emdash-cms/emdash emdash@0.2.0

on GitHub

Minor Changes

• #367 8f44ec2 Thanks @ttmx! - Adds content:afterPublish and content:afterUnpublish plugin hooks, fired after content is published or unpublished. Both are fire-and-forget notifications requiring read:content capability, supporting trusted and sandboxed plugins.

• #431 7ee7d95 Thanks @jdevalk! - Per-collection sitemaps with sitemap index and lastmod

  /sitemap.xml now serves a <sitemapindex> with one child sitemap per SEO-enabled collection. Each collection's sitemap is at /sitemap-{collection}.xml with <lastmod> on both index entries and individual URLs. Uses the collection's url_pattern for correct URL building.

• #414 4d4ac53 Thanks @jdevalk! - Adds breadcrumbs?: BreadcrumbItem[] to PublicPageContext so themes can publish a breadcrumb trail as part of the page context, and SEO plugins (or any other page:metadata consumer) can read it without having to invent their own per-theme override mechanism. BreadcrumbItem is also exported from the emdash package root. The field is optional and non-breaking — existing themes and plugins work unchanged, and consumers can adopt it incrementally. Empty array (breadcrumbs: []) is an explicit opt-out signal (e.g. for homepages); undefined means "no opinion, fall back to consumer's own derivation".

• #111 87b0439 Thanks @mvanhorn! - Adds repeater field type for structured repeating data

• #382 befaeec Thanks @UpperM! - Adds siteUrl config option to fix reverse-proxy origin mismatch. Replaces passkeyPublicOrigin with a single setting that covers all origin-dependent features: passkeys, CSRF, OAuth, auth redirects, MCP discovery, snapshots, sitemap, robots.txt, and JSON-LD.

  Supports EMDASH_SITE_URL / SITE_URL environment variables for container deployments where the domain is only known at runtime.

  Disables Astro's security.checkOrigin (EmDash's own CSRF layer handles origin validation with dual-origin support and runtime siteUrl resolution). When siteUrl is set in config, also sets security.allowedDomains so Astro.url reflects the public origin in templates.

  Breaking: passkeyPublicOrigin is removed. Rename to siteUrl in your astro.config.mjs.

Patch Changes

• #182 156ba73 Thanks @masonjames! - Fixes media routes so storage keys with slashes resolve correctly.

• #422 80a895b Thanks @baezor! - Fixes SEO hydration exceeding D1 SQL variable limit on large collections by chunking the content_id IN (...) clause in SeoRepository.getMany.

• #94 da957ce Thanks @eyupcanakman! - Reject dangerous URL schemes in menu custom links

• #223 fcd8b7b Thanks @baezor! - Fixes byline hydration exceeding D1 SQL variable limit on large collections by chunking IN clauses.

• #479 8ac15a4 Thanks @ascorbic! - Enforces permission checks on content status transitions, media provider endpoints, and translation group creation.

• #250 ba2b020 Thanks @JULJERYT! - Optimize dashboard stats (3x fewer db queries)

• #340 0b108cf Thanks @mvanhorn! - Passes emailPipeline to plugin route handler context so plugins with email:send capability can send email from route handlers.

• #148 1989e8b Thanks @masonjames! - Adds public plugin settings helpers.

• #352 e190324 Thanks @barckcode! - Allows external HTTPS images in the admin UI by adding https: to the img-src CSP directive. Fixes external content images (e.g. from migration or external hosting) being blocked in the content editor.

• #72 724191c Thanks @travisbreaks! - Fix CLI login against remote Cloudflare-deployed instances by unwrapping API response envelope and adding admin scope

• #480 ed28089 Thanks @ascorbic! - Fixes admin demotion guard, OAuth consent flow, device flow token exchange, preview token scoping, and revision cleanup on permanent delete.

• #247 a293708 Thanks @NaeemHaque! - Fixes email settings page showing empty by registering the missing API route. Adds error state to the admin UI so fetch failures are visible instead of silently swallowed.

• #324 c75cc5b Thanks @barckcode! - Fixes admin editor crash when image blocks lack the asset wrapper. Image blocks with url at the top level (e.g. from CMS migrations) now render correctly instead of throwing TypeError: Cannot read properties of undefined (reading 'url').

• #353 6ebb797 Thanks @ilicfilip! - fix(core): pass field.options through to admin manifest for plugin field widgets

• #209 d421ee2 Thanks @JonahFoster! - Fixes base OG, Twitter, and article JSON-LD titles so they can use a page-specific title without including the site name suffix from the document title.

• #394 391caf4 Thanks @datienzalopez! - Fixes plugin:activate and plugin:deactivate hooks not being called when enabling or disabling a plugin via the admin UI or setPluginStatus. Previously, setPluginStatus rebuilt the hook pipeline but never invoked the lifecycle hooks. Now plugin:activate fires after the pipeline is rebuilt with the plugin included, and plugin:deactivate fires on the current pipeline before the plugin is removed.

• #357 6474dae Thanks @Vallhalen! - Fix: default adminPages and dashboardWidgets to empty arrays in manifest to prevent admin UI crash when plugins omit these properties.

• #453 30c9a96 Thanks @all3f0r1! - Fixes ctx.content.create() and ctx.content.update() so plugins can write
  to the core SEO panel. When the input data contains a reserved seo key,
  it is now extracted and routed to _emdash_seo via the SEO repository,
  matching the REST API shape. ctx.content.get() and ctx.content.list()
  also hydrate the seo field on returned items for SEO-enabled collections.

• #326 122c236 Thanks @barckcode! - Fixes WXR import not preserving original post dates or publish status. Uses wp:post_date_gmt (UTC) with fallback chain to pubDate (RFC 2822) then wp:post_date (site-local). Handles the WordPress 0000-00-00 00:00:00 sentinel for unpublished drafts. Sets published_at for published posts. Applies to both WXR file upload and plugin-based import paths.

• #371 5320321 Thanks @pejmanjohn! - Fix MCP OAuth discovery for unauthenticated POST requests.

• #338 b712ae3 Thanks @mvanhorn! - Fixes standalone wildcard "" in plugin allowedHosts so plugins declaring allowedHosts: [""] can make outbound HTTP requests to any host.

• #434 9cb5a28 Thanks @hayatosc! - Avoid accessing sessions on prerendered public routes.

• #119 e1014ef Thanks @blmyr! - Fix plugin page:metadata and page:fragments hooks not firing for anonymous public page visitors. The middleware's early-return fast-path for unauthenticated requests now initializes the runtime (skipping only the manifest query), so plugin contributions render via <EmDashHead>, <EmDashBodyStart>, and <EmDashBodyEnd> for all visitors. Also adds collectPageMetadata and collectPageFragments to the EmDashHandlers interface.

• #424 476cb3a Thanks @csfalcao! - Fixes public access to the search API (#104). The auth middleware blocked /_emdash/api/search before the handler ran, so #107's handler-level change never took effect for anonymous callers. Adds the endpoint to PUBLIC_API_EXACT so the shipped LiveSearch component works on public sites without credentials. Admin endpoints (/search/enable, /search/rebuild, /search/stats, /search/suggest) remain authenticated.

• #333 dd708b1 Thanks @mvanhorn! - Adds composite index on (deleted_at, published_at DESC, id DESC) to eliminate full table scans for frontend listing queries that order by published_at.

• #448 c92e7e6 Thanks @grexe! - fixes logo and favicon site settings not being applied to templates

• #319 2ba1f1f Thanks @ideepakchauhan7! - Fixes i18n config returning null in Vite dev SSR by reading from virtual module instead of dynamic import.

• #251 a13c4ec Thanks @yohaann196! - fix: expose client_id in device flow discovery response

• #93 a5e0603 Thanks @eyupcanakman! - Fix taxonomy links missing from admin sidebar

• Updated dependencies [0966223, 53dec88, 3b6b75b, a293708, 1a93d51, c9bf640, 87b0439, 5eeab91, e3f7db8, a5e0603]:

  • @emdash-cms/admin@0.2.0
  • @emdash-cms/auth@0.2.0
  • @emdash-cms/gutenberg-to-portable-text@0.2.0