Roadie’s Blog

Backstage Weekly 64 - RCE vulnerability, Events API, incremental entities, security

By Jorge LainfiestaNovember 28th, 2022

Alright, y’all, buckle up! I’m bringing you huge news this week. First is an invitation to upgrade past Backstage 1.5 (if you haven’t), then I’ll review the new exciting Events API, and finally introduce the new incremental entity provider.

A critical vulnerability in outdated instances

Recently, the Oxeye research team published a report of a vulnerability found in the Scaffolder that could allow a threat actor to execute remote code by exploiting an outdated vm2 third-party library. The Backstage team patched this issue on version 1.5.1 back on August 29th.

If you’re running a self-hosted Backstage instance and still use a pre-1.5.1 version, you face a vulnerability with a 9.8 CVSS score, which is the most severe for exploitability and impact. Please take the time to upgrade ASAP.


Roadie customers are unaffected by the RCE vulnerability because their instances are regularly upgraded and have extra security measures built into our architecture.


React to events from external sources

pjungermann championed a paramount new feature: events management. A major use case for this is to work with events triggered by SCM providers like GitHub or Bitbucket Cloud. Other than http, the event management also comes with sqs support so that you can receive messages from AWS SQS queues.

The events management API comes with modules for:

But, it’s designed to be extended to fit a variety of use cases. The events management backend comes with a simple in-memory event broker that is meant to be replaced by a more sophisticated broker of your choosing.

You can already get started with this plugin. For additional details and context, check out the PR.

Also, beware that not all the existing SCM entity providers have been updated to use the events management API. I’ll let you know when support becomes available.

Incremental Ingestion for large data sources

When you have a large enough data source that provides pagination, you might run into problems ingesting entities in the Catalog and later keeping them in sync. dekoding—who explained how they ingest 200k+ entities at HP—championed the Open Sourcing of an incremental entity provider designed to ingest entities in incremental bursts instead of attempting full massive ingestion. The concept was pioneered by Taras from Frontside, who actively worked on the provider throughout the PR.

The Incremental Entity Provider is designed for data sources that provide paginated results. The provider will go through the data in various bursts with one or more pages of the query. The plugin will attempt to fetch as many pages as possible within a configurable burst length. At every iteration, it expects to receive the next cursor that will be used to query in the next iteration.

To start using this provider, head over to its comprehensive README.


Before saying goodbye, I want to welcome all the adopters that joined the community in November: Trifork, MSCI, ESW, and FanDuel!

Talk to you next week!

Jorge L

Become a Backstage expert

To get the latest news, deep dives into Backstage features, and a roundup of recent open-source action, sign up for Roadie's Backstage Weekly. See recent editions.

We will never sell or share your email address.