
Strapi Release: 4.13.1

Tag Name: v4.13.1

Release Date: 8/30/2023

Strapi

Open-source headless CMS built with Node.js. Provides developers with complete freedom in choosing their favorite tools and frameworks for frontend development.

TL;DR

Strapi v4.13.1 introduces a significant breaking change in how query parameters are handled in the Content API, now rejecting invalid parameters with errors instead of silently removing them. The release also includes important security patches (details to be disclosed on Sept 13, 2023), enhanced content management capabilities with new sorting and filtering options, workflow assignees feature, and improved TypeScript support with Entity Service types. UI improvements include a new settings menu in the list view and auto-focusing via URL parameters.

Highlight of the Release

    • Breaking change: Invalid query parameters now return errors instead of being silently removed
    • Security patches included (detailed disclosure planned for Sept 13, 2023)
    • New workflow assignees feature for better content management workflows
    • Improved content-manager sorting and filtering capabilities
    • Enhanced TypeScript support with Entity Service types
    • New settings menu in the list view for better content management
    • Auto-focusing via URL parameters for improved navigation

Migration Guide

Breaking Change: Query Parameter Validation

Starting with Strapi v4.13.1, requests to the Content API using invalid query parameters will be rejected with an error response instead of being silently removed from the query. This is a breaking change that may affect your application.

What you need to do:

  1. Review your API calls: Ensure that all parameters in your query strings are valid.

  2. Update error handling: Make sure your client applications can handle error responses from the Content API.

  3. For legacy behavior: If you need the previous behavior of dropping invalid parameters, create a custom controller (via createCoreController) whose read methods call this.sanitizeQuery(ctx) but not this.validateQuery(ctx), which the default core controller runs before sanitizing. Be clear about what you are opting back into: a filter on a private or unknown field is silently stripped, so the request is answered with unfiltered results and the caller never learns its filter was ignored. Scope the override to the endpoints and clients that genuinely need it.

// Example of a custom controller keeping the legacy behaviour
// (src/api/your-model/controllers/your-model.js)
const { createCoreController } = require('@strapi/strapi').factories;

module.exports = createCoreController('api::your-model.your-model', ({ strapi }) => ({
  async find(ctx) {
    // Only sanitize; the default core controller calls this.validateQuery(ctx) first
    const sanitizedQuery = await this.sanitizeQuery(ctx);

    const { results, pagination } = await strapi
      .service('api::your-model.your-model')
      .find(sanitizedQuery);

    // Strip private fields and anything the caller is not allowed to read
    const sanitizedResults = await this.sanitizeOutput(results, ctx);

    return this.transformResponse(sanitizedResults, { pagination });
  },
}));

For more information about this change, please refer to issue #17001.
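The difference between the two code paths, as an added illustration that is not Strapi's own implementation: a toy sanitizer over a constructed article schema, where sanitizeQuery returns the stripped query (the pre-4.13.1 behaviour) and validateQuery rejects it with a 400 ValidationError (the 4.13.1 behaviour). The schema, its field names, the set of root keys and the five operators are assumptions made for the example; Strapi's real utilities in @strapi/utils also handle nested $and/$or filters, relations and populate.

```javascript
// Added illustration, not Strapi's code: a toy version of the
// "sanitize vs validate" split for Content API query parameters.
// Strapi's real utilities (@strapi/utils) also handle nested $and/$or
// filters, relations, populate and more; this covers flat filters,
// sort, fields and pagination, which is enough to show the behaviour.

class ValidationError extends Error {
  constructor(message) {
    super(message);
    this.name = 'ValidationError';
    this.status = 400; // the status the Content API answers with
  }
}

// Constructed toy schema shaped like a Strapi content-type definition.
// Private attributes are never exposed through the Content API.
const articleSchema = {
  attributes: {
    title: { type: 'string' },
    body: { type: 'text' },
    internalNote: { type: 'string', private: true },
  },
};

const ROOT_KEYS = new Set(['filters', 'sort', 'fields', 'pagination']);
const OPERATORS = new Set(['$eq', '$ne', '$in', '$contains', '$startsWith']);

function queryableFields(schema) {
  return new Set(
    Object.entries(schema.attributes)
      .filter(([, attr]) => !attr.private)
      .map(([name]) => name)
  );
}

// Rebuilds the query keeping only known root keys, known non-private
// fields and known operators; records the path of everything it dropped.
function sanitize(query, schema) {
  const allowed = queryableFields(schema);
  const clean = {};
  const dropped = [];

  for (const [key, value] of Object.entries(query)) {
    if (!ROOT_KEYS.has(key)) {
      dropped.push(key);
    } else if (key === 'filters') {
      clean.filters = {};
      for (const [field, cond] of Object.entries(value)) {
        if (!allowed.has(field)) {
          dropped.push(`filters.${field}`);
          continue;
        }
        clean.filters[field] = {};
        for (const [op, operand] of Object.entries(cond)) {
          if (OPERATORS.has(op)) clean.filters[field][op] = operand;
          else dropped.push(`filters.${field}.${op}`);
        }
      }
    } else if (key === 'sort' || key === 'fields') {
      clean[key] = [];
      for (const entry of Array.isArray(value) ? value : [value]) {
        const field = String(entry).split(':')[0]; // "title:asc" -> "title"
        if (allowed.has(field)) clean[key].push(entry);
        else dropped.push(`${key}.${field}`);
      }
    } else {
      clean[key] = value; // pagination is passed through untouched here
    }
  }
  return { query: clean, dropped };
}

// Pre-4.13.1 behaviour: strip and carry on. A filter on a private or
// unknown field is simply removed, so the request is answered with
// unfiltered results and the caller never learns its filter was ignored.
function sanitizeQuery(query, schema) {
  return sanitize(query, schema).query;
}

// 4.13.1 behaviour: any invalid key rejects the whole request.
function validateQuery(query, schema) {
  const { dropped } = sanitize(query, schema);
  if (dropped.length > 0) {
    throw new ValidationError(`Invalid parameter ${dropped[0]}`);
  }
  return true;
}

// The two controller shapes: the default core controller validates and
// then sanitizes; a "legacy" custom controller only sanitizes.
function buildFindQuery(query, schema, { legacy = false } = {}) {
  if (!legacy) validateQuery(query, schema);
  return sanitizeQuery(query, schema);
}

// Constructed request: a valid filter, a filter on a private field and
// an unknown root key.
const suspiciousQuery = {
  filters: { title: { $eq: 'Hello' }, internalNote: { $startsWith: 'a' } },
  sort: ['title:asc'],
  debug: true,
};
```

Calling buildFindQuery(suspiciousQuery, articleSchema, { legacy: true }) returns the query with the internalNote filter and the debug key removed, which is exactly the "unfiltered answer" a legacy controller would go on to serve; the default call throws a 400 ValidationError naming filters.internalNote, so the caller is told its request was rejected instead of receiving data it did not ask for.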

Upgrade Recommendations

Priority: High

This release contains important security patches and a breaking change in how query parameters are handled. It is recommended to upgrade as soon as possible, especially if your application relies on the Content API.

Before upgrading:

  1. Review your API calls: Check all places where you make requests to the Content API and ensure you're using valid query parameters.

  2. Test in a staging environment: Due to the breaking change in query parameter handling, it's strongly recommended to test the upgrade in a staging environment first.

  3. Backup your data: Always create a backup of your database and files before upgrading.

Upgrade steps:

  1. Follow the general update guide to update your Strapi version.

  2. If you encounter issues with the new query parameter validation, consider implementing custom controllers as described in the migration guide.

  3. After upgrading, monitor your application logs for any errors related to invalid query parameters.

Who should upgrade immediately:

  • Applications exposed to public networks (due to security fixes)
  • Applications that rely heavily on the Content API
  • Teams that want to take advantage of the new workflow assignee features and enhanced content management capabilities

Bug Fixes

Query Parameter Validation

Invalid query parameters are no longer silently removed; the request is rejected with an error response. Besides making mistakes in API calls visible to developers, this means a filter that Strapi refuses to apply can no longer result in an unfiltered response being returned as if the filter had worked.

Role Name Display

Fixed an issue where role names were not properly displayed in the admin interface.

Review Workflow Fields

Fixed issues with review workflow fields in the user content type, ensuring they don't interfere with user management functionality.

Data Transfer for Assignee Feature

Fixed the data transfer functionality to properly handle the strapi_assignee field as a known feature.

Creator Fields Handling

Fixed an issue where creator fields were being unnecessarily cleaned, as they are not sent to the backend.

Error Handling

Improved error handling in the application to gracefully handle errors without disrupting the user experience.

TypeScript Circular Dependency

Fixed a circular dependency caused by Attribute.UID in Attribute.Any, improving TypeScript support.

New Features

Workflow Assignees

Users can now assign workflow tasks to specific team members, enhancing collaboration and content workflow management. This feature allows tracking who is responsible for content at different stages of the workflow.

Enhanced Content Manager Sorting & Filtering

The content manager now supports sorting by relational fields and non-visible attributes. This provides more flexibility in how content is organized and displayed in the list view.

New Settings Menu in List View

A new cog button icon has been added to the list view, providing quick access to view settings. This improves the user experience by making configuration options more accessible.

Auto-focusing via URL Parameters

Content fields can now be auto-focused using URL search parameters, making it easier to navigate directly to specific fields when editing content.

Entity Service Types for TypeScript

Improved TypeScript support with comprehensive Entity Service types, providing better type safety and developer experience when working with Strapi's entity service.

Net Promoter Score (NPS) Survey

Added functionality to collect user feedback through NPS surveys, helping Strapi understand user satisfaction and gather insights for product improvement.

Security Updates

Query Parameter Validation

Added a validate utility (in core:utils) that the core API controllers now run on query parameters before sanitization, rejecting unknown or disallowed keys instead of stripping them and so closing the gap that unvalidated input left open.

Users & Permissions Plugin

Added an allowedFields configuration option to the Users & Permissions plugin, providing more control over which fields can be accessed, enhancing security.
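An added configuration example, not taken from the page: the option is set in the plugin configuration and lists the user attributes a registration request is allowed to set, beyond the credentials the plugin handles itself. The key path (users-permissions, config, register, allowedFields) is assumed to match the plugin's documentation for 4.13.x and should be checked against the docs for your version; nickname is a hypothetical custom attribute on the user content type.

```javascript
// ./config/plugins.js (added example; key path assumed from the plugin docs)
module.exports = () => ({
  'users-permissions': {
    config: {
      register: {
        // Allowlist of attributes a /api/auth/local/register body may set,
        // on top of the username/email/password the plugin handles itself.
        // Keep it to harmless profile fields. Never list role, confirmed,
        // blocked or provider here, or a caller could grant itself privileges
        // or bypass e-mail confirmation at sign-up.
        allowedFields: ['nickname'], // 'nickname' is a hypothetical custom attribute
      },
    },
  },
});
```

An empty or absent list is the restrictive setting; every name you add is a field that unauthenticated callers can write, so review the list whenever the user content type gains an attribute.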

Security Patches

The release includes security patches for vulnerabilities that were identified. Detailed disclosure of these vulnerabilities is planned for September 13, 2023, to give users time to upgrade before public disclosure.

Performance Improvements

No specific performance improvements were highlighted in this release. The focus appears to be on feature enhancements, security fixes, and bug fixes rather than performance optimizations.

Impact Summary

Strapi v4.13.1 introduces a significant breaking change in how the Content API handles invalid query parameters, now returning errors instead of silently removing them. This improves API robustness but requires attention from developers to ensure their applications can handle these errors properly.

The release also includes important security patches (with detailed disclosure planned for September 13, 2023) that address vulnerabilities in the system. These security improvements, combined with the new allowedFields configuration option in the Users & Permissions plugin, enhance the overall security posture of Strapi applications.

For content editors and administrators, the release brings valuable enhancements to the content management experience. The new workflow assignees feature improves collaboration by allowing specific users to be assigned to workflow tasks. The enhanced sorting and filtering capabilities, including support for relational fields and non-visible attributes, provide more flexibility in content organization. The new settings menu in the list view and auto-focusing via URL parameters further improve the user interface and navigation.

Developers will benefit from improved TypeScript support with comprehensive Entity Service types, making it easier to work with Strapi's entity service in a type-safe manner.

Overall, this release represents a significant step forward in terms of security, content management capabilities, and developer experience, though it requires careful attention to the breaking change in query parameter handling.

Full Release Notes

⚠️ Breaking Changes ⚠️

Starting with Strapi v4.13.1, requests to the Content API using invalid query parameters will be rejected with an error response instead of being silently removed from the query. If you are seeing “Invalid parameter” errors in a Content API request, please ensure that every parameter in your query string is valid. If you need the previous behavior of filtering out invalid parameters, you will need to use a custom controller that only calls sanitizeQuery and not validateQuery. For more information as to why we made this change please see #17001

⚠️ Security Warning and Notice ⚠️

Strapi was made aware of a few vulnerabilities that were patched in this release. For now, we are going to delay the detailed disclosure of the exact details on how to exploit them and how they were patched, to give users time to upgrade before we do public disclosure.

For now, the delay timeline looks like we will release the detailed information in the next two (2) weeks; we expect to do public disclosure (via a blog post) on Wednesday, Sept 13th, 2023. The previous disclosure mentioned in v4.12.1 was delayed and will also be disclosed on Sept 13th, 2023.

💅 Enhancement

  • [core:admin] List view: new cog button icon with the view settings in the list view page (#17551) @simotae14
  • [core:admin] List view: new cog button icon with the view settings in the list view page (#17602) @simotae14
  • [core:content-manager] Feat: Allow writeable & nonvisible fields as default sort (#17205) @Marc-Roig
  • [core:utils] 💥 Throw error on missing schema in sanitization (#17693) @innerdvations

🚀 New feature

🔥 Bug fix

  • [core:admin] fix: dont use relative paths, use webpack alias instead (#17733) @joshuaellis
  • [core:admin] fix(app): Handle errors gracefully (#17833) @gu-stav
  • [core:content-manager] fix: display role names (#17702) @Marc-Roig
  • [core:data-transfer] [DTS] Only delete types of data that are being transferred (#17730) @innerdvations
  • [core:review-workflows] fix: include strapi_assignee as a known feature in data transfer (#17768) @Marc-Roig
  • [core:review-workflows] fix: Ignore review workflow fields on user content type modifications check (#17865) @Marc-Roig
  • [core:strapi] feat: proxy content type in controller factory (#17772) @Marc-Roig
  • [typescript] Fix circular dependency caused by Attribute.UID in Attribute.Any (#17569) @Convly

🚨 Security

  • [core:utils] Add validate utility and use it to validate query params in API controllers (#17639) @innerdvations
  • [plugin:users-permissions] [U&P] Add allowedFields configuration option (#17804) @innerdvations

⚙️ Chore

  • [core:admin] Revert "Chore: Refactor admin app entries" (#17853) @gu-stav
  • [dependencies] chore(deps-dev): bump the eslint group with 2 updates (#17825) @dependabot
  • [dependencies] chore(deps): bump axios from 1.4.0 to 1.5.0 (#17827) @dependabot
  • [dependencies] chore(deps): bump node-fetch from 2.6.9 to 2.7.0 (#17828) @dependabot

📚 Update and Migration Guides

  • General update guide can be found here
  • Migration guides can be found here 📚

Statistics:

Files changed: 300
Line additions: 10,163
Line deletions: 4,799
Line changes: 14,962
Total commits: 250

Users affected:

  • Must ensure all query parameters are valid as invalid parameters now return errors instead of being silently removed
  • Need to update client applications to handle potential error responses from the Content API
  • May need to implement custom controllers if they require the previous behavior of filtering out invalid parameters
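What the client-side change amounts to, as an added example that is not Strapi's own client code: a small wrapper that reads the Content API error envelope (Strapi v4 reports failures as an object with data: null and an error carrying status, name, message and details), distinguishes a 400 ValidationError on a read (the query string is wrong and must be fixed) from authorization or server failures, and builds the bracketed query string Strapi expects. The base URL, the articles collection, the injected fetch and the sample bodies are constructed for the example; the details object in particular is illustrative, so treat status, name and message as the fields to rely on.

```javascript
// Added illustration, not Strapi's own client code: handling the Content
// API error envelope from a client. Strapi v4 reports every failure as
// { data: null, error: { status, name, message, details } }.

class StrapiApiError extends Error {
  constructor({ status, name, message, details }) {
    super(message);
    this.name = name;       // 'ValidationError', 'ForbiddenError', ...
    this.status = status;   // HTTP status echoed inside the envelope
    this.details = details || {};
  }
}

// Maps (HTTP status, parsed JSON body) to either the payload or a typed error.
function classifyResponse(status, body) {
  if (status >= 200 && status < 300) {
    return { ok: true, data: body.data, meta: body.meta };
  }
  const envelope = body && body.error
    ? body.error
    : { status, name: 'HttpError', message: `HTTP ${status}`, details: {} };
  return { ok: false, error: new StrapiApiError(envelope) };
}

// Since 4.13.1 a 400 ValidationError on a read means the query string itself
// is wrong (misspelled field, unknown operator, filter on a private attribute).
// Retrying cannot help; the request has to be fixed. Authorization and
// server errors deserve different handling, so keep them distinguishable.
function isInvalidQueryError(err) {
  return err instanceof StrapiApiError && err.status === 400 && err.name === 'ValidationError';
}

// Strapi expects the bracketed form, e.g. filters[title][$eq]=Hello&sort[0]=title:asc
function buildQueryString(params) {
  return new URLSearchParams(params).toString();
}

// fetchImpl is injectable so the call can run against a constructed response.
// The base URL and the "articles" collection are assumptions.
async function findArticles(params, { fetchImpl = globalThis.fetch, baseUrl = 'http://localhost:1337' } = {}) {
  const res = await fetchImpl(`${baseUrl}/api/articles?${buildQueryString(params)}`);
  const body = await res.json();
  const result = classifyResponse(res.status, body);
  if (!result.ok) throw result.error;
  return result.data;
}

// Constructed bodies standing in for a live server. The details object is
// illustrative; status, name and message are the fields to rely on.
const sampleOkBody = {
  data: [{ id: 1, attributes: { title: 'Hello' } }],
  meta: { pagination: { page: 1, pageSize: 25, pageCount: 1, total: 1 } },
};
const sampleInvalidBody = {
  data: null,
  error: {
    status: 400,
    name: 'ValidationError',
    message: 'Invalid parameter internalNote',
    details: { key: 'internalNote', path: 'filters.internalNote' },
  },
};

// Stand-in fetch that always answers like a 4.13.1 server rejecting the query.
const fakeRejectingFetch = async () => ({ status: 400, json: async () => sampleInvalidBody });

if (typeof require !== 'undefined' && require.main === module) {
  findArticles({ 'filters[internalNote][$startsWith]': 'a' }, { fetchImpl: fakeRejectingFetch })
    .catch((err) => console.log(isInvalidQueryError(err)
      ? `fix the query: ${err.message}`
      : `other failure: ${err.status} ${err.message}`));
}
```

During the staging run recommended above, logging every isInvalidQueryError hit with the query string that produced it gives a direct list of the call sites that depended on parameters being dropped, which is the list you need before going to production.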

Contributors:

  • Marc-Roig
  • jhoward1994
  • Convly
  • douglasduteil
  • innerdvations
  • Feranchz
  • x3r0z
  • dependabot[bot]
  • joshuaellis
  • simotae14
  • markkaylor
  • alexandrebodin
  • christiancp100
  • gu-stav