
emdash

v@emdash-cms/[email protected] Security

This release carries three security fixes, all in the kysely dependency, and is relevant to teams reviewing internet-exposed deployments.

Published 6d · Category: Productivity & Wikis

Security fixes: three GitHub Security Advisories (GHSA) in the kysely dependency. No CVE identifiers are listed for them on this page.

Topics

astro cms emdash typescript

Affected surfaces

deps (kysely) · SQL injection / JSON-path injection

ReleasePort's take

Moderate signal
editorial:auto 6d

The release upgrades kysely from ^0.27.0 to ^0.29.0, picking up the fixes for three high-severity advisories: two SQL injection bugs (unsanitized JSON path keys; `sql.lit(string)` on MySQL) and a JSON-path traversal/injection bug in `JSONPathBuilder.key()`/`.at()`.

Why it matters: the advisories are rated high severity and are fixed in kysely >=0.28.17, so any deployment whose lockfile still resolves kysely to an earlier version, directly or through an older emdash release that declared ^0.27.0, should upgrade now. emdash itself moved to ^0.29.0, which also changes the `Migrator`/`Migration` import paths to `kysely/migration`. Check the resolved version in the lockfile or with `npm ls kysely`, not just the range in package.json; a plugin can still pin an older copy under its own node_modules.
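As an added example (not code from emdash or ReleasePort), here is a TypeScript audit that reads an npm lockfile and flags every installed copy of kysely below 0.28.17, the version the three advisories are fixed in. It catches the common miss where the application's direct dependency was bumped but a plugin still nests an older kysely under its own node_modules. The lockfile is constructed for the demo and the `@example/legacy-plugin` package is hypothetical; `compareVersions` is a minimal stand-in for a semver library.

```typescript
// Added example, not from the emdash project: audit a package-lock.json (v2/v3)
// for every installed kysely and flag versions below the advisory fix version.

const FIXED_IN = "0.28.17"; // all three GHSAs on this page are fixed in >=0.28.17

// Constructed lockfile: the app upgraded its direct kysely, but a (hypothetical)
// plugin still pins ^0.27.0 and gets its own nested copy.
const SAMPLE_LOCK = JSON.stringify({
  name: "my-site",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { kysely: "^0.29.0", "@example/legacy-plugin": "1.0.0" } },
    "node_modules/kysely": { version: "0.29.0" },
    "node_modules/@example/legacy-plugin": { version: "1.0.0", dependencies: { kysely: "^0.27.0" } },
    "node_modules/@example/legacy-plugin/node_modules/kysely": { version: "0.27.4" },
  },
});

interface Finding {
  path: string;      // lockfile key, e.g. node_modules/<dep>/node_modules/kysely
  version: string;   // resolved version actually installed at that path
  vulnerable: boolean;
}

// Compare dotted numeric versions; a pre-release (e.g. 0.29.0-beta.1) sorts
// before the corresponding release. Negative means a < b.
function compareVersions(a: string, b: string): number {
  const parse = (v: string) => {
    const [core, pre] = v.split("-", 2);
    return { nums: core.split(".").map(Number), pre };
  };
  const pa = parse(a);
  const pb = parse(b);
  const len = Math.max(pa.nums.length, pb.nums.length);
  for (let i = 0; i < len; i++) {
    const d = (pa.nums[i] ?? 0) - (pb.nums[i] ?? 0);
    if (d !== 0) return d;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Walk the lockfile's "packages" map (lockfileVersion 2 and 3). Every key that
// ends in node_modules/<pkg> is an installed copy, hoisted or nested.
function auditLock(lockJson: string, pkg = "kysely", fixedIn = FIXED_IN): Finding[] {
  const lock = JSON.parse(lockJson);
  const packages: Record<string, { version?: string }> = lock.packages ?? {};
  const findings: Finding[] = [];
  for (const path of Object.keys(packages)) {
    const meta = packages[path];
    if (!path.endsWith(`node_modules/${pkg}`) || !meta.version) continue;
    findings.push({
      path,
      version: meta.version,
      vulnerable: compareVersions(meta.version, fixedIn) < 0,
    });
  }
  return findings;
}

// Convenience: just the install paths that still need the upgrade.
function vulnerablePaths(lockJson: string): string[] {
  return auditLock(lockJson).filter((f) => f.vulnerable).map((f) => f.path);
}

for (const f of auditLock(SAMPLE_LOCK)) {
  console.log(`${f.vulnerable ? "VULNERABLE" : "ok        "} ${f.version.padEnd(8)} ${f.path}`);
}
```

On a real checkout, `npm ls kysely` prints the same tree and `npm audit` maps installed versions to the GHSA ids listed below; the function only understands lockfileVersion 2 and 3 (the `packages` map), not the v1 `dependencies` tree.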

Summary

AI summary

A patch release that combines a security dependency bump (kysely ^0.29.0, PR #1139) with new workerd-based plugin sandboxing for Node.js deployments (https://github.com/emdash-cms/emdash/pull/426, by https://github.com/BenjaminPrice) and a pagination and count fix in the Cloudflare adapter.

Changes in this release

Security Critical

Upgrades kysely to ^0.29.0 (was ^0.27.0), resolving three high-severity advisories that are fixed in kysely >=0.28.17: SQL injection via unsanitized JSON path keys (GHSA-wmrf-hv6w-mr66), JSON-path traversal/injection through `JSONPathBuilder.key()`/`.at()` (GHSA-pv5w-4p9q-p3v2), and MySQL SQL injection via `sql.lit(string)` (GHSA-8cpq-38p9-67gx).

Source: llm_adapter@2026-05-28

Confidence: high

Feature Medium

Adds workerd-based plugin sandboxing for Node.js deployments with new SandboxRunner API and utilities.

Source: llm_adapter@2026-05-28

Confidence: high

Dependency Low

Updates import paths for Migrator and Migration types to kysely/migration per kysely 0.29 changes.

Source: llm_adapter@2026-05-28

Confidence: high

Dependency Low

Bumps emdash package version to 0.15.0 with updated dependencies.

Source: llm_adapter@2026-05-28

Confidence: high

Bugfix Medium

Fixes storageQuery() and storageCount() in @emdash-cms/cloudflare to honor the where, orderBy, and cursor options, which were previously ignored and caused infinite pagination loops and incorrect filtered counts.

Source: llm_adapter@2026-05-28

Confidence: low

Full changelog

Patch Changes

  • #426 02ed8ba Thanks @BenjaminPrice! - Adds workerd-based plugin sandboxing for Node.js deployments.

    • emdash: Adds isHealthy() to SandboxRunner interface, SandboxUnavailableError class, sandbox: false config option, mediaStorage field on SandboxOptions, and exports createHttpAccess/createUnrestrictedHttpAccess/PluginStorageRepository/UserRepository/OptionsRepository for platform adapters.
    • @emdash-cms/cloudflare: Implements isHealthy() on CloudflareSandboxRunner. Fixes storageQuery() and storageCount() to honor where, orderBy, and cursor options (previously ignored, causing infinite pagination loops and incorrect filtered counts). Adds storageConfig to PluginBridgeProps so PluginStorageRepository can use declared indexes.
    • @emdash-cms/sandbox-workerd: New package. WorkerdSandboxRunner for production (workerd child process + capnp config + authenticated HTTP backing service) and MiniflareDevRunner for development.
  • #1139 88f544d Thanks @ask-bonk! - Upgrades kysely to ^0.29.0 (was ^0.27.0) to resolve three high-severity advisories fixed in >=0.28.17:

    • GHSA-wmrf-hv6w-mr66 – SQL injection via unsanitized JSON path keys
    • GHSA-pv5w-4p9q-p3v2 – JSON-path traversal injection via JSONPathBuilder.key() / .at()
    • GHSA-8cpq-38p9-67gx – MySQL SQL injection via sql.lit(string)

    Also updates import paths for Migrator and Migration types to kysely/migration to comply with kysely 0.29 export changes.

  • Updated dependencies [02ed8ba, 11b3001, fae97ee, 88f544d, 9a30607, d0ff94b]:

Security Fixes

  • GHSA-wmrf-hv6w-mr66 – SQL injection via unsanitized JSON path keys (kysely >=0.28.17).
  • GHSA-pv5w-4p9q-p3v2 – JSON‑path traversal injection via `JSONPathBuilder.key()`/`.at()` (kysely >=0.28.17).
  • GHSA-8cpq-38p9-67gx – MySQL SQL injection via `sql.lit(string)` (kysely >=0.28.17).
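The three advisories share one root cause: attacker-influenced text spliced into a SQL string literal with escaping that is correct for one dialect and wrong for another, or with no validation at all. The TypeScript below is an added illustration of that bug class written for this page, not kysely's code; `quoteStandard`, `quoteMySql`, `literalStructure` and the `jsonPath*` helpers are assumed names, and the lexer is a deliberate simplification of MySQL's default mode (backslash escapes on). It shows that quote-doubling, which is correct for PostgreSQL and SQLite, lets a payload close the literal under MySQL, and that a `.key()`-style builder which interpolates segments unvalidated does the same inside a JSON path.

```typescript
// Added example (not kysely's code): a model of the bug class behind the three
// advisories. All helper names here are assumptions for illustration.

// Standard-SQL quoting (PostgreSQL, SQLite): only the single quote is special.
function quoteStandard(value: string): string {
  return `'${value.replace(/'/g, "''")}'`;
}

// MySQL quoting with backslash escapes enabled (server default, NO_BACKSLASH_ESCAPES
// off): the backslash is special too and must be escaped before the quote is.
function quoteMySql(value: string): string {
  return `'${value.replace(/\\/g, "\\\\").replace(/'/g, "\\'")}'`;
}

// Tiny lexer model: replaces every single-quoted literal with "?" so that any
// text which broke out of a literal shows up in the returned statement structure.
// backslashEscapes=true mimics MySQL's default, false mimics standard SQL.
function literalStructure(sql: string, backslashEscapes: boolean): string {
  let out = "";
  let i = 0;
  while (i < sql.length) {
    if (sql[i] !== "'") { out += sql[i]; i++; continue; }
    out += "?";
    i++; // consume the opening quote
    while (i < sql.length) {
      const c = sql[i];
      if (backslashEscapes && c === "\\") { i += 2; continue; } // \x escapes one char
      if (c === "'" && sql[i + 1] === "'") { i += 2; continue; }  // '' is an escaped quote
      if (c === "'") { i++; break; }                               // closing quote
      i++;
    }
  }
  return out;
}

// A lit()-style inline literal: the quoter decides whether the payload escapes.
function buildSelect(quote: (v: string) => string, name: string): string {
  return `SELECT * FROM users WHERE name = ${quote(name)}`;
}

// Constructed attacker input: a backslash, a quote, then a second statement.
const PAYLOAD = "\\'; DROP TABLE users; -- ";

// JSON path builder in the style of .key()/.at(). The unsafe variant splices
// segments straight into the path literal; the safe one validates each segment
// and passes the finished path through the dialect quoter.
function jsonPathUnsafe(column: string, key: string, index: number | string): string {
  return `${column}->'$.${key}[${index}]'`;
}

function jsonPathSafe(column: string, key: string, index: number,
                      quote: (v: string) => string): string {
  // Conservative allow-list: keys that would need MySQL's $."quoted member" form are rejected.
  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(key)) throw new Error(`rejected JSON path key: ${key}`);
  if (!Number.isInteger(index) || index < 0) throw new Error(`rejected array index: ${index}`);
  return `${column}->${quote(`$.${key}[${index}]`)}`;
}

// Structure each lexer mode would see; a "?" is a consumed literal, anything
// else that looks like SQL after the WHERE clause is injected structure.
function demo(): Record<string, string> {
  return {
    standardQuoterOnMySql: literalStructure(buildSelect(quoteStandard, PAYLOAD), true),
    standardQuoterOnPostgres: literalStructure(buildSelect(quoteStandard, PAYLOAD), false),
    mysqlQuoterOnMySql: literalStructure(buildSelect(quoteMySql, PAYLOAD), true),
    unsafeJsonPath: literalStructure(jsonPathUnsafe("data", "a' OR 1=1 -- ", 0), true),
    safeJsonPath: jsonPathSafe("data", "a", 0, quoteMySql),
  };
}

for (const [name, structure] of Object.keys(demo()).map((k) => [k, demo()[k]])) {
  console.log(`${name}: ${structure}`);
}
```

`demo()` returns what each lexer mode would execute: the same quote-doubled payload is a single harmless `?` under the standard-SQL lexer and becomes `?; DROP TABLE users; -- ?` under the MySQL one. The allow-list in `jsonPathSafe` is deliberately narrow and rejects keys that would need MySQL's `$."quoted member"` syntax; supporting those means quoting at the path level as well as the literal level. Bind parameters remain the better default wherever the dialect allows them, with inline literals reserved for places they cannot be used.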
