Bump the npm_and_yarn group across 1 directory with 2 updates

[dependabot]

Bumps the npm_and_yarn group with 2 updates in the /packages/backend directory: @backstage/plugin-auth-backend and @backstage/plugin-scaffolder-backend.

Updates @backstage/plugin-auth-backend from 0.24.5 to 0.28.0

Changelog

Sourced from @​backstage/plugin-auth-backend's changelog.

0.28.0

Minor Changes

• d7c67cd: BREAKING: The setting auth.omitIdentityTokenOwnershipClaim has had its default value switched to true.

  With this setting Backstage user tokens issued by the auth backend will no longer contain an ent claim - the one with the user's ownership entity refs. This means that tokens issued in large orgs no longer risk hitting HTTP header size limits.

  To get ownership info for the current user, code should use the userInfo core service. In practice code will typically already conform to this since the ent claim has not been readily exposed in any other way for quite some time. But code which explicitly decodes Backstage tokens - which is strongly discouraged - may be affected by this change.

  The setting will remain for some time to allow it to be set back to false if need be, but it will be removed entirely in a future release.

Patch Changes

• 482ceed: Migrated from assertError to toError for error handling.
• dc87ac1: Fixed CIMD redirect URI matching to allow any port for localhost addresses per RFC 8252 Section 7.3. Native CLI clients use ephemeral ports for OAuth callbacks, which are now accepted when the registered redirect URI uses a localhost address.
• Updated dependencies
  • @​backstage/backend-plugin-api@​1.9.0
  • @​backstage/errors@​1.3.0
  • @​backstage/plugin-auth-node@​0.7.0
  • @​backstage/catalog-model@​1.8.0
  • @​backstage/plugin-catalog-node@​2.2.0
  • @​backstage/config@​1.3.7

0.28.0-next.2

Patch Changes

• 482ceed: Migrated from assertError to toError for error handling.
• Updated dependencies
  • @​backstage/errors@​1.3.0-next.0
  • @​backstage/plugin-auth-node@​0.7.0-next.2
  • @​backstage/plugin-catalog-node@​2.2.0-next.2
  • @​backstage/backend-plugin-api@​1.9.0-next.2
  • @​backstage/catalog-model@​1.7.8-next.0
  • @​backstage/config@​1.3.7-next.0

0.28.0-next.1

Patch Changes

• Updated dependencies
  • @​backstage/backend-plugin-api@​1.9.0-next.1
  • @​backstage/plugin-auth-node@​0.7.0-next.1
  • @​backstage/plugin-catalog-node@​2.1.1-next.1

0.28.0-next.0

Minor Changes

... (truncated)

Commits

• See full diff in compare view

Updates @backstage/plugin-scaffolder-backend from 1.33.0 to 3.0.3

Release notes

Sourced from @​backstage/plugin-scaffolder-backend's releases.

v1.51.0-next.1

See docs/releases/v1.51.0-next.1-changelog.md for more information.

v1.51.0-next.0

See docs/releases/v1.51.0-next.0-changelog.md for more information.

v1.50.4

This release contains security fixes for @backstage/plugin-catalog-backend-module-unprocessed , @backstage/plugin-catalog-unprocessed-entities-common version and @backstage/plugin-catalog-unprocessed-entities.

v1.50.3

This patch release fixes the following issues:

• Fix home page widgets not being draggable or resizable after the first save
• Fix facets endpoint performance regression when filters or permissions are applied
• Preserve external hrefs in BUI link components under non-root base path

v1.50.2

This patch release fixes the following issues:

• Make TechDocs sidebar positioning configurable via CSS custom properties
• Bump zod dependency to v4 for packages using configSchema and clarify that zod/v4 subpath from v3 is not supported
• Clamp React Aria dependency ranges to patch-only updates to prevent unintended minor version upgrades
• Fix active tab indicator disappearing on uncontrolled Tabs in @​backstage/ui

v1.50.1

This patch release fixes the following issues:

• Replaced old config schema values from existing extensions and blueprints.
• Fix config path resolution for embedded-postgres detection in repo start
• Update React Aria to v1.17.0 and migrate to monopackage imports

v1.50.0

These are the release notes for the v1.50.0 release of Backstage.

A huge thanks to the whole team of maintainers and contributors as well as the amazing Backstage Community for the hard work in getting this release developed and done.

Highlights

BREAKING: Identity token ownership claim removed by default

The auth.omitIdentityTokenOwnershipClaim setting now defaults to true. Backstage user tokens issued by the auth backend will no longer contain the ent claim with the user's ownership entity refs. This means tokens in large organizations no longer risk hitting HTTP header size limits.

To get ownership info for the current user, code should use the userInfo core service. The setting can still be set back to false if needed, but it will be removed entirely in a future release.

BREAKING: Standard Schema for new frontend system extension config

The new frontend system now uses Standard Schema for extension configuration. A new configSchema option has been added to createExtension, createExtensionBlueprint, as well as the override and makeWithOverrides methods on extension definitions and blueprints. This option accepts direct schema values from any Standard Schema compatible library with JSON Schema support, replacing the old config.schema callback format which is now deprecated.

To use the new configSchema option with Zod, you need Zod v4 or the zod/v4 subpath export from the Zod v3 package. The zod/v4 subpath requires a minimum Zod version of 3.25.0 — make sure to update your Zod dependency if needed:

... (truncated)

Changelog

Sourced from @​backstage/plugin-scaffolder-backend's changelog.

@​backstage/plugin-scaffolder-backend

3.5.0-next.1

Minor Changes

• 77bee9f: Updated the list-scaffolder-tasks action to support the new "status" filter parameter, allowing the action to return tasks matching a specific status.
• 07e08be: Added always() and failure() status check functions for scaffolder steps. These functions can be used in the if field of a step to control execution after failures. always() ensures a step runs regardless of previous step outcomes, while failure() runs a step only when a previous step has failed.

Patch Changes

• e9b78e9: Removed the uuid dependency and replaced usage with the built-in crypto.randomUUID().
• Updated dependencies
  • @​backstage/catalog-model@​1.8.1-next.1
  • @​backstage/plugin-catalog-node@​2.2.1-next.1
  • @​backstage/plugin-scaffolder-node@​0.13.3-next.1
  • @​backstage/plugin-permission-common@​0.9.9-next.1

3.4.1-next.0

Patch Changes

• Updated dependencies
  • @​backstage/errors@​1.3.1-next.0
  • @​backstage/integration@​2.0.2-next.0
  • @​backstage/backend-openapi-utils@​0.6.9-next.0
  • @​backstage/backend-plugin-api@​1.9.1-next.0
  • @​backstage/catalog-model@​1.8.1-next.0
  • @​backstage/config@​1.3.8-next.0
  • @​backstage/plugin-catalog-node@​2.2.1-next.0
  • @​backstage/plugin-events-node@​0.4.22-next.0
  • @​backstage/plugin-permission-common@​0.9.9-next.0
  • @​backstage/plugin-permission-node@​0.10.13-next.0
  • @​backstage/plugin-scaffolder-common@​2.1.1-next.0
  • @​backstage/plugin-scaffolder-node@​0.13.3-next.0
  • @​backstage/types@​1.2.2

3.4.0

Minor Changes

• 309b712: Added a new execute-template actions registry action that executes a scaffolder template with provided input values and returns a task ID for tracking progress.
• 5af48e7: Migrated permission registration to use the PermissionsRegistryService instead of the deprecated createPermissionIntegrationRouter. This fixes an issue where scaffolder permissions were not visible to RBAC plugins because the actionsRegistryServiceRef dependency caused an empty permissions metadata router to shadow the scaffolder's actual permission metadata. The old createPermissionIntegrationRouter path is retained as a fallback for standalone createRouter usage.

Patch Changes

• 482ceed: Migrated from assertError to toError for error handling.
• 961e274: Migrated OpenTelemetry metrics to use the MetricsService from @backstage/backend-plugin-api/alpha instead of the raw @opentelemetry/api meter.
• 8a42f77: Fix handling of after=0 in task events endpoint
• 4559806: Removed unnecessary empty examples array from actions bridged via the actions registry.

... (truncated)

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.