emdash

v@emdash-cms/[email protected] Breaking

This release includes 3 breaking changes for platform teams planning a safe upgrade.

Published 15d Productivity & Wikis

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

astro cms emdash typescript

Affected surfaces

breaking_upgrade

Summary

AI summary

Updates Minor Changes, Patch Changes, and https://github.com/ascorbic across a mixed release.

Changes in this release

Type	Severity	Summary	CVE
Breaking	Medium	Renames `@emdash-cms/registry-cli` to `@emdash-cms/plugin-cli` and binary from `emdash-registry` to `emdash-plugin`. Renames `@emdash-cms/registry-cli` to `@emdash-cms/plugin-cli` and binary from `emdash-registry` to `emdash-plugin`. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: high	—
Feature
Feature	Medium	Adds `emdash-plugin.jsonc` manifest support for plugin authors. Adds `emdash-plugin.jsonc` manifest support for plugin authors. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: high	—
Feature	Medium	Manifest's optional `publisher` field pins publishing identity, preventing cross-account publishes. Manifest's optional `publisher` field pins publishing identity, preventing cross-account publishes. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: high	—
Feature	Medium	Adds `emdash-plugin build` and `emdash-plugin dev` commands for plugin authoring. Adds `emdash-plugin build` and `emdash-plugin dev` commands for plugin authoring. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: high	—
Feature	Medium	`emdash-plugin build` emits runtime bytes, manifest JSON, and descriptor module. `emdash-plugin build` emits runtime bytes, manifest JSON, and descriptor module. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: high	—
Feature	Medium	Version in `emdash-plugin.jsonc` is now optional; build reconciles version between manifest and package.json. Version in `emdash-plugin.jsonc` is now optional; build reconciles version between manifest and package.json. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: high	—
Feature	Medium	`emdash-plugin bundle` reduced to packaging step, validates contents, renames plugin.mjs to backend.js inside tarball. `emdash-plugin bundle` reduced to packaging step, validates contents, renames plugin.mjs to backend.js inside tarball. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: high	—
Feature	Medium	New `emdash-plugin validate` command checks manifest against schema offline. New `emdash-plugin validate` command checks manifest against schema offline. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—
Feature	Medium	`emdash-plugin dev` watches sources with 150ms debounce, leaves last good dist on rebuild failure. `emdash-plugin dev` watches sources with 150ms debounce, leaves last good dist on rebuild failure. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—
Feature	Medium	JSON Schema for IDE completion ships at `schemas/emdash-plugin.schema.json`. JSON Schema for IDE completion ships at `schemas/emdash-plugin.schema.json`. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—
Feature	Medium	Introduces `emdash-plugin validate` command to offline schema validation with diagnostics. Introduces `emdash-plugin validate` command to offline schema validation with diagnostics. Source: granite4.1:30b@2026-05-20-audit Confidence: low	—
Feature	Medium	'emdash-plugin dev' watches source files with 150 ms debounce and retains last successful `dist/` on rebuild failure. 'emdash-plugin dev' watches source files with 150 ms debounce and retains last successful `dist/` on rebuild failure. Source: granite4.1:30b@2026-05-20-audit Confidence: low	—
Bugfix	Medium	Renames multi-word flags on `build`, `dev`, and `bundle` from camelCase to kebab-case. Renames multi-word flags on `build`, `dev`, and `bundle` from camelCase to kebab-case. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—
Bugfix	Medium	Renames `--aggregator` flag on `search` and `info` to `--registry-url` for consistency. Renames `--aggregator` flag on `search` and `info` to `--registry-url` for consistency. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—

Full changelog

Minor Changes

#1040 e6f7311 Thanks @ascorbic! - Adds emdash-plugin.jsonc manifest support. Plugin authors can now declare profile fields (license, author, security contact, name, description, keywords, repo) once in a hand-edited JSONC file instead of passing them as flags on every publish. The CLI loads ./emdash-plugin.jsonc automatically; explicit flags still win for CI use.

New emdash-plugin validate command checks a manifest against the schema offline with tsc-style file:line:column diagnostics.

The manifest's optional publisher field pins the publishing identity. On first successful publish, the CLI writes the active session's DID back to the manifest. Subsequent publishes verify the active session matches the pinned publisher and refuse on mismatch to prevent accidental cross-account publishes.

JSON Schema for IDE completion ships in the package at schemas/emdash-plugin.schema.json; reference it via "$schema": "./node_modules/@emdash-cms/plugin-cli/schemas/emdash-plugin.schema.json".
#1057 c0ce915 Thanks @ascorbic! - Renames @emdash-cms/registry-cli to @emdash-cms/plugin-cli and the binary from emdash-registry to emdash-plugin. The package's job has outgrown the original name — init, build, dev, bundle, publish, search, info, login, logout, whoami, and switch cover plugin authoring + identity + discovery, not just registry interaction. Adopt the new name on first install; the old package is no longer published.

This release also adds emdash-plugin build and emdash-plugin dev and consolidates the build pipeline so bundle is a thin packaging step on top of build.

emdash-plugin build reads emdash-plugin.jsonc and src/plugin.ts, then emits:
- dist/plugin.mjs (+ dist/plugin.d.mts) — runtime bytes (hooks + routes). The same artifact is consumed both in-process (when the plugin is in plugins: []) and by the sandbox loader (when in sandboxed: []).
- dist/manifest.json — wire-shape PluginManifest including hooks + routes harvested from probing src/plugin.ts. bundle packs this verbatim into the registry tarball; on the npm path it's metadata that consumers can read without parsing JSONC.
- dist/index.mjs (+ dist/index.d.mts) — descriptor module that default-exports a bare PluginDescriptor object. Emitted only when a sibling package.json exists (registry-only plugins skip this, since nothing would import it).
emdash-plugin dev watches src/**, emdash-plugin.jsonc, and package.json, debouncing rebuilds at 150ms. On a failed rebuild it leaves the last good dist/ in place so a downstream site importing the plugin keeps working until the next successful build. Stop with Ctrl-C.

A typical plugin package.json:
```
{
	"scripts": {
		"build": "emdash-plugin build",
		"dev": "emdash-plugin dev"
	}
}
```
version in emdash-plugin.jsonc is now optional. The build reconciles the manifest's version with package.json#version:
- Both set and matching → fine.
- Both set and different → hard error.
- One set → that value wins.
- Neither set → hard error.
The recommended pattern for npm-distributed plugins is to omit version from the manifest and let package.json be the source of truth. Registry-only plugins (no package.json) must set version in the manifest.

emdash-plugin bundle has been reduced to a packaging step: it now calls build to produce dist/, validates the bundle contents (no Node-builtin imports, no oversized files, capability sanity), collects optional assets (README, icon, screenshots), and tarballs. Inside the tarball, plugin.mjs is renamed to backend.js to match the registry's wire-side filename. validateOnly still skips tarball creation but now produces the dist/ artifacts (since "validate" implies "build first").

Patch Changes

#1091 6725e91 Thanks @ascorbic! - Renames the multi-word flags on build, dev, and bundle from camelCase to kebab-case for consistency with publish and standard Unix CLI convention.
- --outDir -> --out-dir
- --validateOnly -> --validate-only
The short alias -o for --out-dir is unchanged.
#1092 6788829 Thanks @ascorbic! - Renames the --aggregator flag on search and info to --registry-url for consistency with the EMDASH_REGISTRY_URL env var and the rest of the user-facing surface. Internally the override still selects the aggregator service to query — the rename only affects what users type.

Old:
```
emdash-plugin search "image" --aggregator https://registry.example.com
```
New:
```
emdash-plugin search "image" --registry-url https://registry.example.com
```

Breaking Changes

Package `@emdash-cms/registry-cli` renamed to `@emdash-cms/plugin-cli` with binary rename from `emdash-registry` to `emdash-plugin`.
Multi‑word flags on `build`, `dev`, and `bundle` changed: `--outDir` → `--out-dir`; `--validateOnly` → `--validate-only` (short alias `-o` unchanged).
Flag `--aggregator` on `search` and `info` renamed to `--registry-url`.

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track emdash

Get notified when new releases ship.

About emdash

All releases →

Related context

Related tools

Earlier breaking changes

[email protected] Schema migration adds `locale` and `translation_group` columns to `_emdash_bylines`.
[email protected] Byline hydration now strictly per-locale, suppressing cross‑locale fallback.
v@emdash-cms/[email protected] Changes `_emdash_content_bylines.byline_id` to store translation_group instead of row id, enforcing strict per-locale credit hydration.
v@emdash-cms/[email protected] Registry install handler fails closed on non-conforming aggregator release records.
v@emdash-cms/[email protected] Menu and menu-item API responses now camelCase, breaking clients expecting snake_case keys.