Strapi Release: 4.12.1

Tag Name: v4.12.1

Release Date: 8/2/2023

Strapi

Open-source headless CMS built with Node.js. Provides developers with complete freedom in choosing their favorite tools and frameworks for frontend development.

TL;DR

Strapi v4.12.1 is a security-focused patch release that addresses several vulnerabilities, improves performance with wildcard populate optimizations, adds case-insensitive filters to the content manager, and fixes multiple bugs in the upload, review workflows, and data transfer features. This release also officially drops Node.js 14 support and adds Node.js 20 compatibility.

Highlights of the Release

    • Security fixes for multiple vulnerabilities (details to be disclosed on August 30, 2023)
    • Added case-insensitive filters to content manager for improved content searching
    • Performance optimizations for wildcard populate operations
    • Dropped Node.js 14 support and added Node.js 20 compatibility
    • Fixed issues with media library operations including thumbnail updates and folder deletion

Migration Guide

Node.js 14 to Node.js 16+ Migration

Strapi v4.12.1 has dropped support for Node.js 14, which reached end-of-life. You'll need to upgrade to Node.js 16, 18, or 20 to use this version of Strapi.

To migrate:

  1. Install a supported Node.js version (16, 18, or 20)
  2. Update your CI/CD pipelines to use a supported Node.js version
  3. Update your deployment environments to use a supported Node.js version

No code changes are required for this migration, but ensure that any Node.js-specific code in your custom plugins or configurations is compatible with Node.js 16+.

Upgrade Recommendations

This release contains important security fixes, so upgrading is highly recommended for all Strapi users, especially those with public-facing instances.

To upgrade from v4.12.0 to v4.12.1:

npm install @strapi/[email protected] @strapi/[email protected] @strapi/[email protected]

Or if using Yarn:

yarn upgrade @strapi/[email protected] @strapi/[email protected] @strapi/[email protected]

If you're upgrading from an earlier version than 4.12.0, please refer to the general update guide in the Strapi documentation.

Bug Fixes

Media Library Fixes

  • Fixed issue where empty folders couldn't be deleted in the Media Library
  • Fixed thumbnail updates when replacing media files
  • Fixed issues with uploading assets from URLs

Review Workflows Fixes

  • Fixed issue where Content API partial updates would fail when not populating the stage field
  • Reordered review workflow permissions to appear in CRUD order instead of CUDR for better consistency

Data Transfer Fixes

  • Fixed issues with relations in data transfer operations
  • Added more detailed error messages for WebSocket upgrade errors during data transfer

Registration Fix

  • Fixed registration process to properly handle null lastname values instead of empty strings

New Features

Case-insensitive filters in Content Manager

The Content Manager now supports case-insensitive filters for string fields, making it easier to search for content without worrying about exact case matching. This includes new operators:

  • $containsi: Case-insensitive version of contains
  • $startsi: Case-insensitive version of starts with
  • $endsi: Case-insensitive version of ends with
  • $eqi: Case-insensitive version of equals
  • $nei: Case-insensitive version of not equals

Node.js 20 Support

Strapi now officially supports Node.js 20, allowing developers to use the latest LTS version of Node.js for their Strapi projects.

Security Updates

This release includes several security fixes that address vulnerabilities in Strapi. The Strapi team has intentionally delayed the detailed disclosure of these vulnerabilities to give users time to upgrade before public disclosure.

The security fixes include:

  • Updates to both Admin and User & Permissions rate limiting to use lower path normalization
  • Applied RBAC permissions to read fields
  • Updated semver dependency to remove audit warnings

Full details of these security fixes are scheduled to be disclosed on August 30, 2023, via a blog post.
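
Why the path that feeds a rate-limit key is normalized, as an added JavaScript example that is not Strapi's code: it reads "lower path normalization" as lower-casing the request path, and compares a limiter keyed on the raw path with one keyed on the lower-cased path. The limiter, the key functions, the sample requests and the case-insensitive route matching are all assumptions made for illustration.

```javascript
// Added illustration, not Strapi source. All names here are hypothetical.

// Fixed-window limiter: at most `max` hits per key per `windowMs`.
function createLimiter({ max, windowMs, keyOf }) {
  const buckets = new Map(); // key -> { count, resetAt }
  return function allow(req, now) {
    const key = keyOf(req);
    let bucket = buckets.get(key);
    if (!bucket || now >= bucket.resetAt) {
      bucket = { count: 0, resetAt: now + windowMs };
      buckets.set(key, bucket);
    }
    bucket.count += 1;
    return bucket.count <= max;
  };
}

// Key built from the path exactly as the client sent it.
const rawKey = (req) => `${req.ip}:${req.path}`;

// Key built from the lower-cased path, so spellings that a
// case-insensitive router (assumed here) sends to the same handler
// also share one counter.
const normalizedKey = (req) => `${req.ip}:${req.path.toLowerCase()}`;

// Constructed sample traffic: one client, one route, varying spelling.
const SAMPLE_PATHS = ['/admin/login', '/Admin/login', '/admin/Login',
  '/ADMIN/LOGIN', '/admin/login', '/admin/login'];

// Number of sample requests a limiter (max 2 per minute) lets through.
function countAllowed(keyOf, paths = SAMPLE_PATHS) {
  const allow = createLimiter({ max: 2, windowMs: 60_000, keyOf });
  let allowed = 0;
  paths.forEach((path, i) => {
    if (allow({ ip: '203.0.113.7', path }, 1_000 + i)) allowed += 1;
  });
  return allowed;
}

console.log('raw key:       ', countAllowed(rawKey), 'of', SAMPLE_PATHS.length);
console.log('normalized key:', countAllowed(normalizedKey), 'of', SAMPLE_PATHS.length);
```

With the raw key, only the third identical spelling is refused; with the normalized key, every spelling counts against the same limit.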

Performance Improvements

Wildcard Populate Optimizations

Significant performance improvements have been made to the wildcard populate feature. The implementation now transforms wildcards to exact populate definitions during sanitization steps, which reduces the overhead of processing wildcard populate requests.

This optimization is particularly beneficial for complex content types with many relations, as it reduces the amount of processing needed to handle populate operations.

Impact Summary

Strapi v4.12.1 is primarily a security and bug fix release with some notable performance improvements and feature enhancements.

The security fixes address multiple vulnerabilities, with details to be disclosed on August 30, 2023. These fixes are critical for securing Strapi instances, particularly those exposed to the public internet.

The performance improvements to wildcard populate operations will benefit applications with complex content structures and many relations, potentially reducing response times and server load.

The addition of case-insensitive filters to the content manager enhances the content editing experience, making it easier to search and filter content without worrying about exact case matching.

The bug fixes address issues across multiple areas of the application, including media library operations, review workflows, and data transfer functionality.

The compatibility change of dropping Node.js 14 support and adding Node.js 20 support ensures Strapi remains up-to-date with the Node.js ecosystem, but requires users to upgrade their Node.js version if still using Node.js 14.

Full Release Notes

⚠️ Security Warning and Notice ⚠️

Strapi was made aware of a few vulnerabilities that were patched in this release. For now, we are going to delay the detailed disclosure of the exact details on how to exploit it and how it was patched to give time for users to upgrade before we do public disclosure.

For now, the delay timeline looks like we will release the detailed information in the next four (4) weeks; we expect to do public disclosure (via a blog post) on Wednesday, Aug 30th, 2023.

⚙️ Chore

  • [core:admin] Chore: Drop getRequestUrl from the admin app (#17439) @gu-stav
  • [core:admin] Chore: Move marketplace and plugins hooks into their page contexts (#17533) @gu-stav
  • [core:content-manager] Chore: Inline fetch functions and drop getRequestUrl from content-manager (#17437) @gu-stav
  • [core:content-manager] Chore: Drop lodash from configure the view page (#17438) @gu-stav
  • [core:content-manager] Chore: Cleanup configure the view styles (#17440) @gu-stav
  • [core:strapi] Drop Node 14 support, add Node 20 (#16557) @innerdvations
  • [dependencies] chore(deps): bump winston from 3.9.0 to 3.10.0 (#17268) @dependabot
  • [dependencies] Update semver to remove audit warnings (#17449) @derrickmehaffy
  • [dependencies] chore(deps-dev): bump the eslint group with 3 updates (#17507) @dependabot
  • [dependencies] chore(deps-dev): bump core-js from 3.31.0 to 3.32.0 (#17508) @dependabot
  • [docs] Fix some spelling and standardiZe regional usages (#17491) @innerdvations
  • [tooling] tests(e2e): init playwright, add small test suite & cli (#14807) @alexandrebodin

💅 Enhancement

🔥 Bug fix

  • [core:admin] Fix: Registration - Send null for lastname instead of empty string (#17462) @gu-stav
  • [core:data-transfer] Fix data transfer relations (#17475) @christiancp100
  • [core:review-workflows] fix: reorder rw permissions so they appear as CRUD (#17493) @Marc-Roig
  • [core:review-workflows] fix: Content API partial update fails when not populating stage field (#17512) @Marc-Roig
  • [core:upload] fixed: Media Library - Can`t delete empty folder #17263 (#17280) @noobCode-69
  • [core:upload] Update media thumbnails on replace (#17455) @jhoward1994
  • [core:upload] Fix: Upload assets from url (#17459) @Feranchz
  • [tooling] Fix intermittently failing API tests by using consistent versions of sqlite packages (#17490) @innerdvations

📚 Update and Migration Guides

  • General update guide can be found here
  • Migration guides can be found here 📚

Statistics:

Files Changed: 300
Line Additions: 3,237
Line Deletions: 1,629
Line Changes: 4,866
Total Commits: 199

Users Affected:

  • Benefit from security fixes that protect admin routes and API endpoints
  • Can now use case-insensitive filters in the content manager
  • Fixed issue with deleting empty folders in Media Library
  • Improved error messaging for data transfer operations

Contributors:

derrickmehaffy, Convly, innerdvations, xiaotiandada, alexandrebodin, noobCode-69, marob, Feranchz, Marc-Roig, jhoward1994, joshuaellis, gu-stav, christiancp100, dependabot[bot]