Bump @backstage/core-app-api from 1.5.0 to 1.6.0

[dependabot]

Bumps @backstage/core-app-api from 1.5.0 to 1.6.0.

Release notes

Sourced from @​backstage/core-app-api's releases.

v1.6.0

These are the release notes for the v1.6.0 release of Backstage.

A huge thanks to the whole team of maintainers and contributors as well as the amazing Backstage Community for the hard work in getting this release developed and done.

Highlights

Moved to swc for transpilation

We’ve replaced sucrase with swc for transpilation in the Backstage CLI. While swc has slightly slower transpilation times, it’s a library backed by a larger community, and allows us to take advantage of React Refresh out of the box. There’s a few things that could possibly break installations of Backstage and compilation, you can read more about it in the changelog

React Router Stable Compatibility

Backstage has for a long time been using React Router version 6.0.0-beta.0. We adopted this unstable version because v6 had some new features that fit really well with Backstage, particularly relative routing. Because we jumped on this early and unstable version, we knew that we would at some point need a breaking migration to the stable version of React Router v6, which is the point we're at now!

The migration is controlled by each app, meaning this release will not force you to migrate straight away, you can do so at your own pace. Check out the migration guide for all you need to know!

Yarn 3 Support

It is now possible to migrate Backstage projects to use Yarn 3. See the migration guide for more information. Migrating to Yarn 3 is optional, and Backstage projects created with @backstage/create-app will still use classic Yarn by default.

New plugin: @backstage/plugin-user-settings-backend

The user-settings plugin now has an associated backend. This allows for the persistence of settings in your database, essentially in the form of a basic per-user key-value JSON store.

As this backend was added, user-settings also gained a UserSettingsStore class that implements the storageApiRef Utility API. If you install the backend as well as this frontend API, your starred entities and other storage-API-based features will no longer just be persisted in your browser’s local storage, but centrally so that all your devices can leverage them.

Contributed by @​dschwank in #13570

New plugin: @backstage/plugin-playlist

This plugin can be used to create custom collections of Entities that can be shared throughout Backstage or for private usage.

Contributed by @​kuangp in #12870

Security Fixes

Be sure to upgrade to the latest version of @backstage/plugin-scaffolder-backend, as it contains an explicit bump of a transitive dependency where a vulnerability was discovered. If you subscribe to CVE notifications you will already have received this update.

Upgrade path

We recommend that you keep your Backstage project up to date with this latest release. For more guidance on how to upgrade, check out the documentation for keeping Backstage updated.

Links and References

Below you can find a list of links and references to help you learn about and start using this new release.

• Backstage official website, documentation, and getting started guide
• GitHub repository

... (truncated)

Changelog

Sourced from @​backstage/core-app-api's changelog.

1.6.0

Minor Changes

• 456eaa8cf83: OAuth2 now gets ID tokens from a session with the openid scope explicitly requested.

  This should not be considered a breaking change, because spec-compliant OIDC providers will already be returning ID tokens if and only if the openid scope is granted.

  This change makes the dependence explicit, and removes the burden on OAuth2-based providers which require an ID token (e.g. this is done by various default auth handlers) to add openid to their default scopes. That could carry another indirect benefit: by removing openid from the default scopes for a provider, grants for resource-specific access tokens can avoid requesting excess ID token-related scopes.

Patch Changes

• 52b0022dab7: Updated dependency msw to ^1.0.0.
• Updated dependencies
  • @​backstage/core-plugin-api@​1.5.0
  • @​backstage/config@​1.0.7
  • @​backstage/types@​1.0.2
  • @​backstage/version-bridge@​1.0.3

1.6.0-next.2

Minor Changes

• 456eaa8cf83: OAuth2 now gets ID tokens from a session with the openid scope explicitly requested.

  This should not be considered a breaking change, because spec-compliant OIDC providers will already be returning ID tokens if and only if the openid scope is granted.

  This change makes the dependence explicit, and removes the burden on OAuth2-based providers which require an ID token (e.g. this is done by various default auth handlers) to add openid to their default scopes. That could carry another indirect benefit: by removing openid from the default scopes for a provider, grants for resource-specific access tokens can avoid requesting excess ID token-related scopes.

Patch Changes

... (truncated)

Commits

• 3088288 Version Packages
• 8448b53 move the settings storage to the user settings frontend
• 294805e refresh internal version deps
• 8a57ffc Ensure that we return stable observer references
• 9018da5 do not double encode the value
• 9895e6b rename to UserSettingsStorage and adjust error handling
• 8f7e5a7 feat: add keys path support
• 31a2403 feat: use buckets prefix for routes
• 32fa6ca fix: change imports
• 108cdc3 feat: add new user settings backend
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

The following labels could not be found: dependencies.