
chore(deps): update dependency @backstage/integration to v1.20.1#41

Open
mend-on-mend[bot] wants to merge 1 commit into main from whitesource-remediate/npm-backstage-integration-vulnerability

Conversation


@mend-on-mend mend-on-mend bot commented Mar 5, 2026

This PR contains the following updates:

| Package | Change | Age | Confidence |
| --- | --- | --- | --- |
| @backstage/integration (source) | 1.17.1 → 1.20.1 | age | confidence |

Backstage vulnerable to potential reading of SCM URLs using built in token

CVE-2026-29185 / GHSA-95v5-prp4-5gv5

More information

Details

Impact

A vulnerability in the SCM URL parsing used by Backstage integrations allowed path traversal sequences in encoded form to be included in file paths. When these URLs were processed by integration functions that construct API URLs, the traversal segments could redirect requests to unintended SCM provider API endpoints using the configured server-side integration credentials.

This affects instances that use any of the SCM integrations (GitHub, Bitbucket Server, Bitbucket Cloud) with the scaffolder or other features that accept user-provided SCM URLs.

Patches

This is patched in @backstage/integration version 1.20.1.

Workarounds

There is no workaround for this vulnerability. Users should upgrade to the patched version.

Severity

  • CVSS Score: 2.7 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

backstage/backstage (@backstage/integration)

v1.20.1

Compare Source

This release fixes an issue where the @backstage/plugin-search-react package had an unnecessary dependency on @backstage/frontend-app-api.

v1.20.0

Compare Source

Minor Changes
  • 6999f6d: The AzureUrl class in the @backstage/integration package is now able to process BOTH git branches and git tags. Initially this class only processed git branches and threw an error when non-branch Azure URLs were passed in.
Patch Changes
  • cc6206e: Added support for {org}.visualstudio.com domains used by Azure DevOps
  • 7455dae: Use node prefix on native imports

v1.19.2

Compare Source

Patch Changes
  • 3afeab4: Implementing ScmIntegration for GoogleGcs
  • 9083273: Rollback the lowercase replacing in GitHub integration config

v1.19.1

Compare Source

This release fixes an issue where Microsoft auth would fail.

Contributed by @TheGemmell in #20655

v1.19.0

Compare Source

Minor Changes
  • 37fba1d: Added support for Bitbucket Cloud OAuth. This introduces an alternative authentication method using a workspace OAuth consumer, alongside App Passwords (deprecated) and API tokens. OAuth does not require a bot or service account and avoids token expiry issues.

    BREAKING CHANGES

    • @backstage/integration (src/bitbucketCloud/core.ts)

      • getBitbucketCloudRequestOptions now returns a Promise and must be awaited.
    • @backstage/plugin-scaffolder-backend-module-bitbucket-cloud (src/actions/helpers.ts)

      • getBitbucketClient now returns a Promise and must be awaited.
      • getAuthorizationHeader now returns a Promise and must be awaited.

    OAuth usage example

    integrations:
      bitbucketCloud:
        - clientId: client-id
          clientSecret: client-secret
Patch Changes
  • a26a322: Added support for using a GitHub App installation to generate tokens for public repository access when the publicAccess option is enabled. When all other authentication methods fail (e.g., the app is not installed in that organization), the provider will now use an available installation to generate a token that can be used to access public repositories as read only.
  • fb029b6: Updated luxon types
  • e15fdae: Made the github urls case insensitive.

v1.18.2

Compare Source

Patch Changes
  • fa255f5: Support for Bitbucket Cloud's API token was added as appPassword is deprecated (no new creation from September 9, 2025) and will be removed on June 9, 2026.

    API token usage example:

    integrations:
      bitbucketCloud:
        - username: user@domain.com
          token: my-token
  • 05f60e1: Refactored constructor parameter properties to explicit property declarations for compatibility with TypeScript's erasableSyntaxOnly setting. This internal refactoring maintains all existing functionality while ensuring TypeScript compilation compatibility.

  • Updated dependencies

v1.18.1

Compare Source

Patch Changes
  • d772b51: remove host from azure blob storage integration type
  • 84443f1: Adds config definitions for Azure Blob Storage.
  • Updated dependencies

v1.18.0

Compare Source

Minor Changes
  • 03bdc68: Added support for limiting GithubAppCredentialsMux to specific apps
Patch Changes
  • 56897d7: Fixes issue with Github credentials provider which fails to match organization name if using allowedInstallationOwners

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

Signed-off-by: mend-on-mend[bot] <mend-on-mend[bot]@users.noreply.github.com>
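The Impact section of the advisory quoted above describes percent-encoded traversal segments in a file path reaching code that builds SCM provider API URLs. The following TypeScript is an added illustration of the defensive pattern such code needs; it is not Backstage's code and not the actual change shipped in @backstage/integration 1.20.1. It decodes every path segment exactly once, rejects `.`, `..`, empty segments and segments that still contain a separator after decoding, re-encodes the validated segments, and finally checks that the constructed URL is still scoped under the repository's contents path. The function names `toSafeSegments` and `buildContentsUrl` and the host `api.github.example` are constructed for the example; the `/repos/{owner}/{repo}/contents/{path}` shape follows the GitHub REST contents endpoint.

```typescript
// Added example (not Backstage code). All names here are constructed.

// Decode a single path segment once; undefined on malformed encoding.
function tryDecode(segment: string): string | undefined {
  try {
    return decodeURIComponent(segment);
  } catch {
    return undefined;
  }
}

/**
 * Split a repository file path into validated, decoded segments.
 * Fails closed on: malformed or nested percent-encoding, empty segments,
 * '.' / '..' (in plain or encoded form), and separators hidden inside a
 * segment (e.g. an encoded '/' or '\').
 */
export function toSafeSegments(filePath: string): string[] {
  const raw = filePath.startsWith('/') ? filePath.slice(1) : filePath;
  if (raw === '') {
    throw new Error('empty file path');
  }
  const segments: string[] = [];
  for (const seg of raw.split('/')) {
    const decoded = tryDecode(seg);
    if (decoded === undefined) {
      throw new Error(`malformed percent-encoding in segment ${JSON.stringify(seg)}`);
    }
    // A '%' surviving one decode means the caller sent nested encoding.
    // The SCM API will decode once more, so reject rather than loop-decode.
    if (decoded.includes('%')) {
      throw new Error(`nested percent-encoding in segment ${JSON.stringify(seg)}`);
    }
    if (decoded === '' || decoded === '.' || decoded === '..') {
      throw new Error(`refusing empty or traversal segment ${JSON.stringify(seg)}`);
    }
    if (decoded.includes('/') || decoded.includes('\\')) {
      throw new Error(`separator inside segment ${JSON.stringify(seg)}`);
    }
    segments.push(decoded);
  }
  return segments;
}

/**
 * Build a contents-API URL for a file in a repository. Validation happens
 * on the decoded segments BEFORE concatenation, because WHATWG URL parsing
 * collapses '..' segments during normalization; a scope check on the final
 * pathname is kept as defence in depth.
 */
export function buildContentsUrl(
  apiBase: string,
  owner: string,
  repo: string,
  ref: string,
  filePath: string,
): string {
  const encodedPath = toSafeSegments(filePath).map(encodeURIComponent).join('/');
  const scope = `/repos/${encodeURIComponent(owner)}/${encodeURIComponent(repo)}/contents/`;
  const url = new URL(`${apiBase.replace(/\/+$/, '')}${scope}${encodedPath}`);
  url.searchParams.set('ref', ref);
  if (!url.pathname.startsWith(scope)) {
    throw new Error('constructed URL escaped the repository scope');
  }
  return url.toString();
}

// Stand-alone usage with a constructed, well-formed path.
console.log(
  buildContentsUrl('https://api.github.example', 'acme', 'repo', 'main', 'docs/catalog-info.yaml'),
);
```

The order of operations is the point: decode and validate per segment, then re-encode and concatenate, then confirm the result still lives under the expected prefix. Validating the already-joined string, or decoding in a loop until nothing changes, are the two shortcuts that let encoded traversal through.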

mend-on-mend bot commented Mar 5, 2026

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.
