v5.50.0

5.50.0 (2026-07-02)

🚀 New feature

  • admin: add active devices session management (#26628)
  • cli: add security defaults to create-strapi-app templates (#26737)
  • database: export lifecycle event type (#25637)
  • provider-email-sendgrid: add region option for EU data residency (#25907)
  • provider-upload-aws-s3: accept a credential provider function (#26796)
  • translations: comprehensive Japanese (ja) translation update for admin and 9 plugins (#26687)
  • ts: augment all context error response methods (#25424)

🔥 Bug fix

  • refresh token cookies missing Max-Age when sessions.cookie.maxAg… (#26747)
  • add test database healthchecks (#26511)
  • generate apis in named directories (#26354)
  • admin: retry lazy chunk loads and improve loading and error UX (#25954)
  • admin: open "Upgrade your admin panel" link in new tab (#26510)
  • admin: remove @ts-expect-error in useQueryParams hook (#25006)
  • admin: hide boolean clear action when field is disabled (#26294)
  • admin: restore default locale in permissions when adding i18n to ct (#26548)
  • admin: keep static fallback paths url-safe (#26518)
  • admin: stop storing IP addresses in session metadata (#26873)
  • ci: use allowlisted thollander action ref in experimental publish workflow (#26768)
  • content-api: validate populate for polymorphic structures (#25854)
  • content-manager: warn before publishing with draft relations (#26736)
  • content-manager: use ListViewTable relation-loaded translation key (#26798)
  • content-manager: serve live preview script from server endpoint (#26732)
  • content-manager: capitalize component category names in dynamic zone (#24426, #26337)
  • content-manager: add Japanese EditView shortcut hint translations (#26814)
  • content-manager: prevent dynamic zone crash when value is null (#26816)
  • content-manager: skip publish warning for M2M links to published entries (#26858)
  • content-type-builder: improve component category validation error message (#25455)
  • core: preserve M2M relation order on published version after reo… (#26791)
  • core: maxFileSize error not detected in body middleware (#25011)
  • core: resolve relations on non-localized entries with stale locale column (#26805)
  • create-strapi-app: scaffold pnpm 11 allowBuilds for Strapi Cloud (#26757)
  • create-strapi-app: enable strict TypeScript in app scaffolds (#26779)
  • create-strapi-app: limit odd Node major warning to versions before 26 (#26810)
  • data-transfer: restore localizations links that use document_id refs (#26870)
  • graphql: preserve M2M relation order with pagination (#26577, #26785)
  • test: tighten jest ignore patterns to match path segments (#26753)
  • translations: correct ja "characters" mistranslation in WYSIWYG controls (#26845)
  • types: tighten Core.Config typings with backward-compatible deprecations (#26787)
  • upload: disable asset editing and deletion on published entries (#26127)
  • users-permissions: accept documentId for the role relation on user create/update (#26715)
  • users-permissions: correct "occured" → "occurred" typo in error notifications (#26508)
  • utils: prevent crash on null dynamic zone entry during traversal (#24303, #26842)

📚 Documentation Changes

  • fix typos and grammar slips in content-manager docs (#26600)

⚙️ Chore

  • add ai-tooling sync script for skill symlinks (#26594)
  • rename ai-tooling yarn scripts to ai:* (#26767)
  • reduce Vercel noise on PRs (contributor-docs ignore step) (#26772)
  • cloud plugin updates (#26801)
  • update cli deploy copies (f0fa460525)
  • deps: hoist @types/node to root and align with 20, min supported engine (#26291)
  • deps: upgrade TypeScript to 5.9.3 (#26782)
  • deps: bump hono from 4.12.23 to 4.12.27 (#26761)
  • deps: bump design-system to v2.2.1 (#26788)
  • deps: bump axios from 1.18.0 to 1.18.1 (#26762)
  • deps: upgrade lint-staged to 16 and scope linting to staged files (#26765)
  • deps: remove unused @strapi/ts-zen dev dependency (#26759)
  • typescript: enable erasableSyntaxOnly and noUncheckedSideEffectImports (#26790)
  • workflows: make documentation flag name more obvious (#26649)

💅 Enhancement

  • admin: add uz-Cyrl native name to languageNativeNames (#24920)
  • strapi: lazy-load TypeScript chain for non-build CLI commands (#26265)
  • utils: add env.required for strict scaffold secrets (#26830)

🚨 Security

  • users-permissions: default legacy JWT verify to HS256 (#26752)

❤️ Thank You

BookStack v26.05.2

Security Release

This is a security release that addresses some edge-case vulnerabilities related to URL filtering, redirect handling, and permission checking. It also updates dependencies to help prevent known potential vulnerabilities in them from being exploited.

Upgrading is advised for instances with public access enabled, or for instances where untrusted users are able to edit content.

Thanks to Gurmandeep Deol (LinkedIn) and MFK25 for responsibly reporting issues addressed in this release.

Full List of Changes

  • Added Serbian language to language_select array. Thanks to @PolarniMeda. (#6153)
  • Updated PHP package versions.
  • Updated translations with the latest crowdin changes.
  • Updated content allow-filtering to consider protocols used in srcset attributes.
  • Updated URL filtering with a more thorough centralized utility class.
  • Updated comment delete action to also check comment visibility permissions.
  • Updated referring URL use with stronger source validation.
  • Updated translations with latest crowdin changes. (#6166)
