Strapi Release: 3.6.11

Tag Name: v3.6.11

Release Date: 11/22/2022

Strapi

Open-source headless CMS built with Node.js. Provides developers with complete freedom in choosing their favorite tools and frameworks for frontend development.

TL;DR

Strapi v3.6.11 focuses on security improvements through dependency updates and drops support for Node.js 12. This release includes several important package upgrades to address security vulnerabilities and ensure better compatibility with modern environments. Users should upgrade to maintain security compliance and benefit from the latest dependency improvements.

Highlights of the Release

    • Dropped support for Node.js 12 which reached End-of-Life
    • Updated multiple dependencies to address security vulnerabilities
    • Improved security posture through package updates including sanitize-html, moment, and others
    • Updated koa-passport to version 5.0.0 for better authentication handling

Migration Guide

Migration from v3.6.10 to v3.6.11

  1. Node.js Version Requirement:

    • Ensure your environment is running Node.js 14 or higher, as Node.js 12 support has been dropped.
    • If you're still on Node.js 12, you'll need to upgrade your Node.js version before updating Strapi.
  2. Dependency Updates:

    • If you have custom code that directly interacts with any of the updated dependencies (particularly koa-passport, sharp, or sanitize-html), review their respective changelogs for breaking changes.
    • Test your application thoroughly after upgrading, especially if you have custom plugins or extensions.
  3. General Update Process:

    • Follow the standard Strapi update procedure as outlined in the official documentation.
    • Update your package.json to reference the new version: "strapi": "3.6.11"
    • Run npm install or yarn install to update dependencies.
    • Restart your Strapi application and verify functionality.

No database migrations are required for this update.

Upgrade Recommendations

Priority: High

This upgrade is highly recommended for all Strapi v3 users due to the security improvements included in the dependency updates. The update addresses several potential vulnerabilities in dependencies like moment and sanitize-html.

Timing:

  • For production environments: Plan to upgrade within your next maintenance window.
  • For development environments: Update immediately to ensure development parity with production.

Preparation:

  1. Ensure your environment supports Node.js 14 or higher before upgrading.
  2. Back up your database and application files before proceeding.
  3. Test the upgrade in a staging environment that mirrors your production setup.
  4. Review any custom code that might interact with the updated dependencies.

If you're still using Node.js 12, prioritize upgrading your Node.js version first, as this is a breaking change in this release.

Bug Fixes

No specific bug fixes were mentioned in this release. The focus was on dependency updates and security improvements rather than addressing specific bugs.

New Features

No new features were introduced in this release. This update focuses primarily on security improvements through dependency updates and maintaining compatibility with supported Node.js versions.

Security Updates

This release includes several security-focused dependency updates:

  • git-url-parse: Updated from 11.4.4 to 13.1.0
  • immer: Updated from ^8.0.1 to 9.0.16
  • koa-passport: Updated from 4.1.4 to 5.0.0
  • moment: Updated from ^2.29.1 to ^2.29.4 (addresses known security vulnerabilities)
  • sanitize-html: Updated from 2.3.3 to 2.7.2 (improves HTML sanitization security)
  • sharp: Updated from 0.29.0 to 0.31.1
  • package-json: Updated from 6.5.0 to 7.0.0
  • Several nested dependencies were also updated as a result of these upgrades

These updates address various security vulnerabilities and ensure better protection against potential exploits.
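
The Node.js requirement from the migration guide and the version list above can be checked against a project's lockfile. The following is an added example, not Strapi's own tooling: it reads a parsed package-lock.json and reports a Node.js runtime below 14 and any resolved copy, nested ones included, of the listed packages that is older than the version this release moves to. The sample lockfile and the package name `some-plugin` are constructed for illustration.

```javascript
// Added example: versions taken from the "Security Updates" list of this release.
const FLOORS = {
  'git-url-parse': '13.1.0', immer: '9.0.16', 'koa-passport': '5.0.0',
  moment: '2.29.4', 'sanitize-html': '2.7.2', sharp: '0.31.1', 'package-json': '7.0.0',
};
const MIN_NODE_MAJOR = 14; // Node.js 12 support is dropped in 3.6.11

// Compare plain x.y.z versions (pre-release suffixes ignored); <0 means a is older.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// lock: parsed package-lock.json, either the v2/v3 "packages" map or the v1 "dependencies" tree.
function auditLock(lock, nodeVersion) {
  const findings = [];
  const major = Number(nodeVersion.replace(/^v/, '').split('.')[0]);
  if (major < MIN_NODE_MAJOR) findings.push(`node ${nodeVersion} is below ${MIN_NODE_MAJOR}`);
  const check = (name, version, where) => {
    const floor = FLOORS[name];
    if (floor && version && compareVersions(version, floor) < 0)
      findings.push(`${name}@${version} (${where}) is older than ${floor}`);
  };
  const walkV1 = (deps, trail) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      check(name, entry.version, `${trail} > ${name}`);
      walkV1(entry.dependencies, `${trail} > ${name}`); // nested copies
    }
  };
  if (lock.packages) {
    for (const [location, entry] of Object.entries(lock.packages)) {
      if (location) check(location.split('node_modules/').pop(), entry.version, location);
    }
  } else {
    walkV1(lock.dependencies, 'root');
  }
  return findings;
}
// Constructed sample lockfile; "some-plugin" is a hypothetical package name.
const SAMPLE_LOCK = { lockfileVersion: 2, packages: {
  '': { name: 'my-strapi-app' },
  'node_modules/moment': { version: '2.29.4' },
  'node_modules/sanitize-html': { version: '2.3.3' },
  'node_modules/some-plugin/node_modules/moment': { version: '2.29.1' },
} };
console.log(auditLock(SAMPLE_LOCK, process.version));
```

A nested copy reported here is pulled in by another package and is not changed by bumping `strapi` alone, which is why the audit walks every resolved location rather than only the top level.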

Performance Improvements

While not explicitly mentioned as performance improvements, the dependency updates may provide some performance benefits as a side effect of using newer versions with optimizations from their respective maintainers.

Impact Summary

Strapi v3.6.11 is primarily a security and maintenance release that focuses on updating dependencies to address potential vulnerabilities. The most significant change is dropping support for Node.js 12, which is now End-of-Life. This requires users to ensure they're running Node.js 14 or higher.

The dependency updates improve the overall security posture of Strapi installations without changing core functionality. Notable updates include moment to address known CVEs, sanitize-html for improved content sanitization, and koa-passport for authentication handling.

For most users, this update will be transparent in terms of functionality but will provide important security improvements. The update process should be straightforward for those already running on Node.js 14+, but will require additional steps for those still on Node.js 12.

This release continues Strapi's commitment to maintaining the security and stability of the v3 branch while users transition to v4.

Full Release Notes

🚨 Security

⚠️ Important Notice / Breaking Change ⚠️

  • ⚠️ Dropped Node 12 Support as it's EOL

Specific updates

For more information please see this comment


📚 Update and Migration Guides

  • General update guide can be found here

Statistics:

Files Changed: 42
Line Additions: 336
Line Deletions: 410
Line Changes: 746
Total Commits: 12

Users Affected:

  • Need to ensure their environment runs Node.js 14 or higher as Node 12 support has been dropped
  • May need to update their code if they directly interact with any of the updated dependencies
  • Will benefit from security improvements in updated packages

Contributors:

alexandrebodin