internal tools on their own servers rather than contributing plugins to the company Backstage instance. Their team is experimenting with reducing setup friction, adding plugin starter templates, and reframing the message as "you don't need to be a Backstage expert to build a plugin." Commenter drodil added that AI-assisted development has meaningfully lowered the bar. Good instructions now let someone "vibe code a plugin in a single prompt."

🔧 Scaffolder form decorator API conflict after v1.47

A thread in #scaffolder surfaced an API_FACTORY_CONFLICT error affecting teams upgrading to the New Frontend System: plugin.scaffolder.form-decorators is already provided by plugin 'scaffolder', cannot also be provided by 'app'. The conflict stems from a change introduced around v1.47 where the Scaffolder's formDecoratorsApiRef moved, and custom form decorators registered in App.tsx now collide with the plugin's own registration. A community member posted a code sample showing the correct NFS extension approach, and the thread links to the Backstage Experimental Features documentation for Scaffolder.

Changelog

v1.50.2

Released April 18, 2026

Highlights:

• TechDocs sidebar positioning now configurable via CSS custom properties
• Zod dependency bumped to v4 for packages using configSchema
• Patch release addressing minor issues from v1.50.0

Full changelog: https://github.com/backstage/backstage/releases/tag/v1.50.2

v1.51.0-next.0

Released April 21, 2026

Highlights:

• First prerelease of v1.51 cycle
• Available for testing on the next channel
• Includes ongoing New Frontend System improvements

Full changelog: https://github.com/backstage/backstage/releases/tag/v1.51.0-next.0

Read past issues: https://roadie.io/backstage-weekly/

Backstage v1.50.0 stable release with breaking changes

Backstage v1.50.0 landed on April 14 as a stable release. This release includes several breaking changes that teams should review before upgrading, including changes to identity token ownership claims, the removal of deprecated APIs, and updates to Backstage UI components.

Key breaking changes include the identity token ownership claim being removed by default (reducing token size), Standard Schema replacing the deprecated createSchemaFromZod helper, and React 18 becoming the minimum supported version. See the full release notes and v1.50.0 migration documentation for detailed upgrade instructions.

BackstageCon Amsterdam 2026 recordings available, ING Bank to open-source plugins

The full BackstageCon Amsterdam 2026 YouTube playlist went live on April 14. The community had been waiting for the complete set of talks from the co-located KubeCon Europe event since "The State of Backstage in 2026" by Ben Lambert and Patrik Oldsberg from Spotify went up a few days earlier.

During their BackstageCon talk, ING Bank announced plans to release two of their internal plugins as open source: "Golden Path" and "Contributions Plugin." The community spotted the announcement in #plugins. The plugins were not yet in the community repository at the time of writing, but the community is watching closely for a release date.

Context engineering covers more ground than RAG

We published a technical deep dive this week on why production AI systems fail when treating retrieval augmented generation as a complete context engineering system. The piece examines how context engineering involves intentionally designing every slot in an LLM’s context window, with RAG serving as one retrieval primitive within that system.

An AI ops agent that routes all queries through a vector store has wired up one context slot out of six. The remaining five depend on source systems with entirely different query mechanisms. When an agent escalates an incident to the wrong team, the runbook content is often correct, but the ownership data is stale because ownership records live as structured entity metadata in a service catalog rather than as documentation chunks in a vector index.

The article covers six distinct context source categories used in production systems: system prompts, structured entity metadata, conversation history, retrieved documents via RAG, tool call outputs, and agent working memory. Each source has different authority and staleness characteristics. A system prompt updated by a senior engineer carries different authority than a documentation chunk reflecting last year’s architecture. An entity graph record updated when service ownership changes is more authoritative for ownership questions than any passage in a runbook.

The highest value context is usually structured entity metadata, including service ownership, dependency graphs, on-call assignments, and API configurations. These change faster than documentation can keep up. The article includes a production architecture diagram showing how an incident triage agent assembles context from all six sources at once, including an entity graph, a vector store, and live APIs.

Read the full article: Context Engineering Is Not RAG: Here's the Difference

Community Discussions

🧭 NavContentBlueprint breaking on 1.46 to 1.49 upgrade

With 38 messages, the most active thread in #frontend-system this week was about an error thrown during the new frontend system upgrade: NavContentBlueprint returning navItems is undefined. The issue turned out to be caused by a user accidentally including if(!navItems) return <></> in their component, which triggered an apiRef resolution error. The thread works as a debugging walkthrough for anyone migrating from the legacy frontend to the new BUI-based system.

🧩 New community plugin: Entity Patch

Sarabadu proposed a new community plugin called Entity Patch (PR #8510) that lets teams update catalog entity metadata directly from the Backstage UI, with no YAML editing, custom frontend, or deployments required. The motivation was that Entra/Azure AD group custom fields are unreliable as a source of truth, and some teams need a lightweight escape hatch for manual data corrections.

🔐 Axios security upgrade: Self-serve solution available

Questions arose in #general about when the axios security upgrade in PR #33826 would be released. Maintainer Sarabadu clarified that the change is only in the app scaffolder template (not in Backstage's core package dependencies), meaning teams can immediately upgrade their own instance by running yarn why axios and yarn up -R axios. freben also linked to the Backstage Threat Model docs explaining operator responsibilities for dependency management.

📚 New TechDocs contributor joins post-KubeCon

In #techdocs, Eva Gustavsson introduced herself after attending her first KubeCon in Amsterdam, where she was mentored by CNCF during the event. Now retired after many years writing documentation at Ericsson, she's looking to contribute to TechDocs and the "How to Guides Hard to Navigate" issue #30062. A good example of the KubeCon hallway track bringing new contributors into the project.

Changelog

v1.50.0

Released April 14, 2026

Breaking Changes:

• Identity token ownership claim removed by default: The auth.omitIdentityTokenOwnershipClaim setting now defaults to true. User tokens no longer contain the ent claim with ownership entity refs. Use the userInfo core service to get ownership info instead.

• Standard Schema replaces createSchemaFromZod: The deprecated createSchemaFromZod helper has been removed from @backstage/frontend-plugin-api. The new configSchema option accepts direct schema values from Standard Schema compatible libraries like zod v4. Zod v3 schemas require migration to a compatible version.

• Backstage UI updates: Header tabs now use HeaderNavTabItem[] instead of HeaderTab[], with a new activeTabId prop for controlling highlighted tabs. Tab href values are now resolved through router context. The toolbarWrapper element has been removed from PluginHeader. Minimum React version is now 18.

• Removed deprecated PermissionedRoute: Use RequirePermission component from @backstage/plugin-permission-react.

• Removed deprecated signal service exports: Use SignalsService and DefaultSignalsService instead of the old SignalService and DefaultSignalService exports.

• Catalog node alpha exports removed: Several deprecated alpha exports removed from @backstage/plugin-catalog-node/alpha. Use stable exports from @backstage/plugin-catalog-node instead.

• Location entity refs and update method: The Location type now includes a required entityRef field. Code that produces Location objects must include this field. New updateLocation method added to CatalogApi and CatalogService.

Highlights:

• New catalog model layer system (alpha, opt-in) for declaring and extending entity kinds, annotations, and relations using JSON Schema
• Experimental embedded Postgres support for local development
• New DialogApi.open() method
• Enhanced Backstage UI components, including Badge, RangeSlider, and CheckboxGroup

See the v1.50.0 migration documentation for detailed upgrade guidance.

Full changelog: https://github.com/backstage/backstage/releases/tag/v1.50.0

Read past issues: https://roadie.io/backstage-weekly/

Catalog Model Fragments RFC: Formalizing entity model extensions

Core maintainer freben announced in #catalog that he'd opened a mini-RFC on GitHub (issue #33770) calling for community input on a new alpha system for declaring, extending, and introspecting the catalog entity model. The proposal would let plugins register their own entity model fragments (custom fields, relationships, or metadata schemas) in a structured way that the catalog engine can reason about, rather than relying on ad hoc conventions.

The current model treats the catalog schema as implicit. Plugins add fields or relationships through convention, but there's no formal registration mechanism. This makes it difficult for tools to discover what fields are valid, for validation to catch schema drift, and for documentation to stay synchronized with actual usage. The RFC treats this as an API review opportunity ahead of implementation. Comment on the issue directly if you've ever wished plugins could formally advertise what they add to the catalog.

v1.49.4 ships with OAuth fix for MCP and AI integrations

Backstage v1.49.4 landed on April 7 with a focused set of fixes. It addresses a previous regression where the OAuth 2.0 Protected Resource Metadata endpoint was returning the wrong URL, affecting MCP and AI tool integrations. It also fixes an incorrect legacy-frontend-plugin template name and several other minor issues.

The OAuth fix solved an issue where Backstage actions worked fine with GitHub Copilot in VS Code but failed with Claude Code. The community had already flagged this in #backend-system, and PR #33092 resolves it by correcting the metadata endpoint response.

First Backstage Finland User Group meetup announced for May

The Backstage Finland User Group is hosting its inaugural meetup on Tuesday, May 19, 2026, the day before KubeCon Community Day in Helsinki. The event was announced in #meetups by drodil on April 8. The community-organized event includes knowledge sharing, live demos, and networking. Speakers are welcome to present. Contact drodil directly if you're interested.

Community Discussions

🤖 Community wants to build a Backstage MCP, inspired by Spotify's AiKA

A Spotify R&D video titled "Build like Vincenzo: AiKA | Spotify for Backstage" sparked an 8-message thread in #general, with community members asking about the MCP tooling used in the demo. SonilPro's team is trying to build a Backstage MCP server that can answer questions about their system, similar to how AiKA works internally at Spotify. freben joined in and suggested that Backstage's TechDocs search action would be a natural starting point for MCP tool definitions in documentation lookup use cases. Teams are actively exploring how to expose Backstage's catalog as context for AI coding agents, and this thread is a good snapshot of where that work stands.

🔐 Service account vs. user token: permissions in multi-tool Backstage

A thread in #auth surfaced a common architectural tension: when Backstage integrates with tools like Bitbucket, Jenkins, Kubernetes, and Jira via Keycloak, teams often use a shared service account token for backend-to-service communication, bypassing individual user permissions. This is particularly concerning when AI agents are granted Backstage access to open PRs. The thread explored whether Backstage should proxy user-scoped JWT tokens to downstream services and whether the permissions framework should support federated permission checks from external systems. No clear solution emerged, but teams building AI-augmented pipelines will increasingly run into this design problem.

🔑 Zod schema incompatibility blocking upgrades to v1.49.x

Jon Koops opened a 6-message thread in #general requesting a backport of PR #33536 to the v1.49.x line. The change, which refactors APIs to use TSchema extends ZodType instead of ZodSchema<Output, ZodType...> decomposition, is blocking downstream consumers who can't jump directly to v1.50. freben explained that the team generally doesn't backport breaking-change fixes to stable branches, and the pragmatic workaround is a Yarn resolution override. A related #support thread posted April 7 is also asking about Zod v4.x compatibility, and is still awaiting a maintainer response.

🏗️ Running multiple Backstage environments on one PostgreSQL server

A thread in #general explored how to isolate multiple Backstage environments (for example, idp_dev and idp_uat) on a single shared PostgreSQL server. Backstage creates one database per plugin (catalog, app, search), so running two full environments means managing TOTAL_PLUGINS × N_ENVIRONMENTS databases, which gets unwieldy fast. The thread covered schema-naming conventions and whether a shared server is actually worth the operational complexity compared to dedicated instances per environment.

💾 yarn tsc out of memory after Zod upgrade

A #support thread from April 1 hit on a widespread pain point: after updating to recent Backstage versions, yarn tsc crashes with a JS heap out-of-memory error. Dinesh confirmed that updating from Zod v3 to Zod v4 resolved the OOM, and freben added context: ensure everything is at least ^3.25.0, prefer import { z } over import z, and use from 'zod/v3' explicitly to avoid the v3/v4 ambiguity. A related thread in #general from the same week noted that migrating from the deprecated makeFieldSchemaFromZod to makeFieldSchema also stopped the OOM during type-checking.

😄 Entity provider with delta mutation: How does it actually work?

In a 13-message thread in #support, Enri Kapaj from Red Hat asked how delta-type entity providers know when to fire. Full-mutation providers run on a schedule you define, but delta providers are event-driven with no obvious wiring. freben clarified that some listen to PubSub messages, some run on a cadence, and some are triggered by API calls from a custom backend plugin. The catalog engine receives mutation commands without caring about the source. This thread is now a solid community reference for anyone building event-driven entity ingestion.

📝 app-config.yaml intellisense: The community wants it, it's just hard

Sarabadu kicked things off with a well-received meme ("I don't know if there is an easy way to get app-config intellisense, and at this point I'm too afraid to ask") that triggered an 8-message thread about IDE support for app-config.yaml. Partial intellisense exists for the core framework via config.d.ts schema files, but it doesn't extend to installed community plugins. freben noted that plugin schema discovery is non-trivial, but hinted that the output of backstage-cli config:schema could potentially feed into standard VS Code JSON schema tooling. freben replied on April 7, so it's worth watching.

😂 April Fools: Windows 95-themed Backstage UI with Clippy

The community marked April 1 in their own way. Ballpointcarrot shared a Windows 95-themed Backstage UI complete with a "Clippy"-style assistant with benji saying it was better than his own half-finished "Backstage premium subscription plugin" joke. The "Backstage is dead" LinkedIn post shared by drodil ( from Zohar Einy and Spotify for Backstage) prompted a 6-message thread including freben quipping "...you'd be poor 😂".

Changelog

v1.49.4

Released April 7, 2026

Highlights:

• Fixed OAuth 2.0 Protected Resource Metadata endpoint returning wrong URL (affecting MCP and AI tool integrations)
• Corrected legacy-frontend-plugin template name
• Additional minor bug fixes

Full changelog: https://github.com/backstage/backstage/releases/tag/v1.49.4

v1.50.0-next.2

Released April 7, 2026

Highlights:

• Second prerelease of v1.50 cycle
• Continues work from v1.50.0-next.1

Full changelog: https://github.com/backstage/backstage/releases/tag/v1.50.0-next.2

Read past issues: https://roadie.io/backstage-weekly/

BackstageCon Europe 2026 recordings now available

The recordings from BackstageCon Europe 2026 are now live. The KubeCon keynote Live Demo Showcase is available on YouTube, along with the CNCF documentary "Backstage: From Spreadsheet to Standard."

Co-chair balajisiva shared raw community feedback in #general from the event. Highlights from the "what's working" side included good adoption momentum, easy upgrades, MCP actions becoming useful, and the flexible entity model. Pain points included ESM support gaps, breaking changes between minor versions, the complexity of the new frontend system, and keeping YAML-based component definitions in sync.

Context engineering: The prerequisite your enterprise AI deployment is missing

We published a technical piece this week on why most enterprise AI initiatives stall. It looks at context engineering as an architectural discipline that determines whether LLMs have accurate, current, and scoped information at inference time. The piece covers four layers: data collection and normalization, semantic modeling and entity resolution, retrieval strategy design, and context validation.

Enterprises accumulate context debt when LLM features are built on unstructured context layers. Service metadata sits distributed across GitHub, Jira, PagerDuty, Confluence, and custom CMDBs with no consistent schema. Ownership modeling defaults to ad hoc assignments with no canonical identity. Almost no tooling tracks lineage by default.

The guide includes a context readiness audit with five critical questions to ask before shipping your next AI feature. Five yes answers mean your context layer is ready to support an LLM feature. Fewer than five means you still have some architectural work to do. We also argue that a well-maintained software catalog already gives you the critical foundation for context infrastructure.

→ Read the full article

Unity contributes DevLake DORA metrics plugin

Miki Lior (VP Engineering at Unity) contributed a new DevLake-to-DORA Backend Module after an 18-message community validation thread in #plugins. The plugin bridges Apache DevLake's engineering metrics API directly to the standard Backstage DORA plugin, featuring a new EntityDoraCard for the Catalog Overview, a Secure SQL Proxy for DevLake v1.0.2, and full compatibility with the new Backend System architecture. If your organization uses DevLake for engineering metrics, this provides a direct path to surface DORA metrics in your internal developer portal.

Two releases this week, v1.49.3 ships with regressions

The Backstage team shipped two releases in the past week. v1.49.3 landed on March 28 with accidentally self-deprecating release notes. Maintainer freben forgot that the automation would take the release note text verbatim, resulting in notes that read "I messed up #33600 in a silly way so ... made this instead" (it got its own #silly-goose thread). v1.50.0-next.1 landed on March 31, kicking off the next minor release cycle.

v1.49.3 introduced two significant regressions. Users upgrading from v1.48.3 to v1.49.3 are seeing two page headers render on most pages in the new frontend system. Adam (tty0) reported in #scaffolder that v1.49.x broke the NFS custom field explorer, affecting both the template editor and custom field extension loading. Adam already opened PR #33599 to fix the scaffolder issue, so a patch should arrive soon. If you're planning to upgrade to v1.49.3, monitor these threads for fixes before pulling the trigger.

Community Discussions

Supply chain security: yarn-install action uses version refs instead of hashes

In #maintenance, a contributor from INGKA (IKEA Group) flagged that backstage/actions/yarn-installstill pins its cache action using a version tag rather than a full commit hash, which fails stricter supply chain security policies such as those required by the trivy toolchain. INGKA already issued an internal fix and opened PR #184 to pin the cache action version to a hash upstream. Teams using GitHub Actions with hardened supply chain policies should be aware of this until the fix is merged.

Backend startup failure when upgrading from v1.46 to v1.47+

A busy support thread (21 messages) tackled a common pain point when upgrading from v1.46.x to v1.47+. The backend throws Plugin 'catalog' startup failed; service or extension point dependencies of plugin 'catalog' are missing: serviceRef{alpha.core.metrics} because the new alpha metrics service needs to be explicitly imported. The fix is to add import { rootSystemMetadataServiceFactory } from '@backstage/backend-defaults/alpha' to your backend/index.ts. A helpful tip from the thread: use yarn why <package-name> to diagnose version mismatches when upgrading.

Plugin isolation and data access security architecture

A 12-message thread in #security explored whether Backstage's plugin architecture provides sufficient isolation to prevent a compromised plugin from accessing sensitive data in other plugins via code.api calls. The thread examined whether Backstage's permissions framework can be used to restrict inter-plugin access. Peter "Parsifal-M" mentioned that OPA (Open Policy Agent) can help with this. The thread also discussed whether Dependabot surfaces community plugin vulnerabilities. Teams running Backstage in high-security environments should treat this as an open architectural question.

Announcements plugin docs fixed after community-reported confusion

A 15-message thread in #plugins surfaced that the documentation for configuring NewAnnouncementsBanner was incorrect. Specifically, the config key documented in app-config.yaml for disabling the banner didn't actually work. Community member Tyson tracked down the issue, and contributor kurtaking opened PR #8363 to fix the docs and add instructions for how to properly disable the banner.

Scaffolder + AI: Replacing templates with Copilot-backed chatbots

A discussion started in #scaffolder when goldbug1 described experimenting with the copilot-sdk to replace traditional scaffolder templates with an AI-powered "create new app" chatbot backed by GitHub Copilot. The chatbot uses Backstage scaffolder actions as tools so it can scaffold apps the same way a template would. The thread attracted community commentary and is an early signal of how teams are exploring AI-augmented scaffolding.

Zod v3 to v4 migration underway internally

A March 27 post in #general noted that the internal migration of @backstage/backend-defaults from Zod v3 to v4 is in progress (linked commit). This is relevant for anyone building plugins that depend on Backstage's internal Zod usage, and for plugin maintainers who may want to align their own Zod versions ahead of any downstream breaking changes.

Changelog

v1.49.3

Released March 28, 2026

Highlights:

• Contains regressions: double headers in new frontend system, broken NFS custom field explorer
• Accidentally self-deprecating release notes (automation artifact)
• Patches expected soon

Full changelog: https://github.com/backstage/backstage/releases/tag/v1.49.3

v1.50.0-next.1

Released March 31, 2026

Highlights:

• First prerelease of v1.50 minor release cycle
• Continues work from v1.50.0-next.0

Full changelog: https://github.com/backstage/backstage/releases/tag/v1.50.0-next.1

Read past issues: https://roadie.io/backstage-weekly/

BackstageCon Europe 2026

BackstageCon Europe 2026 took place on March 23 at RAI Amsterdam as a co-located event with KubeCon + CloudNativeCon Europe, featuring talks on AI integration with platform engineering, agentic software catalogs, and production patterns.

Roadie's team participated with two presentations. David Tuite delivered a sponsored keynote titled "AI Can't Use Data it Doesn't Have", covering how to provide AI the context it needs. He demoed live how Roadie can help platform teams use agents in production with 34% better answer correctness than direct MCP and up to 88% less token usage.

Sam Nixon presented "Agentic Backstage: How To Manage an AI Software Catalog", examining how autonomous agents increasingly become the primary users of engineering systems. When your software catalog serves AI agents, it needs fresher metadata, traversable relationships, structured low-token output, and actionability behind proper permissions. Provider-based ingestion beats manual YAML authoring at scale, and relationships matter more than perfect taxonomy.

Other BackstageCon sessions included "The State of Backstage in 2026" from core maintainers Ben Lambert and Patrik Oldsberg, and the Backstage ContribFest for contributors to make direct open source impact. If you’ve been thinking about contributing, you can check out the [Getting Started Guide] (https://contribfest.backstage.io/getting-started/) Available recordings from these sessions will be shared in upcoming newsletters.

The CNCF documentary "Backstage: From Spreadsheet to Standard" premiered at KubeCon + CloudNativeCon Europe. The film, produced with support from Spotify and Roadie, traces how Backstage evolved from an internal Spotify tool into a CNCF standard for developer portals. The documentary is now available on YouTube.

Prompt Engineering vs Context Engineering: Roadie explains why AI systems fail

Roadie published a technical guide this week on the distinction between prompt engineering (how you phrase instructions) and context engineering (what information actually reaches the model). As Andrej Karpathy frames it, the LLM is the CPU, and the context window is RAM. Everything the model can reason about must fit into that buffer before generation starts.

The guide argues that most AI projects fail because of poor context inputs rather than model limitations. A service dependency agent can have a perfectly crafted system prompt and still hallucinate answers when it runs without the relevant catalog metadata. The same prompt with actual entity data injected produces correct, grounded results, with the improvement coming entirely from what gets loaded into the context window.

The article examines four failure patterns that prompt-only approaches can't solve. Stanford's "Lost in the Middle" research shows models ignore content in the middle of 20 documents, meaning positional attention degrades recall on long contexts. Context rot hits before token limits, with performance dropping as context grows even under 128K tokens. Static prompts can't track dynamic systems, so the model doesn't know that the on-call rotation shifted or the runbook was updated. Uncontrolled context produces non-determinism that's impossible to debug, where the same prompt yields different outputs with no way to reproduce them.

The guide includes a production context pipeline architecture, Python code for wiring the Backstage Catalog API into a retrieval pipeline, and a comparison table showing how prompt engineering and context engineering differ in scope, ownership, and failure modes.

Read the full article: https://roadie.io/blog/prompt-engineering-vs-context-engineering/

Backstage ships v1.49.0 through v1.50.0-next.0 in one week

The Backstage team shipped four releases between March 18-24. v1.49.0 dropped on March 18 with the New Frontend System 1.0 RC as the new default, marking a milestone in the platform's evolution. Patch releases v1.49.1 (March 20) and v1.49.2 (March 22) followed quickly to address regressions. The patch releases added a titleLink prop to PageLayoutProps so plugin header titles can link back to the plugin root, removed the now-unnecessary @backstage/cli-module-new package, and fixed OIDC/CIMD redirect URI matching to support any port on loopback addresses. The v1.50.0‑next.0 prerelease landed on March 24, opening the next release cycle.

Full release notes: v1.49.0, v1.49.1, v1.49.2, v1.50.0-next.0

Community Discussions

PostgreSQL deadlocks in the catalog backend with multiple replicas

A 38-message thread in #general uncovered a serious production issue for anyone running more than one Backstage replica. PostgreSQL deadlocks were occurring in the catalog backend's refresh_state table, surfacing as "PostgreSQL error of type 'error' occurred (code: 40P01)" in OTEL traces. The root cause is concurrent UPDATE statements racing during catalog stitching. Maintainer freben confirmed the first fix was merged and shipped in the -next prerelease on March 24, with the community still investigating a second potential deadlock path in DefaultStitcher. If you're running multiple replicas and seeing this error, watch the -next releases.

TypeScript compiler OOMs after upgrading to v1.49.0

Multiple community members hit TypeScript compiler (TSC) out-of-memory crashes after upgrading to v1.49.0. Maintainer freben identified the likely cause as mixed zod 3/zod 4 imports causing excessive type-checking memory usage. The fix involves ensuring your workspace uses at least zod@^3.25.0, preferring import { z } from 'zod' over the default import, and using explicit from 'zod/v3' paths where needed. Rugvip confirmed that v1.49.1 also addressed many related header alignment regressions introduced in v1.49.0, describing it as a hectic pre-KubeCon patch sprint.

Scaffolder dry-run now strips task secrets

A #support post flagged that a recent security commit (4f5ed06) removed both environment variables and user-supplied task.secrets from Scaffolder dry-run executions. The change was motivated by preventing secret leakage, but the community noted that user-supplied secrets (distinct from env secrets) are now also stripped, breaking integration test suites that rely on the dry-run API with tasks.secrets. If your team uses dry-run executions for testing, review this before upgrading.

Unity's VP of Engineering plans a DevLake to Backstage DORA plugin

In a lively 17-message thread in #plugins, Miki Lior (VP of Engineering at Unity) announced plans to contribute a DevLake-to-DORA community backend module that maps DevLake APIs into the standard Backstage DORA plugin. This gives teams using Apache DevLake a way to surface DORA metrics in their IDP. After feedback from maintainer Ahhhndre (recommending the New Frontend System and Backstage UI components), Miki committed to building it as a community plugin, opening a GitHub issue first to gather feedback on the data mapping design. Unity has production use of DevLake, so long-term maintenance is on the table.

yarn new template naming conflict in v1.49.0

Community member Sarabadu spotted a bug in #general. Running yarn new in a fresh v1.49.0 workspace throws Error: Invalid template configuration, received conflicting template name 'frontend-plugin'. The cause is the legacy frontend-plugin template name colliding with the new naming convention. Sarabadu opened a PR (#33446) to rename frontend-plugin to legacy-frontend-plugin as a fix. If you're initializing new Backstage workspaces on v1.49.x, this is worth watching.

Scaffolder SIG skipped due to KubeCon week

Blam posted in #scaffolder that the Backstage Scaffolder SIG meeting was cancelled for the week of March 19 due to the KubeCon Amsterdam schedule and maintainers being heads-down in preparation. Community members with Scaffolder topics were invited to bring them up directly at the KubeCon pavilion instead. Regular SIG cadence should resume after the conference.

Changelog

v1.49.0

Released March 18, 2026

Highlights:

• New Frontend System 1.0 RC becomes the default frontend framework
• Breaking changes to Backstage UI package
• AI and MCP improvements
• CLI Module System enhancements
• Predicate-based catalog filtering

Full changelog: https://github.com/backstage/backstage/releases/tag/v1.49.0

v1.49.1

Released March 20, 2026

Highlights:

• Added titleLink prop to PageLayoutProps for plugin header navigation
• Fixed header alignment regressions from v1.49.0
• Addressed zod 3/4 type-checking issues

Full changelog: https://github.com/backstage/backstage/releases/tag/v1.49.1

v1.49.2

Released March 22, 2026

Highlights:

• Removed unnecessary @backstage/cli-module-new package
• Fixed OIDC/CIMD redirect URI matching for loopback addresses
• Additional regression fixes

Full changelog: https://github.com/backstage/backstage/releases/tag/v1.49.2

v1.50.0-next.0

Released March 24, 2026

Highlights:

• First prerelease of v1.50 cycle
• PostgreSQL deadlock fix for multi-replica catalog deployments

Full changelog: https://github.com/backstage/backstage/releases/tag/v1.50.0-next.0

Backstage v1.49.0 ships with New Frontend System 1.0 Release Candidate

Backstage v1.49.0 dropped on March 18. It brings the New Frontend System to 1.0 Release Candidate status, making it the default for all newly created Backstage apps. The old --next flag for create-app has been replaced with a --legacy flag. This is the effective end of a multi-year migration.

Key changes include significant Backstage UI migrations (entity cards moved from MUI to BUI, new SearchAutocomplete, List, and ListRow components), removal of long-deprecated integrations (Bitbucket, legacy Azure DevOps fields), and new requirements for the ScaffolderApi interface. AI and MCP capabilities expanded with new built-in actions (who-am-i, query-catalog-entities, list-scaffolder-actions, get-scaffolder-task-logs) and support for splitting MCP actions into multiple servers. The CLI was refactored into an extensible module system, the catalog gained predicate-based filtering with operators like $all, $any, and $contains, and a new ToastApi replaces AlertApi for rich notifications.

Additional improvements include permission batching for better performance, GitLab integration enhancements (configurable throttling, group access scaffolder action), and migration of OpenAPI schemas to version 3.1. Two catalog processors (AnnotateScmSlugEntityProcessor and CodeOwnersProcessor) were deprecated and moved to the Community Plugins repo.

Full release notes: https://github.com/backstage/backstage/releases/tag/v1.49.0

Roadie publishes architectural guide to Backstage and the IDP market

Roadie published a technical deep dive on March 17 examining the choice most teams are actually making when evaluating developer portals. What architecture do you want to commit to for the next 5-10 years of developer experience?

The piece presents three possible paths. Self-hosted Backstage gives you framework ownership and architectural control, but you’re responsible for monthly releases that don't follow semver, the TypeScript tax of plugin compatibility, and the ongoing engineering effort to prevent upgrades from turning into periodic migrations. Proprietary SaaS portals offer speed through vendor-defined schemas and workflows but tie your service metadata to a product-defined model. SaaS portals built on the Backstage standard absorb framework lifecycle management while retaining plugin-based extensibility and catalog-driven context.

The guide includes a detailed look at the New Backend System migration as a case study in operational complexity. The shift from imperative plugin setup to declarative backend.add() calls, deprecated packages, and changed service communication patterns requires planning, testing, and staged rollouts for self-hosted teams. The article argues this is where the responsibility boundary matters. Self-hosting makes your team responsible for maintaining the framework itself, while SaaS shifts that boundary so teams can focus on extending and using the portal.

Read the full guide: https://roadie.io/blog/backstage-and-its-place-among-developer-portals/

Your IDP is an AI goldmine: Roadie explains context engineering

Roadie published a technical guide this week on how your IDP can become the context infrastructure that makes org-specific AI agents actually work. The gap between what LLMs can do and what they know about your systems is what kills AI adoption beyond code generation.

Generic tasks like writing unit tests work fine out of the box. But org-specific questions (who owns auth-gateway, did payments-service deploy in the last four hours, what's the runbook for queue consumer failures) require private structural knowledge no pre-trained model has. Most teams dump documentation into vector stores and call it RAG. This produces confident wrong answers when docs go stale or the agent retrieves a page describing your system as it existed eighteen months ago.

Your IDP already has the context you need. The Catalog API surfaces ownership graphs, dependency maps, deployment history, and incident data as structured, continuously-updated JSON. The article presents three wiring patterns for consuming it (RAG over catalog entities, MCP server wrapping the API, direct function-tool definitions), includes code examples for parsing entity JSON into context strings, and provides a Python script for auditing catalog completeness. The operational hygiene section emphasizes that AI agents are only as good as the catalog data they rely on. Missing `spec.owner` removes escalation paths during incidents, and empty descriptions degrade embedding quality, turning the catalog into unreliable context.

Read the full article: https://roadie.io/blog/idp-ai-goldmine-context-engineering/

Community Discussions

v1.49.0 ships with New Frontend System 1.0 RC

Backstage v1.49.0 was announced on March 18 in #announcements. The New Frontend System (NFS) has reached its 1.0 Release Candidate, meaning newly scaffolded Backstage apps now use NFS by default. The old --next flag for create-app has been inverted to --legacy, and yarn new templates now auto-detect which frontend system your app uses and present the appropriate plugin templates.

The release also brings significant Backstage UI (BUI) breaking changes: new SearchAutocomplete and List/ListRow components built on React Aria, a virtualized prop on Table, centralized BUIProvider routing requirements, and removal of deprecated CSS tokens and types. Entity cards (EntityAboutCard, EntityLinksCard, EntityLabelsCard, and others) have been migrated from MUI to BUI. Additionally, deprecated Bitbucket and legacy integrations have been removed, and ScaffolderApi methods (retry, listTasks, autocomplete, etc.) are now fully required on implementations.

The demo site upgraded to 1.49.0-next.2 on March 13 and the full stable release followed on March 18. See the complete release notes on GitHub.

v1.49.0 early upgrade issues: TSC OOMs and double headers

A thread that started within hours of the release in #general is already tracking real-world upgrade pain. Contributor drodil (Buildforce) reported that upgrading to 1.49.0 causes TypeScript compilation to OOM even with --max-old-space-size=16384, backstage-cli repo lint taking 466 seconds on a handful of files, and double headers appearing on catalog pages (one from BUI, one from the old core components). Maintainer Rugvip confirmed the double-header issue is a known transitional artifact while the BUI/NFS cleanup completes, and began investigating the TSC and lint regressions. If you're planning to upgrade, watch this thread before starting.

Framework SIG missed due to Daylight Saving Time confusion

A 33-message thread in #general on March 17 highlighted a community coordination issue around SIG scheduling. The biweekly Backstage Framework SIG was missed after the meeting time was configured in a US Eastern timezone, causing European participants (in Stockholm/Amsterdam, which had just entered DST) to see the event one hour earlier than expected.

Maintainer freben apologized for the miss, noting he was heads‑down on the v1.49.0 release. The thread turned into a discussion about how the community tracks SIG schedules, surfacing that Discord event exports use UTC without explicit timezone context, making them unreliable across DST transitions. The consensus was that SIG meetings in the shared Google Calendar should be set to CET/Europe/Stockholm rather than a US‑based timezone to avoid future drift.

Is NFS the default yet? Community asks about the switchover timeline

Jon Koops opened a short thread in #general on March 17, asking whether it made sense to make the New Frontend System the default for create-app, noting that the --next flag still felt opt-in while NFS had matured significantly. The question turned out to be perfectly timed. v1.49.0 (released the next morning) answered it definitively by flipping the default.

NFS migration challenges: Scaffolder TaskPageComponent missing and routing gaps

Multiple discussions in #frontend-system this week showed that teams are actively attempting the NFS migration and running into real gaps. One team (arlamaeen, March 5) discovered that TemplateWizardPageProps in the NFS scaffolder alpha doesn't expose a TaskPageComponent option (available in the legacy system), making it impossible to replace the task page UI without forking. Meanwhile, another user (Dinesh, March 12–13) reported a blank page on the base route after migrating the homepage. A separate thread showed teams struggling with custom routing for entity pages and the K8s plugin. Community member Sarabadu shared a practical migration logbook on dev.to (posted March 16) documenting their catalog plugin migration journey, which received a warm community reception. The prevailing sentiment is that the docs have gaps, routing for custom pages is the biggest blocker, and the community is learning in the open while the 1.0 RC stabilizes.

RBAC + OIDC role mapping: Dynamic role assignment from Keycloak

A detailed exchange in #plugins starting March 16 tackled a common enterprise pattern: how to dynamically assign RBAC roles to users based on roles returned from an OIDC provider (Keycloak), without hardcoding group memberships in policy.yaml. User Mattia Dell'Oca hit the Policy already set error when trying to stack a second policy implementation. Contributor pknight6443 pointed to RBAC providers as the correct approach. This involves creating a custom backend module that calls Keycloak at login time and invokes applyRoles and applyPermissions dynamically. This is a pattern many enterprise teams are converging on.

BackstageCon Plugins Panel soliciting community input

A #plugins post invited the Backstage community to submit questions for the Plugins Panel at BackstageCon Europe 2026 (March 23, Amsterdam, co-located with KubeCon). The panel will cover plugin stewardship, contribution barriers, balancing innovation with maintenance quality, and what should happen when a plugin is no longer maintained. If you're attending KubeCon or BackstageCon and have opinions on plugin health, ownership, or the contributor experience, there is still time to submit questions. A reminder in #adoption also asked who from the community will be present in Amsterdam.

Scale question: 200,000+ entities with 6+ relations each

A 4-message thread in #catalog from March 13 asked whether anyone had practical experience ingesting very large catalogs (200k+ entities each with six or more relations). User Hulmir reported hitting issues at scale and asked for guidance on tuning the catalog for this volume. freben jumped in to confirm the specific errors being seen, signaling the start of a troubleshooting discussion. This thread is worth monitoring if you're running or planning to run Backstage at this scale.

MCP/AI discoverability of skills in the catalog

A brief message in #catalog on March 16 from cal5barton asked how teams are making MCPs and AI skills discoverable within Backstage. The question drew reactions from multiple community members, suggesting broad interest, but no clear direction yet. With MCP becoming a widely-adopted standard for AI agent tooling, integrating MCP discovery into the Software Catalog (as a new kind, as annotations, or via a dedicated plugin) is an emerging topic that the community is starting to explore.

Changelog

v1.49.0

Released March 18, 2026

Highlights:

• New Frontend System 1.0 Release Candidate (NFS now default for new apps)
• Backstage UI breaking changes (new components, removed props, CSS token changes)
• Entity cards migrated from MUI to BUI
• Deprecated Bitbucket and legacy integrations removed
• AI and MCP improvements (new built-in actions, MCP server splitting)
• CLI Module System refactored into extensible architecture
• Predicate-based catalog entity filtering
• New ToastApi replaces AlertApi
• Permission batching for improved performance

Full changelog: https://github.com/backstage/backstage/blob/master/docs/releases/v1.49.0-changelog.md

The pre-conference quiet continued this week. Backstage shipped v1.49.0-next.2 with incremental fixes ahead of the March 17 stable release, while the community focused on New Frontend System migrations and the recurring DOM types debate in backend packages.

Roadie published a deep dive on context engineering that reframes AI grounding as a platform discipline that requires structured catalog metadata, not just better prompts. With BackstageCon and KubeCon Europe eleven days away, Discord traffic is centered on migration patterns, MCP discovery, and getting production instances ready for Amsterdam.

v1.49.0-next.2 ships incremental fixes

Backstage v1.49.0-next.2 landed on March 10, the second weekly pre-release in the v1.49 cycle. This follows v1.49.0-next.1 from March 3 and keeps everything on track for the stable v1.49.0 release expected March 17. The full changelog is available in docs/releases/v1.49.0-next.2-changelog.md. The v1.49.0 release will be the last before KubeCon Europe and BackstageCon on March 23.

Roadie publishes Context Engineering deep dive

Roadie published "Context Engineering: The Missing Discipline in AI-Assisted Development" this week, arguing that organizational context is the unsolved layer in AI coding tools. GitHub Copilot and Cursor handle local context and repository context reasonably well, but neither knows who owns payment-service, what lifecycle state legacy-auth-api is in, or what security constraints apply to production services. No amount of prompt engineering can retrieve information that doesn't exist in any repository.

The article frames the Internal Developer Portal as the natural solution to Layer 3 context. Your IDP already holds the two things an AI needs: metadata in catalog-info.yaml (owner, tier, lifecycle, dependencies) and semantics in TechDocs (ADRs, runbooks, how-to guides). Spotify proved this architecture works at scale with AiKA and Honk, both tightly integrated with Backstage's catalog and metadata graph. The piece walks through connecting AI tools via the Model Context Protocol (MCP), with Roadie acting as an MCP Server that exposes your catalog and TechDocs as queryable endpoints.

A key warning: the "dump everything into a vector database" approach produces context poisoning. A Confluence instance with 2,000 pages where only 300 are accurate means your AI retrieves from both canonical ADRs and three-year-old contradictory wiki pages with no way to distinguish them. The catalog-info.yaml schema enforces structure at the source. A deprecated service can't masquerade as current because its lifecycle field says otherwise. Context engineering starts with good catalog maintenance.

Community Discussions

Removing node-fetch and the DOM Types Problem

Backstage maintainer Jon Koops opened a significant architectural discussion in #general (22 replies) about the implications of removing node-fetch from the main repo, as outlined in ADR14. As backend packages (like @backstage/backend-defaults) are built from the root TSConfig, they silently receive browser DOM types, which means that incorrect web-based types are provided anywhere the Fetch API behaves differently between Node.js and the browser. Jon proposes changing the TypeScript configurations so that backend-only packages are never exposed to library types from the web, and he plans to bring it to the framework SIG. The discussion also covers project references performance in CI, the upcoming tsgo compiler, and whether the change should be opt-in for adopters initially.

State of AI in Backstage: MCP, RAG, and a Discoverability Gap

A thread in #general titled "ai" (6 replies) kicked off a survey of what AI integration currently looks like in Backstage. The conversation catalogued the current landscape: an MCP chat plugin in the community plugins repo, a plugin for exposing Backstage actions as MCP tools (mcp-actions-backend), and Roadie's RAG-based AI assistant plugin for querying catalog and TechDocs knowledge. This knowledge is currently scattered across Discord threads and GitHub PRs, with no central tracking page. Thomvaill and drodil (a Backstage Framework maintainer) agreed that a dedicated documentation page listing all available MCP actions per plugin would be valuable. Drodil also noted a new PR (#33253) they've made on the topic, though it's not yet clear whether it belongs in the main repo or community plugins.

Templates and partOf Relations: A Design Clarification

A 21-message thread in #general surfaced a common point of confusion: why can't Scaffolder Templates reference entities outside of their owner using partOf relations? A user wanted to track which Component (a repo containing all their templates) each Template "belongs to" in the catalog graph. Maintainer Freben explained that this is an intentional design constraint of the System Model. Templates are not designed to have arbitrary cross-entity relations. Freben suggested the Resource kind as a better fit if the model needs to be extended. The thread links to the Extending the Model docs as the recommended solution.

Finding Entities with Missing or Unknown Owners

An 18-message thread in #catalog explored how to hook into catalog ingestion to detect or process entities with invalid or unknown owners. Freben recommended the Catalog FAQ's processor-based validation section as a starting point, and followed up with a more advanced pattern: as you page through entities, you can call .prime() on the existence dataloader to pre-populate knowledge of which entities exist, then mark the ones that don't as having broken relations. This approach avoids storing the full catalog in memory or making repeated catalog API requests.

Jest Removed from Backstage CLI: Community Plugin Impact

Maintainer Ahhhndre investigated why removing Jest from the Backstage CLI in v1.46.0 hadn't broken anything yet, and found the answer: a version of the Backstage CLI still exists in the root package.json, and CI is using that. Simply removing it would break most workspaces. The fix is a gradual migration. A PR for community plugins (#7867) has been opened to migrate packages one by one, and Ahhhndre has also filed an issue (#7868) for maintainer-owned workspaces so the community can help during ContribFest.

Release Train: v1.49.0 Pre-Releases Are Rolling

The #announcements channel has been active with the v1.49.0 pre-release train. v1.49.0-next.2 dropped on March 10, following v1.49.0-next.1 on March 4 (which also updated the Backstage Demo site). Before that, v1.48.2 (Feb 24) included a fix to update @microsoft/api-extractor to 7.57.3 and restore formFieldsApiRef and ScaffolderFormFieldsApi alpha exports that had gone missing. If you're tracking pre-releases or running the demo, this is a good time to test against next.2 ahead of the stable v1.49.0 release.

Templates Randomly Disappearing with Split Catalog Deployments

A recent #catalog thread flags a possible operational issue for anyone running Backstage at scale with a split read/write catalog deployment and HPA. One user reported that Template entities (and only Templates, not Components or APIs) were disappearing periodically from statically configured catalog locations. The logs showed a ConflictError: Conflicting write of processing result for <entity-id> with location key 'url:https://github.com/<location-key>' error. This appears to be a race condition specific to multi-pod catalog-write deployments; if you're running 2–4 catalog-write pods in production, this thread is worth watching.

Backstage Documentary Premieres at KubeCon Amsterdam

For those attending KubeCon + CloudNativeCon Europe in Amsterdam on March 23, don't miss the premiere of the CNCF Documentary: "Backstage: From Spreadsheet to Standard", a film co-produced by Spotify, CNCF, and Roadie. The screening is on the official KubeCon schedule. The Community Plugins SIG scheduled for March 24 has been cancelled due to the KubeCon overlap, so the documentary event is the place to be for community networking around Backstage that week.

Changelog

v1.49.0-next.2 - March 10, 2026

Pre-release:

• Incremental fixes and improvements ahead of v1.49.0 stable release

Release:v1.49.0-next.2

Beyond security, the CNCF published a BackstageCon Europe preview that positions AI integration as the defining theme for 2026, Roadie released a comprehensive Context Engineering Glossary that reframes catalog hygiene as an AI infrastructure concern, and the first v1.49.0 pre-release landed with quality-of-life fixes. With KubeCon Europe three weeks away, the community is in pre-conference mode.

v1.48.4 addresses three security vulnerabilities, including HIGH-severity TechDocs flaw

Backstage v1.48.4 shipped on March 4 alongside three GitHub Security Advisories. This is a security-focused patch release with no feature changes, making it a low-risk upgrade for all teams.

The most critical advisory is GHSA-928r-fm4v-mvrw, rated HIGH. When TechDocs runs in local mode, an attacker who can modify a repository's mkdocs.yml file can execute arbitrary Python code on the TechDocs build server. The attack vector uses MkDocs hooks, a feature that allows custom Python execution during documentation builds. The @backstage/plugin-techdocs-node package didn't sanitize hook configurations before passing them to MkDocs, allowing embedded Python to run with full privileges of the TechDocs service. Teams running TechDocs with runIn: local should upgrade to v1.48.4 immediately or switch to runIn: docker as a workaround.

The two remaining advisories are rated LOW but still worth patching. GHSA-95v5-prp4-5gv5 affects @backstage/integration and could allow unauthorized reading of SCM URLs using the built-in token. GHSA-8qp7-fhr9-fw53 affects @backstage/plugin-scaffolder-backend and relates to session token exfiltration via insufficient log redaction. All three advisories were authored by maintainer benjdlambert.

v1.49.0-next.1 fixes MUI dependency and tab ordering issues

Backstage v1.49.0-next.1 landed on March 3 as the first weekly pre-release in the v1.49 cycle. The release fixes the @mui/material/styles shared dependency key by removing a trailing slash that caused module resolution failures with Material UI package exports. It also resolves an issue where entity page tab groups weren't respecting the ordering specified in the groups configuration. The full changelog is available in docs/releases/v1.49.0-next.1-changelog.md. The stable v1.49.0 release is expected later in March, following Backstage's monthly cadence.

CNCF frames BackstageCon Europe around AI and governance

The CNCF published "KubeCon + CloudNativeCon Europe 2026 Co-located Event Deep Dive: BackstageCon" on February 27, revealing the event's strategic focus: AI integration is the defining theme. Co-chairs Balaji Sivasubramanian and Bryan Landes describe the core thesis as "cloud native adoption colliding with AI-accelerated software delivery," with teams needing shared patterns for making the portal and catalog "the trusted context layer that AI copilots and agents can safely use."

BackstageCon takes place March 23 at RAI Amsterdam as a full-day CNCF-hosted co-located event alongside KubeCon + CloudNativeCon Europe (March 23-26). The event targets five audiences: platform engineering teams scaling Backstage in production, AI-forward organizations managing models and agents as first-class portal entities, maintainers and plugin developers, newcomers seeking production-grade implementation examples, and leaders evaluating Backstage adoption. Key topics include golden paths, standardized metadata, governance, plugin ecosystems, and observability. An All-Access Pass to KubeCon is required for entry. The Backstage ContribFest session follows on March 26.

Roadie publishes Context Engineering Glossary for platform engineers

Roadie published "The Context Engineering Glossary for Platform Engineers" on March 5, a comprehensive reference guide defining every key term in the context engineering stack through the lens of Internal Developer Portals. The timing aligns with BackstageCon's AI focus, as the CNCF positions the catalog as "the trusted context layer that AI copilots and agents can safely use" and Roadie's glossary defines the engineering discipline required to make that vision work in production.

The glossary covers five major sections: Context Fundamentals (context windows, grounding, what context engineering actually means), Architecture and Retrieval Terms (RAG, vector embeddings, semantic search), Platform Data Types (Service Catalog context, TechDocs context, operational context, golden paths), Agentic Capabilities (agentic context injection, function calling, system prompts), and Quality and Risk Definitions (hallucination, context drift, context poisoning, privilege leakage, implicit trust chains).

The guide frames context engineering as a core platform responsibility with dedicated engineering ownership. Its central argument is that an LLM is a powerful reasoning engine with no institutional memory, and context engineering is how you give it one. The glossary defines context engineering as the entire information supply chain feeding the model before it generates output, covering what the model is allowed to know, when, and why. For platform teams building AI assistants on top of Backstage, the piece emphasizes that poor catalog hygiene directly degrades AI output quality, context drift is an ongoing operational concern requiring automated re-indexing, and retrieval pipelines must enforce RBAC to prevent privilege leakage. The article includes practical architecture diagrams showing how Service Catalog metadata, TechDocs, and operational data flow through RAG systems to produce grounded responses.

Community Discussions

Release Updates: v1.48.3 and v1.49.0-next.1

Two releases landed this week. v1.48.3 (February 26) is a patch that fixes a @mui/material/styles shared dependency key issue caused by a trailing slash, which was breaking module resolution with MUI package exports. Anyone using MUI-heavy customisations who encountered odd import failures after 1.48 should pick this up. Hot on its heels, v1.49.0-next.1 dropped on March 3, with the demo site already running it. See the announcements for both releases.

Security: Transitive Vulnerability Scan Results Shared in Community

A detailed Snyk scan of a Backstage project uncovered 7 HIGH-severity vulnerabilities across 13 instances, with no Critical ones. Packages flagged included tar@6.2.1 (Directory Traversal), ajv@6.12.6 (ReDoS), glob@10.4.5 (Command Injection), and ip@2.0.1 (SSRF). The discussion highlighted that many of these are transitive dependencies deep in the dependency tree and cannot simply be overridden locally without breaking CLI linting. The thread had 17 messages with maintainer participation and is worth tracking if your security posture requires a clean Snyk report. See the discussion in #security.

New Frontend System Migration: Still the Community's Biggest Challenge

The new frontend system continued to dominate support traffic this week. The most active thread, "New Frontend System migration" in #support, accumulated 37 messages and a resolved badge, with users working through migrating full Catalog plugin routing and internal plugins. A parallel thread titled "Catalog migration" in #frontend-system (17 messages, still active yesterday) saw a user sharing their complete EntityContentBlueprint and createFrontendPlugin patterns for migrating GitHub-releases entity tabs, while a first-time contributor asking how to add a catalog entity card using the new frontend API received 14 replies in under a day. Maintainer Ahhhndre pointed users toward the migration docs and noted that the catalog plugin's README is still lagging behind. Join the discussion in #frontend-system or the first-plugin thread.

BUI vs MUI: Which UI System for New Instances?

With v1.48 shipping Backstage's new BUI component system alongside continued MUI support, a thread in #general sparked debate about the recommended upgrade path. A team upgrading from v1.12 to v1.48 discovered that many of their custom screens are not fully supported in BUI and asked whether staying on MUI is viable for production. Maintainer Ahhhndre confirmed both systems are currently supported, but the direction of travel is clearly toward BUI. This mirrors a parallel support thread ("Upgrade failure", 16 messages) where another user faced the same BUI vs MUI decision mid-migration. The community consensus is that MUI remains the safe path for heavily customised portals for now. See the bui vs mui thread in #general.

Jest Removed from Backstage CLI 1.46.0: Community Plugin Impact

A thread started by maintainer Ahhhndre in #maintenance revealed why removing Jest from the Backstage CLI in version 1.46.0 hadn't broken the community plugins repository CI: the CLI was still pinned in the root package.json. Removing that pin would break most workspaces. A migration PR (#7867) has been opened to slowly migrate workspaces away, and a companion issue (#7868) was logged to involve the community during ContribFest Amsterdam. If you maintain plugins in the community repo, the issue is a good place to volunteer. Follow the progress in the jest-gone thread in #maintenance.

Bug Report: GithubMultiOrgEntityProvider Misses Team Hierarchy on Webhook Events

A well-documented bug report landed in #catalog this week. When using GithubMultiOrgEntityProvider, parent/child team relationships are not updated in real time via GitHub webhook events: the hierarchy only self-corrects on the next scheduled full sync. The root cause identified is that GithubMultiOrgEntityProvider.onTeamEditedInOrganization() updates team members but never calls buildOrgHierarchy(), unlike its single-org counterpart GithubOrgEntityProvider. The thread generated 7 messages with community-contributed analysis. If you're running the multi-org provider and rely on accurate team hierarchy, either trigger more frequent full syncs or watch for an upstream fix. Read the full investigation in the #catalog thread.

How to Update Community Plugins Without Renovate

A recurring question in #plugins was resolved clearly this week: yarn backstage-cli versions:bump only bumps core @backstage/* packages and will not update @backstage-community/* plugins. To bump community plugins manually, run yarn backstage-cli versions:bump --pattern "@backstage-community/*". Maintainer Ahhhndre also recommended Renovate for automating this for monorepos, noting that Dependabot struggles with the mono-repo setup. See the full Plugin releases thread in #plugins.

Changelog

v1.48.4 - March 4, 2026

Security Fixes:

• Fixed arbitrary code execution via MkDocs hooks in TechDocs (GHSA-928r-fm4v-mvrw, HIGH severity)
• Fixed potential reading of SCM URLs using built-in token (GHSA-95v5-prp4-5gv5, LOW severity)
• Fixed session token exfiltration via log redaction bypass (GHSA-8qp7-fhr9-fw53, LOW severity)

Release: v1.48.4

v1.49.0-next.1 - March 3, 2026

Fixes:

• Fixed @mui/material/styles shared dependency key by removing trailing slash
• Fixed entity page tab groups not respecting ordering configuration

Release: v1.49.0-next.1

v1.48.2 fixes scaffolder form customization regression

Backstage v1.48.2 landed on February 24, addressing a critical regression from v1.48.0. The patch restored formFieldsApiRef and ScaffolderFormFieldsApi alpha exports from @backstage/plugin-scaffolder that had been inadvertently removed, breaking teams relying on scaffolder form customization in the new frontend system. The release also bumped @microsoft/api-extractor to 7.57.3. Teams using scaffolder alpha APIs should upgrade immediately.

The earlier v1.48.1 patch (February 18) fixed a missing sidebar item in frontend system docs and a type compatibility issue in FrontendFeature. Together, these patches close the v1.48 stabilization window.

v1.49.0-next.0, the first pre-release of the next monthly cycle, also appeared near the end of the week.

ContribFest web app launches

The Backstage blog published its first post of 2026 on February 25: "Get a jump on ContribFest with the new web app." Written by Elaine de Mattos Silva Bezerra (DB Systel), Heikki Hellgren (OP Financial Group), and André Wanlin (Spotify), the post announces contribfest.backstage.io - a purpose-built app to onboard contributors for ContribFest at KubeCon Europe in Amsterdam on March 26 at 13:45 CET.

The app features five sections: Welcome, Getting Started, Curated Issues, Contrib Champs (celebrating past merged PRs), and Hall of Hosts. New Dev Containers support enables streamlined local setup using Docker Desktop and VS Code or IntelliJ. Past ContribFest contributions highlighted include TechDocs pagination, OpenShift auth provider work, and HTML rendering fixes in GitHub-flavored Markdown.

This cross-organization collaboration signals the project's maturation - contributor onboarding is now a community-driven effort, not just a maintainer task.

Backstage Community Session - February 18, 2026

The latest Backstage Community Session is now available on YouTube. Mihai kicks things off with a walkthrough of what's new in v1.48.0 - catalog extension points graduating out of alpha, stricter API override restrictions, experimental MCP authorization via Client ID Metadata Documents, and experimental token refresh support. From there, the session covers a call for community members to join the new Backstage reviewer program, where your feedback shapes PR prioritization and your own PRs get priority review in return. The highlight of the session is a talk from Volvo Group's Mingdao and Tom, who share how one of the world's largest manufacturers adopted Backstage - rolling out golden paths, access provisioning, and community-driven templates while navigating the organizational challenges of a large-scale IDP rollout. A Q&A with the Volvo team follows. Watch the recording here.

Publications

Roadie publishes TechDocs Guide

Roadie published "Splitting TechDocs Out of Our Monolithic Backstage Deployment" on February 26, detailing how they redesigned their multi-tenant Backstage architecture to solve resource contention issues. The article walks through their original monolithic design where each tenant ran a single Backstage backend pod containing all plugins (Catalog, Scaffolder, TechDocs, Auth), and how TechDocs' resource-intensive workload - fetching documentation files, rendering Markdown, running MkDocs generators - began causing CPU saturation and memory pressure that impacted unrelated functionality like catalog ingestion and authentication.

The solution was extracting TechDocs into a separate Backstage backend service that runs independently using Backstage's native discovery service for backend-to-backend communication. Each tenant now runs two distinct services: a core Backstage backend handling catalog, scaffolder, and auth, and a dedicated TechDocs backend. Results were immediate: cleaner cluster allocations with CPU and memory limits tuned specifically for documentation workloads, improved stability with documentation builds no longer pressuring core APIs, and easier debugging with resource spikes immediately attributable to the correct service. The article emphasizes that Backstage provides the primitives needed to support this modular design, and at scale, using them becomes "less of an optimization and more of a requirement." For teams running Backstage in multi-tenant or high-scale environments experiencing similar symptoms, the piece recommends examining heavy backend plugins and questioning whether they belong in the same process as core Backstage functionality.

Spotify's multi-agent architecture for advertising

Spotify Engineering published "Our Multi-Agent Architecture for Smarter Advertising" on February 19, detailing how they built Ads AI - a multi-agent system using Google's Agent Development Kit (ADK) and Vertex AI. The system transforms media planning from a 15-30 minute manual process requiring 20+ form fields into a conversational interface generating optimized plans in 5-10 seconds using 1-3 natural language messages.

The architecture decomposes planning into specialized agents - RouterAgent, GoalResolverAgent, AudienceResolverAgent, BudgetAgent, ScheduleAgent, and MediaPlannerAgent - executing in parallel. Three key learnings resonate with the Backstage community: prompt engineering is software engineering (prompts need version control and testing), agent boundaries matter (one agent per distinct skill or data source), and evaluation requires new approaches beyond traditional unit testing.

While not a Backstage feature, this connects directly to where Backstage is heading. The v1.48.0 release shipped experimental Client ID Metadata Documents and experimental refresh token support - both designed to reduce MCP client authentication friction. Combined with the @backstage/plugin-mcp-actions-backend plugin and Spotify's AiKA AI Knowledge Assistant, the trajectory is clear: Backstage is becoming the MCP server hub for platform engineering.

Infralovers' three-part series on AI-assisted Backstage development

Infralovers, a Backstage consulting firm, published the final two parts of a notable three-part blog series during the week:

Oct 31, 2025 - "Beyond Copy-Paste: Building Backstage with AI-Assisted Development" detailed how Claude Sonnet 4.5 and GitHub Copilot helped navigate custom Backstage integrations with Crossplane and ArgoCD. The post documented real integration friction - scaffolder temporary directories, the publish:github:pull-request vs. publish:github distinction, ArgoCD rejecting catalog-info.yaml - and showed how AI pair programming resolved each issue faster than traditional documentation searching.

Feb 20 - "Five Levels of AI Development: Why the J-Curve Gets Everyone" applied Dan Shapiro's five-level framework to developer tooling, arguing that 90% of "AI-native" developers are stuck at Level 2 (pair programming) when the real gains come at Levels 3-4 (specification-driven development and autonomous workflows).

Feb 22 - "Dark Factory Architecture: How Level 4 Actually Works" got concrete about Level 4 in practice, referencing StrongDM's "Digital Twin Universe" approach and Boris Cherny's claim that 90% of Claude Code was written by Claude Code, with SemiAnalysis estimating 4% of public GitHub commits now attributable to Claude Code.

The series offers practical context for Backstage adopters evaluating where AI fits in their developer portal strategy - not as a chatbot bolted onto the sidebar, but as a fundamental shift in how platform engineering work gets done.

Community Discussions

Alpha MetricsService Merged into Backstage Core

One of the most celebrated milestones in #backend-system this week: the initial alpha implementation of a native MetricsService was merged into the backstage/backstage repo. Community member kurt had been championing this effort for weeks and celebrated with the note "I am very stoked to see the initial alpha merged," thanking the maintainers who rallied to get PR #32358 (feat(metrics): Implement MetricsService by benjdlambert) across the finish line. The service provides a first-class, framework-native way to emit metrics from Backstage backends - an alternative to the community's current patchwork of OTel instrumentation. The next milestone is documenting the current state and migrating catalog metrics to the new abstraction; kurt opened a meta issue thread to avoid duplicate effort.

"How Do I Actually Delete a Catalog Entity?" - The Cache Mental Model

An 8-message thread in #catalog surfaced a question many new adopters run into: a user tried to delete test entities via the OpenAPI spec by UID, only to find them reappearing with a new UID after a refresh. Maintainer freben delivered the canonical answer - "The catalog is sort of like a big cache, a mirror of externalities… the thing that generated the entity keeps generating the entity as it was instructed to. There's no functionality like 'delete this and refuse all future attempts at creating something with that name'." The resolution is to disconnect or modify the source (e.g., the GitHub repo), not the catalog record. This remains one of the most common conceptual hurdles for new Backstage adopters.

Disabling Software Templates Registered from catalog-info.yaml

A lively 9-message thread in #general started when phred-te discovered that individual repositories can register their own software templates directly from catalog-info.yaml. The question was whether a platform team could disable this auto-discovery to prevent teams from self-registering templates they shouldn't. Core contributor Peter "ParsiFal-M" confirmed that catalog.rules governs this behavior and should prevent unwanted registrations - though the caveat is that the Backstage demo doesn't explicitly exercise this rule so community members were testing edge cases live.

Migrating from GitHub GHEC to GitHub EMU - Running Dual Auth Providers

A timely discussion landed in #auth this week as Pedro described a real-world migration scenario: moving from github.com (GHEC) to GitHub Enterprise Managed Users (EMU), where users temporarily exist in both systems. The key questions: can Backstage run two GitHub auth providers simultaneously in the same instance? If not, what is the recommended EMU-first auth pattern with a fallback during the cutover window? Options discussed include a single provider routing by email domain/org membership, a custom sign-in resolver that attempts EMU first, or a custom auth provider with fallback logic. If you're planning a similar migration, this thread is worth following.

Extending the Catalog Component Spec with Custom Fields

A thoughtful architecture question in #catalog from new adopter Finn Molloy: their team wants to add a spec.license field (SPDX identifier) and a spec.thirdParty boolean to the Component kind - and they've implemented it using a custom Zod schema validator and a custom processor plugin rather than annotations. Their reasoning: typed fields are preferable to string annotations, especially for booleans. They asked whether this approach is safe/recommended or whether company-specific annotations are the better path. This is a great practical exploration of the catalog's extensibility model that will resonate with any team standardising their component metadata.

Community-Built Producer/Consumer Catalog Graph Processor

In a standout community contribution post in #catalog, isaias.b shared a custom catalog processor that creates symmetric relation types (producesTo/producedBy, consumesFrom/consumedBy) for modelling data flows between components - think Kafka topics, DB schemas, queues, and other resources. The processor and example catalog.yaml were shared directly in the channel with working screenshots of the resulting catalog graph. It's the kind of pattern that Backstage's extensibility model was designed for, and demonstrates how rich service dependency maps can be created without any core changes.

Frontend System Migration: Beware of Duplicate Extension Errors

An 8-message thread in #frontend-system is a useful debugging reference for anyone currently migrating plugins to the new frontend system. lgnd_seba hit the Plugin 'helm-dashboard' provided duplicate extensions: page:helm-dashboard error while migrating a two-page plugin. The culprit: when a PageBlueprint extension is created, the name property must be kebab-case (a-name-like-this rather than Something Like This). Maintainer vinzscam confirmed this requirement. If your NFS migration is failing with duplicate extension errors, this is the first thing to check.

API Extractor Issue Could Break CI for Community Plugin PRs on v1.48.0 Bump

In #maintenance, maintainer Ahhhndre flagged PR #32950 - an issue with the API Extractor tsdoc-base configuration that is expected to cause CI failures across community plugin PRs when the version bump to 1.48.0 runs. Plugin maintainers were advised to watch for this and may need to update PRs manually. Separately, the automated version bump scheduler was running as of Feb 24, generating v1.48.2 community plugin bumps - see the auto-version-bump thread for the schedule.

Changelog

v1.48.2 - February 24, 2026

Fixes:

• Restored formFieldsApiRef and ScaffolderFormFieldsApi alpha exports in @backstage/plugin-scaffolder that were removed in v1.48.0
• Updated @microsoft/api-extractor to 7.57.3

Release:v1.48.2

v1.49.0-next.0 - Pre-release

The first pre-release of the v1.49.0 cycle is now available for early testing.

Release:v1.49.0-next.0

Backstage v1.48.0 Ships with Major New Frontend System Updates

Backstage v1.48.0 shipped February 17 after nearly a month of pre-release testing. The release brings significant changes to the New Frontend System, including graduated catalog extension points, experimental MCP authorization support, and breaking changes to API restrictions.

Key highlights:

• Catalog processing extension points graduated from alpha to stable (remove /alpha imports).
• API restrictions now enforced (plugins can only provide APIs to themselves, not other plugins). * New createServiceMock and createApiMock utilities for testing.
• Plugin titles and icons now supported, and module federation enabled by default without build-time overhead.

The release also introduces experimental catalogScmEventsServiceRef for instant catalog updates via webhooks, experimental Client ID Metadata Documents for MCP authorization (auth.experimentalClientIdMetadataDocuments.enabled), and experimental refresh token support to prevent hourly token expiration.

The breaking changes caught some teams off guard. Some users reported Soundcheck rendering issues tied to recently removed CSS variables in Backstage UI. Anyone running a custom theme should check that their files are referencing current CSS tokens before upgrading.

v1.48.0 release notes

v1.48.1 Patch Fixes Type Compatibility and Documentation Issues

A patch release shipped February 18, fixing two regressions from v1.48.0:

• A missing sharing extensions sidebar item in the frontend system architecture docs
• A type compatibility issue for older plugins in the FrontendFeature type.

If you upgraded to 1.48.0 and hit plugin type errors, update to 1.48.1.

v1.48.1 release notes

Security Advisory: CVE-2025-69873 in ajv Dependency

Community members flagged CVE-2025-69873 (CVSS 8.2) affecting ajv@6.12.6, a transitive dependency of @backstage/cli@0.35.3. The vulnerability involves potential denial-of-service via uncontrolled schema input. Maintainer freben assessed impact as low since ajv only runs during build, not in production applications. Teams that tried resolving it by upgrading to ajv@8.18.0 ran into breaking changes in the CLI's linting pipeline. The maintainers are still working through it.

CVE details

Roadie Blog

Roadie published a new post this week on GitLab integration: Supercharge your GitLab setup with Roadie's Internal Developer Portal. It covers how teams using GitLab can eliminate repo sprawl, centralize ownership and governance, and visualize CI/CD pipelines through Roadie's managed Backstage platform. The post focuses on getting a production-ready IDP running in hours rather than months.

Community Discussions

Release Updates: Backstage v1.48.0 and v1.48.1

Backstage v1.48.0 shipped on February 17, followed quickly by a patch release v1.48.1 on February 18. The patch fixed two regressions introduced in 1.48.0: a missing sharing extensions sidebar item in the frontend system architecture docs, and a type compatibility issue for older plugins in the FrontendFeature type. Community members reported that some third-party plugins (notably Soundcheck) showed rendering issues after upgrading to 1.48.0, and a thread in #general noted that GabDug pointed to recently removed CSS variables in the latest Backstage UI update as a likely cause. Users encountering visual glitches after upgrading should check whether they need to update CSS variable references in custom theme files.

New Frontend System: "Is It Production-Ready?" Gets a Definitive Answer

One of the most active discussions of the week came from #support (25 replies), where Dinesh asked whether the New Frontend System is production-ready, what the alpha/experimental status means, and whether teams should migrate now or wait.

Maintainer Ahhhndre gave a clear and confident answer: the NFS has been announced as adoption-ready for several months and many organizations are already running it in production. The thread evolved into a practical migration walkthrough, with Sarabadu and Ahhhndre helping Dinesh navigate the transition from convertLegacyAppOptions to the new createApp API and clarifying plugin compatibility with signals.

Key clarifications from maintainers:

• There is no difference from a deployment standpoint between the legacy and new frontend systems.
• convertLegacyAppOptions is a transitional helper that will be removed once the full migration is complete.
• signalPlugin is already NFS-compatible and should not be added to the legacy options during migration.

If you're looking for more information, check out these docs and migration guides

BUI Migration Pain Points: Theming and Missing Card Types

Teams migrating to Backstage UI (BUI) ran into several friction points this week. In #frontend-system, lgnd_seba reported being unable to apply a custom theme when migrating to BUI, finding that neither import '@backstage/ui/css/styles.css' nor the CSS variable approach using [data-theme-mode='dark'] caused the component to pick up the custom font; it fell back to the BUI default system-ui. In the same channel, adders flagged that EntityDependencyOfComponentsCard is missing an entity-card equivalent in the NFS, with no clear workaround for using existing cards. Brian Wink noted that type: summary was removed in 1.48.0 for Overview cards, raising questions about how to place two smaller cards side-by-side without it.

Security Advisory: CVE-2025-69873 in ajv@6.12.6 (Backstage CLI Dependency)

A message thread in #security raised a Snyk alert for ajv@6.12.6, which is a transitive dependency of @backstage/cli@0.35.3. The vulnerability is CVE-2025-69873 (CVSS 8.2, SNYK-JS-AJV-15274295) and involves a potential denial-of-service via uncontrolled schema input. Maintainer freben assessed the impact as low for Backstage since ajv is used only in the build process (not in the running application).

Teams attempting to resolve the issue by upgrading to ajv@8.18.0 reported that doing so breaks the CLI's linting pipeline with "NOT SUPPORTED: option missingRefs" errors. The thread was ongoing as of Feb 18, with the team investigating the correct version bump path.

CVE details

Call for Help: SCM Webhook Event Handlers for the Catalog

In #catalog, maintainer freben shared an open call for community contributions. The Backstage catalog now has a generic interface for handling SCM events (things like file changes, repo renames/deletions, branch creation, and archiving), but only a GitHub adapter has been implemented so far. Teams using GitLab, Bitbucket, or other SCM providers that want instant reactive updates to catalog state are encouraged to contribute adapters. This was a required feature for the 1.48 release cycle.

GitHub Issue #32833

Community Plugin: Excalidraw-Style Catalog Graph

Milan May'r shared a new community plugin in #visual-design and #plugins: backstage-plugin-roughjs-catalog-graph, which replaces the standard Relations Graph on entity pages with one rendered using rough.js (the same hand-drawn aesthetic popularized by Excalidraw). The plugin takes approximately five minutes to install. It received positive reactions in the community and is a fun way to give the dependency graph a more casual, whiteboard-style look.

View the plugin on GitHub

Kubernetes-Ingestor Plugin: New Release with Cache Improvements

A 9-message thread in #plugins tracked a community request for a new release of the kubernetes-ingestor plugin. User prims47 had contributed a PR improving cache behavior when resolving owner from namespace, and Thomvaill's team was waiting on the release to plan their project schedule. Plugin maintainer Scott Rosenberg (vRabbi) confirmed on Feb 17 that a new release went out with the changes, and prims47 noted significantly improved performance on local testing.

Volvo Backstage Adoption Story Featured in Community Session

In #adoption, mihait announced that the upcoming Backstage Community Session (week of Feb 18) would feature Volvo showcasing their Backstage adoption journey. This continues the tradition of enterprise adoption stories in the monthly community calls and is a great resource for teams making the business case for Backstage internally.

TechDocs Content Rendering Randomly Blank in 1.44.x

A detailed bug report landed in #techdocs from user RP on Feb 17: TechDocs pages randomly show a blank content area while the sidebar renders correctly, with the issue appearing after 3–20 navigation clicks through docs pages.

The instance is running Backstage 1.44.1 with an external builder and GCS publisher. Network inspection showed all requests completing with 200/304 responses and no timeouts, making it tricky to diagnose. RP noted the issue is more common on pages with nested navigation and a custom plugin linking TechDocs for 150+ technologies. The thread was open for community input as of this writing.

Changelog

v1.48.0 (Feb 17, 2026) Major release with graduated catalog extension points, NFS enhancements, module federation enabled by default, experimental MCP authorization, and breaking changes to API restrictions. Full changelog at docs/releases/v1.48.0-changelog.md.

v1.48.1 (Feb 18, 2026) Patch release fixing missing sharing extensions sidebar item in frontend system docs and type compatibility for older plugins.

All releases

Wiz published their first-party Backstage plugin on February 6. The @wiz-sec/backstage-plugin-wiz package surfaces Wiz Issues and Vulnerabilities directly in your portal by mapping Wiz projects to catalog components.

You can search and filter findings by rule, resource, or CVE, track severity, and navigate into Wiz for remediation without leaving Backstage. This is distinct from the earlier Roadie-built Wiz plugin, representing Wiz's own investment in the Backstage ecosystem.

Wiz blog post

Spotify Details Mobile Release Engineering with Backstage

Spotify Engineering published Part 2 of their mobile release process deep-dive on February 9. The post details how their Release Manager Dashboard, built as a Backstage plugin in React/TypeScript, uses the Software Catalog for build distribution configuration.

The article covers the evolution from Jira-based release tracking to a unified Backstage-powered dashboard, including backend optimization, automated release progression ("the Robot"), and data-driven release insights.

Read the post | Part 1 from April 2025

From the Roadie Blog

We published Backstage Microservices Strategies: Taming Sprawl with a Service Catalog on February 12.

The piece tackles the ownership problem: when a 3 AM incident cascades through your 400-microservice architecture, who owns what's broken? Without a centralized system of record, you accumulate "zombie services" that nobody claims until they fail.

Key sections cover the hidden cost of microservices at scale (Expedia's 5,000 developers managing 20,000 services), how Backstage functions as your microservices operating system, Golden Paths that eliminate the copy-paste tax (Spotify's new service creation time dropped from 14 days to 5 minutes), dependency visualization for blast radius analysis, and Tech Insights that gamify production readiness.

The article compares self-hosted versus managed options, noting self-hosted typically requires 2-3 dedicated FTEs with TypeScript/React expertise, while managed solutions like Roadie cost approximately $20/user/month with same-day setup.

Community Discussions

New Pull Request Review Workflow for Backstage Contributors

The Backstage maintainers have launched a significantly improved pull request review process that makes it easier for community members to become reviewers. The new workflow incorporates a dedicated reviewers group from the start, addressing long-standing feedback about contribution barriers. This change aims to make the review process more transparent and accessible, particularly for those wanting to contribute at a deeper level. The initiative comes with a call for new reviewers to join the program, with RBAC permissions to ensure only authorized platform team members can participate.

Developer Experience: Manual Triggering of Scheduled Tasks

A significant discussion emerged around the pain points of testing scheduled tasks during development. Currently, developers must modify task frequency in config, restart the app, and wait for execution—a slow feedback loop that can take several minutes per iteration. Community member Thomvaill proposed building a "Task Manager" plugin that would provide a UI at /task-manager to list and manually trigger tasks across all plugins, leveraging the existing scheduler trigger API (POST /.backstage/scheduler/v1/tasks/<taskId>/trigger). The proposed solution would integrate with Backstage's native auth, support RBAC permissions, and show task status, run history, and cadence information. This resonated with multiple community members facing similar development workflow challenges.

Security Vulnerability: tar Package Advisory

Users reported concerns about the tar package vulnerability (versions <=7.5.3) affecting Backstage 1.45.3 installations. The discussion focused on identifying remediation paths and whether upgrading to newer Backstage versions would resolve the issue. This thread included 14 messages with community members sharing workarounds and dependency resolution strategies, highlighting the ongoing need for security vigilance in the ecosystem.

Scaffolder: Multiple Action Modules Support

Discussion about scaffolder architecture revealed questions about organizing multiple action modules within a single scaffolder backend module. When running yarn backstage-cli new to create a new action module, developers wondered whether multiple actions should live in separate subdirectories or if there's a recommended pattern for organizing multiple related actions. The conversation highlighted documentation gaps around scaffolder action organization patterns.

Catalog Backend: SQLite Race Condition Issues

Users encountered race condition problems when using SQLite for Backstage catalog backend storage, with multiple participants discussing whether this is a known limitation of the in-memory/SQLite configuration. The recommendation shifted toward using file storage or PostgreSQL for production deployments to avoid database locking issues during concurrent operations. This thread contained 8 messages exploring the technical details of the problem and referencing GitHub issue #22207.

Authentication: GitHub Enterprise OAuth Scope Errors

Multiple users reported "Refresh failed, session has not been granted the requested scope" errors when trying to access Backstage components. The discussion focused on GitHub integration configurations and whether certain auth providers properly handle scope refresh tokens. Additionally, there was a thread about GitHub Enterprise authentication CORS policy issues when the GitHub Actions plugin attempts to fetch CI/CD pipeline data from self-hosted instances.

Backend System: OpenTelemetry Setup Challenges

A user struggled with internal Backstage metrics deployment using Helm Chart, specifically around OpenTelemetry configuration. The thread included detailed troubleshooting with 2 messages pointing to GitHub issue #307 in the backstage/charts repository for documentation improvements around metrics setup.

Community Plugin: rough.js-based Relations Graph

A new community plugin was shared that updates the visuals of the Relations Graph using the rough.js library to give components a hand-drawn, sketch-like appearance inspired by Excalidraw. The implementation is described as simple and takes only 5 minutes to set up, offering an alternative visual style for catalog entity relationships. View the plugin on GitHub →

Catalog Backend Actions Documentation

A discussion emerged about whether there should be formal documentation for the catalog-backend actions or if the community should rely on description and parameter descriptions within the code. The conversation highlighted interest in creating a basic README under the actions directory or in the top-level catalog plugin documentation to make these actions more discoverable for developers.

CNCF Travel Support for KubeCon EU Contributors

Community contributor Ayush More, who has been contributing to Backstage for several months, received approval for a CNCF Travel Scholarship to KubeCon EU. However, as a 17-year-old traveling solo from India, additional costs like the Tatkaal passport and Schengen visa aren't covered. The community discussed possibilities for a small $200-300 "contributor stipend" to help bridge this gap, highlighting the challenges young international contributors face attending events.

Changelog

Core Releases

v1.48.0-next.2 (Feb 10, 2026) Pre-release continuing v1.48.0 development. Full changelog at docs/releases/v1.48.0-next.2-changelog.md. The demo site runs this version for early testing.

Latest stable release remains v1.47.3 from February 2.

All releases

Backstage v1.47.3 shipped February 2nd with security fixes for @backstage/plugin-techdocs-node. The patch addresses vulnerabilities in how TechDocs handles external content. If you're running TechDocs, upgrade now.

Still on 1.46.x? v1.46.5 backports the same fixes.

This follows the security improvements in v1.47.0 from January 20th for Software Templates and external content reading. Use the Backstage Upgrade Helper for your upgrade.

v1.47.3 release notes | v1.46.5 release notes

14+ Community Plugins Updated

Between February 4-5, over 14 community plugins got version bumps for v1.47.3 compatibility: SonarQube, Azure DevOps, RBAC, Jenkins, OCM, Tech Radar, ServiceNow, 3scale, Quay, Keycloak, and several scaffolder backend modules.

Beyond version bumps, a few substantial changes landed:

Cost Insights now supports custom date ranges (#7463). You can analyze cloud costs over specific periods instead of fixed windows.

Confluence fixed legacy app-config compatibility for the search collector (#7494).

MCP Chat updated to @modelcontextprotocol/sdk v1.26.0 (#7479).

Browse all updates

BackstageCon Europe: Dates Confirmed

As we mentioned last week, BackstageCon Europe 2026 happens March 23-26 in Amsterdam, co-located with KubeCon + CloudNativeCon Europe. The sponsorship deadline passed February 2nd, but registration opens soon.

Amsterdam will also host a Backstage ContribFest session on March 26th where you can contribute directly to the project. Full schedule here.

If you missed BackstageCon North America 2025 in Atlanta, videos are available on Backstage Community YouTube.

Event page

Ecosystem Pulse

AI + Platform Engineering convergence continues to be a major theme for 2026. Jennifer Riggins at The New Stack published In 2026, AI Is Merging With Platform Engineering. Are You Ready? noting that Spotify used AI agents to generate 1,500+ merged PRs with 60-90% time savings, and internal developer platforms have become "nearly universal" per the DORA report.

Roadie published AI, IDPs and Platform Teams: What We're Seeing documenting how platform teams are experimenting with RAG over TechDocs, AI-powered scaffolder actions, and natural language queries across internal tools. Key challenge: AI agents are being built in silos without discoverability, ownership, or governance. Roadie's solution treats AI agents as first-class catalog entities, just like services, enabling teams to track who owns what, where PII flows, and whether agents follow security standards.

Community Discussions

Aliases Configuration Partially Broken

A user deploying Backstage with multiple aliases in #general hit customization issues on January 30. Ingress patches, CORS configuration, and Azure app callbacks all need fixes. Only some alias functionality works.

Tar Vulnerability in 1.45.3

The #general channel surfaced a discussion February 5 about the tar (< 7.5.3) vulnerability affecting Backstage 1.45.3. Tar is a transitive dependency. The bookworm-slim base image makes this worse because packages age without updates.

Users want remediation options. No clear path forward yet.

Dark Mode Theming Broken

Custom themes with company logos work in light mode but break in dark mode, according to a #general post tagged #visual-design from February 5. The sidebar uses one theme, while catalog and home pages use different theming.

Timezone Support Request

A Sydney-based team asked in #meetups on February 2 for different timezone support for community sessions and calls. Current times mean 2am calls.

Renovate Creates Immortal PRs

Renovate creates persistent PRs for Backstage security updates, according to discussion in #maintenance on January 30. OSV vulnerability alerts create too many PRs. You can't configure them at package level, only globally. These PRs block the concurrent PR limit.

The maintainers opened a GitHub discussion asking what you want prioritized in 2026. Four themes have emerged:

Performance and Reliability: Core performance improvements, better memory management, and stability at scale. This matters if you're running Backstage for hundreds or thousands of engineers.

Scaffolder Enhancements: Better workflows, clearer form UX, and debugging tools that actually help. If you've wrestled with template errors, this should interest you.

Tech Stack Modernization: React 19, TypeScript 5.7+, and modern bundling. This isn't just version bumping, it's about making Backstage easier to extend and maintain.

Security Improvements: Enhanced auth patterns and security features. Given the sensitive data Backstage handles, this is overdue.

The discussion is active now. If you have strong opinions about what needs fixing or improving, add them there.

BackstageCon Europe: March 23 in Amsterdam

BackstageCon Europe 2026 happens March 23 in Amsterdam, co-located with KubeCon + CloudNativeCon Europe.

Sponsorship deadline is February 2. Registration is open.

Backstage Ranks #5 in CNCF Velocity

The CNCF's 2025 Annual Survey ranks Backstage as the #5 CNCF project by velocity. The CNCF project page shows the current metrics:

• 46,063 total contributors
• 13,506 contributing organizations
• $125.1M estimated software value
• Health score: 82 (excellent)

Backstage Changelog

v1.48.0-next.0 Pre-Release

Released January 27, this pre-release packages the latest features heading into v1.48.0. The full changelog has details.

v1.47.0 Breaking Changes and Updates

v1.47.0 shipped January 20 with 103 PRs from 40 contributors. Here's what breaks and what improves:

Table Component Redesign

The Table in @backstage/core-components got rebuilt. If you use custom columns or cell renderers, they need updates. The new version performs better and gives you more control over pagination.

Check the release notes for the migration guide.

Blueprint Component Deprecations

Blueprint.js components are being replaced with Material UI equivalents. The deprecation warnings tell you what to use instead. This isn't urgent but plan for it.

GithubOrgEntityProvider Performance Fix

The GitHub org provider now does incremental updates instead of full refreshes. If you ingest hundreds of repos, this matters. Update your config to enable it.

AWS S3 Auth Priority Change

The URL reader now uses explicit credentials before falling back to environment variables. If you're using S3 for TechDocs storage, verify your auth setup still works.

URL Reader Redirect Validation

Redirects now get validated to prevent security issues. This might break integrations that rely on redirect chains. Test your setup after upgrading.

Kubernetes Plugin Backend Migration

New backend modules are available for the Kubernetes plugin. The old approach still works but follow the migration guide to move to the new system.

Docker Image Updates

v1.47.0-next.2 moved to Node 24 and Debian Trixie. The Docker deployment docs show the new node:24-trixie-slim base image.

Community Discussions

Release Updates: v1.47.2 Fixes Zod Issues

A new patch release, Backstage v1.47.2, has been published. This is a critical update as it fixes a breaking Cannot find module 'zod/v3' error that affected users on 1.47.1 and caused automated version bump processes for community plugins to fail. The issue stemmed from work to migrate to Zod v4 leaking into the release.

• Fix: The patch restores dependency on a specific version of Zod.
• API Factory: It also rolls back immediate breaking changes regarding API factory conflicts, converting them to deprecation warnings instead.
• Community Plugins: Following this fix, the automated version bump process for community plugins has been re-triggered and is back to green.

See the release notes or view the discussion in #maintenance.

Managing Community Plugin Updates

There was an insightful discussion in #plugins regarding how community plugins are released and upgraded:

• Release Process: Once a functionality PR is merged, a "Version Packages" PR is generated. The new version is only published to NPM after that second PR is merged.
• How to Update: Running the standard yarn backstage-cli versions:bump does not update community plugins by default. To bump these packages manually without Renovate, use: yarn backstage-cli versions:bump --pattern "@backstage-community/*"

DevTools and Scheduler Configuration

In #general, users discussed configuring devtools.scheduledTasks.plugins. Current findings suggest that Catalog, Search, and Notifications are the primary plugins supported in this configuration section.

Technical Q&A Highlights

Several technical patterns were debated in #general:

• Config outside React: Users looking to access app config outside of React components (without useApi) were pointed toward defaultConfigLoader.ts as a reference implementation.
• Migration Rollbacks: There is an active issue regarding rolling back backend-defaults scheduler migrations (20250411000000_last_run.js). The standard Knex rollback commands are failing with a "migration directory corrupt" error because the file references tables not strictly bound to the expected database context.
• Tag Validation: A reminder that the Catalog currently enforces lowercase tags; uppercase tags in catalog.yml will fail registration.

From the Roadie Blog

Creating Backstage EntityProviders at Runtime

Brian Fletcher's runtime EntityProviders guide shows how to build a provider pooling pattern. The key idea: pre-register providers at startup, then assign them to consumers at runtime.

This pattern enables:

• Multi-tenancy (different teams, different data sources)
• User-defined integrations without code deployment
• Self-service onboarding
• Dynamic provider registration

If you're building a platform where users define their own integrations, this pattern solves the "restart the backend every time someone adds a data source" problem.

The Real Cost of Self-Hosting Backstage

A recent build vs. buy analysis from Roadie breaks down what self-hosting actually costs. Not just infrastructure, the engineering time to maintain it, upgrade it, and keep it secure.

The analysis covers:

• Real infrastructure costs (compute, storage, networking)
• Hidden maintenance costs (upgrades, plugin updates, security patches)
• Opportunity cost (platform team time vs. product work)
• When self-hosting makes sense vs. when managed makes sense

If you're evaluating Backstage deployment options, this gives you the framework to calculate total cost of ownership.

That's this week's Backstage Weekly. See you next week.

CNCF End User Case Study Contest opens for Backstage adopters

The CNCF announced their End User Case Study Contest, which showcases proven, real-world adoption of CNCF technologies including Backstage by end user organizations. Winners will present a 5-minute live keynote at KubeCon + CloudNativeCon EU 2026 in Amsterdam (March 23-26, 2026) and have their case study published on cncf.io. The contest closes on January 30, 2026 at 11:59pm PT, with winners announced by February 25, 2026. End user case studies published on cncf.io during 2025 will also be considered.

Submit your case study →

Backstage agent skills for AI assistants

A community member shared a new GitHub repository called backstage-agent-skills that provides Backstage skills for AI agents. The project aims to help AI assistants interact with Backstage instances programmatically. This is part of the growing intersection between AI and developer platforms as organizations look to automate more workflows.

Explore the repository →

Code Wiki generates automated documentation for Backstage

A new tool called Code Wiki has appeared that automatically generates up-to-date documentation for codebases. The community discussion highlighted its potential application for the Backstage repository itself, providing automatically generated API references and architecture overviews without manual documentation work.

Check out Code Wiki →

Backstage Changelog

A quick look at the changes that shipped in Backstage v1.47.0, released on January 20th.

Breaking Changes

• Redesigned Table and useTable in @backstage/ui - The Table component now has pagination, sorting, selection, and data display built-in. The low-level wrapper is now TableRoot. The useTable hook supports three pagination modes: complete, offset, and cursor. Migration guide →

• Updated color tokens in @backstage/ui - Color tokens updated to align with the new neutral surface-based design system. The -tint tokens have been removed.

• Redirect validation in URL reader - coreServices.urlReader now validates redirect chains against the allow list in backend.reading.allow. The FetchUrlReader class constructor is now private, replaced with a fromConfig static factory method.

• Better AWS S3 auth handling in TechDocs - Auth priority is now: 1) aws.accounts, 2) techdocs.publisher.awsS3.credentials, 3) integrations.awsS3, 4) Default credential chain.

Features

• Backend action filtering support - ActionsService now supports action filtering based on configuration to control which actions are exposed to consumers like the MCP backend.

• GitHub repository workflow access configuration - The scaffolder now supports configuring workflowAccess level when creating GitHub repositories to control GitHub Actions workflow access. Contributed by @fearphage in #32237

• Additional Kafka Events streaming settings - The Kafka event module now supports fromBeginning offsets and autoCommit. Contributed by @imod in #31410

Improvements

• Home plugin UI improvements - Widget configuration changes now only save when the Save button is clicked. A new Cancel button lets users discard unsaved changes. Contributed by @kmikko in #31198

• GithubOrgEntityProvider performance boost - The provider now fetches only specific user teams instead of all organization users when processing membership events, and uses addEntitiesOperation instead of replaceEntitiesOperation to avoid unnecessary deletions. Contributed by @angeliski in #32184

• Link component navigation fix - The Link component now properly uses React Router's navigation system instead of causing full page refreshes for internal routes.

Deprecations

• App customization blueprints moved - IconBundleBlueprint, NavContentBlueprint, RouterBlueprint, SignInPageBlueprint, SwappableComponentBlueprint, ThemeBlueprint, and TranslationBlueprint have been deprecated and moved to @backstage/plugin-app-react. These are now restricted to use in the app plugin only.

• API factory restrictions - Plugins are now restricted from overriding core Utility APIs and API factories from other plugins. Overrides must be made using plugin overrides or modules.

Security Fixes

This release contains security fixes for Software Templates and reading external content.

Community Discussions

Here's what the Backstage community has been talking about this week:

Entity naming best practices

With auto-ingestion of GitHub repos, AWS resources, and Kubernetes resources, a community member asked about handling name clashes across entity types. The discussion covered using namespaces to scope things (kubens, aws, github) versus prefixing names. Using spec.title for more explicit names in the UI was also suggested as a way to maintain clean URLs while showing friendly names.

View the discussion →

CLI templates and conditional file creation

Questions about the CLI templates feature revealed that you can name files with variables like plugin-{{ pluginId }}.prod.yaml.hbs and use conditional logic like {%- if values.some == "yes" -%}file-name.yaml{%- endif -%} to only create files when conditions are met. This applies both to file names and content within files.

View the discussion →

Getting Backstage in front of a shifting dev experience [podcast]

Pia Nilsson, GM for Backstage and Head of Developer Experience at Spotify, was interviewed on The Stack Overflow Blog to discuss the organic growth and widespread adoption of Backstage, as well as the impact of AI on developer experience. As of September 2025, Backstage boasts over 3,400 known adopters, including numerous Fortune 500 companies like Airbnb, Booking.com, H&M, Toyota, and Lego. Nilsson highlighted how Spotify approaches platform engineering and standardization to help teams address specific needs, emphasizing Backstage's role in reducing friction, cognitive overhead, and operational toil for developers. The discussion also touched upon the future evolution of the developer experience, particularly with the integration of AI-driven workflows.

Read more →

Backstage, a Mid-Year Snapshot - Platform Engineering

A mid-year snapshot from Platform Engineering in September 2025 positions Backstage as the "gravitational center" of the Internal Developer Portal (IDP) conversation, having evolved significantly since its open-sourcing. The article notes that Backstage, now at version 1.42.5, is actively maintained under the CNCF and adopted by over 270 organizations (Editors note: It's more like 3,400). This article provides a good overview of the state of the IDP ecosystem in 2025.

Read more →

Backstage Changelog

Features

• Add CLI template to create new catalog entity provider modules. #31459 by @Rugvip, merged 1 day ago
• Use app title in the auth consent screen. #31475 by @drodil, merged 2 days ago
• Update Postgres policy to support version 18 with tests on 18 and 14. #31453 by @awanlin, merged 4 days ago
• Add eslint rule that blocks importing Backstage UI CSS in plugins to keep styles consistent. #31463 by @Rugvip, merged 5 days ago

Bug Fixes

• Fix TechDocs page rerender on each subpage navigation high activity. Before https://github.com/user-attachments/assets/99566977-052f-4aca-bc0f-cedb18631ce8 After https://github.com/user-attachments/assets/bbbcf127-30d3-4785-a53c-6e9b4c64994d #31447 by @GabDug, merged 2 days ago
• Fix TechDocs CLI missing styles in version 1.10.0. Before After #31456 by @GabDug, merged 5 days ago
• Update email notifications backend to SES v2 to avoid nodemailer v7 errors. #31458 by @drodil, merged 2 days ago
• Make BitbucketUrlReader use the provided token. #31360 by @RedlineTriad, merged 6 days ago
• Fix Backstage UI CSS layer order so base and tokens apply before components. #31448 by @cdedreuille, merged 5 days ago
• Set default font smoothing in Backstage UI for clearer text. #31444 by @cdedreuille, merged 6 days ago
• Import Backstage UI CSS in index.ts to ensure styles load. #31449 by @vinzscam, merged 1 day ago

Improvements

• Soften task worker starting log text to avoid confusion about actual task start. #31460 by @freben, merged 2 days ago
• Allow running the example app with Docker using Postgres OpenSearch Redis for local dev. #31107 by @drodil, merged 2 days ago

Documentation

• Improve Backstage UI installation docs to show how to add the global theme and use components. #31471 by @cdedreuille, merged 2 days ago
• Update mainline release publishing docs to remove steps that are now automated. #31443 by @camilaibs, merged 6 days ago
• Add blog post Get ready for Backstage ContribFest at KubeCon. #31440 by @awanlin, merged 6 days ago

Ecosystem Changelog

Announcements Plugin

• Bug Fixes Add missing CSS so the dark theme renders correctly #5784 merged 6 days ago

Azure Pipelines Plugin

• Features Add option to limit clone depth for the azure repository clone action #5632 merged 5 days ago

Coder Plugin

• Features Add OAuth2 sign in to the Coder frontend Add a backend plugin to handle the OAuth2 flow #151 merged 7 days ago

Crossplane Plugin

• Features Add default exports for NFS alpha export to simplify usage merged 7 days ago

DevPod Plugin

• Features Add default exports for NFS alpha export to simplify usage merged 7 days ago

DX Plugin

• Bug Fixes Fix infinite loop in DxDataChartCard when the variables prop is missing #41 merged 2 days ago

GitHub Actions Plugin

• Changes Disable two NFS cards by default to reduce clutter Remove the optional overview card from the NFS The full view stays in the GitHub Actions tab #5678 merged 5 days ago

Kyverno Policy Reports Plugin

• Features Add default exports for NFS alpha export to simplify usage merged 7 days ago

Pipelines with Tekton Plugin

• Improvements Move status components and helper hooks into the Tekton plugin to reduce external imports #5777 merged 5 days ago

S3 Viewer Plugin

• Features Add config to show or hide bucket details for end users Default stays true to keep current behavior #183 merged 1 day ago

Scaffolder Utility Actions Plugin

• Bug Fixes Fix YAML merge when a file starts with a top level block comment #2070 merged 2 days ago

ScaleOps Plugin

• Features Add default exports for NFS alpha export to simplify usage merged 7 days ago

PagerDuty Unveils End-to-End AI Agent Suite with Backstage Integration

PagerDuty recently announced the launch of its end-to-end AI agent suite, featuring over 150 enhancements and deep integrations with various tools, including Backstage. This new suite aims to leverage AI to improve incident resolution times and reduce on-call fatigue. The integration with Backstage suggests a move towards embedding AI-driven incident management capabilities directly within the developer portal, enabling more streamlined operations and potentially automated responses to system alerts.

Read more →

Backstage v1.44.0 Release Notes

The Backstage Software Catalog and Developer Platform has announced the release of version 1.44.0, bringing several updates and improvements. Key changes include the removal of the built-in CssBaseline from UnifiedThemeProvider, requiring users to manually import @backstage/ui/css/styles.css for proper styling. Additionally, a new --entrypoint option has been added to the package start command in the Backstage CLI, allowing for custom entry directories for development applications. A notable new plugin called "Themer" has also been introduced, designed to assist with Material UI to Backstage UI migration.

Read more →

Backstage Changelog

Breaking Changes

• Remove Backstage UI ScrollArea component for accessibility reasons. #31409 by @cdedreuille, merged 1 day ago
• Remove Backstage UI Icon component to reduce bundle size and stabilize the API. #31407 by @cdedreuille, merged 1 day ago

Features

• Add Backstage UI Dialog component with header body footer and closer. #31371 by @ssjoblad, merged 2 days ago
• Add virtualization to UI menus via virtualized prop plus maxWidth and maxHeight for long lists. #31375 by @cdedreuille, merged 6 days ago
• Allow Box Container Flex Grid GridItem to pass data attributes to rendered elements. #31374 by @vinzscam, merged 6 days ago
• Add sentry fetch dsn action in scaffolder backend Sentry module to output a project DSN. #31046 by @brentswisher, merged 2 days ago
• Add support in the yarn plugin for a custom Backstage manifest location via env vars for restricted networks. #31122 by @drodil, merged 1 day ago (active discussion)

Bug Fixes

• Fix scaffolder form handling of RJSF allOf oneOf anyOf when using nested conditions at the step root. #31382 by @iainvdw, merged today
• Fix NotFound page rendering when a page extension is mounted at root slash. #31353 by @vinzscam, merged 2 days ago
• Fix default text color in Backstage UI. #31429 by @cdedreuille, merged today
• Fix default font weight and family in Backstage UI. #31432 by @cdedreuille, merged today
• Fix default font size in Backstage UI. #31435 by @cdedreuille, merged today
• Fix table sort icon position and visibility on hover in Backstage UI. #31393 by @cdedreuille, merged 2 days ago
• Fix scroll jumping when opening UI menus by avoiding modal body scroll lock. #31394 by @cdedreuille, merged 2 days ago
• Fix missing Backstage UI CSS in the dev app in dev utils. #31428 by @Rugvip, merged today
• Fix discovery of distributed actions in scaffolder backend on startup. #31244 by @drodil, merged 1 day ago

Improvements

• Update React Aria in Backstage UI to 1.13.0 with many small fixes. #31367 by @cdedreuille, merged 6 days ago
• Add CSS layers to Backstage UI to make custom CSS override defaults more predictably. #31362 by @cdedreuille, merged 6 days ago
• Convert Backstage UI components to CSS Modules while keeping theming class names. #31399 by @cdedreuille, merged 2 days ago
• Improve Backstage UI styles props across components and simplify internal styling. #31404 by @cdedreuille, merged 2 days ago
• Remove MUICssBaseline to avoid conflicts with Backstage UI styles and align resets. #31365 by @cdedreuille, merged 6 days ago

Developer Experience

• Relax ESLint rules to allow frontend plugins to import from other frontend plugins with the same plugin id for overrides without warnings. #31373 by @drodil, merged 5 days ago
• Deduplicate imports in generated OpenAPI clients in repo tools. #31297 by @rferreira98, merged 6 days ago (active discussion)
• Add renderTestApp to frontend test utils for the new routing system with extensions. #31353 by @vinzscam, merged 2 days ago

Documentation

• Fix monospace font reference in docs. #31364 by @vinzscam, merged 7 days ago
• Tidy docs including a catalog config key correction. #31426 by @freben, merged today

Reverts

• Revert user settings storage api blueprint for NFS since it replaced storageApiRef incorrectly. #31431 by @benjdlambert, merged today referencing #31413

Ecosystem Changelog

Hetzner Cloud Plugin

• Features Show CPU architecture in the UI merged 5 days ago
• Features Return server architecture in the API merged 5 days ago
• Documentation Fix dev setup instructions merged 5 days ago

Tech Insights Plugin

• Features Show multiple links on MaturityScorePage PR #5126 merged today
• Features Show error info when a check fails and the fact type is not boolean PR #5126 merged today
• Features Tweak maturity accordion summary layout PR #5126 merged today
• Bug Fixes Use the core Accordion to resolve layout issues PR #5126 merged today
• Documentation Fix a readme typo PR #5126 merged today

Pipelines with Tekton Plugin

• Features Show pipeline run params and results PR #5642 merged 2 days ago

Announcements Plugin

• Features Add updated at field so the banner shows the most recent announcement PR #5595 merged 6 days ago

Entity Validation Plugin

• Features Add support for the new frontend system PR #5222 merged 5 days ago

Q&A Plugin

• Features Support mermaid in markdown content merged 5 days ago
• Features Allow passing markdown plugins through props merged 2 days ago
• Features Allow moderators to change post authors merged 2 days ago
• Features Allow moderators to change answer authors merged 2 days ago
• Features Improve user and entity search by limiting fetched fields merged 1 day ago
• Bug Fixes Fix scaffolder import merged today
• Bug Fixes Sort entities and tags in inputs merged 1 day ago
• Bug Fixes Show loading state correctly in the posts table merged 1 day ago
• Bug Fixes Fix posts container props merged 2 days ago
• Bug Fixes Restore user field for metadata input merged 2 days ago
• Bug Fixes Use display name for user groups when available merged 5 days ago
• Documentation Add links to available plugins merged 2 days ago

Toolbox Plugin

• Features Improve overall layout merged today
• Breaking Changes Roll back to MUI four for compatibility merged today
• Bug Fixes Remove input debounce that caused slow updates merged today
• Bug Fixes Add a small input delay to improve typing UX merged today

Kubernetes Ingestor Plugin

• Bug Fixes Fix custom annotation handling merged today
• Bug Fixes Fix system reference namespace mappings merged today
• Bug Fixes Fix name and title mapping use in components merged today

Crossplane Plugin

• Features Export the API ref and client for integrators merged today
• Bug Fixes Fix the API ref export merged 6 days ago

Nobl9 Plugin

• Security Fix on headers vulnerability merged 5 days ago

Application Topology for Kubernetes Plugin

• Maintenance Move status components and related hooks into the plugin PR #5668 merged today

This week:

• State of Backstage: closing soon
• BackstageCon & KubeCon EU
• Roadie Local nears GA, Design Partnerships closing soon

State of Backstage: closing soon

The State of Backstage survey is winding down for 2025, so now is the time to fill it in if you haven't already.

The survey itself closes in April 2025.

We'll be analysing the results and publishing them via the stateofbackstage.io soon (those that filled in the survey will get an advanced copy before they're published to the wider community).

Fill in the survey now.

BackstageCon & KubeCon EU

Speaking of things that are coming very, very soon: BackstageCon & KubeCon EU in London is right around the corner.

We'll be there - Roadie founder David is on stage at BackstageCon to share what we've learned over the years about how to be successful with Backstage, as well talk what we have coming up next in Backstage-land. Roadie engineers will also be manning the booth at both BackstageCon and KubeCon.

We'll be at KubeCon booth N510.

Come say hello if you're in around. 👋

Roadie Local: Design Partnerships will be closing soon

For those that missed it: we're building a version of Roadie that you can run locally or on your own infrastructure. We call it Roadie Local.

That effort is now charging towards GA and so we're closing our call for Design Partners for the beta version soon. The first Design Partners are spinning up (on Azure DevOps Server mainly, if you'll believe it) and we've close to capacity for this tranche of testing and evaluation.

Complete the Design Partner form here.

This week:

• Terasky release some killer Kubernetes & Crossplane plugins
• Kratix makes Backstage into a true Platform
• Open-source Tech Insights gets maturity ranks

Terasky release some seriously good K8s plugins

When we think of Backstage and Kubernetes, we often don't have great associations. The Backstage K8s plugin can be fiddly and doesn't always act in the way you'd expect.

To plug that gap, the folks over at Terasky (hat-tip to Scott Rosenberg) have released a raft of new plugins that meaningfully move Backstage < > K8s forward.

Our personal favourite is the Kubernetes Ingestor plugin, which automatically pulls Kubernetes workloads into the Backstage catalog. That really is as cool as it sounds.

Check them out here or on GitHub.

Kratix brings oss platform dev and Backstage together

Speaking of big jumps forward in Backstage functionality, Kratix is a Syntasso-made OSS project dedicated to the platform-side of Platform Engineering. As their marketing site says: it makes Backstage into a full Platform, not just a Portal. You can instantiate infrastructure, autoingest it into the Catalog and generally interact with all the features you'd expect from a full Platform without leaving Backstage.

Nice stuff.

Check it out at here.

Tech Insights levels

The backend for the Tech Insights scorecard plugin is open-sourced and gets some great additions. Recently, it's seen the introduced of the concept of maturity.

We're currently understanding how much of this is a straight lift into our proprietary Tech Insights product (we have slightly different concepts, like the idea of a Scorecard, which don't exist in the open source version), but expect something on this soon.

In the meantime, check it out here.

This week:

• Roadie Local is moving to beta

• Canon gets a website

• State of Backstage keeps growing

• Project news: v1.36-next

Roadie Local is moving to beta

We mentioned it last time but for those that missed it: a self-hosted version of Roadie is coming and its coming fast.

We'll be talking about this a lot in the next few weeks and months, but the gist is that we'll be offering a locally runnable, self-hosted version of Roadie. It'll include all that you know and love about Roadie SaaS and be free for less than 15 users.

Read all about it on our blog.

If you're interested, there's still time to sign up as a Design Partner for the initial rollout but we'll be closing sign-ups for this at the end of the month.

Sign up for Roadie Local

Canon gets a website (canon.backstage.io)

It's all Canon this, Canon that these days, but with good reason.

The default Backstage UI has been largely unchanged for 4-5 years and UIs for dev tools have come a long way since then.

That's why we're so excited about Canon and the shift to BaseUI and headless components (for those not au fait with all this frontend jazz - it's about decoupling component structure and behaviour from styling, harkening back to the days of the HTML, JS and CSS internet). It means you have much more control over styling than you do currently.

Exciting stuff.

Check it out at https://canon.backstage.io/

🚨 State of Backstage Survey 🚨

The State of Backstage survey is going strong.

Our goal is a few hundred responses by the end of March and we're very much on track. That doesn't mean we can let up though: the more responses we get, the more representative of the whole community this survey will be.

We'll announce the results in a report in Spring 2025.

Visit stateofbackstage.io to complete the survey.

Project updates

There have been a few updates since our last newsletter.

• Backstage v1.36.0 is up and brings Canon to it's first full release. There's also a lot of prep for a move to React 19 and the new frontend system. Reading the tea-leaves, you may assume they're related and that a bunch of frontend changes are the ways, but I couldn't possibly speculate...

Thanks!

Sam Nixon