Changelog History

  • v2.107.0

    May 20, 2020
    • ⚡️ CKEditor has been updated to version 4.14, addressing a low-risk XSRF vulnerability. The vulnerability required that the source code editor feature be activated and that a user with editing privileges be convinced to import specially crafted markup, which is unlikely in practice.
    • 👉 Users may now intentionally clear a time field, whether or not it has a def setting, in which case it is stored as null (unless required: true is present). The inability to do this was a regression introduced in version 2.102.0.
    • 📚 Developers can now pass a spectrumOptions object to a color field and take full control of Spectrum, the plugin that powers Apostrophe's color picker. Documentation for this configuration here.
    • 👀 Activating the objectNotation option to i18n no longer causes problems for certain strings in Apostrophe's admin interface, which does not use it. You will see alternate Unicode characters for the : and . characters in these strings if you do choose to translate them. These are transformed back for end users.
  • v2.106.4

    May 20, 2020
    • 👉 Users may now intentionally clear a time field, whether or not it has a def setting, in which case it is stored as null (unless required: true is present). The inability to do this was a regression introduced in version 2.102.0.
  • v2.106.3

    May 06, 2020
    • 🛠 Fixes a page tree interface bug that would cause pages to be lost when they were trashed with their parent, then the parent was dragged out of the trash. This only affected projects with trashInSchema: true set in the apostrophe-docs module; however, that includes anything using apostrophe-workflow.
  • v2.106.2

    April 22, 2020
    • 🔌 The icons of custom CKEditor plugins now appear properly. Previously they were hidden.
    • ✅ Switched the continuous integration testing service to CircleCI from Travis.
  • v2.106.1

    April 20, 2020
    • 🛠 Fixed a regression that broke the thumbnail display of images in "Manage Images." This regression was introduced in version 2.106.0, which was otherwise an important security update, so you should definitely update to 2.106.1 to get the benefit of that security fix if you haven't already.
  • v2.106.0

    April 17, 2020

    🔒 Security: the list route of the apostrophe-pieces module and the info route of the apostrophe-pages module formerly allowed site visitors to obtain the complete contents of publicly accessible pages and pieces. While there was no inappropriate access to documents that were unpublished, restricted to certain users, etc., properties not normally visible to end users were exposed. Since the global document can be fetched as part of requests made by the public, this means that any credentials in the schema of the global document are vulnerable to being viewed until your site is updated to at least Apostrophe 2.106.0. Note that if you are using Apostrophe Workflow you must also update that module to Apostrophe 2.34.0, otherwise the "Manage Workflow" view will not work.

    🔧 The most important change made to resolve this issue is the use of a projection to populate the "Manage" view of pieces (the "list" route). While Apostrophe will automatically include any extra columns configured with addColumns in the projection, you may need to add additional properties to the projection if you have overridden the manage list view template entirely for some of your pieces to display additional information.

    🔧 The easiest way to do that is to configure the addToListProjection option for your custom piece type, like so:

    // in lib/modules/my-module
    module.exports = {
      extend: 'apostrophe-pieces',
      // extra properties to include in the "list" route projection
      addToListProjection: {
        myExtraProperty: 1
      }
      // other configuration here as usual
    };

    You can also apply the super pattern to the new getListProjection method of apostrophe-pieces.
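
The effect of the projection described above, as an added sketch that is not Apostrophe's own code. The helper names, the base field list and the sample document are constructed for illustration; the point is that only the base fields, the addColumns names and the addToListProjection keys leave the server, so a credential stored on the document is never returned.

```javascript
// Added sketch, not Apostrophe source. Helper names are hypothetical.
// Base fields assumed for the default manage view (constructed).
const BASE_LIST_PROJECTION = { _id: 1, title: 1, slug: 1, published: 1 };

// Compose the projection: base fields + addColumns names + addToListProjection.
function buildListProjection(options) {
  const projection = Object.assign({}, BASE_LIST_PROJECTION);
  (options.addColumns || []).forEach(function (column) {
    projection[column.name] = 1;
  });
  return Object.assign(projection, options.addToListProjection || {});
}

// Apply a MongoDB-style inclusion projection (top-level keys only).
function project(doc, projection) {
  const out = {};
  Object.keys(projection).forEach(function (key) {
    if (projection[key] && Object.prototype.hasOwnProperty.call(doc, key)) {
      out[key] = doc[key];
    }
  });
  return out;
}

// Review aid: projected property names that look like credentials.
function findExposedSecrets(projection, pattern) {
  return Object.keys(projection).filter(function (key) {
    return Boolean(projection[key]) && pattern.test(key);
  });
}

// Constructed sample piece, as stored in the database.
const sampleDoc = {
  _id: 'c1', title: 'Spring sale', slug: 'spring-sale', published: true,
  startDate: '2020-04-17',
  myExtraProperty: 'shown by a custom manage template',
  internalNotes: 'not meant for visitors',
  mailApiKey: 'EXAMPLE-NOT-A-REAL-KEY'
};

// Constructed module options mirroring the configuration shown above.
const moduleOptions = {
  addColumns: [{ name: 'startDate', label: 'Start Date' }],
  addToListProjection: { myExtraProperty: 1 }
};

const listProjection = buildListProjection(moduleOptions);
const listed = project(sampleDoc, listProjection);
console.log(Object.keys(listed));
console.log(findExposedSecrets(listProjection, /key|secret|token|password/i));
```

Running findExposedSecrets over each piece type's projection is a quick review step after adding keys to addToListProjection.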

    Many thanks to Kristian Mattila for bringing the issue to our attention, allowing us to patch the vulnerability before any public disclosure was made. If you become aware of a security issue in Apostrophe, please contact us via email at

  • v2.105.2

    April 09, 2020
    • apos.utils.emit now works properly in IE11, addressing an issue that impacted apostrophe-forms submissions in IE11 in 2.105.0.
    • IE11 now respects the prefix option properly in apos.utils.get and (lean mode helpers for making API calls).
  • v2.105.1

    April 08, 2020
    • 🛠 When using lean mode, video widgets did not support Internet Explorer 11. This issue has been fixed. Non-lean mode video widgets have always supported Internet Explorer 11.
    • 🍱 If the jQuery: 3 option is not passed to apostrophe-assets a developer warning is now printed at startup. The use of jQuery 1.x is deprecated. All Apostrophe-published modules work fine with the jQuery: 3 option. You may need to review the jQuery 3 changelogs for a few changes required for your own legacy code.
    • 👉 Users may now intentionally clear a date field, whether or not it has a def setting, in which case it is stored as null (unless required: true is present). The inability to do this was a regression introduced in version 2.102.0.
    • 0️⃣ The objectNotation: true option to apostrophe-i18n, which we pass on to the i18n module, is now compatible with the namespaces: true option. When both are active, the namespace separator defaults to <@> to avoid a conflict with the : character used to begin the default value when using object notation.
    • 📚 Various documentation corrections and minor aesthetic improvements.
  • v2.105.0

    March 26, 2020
    • 🚀 Security: Node 6.x has not been supported by its creators since April 2019, and Node 8.x reached its end of support date in December 2019. As of this release of Apostrophe, we are officially acknowledging that it is not possible to maintain support for Node 6.x in Apostrophe and it is unlikely to work on that version, since both the testing frameworks on which we rely and common sub-dependencies of essential open source modules used by Apostrophe now require Node 8 at a minimum. While we will make a good-faith effort to maintain Node 8.x usability as long as possible, we expect to similarly be forced to drop Node 8 compatibility soon. Both Node 6 and Node 8 might not be safe to use for reasons entirely unrelated to Apostrophe, so you should upgrade your servers as soon as practical. Few or no code changes should be needed in Apostrophe 2.x projects. We strongly recommend moving to Node 12.x, the most up to date LTS (Long-Term Support) release of Node. In the future, we recommend becoming familiar with the Node.js release schedule so you can better plan for such upgrades.
    • 🔒 Security: all of the recent npm audit warnings were fixed. These were considered low risk according to the npm audit tool. In the process we removed dependencies on the tar and prompt modules in favor of simpler solutions with fewer moving parts.
    • Lean mode: the apos.utils.get and methods no longer prepend the site's global prefix when the call targets a different origin (another site's API, for instance). This is a bug fix to match the behavior of $.jsonCall() which set the standard for this in Apostrophe.
    • 💻 Lean mode: apos.utils.emit(el, name, data) has been introduced. This method emits a custom DOM event with the given name and adds the properties of the data object to the event. The event is emitted on el. When emitting events with global significance, our convention is to emit them on document.body. To listen for such events one uses the standard browser method document.body.addEventListener('eventname', function(event) { ... }).
    • Lean mode: apos.utils.get now emits an apos-before-get event with uri, data and request properties just before the request is actually sent. You may use this hook to add headers to request.
    • 🍱 Cloud deployment: when starting up a site with APOS_BUNDLE=1, the asset bundle is by default extracted to the root of the project so that the assets can be found in the filesystem of each server if needed. New feature: for the benefit of environments in which the bundle files are already present and the root of the project is not writable, APOS_EXTRACT_BUNDLE=0 may now be set to disable the extraction (note 0, not 1).
    • Localization: Apostrophe's static i18n of its user interface can now be "namespaced," opening the door to giving your translators better guidance on whether to translate it or ignore it when working with the JSON files in the locales/ folder of your site. You can turn this on by enabling the namespaces: true option for the apostrophe-i18n module. When you do, Apostrophe's i18n phrases will be prefaced with apostrophe<:> in the JSON files (not in the browser). You can create your own namespaced translations by calling __ns('namespacename', 'phrase') rather than __('phrase'), __ns_n rather than __n, etc. Note that if the namespaces option is not actually turned on, these new helpers are still available in templates; they just don't prefix a namespace. The forthcoming apostrophe-static-i18n module, which allows for editing static translations as pieces, will also have an option to ignore a namespace, which is helpful if you wish to avoid showing our user interface phrases to your translation team at all.
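
A listener for the apos-before-get hook from the v2.105.0 notes above, as an added example that is not Apostrophe's own code. It assumes the event is emitted on document.body per the stated convention and that request exposes setRequestHeader() like XMLHttpRequest; the helper names, header name and value are constructed. Because apos.utils.get can target other origins, the listener attaches the header only when the target resolves to the site's own origin.

```javascript
// Added example, not Apostrophe source. Helper names are hypothetical.

// True only when `uri` resolves to the same origin as the site. The URL
// parser is used instead of a string prefix check so that protocol-relative
// targets and look-alike host names are classified correctly.
function isSameOrigin(uri, siteOrigin) {
  try {
    return new URL(uri, siteOrigin).origin === new URL(siteOrigin).origin;
  } catch (e) {
    return false; // unparseable target: treat it as foreign
  }
}

// Build a listener that adds one header, and only to same-origin requests.
// Returns true when the header was attached, false when it was withheld.
function makeBeforeGetListener(siteOrigin, headerName, headerValue) {
  return function (event) {
    if (!isSameOrigin(event.uri, siteOrigin)) {
      return false;
    }
    // Assumption: event.request behaves like XMLHttpRequest.
    event.request.setRequestHeader(headerName, headerValue);
    return true;
  };
}

// Browser wiring; skipped when no DOM is present.
if (typeof document !== 'undefined') {
  document.body.addEventListener(
    'apos-before-get',
    makeBeforeGetListener(window.location.origin, 'X-Example-Token', 'constructed-value')
  );
}
```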
  • v2.104.0

    March 11, 2020
    • 👍 apos.utils.get and now return a promise if invoked without a callback. This means you may use await with them. It is up to you to provide a Promise polyfill if you use this feature without callbacks and intend to support IE11. For instance you could use the core-js library. These methods are similar to $.get and $.post but do not require jQuery. supports Apostrophe's CSRF protection natively so you do not have to add an exception if you use it. These methods are available in lean frontend mode.
    • apos.utils.get no longer adds an unnecessary ? to the URL it fetches if data has no properties. In addition, apos.utils.get leaves the URL unchanged if data is null.
    • ⚠ Recursion warnings now include a hint to add a projection to pieces-widgets as well as more obvious joins.
    • ⚡️ Dependencies updated to reflect latest version of emulate-mongo-2-driver, which contains an important fix to count.