ApostropheCMS changelog

Changelog History

Page 1

• v3.11.0 Changes

  January 06, 2022

  ➕ Adds

  • Apostrophe now extends Passport's req.login to emit an afterSessionLogin event from the @apostrophecms:login module, with req as an argument. Note that this does not occur at all for login API calls that return a bearer token rather than establishing an Express session.

  🛠 Fixes

  • Apostrophe's extension of req.login now accounts for the req.logIn alias and the skippable options parameter, which is relied upon in some passport strategies.
  • 🔧 Apostrophe now warns if a nonexistent widget type is configured for an area field, with special attention to when -widget has been erroneously included in the name. For backwards compatibility this is a startup warning rather than a fatal error, as sites generally did operate successfully otherwise with this type of bug present.

  🔄 Changes

  • 🛠 Unpins vue-click-outside-element the packaging of which has been fixed upstream.
  • ➕ Adds deprecation note to __testDefaults option. It is not in use, but removing would be a minor BC break we don't need to make.
  • 👍 Allows test modules to use a custom port as an option on the @apostrophecms/express module.
  • ✂ Removes the code base pull request template to instead inherit the organization-level template.
  • ➕ Adds npm audit back to the test scripts.

• v3.10.0 Changes

  December 22, 2021

  🛠 Fixes

  • slug type fields can now have an empty string or null as their def value without the string 'none' populating automatically.
  • 🔧 The underline feature works properly in tiptap toolbar configuration.
  • Required checkbox fields now properly prevent editor submission when empty.
  • 🔒 Pins vue-click-outside-element to a version that does not attempt to use eval in its distribution build, which is incompatible with a strict Content Security Policy.

  ➕ Adds

  • ➕ Adds a last option to fields. Setting last: true on a field puts that field at the end of the field's widget order. If more than one field has that option active the true last item will depend on general field registration order. If the field is ordered with the fields.order array or field group ordering, those specified orders will take precedence.

  🔄 Changes

  • ➕ Adds deprecation notes to the widget class methods getWidgetWrapperClasses and getWidgetClasses from A2.
  • ➕ Adds a deprecation note to the reorganize query builder for the next major version.
  • 🐎 Uses the runtime build of Vue. This has major performance and bundle size benefits, however it does require changes to Apostrophe admin UI apps that use a template property (components should require no changes, just apps require an update). These apps must now use a render function instead. Since custom admin UI apps are not yet a documented feature we do not regard this as a bc break.
  • 🔒 Compatible with the @apostrophecms/security-headers module, which supports a strict Content-Security-Policy.
  • ➕ Adds a deprecation note to the addLateCriteria query builder.
  • ⚡️ Updates the toCount doc type query method to use Math.ceil rather than Math.floor plus an additional step.

• v3.9.0 Changes

  December 08, 2021

  ➕ Adds

  • 📚 Developers can now override any Vue component of the ApostropheCMS admin UI by providing a component of the same name in the ui/apos/components folder of their own module. This is not always the best approach, see the documentation for details.
  • 👷 When running a job, we now trigger the notification before to run the job, this way the progress notification ID is available from the job and the notification can be dismissed if needed.
  • ➕ Adds maxUi, maxLabel, minUi, and minLabel localization strings for array input and other UI.

  🛠 Fixes

  • 🚚 Fully removes references to the A2 self.partial module method. It appeared only once outside of comments, but was not actually used by the UI. The self.render method should be used for simple template rendering.
  • 🛠 Fixes string interpolation for the confirmation modal when publishing a page that has an unpublished parent page.
  • No more "cannot set headers after they are sent to the client" and "req.res.redirect not defined" messages when handling URLs with extra trailing slashes.
  • 👀 The apos.util.runPlayers method is not called until all of the widgets in a particular tree of areas and sub-areas have been added to the DOM. This means a parent area widget player will see the expected markup for any sub-widgets when the "Edit" button is clicked.
  • 👉 Properly activates the apostropheI18nDebugPlugin i18next debugging plugin when using the APOS_SHOW_I18N environment variable. The full set of l10n emoji indicators previously available for the UI is now available for template and server-side strings.
  • Actually registers piece types for site search unless the searchable option is false.
  • 🛠 Fixes the methods required for the search index task.

  🔄 Changes

  • ➕ Adds localization keys for the password field component's min and max error messages.

• v3.8.1 Changes

  November 23, 2021

  🛠 Fixes

  • The search field of the pieces manager modal works properly. Thanks to Miro Yovchev for pointing out the issue and providing a solution.
  • 🛠 Fixes a bug in AposRichTextWidgetEditor.vue when a rich text widget was specifically configured with an empty array as the styles option. In that case a new empty rich text widget will initiate with an empty paragraph tag.
  • ThefieldsPresent method that is used with the presentFieldsOnly option in doc-type was broken, looking for properties in strings and wasn't returning anything.

• v3.8.0 Changes

  November 15, 2021

  ➕ Adds

  • Checkboxes for pieces are back, a main checkbox allows to select all page items. When all pieces on a page are checked, a banner where the user can select all pieces appears. A launder for mongo projections has been added.
  • 💅 Registered batchOperations on a piece-type will now become buttons in the manager batch operations "more menu" (styled as a kebab icon). Batch operations should include a label, messages object, and modalOptions for the confirmation modal.
  • batchOperations can be grouped into a single button with a menu using the group cascade subproperty.
  • batchOperations can be conditional with an if conditional object. This allows developers to pass a single value or an array of values.
  • 🔧 Piece types can have utilityOperations configured as a top-level cascade property. These operations are made available in the piece manager as new buttons.
  • Notifications may now include an event property, which the AposNotification component will emit on mount. The event property should be set to an object with name (the event name) and optionally data (data included with the event emission).
  • ➕ Adds support for using the attachments query builder in REST API calls via the query string.
  • ➕ Adds contextual menu for pieces, any module extending the piece-type one can add actions in this contextual menu.
  • When clicking on a batch operation, it opens a confirmation modal using modal options from the batch operation, it also works for operations in grouped ones. operations name property has been renamed in action to work with AposContextMenu component.
  • 📚 Beginning with this release, a module-specific static asset in your project such as modules/mymodulename/public/images/bg.png can always be referenced in your .scss and .css files as /modules/mymodulename/images/bg.png, even if assets are actually being deployed to S3, CDNs, etc. Note that public and ui/public module subdirectories have separate functions. See the documentation for more information.
  • ➕ Adds AposFile.vue component to abstract file dropzone UI, uses it in AposInputAttachment, and uses it in the confirmation modal for pieces import.
  • ⚡️ Optionally add dimensionAttrs option to image widget, which sets width & height attributes to optimize for Cumulative Layout Shift. Thank you to Qiao Lin for the contribution.

  🛠 Fixes

  • 💻 The apos.util.attachmentUrl method now works correctly. To facilitate that, apos.uploadsUrl is now populated browser-side at all times as the frontend logic originally expected. For backwards compatibility apos.attachment.uploadsUrl is still populated when logged in.
  • Widget players are now prevented from being played twice by the implementing vue component.

  🔄 Changes

  • ✂ Removes Apostrophe 2 documentation and UI configuration from the @apostrophecms/job module. These options were not yet in use for A3.
  • 🚚 Renames methods and removes unsupported routes in the @apostrophecms/job module that were not yet in use. This was not done lightly, but specifically because of the minimal likelihood that they were in use in project code given the lack of UI support.
    • The deprecated cancel route was removed and will likely be replaced at a later date.
    • run was renamed runBatch as its purpose is specifically to run processes on a "batch selected" array of pieces or pages.
    • runNonBatch was renamed to run as it is the more generic job-running method. It is likely that runBatch will eventually be refactored to use this method.
    • The good and bad methods are renamed success and failure, respectively. The expected methods used in the run method were similarly renamed. They still increment job document properties called good and bad.
  • Comments out the unused batchSimpleRoute methods in the page and piece-type modules to avoid usage before they are fully implemented.
  • ⚡️ Optionally add dimensionAttrs option to image widget, which sets width & height attributes to optimize for Cumulative Layout Shift.
  • 🔒 Temporarily removes npm audit from our automated tests because of a sub-dependency of uploadfs that doesn't actually cause a security vulnerability for apostrophe.

• v3.7.0 Changes

  October 26, 2021

  ➕ Adds

  • Schema select field choices can now be populated by a server side function, like an API call. Set the choices property to a method name of the calling module. That function should take a single argument of req, and return an array of objects with label and value properties. The function can be async and will be awaited.
  • Apostrophe now has built-in support for the Node.js cluster module. If the APOS_CLUSTER_PROCESSES environment variable is set to a number, that number of child processes are forked, sharing the same listening port. If the variable is set to 0, one process is forked for each CPU core, with a minimum of 2 to provide availability during restarts. If the variable is set to a negative number, that number is added to the number of CPU cores, e.g. -1 is a good way to reserve one core for MongoDB if it is running on the same server. This is for production use only (NODE_ENV=production). If a child process fails it is restarted automatically.

  🛠 Fixes

  • 💻 Prevents double-escaping interpolated localization strings in the UI.
  • 💅 Rich text editor style labels are now run through a localization method to get the translated strings from their l10n keys.
  • 🛠 Fixes README Node version requirement (Node 12+).
  • 💅 The text alignment buttons now work immediately in a new rich text widget. Previously they worked only after manually setting a style or refreshing the page. Thanks to Michelin for their support of this fix.
  • 💻 Users can now activate the built-in date and time editing popups of modern browsers when using the date and time schema field types.
  • Developers can now require their project app.js file in the Node.js REPL for debugging and inspection. Thanks to Matthew Francis Brunetti.
  • 0️⃣ If a static text phrase is unavailable in both the current locale and the default locale, Apostrophe will always fall back to the en locale as a last resort, which ensures the admin UI works if it has not been translated.
  • Developers can now require their project app.js in the Node.js REPL for debugging and inspection
  • Ensure array field items have valid _id prop before storing. Thanks to Thanks to Matthew Francis Brunetti.

  🔄 Changes

  • 🚀 In 3.x, relationship fields have an optional builders property, which replaces filters from 2.x, and within that an optional project property, which replaces projection from 2.x (to match MongoDB's cursor.project). Prior to this release leaving the old syntax in place could lead to severe performance problems due to a lack of projections. Starting with this release the 2.x syntax results in an error at startup to help the developer correct their code.
  • The className option from the widget options in a rich text area field is now also applied to the rich text editor itself, for a consistently WYSIWYG appearance when editing and when viewing. Thanks to Max Mulatz for this contribution.
  • ➕ Adds deprecation notes to doc module afterLoad events, which are deprecated.
  • ✂ Removes unused afterLogin method in the login module.

• v3.6.0 Changes

  October 13, 2021

  ➕ Adds

  • 💻 The context-editing apostrophe admin UI bus event can now take a boolean parameter, explicitly indicating whether the user is actively typing or performing a similar active manipulation of controls right now. If a boolean parameter is not passed, the existing 1100-millisecond debounced timeout is used.
  • ➕ Adds 'no-search' modifier to relationship fields as a UI simplification option.
  • Fields can now have their own modifiers array. This is combined with the schema modifiers, allowing for finer grained control of field rendering.
  • ➕ Adds a Slovak localization file. Activate the sk locale to use this. Many thanks to Michael Huna for the contribution.
  • ➕ Adds a Spanish localization file. Activate the es locale to use this. Many thanks to Eugenio Gonzalez for the contribution.
  • ➕ Adds a Brazilian Portuguese localization file. Activate the pt-BR locale to use this. Many thanks to Pietro Rutzen for the contribution.

  🛠 Fixes

  • 🛠 Fixed missing translation for "New Piece" option on the "more" menu of the piece manager, seen when using it as a chooser.
  • 🔧 Piece types with relationships to multiple other piece types may now be configured in any order, relative to the other piece types. This sometimes appeared to be a bug in reverse relationships.
  • Code at the project level now overrides code found in modules that use improve for the same module name. For example, options set by the @apostrophecms/seo-global improvement that ships with @apostrophecms/seo can now be overridden at project level by /modules/@apostrophecms/global/index.js in the way one would expect.
  • Array input component edit button label is now propertly localized.
  • 🐎 A memory leak on each request has been fixed, and performance improved, by avoiding the use of new Nunjucks environments for each request. Thanks to Miro Yovchev for pointing out the leak.
  • Fragments now have access to __t(), getOptions and other features passed to regular templates.
  • 🛠 Fixes field group cascade merging, using the original group label if none is given in the new field group configuration.
  • If a field is conditional (using an if option), is required, but the condition has not been met, it no longer throws a validation error.
  • 💻 Passing busy: true to apos.http.post and related methods no longer produces an error if invoked when logged out, however note that there will likely never be a UI for this when logged out, so indicate busy state in your own way.
  • 🐛 Bugs in document modification detection have been fixed. These bugs caused edge cases where modifications were not detected and the "Update" button did not appear, and could cause false positives as well.

  🔄 Changes

  • ✅ No longer logs a warning about no users if testModule is true on the app.

• v3.5.0 Changes

  September 23, 2021

  • 🏗 Pinned dependency on vue-material-design-icons to fix apos-build.js build error in production.
  • The file size of uploaded media is visible again when selected in the editor, and media information such as upload date, dimensions and file size is now properly localized.
  • 🛠 Fixes moog error messages to reflect the recommended pattern of customization functions only taking self as an argument.
  • 💅 Rich Text widgets now instantiate with a valid element from the styles option rather than always starting with an unclassed <p> tag.
  • 🚀 Since version 3.2.0, apostrophe modules to be loaded via npm must appear as explicit npm dependencies of the project. This is a necessary security and stability improvement, but it was slightly too strict. Starting with this release, if the project has no package.json in its root directory, the package.json in the closest ancestor directory is consulted.
  • 🛠 Fixes a bug where having no project modules directory would throw an error. This is primarily a concern for module unit tests where there are no additional modules involved.
  • 🍱 css-loader now ignores url() in css files inside assets so that paths are left intact, i.e. url(/images/file.svg) will now find a static file at /public/images/file.svg (static assets in /public are served by express.static). Thanks to Matic Tersek.
  • ⏪ Restored support for clicking on a "foreign" area, i.e. an area displayed on the page whose content comes from a piece, in order to edit it in an appropriate way.
  • 🔧 Apostrophe module aliases and the data attached to them are now visible immediately to ui/src/index.js JavaScript code, i.e. you can write apos.alias where alias matches the alias option configured for that module. Previously one had to write apos.modules['module-name'] or wait until next tick. However, note that most modules do not push any data to the browser when a user is not logged in. You can do so in a custom module by calling self.enableBrowserData('public') from init and implementing or extending the getBrowserData(req) method (note that page, piece and widget types already have one, so it is important to extend in those cases).
  • ✅ options.testModule works properly when implementing unit tests for an npm module that is namespaced.

  🔄 Changes

  • 0️⃣ Cascade grouping (e.g., grouping fields) will now concatenate a group's field name array with the field name array of an existing group of the same name. Put simply, if a new piece module adds their custom fields to a basics group, that field will be added to the default basics group fields. Previously the new group would have replaced the old, leaving inherited fields in the "Ungrouped" section.
  • AposButton's block modifier now less login-specific

  ➕ Adds

  • 💅 Rich Text widget's styles support a def property for specifying the default style the editor should instantiate with.
  • A more helpful error message if a field of type area is missing its options property.

• v3.4.1 Changes

  September 13, 2021

  🚀 No changes. Publishing to correctly mark the latest 3.x release as "latest" in npm.

• v3.4.0 Changes

  September 13, 2021

  🔒 Security

  • ⬆️ Changing a user's password or marking their account as disabled now immediately terminates any active sessions or bearer tokens for that user. Thanks to Daniel Elkabes for pointing out the issue. To ensure all sessions have the necessary data for this, all users logged in via sessions at the time of this upgrade will need to log in again.
  • 🚚 Users with permission to upload SVG files were previously able to do so even if they contained XSS attacks. In Apostrophe 3.x, the general public so far never has access to upload SVG files, so the risk is minor but could be used to phish access from an admin user by encouraging them to upload a specially crafted SVG file. While Apostrophe typically displays SVG files using the img tag, which ignores XSS vectors, an XSS attack might still be possible if the image were opened directly via the Apostrophe media library's convenience link for doing so. All SVG uploads are now sanitized via DOMPurify to remove XSS attack vectors. In addition, all existing SVG attachments not already validated are passed through DOMPurify during a one-time migration.

  🛠 Fixes

  • 🔒 The apos.attachment.each method, intended for migrations, now respects its criteria argument. This was necessary to the above security fix.
  • ✂ Removes a lodash wrapper around @apostrophecms/express bodyParser.json options that prevented adding custom options to the body parser.
  • 👯 Uses req.clone consistently when creating a new req object with a different mode or locale for localization purposes, etc.
  • 🛠 Fixes bug in the "select all" relationship chooser UI where it selected unpublished items.
  • 🛠 Fixes bug in "next" and "previous" query builders.
  • Cutting and pasting widgets now works between locales that do not share a hostname, provided that you switch locales after cutting (it does not work between tabs that are already open on separate hostnames).
  • 👍 The req.session object now exists in task req objects, for better compatibility. It has no actual persistence.
  • Unlocalized piece types, such as users, may now be selected as part of a relationship when browsing.
  • Unpublished localized piece types may not be selected via the autocomplete feature of the relationship input field, which formerly ignored this requirement, although the browse button enforced it.
  • 💻 The server-side JavaScript and REST APIs to delete pieces now work properly for pieces that are not subject to either localization or draft/published workflow at all the (localize: false option). UI for this is under discussion, this is just a bug fix for the back end feature which already existed.
  • 🛠 Starting in version 3.3.1, a newly added image widget did not display its image until the page was refreshed. This has been fixed.
  • 🛠 A bug that prevented Undo operations from working properly and resulted in duplicate widget _id properties has been fixed.
  • 🛠 A bug that caused problems for Undo operations in nested widgets, i.e. layout or multicolumn widgets, has been fixed.
  • Duplicate widget _id properties within the same document are now prevented on the server side at save time.
  • Existing duplicate widget _id properties are corrected by a one-time migration.

  ➕ Adds

  • ➕ Adds a linter to warn in dev mode when a module name include a period.
  • 👕 Lints module names for apostrophe- prefixes even if they don't have a module directory (e.g., only in app.js).
  • ⚠ Starts all warnDev messages with a line break and warning symbol (⚠️) to stand out in the console.
  • 🗄 apos.util.onReady aliases apos.util.onReadyAndRefresh for brevity. The apos.util.onReadyAndRefresh method name will be deprecated in the next major version.
  • ➕ Adds a developer setting that applies a margin between parent and child areas, allowing developers to change the default spacing in nested areas.

  🔄 Changes

  • ✂ Removes the temporary trace method from the @apostrophecms/db module.
  • 📚 Beginning with this release, the apostrophe:modulesReady event has been renamed apostrophe:modulesRegistered, and the apostrophe:afterInit event has been renamed apostrophe:ready. This better reflects their actual roles. The old event names are accepted for backwards compatibility. See the documentation for more information.
  • Only autofocuses rich text editors when they are empty.
  • Nested areas now have a vertical margin applied when editing, allowing easier access to the parent area's controls.

• 1
• 2
• 3
• 4
• 5
• Next ›
• Last »