Bump emdash from 0.1.0 to 0.21.0

[dependabot]

Bumps emdash from 0.1.0 to 0.21.0.

Release notes

Sourced from emdash's releases.

emdash@0.21.0

Minor Changes

• #1382 b6a5fac Thanks @​ascorbic! - The Astro dev server now prints absolute, clickable URLs for the admin UI and (when enabled) the MCP server, along with a dev-bypass shortcut link that signs you in as a dev admin without going through passkey setup or auth. The startup banner also shows the installed EmDash version. The dev-bypass link is dev-only and the underlying endpoint returns 403 in production.

• #1508 e9cd7b7 Thanks @​swissky! - Add a "Gone (410)" rule type. Redirect rules now support 410 (Content Deleted) and 451 (Unavailable For Legal Reasons) as terminal statuses — served directly with no destination — and the 404 log offers a one-click "Mark as Gone (410)" action next to "Create redirect". A 410 tells search engines a URL was intentionally and permanently removed, so it is deindexed faster than a 404.

Patch Changes

• #1511 23c37f3 Thanks @​CacheMeOwside! - Fixes emdash doctor always reporting "could not query users table". The users check now queries the correct table and reports the actual user count.

• #1530 997d7ee Thanks @​ascorbic! - Fixes admin and content pages intermittently hanging and returning 524 timeouts on Cloudflare Workers. The per-isolate caches for byline custom-field definitions and resolved site secrets could retain a never-settling promise left behind by a cancelled request, which wedged every later request on that isolate until it was evicted. Both caches now cache the resolved value behind a reclaimable single-flight lock, so a cancelled request can no longer stall the isolate.

• #1386 37e848b Thanks @​auggernaut! - Skips default robots.txt and sitemap.xml route injection when the host site defines its own root routes.

• Updated dependencies [1b10c1d, e9cd7b7]:

  • @​emdash-cms/admin@​0.21.0
  • @​emdash-cms/auth@​0.21.0
  • @​emdash-cms/gutenberg-to-portable-text@​0.21.0

emdash@0.20.0

Minor Changes

• #1461 b01aa9b Thanks @​ascorbic! - Fixes registry installs failing with "Plugin manifest has changed since you consented" for plugins that declare hook-registration capabilities (email transport, email events, page fragments) or read user records. Plugin bundles now declare their access as a structured declaredAccess contract that the registry record, the install-consent dialog, and the sandbox all read consistently, so every capability a plugin declares is shown for consent and enforced — no capability is silently dropped. Re-publish affected plugins to adopt the new bundle format; existing installs are unaffected.

• #1425 3e344af Thanks @​swissky! - Repeater fields support image sub-fields with the media picker (#1424)

  Repeater rows previously rendered every non-scalar sub-field as a plain text input, so galleries had to be built from hand-pasted URLs. Image sub-fields now render the same media-picker UI as top-level image fields (select, preview, change, remove) and store the same MediaValue shape — legacy string URLs keep working.

  Includes: image in the schema-builder sub-field type select, the shared ImageFieldRenderer extracted out of ContentEditor for reuse, and the sub-field type whitelists in core (REPEATER_SUB_FIELD_TYPES + the API Zod enum) extended — the Zod enum also gains the previously missing url entry that the builder already offered.

Patch Changes

• #1447 141aa11 Thanks @​ascorbic! - Fixes @atcute peer dependency warnings on install (#1435)

  Installing EmDash pulled in mismatched @atcute package versions, so pnpm install / npm install reported unmet peer warnings for @atcute/identity and @atcute/lexicons. The bundled @atcute dependencies are now aligned on v2 and installs are clean. If your project also depends on @atcute packages directly, note they have moved to v2 (@atcute/client 5, @atcute/lexicons 2, @atcute/atproto 4, @atcute/oauth-node-client 2).

• #1492 7688f0b Thanks @​ascorbic! - Fixes a read-your-writes gap with database read replication: the session bookmark cookie is now persisted even when page rendering throws after a successful write, so an immediately-following request can't read pre-write state from a lagging replica.

• #1459 c7166b0 Thanks @​mvanhorn! - Fix scheduled entries staying hidden after their scheduled time (#1402)

  isVisible() read scheduledAt via dataStr, which returned an empty string for the Date the loader produced, so entries whose scheduled time had passed never became visible. The visibility check now reads the scheduled time correctly.

... (truncated)

Changelog

Sourced from emdash's changelog.

0.21.0

Minor Changes

• #1382 b6a5fac Thanks @​ascorbic! - The Astro dev server now prints absolute, clickable URLs for the admin UI and (when enabled) the MCP server, along with a dev-bypass shortcut link that signs you in as a dev admin without going through passkey setup or auth. The startup banner also shows the installed EmDash version. The dev-bypass link is dev-only and the underlying endpoint returns 403 in production.

• #1508 e9cd7b7 Thanks @​swissky! - Add a "Gone (410)" rule type. Redirect rules now support 410 (Content Deleted) and 451 (Unavailable For Legal Reasons) as terminal statuses — served directly with no destination — and the 404 log offers a one-click "Mark as Gone (410)" action next to "Create redirect". A 410 tells search engines a URL was intentionally and permanently removed, so it is deindexed faster than a 404.

Patch Changes

• #1511 23c37f3 Thanks @​CacheMeOwside! - Fixes emdash doctor always reporting "could not query users table". The users check now queries the correct table and reports the actual user count.

• #1530 997d7ee Thanks @​ascorbic! - Fixes admin and content pages intermittently hanging and returning 524 timeouts on Cloudflare Workers. The per-isolate caches for byline custom-field definitions and resolved site secrets could retain a never-settling promise left behind by a cancelled request, which wedged every later request on that isolate until it was evicted. Both caches now cache the resolved value behind a reclaimable single-flight lock, so a cancelled request can no longer stall the isolate.

• #1386 37e848b Thanks @​auggernaut! - Skips default robots.txt and sitemap.xml route injection when the host site defines its own root routes.

• Updated dependencies [1b10c1d, e9cd7b7]:

  • @​emdash-cms/admin@​0.21.0
  • @​emdash-cms/auth@​0.21.0
  • @​emdash-cms/gutenberg-to-portable-text@​0.21.0

0.20.0

Minor Changes

• #1461 b01aa9b Thanks @​ascorbic! - Fixes registry installs failing with "Plugin manifest has changed since you consented" for plugins that declare hook-registration capabilities (email transport, email events, page fragments) or read user records. Plugin bundles now declare their access as a structured declaredAccess contract that the registry record, the install-consent dialog, and the sandbox all read consistently, so every capability a plugin declares is shown for consent and enforced — no capability is silently dropped. Re-publish affected plugins to adopt the new bundle format; existing installs are unaffected.

• #1425 3e344af Thanks @​swissky! - Repeater fields support image sub-fields with the media picker (#1424)

  Repeater rows previously rendered every non-scalar sub-field as a plain text input, so galleries had to be built from hand-pasted URLs. Image sub-fields now render the same media-picker UI as top-level image fields (select, preview, change, remove) and store the same MediaValue shape — legacy string URLs keep working.

  Includes: image in the schema-builder sub-field type select, the shared ImageFieldRenderer extracted out of ContentEditor for reuse, and the sub-field type whitelists in core (REPEATER_SUB_FIELD_TYPES + the API Zod enum) extended — the Zod enum also gains the previously missing url entry that the builder already offered.

Patch Changes

• #1447 141aa11 Thanks @​ascorbic! - Fixes @atcute peer dependency warnings on install (#1435)

  Installing EmDash pulled in mismatched @atcute package versions, so pnpm install / npm install reported unmet peer warnings for @atcute/identity and @atcute/lexicons. The bundled @atcute dependencies are now aligned on v2 and installs are clean. If your project also depends on @atcute packages directly, note they have moved to v2 (@atcute/client 5, @atcute/lexicons 2, @atcute/atproto 4, @atcute/oauth-node-client 2).

• #1492 7688f0b Thanks @​ascorbic! - Fixes a read-your-writes gap with database read replication: the session bookmark cookie is now persisted even when page rendering throws after a successful write, so an immediately-following request can't read pre-write state from a lagging replica.

• #1459 c7166b0 Thanks @​mvanhorn! - Fix scheduled entries staying hidden after their scheduled time (#1402)

... (truncated)

Commits

• 8b57af6 ci: release (#1516)
• b6a5fac feat(core): print clickable dev-server URLs and dev-bypass shortcut (#1382)
• 37e848b [codex] Skip core SEO routes when site routes exist (#1386)
• 997d7ee fix: close remaining isolate-poisoning hangs after #1489 (#1530)
• 23c37f3 fix(cli): correct users table in doctor command (#1511)
• e9cd7b7 feat(redirects): add a Gone (410) rule type + one-click "Mark as Gone" from t...
• 7f14318 ci: release (#1449)
• 7688f0b feat(cloudflare): Durable Objects SQL database backend with read replication ...
• 9c994ad fix: npx emdash types crashes due to schema envelope mismatch (#1458)
• c7166b0 fix: scheduled entries stay hidden after scheduledAt passes (#1459)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.