Search code, repositories, users, issues, pull requests...

Minor Changes

6a916a1: Backstage version bump to v1.50.4

Patch Changes

Updated dependencies [6a916a1]
- @backstage-community/plugin-rbac-common@1.27.0
- @backstage-community/plugin-rbac-node@1.21.0

`v7.12.5`

Patch Changes

39a3942: Hardens RBAC policy handling to prevent Casbin CSV poisoning and improve error visibility.

Key fixes:
- Rejects permission policy permission values containing " before persistence (prevents known CSV parse failures).
- Rethrows loadPolicy failures after audit logging so mutation/read paths surface the root cause instead of secondary errors.
- Improves policy API request validation and missing-role handling (400/404 where appropriate).
- Validates default configured permissions/admin refs with the same stricter checks used by runtime write paths.
- Strengthens conditional and plugin-id payload validation and aligns owner filtering behavior for default roles.
Compatibility notes:
- Requests/config entries using permission values with embedded " are now rejected.
- Conditional policy payloads and conditional YAML ingestion now enforce limits.
- Conditional permissionMapping must list distinct Backstage permission actions (no duplicates); at most one entry per supported action (create, read, update, delete, use).
- Plugin ID registration payloads now enforce count/length/duplicate checks.
- For larger existing payloads, limits are configurable via:
- permission.rbac.validation.conditionalPolicies.maxConditionDepth
- permission.rbac.validation.conditionalPolicies.maxConditionNodeCount
- permission.rbac.validation.conditionalPolicies.maxCriteriaItems
- permission.rbac.validation.conditionalPoliciesFile.maxBytes
- permission.rbac.validation.conditionalPoliciesFile.maxDocuments
Operational note:
- CSV policy files are parsed line-by-line; malformed lines are skipped with warnings instead of aborting the entire file load.

`v7.12.4`

Patch Changes

170f85d: Migrate to Jest 30 and fix backend test assertion compatibility
Updated dependencies [170f85d]
- @backstage-community/plugin-rbac-common@1.26.1
- @backstage-community/plugin-rbac-node@1.20.1

`v7.12.3`

Patch Changes

fb2a770: Made postgres username and password optional in casbin adapter factory to support passwordless authentication

`v7.12.2`

Patch Changes

39272f8: Updated dependency csv-parse to ^6.0.0.
70e6333: Updated dependency @dagrejs/graphlib to ^4.0.0.
a559dfb: Updated dependency @types/node to 22.19.17.
8846adf: Updated dependency qs to 6.15.1.

`v7.12.1`

Patch Changes

40e44bb: Updated dependency qs to 6.14.2.

`v7.12.0`

Minor Changes

8993474: Backstage version bump to v1.49.2

Patch Changes

Updated dependencies [8993474]
- @backstage-community/plugin-rbac-common@1.26.0
- @backstage-community/plugin-rbac-node@1.20.0

`v7.11.0`

Minor Changes

50e194d: Add support for a default role and permissions for authenticated users in RBAC backend
- Introduced a new defaultRole and basicPermissions configuration options to assign a default role to all authenticated users.
```
permission:
  rbac:
+   defaultPermissions:
+     defaultRole: role:default/my-default-role
+     basicPermissions:
+       - permission: catalog.entity.read
+         action: read
```
- Updated the RBAC permission policy to include the default role in user roles if not already present.

Patch Changes

Updated dependencies [50e194d]
- @backstage-community/plugin-rbac-common@1.25.0
- @backstage-community/plugin-rbac-node@1.19.1

`v7.10.0`

Minor Changes

133eae6: Add support for loading conditional permissions from a remote provider (fix #6412)

Minor Changes

da170a1: Add support for group reference in superUsers list, using direct membership only

Patch Changes

8a6b81c: Updated dependency @types/supertest to ^7.0.0.

`v7.8.0`

Minor Changes

843bbe2: Backstage version bump to v1.48.4

Patch Changes

Updated dependencies [843bbe2]
- @backstage-community/plugin-rbac-common@1.24.0
- @backstage-community/plugin-rbac-node@1.18.0

`v7.7.2`

Patch Changes

8c7bddb: Added NFS support
af998b7: Updated dependency supertest to 7.2.2.

`v7.7.1`

Patch Changes

b133c9d: Updated dependency @types/supertest to ^6.0.0.
497d5c6: Updated dependency @types/node to 22.19.11.
9c7ae87: Fix - stop error on upgrade v1.47.x - allow all plugins in the arry to show

`v7.7.0`

Minor Changes

e6dbf70: Backstage version bump to v1.47.2

Patch Changes

e6dbf70: updated the permissionFactory to use the FetchUrlReader.fromConfig
a184943: Updated dependency @types/node to 22.19.7.
Updated dependencies [e6dbf70]
- @backstage-community/plugin-rbac-common@1.23.0
- @backstage-community/plugin-rbac-node@1.17.0

microsoft/playwright (@playwright/test)

`v1.61.0`

Continue to review full report in Codecov by Harness.

🔑 WebAuthn passkeys

New Credentials virtual authenticator, available via browserContext.credentials, lets tests register passkeys and answer navigator.credentials.create() / navigator.credentials.get() ceremonies in the page — no real hardware key required, works in all browsers:

const context = await browser.newContext();

// Seed a passkey your backend provisioned for a test user.
await context.credentials.create('example.com', {
  id: credentialId,
  userHandle,
  privateKey,
  publicKey,
});
await context.credentials.install();

const page = await context.newPage();
await page.goto('https://example.com/login');
// The page's navigator.credentials.get() is answered with the seeded passkey.

You can also let the app register a passkey once in a setup test, read it back with credentials.get(), and seed it into later tests — see Credentials for details.

🗃️ Web Storage

New WebStorage API, available via page.localStorage and page.sessionStorage, reads and writes the page's storage for the current origin:

await page.localStorage.setItem('token', 'abc');
const token = await page.localStorage.getItem('token');
const items = await page.sessionStorage.items();

New APIs

Network

apiResponse.securityDetails() and apiResponse.serverAddr() mirror the browser-side response.securityDetails() and response.serverAddr().

Browser and Screencast

New option artifactsDir in browserType.connectOverCDP() controls where artifacts such as traces and downloads are stored when attached to an existing browser.
New option cursor in screencast.showActions() controls the cursor decoration rendered for pointer actions.
The onFrame callback in screencast.start() now receives a timestamp of when the frame was presented by the browser.

Test runner

The testOptions.video option now supports the same set of modes as trace: new 'on-all-retries', 'retain-on-first-failure' and 'retain-on-failure-and-retries' values. See the video modes table for which runs are recorded and kept in each mode.
Supported expect.soft.poll(...).
New fullConfig.argv — a snapshot of process.argv from the runner process, handy for reading custom arguments passed after the -- separator.
New fullConfig.failOnFlakyTests mirrors the config option, so reporters can explain why a flaky run failed.
testInfo.errors now lists each sub-error of an AggregateError as a separate entry.
New -G command line shorthand for --grep-invert.

🛠️ Other improvements

Playwright now supports Ubuntu 26.04.
HAR and trace recordings now include WebSocket requests.

Browser Versions

Chromium 149.0.7827.55
Mozilla Firefox 151.0
WebKit 26.5

This version was also tested against the following stable channels:

Google Chrome 149
Microsoft Edge 149

Configuration

📅 Schedule: (UTC)

Branch creation
- At any time (no schedule defined)
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

rhdh-gh-app · 2026-04-28T17:14:38Z

Changed Packages

Package Name	Package Path	Changeset Bump	Current Version
app	workspaces/x2a/packages/app	none	`v0.0.0`
backend	workspaces/x2a/packages/backend	none	`v0.0.0`

mareklibra

So far we must preserve RHDH 1.9 (Backstage 1.45.3) compatibility

The @playwright/test bump to 1.59.1 is fine.

The @backstage-community/plugin-rbac-backend should stay at 7.6.2 (or whichever version is compatible with Backstage 1.45.3).

The rbac-backend 7.12.3 code runs against @backstage/backend-defaults@0.13.2 and @backstage/backend-plugin-api@1.5.0. This is almost certain to cause runtime errors.

codecov · 2026-04-29T19:05:04Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 53.61%. Comparing base (578c694) to head (d66c6bd).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #2791   +/-   ##
=======================================
  Coverage   53.61%   53.61%           
=======================================
  Files        2254     2254           
  Lines       85821    85821           
  Branches    24179    24181    +2     
=======================================
  Hits        46014    46014           
+ Misses      38330    38257   -73     
- Partials     1477     1550   +73

Flag	Coverage Δ	*Carryforward flag
adoption-insights	`83.70% <ø> (ø)`	Carriedforward from 578c694
ai-integrations	`67.95% <ø> (ø)`	Carriedforward from 578c694
app-defaults	`69.79% <ø> (ø)`	Carriedforward from 578c694
augment	`46.39% <ø> (ø)`	Carriedforward from 578c694
boost	`100.00% <ø> (ø)`	Carriedforward from 578c694
bulk-import	`72.46% <ø> (ø)`	Carriedforward from 578c694
cost-management	`14.10% <ø> (ø)`	Carriedforward from 578c694
dcm	`61.79% <ø> (ø)`	Carriedforward from 578c694
extensions	`61.53% <ø> (ø)`	Carriedforward from 578c694
global-floating-action-button	`71.18% <ø> (ø)`	Carriedforward from 578c694
global-header	`59.71% <ø> (ø)`	Carriedforward from 578c694
homepage	`49.92% <ø> (ø)`	Carriedforward from 578c694
install-dynamic-plugins	`56.23% <ø> (ø)`	Carriedforward from 578c694
konflux	`91.49% <ø> (ø)`	Carriedforward from 578c694
lightspeed	`68.57% <ø> (ø)`	Carriedforward from 578c694
mcp-integrations	`85.46% <ø> (ø)`	Carriedforward from 578c694
orchestrator	`37.75% <ø> (ø)`	Carriedforward from 578c694
quickstart	`63.76% <ø> (ø)`	Carriedforward from 578c694
sandbox	`79.56% <ø> (ø)`	Carriedforward from 578c694
scorecard	`83.96% <ø> (ø)`	Carriedforward from 578c694
theme	`61.26% <ø> (ø)`	Carriedforward from 578c694
translations	`6.55% <ø> (ø)`	Carriedforward from 578c694
x2a	`78.68% <ø> (ø)`

*This pull request uses carry forward flags. Click here to find out more.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 578c694...d66c6bd. Read the comment docs.

🚀 New features to boost your workflow:

📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

mareklibra · 2026-05-12T06:56:46Z

Partial fix: #3108

The @backstage-community/plugin-rbac-backend update must wait.

sonarqubecloud · 2026-05-15T20:43:53Z

Quality Gate passed

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

sonarqubecloud · 2026-06-10T14:43:58Z

Quality Gate passed

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

sonarqubecloud · 2026-06-17T06:45:50Z

Quality Gate passed

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

sonarqubecloud · 2026-06-19T21:06:38Z

Quality Gate passed

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code