Skip to content

Bump @adaptivestone/framework from 5.1.0 to 5.1.2#10

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/adaptivestone/framework-5.1.2
Open

Bump @adaptivestone/framework from 5.1.0 to 5.1.2#10
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/adaptivestone/framework-5.1.2

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 11, 2026

Copy link
Copy Markdown
Contributor

Bumps @adaptivestone/framework from 5.1.0 to 5.1.2.

Release notes

Sourced from @​adaptivestone/framework's releases.

5.1.2

Patch release — a types-only codegen fix. No runtime behavior changes.

Fixed

  • Route-type codegen no longer emits an empty middleware chain for differently-named sibling param routes. When two routes on one controller sat at the same tree depth with different param names (e.g. PUT /:slug and POST /:event), the generated *.routes.gen.ts gave the second sibling an empty UnionAppInfoProvides<readonly []> — dropping req.appInfo.user and other middleware-provided fields from its request type, even though the route runs the full middleware chain at runtime. Every sibling now gets its correct chain. Runtime routing, req.params, and middleware execution were already correct and are unchanged.

Full notes in CHANGELOG.md.

5.1.1

Mongoose validation safety net no longer echoes submitted input.

Changelog

Sourced from @​adaptivestone/framework's changelog.

[5.1.2] - Unreleased

Fixed

  • Route-type codegen emitted an empty middleware chain for sibling param routes with different names. When two routes on the same controller sat at the same position in the route tree but used param segments with different names (e.g. PUT /:slug and POST /:event), the generated *.routes.gen.ts gave the sibling whose param name was not registered first an empty UnionAppInfoProvides<readonly []> — dropping req.appInfo.user (and every other middleware-provided field) from its request type, even though that route runs the controller's full middleware chain at runtime. Root cause: the router keeps a single param child per tree node, so same-depth param siblings collapse onto one node named after the first-registered segment (:slug); flatten() then reconstructs every sibling's path with that name, while codegen looked each route's chain up by its own source path (:event) and missed. The middleware-chain lookup is now param-name-insensitive (segment names never affect which node a path resolves to), so all siblings resolve their real chain. Types-only fix — runtime routing, req.params extraction, and middleware execution are unchanged (they were already correct; only the generated types were wrong).

[5.1.1] - 2026-07-05

Security

  • Mongoose validation safety net no longer echoes submitted input. The safety net (added in 5.1.0) mapped an escaped Mongoose ValidationError to 400 { errors: { <path>: message } } using the raw Mongoose message. Those default templates interpolate the rejected value (Path \title` (`<the whole 300-char submission>`) is longer than …, Cast to Number failed for value "" …), so the offending input — a phone number, a password pasted into the wrong field, any oversized string — rode into both the 400response body and thewarn-level log (and thus Sentry). Each per-path message is now **rebuilt from the validation kind + the schema constraint only** (maxlength: 255→ "Must be at most 255 characters", aNumbercast failure → "Must be a number", anenumviolation → "Must be one of: …"), and the submitted value is never included, under any kind. Thewarn-level log line for a safety-net-handled error is sanitized the same way — the logged error is rebuilt with those kind-based messages and a fresh, input-free stack — while an error that stays a **500** (internal/renamed paths, or no registry match) still logs the original in full, since that branch is a server-side defect the developer needs complete detail on. This matches the YupDriver, which already strips value/originalValue from route-validation errors. Messages are plain English, not i18n (the route validator owns user-facing wording; this is a last-resort fallback for a route schema that failed to mirror a model constraint). **Trade-off:** a model-defined *custom* message (maxlength: [50, 'Name too long']) is indistinguishable from a templated default that embedded the value, so **all** messages are rebuilt generically — a custom message set on the model is not passed through the safety net. Set user-facing wording on the route request:/query:schema instead. The400/500split, the "client actually sent this field" gate, the log levels, and the{ errors: { path } }` response shape are unchanged.
Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [@adaptivestone/framework](https://github.com/adaptivestone/framework) from 5.1.0 to 5.1.2.
- [Release notes](https://github.com/adaptivestone/framework/releases)
- [Changelog](https://github.com/adaptivestone/framework/blob/main/CHANGELOG.md)
- [Commits](adaptivestone/framework@5.1.0...5.1.2)

---
updated-dependencies:
- dependency-name: "@adaptivestone/framework"
  dependency-version: 5.1.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 11, 2026
@github-code-quality

Copy link
Copy Markdown

Code Coverage Overview

Languages: TypeScript

TypeScript / code-coverage/node-test

The overall coverage remains at 96%, unchanged from the branch.


Code Coverage is in Public Preview. Learn more and provide us with your feedback.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants