emdash

v@emdash-cms/[email protected] Feature

This release adds 3 notable features for engineering teams evaluating rollout.

Published 2d Productivity & Wikis

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

astro cms emdash typescript

Affected surfaces

auth rbac rce_ssrf

Summary

AI summary

Updates Minor Changes, Patch Changes, and https://github.com/ascorbic across a mixed release.

Changes in this release

Type	Severity	Summary	CVE
Feature
Feature	Medium	Registry plugins can declare environment requirements in manifest. Registry plugins can declare environment requirements in manifest. Source: llm_adapter@2026-06-01 Confidence: high	—
Feature	Medium	Experimental registry plugins may ship icon, screenshot, and banner images via artifacts. Experimental registry plugins may ship icon, screenshot, and banner images via artifacts. Source: llm_adapter@2026-06-01 Confidence: high	—
Feature	Medium	Experimental registry plugins support long‑form profile sections (description, installation, FAQ, changelog, security). Experimental registry plugins support long‑form profile sections (description, installation, FAQ, changelog, security). Source: llm_adapter@2026-06-01 Confidence: high	—
Dependency	Low	Updated @emdash-cms/registry-client dependency to version 0.3.0. Updated @emdash-cms/registry-client dependency to version 0.3.0. Source: llm_adapter@2026-06-01 Confidence: high	—
Bugfix	Medium	Fixes plugin build failures on Windows by importing probe artifact through a file URL. Fixes plugin build failures on Windows by importing probe artifact through a file URL. Source: llm_adapter@2026-06-01 Confidence: high	—

Full changelog

Minor Changes

#1238 60c0b2e Thanks @ascorbic! - Registry plugins can now declare environment requirements. A plugin's manifest may set a release-level requires block (e.g. { "env:emdash": ">=1.0.0", "env:astro": ">=4.16" }), which is published into the release record. When browsing a registry plugin, the admin compares those constraints against the running EmDash and Astro versions: if the host doesn't satisfy them, it shows a compatibility warning and disables the Install button. The server enforces the same check on install and update, refusing an incompatible release with ENV_INCOMPATIBLE so the gate can't be bypassed.
#1239 1a4918f Thanks @ascorbic! - Plugins published to the experimental registry can now ship icon, screenshot, and banner images. Declare them in emdash-plugin.jsonc under release.artifacts as file refs; emdash-plugin publish --artifact-base-url <url> measures each image's dimensions, uploads it, and records it in the release. The admin plugin detail page renders the icon, banner, and a screenshot gallery, fetched through a server-side image proxy. The proxy resolves each artifact's URL server-side from the validated release record (the client sends only the artifact's coordinates, never a URL), then applies SSRF defences and an image content-type allowlist before serving the bytes. Supported image types are PNG, JPEG, WebP, GIF, and AVIF; SVG is rejected at both publish and proxy because it is active content.
#1253 d2f2679 Thanks @ascorbic! - Plugins published to the experimental registry can now ship long-form profile sections. Declare them in emdash-plugin.jsonc under a top-level sections block with any of description, installation, faq, changelog, and security. Each value is either inline CommonMark Markdown or a { file: "./path.md" } ref read relative to the manifest at load time. Every section is capped at 20000 bytes and 2000 graphemes, enforced locally (inline strings during schema validation, file refs once their content is read) so emdash-plugin validate/publish fails with a clear message instead of a 400 from the PDS. File refs are resolved within the manifest directory; paths that escape it (via .. or an absolute path) are rejected. Sections are profile-level: written to the package profile record on first publish and editable afterward with emdash-registry update-package, like the other profile fields.

Patch Changes

#1247 245f8dc Thanks @mvanhorn! - Fixes plugin builds on Windows by importing the probe artifact through a file URL.
Updated dependencies [60c0b2e]:
- @emdash-cms/[email protected]

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track emdash

Get notified when new releases ship.

About emdash

All releases →

Related context

Related tools

Earlier breaking changes

[email protected] Schema migration adds `locale` and `translation_group` columns to `_emdash_bylines`.
[email protected] Byline hydration now strictly per-locale, suppressing cross‑locale fallback.
v@emdash-cms/[email protected] Changes `_emdash_content_bylines.byline_id` to store translation_group instead of row id, enforcing strict per-locale credit hydration.
v@emdash-cms/[email protected] Registry install handler fails closed on non-conforming aggregator release records.
v@emdash-cms/[email protected] Menu and menu-item API responses now camelCase, breaking clients expecting snake_case keys.