Apostrophe 4.29.0: Recently Edited Documents Manager, Unified Styles Editor

[BoDonkey]

Hello Apostrophe Community!

Apostrophe 4.29.0 brings a new Recently Edited Documents manager to the admin bar, a unified Styles Editor experience, and continued improvements to static build support for Apostrophe-Astro projects.

Apostrophe.4.29.0_.Recently.Edited.Documents.mp4

Recently Edited Documents Manager

The admin bar now includes a Recently Edited Documents manager, making it faster for editors to locate and review recently changed content without hunting through piece or page managers. The manager displays all documents that have been edited across content types in a single unified view, with filtering by editor, document type, locale, edit action, and status. It appears alongside the existing Submitted Drafts action and surfaces recently touched documents across content types in one place.

The manager is also extensible: modules can contribute their own filter choices to the Recently Edited view. Pro module integrations take advantage of this in 4.29.0, with @apostrophecms-pro/automatic-translation adding an "Unpublished Translation" status filter and @apostrophecms/import-export adding an "Imported" action filter — making it easier to pick up multilingual or imported content right where you (or someone else) left it.

New Background Preset for the Styles Editor

The Styles Editor, the modal interface where developers predefine style options that editors can apply to widgets or globally, gains a new background preset in this release. It supports image, color, and gradient backgrounds with overlay, giving editors control over rich background treatments without writing custom CSS. Teams building visually varied layouts now have a structured, editor-friendly way to manage backgrounds as part of their predefined style options.

Static Build Improvements for Astro Projects

This release continues to expand static build support for Apostrophe-Astro projects. Pretty URL file attachments are now fully supported in the static build metadata pipeline: the getAllUrlMetadata API correctly annotates affected attachments, and the backend streaming proxy route properly resolves relative uploadfs URLs during static builds. A bug that prevented pretty URLs from working correctly with locale prefixes has also been fixed.

On the @apostrophecms/apostrophe-astro side, the writeAttachments step now supports per-entry base URL resolution, correctly downloading and writing pretty URL files to the appropriate output directory (e.g. dist/files/). A new attachmentFilter option, configurable as 'all' or 'prettyOnly', lets you skip regular uploadfs attachments when those are served by a CDN while still including backend-served pretty URL files (e.g. PDFs with friendly URLs) in the static output. The option can be set via the staticBuild.attachmentFilter integration option or the APOS_ATTACHMENT_FILTER environment variable.

Security Fixes

AI tooling has become remarkably effective at identifying previously undiscovered software vulnerabilities, and the open source ecosystem is feeling it — including us. This release includes six security fixes, more than we would typically see in a single cycle. We view this as a net positive: these issues are being found and fixed rather than quietly exploited, and in at least one case the work prompted us to introduce a new protective mechanism in core that makes an entire class of vulnerability less likely going forward.

This release addresses:

• XSS vulnerabilities in the @apostrophecms/seo module's SEO Title and Meta Description fields, in color schema fields, and in sanitize-html when option tags were explicitly permitted
• API data exposure via the .choices() and .counts() query builders, which could be used to access schema fields outside the publicApiProjection, and a separate publicApiProjection bypass for piece types
• A timing attack in the password reset flow that could disclose whether an email address or username was valid

Important: The SEO XSS fix requires upgrading both apostrophe and @apostrophecms/seo together. Upgrading only one will not fully resolve the vulnerability.

Thanks to K Shanmukha Srinivasulu Royal for reporting the SEO vulnerability, and to offset and restriction for reporting — and in restriction's case, proposing fixes for — three additional issues.

Additional Improvements

• The Styles and Column configuration panels in the Styles Editor modal have been merged into a single interface.
• The sitemap module now includes x-default hreflang tags in sitemap entries for improved international SEO targeting.
• We fixed a focus trap bug where keyboard focus in context menus would jump back to the first item after reaching the last.
• A misleading return statement in pruneDataForExternalFront — a method intended to be overridden to modify data in place before it is sent to Astro or a similar frontend — has been removed to prevent confusion when customizing that method.

---

This release contains important security fixes — we encourage all users to upgrade promptly with npm update. Let us know what you think on our roadmap.

🚀 Happy coding!

Apostrophe 4.29.0

Adds

• Added support for pretty URL file attachments in the static build metadata pipeline. When @apostrophecms/file has options.prettyUrls enabled, the getAllUrlMetadata API now annotates affected attachments properly. The backend streaming proxy route was also fixed to correctly resolve relative uploadfs URLs during static builds.
• Introduced Recently Edited manager as Admin Bar action, next to the existing Submitted Drafts. Allows modules to contribute filter choices.
• Fix batch operations executed in a modal in a different locale causing wrong browser URL rewrite
• Add background preset to the Styles Editor, supporting image, color, and gradient background CSS generation.

Fixes

• Fix a focus trap bug where in the context menu focus would jump back to the first element when reaching the last one.
• Bug fix: the "pretty URLs" feature of @apostrophecms/file is now compatible with locale prefixes.
• Removed misleading return from pruneDataForExternalFront, a method intended to be overridden to modify data "in place" before it is sent to Astro or a similar frontend.
• Fix layout column breadcrumb operations leaking in layout edit mode.

Changes

• Combine Styles and Column configuration in a single Styles Editor experience.
• Use shorter placeholder text for relationship inputs in small/micro contexts.

Security

• Fix an XSS vulnerability allowing arbitrary markup to be inserted via the "SEO Title" or "Meta Description" fields provided by the @apostrophecms/seo module. The fix requires upgrading BOTH apostrophe and @apostrophecms/seo. A new mechanism for safely emitting JSON nodes has been introduced to make this type of vulnerability unlikely in the future. Thanks to K Shanmukha Srinivasulu Royal for reporting the vulnerability.
• Fixed a security hole in the .choices() and .counts() query builders: formerly, these query builders could be used by the public to exfiltrate schema fields not included in the publicApiProjection, or fields locked down with a viewPermission property. Thanks to offset for reporting this issue, which was not made public prior to the release of the fix.
• Fixed an XSS vulnerability in color fields, which formerly accepted - followed by anything, including </style>, which could be used to inject other markup. Thanks to restriction for reporting the issue and proposing the fix.
• Resolved a publicApiProjection bypass vulnerability for piece types. Thanks to restriction for reporting the issue and proposing the fix.
• Ensured a minimum 2-second delay in the password reset flow to avoid disclosing whether the email or username was valid or not. Thanks to restriction for reporting the issue and proposing the fix.

Pro Modules

@apostrophecms-pro/automatic-translation 1.5.0

This bundle allows automatic translation of documents (pages and pieces) when localizing content. It comes with two translation providers: Google Cloud Translation and DeepL, and supports custom providers. Explore our documentation to learn how this extension can enhance your project. Once you're ready, obtain a license and install it through Apostrophe Workspaces. For further details or inquiries, feel free to contact us or visit our pricing page.

Adds

• Adds support for a "Unpublished Translation" status filter in the Recently Edited manager.

@apostrophecms-pro/cypress-tools 1.0.0-beta.27

Automated functional browser tests are an important part of quality assurance for enterprise websites and web applications. Cypress is an industry-standard, open-source library for carrying out automated functional browser tests. This module provides a collection of conveniences for testing the ApostropheCMS admin UI within Cypress. Explore our documentation to learn how this extension can enhance your project. Once you're ready, obtain a license and install it through Apostrophe Workspaces. For further details or inquiries, feel free to contact us or visit our pricing page.

Adds

• Add dateFields support for apos:dbUpdate and apos:dbFind tasks to restore BSON date types lost during Cypress JSON serialization.
• Add getRecentlyEditedModal and openRecentlyEditedModal commands.

Free Modules

@apostrophecms/apostrophe-astro 1.10.0

This module integrates ApostropheCMS into your Astro application.

Adds

• The writeAttachments step now supports per-entry base URL resolution, correctly downloading and writing pretty URL files to the appropriate output directory (e.g. dist/files/). A new attachmentFilter option ('all' or 'prettyOnly') lets you skip regular uploadfs attachments when those are served by a CDN while still including backend-served pretty URL files in the static output. Configurable via the staticBuild.attachmentFilter integration option or the APOS_ATTACHMENT_FILTER environment variable.

Changes

• Refactor after core changes done to the internal layout data.

@apostrophecms/import-export 3.5.2

This module enables import and export of pages and pieces, with or without related documents such as files, images, and other related types.

Changes

• Adds support for a "Imported" action filter in the Recently Edited manager.

@apostrophecms/seo 1.4.1

Comprehensive SEO module providing meta field management and Schema.org structured data generation (JSON-LD) for all pages and pieces.

Security

• Fix an XSS vulnerability allowing arbitrary markup to be inserted via the "SEO Title" or "Meta Description" fields. The fix requires upgrading BOTH @apostrophecms/seo and apostrophe. Thanks to K Shanmukha Srinivasulu Royal for reporting the vulnerability.

@apostrophecms/sitemap 1.3.0

The Apostrophe Sitemap module generates XML sitemaps for websites powered by ApostropheCMS.

Adds

• Added x-default hreflang tag to sitemap entries for improved international SEO targeting.

Security

• Fix an XSS vulnerability allowing arbitrary markup to be inserted via the "SEO Title" or "Meta Description" fields provided by the @apostrophecms/seo module. The fix requires upgrading BOTH apostrophe and @apostrophecms/seo. A new mechanism for safely emitting JSON nodes has been introduced to make this type of vulnerability unlikely in the future. Thanks to K Shanmukha Srinivasulu Royal for reporting the vulnerability.

Utilities

sanitize-html 2.17.3

This module provides a simple HTML sanitizer with a clear API.

Security

• Fix vulnerability introduced in version 2.17.2 that allowed XSS attacks if the developer chose to permit option tags. There was no vulnerability when not explicitly allowing option tags.