Bump craftcms/cms from 4.16.16 to 4.17.0 #29

Open
dependabot[bot] wants to merge 1 commit into develop from dependabot/composer/craftcms/cms-4.17.0

dependabot bot commented on behalf of github on Feb 9, 2026

Bumps craftcms/cms from 4.16.16 to 4.17.0.

Release notes

Sourced from craftcms/cms's releases.

4.17.0

Administration

  • Added the “Change the author of other users’ entries” permission for channel and structure sections. (#18298)
  • Added the “View user” GraphQL schema option for Craft Solo. (#17863)
  • Composer package constraints in composer.json are now set with caret operators (e.g. ^1.2.3). (#18297)
  • The clear-cache command now accepts a space-delimited list of cache IDs that should be cleared.
  • The up command now warns about any astray license issues before running migrations. (#18297)
  • Compiled templates are now deleted by the up command rather than from migrate commands.
  • Added the enableTwigSandbox config setting. (#18208, #18216)
  • The disableGraphqlTransformDirective config setting is now deprecated.

Development

  • Added support for referencing environment variables anywhere within settings that support them (e.g. foo/$ENV_NAME/bar or foo-${ENV_NAME}-bar). (#17949)
  • It’s no longer possible to instantiate objects that don’t extend yii\base\BaseObject via the create() Twig function. (GHSA-94rc-cqvm-m4pw)
  • Added the uuid() Twig function.
  • The @parseRefs and @transform GraphQL directives are now optional for each GraphQL schema. (GHSA-7x43-mpfg-r9wj)

Extensibility

  • Added craft\base\ElementInterface::setAttributesFromRequest().
  • Added craft\services\Search::deleteOrphanedIndexJobs().
  • Added craft\web\GqlResponseFormatter.
  • Added craft\web\Response::FORMAT_GQL.
  • Added craft\web\View::renderSandboxedObjectTemplate().
  • Added craft\web\View::renderSandboxedString().
  • Added craft\web\View::renderSandboxedTemplate().
  • Added craft\web\twig\AllowedInSandbox. (#18219)
  • Added craft\web\twig\SecurityPolicy.
  • Added craft\web\twig\nodes\BaseNode.
  • craft\helpers\FileHelper::writeToFile() now throws an exception if the file path isn’t writable, or there isn’t sufficient free space on the disk. (#17762)
  • craft\helpers\UrlHelper now encodes square brackets in generated URLs. (#17840)
  • craft\web\Request::accepts() now accepts wildcard characters (*) in the $contentType argument, to check for a range of MIME types (e.g. application/*+json).
  • craft\web\Request::getAcceptsJson() now returns true for requests with Content-Type headers that match application/*+json, in addition to application/json.
  • The _includes/forms/radio.twig template now escapes the label variable. A raw HTML label can be passed by wrapping the label value in raw() or craft\helpers\Template::raw().
  • Craft.ui.createCheckbox() now escapes the config.label property. A raw HTML label can be passed via the config.labelHtml property.
  • Craft.ui.createSelect() now escapes options’ label properties. Raw HTML labels can be passed via labelHtml properties.

System

  • GraphQL API responses now set their Content-Type header to application/graphql-response+json.
  • GraphQL API responses now set cache headers based on whether a mutation was performed, regardless of the request type.
  • Global set queries no longer register cache tags.
  • A rate limit is now enforced for users/send-password-reset-email requests. (#17337)
  • Updated Yii to 2.0.54.
  • Updated Twig to 3.19. (#17603)
  • Fixed a bug where Table fields with the “Static Rows” setting enabled would lose track of which values belonged to which row headings, if the “Default Values” table was reordered. (#17090)
  • Fixed a bug where deadlocks could occur when updating elements’ search indexes. (#18139)
  • Fixed a bug where element index pages weren’t retaining their search query param if present on the initial request.
  • Fixed a bug where element search query caches weren’t getting invalidated when elements’ search keywords were indexed. (#18275)
  • Fixed low-severity XSS vulnerabilities. (GHSA-4mgv-366x-qxvx)
  • Fixed a moderate-severity RCE vulnerability. (GHSA-v47q-jxvr-p68x)
  • Fixed moderate-severity permission escalation vulnerabilities. (GHSA-2xfc-g69j-x2mp, GHSA-jxm3-pmm2-9gf6)

... (truncated)

Changelog

Sourced from craftcms/cms's changelog.

4.17.0 - 2026-01-27

Administration

  • Added the “Change the author of other users’ entries” permission for channel and structure sections. (#18298)
  • Added the “View user” GraphQL schema option for Craft Solo. (#17863)
  • Composer package constraints in composer.json are now set with caret operators (e.g. ^1.2.3). (#18297)
  • The clear-cache command now accepts a space-delimited list of cache IDs that should be cleared.
  • The up command now warns about any astray license issues before running migrations. (#18297)
  • Compiled templates are now deleted by the up command rather than from migrate commands.
  • Added the enableTwigSandbox config setting. (#18208, #18216)
  • The disableGraphqlTransformDirective config setting is now deprecated.

Development

  • Added support for referencing environment variables anywhere within settings that support them (e.g. foo/$ENV_NAME/bar or foo-${ENV_NAME}-bar). (#17949)
  • It’s no longer possible to instantiate objects that don’t extend yii\base\BaseObject via the create() Twig function. (GHSA-94rc-cqvm-m4pw)
  • Added the uuid() Twig function.
  • The @parseRefs and @transform GraphQL directives are now optional for each GraphQL schema. (GHSA-7x43-mpfg-r9wj)

Extensibility

  • Added craft\base\ElementInterface::setAttributesFromRequest().
  • Added craft\services\Search::deleteOrphanedIndexJobs().
  • Added craft\web\GqlResponseFormatter.
  • Added craft\web\Response::FORMAT_GQL.
  • Added craft\web\View::renderSandboxedObjectTemplate().
  • Added craft\web\View::renderSandboxedString().
  • Added craft\web\View::renderSandboxedTemplate().
  • Added craft\web\twig\AllowedInSandbox. (#18219)
  • Added craft\web\twig\SecurityPolicy.
  • Added craft\web\twig\nodes\BaseNode.
  • craft\helpers\FileHelper::writeToFile() now throws an exception if the file path isn’t writable, or there isn’t sufficient free space on the disk. (#17762)
  • craft\helpers\UrlHelper now encodes square brackets in generated URLs. (#17840)
  • craft\web\Request::accepts() now accepts wildcard characters (*) in the $contentType argument, to check for a range of MIME types (e.g. application/*+json).
  • craft\web\Request::getAcceptsJson() now returns true for requests with Content-Type headers that match application/*+json, in addition to application/json.
  • The _includes/forms/radio.twig template now escapes the label variable. A raw HTML label can be passed by wrapping the label value in raw() or craft\helpers\Template::raw().
  • Craft.ui.createCheckbox() now escapes the config.label property. A raw HTML label can be passed via the config.labelHtml property.
  • Craft.ui.createSelect() now escapes options’ label properties. Raw HTML labels can be passed via labelHtml properties.

System

  • GraphQL API responses now set their Content-Type header to application/graphql-response+json.
  • GraphQL API responses now set cache headers based on whether a mutation was performed, regardless of the request type.
  • Global set queries no longer register cache tags.
  • A rate limit is now enforced for users/send-password-reset-email requests. (#17337)
  • Updated Yii to 2.0.54.
  • Updated Twig to 3.19. (#17603)
  • Fixed a bug where Table fields with the “Static Rows” setting enabled would lose track of which values belonged to which row headings, if the “Default Values” table was reordered. (#17090)
  • Fixed a bug where deadlocks could occur when updating elements’ search indexes. (#18139)
  • Fixed a bug where element index pages weren’t retaining their search query param if present on the initial request.
  • Fixed a bug where element search query caches weren’t getting invalidated when elements’ search keywords were indexed. (#18275)
  • Fixed low-severity XSS vulnerabilities. (GHSA-4mgv-366x-qxvx)
  • Fixed a moderate-severity RCE vulnerability. (GHSA-v47q-jxvr-p68x)

... (truncated)

Commits
  • 1c169ab Finish 4.17.0
  • 5c2d58b Merge pull request #18304 from craftcms/t9n/4.x
  • a5e773c New translations app.php (French, Canada)
  • 758f4ed Merge pull request #18301 from craftcms/t9n/4.x
  • 51d587c New translations app.php (German, Switzerland)
  • 30fe72e New translations app.php (Swedish)
  • 009d072 New translations app.php (Persian)
  • dbc0e3f New translations app.php (Arabic)
  • 23edb43 New translations app.php (French)
  • 2522306 New translations app.php (Norwegian Bokmal)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [craftcms/cms](https://github.com/craftcms/cms) from 4.16.16 to 4.17.0.
- [Release notes](https://github.com/craftcms/cms/releases)
- [Changelog](https://github.com/craftcms/cms/blob/4.17.0/CHANGELOG.md)
- [Commits](craftcms/cms@4.16.16...4.17.0)

---
updated-dependencies:
- dependency-name: craftcms/cms
  dependency-version: 4.17.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot added the dependencies and php labels on Feb 9, 2026