apostrophe - npm Package Versions

alexbea
published 3.6.0 •

3.6.0 - 2021-10-13

Adds

  • The context-editing apostrophe admin UI bus event can now take a boolean parameter, explicitly indicating whether the user is actively typing or performing a similar active manipulation of controls right now. If a boolean parameter is not passed, the existing 1100-millisecond debounced timeout is used.
  • Adds 'no-search' modifier to relationship fields as a UI simplification option.
  • Fields can now have their own modifiers array. This is combined with the schema modifiers, allowing for finer grained control of field rendering.
  • Adds a Slovak localization file. Activate the sk locale to use this. Many thanks to Michael Huna for the contribution.
  • Adds a Spanish localization file. Activate the es locale to use this. Many thanks to Eugenio Gonzalez for the contribution.
  • Adds a Brazilian Portuguese localization file. Activate the pt-BR locale to use this. Many thanks to Pietro Rutzen for the contribution.

Fixes

  • Fixed missing translation for "New Piece" option on the "more" menu of the piece manager, seen when using it as a chooser.
  • Piece types with relationships to multiple other piece types may now be configured in any order, relative to the other piece types. This sometimes appeared to be a bug in reverse relationships.
  • Code at the project level now overrides code found in modules that use improve for the same module name. For example, options set by the @apostrophecms/seo-global improvement that ships with @apostrophecms/seo can now be overridden at project level by /modules/@apostrophecms/global/index.js in the way one would expect.
  • Array input component edit button label is now properly localized.
  • A memory leak on each request has been fixed, and performance improved, by avoiding the use of new Nunjucks environments for each request. Thanks to Miro Yovchev for pointing out the leak.
  • Fragments now have access to __t(), getOptions and other features passed to regular templates.
  • Fixes field group cascade merging, using the original group label if none is given in the new field group configuration.
  • If a field is conditional (using an if option), is required, but the condition has not been met, it no longer throws a validation error.
  • Passing busy: true to apos.http.post and related methods no longer produces an error if invoked when logged out. Note, however, that there will likely never be a UI for this when logged out, so indicate busy state in your own way.
  • Bugs in document modification detection have been fixed. These bugs caused edge cases where modifications were not detected and the "Update" button did not appear, and could cause false positives as well.

Changes

  • No longer logs a warning about no users if testModule is true on the app.

boutell
published 3.5.0 •

3.5.0 - 2021-09-23

  • Pinned dependency on vue-material-design-icons to fix apos-build.js build error in production.
  • The file size of uploaded media is visible again when selected in the editor, and media information such as upload date, dimensions and file size is now properly localized.
  • Fixes moog error messages to reflect the recommended pattern of customization functions only taking self as an argument.
  • Rich Text widgets now instantiate with a valid element from the styles option rather than always starting with an unclassed <p> tag.
  • Since version 3.2.0, apostrophe modules to be loaded via npm must appear as explicit npm dependencies of the project. This is a necessary security and stability improvement, but it was slightly too strict. Starting with this release, if the project has no package.json in its root directory, the package.json in the closest ancestor directory is consulted.
  • Fixes a bug where having no project modules directory would throw an error. This is primarily a concern for module unit tests where there are no additional modules involved.
  • css-loader now ignores url() in css files inside assets so that paths are left intact, i.e. url(/images/file.svg) will now find a static file at /public/images/file.svg (static assets in /public are served by express.static). Thanks to Matic Tersek.
  • Restored support for clicking on a "foreign" area, i.e. an area displayed on the page whose content comes from a piece, in order to edit it in an appropriate way.
  • Apostrophe module aliases and the data attached to them are now visible immediately to ui/src/index.js JavaScript code, i.e. you can write apos.alias where alias matches the alias option configured for that module. Previously one had to write apos.modules['module-name'] or wait until next tick. However, note that most modules do not push any data to the browser when a user is not logged in. You can do so in a custom module by calling self.enableBrowserData('public') from init and implementing or extending the getBrowserData(req) method (note that page, piece and widget types already have one, so it is important to extend in those cases).
  • options.testModule works properly when implementing unit tests for an npm module that is namespaced.

Changes

  • Cascade grouping (e.g., grouping fields) will now concatenate a group's field name array with the field name array of an existing group of the same name. Put simply, if a new piece module adds its custom fields to a basics group, those fields will be added to the default basics group fields. Previously the new group would have replaced the old, leaving inherited fields in the "Ungrouped" section.
  • AposButton's block modifier is now less login-specific.

Adds

  • Rich Text widget's styles support a def property for specifying the default style the editor should instantiate with.
  • A more helpful error message if a field of type area is missing its options property.

boutell
published 3.4.1 •

3.4.1 - 2021-09-13

No changes. Publishing to correctly mark the latest 3.x release as "latest" in npm.

boutell
published 2.220.6 •

boutell
published 3.4.0 •

3.4.0 - 2021-09-13

Security

  • Changing a user's password or marking their account as disabled now immediately terminates any active sessions or bearer tokens for that user. Thanks to Daniel Elkabes for pointing out the issue. To ensure all sessions have the necessary data for this, all users logged in via sessions at the time of this upgrade will need to log in again.
  • Users with permission to upload SVG files were previously able to do so even if they contained XSS attacks. In Apostrophe 3.x, the general public so far never has access to upload SVG files, so the risk is minor but could be used to phish access from an admin user by encouraging them to upload a specially crafted SVG file. While Apostrophe typically displays SVG files using the img tag, which ignores XSS vectors, an XSS attack might still be possible if the image were opened directly via the Apostrophe media library's convenience link for doing so. All SVG uploads are now sanitized via DOMPurify to remove XSS attack vectors. In addition, all existing SVG attachments not already validated are passed through DOMPurify during a one-time migration.

Fixes

  • The apos.attachment.each method, intended for migrations, now respects its criteria argument. This was necessary to the above security fix.
  • Removes a lodash wrapper around @apostrophecms/express bodyParser.json options that prevented adding custom options to the body parser.
  • Uses req.clone consistently when creating a new req object with a different mode or locale for localization purposes, etc.
  • Fixes bug in the "select all" relationship chooser UI where it selected unpublished items.
  • Fixes bug in "next" and "previous" query builders.
  • Cutting and pasting widgets now works between locales that do not share a hostname, provided that you switch locales after cutting (it does not work between tabs that are already open on separate hostnames).
  • The req.session object now exists in task req objects, for better compatibility. It has no actual persistence.
  • Unlocalized piece types, such as users, may now be selected as part of a relationship when browsing.
  • Unpublished localized piece types may not be selected via the autocomplete feature of the relationship input field, which formerly ignored this requirement, although the browse button enforced it.
  • The server-side JavaScript and REST APIs to delete pieces now work properly for pieces that are not subject to either localization or draft/published workflow at all (the localize: false option). UI for this is under discussion; this is just a bug fix for the back end feature which already existed.
  • Starting in version 3.3.1, a newly added image widget did not display its image until the page was refreshed. This has been fixed.
  • A bug that prevented Undo operations from working properly and resulted in duplicate widget _id properties has been fixed.
  • A bug that caused problems for Undo operations in nested widgets, i.e. layout or multicolumn widgets, has been fixed.
  • Duplicate widget _id properties within the same document are now prevented on the server side at save time.
  • Existing duplicate widget _id properties are corrected by a one-time migration.

Adds

  • Adds a linter to warn in dev mode when a module name includes a period.
  • Lints module names for apostrophe- prefixes even if they don't have a module directory (e.g., only in app.js).
  • Starts all warnDev messages with a line break and warning symbol (⚠️) to stand out in the console.
  • apos.util.onReady aliases apos.util.onReadyAndRefresh for brevity. The apos.util.onReadyAndRefresh method name will be deprecated in the next major version.
  • Adds a developer setting that applies a margin between parent and child areas, allowing developers to change the default spacing in nested areas.

Changes

  • Removes the temporary trace method from the @apostrophecms/db module.
  • Beginning with this release, the apostrophe:modulesReady event has been renamed apostrophe:modulesRegistered, and the apostrophe:afterInit event has been renamed apostrophe:ready. This better reflects their actual roles. The old event names are accepted for backwards compatibility. See the documentation for more information.
  • Only autofocuses rich text editors when they are empty.
  • Nested areas now have a vertical margin applied when editing, allowing easier access to the parent area's controls.

boutell
published 3.3.1 •

3.3.1 - 2021-09-01

Fixes

  • In some situations it was possible for a relationship with just one selected document to list that document several times in the returned result, resulting in very large responses.
  • Permissions roles UI localized correctly.
  • Do not crash on startup if users have a relationship to another type. This was caused by the code that checks whether any users exist to present a warning to developers. That code was running too early for relationships to work due to event timing issues.

boutell
published 2.220.5 •

boutell
published 3.3.0 •

3.3.0 - 2021-08-30

Fixes

  • Addresses the page jump when using the in-context undo/redo feature. The page will immediately return users to their origin scroll position after the content refreshes.
  • Resolves slug-related bug when switching between images in the archived view of the media manager. The slug field was not taking into account the double slug prefix case.
  • Fixes migration task crash when parking new page. Thanks to Miro Yovchev for this fix.
  • Fixes incorrect month name in AposCellDate, which can be optionally used in manage views of pieces. Thanks to Miro Yovchev for this fix.

Adds

  • This version achieves localization (l10n) through a rich set of internationalization (i18n) features. For more information, see the documentation.
  • There is support for both static string localization and dynamic content localization.
  • The home page, other parked pages, and the global document are automatically replicated to all configured locales at startup. Parked properties are refreshed if needed. Other pages and pieces are replicated if and when an editor chooses to do so.
  • An API route has been added for voluntary replication, i.e. when deciding a document should exist in a second locale, or desiring to overwrite the current draft contents in locale B with the draft contents of locale A.
  • Locales can specify prefix and hostname options, which are automatically recognized by middleware that removes the prefix dynamically where appropriate and sets req.locale. In 3.x this works more like the global site prefix option. This is a departure from 2.x which stored the prefix directly in the slug, creating maintenance issues.
  • Locales are stateless: they are never recorded in the session. This eliminates many avenues for bugs and bad SEO. However, this also means the developer must fully distinguish them from the beginning via either prefix or hostname. A helpful error message is displayed if this is not the case.
  • Switching locales preserves the user's editing session even if on separate hostnames. To enable this, if any locales have hostnames, all configured locales must have hostnames and/or baseUrl must be set for those that don't.
  • An API route has been added to discover the locales in which a document exists. This provides basic information only for performance (it does not report title or _url).
  • Editors can "localize" documents, copying draft content from one locale to another to create a corresponding document in a different locale. For convenience related documents, such as images and other pieces directly referenced by the document's structure, can be localized at the same time. Developers can opt out of this mechanism for a piece type entirely, check the box by default for that type, or leave it as an "opt-in" choice.
  • The @apostrophecms/i18n module now uses i18next to implement static localization. All phrases in the Vue-based admin UI are passed through i18next via this.$t, and i18next is also available via req.t() in routes and __t() in templates. Apostrophe's own admin UI phrases are in the apostrophe namespace for a clean separation. An array of locale codes, such as en or fr or en-au, can be specified using the locales option to the @apostrophecms/i18n module. The first locale is the default, unless the defaultLocale option is set. If no locales are set, the locale defaults to en. The i18next-http-middleware locale guesser is installed and will select an available locale if possible, otherwise it will fall back to the default.
  • In the admin UI, v-tooltip has been extended as v-apos-tooltip, which passes phrases through i18next.
  • Developers can link to alternate locales by iterating over data.localizations in any page template. Each element always has locale, label and homePageUrl properties. Each element also has an available property (if true, the current context document is available in that locale), title and a small number of other document properties are populated, and _url redirects to the context document in that locale. The current locale is marked with current: true.
  • To facilitate adding interpolated values to phrases that are passed as a single value through many layers of code, the this.$t helper provided in Vue also accepts an object argument with a key property. Additional properties may be used for interpolation.
  • i18next localization JSON files can be added to the i18n subdirectory of any module, as long as its i18n option is set. The i18n object may specify ns to give an i18next namespace, otherwise phrases are in the default namespace, used when no namespace is specified with a : in an i18next call. The default namespace is yours for use at project level. Multiple modules may contribute to the same namespace.
  • If APOS_DEBUG_I18N=1 is set in the environment, the i18next debug flag is activated. For server-side translations, i.e. req.t() and __t(), debugging output will appear on the server console. For browser-side translations in the Vue admin UI, debugging output will appear in the browser console.
  • If APOS_SHOW_I18N=1 is set in the environment, all phrases passed through i18next are visually marked, to make it easier to find those that didn't go through i18next. This does not mean translations actually exist in the JSON files. For that, review the output of APOS_DEBUG_I18N=1.
  • There is a locale switcher for editors.
  • There is a backend route to accept a new locale on switch.
  • A req.clone(properties) method is now available. This creates a clone of the req object, optionally passing in an object of properties to be set. The use of req.clone ensures the new object supports req.get and other methods of a true req object. This technique is mainly used to obtain a new request object with the same privileges but a different mode or locale, i.e. mode: 'published'.
  • Fallback wrappers are provided for the req.__(), res.__() and __() localization helpers, which were never official or documented in 3.x but may be in use in projects ported from 2.x. These wrappers do not localize but do output the input they are given along with a developer warning. You should migrate them to use req.t() (in server-side JavaScript) or __t() (Nunjucks templates).

Changes

  • Bolsters the CSS that backs Apostrophe UI's typography to help prevent unintended style leaks at project-level code.
  • Removes the 2.x series changelog entries. They can be found in the 2.0 branch in GitHub.

alexbea
published 3.2.0 •

3.2.0 - 2021-08-13

Fixes

  • req.hostname now works as expected when trustProxy: true is passed to the @apostrophecms/express module.
  • Apostrophe loads modules from npm if they exist there and are configured in the modules section of app.js. This was always intended only as a way to load direct, intentional dependencies of your project. However, since npm "flattens" the dependency tree, dependencies of dependencies that happen to have the same name as a project-level Apostrophe module could be loaded by default, crashing the site or causing unexpected behavior. So beginning with this release, Apostrophe scans package.json to verify an npm module is actually a dependency of the project itself before attempting to load it as an Apostrophe module.
  • Fixes the reference to sanitize-html defaults in the rich text widget.
  • Fixes the toolbarToAllowedStyles method in the rich text widget, which was not returning any configuration.
  • Fixes the broken text alignment in rich text widgets.
  • Adds a missing npm dependency on chokidar, which Apostrophe and Nunjucks use for template refreshes. In most environments this worked anyway due to an indirect dependency via the sass module, but for stability Apostrophe should depend directly on any npm module it uses.
  • Fixes the display of inline range inputs, notably broken when using Palette.
  • Fixes occasional unique key errors from migrations when attempting to start up again with a site that experienced a startup failure before inserting its first document.
  • Requires that locale names begin with a letter character to ensure order when looping over the object entries.
  • Unit tests pass in MongoDB 5.x.
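
The dependency check described in the 3.2.0 entry above, combined with the closest-ancestor package.json fallback from 3.5.0, as an added example that is not Apostrophe's own code. The function names, the returned labels, the choice to count both dependencies and devDependencies as declared, and the lookup of node_modules beside the manifest are assumptions; the project tree is constructed in a temporary directory.

```javascript
'use strict';
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Walk upward from startDir and return the closest package.json path,
// or null when the filesystem root is reached without finding one.
function findClosestPackageJson(startDir) {
  let dir = path.resolve(startDir);
  for (;;) {
    const candidate = path.join(dir, 'package.json');
    if (fs.existsSync(candidate)) return candidate;
    const parent = path.dirname(dir);
    if (parent === dir) return null;
    dir = parent;
  }
}

// Decide whether an installed npm package may be loaded as a module.
// Assumption: "declared" means listed in dependencies or devDependencies.
function classifyNpmModule(projectRoot, name) {
  const manifest = findClosestPackageJson(projectRoot);
  if (!manifest) return 'no-manifest';
  const installed = fs.existsSync(
    path.join(path.dirname(manifest), 'node_modules', name));
  if (!installed) return 'not-installed';
  const pkg = JSON.parse(fs.readFileSync(manifest, 'utf8'));
  const declared = { ...pkg.dependencies, ...pkg.devDependencies };
  // Present on disk only because npm flattened the tree: do not load it.
  return Object.prototype.hasOwnProperty.call(declared, name)
    ? 'load-from-npm' : 'ignored-transitive';
}

// Constructed fixture: the site directory has no package.json of its own,
// so the manifest two levels up is consulted (the 3.5.0 behaviour).
function buildFixture() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'apos-deps-'));
  const site = path.join(root, 'packages', 'site');
  for (const dir of [
    path.join(site, 'modules', 'article'),                    // project-level module
    path.join(root, 'node_modules', '@apostrophecms', 'seo'), // direct dependency
    path.join(root, 'node_modules', 'article')                // hoisted transitive package
  ]) fs.mkdirSync(dir, { recursive: true });
  fs.writeFileSync(path.join(root, 'package.json'), JSON.stringify({
    name: 'constructed-project',
    dependencies: { '@apostrophecms/seo': '*' }
  }));
  return { root, site };
}

function demo() {
  const { root, site } = buildFixture();
  const result = {
    seo: classifyNpmModule(site, '@apostrophecms/seo'),
    article: classifyNpmModule(site, 'article'),
    blog: classifyNpmModule(site, 'blog')
  };
  fs.rmSync(root, { recursive: true, force: true });
  return result;
}

console.log(demo());
```

The hoisted `article` package shares a name with the project-level module but is not declared in the manifest, so it is ignored rather than loaded.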

Adds

  • Adds Cut and Paste to area controls. You can now Cut a widget to a virtual clipboard and paste it in suitable areas. If an area can include the widget on the clipboard, a special Clipboard widget will appear in area's Add UI. This works across pages as well.

Changes

  • Apostrophe's Global's UI (the @apostrophecms/global singleton) has moved from the admin bar's content controls to the admin utility tray under a cog icon.
  • The context bar's document Edit button, which was a cog icon, has been rolled into the doc's context menu.