Strapi Release: 3.0.0-beta.8

Tag Name: v3.0.0-beta.8

Release Date: 6/27/2019

Strapi

Open-source headless CMS built with Node.js. Provides developers with complete freedom in choosing their favorite tools and frameworks for frontend development.

TL;DR

Strapi v3.0.0-beta.8 brings important security fixes, UI enhancements, and plugin improvements. This release addresses a critical security vulnerability where admin passwords were stored in plaintext, improves the content deletion interface, adds Amazon SES domain configuration options, and updates documentation links. Administrators should upgrade immediately to protect sensitive credentials.

Highlights of the Release

    • Fixed critical security vulnerability where admin passwords were stored in plaintext
    • Added support for custom Amazon SES domains in email configuration
    • Improved UI clarity for bulk deletion operations
    • Updated documentation with current Slack community links

Migration Guide

No specific migration steps are required for this update. However, administrators should update to this version immediately to address the security vulnerability related to plaintext password storage.

After updating:

  1. No database migrations are needed
  2. No configuration changes are required
  3. The security fixes are applied automatically

Upgrade Recommendations

Immediate Upgrade Recommended

Due to the critical security fix addressing plaintext password storage, all Strapi installations should be upgraded to v3.0.0-beta.8 as soon as possible. This is especially important for production environments where administrator accounts could be at risk.

The upgrade process from v3.0.0-beta.7 to v3.0.0-beta.8 should be straightforward with no breaking changes reported. Follow the standard Strapi update procedure:

npm install [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]

Or if using Yarn:

yarn upgrade [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]

Bug Fixes

Admin Password Security Fix

Fixed a critical security issue where administrator passwords were being persisted in plaintext when editing admin user accounts. This vulnerability could potentially expose sensitive credentials if the database was compromised. The fix ensures passwords are properly hashed and protected throughout the user management workflow.
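The bug class described above, as an added example that is not Strapi's code or the patch from this release: an account store whose create path hashes the password while the edit path merges the submitted form straight into the record, shown beside a hardened edit path and a check that flags stored values not in the hash format. The Map-based store, field names, function names and the scrypt record format are all assumptions made for illustration.

```javascript
// Added example, not Strapi's implementation. Store layout, field names and
// the "scrypt$salt$key" record format are assumptions for illustration.
const crypto = require('crypto');

const HASH_RE = /^scrypt\$[0-9a-f]{32}\$[0-9a-f]{128}$/;

function hashPassword(password) {
  const salt = crypto.randomBytes(16);
  const key = crypto.scryptSync(password, salt, 64);
  return `scrypt$${salt.toString('hex')}$${key.toString('hex')}`;
}

function verifyPassword(password, stored) {
  if (!HASH_RE.test(stored)) return false; // never compare against plaintext
  const [, saltHex, keyHex] = stored.split('$');
  const key = crypto.scryptSync(password, Buffer.from(saltHex, 'hex'), 64);
  return crypto.timingSafeEqual(key, Buffer.from(keyHex, 'hex'));
}

// Create path: hashes before persisting.
function createAdmin(db, id, fields) {
  db.set(id, { ...fields, password: hashPassword(fields.password) });
}

// Vulnerable edit path: the submitted form is merged as-is, so a changed
// password overwrites the stored hash with the plaintext value.
function editAdminVulnerable(db, id, changes) {
  db.set(id, { ...db.get(id), ...changes });
}

// Hardened edit path: a new password is hashed; a blank or missing password
// field (form submitted without changing it) keeps the existing hash.
function editAdmin(db, id, changes) {
  const current = db.get(id);
  const next = { ...current, ...changes };
  const changing = typeof changes.password === 'string' && changes.password.length > 0;
  next.password = changing ? hashPassword(changes.password) : current.password;
  db.set(id, next);
}

// Audit: ids of records whose stored password is not in the hash format.
function auditPlaintext(db) {
  return [...db].filter(([, user]) => !HASH_RE.test(user.password)).map(([id]) => id);
}
```
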

Translation Issues

Addressed missing translations in various parts of the admin interface, improving the localization experience for non-English users.

New Features

Amazon SES Domain Configuration

Added the ability to specify a different Amazon SES domain for email sending. This enhancement provides more flexibility when configuring the email plugin, allowing developers to use custom domains for their transactional emails rather than being limited to a single domain configuration.

Improved Content Deletion UI

The content deletion interface has been enhanced with clearer labeling. The CTA (Call to Action) button now explicitly states "Delete Selected Entries" instead of the more ambiguous "Delete All" label, making it clearer that the action applies only to selected items rather than everything in the database.

Security Updates

Admin Password Protection

Fixed a serious security vulnerability where administrator passwords were being stored in plaintext when editing admin user accounts. This issue was resolved in PR #3540, which ensures that passwords are hashed before storage and never persisted in cleartext. The fix protects sensitive administrator credentials and significantly improves the security posture of Strapi installations.

Performance Improvements

No specific performance improvements were mentioned in this release.

Impact Summary

This release significantly improves Strapi's security posture by fixing a critical vulnerability where administrator passwords were stored in plaintext. This change alone makes the update essential for all installations.

The UI enhancements for content deletion provide better clarity for content managers, reducing the risk of accidental mass deletions by making it clear which items will be affected by the delete action.

For developers using Amazon SES for email delivery, the added flexibility to configure custom domains provides more options for managing email sending reputation and deliverability.

While this is a beta release, the security improvements make it an important update that should be prioritized, especially in environments where administrator account security is paramount. The changes are focused on security and usability improvements rather than introducing potentially disruptive new features, making this a relatively safe update despite its beta status.

Full Release Notes

💅 Enhancement

🐛 Bug fix

Statistics:

  • Files Changed: 56
  • Line Additions: 122
  • Line Deletions: 92
  • Line Changes: 214
  • Total Commits: 15

Users Affected:

  • Critical security fix for plaintext password storage
  • Improved user management security
  • Updated documentation resources with new Slack badge URL

Contributors:

  • alexandrebodin
  • soupette
  • lauriejim