Files

kunthawat 2d1be52177 Emdash source with visual editor image upload fix

Fixes:
1. media.ts: wrap placeholder generation in try-catch
2. toolbar.ts: check r.ok, display error message in popover

2026-05-03 10:44:54 +07:00

24 KiB

Raw Blame History

@emdash-cms/cloudflare

0.9.0

Minor Changes

#816 d4be24f Thanks @ask-bonk! - Unifies plugin capability names under a single <resource>[.<sub-resource>]:<verb>[:<qualifier>] formula so capabilities read like RBAC permissions, separates hook-registration permissions from data-access ones for clearer audits, and replaces the overloaded :any qualifier with the more conspicuous :unrestricted. Old names are still accepted with @deprecated warnings; emdash plugin bundle and emdash plugin validate warn for each deprecated name and emdash plugin publish refuses manifests that still use them.

The Cloudflare sandbox bridge and HTTP fetch helper now enforce canonical names (content:read, content:write, media:read, media:write, users:read, network:request, network:request:unrestricted). Manifests that still declare legacy names continue to work — the runner normalizes capabilities before passing them into the bridge, so installed plugins with read:content resolve to content:read and reach the same code path.

Old	New
`read:content`	`content:read`
`write:content`	`content:write`
`read:media`	`media:read`
`write:media`	`media:write`
`read:users`	`users:read`
`network:fetch`	`network:request`
`network:fetch:any`	`network:request:unrestricted`
`email:provide`	`hooks.email-transport:register`
`email:intercept`	`hooks.email-events:register`
`page:inject`	`hooks.page-fragments:register`

Existing installs keep working — manifests are normalized at every external boundary and diffCapabilities normalizes both sides so version upgrades that only rename do not trigger a "capability changed" prompt. Deprecated names will be removed in the next minor.

Patch Changes

Updated dependencies [e2b3c6c, 9dfc65c, e0dc6fb, c22fb3a, 6a4e9b8, 0ee372a, 22a16ee, 1e2b024, 81662e9, 2f22f57, ef3f076, a9c29ea, e7df21f, d5f7c48, 8ae227c, e2d5d16, 0d98c62, 64bf5b9, e81aa0f, 0041d76, cee403d, a8bac5d, 5b6f059, a86ff80, d4be24f, eb6dbd0]:
- emdash@0.9.0

0.8.0

Patch Changes

Updated dependencies [493e317, 3eca9d5, 3eca9d5, 37ada52, 0557b62, 5a581d9, 0ecd3b4, 3138432, 70924cd, 1f0f6f2, 3eca9d5, e402890, 3eca9d5, f5658f0, 3eca9d5, 3eca9d5, b6cb2e6, 3eca9d5, cf1edae, b352e88, 31333dc, da3d065, 3eca9d5, 3eca9d5, 3eca9d5, 47978b5, 3eca9d5]:
- emdash@1.0.0

0.7.0

Patch Changes

#740 63509e1 Thanks @ascorbic! - Sandboxed plugin HTTP requests now follow redirects manually and re-validate the destination at every hop. The allowedHosts list is checked on each redirect target (not just the initial URL), so an allowed host that 302s to a disallowed one no longer bypasses the scope. Credential headers (Authorization, Cookie, Proxy-Authorization) are stripped on cross-origin redirects. network:fetch:any and allowedHosts: ["*"] now still reject literal private IPs, cloud-metadata addresses, and known internal hostnames — the allowlist scopes which public hosts a plugin may reach, not whether SSRF protection applies. Non-http(s) URL schemes are rejected. Caps redirect chains at 5 hops.
Updated dependencies [8ebdf1a, 7186961, e9ecec2, e3e18aa, fae63bd, 30d8fe0, d4a95bf, a31db7d, adb118c, 080a4f1, 81fe93b, c26442b]:
- emdash@0.7.0

0.6.0

Patch Changes

#605 445b3bf Thanks @ascorbic! - Fixes D1 read replicas being bypassed for anonymous public page traffic. The middleware fast path now asks the database adapter for a per-request scoped Kysely, so anonymous reads land on the nearest replica instead of the primary-pinned singleton binding.

All D1-specific semantics (Sessions API, constraint selection, bookmark cookie) live in @emdash-cms/cloudflare/db/d1 behind a single createRequestScopedDb(opts) function. Core middleware has no D1-specific logic. Adapters opt in via a new supportsRequestScope: boolean flag on DatabaseDescriptor; d1() sets it to true.

Other fixes in the same change:
- Nested runWithContext calls in the request-context middleware now merge the parent context instead of replacing it, so an outer per-request db override is preserved through edit/preview flows.
- Baseline security headers now forward Astro's cookie symbol across the response clone so cookies.set() calls in middleware survive.
- Any write (authenticated or anonymous) now forces first-primary, so an anonymous form/comment POST isn't racing across replicas.
- The session user is read once per request and reused in both the fast path and the full runtime init (previously read twice on authenticated public-page traffic).
- Bookmark cookies are validated only for length (≤1024) and absence of control characters — no stricter shape check, so a future D1 bookmark format change won't silently degrade consistency.
- The !config bail-out now still applies baseline security headers.
- __ec_d1_bookmark references aligned to __em_d1_bookmark across runtime, docs, and JSDoc.
#569 134f776 Thanks @Yusaku01! - Fixes the playground toolbar layout on small screens.
#653 f97d6ab Thanks @ascorbic! - Adds opt-in query instrumentation for performance regression testing. Setting EMDASH_QUERY_LOG=1 causes the Kysely log hook to emit [emdash-query-log]-prefixed NDJSON on stdout for every DB query executed inside a request, tagged with the route, method, and an X-Perf-Phase header value. Zero runtime overhead when the flag is unset — the log option is only attached to Kysely when enabled.

Also exposes the helpers at emdash/database/instrumentation so first-party adapters (e.g. @emdash-cms/cloudflare) can wire the same hook into their per-request Kysely instances.
Updated dependencies [ada4ac7, f279320, 7f75193, cfd01f3, 38d637b, 31d2f4e, 445b3bf, 943d540, 2cb3165, 1859347, 14c923b, c5ef0f5, f839381, 002d0ac, 0a61ef4, 6d41fe1, b158e40, f97d6ab, e67b940, 0896ec8, 629fe1d, f52154d, 8221c2a, 8fb93eb, 6d7f288, 4ffa141, 04e6cca, 9295cc1]:
- emdash@0.6.0

0.5.0

Patch Changes

#543 7382c9d Thanks @ascorbic! - Fixes sandboxed plugin loading in Worker Loader by providing an emdash shim module
Updated dependencies [82c6345, 64f90d1, 598026c, 197bc1b, ce873f8]:
- emdash@0.5.0

0.4.0

Patch Changes

Updated dependencies [5beddc3, 8ed7969, f866c9c, 1acf174, 678cc8c, d56f6c1, 5d9120e, 9318c56, 2a7c68a, 6492ea2, b382357, 5c0776d, 1b743ac]:
- emdash@0.4.0

0.3.0

Patch Changes

Updated dependencies [f2b3973, 13f5ff5, a283954, c70f66f, 0b4e61b]:
- emdash@0.3.0

0.2.0

Patch Changes

Updated dependencies [156ba73, 80a895b, da957ce, fcd8b7b, 8ac15a4, ba2b020, 0b108cf, 1989e8b, e190324, 724191c, ed28089, a293708, c75cc5b, 6ebb797, d421ee2, 391caf4, 6474dae, 30c9a96, 122c236, 5320321, 8f44ec2, b712ae3, 9cb5a28, 7ee7d95, e1014ef, 4d4ac53, 476cb3a, 87b0439, dd708b1, befaeec, c92e7e6, 2ba1f1f, a13c4ec, a5e0603]:
- emdash@0.2.0

0.1.1

Patch Changes

#200 422018a Thanks @ascorbic! - Replace placeholder text branding with proper EmDash logo SVGs across admin UI, playground loading page, and preview interstitial
#16 7924d54 Thanks @ascorbic! - DIsplay an interstitial when loading playground
Updated dependencies [422018a, 4221ba4, 9269759, d6cfc43, 1bcfc50, 8c693b5, 5b3e33c, 9d10d27, 91e31fb, f112ac4, e9a6f7a, b297fdd, d211452, 8e28cfc, 38af118]:
- emdash@0.1.1

24 KiB

Raw Blame History

@emdash-cms/cloudflare

0.9.0

Minor Changes

Patch Changes

0.8.0

Patch Changes

0.7.0

Patch Changes

0.6.0

Patch Changes

0.5.0

Patch Changes

0.4.0

Patch Changes

0.3.0

Patch Changes

0.2.0

Patch Changes

0.1.1

Patch Changes

0.1.0

Minor Changes

Patch Changes

0.0.3

Patch Changes

0.0.2

Patch Changes

24 KiB Raw Blame History

@emdash-cms/cloudflare

0.9.0

Minor Changes

Patch Changes

0.8.0

Patch Changes

0.7.0

Patch Changes

0.6.0

Patch Changes

0.5.0

Patch Changes

0.4.0

Patch Changes

0.3.0

Patch Changes

0.2.0

Patch Changes

0.1.1

Patch Changes

0.1.0

Minor Changes

Patch Changes

0.0.3

Patch Changes

0.0.2

Patch Changes

24 KiB

Raw Blame History