emdash

[email protected] scope: emdash Feature

This release adds 2 notable features for engineering teams evaluating rollout.

Published 14d Productivity & Wikis

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

astro cms emdash typescript

Affected surfaces

auth deps

Summary

AI summary

Updates Patch Changes, https://github.com/ascorbic, and https://github.com/jcheese1 across a mixed release.

Changes in this release

Type	Severity	Summary	CVE
Feature	Medium	Experimental registry navigation fixed and configured registry aggregator allowed through admin CSP. Experimental registry navigation fixed and configured registry aggregator allowed through admin CSP. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: high	—
Feature	Medium	Validates aggregator responses at read-side trust boundary in DiscoveryClient with schema validation and safe parsing. Validates aggregator responses at read-side trust boundary in DiscoveryClient with schema validation and safe parsing. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—
Dependency	Medium	Updated dependencies: @emdash-cms/admin to 0.14.0, @emdash-cms/registry-client to 0.1.0, @emdash-cms/auth to 0.14.0, @emdash-cms/gutenberg-to-portable-text to 0.14.0, @emdash-cms/auth-atproto to 0.2.7. Updated dependencies: @emdash-cms/admin to 0.14.0, @emdash-cms/registry-client to 0.1.0, @emdash-cms/auth to 0.14.0, @emdash-cms/gutenberg-to-portable-text to 0.14.0, @emdash-cms/auth-atproto to 0.2.7. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—
Bugfix	Medium	Resolves bare local media IDs in media fields before external URLs fallback. Resolves bare local media IDs in media fields before external URLs fallback. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: high	—
Refactor	Medium	Refines return types from unknown to PackageProfile.Main \| null / PackageRelease.Main \| null; introduces ValidatedPackageView, ValidatedReleaseView, ValidatedSearchPackages, ValidatedListReleases. Refines return types from unknown to PackageProfile.Main \| null / PackageRelease.Main \| null; introduces ValidatedPackageView, ValidatedReleaseView, ValidatedSearchPackages, ValidatedListReleases. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: high	—

Full changelog

Patch Changes

#1100 f753dba Thanks @jcheese1! - Resolve bare local media IDs in media fields before falling back to external URLs.
#1101 e539731 Thanks @ascorbic! - Fixes experimental registry navigation and allows the configured registry aggregator through the admin CSP.
#1112 3756168 Thanks @ascorbic! - Validates aggregator responses at the read-side trust boundary in DiscoveryClient. Two layers run:
- Response envelope (uri, cid, did, slug, version, …): DiscoveryClient now routes every call through @atcute/client's schema-validating .call() against the aggregator method's output lexicon. Request params are validated too. A non-conforming envelope throws ClientValidationError.
- Embedded signed profile / release records (typed unknown by the aggregator lexicon because they are relayed verbatim from publisher repos under a different lexicon namespace): now safeParse'd against com.emdashcms.experimental.package.profile / release. A conforming record is returned as the typed lexicon shape; a non-conforming one is surfaced as null so one bad record doesn't fail an entire search page.
Refines the return types from unknown to PackageProfile.Main | null / PackageRelease.Main | null (new exported ValidatedPackageView / ValidatedReleaseView / ValidatedSearchPackages / ValidatedListReleases types). Callers must null-check. The registry install handler now fails closed when the aggregator returns a release record that does not conform to its lexicon.

Validation is structural only — the lexicon's uri format permits non-HTTP schemes, so UI rendering these URLs still applies its own scheme allow-list.
Updated dependencies [cf85941, 3756168, 3756168]:
- @emdash-cms/[email protected]
- @emdash-cms/[email protected]
- @emdash-cms/[email protected]
- @emdash-cms/[email protected]
- @emdash-cms/[email protected]

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track emdash

Get notified when new releases ship.

About emdash

All releases →

Related context

Related tools

Earlier breaking changes

[email protected] Schema migration adds `locale` and `translation_group` columns to `_emdash_bylines`.
[email protected] Byline hydration now strictly per-locale, suppressing cross‑locale fallback.
v@emdash-cms/[email protected] Changes `_emdash_content_bylines.byline_id` to store translation_group instead of row id, enforcing strict per-locale credit hydration.
v@emdash-cms/[email protected] Registry install handler fails closed on non-conforming aggregator release records.
v@emdash-cms/[email protected] Menu and menu-item API responses now camelCase, breaking clients expecting snake_case keys.