30.4.0 introduced synchronous require(ESM) that requires Node v24.9+,
breaking tests on Node 22. 30.3.0 pulls in @sinonjs/fake-timers@^15
which conflicts with @types/sinon@^17 (used by aws-sdk-client-mock).
30.2.0 avoids both issues cleanly.
Resets lockfile to a clean base-install from master constraints.
Signed-off-by: Fredrik Adelöw <freben@gmail.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Keep the monorepo's own jest resolution consistent with the template
range, and update the lockfile to 30.3.0 accordingly.
Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: Fredrik Adelöw <freben@gmail.com>
Several packages had the same dependency listed in both `dependencies`
and `devDependencies`. This removes the duplicate from whichever section
is incorrect based on actual usage in the source code.
Signed-off-by: Fredrik Adelöw <freben@spotify.com>
Made-with: Cursor
Addresses the high severity rollup path traversal vulnerability
(GHSA-mw96-cpmx-2vgc) and the glob security advisory by upgrading
all instances across the monorepo. Updates code that used the legacy
callback-based glob API to use the modern promise/sync API.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Fredrik Adelöw <freben@spotify.com>
The __fixtures__ directory that required this exclusion was moved to
@backstage/cli-module-build.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Fredrik Adelöw <freben@spotify.com>
Move jest config files to cli-module-test-jest/config and node
transform + webpack-public-path to cli-module-build/config. Replace
originals in @backstage/cli/config with lazy proxies that forward
to the appropriate module or throw if it is not installed.
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
Made-with: Cursor
Introduces a new `@backstage/cli-defaults` package that re-exports all
standard CLI modules as a single array, simplifying dependency management
for consumers. The CLI's `CliInitializer` is updated to support array
exports alongside single module exports. The create-app template,
changesets, and CLI fallback are updated to use `@backstage/cli-defaults`
instead of listing 11 individual modules.
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
Made-with: Cursor
The CLI provides tsconfig presets that include webpack-env in the
types array, so @types/webpack-env must remain a dependency of the
CLI package for consuming apps to compile correctly.
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
Made-with: Cursor
Align dependency versions in CLI modules to match the original CLI
package versions. Move dependencies that are only used by modules out
of the main CLI package, and add missing dependencies to the modules
that actually use them. Revert import-to-require conversions in
cli-module-build that were incorrectly introduced during the split.
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
Made-with: Cursor
Move createCliPlugin and related types from the standalone
@backstage/cli-plugin-api package into @backstage/cli-node and
remove the now-empty package.
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
Made-with: Cursor
Bump cleye to ^2.3.0 (which pulls in type-flag 4.1.0) and enable
booleanFlagNegation: true in all cli() invocations so that boolean
flags automatically support --no-<flag> prefix negation.
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
Made-with: Cursor
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
Made-with: Cursor
* feat(cli): add auth commands for OIDC login
Signed-off-by: benjdlambert <ben@blam.sh>
* address PR review feedback
- move CIMD check before callback server start
- add try/finally for callback server cleanup
- validate URLs with human-readable errors
- deduplicate config URL candidates
- preserve selected flag on re-authentication
- delete accessToken on logout
- log token refresh to stderr in show command
- fix command descriptions to reference CIMD not DCR
- type keytar as optionalDependency, rename storage paths
- add auth-backend changeset
Signed-off-by: benjdlambert <ben@blam.sh>
* migrate auth module from yargs to cleye pattern
Signed-off-by: benjdlambert <ben@blam.sh>
* address PR review feedback
- consolidate storage imports in auth.ts
- add withMetadataLock to setSelectedInstance
- skip file permission tests on Windows
- clarify changeset endpoint path
Signed-off-by: benjdlambert <ben@blam.sh>
* address review feedback from Rugvip and Copilot
- use stdout for user-facing messages instead of stderr
- remove clientSecret remnants from logout
- make refresh_token optional in token response schema
- add timeout to CIMD metadata fetch
- pass same state to callback server and authorize URL
- remove inaccurate test comment
Signed-off-by: benjdlambert <ben@blam.sh>
* validate state in callback server, add CIMD endpoint tests
- localServer now validates the OAuth state parameter in the request
  handler and returns 400 on mismatch
- Added tests for the CIMD metadata endpoint in OidcRouter covering
  both disabled and enabled cases
Signed-off-by: benjdlambert <ben@blam.sh>
* revert validateRequest to use Zod error details
Signed-off-by: benjdlambert <ben@blam.sh>
* fix callback server hanging by closing keep-alive connections
Signed-off-by: benjdlambert <ben@blam.sh>
* rename secret store service prefix to backstage-cli:auth-instance
Signed-off-by: benjdlambert <ben@blam.sh>
---------
Signed-off-by: benjdlambert <ben@blam.sh>
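
The state check described in the "validate state in callback server" entry above, sketched as an added example; this is not the Backstage implementation. The function names, the `/callback` path, the response bodies and the sample values are assumptions made for illustration.

```javascript
// Added illustration of a loopback OAuth callback check; not project code.
// Compare two strings without stopping at the first differing character.
function constantTimeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i % (b.length || 1));
  }
  return diff === 0;
}

// Decide how the local callback server answers one request.
// expectedState is the value that was also placed in the authorize URL.
function handleCallback(rawUrl, expectedState) {
  if (typeof expectedState !== 'string' || expectedState.length < 16) {
    throw new Error('expectedState must be a long random string');
  }
  let url;
  try {
    url = new URL(rawUrl, 'http://127.0.0.1');
  } catch {
    return { status: 400, body: 'Malformed request URL' };
  }
  if (url.pathname !== '/callback') {
    return { status: 404, body: 'Not found' };
  }
  // Reject a missing, empty, repeated or mismatched state before reading
  // anything else, so an unsolicited request cannot deliver a code or error.
  const states = url.searchParams.getAll('state');
  if (states.length !== 1 || states[0] === '' ||
      !constantTimeEqual(states[0], expectedState)) {
    return { status: 400, body: 'Invalid state parameter' };
  }
  // The authorization server reports failures on the same redirect.
  const error = url.searchParams.get('error');
  if (error) {
    return { status: 400, body: 'Authorization failed', error };
  }
  const codes = url.searchParams.getAll('code');
  if (codes.length !== 1 || codes[0] === '') {
    return { status: 400, body: 'Missing authorization code' };
  }
  return { status: 200, body: 'Login complete', code: codes[0] };
}
```

In a real request handler the returned `status` and `body` would be written to the response as plain text, and `code` would go on to the token exchange only when `status` is 200.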
Extend `BackstageCommand.execute` to accept either a direct function or a
`{ loader }` object for lazy loading command implementations. Convert
several build and migrate commands to use the new pattern. Switch from
`program.parse` to `program.parseAsync` to properly await async actions.
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
The only usage of bfj in @backstage/cli is `bfj.write(path, data)` in
bundle.ts for writing bundle-stats.json. The write API is unchanged in
v9 and v9.0.0/v9.0.1 are deprecated, so the range starts at ^9.0.2.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Raghunandan Balachandran <raghunandan@spotify.com>
postcss-import naturally preserves @layer declarations during bundling,
eliminating the need for custom layer parsing and restoration logic.
This simplifies the implementation while also preserving source comments.
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
Co-authored-by: Cursor <cursoragent@cursor.com>