CVE-2026-25153

Backstage is an open framework for building developer portals, and @backstage/plugin-techdocs-node provides common node.js functionalities for TechDocs. In versions of @backstage/plugin-techdocs-node prior to 1.13.11 and 1.14.1, when TechDocs is configured with runIn: local, a malicious actor who can submit or modify a repository's mkdocs.yml file can execute arbitrary Python code on the TechDocs build server via MkDocs hooks configuration. @backstage/plugin-techdocs-node versions 1.13.11 and 1.14.1 contain a fix. The fix introduces an allowlist of supported MkDocs configuration keys. Unsupported configuration keys (including hooks) are now removed from mkdocs.yml before running the generator, with a warning logged to indicate which keys were removed. Users of @techdocs/cli should also upgrade to the latest version, which includes the fixed @backstage/plugin-techdocs-node dependency. Some workarounds are available. Configure TechDocs with runIn: docker instead of `runIn: