
🙏 Help wanted: Deprecate old backend plugins

Open jhaals opened this issue 1 year ago • 2 comments

TL;DR make sure that createRouter and other exports are marked as deprecated. For the majority of packages there should only be one default export of the backend plugin itself. The @backstage/backend-common package is deprecated so usages of that package should also be avoided.

Backstage’s new backend system is ready for general use; we are now asking for a full transition over to the new backend system, which involves stopping support for the old system. By old system we mean having exports of createRouter and related types. There should only need to be one export like this in the backend plugin’s index.ts file.

How do I help?

Run yarn community-cli lint legacy-backend-exports workspaces/<workspace> in the repository to get a full report of packages that require action.

Phase 1

Ensure that plugins contain a default export

Ensure that there is a default export of the backend plugin in index.ts, see this example.

If the plugin previously had a default export in plugins/<plugin-id>/src/alpha.ts, make sure that that export is deprecated and that the default export is moved to the non-alpha index.ts instead.

Deprecate createRouter, RouterOptions and similar types.

Here’s an example of a plugin’s createRouter being deprecated.

/**
+ * @deprecated Please migrate to the new backend system as this will be removed in the future.
 * @public
 * */
export async function createRouter(
  options: RouterOptions,
): Promise<express.Router> {
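
Review bot: the added `@deprecated` line says only that the export "will be removed in the future"; it should name the replacement (the plugin's default export in index.ts, as described in Phase 1) so callers of createRouter see what to switch to. If RouterOptions is deprecated in the same change, give it the same tag, since it still appears as the parameter type on the following lines.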

Phase 2

Remove deprecated exports

Ensure that deprecations have been out for at least one mainline release before proceeding with removal of all deprecated exports. Removing exports from one release to another is not recommended.

The complete migration story for a backend plugin (including deprecation) is also mentioned in our docs.

If you take on migrating a backend plugin, feel free to add a comment in this issue to avoid duplicate work.

We plan to have all createRouter exports and @backstage/backend-common usages removed by the end of this year. Your help would be much appreciated!

jhaals avatar Sep 05 '24 13:09 jhaals

This is a pretty good list of the backend plugins to start from: https://github.com/backstage/community-plugins/blob/main/docs/compatibility/new-backend-system.md

awanlin avatar Sep 08 '24 18:09 awanlin

I've started the work for Azure DevOps and Linguist:

  • https://github.com/backstage/community-plugins/pull/1197
  • https://github.com/backstage/community-plugins/pull/1198

awanlin avatar Sep 10 '24 00:09 awanlin

I believe that getting rid of @backstage/backend-common package usages would also reduce occurrences of Vulnerability (CVE-2024-21534)

There is a vulnerability with severity 9.3 in jsonpath-plus <= 10.0.7. See https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884

@backstage/backend-common package is using @kubernetes/client-node package which is using vulnerable jsonpath-plus@npm:7.2.0

knowacki23 avatar Nov 07 '24 12:11 knowacki23

I took a run at removing @backstage/backend-common over the weekend. For a number of them this ended up being fine, but there is currently a group of roughly 12 that will be breaking changes, and we need to do the deprecation first with a follow-up in the new year where we do the removal. The list of plugins as of November 20, 2024 is:

  • airbrake
  • azure-sites
  • azure-storage-explorer
  • badges
  • blackduck
  • code-coverage
  • explore
  • feedback
  • jenkins
  • lighthouse
  • mta
  • todo

Plugins not listed here should have @backstage/backend-common already removed to the best of my knowledge.

I intended to submit PRs for the above list marking things as deprecated so we can get that in as soon as possible. We also discussed this during the Community Plugins SIG this week and agreed on this course of action.

awanlin avatar Nov 20 '24 18:11 awanlin

All the above plugins now have PRs created to deprecate their support for the legacy backend. 👍

awanlin avatar Nov 20 '24 20:11 awanlin

FYI - Work has started upstream to remove @backstage/backend-common

  • https://github.com/backstage/backstage/pull/28182
  • https://github.com/backstage/backstage/pull/28189

I'm sure there will be more. Also, this section about deadline should be helpful: https://github.com/backstage/backstage/issues/24493#deadline

awanlin avatar Dec 18 '24 13:12 awanlin

Can we add a lint rule to the repo to forbid the use of @backstage/backend-common so that way we don't get new usages added?

awanlin avatar Jan 14 '25 15:01 awanlin

I found these two, zlib1g and jsonpath-plus:

node_modules/@backstage/plugin-kubernetes-node/node_modules/@kubernetes/client-node/package.json:        "jsonpath-plus": "^10.0.0",
node_modules/@backstage/plugin-kubernetes-common/node_modules/@kubernetes/client-node/package.json:        "jsonpath-plus": "^10.0.0",
node_modules/@backstage/plugin-kubernetes/node_modules/@kubernetes/client-node/package.json:        "jsonpath-plus": "^10.0.0",
node_modules/@asyncapi/parser/package.json:    "jsonpath-plus": "^10.0.0",

abhipsnl avatar Jan 26 '25 12:01 abhipsnl

Best I can tell this is the last PR for this work, once merged all direct references to backend-common will be gone!

https://github.com/backstage/community-plugins/pull/3433

awanlin avatar Mar 22 '25 23:03 awanlin

Yup, looks like all direct references to backend-common are gone! Are we good to close this issue in that case?

04kash avatar Mar 25 '25 15:03 04kash

Closing the issue, thanks everyone 👏

vinzscam avatar Apr 08 '25 15:04 vinzscam