apostrophe - npm Package Versions


4.2.0 (2024-04-18)

  • Typing a / in the title field of a page no longer confuses the slug field. Thanks to Gauav Kumar.

Changes

  • Rich text styles are now split into Nodes and Marks, with independent toolbar controls for a better user experience when applying text styles. There is no change in how the styles option is configured.
  • Rich text style labels are fully localized.
  • The i18n module now uses the regular req.redirect instead of a direct res.redirect to ensure redirection, enabling more possibilities for the @apostrophecms/redirect module.
  • Refactors the AposModal component with the Composition API to get rid of duplicated code in AposFocusMixin and AposFocus.
  • APOS_MONGODB_LOG_LEVEL has been removed. According to mongodb documentation "Both the logger and the logLevel options had no effect and have been removed."
  • Update connect-mongo to 5.x. Add @apostrophecms/emulate-mongo-3-driver dependency to keep supporting mongodb@3.x queries while using mongodb@6.x.

Fixes

  • Updates the docs beforeInsert handler to avoid ending with different modes being set between _id, aposLocale and aposMode.
  • Adds a migration to fix potential corrupted data having different modes set between _id, aposLocale and aposMode.
  • Fix a crash in notification when req.body was not present. Thanks to Michelin for contributing this fix.
  • Addresses a console error observed when opening and closing the @apostrophecms-pro/palette module across various projects.
  • Fixes the color picker field in @apostrophecms-pro/palette module.
  • Ensures that the data-apos-test attribute in the admin bar's tray item buttons is set by passing the action prop to AposButton.
  • Prevents stripping of query parameters from the URL when the page is either switched to edit mode or reloaded while in edit mode.
  • Add the missing metaType property to newly inserted widgets.

Security

  • New passwords are now hashed with scrypt, the best password hash available in the Node.js core crypto module, following guidance from OWASP. This reduces login time while improving overall security.
  • Old passwords are automatically re-hashed with scrypt on the next successful login attempt, which adds some delay to that next attempt, but speeds them up forever after compared to the old implementation.
  • Custom scrypt parameters for password hashing can be passed to the @apostrophecms/user module via the scrypt option. See the Node.js documentation for scrypt. Note that the maxmem parameter is computed automatically based on the other parameters.
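
The rehash-on-login flow described in these notes, as an added example that is not Apostrophe's own code: a record is verified under whatever scheme it was stored with, then re-hashed with the current scrypt policy when it is stale. The record layout, the function names, the small cost values and the use of PBKDF2 as the "old" scheme are assumptions; the changelog does not say what the old implementation was.

```javascript
const crypto = require('node:crypto');

// Assumed policy for this sketch; production costs are typically higher.
const CURRENT = { cost: 2 ** 14, blockSize: 8, parallelization: 1 };
const KEYLEN = 64;

// scrypt's working set is about 128 * N * r bytes, which passes Node's 32 MiB
// default maxmem at larger costs, so derive maxmem with roughly 2x headroom.
function maxmemFor({ cost, blockSize, parallelization }) {
  return 128 * blockSize * (2 * cost + parallelization);
}

function derive(password, record) {
  const salt = Buffer.from(record.salt, 'hex');
  if (record.scheme === 'scrypt') {
    const { cost, blockSize, parallelization } = record;
    const options = { cost, blockSize, parallelization, maxmem: maxmemFor(record) };
    return crypto.scryptSync(password, salt, KEYLEN, options);
  }
  if (record.scheme === 'legacy-pbkdf2') { // stand-in for the unnamed old scheme
    return crypto.pbkdf2Sync(password, salt, record.iterations, KEYLEN, 'sha512');
  }
  throw new Error(`unknown scheme: ${record.scheme}`);
}

function hashPassword(password, params = CURRENT) {
  const record = { scheme: 'scrypt', ...params, salt: crypto.randomBytes(16).toString('hex') };
  record.hash = derive(password, record).toString('hex');
  return record;
}

// Constructed sample: a stored record that predates the scrypt policy.
function makeLegacyRecord(password) {
  const record = { scheme: 'legacy-pbkdf2', iterations: 10000, salt: crypto.randomBytes(16).toString('hex') };
  record.hash = derive(password, record).toString('hex');
  return record;
}

// Returns { ok, record, upgraded }; the caller persists record when upgraded.
function verifyAndUpgrade(password, record, params = CURRENT) {
  const expected = Buffer.from(record.hash, 'hex');
  const actual = derive(password, record);
  const ok = expected.length === actual.length && crypto.timingSafeEqual(expected, actual);
  const stale = record.scheme !== 'scrypt' ||
    Object.keys(params).some((key) => record[key] !== params[key]);
  if (ok && stale) {
    return { ok, record: hashPassword(password, params), upgraded: true };
  }
  return { ok, record, upgraded: false };
}
```

The upgrade only happens after a successful verification, because that is the only moment the plaintext password is available to re-hash.
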
boutell
published 4.1.1 •

4.1.1 (2024-03-21)

Fixes

  • Hotfix for a bug that broke the rich text editor when the rich text widget has a styles property. The bug was introduced in 4.0.0 as an indirect side effect of deeper watching behavior by Vue 3.
boutell
published 4.1.0 •

4.1.0 (2024-03-20)

Fixes

  • Don't crash if a document of a type no longer corresponding to any module is present together with the advanced permission module.
  • AposLoginForm.js now pulls its schema from the user module rather than hardcoding it. Includes the addition of enterUsername and enterPassword i18n fields for front end customization and localization.
  • Simulated Express requests returned by apos.task.getReq now include a req.headers property, for greater accuracy and to prevent unexpected bugs in other code.
  • Fix the missing attachment icon. The responsibility for checking whether an attachment actually exists before calling attachment.url still lies with the developer.

Adds

  • Add a new getChanges method to the schema module that returns an array of the names of changed document fields, rather than just a boolean as the isEqual method does.
  • Add highlight class in UI when comparing documents.
boutell
published 3.63.3 •

boutell
published 4.0.0 •

4.0.0 (2024-03-12)

Adds

  • Add Marks tool to the Rich Text widget for handling toggling marks.
  • Add translation keys used by the multisite assembly module.
  • Add side by side comparison support in AposSchema component.
  • Add beforeLocalize and afterLocalize events.
  • Add custom manager indicators support via apos.schema.addManagerIndicator({ component, props, if }). The component registered this way will be automatically rendered in the manager modal.
  • Add the possibility to make widget modals wider, which can be useful for widgets that contain areas taking significant space. See documentation.
  • Temporarily add translation module to support document translations via the @apostrophecms-pro/automatic-translation module. The translation core module may be removed or refactored to reduce overhead in the core, so its presence should not be relied upon.

Changes

  • Migrate to Vue 3. This entails changes to some admin UI code, as detailed in our public announcement. There are no other backwards incompatible changes in apostrophe version 4.0.0. Certain other modules containing custom admin UI have also been updated in a new major version to be compatible, as noted in our announcement and on the migration page of our website.

Fixes

  • Adds textStyle to Tiptap types so that spans are rendered on RT initialization.
  • field.help and field.htmlHelp are now correctly translated when displayed in a tooltip.
  • Bump the he package to most recent version.
  • Notification REST APIs should not directly return the result of MongoDB operations.
boutell
published 3.63.2 •

3.63.2 (2024-03-01)

Security

  • Always validate that method names passed to the external-condition API actually appear in if or requiredIf clauses for the field in question. This fix addresses a serious security risk in which arbitrary methods of Apostrophe modules could be called over the network, without arguments, and the results returned to the caller. While the lack of arguments mitigates the data exfiltration risk, it is possible to cause data loss by invoking the right method. Therefore this is an urgent upgrade for all Apostrophe 3.x users. Our thanks to the Michelin penetration test red team for disclosing this vulnerability. All are welcome to disclose security vulnerabilities in ApostropheCMS code via security@apostrophecms.com.
  • Disable the alwaysIframe query parameter of the oembed proxy. This feature was never used in Apostrophe core, and could be misused to carry out arbitrary GET requests in the context of an iframe, although it could not be used to exfiltrate any information other than the success or failure of the request, and the request was still performed by the user's browser only. Thanks to the Michelin team.
  • Remove vestigial A2 code relating to polymorphic relationship fields. The code in question had no relevance to the way such a feature would be implemented in A3, and could be used to cause a denial of service by crashing and restarting the process. Thanks to the Michelin team.
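
The validation described in the first item above, as an added example that is not Apostrophe's own code: the requested method name is accepted only if it appears verbatim as a key in the field's if or requiredIf clauses. The key syntax ending in `()`, the `$or` nesting, the handler name and the sample module and field are assumptions made for illustration.

```javascript
// Collect keys that name a method call, such as 'isFeatured()' or
// 'article:isFeatured()', including those nested under $or (assumed syntax).
function collectMethods(clause, found = new Set()) {
  if (!clause || typeof clause !== 'object') return found;
  for (const [key, value] of Object.entries(clause)) {
    if (key === '$or' && Array.isArray(value)) {
      value.forEach((sub) => collectMethods(sub, found));
    } else if (key.endsWith('()')) {
      found.add(key);
    }
  }
  return found;
}

function allowedMethods(field) {
  return collectMethods(field.requiredIf, collectMethods(field.if));
}

// Hypothetical handler: `requested` is the untrusted name from the network.
function evaluateExternalCondition(modules, field, requested) {
  if (typeof requested !== 'string' || !allowedMethods(field).has(requested)) {
    return { status: 400, error: 'invalid' };
  }
  const colon = requested.lastIndexOf(':');
  const moduleName = colon === -1 ? field.moduleName : requested.slice(0, colon);
  const method = requested.slice(colon + 1, -2);
  const target = modules[moduleName];
  if (!target || typeof target[method] !== 'function') {
    return { status: 400, error: 'invalid' };
  }
  return { status: 200, result: target[method]() };
}

// Constructed sample: one module with harmless checks and a destructive method.
let purgeCalls = 0;
const sampleModules = {
  article: { isFeatured: () => true, hasQuota: () => false, purge: () => { purgeCalls += 1; } }
};
const sampleField = {
  name: 'badge',
  moduleName: 'article',
  if: { $or: [ { 'isFeatured()': true }, { type: 'promo' } ] },
  requiredIf: { 'article:hasQuota()': true }
};
```

The allowlist is built from the server-side schema for the specific field, so a name that exists on the module but is not declared in that field's conditions is rejected before any lookup or call takes place.
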
boutell
published 3.63.1 •

3.63.1 (2024-02-22)

Security

  • Bump dependency on sanitize-html to ^2.12.1 at a minimum, to ensure that npm update apostrophe is sufficient to guarantee a security update is installed. This security update prevents specially crafted HTML documents from revealing the existence or non-existence of files on the server. The vulnerability did not expose any other information about those files. Thanks to the Snyk Security team for the disclosure and to Dylan Armstrong for the fix.
bodonkey
published 3.63.0 •

3.63.0 (2024-02-21)

Adds

  • Adds a launder method to the slug schema field query builder to allow for use in API queries.
  • Adds support for browsing specific pages in a relationship field when withType is set to a page type, like @apostrophecms/home-page, default-page, article-page...
  • Add support for canCreate, canPreview & canShareDraft in context operations conditions.
  • Add support for canCreate, canEdit, canArchive & canPublish in utility operations definitions.
  • Add uponSubmit requirement in the @apostrophecms/login module. uponSubmit requirements are checked each time the user submits the login form. See the documentation for more information.
  • Add field metadata feature, where every module can add metadata to fields via public API offered by apos.doc.setMeta(), apos.doc.getMeta(), apos.doc.getMetaPath() and apos.doc.removeMeta(). The metadata is stored in the database and can be used to store additional information about a field.
  • Add new apos.schema.addFieldMetadataComponent(namespace, component) method to allow adding custom components. They have access to the server-side added field metadata and can decide to show indicators on the admin UI fields. Currently supported fields are "string", "slug", "array", "object" and "area".

Fixes

  • When deleting a draft document, we remove related reverse IDs of documents having a relation to the deleted one.
  • Fix publishing or moving published page after a draft page on the same tree level to work as expected.
  • Check create permissions on create keyboard shortcut.
  • Copy requires create and edit permission.
  • Display a more informative error message when publishing a page because the parent page is not published and the current user has no permission to publish the parent page (while having permission to publish the current one).
  • The content-changed event for the submit draft action now uses a complete document.
  • Fix the context bar overlap on palette for non-admin users that have the permission to modify it.
  • Show widget icons in the editor area context menu.

Changes

  • Share Drafts modal styles made larger and its toggle input has a larger hitbox.
boutell
published 3.62.0 •

3.62.0 (2024-01-25)

Adds

  • Adds support for a type query parameter for page autocomplete. This allows filtering the results by page type. Example: /api/v1/@apostrophecms/page?autocomplete=something&type=my-page-type.
  • Add testing for the float schema field query builder.
  • Add testing for the integer schema field query builder.
  • Add support for link HTML attributes in the rich text widget via configurable fields linkFields, extendable on a project level (same as it's done for fields). Add an htmlAttribute property to the standard fields that map directly to an HTML attribute, except href (see special case below), and set it accordingly, even if it is the same as the field name. Setting htmlAttribute: 'href' is not allowed and will throw a schema validation exception (on application boot).
  • Adds support in can and criteria methods for create and delete.
  • Changes support for image upload from canEdit to canCreate.
  • The media manager is compatible with per-doc permissions granted via the @apostrophecms-pro/advanced-permission module.
  • In inline arrays, the trash icon has been replaced by a close icon.

Fixes

  • Fix the launder and finalize methods of the float schema field query builder.
  • Fix the launder and finalize methods of the integer schema field query builder.
  • A user who has permission to publish a particular page should always be allowed to insert it into the published version of the site even if they could not otherwise insert a child of the published parent.
  • Display the "Browse" button in a relationship inside an inline array.
boutell
published 3.61.1 •

3.61.1 (2023-01-08)

Fixes

  • Pinned Vue dependency to 2.7.15. Released on December 24th, Vue 2.7.16 broke the rich text toolbar in Apostrophe.