Skip to content

Bump emdash from 0.1.0 to 0.7.0#7

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/emdash-0.7.0
Open

Bump emdash from 0.1.0 to 0.7.0#7
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/emdash-0.7.0

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot Bot commented on behalf of github Apr 27, 2026

Bumps emdash from 0.1.0 to 0.7.0.

Changelog

Sourced from emdash's changelog.

0.7.0

Minor Changes

  • #705 8ebdf1a Thanks @​eba8! - Adds admin white-labeling support via admin config in astro.config.mjs. Agencies can set a custom logo, site name, and favicon for the admin panel, separate from public site settings.

  • #742 c26442b Thanks @​ascorbic! - Adds trustedProxyHeaders config option so self-hosted deployments behind a reverse proxy can declare which client-IP headers to trust. Used by auth rate limits (magic-link, signup, passkey, OAuth device flow) and the public comment endpoint — without it, every request on a non-Cloudflare deployment was treated as "unknown" and rate limits were effectively disabled.

    Set the option in astro.config.mjs:

    emdash({
	trustedProxyHeaders: ["x-real-ip"], // nginx, Caddy, Traefik
});

    or via the EMDASH_TRUSTED_PROXY_HEADERS env var (comma-separated). Headers are tried in order; values ending in forwarded-for are parsed as comma-separated lists.

    Also removes the user-agent-hash fallback on the comment endpoint. The fallback was meant to give anonymous commenters on non-Cloudflare deployments something approximating per-user rate limiting, but the UA is trivially rotatable; requests with no trusted IP now share a stricter "unknown" bucket. Operators behind a reverse proxy should set trustedProxyHeaders to restore per-IP bucketing.

    Only set trustedProxyHeaders when you control the reverse proxy. Trusting a forwarded-IP header from the open internet lets any client spoof their IP and defeats rate limiting.

Patch Changes

  • #745 7186961 Thanks @​ascorbic! - Fixes an unauthenticated denial-of-service via the 404 log. Every 404 response previously inserted a new row into _emdash_404_log, so an attacker could grow the database without bound by requesting unique nonexistent URLs. Repeat hits to the same path now dedup into a single row with a hits counter and last_seen_at timestamp, referrer and user-agent headers are truncated to bounded lengths, and the log is capped at 10,000 rows with oldest-first eviction.

  • #739 e9ecec2 Thanks @​MohamedH1998! - Fixes the REST content API silently stripping publishedAt on create/update and createdAt on create. Importers can now preserve original publish and creation dates on migrated content. Gated behind content:publish_any (EDITOR+) so regular contributors cannot backdate posts. createdAt is intentionally not accepted on update — created_at is treated as immutable.

  • #732 e3e18aa Thanks @​jcheese1! - Fixes select dropdown appearing behind dialog by removing explicit z-index values and adding isolate to the admin body for proper stacking context.

  • #695 fae63bd Thanks @​ascorbic! - Fixes emdash seed so entries declared with "status": "published" are actually published. Previously the seed wrote the content row with status: "published" and a published_at timestamp but never created a live revision, so the admin UI showed "Save & Publish" instead of "Unpublish" and live_revision_id stayed null. The seed now promotes published entries to a live revision on both create and update paths.

  • #744 30d8fe0 Thanks @​ascorbic! - Fixes a setup-window admin hijack by binding /setup/admin and /setup/admin/verify to a per-session nonce cookie. Previously an unauthenticated attacker who could reach a site during first-time setup could POST to /setup/admin between the legitimate admin's email submission and passkey verification, overwriting the stored email — the admin account would then be created with the attacker's address. The admin route now mints a cryptographically random nonce, stores it in setup state, and sets it as an HttpOnly, SameSite=Strict, /_emdash/-scoped cookie; the verify route rejects any request whose cookie does not match in constant time.

  • #685 d4a95bf Thanks @​ascorbic! - Fixes visual editing: clicking an editable field now opens the inline editor instead of always opening the admin in a new tab. The toolbar's manifest fetch was reading manifest.collections directly but the /_emdash/api/manifest endpoint wraps its payload in { data: … }, so every field-kind lookup returned null and every click fell through to the admin-new-tab fallback.

  • #743 a31db7d Thanks @​ascorbic! - Locks emdash:site_url after the first setup call so a spoofed Host header on a later step of the wizard can't overwrite it. Config (siteUrl) and env (EMDASH_SITE_URL) paths already took precedence; this is a defence-in-depth guard for deployments that rely on the request-origin fallback.

  • #737 adb118c Thanks @​ascorbic! - Rate-limits the self-signup request endpoint to prevent abuse. POST /_emdash/api/auth/signup/request now allows 3 requests per 5 minutes per IP, matching the existing limit on magic-link/send. Over-limit requests return the same generic success response as allowed-but-ignored requests, so the limit isn't observable to callers.

  • #738 080a4f1 Thanks @​ascorbic! - Strengthens SSRF protection on the import pipeline against DNS-rebinding. The validateExternalUrl helper now also blocks known wildcard DNS services (nip.io, sslip.io, xip.io, traefik.me, lvh.me, localtest.me) and trailing-dot FQDN forms of blocked hostnames. A new resolveAndValidateExternalUrl resolves the target hostname via DNS-over-HTTPS (Cloudflare) and rejects if any returned IP is in a private range. ssrfSafeFetch and the plugin unrestricted-fetch path now use the DNS-aware validator on every hop. This adds two DoH round-trips per outbound request; self-hosted admins whose egress blocks cloudflare-dns.com can inject a custom resolver via setDefaultDnsResolver.

  • #736 81fe93b Thanks @​ascorbic! - Restricts Subscriber-role access to draft, scheduled, and trashed content. Subscribers retain content:read for member-only published content but no longer see non-published items via the REST API or MCP server. Adds a new content:read_drafts permission (Contributor and above) that gates /compare, /revisions, /trash, /preview-url, and the corresponding MCP tools.

  • Updated dependencies [8ebdf1a, 2e4b205, e3e18aa, 743b080, fa8d753, 81fe93b]:

    • @​emdash-cms/admin@​0.7.0
    • @​emdash-cms/auth@​0.7.0
    • @​emdash-cms/gutenberg-to-portable-text@​0.7.0

0.6.0

... (truncated)

Commits
  • 8a86aab ci: release (#698)
  • 7186961 fix(redirects): bound 404 log to prevent unauthenticated DoS (#745)
  • 30d8fe0 fix(setup): bind admin creation to per-session nonce cookie (#744)
  • a31db7d fix(setup): write emdash:site_url once, don't overwrite on later calls (#743)
  • e9ecec2 fix(core): accept publishedAt/createdAt on content create/update (#739)
  • c26442b feat(auth): trustedProxyHeaders config for self-hosted rate limits (#742)
  • e3e18aa fix(admin): select dropdown appearing behind dialog (#732)
  • 080a4f1 fix(import): resolve hostnames before fetching external URLs (#738)
  • adb118c fix(auth): rate-limit signup request endpoint (#737)
  • 81fe93b fix(auth): restrict Subscriber access to non-published content (#736)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Bump emdash from 0.1.0 to 0.7.0
dcb9e5b 
Bumps [emdash](https://github.com/emdash-cms/emdash/tree/HEAD/packages/core) from 0.1.0 to 0.7.0.
- [Changelog](https://github.com/emdash-cms/emdash/blob/main/packages/core/CHANGELOG.md)
- [Commits](https://github.com/emdash-cms/emdash/commits/emdash@0.7.0/packages/core)

---
updated-dependencies:
- dependency-name: emdash
  dependency-version: 0.7.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github
Copy link
Copy Markdown
Author

dependabot Bot commented on behalf of github Apr 27, 2026

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot mentioned this pull request Apr 27, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants