Strapi Release: 4.0.0-beta.21

Pre Release

Tag Name: v4.0.0-beta.21

Release Date: 11/29/2021

Open-source headless CMS built with Node.js. Provides developers with complete freedom in choosing their favorite tools and frameworks for frontend development.

TL;DR

Strapi v4.0.0-beta.21 focuses on security improvements and dependency updates. It adds repository information to the published NPM packages so they can be traced back to their public source, updates dependencies including Sharp and tar (the tar bump fixes a security vulnerability), and corrects the file watcher's ignore rules. The release also includes documentation improvements for contributors.

Highlight of the Release

    • Security enhancement: Fixed vulnerability in tar dependency by updating to version 6.1.9
    • Supply chain security improvement: Added repository information to NPM packages for better provenance tracking
    • Developer experience: Improved file watcher to only ignore admin folders within the project scope
    • Dependency update: Upgraded Sharp to version 0.29.0

Migration Guide

No migration steps are required for this release as it primarily contains security updates, dependency upgrades, and documentation improvements. Users can update to this version without any specific migration actions.

Upgrade Recommendations

This release is recommended for all users, especially those concerned about security, as it includes important security fixes for the tar package vulnerability and improves supply chain security through better package provenance information. Since this is still a beta release (v4.0.0-beta.21), it's primarily intended for testing and development environments rather than production deployments.

Bug Fixes

File Watcher Fix

Fixed an issue where the file watcher ignored every admin folder on the path, including ones in parent directories above the project. The watcher now ignores admin folders only from the current project folder onward, which avoids files going unwatched when a parent directory is itself named admin.

New Features

No significant new features were added in this release. The changes primarily focus on security improvements, dependency updates, and documentation enhancements.

Security Updates

Tar Package Vulnerability Fix

Updated the tar package to version 6.1.9 to address a security vulnerability. This update was applied to both the main package and the create-strapi-starter package.
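A dependency bump in a release only helps if it reaches every copy of the package in your tree; npm will keep an older tar nested under another dependency that pins it. The following is an added example, not Strapi project code: it reads the "packages" map of a package-lock.json (lockfileVersion 2 or 3 layout), finds every installed copy of tar, and reports the ones still below 6.1.9. The lockfile fragment, the package names in it and the versions other than tar 6.1.9 are constructed for illustration.

```javascript
// Added example, not Strapi project code: confirm that a dependency bump
// announced in a release (tar >= 6.1.9) actually reached every copy in the
// lockfile, including copies nested under other packages.

const FIXED_TAR_VERSION = '6.1.9'; // version named in the release notes

// Constructed package-lock.json fragment (lockfileVersion 2/3 layout, where
// "packages" is keyed by the path under node_modules). Package names and the
// versions other than tar 6.1.9 are illustrative, not real project data.
const SAMPLE_LOCKFILE = {
  name: 'my-strapi-project',
  lockfileVersion: 2,
  packages: {
    '': { name: 'my-strapi-project', version: '0.1.0' },
    'node_modules/tar': { version: '6.1.9' },
    'node_modules/some-native-addon/node_modules/tar': { version: '6.1.5' },
    'node_modules/some-other-dep/node_modules/tar': { version: '4.4.19' },
    'node_modules/tar-stream': { version: '2.2.0' }, // different package, must not match
  },
};

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
// Build metadata is ignored, as semver specifies.
function parseSemver(version) {
  const noBuild = version.split('+', 1)[0];
  const dash = noBuild.indexOf('-');
  const core = dash === -1 ? noBuild : noBuild.slice(0, dash);
  const pre = dash === -1 ? null : noBuild.slice(dash + 1);
  const nums = core.split('.').map(Number);
  if (nums.length !== 3 || nums.some(Number.isNaN)) {
    throw new Error(`not a MAJOR.MINOR.PATCH version: ${version}`);
  }
  return { nums, pre };
}

// Sort-style comparator: <0 if a < b, 0 if equal, >0 if a > b. A prerelease
// sorts below the release of the same version (6.1.9-rc.1 < 6.1.9); two
// prerelease tags are compared as plain strings, which is enough here.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Every installed copy of pkgName, nested ones included. In the "packages"
// map a dependency's key is its path under node_modules, so its name is
// whatever follows the last "node_modules/" (scoped names keep their slash).
function findInstalledCopies(lockfile, pkgName) {
  const copies = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === '') continue; // the root project itself
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1) continue;
    const name = path.slice(idx + 'node_modules/'.length);
    if (name === pkgName && entry.version) {
      copies.push({ path, version: entry.version });
    }
  }
  return copies;
}

// Paths of installed copies that are still older than fixedVersion.
function findStaleCopies(lockfile, pkgName, fixedVersion) {
  return findInstalledCopies(lockfile, pkgName)
    .filter((copy) => compareSemver(copy.version, fixedVersion) < 0)
    .map((copy) => copy.path);
}

// Stand-alone run against the constructed sample.
const staleTar = findStaleCopies(SAMPLE_LOCKFILE, 'tar', FIXED_TAR_VERSION);
console.log(
  staleTar.length
    ? `tar copies below ${FIXED_TAR_VERSION}:\n  ${staleTar.join('\n  ')}`
    : `all tar copies are at least ${FIXED_TAR_VERSION}`,
);
```

Interactively, npm ls tar shows the same tree and npm audit reports published advisories against the locked versions; the point of walking the lockfile yourself is that you can assert a minimum version in CI rather than read the output. A stale nested copy is fixed by getting the parent dependency to accept the newer range or, on npm 8.3 and later, by forcing it with an "overrides" entry in package.json.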

Supply Chain Security Enhancement

Added repository information to multiple NPM packages to improve supply chain security and enable better tracking of packages back to their public sources. This change helps combat the rise in supply chain attacks where OSS dependencies are used as attack vectors. The following packages now include repository information:

  • strapi-helper-plugin
  • strapi-plugin-documentation
  • strapi-plugin-graphql
  • strapi-plugin-i18n
  • strapi-plugin-sentry
  • strapi-plugin-upload
  • strapi-provider-upload-rackspace
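The repository field that these packages now carry is only useful if something reads it. Below is an added example, not Strapi's own code, that normalizes the field from an installed package's package.json and checks that it points at the public source you expect. npm accepts the field either as a string shorthand ("owner/repo", or prefixed with github:, gitlab: or bitbucket:) or as an object with type, url and an optional directory for monorepos; both forms are handled. The package.json fragments and the github.com/strapi allowlist are constructed for illustration and are not published metadata.

```javascript
// Added example, not Strapi project code: read the `repository` field of a
// package.json and check that it traces the package back to the expected
// public source. Handles npm's string shorthand and object forms.

// Assumed allowlist for this example: packages should come from this org.
const EXPECTED_SOURCE = { host: 'github.com', owner: 'strapi' };

// Constructed package.json fragments, not real published metadata.
const SAMPLE_PACKAGES = [
  { name: 'dep-without-repo', version: '1.0.0' },
  { name: 'dep-shorthand', version: '1.0.0', repository: 'strapi/strapi' },
  { name: 'dep-prefixed', version: '1.0.0', repository: 'github:strapi/strapi' },
  {
    name: 'dep-object',
    version: '1.0.0',
    repository: {
      type: 'git',
      url: 'git+https://github.com/strapi/strapi.git',
      directory: 'packages/plugins/i18n',
    },
  },
  {
    name: 'dep-elsewhere',
    version: '1.0.0',
    repository: { type: 'git', url: 'git://github.com/someone-else/strapi.git' },
  },
];

const SHORTHAND_HOSTS = { github: 'github.com', gitlab: 'gitlab.com', bitbucket: 'bitbucket.org' };

// Normalize to { host, owner, repo, directory }, or null when the field is
// absent or not in a form this example parses (scp-style "git@host:owner/repo"
// and "gist:id" shorthands come back as null rather than being guessed at).
function repositorySourceOf(pkg) {
  const field = pkg.repository;
  if (!field) return null;
  const spec = typeof field === 'string' ? field : field.url;
  if (typeof spec !== 'string' || spec.length === 0) return null;
  const directory = typeof field === 'object' && field.directory ? field.directory : null;

  // Shorthand: "owner/repo" or "<provider>:owner/repo" (github is the default).
  const short = /^(?:(github|gitlab|bitbucket):)?([\w.-]+)\/([\w.-]+)$/.exec(spec);
  if (short) {
    return {
      host: SHORTHAND_HOSTS[short[1] || 'github'],
      owner: short[2],
      repo: short[3].replace(/\.git$/, ''),
      directory,
    };
  }

  // Full URL: drop the "git+" prefix, then accept git://, https:// or ssh://.
  try {
    const url = new URL(spec.replace(/^git\+/, ''));
    const parts = url.pathname.replace(/^\/+/, '').split('/');
    if (parts.length < 2 || !parts[0] || !parts[1]) return null;
    return {
      host: url.hostname.toLowerCase(),
      owner: parts[0],
      repo: parts[1].replace(/\.git$/, ''),
      directory,
    };
  } catch {
    return null;
  }
}

// 'missing' when no usable repository field, 'unexpected-source' when it
// points somewhere other than the allowlisted host/org, otherwise 'ok'.
function checkProvenance(pkg, expected = EXPECTED_SOURCE) {
  const src = repositorySourceOf(pkg);
  if (!src) return 'missing';
  if (src.host !== expected.host || src.owner.toLowerCase() !== expected.owner.toLowerCase()) {
    return 'unexpected-source';
  }
  return 'ok';
}

// Map of package name -> verdict for a list of parsed package.json objects.
function auditPackages(pkgs, expected = EXPECTED_SOURCE) {
  return Object.fromEntries(pkgs.map((pkg) => [pkg.name, checkProvenance(pkg, expected)]));
}

// Stand-alone run against the constructed sample.
console.log(auditPackages(SAMPLE_PACKAGES));
```

In a real tree you would feed this every node_modules/*/package.json (and node_modules/@scope/*/package.json) and fail the build on 'missing' or 'unexpected-source'. Keep in mind what the field is: publisher-asserted metadata in the tarball, not something the registry verifies. It tells you where to look for the source, which is what the release note claims and no more; proving that the published tarball was built from that source needs a signed build attestation, which this field does not provide.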

Performance Improvements

No specific performance improvements were mentioned in this release. The focus was primarily on security enhancements, dependency updates, and documentation improvements.

Impact Summary

This release strengthens Strapi's security posture by addressing supply chain concerns and fixing a vulnerability in the tar dependency. It also improves the developer experience with better file watching behavior and updated dependencies. While there are no major new features, the security enhancements make this an important update for development and testing environments using the v4 beta. The changes reflect Strapi's commitment to security and collaboration with industry initiatives like the Linux Foundation's OpenSSF to enhance open-source software security.

Full Release Notes

Changes

  • Dependency updates

Statistics:

  • Files changed: 11
  • Line additions: 96
  • Line deletions: 24
  • Line changes: 120
  • Total commits: 14

Users Affected:

  • Benefit from improved security with updated dependencies
  • More reliable file watching that properly ignores admin folders only within the project scope
  • Better package provenance information for supply chain security

Contributors:

  • msftenhanceprovenance
  • tlux
  • Convly
  • alexandrebodin
  • derrickmehaffy
  • kasonde