Bump emdash from 0.1.0 to 0.11.1

[dependabot]

Bumps emdash from 0.1.0 to 0.11.1.

Release notes

Sourced from emdash's releases.

emdash@0.11.1

Patch Changes

• #991 dc44989 Thanks @​ascorbic! - Fixes TypeError crash on all content mutation API routes when Astro's cache API is not available. The cache context parameter is undefined when the cache feature is not enabled, causing cache.enabled to throw. All 11 call sites now use optional chaining (cache?.enabled).

• Updated dependencies []:

  • @​emdash-cms/admin@​0.11.1
  • @​emdash-cms/auth@​0.11.1
  • @​emdash-cms/gutenberg-to-portable-text@​0.11.1
  • @​emdash-cms/auth-atproto@​0.2.4

emdash@0.11.0

Minor Changes

• #978 27e6d58 Thanks @​ascorbic! - Enforces the sandboxed plugin bundle size caps from RFC 0001 §"Bundle size limits" in both the bundle and publish CLI flows: total decompressed ≤ 256 KB, per-file decompressed ≤ 128 KB, and at most 20 files per bundle. The previous bundle command capped only the total at 5 MB; the publish command now also re-validates the decompressed tarball before signing the release record so a publisher hits the same cap locally that aggregators enforce at ingest. Bundles between 256 KB and the old 5 MB ceiling will now be rejected — usually a sign the plugin is bundling host-provided dependencies or assets that belong in a CDN rather than the plugin payload.

• #942 7c536e5 Thanks @​MA2153! - Adds per-field allowed MIME types for file and image fields. Field-level allowedTypes is now honored end-to-end: it filters the media picker, widens upload acceptance for that field (so e.g. a zip-only field can accept zip uploads even though the global allowlist excludes them), and validates referenced media against the destination field on content save. The schema editor in admin gains an "Allowed types" control with curated presets and freeform entry.

  Behavior change: the image builder's allowedTypes option was previously accepted but read by nothing. It is now load-bearing — a code-first schema that already passed allowedTypes (e.g. ["image/png"]) will now actually narrow the picker and gate uploads. Most users will see no change; if you set this option intending the old (silent) behavior, drop it.

  Behavior change: updating a field via the admin schema editor now explicitly clears its validation when the form contains no validation settings, instead of leaving an existing validation value intact. This only affects fields with pre-existing validation that is not expressible in the editor UI.

Patch Changes

• #893 f8ee1ed Thanks @​j-liszt! - Enhances Passkey authentication with polymorphic algorithm support. Adds support for RS256 (RSA) alongside the existing ES256 (ECDSA) implementation, ensuring full compatibility with Windows Hello, hardware security keys, and FIDO2 standards. Includes a database migration to track and persist credential algorithms for future-proof authentication.

  Note for standalone @emdash-cms/auth consumers: If your credentials table already exists, you must manually run ALTER TABLE credentials ADD COLUMN algorithm INTEGER NOT NULL DEFAULT -7 to support this update. The DEFAULT -7 value ensures that existing rows (which are all ES256) continue to work seamlessly without requiring any data backfill.

• #976 4c11017 Thanks @​ask-bonk! - Fixes migration 016_api_tokens failing with table "_emdash_api_tokens" already exists after a partially-applied previous attempt. If up() crashed mid-way (D1 subrequest limit, isolate cancellation, transient connection error), the migration record never got recorded and Kysely re-ran the migration from the top on the next request, blocking every subsequent boot. up() now uses IF NOT EXISTS on every CREATE so a retry skips already-applied steps and finishes the remainder. Resolves the "table already exists" error reported on fresh Cloudflare Workers + D1 deploys.

• #939 f1d4c0b Thanks @​schiste! - Make the MCP menu write tools locale-aware by exposing locale on menu_create, menu_update, menu_delete, and menu_set_items, exposing translationOf on menu_create, and teaching handleMenuSetItems() to target the requested locale and tag inserted menu items with that menu's locale.

  All seven menu-name lookups (handleMenuUpdate, handleMenuDelete, handleMenuSetItems, handleMenuItemCreate, handleMenuItemUpdate, handleMenuItemDelete, handleMenuItemReorder) now fail loud with the new AMBIGUOUS_LOCALE error code (HTTP 400) when called with a name that exists in multiple locales and no locale is provided. Previously the lookup silently picked an arbitrary translation, which could rewrite or delete the wrong locale's menu on multi-locale installs. The error message lists the available locales so callers can recover. Single-locale installs and callers that already pass locale are unaffected.

  The translationOf → locale requirement is now enforced inside handleMenuCreate (returns VALIDATION_ERROR), so REST/SDK callers get the same guard the MCP boundary already provided.

• d273e9a Thanks @​ascorbic! - Refactors the plugin manifest types to re-export from @emdash-cms/plugin-types. The capability vocabulary (PluginCapability, CAPABILITY_RENAMES, normalizeCapability, isDeprecatedCapability) and manifest shape (ManifestHookEntry, ManifestRouteEntry, PluginStorageConfig, StorageCollectionConfig) now live in the shared package so the registry CLI can write the same types core reads. Existing imports from emdash's plugin types module continue to work unchanged.

... (truncated)

Changelog

Sourced from emdash's changelog.

0.11.1

Patch Changes

• #991 dc44989 Thanks @​ascorbic! - Fixes TypeError crash on all content mutation API routes when Astro's cache API is not available. The cache context parameter is undefined when the cache feature is not enabled, causing cache.enabled to throw. All 11 call sites now use optional chaining (cache?.enabled).

• Updated dependencies []:

  • @​emdash-cms/admin@​0.11.1
  • @​emdash-cms/auth@​0.11.1
  • @​emdash-cms/gutenberg-to-portable-text@​0.11.1
  • @​emdash-cms/auth-atproto@​0.2.4

0.11.0

Minor Changes

• #978 27e6d58 Thanks @​ascorbic! - Enforces the sandboxed plugin bundle size caps from RFC 0001 §"Bundle size limits" in both the bundle and publish CLI flows: total decompressed ≤ 256 KB, per-file decompressed ≤ 128 KB, and at most 20 files per bundle. The previous bundle command capped only the total at 5 MB; the publish command now also re-validates the decompressed tarball before signing the release record so a publisher hits the same cap locally that aggregators enforce at ingest. Bundles between 256 KB and the old 5 MB ceiling will now be rejected — usually a sign the plugin is bundling host-provided dependencies or assets that belong in a CDN rather than the plugin payload.

• #942 7c536e5 Thanks @​MA2153! - Adds per-field allowed MIME types for file and image fields. Field-level allowedTypes is now honored end-to-end: it filters the media picker, widens upload acceptance for that field (so e.g. a zip-only field can accept zip uploads even though the global allowlist excludes them), and validates referenced media against the destination field on content save. The schema editor in admin gains an "Allowed types" control with curated presets and freeform entry.

  Behavior change: the image builder's allowedTypes option was previously accepted but read by nothing. It is now load-bearing — a code-first schema that already passed allowedTypes (e.g. ["image/png"]) will now actually narrow the picker and gate uploads. Most users will see no change; if you set this option intending the old (silent) behavior, drop it.

  Behavior change: updating a field via the admin schema editor now explicitly clears its validation when the form contains no validation settings, instead of leaving an existing validation value intact. This only affects fields with pre-existing validation that is not expressible in the editor UI.

Patch Changes

• #893 f8ee1ed Thanks @​j-liszt! - Enhances Passkey authentication with polymorphic algorithm support. Adds support for RS256 (RSA) alongside the existing ES256 (ECDSA) implementation, ensuring full compatibility with Windows Hello, hardware security keys, and FIDO2 standards. Includes a database migration to track and persist credential algorithms for future-proof authentication.

  Note for standalone @emdash-cms/auth consumers: If your credentials table already exists, you must manually run ALTER TABLE credentials ADD COLUMN algorithm INTEGER NOT NULL DEFAULT -7 to support this update. The DEFAULT -7 value ensures that existing rows (which are all ES256) continue to work seamlessly without requiring any data backfill.

• #976 4c11017 Thanks @​ask-bonk! - Fixes migration 016_api_tokens failing with table "_emdash_api_tokens" already exists after a partially-applied previous attempt. If up() crashed mid-way (D1 subrequest limit, isolate cancellation, transient connection error), the migration record never got recorded and Kysely re-ran the migration from the top on the next request, blocking every subsequent boot. up() now uses IF NOT EXISTS on every CREATE so a retry skips already-applied steps and finishes the remainder. Resolves the "table already exists" error reported on fresh Cloudflare Workers + D1 deploys.

• #939 f1d4c0b Thanks @​schiste! - Make the MCP menu write tools locale-aware by exposing locale on menu_create, menu_update, menu_delete, and menu_set_items, exposing translationOf on menu_create, and teaching handleMenuSetItems() to target the requested locale and tag inserted menu items with that menu's locale.

  All seven menu-name lookups (handleMenuUpdate, handleMenuDelete, handleMenuSetItems, handleMenuItemCreate, handleMenuItemUpdate, handleMenuItemDelete, handleMenuItemReorder) now fail loud with the new AMBIGUOUS_LOCALE error code (HTTP 400) when called with a name that exists in multiple locales and no locale is provided. Previously the lookup silently picked an arbitrary translation, which could rewrite or delete the wrong locale's menu on multi-locale installs. The error message lists the available locales so callers can recover. Single-locale installs and callers that already pass locale are unaffected.

  The translationOf → locale requirement is now enforced inside handleMenuCreate (returns VALIDATION_ERROR), so REST/SDK callers get the same guard the MCP boundary already provided.

... (truncated)

Commits

• 356c52e ci: release (#992)
• dc44989 fix(core): guard cache.enabled with optional chaining in content API routes (...
• b86ce9f ci: release (#925)
• 27e6d58 feat(cli): enforce sandboxed plugin bundle size caps (#978)
• 4c11017 Fix migration 016 partial-reapply crash (#976)
• f1d4c0b Fix/mcp menu locale awareness (#939)
• 908787a feat(aggregator): scaffold plugin-registry aggregator (#971)
• 7c536e5 feat: per-field allowed MIME types for file and image fields (#942)
• c4ee7ad fix(auth): quote reserved "window" column in rate-limit SQL for Postgres (#946)
• 514d32d fix(seed): menu item i18n (#943)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.