build(deps): bump @backstage/plugin-auth-backend from 0.27.0 to 0.27.1 #319

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/backstage/plugin-auth-backend-0.27.1

dependabot bot (Contributor) commented on behalf of github Mar 12, 2026

Bumps @backstage/plugin-auth-backend from 0.27.0 to 0.27.1.

Changelog

Sourced from @backstage/plugin-auth-backend's changelog.

@backstage/plugin-auth-backend

0.28.0-next.0

Minor Changes

  • d7c67cd: BREAKING: The setting auth.omitIdentityTokenOwnershipClaim has had its default value switched to true.

    With this setting Backstage user tokens issued by the auth backend will no longer contain an ent claim - the one with the user's ownership entity refs. This means that tokens issued in large orgs no longer risk hitting HTTP header size limits.

    To get ownership info for the current user, code should use the userInfo core service. In practice code will typically already conform to this since the ent claim has not been readily exposed in any other way for quite some time. But code which explicitly decodes Backstage tokens - which is strongly discouraged - may be affected by this change.

    The setting will remain for some time to allow it to be set back to false if need be, but it will be removed entirely in a future release.

Patch Changes

  • dc87ac1: Fixed CIMD redirect URI matching to allow any port for localhost addresses per RFC 8252 Section 7.3. Native CLI clients use ephemeral ports for OAuth callbacks, which are now accepted when the registered redirect URI uses a localhost address.
  • Updated dependencies
    • @backstage/backend-plugin-api@1.8.1-next.0
    • @backstage/plugin-auth-node@0.6.15-next.0
    • @backstage/plugin-catalog-node@2.1.1-next.0
    • @backstage/catalog-model@1.7.7
    • @backstage/config@1.3.6
    • @backstage/errors@1.2.7
    • @backstage/types@1.2.2

0.27.2

Patch Changes

  • 1ccad86: Added who-am-i action to the auth backend actions registry. Returns the catalog entity and user info for the currently authenticated user.
  • d0f4cd2: Added optional client metadata document endpoint at /.well-known/oauth-client/cli.json relative to the auth backend base URL for CLI authentication. Enabled when auth.experimentalClientIdMetadataDocuments.enabled is set to true.
  • 6738cf0: build(deps): bump minimatch from 9.0.5 to 10.2.1
  • e9b6e97: Fixed a security vulnerability where the CIMD metadata fetch could follow HTTP redirects to internal hosts, bypassing SSRF protections.
  • 0f9d673: Improved redirect URI validation in the experimental OIDC provider to match against normalized URLs rather than raw strings.
  • a49a40d: Updated dependency zod to ^3.25.76 || ^4.0.0 & migrated to /v3 or /v4 imports.
  • 634eded: Fixed a foreign key constraint violation when issuing refresh tokens for CIMD clients, and prevented a failed refresh token issuance from failing the entire token exchange. Fixed AWS ALB auth provider incorrectly returning HTTP 500 instead of 401 for JWT validation failures, which caused retry loops and memory pressure under load.
  • 619be54: Update migrations to be reversible
  • Updated dependencies
    • @backstage/backend-plugin-api@1.8.0
    • @backstage/plugin-catalog-node@2.1.0
    • @backstage/catalog-model@1.7.7
    • @backstage/plugin-auth-node@0.6.14

0.27.1-next.2

Patch Changes

... (truncated)

dependabot bot requested a review from a team as a code owner March 12, 2026 15:23
dependabot bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels Mar 12, 2026

dietmar-91 (Collaborator) commented:

@dependabot rebase

Bumps [@backstage/plugin-auth-backend](https://github.com/backstage/backstage/tree/HEAD/plugins/auth-backend) from 0.27.0 to 0.27.1.
- [Release notes](https://github.com/backstage/backstage/releases)
- [Changelog](https://github.com/backstage/backstage/blob/master/plugins/auth-backend/CHANGELOG.md)
- [Commits](https://github.com/backstage/backstage/commits/HEAD/plugins/auth-backend)

---
updated-dependencies:
- dependency-name: "@backstage/plugin-auth-backend"
  dependency-version: 0.27.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot bot force-pushed the dependabot/npm_and_yarn/backstage/plugin-auth-backend-0.27.1 branch from 1e28100 to aadf6db March 30, 2026 12:10
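
The loopback rule from the dc87ac1 changelog entry above (any port accepted when the registered redirect URI uses a localhost address, per RFC 8252 Section 7.3), combined with the normalized-URL comparison described in 0f9d673, sketched as an added example. This is not Backstage's code; `redirectUriMatches`, the loopback host set and the sample URIs are assumptions constructed for illustration.

```javascript
// Added illustration of redirect URI matching; not Backstage's implementation.
// Hosts treated as loopback for the "any port" rule (assumed set).
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

function parseUri(uri) {
  try {
    return new URL(uri); // WHATWG parsing lower-cases scheme/host, drops default ports
  } catch {
    return null;
  }
}

// Returns true when `requested` is acceptable for the `registered` redirect URI.
function redirectUriMatches(registered, requested) {
  const reg = parseUri(registered);
  const req = parseUri(requested);
  if (!reg || !req) return false;

  // Userinfo and fragments have no place in a redirect URI; a raw-string
  // prefix check would accept "http://localhost@other-host/...".
  if (req.username || req.password || req.hash) return false;

  // Compare parsed components, never raw strings.
  if (reg.protocol !== req.protocol) return false;
  if (reg.hostname !== req.hostname) return false;
  if (reg.pathname !== req.pathname || reg.search !== req.search) return false;

  // RFC 8252 Section 7.3: native clients bind an ephemeral port at request
  // time, so the port is ignored only when the registered host is loopback.
  if (LOOPBACK_HOSTS.has(reg.hostname)) return true;

  // Every other host must match on port as well.
  return reg.port === req.port;
}

// Constructed sample inputs.
const samples = [
  ['http://127.0.0.1/callback', 'http://127.0.0.1:51234/callback'],
  ['http://127.0.0.1/callback', 'http://127.0.0.1.evil.example:51234/callback'],
  ['https://app.example.com/cb', 'https://app.example.com:8443/cb'],
];
for (const [registered, requested] of samples) {
  console.log(requested, '->', redirectUriMatches(registered, requested));
}
```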