emdash

v@emdash-cms/[email protected] Security

This release includes 3 security fixes for security teams reviewing exposed deployments.

Published 6d Productivity & Wikis
✓ No known CVEs patched
This release patches 3 known CVEs

Topics

astro cms emdash typescript

Affected surfaces

deps breaking_upgrade

ReleasePort's take

Moderate signal
editorial:auto 6d

The release upgrades kysely to ^0.29.0, fixing three high-severity SQL injection advisories, and updates the import paths for the Migrator and Migration types.

Why it matters: Addresses three high-severity (CVSS ≥ 7) SQL injection vulnerabilities in the kysely dependency; any code that imports Migrator or Migration from kysely must update its import path.

Summary

AI summary

Patch release: upgrades kysely to ^0.29.0 (three SQL injection advisories fixed in ≥0.28.17), moves the Migrator and Migration type imports to kysely/migration, and bumps @cloudflare/kumo from 1.16 to 2.3 (#1177 by @ascorbic, #1139 by @ask-bonk).

Changes in this release

Security Critical

Upgrades kysely to ^0.29.0 fixing three high-severity SQL injection advisories.

Source: llm_adapter@2026-05-28

Confidence: high

Dependency Medium

Updates import paths for Migrator and Migration types to kysely/migration per kysely 0.29 changes.

Source: llm_adapter@2026-05-28

Confidence: high

Refactor Low

Bumps @cloudflare/kumo from 1.16 to 2.3, updating internal Collapsible and ChartPalette APIs without public API changes.

Source: llm_adapter@2026-05-28

Confidence: high

Full changelog

Patch Changes

  • #1177 b9cc08e Thanks @ascorbic! - Bumps @cloudflare/kumo from 1.16 to 2.3. Two internal call sites picked up breaking API changes from Kumo 2.0: Collapsible is now a compound component (Collapsible.Root / .DefaultTrigger / .DefaultPanel instead of <Collapsible label=...>), used by the accordion block; and ChartPalette.color() was renamed to ChartPalette.categorical() in the chart block. No public API changes -- consumers see identical behaviour. Tests in @emdash-cms/admin that asserted on Button's native title attribute now read aria-label instead, because Kumo 2 wraps <Button title> in a Tooltip popup rather than setting the DOM attribute.

  • #1139 88f544d Thanks @ask-bonk! - Upgrades kysely to ^0.29.0 (was ^0.27.0) to resolve three high-severity advisories fixed in >=0.28.17:

    • GHSA-wmrf-hv6w-mr66 – SQL injection via unsanitized JSON path keys
    • GHSA-pv5w-4p9q-p3v2 – JSON-path traversal injection via JSONPathBuilder.key() / .at()
    • GHSA-8cpq-38p9-67gx – MySQL SQL injection via sql.lit(string)

    Also updates import paths for Migrator and Migration types to kysely/migration to comply with kysely 0.29 export changes.

  • Updated dependencies [02ed8ba, 11b3001, fae97ee, 88f544d, 9a30607, d0ff94b]:

Breaking Changes

  • Renamed `Collapsible` API to compound components (`Collapsible.Root`, `.DefaultTrigger`, `.DefaultPanel`).
  • Renamed `ChartPalette.color()` to `ChartPalette.categorical()`.
  • Updated import paths for `Migrator` and `Migration` types from kysely to `kysely/migration`.

Security Fixes

  • GHSA-wmrf-hv6w-mr66 – Fixed SQL injection via unsanitized JSON path keys (kysely ≥ 0.28.17).
  • GHSA-pv5w-4p9q-p3v2 – Fixed JSON-path traversal injection via `JSONPathBuilder.key()` / `.at()` (kysely ≥ 0.28.17).
  • GHSA-8cpq-38p9-67gx – Fixed MySQL SQL injection via `sql.lit(string)` (kysely ≥ 0.28.17).
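For teams reviewing exposed deployments, the first question is whether any installed copy of kysely is still older than 0.28.17, including nested copies pulled in by other dependencies that a top-level bump does not replace. The script below is an added example (not code from the emdash release or the kysely project): it walks the `packages` map of a parsed package-lock.json and reports every kysely install below the fixed version, with the three advisory IDs from the changelog attached. The lockfile object at the bottom, the `example-plugin` package and the `0.27.4` version are constructed for the example.

```javascript
// Added example (not code from the emdash release or the kysely project):
// given a parsed package-lock.json (lockfileVersion 2 or 3), report every
// installed copy of kysely older than 0.28.17, the first release that carries
// the fixes for the three advisories above. The lockfile data at the bottom
// is constructed for this example.

const FIXED_KYSELY = '0.28.17';
const ADVISORIES = ['GHSA-wmrf-hv6w-mr66', 'GHSA-pv5w-4p9q-p3v2', 'GHSA-8cpq-38p9-67gx'];

// Parse a semver core "major.minor.patch" (optional leading "v"; a pre-release
// or build suffix is ignored) into three numbers, or null if it does not fit.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Compare two versions numerically (so 0.28.17 > 0.28.9, which a string
// comparison would get wrong); negative, zero or positive like strcmp.
// Throws on input it cannot parse rather than silently treating it as safe.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa) throw new Error(`unparseable version: ${a}`);
  if (!pb) throw new Error(`unparseable version: ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

function isVulnerableKyselyVersion(version) {
  return compareVersions(version, FIXED_KYSELY) < 0;
}

// Walk the "packages" map. Keys look like "node_modules/kysely" or, for a
// nested copy installed for another dependency,
// "node_modules/<dep>/node_modules/kysely". Both are checked: a fixed
// top-level copy does not protect code that resolves the nested one.
function findVulnerableKysely(lockfile) {
  const findings = [];
  const packages = (lockfile && lockfile.packages) || {};
  for (const [path, entry] of Object.entries(packages)) {
    if (!/(^|\/)node_modules\/kysely$/.test(path)) continue;
    if (!entry || typeof entry.version !== 'string') continue;
    if (isVulnerableKyselyVersion(entry.version)) {
      findings.push({ path, version: entry.version, fixedIn: FIXED_KYSELY, advisories: ADVISORIES });
    }
  }
  return findings;
}

// Constructed sample: a direct kysely still on the 0.27 line (affected) and a
// nested copy under a hypothetical plugin already on 0.29.0 (fixed).
const SAMPLE_LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { kysely: '^0.27.0', 'example-plugin': '^1.0.0' } },
    'node_modules/kysely': { version: '0.27.4' },
    'node_modules/example-plugin': { version: '1.0.0', dependencies: { kysely: '^0.29.0' } },
    'node_modules/example-plugin/node_modules/kysely': { version: '0.29.0' },
  },
};

// Usage against a real project: replace SAMPLE_LOCKFILE with
// JSON.parse(fs.readFileSync('package-lock.json', 'utf8')).
for (const f of findVulnerableKysely(SAMPLE_LOCKFILE)) {
  console.log(`${f.path}: kysely ${f.version} < ${f.fixedIn} (${f.advisories.join(', ')})`);
}
```

On the constructed lockfile the script flags only the top-level `node_modules/kysely` at 0.27.4; the nested 0.29.0 copy passes. The comparison is numeric per component on purpose: a plain string comparison would rank `0.28.9` above `0.28.17` and miss affected installs.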
