
Pro 9551 apos astro v2 #5441
Open
BoDonkey wants to merge 39 commits into main from pro-9551-apos-astro-v2

Pro 9551 apos astro v2#5441
BoDonkey wants to merge 39 commits into
mainfrom
pro-9551-apos-astro-v2

Conversation

@BoDonkey

@BoDonkey BoDonkey commented Jun 4, 2026

Contributor

Please indicate which branch this PR should merge into:

Check one

  • main

  • latest

  • stable

  • Check if this PR will be resubmitted against another branch

Summary

Summarize the changes briefly, including which issue/ticket this resolves. If it closes an existing Github issue, include "Closes #[issue number]"

This PR introduces a major version update to the apostrophe-astro package to make it compatible with Astro v6. It maintains BC with v5. It is also a significant refactoring of helpers to provide a more viable architecture for moving forward. It has been tested for SSR and static build generation with the latest versions of both v5 and v6. Closes PRO-9551.

What are the specific steps to test this change?

For example:

  1. Run the website and log in as an admin
  2. Open a piece manager modal and select several pieces
  3. Click the "Archive" button on the top left of the manager and confirm that it should proceed
  4. Check that all pieces have been archived properly

What kind of change does this PR introduce?

(Check at least one)

  • Bug fix
  • New feature
  • Refactor
  • Documentation
  • Build-related changes
  • Other

Make sure the PR fulfills these requirements:

  • It includes a) the existing issue ID being resolved, b) a convincing reason for adding this feature, or c) a clear description of the bug it resolves
  • The changelog is updated
  • Related documentation has been updated
  • Related tests have been updated

If adding a new feature without an already open issue, it's best to open a feature request issue first and wait for approval before working on it.

Other information:

@BoDonkey BoDonkey requested a review from myovchev June 4, 2026 12:14
@linear

linear Bot commented Jun 4, 2026


PRO-9551

@haroun

haroun commented Jun 4, 2026

Contributor

@BoDonkey Any plans to update undici? Asking because undici 6 is supported for Node.js 18, 20, 21, 22 only. No support for 24 or 26. It works, but Node.js 24 ships with undici 7.x by default.

Undici version | Bundled in Node.js | Node.js versions supported       | End of life
5.x            | 18.x               | ≥14.0 (tested: 14, 16, 18)       | 2024-04-30
6.x            | 20.x, 22.x         | ≥18.17 (tested: 18, 20, 21, 22)  | 2027-04-30
7.x            | 24.x               | ≥20.18.1 (tested: 20, 22, 24)    | 2028-04-30
8.x            | 26.x               | ≥22.19.0 (tested: 22, 24, 26)    | 2029-04-30

source: https://undici.nodejs.org/#/?id=long-term-support

Astro 6 also now requires Node 22 or later, dropping support for Node 18 and Node 20, which have reached or are approaching end-of-life. Node 22 is faster, more secure, and lets us drop polyfills for older Node versions — resulting in a smaller, more maintainable package and better performance in Astro across the board.

source: https://astro.build/blog/astro-6/

Vite now requires Node.js 20.19+, 22.12+. We have dropped Node.js 18, now that it has reached its EOL at the end of April 2025.

source: https://vite.dev/blog/announcing-vite7#node-js-support

@BoDonkey

BoDonkey commented Jun 4, 2026

Contributor Author

Thanks for this! We are also handling another issue between 24 and 25, so I will update this before the release.

@myovchev myovchev left a comment

Contributor


There are some minor issues. Also, I think the big library page request handler refactoring is unnecessary - it's not a helper, it's an internal lib that we need to reach in our starter kit (or that manually integrating projects would need as a bootstrap). Probably no need for risky refactoring when we can just re-export it.

We should rethink the major release bump. Currently we re-export a bunch of old exports for "BC reasons".
We could probably do that for the rest (marking them again as deprecated) so that we match the exact shape of the things before the helpers refactoring, assuming there are no conflicts. Then we can remove the export map in package.json and just publish it as a major bump - the other changes are internal implementation details.

* ---
* ```
*/
export async function aposPageFetch(req) {
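
Review bot: the JSDoc block that closes just above documents `aposPageFetch(req)` as if it were public API, yet nothing visible marks it internal. Add an `@internal` tag and a plain "for internal use only" line inside that comment, directly above `export async function aposPageFetch(req) {`, so doc generators and editor tooling stop surfacing it and `aposFetch` stays the documented entry point. If the function exists only for the project's entry page, a plain re-export from `lib/` avoids widening the public surface at all.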

Contributor


This should not be part of public documentation and should have explicit "for internal use only" here.
I understand why it's refactored and why here - the slug.astro in projects probably uses it. However, it's meant to be used only there, in our entrypoint. aposFetch is the tool that can be exposed for developers.

I'd argue that this refactoring makes no sense - we can just re-export it from lib/ (it is indeed an internal thing) - similar to what we do for static.

Comment thread packages/apostrophe-astro/package.json Outdated
"types": "./types/helpers/universal/index.d.ts",
"default": "./helpers/universal/index.js"
},
"./helpers/client": {
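
Review bot: the `./helpers/client` subpath is declared with `types` and `default` targets even though, per the review, the files behind it are empty. A listed subpath is public API under semver and cannot be dropped later without another major, so either remove the entry until browser-only helpers exist or document it as reserved. Note also that once `exports` is present, any path not listed in it (for example the `./lib/...` and `./helpers/index.js` paths kept for BC) stops resolving for consumers; the legacy paths must be listed explicitly or the map removed as discussed above.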

Contributor


We probably don't need that (and the empty index.js and types). I think we can document that it's reserved for client side only (browser) helpers.

Comment thread packages/apostrophe-astro/lib/static.js Outdated
const CACHE_DIR = join(process.cwd(), 'node_modules', '.apostrophe-astro');
const CONFIG_CACHE = join(CACHE_DIR, '_config.json');
const ATTACHMENTS_CACHE = join(CACHE_DIR, '_attachments.json');
let cacheDir = join(process.cwd(), 'node_modules', '.apostrophe-astro-static');
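
Review bot: two cache locations are declared here, `CACHE_DIR` (`node_modules/.apostrophe-astro`, a `const`) and `cacheDir` (`node_modules/.apostrophe-astro-static`, a `let`), both derived from `process.cwd()` at module load. The working directory is wherever the process was launched, so a build started from a parent directory or a monorepo root writes cache files into the wrong `node_modules` or fails outright. Anchor both on the project root the integration already knows (the Astro config `root`, or the directory holding the project's package.json), and since `cacheDir` is reassignable, validate that any later value still resolves inside that root before writing to it. Also clarify whether both directories are needed or one is stale.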

Contributor


A caution about process.cwd() here - this can break things if process points to the wrong path (not sure if possible though).

@BoDonkey BoDonkey requested a review from myovchev June 6, 2026 11:30

@myovchev myovchev left a comment

Contributor


We still have some export inconsistencies (see the code comments). Additionally:

  • For every legacy export, it should be made clear that this is not the right import path - with dev JSDoc and documentation that also point to the proper import path. For example helpers/index.js should never be used. Same for /lib/xxx - we allow it for BC reasons. I'm not sure if this can be done with JSDoc and @deprecated (because it's just a re-export) but at least the file can have a clear comment that it should never be directly imported from that location.
  • Our starter kits should always showcase the right import paths.

@@ -1,12 +1,12 @@
import config from 'virtual:apostrophe-config';
import config from 'apostrophe-astro-config/config';
import { getAposHost } from './url.js';
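
Review bot: the hunk swaps the Vite virtual module `virtual:apostrophe-config` for the bare specifier `apostrophe-astro-config/config`. A bare specifier is resolved through node_modules and the target package's own exports map, so confirm that such a package (or a Vite alias that provides it) is installed for consumers and that the `/config` subpath is exported; otherwise consumer builds fail at import resolution. Any starter kit or documentation that still references `virtual:apostrophe-config` needs the same change.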

Contributor


/helpers/server/static.js re-exports the lib so that the project can import from /helpers/server; however, helpers/server/fetch.js is now reverted (as requested) but doesn't re-export the lib. This sends mixed signals - the project will import static from helpers but the standard page loading from /lib? I think aposPageFetch() should also be re-exported here.

*/

export { aposFetch, getAposHost, isStaticBuild, getAllStaticPaths, getAllUrlMetadata, getLocales } from './server/index.js';
export { buildPageUrl, getFilterBaseUrl, aposSetQueryParameter, slugify, stylesElements, stylesAttributes, getFocalPoint, getAttachmentUrl, getAttachmentSrcset, getWidth, getHeight } from './universal/index.js';
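
Review bot: these two `export { ... } from` lines re-export the entire server and universal helper surface. If this file is the legacy entry kept only for BC, widening it means every helper added from now on is also reachable through the deprecated path, which defeats the migration. Restrict the list to exactly the names this file exported before the refactor, and open the file with a comment stating that the path is deprecated and which `helpers/server` or `helpers/universal` path replaces each name.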

Contributor


This now re-exports everything. I think it should only re-export what was exported previously.

BoDonkey and others added 16 commits June 18, 2026 09:27
* Corrects documentation links

* correct `guides` -> `guide`
* Security: added a number of new attributes to be protected against unsafe URLs, e.g. javascript: and similar. None of these are used in the default configuration of sanitize-html or apostrophe or likely to be used there, and some attributes, like an action for a form, are inherently unsafe to allow if XSS protection is your goal. Nevertheless it makes sense to block certain URL types where they are not appropriate. Thanks to [crattack](https://github.com/crattack) for reporting the vulnerability.

* changeset

* removed duplicate changeset

* patch the right module
* Latest merge prerelease 2026 05 (#5404)

* Fix choices IDs (#5379)

* Fix choices IDs

* Cleanup dots from ID values

* Update changelog

Co-authored-by: Robert Means <robert@apostrophecms.com>

---------

Co-authored-by: Robert Means <robert@apostrophecms.com>
(cherry picked from commit 9f458b5)

* Bump CLI dependencies (#5383)

(cherry picked from commit a5e1a4a)

* Native browser shortcuts work again (#5384)

(cherry picked from commit b9b32bd)

* Pro 8838 charset (#5385)

* Removes encoding option and comments hardcoded encoding meta

* add changeset

* Response to first comments

(cherry picked from commit 08845c5)

* Log aposResponse errors (#5386)

* log aposResponse errors

* add changeset

---------

Co-authored-by: Harouna Traoré <haroun@users.noreply.github.com>
(cherry picked from commit d45e27f)

* merge back the thanks (#5388)

(cherry picked from commit f3501f4)

* ignore inline table array as draggable ui for windows (#5392)

(cherry picked from commit b360b05)

* Layout focus orchestration (#5393)

(cherry picked from commit 77a2968)

* Bump dependencies (#5398)

* Bump dependencies
* Fix missing test await resulting in random failures

(cherry picked from commit 008417f)

* PRO-9467: remove defunct and nonpublic oembed providers and improve developer control to ensure security in the future (no risk exists today) (#5400)

* PRO-9467: remove defunct and nonpublic oembed providers and improve developer control to ensure security in the future (no risk exists today)

* allow newer twitter domain

* infogr.am still around

* facebook no longer does oembed

(cherry picked from commit e9b3bac)

* Layout editable gap (#5397)

(cherry picked from commit bc8f7be)

* a11y fixes (#5401)

(cherry picked from commit 2e2f3b4)

* clarifications (#5403)

(cherry picked from commit 13f2c69)

---------

Co-authored-by: Miro Yovchev <2827783+myovchev@users.noreply.github.com>
Co-authored-by: Robert Means <robert@apostrophecms.com>
Co-authored-by: haroun <1765606+haroun@users.noreply.github.com>
Co-authored-by: Harouna Traoré <haroun@users.noreply.github.com>
Co-authored-by: Stuart Romanek <stuart@apostrophecms.com>

* Latest security merge (#5407)

* Merge commit from fork

* Fixed arbitrary image URL import vulnerability in rich text import API

* additional reporter

* Merge commit from fork

* Merge commit from fork

* Merge commit from fork

* secure the link URL field of image widgets

* credit

* Merge commit from fork

* fix xmp tag vulnerability

* thanks

* Merge commit from fork

* Security: a malicious full name containing HTML was executed as HTML in the tooltip displayed with an "i" icon next to the title of the current page, creating an XSS attack risk versus other users. Since most projects permit users to change their full name (the "title" property), all projects with multiple users should be updated promptly to close this vulnerability.

* changeset

* release only (changelogs formatted) (#5408)

* allow oembetter to be released (#5412)

* release oembetter 1.2.0 (#5413)

* release oembetter 1.2.0

* left commit

* [latest] PRO-9441: modal focus trap

* [latest] Fix import-export noise

* [latest] A11y fixes part 3

* Fix initial focus trap issue, introduced with recent changes (#5427)

* merge main to latest (#5460)

* Latest security q2 (#5463)

* Bump CLI dependencies (#5383)

* Fix choices IDs (#5379)

* Fix choices IDs

* Cleanup dots from ID values

* Update changelog

Co-authored-by: Robert Means <robert@apostrophecms.com>

---------

Co-authored-by: Robert Means <robert@apostrophecms.com>

* Native browser shortcuts work again (#5384)

* Pro 8838 charset (#5385)

* Removes encoding option and comments hardcoded encoding meta

* add changeset

* Response to first comments

* Log aposResponse errors (#5386)

* log aposResponse errors

* add changeset

---------

Co-authored-by: Harouna Traoré <haroun@users.noreply.github.com>

* merge back the thanks (#5388)

* Postgres (#5365)

* postgres experimental WIP

* astonishingly, all mocha tests of apostrophe pass with this

* mocha tests pass, actual sites work

* lint clean

* listDatabases support, but changes are coming

* wip

* dump and restore updates

* backpressure, adequate handling of ObjectId for our needs (becomes its hex representation)

* mild performance optimization

* profiling

* testing issue resolved

* refactored to db-connect module, introduced sqlite adapter

* sqlite WIP

* debugging

* programmatic API for dump/restore/copy dbs

* linting, documentation

* MIT license

* text ranking is more accurate, documentation is more complete

* good full text search for sqlite

* updates for compatibility with the rest of the public and private modules, plus a few fixes to genuinely ambiguous tests

* requirements found by testing private modules

* fixes from full cypress run

* eslint passing

* restore permissions

* maximize atomicity

* bug fixes

* * exit properly when asset tests fail
* "npm test" tests all three adapters

* ignore claude-tools in eslint

* postgres and sqlite-inclusive ci matrix attempt

* clean up logs

* We hit github's limit on total configurations because every package gets its own matrix.

Solve that with grouping:

* apostrophe core
* All regular ecosystem packages other than core
* non-database-requiring packages
* mongodb-specific packages

This will probably speed it up too because it won't have to spin up a container a bazillion times.

* hardened the asset tests, made them less timing sensitive, fixed a bad commit resulting from the
way they dodgily patch themselves without a robust cleanup mechanism

* fix a root cause of asset test instability

* log mess

* implemented missing $size operator

* test compatibility

* advanced permission uses regex in $in

* regex in $in

* .db() should not make false promises in plain postgres mode, it should fail

* ability to specify a default adapter

* obsolete file

* put escapeHost back where it belongs

* dead code removal, test cleanup

* emulate-mongo-3-driver only needed in db-connect

* no claude logs in repo (tools are welcome)

* * shared aggregation implementation, other shared things
* optimize $match when it is the first step in aggregation, don't fetch the whole collection 😜
* multipostgres listDatabases() and .db() should return and expect "fully qualified virtual database names," e.g. physical_db_name-schemaname

* vanilla postgres should not attempt to use .db() with alternate names in tests

* documentation corrections

* documentation errors

* listDatabases and documentation corrections

* more edge cases revealed by latest work from Miro

* anchored prefix regexps are optimized
documentation improvements

* * matchesQuery in the aggregation cursor implementation doesn't throw on unrecognized operators. It should, and it should support the same mongodb operators that the regular find()
  path does in postgres/sqlite (our official subset), unless there is an extraordinary reason not to.

  * Similarly, the main query implementation for normal queries should throw on unrecognized operators if it doesn't already.

  * The dump/restore programmatic APIs in db-connect concern me. These involve returning the entire database as a string, which could exhaust memory. This impacts both utilities and
  also copyDatabase(). Could these APIs return and expect async iterators instead of strings?

  * The test "anchored regex on an indexed field uses a btree index search" runs explain on a query that's hardcoded in the test. Instead these SQL based adapters should expose a means
  to get the SQL for a query, so it can be directly tested. Otherwise this test proves nothing as changes to the adapter accumulate in future.

  * Why is this test searching for "at least 1" and not exactly 1?

  it('should find documents with null value', async function() {
    const docs = await db.collection('test').find({ value: null }).toArray();
    // MongoDB matches both null and missing fields with { value: null }
    expect(docs.length).to.be.at.least(1);
  });

  * What is the maximum size of a db-connect document in the postgres and sqlite adapters?

  * Update the copyright year in db-connect/LICENSE.md to 2025.

  * The db-connect README mentions: sqlite://:memory: What happens if you try to use .db('some-name') with that? I think it would be best to just not support throwaway in-memory sqlite
  databases because I doubt anyone would intentionally store a website in one.

* do not swallow dump/restore errors on indexes

* cover how to run the utilities

* fix detection of source

* separate sanitization for index names

* regex prefix safety

* pnpm

---------

Co-authored-by: Thomas Boutell <boutell@vcs.trox.local>

* forgot to include a changeset (#5390)

* ignore inline table array as draggable ui for windows (#5392)

* Layout focus orchestration (#5393)

* Pro 9405 remove hreflang (#5395)

* Remove hreflang generation and update README

* Add changeset

* Changeset update

* Pro 9406 base url (#5396)

* Removes `seoSiteCanonicalUrl`

* Update tests and remove missed log

* Change semver level

* Bump dependencies (#5398)

* Bump dependencies
* Fix missing test await resulting in random failures

* Pro 9405 remove hreflang (#5395)

* Remove hreflang generation and update README

* Add changeset

* Changeset update

* PRO-9467: remove defunct and nonpublic oembed providers and improve developer control to ensure security in the future (no risk exists today) (#5400)

* PRO-9467: remove defunct and nonpublic oembed providers and improve developer control to ensure security in the future (no risk exists today)

* allow newer twitter domain

* infogr.am still around

* facebook no longer does oembed

* Layout editable gap (#5397)

* a11y fixes (#5401)

* clarifications (#5403)

* Merge commit from fork

* Security: a malicious full name containing HTML was executed as HTML in the tooltip displayed with an "i" icon next to the title of the current page, creating an XSS attack risk versus other users. Since most projects permit users to change their full name (the "title" property), all projects with multiple users should be updated promptly to close this vulnerability.

* changeset

* Merge commit from fork

* fix xmp tag vulnerability

* thanks

* Merge commit from fork

* secure the link URL field of image widgets

* credit

* Merge commit from fork

* Merge commit from fork

* Merge commit from fork

* Fixed arbitrary image URL import vulnerability in rich text import API

* additional reporter

* mergeback (#5409)

---------

Co-authored-by: Miro Yovchev <2827783+myovchev@users.noreply.github.com>
Co-authored-by: Robert Means <robert@apostrophecms.com>
Co-authored-by: haroun <1765606+haroun@users.noreply.github.com>
Co-authored-by: Harouna Traoré <haroun@users.noreply.github.com>
Co-authored-by: Stuart Romanek <stuart@apostrophecms.com>

* mergeback (#5414)

---------

Co-authored-by: Miro Yovchev <2827783+myovchev@users.noreply.github.com>
Co-authored-by: Robert Means <robert@apostrophecms.com>
Co-authored-by: haroun <1765606+haroun@users.noreply.github.com>
Co-authored-by: Harouna Traoré <haroun@users.noreply.github.com>
Co-authored-by: Stuart Romanek <stuart@apostrophecms.com>

* Fix focus trap on the last element in a modal (#5406)

* Fix focus trap on the last element in a modal

* Fix trap escaping edge cases

* Fix import-export noise (#5399)

* remove noise, switch to utils debug

* Fix tests

* Introduce debug option

* changelog

* Fix test sorting issue

* A11y fixes part 3 (#5416)

* Fix editor modal a11y issues

* Fix manager a11y problems

* Fix page manager a11y problems

* fix media manager a11y issues

* fix a11y issues in style editor and user settings

* Fix login a11y issues

* eliminate a modal issue

* Remove bad aria in rich text

* Fix wrong aria in layout

* changelog

* Fix totp a11y issues, doc context state safety

* Fix uncaught error - popup blockers/tests

* Fix initial focus trap issue, introduced with recent changes (#5426)

* PRO-9542: fix the bug that breaks sitemaps for RA (#5433)

* PRO-9542: fix the bug that breaks sitemaps for RA

* see changeset

* Feature/prevent infinite redirects (#5429)

* log aposResponse errors

* add changeset

* prevent infinite redirects to external URLs

---------

Co-authored-by: Harouna Traoré <haroun@users.noreply.github.com>

* add draggable: false support to non-inline array field (#5435)

* add draggable: false support to non-inline array field

* Add changeset

* Make logged-in cookie name configurable via options (#5430)

The logged-in cookie name was hardcoded as 'loggedIn' with TODO comments
indicating it should be configurable. This is needed for deployments
where multiple Apostrophe instances share a domain (e.g., staging and
production on subpaths) and need distinct cookie names to avoid conflicts.

Changes:
- Added 'loggedInCookieName' option to the login module (defaults to
  'loggedIn' for backward compatibility)
- Replaced all hardcoded references with self.loggedInCookieName
- Removed the TODO comments

Usage:
  modules: {
    '@apostrophecms/login': {
      options: {
        loggedInCookieName: 'myAppLoggedIn'
      }
    }
  }

Addresses the TODO comments:
  'get cookie name from config'

Co-authored-by: Vangalla, Rohith <rohith.vangalla@optum.com>

* Revert "Make logged-in cookie name configurable via options (#5430)" (#5436)

This reverts commit ddcdaa7.

* Feature create-apostrophe (#5425)

* Fix new schema areas in existing documents (Astro) (#5434)

* Fix orphan or new-in-the-schema areas in external front-ends
* Save missing empty areas in the DB, refactor nunjucks path

* PRO-6295: jsx as an optional alternative to nunjucks (#5391)

* jsx as an optional alternative to nunjucks

* eslint, all tests pass

* log a useful stack trace on attachment errors! Holy shit!

* fix lint

* clarify behavior

* more tests
pass linter

* This is just a unit test, but it can't hurt to be thorough & satisfy github-advanced-security

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* true access to the apos object in jsx, per the spec

* more test coverage, no code changes

* fix watchers

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* no watch in prod (#5439)

* Fix new schema areas in existing documents (Astro) Part II (#5440)

* Prevent data corruption when stubbing areas for Astro

* Fix false positive orphan area warnings

* Guard against corrupt area items

* Fix raw-text sanitization bypass vulnerability and add regression tests (#5432)

* changeset for singh contribution (#5442)

* Fix relationship select scrolling issue (#5445)

* Fix relationship select scrolling issue

* Prevent same scrolling bugs to appear in media manager

* jsx changeset (#5446)

* Ensure install of the project root for astro projects (#5449)

* test node 26 (#5450)

* test node 26

* support node 26 by bumping the better-sqlite3 version

* node 22 requirement

* Add link for telemetry policy (#5455)

* remove absent options (#5456)

* Remove consumed 4.30.0 changesets from main (#5454)

* cli links that are correct, or will be post publish (#5458)

* release db connect to solve chicken and egg problem in cypress-tools (#5459)

* Corrects documentation links (#5457)

* Corrects documentation links

* correct `guides` -> `guide`

---------

Co-authored-by: Miro Yovchev <2827783+myovchev@users.noreply.github.com>
Co-authored-by: Robert Means <robert@apostrophecms.com>
Co-authored-by: haroun <1765606+haroun@users.noreply.github.com>
Co-authored-by: Harouna Traoré <haroun@users.noreply.github.com>
Co-authored-by: Thomas Boutell <boutell@vcs.trox.local>
Co-authored-by: Stuart Romanek <stuart@apostrophecms.com>
Co-authored-by: RohithVangalla1 <reachrohithv@gmail.com>
Co-authored-by: Vangalla, Rohith <rohith.vangalla@optum.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Dipanshu singh <161134993+Dipanshusinghh@users.noreply.github.com>

* Latest security q2 (#5464)

* Bump CLI dependencies (#5383)

* Fix choices IDs (#5379)

* Fix choices IDs

* Cleanup dots from ID values

* Update changelog

Co-authored-by: Robert Means <robert@apostrophecms.com>

---------

Co-authored-by: Robert Means <robert@apostrophecms.com>

* Native browser shortcuts work again (#5384)

* Pro 8838 charset (#5385)

* Removes encoding option and comments hardcoded encoding meta

* add changeset

* Response to first comments

* Log aposResponse errors (#5386)

* log aposResponse errors

* add changeset

---------

Co-authored-by: Harouna Traoré <haroun@users.noreply.github.com>

* merge back the thanks (#5388)

* Postgres (#5365)

* postgres experimental WIP

* astonishingly, all mocha tests of apostrophe pass with this

* mocha tests pass, actual sites work

* lint clean

* listDatabases support, but changes are coming

* wip

* dump and restore updates

* backpressure, adequate handling of ObjectId for our needs (becomes its hex representation)

* mild performance optimization

* profiling

* testing issue resolved

* refactored to db-connect module, introduced sqlite adapter

* sqlite WIP

* debugging

* programmatic API for dump/restore/copy dbs

* linting, documentation

* MIT license

* text ranking is more accurate, documentation is more complete

* good full text search for sqlite

* updates for compatibility with the rest of the public and private modules, plus a few fixes to genuinely ambiguous tests

* requirements found by testing private modules

* fixes from full cypress run

* eslint passing

* restore permissions

* maximize atomicity

* bug fixes

* * exit properly when asset tests fail
* "npm test" tests all three adapters

* ignore claude-tools in eslint

* postgres and sqlite-inclusive ci matrix attempt

* clean up logs

* We hit github's limit on total configurations because every package gets its own matrix.

Solve that with grouping:

* apostrophe core
* All regular ecosystem packages other than core
* non-database-requiring packages
* mongodb-specific packages

This will probably speed it up too because it won't have to spin up a container a bazillion times.

* hardened the asset tests, made them less timing sensitive, fixed a bad commit resulting from the
way they dodgily patch themselves without a robust cleanup mechanism

* fix a root cause of asset test instability

* log mess

* implemented missing $size operator

* test compatibility

* advanced permission uses regex in $in

* regex in $in

* .db() should not make false promises in plain postgres mode, it should fail

* ability to specify a default adapter

* obsolete file

* put escapeHost back where it belongs

* dead code removal, test cleanup

* emulate-mongo-3-driver only needed in db-connect

* no claude logs in repo (tools are welcome)

* * shared aggregation implementation, other shared things
* optimize $match when it is the first step in aggregation, don't fetch the whole collection 😜
* multipostgres listDatabases() and .db() should return and expect "fully qualified virtual database names," e.g. physical_db_name-schemaname

* vanilla postgres should not attempt to use .db() with alternate names in tests

* documentation corrections

* documentation errors

* listDatabases and documentation corrections

* more edge cases revealed by latest work from Miro

* anchored prefix regexps are optimized
documentation improvements

* * matchesQuery in the aggregation cursor implementation doesn't throw on unrecognized operators. It should, and it should support the same mongodb operators that the regular find()
  path does in postgres/sqlite (our official subset), unless there is an extraordinary reason not to.

  * Similarly, the main query implementation for normal queries should throw on unrecognized operators if it doesn't already.

  * The dump/restore programmatic APIs in db-connect concern me. These involve returning the entire database as a string, which could exhaust memory. This impacts both utilities and
  also copyDatabase(). Could these APIs return and expect async iterators instead of strings?

  * The test "anchored regex on an indexed field uses a btree index search" runs explain on a query that's hardcoded in the test. Instead these SQL based adapters should expose a means
  to get the SQL for a query, so it can be directly tested. Otherwise this test proves nothing as changes to the adapter accumulate in future.

  * Why is this test searching for "at least 1" and not exactly 1?

  it('should find documents with null value', async function() {
    const docs = await db.collection('test').find({ value: null }).toArray();
    // MongoDB matches both null and missing fields with { value: null }
    expect(docs.length).to.be.at.least(1);
  });

  * What is the maximum size of a db-connect document in the postgres and sqlite adapters?

  * Update the copyright year in db-connect/LICENSE.md to 2025.

  * The db-connect README mentions: sqlite://:memory: What happens if you try to use .db('some-name') with that? I think it would be best to just not support throwaway in-memory sqlite
  databases because I doubt anyone would intentionally store a website in one.

* do not swallow dump/restore errors on indexes

* cover how to run the utilities

* fix detection of source

* separate sanitization for index names

* regex prefix safety

* pnpm

---------

Co-authored-by: Thomas Boutell <boutell@vcs.trox.local>

* forgot to include a changeset (#5390)

* ignore inline table array as draggable ui for windows (#5392)

* Layout focus orchestration (#5393)

* Pro 9405 remove hreflang (#5395)

* Remove hreflang generation and update README

* Add changeset

* Changeset update

* Pro 9406 base url (#5396)

* Removes `seoSiteCanonicalUrl`

* Update tests and remove missed log

* Change semver level

* Bump dependencies (#5398)

* Bump dependencies
* Fix missing test await resulting in random failures

* Pro 9405 remove hreflang (#5395)

* Remove hreflang generation and update README

* Add changeset

* Changeset update

* PRO-9467: remove defunct and nonpublic oembed providers and improve developer control to ensure security in the future (no risk exists today) (#5400)

* PRO-9467: remove defunct and nonpublic oembed providers and improve developer control to ensure security in the future (no risk exists today)

* allow newer twitter domain

* infogr.am still around

* facebook no longer does oembed

* Layout editable gap (#5397)

* a11y fixes (#5401)

* clarifications (#5403)

* Merge commit from fork

* Security: a malicious full name containing HTML was executed as HTML in the tooltip displayed with an "i" icon next to the title of the current page, creating an
XSS attack risk versus other users. Since most projects permit users to change their full name (the "title" property), all projects with multiple users should be updated promptly
to close this vulnerability.

* changeset

* Merge commit from fork

* fix xmp tag vulnerability

* thanks

* Merge commit from fork

* secure the link URL field of image widgets

* credit

* Merge commit from fork

* Merge commit from fork

* Merge commit from fork

* Fixed arbitrary image URL import vulnerability in rich text import API

* additional reporter

* mergeback (#5409)

* Latest merge prerelease 2026 05 (#5404)

* Fix choices IDs (#5379)

* Fix choices IDs

* Cleanup dots from ID values

* Update changelog

Co-authored-by: Robert Means <robert@apostrophecms.com>

---------

Co-authored-by: Robert Means <robert@apostrophecms.com>
(cherry picked from commit 9f458b5)

* Bump CLI dependencies (#5383)

(cherry picked from commit a5e1a4a)

* Native browser shortcuts work again (#5384)

(cherry picked from commit b9b32bd)

* Pro 8838 charset (#5385)

* Removes encoding option and comments hardcoded encoding meta

* add changeset

* Response to first comments

(cherry picked from commit 08845c5)

* Log aposResponse errors (#5386)

* log aposResponse errors

* add changeset

---------

Co-authored-by: Harouna Traoré <haroun@users.noreply.github.com>
(cherry picked from commit d45e27f)

* merge back the thanks (#5388)

(cherry picked from commit f3501f4)

* ignore inline table array as draggable ui for windows (#5392)

(cherry picked from commit b360b05)

* Layout focus orchestration (#5393)

(cherry picked from commit 77a2968)

* Bump dependencies (#5398)

* Bump dependencies
* Fix missing test await resulting in random failures

(cherry picked from commit 008417f)

* PRO-9467: remove defunct and nonpublic oembed providers and improve developer control to ensure security in the future (no risk exists today) (#5400)

* PRO-9467: remove defunct and nonpublic oembed providers and improve developer control to ensure security in the future (no risk exists today)

* allow newer twitter domain

* infogr.am still around

* facebook no longer does oembed

(cherry picked from commit e9b3bac)

* Layout editable gap (#5397)

(cherry picked from commit bc8f7be)

* a11y fixes (#5401)

(cherry picked from commit 2e2f3b4)

* clarifications (#5403)

(cherry picked from commit 13f2c69)

---------

Co-authored-by: Miro Yovchev <2827783+myovchev@users.noreply.github.com>
Co-authored-by: Robert Means <robert@apostrophecms.com>
Co-authored-by: haroun <1765606+haroun@users.noreply.github.com>
Co-authored-by: Harouna Traoré <haroun@users.noreply.github.com>
Co-authored-by: Stuart Romanek <stuart@apostrophecms.com>

* Latest security merge (#5407)

* Merge commit from fork

* Fixed arbitrary image URL import vulnerability in rich text import API

* additional reporter

* Merge commit from fork

* Merge commit from fork

* Merge commit from fork

* secure the link URL field of image widgets

* credit

* Merge commit from fork

* fix xmp tag vulnerability

* thanks

* Merge commit from fork

* Security: a malicious full name containing HTML was executed as HTML in the tooltip displayed with an "i" icon next to the title of the current page, creating an
XSS attack risk versus other users. Since most projects permit users to change their full name (the "title" property), all projects with multiple users should be updated promptly
to close this vulnerability.

* changeset

* release only (changelogs formatted) (#5408)

---------

Co-authored-by: Miro Yovchev <2827783+myovchev@users.noreply.github.com>
Co-authored-by: Robert Means <robert@apostrophecms.com>
Co-authored-by: haroun <1765606+haroun@users.noreply.github.com>
Co-authored-by: Harouna Traoré <haroun@users.noreply.github.com>
Co-authored-by: Stuart Romanek <stuart@apostrophecms.com>

* mergeback (#5414)

* Latest merge prerelease 2026 05 (#5404)

* Fix choices IDs (#5379)

* Fix choices IDs

* Cleanup dots from ID values

* Update changelog

Co-authored-by: Robert Means <robert@apostrophecms.com>

---------

Co-authored-by: Robert Means <robert@apostrophecms.com>
(cherry picked from commit 9f458b5)

* Bump CLI dependencies (#5383)

(cherry picked from commit a5e1a4a)

* Native browser shortcuts work again (#5384)

(cherry picked from commit b9b32bd)

* Pro 8838 charset (#5385)

* Removes encoding option and comments hardcoded encoding meta

* add changeset

* Response to first comments

(cherry picked from commit 08845c5)

* Log aposResponse errors (#5386)

* log aposResponse errors

* add changeset

---------

Co-authored-by: Harouna Traoré <haroun@users.noreply.github.com>
(cherry picked from commit d45e27f)

* merge back the thanks (#5388)

(cherry picked from commit f3501f4)

* ignore inline table array as draggable ui for windows (#5392)

(cherry picked from commit b360b05)

* Layout focus orchestration (#5393)

(cherry picked from commit 77a2968)

* Bump dependencies (#5398)

* Bump dependencies
* Fix missing test await resulting in random failures

(cherry picked from commit 008417f)

* PRO-9467: remove defunct and nonpublic oembed providers and improve developer control to ensure security in the future (no risk exists today) (#5400)

* PRO-9467: remove defunct and nonpublic oembed providers and improve developer control to ensure security in the future (no risk exists today)

* allow newer twitter domain

* infogr.am still around

* facebook no longer does oembed

(cherry picked from commit e9b3bac)

* Layout editable gap (#5397)

(cherry picked from commit bc8f7be)

* a11y fixes (#5401)

(cherry picked from commit 2e2f3b4)

* clarifications (#5403)

(cherry picked from commit 13f2c69)

---------

Co-authored-by: Miro Yovchev <2827783+myovchev@users.noreply.github.com>
Co-authored-by: Robert Means <robert@apostrophecms.com>
Co-authored-by: haroun <1765606+haroun@users.noreply.github.com>
Co-authored-by: Harouna Traoré <haroun@users.noreply.github.com>
Co-authored-by: Stuart Romanek <stuart@apostrophecms.com>

* Latest security merge (#5407)

* Merge commit from fork

* Fixed arbitrary image URL import vulnerability in rich text import API

* additional reporter

* Merge commit from fork

* Merge commit from fork

* Merge commit from fork

* secure the link URL field of image widgets

* credit

* Merge commit from fork

* fix xmp tag vulnerability

* thanks

* Merge commit from fork

* Security: a malicious full name containing HTML was executed as HTML in the tooltip displayed with an "i" icon next to the title of the current page, creating an
XSS attack risk versus other users. Since most projects permit users to change their full name (the "title" property), all projects with multiple users should be updated promptly
to close this vulnerability.

* changeset

* release only (changelogs formatted) (#5408)

* allow oembetter to be released (#5412)

* release oembetter 1.2.0 (#5413)

* release oembetter 1.2.0

* left commit

---------

Co-authored-by: Miro Yovchev <2827783+myovchev@users.noreply.github.com>
Co-authored-by: Robert Means <robert@apostrophecms.com>
Co-authored-by: haroun <1765606+haroun@users.noreply.github.com>
Co-authored-by: Harouna Traoré <haroun@users.noreply.github.com>
Co-authored-by: Stuart Romanek <stuart@apostrophecms.com>

* Fix focus trap on the last element in a modal (#5406)

* Fix focus trap on the last element in a modal

* Fix trap escaping edge cases

* Fix import-export noise (#5399)

* remove noise, switch to utils debug

* Fix tests

* Introduce debug option

* changelog

* Fix test sorting issue

* A11y fixes part 3 (#5416)

* Fix editor modal a11y issues

* Fix manager a11y problems

* Fix page manager a11y problems

* fix media manager a11y issues

* fix a11y issues in style editor and user settings

* Fix login a11y issues

* eliminate a modal issue

* Remove bad aria in rich text

* Fix wrong aria in layout

* changelog

* Fix totp a11y issues, doc context state safety

* Fix uncaught error - popup blockers/tests

* Fix initial focus trap issue, introduced with recent changes (#5426)

* PRO-9542: fix the bug that breaks sitemaps for RA (#5433)

* PRO-9542: fix the bug that breaks sitemaps for RA

* see changeset

* Feature/prevent infinite redirects (#5429)

* log aposResponse errors

* add changeset

* prevent infinite redirects to external URLs

---------

Co-authored-by: Harouna Traoré <haroun@users.noreply.github.com>

* add draggable: false support to non-inline array field (#5435)

* add draggable: false support to non-inline array field

* Add changeset

* Make logged-in cookie name configurable via options (#5430)

The logged-in cookie name was hardcoded as 'loggedIn' with TODO comments
indicating it should be configurable. This is needed for deployments
where multiple Apostrophe instances share a domain (e.g., staging and
production on subpaths) and need distinct cookie names to avoid conflicts.

Changes:
- Added 'loggedInCookieName' option to the login module (defaults to
  'loggedIn' for backward compatibility)
- Replaced all hardcoded references with self.loggedInCookieName
- Removed the TODO comments

Usage:
  modules: {
    '@apostrophecms/login': {
      options: {
        loggedInCookieName: 'myAppLoggedIn'
      }
    }
  }

Addresses the TODO comments:
  'get cookie name from config'

Co-authored-by: Vangalla, Rohith <rohith.vangalla@optum.com>

* Revert "Make logged-in cookie name configurable via options (#5430)" (#5436)

This reverts commit ddcdaa7.

* Feature create-apostrophe (#5425)

* Fix new schema areas in existing documents (Astro) (#5434)

* Fix orphan or new-in-the-schema areas in external front-ends
* Save missing empty areas in the DB, refactor nunjucks path

* PRO-6295: jsx as an optional alternative to nunjucks (#5391)

* jsx as an optional alternative to nunjucks

* eslint, all tests pass

* log a useful stack trace on attachment errors! Holy shit!

* fix lint

* clarify behavior

* more tests
pass linter

* This is just a unit test, but it can't hurt to be thorough & satisfy github-advanced-security

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* true access to the apos object in jsx, per the spec

* more test coverage, no code changes

* fix watchers

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* no watch in prod (#5439)

* Fix new schema areas in existing documents (Astro) Part II (#5440)

* Prevent data corruption when stubbing areas for Astro

* Fix false positive orphan area warnings

* Guard against corrupt area items

* Fix raw-text sanitization bypass vulnerability and add regression tests (#5432)

* changeset for singh contribution (#5442)

* Fix relationship select scrolling issue (#5445)

* Fix relationship select scrolling issue

* Prevent the same scrolling bugs from appearing in media manager

* jsx changeset (#5446)

* Ensure install of the project root for astro projects (#5449)

* test node 26 (#5450)

* test node 26

* support node 26 by bumping the better-sqlite3 version

* node 22 requirement

* Add link for telemetry policy (#5455)

* remove absent options (#5456)

* Remove consumed 4.30.0 changesets from main (#5454)

* cli links that are correct, or will be post publish (#5458)

* release db connect to solve chicken and egg problem in cypress-tools (#5459)

* Corrects documentation links (#5457)

* Corrects documentation links

* correct `guides` -> `guide`

* Merge commit from fork

* Merge commit from fork

* Merge commit from fork

* Merge commit from fork

* Security: added a number of new attributes to be protected against unsafe URLs, e.g. javascript: and similar. None of these are used in the default configuration of sanitize-html or apostrophe or likely to be used there, and some attributes, like an action for a form, are inherently unsafe to allow if XSS protection is your goal. Nevertheless it makes sense to block certain URL types where they are not appropriate. Thanks to [crattack](https://github.com/crattack) for reporting the vulnerability.

* changeset

* removed duplicate changeset

* patch the right module

---------

Co-authored-by: Miro Yovchev <2827783+myovchev@users.noreply.github.com>
Co-authored-by: Robert Means <robert@apostrophecms.com>
Co-authored-by: haroun <1765606+haroun@users.noreply.github.com>
Co-authored-by: Harouna Traoré <haroun@users.noreply.github.com>
Co-authored-by: Thomas Boutell <boutell@vcs.trox.local>
Co-authored-by: Stuart Romanek <stuart@apostrophecms.com>
Co-authored-by: RohithVangalla1 <reachrohithv@gmail.com>
Co-authored-by: Vangalla, Rohith <rohith.vangalla@optum.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Dipanshu singh <161134993+Dipanshusinghh@users.noreply.github.com>

* release and changelog edits (#5465)

* changelogs

* formatting

---------

Co-authored-by: Miro Yovchev <2827783+myovchev@users.noreply.github.com>
Co-authored-by: Robert Means <robert@apostrophecms.com>
Co-authored-by: haroun <1765606+haroun@users.noreply.github.com>
Co-authored-by: Harouna Traoré <haroun@users.noreply.github.com>
Co-authored-by: Stuart Romanek <stuart@apostrophecms.com>
Co-authored-by: Thomas Boutell <boutell@vcs.trox.local>
Co-authored-by: RohithVangalla1 <reachrohithv@gmail.com>
Co-authored-by: Vangalla, Rohith <rohith.vangalla@optum.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Dipanshu singh <161134993+Dipanshusinghh@users.noreply.github.com>

* Fix broken link

* Add changeset

* Latest merge prerelease 2026 05 (#5404)

* Fix choices IDs (#5379)

* Fix choices IDs

* Cleanup dots from ID values

* Update changelog

Co-authored-by: Robert Means <robert@apostrophecms.com>

---------

Co-authored-by: Robert Means <robert@apostrophecms.com>
(cherry picked from commit 9f458b5)

* Bump CLI dependencies (#5383)

(cherry picked from commit a5e1a4a)

* Native browser shortcuts work again (#5384)

(cherry picked from commit b9b32bd)

* Pro 8838 charset (#5385)

* Removes encoding option and comments hardcoded encoding meta

* add changeset

* Response to first comments

(cherry picked from commit 08845c5)

* Log aposResponse errors (#5386)

* log aposResponse errors

* add changeset

---------

Co-authored-by: Harouna Traoré <haroun@users.noreply.github.com>
(cherry picked from commit d45e27f)

* merge back the thanks (#5388)

(cherry picked from commit f3501f4)

* ignore inline table array as draggable ui for windows (#5392)

(cherry picked from commit b360b05)

* Layout focus orchestration (#5393)

(cherry picked from commit 77a2968)

* Bump dependencies (#5398)

* Bump dependencies
* Fix missing test await resulting in random failures

(cherry picked from commit 008417f)

* PRO-9467: remove defunct and nonpublic oembed providers and improve developer control to ensure security in the future (no risk exists today) (#5400)

* PRO-9467: remove defunct and nonpublic oembed providers and improve developer control to ensure security in the future (no risk exists today)

* allow newer twitter domain

* infogr.am still around

* facebook no longer does oembed

(cherry picked from commit e9b3bac)

* Layout editable gap (#5397)

(cherry picked from commit bc8f7be)

* a11y fixes (#5401)

(cherry picked from commit 2e2f3b4)

* clarifications (#5403)

(cherry picked from commit 13f2c69)

---------

Co-authored-by: Miro Yovchev <2827783+myovchev@users.noreply.github.com>
Co-authored-by: Robert Means <robert@apostrophecms.com>
Co-authored-by: haroun <1765606+haroun@users.noreply.github.com>
Co-authored-by: Harouna Traoré <haroun@users.noreply.github.com>
Co-authored-by: Stuart Romanek <stuart@apostrophecms.com>

* Latest security merge (#5407)

* Merge commit from fork

* Fixed arbitrary image URL import vulnerability in rich text import API

* additional reporter

* Merge commit from fork

* Merge commit from fork

* Merge commit from fork

* secure the link URL field of image widgets

* credit

* Merge commit from fork

* fix xmp tag vulnerability

* thanks

* Merge commit from fork

* Security: a malicious full name containing HTML was executed as HTML in the tooltip displayed with an "i" icon next to the title of the current page, creating an
XSS attack risk versus other users. Since most projects permit users to change their full name (the "title" property), all projects with multiple users should be updated promptly
to close this vulnerability.

* changeset

* release only (changelogs formatted) (#5408)

* allow oembetter to be released (#5412)

* release oembetter 1.2.0 (#5413)

* release oembetter 1.2.0

* left commit

* [latest] PRO-9441: modal focus trap

* [latest] Fix import-export noise

* [latest] A11y fixes part 3

* Fix initial focus trap issue, introduced with recent changes (#5427)

* merge main to latest (#5460)

* Latest security q2 (#5463)

* Bump CLI dependencies (#5383)

* Fix choices IDs (#5379)

* Fix choices IDs

* Cleanup dots from ID values

* Update changelog

Co-authored-by: Robert Means <robert@apostrophecms.com>

---------

Co-authored-by: Robert Means <robert@apostrophecms.com>

* Native browser shortcuts work again (#5384)

* Pro 8838 charset (#5385)

* Removes encoding option and comments hardcoded encoding meta

* add changeset

* Response to first comments

* Log aposResponse errors (#5386)

* log aposResponse errors

* add changeset

---------

Co-authored-by: Harouna Traoré <haroun@users.noreply.github.com>

* merge back the thanks (#5388)

* Postgres (#5365)

* postgres experimental WIP

* astonishingly, all mocha tests of apostrophe pass with this

* mocha tests pass, actual sites work

* lint clean

* listDatabases support, but changes are coming

* wip

* dump and restore updates

* backpressure, adequate handling of ObjectId for our needs (becomes its hex representation)

* mild performance optimization

* profiling

* testing issue resolved

* refactored to db-connect module, introduced sqlite adapter

* sqlite WIP

* debugging

* programmatic API for dump/restore/copy dbs

* linting, documentation

* MIT license

* text ranking is more accurate, documentation is more complete

* good full text search for sqlite

* updates for compatibility with the rest of the public and private modules, plus a few fixes to genuinely ambiguous tests

* requirements found by testing private modules

* fixes from full cypress run

* eslint passing

* restore permissions

* maximize atomicity

* bug fixes

* * exit properly when asset tests fail
* "npm test" tests all three adapters

* ignore claude-tools in eslint

* postgres and sqlite-inclusive ci matrix attempt

* clean up logs

* We hit github's limit on total configurations because every package gets its own matrix.

Solve that with grouping:

* apostrophe core
* All regular ecosystem packages other than core
* non-database-requiring packages
* mongodb-specific packages

This will probably speed it up too because it won't have to spin up a container a bazillion times.

* hardened the asset tests, made them less timing sensitive, fixed a bad commit resulting from the
way they dodgily patch themselves without a robust cleanup mechanism

* fix a root cause of asset test instability

* log mess

* implemented missing $size operator

* test compatibility

* advanced permission uses regex in $in

* regex in $in

* .db() should not make false promises in plain postgres mode, it should fail

* ability to specify a default adapter

* obsolete file

* put escapeHost back where it belongs

* dead code removal, test cleanup

* emulate-mongo-3-driver only needed in db-connect

* no claude logs in repo (tools are welcome)

* * shared aggregation implementation, other shared things
* optimize $match when it is the first step in aggregation, don't fetch the whole collection 😜
* multipostgres listDatabases() and .db() should return and expect "fully qualified virtual database names," e.g. physical_db_name-schemaname

* vanilla postgres should not attempt to use .db() with alternate names in tests

* documentation corrections

* documentation errors

* listDatabases and documentation corrections

* more edge cases revealed by latest work from Miro

* anchored prefix regexps are optimized
documentation improvements

* * matchesQuery in the aggregation cursor implementation doesn't throw on unrecognized operators. It should, and it should support the same mongodb operators that the regular find()
  path does in postgres/sqlite (our official subset), unless there is an extraordinary reason not to.

  * Similarly, the main query implementation for normal queries should throw on unrecognized operators if it doesn't already.

  * The dump/restore programmatic APIs in db-connect concern me. These involve returning the entire database as a string, which could exhaust memory. This impacts both utilities and
  also copyDatabase(). Could these APIs return and expect async iterators instead of strings?

  * The test "anchored regex on an indexed field uses a btree index search" runs explain on a query that's hardcoded in the test. Instead these SQL based adapters should expose a means
  to get the SQL for a query, so it can be directly tested. Otherwise this test proves nothing as changes to the adapter accumulate in future.

  * Why is this test searching for "at least 1" and not exactly 1?

  it('should find documents with null value', async function() {
    const docs = await db.collection('test').find({ value: null }).toArray();
    // MongoDB matches both null and missing fields with { value: null }
    expect(docs.length).to.be.at.least(1);
  });

  * What is the maximum size of a db-connect document in the postgres and sqlite adapters?

  * Update the copyright year in db-connect/LICENSE.md to 2025.

  * The db-connect README mentions: sqlite://:memory: What happens if you try to use .db('some-name') with that? I think it would be best to just not support throwaway in-memory sqlite
  databases because I doubt anyone would intentionally store a website in one.

* do not swallow dump/restore errors on indexes

* cover how to run the utilities

* fix detection of source

* separate sanitization for index names

* regex prefix safety

* pnpm

---------

Co-authored-by: Thomas Boutell <boutell@vcs.trox.local>

* forgot to include a changeset (#5390)

* ignore inline table array as draggable ui for windows (#5392)

* Layout focus orchestration (#5393)

* Pro 9405 remove hreflang (#5395)

* Remove hreflang generation and update README

* Add changeset

* Changeset update

* Pro 9406 base url (#5396)

* Removes `seoSiteCanonicalUrl`

* Update tests and remove missed log

* Change semver level

* Bump dependencies (#5398)

* Bump dependencies
* Fix missing test await resulting in random failures

* Pro 9405 remove hreflang (#5395)

* Remove hreflang generation and update README

* Add changeset

* Changeset update

* PRO-9467: remove defunct and nonpublic oembed providers and improve developer control to ensure security in the future (no risk exists today) (#5400)

* PRO-9467: remove defunct and nonpublic oembed providers and improve developer control to ensure security in the future (no risk exists today)

* allow newer twitter domain

* infogr.am still around

* facebook no longer does oembed

* Layout editable gap (#5397)

* a11y fixes (#5401)

* clarifications (#5403)

* Merge commit from fork

* Security: a malicious full name containing HTML was executed as HTML in the tooltip displayed with an "i" icon next to the title of the current page, creating an
XSS attack risk versus other users. Since most projects permit users to change their full name (the "title" property), all projects with multiple users should be updated promptly
to close this vulnerability.

* changeset

* Merge commit from fork

* fix xmp tag vulnerability

* thanks

* Merge commit from fork

* secure the link URL field of image widgets

* credit

* Merge commit from fork

* Merge commit from fork

* Merge commit from fork

* Fixed arbitrary image URL import vulnerability in rich text import API

* additional reporter

* mergeback (#5409)

* Latest merge prerelease 2026 05 (#5404)

* Fix choices IDs (#5379)

* Fix choices IDs

* Cleanup dots from ID values

* Update changelog

Co-authored-by: Robert Means <robert@apostrophecms.com>

---------

Co-authored-by: Robert Means <robert@apostrophecms.com>
(cherry picked from commit 9f458b5)

* Bump CLI dependencies (#5383)

(cherry picked from commit a5e1a4a)

* Native browser shortcuts work again (#5384)

(cherry picked from commit b9b32bd)

* Pro 8838 charset (#5385)

* Removes encoding option and comments hardcoded encoding meta

* add changeset

* Response to first comments

(cherry picked from commit 08845c5)

* Log aposResponse errors (#5386)

* log aposResponse errors

* add changeset

---------

Co-authored-by: Harouna Traoré <haroun@users.noreply.github.com>
(cherry picked from commit d45e27f)

* merge back the thanks (#5388)

(cherry picked from commit f3501f4)

* ignore inline table array as draggable ui for windows (#5392)

(cherry picked from commit b360b05)

* Layout focus orchestration (#5393)

(cherry picked from commit 77a2968)

* Bump dependencies (#5398)

* Bump dependencies
* Fix missing test await resulting in random failures

(cherry picked from commit 008417f)

* PRO-9467: remove defunct and nonpublic oembed providers and improve developer control to ensure security in the future (no risk exists today) (#5400)

* PRO-9467: remove defunct and nonpublic oembed providers and improve developer control to ensure security in the future (no risk exists today)

* allow newer twitter domain

* infogr.am still around

* facebook no longer does oembed

(cherry picked from commit e9b3bac)

* Layout editable gap (#5397)

(cherry picked from commit bc8f7be)

* a11y fixes (#5401)

(cherry picked from commit 2e2f3b4)

* clarifications (#5403)

(cherry picked from commit 13f2c69)

---------

Co-authored-by: Miro Yovchev <2827783+myovchev@users.noreply.github.com>
Co-authored-by: Robert Means <robert@apostrophecms.com>
Co-authored-by: haroun <1765606+haroun@users.noreply.github.com>
Co-authored-by: Harouna Traoré <haroun@users.noreply.github.com>
Co-authored-by: Stuart Romanek <stuart@apostrophecms.com>

* Latest security merge (#5407)

* Merge commit from fork

* Fixed arbitrary image URL import vulnerability in rich text import API

* additional reporter

* Merge commit from fork

* Merge commit from fork

* Merge commit from fork

* secure the link URL field of image widgets

* credit

* Merge commit from fork

* fix xmp tag vulnerability

* thanks

* Merge commit from fork

* Security: a malicious full name containing HTML was executed as HTML in the tooltip displayed with an "i" icon next to the title of the current page, creating an
XSS attack risk versus other users. Since most projects permit users to change their full name (the "title" property), all projects with multiple users should be updated promptly
to close this vulnerability.

* changeset

* release only (changelogs formatted) (#5408)

---------

Co-authored-by: Miro Yovchev <2827783+myovchev@users.noreply.github.com>
Co-authored-by: Robert Means <robert@apostrophecms.com>
Co-authored-by: haroun <1765606+haroun@users.noreply.github.com>
Co-authored-by: Harouna Traoré <haroun@users.noreply.github.com>
Co-authored-by: Stuart Romanek <stuart@apostrophecms.com>

* mergeback (#5414)

* allow oembetter to be released (#5412)

* release oembetter 1.2.0 (#5413)

* release oembetter 1.2.0

* left commit

---------

Co-authored-by: Miro Yovchev <2827783+myovchev@users.noreply.github.com>
Co-authored-by: Robert Means <robert@apostrophecms.com>
Co-authored-by: haroun <1765606+haroun@users.noreply.github.com>
Co-authored-by: Harouna Traoré <haroun@users.noreply.github.com>
Co-authored-by: Stuart Romanek <stuart@apostrophecms.com>

* Fix focus trap on the last element in a modal (#5406)

* Fix focus trap on the last element in a modal

* Fix trap escaping edge cases

* Fix import-export noise (#5399)

* remove noise, switch to utils debug

* Fix tests

* Introduce debug option

* changelog

* Fix test sorting issue

* A11y fixes part 3 (#5416)

* Fix editor modal a11y issues

* Fix manager a11y problems

* Fix page manager a11y problems

* fix media manager a11y issues

* fix a11y issues in style editor and user settings

* Fix login a11y issues

* eliminate a modal issue

* Remove bad aria in rich text

* Fix wrong aria in layout

* changelog

* Fix totp a11y issues, doc context state safety

* Fix uncaught error - popup blockers/tests

* Fix initial focus trap issue, introduced with recent changes (#5426)

* PRO-9542: fix the bug that breaks sitemaps for RA (#5433)

* PRO-9542: fix the bug that breaks sitemaps for RA

* see changeset

* Feature/prevent infinite redirects (#5429)

* log aposResponse errors

* add changeset

* prevent infinite redirects to external URLs

---------

Co-authored-by: Harouna Traoré <haroun@users.noreply.github.com>

* add draggable: false support to non-inline array field (#5435)

* add draggable: false support to non-inline array field

* Add changeset

* Make logged-in cookie name configurable via options (#5430)

The logged-in cookie name was hardcoded as 'loggedIn' with TODO comments
indicating it should be configurable. This is needed for deployments
where multiple Apostrophe instances share a domain (e.g., staging and
production on subpaths) and need distinct cookie names to avoid conflicts.

Changes:
- Added 'loggedInCookieName' option to the login module (defaults to
  'loggedIn' for backward compatibility)
- Replaced all hardcoded references with self.loggedInCookieName
- Removed the TODO comments

Usage:
  modules: {
    '@apostrophecms/login': {
      options: {
        loggedInCookieName: 'myAppLoggedIn'
      }
    }
  }

Addresses the TODO comments:
  'get cookie name from config'

Co-authored-by: Vangalla, Rohith <rohith.vangalla@optum.com>

* Revert "Make logged-in cookie name configurable via options (#5430)" (#5436)

This reverts commit ddcdaa7.

* Feature create-apostrophe (#5425)

* Fix new schema areas in existing documents (Astro) (#5434)

* Fix orphan or new-in-the-schema areas in external front-ends
* Save missing empty areas in the DB, refactor nunjucks path

* PRO-6295: jsx as an optional alternative to nunjucks (#5391)

* jsx as an optional alternative to nunjucks

* eslint, all tests pass

* log a useful stack trace on attachment errors! Holy shit!

* fix lint

* clarify behavior

* more tests
pass linter

* This is just a unit test, but it can't hurt to be thorough & satisfy github-advanced-security

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* true access to the apos object in jsx, per the spec

* more test coverage, no code changes

* fix watchers

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* no watch in prod (#5439)

* Fix new schema areas in existing documents (Astro) Part II (#5440)

* Prevent data corruption when stubbing areas for Astro

* Fix false positive orphan area warnings

* Guard against corrupt area items

* Fix raw-text sanitization bypass vulnerability and add regression tests (#5432)

* changeset for singh contribution (#5442)

* Fix relationship select scrolling issue (#5445)

* Fix relationship select scrolling issue

* Prevent the same scrolling bugs from appearing in media manager

* jsx changeset (#5446)

* Ensure install of the project root for astro projects (#5449)

* test node 26 (#5450)

* test node 26

* support node 26 by bumping the better-sqlite3 version

* node 22 requirement

* Add link for telemetry policy (#5455)

* remove absent options (#5456)

* Remove consumed 4.30.0 changesets from main (#5454)

* cli links that are correct, or will be post publish (#5458)

* release db connect to solve chicken and egg problem in cypress-tools (#5459)

* Corrects documentation links (#5457)

* Corrects documentation links

* correct `guides` -> `guide`

---------

Co-authored-by: Miro Yovchev <2827783+myovchev@users.noreply.github.com>
Co-authored-by: Robert Means <robert@apostrophecms.com>
Co-authored-by: haroun <1765606+haroun@users.noreply.github.com>
Co-authored-by: Harouna Traoré <haroun@users.noreply.github.com>
Co-authored-by: Thomas Boutell <boutell@vcs.trox.local>
Co-authored-by: Stuart Romanek <stuart@apostrophecms.com>
Co-authored-by: RohithVangalla1 <reachrohithv@gmail.com>
Co-authored-by: Vangalla, Rohith <rohith.vangalla@optum.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Dipanshu singh <161134993+Dipanshusinghh@users.noreply.github.com>

* Latest security q2 (#5464)

* Bump CLI dependencies (#5383)

* Fix choices IDs (#5379)

* Fix choices IDs

* Cleanup dots from ID values

* Update changelog

Co-authored-by: Robert Means <robert@apostrophecms.com>

---------

Co-authored-by: Robert Means <robert@apostrophecms.com>

* Native browser shortcuts work again (#5384)

* Pro 8838 charset (#5385)

* Removes encoding option and comments hardcoded encoding meta

* add changeset

* Response to first comments

* Log aposResponse errors (#5386)

* log aposResponse errors

* add changeset

---------

Co-authored-by: Harouna Traoré <haroun@users.noreply.github.com>

* merge back the thanks (#5388)

* Postgres (#5365)

* postgres experimental WIP

* astonishingly, all mocha tests of apostrophe pass with this

* mocha tests pass, actual sites work

* lint clean

* listDatabases support, but changes are coming

* wip

* dump and restore updates

* backpressure, adequate handling of ObjectId for our needs (becomes its hex representation)

* mild performance optimization

* profiling

* testing issue resolved

* refactored to db-connect module, introduced sqlite adapter

* sqlite WIP

* debugging

* programmatic API for dump/restore/copy dbs

* linting, documentation

* MIT license

* text ranking is more accurate, documentation is more complete

* good full text search for sqlite

* updates for compatibility with the rest of the public and private modules, plus a few fixes to genuinely ambiguous tests

* requirements found by testing private modules

* fixes from full cypress run

* eslint passing

* restore permissions

* maximize atomicity

* bug fixes

* * exit properly when asset tests fail
* "npm test" tests all three adapters

* ignore claude-tools in eslint

* postgres and sqlite-inclusive ci matrix attempt

* clean up logs

* We hit github's limit on total configurations because every package gets its own matrix.

Solve that with grouping:

* apostrophe core
* All regular ecosystem packages other than core
* non-database-requiring packages
* mongodb-specific packages

This will probably speed it up too because it won't have to spin up a container a bazillion times.

* hardened the asset tests, made them less timing sensitive, fixed a bad commit resulting from the
way they dodgily patch themselves without a robust cleanup mechanism

* fix a root cause of asset test instability

* log mess

* implemented missing $size operator

* test compatibility

* advanced permission uses regex in $in

* regex in $in

* .db() should not make false promises in plain postgres mode, it should fail

* ability to specify a default adapter

* obsolete file

* put escapeHost back where it belongs

* dead code removal, test cleanup

* emulate-mongo-3-driver only needed in db-connect

* no claude logs in repo (tools are welcome)

* * shared aggregation implementation, other shared things
* optimize $match when it is the first step in aggregation, don't fetch the whole collection 😜
* multipostgres listDatabases() and .db() should return and expect "fully qualified virtual database names," e.g. physical_db_name-schemaname

* vanilla postgres should not attempt to use .db() with alternate names in tests

* documentation corrections

* documentation errors

* listDatabases and documentation corrections

* more edge cases revealed by latest work from Miro

* anchored prefix regexps are optimized
documentation improvements

* * matchesQuery in the aggregation cursor implementation doesn't throw on unrecognized operators. It should, and it should support the same mongodb operators that the regular find()
  path does in postgres/sqlite (our official subset), unless there is an extraordinary reason not to.

  * Similarly, the main query implementation for normal queries should throw on unrecognized operators if it doesn't already.

  * The dump/restore programmatic APIs in db-connect concern me. These involve returning the entire database as a string, which could exhaust memory. This impacts both utilities and
  also copyDatabase(). Could these APIs return and expect async iterators instead of strings?

  * The test "anchored regex on an indexed field uses a btree index search" runs explain on a query that's hardcoded in the test. Instead these SQL based adapters should expose a means
  to get the SQL for a query, so it can be directly tested. Otherwise this test proves nothing as changes to the adapter accumulate in future.

  * Why is this test searching for "at least 1" and not exactly 1?

  it('should find documents with null value', async function() {
    const docs = await db.collection('test').find({ value: null }).toArray();
    // MongoDB matches both null and missing fields with { value: null }
    expect(docs.length).to.be.at.least(1);
  });

  * What is the maximum size of a db-connect document in the postgres and sqlite adapters?

  * Update the copyright year in db-connect/LICENSE.md to 2025.

  * The db-connect README mentions: sqlite://:memory: What happens if you try to use .db('some-name') with that? I think it would be best to just not support throwaway in-memory sqlite
  databases because I doubt anyone would intentionally store a website in one.

* do not swallow dump/restore errors on indexes

* cover how to run the utilities

* fix detection of source

* separate sanitization for index names

* regex prefix safety

* pnpm

---------

Co-authored-by: Thomas Boutell <boutell@vcs.trox.local>

* forgot to include a changeset (#5390)

* ignore inline table array as draggable ui for windows (#5392)

* Layout focus orchestration (#5393)

* Pro 9405 remove hreflang (#5395)

* Remove hreflang generation and update README

* Add changeset

* Changeset update

* Pro 9406 base url (#5396)

* Removes `seoSiteCanonicalUrl`

* Update tests and remove missed log

* Change semver level

* Bump dependencies (#5398)

* Bump dependencies
* Fix missing test await resulting in random failures

* Merge commit from fork

* Merge commit from fork

* Merge commit from fork

* Merge commit from fork

* Security: added a number of new attributes to be protected against unsafe URLs, e.g. javascript: and similar. None of these are used in the default configuration of sanitize-html or apostrophe or likely to be used there, and some attributes, like an action for a form, are inherently unsafe to allow if XSS protection is your goal. Nevertheless it makes sense to block certain URL types where they are not appropriate. Thanks to [crattack](https://github.com/crattack) for reporting the vulnerability.

* changeset

* removed duplicate changeset

* patch the right module

---------

Co-authored-by: Miro Yovchev <2827783+myovchev@users.noreply.github.com>
Co-authored-by: Robert Means <robert@apostrophecms.com>
Co-authored-by: haroun <1765606+haroun@users.noreply.github.com>
Co-authored-by: Harouna Traoré <haroun@users.noreply.github.com>
Co-authored-by: Thomas Boutell <boutell@vcs.trox.local>
Co-authored-by: Stuart Romanek <stuart@apostrophecms.com>
Co-authored-by: RohithVangalla1 <reachrohithv@gmail.com>
Co-authored-by: Vangalla, Rohith <rohith.vangalla@optum.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Dipanshu singh <161134993+Dipanshusinghh@users.noreply.github.com>

* release and changelog edits (#5465)

* changelogs

* formatting

* Hotfix cli links (#5469)

* Fix broken link

* Add changeset

* Create apostrophe hotfix (#5470)

* Hotfix cli links (#5469)

* Fix broken link

* Add changeset

* create-apostrophe hotfix

---------

Co-authored-by: Robert Means <robert@apostrophecms.com>

---------

Co-authored-by: Miro Yovchev <2827783+myovchev@users.noreply.github.com>
Co-authored-by: Robert Means <robert@apostrophecms.com>
Co-authored-by: haroun <1765606+haroun@users.noreply.github.com>
Co-authored-by: Harouna Traoré <haroun@users.noreply.github.com>
Co-authored-by: Stuart Romanek <stuart@apostrophecms.com>
Co-authored-by: Thomas Boutell <boutell@vcs.trox.local>
Co-authored-by: RohithVangalla1 <reachrohithv@gmail.com>
Co-authored-by: Vangalla, Rohith <rohith.vangalla@optum.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Dipanshu singh <161134993+Dipanshusinghh@users.noreply.github.com>

* fix: treat col as a self-closing tag
* Add explicit test for inline configuration collapsing

* Update test reason

* Better contract definition
* First stab at redirects

* Add changeset

* Response to first review

7 participants