This week we’re holding our quarterly team meetings, so we’ll jump right to the new releases. We promise more 3.0 news in the next update.
As a reminder, you can install all of these modules into your project with npm install. For new releases of those already in your project type
- Security: added support for limiting failed login attempts on the same account in a given time period. Thanks to Michelin for making this work and many of the following items possible via Apostrophe Enterprise Support.
- Security: apostrophe-login now emits a before event before the login attempt, which can be used to examine or cancel it.
- Security: those using our Google Authenticator support may now apply it only to users in certain groups, to make things easier for users with fewer privileges on the site.
- Schemas: you may now set a regular expression to validate any string schema field.
- NEW! Module to help developers build user guides for their Apostrophe sites.
- NEW! A module that extends Apostrophe Forms with a text field that validates with a regular expression of the editor’s choice, while still preventing DoS (denial of service) attacks. If you don’t already use the apostrophe-forms module to add user-facing forms to your website, this is a good time to start. Thanks to Michelin for making this work and many other items in this list possible via Apostrophe Enterprise Support.
- NEW! Optional module to require users to complete a CAPTCHA (prove they are human) before logging in.
apostrophe-multisite 2.7.0, 2.8.0:
- Support for redirecting an entire site somewhere else. Useful when a site is retired or has old domain names that should point to it.
- Support for canonical redirects. Handy to ensure only the preferred domain name is seen after launch of a site, rather than a mix of www.example.com and example.com.
--verbose option; runs quietly if not passed.
This is a beta release. Please check it out and give us feedback to help us move forward.
- Moves the index.js file to the project root and removes all build steps within the package. Going forward, it is up to the developer to include sanitize-html in their project builds as needed, for instance using webpack. This removes major points of conflict with project code and frees this module to not worry about myriad build-related questions.
- Replaces lodash with utility packages: klona, is-plain-object, deepmerge, escape-string-regexp.
- Makes custom tag transformations less error-prone by escaping frame innerText. Thanks to Mike Samuel for the contribution. Prior to this patch, tag transformations which turned an attribute value into a text node could be vulnerable to code execution.
- Updates code to use modern features including const/let variable assignment.
- ESLint clean up.
- Updates is-plain-object to the 4.x major version.
- Updates srcset to the 3.x major version.
Thanks to Bogdan Chadkin for contributions to this major version update.
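The tag transformation fix noted above is easier to see in a small model. This is an added example, not code from sanitize-html: the function names are hypothetical, and the `{ tagName, attribs, text }` frame shape is modelled on what a sanitize-html transform function returns.

```javascript
// Added illustration, not sanitize-html source. All function names are hypothetical.
const ENTITIES = { '&lt;': '<', '&gt;': '>', '&quot;': '"', '&amp;': '&' };
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
const decode = (s) => s.replace(/&(lt|gt|quot|amp);/g, (m) => ENTITIES[m]);
const escapeHtml = (s) => s.replace(/[&<>"]/g, (c) => ESCAPES[c]);

// Parse one opening tag into its name and entity-decoded attribute values,
// which is the form in which a transformation function receives them.
function parseOpenTag(tag) {
  const name = /^<([a-z][a-z0-9]*)/i.exec(tag)[1].toLowerCase();
  const attribs = {};
  for (const [, key, value] of tag.matchAll(/([a-z-]+)="([^"]*)"/gi)) {
    attribs[key.toLowerCase()] = decode(value);
  }
  return { name, attribs };
}

// Transformation of the kind the changelog describes: the title attribute
// value becomes the text node of the replacement element.
function titleToText(tagName, attribs) {
  return { tagName: 'span', attribs: {}, text: attribs.title || '' };
}

// Serialize the transformed frame. escapeText=false models the behaviour
// before the patch; escapeText=true models the patched behaviour.
function transformAndSerialize(tag, transform, escapeText) {
  const { name, attribs } = parseOpenTag(tag);
  const frame = transform(name, attribs);
  const attrs = Object.entries(frame.attribs)
    .map(([k, v]) => ` ${k}="${escapeHtml(v)}"`).join('');
  const text = escapeText ? escapeHtml(frame.text) : frame.text;
  return `<${frame.tagName}${attrs}>${text}</${frame.tagName}>`;
}

// Constructed input: the markup in the attribute is entity-encoded, so it is
// inert in the source document.
const SAMPLE = '<a title="&lt;u&gt;injected&lt;/u&gt;">';
const prePatch = transformAndSerialize(SAMPLE, titleToText, false);
const patched = transformAndSerialize(SAMPLE, titleToText, true);
console.log(prePatch); // decoded attribute value is emitted as live markup
console.log(patched);  // the same value stays text
```

The attribute value is harmless while it sits inside the attribute; it only becomes markup once it is decoded, moved into a text node, and written out without re-escaping.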
Meanwhile maintenance releases of sanitize-html 1.x continue.
- Replaces srcset with parse-srcset. Thanks to Massimiliano Mirra for the contribution.
- Fixes CHANGELOG links. Thanks to Alex Mayer for the contribution.
- Adds a warning enforcing a single space inside of array brackets, which has always been our convention. This changed upstream, so we had to be more explicit.