Bi-Weekly Release:

This week we’re holding our quarterly team meetings, so we’ll jump right to the new releases. We promise more 3.0 news in the next update.

New Releases

As a reminder, you can install all of these modules into your project with npm install. For new releases of those already in your project, type npm update.

apostrophe 2.111.0:

  • Security: added support for limiting failed login attempts on the same account in a given time period. Thanks to Michelin for making this work and many of the following items possible via Apostrophe Enterprise Support.
  • Security: apostrophe-login now emits a before event before the login attempt, which can be used to examine or cancel it.
  • Security: those using our Google Authenticator support may now apply it only to users in certain groups, to make things easier for users with fewer privileges on the site.
  • Schemas: you may now set a regular expression to validate any string schema field.

apostrophe-guides 1.0.0:

  • NEW! Module to help developers build user guides for their Apostrophe sites.

apostrophe-forms-regexp-text-field-widgets 1.0.0:

  • NEW! A module that extends Apostrophe Forms with a text field that validates with a regular expression of the editor’s choice, while still preventing DoS (Denial of Service) attacks. If you don’t already use the apostrophe-forms module to add user-facing forms to your website, this is a good time to start. Thanks to Michelin for making this work and many other items in this list possible via Apostrophe Enterprise Support.

apostrophe-login-recaptcha 1.1.0:

  • NEW! Optional module to require users to complete a CAPTCHA (prove they are human) before logging in.

apostrophe-multisite 2.7.0, 2.8.0:

  • Support for redirecting an entire site somewhere else. Useful when a site is retired or has old domain names that should point to it.
  • Support for canonical redirects. Handy to ensure only the preferred domain name is seen after launch of a site, rather than a mix of www.example.com and example.com.

apostrophe-i18n-static 1.1.0:

  • --verbose option; runs quietly if not passed.

sanitize-html 2.0.0-beta:

This is a beta release. Please check it out and give us feedback to help us move forward.

  • Moves the index.js file to the project root and removes all build steps within the package. Going forward, it is up to the developer to include sanitize-html in their project builds as needed, for instance using webpack. This removes major points of conflict with project code and frees this module to not worry about myriad build-related questions.
  • Replaces lodash with utility packages: klona, is-plain-object, deepmerge, escape-string-regexp.
  • Makes custom tag transformations less error-prone by escaping frame innerText. Thanks to Mike Samuel for the contribution.
    Prior to this patch, tag transformations which turned an attribute value into a text node could be vulnerable to code execution.
  • Updates code to use modern features including const/let variable assignment.
  • ESLint clean up.
  • Updates is-plain-object to the 4.x major version.
  • Updates srcset to the 3.x major version.

Thanks to Bogdan Chadkin for contributions to this major version update.

sanitize-html 1.27.2:

Meanwhile, maintenance releases of sanitize-html 1.x continue.

  • Replaces srcset with parse-srcset. Thanks to Massimiliano Mirra for the contribution.
  • Fixes CHANGELOG links. Thanks to Alex Mayer for the contribution.

eslint-config-apostrophe 3.3.0:

  • Adds a warning enforcing a single space inside of array brackets, which has always been our convention. This changed upstream, so we had to be more explicit.