apostrophe - npm Package Versions

4.1.0 (2024-03-20)

Fixes

• Don't crash if a document of a type no longer corresponding to any module is present together with the advanced permission module.
• AposLoginForm.js now pulls its schema from the user module rather than hardcoding it. Includes the addition of enterUsername and enterPassword i18n fields for front end customization and localization.
• Simulated Express requests returned by apos.task.getReq now include a req.headers property, for greater accuracy and to prevent unexpected bugs in other code.
• Fix the missing attachment icon. The responsibility for checking whether an attachment actually exists before calling attachment.url still lies with the developer.

Adds

• Add new getChanges method to the schema module to get an array of document changed field names instead of just a boolean like does the isEqual method.
• Add highlight class in UI when comparing documents.

4.0.0 (2024-03-12)

Adds

• Add Marks tool to the Rich Text widget for handling toggling marks.
• Add translation keys used by the multisite assembly module.
• Add side by side comparison support in AposSchema component.
• Add beforeLocalize and afterLocalize events.
• Add custom manager indicators support via apos.schema.addManagerIndicator({ component, props, if }). The component registered this way will be automatically rendered in the manager modal.
• Add the possibility to make widget modals wider, which can be useful for widgets that contain areas taking significant space. See documentation.
• Temporarily add translation module to support document translations via the @apostrophecms-pro/automatic-translation module. The translation core module may be removed or refactored to reduce overhead in the core, so its presence should not be relied upon.

Changes

• Migrate to Vue 3. This entails changes to some admin UI code, as detailed in our public announcement. There are no other backwards incompatible changes in apostrophe version 4.0.0. Certain other modules containing custom admin UI have also been updated in a new major version to be compatible, as noted in our announcement and on the migration page of our website.

Fixes

• Adds textStyle to Tiptap types so that spans are rendered on RT initialization
• field.help and field.htmlHelp are now correctly translated when displayed in a tooltip.
• Bump the he package to most recent version.
• Notification REST APIs should not directly return the result of MongoDB operations.

3.63.2 (2024-03-01)

Security

• Always validate that method names passed to the external-condition API actually appear in if or requiredIf clauses for the field in question. This fix addresses a serious security risk in which arbitrary methods of Apostrophe modules could be called over the network, without arguments, and the results returned to the caller. While the lack of arguments mitigates the data exfiltration risk, it is possible to cause data loss by invoking the right method. Therefore this is an urgent upgrade for all Apostrophe 3.x users. Our thanks to the Michelin penetration test red team for disclosing this vulnerability. All are welcome to disclose security vulnerabilities in ApostropheCMS code via security@apostrophecms.com.
• Disable the alwaysIframe query parameter of the oembed proxy. This feature was never used in Apostrophe core, and could be misused to carry out arbitrary GET requests in the context of an iframe, although it could not be used to exfiltrate any information other than the success or failure of the request, and the request was still performed by the user's browser only. Thanks to the Michelin team.
• Remove vestigial A2 code relating to polymorphic relationship fields. The code in question had no relevance to the way such a feature would be implemented in A3, and could be used to cause a denial of service by crashing and restarting the process. Thanks to the Michelin team.

3.63.1 (2024-02-22)

Security

• Bump dependency on sanitize-html to ^2.12.1 at a minimum, to ensure that npm update apostrophe is sufficient to guarantee a security update is installed. This security update prevents specially crafted HTML documents from revealing the existence or non-existence of files on the server. The vulnerability did not expose any other information about those files. Thanks to the Snyk Security team for the disclosure and to Dylan Armstrong for the fix.

3.63.0 (2024-02-21)

Adds

• Adds a launder method to the slug schema field query builder to allow for use in API queries.
• Adds support for browsing specific pages in a relationship field when withType is set to a page type, like @apostrophecms/home-page, default-page, article-page...
• Add support for canCreate, canPreview & canShareDraft in context operations conditions.
• Add support for canCreate, canEdit, canArchive & canPublish in utility operations definitions.
• Add uponSubmit requirement in the @apostrophecms/login module. uponSubmit requirements are checked each time the user submit the login form. See the documentation for more information.
• Add field metadata feature, where every module can add metadata to fields via public API offered by apos.doc.setMeta(), apos.doc.getMeta(), apos.doc.getMetaPath() and apos.doc.removeMeta(). The metadata is stored in the database and can be used to store additional information about a field.
• Add new apos.schema.addFieldMetadataComponent(namespace, component) method to allow adding custom components. They have access to the server-side added field metadata and can decide to show indicators on the admin UI fields. Currently supported fields are "string", "slug", "array", "object" and "area".

Fixes

• When deleting a draft document, we remove related reverse IDs of documents having a relation to the deleted one.
• Fix publishing or moving published page after a draft page on the same tree level to work as expected.
• Check create permissions on create keyboard shortcut.
• Copy requires create and edit permission.
• Display a more informative error message when publishing a page because the parent page is not published and the current user has no permission to publish the parent page (while having permission to publish the current one).
• The content-changed event for the submit draft action now uses a complete document.
• Fix the context bar overlap on palette for non-admin users that have the permission to modify it.
• Show widget icons in the editor area context menu.

Changes

• Share Drafts modal styles made larger and it's toggle input has a larger hitbox.

3.62.0 (2024-01-25)

Adds

• Adds support for type query parameter for page autocomplete. This allows to filter the results by page type. Example: /api/v1/@apostrophecms/page?autocomplete=something&type=my-page-type.
• Add testing for the float schema field query builder.
• Add testing for the integer schema field query builder.
• Add support for link HTML attributes in the rich text widget via configurable fields linkFields, extendable on a project level (same as it's done for fields). Add an htmlAttribute property to the standard fields that map directly to an HTML attribute, except href (see special case below), and set it accordingly, even if it is the same as the field name. Setting htmlAttribute: 'href' is not allowed and will throw a schema validation exception (on application boot).
• Adds support in can and criteria methods for create and delete.
• Changes support for image upload from canEdit to canCreate.
• The media manager is compatible with per-doc permissions granted via the @apostrophecms-pro/advanced-permission module.
• In inline arrays, the trash icon has been replaced by a close icon.

Fixes

• Fix the launder and finalize methods of the float schema field query builder.
• Fix the launder and finalize methods of the integer schema field query builder.
• A user who has permission to publish a particular page should always be allowed to insert it into the published version of the site even if they could not otherwise insert a child of the published parent.
• Display the "Browse" button in a relationship inside an inline array.

3.61.1 (2023-01-08)

Fixes

• Pinned Vue dependency to 2.7.15. Released on December 24th, Vue 2.7.16 broke the rich text toolbar in Apostrophe.

3.61.0 (2023-12-21)

Adds

• Add a validate method to the url field type to allow the use of the pattern property.
• Add autocomplete attribute to schema fields that implement it (cf. HTML attribute: autocomplete).
• Add the delete method to the @apostrophecms/cache module so we don't have to rely on direct MongoDB manipulation to remove a cache item.
• Adds tag property to fields in order to show a tag next to the field title (used in advanced permission for the admin field). Adds new sensitive label color.
• Pass on the module name and the full, namespaced template name to external front ends, e.g. Astro. Also make this information available to other related methods for future and project-level use.
• Fixes the AposCheckbox component to be used more easily standalone, accepts a single model value instead of an array.

Fixes

• Fix date schema field query builder to work with arrays.
• Fix if on pages. When you open the AposDocEditor modal on pages, you now see an up to date view of the visible fields.
• Pass on complete annotation information for nested areas when adding or editing a nested widget using an external front, like Astro.
• We can now close the image modal in rich-text widgets when we click outside of the modal. The click on the cancel button now works too.
• Fixes the clearLoginAttempts method to work with the new @apostrophecms/cache module delete method.

3.60.1 (2023-12-06)

Fixes

• corrected an issue where the use of the doc template library can result in errors at startup when replicating certain content to new locales. This was not a bug in the doc template library. Apostrophe was not invoking findForEditing where it should have.