v11.17.4

30 April 2026 at 19:21

✨ New Features & Improvements

  • @directus/app
    • Updated the token field on the user detail page to require confirmation before regenerating or removing a token, and saved those changes immediately without requiring a page-level save. (#27108 by @LZylstra)
  • @directus/api
    • Added opt-in must-revalidate and ETag headers for assets via ASSETS_CACHE_REVALIDATE env var (#27027 by @gaetansenn)
    • Added a force option to schema apply to bypass hash check (#27136 by @Nitwel)
  • @directus/env
    • Added opt-in must-revalidate and ETag headers for assets via ASSETS_CACHE_REVALIDATE env var (#27027 by @gaetansenn)
  • @directus/sdk
    • Added a force option to schema apply to bypass hash check (#27136 by @Nitwel)

🐛 Bug Fixes & Optimizations

  • @directus/app
    • Fixed UI freeze when navigating items with WYSIWYG translations for non-admin users (#27154 by @gaetansenn)
    • Fixed selection not being cleared after running a manual flow from the collection list view sidebar (#27330 by @kropsi)
    • Fixed "Save as copy" in the file library throwing a 403 Forbidden error (#27181 by @sanskar-soni-9)
    • Fixed user token not being displayed after generation when collaboration is enabled (#27319 by @LZylstra)
    • Prevented filter popup being closed when reordering filters (#27324 by @HZooly)
    • Fixed icon flash in navigation sidebar for bookmarks without an icon (#27329 by @HZooly)
    • Migrated @directus/visual-editing into the monorepo (#27157 by @formfcw)
  • @directus/api
  • @directus/types
    • Added a force option to schema apply to bypass hash check (#27136 by @Nitwel)
  • @directus/visual-editing
    • Migrated @directus/visual-editing into the monorepo (#27157 by @formfcw)
    • Fixed the edit handler firing twice when clicking an overlay button directly (#27157 by @formfcw)
  • @directus/utils
    • Migrated @directus/visual-editing into the monorepo (#27157 by @formfcw)
  • @directus/sdk
  • @directus/composables

📦 Published Versions

  • @directus/app@15.10.0
  • @directus/api@35.2.0
  • @directus/composables@11.4.1
  • create-directus-extension@11.0.36
  • @directus/env@5.8.0
  • @directus/extensions@3.0.25
  • @directus/extensions-registry@3.0.26
  • @directus/extensions-sdk@17.1.4
  • @directus/memory@3.1.8
  • @directus/pressure@3.0.22
  • @directus/schema-builder@0.0.20
  • @directus/storage-driver-azure@12.0.22
  • @directus/storage-driver-cloudinary@12.0.22
  • @directus/storage-driver-gcs@12.0.22
  • @directus/storage-driver-s3@12.1.8
  • @directus/storage-driver-supabase@3.0.22
  • @directus/themes@1.3.3
  • @directus/types@15.0.3
  • @directus/utils@13.4.1
  • @directus/validation@2.0.23
  • @directus/visual-editing@2.0.1
  • @directus/sdk@21.3.0
  • @directus/sandbox@0.0.0

BookStack v26.03.4

30 April 2026 at 12:43

Security Release

This is a security release to improve attachment related permission checks, and URL validation for webhooks.

Upgrade is advised if you allow untrusted users to delete attachments, or if untrusted users have permission to create webhooks on instances which make use of the ALLOWED_SSR_HOSTS BookStack env file option.

Thanks to 404_pkj (GitHub) and naruhodoowl (GitHub) for responsibly reporting these issues.

Full List of Changes

  • Updated PHP package versions.
  • Updated attachment actions to align page access check.
  • Updated URL validation in webhooks to help prevent escaping workarounds.
  • Fixed issue where exact search term negation would lead to no results. (#6121)
