Version Packages (rc)#668
Merged
Merged
Conversation
6b595c0 to
3771c45
Compare
3771c45 to
6bbdd83
Compare
coderdan
approved these changes
Jul 16, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.
mainis currently in pre mode so this branch has prereleases rather than normal releases. If you want to exit prereleases, runchangeset pre exitonmain.Releases
@cipherstash/stack@1.0.0-rc.2
Minor Changes
b085f66:
@cipherstash/stack/wasm-inlinenow exposesencryptQueryandencryptQueryBulkonWasmEncryptionClient(wasm-inline omits encryptQuery: no searchable encryption on Deno/edge runtimes #662) — searchable encryptionis reachable on Deno/edge runtimes. Previously the WASM entry exposed only
encrypt/decrypt/isEncrypted, so encrypted WHERE-clause search wasarchitecturally impossible on the edge even though the underlying protect-ffi
WASM build carries the capability.
The new methods mint ciphertext-free EQL v3 query terms — equality,
free-text match, ORE range, and JSON containment/selector — with the same
index-type resolution as the native client (explicit
queryType, orinference from the column's configured indexes). Cast the term to the
column's
eql_v3.query_<domain>type in SQL to reach the indexed operators.Errors throw, consistent with the WASM surface's
encrypt/decrypt; thebulk form is position-stable (
nullvalues pass through asnull).stash@1.0.0-rc.2
Patch Changes
6fcb967:
stash initnow pins the packages it installs (@cipherstash/stack, theintegration adapter, and
stashitself) to the exact versions this CLIrelease was built alongside, instead of installing bare package names that
resolve through npm dist-tags (npm dist-tags deliver broken/stale packages: adapters' latest=0.0.0, stack latest=0.19.0; stash init installs unpinned #661). During a pre-release window dist-tags
lag or point at placeholders, so an unpinned
initcould silently deliver adifferent release than the CLI driving the setup — stale
@cipherstash/stack,or an empty placeholder adapter — breaking
/v3imports out of the box. Theversions are embedded at build time from the release train itself
(
src/release-train.ts, the single source both the build and the runtimecheck against), so they can never disagree with what was published together.
Init also now surfaces version skew on already-installed packages —
unconditionally, before any prompt or early exit, including when the install
is declined or partially fails. Interactively it offers to align the skewed
packages in the same confirm as the missing installs (keeping
stasha devdependency); non-interactively it never mutates an existing install — it
warns and prints the exact align commands. A package whose manifest exists
but can't be read (an aborted install) is reported as skew, not treated as
matching. All other install guidance is pinned the same way: the
missing-package hints,
.cipherstash/context.json'sinstallCommand, theinstall-eqlmanual note, the native-module recovery hint (previouslystash@latest), and thestash wizardone-shot spawn (previously anunpinned
npx @cipherstash/wizard). Thestash-cliskill documents thebehaviour, and the other bundled skills' manual install commands now carry a
verify-what-resolved note.
d803914: Two guards for the release-train version embed (npm dist-tags deliver broken/stale packages: adapters' latest=0.0.0, stack latest=0.19.0; stash init installs unpinned #661 follow-up):
Direction-aware version skew.
stash initnow distinguishes an installedpackage that is behind this CLI release (offered alignment / the pinned
install command, as before) from one that is newer than the release expects.
A newer install no longer produces a downgrade command — init prints the exact
stashupdate command instead (release-train lockstep guarantees that versionexists), and when missing packages are about to be installed alongside newer
ones it says the pairing may not match and to update
stashfirst. Unreadableor malformed manifest versions always count as behind (a broken install should
be offered the reinstall fix, never "looks newer, leave it").
Version lockstep. The release-train packages (
stash,@cipherstash/stack,@cipherstash/stack-drizzle,@cipherstash/stack-supabase,@cipherstash/prisma-next,@cipherstash/wizard) are now a Changesetsfixedgroup: a release of any ofthem republishes all of them at the same version, so the CLI's embedded
version map can never go stale against the packages it pins (previously a
runtime-package-only release would have left the published CLI embedding —
and recommending — outdated versions). A test now asserts the fixed group
stays exactly equal to the release train.
413ca39: The legacy
@cipherstash/drizzlepackage (the@cipherstash/protect-basedDrizzle integration) is removed from the repository and the release train —
@cipherstash/protectis sunsetting at Stack 1.0, and the package's successoris
@cipherstash/stack-drizzle. Already-published versions remain installablefrom npm (deprecated, pointing here); the git history preserves the source for
any emergency maintenance. The
stash-drizzleskill and the@cipherstash/stack-drizzleREADME now state the deprecation explicitly sonobody (human or agent) installs the legacy package by mistake.
@cipherstash/prisma-next@1.0.0-rc.2
Patch Changes
@cipherstash/prisma-nextnow versions in lockstep with the Stack releasetrain (
stash,@cipherstash/stack, and the other adapters) via a Changesetsfixedgroup —stash initinstalls it pinned by exact version, so the twomust always release together. This moves the package from its previous
0.4.xline onto the shared train version; no API changes.
@cipherstash/stack-drizzle@1.0.0-rc.2
Patch Changes
@cipherstash/drizzlepackage (the@cipherstash/protect-basedDrizzle integration) is removed from the repository and the release train —
@cipherstash/protectis sunsetting at Stack 1.0, and the package's successoris
@cipherstash/stack-drizzle. Already-published versions remain installablefrom npm (deprecated, pointing here); the git history preserves the source for
any emergency maintenance. The
stash-drizzleskill and the@cipherstash/stack-drizzleREADME now state the deprecation explicitly sonobody (human or agent) installs the legacy package by mistake.
@cipherstash/stack-supabase@1.0.0-rc.2
Patch Changes
@cipherstash/wizard@1.0.0-rc.2
Patch Changes
@cipherstash/wizardnow versions in lockstep with the Stack release train(
stash,@cipherstash/stack, and the adapters) via a Changesetsfixedgroup — the
stashCLI executes the wizard by exact version, so the two mustalways release together. This moves the package from its previous
0.5.xline onto the shared train version; no API changes.
@cipherstash/e2e@0.0.3-rc.2
Patch Changes
@cipherstash/basic-example@1.2.14-rc.2
Patch Changes
@cipherstash/prisma-next-example@0.0.6-rc.2
Patch Changes
@cipherstash/bench@0.0.5-rc.2
Patch Changes
@cipherstash/test-kit@0.0.1-rc.2
Patch Changes