TL;DR
Strapi v4.19.1: Security Patch and Bug Fixes
This patch release addresses a security vulnerability and several critical bugs in Strapi v4.19.0. Key improvements include fixes for relation query sanitization, password handling, component name validation, and i18n locale swapping. The release also enhances content entry duplication with better handling of problematic fields. Users should upgrade immediately due to the security implications.
Highlight of the Release
- Security vulnerability patched (details withheld temporarily to allow users time to upgrade)
- Fixed issue where passwords were being sent unnecessarily when not changed
- Improved relation read query sanitization for better security
- Enhanced content entry duplication with better handling of problematic fields
- Fixed i18n locale swapping with content-types when Draft & Publish is disabled
Migration Guide
No specific migration steps are required for this patch release. Standard update procedures apply:
- Make a backup of your Strapi project before updating
- Update your Strapi version in your package.json:
npm install [email protected] --save
# or
yarn upgrade [email protected]
- Run the installation:
npm install
# or
yarn install
- Rebuild your admin panel:
npm run build
# or
yarn build
- Start your Strapi application:
npm run develop
# or
yarn develop
For general update guidance, refer to the official update guide.
For version-specific migration information, check the migration guides.
Upgrade Recommendations
Immediate Upgrade Recommended
Due to the security vulnerability addressed in this release, immediate upgrade is strongly recommended for all Strapi installations running version 4.19.0 or earlier.
The security patch is critical for maintaining the security of your Strapi application and protecting your data. Additionally, the bug fixes for password handling, relation queries, and component name validation improve overall system stability and security.
This is a patch release (4.19.1), so the upgrade should be straightforward with minimal risk of breaking changes.
Bug Fixes
Security and Data Integrity Fixes
- Security Vulnerability Patch: A security vulnerability was addressed in this release. Detailed disclosure is temporarily delayed to give users time to upgrade.
- Password Handling: Fixed an issue where passwords were being sent when they were not changed, improving security and preventing unintended password updates (#19295).
- Relation Read Query: Sanitized relation read queries to prevent potential security issues and ensure proper data access control (#19227).
- Component Name Validation: Added validation to check component names against collection type names to prevent naming conflicts (#19328).
- i18n Plugin: Fixed locale swapping issues with content-types when Draft & Publish functionality is disabled (#19296).
- Pagination: Fixed issues with pagination in relation queries to ensure correct data retrieval and display.
New Features
Enhanced Content Entry Duplication
The content manager now provides better handling of entry duplication:
- Lists problematic fields when autoclone fails
- Provides clearer feedback to users about duplication issues
- Allows unidirectional one-to-many relations in duplication
- Improves the user experience with ordered lists for breadcrumbs
- Uses less strict wording in the interface
Playwright Test Improvements
- Adjusted Playwright timeouts for more reliable testing
- Added ability to set timeouts from environment variables
Security Updates
Security Vulnerability Patch
This release includes a patch for a security vulnerability in Strapi. The Strapi team has temporarily delayed detailed disclosure of the exact vulnerability details and how it was patched to give users adequate time to upgrade before public disclosure.
The security fix is related to relation read query sanitization, which helps prevent unauthorized access to data through relation queries.
Performance Improvements
No specific performance improvements were highlighted in this release. The focus was primarily on security fixes and bug resolution.
Impact Summary
This patch release (v4.19.1) addresses a security vulnerability and several critical bugs in Strapi v4.19.0. The security fix is particularly important, as it patches a vulnerability related to relation read queries that could potentially expose data to unauthorized users.
The bug fixes improve several core functionalities:
- Password handling in the admin panel
- Relation query sanitization and pagination
- Component name validation
- i18n locale swapping with specific configurations
The enhancement to content entry duplication provides a better user experience for content editors by clearly identifying problematic fields during duplication and allowing more relation types to be duplicated.
Overall, this release significantly improves the security posture and stability of Strapi applications without introducing breaking changes. All users should upgrade promptly, especially given the security implications.
Full Release Notes
⚠️ Security Warning and Notice ⚠️
Strapi was made aware of a vulnerability that was patched in this release; for now we are going to delay the detailed disclosure of the exact details on how to exploit it and how it was patched, to give time for users to upgrade before we do public disclosure.
🔥 Bug fix
- [core:admin] Fix password is sent when it was not changed (#19295) @xyrolle
- [core:content-manager] Sanitize relation read query (#19227) @Bassel17
- [core:content-type-builder] Check component against collectionTypeNames (#19328) @Bassel17
- [plugin:i18n] fix(i18n): locale swapping with content-types & D&P disabled (#19296) @joshuaellis
💅 Enhancement
- [core:content-manager] feat(content-manager): better handle entry duplication (#19256) @remidej
⚙️ Chore
- [tooling] chore(workflows): update unit_front skipped test to use node 20 (#19363) @Feranchz
📚 Update and Migration Guides
- General update guide can be found here
- Migration guides can be found here 📚