Bump emdash from 0.1.0 to 0.14.0

[dependabot]

Bumps emdash from 0.1.0 to 0.14.0.

Release notes

Sourced from emdash's releases.

emdash@0.14.0

Patch Changes

• #1100 f753dba Thanks @​jcheese1! - Resolve bare local media IDs in media fields before falling back to external URLs.

• #1101 e539731 Thanks @​ascorbic! - Fixes experimental registry navigation and allows the configured registry aggregator through the admin CSP.

• #1112 3756168 Thanks @​ascorbic! - Validates aggregator responses at the read-side trust boundary in DiscoveryClient. Two layers run:

  • Response envelope (uri, cid, did, slug, version, …): DiscoveryClient now routes every call through @atcute/client's schema-validating .call() against the aggregator method's output lexicon. Request params are validated too. A non-conforming envelope throws ClientValidationError.
  • Embedded signed profile / release records (typed unknown by the aggregator lexicon because they are relayed verbatim from publisher repos under a different lexicon namespace): now safeParse'd against com.emdashcms.experimental.package.profile / release. A conforming record is returned as the typed lexicon shape; a non-conforming one is surfaced as null so one bad record doesn't fail an entire search page.

  Refines the return types from unknown to PackageProfile.Main | null / PackageRelease.Main | null (new exported ValidatedPackageView / ValidatedReleaseView / ValidatedSearchPackages / ValidatedListReleases types). Callers must null-check. The registry install handler now fails closed when the aggregator returns a release record that does not conform to its lexicon.

  Validation is structural only — the lexicon's uri format permits non-HTTP schemes, so UI rendering these URLs still applies its own scheme allow-list.

• Updated dependencies [cf85941, 3756168, 3756168]:

  • @​emdash-cms/admin@​0.14.0
  • @​emdash-cms/registry-client@​0.1.0
  • @​emdash-cms/auth@​0.14.0
  • @​emdash-cms/gutenberg-to-portable-text@​0.14.0
  • @​emdash-cms/auth-atproto@​0.2.7

emdash@0.13.0

Minor Changes

• #1057 c0ce915 Thanks @​ascorbic! - BREAKING (plugin authors): Reworks how sandboxed plugins are defined. The definePlugin() helper is removed for sandboxed-format plugins; the new shape is a bare default export with a satisfies SandboxedPlugin annotation. A new type-only subpath emdash/plugin provides the types.

  This affects anyone writing a sandboxed plugin. Sites that use plugins are unaffected (see the per-plugin changesets for the import-shape change in published plugins).

  - import { definePlugin, type ContentHookEvent, type PluginContext } from "emdash";
  + import type { SandboxedPlugin } from "emdash/plugin";
  
  export default definePlugin({
  
  
  export default {
  hooks: {
  "content:beforeSave": {
  
  
  
    	handler: async (event: ContentHookEvent, ctx: PluginContext) => {
  
  
  
  
  
    	handler: async (event, ctx) => {
             // ...
             return event.content;
         },
     },
  
  },
  
  
  });
  
  
  } satisfies SandboxedPlugin;

Three changes:

... (truncated)

Changelog

Sourced from emdash's changelog.

0.14.0

Patch Changes

• #1100 f753dba Thanks @​jcheese1! - Resolve bare local media IDs in media fields before falling back to external URLs.

• #1101 e539731 Thanks @​ascorbic! - Fixes experimental registry navigation and allows the configured registry aggregator through the admin CSP.

• #1112 3756168 Thanks @​ascorbic! - Validates aggregator responses at the read-side trust boundary in DiscoveryClient. Two layers run:

  • Response envelope (uri, cid, did, slug, version, …): DiscoveryClient now routes every call through @atcute/client's schema-validating .call() against the aggregator method's output lexicon. Request params are validated too. A non-conforming envelope throws ClientValidationError.
  • Embedded signed profile / release records (typed unknown by the aggregator lexicon because they are relayed verbatim from publisher repos under a different lexicon namespace): now safeParse'd against com.emdashcms.experimental.package.profile / release. A conforming record is returned as the typed lexicon shape; a non-conforming one is surfaced as null so one bad record doesn't fail an entire search page.

  Refines the return types from unknown to PackageProfile.Main | null / PackageRelease.Main | null (new exported ValidatedPackageView / ValidatedReleaseView / ValidatedSearchPackages / ValidatedListReleases types). Callers must null-check. The registry install handler now fails closed when the aggregator returns a release record that does not conform to its lexicon.

  Validation is structural only — the lexicon's uri format permits non-HTTP schemes, so UI rendering these URLs still applies its own scheme allow-list.

• Updated dependencies [cf85941, 3756168, 3756168]:

  • @​emdash-cms/admin@​0.14.0
  • @​emdash-cms/registry-client@​0.1.0
  • @​emdash-cms/auth@​0.14.0
  • @​emdash-cms/gutenberg-to-portable-text@​0.14.0
  • @​emdash-cms/auth-atproto@​0.2.7

0.13.0

Minor Changes

• #1057 c0ce915 Thanks @​ascorbic! - BREAKING (plugin authors): Reworks how sandboxed plugins are defined. The definePlugin() helper is removed for sandboxed-format plugins; the new shape is a bare default export with a satisfies SandboxedPlugin annotation. A new type-only subpath emdash/plugin provides the types.

  This affects anyone writing a sandboxed plugin. Sites that use plugins are unaffected (see the per-plugin changesets for the import-shape change in published plugins).

  - import { definePlugin, type ContentHookEvent, type PluginContext } from "emdash";
  + import type { SandboxedPlugin } from "emdash/plugin";
  
  export default definePlugin({
  
  
  export default {
  hooks: {
  "content:beforeSave": {
  
  
  
    	handler: async (event: ContentHookEvent, ctx: PluginContext) => {
  
  
  
  
  
    	handler: async (event, ctx) => {
             // ...
             return event.content;
         },
     },
  
  },
  
  
  });
  
  
  } satisfies SandboxedPlugin;

... (truncated)

Commits

• 102535f ci: release (#1103)
• 3756168 feat(registry): profile fields end-to-end (license, authors, security, keywor...
• 361f0e2 ci: release (#1096)
• f753dba Fix local media ID normalization (#1100)
• e539731 fix: enable experimental registry admin UI (#1101)
• 121f173 Fix FTS5 corruption on publish (#768)
• c0ce915 feat(plugin-cli): sandboxed plugin authoring CLI (#1057)
• 23597d0 fix(core): preserve taxonomy + content_taxonomies data on D1 in migration 036...
• 878a0b6 fix(import): preserve WXR taxonomies and WPML/Polylang translations (#1087)
• 883b75b fix(client): map { terms } envelope to ListResult.items in client.terms() (#1...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.