
chore(deps): bump @objectstack/service-automation from 10.0.0 to 11.1.0 #412

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/objectstack/service-automation-11.1.0

dependabot Bot commented on behalf of github Jun 29, 2026

Bumps @objectstack/service-automation from 10.0.0 to 11.1.0.

Release notes

Sourced from @​objectstack/service-automation's releases.

@​objectstack/service-automation@​11.1.0

Patch Changes

  • Updated dependencies [ce0b4f6]
  • Updated dependencies [9ccfcd6]
  • Updated dependencies [ecf193f]
  • Updated dependencies [51bec81]
  • Updated dependencies [3e593a7]
  • Updated dependencies [63d5403]
    • @​objectstack/core@​11.1.0
    • @​objectstack/spec@​11.1.0
    • @​objectstack/formula@​11.1.0

@​objectstack/service-automation@​11.0.0

Major Changes

  • 82ff91c: Remove the deprecated http_request / http_call / webhook flow-node aliases — author http (ADR-0018 M3).

    ADR-0018 M3 collapsed the divergent outbound-callout verbs onto the canonical http node and kept the old names as deprecated aliases for back-compat. This removes those aliases (the 11.0 cleanup):

    • http_request is dropped from FlowNodeAction (and therefore FLOW_BUILTIN_NODE_TYPES); authoring it now fails fast at parse instead of resolving to http.
    • AutomationEngine no longer registers the http_request / http_call / webhook node aliases; only http is registered.
    • The flow-builder palette offers http.

    Breaking. Flows / workflow rules / approval actions that still use the old node type must switch to type: 'http' (behavior is identical — durable outbox when config.durable, inline fetch otherwise). The trigger eventType: 'webhook' and the webhook resume event are unaffected — only the HTTP node aliases are removed. First-party examples (showcase, app-crm) are migrated.

Minor Changes

  • 6c4fbd9: fix(security): enforce flow runAs execution identity (#1888)

    The service-automation engine now honors flow.runAs instead of ignoring it. Previously the CRUD nodes passed no identity to ObjectQL, so the security middleware was skipped entirely — every flow ran effectively elevated regardless of runAs. A runAs:'user' flow did not de-elevate (a privilege-boundary surprise), and runAs:'system' did not explicitly elevate.

    The engine now establishes the run's data-layer identity at setup and restores the caller's context afterward:

    • runAs:'system' → an elevated, RLS-bypassing system principal ({ isSystem: true }): the run can read/write records the triggering user

... (truncated)

Changelog

Sourced from @​objectstack/service-automation's changelog.

11.1.0

Patch Changes

  • Updated dependencies [ce0b4f6]
  • Updated dependencies [9ccfcd6]
  • Updated dependencies [ecf193f]
  • Updated dependencies [51bec81]
  • Updated dependencies [3e593a7]
  • Updated dependencies [63d5403]
    • @​objectstack/core@​11.1.0
    • @​objectstack/spec@​11.1.0
    • @​objectstack/formula@​11.1.0

11.0.0

Major Changes

  • 82ff91c: Remove the deprecated http_request / http_call / webhook flow-node aliases — author http (ADR-0018 M3).

    ADR-0018 M3 collapsed the divergent outbound-callout verbs onto the canonical http node and kept the old names as deprecated aliases for back-compat. This removes those aliases (the 11.0 cleanup):

    • http_request is dropped from FlowNodeAction (and therefore FLOW_BUILTIN_NODE_TYPES); authoring it now fails fast at parse instead of resolving to http.
    • AutomationEngine no longer registers the http_request / http_call / webhook node aliases; only http is registered.
    • The flow-builder palette offers http.

    Breaking. Flows / workflow rules / approval actions that still use the old node type must switch to type: 'http' (behavior is identical — durable outbox when config.durable, inline fetch otherwise). The trigger eventType: 'webhook' and the webhook resume event are unaffected — only the HTTP node aliases are removed. First-party examples (showcase, app-crm) are migrated.

Minor Changes

  • 6c4fbd9: fix(security): enforce flow runAs execution identity (#1888)

    The service-automation engine now honors flow.runAs instead of ignoring it. Previously the CRUD nodes passed no identity to ObjectQL, so the security middleware was skipped entirely — every flow ran effectively elevated regardless of runAs. A runAs:'user' flow did not de-elevate (a privilege-boundary surprise), and runAs:'system' did not explicitly elevate.

    The engine now establishes the run's data-layer identity at setup and restores the caller's context afterward:

... (truncated)

Commits
  • 89e80b4 chore: version packages
  • 80fe2ef chore: version packages (#2382)
  • 82ff91c feat(automation)!: remove deprecated http_request/http_call/webhook flow-node...
  • c715d25 chore(license): unify framework repo to single Apache-2.0 (#2353)
  • 4b5ec6e fix(automation): re-bind scheduled-flow jobs on os dev hot-reload (#2313)
  • ad143ce fix(security): surface schedule/user-less flow runAs fail-open (#1888 follow-...
  • 6c4fbd9 fix(security): enforce flow runAs execution identity (#1888) (#2302)
  • b6a4972 fix(automation): honor the assignments wrapper shape on assignment nodes (#2250)
  • 23c0f9a chore: version packages (#2245)
  • f941058 chore: version packages (#2218)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [@objectstack/service-automation](https://github.com/objectstack-ai/framework/tree/HEAD/packages/services/service-automation) from 10.0.0 to 11.1.0.
- [Release notes](https://github.com/objectstack-ai/framework/releases)
- [Changelog](https://github.com/objectstack-ai/framework/blob/main/packages/services/service-automation/CHANGELOG.md)
- [Commits](https://github.com/objectstack-ai/framework/commits/@objectstack/service-automation@11.1.0/packages/services/service-automation)

---
updated-dependencies:
- dependency-name: "@objectstack/service-automation"
  dependency-version: 11.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
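
The 11.0.0 notes above name two things to check before taking this bump: the removed `http_request` / `http_call` / `webhook` node aliases and the now-enforced `flow.runAs`. The following is an added example (not code from the package or from this PR) that audits flow definitions for both; the flow object shape, `auditFlow`, `migrateFlow` and the sample flows are assumptions made for illustration.

```javascript
// Added example, not code from @objectstack/service-automation.
// Assumed flow shape: { name, runAs, trigger, nodes: [{ id, type, config }] }.
const REMOVED_ALIASES = new Set(['http_request', 'http_call', 'webhook']);

// Report what changes for one flow when moving from 10.0.0 to 11.x.
function auditFlow(flow) {
  const findings = [];
  const add = (where, kind, detail) => findings.push({ flow: flow.name, where, kind, detail });
  for (const node of flow.nodes ?? []) {
    // Only node types are checked; trigger eventType 'webhook' is unaffected.
    if (REMOVED_ALIASES.has(node.type)) {
      add(node.id, 'removed-alias', `type '${node.type}' fails at parse in 11.0.0; use 'http'`);
    }
  }
  if (flow.runAs === 'user') {
    add('runAs', 'runas-now-enforced', 'no longer runs elevated; re-test record access');
  } else if (flow.runAs === 'system') {
    add('runAs', 'runas-system', 'elevated system principal; confirm this is intended');
  } else {
    add('runAs', 'runas-unset', 'runAs not declared; check the effective identity');
  }
  return findings;
}

// Return a copy with removed aliases rewritten to 'http'; config and trigger are kept.
function migrateFlow(flow) {
  const nodes = (flow.nodes ?? []).map((node) =>
    REMOVED_ALIASES.has(node.type) ? { ...node, type: 'http' } : node);
  return { ...flow, nodes };
}

// Constructed sample flows (not taken from the project).
const SAMPLE_FLOWS = [
  { name: 'notify-crm', runAs: 'user', trigger: { eventType: 'webhook' },
    nodes: [{ id: 'n1', type: 'http_request', config: { durable: true } },
            { id: 'n2', type: 'http', config: {} }] },
  { name: 'export-leads', runAs: 'system',
    nodes: [{ id: 'n1', type: 'webhook', config: {} }] },
  { name: 'legacy-ping', nodes: [{ id: 'n1', type: 'http_call', config: {} }] },
];

for (const flow of SAMPLE_FLOWS) {
  for (const f of auditFlow(flow)) {
    console.log(`${f.flow} [${f.where}] ${f.kind}: ${f.detail}`);
  }
}
```
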

dependabot Bot commented on behalf of github Jun 29, 2026


Labels

The following labels could not be found: automated. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.


dependabot Bot commented on behalf of github Jun 29, 2026


Looks like @objectstack/service-automation is up-to-date now, so this is no longer needed.

dependabot Bot closed this Jun 29, 2026
dependabot Bot deleted the dependabot/npm_and_yarn/objectstack/service-automation-11.1.0 branch June 29, 2026 15:18