ci: release

[emdashbot]

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

@emdash-cms/admin@0.16.0

Minor Changes

• #1238 60c0b2e Thanks @ascorbic! - Registry plugins can now declare environment requirements. A plugin's manifest may set a release-level requires block (e.g. { "env:emdash": ">=1.0.0", "env:astro": ">=4.16" }), which is published into the release record. When browsing a registry plugin, the admin compares those constraints against the running EmDash and Astro versions: if the host doesn't satisfy them, it shows a compatibility warning and disables the Install button. The server enforces the same check on install and update, refusing an incompatible release with ENV_INCOMPATIBLE so the gate can't be bypassed.

• #1239 1a4918f Thanks @ascorbic! - Plugins published to the experimental registry can now ship icon, screenshot, and banner images. Declare them in emdash-plugin.jsonc under release.artifacts as file refs; emdash-plugin publish --artifact-base-url <url> measures each image's dimensions, uploads it, and records it in the release. The admin plugin detail page renders the icon, banner, and a screenshot gallery, fetched through a server-side image proxy. The proxy resolves each artifact's URL server-side from the validated release record (the client sends only the artifact's coordinates, never a URL), then applies SSRF defences and an image content-type allowlist before serving the bytes. Supported image types are PNG, JPEG, WebP, GIF, and AVIF; SVG is rejected at both publish and proxy because it is active content.

• #1253 d2f2679 Thanks @ascorbic! - The registry plugin detail page now surfaces a plugin's long-form profile sections. Publishers' description, installation, faq, changelog, and security sections render as sanitized Markdown (the shared audited renderMarkdown — raw HTML, scripts, and images stripped, https-only links) in a tabbed view below the install action, with one tab per non-empty section. The page also shows an SBOM badge with the document format and a guarded direct download link (rendered only for safe http(s) URLs), the publisher-asserted lastUpdated time labelled distinctly from the aggregator's indexedAt, and an accessible tooltip on the verified-publisher shield naming the labeller DID that issued the verification.

Patch Changes

• #1257 62619c2 Thanks @Rimander! - Completes the Spanish (Spain) admin translation, filling the 54 remaining untranslated strings across the plugin registry, SEO/social-image settings, the code-block editor, byline/content strings, and the capability-consent dialog. The es-ES catalog is now fully translated.

• #1255 3d540da Thanks @ascorbic! - Fix admin crash on authenticated load with @cloudflare/kumo 2.4.x (#1240). The
  sidebar was using Sidebar.GroupContent and group-level collapsible/
  defaultOpen props, which were removed in kumo 2.4.0. The four nav sections
  (Content, Manage, Admin, Plugins) now render as plain Sidebar.Group blocks.
  The workspace catalog range for @cloudflare/kumo is bumped from ^2.3.0 to
  ^2.4.0 to match.

• #1248 b89e988 Thanks @mvanhorn! - Fixes the flat taxonomy tag picker so focusing an empty input shows available existing terms for the collection.

• #1244 4612749 Thanks @pitscher! - Fixes admin UI translations for permission counts and action labels so languages can use their correct plural forms and word order

• Updated dependencies [60c0b2e]:

  • @emdash-cms/registry-client@0.3.0
  • @emdash-cms/blocks@0.16.0

emdash@0.16.0

Minor Changes

• #1195 47a8350 Thanks @ascorbic! - The per-collection sitemap (/sitemap-{collection}.xml) is now i18n-aware. When Astro i18n is enabled, each translation row is emitted as its own <url> with the correct locale prefix (resolved via Astro's own getRelativeLocaleUrl, so prefixDefaultLocale and custom path mappings are honoured). Every entry also lists its sibling translations as <xhtml:link rel="alternate" hreflang="..."> (plus x-default for the default-locale variant), grouped by translation_group. Sites with a single locale or no i18n configured are unaffected -- their sitemap XML is unchanged.

• #1238 60c0b2e Thanks @ascorbic! - Registry plugins can now declare environment requirements. A plugin's manifest may set a release-level requires block (e.g. { "env:emdash": ">=1.0.0", "env:astro": ">=4.16" }), which is published into the release record. When browsing a registry plugin, the admin compares those constraints against the running EmDash and Astro versions: if the host doesn't satisfy them, it shows a compatibility warning and disables the Install button. The server enforces the same check on install and update, refusing an incompatible release with ENV_INCOMPATIBLE so the gate can't be bypassed.

• #1239 1a4918f Thanks @ascorbic! - Plugins published to the experimental registry can now ship icon, screenshot, and banner images. Declare them in emdash-plugin.jsonc under release.artifacts as file refs; emdash-plugin publish --artifact-base-url <url> measures each image's dimensions, uploads it, and records it in the release. The admin plugin detail page renders the icon, banner, and a screenshot gallery, fetched through a server-side image proxy. The proxy resolves each artifact's URL server-side from the validated release record (the client sends only the artifact's coordinates, never a URL), then applies SSRF defences and an image content-type allowlist before serving the bytes. Supported image types are PNG, JPEG, WebP, GIF, and AVIF; SVG is rejected at both publish and proxy because it is active content.

• #1064 33f76b8 Thanks @Glacier-Luo! - Adds field-level and range filtering to getEmDashCollection's where option. Previously, only taxonomy-based keys were processed via JOIN; non-taxonomy field names were silently discarded. Now the where clause supports exact match (string), multi-value match (string[]), and range comparisons ({ gt?, gte?, lt?, lte? }) on any content table column, all executed at the SQL layer with parameterized queries.

Patch Changes

• #1159 e312528 Thanks @jp-knj! - Fix scheduled posts missing from snapshot export on SQLite/D1 until UTC midnight.

• #1166 668c5e1 Thanks @OrangeManLi! - Fixes portableTextToProsemirror flattening nested lists whose subtree mixes listItem types. The outer run-grouping broke on the first nested type switch (e.g. an orderedList child under a bulletList parent), so an input like [bullet L1, number L2, bullet L1] was emitted as three separate top-level lists instead of one bullet list with a numbered sub-list under the first item. Internal convertList/convertListItem recursion was already correct — only the outer grouping needed to be widened to include level > 1 blocks regardless of listItem type.

• #1160 f62c004 Thanks @CacheMeOwside! - Fixes Postgres server bundles importing better-sqlite3, which crashed production starts (pnpm preview, pnpm start) with ERR_MODULE_NOT_FOUND because the SQLite driver is not installed in Postgres-only deployments. Moved EmDashDatabaseError into a new SQLite driver-free database/errors.ts and re-exported it from there, so the better-sqlite3 import doesn't leak into the Postgres build.

• #985 5456514 Thanks @ppppangu! - Fixes public form embeds during SSR by allowing frontend plugin components to call public plugin routes without self-fetching.

• #1157 7554bd3 Thanks @jp-knj! - Fix scheduled posts not appearing on SQLite/D1 until UTC midnight.

• #1196 e9877e1 Thanks @Rimander! - Fix WordPress import leaving featured_image (and other image/file fields) pointing at the original WordPress URL after media download. The rewrite step passed the whole stored MediaValue JSON to the URL matcher instead of its inner src, so the field was never rewritten to the local R2 URL even though the file existed in the media table. Inline content images were unaffected.

• Updated dependencies [62619c2, 3d540da, b89e988, 4612749, 60c0b2e, 1a4918f, d2f2679]:

  • @emdash-cms/admin@0.16.0
  • @emdash-cms/registry-client@0.3.0
  • @emdash-cms/auth@0.16.0
  • @emdash-cms/gutenberg-to-portable-text@0.16.0

@emdash-cms/plugin-cli@0.5.0

Minor Changes

• #1238 60c0b2e Thanks @ascorbic! - Registry plugins can now declare environment requirements. A plugin's manifest may set a release-level requires block (e.g. { "env:emdash": ">=1.0.0", "env:astro": ">=4.16" }), which is published into the release record. When browsing a registry plugin, the admin compares those constraints against the running EmDash and Astro versions: if the host doesn't satisfy them, it shows a compatibility warning and disables the Install button. The server enforces the same check on install and update, refusing an incompatible release with ENV_INCOMPATIBLE so the gate can't be bypassed.

• #1239 1a4918f Thanks @ascorbic! - Plugins published to the experimental registry can now ship icon, screenshot, and banner images. Declare them in emdash-plugin.jsonc under release.artifacts as file refs; emdash-plugin publish --artifact-base-url <url> measures each image's dimensions, uploads it, and records it in the release. The admin plugin detail page renders the icon, banner, and a screenshot gallery, fetched through a server-side image proxy. The proxy resolves each artifact's URL server-side from the validated release record (the client sends only the artifact's coordinates, never a URL), then applies SSRF defences and an image content-type allowlist before serving the bytes. Supported image types are PNG, JPEG, WebP, GIF, and AVIF; SVG is rejected at both publish and proxy because it is active content.

• #1253 d2f2679 Thanks @ascorbic! - Plugins published to the experimental registry can now ship long-form profile sections. Declare them in emdash-plugin.jsonc under a top-level sections block with any of description, installation, faq, changelog, and security. Each value is either inline CommonMark Markdown or a { file: "./path.md" } ref read relative to the manifest at load time. Every section is capped at 20000 bytes and 2000 graphemes, enforced locally (inline strings during schema validation, file refs once their content is read) so emdash-plugin validate/publish fails with a clear message instead of a 400 from the PDS. File refs are resolved within the manifest directory; paths that escape it (via .. or an absolute path) are rejected. Sections are profile-level: written to the package profile record on first publish and editable afterward with emdash-registry update-package, like the other profile fields.

Patch Changes

• #1247 245f8dc Thanks @mvanhorn! - Fixes plugin builds on Windows by importing the probe artifact through a file URL.

• Updated dependencies [60c0b2e]:

  • @emdash-cms/registry-client@0.3.0

@emdash-cms/registry-client@0.3.0

Minor Changes

• #1238 60c0b2e Thanks @ascorbic! - Registry plugins can now declare environment requirements. A plugin's manifest may set a release-level requires block (e.g. { "env:emdash": ">=1.0.0", "env:astro": ">=4.16" }), which is published into the release record. When browsing a registry plugin, the admin compares those constraints against the running EmDash and Astro versions: if the host doesn't satisfy them, it shows a compatibility warning and disables the Install button. The server enforces the same check on install and update, refusing an incompatible release with ENV_INCOMPATIBLE so the gate can't be bypassed.

@emdash-cms/auth-atproto@0.2.9

Patch Changes

• Updated dependencies []:
  • @emdash-cms/auth@0.16.0

@emdash-cms/cloudflare@0.16.0

Patch Changes

• Updated dependencies [e312528, 668c5e1, f62c004, 47a8350, 5456514, 60c0b2e, 1a4918f, 7554bd3, 33f76b8, e9877e1]:
  • emdash@0.16.0

@emdash-cms/plugin-embeds@0.1.17

Patch Changes

• Updated dependencies []:
  • @emdash-cms/blocks@0.16.0

@emdash-cms/plugin-forms@0.2.3

Patch Changes

• #985 5456514 Thanks @ppppangu! - Fixes public form embeds during SSR by allowing frontend plugin components to call public plugin routes without self-fetching.

@emdash-cms/sandbox-workerd@0.1.1

Patch Changes

• Updated dependencies [e312528, 668c5e1, f62c004, 47a8350, 5456514, 60c0b2e, 1a4918f, 7554bd3, 33f76b8, e9877e1]:
  • emdash@0.16.0

@emdash-cms/auth@0.16.0

@emdash-cms/blocks@0.16.0

create-emdash@0.16.0

@emdash-cms/gutenberg-to-portable-text@0.16.0

@emdash-cms/x402@0.16.0

@emdash-cms/fixture-perf-site@0.0.12

Patch Changes

• Updated dependencies [e312528, 668c5e1, f62c004, 47a8350, 5456514, 60c0b2e, 1a4918f, 7554bd3, 33f76b8, e9877e1]:
  • emdash@0.16.0
  • @emdash-cms/cloudflare@0.16.0

@emdash-cms/perf-demo-site@0.0.12

Patch Changes

• Updated dependencies [e312528, 668c5e1, f62c004, 245f8dc, 47a8350, 5456514, 60c0b2e, 1a4918f, d2f2679, 7554bd3, 33f76b8, e9877e1]:
  • emdash@0.16.0
  • @emdash-cms/plugin-cli@0.5.0
  • @emdash-cms/plugin-forms@0.2.3
  • @emdash-cms/cloudflare@0.16.0
  • @emdash-cms/plugin-webhook-notifier@0.2.0

@emdash-cms/cache-demo-site@0.0.12

Patch Changes

• Updated dependencies [e312528, 668c5e1, f62c004, 245f8dc, 47a8350, 5456514, 60c0b2e, 1a4918f, d2f2679, 7554bd3, 33f76b8, e9877e1]:
  • emdash@0.16.0
  • @emdash-cms/plugin-cli@0.5.0
  • @emdash-cms/plugin-forms@0.2.3
  • @emdash-cms/cloudflare@0.16.0
  • @emdash-cms/plugin-webhook-notifier@0.2.0

---

Try this PR

Open a fresh playground →

A full working EmDash site, deployed from this branch. Each visit gets its own session-scoped sandbox: no login needed and no shared state. Try the admin, edit content, hit the public site.

_{Tracks changeset-release/main. Updated automatically when the playground redeploys.}

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Updated (UTC)
✅ Deployment successful! View logs	docs	7acaa6d	Jun 01 2026, 06:51 PM

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Updated (UTC)
✅ Deployment successful! View logs	emdash-demo-cache	7acaa6d	Jun 01 2026, 06:52 PM

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Updated (UTC)
✅ Deployment successful! View logs	emdash-playground	7acaa6d	Jun 01 2026, 06:52 PM

[pkg-pr-new]

Open in StackBlitz

@emdash-cms/admin

npm i https://pkg.pr.new/@emdash-cms/admin@1209

@emdash-cms/auth

npm i https://pkg.pr.new/@emdash-cms/auth@1209

@emdash-cms/auth-atproto

npm i https://pkg.pr.new/@emdash-cms/auth-atproto@1209

@emdash-cms/blocks

npm i https://pkg.pr.new/@emdash-cms/blocks@1209

@emdash-cms/cloudflare

npm i https://pkg.pr.new/@emdash-cms/cloudflare@1209

@emdash-cms/contentful-to-portable-text

npm i https://pkg.pr.new/@emdash-cms/contentful-to-portable-text@1209

emdash

npm i https://pkg.pr.new/emdash@1209

create-emdash

npm i https://pkg.pr.new/create-emdash@1209

@emdash-cms/gutenberg-to-portable-text

npm i https://pkg.pr.new/@emdash-cms/gutenberg-to-portable-text@1209

@emdash-cms/plugin-cli

npm i https://pkg.pr.new/@emdash-cms/plugin-cli@1209

@emdash-cms/plugin-types

npm i https://pkg.pr.new/@emdash-cms/plugin-types@1209

@emdash-cms/registry-client

npm i https://pkg.pr.new/@emdash-cms/registry-client@1209

@emdash-cms/registry-lexicons

npm i https://pkg.pr.new/@emdash-cms/registry-lexicons@1209

@emdash-cms/sandbox-workerd

npm i https://pkg.pr.new/@emdash-cms/sandbox-workerd@1209

@emdash-cms/x402

npm i https://pkg.pr.new/@emdash-cms/x402@1209

@emdash-cms/plugin-ai-moderation

npm i https://pkg.pr.new/@emdash-cms/plugin-ai-moderation@1209

@emdash-cms/plugin-atproto

npm i https://pkg.pr.new/@emdash-cms/plugin-atproto@1209

@emdash-cms/plugin-audit-log

npm i https://pkg.pr.new/@emdash-cms/plugin-audit-log@1209

@emdash-cms/plugin-color

npm i https://pkg.pr.new/@emdash-cms/plugin-color@1209

@emdash-cms/plugin-embeds

npm i https://pkg.pr.new/@emdash-cms/plugin-embeds@1209

@emdash-cms/plugin-field-kit

npm i https://pkg.pr.new/@emdash-cms/plugin-field-kit@1209

@emdash-cms/plugin-forms

npm i https://pkg.pr.new/@emdash-cms/plugin-forms@1209

@emdash-cms/plugin-webhook-notifier

npm i https://pkg.pr.new/@emdash-cms/plugin-webhook-notifier@1209

commit: 7acaa6d

[github-actions]

Scope check

This PR touches 33 files. PRs with a broad scope are harder to review. Please confirm the scope hasn't drifted beyond the intended change.
This PR spans 5 different areas (area/core, area/admin, area/plugins, area/auth, area/cloudflare). Consider breaking it into smaller, focused PRs.

If this scope is intentional, no action needed. A maintainer will review it. If not, please consider splitting this into smaller PRs.

See CONTRIBUTING.md for contribution guidelines.

[github-actions]

Overlapping PRs

This PR modifies files that are also changed by other open PRs:

• chore(deps-dev): bump the dev-dependencies group with 19 updates #1262 (4 shared files)

This may cause merge conflicts or duplicated work. A maintainer will coordinate.