Bump the npm_and_yarn group across 1 directory with 2 updates #108

Open: dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/packages/backend/npm_and_yarn-241f559fd6

@dependabot dependabot Bot commented on behalf of github Jun 9, 2026

Bumps the npm_and_yarn group with 2 updates in the /packages/backend directory: @backstage/backend-defaults and @backstage/plugin-auth-backend.

Updates @backstage/backend-defaults from 0.2.18 to 0.17.2

Changelog

Sourced from @​backstage/backend-defaults's changelog.

@​backstage/backend-defaults

0.17.3-next.1

Patch Changes

  • b75158b: Adapted Azure-related tests for the Azure SDK upgrade to ESM-style exports. The AzureBlobStorageUrlReader now accepts an optional createContainerClient dependency for testability without needing to mock the @azure/storage-blob module.
  • 0211390: Added a new v2 invoke endpoint (/.backstage/actions/v2/actions/:id/invoke) that accepts a wrapped body format { input, secrets } with secrets validation. The existing v1 invoke endpoint remains unchanged for backward compatibility. Updated DefaultActionsService to use the v2 endpoint. Updated DefaultActionsRegistryService to expose secrets schema in the actions list response and validate secrets on invocation.
  • 34f21c3: Fix gitlabUrlReader issue with retrieving the repository archive tree
  • Updated dependencies
    • @​backstage/integration@​2.0.3-next.1
    • @​backstage/backend-plugin-api@​1.9.2-next.1

0.17.2-next.0

Patch Changes

  • a07e6a3: Updated AzureBlobStorageUrlReader to reference the correctly-named AzureBlobStorageIntegration type from @backstage/integration. The previously-used AzureBlobStorageIntergation is now an alias for the new type and remains a valid argument to the constructor.
  • def82d4: Fixed the built-in rate limiter throwing a validation error and refusing to start when backend.rateLimit is enabled. Requests are now keyed using the address normalization helper from express-rate-limit, which is required by newer versions of that library and ensures IPv6 clients are grouped by their address block rather than by individual address.
  • Updated dependencies
    • @​backstage/integration@​2.0.3-next.0
    • @​backstage/plugin-auth-node@​0.7.2-next.0
    • @​backstage/backend-app-api@​1.7.1-next.0
    • @​backstage/plugin-permission-node@​0.11.1-next.0
    • @​backstage/backend-plugin-api@​1.9.2-next.0
    • @​backstage/plugin-events-node@​0.4.23-next.0

0.17.1

Patch Changes

  • 90b572e: Adds an alpha TracingService to provide a unified interface for emitting trace spans across Backstage plugins.
  • 97d3bd4: Fixed a race condition in CachedUserInfoService where a failed request could incorrectly evict a newer cache entry for the same token. The error handler now verifies the map entry is still the same promise before deleting it.
  • 3595c97: Exported defaultServiceFactories to allow use with createSpecializedBackend for advanced configuration like extensionPointFactoryMiddleware.
  • 89d3248: Fixed scheduler sleep firing immediately for durations longer than ~24.8 days, caused by Node.js setTimeout overflowing its 32-bit millisecond limit.
  • d00a44b: Fixed Valkey cluster mode to use iovalkey's Cluster class instead of createCluster from @keyv/redis. The previous implementation passed a @redis/client RedisCluster instance to @keyv/valkey, which expects an iovalkey Cluster instance. This caused the cluster client to not be recognized correctly, as the two libraries have incompatible object models.
  • 2f0519c: Added a new CachedUserInfoService decorator that wraps DefaultUserInfoService with a 5-second TTL cache and in-flight request coalescing. The decorator is wired in via userInfoServiceFactory using a shared root-level cache. Repeated getUserInfo() calls for the same user token within the TTL window return the cached result without making an HTTP call to the auth backend. Note that custom UserInfoService implementations registered via their own factory will not benefit from this cache automatically.
  • 744fa1f: Removed duplicated entries that appeared in both dependencies and devDependencies.
  • e9b78e9: Removed the uuid dependency and replaced usage with the built-in crypto.randomUUID().
  • 6209065: Added context and propagation to the alpha TracingService. Plugins can bridge OpenTelemetry context across async boundaries via tracing.propagation.extract(tracing.context.active(), carrier) followed by tracing.context.with(ctx, fn), and read propagated baggage via tracing.propagation.getActiveBaggage() or tracing.propagation.getBaggage(ctx).
  • Updated dependencies
    • @​backstage/errors@​1.3.1
    • @​backstage/integration-aws-node@​0.2.0
    • @​backstage/backend-plugin-api@​1.9.1
    • @​backstage/backend-app-api@​1.7.0
    • @​backstage/cli-node@​0.3.2

... (truncated)

Updates @backstage/plugin-auth-backend from 0.22.12 to 0.29.0

Changelog

Sourced from @​backstage/plugin-auth-backend's changelog.

0.29.0

Minor Changes

  • 29d398b: BREAKING: Hardened the default allowed patterns for CIMD and DCR to replace the previous permissive ['*'] wildcards with specific defaults for known MCP clients. If you previously relied on the default ['*'] patterns, you will need to explicitly configure the patterns you need in your app-config.yaml.

    CIMD (experimentalClientIdMetadataDocuments):

    • allowedClientIdPatterns now defaults to Claude, VS Code, and the built-in Backstage CLI instead of ['*']
    • allowedRedirectUriPatterns now defaults to loopback addresses (localhost, 127.0.0.1, [::1]) instead of ['*']

    DCR (experimentalDynamicClientRegistration):

    • allowedRedirectUriPatterns now defaults to Cursor and loopback addresses instead of ['*']

    If you need to allow additional clients or redirect URIs, you can override these defaults in your app-config.yaml:

    auth:
      experimentalClientIdMetadataDocuments:
        enabled: true
        allowedClientIdPatterns:
          - 'https://claude.ai/*'
          - 'https://vscode.dev/*'
          - 'https://my-custom-client.example.com/*'
        allowedRedirectUriPatterns:
          - 'http://localhost:*'
          - 'http://127.0.0.1:*'
          - 'https://my-app.example.com/callback'
      experimentalDynamicClientRegistration:
        enabled: true
        allowedRedirectUriPatterns:
          - 'cursor://*'
          - 'http://localhost:*'
          - 'http://127.0.0.1:*'
          - 'myapp://*'

Patch Changes

  • 9f269d7: Limit the size of fetched client ID metadata documents to prevent oversized responses from being accepted.
  • 3f5e7ec: Improved OIDC error messages to include the rejected redirect URI or client ID, making it easier to debug client registration failures.
  • e9b78e9: Removed the uuid dependency and replaced usage with the built-in crypto.randomUUID().
  • 27f24a9: Refresh token usage now verifies that the user's catalog entity still exists before issuing a new access token. If the user has been removed from the catalog, the refresh is rejected and the session is revoked. Transient catalog errors reject the refresh but preserve the session for retry. This check can be disabled by setting auth.experimentalRefreshToken.dangerouslyDisableCatalogPresenceCheck to true.
  • 4f62755: Improved the OAuth consent dialog for MCP authorization by showing more client details, including the client metadata host for CIMD clients, the metadata URL, callback URL, and requested scopes.
  • Updated dependencies
    • @​backstage/catalog-model@​1.9.0
    • @​backstage/errors@​1.3.1
    • @​backstage/backend-plugin-api@​1.9.1
    • @​backstage/plugin-catalog-node@​2.2.1

... (truncated)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the Security Alerts page.
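
The 0.17.1 changelog entry 97d3bd4 quoted above fixes a failed request evicting a newer cache entry for the same token by checking that the map still holds the same promise. The code below is an added example, not Backstage code or part of this PR: it runs one constructed scenario with and without that guard, and the class, function names, injectable clock and sample values are all assumptions made for illustration.

```javascript
// Added example, not Backstage code: a token-keyed cache with in-flight
// coalescing. Every name is constructed; `now` is injectable for the demo.
class CoalescingCache {
  constructor(loader, ttlMs, now = Date.now, guarded = true) {
    Object.assign(this, { loader, ttlMs, now, guarded });
    this.entries = new Map(); // token -> { promise, expiresAt }
  }

  get(token) {
    const hit = this.entries.get(token);
    if (hit && hit.expiresAt > this.now()) return hit.promise; // reuse or coalesce
    const promise = this.loader(token);
    this.entries.set(token, { promise, expiresAt: this.now() + this.ttlMs });
    promise.catch(() => {
      // Failures are not cached. The guard is the fix: evict only while the
      // slot still holds *this* promise, never a newer request's entry.
      const current = this.entries.get(token);
      if (!this.guarded || (current && current.promise === promise)) {
        this.entries.delete(token);
      }
    });
    return promise;
  }
}

// Constructed scenario: request A outlives the TTL, B replaces it, then A fails.
// Resolves to true when B's entry was evicted by A's error handler.
async function staleFailureEvictsNewer(guarded) {
  let clock = 0;
  const pending = [];
  const loader = () => new Promise((resolve, reject) => pending.push({ resolve, reject }));
  const cache = new CoalescingCache(loader, 5000, () => clock, guarded);

  const a = cache.get('token-1');
  clock = 6000; // A's entry is past its TTL while A is still in flight
  const b = cache.get('token-1'); // B becomes the current entry
  pending[0].reject(new Error('auth backend timeout'));
  await a.catch(() => {});
  pending[1].resolve({ userEntityRef: 'user:default/alice' });
  await b;
  return !cache.entries.has('token-1');
}

staleFailureEvictsNewer(false).then(v => console.log('unguarded: newer entry evicted =', v));
staleFailureEvictsNewer(true).then(v => console.log('guarded:   newer entry evicted =', v));
```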

Bumps the npm_and_yarn group with 2 updates in the /packages/backend directory: [@backstage/backend-defaults](https://github.com/backstage/backstage/tree/HEAD/packages/backend-defaults) and [@backstage/plugin-auth-backend](https://github.com/backstage/backstage/tree/HEAD/plugins/auth-backend).


Updates `@backstage/backend-defaults` from 0.2.18 to 0.17.2
- [Release notes](https://github.com/backstage/backstage/releases)
- [Changelog](https://github.com/backstage/backstage/blob/master/packages/backend-defaults/CHANGELOG.md)
- [Commits](https://github.com/backstage/backstage/commits/v0.17.2/packages/backend-defaults)

Updates `@backstage/plugin-auth-backend` from 0.22.12 to 0.29.0
- [Release notes](https://github.com/backstage/backstage/releases)
- [Changelog](https://github.com/backstage/backstage/blob/master/plugins/auth-backend/CHANGELOG.md)
- [Commits](https://github.com/backstage/backstage/commits/v0.29.0/plugins/auth-backend)

---
updated-dependencies:
- dependency-name: "@backstage/backend-defaults"
  dependency-version: 0.17.2
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@backstage/plugin-auth-backend"
  dependency-version: 0.29.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>

@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update Javascript code) labels Jun 9, 2026
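
The 0.29.0 breaking change quoted above means an enabled CIMD or DCR block that sets no patterns no longer gets `['*']`, so the `auth` section is worth auditing before this bump is merged. The check below is an added example, not Backstage code or part of this PR: it flags missing overrides, bare `*`, wildcard hosts and cleartext non-loopback redirects, and the finding names, classification rules and sample config are constructed here.

```javascript
// Added example, not Backstage code. Keys come from the 0.29.0 changelog
// entry; finding names, rules and SAMPLE_AUTH are constructed here.
const PATTERN_KEYS = {
  experimentalClientIdMetadataDocuments: ['allowedClientIdPatterns', 'allowedRedirectUriPatterns'],
  experimentalDynamicClientRegistration: ['allowedRedirectUriPatterns'],
};
const LOOPBACK = new Set(['localhost', '127.0.0.1', '[::1]']);

function classifyPattern(pattern) {
  if (pattern === '*') return 'bare-wildcard'; // the pre-0.29.0 default
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/]*)/i.exec(pattern);
  if (!m) return 'unparseable';
  const scheme = m[1].toLowerCase();
  if (scheme !== 'http' && scheme !== 'https') return null; // custom scheme, e.g. cursor://
  // Drop an optional port; IPv6 literals keep their brackets.
  const host = /^(\[[^\]]*\]|[^:]*)/.exec(m[2])[1].toLowerCase();
  if (host.includes('*')) return 'wildcard-host';
  if (scheme === 'http' && !LOOPBACK.has(host)) return 'cleartext-non-loopback';
  return null;
}

function auditAuthConfig(auth) {
  const findings = [];
  for (const [feature, keys] of Object.entries(PATTERN_KEYS)) {
    const section = auth[feature];
    if (!section || !section.enabled) continue; // feature off: nothing to audit
    for (const key of keys) {
      const path = `auth.${feature}.${key}`;
      if (!Array.isArray(section[key])) {
        findings.push({ path, issue: 'implicit-default' }); // 0.29.0 defaults apply, not ['*']
        continue;
      }
      for (const pattern of section[key]) {
        const issue = classifyPattern(pattern);
        if (issue) findings.push({ path, pattern, issue });
      }
    }
  }
  return findings;
}

// Constructed sample, shaped like the app-config.yaml override in the changelog.
const SAMPLE_AUTH = {
  experimentalClientIdMetadataDocuments: { enabled: true, allowedClientIdPatterns: ['*'] },
  experimentalDynamicClientRegistration: { enabled: true, allowedRedirectUriPatterns: [
    'cursor://*', 'http://localhost:*', 'http://build.example.com/cb', 'https://*.example.com/*',
  ] },
};
console.log(auditAuthConfig(SAMPLE_AUTH));
```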