Bi-Weekly Release: login security options and other improvements

This week we’re holding our quarterly team meetings, so we’ll jump right to the new releases. We promise more 3.0 news in the next update.

New Releases

As a reminder, you can install all of these modules into your project with npm install. For new releases of those already in your project type npm update.

apostrophe 2.111.0:

  • Security: added support for limiting failed login attempts on the same account in a given time period. Thanks to Michelin for making this work and many of the following items possible via Apostrophe Enterprise Support.
  • Security: apostrophe-login now emits a before event before the login attempt, which can be used to examine or cancel it.
  • Security: those using our Google Authenticator support may now apply it only to users in certain groups, to make things easier for users with fewer privileges on the site.
  • Schemas: you may now set a regular expression to validate any string schema field.

apostrophe-guides 1.0.0:

  • NEW! Module to help developers build user guides for their Apostrophe sites.

apostrophe-forms-regexp-text-field-widgets 1.0.0:

  • NEW! A module that extends Apostrophe Forms with a text field that validates with a regular expression of the editor’s choice, while still preventing DOS (Denial Of Service) attacks. If you don’t already use the apostrophe-forms module to add user-facing forms to your website, this is a good time to start. Thanks to Michelin for making this work and many other items in this list possible via Apostrophe Enterprise Support.

apostrophe-login-recaptcha 1.1.0:

  • NEW! Optional module to require users to complete a CAPTCHA (prove they are human) before logging in.

apostrophe-multisite 2.7.0, 2.8.0:

  • Support for redirecting an entire site somewhere else. Useful when a site is retired or has old domain names that should point to it.
  • Support for canonical redirects. Handy to ensure only the preferred domain name is seen after launch of a site, rather than a mix of and

apostrophe-i18n-static 1.1.0:

  • --verbose option; runs quietly if not passed.

sanitize-html 2.0.0-beta:

This is a beta release, please check it out and give us feedback to help move forward.

  • Moves the index.js file to the project root and removes all build steps within the package. Going forward, it is up to the developer to include sanitize-html in their project builds as needed, for instance using webpack. This removes major points of conflict with project code and frees this module to not worry about myriad build-related questions.
  • Replaces lodash with utility packages: klona, is-plain-object, deepmerge, escape-string-regexp.
  • Makes custom tag transformations less error-prone by escaping frame innerText. Thanks to Mike Samuel for the contribution.
    Prior to this patch, tag transformations which turned an attribute
    value into a text node could be vulnerable to code execution.
  • Updates code to use modern features including const/let variable assignment.
  • ESLint clean up.
  • Updates is-plain-object to the 4.x major version.
  • Updates srcset to the 3.x major version.

Thanks to Bogdan Chadkin for contributions to this major version update.

sanitize-html 1.27.2:

Meanwhile maintenance releases of sanitize-html 1.x continue.

  • Replaces srcset with parse-srcset. Thanks to Massimiliano Mirra for the contribution.
  • Fixes CHANGELOG links. Thanks to Alex Mayer for the contribution.

eslint-config-apostrophe 3.3.0:

  • Adds a warning enforcing a single space inside of array brackets, which has always been our convention. This changed upstream, so we had to be more explicit.
1 Like