Ash Weekly: Issue #13
Big announcement incoming at ElixirConf EU, tons of AshJsonApi improvements, and a mitigation for an AshAuthentication confirmation link CVE.
Ash Weekly!
This is a super quick, informal update about the goings on in and around Ash Framework each week. If you find something interesting and think it should make it on this newsletter, drop a message in the #ash-weekly channel in our Discord server.
Shameless Plugs
Check out Ash Premium Support from Alembic.
Sponsor me if you like what I do.
Oops!
I got mega busy last week and didn’t get a chance to post Ash Weekly. I’m not planning on changing the weekly schedule of the newsletter, but it might happen again at some point, especially with all the conferences coming up 😁
Upcoming Conferences & Trainings
We’ve got a training coming up at GigCity Elixir, and I’ll be speaking there as well as ElixirConf EU and Goatmire later this year. I’ve also just gotten confirmation that I’ll be speaking at Scenic City Summit (also in Chattanooga) this year, delivering the first rendition (I intend to give this talk in a few different venues) of “Building On Bedrock: Elixir’s Fundamental Design Advantage”. Look forward to seeing old friends and making new ones!
ElixirConf EU announcement
We’ll be announcing something fun at ElixirConf EU! I look forward to seeing you all there and can’t wait to see what you do with our next big extension.
AshJsonApi improvements
Our new not-so-secret project being launched needs really good JsonSchema support, so our OpenApi generation has gotten *considerably* better in recent versions. More support for descriptions coming from the resource’s descriptions directly, more supported core types, stricter usage of things like `additionalProperties: false`, and cleaner generated forms of `anyOf`.
AshAuthentication Confirmation Link CVE
We had a low severity (well, technically it’s medium, but the calculation for that is not really that informative) security advisory and CVE published. It doesn’t provide a way for existing users’ data to be compromised, but there is a way for a new account to become “confirmed” despite not having access to the email that they registered with. It is not a likely occurrence, but it is possible. See the CVE for instructions on upgrading and more information: https://github.com/team-alembic/ash_authentication/security/advisories/GHSA-3988-q8q7-p787
Releases (last two weeks)
Ash: 3.5.3-3.5.6
Allow update action types to be used in `Ash.Generator.changeset_generator`
Add `:__skip__` value for telling seed generators to not generate a value for a given field.
Add tools for adding calculations to resources in `Ash.Resource.Igniter`
Support a `load` option when building changesets (`Ash.Changeset.for_*`)
More mix tasks for generating Ash custom modules
Reactor: 0.15.1-0.15.2
Set a unique `run_id` for every reactor run
Allow additional telemetry metadata to be provided via Reactor context.
Igniter: 0.5.44-0.5.46
Support installing private packages from hexpm
Spark: 2.2.49-2.2.52
Validate DSL sections at the very end, making it easier to use `Spark.Dsl.Fragment` to split up large DSL modules (i.e. `Ash.Resource`), because each section doesn’t need to be fully valid in the fragment.
Remove `eval` from `spark_dsl_config` (it was just noise)
AshGraphql: 1.7.7-1.7.8
Allow `:logger` handlers to see the original exception before we handle it
AshJsonApi: 1.4.24-1.4.28
Use bearer auth by default in open api spec, to make the defaults work well with AshAuthentication
Remove the need for `Module.concat` when defining routers
Add `before_dispatch` option to `AshJsonApi.Router`, allowing you to hook into the conn before all requests are handled. The initial use case for this was setting some Appsignal metadata about the request.
Support new verified routes behavior in phx 1.8. In Phoenix 1.8 AshJsonApi routes *automatically* show in `mix phx.routes`, and are also fully verified when using verified routes 🎉. Related Phoenix PR: https://github.com/phoenixframework/phoenix/pull/6122
Support UUIDv7, and Time types in open api specification
Preserve descriptions with “anyOf” types.
Set descriptions of attributes in the write attributes (inputs to actions etc.)
AshAuthentication: 4.6.4-4.7.6
Add `require_interaction?` option for confirmation strategies. Mitigates CVE https://github.com/team-alembic/ash_authentication/security/advisories/GHSA-3988-q8q7-p787
Generate `created_at` timestamp on the token resource when installing.
AshAuthenticationPhoenix: 2.5.2-2.6.2
Adds the UI and routes required for the `require_interaction?` option. Part of mitigation for CVE https://github.com/team-alembic/ash_authentication/security/advisories/GHSA-3988-q8q7-p787
Support tailwind4 config when installing
AshMoney: 0.2.0
Add `ex_money_opts` constraint to `AshMoney.Types.Money` to customize its behavior
AshOban: 0.4.2-0.4.5
Add `AshOban.Igniter` with tools to add triggers to resources.
Add `actor_persister` option to individual triggers, and support `:none` option to allow overriding a set default.
AshStateMachine: 0.2.9
Set the `default_initial_state` from `initial_states` when there is only one
Add an igniter installer
AshPaperTrail: 0.5.3
Support a `skip_version_when_unchanged?` in the action context, to bypass the new `only_when_changed? false` situationally.
AshPhoenix: 2.1.26-2.2.0
Add igniter installer
Allow configuring positional arguments for form code interfaces using the `forms` DSL
Add subdomain hook for LiveView