Release Notes

What's new

• Frontend Elevated Sessions #14424 by @duncanmcclean
• Frontend Two-Factor Authentication #14525 by @duncanmcclean
• Add config for disabling Elevated Sessions #14464 by @1stevengrant

What's fixed

• Better Collaboration Avatars #14511 by @jackmcdade
• Fix addon settings blueprint cache collision with field settings blueprint #14509 by @duncanmcclean
• Show dashed border in assets fieldtype when field is read-only #14507 by @duncanmcclean
• Fix duplicate slugs allowed with depth-conditional routes #14508 by @duncanmcclean
• Combobox 2.0 #13843 by @duncanmcclean
• Persist active tab in URL hash on globals publish form #14515 by @duncanmcclean
• Always display time zone in DatePicker #14518 by @jasonvarga
• Fix blank page when visiting CP routes with invalid items #14517 by @jasonvarga
• Improve rate limiting #14475 by @ryanmitchell
• Hide default Statamic logo on frontend auth pages #14522 by @jasonvarga
• Update currencies dictionary #14520 by @tdrayson
• Allow extending asset preset generation command #14521 by @daun
• Fix NavBuilder crash when nav item has an unresolved children Closure #14523 by @v-Woody
• Fix Eloquent user merge setting roles and groups as model attributes #14526 by @duncanmcclean
• Fix /!/nocache and /!/csrf CSRF exemption on Laravel 13 #14533 by @ynamite
• Improve Link fieldtype in listings #14535 by @duncanmcclean
• Fix TypeError when asset last_modified meta is null #14530 by @v-Woody
• Fix Live Preview iframe becoming unscrollable after resizing in Chromium #14542 by @duncanmcclean
• Fix CP auth error when using multiple user providers #14543 by @andjsch
• Fix blank term edit screen and JS error for restricted users #14537 by @joshuablum
• Fix durationForHumans deprecation warning and rounding #14541 by @duncanmcclean
• Fix elevated session redirect for POST endpoints #14544 by @jasonvarga
• Always show success when using forgot password form #14539 by @jasonvarga
• Publish container tweaks #14548 by @jasonvarga
• Fix updateChildPageUris empty check never short-circuiting #14547 by @duncanmcclean
• French translations #14514 by @ebeauchamps

What's new

• Fieldset sections #14297 by @jackmcdade
• Collaboration support #13974 by @joshuablum

What's fixed

• Use he-tree i18n prop for tree aria instructions #14499 by @jasonvarga
• Rename Add Block back to Add Set in replicators #14503 by @joshuablum
• Resolve Cascade content closure before checking content #14502 by @marcorieser
• Fix nocache database driver failing on MySQL with invalid UTF-8 #14505 by @jasonvarga
• Fix bard undos #14506 by @jackmcdade
• Fix collection listing search case insensitivity #14486 by @joshuablum
• Bump follow-redirects from 1.15.11 to 1.16.0 #14498 by @dependabot
• Bump dompurify from 3.3.3 to 3.4.0 #14500 by @dependabot

What's new

• Frontend Passkeys #14453 by @duncanmcclean
• Allow control over who can be impersonated in UserPolicy #14469 by @ryanmitchell

What's fixed

• Fix Bard arrow keys/undo #14467 by @jackmcdade
• Fix visible he-tree accessibility text in tree view #14465 by @duncanmcclean
• Append to Bard Entry links #11468 by @edalzell
• Disable broadcast provider when broadcasting driver is null #14471 by @jasonvarga
• Make the collapsible section icon smaller to fit in with the rest of UI #14478 by @jaygeorge
• Add .npmrc file #14477 by @duncanmcclean
• Fix SVG sanitization tests #14483 by @duncanmcclean
• Use cursor: pointer when selecting from asset grid #14487 by @joshuablum
• Remove negative assertions from TestCase #14458 by @duncanmcclean
• Harden OrderBys #14474 by @duncanmcclean
• Harden query value resolution #14476 by @duncanmcclean
• French translations #14479 by @ebeauchamps
• Bump axios from 1.14.0 to 1.15.0 #14473 by @dependabot

What's new

• Add support for filtering conditions in Assets Tag #13936 by @jackmcdade

What's fixed

• Add padding around 2FA QR code for dark mode scanning #14460 by @duncanmcclean
• Fix form submissions with non-UTF-8 data crashing the CP listing #14461 by @duncanmcclean
• Remove deprecated function calls #14457 by @justindantzer
• Upgrade to Vite 8 #14459 by @jasonvarga
• Nested fields should respect read-only state #14351 by @duncanmcclean

What's new

• Add support for public properties to PathDataManager #11697 by @marcorieser
• Add ability to filter submission exports #14432 by @jasonvarga
• Add elevated session guards to AssignGroups and AssignRoles actions #14450 by @jasonvarga

What's fixed

• Fix Stache index re-entrancy causing null URIs on cold stache #14181 by @o1y
• Fix form submission types #14430 by @daun
• Support decimal values in Range fieldtype #13096 by @hastinbe
• Add link tag to allowed Antlers tags #14438 by @edalzell
• Add @default support to Antlers content allowlists #14440 by @jasonvarga
• Centralize SVG sanitization and sanitize CSS in style tags #14442 by @jasonvarga
• Fix serializable_classes issues #14443 by @jasonvarga
• Fix addon settings always showing as migratable #14444 by @duncanmcclean
• Fix creating passkeys with JSON session serialization #14448 by @duncanmcclean
• Stop auto-logging in users after password reset #14454 by @jasonvarga
• Fix sync/desync on localizable nested fields #14335 by @duncanmcclean
• French translations #14431 by @ebeauchamps
• Bump defu from 6.1.4 to 6.1.6 #14434 by @dependabot
• Bump vite from 7.1.12 to 7.3.2 #14441 by @dependabot

What's new

• Default values can be computed #14279 by @edalzell
• Ability to add to the filename replacements list #14316 by @edalzell

What's fixed

• Harden OrderBys #14421 by @jasonvarga
• Serialize nocache regions before storing in cache #14422 by @jasonvarga
• Fix invalid HTML lang attribute #14427 by @duncanmcclean
• Add serializable classes to allowlist #14416 by @duncanmcclean
• Filter invalid UTF-8 locales from dictionary #14426 by @duncanmcclean
• Fallback to option key in listings when label is missing #14429 by @duncanmcclean
• Ensure moved/removed entries are statically invalidated #14386 by @ryanmitchell
• Catch axios errors in blueprint builder #14428 by @duncanmcclean
• Improve error handling when requiring starter kits #14411 by @duncanmcclean
• Ensure empty addon settings get default blueprint values #14384 by @ryanmitchell
• Bump lodash-es from 4.17.23 to 4.18.1 #14425 by @dependabot

What's new

• Add a Text component #14247 by @jaygeorge
• Emit asset.saved event from asset editor #14392 by @duncanmcclean

What's fixed

• Fix collection whereStatus logic #14380 by @jackmcdade
• Implement whereStatus() on search query builder #14387 by @ryanmitchell
• Blueprint button order changes #14365 by @jaygeorge
• Fix address bar overlapping bottom of content (typically on iOS) #14399 by @jaygeorge
• Fix nested Bard toolbar focus issues #14396 by @jaygeorge
• Fix nav section border radius #14409 by @jaygeorge
• Fix conditional field borders #14407 by @thomasvantuycom
• Fix collection listing dates from wrapping #14415 by @jaygeorge
• Fix Parameters make method #14418 by @jasonvarga
• Prevent npm packages from executing malicious code via postinstall #14417 by @duncanmcclean
• French translations #14393 by @ebeauchamps
• Bump brace-expansion from 2.0.2 to 2.0.3 #14383 by @dependabot

What's new

• GraphQL API Authentication #14292 by @duncanmcclean
• Ability to disable two-factor authentication #14263 by @duncanmcclean
• Ability to select the date formatting locale #14372 by @jasonvarga
• Number formatter #14373 by @jasonvarga

What's fixed

• Omit application name and URL from support:details #14359 by @jasonvarga
• Fix CP Nav active state when trailing slashes are enforced #14363 by @duncanmcclean
• Only change date for localizations with an explicit date set #14362 by @duncanmcclean
• Bring back responsive button groups #13336 by @daun
• Merge external class attrs through twMerge in UI components #14379 by @jasonvarga
• Reduce amount of data provided in Assets fieldtype meta #14366 by @duncanmcclean
• Filters can only be removed by clicking cross #14220 by @jaygeorge
• Bump reka-ui #14368 by @jasonvarga
• Bump picomatch from 2.3.1 to 2.3.2 #14360 by @dependabot

What's fixed

• Fix header z-index when creating a new nav #14337 by @jaygeorge
• Remove fixed height from SVGs in UI labels to prevent flickering #14338 by @jaygeorge
• Correct the Bard full-screen width #14348 by @jaygeorge
• Fix duplicate translation for "Edit Fieldset" #14349 by @duncanmcclean
• Delete unused moment translations #14354 by @duncanmcclean
• Revert "Fix translator locale" #14358 by @jasonvarga
• French translations #14339 by @ebeauchamps
• German translations #14352 by @helloDanuk

What's fixed

• DatePicker dates can't be strings #14295 by @edalzell
• Fix updated widget badge alignment #14303 by @jackmcdade
• Fix PHP sanitization edge cases #14300 by @duncanmcclean
• Fix Replicator Drag & Drop when multiple fields share the same handle #14310 by @duncanmcclean
• Fix live preview token scope #14304 by @jasonvarga
• Handle more cases in external url detection #14315 by @jasonvarga
• Allow external redirects from Form::getSubmissionRedirect #14318 by @jasonvarga
• Fix closure validation rules with Files fieldtype #14319 by @duncanmcclean
• Relationship fieldtype authorization tweaks #14307 by @duncanmcclean
• Add CSP header to svg route #14325 by @jasonvarga
• Add authorization to revision routes #14301 by @duncanmcclean
• Restrict markdown preview endpoint #14326 by @jasonvarga
• Sanitize password reset form redirect value #14327 by @jasonvarga
• Fix config through Antlers views #14328 by @jasonvarga
• Long dropdowns should be scrollable #14333 by @duncanmcclean
• Fix set picker position #14332 by @duncanmcclean
• Fix various timezone issues #14322 by @duncanmcclean
• Fix translator locale #14323 by @jasonvarga
• Fix 2FA setup modal not re-opening #14309 by @duncanmcclean
• Fix logo z-index in Outside.vue #14299 by @SteveEdson
• Fix translator error with Symfony Console 8 #14330 by @duncanmcclean
• Don't autofocus on non-root fields with "title" or "alt" name #14329 by @hivokas

What's fixed

• Hide "Duplicate Set" when max sets limit has been reached #14275 by @duncanmcclean
• Fix missing top border in read-only Assets fields #14277 by @duncanmcclean
• Hide set bodies when there are no fields #14282 by @jackmcdade
• Fieldset editing improvements #14283 by @jackmcdade
• Harden URL::isExternalToApplication() #14287 by @duncanmcclean
• Prevent opening set picker when max_sets limit has been reached #14290 by @duncanmcclean
• Harden password reset #14294 by @jasonvarga

What's new

• Add Asset::moveUnique() method #14236 by @lwekuiper

What's fixed

• Sanitize SVGs on reupload #14258 by @duncanmcclean
• Fix error saving preferences when theme translations exist #14266 by @duncanmcclean
• Prevent logging git dependabot errors #14257 by @aerni
• Fix incorrect variable in return doc #14265 by @indykoning
• Fix error on CreateForm component in Storybook #14264 by @duncanmcclean
• Allow using SVGs from vendor/node_modules directories #14261 by @duncanmcclean
• Fix date formats #14256 by @jasonvarga
• Ensure images are refreshed properly after cropping #14260 by @duncanmcclean
• Handle validation rules on Files fieldtype #14262 by @duncanmcclean
• Make stacks smoother #14210 by @jaygeorge
• Fix TimePicker resetting to AM when typing #14259 by @duncanmcclean
• Rename to security #14276 by @jasonvarga
• Prevent path traversal in file dictionary #14272 by @duncanmcclean
• Prevent term creation via fieldtype without permission #14274 by @duncanmcclean

What's fixed

• Alphabetically order listing/publish container context lists & document isDirty() #14245 by @duncanmcclean
• Relationship endpoint authorization #14254 by @jasonvarga
• Replicator fieldtype endpoint hardening #14255 by @jasonvarga
• Show "Drop to Upload" on top when dragging file onto Asset field #14250 by @duncanmcclean
• Avoid globe cursor when dragging & dropping Bard sets #14248 by @duncanmcclean

What's fixed

• Fix color mode preference values #14242 by @jasonvarga
• Add outside class to outside layout #14240 by @duncanmcclean
• Only remove Bard set when backspace key is hit #14189 by @duncanmcclean
• Removed a comment from the js code output of the StaticCacher #14233 by @micahhenshaw
• French translations #14243 by @ebeauchamps

What's fixed

• Add "Content Search" string to translator's $additionalStrings array #14226 by @duncanmcclean
• Make image manipulation presets more readable #14230 by @jaygeorge
• Fix undefined variable in Bard fieldtype #14238 by @duncanmcclean
• French translations #14232 by @ebeauchamps
• Bump tar from 7.5.10 to 7.5.11 #14231 by @dependabot