Payload CMS Release: 2.19.1
Tag Name: v2.19.1
Release Date: 6/4/2024
Payload CMS is a modern, self-hosted headless content management system built with TypeScript, Node.js, and MongoDB. It is designed for developers who want full control over their content management system while keeping a powerful admin interface for content editors.
TL;DR
Payload CMS v2.19.1 - Security Patch Release
This patch release addresses a critical security vulnerability in the ajv dependency by pinning it to version 8.14.0. The issue was related to a prototype pollution vulnerability in ajv that could potentially lead to security exploits. Additionally, the release removes the unused css-minimizer-webpack-plugin from the bundler-webpack package, streamlining dependencies.
Highlight of the Release
- Fixed security vulnerability in the `ajv` dependency by pinning it to version 8.14.0
- Removed the unused `css-minimizer-webpack-plugin` from the bundler-webpack package
- Improved overall security posture of the CMS
Migration Guide
No migration steps are required for this update. This is a drop-in replacement that can be installed with your standard update process:
npm install payload@2.19.1
# or
yarn add payload@2.19.1
# or
pnpm add payload@2.19.1
Upgrade Recommendations
Priority: High
All users should upgrade to v2.19.1 as soon as possible to address the security vulnerability in the ajv dependency. This is especially important for production environments that may be exposed to untrusted inputs.
The update is backward compatible and requires no code changes or migration steps.
Bug Fixes
Security Bug Fix
- Fixed prototype pollution vulnerability: Overrode the `ajv` dependency version to 8.14.0 wherever possible throughout the codebase to address a known security vulnerability (ajv-validator/ajv#2446)
Maintenance Fix
- Removed unused dependency: Removed `css-minimizer-webpack-plugin` from the bundler-webpack package as it was not being used, helping to reduce the dependency footprint
New Features
No new features were introduced in this patch release. This is strictly a security and maintenance update.
Security Updates
Ajv Prototype Pollution Vulnerability
This release addresses a critical security vulnerability in the ajv dependency by pinning it to version 8.14.0. The vulnerability, documented in ajv-validator/ajv#2446, relates to prototype pollution that could potentially allow attackers to execute malicious code or manipulate application behavior.
By overriding the dependency version throughout the codebase, this release ensures that all instances of ajv used by Payload CMS are protected from this vulnerability.
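A version override only helps if every resolved copy of `ajv` in the install tree actually lands on the pinned version, including copies nested under other dependencies. The script below is an added example, not code from the Payload CMS release or repository: it scans a `package-lock.json` (lockfileVersion 2 or 3) for every `ajv` entry and flags any below 8.14.0. The lockfile it runs on is constructed for illustration, and `some-dep` is a hypothetical package name.

```javascript
// Added example (not from Payload CMS): audit every resolved copy of ajv in a
// package-lock.json against the 8.14.0 pin described in the release notes.
const MIN_AJV = "8.14.0";

function parseVersion(v) {
  // Drop a leading "v" and any prerelease/build suffix, keep the numeric core.
  const core = v.replace(/^v/, "").split(/[-+]/)[0];
  return core.split(".").map((n) => parseInt(n, 10));
}

// Returns -1, 0 or 1 comparing the major.minor.patch cores of two versions.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Walks the lockfile's "packages" map; every installed copy of ajv, hoisted or
// nested, has a path ending in "node_modules/ajv".
function auditAjv(lock, minVersion = MIN_AJV) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/ajv$/.test(path)) continue;
    findings.push({
      path,
      version: entry.version,
      ok: compareVersions(entry.version, minVersion) >= 0,
    });
  }
  return findings;
}

// Constructed sample lockfile: the hoisted ajv is on the pinned version, but a
// hypothetical dependency still resolves its own outdated nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/ajv": { version: "8.14.0" },
    "node_modules/some-dep": { version: "1.2.3" },
    "node_modules/some-dep/node_modules/ajv": { version: "6.12.6" },
  },
};

for (const r of auditAjv(SAMPLE_LOCK)) {
  console.log(`${r.ok ? "OK  " : "WARN"} ${r.path} ajv@${r.version}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; any WARN line is a nested copy the override did not reach.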
Performance Improvements
No specific performance improvements were included in this release. The focus was on addressing security concerns and cleaning up dependencies.
Impact Summary
This release primarily impacts the security posture of Payload CMS installations by addressing a prototype pollution vulnerability in the ajv dependency. While the vulnerability's practical exploitability may vary depending on your specific implementation, it's considered best practice to update promptly to mitigate any potential risk.
The removal of the unused css-minimizer-webpack-plugin from the bundler-webpack package is a maintenance improvement that helps reduce the dependency footprint without affecting functionality.
Overall, this is a straightforward security patch that should be applied to all Payload CMS installations without delay. The changes are minimal and focused on security hardening rather than introducing new features or changing existing behavior.
Full Release Notes
Statistics:
Users Affected:
- Protected from potential security vulnerabilities in the `ajv` dependency
- No longer exposed to prototype pollution risks in dependency chain
- Benefit from cleaner dependency tree with removal of unused webpack plugin
