All Versions
Latest Version
Avg Release Cycle
8 days
Latest Release
1 day ago

Changelog History
Page 1

  • v2.111.0

    August 12, 2020
    • 🔧 By popular request, "Add Widget" dropdown menus are better organized now, with support for categories of widgets. You can configure this optional feature like so:
    apos.area(, 'areaNameHere', {
      widgets: { ... you must configure your widgets as usual ... }
      widgetGroups: {
        'Content': [ 'apostrophe-rich-text', 'apostrophe-images' ],
        'Layout': [ 'one-column', 'two-column' ]

    🔧 Every widget type you specify for widgetGroups must still be configured in widgets.

    If widgetGroups is not present the "add widget" dropdown menu will appear as it always did.

    • ✂ Removes the aposBody template macro, which was unused.
  • v2.110.1

    August 12, 2020
    • ✂ Removes the aposBody template macro, which was unused.
  • v2.110.0

    July 29, 2020
    • 🔒 Security: added support for throttling login attempts. If you set the throttle option of apostrophe-login to { allowedAttempts: 3, perMinutes: 1, lockoutMinutes: 1 }, a user will be locked out and unable to try again for 1 minute after three failed login attempts in 1 minute. Thanks to Michelin for making this work possible via Apostrophe Enterprise Support.
    • Schemas: you may now set a regular expression to be used to validate any string schema field by setting the pattern property of the schema field. Please note that pattern must be a string, not a regular expression literal. Otherwise it will only be validated on the server side, causing confusion for the user when it 💻 is not reported on the browser side. You may also set patternErrorMessage to provide a clear explanation to the user when their input does not match. When setting pattern as a string always remember to escape the \ character properly (you will often need two \ characters, for instance \\w). To avoid Denial of Service attacks, take care to avoid evil regular expressions.
    • 🔒 Security: added an apostrophe-login:before promise event which is emitted with (req) before a login attempt is evaluated. If a handler throws a string as an error, that string is internationalized and displayed as a login error, otherwise login proceeds normally. This can be used to implement features like the new apostrophe-login-recaptcha module, which you can install separately.
    • 🔒 Security: to ease implementation of apostrophe-login-recaptcha, the login form now has data-apos-login-form and data-apos-login-submit-button attributes on the appropriate elements.
    • 📚 Security: when requiring Google Authenticator or a similar app for login (TOTP), you may now limit the requirement to certain groups, by passing a setting like totp: { groups: true } to the apostrophe-login module rather than just totp: true. Admins may then select which groups actually require TOTP by selecting it when editing the group (look at the permissions tab). In addition, the existing totp option has been added to the module documentation.
  • v2.109.0

    July 15, 2020
    • ➕ Add heic-to-jpeg-middleware to support uploading heic/heif images (the standard format for recent iPhones/iPads). Many thanks to Gabriel L. Maljkovich for their contributions to the underlying middleware as well as the integration with Apostrophe.
    • ➕ Add CSS to maintain spacing of admin UI.
  • v2.108.1

    July 01, 2020
    • 📚 Updates documentation of the clonePermanent utility method.
    • 🔧 The http response to dismissing a notification should not include any information about the mongodb connection. The response previously included relatively low-risk information, including the IP address of the MongoDB server but not enough to make an unauthorized connection when the MongoDB server and/or firewall are properly configured.
  • v2.108.0

    June 17, 2020
    • 👀 UX improvement: if a piece type has the contextual: true option set and workflow is present, do not default published to false. There is already a good opportunity to review before the public sees the piece afforded by workflow.

    • 👯 If called with a scalar argument, apos.utils.clonePermanent now returns scalars (strings, booleans, numbers) as-is. This makes it easier to use the method when the argument might or might not be an object that requires cloning.

  • v2.107.2

    June 10, 2020
    • 🛠 Fixed a regression that caused difficulty saving array fields with color subfields in their schema. This regression was introduced in 2.107.0.
  • v2.107.1

    May 29, 2020
    • The distinctCounts feature (also known as counts: true for piecesFilters) is now compatible with the apostrophe-db-mongo-3-driver module, when in use. Note that there is little benefit to that module now that emulate-mongo-2-driver is standard in Apostrophe and employs the MongoDB 3.x driver under the hood but provides a 2.x-compatible API. However those who strongly prefer the 3.x driver APIs for direct MongoDB queries may use apostrophe-db-mongo-3-driver with more confidence given this fix.
  • v2.107.0

    May 20, 2020
    • ⚡️ CKEditor has been updated to version 4.14, addressing a low-risk XSRF vulnerability. The vulnerability required that the source code editor feature be activated and that a user with editing privileges be convinced to import specially crafted markup, which is unlikely in practice.
    • 👉 Users may now intentionally clear a time field, whether or not it has a def setting, in which case it is stored as null (unless required: true is present). The inability to do this was a regression introduced in version 2.102.0.
    • 📚 Developers can now pass a spectrumOptions object to a color field and take full control of Spectrum, the plugin that powers Apostrophe's color picker. Documentation for this configuration here.
    • 👀 Activating the objectNotation option to i18n no longer causes problems for certain strings in Apostrophe's admin interface, which does not use it. You will see alternate Unicode characters for the : and . characters in these strings if you do choose to translate them. These are transformed back for end users.
  • v2.106.4

    May 20, 2020
    • 👉 Users may now intentionally clear a time field, whether or not it has a def setting, in which case it is stored as null (unless required: true is present). The inability to do this was a regression introduced in version 2.102.0.