Apostrophe 3 Beta 3

[agilbert]

Hi everyone, this week we published Apostrophe 3 Beta 3.

This is planned to be our last Beta release before 3.0.

This cycle we continued to focus on bug fixing, with one notable enhancement being the upgrade of our rich text editor to use tiptap 2. Excited to continue buttoning things up over the next two weeks in preparation for the 3.0 release, after which we'll be focusing quite a bit on migrating critical extensions from 2.x as well as additional enhancements for the editing tools.

Apostrophe 3.0.0-beta.3

Security Fixes

The nlbr and nlp Nunjucks filters marked their output as safe to preserve the tags that they added, without first escaping their input, creating a CSRF risk. These filters have been updated to escape their input unless it has already been marked safe. No code changes are required to templates whose input to the filter is intended as plaintext, however if you were intentionally leveraging this bug to output unescaped HTML markup you will need to make sure your input is free of CSRF risks and then use the | safe filter before the | nlbr or | nlp filter.

Adds

• Added the ignoreUnusedFolderWarning option for modules that intentionally might not be activated or inherited from in a particular startup.
• Better explanation of how to replace macros with fragments, in particular how to call the fragments with {% render fragmentName(args) %}.

Fixes

• Temporarily pinned to Vue 2.6.12 to fix an issue where the "New" button in the piece manager modals disappeared. We think this is a bug in the newly released Vue 2.6.13 but we are continuing to research it.
• Updated dependencies on sanitize-html and nodemailer to new major versions, causing no bc breaks at the ApostropheCMS level. This resolved two critical vulnerabilities according to npm audit.
• Removed many unused dependencies.
• The data retained for "Undo Publish" no longer causes slug conflicts in certain situations.
• Custom piece types using localized: false or autopublish: true, as well as singleton types, now display the correct options on the "Save" dropdown.
• The "Save and View," "Publish and View" and/or "Save Draft and Preview" options now appear only if an appropriate piece page actually exists for the piece type.
• Duplicating a widget now properly assigns new IDs to all copied sub-widgets, sub-areas and array items as well.
• Added the ignoreUnusedFolderWarning option for modules that intentionally might not be activated or inherited from in a particular startup.
• If you refresh the page while previewing or editing, you will be returned to that same state.

Notices

• Numerous npm audit vulnerabily warnings relating to postcss 7.x were examined, however it was determined that these are based on the idea of a malicious SASS coder attempting to cause a denial of service. Apostrophe developers would in any case be able to contribute JavaScript as well and so are already expected to be trusted parties. This issue must be resolved upstream in packages including both stylelint and vue-loader which have considerable work to do before supporting postcss 8.x, and in any case public access to write SASS is not part of the attack surface of Apostrophe.

Changes

• When logging out on a page that only exists in draft form, or a page with access controls, you are redirected to the home page rather than seeing a 404 message.
• Rich text editor upgraded to tiptap 2.x beta 🎉. On the surface not a lot has changed with the upgrade, but tiptap 2 has big improvements in terms of speed, composability, and extension support. See the technical differences of tiptap 1 and 2 here

Apostrophe 2.120

apostrophe (core) 2.120.0

• Adds autoCommitPageMoves flag in workflow to commit all page moves automatically, manages error notification.

apostrophe-multisite 2.11.1

• Do not crash on missing Host header.
• Fix issue with the "copy site" feature in certain versions of the mongorestore utility.

apostrophe-cli 2.3.7

• Updates hosted-git-info for a vulnerability warning.

apostrophe-workflow 2.39.0

• Adds autoCommitPageMoves flag to commit all page moves automatically.

Have a great weekend ✌️