Bump @backstage/plugin-catalog-backend from 1.32.1 to 3.7.1 in /packages/backend

[dependabot]

Bumps @backstage/plugin-catalog-backend from 1.32.1 to 3.7.1.

Release notes

Sourced from @​backstage/plugin-catalog-backend's releases.

v1.52.0-next.1

See docs/releases/v1.52.0-next.1-changelog.md for more information.

v1.52.0-next.0

See docs/releases/v1.52.0-next.0-changelog.md for more information.

v1.51.1

This patch release fixes the following issues:

• Split queryEntities list and count queries to fix CTE materialization bottleneck
• Fix 406 response for repository/archive retrieval in gitlabUrlReader
• Restore runtime dependencies incorrectly demoted to devDependencies
• Fix msgraph userGroupMember filter error by filtering disabled users client-side

v1.51.0

These are the release notes for the v1.51.0 release of Backstage.

A huge thanks to the whole team of maintainers and contributors as well as the amazing Backstage Community for the hard work in getting this release developed and done.

Highlights

BREAKING: Removed deprecated NavItemBlueprint

The deprecated NavItemBlueprint has been removed from @backstage/frontend-plugin-api. Navigation items are now discovered from PageBlueprint extensions based on their title and icon params. If you were still using NavItemBlueprint, migrate by setting title and icon on the page extension instead. All built-in plugins have been updated accordingly.

Additionally, renderInTestApp from @backstage/frontend-test-utils no longer renders a sidebar or legacy nav-item extensions. The app nav extension is now disabled in the minimal test app shell.

BREAKING: Removed deprecated PortableSchema.schema property form

The deprecated property form of PortableSchema.schema has been removed from @backstage/frontend-plugin-api. The schema member is now a plain method that must be called as schema() — direct property access like schema.type or schema.properties is no longer supported.

BREAKING: Hardened OIDC default patterns

The default allowed patterns for CIMD and DCR in @backstage/plugin-auth-backend have been hardened. The previous permissive ['*'] wildcards have been replaced with specific defaults for known MCP clients. If you previously relied on the permissive defaults and have custom MCP clients, you will need to explicitly add their patterns to the allow list.

BREAKING: Cleaned up PolicyQueryUser type

The token and expiresInSeconds fields have been removed from PolicyQueryUser in @backstage/plugin-permission-node. These were previously deprecated in favor of credentials with coreServices.auth. The identity field has been deprecated. A new CachedUserInfoService with a 5-second TTL cache and in-flight request coalescing has been added to reduce repeated user info lookups.

BREAKING: Catalog entity pagination excludes entities without sort field

When paginating entities with an order field via /entities/by-query, entities that lack the order field are now excluded from both the result set and the totalItems count. Previously these entities appeared at the end via NULLS LAST, but cursor-based pagination could not actually reach them past the first page — the count over-reported the number of navigable entities.

BREAKING: Microsoft Graph disabled users filtered by default

The @backstage/plugin-catalog-backend-module-msgraph and @backstage/plugin-catalog-backend-module-msgraph-incremental providers now filter out disabled user accounts by default. The provider automatically applies an accountEnabled eq true filter, combining it with any custom user.filter you provide. If you need to ingest disabled accounts, set the filter to explicitly include them.

Contributed by @​mtlewis in #34165

... (truncated)

Changelog

Sourced from @​backstage/plugin-catalog-backend's changelog.

@​backstage/plugin-catalog-backend

3.8.0-next.0

Minor Changes

• 8f20cc2: /entities/by-query now accepts a totalItems parameter ('include' or 'exclude', default 'include') that controls whether the response's totalItems count is computed. Pass 'exclude' to skip the count entirely when the caller doesn't need it — useful for cursor-paginated user interfaces that only display the count cosmetically. The accepted values list is forward-compatible: future modes (e.g. approximate counts) can be added without breaking existing callers.

  The internal QueryEntitiesInitialRequest.skipTotalItems option has been replaced by totalItems: 'include' | 'exclude'. Note that skipTotalItems was never exposed as a REST API parameter, so this is only a TypeScript-level change affecting direct callers of EntitiesCatalog.queryEntities.

  Sort field keys are now lowercased before comparing against search.key, fixing silent mismatches for camelCase field names. The NULLS LAST ordering clause has been removed since NULL sort values are already excluded by the WHERE clause.

• dc7678c: Removed the immediate mode stitching strategy. All stitching now uses the deferred mode, which processes entities asynchronously via a worker queue. If your configuration includes catalog.stitchingStrategy.mode: 'immediate', it will be ignored with a deprecation warning. The pollingInterval and stitchTimeout settings continue to work as before.

Patch Changes

• 39c5fbb: Added extended multi-column statistics on (key, value) in the search table (PostgreSQL only). This tells the query planner about the correlation between the key and value columns, fixing severe row count estimation errors on compound filter queries. Without this, the planner could choose to materialize and sort thousands of rows instead of using the LIMIT short-circuit index scan — causing 10-40x slower catalog list views when multiple filters are active.

• 4829e89: Split the queryEntities list and count into separate queries instead of a multi-reference CTE. When the filtered CTE was referenced twice (once for the count, once for the data), PostgreSQL refused to inline it, forcing full materialization of the filtered set before applying LIMIT. By running the count as a standalone query, the list CTE is only referenced once, allowing the planner to short-circuit on LIMIT and return the first page in milliseconds instead of waiting for the full filtered set to materialize.

  The standalone count query also fixes a pre-existing bug where totalItems was inflated for entities with multi-valued sort fields (e.g. tags). The old CTE-based count counted search rows, so an entity with 3 tags would be counted 3 times. The new count uses EXISTS to count distinct entities, aligning totalItems with the number of entities actually reachable through cursor pagination.

• 774d698: Fixed a race condition in the stitch queue and entity processing claim logic where SELECT FOR UPDATE SKIP LOCKED row locks were released before the subsequent timestamp bump, allowing multiple workers to claim the same rows. Both the select and update now run inside a single transaction for MySQL and PostgreSQL.

• 0b8b677: Improved stitch queue semantics to prevent overlapping stitches for the same entity. New stitch requests that arrive while a stitch is in progress now only update the ticket (not the timestamp), so the in-progress worker is not interrupted. When the worker completes and detects a pending re-stitch, the queue entry becomes immediately eligible for pickup instead of waiting for the timeout period.

• Updated dependencies

  • @​backstage/catalog-client@​1.16.0-next.0
  • @​backstage/integration@​2.0.3-next.0
  • @​backstage/plugin-catalog-node@​2.2.2-next.0
  • @​backstage/plugin-permission-node@​0.11.1-next.0
  • @​backstage/backend-plugin-api@​1.9.2-next.0
  • @​backstage/plugin-events-node@​0.4.23-next.0
  • @​backstage/backend-openapi-utils@​0.6.10-next.0

3.7.0

Minor Changes

• c2de113: BREAKING: When paginating entities with an order field via /entities/by-query, entities that lack the order field are now excluded from both the result set and the totalItems count. Previously these entities appeared at the end of the sorted result via NULLS LAST, but cursor-based pagination could not actually reach them past the first page — the count over-reported the number of navigable entities. The new behavior aligns the count with what is actually returned.

  This also removes the DISTINCT deduplication from the sort-field CTE, which is a prerequisite for the planner to use the (key, value, entity_id) index in sort order and short-circuit on LIMIT. Installations with duplicate search rows should land the search-table deduplication migration before adopting this change.

Patch Changes

• 3f5e7ec: Added catalog.actions.experimentalCatalogLayersDescriptions.enabled config option. When enabled, the query-catalog-entities action description references get-catalog-model-description for field information instead of embedding a static model description.

• ccbad9d: Improved the performance of the catalog_entities_count metric.

  The legacy Prometheus and OpenTelemetry observable gauges previously each ran their own copy of the per-kind count query against the search table on every metrics scrape. On large catalogs this could pile up faster than the queries completed, contending for buffers and stalling the database.

  The two callbacks now share a single query result with a short in-process TTL cache, and the underlying query reads from final_entities instead of search, avoiding the bitmap heap scans that dominated the previous form. The emitted labels and values are unchanged.

• 17a9550: Deprecated immediate mode stitching (catalog.stitchingStrategy.mode: 'immediate'). A warning is now logged on startup when immediate mode is configured. Immediate mode will be removed in the next Backstage release. Migrate to deferred mode (the default) by removing the stitchingStrategy configuration or setting mode: 'deferred'.

... (truncated)

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)