Skip to content

chore(deps): bump @objectstack/runtime from 10.0.0 to 11.1.0#415

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/objectstack/runtime-11.1.0
Closed

chore(deps): bump @objectstack/runtime from 10.0.0 to 11.1.0#415
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/objectstack/runtime-11.1.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 29, 2026

Copy link
Copy Markdown
Contributor

Bumps @objectstack/runtime from 10.0.0 to 11.1.0.

Release notes

Sourced from @​objectstack/runtime's releases.

@​objectstack/runtime@​11.1.0

Minor Changes

  • e011d42: Auth: per-org MFA + dispatcher/MCP gate — complete the ADR-0069 enforced-MFA story

    Two follow-ups that make enforced MFA total:

    • Per-org sys_organization.require_mfa — an org may require MFA above the global floor. computeAuthGate now treats the active org's require_mfa as an effective MFA requirement even when the global mfa_required is off; isAuthGateActive() stays cheap via a 60s-TTL "any org requires MFA" cache (lazy background refresh), so a brand-new per-org requirement activates the gate on the next request without per-request org queries.
    • Dispatcher/MCP gate — the auth-policy gate now also runs in the runtime dispatcher (after resolveExecutionContext), so MCP / GraphQL / embedded data paths enforce PASSWORD_EXPIRED / MFA_REQUIRED consistently with the REST seam (reusing the shared evaluateAuthGate allow-list). Previously only the REST surface (the Console) was gated.

    Default-off / additive. Per ADR-0049 each setting ships with its enforcement.

Patch Changes

  • 7087cfe: Remove the unused HTTP framework adapters and the MSW plugin — the open edition ships the Hono adapter only.

    The express / fastify / nextjs / nestjs / nuxt / sveltekit adapters and @objectstack/plugin-msw had zero internal consumers and were not dogfooded — pure release/maintenance surface (and an untested-integration liability). They are removed; @objectstack/hono (the adapter actually used, via @objectstack/client) is kept.

    • Deleted packages: @objectstack/express, @objectstack/fastify, @objectstack/nextjs, @objectstack/nestjs, @objectstack/nuxt, @objectstack/sveltekit, @objectstack/plugin-msw (fixed group 73 → 66).
    • @objectstack/client: dropped the plugin-msw / msw dev usage (MSW test removed).
    • HttpDispatcher (the dispatch engine) is now used only by the Hono adapter + the internal dispatcher-plugin, so its misleading @deprecated → createDispatcherPlugin note (createDispatcherPlugin is a kernel plugin, not a drop-in) is corrected.

    Anyone needing another framework adapter can build one on the public HttpDispatcher / createDispatcherPlugin API or maintain it out-of-tree.

  • 69ae136: docs: align hardening / driver docs with the Hono-only adapter surface (12.0)

    Follow-up to the adapter trim (#2391): the hardening guide's rate-limit/CORS recipes are rewritten from Fastify to Hono (the shipped adapter; the old @objectstack/fastify import was broken), CSRF guidance points at hono/csrf, and stale @objectstack/plugin-msw references are dropped from the driver-memory and driver-turso docs. README framework lists narrowed to Hono.

  • Updated dependencies [574e7a3]

  • Updated dependencies [cbc8c02]

  • Updated dependencies [18f9713]

  • Updated dependencies [7cf81a7]

  • Updated dependencies [d7a88df]

  • Updated dependencies [4f8f108]

  • Updated dependencies [ce0b4f6]

  • Updated dependencies [90bce88]

  • Updated dependencies [3209ec6]

... (truncated)

Changelog

Sourced from @​objectstack/runtime's changelog.

11.1.0

Minor Changes

  • e011d42: Auth: per-org MFA + dispatcher/MCP gate — complete the ADR-0069 enforced-MFA story

    Two follow-ups that make enforced MFA total:

    • Per-org sys_organization.require_mfa — an org may require MFA above the global floor. computeAuthGate now treats the active org's require_mfa as an effective MFA requirement even when the global mfa_required is off; isAuthGateActive() stays cheap via a 60s-TTL "any org requires MFA" cache (lazy background refresh), so a brand-new per-org requirement activates the gate on the next request without per-request org queries.
    • Dispatcher/MCP gate — the auth-policy gate now also runs in the runtime dispatcher (after resolveExecutionContext), so MCP / GraphQL / embedded data paths enforce PASSWORD_EXPIRED / MFA_REQUIRED consistently with the REST seam (reusing the shared evaluateAuthGate allow-list). Previously only the REST surface (the Console) was gated.

    Default-off / additive. Per ADR-0049 each setting ships with its enforcement.

Patch Changes

  • 7087cfe: Remove the unused HTTP framework adapters and the MSW plugin — the open edition ships the Hono adapter only.

    The express / fastify / nextjs / nestjs / nuxt / sveltekit adapters and @objectstack/plugin-msw had zero internal consumers and were not dogfooded — pure release/maintenance surface (and an untested-integration liability). They are removed; @objectstack/hono (the adapter actually used, via @objectstack/client) is kept.

    • Deleted packages: @objectstack/express, @objectstack/fastify, @objectstack/nextjs, @objectstack/nestjs, @objectstack/nuxt, @objectstack/sveltekit, @objectstack/plugin-msw (fixed group 73 → 66).
    • @objectstack/client: dropped the plugin-msw / msw dev usage (MSW test removed).
    • HttpDispatcher (the dispatch engine) is now used only by the Hono adapter + the internal dispatcher-plugin, so its misleading @deprecated → createDispatcherPlugin note (createDispatcherPlugin is a kernel plugin, not a drop-in) is corrected.

    Anyone needing another framework adapter can build one on the public HttpDispatcher / createDispatcherPlugin API or maintain it out-of-tree.

  • 69ae136: docs: align hardening / driver docs with the Hono-only adapter surface (12.0)

    Follow-up to the adapter trim (#2391): the hardening guide's rate-limit/CORS recipes are rewritten from Fastify to Hono (the shipped adapter; the old @objectstack/fastify import was broken), CSRF guidance points at hono/csrf, and stale @objectstack/plugin-msw references are dropped from the driver-memory and driver-turso docs. README framework lists narrowed to Hono.

  • Updated dependencies [574e7a3]

  • Updated dependencies [cbc8c02]

  • Updated dependencies [18f9713]

  • Updated dependencies [7cf81a7]

  • Updated dependencies [d7a88df]

  • Updated dependencies [4f8f108]

  • Updated dependencies [ce0b4f6]

  • Updated dependencies [90bce88]

... (truncated)

Commits
  • 89e80b4 chore: version packages
  • e011d42 feat(auth): per-org MFA + dispatcher/MCP gate (ADR-0069 D3) (#2395)
  • 69ae136 docs: align hardening + driver docs with Hono-only adapters (#2392, 12.0) (#2...
  • 7087cfe chore!: remove unused HTTP adapters (keep Hono only) + MSW plugin (12.0) (#2391)
  • fdb41c0 feat(types)!: remove ObjectStack's own legacy env-var aliases (11.0, #2379) (...
  • 80fe2ef chore: version packages (#2382)
  • c715d25 chore(license): unify framework repo to single Apache-2.0 (#2353)
  • 795b6d1 refactor: single-source the multi-org (OS_MULTI_ORG_ENABLED) flag (#2350)
  • aa33b02 fix(security): single-source the request authorization resolver (REST dropped...
  • 6ad6bf6 fix(runtime): accept integer ai_access (Turso) in the AI-seat synthesis (#2336)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [@objectstack/runtime](https://github.com/objectstack-ai/framework/tree/HEAD/packages/runtime) from 10.0.0 to 11.1.0.
- [Release notes](https://github.com/objectstack-ai/framework/releases)
- [Changelog](https://github.com/objectstack-ai/framework/blob/main/packages/runtime/CHANGELOG.md)
- [Commits](https://github.com/objectstack-ai/framework/commits/@objectstack/runtime@11.1.0/packages/runtime)

---
updated-dependencies:
- dependency-name: "@objectstack/runtime"
  dependency-version: 11.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github

dependabot Bot commented on behalf of github Jun 29, 2026

Copy link
Copy Markdown
Contributor Author

Labels

The following labels could not be found: automated. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot @github

dependabot Bot commented on behalf of github Jun 29, 2026

Copy link
Copy Markdown
Contributor Author

Looks like @objectstack/runtime is up-to-date now, so this is no longer needed.

@dependabot dependabot Bot closed this Jun 29, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/objectstack/runtime-11.1.0 branch June 29, 2026 15:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants