This release was deprecated due to a mistake

5.49.0 (2026-06-24)

🚀 New feature

• mcp: export defineTool/defineResource/definePrompt builders (#26603)

🔥 Bug fix

• add support for initiallySelectedAssets (#26679)
• homepage dashboard duplicates entries for users with multiple roles (#25860)
• avoid buffering large uploads for MIME detection (#26678)
• throw ValidationError when populate exceeds qs arrayLimit (#25632, #25916)
• push anchor into view to prevent off-screen tooltips (#26303)
• admin: support array of links in StrapiApp.addSettingsLink (#26433)
• admin: admin users logged out mid-session by access-token expiry timer (#26680)
• content-manager: use top-level Core type import in MCP types (#26681)
• content-manager: save draft with Cmd/Ctrl+Enter, publish with Cmd/Ctrl+Shift+Enter (#26621)
• content-manager: reduce MCP relation output to identity-only shape (#26560)
• content-manager: deduplicate MCP tool names when plugin has multiple content types (#26710)
• core/core: mcp misleading lifecycle docs (#26698)
• create-strapi-app: allow pnpm to build better-sqlite3 for SQLite scaffolds (#26675)
• data-transfer: transfer admin menu and auth logos with configuration (#26425)
• database: stop full-schema component_type IN on dynamic zone populate (#26734)
• document-service: preserve published relations from non-dp sources (#26654)
• strapi: default allowedHosts and pin Vite HMR to main server in dev (#26244)
• types: add explicit return types to recursive functions (#26704)

📚 Documentation Changes

• fix spelling typos in content-manager relations guide (#26724)

⚙️ Chore

• removing coderabbit status (#26703)
• core: upgrade package-json to 10.0.1 + rollup interop 'auto' (#26673)
• deps: bump markdown-it from 14.1.1 to 14.2.0 in the richtext-editor-security group across 1 directory (#26688)
• deps: bump dompurify from 3.4.5 to 3.4.9 (#26684)
• deps: bump nodemailer from 8.0.5 to 8.0.9 (#26689)
• deps: bump tar from 7.5.11 to 7.5.16 (#26691)
• deps: bump form-data from 4.0.4 to 4.0.6 (#26692)
• deps: bump anthropics/claude-code-action from 1.0.123 to 1.0.132 (#26727)
• deps: bump piscina from 4.9.2 to 4.9.3 (#26716)
• deps: bump undici from 6.25.0 to 6.27.0 (#26714)
• deps: bump dompurify from 3.4.9 to 3.4.11 (#26719)
• deps-dev: bump @babel/core (#26667)

💅 Enhancement

• upload: add optional replace method to upload providers (#26582)

❤️ Thank You

• akash-dabhi-qed @akash-dabhi-qed
• Andrei L @unrevised6419
• Andrew Bone
• Bassel Kanso @Bassel17
• Ben Irvin
• Giulio Montagner @giu1io
• guoyangzhen
• jasleenkaur-qed42
• Nico André
• Shivam S @BIGSUS24
• Simon Norris @cache-your-dreams
• Travis Swientek @travelton
• Vallabh Mahajan @Vallabh-1504
• Vishal Kumar Singh @singhvishalkr

⚠️ Changes to be aware of

Content Manager keyboard shortcuts

Save a draft with Cmd/Ctrl+Enter (or Cmd/Ctrl+S). Publish with Cmd/Ctrl+Shift+Enter. Since v5.31.3, plain Cmd/Ctrl+Enter published immediately — that shortcut now saves instead. (#26621)

The Debian LTS Team, funded by Freexian’s Debian LTS offering, is pleased to report its activities for May.

Activity summary

During the month of May, 21 contributors have been paid to work on Debian LTS (links to individual contributor reports are located below).

The team released 56 DLAs fixing 877 CVEs.

May was a much busier month than usual, especially due to the disclosed vulnerabilities on linux regarding Local Privilege Escalation (LPE), that included public proof-of-concept (PoC) exploits. These reports of course impacted Debian as a whole, and the situation warrants a special mention to the Kernel Team, especially Ben Hutching and Salvatore Bonaccorso, who faced the pace and released linux packages on a weekly basis. On the LTS side, the Front Desk team also triaged a significant flow of high severity CVEs.

It is also important to note that Debian 12 (“bookworm”) will be handed over to the LTS Team on June 11th. If you benefit from Debian, especially during the full 5-year lifecycle, please consider subscribing as a sponsor of Debian LTS: https://www.freexian.com/lts/debian/.

Moreover, Debian 11 (“bullseye”) will reach the end of the Debian LTS period on August 31st. After that, Freexian will continue the security support under the Extended LTS offer.

The team published several notable updates:

• As mentioned above, several exploitable LPE vulnerabilities in linux were published during May. Ben released the following DLAs for the Debian LTS versions:
  • DLA 4560-1 for linux (5.10)
  • DLA 4561-1 for linux-6.1
  • DLA 4572-1 for linux (5.10)
  • DLA 4574-1 for linux-6.1
  • DLA 4587-1 for linux (5.10)
  • DLA 4588-1 for linux-6.1
  • DLA 4606-1 for linux (5.10)
  • DLA 4607-1 for linux-6.1
• exim update (DLA-4580-1), prepared by Thorsten, to address a vulnerability that may result in remote code execution.
• gnutls28 update (DLA-4595-1) by Guilhem Moulin, fixes several vulnerabilities that may result in execution of arbitrary code, information leak, authentication bypass, among other impacts.
• krb5 updates released as DLA-4603-1, fixing two vulnerabilities that may yield to a denial of service. Updated prepared by Emmanuel Arias
• lemonldap-ng (DLA-4602-1), released by Abhijith PA, fixing multiple vulnerabilities
• Two imagemagick updates (DLA-4559-1 and DLA-4609-1), prepared by Bastien Roucariès, fixing several vulnerabilities
• openjdk-11 and openjdk-17 updates (DLA-4566-1 and DLA-4565-1), both prepared by Emilio, to fix seven vulnerabilities.
• php7.4 update (DLA-4586-1) to fix six vulnerabilities that could result in remote code execution, information disclosure or denial of service. Update prepared by Guilhem Moulin.
• python3.9 update (DLA-4583-1), prepared by Arnaud Rebillout, addressing multiple vulnerabilities.

Contributions from outside the LTS Team:

We are greatly thankful for the contributions from people outside the LTS Team:

• Colin Watson prepared an OpenSSH update, that was released by Santiago as DLA-4584-1.
• Thomas Goirand handled a keystone update, whose advisory was done by Santiago and released as DLA-4611-1.
• Christopher Obbard kindly prepared a sentry-python update, released as DLA-4612-1.
• Christoph Goehre made two thunderbird updates (DLA-4562-1 and DLA-4582-1). As is customary, Emilio released the advisories.

The LTS Team has also contributed with updates to the latest Debian releases:

• Andreas proposed a firewalld update for bookworm to fix a local issue that may result in bypass control rules.
• Andreas proposed atril updates for trixie and bookworm.
• Arnaud did a python3.11 upload for bookworm.
• Arnaud proposed libarchive updates for trixie and bookworm.
• Arnaud completed the systemd update for bookworm.
• Bastien completed the uploads of gpsd for bookworm. He also did an upload of apache2 for bookworm.
• Emmanuel uploaded updates of libexif for trixie and bookworm
• Jochen Sprickerhof prepared pyjwt update for trixie and bookworm, released as DSA-6259-1.
• Lukas Märdian prepared trixie and bookworm updates for nghttp2, released as DSA-6266-1.
• Markus prepared updates of tomcat11 and tomcat10, released as DSA-6329-1 (for trixie) and DSA-6328-1 (for trixie and bookworm), respectively.
• Continuing the work to replace the unmaintained p7zip fork with 7zip, Sylvain prepared trixie and bookworm updates of 7zip.
• Thorsten completed the uploads of zvbi, taglib and libuev to bookworm and did an upload of libcoap3 for wtrixie.
• Tobi prepared libpng1.6 updates for trixie and bookworm, released as DSA-6263-1.

Moreover, thanks to our partnership with Catalyst, it has been possible to extend the support for Samba 4.17, the version shipped with Debian 12. In May, several vulnerabilities were disclosed, and their patches were prepared by Catalyst. For Debian 12, the update was prepared by the Samba maintainer and released as DSA-6297-1.

Individual Debian LTS contributor reports

• Abhijith PA
• Andreas Henriksson
• Andrej Shadura
• Arnaud Rebillout
• Bastien Roucariès
• Ben Hutchings
• Carlos Henrique Lima Melara
• Chris Lamb
• Daniel Leidert
• Emmanuel Arias
• Emilio Pozuelo Monfort
• Guilhem Moulin
• Jochen Sprickerhof
• Lee Garrett
• Lucas Kanashiro
• Lukas Märdian
• Markus Koschany
• Santiago Ruano Rincón
• Sylvain Beucler
• Thorsten Alteholz
• Tobias Frost

Thanks to our sponsors

Sponsors that joined recently are in bold.

• Platinum sponsors:
  • Toshiba Corporation (for 128 months)
  • Civil Infrastructure Platform (CIP) (for 96 months)
  • VyOS Inc (for 61 months)
• Gold sponsors:
  • F. Hoffmann-La Roche AG (for 139 months)
  • CONET Deutschland GmbH (for 122 months)
  • University of Oxford (for 78 months)
  • EDF SA (for 50 months)
  • Dataport AöR (for 25 months)
  • CERN (for 23 months)
• Silver sponsors:
  • Domeneshop AS (for 143 months)
  • Nantes Métropole (for 137 months)
  • Akamai - Linode (for 133 months)
  • Univention GmbH (for 129 months)
  • Université Jean Monnet de St Etienne (for 129 months)
  • Ribbon Communications, Inc. (for 123 months)
  • Exonet B.V. (for 113 months)
  • Leibniz Rechenzentrum (for 107 months)
  • Ministère de l’Europe et des Affaires Étrangères (for 91 months)
  • Dinahosting SL (for 78 months)
  • Upsun Formerly Platform.sh (for 72 months)
  • Moxa Inc. (for 66 months)
  • sipgate GmbH (for 64 months)
  • OVH US LLC (for 62 months)
  • Tilburg University (for 62 months)
  • GSI Helmholtzzentrum für Schwerionenforschung GmbH (for 53 months)
  • THINline s.r.o. (for 26 months)
  • Copenhagen Airports A/S (for 20 months)
  • Conseil Départemental de l’Isère (for 6 months)
• Bronze sponsors:
  • Seznam.cz, a.s. (for 144 months)
  • Evolix (for 143 months)
  • Linuxhotel GmbH (for 141 months)
  • Intevation GmbH (for 140 months)
  • Daevel SARL (for 139 months)
  • Megaspace Internet Services GmbH (for 138 months)
  • Greenbone AG (for 137 months)
  • NUMLOG (for 137 months)
  • WinGo AG (for 136 months)
  • Entr’ouvert (for 128 months)
  • Adfinis AG (for 125 months)
  • Plat’Home (for 122 months)
  • Laboratoire LEGI - UMR 5519 / CNRS (for 120 months)
  • Tesorion (for 120 months)
  • Bearstech (for 111 months)
  • LiHAS (for 111 months)
  • Catalyst IT Ltd (for 106 months)
  • Demarcq SAS (for 100 months)
  • Université Grenoble Alpes (for 86 months)
  • TouchWeb SAS (for 78 months)
  • SPiN AG (for 75 months)
  • CoreFiling (for 71 months)
  • Observatoire des Sciences de l’Univers de Grenoble (for 62 months)
  • Tem Innovations GmbH (for 57 months)
  • WordFinder.pro (for 57 months)
  • CNRS DT INSU Résif (for 56 months)
  • Soliton Systems K.K. (for 51 months)
  • Alter Way (for 48 months)
  • SOBIS Software GmbH (for 23 months)
  • Tuxera Inc. (for 15 months)
  • OPM-OP AS (for 6 months)

Wat als alles wat je deze week leuk, belangrijk of de moeite waard vond, gewoon gekocht was? Van de Superbowl-show van Bad Bunny tot Sydney Sweeney en haar “good jeans”, alles wordt geëngineerd door clipping farms en legers fake accounts. Het liefst in twee ruziënde kampen tegelijk, zodat journalisten zich er als useful idiots op storten. Bij Bad Bunny kwam een kwart van alle 3,7 miljoen posts van minder dan vier procent van de accounts. Reken maar uit.

Het ongemakkelijke gevolg: bereik is dus te koop, spotgoedkoop zelfs, en daarmee bijna niks meer waard. FVD speelt het spel al meedogenloos, terwijl de rest nog cringe ministersfilmpjes op LinkedIn zet. En precies daar komt Ernst-Jan, oftewel DutchProBlogger, met zijn vaste advies waar hij al twintig jaar gelijk in heeft: begin nou een nieuwsbrief, begin nou een podcast. Want als content bijna gratis wordt, blijft er nog één ding over dat niemand kan kopen: vertrouwen. Tim Ferriss zag zijn boekverkoop door AI met 57 procent kelderen en valt terug op duizend echte fans. De moraal is even simpel als urgent: het venster om je eigen publiek op te bouwen sluit.

Sterkte. En pas op voor Alexander Slopping.

Deze aflevering wordt mede mogelijk gemaakt door Denkproducties. Schrijf je via denkproducties.nl/pom in voor het Amsterdam Business Forum en je krijgt als POM-luisteraar automatisch toegang tot een exclusieve sessie met Seth Godin.

Door lezen over Carbon Equity, dat investeert in bedrijven die het klimaat redden, zoals Carbon Cure dat CO2 opslaat in beton? Kijk dan op carbonequity.com

En dan nog zelfpromo in relatie tot POM: bij AI Report draait een webinarreeks over hoe je een persoonlijk kennissysteem bouwt waar je taalmodel uit kan putten. Drie hoorcolleges, voor twaalf euro ben je al binnen via aireport.nl

The Extended Stable channel has been updated to 148.0.7778.280 for Windows and Mac which will roll out over the coming days/weeks.

The Stable channel has been updated to 149.0.7827.196/197 for Windows and Mac and 149.0.7827.196 for Linux, which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log

Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.

Daniel Yip

Google Chrome