Strapi Release: 4.0.0-beta.4

Pre Release

Tag Name: v4.0.0-beta.4

Release Date: 10/19/2021

Strapi

Open-source headless CMS built with Node.js. Provides developers with complete freedom in choosing their favorite tools and frameworks for frontend development.

TL;DR

Strapi v4.0.0-beta.4 introduces password encryption by default in the entity service, fixes critical issues with Sentry integration and server reloading, and improves query parameter handling. This beta release enhances security and stability while preparing for the final v4 release.

Highlight of the Release

    • Default password encryption in the entity service
    • Switch from bcrypt to bcryptjs for better compatibility
    • Fixed Sentry integration when initialization fails
    • Improved server reloading without SIGTERM signals
    • Better handling of nested publication states in REST API

Migration Guide

Migrating from bcrypt to bcryptjs

If you were explicitly using the bcrypt package in your custom code, you should consider switching to bcryptjs for consistency with Strapi's core. The API is compatible, so in most cases, you can simply update your imports:

// Before
const bcrypt = require('bcrypt');

// After
const bcrypt = require('bcryptjs');

Handling Password Fields

If you were manually handling password encryption in your custom code, you may now rely on the entity service's default encryption. Review your code to remove any redundant encryption logic that might cause double-hashing.

Query Parameters Update

If you were using _locale in your queries, update them to use locale instead. Also, any remaining usages of _where should be updated to use the new query format.

Upgrade Recommendations

This beta release contains important security enhancements and bug fixes. If you're already using Strapi v4 beta, upgrading to v4.0.0-beta.4 is highly recommended, especially if you're storing sensitive user information or experiencing issues with server reloading or Sentry integration.

For those still on Strapi v3, this beta release shows continued progress toward a stable v4 release, but production migrations should still wait for the final v4.0.0 release.

Bug Fixes

Sentry Integration Fix

Fixed an issue where the Sentry middleware would still be used even if Sentry initialization failed, potentially causing application errors. The system now properly checks if Sentry is initialized before applying the middleware.

Server Reload Fix

Resolved a problem where the server would send SIGTERM signals during reloads, causing unnecessary termination of processes. This improves the stability of the development workflow.

License Loading Fix

Addressed an issue with license loading that could prevent proper initialization of Enterprise Edition features.

Admin EE Routes Registration

Fixed an error that occurred when registering admin Enterprise Edition routes when the feature was disabled.

New Features

Password Encryption by Default

Password fields in the entity service are now automatically hashed using bcryptjs (the release calls this password encryption). This provides a significant security enhancement without requiring developers to manually implement the hashing logic. The system handles various input types (strings, buffers) and includes safeguards to prevent double-hashing.
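
As an illustration of the double-hashing risk described here and under "Handling Password Fields", the following added example (not Strapi's code, and not a description of how Strapi's own safeguard works) audits the values custom code is about to write to a password attribute. The helper names, the payload shape and the sample data are hypothetical and constructed for this example.

```javascript
// Modular crypt format emitted by bcrypt and bcryptjs:
// $2a$/$2b$/$2y$ prefix, two-digit cost, 22-char salt, 31-char digest.
const BCRYPT_HASH = /^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$/;
const BCRYPT_MAX_BYTES = 72; // bcrypt ignores input beyond 72 bytes

// Hypothetical helper: classify one value destined for a password field.
function classifyPasswordInput(value) {
  if (typeof value !== 'string' && !Buffer.isBuffer(value)) {
    return { ok: false, reason: 'unsupported-type' };
  }
  const text = Buffer.isBuffer(value) ? value.toString('utf8') : value;
  if (text.length === 0) {
    return { ok: false, reason: 'empty' };
  }
  if (BCRYPT_HASH.test(text)) {
    // Custom code already hashed this value. Hashing it again stores
    // hash(hash(pw)), which never matches what the user types at login.
    return { ok: false, reason: 'already-hashed' };
  }
  if (Buffer.byteLength(text, 'utf8') > BCRYPT_MAX_BYTES) {
    // Bytes past the 72nd do not contribute to the resulting hash.
    return { ok: false, reason: 'exceeds-72-bytes' };
  }
  return { ok: true, reason: 'plaintext' };
}

// Hypothetical helper: return only the payloads that need review.
function auditPayloads(payloads, field = 'password') {
  return payloads
    .map((data, index) => ({ index, ...classifyPasswordInput(data[field]) }))
    .filter((finding) => !finding.ok);
}

// Constructed sample data: a placeholder string in bcrypt format and
// payloads as custom code might build them before calling the entity service.
const SAMPLE_HASH = '$2a$10$' + 'A'.repeat(53);
const SAMPLE_PAYLOADS = [
  { email: 'a@example.test', password: 'correct horse battery staple' },
  { email: 'b@example.test', password: SAMPLE_HASH },
  { email: 'c@example.test', password: Buffer.from('s3cret-from-buffer') },
  { email: 'd@example.test', password: 'x'.repeat(80) },
  { email: 'e@example.test', password: 12345 },
];

console.log(auditPayloads(SAMPLE_PAYLOADS));
```

A payload flagged `already-hashed` points at leftover manual hashing in custom code that should be removed now that the entity service hashes the field itself.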

Query Parameter Improvements

A new filters system has been initialized for the query layer to implement publication state filtering. This lays the groundwork for more advanced filtering capabilities in the future. The update also includes the removal of deprecated query parameters and _where occurrences, with _locale being moved to simply locale for better consistency.

Security Updates

Enhanced Password Security

The implementation of default password encryption in the entity service significantly improves the security posture of Strapi applications. Previously, developers needed to manually implement password encryption, which could lead to inconsistent security practices or potential oversights. With this change, all password fields are automatically hashed with industry-standard bcryptjs, reducing the risk of password exposure in case of data breaches.

Performance Improvements

Improved Dependency Management

Switched from bcrypt to bcryptjs for password hashing. While bcryptjs is a pure JavaScript implementation that might be slightly slower than the native bcrypt module, it offers better cross-platform compatibility and eliminates the need for native dependencies, which can simplify deployment and reduce build issues across different environments.

Impact Summary

Strapi v4.0.0-beta.4 significantly enhances security by implementing automatic password encryption in the entity service, removing the burden from developers to manually implement this critical security feature. The switch from bcrypt to bcryptjs improves cross-platform compatibility while maintaining security standards.

The release also addresses several stability issues, particularly with Sentry integration and server reloading, making the development experience more reliable. Query parameter handling improvements, including publication state filtering and the standardization of parameter names, lay groundwork for more consistent API interactions.

These changes collectively represent important progress toward a stable v4 release, with a focus on security, developer experience, and platform stability.

Full Release Notes

Changes

  • Fix License loading issue
  • Handle nested publication state in REST
  • Password attribute encryption
  • Fix UI bugs

Statistics:

  • Files Changed: 46
  • Line Additions: 1,082
  • Line Deletions: 860
  • Line Changes: 1,942
  • Total Commits: 25

Users Affected:

  • Password fields are now encrypted by default in the entity service
  • No longer need to manually implement password encryption
  • Need to be aware of the switch from bcrypt to bcryptjs
  • Will experience more stable server reloading without SIGTERM signals

Contributors:

  • Convly
  • alexandrebodin
  • petersg83