Melange v0.7.1

March 11, 2026·pthm

Melange v0.7.1 is a patch release fixing two bugs reported by community contributors, along with security dependency upgrades and testing improvements.

No breaking changes from v0.7.0. Upgrade and run melange migrate to pick up the list_accessible_subjects fix.

Bug Fixes

Fix list_accessible_subjects for TTU with Implied Parent Relations

Fixed a bug (#22) where list_accessible_subjects returned empty results for tuple-to-userset patterns with implied parent relations. For example, given a schema like:

type organization
  relations
    define member: [user]
    define can_read: member

type repository
  relations
    define org: [organization]
    define reader: [user] or can_read from org

list_accessible_subjects('repository', 'baz', 'can_read', 'user') returned no results even though users with member on the parent organization should have access. The root cause was that the parent closure optimization in list_subjects SQL generation filtered tuples using only the exact relation name (t.relation = 'can_read'), but for implied relations like can_read: member, no tuples with that relation name exist — only member tuples do. The fix expands the filter to t.relation IN ('can_read', 'member') using the satisfying relations from the analysis lookup.

check_permission and list_accessible_objects were unaffected — they already properly expanded implied relations through the closure table.
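
The filter change described above, modelled in Go over an in-memory tuple list. This is an added illustration, not Melange's generated SQL or project code; the Tuple type, the satisfying map, subjectsViaParent and the sample tuples (organization acme, users alice and bob) are constructed for the example.

```go
package main

import "fmt"

// Tuple is a simplified relationship tuple (constructed model, not Melange's table layout).
type Tuple struct{ ObjType, ObjID, Relation, SubjType, SubjID string }

// Constructed sample data matching the schema above.
var tuples = []Tuple{
	{"repository", "baz", "org", "organization", "acme"},
	{"organization", "acme", "member", "user", "alice"},
	{"organization", "acme", "member", "user", "bob"},
}

// satisfying lists, per relation, every relation that implies it (hypothetical stand-in for the analysis lookup).
var satisfying = map[string][]string{
	"organization#can_read": {"can_read", "member"},
}

// subjectsViaParent resolves "<parentRel> from <linkRel>" for one object.
// expand=false keeps the exact-name filter; expand=true filters on the satisfying relations.
func subjectsViaParent(objType, objID, linkRel, parentRel string, expand bool) []string {
	out := []string{}
	for _, link := range tuples {
		if link.ObjType != objType || link.ObjID != objID || link.Relation != linkRel {
			continue
		}
		allowed := []string{parentRel} // t.relation = 'can_read'
		if expand {
			allowed = satisfying[link.SubjType+"#"+parentRel] // t.relation IN ('can_read', 'member')
		}
		for _, t := range tuples {
			if t.ObjType != link.SubjType || t.ObjID != link.SubjID || t.SubjType != "user" {
				continue
			}
			for _, r := range allowed {
				if t.Relation == r {
					out = append(out, t.SubjID)
				}
			}
		}
	}
	return out
}

func main() {
	fmt.Println("exact filter:   ", subjectsViaParent("repository", "baz", "org", "can_read", false))
	fmt.Println("expanded filter:", subjectsViaParent("repository", "baz", "org", "can_read", true))
}
```

With the exact-name filter no organization tuple matches, so the listing is empty even though both users hold member; the expanded filter returns them.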

Thanks to @Desuuuu for reporting this with a clear reproduction case.

Fix TypeScript Client listObjects and listSubjects Pagination

Fixed two issues (#21, #23) in the TypeScript client’s list methods:

  • listObjects and listSubjects sent 0 as the p_limit parameter when no limit was specified, causing the SQL functions to return no results. Now sends NULL to disable pagination, matching the Go client behavior.
  • Pagination cursors were never returned because the client read from a non-existent cursor column instead of next_cursor.

Thanks to @Desuuuu for both reporting and fixing this.

Security

TypeScript Dev Dependency Upgrades

Upgraded vitest from v2 to v4 and added a pnpm override for rollup to resolve 5 vulnerabilities flagged by Dependabot:

  • rollup <4.59.0: arbitrary file write via path traversal (High)
  • minimatch <5: three separate ReDoS vectors (High)
  • esbuild <0.25.0: dev server request forgery (Moderate)

All were transitive dev dependencies — no runtime impact for consumers of @pthm/melange.

Testing Improvements

  • Derived list assertions — The test runner now automatically derives ListObjects and ListUsers assertions from every eligible check assertion. For each ALLOW check, it verifies the entry appears in the corresponding list result. For DENY checks, it verifies absence. This adds hundreds of implicit list function assertions across the full test suite without requiring upstream test data changes.
  • Standardized test format — Converted 7 hand-rolled Go SQL tests (intersection, exclusion, TTU patterns) to YAML test cases in the OpenFGA format, so they benefit from bulk check validation, derived list assertions, and benchmark support.
  • Colocated parser tests — Moved parsing unit tests to the pkg/parser package where they belong.

Contributors

Thanks to the contributors who made this release possible:

  • @Desuuuu — reported and fixed TypeScript list pagination (#21, #23), reported list_accessible_subjects bug (#22)

Migration Notes

From v0.7.0

No breaking changes. Upgrade and run migrations to pick up the fixed list_accessible_subjects SQL:

melange migrate

If you use the TypeScript client, upgrade to get the pagination fixes:

npm install @pthm/melange@latest

Try It Out

# Install / upgrade CLI
brew install pthm/melange/melange

# Apply migrations
melange migrate

# Go runtime
go get github.com/pthm/melange/melange@v0.7.1

# TypeScript runtime
npm install @pthm/melange

Feedback

We welcome feedback and bug reports. Please open an issue with questions or feature requests.