Skip to content

chore: release package#2323

Merged
bokelley merged 2 commits into
mainfrom
changeset-release/main
Jul 6, 2026
Merged

chore: release package#2323
bokelley merged 2 commits into
mainfrom
changeset-release/main

Conversation

@github-actions

@github-actions github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

@adcp/sdk@10.0.0

Major Changes

  • fc18b40: Security: webhook emitter is SSRF-safe by default, and createTenantStore gains an opt-in resolve isolation gate.

    Breaking — webhook delivery default. createWebhookEmitter / createAdcpServer({ webhooks }) now default their HTTP client to createPinAndBindFetch() instead of globalThis.fetch. This defeats DNS-rebinding / SSRF against the buyer-supplied push_notification_config.url (https-only; loopback, private, and cloud-metadata ranges denied). In-process harnesses that deliver to a loopback http://127.0.0.1 receiver must now opt in explicitly:

    import { createPinAndBindFetch, LOOPBACK_OK_WEBHOOK_SSRF_POLICY } from '@adcp/sdk/server';
    
    createAdcpServer({
      webhooks: { signerKey, fetch: createPinAndBindFetch({ policy: LOOPBACK_OK_WEBHOOK_SSRF_POLICY }) },
    });

    Passing fetch: globalThis.fetch restores the previous unguarded behavior (only do so behind your own URL validation).

    createTenantStorerefAccess gate on resolve. Added refAccess?: 'ref-routed' | 'auth-scoped' (default 'ref-routed', non-breaking). 'ref-routed' preserves the agency-hub model where one credential may resolve any tenant's account by ref. 'auth-scoped' makes accounts.resolve fail closed when a buyer-supplied ref points at a tenant other than the authenticated principal's — closing a cross-tenant read/mutate path for non-trusted-buyer deployments. Corrected the createTenantStore / account.ts docs, which previously implied resolve was always an isolation gate; it is not unless refAccess: 'auth-scoped' is set or a resolve-presets guard is composed.

Minor Changes

  • 68ce3f4: Regenerate the bundled AdCP registry OpenAPI spec and generated TypeScript types from the latest hosted registry schema.

    This adds typed registry feed event payloads plus catalog browse/sync response types to the public registry type exports.

@adcp/eslint-plugin@0.1.4

Patch Changes

  • Updated dependencies [fc18b40]
  • Updated dependencies [68ce3f4]
    • @adcp/sdk@10.0.0

@github-actions github-actions Bot force-pushed the changeset-release/main branch from ae8d2b9 to 8aa979c Compare July 6, 2026 06:33
bokelley
bokelley previously approved these changes Jul 6, 2026

@bokelley bokelley left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Release PR generated by changesets after #2324; checks passed.

@bokelley bokelley enabled auto-merge (squash) July 6, 2026 06:37

@bokelley bokelley left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Generated registry output refreshed for release CI drift.

@aao-ipr-bot aao-ipr-bot Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Standard changesets release PR — approving on version coherence plus a justified major bump. This is right because the version field is changeset-owned, not hand-edited, and the calc lands exactly where the major changeset says it should.

Things I checked

  • package.json 9.7.0 → 10.0.0 is driven by the major changeset (tidy-webhooks-tenant-isolation.md — webhook default flips to createPinAndBindFetch()), not a manual edit. Not a MUST FIX #6.
  • No version skip: npm is at 9.7.0, one major changeset → 10.0.0.
  • Version constants agree everywhere — package.json, package-lock.json (both root entries), and src/lib/version.ts (LIBRARY_VERSION + VERSION_INFO.library) all read 10.0.0. ADCP_VERSION correctly left at 3.1.1 (independent of library version).
  • Workspace deps bumped in lockstep: client-shim ^9.7.0^10.0.0, eslint-plugin dep ^9.0.0^10.0.0, eslint-plugin itself 0.1.3 → 0.1.4 (patch, dependency-only).
  • CHANGELOG entry matches the two consumed changesets (major security/breaking + minor registry regen); both .changeset/*.md files correctly deleted.
  • Second commit (sync release registry types) only reorders the BrandEventPayload block earlier in registry.yaml and src/lib/registry/types.generated.ts — same fields, same shape, no wire change.

Minor nits (non-blocking)

  1. Regen reorder rode in on the release PR. The BrandEventPayload move is a pure codegen ordering artifact committed directly onto the release branch rather than through its own changeset — harmless since it's already covered by the 68ce3f4 minor entry, but notable that a hand-pushed commit landed on an automated release PR.

LGTM.

@bokelley bokelley merged commit 9ec5285 into main Jul 6, 2026
31 checks passed
@bokelley bokelley deleted the changeset-release/main branch July 6, 2026 06:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant