🙏 Help wanted: Deprecate old backend plugins

[jhaals]

TL;DR make sure that createRouter and other exports are marked as deprecated. For the majority of packages there should only be one default export of the backend plugin itself. The @backstage/backend-common package is deprecated so usages of that package should also be avoided.

Backstage’s new backend system is ready for general use; we are now asking for a full transition over to the new backend system, which involves stop supporting the old system. By old system we mean having exports of createRouter and related types. There should only need to be one export like this in the backend plugin’s index.ts file.

How do I help?

Run yarn community-cli lint legacy-backend-exports workspaces/<workspace> in the repository to get a full report of packages that require action.

Phase 1

Ensure that plugins contain a default export

Ensure that there is a default export of the backend plugin in index.ts, see this example.

If the plugin previously had a default export in plugins/<plugin-id>/src/alpha.ts, make sure that that export is deprecated and that the default export is moved to the non-alpha index.ts instead.

Deprecate createRouter, RouterOptions and similar types.

Here’s an example of a plugin’s createRouter being deprecated.

/**
+ * @deprecated Please migrate to the new backend system as this will be removed in the future.
 * @public
 * */
export async function createRouter(
  options: RouterOptions,
): Promise<express.Router> {

Phase 2

Remove deprecated exports

Ensure that deprecations have been out for at one mainline release before proceeding with removal of all deprecated exports. Removing exports from one release to another is not recommended

The complete migration story for a backend plugin (including deprecation) is also mentioned in our docs.

If you take on migrating a backend plugin, feel free to add a comment in this issue to avoid duplicate work.

We plan to have all createRouter exports and @backstage/backend-common usages removed by the end of this year. Your help would be much appreciated!

[awanlin]

This is a pretty good list of the backend plugins to start from: https://github.com/backstage/community-plugins/blob/main/docs/compatibility/new-backend-system.md

[awanlin]

I've started the work for Azure DevOps and Linguist:

• https://github.com/backstage/community-plugins/pull/1197
• https://github.com/backstage/community-plugins/pull/1198

[knowacki23]

I believe that getting rid of @backstage/backend-common package usages would also reduce occurrences of Vulnerability (CVE-2024-21534)

There is a vulnerability with severity 9.3 in jsonpath-plus <= 10.0.7. See https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884

@backstage/backend-common package is using @kubernetes/client-node package which is using vulnerable jsonpath-plus@npm:7.2.0

[awanlin]

I took a run at removing @backstage/backend-common over the weekend. There were a number of them that this ended up being fine but there is currently a group of roughly 12 that will be breaking changes and we need to do the deprecation first with a follow up in the new year where we do the removal. The list of plugins as of November 20, 2024 is:

• airbrake
• azure-sites
• azure-storage-explorer
• badges
• blackduck
• code-coverage
• explore
• feedback
• jenkins
• lighthouse
• mta
• todo

Plugins not listed here should have @backstage/backend-common already removed to the best of my knowledge.

I intended to submit PRs for the above list marking things as deprecated so we can get that in as soon as possible. We also discussed this during the Community Plugins SIG this week and agreed on this course of action.

[awanlin]

All the above plugins now have PRs created to deprecate their support for the legacy backend. 👍