# Changelog ## 4.28.1 ### Patch Changes - f8d1952: Bug fix: the "pretty URLs" feature of @apostrophecms/file is now compatible with locale prefixes. ## 4.28.0 ### Adds - Adds support for static URLs and static external frontend builds. - Adds widget graph store, accessible in Admin UI. - Support for the new `prettyUrls: true` option for @apostrophecms/file, which enables "pretty URLs" for PDFs and other items in the file library, in exchange for a small performance impact. Edit the slug field to adjust the pretty URL ### Fixes - Fix a bug when rich text link open in new tab checkbox can't be cleared - Ensures the `getOne` API can correctly retrieve documents that are not localized. Thanks to [Eduardo Correal](https://github.com/ecb34). - Clicking a choice should dismiss the relationship suggestions dropdown. This regression was caused by part of the patch in release 4.27.1. - lint on main - Adds inner wrapper to area widget that creates a separate z-index context for the user, fixing widget/apostrophe UI conflicts - Fixes a bug where Layout's mode erroneously switches state - Fixes a bug where Layouts synthetic column styles were not reaching their children - Fixes styles being sanitized as html (breaks quotes) and resolves duplicate styles on the page. - Fix subtle bug in AposPermissionGrid that caused unrelated clicks to be "swallowed" due to a race condition at low network speeds - Fixes two conditions where slow internet speed could cause input to lose focus before a selection can be registered. ### Changes - Improve re-rendering UX while keeping the performance optimization - raise the user's widget z-index context only when focused - Hide add content buttons on rich text editing, like widget controls - Refine in-context focus states for calmer UX - Simplifies some in-context UI rendering checks - Updated dependencies ### Security - This previously undisclosed security vulnerability allowed users who had compromised a password to perform actions in the CMS without 2FA. For sites not using 2FA (e.g. our @apostrophecms/login-totp module), this changes nothing. But for those using our TOTP module or similar, upgrading to this release is urgent. Thanks to 0xkakashi for reporting the issue and recommending a fix. ## 4.27.1 (2026-03-03) ### Fixes - Fixes two conditions where slow internet speed could cause relationship field inputs to lose focus before a selection can be registered. - Fixes a subtle bug in AposPermissionGrid that caused unrelated clicks to be "swallowed" due to a race condition at low network speeds. ## 4.27.0 (2026-02-18) ### Adds - Relax the image and attachment related Nunjucks helpers, they should never throw. - Adds the `intlMapping` option to locale configuration to map custom locale codes to standard ones for `Intl` usage. This property is available in `apos.i18n.locales` for project-level code. - In `@apostrophecms/i18n` add `direction` property to locale configuration to support RTL languages (e.g., `he`, `ar`), `slugDirection` option to control default direction of slug fields. Add `direction` property in the schema field definitions to override and validate text direction (supports `ltr` and `rtl`) of input fields. Note that the admin UI layout and labels overall are still LTR only for now, but these changes accommodate editing RTL locale content within that. For best results the feature should be combined with `adminLocales` and `defaultAdminLocale` module options, e.g. the admin UI itself should remain in English or another LTR language for now. - Add new `showBreakpointsHelp` option (default `true`). If set to `false`, the "Show tablet/mobile" fields help text will be removed from the UI. - Adds windowed view to widget editor - Added support for translation interpolation for schema fields in the UI via `labelInterpolation` and `helpInterpolation` schema properties. - Updates Global Styles Editor window title - Updated dependencies [bbf3359] - sanitize-html@2.17.1 ### Fixes - Fix hardcoded help text in Layout Column fields. Rename the existing `breakpoints` option to `labelBreakpoints` for clarity. The old option is deprecated but still supported for BC reasons. - Fix a bug where rich text images and permalinks are not properly rendered in public external front (e.g. Astro) views. - Fixed a regression introduced in 4.26.0 that could cause some areas on the page not to be editable outside of the page or piece settings dialog. ## 4.27.0-alpha.2 ### Changes - Removes commit resolution markers that were left behind in the 4.27.0-alpha.1 release ## 4.26.1 ### Fixes - No changes relative to 4.26.0. Published to reset the `latest` tag in `npm`, which inadvertently pointed to an alpha release for a brief period of time. ## 4.27.0-alpha.1 ### Adds - In `@apostrophecms/i18n` add `direction` property to locale configuration to support RTL languages (e.g., `he`, `ar`), `slugDirection` option to control default direction of slug fields. Add `direction` property in the schema field definitions to override and validate text direction (supports `ltr` and `rtl`) of input fields. Note that the admin UI layout and labels overall are still LTR only for now, but these changes accommodate editing RTL locale content within that. For best results the feature should be combined with `adminLocales` and `defaultAdminLocale` module options, e.g. the admin UI itself should remain in English or another LTR language for now. ## 4.26.1-alpha.1 ### Fixes - Fix a bug where rich text images and permalinks are not properly rendered in public external front (e.g. Astro) views. ## 4.26.0 ### Adds - Add new Global Styles and Widget Styles features - Explicitly specify `meta encoding="utf-8"` to ensure browser auto-detection does not inadvertently cause problems in a very small percentage of cases. Note that utf-8 is the only official encoding supported for html5. - Adds field unit to box input UI if provided - When editing a relationship it is now much easier to create and select new content for that purpose. A "New" button is directly exposed in the manager, a newly created document is automatically selected for the relationship, and several relevant bugs were fixed. - Rich text table styles are now available in the public build and can be overridden by project level `modules/@apostrophecms/ui/ui/src/index.scss` file ### Changes - Fix box field type to generate valid css properties - set layout columns to min-width 0 to prevent automatic overflowing - if no class provided for a rt style set it to null to ensure removal - Updated dependencies ## 4.25.0 ### Adds - If you want production sourcemaps to be created but not actually uploaded for the public, you can combine `productionSourceMaps: true` with the new `productionSourceMapsDir` option to specify an alternate location where the `@apostrophecms/asset:build` task should place them. By using this option, you take responsibility for delivering the sourcemaps to their final home. Creating and/or erasing the folder between builds is also up to you. Most people will not need this option. - Adds support for context utility admin bar items to display a label and omit an icon ### Fixes - Fixes an issue where the frontend was caching stale choices for `select`, `radio` and `checkboxes` fields that were saved but no longer valid (i.e removed from the schema). - When we reach the max in a widget area, the `Add Content` button is now disabled. - Fix `getManagerOf` to log an error and return `undefined` instead of throwing for unsupported metaTypes ### Changes - Bumped dependency on `express-cache-on-demand` to guarantee installation of recent fixes for edge cases that could share a response between two locales of a single-site project, report errors without a process restart, and correctly handle `res.send('')` with an empty string. - Restores relative import paths inside Vite-generated entrypoints on \*nix builds so dev server HMR works again, while keeping the Windows-specific absolute path workaround. - The `productionSourceMaps` option is now fully supported in both Vite and Webpack. Previously this feature did not work fully in Vite, and was not supported with Webpack. Enabling this feature completes the task of making sourcemaps fully available in the browser in production. - Relationship input's autocomplete list now positioned with floating-ui ## 4.24.1 (2025-12-04) ### Fixes - Fixes soft-redirect module to decode the URL path before matching historic URLs, ensuring proper matching of accents, Cyrillic, and other non-ASCII characters in old URLs. While this was not a new issue, the fix is of new importance now that a migration path to eliminate accent marks in existing slugs has been introduced in version 4.24.0. ### Adds - Adds a new `isAdmin` method to the `permission` module. ## 4.24.0 (2025-11-25) ### Adds - Adds `stripUrlAccents` option in `@apostrophecms/i18n` module to globally control whether accents are stripped from URLs. When set to `true`, all URLs (slugs) will have accents from Latin characters removed on document creation and updates. No existing documents are modified automatically; this only affects new or updated documents. A new task `node app @apostrophecms/i18n:strip-slug-accents` is provided to update existing document slugs in the database when needed. - Add `@apostrophecms/migration:add-missing-schema-fields` task. This task does not run database migrations. - Translation strings added for the layout- and layout-column-widgets. - Adds `@apostrophecms/doc:get-apos-doc-id` and `@apostrophecms/doc:set-apos-doc-id` tasks. - New `box` schema field type - When switching locale from the doc editor, ask if the user wants to localize the current document in the target locale or want to start a blank document. - Adds batch failure notifications. - Introduced a new `longPolling: false` option for the `@apostrophecms/notification` module. This eliminates long-pending requests when logged in, but also slows down the delivery of notifications. The behavior can be tuned further via the `pollingInterval` option, which defaults to `5000` milliseconds. - Add support for `def` in area fields - array of widget names to use as defaults when the area is created. ### Changes - `@apostrophecms/migration:requirements` handler now runs the migration requirements like `insertIfMissing`, `implementParkAllInDefaultLocale`, `replicate` and `implementParkAllInOtherLocales`. - Bump nodemailer to v7.x. - Improves client error log when unable to render a widget. - Rich text `styles` are once again available to insert menu items, such as our optional `@apostrophecms/ai-helper` module. ### Fixes - Specify the content type when calling back to Astro with JSON to render an area. This is required starting in Astro 4.9.0 and up, otherwise the request is blocked by CSRF protection. - Improved support for Node.js on "plain vanilla" Windows, e.g. without WSL. We suggest working with NVM for Windows and Git Bash. - Fixes `AposBreadcrumbSwitch` tooltip prop that is supposed to be an object, not a string. Object returned from the shared method `getOperationTooltip`. - Empty text nodes are output properly without a warning. - Uses `modalData.locale` in `AposI18nLocalize` component. Fixes watcher on `relatedDocTypes` not being properly triggered (uses data and methods for more control instead). - Layout area fix when no columns are present. ## 4.23.0 (2025-10-30) ### Adds - Add locale picker in the page and piece manager modals. - Support for the `render-areas` query parameter in the REST API when using Astro as an external frontend, provided the Astro project has the corresponding route. This allows section template library previews to work in Astro projects. For ease of migration, if Astro cannot satisfy the request, ApostropheCMS will also attempt to render the widget natively. - Made `self.apos.externalFrontKey` available, simplifying API calls back to Astro. - Layout widget for dynamic grid layouts. - `widgetOperations` support for `placement: 'breadcrumb'` to add operations to the breadcrumb menu of widgets. Extend the widget operations configuration to support various features when in the breadcrumb menu. - Area template (Nunjucks) support for `aposStyle`, `aposClassName`, `aposParentOptions` and `aposAttrs` contextual named variables (`with {}` syntax). - New login option `caseInsensitive` to force login usernames and emails to be case insensitive. New task `login-case-insensitive` updating all login names / email to lowercase, used by a new migration when switching to `caseInsensitive`. - Adds `disableIfProps` and `disableTooltip` to widget operations and breadcrumb operations. ### Changes - Enable `/api/v1/@apostrophecms/login/logout` and `/api/v1/@apostrophecms/login/whoami` routes when `localLogin` is `false`. - Refactored complex logic regarding data updates in `AposSchema`. - Cleaned up `annotateAreaForExternalFront` logic and added context so developers understand the reason if it fails due to a widget type with no matching module in the project. - Color fields now display their preset color swatches in the field UI rather than just the color picker popup - Moves widget operations to backend with new `action` and `nativeAction` properties. - Moves `mode` from breakpoint preview to it's own store (to be used by layout). ### Fixes - The `render-areas` query parameter now works correctly with areas nested in array items. - Fix min size calculation for image widgets configured with an aspect ratio. - Added missing `await` in helper library function for the asset module, ensuring JS assets build reliably. - Autodetection of bundles, and automatic activation of "improvements" shipped in those bundles, now works correctly when the bundle is delivered in ES module format rather than commonjs format. ## 4.22.0 (2025-10-01) ### Adds - Custom operations registered with `addCreateWidgetOperation` can now specify an `ifTypesIntersect` property containing an array of widget type names. If the area in question allows at least one, the operation is offered. - The login-requirements tests were updated to include tests for the `uponSubmit` filter - Add `prependNodes` and `appendNodes` calls for `main`. - Add options for pieces to change the title, message and icon of the empty state block. ### Fixes - Fixes a bug in the login `uponSubmit` filter where a user could login without meeting the requirement. - Fixes pieces filters when values from optional fields are falsy. - Resolve inline image URLs correctly when in edit mode and not in the default locale. - Using `CTRL+F` or `CMD+F` in the page manager now works. ### Changes - Redirects to URLs containing accent marks and other non-ascii characters now behave as expected with Astro. Pre-encoding the URLs exactly the way `res.redirect` would before passing them to Astro prevents an error in Astro and allows the redirect to succeed. - Removes the non-functional `uniqueUsername` route from the `user` module - Modifies the `annotateAreaForExternalFront()` method of the `@apostrophecms/template` module to accept a per-module `annotateWidgetForExternalFront()` method. This allows widgets to send project-level options alongside the per-area options to external frontends. - Updated dependencies to address deprecation warnings. ## 4.21.1 (2025-09-26) ### Adds - The `exit` option to the main `apostrophe()` function now supports the new string value `exit: 'throw'`. If this value is specified and the apostrophe startup procedure fails with an error, the actual error is re-thrown for the benefit of the caller. - For backwards compatibility, the existing `exit: false` option to the main `apostrophe()` function is still supported, but now logs the error that took place before returning `undefined` as before. This is more useful than the previous behavior, but `exit: 'throw'` is the more logical choice if you need to avoid a process exit. - The default behavior is still to log the error and exit the process, which isthe only sensible move in most single-site projects. ## 4.21.0 (2025-09-03) ### Adds - Modules can now call `apos.area.addCreateWidgetOperation` to register a custom operation that invokes a modal and inserts the widget returned by that modal. These operations are offered as choices in all "add widget" menus, both regular and expanded. - `AposDocEditor` now accepts a `values` prop, which can be used to pass an object of initial values for some or all fields. Use of this prop is optional. It is not supported when editing existing documents. - `apos.doc.edit` now accepts an optional `values` object as the final parameter, containing initial values for some or all fields. This is supported only when editing existing documents. - When specifying a modal name to be executed, developers may now register "transformers" to be invoked first, using pipe syntax. For example, the modal name `aposSectionTemplateLibraryWidgetToDoc|AposDocEditor` will invoke the transformer `aposSectionTemplateLibraryWidgetToDoc` with the original props, and pass the returned result to `AposDocEditor`. Note that transformers are awaited. Transformers are registered in frontend admin UI code by passing a name and a function to `apos.ui.addTransformer`. - Adds quick image upload UI to `@apostrophecms/image-widget`. - Makes autocropping work when uploading or selecting images from the new quick image upload UI. ### Fixes - The `?render-areas=1` API feature now correctly disregards areas in separate documents loaded via relationship fields. Formerly their presence resulted in an error, not a rendering. - Make conditional fields work in Image Editor. - Importing a custom icon from an npm module using a `~` path per the admin UI now works per the documentation, as long as the Vue component used for the icon is structured like those found in `@apostrophecms/vue-material-design-icons`. - The `button: true` flag works again for piece module utility operations. Previously the button appeared but did not trigger the desired operation. - Fix the fact that area options `minSize` and `aspectRatio` weren't passed to the image cropper when coming directly from the area and the widget controls (without passing through the widget editor). - Fixes the widget data being cloned to be saved before the `postprocess` method being called, which leads to a loss of data in `AposWidgetEditor` (like the autocrop data). - In editors like `AposWidgetEditor` relationships are now post processed after they are updated in `AposInputRelationship` only for the relationship that has been updated. It allows live preview to work well with it, it also avoids complexity and fixes updated data not being properly synced between the editor and the `AposSchema`. - Deeply nested widgets can now be edited properly via the editor dialog box. This longstanding issue did not affect on-page editing. ### Changes - Rolled back a change in 4.16.0 that strictly enforced `required` and `min` for relationship fields. Because the related document can be archived or deleted at any time, it is misleading to offer such enforcement. Also, it greatly complicates adding these constraints to existing schemas, resulting in surprising and unwanted behaviors. Therefore it is better for these constraints to be soft constraints on the front end. `max` is still a hard constraint. - The `@apostrophecms/login/whoami` route now accepts both `POST` (recommended) and `GET` requests. Previously, it only supported `GET`. This maintains backwards compatibility while aligning with the documentation’s recommendation to use `POST`. ## 4.20.0 (2025-08-06) ### Adds - Adds any alt text found in an attribute to the media library attachment during import of rich text inline images by API - Adds `prependNodes` and `appendNodes` methods to every module. These methods allow you to inject HTML to every page using a `node` declaration. ### Changes - A `clone-widget.js` file has been factored out, providing a universal way to return a clone of an existing widget which is distinct from the original. - Adds any alt text found in an attribute to the media library attachment during import of rich text inline images by API - Adds `prependNodes` and `appendNodes` methods to every module. These methods allow you to inject HTML to every page using a `node` declaration. - Changes handling of `order` and `groups` in the `admin-bar` module to respect, rather that reverse, the order of items - Interacting with the text inside a rich text widget will hide the widget controls to prevent awkward text selection. ### Fixes - Let the `@apostrophecms/page:unpark` task unpark all parked pages with the given slug, not just the first one. - Exclude unknown page types from the page manager. - Remove multiple calls to render-widget when switch to edit mode. - Resolved an issue affecting `withRelationships` with two or more steps. This issue could cause a document to appear to be related to the same document more than once. - You can now use checkboxes as filter `inputType`. - Fixed a regression that prevented multiple variations of `p` with different classes from being recognized again when reopening the rich text editor, even if they are all on the style menu. This was caused by knock-on effects of upstream changes in tiptap and prosemirror and our previous efforts to mitigate these. Those upstream changes were correct, but they did have certain side effects in ApostropheCMS. By more fully specifying the desired behavior, we have now fully corrected the issue at the ApostropheCMS level. - Correctly update alt attribute of images in rich text widgets. ### Security - Clear an npm audit warning by replacing `connect-multiparty` with `multer`. Thanks to [Radhakrishnan Mohan](https://github.com/RadhaKrishnan) for this contribution. - To be clear, this was never an actual security vulnerability. The CVE in question is disputed, and for good reasons. However, since `connect-multiparty` is no longer maintained, it makes sense to move to `multer`. ## 4.19.0 (2025-07-09) ### Adds - Implemented GET /api/v1/@apostrophecms/login/whoami route such that it returns the details of the currently logged in user; added the route to the login module. Thanks to [sombitganguly](https://github.com/sombitganguly) for this contribution. - Adds keyboard shortcuts for manipulating widgets in areas. Includes Cut, Copy, Paste, Delete, and Duplicate. - Automatic translation now supports a disclaimer and an help text for the checkbox. You can now set the disclaimer by setting `automaticTranslationDisclaimer` `i18n` key and the help text by setting `automaticTranslationCheckboxHelp` `i18n` key. - Adds dynamic choices working with piece manager filters. - Allow `import.imageTags` (array of image tag IDs) to be passed to the rich text widget when importing (see ). - Adds a new way to make `GET` requests with a large query string. It can become a `POST` request containing the key `__aposGetWithQuery` in its body. A middleware checks for this key and converts the request back to a `GET` request with the right `req.query` property. - Adds a new batch operation to tag images. ### Changes ### Fixes - Add missing Pages manager shortcuts list helper. - Improve the `isEmpty` method of the rich text widget to take into account the HTML blocks (`
` and ``) that are not empty but do not contain any plain text. - Fixed admin bar item ordering to correctly respect the precedence hierarchy: groups (when leader is positioned) > explicit order array > groups (when leader has positioning options) > individual `last`/`after` options. - (Backward compatibility break) Conditional field that depends on already hidden field is also hidden, again. ## 4.18.0 (2025-06-11) ### Adds - Adds MongoDB-style support (comparison operators) for conditional fields and all systems that use conditions. Conditional fields now have access to the `following` values from the parent schema fields. - Add `followingIgnore` option to the `string` field schema. A boolean `true` results in all `following` values being ignored (not attempted to be used as a value for the field). When array of strings, the UI will ignore every item that matches a `following` field name. - Adds link configuration to the `@apostrophecms/image-widget` UI and a new option `linkWithType` to control what document types can be linked to. Opt-out of the widget inline styles (reset) by setting `inlineStyles: false` in the widget configuration or contextual options (area). - Use the link configuration of the Rich Text widget for image links too. It respects the existing `linkWithType` Rich Text option and uses the same schema (`linkFields`) used for text links. The fields from that schema can opt-in for specific tiptap extension now via a field property `extensions` (array) with possible array values `Link` and/or `Image`. You still need to specify the `htmlAttribute` property (the name of the attribute to be added to the link tag) in the schema when adding more fields. If the `extensions` property is not set, the field will be applied for both tiptap extensions. - Adds body style support for breakpoint preview mode. Created new `[data-apos-refreshable-body]` div inside the container during breapoint preview. Switch body attributes to this new div to keep supporting body styles in breakpoint preview mode. ### Changes - Set the `Cache-Control` header to `no-store` for error pages in order to prevent the risk of serving stale error pages to users. - Updates rich-text default configuration. ### Fixes - The Download links in the media library now immediately download the file as expected, rather than navigating to the image in the current tab. `AposButton` now supports the `:download="true"` prop as expected. - Using an API key with the editor, contributor or guest role now have a `req` object with the corresponding rights. The old behavior gave non-admin API keys less access than expected. ## 4.17.1 (2025-05-16) ### Fixes - Pinned to tiptap 2.11.0 and specific prosemirror releases compatible with it, to work around a bug that broke the behavior of lists in the editor when re-opening an existing list. We are working with upstream projects to resolve this so we can continue to track updates in tiptap and prosemirror. ## 4.17.0 (2025-05-14) ### Adds - Support for `fetchRelationships: false` in `applyPatch` and related methods. This is intended for the use of the `@apostrophecms/import-export` module, so the functionality is not exposed in a way that can be accessed simply by making a web request. ### Fixes - Errors thrown on the server side by subfields of widgets are now reported in a useful form at the document level. Previously a different error occurred in the error handling logic itself, confusing the issue. ## 4.16.0 (2025-05-14) ### Adds - Uses new `widgetOperations` to add the `adjustImage` operation to the image widget. - Adds a server validation before adding a widget to an area. Introduces a new POST route `@apostrophecms/area/validate-widget`. - The new `widgetOperations` cascade config property can be used to display custom operations for widgets. An `if` condition can be used to test properties of the widget before displaying an operation. ### Changes - Enable widget live preview by default. ### Fixes - Fixes `range` field type default value not being set properly. - Fixes autocomplete and search sorting and as a consequence, fixes potential duplicates during pagination. - Fixes all eslint warnings. - When pasting a widget from the clipboard, the correct widget type is always offered on the "Add Content" menu. - Widget live preview is now attempting to auto-position the Widget Editor modal only if no explicit widget configuration (`options.origin`) is provided. - `required` is now implemented on the server side as well for `relationship` fields. It behaves like `min: 1`. It was always implemented on the front end. However, note that a relationship can still become empty if the related document is archived or deleted. - Image widgets, and others with a placeholder when empty, now restore their placeholder view when canceling the widget editor in live preview mode. - Fixes `z-index` of widget controls, going above the controls add button. ### Changes - Updates the default fields for the `getMangageApiProjection()` to include a more sensible base configuration and adds a `true` option to return the minimal default values. ## 4.15.2 (2025-04-28) ### Security - Fixes a potential XSS attack vector, [CVE-2025-26791](https://github.com/advisories/GHSA-vhxf-7vqr-mrjg). While the risk was low, it was possible for one user with login and editing privileges to carry out an XSS attack on another by uploading a specially crafted SVG file. Normally this would not work because ApostropheCMS typically renders uploaded SVGs via an `img` tag, however if the second user downloaded the SVG file from the media library the exploit could work. ## 4.15.1 (2025-04-22) ### Fixes - Fixes a RT bug where including `table` in `toolbar` but omitting an `insert` array crashed the rich text editor. ## 4.15.0 (2025-04-16) ### Adds - To display a live preview on the page as changes are made to widgets, set the `preview: true` option on any widget module. To turn it on for all widgets, you can set it on the `@apostrophecms/widget-type` module, the base class of all widget modules. This works especially well when `range` fields are used to achieve visual effects. - Adds separate control bar for editing tables in rich text - Adds ability to drag-resize rich text table columns ### Changes - Improve the Page Manager experience when dragging and dropping pages - the updates happen in background and the UI is not blocked anymore. - Allow scrolling while dragging a page in the Page Manager. - Change user's email field type to `email`. - Improve media manager experience after uploading images. No additional server requests are made, no broken UI on error. - Change reset password form button label to `Reset Password`. - Removed overly verbose logging of schema errors in the schema module itself. These are already logged appropriately if they become the actual result of an API call. With this change it becomes possible to catch and discard or mitigate these in some situations without excessive log output. - Bumps eslint-config-apostrophe, fix errors and a bunch of warnings. - Gets back checkboxes in the media manager. ### Fixes - Adds missing notifications and error handling in media manager and save notification for auto-published pieces. - Update `uploadfs` to `1.24.3`. - Fixes an edge case where reordering a page in the Page Manager might affect another locale. - Fixes chrome bug when pages manager checkboxes need a double click when coming from the rich text editor (because some text is selected). - Fixes the rich text insert menu image menu not being properly closed. - Fixes the rich text toolbar not closing sometimes when unfocusing the editor. - Fixes missing wording on images batch operations. - Fixes rich text toolbar width being limited to parent width. - Fixes rich text insert menu focused item text color easily overridable. - Fixes long overlapping text in the header of the Report modal. - Fixes clipped text in the pager and in the relationship filters of piece manager. - Fixes an error when pressing Enter in a relationship input without a focused suggestion. - Fixes locale switcher not allowing to switch the page of an article when its parent page is draft only. ## 4.14.2 (2025-04-02) ### Fixes - Hotfix: the `choices` query parameter of the REST API no longer results in a 500 error if an invalid filter name is part of the list. Such filters are now properly ignored in `choices`. This issue could also have resulted in invocation of query methods that are not builders, however since all such methods are read-only operations, no arguments could be passed and no information was returned, there are no security implications. ## 4.14.1 (2025-03-31) ### Fixes - Hotfix: fixes a bug in which the same on-demand cache was used across multiple sites in the presence of `@apostrophecms/multisite`. In rare cases, this bug could cause the home page of site "A" to be displayed on a request for site "B," but only if requests were simultaneous. This bug did not impact single-site projects. ## 4.14.0 (2025-03-19) ### Adds - Add a label for the `@apostrophecms/attachment` module (error reporting reasons). - Add `translate` boolean option for report modal header configuration to force translation of the relevant items value (table cells). - Adds feature to generate a table from an imported CSV file inside the rich-text-widget. - Add data-test attributes to the login page. - Adds AI-generated missing translations - Adds the missing "Tags" filter to the chooser/manager view of files. - Adds batch operations to the media manager. - Passes `moduleName` to the event `content-changed` for batch operations, to know if data should be refreshed or not. ### Changes - Bumps the `perPage` option for piece-types from 10 to 50 - Reworks rich text popovers to use `AposContextMenu`, for toolbar components as well as insert menu items. ### Fixes - The `lang` attribute of the `` tag now respects localization. - Fixes the focus styling on AposTable headers. - Proper errors when widgets are badly configured in expanded mode. - More reliable Media Manager infinite scroll pagination. - Fixes margin collapse in nested areas by switching to `padding` instead of `margin` - Fixes Edit in Media Manager when the image is not in the currently loaded images. This may happen when the the Media Manager is in a relationship mode. - Removes `publish` batch operation for `autopublished` pieces. - Fixes `restore` batch operation having the action `update`. - Fixes `localize` batch operation having no `action` and no `docIds`. ### Removes - Table controls from the default rich text control bar ## 4.13.0 (2025-02-19) ### Adds - Supports progress notification type, can be used when no job are involved. Manage progress state into the new `processes` entity. - Moves global notification logic into Pinia store as well as job polling that updates processes. ### Fixes - Field inputs inside an array modal can now be focused/tabbed via keyboard - Fixes admin bar overlapping widget area add menu. - Fixed the checkered background for gauging color transparency. - Fixes `group.operations` (batch configuration) merging between modules in the same way that `group.fields` are merged. - The i18n manager detects the current locale correctly in some edge cases, like when the locale is changed per document (Editor Modal) and the localization manager is opened from a relationship manager via a document context menu. ### Adds - Add support for batch localization of pieces and pages. - Adds type for each file uploaded by big-upload. Moves big-upload-client to `apos/ui` folder and makes it esm. - When present, projections for reverse relationships now automatically include the special id and field storage properties for the relationship in question, allowing the related documents to be successfully returned. - Introduce `AposModalReport` component for displaying table reports. It's accessible via `apos.report(content, options)` method and it's now used in the `@apostrophecms/i18n` module for detailed reporting after a batch localization operation. ### Changes - The array editor's `isModified` method is now a computed property for consistency. - The `modal` configuration property for batch operations without a group is now accepted and works as expected in the same way as for grouped operations. - Explicitly enable document versions for `@apostrophecms/file-tag`, `@apostrophecms/file`, `@apostrophecms/image-tag` and `@apostrophecms/image` piece types. ### Adds - If `error.cause` is prevent, log the property. ## 4.12.0 (2025-01-27) ### Fixes - Fixes ability to change color hue by clicking the color hue bar rather than dragging the indicator. - Prevents the rich text control bar from closing while using certain UI within the color picker. - Saving a document via the dialog box properly refreshes the main content area when on a "show page" (when the context document is a piece rather than a page) - Fixes the `AposButtonSplit` markup to follow the HTML5 specification, optimizes the component performance, visuals and testability. - Fixes a case where releationship button overlaps a context menu. ### Adds - Ability to disable the color spectrum UI of a color picker - Accessibility improvement for the rich text editor Typography toolbar item. - Adds `moduleLabels` prop to `AposDocContextMenu` to pass it to opened modals from custom operations (used by templates to define labels to display on the export modal). ### Changes - Range style updates. - The `pickerOptions` sub property of a color field's configuration has been merged with it's parent `options` object. - Reworks `inline` and `micro` UI of some fields (color, range, select). Improve global inline style. - Makes the range input being a number all the time instead of a string that we convert manually. - Command line tasks can run before the first frontend asset build without error messages. ## 4.11.2 (2024-12-29) ### Fixes - Fixes a bug where images in Media manager are not selectable (click on an image does nothing) in both default and relationship mode. - Eliminated superfluous error messages. The convert method now waits for all recursive invocations to complete before attempting to determine if fields are visible. ### Adds - Possibility to set a field not ready when performing async operations, when a field isn't ready, the validation and emit won't occur. ## 4.11.1 (2024-12-18) ### Fixes - Corrected a unit test that relies on the sitemap module, as it now makes explicit that the project level `baseUrl` must be set for a successful experience, and the module level `baseUrl` was set earlier. No other changes. ## 4.11.0 (2024-12-18) ### Adds - When validating an `area` field, warn the developer if `widgets` is not nested in `options`. - Adds support for supplying CSS variable names to a color field's `presetColors` array as selectable values. - Adds support for dynamic focus trap in Context menus (prop `dynamicFocus`). When set to `true`, the focusable elements are recalculated on each cycle step. - Adds option to disable `tabindex` on `AposToggle` component. A new prop `disableFocus` can be set to `false` to disable the focus on the toggle button. It's enabled by default. - Adds support for event on `addContextOperation`, an option `type` can now be passed and can be `modal` (default) or `event`, in this case it does not try to open a modal but emit a bus event using the action as name. ### Fixes - Focus properly Widget Editor modals when opened. Keep the previous active focus on the modal when closing the widget editor. - a11y improvements for context menus. - Fixes broken widget preview URL when the image is overridden (module improve) and external build module is registered. - Inject dynamic custom bundle CSS when using external build module with no CSS entry point. - Range field now correctly takes 0 into account. - Apos style does not go through `postcss-viewport-to-container-toggle` plugin anymore to avoid UI bugs. ## 4.10.0 (2024-11-20) ### Fixes - Extra bundle detection when using external build module works properly now. - Widget players are now properly invoked when they arrive later in the page load process. - Fix permission grid tooltip display. - Fixes a bug that crashes external frontend applications. - Fixes a false positive warning for module not in use for project level submodules (e.g. `widges/module.js`) and dot-folders (e.g. `.DS_Store`). - Bumped `express-bearer-token` dependency to address a low-severity `npm audit` warning regarding noncompliant cookie names and values. Apostrophe did not actually use any noncompliant cookie names or values, so there was no vulnerability in Apostrophe. - Rich text "Styles" toolbar now has visually focused state. - The `renderPermalinks` and `renderImages` methods of the `@apostrophecms/rich-text` module now correctly resolve the final URLs of page links and inline images in rich text widgets, even when the user has editing privileges. Formerly this was mistakenly prevented by logic intended to preserve the editing experience. The editing experience never actually relied on the rendered output. - Search bar will perform the search even if the bar is empty allowing to reset a search. - Fixes Color picker being hidden in an inline array schema field, also fixes rgba inputs going off the modal. ### Adds - It's possible now to target the HMR build when registering via `template.append` and `template.prepend`. Use `when: 'hmr:public'` or `when: 'hmr:apos'` that will be evaluated against the current asset `options.hmr` configuration. - Adds asset module option `options.modulePreloadPolyfill` (default `true`) to allow disabling the polyfill preload for e.g. external front-ends. - Adds `bundleMarkup` to the data sent to the external front-end, containing all markup for injecting Apostrophe UI in the front-end. - Warns users when two page types have the same field name, but a different field type. This may cause errors or other problems when an editor switches page types. - The piece and page `GET` REST APIs now support `?render-areas=inline`. When this parameter is used, an HTML rendering of each widget is added to that specific widget in each area's `items` array as a new `_rendered` property. The existing `?render-areas=1` parameter is still supported to render the entire area as a single `_rendered` property. Note that this older option also causes `items` to be omitted from the response. ### Changes - Removes postcss plugin and webpack loader used for breakpoint preview mode. Uses instead the new `postcss-viewport-to-container-toggle` plugin in the webpack config. - Implement `vue-color` directly in Apostrophe rather than as a dependency - Switch color handling library from `tinycolor2` to `@ctrl/tinycolor` - Removes error messages in server console for hidden fields. These messages should not have been printed out in the server console in the first place. - Removes invalid error messages on select fields appearing while opening an existing valid document. ## 4.9.0 (2024-10-31) ### Adds - Relationship inputs have aria accessibility tags and autocomplete suggestions can be controlled by keyboard. - Elements inside modals can have a `data-apos-focus-priority` attribute that prioritizes them inside the focusable elements list. - Modals will continute trying to find focusable elements until an element marked `data-apos-focus-priority` appears or the max retry threshold is reached. - Takes care of an edge case where Media Manager would duplicate search results. - Add support for ESM projects. - Modules can now have a `before: "module-name"` property in their configuration to initialize them before another module, bypassing the normal order implied by `defaults.js` and `app.js`. - `select` and `checkboxes` fields that implement dynamic choices can now take into account the value of other fields on the fly, by specifying a `following` property with an array of other field names. Array and object subfields can access properties of the parent document by adding a `<` prefix (or more than one) to field names in `following` to look upwards a level. Your custom method on the server side will now receive a `following` object as an additional argument. One limitation: for now, a field with dynamic choices cannot depend on another field with dynamic choices in this way. - Adds AI-generated missing translations - Adds the mobile preview dropdown for non visibles breakpoints. Uses the new `shortcut` property to display breakpoints out of the dropdown. - Adds possibility to have two icons in a button. - Breakpoint preview only targets `[data-apos-refreshable]`. - Adds a `isActive` state to context menu items. Also adds possibility to add icons to context menu items. - Add a postcss plugin to handle `vh` and `vw` values on breakpoint preview mode. - Adds inject component `when` condition with possible values `hmr`, `prod`, and `dev`. Modules should explicitely register their components with the same `when` value and the condition should be met to inject the component. - Adds inject `bundler` registration condition. It's in use only when registering a component and will be evaluated on runtime. The value should match the current build module (`webpack` or the external build module alias). - Adds new development task `@apostrophecms/asset:reset` to reset the asset build cache and all build artifacts. - Revamps the `@apostrophecms/asset` module to enable bundling via build modules. - Adds `apos.asset.devServerUrl()` nunjucks helper to get the (bundle) dev server URL when available. - The asset module has a new option, `options.hmr` that accepts `public` (default), `apos` or `false` to enable HMR for the public bundle or the admin UI bundle or disable it respectively. This configuration works only with external build modules that support HMR. - The asset module has a new option, `options.hmrPort` that accepts an integer (default `null`) to specify the HMR WS port. If not specified, the default express port is used. This configuration works only with external build modules that support HMR WS. - The asset module has a new option, `options.productionSourceMaps` that accepts a boolean (default `false`) to enable source maps in production. This configuration works only with external build modules that support source maps. ### Changes - Silence deprecation warnings from Sass 1.80+ regarding the use of `@import`. The Sass team [has stated there will be a two-year transition period](https://sass-lang.com/documentation/breaking-changes/import/#transition-period) before the feature is actually removed. The use of `@import` is common practice in the Apostrophe codebase and in many project codebases. We will arrange for an orderly migration to the new `@use` directive before Sass 3.x appears. - Move saving indicator after breakpoint preview. - Internal methods `mergeConfiguration`, `autodetectBundles`, `lintModules`, `nestedModuleSubdirs` and `testDir` are now async. - `express.getSessionOptions` is now async. ### Fixes - Modifies the `AposAreaMenu.vue` component to set the `disabled` attribute to `true` if the max number of widgets have been added in an area with `expanded: true`. - `pnpm: true` option in `app.js` is no longer breaking the application. - Remove unused `vue-template-compiler` dependency. - Prevent un-publishing the `@apostrophecms/global` doc and more generally all singletons. - When opening a context menu while another is already opened, prevent from focusing the button of the first one instead of the newly opened menu. - Updates `isEqual` method of `area` field type to avoid comparing an area having temporary properties with one having none. - In a relationship field, when asking for sub relationships using `withRelationships` an dot notion. If this is done in combination with a projection, this projection is updated to add the id storage fields of the needed relationships for the whole `withRelationships` path. - The admin UI no longer fails to function when the HTML page is rendered with a direct `sendPage` call and there is no current "in context" page or piece. ## 4.7.2 and 4.8.1 (2024-10-09) ### Fixes - Correct a race condition that can cause a crash at startup when custom `uploadfs` options are present in some specific cloud environments e.g. when using Azure Blob Storage. ## 4.8.0 (2024-10-03) ### Adds - Adds a mobile preview feature to the admin UI. The feature can be enabled using the `@apostrophecms/asset` module's new `breakpointPreviewMode` option. Once enabled, the asset build process will duplicate existing media queries as container queries. There are some limitations in the equivalence between media queries and container queries. You can refer to the [CSS @container at-rule](https://developer.mozilla.org/en-US/docs/Web/CSS/@container) documentation for more information. You can also enable `breakpointPreviewMode.debug` to be notified in the console when the build encounters an unsupported media query. - Apostrophe now automatically adds the appropriate default values for new properties in the schema, even for existing documents in the database. This is done automatically during the migration phase of startup. - Adds focus states for media library's Uploader tile. - Adds focus states file attachment's input UI. - Simplified importing rich text widgets via the REST API. If you you have HTML that contains `img` tags pointing to existing images, you can now import them all quickly. When supplying the rich text widget object, include an `import` property with an `html` subproperty, rather than the usual `content` property. You can optionally provide a `baseUrl` subproperty as well. Any images present in `html` will be imported automatically and the correct `figure` tags will be added to the new rich text widget, along with any other markup acceptable to the widget's configuration. ### Changes - The various implementations of `newInstance` found in Apostrophe, e.g. for widgets, array items, relationship fields and documents themselves, have been consolidated in one implementation. The same code is now reused both on the front and the back end, ensuring the same result without the need to introduce additional back end API calls. ### Fixes - Apostrophe's migration logic is no longer executed twice on every startup and three times in the migration task. It is executed exactly once, always at the same point in the startup process. This bug did not cause significant performance issues because migrations were always only executed once, but there is a small performance improvement due to not checking for them more than once. - The `@apostrophecms/page` module APIs no longer allow a page to become a child of itself. Thanks to [Maarten Marx](https://github.com/Pixelguymm) for reporting the issue. - Uploaded SVGs now permit `` tags granted their `xlink:href` property is a local reference and begins with the `#` character. This improves SVG support while mitgating XSS vulnerabilities. - Default properties of object fields present in a widget now populate correctly even if never focused in the editor. - Fixed the "choices" query builder to correctly support dynamic choices, ensuring compatibility with the [`piecesFilters`](https://docs.apostrophecms.org/reference/modules/piece-page-type.html#piecesfilters) feature when using dynamic choices. - Fix a reordering issue for arrays when dragging and dropping items in the admin UI. - The inline array item extract the label now using `title` as `titleField` value by default (consistent with the Slat list). ## 4.7.1 (2024-09-20) ### Fixes - Ensure parked fields are not modified for parked pages when not configured in `_defaults`. ## 4.7.0 (2024-09-05) ### Changes - UI and UX of inline arrays and their table styles ### Adds - To aid debugging, when a file extension is unacceptable as an Apostrophe attachment the rejected extension is now printed as part of the error message. - The new `big-upload-client` module can now be used to upload very large files to any route that uses the new `big-upload-middleware`. - Add option `skipReplace` for `apos.doc.changeDocIds` method to skip the replacing of the "old" document in the database. - The `@apostrophecms/i18n` module now exposes a `locales` HTTP GET API to aid in implementation of native apps for localized sites. - Context menus can be supplied a `menuId` so that interested components can listen to their opening/closing. - Allow to set mode in `AposWidget` component through props. - Add batch operations to pages. - Add shortcuts to pages manager. - Add `replaces` (boolean, `false` by default) option to the context operation definition (registered via `apos.doc.addContextOperation()`) to allow the operation to require a replace confirmation before being executed. The user confirmation results in the Editor modal being closed and the operation being executed. The operation is not executed if the user cancels the confirmation. ### Changes - Wait for notify before navigating to a new page. - Send also `checkedTypes` via the pages body toolbar operations (e.g. 'batch') to the modal. ### Fixes - Fix link to pages in rich-text not showing UI to select page during edit. - Bumps `uploadfs` dependency to ensure `.tar.gz`, `.tgz` and `.gz` files uploaded to S3 download without double-gzipping. This resolves the issue for new uploads. - Registering duplicate icon is no longer breaking the build. - Fix widget focus state so that the in-context Add Content menu stays visible during animation - Fix UI of areas in schemas so that their context menus are layered overtop sibling schema fields UI - Fix unhandled promise rejections and guard against potential memory leaks, remove 3rd party `debounce-async` dependency - Adds an option to center the context menu arrow on the button icon. Sets this new option on some context menus in the admin UI. - Fixes the update function of `AposSlatLists` so that elements are properly reordered on drag ## 4.6.1 (2024-08-26) ### Fixes - Registering duplicate icon is no longer breaking the build. - Fix widget focus state so that the in-context Add Content menu stays visible during animation. - Fix UI of areas in schemas so that their context menus are layered overtop sibling schema fields UI. ### Removes - Inline array option for `alwaysOpen` replaced with UI toggles ## 4.6.0 (2024-08-08) ### Adds - Add a locale switcher in pieces and pages editor modals. This is available for localized documents only, and allows you to switch between locales for the same document. The locale can be switched at only one level, meaning that sub documents of a document that already switched locale will not be able to switch locale itself. - Adds visual focus states and keyboard handlers for engaging with areas and widgets in-context - Adds method `simulateRelationshipsFromStorage` method in schema module. This method populates the relationship field with just enough information to allow convert to accept it. It does not fully fetch the related documents. It does the opposite of prepareForStorage. - A new options object has been added to the convert method. Setting the `fetchRelationships` option to false will prevent convert from actually fetching relationships to check which related documents currently exist. The shape of the relationship field is still validated. ### Changes - Refactors Admin UI SASS to eliminate deprecation warnings from declarations coming after nested rules. - Bumps the sass-loader version and adds a webpack option to suppress mixed declaration deprecation warnings to be removed when all modules are updated. - Add `title` and `_url` to select all projection. - Display `Select all` message on all pages in the manager modal. - Refresh `checked` in manager modal after archive action. - Update `@apostrophecms/emulate-mongo-3-driver` dependency to keep supporting `mongodb@3.x` queries while using `mongodb@6.x`. - Updates rich text link tool's keyboard key detection strategy. - Buttons that appear on slats (preview, edit crop/relationship, remove) are visually focusable and keyboard accessible. - Added tooltip for update button. Thanks to [gkumar9891](https://github.com/gkumar9891) for this addition. ### Fixes - Fixes the rendering of conditional fields in arrays where the `inline: true` option is used. - Fixes the rich text link tool's detection and display of the Remove Link button for removing existing links - Fixes the rich text link tool's detection and display of Apostrophe Page relationship field. - Overriding standard Vue.js components with `editorModal` and `managerModal` are now applied all the time. - Accommodate old-style replica set URIs with comma-separated servers by passing any MongoDB URIs that Node.js cannot parse directly to the MongoDB driver, and avoiding unnecessary parsing of the URI in general. - Bump `oembetter` dependency to guarantee compatibility with YouTube. YouTube recently deployed broken `link rel="undefined"` tags on some of their video pages. - It is now possible to see the right filename and line number when debugging the admin UI build in the browser. This is automatically disabled when `@apostrophecms/security-headers` is installed, because its defaults are incompatible by design. ## 4.5.4 (2024-07-22) ### Fixes - Add a default projection to ancestors of search results in order to load a reasonable amount of data and avoid request timeouts. ## 4.5.3 (2024-07-17) ### Fixes - Enhanced media selection with touchpad on Windows by extending focus timeout. ## 4.5.2 (2024-07-11) ### Fixes - Ensure that `apos.doc.walk` never gets caught in an infinite loop even if circular references are present in the data. This is a hotfix for an issue that can arise when the new support for breadcrumbs in search results is combined with a more inclusive projection for page ancestors. - Correct a longstanding bug in `apos.doc.walk` that led items to be listed twice in the `ancestors` array passed to the iterator. - Correct a longstanding bug in `apos.doc.walk` that led ancestors that are themselves arrays to be misrepresented as a series of objects in the `ancestors` array passed to the iterator. - For additional guarantees of reliability the `_dotPath` and `_ancestors` arguments to `apos.doc.walk`, which were always clearly documented as for internal use only, can no longer be passed in externally. ## 4.5.1 (2024-07-11) ### Changes - Allow tiptap rich-text widget to open modals for images and links without closing the toolbar. ## 4.5.0 (2024-07-10) ### Adds - Allow to disable shortcut by setting the option `shortcut: false` - Adds a new color picker tool for the rich-text-widget toolbar that matches the existing `color` schema field. This also adds the same `pickerOptions` and `format` options to the rich-text-widget configuration that exist in the `color` schema field. - Add missing UI translation keys. - Infite scroll in media manager instead of pagination and related search fixes. - Improves loaders by using new `AposLoadingBlock` that uses `AposLoading` instead of the purple screen in media manager. - Select the configured aspect ratio and add `data-apos-field` attributes to the fields inside `AposImageRelationshipEditor.vue`. - Add `getShowAdminBar` method. This method can be overriden in projects to drive the admin bar visibility for logged-in users. ### Fixes - Removes unnecessary, broadly applied line-height setting that may cause logged-in vs logged-out visual discrepencies. - Remove double GET request when saving image update. - Fix filter menu forgetting selecting filters and not instantiating them. - Remove blur emit for filter buttons and search bar to avoid re requesting when clicking outside… - `this.modified` was not working properly (set to false when saving). We can now avoid to reload images when saving no changes. - In media manager images checkboxes are disabled when max is reached. - In media manager when updating an image or archiving, update the list instead of fetching and update checked documents to see changes in the right panel selected list. - The `password` field type now has a proper fallback default, the empty string, just like the string field type and its derivatives. This resolves bugs in which the unexpected `null` caused problems during validation. This bug was old, but was masked in some situations until the release of version `4.4.3`. - Identify and mark server validation errors in the admin UI. This helps editors identify already existing data fields, having validation errors when schema changes (e.g. optional field becomes required). - Removes `menu-offset` props that were causing `AposContextMenu` to not display properly. - Allows to pass a number or an array to `AposContextMenu` to set the offset of the context menu (main and cross axis see `floating-ui` documentation). - Fixes the relationship fields not having the data when coming from the relationship modal. - Fixes watch on `checkedDocs` passed to `AposSlatList` not being reactive and not seeing updated relationship fields. - Adds styles for 1 column expanded area ([#4608](https://github.com/apostrophecms/apostrophe/issues/4608)) - Fixes weird slug computations based on followed values like title. Simplifies based on the new tech design. - Prevent broken admin UI when there is a missing widget. - Fixes media manager not loading images when last infinite scroll page have been reached (when uploading image for example). - Upgrade oembetter versions to allow all vimeo urls. ### Changes - Update `Choose Images` selection behavior. When choosing images as part of a relationship, you click on the image or checkbox to add the image to the selection. If a max is set to allow only one image, clicking on the selected image will remove it from the selection. Clicking on another image will update the selection with the newly clicked image. If a max is set to allow multiple images, you can remove images from the selection by using the checkbox. Clicking on the image will bring the image schema in the right panel. You can upload images even if the max has been reached. We will append the uploaded images to the existing selection up to the max if any. - Update `@apostrophecms/emulate-mongo-3-driver` dependency to keep supporting `mongodb@3.x` queries while using `mongodb@6.x`. ## 4.4.3 (2024-06-17) ### Fixes - Do not use schema `field.def` when calling `convert`. Applying defaults to new documents is the job of `newInstance()` and similar code. If you wish a field to be mandatory use `required: true`. - As a convenience, using `POST` for pieces and pages with `_newInstance: true` keeps any additional `req.body` properties in the API response. This feature unofficially existed before, it is now supported. - Rollbacks watcher on `checked` array. Fixes, checked docs not being properly updated. ## 4.4.2 (2024-06-14) ### Fixes - Hotfix: the new `_parent` property of pieces, which refers to the same piece page as `_parentUrl`, is now a carefully pruned subset to avoid the risk of infinite recursion when the piece page has a relationship to a piece. Those who want `_parent` to be more complete can extend the new `pruneParent` method of the relevant piece page module. This regression was introduced in version 4.4.0. ## 4.4.1 (2024-06-12) ### Fixes - Depend on `stylelint-config-apostrophe` properly via npm, not github. ## 4.4.0 (2024-06-12) ### Adds - Adds a pinia store to handle modals logic. - Methods from the store are registered on `apos.modal` instead of methods from `TheAposModals` component. - No more need to emit `safe-close` when defining an `AposModal`, modal is automatically resolved when closed. - Adds field components access to the reactive document value. - Expose `AposContextMenu` owned method for re-calculation of the content position. - Field Meta components of `slug` and `string` types can now fire `replace-field-value` events with text value payload, which will replace the respective field value. - `AposInputString` now accepts a `rows` prop, in effect only when `field.textarea` is set to `true`. - Add `T,S` shortcut to open the Personal Settings. - Add `T,D` shortcut to open the Submitted Drafts. - Add a scrollbar to the shortcut list. - Add breadcrumbs to search results page. - Pages relationships have now their checkboxes disabled when max is reached. ### Changes - Improves widget tabs for the hidden entries, improves UX when validation errors are present in non-focused tabs. - When moving a page, recognize when the slug of a new child already contains the new parent's slug and not double it. For example, given we have two pages as children of the home page, page A and page B. Page A and page B are siblings. Page A has the slug `/peer` and page B has the slug `/peer/page`. Now we want page B to be the child of page A. We will now end up with page B slug as `/peer/page` and not `/peer/peer/page` as before. - `AposSpinner` now respects the colors for `heavy` weight mode and also accepts second, "light" color in this mode. Props JSDoc blocks are added. - `AposContextMenu` now respects the `menuOffset` component property. - Set `G,Shift+I` shortcut to open the Image Tags manager modal. - Set `G,Shift+F` shortcut to open the File Tags manager modal. - Remove slug from suggestion for images. - Increase suggestion search image size to 50px. - For suggestions with image, keep title on a single line and truncate title field with `...` when it hits the right side. ### Fixes - Rich Text editor properly unsets marks on heading close. - Widget client side schema validation. - Allow `G,Shift+I` shortcut style. - Detect shortcut conflicts when using multiple shortcuts. - Updating schema fields as read-only no longer reset the value when updating the document. - Fixes stylelint config file, uses config from our shared configuration, fixes all lint errors. - Fixes `TheAposCommandMenu` modals not computing shortcuts from the current opened modal. - Fixes select boxes of relationships, we can now check manually published relationships, and `AposSlatList` renders properly checked relationships. - Fixes issues in `AposInputArray` on production build to be able to add, remove and edit array items after `required` error. - Relationships browse button isn't disabled when max is reached. - In media manager images checkboxes are disabled when max is reached. ## 4.3.3 (2024-06-04) ### Fixes - Removes `$nextTick` use to re render schema in `AposArrayEditor` because it was triggering weird vue error in production. Instead, makes the AposSchema for loop keys more unique using `modelValue.data._id`, if document changes it re-renders schema fields. - In media manager image checkboxes are disabled when max is reached. - Fixes tiptap bubble menu jumping on Firefox when clicking on buttons. Also fixes the fact that double clicking on bubble menu out of buttons would prevent it from closing when unfocusing the rich text area. - In media manager images checkboxes are disabled when max is reached. - Makes the final fields accessible in the media manager right rail. ## 4.3.2 (2024-05-18) ### Fixes - Corrects a regression introduced in version 4.3.0 that broke the validation of widget modals, resulting in a confusing error on the page. A "required" field in a widget, for instance, once again blocks the save operation properly. ### Changes - Improves widget tab UI for the hidden entries, improves UX when validation errors are present in non-focused tabs. ## 4.3.1 (2024-05-17) ### Fixes - Databases containing documents that no longer correspond to any module no longer cause the migration that adds missing mode properties to fail (an issue introduced in version 4.2.0). Databases with no such "orphaned" documents were not affected. ## 4.3.0 (2024-05-15) ### Adds - Allows to disable page refresh on content changed for page types. - Widget editor can now have tabs. - Adds prop to `AposInputMixin` to disable blur emit. - Adds `throttle` function in ui module utils. - Adds a `publicBundle` option to `@apostrophecms/asset`. When set to `false`, the `ui/src` public asset bundle is not built at all in most cases except as part of the admin UI bundle which depends on it. For use with external front ends such as [apostrophe-astro](https://github.com/apostrophecms/apostrophe-astro). Thanks to Michelin for contributing this feature. ### Fixes - Do not show widget editor tabs when the developer hasn't created any groups. - `npm link` now works again for Apostrophe modules that are dependencies of a project. - Re-crop image attachments found in image widgets, etc. when replacing an image in the Media Manager. - Fixes visual transitions between modals, as well as slider transition on overlay opacity. - Changing the aspect ratio multiple times in the image cropper modal no longer makes the stencil smaller and smaller. ### Changes - Improves `debounce` function to handle async properly (waiting for previous async call to finish before triggering a new one). - Adds the `copyOfId` property to be passed to the `apos.doc.edit()` method, while still allowing the entire `copyOf` object for backwards compatibility. ### Fixes ## 4.2.1 (2024-04-29) ### Fixes - Fixes drag and drop regression in the page tree where pages were not able to be moved between parent and child. ## 4.2.0 (2024-04-18) - Typing a `/` in the title field of a page no longer confuses the slug field. Thanks to [Gauav Kumar](https://github.com/gkumar9891). ### Changes - Rich text styles are now split into Nodes and Marks, with independent toolbar controls for a better user experience when applying text styles. There is no change in how the `styles` option is configured. - Rich text style labels are fully localized. - `i18n` module now uses the regular `req.redirect` instead of a direct `res.redirect` to ensure redirection, enabling more possibilities for `@apostrophecms/redirect` module - Refactors `AposModal` component with composition api to get rid of duplicated code in `AposFocusMixin` and `AposFocus`. - `APOS_MONGODB_LOG_LEVEL` has been removed. According to [mongodb documentation](https://github.com/mongodb/node-mongodb-native/blob/main/etc/notes/CHANGES_5.0.0.md#mongoclientoptionslogger-and-mongoclientoptionsloglevel-removed) "Both the logger and the logLevel options had no effect and have been removed." - Update `connect-mongo` to `5.x`. Add `@apostrophecms/emulate-mongo-3-driver` dependency to keep supporting `mongodb@3.x` queries while using `mongodb@6.x`. ### Fixes - Updates the docs `beforeInsert` handler to avoid ending with different modes being set between `_id`, `aposLocale` and `aposMode`. - Adds a migration to fix potential corrupted data having different modes set between `_id`, `aposLocale` and `aposMode`. - Fix a crash in `notification` when `req.body` was not present. Thanks to Michelin for contributing this fix. - Addresses a console error observed when opening and closing the `@apostrophecms-pro/palette` module across various projects. - Fixes the color picker field in `@apostrophecms-pro/palette` module. - Ensures that the `data-apos-test` attribute in the admin bar's tray item buttons is set by passing the `action` prop to `AposButton`. - Prevents stripping of query parameters from the URL when the page is either switched to edit mode or reloaded while in edit mode. - Add the missing `metaType` property to newly inserted widgets. ### Security - New passwords are now hashed with `scrypt`, the best password hash available in the Node.js core `crypto` module, following guidance from [OWASP](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html). This reduces login time while improving overall security. - Old passwords are automatically re-hashed with `scrypt` on the next successful login attempt, which adds some delay to that next attempt, but speeds them up forever after compared to the old implementation. - Custom `scrypt` parameters for password hashing can be passed to the `@apostrophecms/user` module via the `scrypt` option. See the [Node.js documentation for `scrypt`]. Note that the `maxmem` parameter is computed automatically based on the other parameters. ## 4.1.1 (2024-03-21) ### Fixes - Hotfix for a bug that broke the rich text editor when the rich text widget has a `styles` property. The bug was introduced in 4.0.0 as an indirect side effect of deeper watching behavior by Vue 3. ## 4.1.0 (2024-03-20) ### Fixes - Don't crash if a document of a type no longer corresponding to any module is present together with the advanced permission module. - AposLoginForm.js now pulls its schema from the user module rather than hardcoding it. Includes the addition of `enterUsername` and `enterPassword` i18n fields for front end customization and localization. - Simulated Express requests returned by `apos.task.getReq` now include a `req.headers` property, for greater accuracy and to prevent unexpected bugs in other code. - Fix the missing attachment icon. The responsibility for checking whether an attachment actually exists before calling `attachment.url` still lies with the developer. ### Adds - Add new `getChanges` method to the schema module to get an array of document changed field names instead of just a boolean like does the `isEqual` method. - Add highlight class in UI when comparing documents. ## 4.0.0 (2024-03-12) ### Adds - Add Marks tool to the Rich Text widget for handling toggling marks. - Add translation keys used by the multisite assembly module. - Add side by side comparison support in AposSchema component. - Add `beforeLocalize` and `afterLocalize` events. - Add custom manager indicators support via `apos.schema.addManagerIndicator({ component, props, if })`. The component registered this way will be automatically rendered in the manager modal. - Add the possibility to make widget modals wider, which can be useful for widgets that contain areas taking significant space. See [documentation](https://v3.docs.apostrophecms.org/reference/modules/widget-type.html#options). - Temporarily add `translation` module to support document translations via the `@apostrophecms-pro/automatic-translation` module. **The `translation` core module may be removed or refactored to reduce overhead in the core,** so its presence should not be relied upon. ### Changes - Migrate to Vue 3. This entails changes to some admin UI code, as detailed in our public announcement. There are no other backwards incompatible changes in apostrophe version 4.0.0. Certain other modules containing custom admin UI have also been updated in a new major version to be compatible, as noted in our announcement and on the migration page of our website. ### Fixes - Adds `textStyle` to Tiptap types so that spans are rendered on RT initialization - `field.help` and `field.htmlHelp` are now correctly translated when displayed in a tooltip. - Bump the `he` package to most recent version. - Notification REST APIs should not directly return the result of MongoDB operations. ## 3.63.2 (2024-03-01) ### Security - Always validate that method names passed to the `external-condition` API actually appear in `if` or `requiredIf` clauses for the field in question. This fix addresses a serious security risk in which arbitrary methods of Apostrophe modules could be called over the network, without arguments, and the results returned to the caller. While the lack of arguments mitigates the data exfiltration risk, it is possible to cause data loss by invoking the right method. Therefore this is an urgent upgrade for all Apostrophe 3.x users. Our thanks to the Michelin penetration test red team for disclosing this vulnerability. All are welcome to disclose security vulnerabilities in ApostropheCMS code via [security@apostrophecms.com](mailto:security@apostrophecms.com). - Disable the `alwaysIframe` query parameter of the oembed proxy. This feature was never used in Apostrophe core, and could be misused to carry out arbitrary GET requests in the context of an iframe, although it could not be used to exfiltrate any information other than the success or failure of the request, and the request was still performed by the user's browser only. Thanks to the Michelin team. - Remove vestigial A2 code relating to polymorphic relationship fields. The code in question had no relevance to the way such a feature would be implemented in A3, and could be used to cause a denial of service by crashing and restarting the process. Thanks to the Michelin team. ## 3.63.1 (2024-02-22) ### Security - Bump dependency on `sanitize-html` to `^2.12.1` at a minimum, to ensure that `npm update apostrophe` is sufficient to guarantee a security update is installed. This security update prevents specially crafted HTML documents from revealing the existence or non-existence of files on the server. The vulnerability did not expose any other information about those files. Thanks to the [Snyk Security team](https://snyk.io/) for the disclosure and to [Dylan Armstrong](https://dylan.is/) for the fix. ## 3.63.0 (2024-02-21) ### Adds - Adds a `launder` method to the `slug` schema field query builder to allow for use in API queries. - Adds support for browsing specific pages in a relationship field when `withType` is set to a page type, like `@apostrophecms/home-page`, `default-page`, `article-page`... - Add support for `canCreate`, `canPreview` & `canShareDraft` in context operations conditions. - Add support for `canCreate`, `canEdit`, `canArchive` & `canPublish` in utility operations definitions. - Add `uponSubmit` requirement in the `@apostrophecms/login` module. `uponSubmit` requirements are checked each time the user submit the login form. See the documentation for more information. - Add field metadata feature, where every module can add metadata to fields via public API offered by `apos.doc.setMeta()`, `apos.doc.getMeta()`, `apos.doc.getMetaPath()` and `apos.doc.removeMeta()`. The metadata is stored in the database and can be used to store additional information about a field. - Add new `apos.schema.addFieldMetadataComponent(namespace, component)` method to allow adding custom components. They have access to the server-side added field metadata and can decide to show indicators on the admin UI fields. Currently supported fields are "string", "slug", "array", "object" and "area". ### Fixes - When deleting a draft document, we remove related reverse IDs of documents having a relation to the deleted one. - Fix publishing or moving published page after a draft page on the same tree level to work as expected. - Check create permissions on create keyboard shortcut. - Copy requires create and edit permission. - Display a more informative error message when publishing a page because the parent page is not published and the current user has no permission to publish the parent page (while having permission to publish the current one). - The `content-changed` event for the submit draft action now uses a complete document. - Fix the context bar overlap on palette for non-admin users that have the permission to modify it. - Show widget icons in the editor area context menu. ### Changes - Share Drafts modal styles made larger and it's toggle input has a larger hitbox. ## 3.62.0 (2024-01-25) ### Adds - Adds support for `type` query parameter for page autocomplete. This allows to filter the results by page type. Example: `/api/v1/@apostrophecms/page?autocomplete=something&type=my-page-type`. - Add testing for the `float` schema field query builder. - Add testing for the `integer` schema field query builder. - Add support for link HTML attributes in the rich text widget via configurable fields `linkFields`, extendable on a project level (same as it's done for `fields`). Add an `htmlAttribute` property to the standard fields that map directly to an HTML attribute, except `href` (see special case below), and set it accordingly, even if it is the same as the field name. Setting `htmlAttribute: 'href'` is not allowed and will throw a schema validation exception (on application boot). - Adds support in `can` and `criteria` methods for `create` and `delete`. - Changes support for image upload from `canEdit` to `canCreate`. - The media manager is compatible with per-doc permissions granted via the `@apostrophecms-pro/advanced-permission` module. - In inline arrays, the trash icon has been replaced by a close icon. ### Fixes - Fix the `launder` and `finalize` methods of the `float` schema field query builder. - Fix the `launder` and `finalize` methods of the `integer` schema field query builder. - A user who has permission to `publish` a particular page should always be allowed to insert it into the published version of the site even if they could not otherwise insert a child of the published parent. - Display the "Browse" button in a relationship inside an inline array. ## 3.61.1 (2023-01-08) ### Fixes - Pinned Vue dependency to 2.7.15. Released on December 24th, Vue 2.7.16 broke the rich text toolbar in Apostrophe. ## 3.61.0 (2023-12-21) ### Adds - Add a `validate` method to the `url` field type to allow the use of the `pattern` property. - Add `autocomplete` attribute to schema fields that implement it (cf. [HTML attribute: autocomplete](https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/autocomplete)). - Add the `delete` method to the `@apostrophecms/cache` module so we don't have to rely on direct MongoDB manipulation to remove a cache item. - Adds tag property to fields in order to show a tag next to the field title (used in advanced permission for the admin field). Adds new sensitive label color. - Pass on the module name and the full, namespaced template name to external front ends, e.g. Astro. Also make this information available to other related methods for future and project-level use. - Fixes the AposCheckbox component to be used more easily standalone, accepts a single model value instead of an array. ### Fixes - Fix `date` schema field query builder to work with arrays. - Fix `if` on pages. When you open the `AposDocEditor` modal on pages, you now see an up to date view of the visible fields. - Pass on complete annotation information for nested areas when adding or editing a nested widget using an external front, like Astro. - We can now close the image modal in rich-text widgets when we click outside of the modal. The click on the cancel button now works too. - Fixes the `clearLoginAttempts` method to work with the new `@apostrophecms/cache` module `delete` method. ## 3.60.1 (2023-12-06) ### Fixes - corrected an issue where the use of the doc template library can result in errors at startup when replicating certain content to new locales. This was not a bug in the doc template library. Apostrophe was not invoking `findForEditing` where it should have. ## 3.60.0 (2023-11-29) ### Adds - Add the possibility to add custom classes to notifications. Setting the `apos-notification--hidden` class will hide the notification, which can be useful when we only care about the event carried by it. - Give the possibility to add horizontal rules from the insert menu of the rich text editor with the following widget option: `insert: [ 'horizontalRule' ]`. Improve also the UX to focus back the editor after inserting a horizontal rule or a table. ### Fixes - The `render-widget` route now provides an `options` property on the widget, so that schema-level options of the widget are available to the external front end when rendering a newly added or edited widget in the editor. Note that when rendering a full page, this information is already available on the parent area: `area.options.widgets[widget.type]` - Pages inserted directly in the published mode are now given a correct `lastPublishedAt` property, correcting several bugs relating to the page tree. - A migration has been added to introduce `lastPublishedAt` wherever it is missing for existing pages. - Fixed a bug that prevented page ranks from renumbering properly during "insert after" operations. - Added a one-time migration to make existing page ranks unique among peers. - Fixes conditional fields not being properly updated when switching items in array editor. - The `beforeSend` event for pages and the loading of deferred widgets are now handled in `renderPage` with the proper timing so that areas can be annotated successfully for "external front" use. - The external front now receives 100% of the serialization-friendly data that Nunjucks receives, including the `home` property etc. Note that the responsibility to avoid passing any nonserializable or excessively large data in `req.data` falls on the developer when choosing to use the `apos-external-front` feature. - Wraps the group label in the expanded preview menu component in `$t()` to allow translation ## 3.59.1 (2023-11-14) ### Fixes - Fix `if` and `requiredIf` fields inside arrays. With regard to `if`, this is a hotfix for a regression introduced in 3.59.0. ## 3.59.0 (2023-11-03) ### Changes - Webpack warnings about package size during the admin UI build process have been turned off by default. Warnings are still enabled for the public build, where a large bundle can be problematic for SEO. ### Fixes - Apostrophe warns you if you have more than one piece page for the same piece type and you have not overridden `chooseParentPage` to help Apostrophe decide which page is suitable as the `_url` of each piece. Beginning with this release, Apostrophe can recognize when you have chosen to do this via `extendMethods`, so that you can call `_super()` to fall back to the default implementation without receiving this warning. The default implementation still just returns the first page found, but always following the `_super()` pattern here opens the door to npm modules that `improve` `@apostrophecms/piece-page` to do something more sophisticated by default. - `newInstance` always returns a reasonable non-null empty value for area and object fields in case the document is inserted without being passed through the editor, e.g. in a parked page like the home page. This simplifies the new external front feature. ### Adds - An adapter for Astro is under development with support from Michelin. Starting with this release, adapters for external fronts, i.e. "back for front" frameworks such as Astro, may now be implemented more easily. Apostrophe recognizes the `x-requested-with: AposExternalFront` header and the `apos-external-front-key` header. If both are present and `apos-external-front-key` matches the `APOS_EXTERNAL_FRONT_KEY` environment variable, then Apostrophe returns JSON in place of a normal page response. This mechanism is also available for the `render-widget` route. - Like `type`, `metaType` is always included in projections. This helps ensure that `apos.util.getManagerOf()` can be used on any object returned by the Apostrophe APIs. ## 3.58.1 (2023-10-18) ### Security - Update `uploadfs` to guarantee users get a fix for a [potential security vulnerability in `sharp`](https://security.snyk.io/vuln/SNYK-JS-SHARP-5922108). This was theoretically exploitable only by users with permission to upload media to Apostrophe - Remove the webpack bundle analyzer feature, which had been nonfunctional for some time, to address a harmless npm audit warning - Note: there is one remaining `npm audit` warning regarding `postcss`. This is not a true vulnerability because only developers with access to the entire codebase can modify styles passed to `postcss` by Apostrophe, but we are working with upstream developers to determine the best steps to clear the warning ### Fixes - Automatically add `type` to the projection only if there are no exclusions in the projection. Needed to prevent `Cannot do exclusion on field in inclusion projection` error. ## 3.58.0 (2023-10-12) ### Fixes - Ensure Apostrophe can make appropriate checks by always including `type` in the projection even if it is not explicitly listed. - Never try to annotate a widget with permissions the way we annotate a document, even if the widget is simulating a document. - The `areas` query builder now works properly when an array of area names has been specified. ### Adds - Widget schema can now follow the parent schema via the similar to introduced in the `array` field type syntax (`<` prefix). In order a parent followed field to be available to the widget schema, the area field should follow it. For example, if area follows the root schema `title` field via `following: ['title']`, any field from a widget schema inside that area can do `following: ['