# Changelog ## UNRELEASED ### Adds * Adds focus states for media library's Uploader tile * Adds focus states file attachment's input UI * Simplified importing rich text widgets via the REST API. If you you have HTML that contains `img` tags pointing to existing images, you can now import them all quickly. When supplying the rich text widget object, include an `import` property with an `html` subproperty, rather than the usual `content` property. You can optionally provide a `baseUrl` subproperty as well. Any images present in `html` will be imported automatically and the correct `figure` tags will be added to the new rich text widget, along with any other markup acceptable to the widget's configuration. ### Changes * The various implementations of `newInstance` found in Apostrophe, e.g. for widgets, array items, relationship fields and documents themselves, have been consolidated in one implementation. The same code is now reused both on the front and the back end, ensuring the same result without the need to introduce additional back end API calls. ### Fixes * Uploaded SVGs now permit `` tags granted their `xlink:href` property is a local reference and begins with the `#` character. This improves SVG support while mitgating XSS vulnerabilities. * Default properties of object fields present in a widget now populate correctly even if never focused in the editor. ## 4.7.0 (2024-09-05) ### Changes * UI and UX of inline arrays and their table styles ### Adds * To aid debugging, when a file extension is unacceptable as an Apostrophe attachment the rejected extension is now printed as part of the error message. * The new `big-upload-client` module can now be used to upload very large files to any route that uses the new `big-upload-middleware`. * Add option `skipReplace` for `apos.doc.changeDocIds` method to skip the replacing of the "old" document in the database. * The `@apostrophecms/i18n` module now exposes a `locales` HTTP GET API to aid in implementation of native apps for localized sites. * Context menus can be supplied a `menuId` so that interested components can listen to their opening/closing. * Allow to set mode in `AposWidget` component through props. * Add batch operations to pages. * Add shortcuts to pages manager. * Add `replaces` (boolean, `false` by default) option to the context operation definition (registered via `apos.doc.addContextOperation()`) to allow the operation to require a replace confirmation before being executed. The user confirmation results in the Editor modal being closed and the operation being executed. The operation is not executed if the user cancels the confirmation. ### Changes * Wait for notify before navigating to a new page. * Send also `checkedTypes` via the pages body toolbar operations (e.g. 'batch') to the modal. ### Fixes * Fix link to pages in rich-text not showing UI to select page during edit. * Bumps `uploadfs` dependency to ensure `.tar.gz`, `.tgz` and `.gz` files uploaded to S3 download without double-gzipping. This resolves the issue for new uploads. * Registering duplicate icon is no longer breaking the build. * Fix widget focus state so that the in-context Add Content menu stays visible during animation * Fix UI of areas in schemas so that their context menus are layered overtop sibling schema fields UI * Fix unhandled promise rejections and guard against potential memory leaks, remove 3rd party `debounce-async` dependency * Adds an option to center the context menu arrow on the button icon. Sets this new option on some context menus in the admin UI. * Fixes the update function of `AposSlatLists` so that elements are properly reordered on drag ## 4.6.1 (2024-08-26) ### Fixes * Registering duplicate icon is no longer breaking the build. * Fix widget focus state so that the in-context Add Content menu stays visible during animation. * Fix UI of areas in schemas so that their context menus are layered overtop sibling schema fields UI. ### Removes * Inline array option for `alwaysOpen` replaced with UI toggles ## 4.6.0 (2024-08-08) ### Adds * Add a locale switcher in pieces and pages editor modals. This is available for localized documents only, and allows you to switch between locales for the same document. The locale can be switched at only one level, meaning that sub documents of a document that already switched locale will not be able to switch locale itself. * Adds visual focus states and keyboard handlers for engaging with areas and widgets in-context * Adds method `simulateRelationshipsFromStorage` method in schema module. This method populates the relationship field with just enough information to allow convert to accept it. It does not fully fetch the related documents. It does the opposite of prepareForStorage. * A new options object has been added to the convert method. Setting the `fetchRelationships` option to false will prevent convert from actually fetching relationships to check which related documents currently exist. The shape of the relationship field is still validated. ### Changes * Refactors Admin UI SASS to eliminate deprecation warnings from declarations coming after nested rules. * Bumps the sass-loader version and adds a webpack option to suppress mixed declaration deprecation warnings to be removed when all modules are updated. * Add `title` and `_url` to select all projection. * Display `Select all` message on all pages in the manager modal. * Refresh `checked` in manager modal after archive action. * Update `@apostrophecms/emulate-mongo-3-driver` dependency to keep supporting `mongodb@3.x` queries while using `mongodb@6.x`. * Updates rich text link tool's keyboard key detection strategy. * Buttons that appear on slats (preview, edit crop/relationship, remove) are visually focusable and keyboard accessible. * Added tooltip for update button. Thanks to [gkumar9891](https://github.com/gkumar9891) for this addition. ### Fixes * Fixes the rendering of conditional fields in arrays where the `inline: true` option is used. * Fixes the rich text link tool's detection and display of the Remove Link button for removing existing links * Fixes the rich text link tool's detection and display of Apostrophe Page relationship field. * Overriding standard Vue.js components with `editorModal` and `managerModal` are now applied all the time. * Accommodate old-style replica set URIs with comma-separated servers by passing any MongoDB URIs that Node.js cannot parse directly to the MongoDB driver, and avoiding unnecessary parsing of the URI in general. * Bump `oembetter` dependency to guarantee compatibility with YouTube. YouTube recently deployed broken `link rel="undefined"` tags on some of their video pages. * It is now possible to see the right filename and line number when debugging the admin UI build in the browser. This is automatically disabled when `@apostrophecms/security-headers` is installed, because its defaults are incompatible by design. ## 4.5.4 (2024-07-22) ### Fixes * Add a default projection to ancestors of search results in order to load a reasonable amount of data and avoid request timeouts. ## 4.5.3 (2024-07-17) ### Fixes * Enhanced media selection with touchpad on Windows by extending focus timeout. ## 4.5.2 (2024-07-11) ### Fixes * Ensure that `apos.doc.walk` never gets caught in an infinite loop even if circular references are present in the data. This is a hotfix for an issue that can arise when the new support for breadcrumbs in search results is combined with a more inclusive projection for page ancestors. * Correct a longstanding bug in `apos.doc.walk` that led items to be listed twice in the `ancestors` array passed to the iterator. * Correct a longstanding bug in `apos.doc.walk` that led ancestors that are themselves arrays to be misrepresented as a series of objects in the `ancestors` array passed to the iterator. * For additional guarantees of reliability the `_dotPath` and `_ancestors` arguments to `apos.doc.walk`, which were always clearly documented as for internal use only, can no longer be passed in externally. ## 4.5.1 (2024-07-11) ### Changes * Allow tiptap rich-text widget to open modals for images and links without closing the toolbar. ## 4.5.0 (2024-07-10) ### Adds * Allow to disable shortcut by setting the option `shortcut: false` * Adds a new color picker tool for the rich-text-widget toolbar that matches the existing `color` schema field. This also adds the same `pickerOptions` and `format` options to the rich-text-widget configuration that exist in the `color` schema field. * Add missing UI translation keys. * Infite scroll in media manager instead of pagination and related search fixes. * Improves loaders by using new `AposLoadingBlock` that uses `AposLoading` instead of the purple screen in media manager. * Select the configured aspect ratio and add `data-apos-field` attributes to the fields inside `AposImageRelationshipEditor.vue`. * Add `getShowAdminBar` method. This method can be overriden in projects to drive the admin bar visibility for logged-in users. ### Fixes * Removes unnecessary, broadly applied line-height setting that may cause logged-in vs logged-out visual discrepencies. * Remove double GET request when saving image update. * Fix filter menu forgetting selecting filters and not instantiating them. * Remove blur emit for filter buttons and search bar to avoid re requesting when clicking outside… * `this.modified` was not working properly (set to false when saving). We can now avoid to reload images when saving no changes. * In media manager images checkboxes are disabled when max is reached. * In media manager when updating an image or archiving, update the list instead of fetching and update checked documents to see changes in the right panel selected list. * The `password` field type now has a proper fallback default, the empty string, just like the string field type and its derivatives. This resolves bugs in which the unexpected `null` caused problems during validation. This bug was old, but was masked in some situations until the release of version `4.4.3`. * Identify and mark server validation errors in the admin UI. This helps editors identify already existing data fields, having validation errors when schema changes (e.g. optional field becomes required). * Removes `menu-offset` props that were causing `AposContextMenu` to not display properly. * Allows to pass a number or an array to `AposContextMenu` to set the offset of the context menu (main and cross axis see `floating-ui` documentation). * Fixes the relationship fields not having the data when coming from the relationship modal. * Fixes watch on `checkedDocs` passed to `AposSlatList` not being reactive and not seeing updated relationship fields. * Adds styles for 1 column expanded area ([#4608](https://github.com/apostrophecms/apostrophe/issues/4608)) * Fixes weird slug computations based on followed values like title. Simplifies based on the new tech design. * Prevent broken admin UI when there is a missing widget. * Fixes media manager not loading images when last infinite scroll page have been reached (when uploading image for example). * Upgrade oembetter versions to allow all vimeo urls. ### Changes * Update `Choose Images` selection behavior. When choosing images as part of a relationship, you click on the image or checkbox to add the image to the selection. If a max is set to allow only one image, clicking on the selected image will remove it from the selection. Clicking on another image will update the selection with the newly clicked image. If a max is set to allow multiple images, you can remove images from the selection by using the checkbox. Clicking on the image will bring the image schema in the right panel. You can upload images even if the max has been reached. We will append the uploaded images to the existing selection up to the max if any. * Update `@apostrophecms/emulate-mongo-3-driver` dependency to keep supporting `mongodb@3.x` queries while using `mongodb@6.x`. ## 4.4.3 (2024-06-17) ### Fixes * Do not use schema `field.def` when calling `convert`. Applying defaults to new documents is the job of `newInstance()` and similar code. If you wish a field to be mandatory use `required: true`. * As a convenience, using `POST` for pieces and pages with `_newInstance: true` keeps any additional `req.body` properties in the API response. This feature unofficially existed before, it is now supported. * Rollbacks watcher on `checked` array. Fixes, checked docs not being properly updated. ## 4.4.2 (2024-06-14) ### Fixes * Hotfix: the new `_parent` property of pieces, which refers to the same piece page as `_parentUrl`, is now a carefully pruned subset to avoid the risk of infinite recursion when the piece page has a relationship to a piece. Those who want `_parent` to be more complete can extend the new `pruneParent` method of the relevant piece page module. This regression was introduced in version 4.4.0. ## 4.4.1 (2024-06-12) ### Fixes * Depend on `stylelint-config-apostrophe` properly via npm, not github. ## 4.4.0 (2024-06-12) ### Adds * Adds a pinia store to handle modals logic. * Methods from the store are registered on `apos.modal` instead of methods from `TheAposModals` component. * No more need to emit `safe-close` when defining an `AposModal`, modal is automatically resolved when closed. * Adds field components access to the reactive document value. * Expose `AposContextMenu` owned method for re-calculation of the content position. * Field Meta components of `slug` and `string` types can now fire `replace-field-value` events with text value payload, which will replace the respective field value. * `AposInputString` now accepts a `rows` prop, in effect only when `field.textarea` is set to `true`. * Add `T,S` shortcut to open the Personal Settings. * Add `T,D` shortcut to open the Submitted Drafts. * Add a scrollbar to the shortcut list. * Add breadcrumbs to search results page. * Pages relationships have now their checkboxes disabled when max is reached. ### Changes * Improves widget tabs for the hidden entries, improves UX when validation errors are present in non-focused tabs. * When moving a page, recognize when the slug of a new child already contains the new parent's slug and not double it. For example, given we have two pages as children of the home page, page A and page B. Page A and page B are siblings. Page A has the slug `/peer` and page B has the slug `/peer/page`. Now we want page B to be the child of page A. We will now end up with page B slug as `/peer/page` and not `/peer/peer/page` as before. * `AposSpinner` now respects the colors for `heavy` weight mode and also accepts second, "light" color in this mode. Props JSDoc blocks are added. * `AposContextMenu` now respects the `menuOffset` component property. * Set `G,Shift+I` shortcut to open the Image Tags manager modal. * Set `G,Shift+F` shortcut to open the File Tags manager modal. * Remove slug from suggestion for images. * Increase suggestion search image size to 50px. * For suggestions with image, keep title on a single line and truncate title field with `...` when it hits the right side. ### Fixes * Rich Text editor properly unsets marks on heading close. * Widget client side schema validation. * Allow `G,Shift+I` shortcut style. * Detect shortcut conflicts when using multiple shortcuts. * Updating schema fields as read-only no longer reset the value when updating the document. * Fixes stylelint config file, uses config from our shared configuration, fixes all lint errors. * Fixes `TheAposCommandMenu` modals not computing shortcuts from the current opened modal. * Fixes select boxes of relationships, we can now check manually published relationships, and `AposSlatList` renders properly checked relationships. * Fixes issues in `AposInputArray` on production build to be able to add, remove and edit array items after `required` error. * Relationships browse button isn't disabled when max is reached. * In media manager images checkboxes are disabled when max is reached. ## 4.3.3 (2024-06-04) ### Fixes * Removes `$nextTick` use to re render schema in `AposArrayEditor` because it was triggering weird vue error in production. Instead, makes the AposSchema for loop keys more unique using `modelValue.data._id`, if document changes it re-renders schema fields. * In media manager image checkboxes are disabled when max is reached. * Fixes tiptap bubble menu jumping on Firefox when clicking on buttons. Also fixes the fact that double clicking on bubble menu out of buttons would prevent it from closing when unfocusing the rich text area. * In media manager images checkboxes are disabled when max is reached. * Makes the final fields accessible in the media manager right rail. ## 4.3.2 (2024-05-18) ### Fixes * Corrects a regression introduced in version 4.3.0 that broke the validation of widget modals, resulting in a confusing error on the page. A "required" field in a widget, for instance, once again blocks the save operation properly. ### Changes * Improves widget tab UI for the hidden entries, improves UX when validation errors are present in non-focused tabs. ## 4.3.1 (2024-05-17) ### Fixes * Databases containing documents that no longer correspond to any module no longer cause the migration that adds missing mode properties to fail (an issue introduced in version 4.2.0). Databases with no such "orphaned" documents were not affected. ## 4.3.0 (2024-05-15) ### Adds * Allows to disable page refresh on content changed for page types. * Widget editor can now have tabs. * Adds prop to `AposInputMixin` to disable blur emit. * Adds `throttle` function in ui module utils. * Adds a `publicBundle` option to `@apostrophecms/asset`. When set to `false`, the `ui/src` public asset bundle is not built at all in most cases except as part of the admin UI bundle which depends on it. For use with external front ends such as [apostrophe-astro](https://github.com/apostrophecms/apostrophe-astro). Thanks to Michelin for contributing this feature. ### Fixes * Do not show widget editor tabs when the developer hasn't created any groups. * `npm link` now works again for Apostrophe modules that are dependencies of a project. * Re-crop image attachments found in image widgets, etc. when replacing an image in the Media Manager. * Fixes visual transitions between modals, as well as slider transition on overlay opacity. * Changing the aspect ratio multiple times in the image cropper modal no longer makes the stencil smaller and smaller. ### Changes * Improves `debounce` function to handle async properly (waiting for previous async call to finish before triggering a new one). * Adds the `copyOfId` property to be passed to the `apos.doc.edit()` method, while still allowing the entire `copyOf` object for backwards compatibility. ### Fixes ## 4.2.1 (2024-04-29) ### Fixes * Fixes drag and drop regression in the page tree where pages were not able to be moved between parent and child. ## 4.2.0 (2024-04-18) * Typing a `/` in the title field of a page no longer confuses the slug field. Thanks to [Gauav Kumar](https://github.com/gkumar9891). ### Changes * Rich text styles are now split into Nodes and Marks, with independent toolbar controls for a better user experience when applying text styles. There is no change in how the `styles` option is configured. * Rich text style labels are fully localized. * `i18n` module now uses the regular `req.redirect` instead of a direct `res.redirect` to ensure redirection, enabling more possibilities for `@apostrophecms/redirect` module * Refactors `AposModal` component with composition api to get rid of duplicated code in `AposFocusMixin` and `AposFocus`. * `APOS_MONGODB_LOG_LEVEL` has been removed. According to [mongodb documentation](https://github.com/mongodb/node-mongodb-native/blob/main/etc/notes/CHANGES_5.0.0.md#mongoclientoptionslogger-and-mongoclientoptionsloglevel-removed) "Both the logger and the logLevel options had no effect and have been removed." * Update `connect-mongo` to `5.x`. Add `@apostrophecms/emulate-mongo-3-driver` dependency to keep supporting `mongodb@3.x` queries while using `mongodb@6.x`. ### Fixes * Updates the docs `beforeInsert` handler to avoid ending with different modes being set between `_id`, `aposLocale` and `aposMode`. * Adds a migration to fix potential corrupted data having different modes set between `_id`, `aposLocale` and `aposMode`. * Fix a crash in `notification` when `req.body` was not present. Thanks to Michelin for contributing this fix. * Addresses a console error observed when opening and closing the `@apostrophecms-pro/palette` module across various projects. * Fixes the color picker field in `@apostrophecms-pro/palette` module. * Ensures that the `data-apos-test` attribute in the admin bar's tray item buttons is set by passing the `action` prop to `AposButton`. * Prevents stripping of query parameters from the URL when the page is either switched to edit mode or reloaded while in edit mode. * Add the missing `metaType` property to newly inserted widgets. ### Security * New passwords are now hashed with `scrypt`, the best password hash available in the Node.js core `crypto` module, following guidance from [OWASP](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html). This reduces login time while improving overall security. * Old passwords are automatically re-hashed with `scrypt` on the next successful login attempt, which adds some delay to that next attempt, but speeds them up forever after compared to the old implementation. * Custom `scrypt` parameters for password hashing can be passed to the `@apostrophecms/user` module via the `scrypt` option. See the [Node.js documentation for `scrypt`]. Note that the `maxmem` parameter is computed automatically based on the other parameters. ## 4.1.1 (2024-03-21) ### Fixes * Hotfix for a bug that broke the rich text editor when the rich text widget has a `styles` property. The bug was introduced in 4.0.0 as an indirect side effect of deeper watching behavior by Vue 3. ## 4.1.0 (2024-03-20) ### Fixes * Don't crash if a document of a type no longer corresponding to any module is present together with the advanced permission module. * AposLoginForm.js now pulls its schema from the user module rather than hardcoding it. Includes the addition of `enterUsername` and `enterPassword` i18n fields for front end customization and localization. * Simulated Express requests returned by `apos.task.getReq` now include a `req.headers` property, for greater accuracy and to prevent unexpected bugs in other code. * Fix the missing attachment icon. The responsibility for checking whether an attachment actually exists before calling `attachment.url` still lies with the developer. ### Adds * Add new `getChanges` method to the schema module to get an array of document changed field names instead of just a boolean like does the `isEqual` method. * Add highlight class in UI when comparing documents. ## 4.0.0 (2024-03-12) ### Adds * Add Marks tool to the Rich Text widget for handling toggling marks. * Add translation keys used by the multisite assembly module. * Add side by side comparison support in AposSchema component. * Add `beforeLocalize` and `afterLocalize` events. * Add custom manager indicators support via `apos.schema.addManagerIndicator({ component, props, if })`. The component registered this way will be automatically rendered in the manager modal. * Add the possibility to make widget modals wider, which can be useful for widgets that contain areas taking significant space. See [documentation](https://v3.docs.apostrophecms.org/reference/modules/widget-type.html#options). * Temporarily add `translation` module to support document translations via the `@apostrophecms-pro/automatic-translation` module. **The `translation` core module may be removed or refactored to reduce overhead in the core,** so its presence should not be relied upon. ### Changes * Migrate to Vue 3. This entails changes to some admin UI code, as detailed in our public announcement. There are no other backwards incompatible changes in apostrophe version 4.0.0. Certain other modules containing custom admin UI have also been updated in a new major version to be compatible, as noted in our announcement and on the migration page of our website. ### Fixes * Adds `textStyle` to Tiptap types so that spans are rendered on RT initialization * `field.help` and `field.htmlHelp` are now correctly translated when displayed in a tooltip. * Bump the `he` package to most recent version. * Notification REST APIs should not directly return the result of MongoDB operations. ## 3.63.2 (2024-03-01) ### Security * Always validate that method names passed to the `external-condition` API actually appear in `if` or `requiredIf` clauses for the field in question. This fix addresses a serious security risk in which arbitrary methods of Apostrophe modules could be called over the network, without arguments, and the results returned to the caller. While the lack of arguments mitigates the data exfiltration risk, it is possible to cause data loss by invoking the right method. Therefore this is an urgent upgrade for all Apostrophe 3.x users. Our thanks to the Michelin penetration test red team for disclosing this vulnerability. All are welcome to disclose security vulnerabilities in ApostropheCMS code via [security@apostrophecms.com](mailto:security@apostrophecms.com). * Disable the `alwaysIframe` query parameter of the oembed proxy. This feature was never used in Apostrophe core, and could be misused to carry out arbitrary GET requests in the context of an iframe, although it could not be used to exfiltrate any information other than the success or failure of the request, and the request was still performed by the user's browser only. Thanks to the Michelin team. * Remove vestigial A2 code relating to polymorphic relationship fields. The code in question had no relevance to the way such a feature would be implemented in A3, and could be used to cause a denial of service by crashing and restarting the process. Thanks to the Michelin team. ## 3.63.1 (2024-02-22) ### Security * Bump dependency on `sanitize-html` to `^2.12.1` at a minimum, to ensure that `npm update apostrophe` is sufficient to guarantee a security update is installed. This security update prevents specially crafted HTML documents from revealing the existence or non-existence of files on the server. The vulnerability did not expose any other information about those files. Thanks to the [Snyk Security team](https://snyk.io/) for the disclosure and to [Dylan Armstrong](https://dylan.is/) for the fix. ## 3.63.0 (2024-02-21) ### Adds * Adds a `launder` method to the `slug` schema field query builder to allow for use in API queries. * Adds support for browsing specific pages in a relationship field when `withType` is set to a page type, like `@apostrophecms/home-page`, `default-page`, `article-page`... * Add support for `canCreate`, `canPreview` & `canShareDraft` in context operations conditions. * Add support for `canCreate`, `canEdit`, `canArchive` & `canPublish` in utility operations definitions. * Add `uponSubmit` requirement in the `@apostrophecms/login` module. `uponSubmit` requirements are checked each time the user submit the login form. See the documentation for more information. * Add field metadata feature, where every module can add metadata to fields via public API offered by `apos.doc.setMeta()`, `apos.doc.getMeta()`, `apos.doc.getMetaPath()` and `apos.doc.removeMeta()`. The metadata is stored in the database and can be used to store additional information about a field. * Add new `apos.schema.addFieldMetadataComponent(namespace, component)` method to allow adding custom components. They have access to the server-side added field metadata and can decide to show indicators on the admin UI fields. Currently supported fields are "string", "slug", "array", "object" and "area". ### Fixes * When deleting a draft document, we remove related reverse IDs of documents having a relation to the deleted one. * Fix publishing or moving published page after a draft page on the same tree level to work as expected. * Check create permissions on create keyboard shortcut. * Copy requires create and edit permission. * Display a more informative error message when publishing a page because the parent page is not published and the current user has no permission to publish the parent page (while having permission to publish the current one). * The `content-changed` event for the submit draft action now uses a complete document. * Fix the context bar overlap on palette for non-admin users that have the permission to modify it. * Show widget icons in the editor area context menu. ### Changes * Share Drafts modal styles made larger and it's toggle input has a larger hitbox. ## 3.62.0 (2024-01-25) ### Adds * Adds support for `type` query parameter for page autocomplete. This allows to filter the results by page type. Example: `/api/v1/@apostrophecms/page?autocomplete=something&type=my-page-type`. * Add testing for the `float` schema field query builder. * Add testing for the `integer` schema field query builder. * Add support for link HTML attributes in the rich text widget via configurable fields `linkFields`, extendable on a project level (same as it's done for `fields`). Add an `htmlAttribute` property to the standard fields that map directly to an HTML attribute, except `href` (see special case below), and set it accordingly, even if it is the same as the field name. Setting `htmlAttribute: 'href'` is not allowed and will throw a schema validation exception (on application boot). * Adds support in `can` and `criteria` methods for `create` and `delete`. * Changes support for image upload from `canEdit` to `canCreate`. * The media manager is compatible with per-doc permissions granted via the `@apostrophecms-pro/advanced-permission` module. * In inline arrays, the trash icon has been replaced by a close icon. ### Fixes * Fix the `launder` and `finalize` methods of the `float` schema field query builder. * Fix the `launder` and `finalize` methods of the `integer` schema field query builder. * A user who has permission to `publish` a particular page should always be allowed to insert it into the published version of the site even if they could not otherwise insert a child of the published parent. * Display the "Browse" button in a relationship inside an inline array. ## 3.61.1 (2023-01-08) ### Fixes * Pinned Vue dependency to 2.7.15. Released on December 24th, Vue 2.7.16 broke the rich text toolbar in Apostrophe. ## 3.61.0 (2023-12-21) ### Adds * Add a `validate` method to the `url` field type to allow the use of the `pattern` property. * Add `autocomplete` attribute to schema fields that implement it (cf. [HTML attribute: autocomplete](https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/autocomplete)). * Add the `delete` method to the `@apostrophecms/cache` module so we don't have to rely on direct MongoDB manipulation to remove a cache item. * Adds tag property to fields in order to show a tag next to the field title (used in advanced permission for the admin field). Adds new sensitive label color. * Pass on the module name and the full, namespaced template name to external front ends, e.g. Astro. Also make this information available to other related methods for future and project-level use. * Fixes the AposCheckbox component to be used more easily standalone, accepts a single model value instead of an array. ### Fixes * Fix `date` schema field query builder to work with arrays. * Fix `if` on pages. When you open the `AposDocEditor` modal on pages, you now see an up to date view of the visible fields. * Pass on complete annotation information for nested areas when adding or editing a nested widget using an external front, like Astro. * We can now close the image modal in rich-text widgets when we click outside of the modal. The click on the cancel button now works too. * Fixes the `clearLoginAttempts` method to work with the new `@apostrophecms/cache` module `delete` method. ## 3.60.1 (2023-12-06) ### Fixes * corrected an issue where the use of the doc template library can result in errors at startup when replicating certain content to new locales. This was not a bug in the doc template library. Apostrophe was not invoking `findForEditing` where it should have. ## 3.60.0 (2023-11-29) ### Adds * Add the possibility to add custom classes to notifications. Setting the `apos-notification--hidden` class will hide the notification, which can be useful when we only care about the event carried by it. * Give the possibility to add horizontal rules from the insert menu of the rich text editor with the following widget option: `insert: [ 'horizontalRule' ]`. Improve also the UX to focus back the editor after inserting a horizontal rule or a table. ### Fixes * The `render-widget` route now provides an `options` property on the widget, so that schema-level options of the widget are available to the external front end when rendering a newly added or edited widget in the editor. Note that when rendering a full page, this information is already available on the parent area: `area.options.widgets[widget.type]` * Pages inserted directly in the published mode are now given a correct `lastPublishedAt` property, correcting several bugs relating to the page tree. * A migration has been added to introduce `lastPublishedAt` wherever it is missing for existing pages. * Fixed a bug that prevented page ranks from renumbering properly during "insert after" operations. * Added a one-time migration to make existing page ranks unique among peers. * Fixes conditional fields not being properly updated when switching items in array editor. * The `beforeSend` event for pages and the loading of deferred widgets are now handled in `renderPage` with the proper timing so that areas can be annotated successfully for "external front" use. * The external front now receives 100% of the serialization-friendly data that Nunjucks receives, including the `home` property etc. Note that the responsibility to avoid passing any nonserializable or excessively large data in `req.data` falls on the developer when choosing to use the `apos-external-front` feature. * Wraps the group label in the expanded preview menu component in `$t()` to allow translation ## 3.59.1 (2023-11-14) ### Fixes * Fix `if` and `requiredIf` fields inside arrays. With regard to `if`, this is a hotfix for a regression introduced in 3.59.0. ## 3.59.0 (2023-11-03) ### Changes * Webpack warnings about package size during the admin UI build process have been turned off by default. Warnings are still enabled for the public build, where a large bundle can be problematic for SEO. ### Fixes * Apostrophe warns you if you have more than one piece page for the same piece type and you have not overridden `chooseParentPage` to help Apostrophe decide which page is suitable as the `_url` of each piece. Beginning with this release, Apostrophe can recognize when you have chosen to do this via `extendMethods`, so that you can call `_super()` to fall back to the default implementation without receiving this warning. The default implementation still just returns the first page found, but always following the `_super()` pattern here opens the door to npm modules that `improve` `@apostrophecms/piece-page` to do something more sophisticated by default. * `newInstance` always returns a reasonable non-null empty value for area and object fields in case the document is inserted without being passed through the editor, e.g. in a parked page like the home page. This simplifies the new external front feature. ### Adds * An adapter for Astro is under development with support from Michelin. Starting with this release, adapters for external fronts, i.e. "back for front" frameworks such as Astro, may now be implemented more easily. Apostrophe recognizes the `x-requested-with: AposExternalFront` header and the `apos-external-front-key` header. If both are present and `apos-external-front-key` matches the `APOS_EXTERNAL_FRONT_KEY` environment variable, then Apostrophe returns JSON in place of a normal page response. This mechanism is also available for the `render-widget` route. * Like `type`, `metaType` is always included in projections. This helps ensure that `apos.util.getManagerOf()` can be used on any object returned by the Apostrophe APIs. ## 3.58.1 (2023-10-18) ### Security * Update `uploadfs` to guarantee users get a fix for a [potential security vulnerability in `sharp`](https://security.snyk.io/vuln/SNYK-JS-SHARP-5922108). This was theoretically exploitable only by users with permission to upload media to Apostrophe * Remove the webpack bundle analyzer feature, which had been nonfunctional for some time, to address a harmless npm audit warning * Note: there is one remaining `npm audit` warning regarding `postcss`. This is not a true vulnerability because only developers with access to the entire codebase can modify styles passed to `postcss` by Apostrophe, but we are working with upstream developers to determine the best steps to clear the warning ### Fixes * Automatically add `type` to the projection only if there are no exclusions in the projection. Needed to prevent `Cannot do exclusion on field in inclusion projection` error. ## 3.58.0 (2023-10-12) ### Fixes * Ensure Apostrophe can make appropriate checks by always including `type` in the projection even if it is not explicitly listed. * Never try to annotate a widget with permissions the way we annotate a document, even if the widget is simulating a document. * The `areas` query builder now works properly when an array of area names has been specified. ### Adds * Widget schema can now follow the parent schema via the similar to introduced in the `array` field type syntax (`<` prefix). In order a parent followed field to be available to the widget schema, the area field should follow it. For example, if area follows the root schema `title` field via `following: ['title']`, any field from a widget schema inside that area can do `following: ['