Update dependency craftcms/cms to v5 [SECURITY] #54

Open
wants to merge 1 commit into
base: master

renovate[bot]
@renovate renovate bot commented Sep 27, 2024

This PR contains the following updates:

| Package | Change |
| --- | --- |
| craftcms/cms (source) | ^3.4.0 -> ^5.0.0 |

GitHub Vulnerability Alerts

CVE-2022-37250

Craft CMS 4.2.0.1 suffers from Stored Cross Site Scripting (XSS) in /admin/myaccount.

CVE-2022-37248

Craft CMS 4.2.0.1 is vulnerable to Cross Site Scripting (XSS) via src/helpers/Cp.php.

CVE-2022-37251

Craft CMS 3.70-RC1 through 3.7.55.1 and 4.0.0-RC1 through 4.2.0.1 are vulnerable to Cross Site Scripting (XSS) via entry revisions and drafts. Versions 3.7.55.2 and 4.2.1 contain patches for this issue.

CVE-2022-37247

Craft CMS 4.2.0.1 is vulnerable to stored cross-site scripting (XSS) via the /admin/settings/fields page.

CVE-2022-37246

Craft CMS 4.2.0.1 is affected by Cross Site Scripting (XSS) in the file src/web/assets/cp/src/js/BaseElementSelectInput.js, specifically on the line label: elementInfo.label.

CVE-2023-23927

Summary

When you insert a payload inside a label name or instruction of an entry type, an XSS happens in the quick post widget on the admin dashboard.

PoC

2023-01-30.18-43-49.mp4

Impact

Tested with the free version of Craft CMS 4.3.6.1

CVE-2023-36260

An issue discovered in Craft CMS version 4.6.1.1 allows remote attackers to cause a denial of service (DoS) via crafted string to Feed-Me Name and Feed-Me URL fields due to saving a feed using an Asset element type with no volume selected.


Release Notes

craftcms/cms (craftcms/cms)

v5.6.11

  • Added craft\base\conditions\BaseTextConditionRule::isEmpty().
  • Added craft\htmlpurifier\RelAttrLinkTypeDef.
  • The default HTML Purifier config now allows rel attributes to be set to any value. (#​16798)
  • Tightened up relation preview styling in element indexes and cards. (#​16771)
  • Fixed an error that could occur when generating an image transform URL via a console request. (#​16793)
  • Fixed a bug where _includes/forms/button.twig was always adding class="btngroup-btn-first" to the resulting button HTML.
  • Fixed a bug where Assets fields with {slug} in the subpath could create folders named after temporary slugs. (#​16799)
  • Fixed a bug where date and time inputs without values were showing clear buttons. (#​16804)
  • Fixed an error that could occur when executing “Updating element slugs and URIs” queue jobs. (#​16787)
  • Fixed a bug where automatic slug generation wasn’t working after changing entry types. (#​16816)
  • Fixed a bug where “Slug” condition rules weren’t considering temporary slugs to be empty. (#​16817)
  • Fixed a bug where lazy eager-loading was invoked even if the source element was queried alone.
  • Fixed a bug where element selection condition rules weren’t remembering their element ID value if they were created before Craft 5.6.
  • Fixed an error that could occur when saving a Commerce variant. (#​16789)
  • Fixed a bug where two entries could be created simultaneously when creating a new entry via the “New entry” menu on the Entries index page. (#​16487)
  • Fixed an error that could occur if a field was removed from a field layout, if another field had been conditional based on it. (#​16801)
  • Fixed an error that occurred when attempting to save a nested entry via a slideout, which had been duplicated from another entry and wasn’t yet fully saved. (#​16807)
  • Fixed a bug where field values could be lost after switching entry types. (#​16797)
  • Fixed a bug where focus wasn’t returned to the action menu trigger after closing a field layout element’s settings slideout. (#​16824)
  • Fixed styling issues. (#​16791, #​16823)

v5.6.10

  • The Fields/UI Elements toggle and “New field” button are now always visible within field layout designers’ library HUDs.
  • (Really) fixed a bug where field layout designers’ library HUDs weren’t scrollable. (#​16775)
  • Fixed a styling issue. (#​16777)

v5.6.9

  • Fixed a bug where newly-created custom fields wouldn’t have their full settings intact for afterSave().

v5.6.8

  • Added craft\base\Element::ancestors().
  • Added craft\base\Element::descendants().
  • Fixed an error that occurred when deleting a category or Structure section entry if its ancestors were eager-loaded. (#​16722)
  • Fixed a bug where category and entry edit pages didn’t include breadcrumbs for any disabled ancestor elements.
  • Fixed a bug where the “Delete (with descendants)” bulk element action wasn’t deleting disabled descendants.
  • Fixed a bug where asset files could be deleted when modified. (#​16686)
  • Fixed an error that could occur if a Matrix field was saved from a console request. (#​16724)
  • Fixed a bug where the Sort field within element index View menus wasn’t updating after the sort attribute/direction was changed by pressing on a table header.

v5.6.7

  • Fixed a bug where multiple “New file uploaded.” notifications could be shown at once. (#​16688)
  • Fixed an error that could occur during garbage collection if the database user didn’t have permission to disable foreign key constraints. (#​16700)
  • Fixed a bug where datepickers could have scrollbars. (#​16697)
  • Fixed a bug where asset files could be prematurely deleted when moved to a different volume, if an error occurred. (#​16686)
  • Fixed a bug where clearing out a Structure section’s Parent field wasn’t persisting if editing the entry for a newly-added site. (#​16691)
  • Fixed a bug where SVG asset transforms could get two preserveAspectRatio attributes. (#​16709)
  • Fixed a bug where Number fields weren’t handling semi-numeric strings properly. (craftcms/feed-me#1575)
  • Fixed an error that could occur if a field’s input HTML contained <style> tags. (nystudio107/craft-retour#329)
  • Fixed a bug where slideouts weren’t fully initializing/deinitializing their UI for users who preferred reduced motion. (#​16707)
  • Fixed a bug where GraphQL types for entry types were being named using sections’ and fields’ handle overrides. (#​16713)
  • Fixed styling issues. (#​16699, #​16712, #​16721)

v5.6.6

  • Fixed a bug where multi-site elements’ search indexes could be updated twice.
  • Fixed a bug where some nested Matrix entries weren’t getting propagated to newly-added sites of their owners, if any blocks had been modified. (#​16640)
  • Fixed an error that could occur when deleting a draft.
  • Fixed an error that could occur when saving a Structure section entry, if it had an Assets field with a dynamic subpath that referenced level. (#​16661)
  • Fixed a bug where “Fit” image transforms were showing the “Default Focal Point” setting. (#​16665)
  • Fixed a bug where the “Image Position” setting wasn’t saving for “Letterbox” image transforms. (#​16648)
  • Fixed a bug where the up command, the app/migrate action, and the Project Config utility weren’t aware of pending project config changes if a database backup was restored but caches weren’t cleared. (#​16668)
  • Fixed a bug where condition rules weren’t always getting created with their condition set. (#​16676)
  • Fixed an error that occurred when opening the filter HUD within the element selection modal for a relational field, if the user didn’t have permission to view the selected source outside of the field. (#​16678)
  • Fixed a bug where Number fields weren’t getting sorted properly in PostgreSQL. (#​15828)
  • Fixed a bug where Matrix fields’ “Default View Mode” settings included a “Display in a structured table” option. (#​16631)
  • Fixed a bug where user addresses weren’t getting restored when soft-deleted users were restored. (#​16636)
  • Fixed a bug where pressing the “New entry” button multiple times quickly would create multiple nested entries, circumventing the “Max Entries” settings. (#​16642)
  • Fixed a bug where Link fields without values were always getting marked as dirty when making another change to the element. (#​16649)
  • Fixed an error that could occur when programmatically duplicating a nested element for a new site. (#​16659)
  • Fixed a bug where Link fields’ “URL Suffix” and “Target” advanced fields were getting enabled even if they had been disabled in Craft 5.5. (#​16663)
  • Fixed an error that occurred when executing the users/remove-2fa command.
  • Fixed a potential phishing attack vector.
  • Fixed styling issues. (#​16683, #​16684)

v5.6.5

  • Fixed an error that could occur when saving elements with nested elements on multi-site installs. (#​16609)

v5.6.4

  • Fixed an error that occurred when accessing the edit/<elementId> route for a draft that no longer existed.
  • Fixed a bug where Matrix fields set to inline-editable blocks view were showing drafts of nested entries.
  • Fixed a bug where element card attributes weren’t saving for field layouts that didn’t have any tabs. (#​16589)
  • Fixed an error that occurred when attempting to move entries to a new section, if they didn’t exist in the primary site. (#​16421)
  • Fixed a bug where Link fields weren’t responsive for newly-created nested entries. (#​16592)
  • Fixed an error that could occur when executing the utils/prune-orphaned-entries command. (#​16598)

v5.6.3

  • Fixed a bug where craft\db\QueryBatcher::getSlice() wasn’t using the database connection passed to the class constructor. (#​16579)
  • Fixed an error that could occur when eager-loading nested elements’ owners, if any of the queried elements didn’t have an owner ID. (#​16570, #​16572, #​16576)
  • Fixed a bug where collapsed elements within element indexes in structure view weren’t showing their expand/collapse toggles.
  • Fixed a bug where Color fields weren’t getting fully instantiated within slideouts, Live Preview, and after copying the field value from another site. (#​16571)
  • Fixed a bug where buttons weren’t getting focus rings.
  • Fixed a bug where light text didn’t meet minimum contrast requirements.
  • Fixed an error that could occur when attempting to edit a recursively-nested entry. (#​16566)
  • Fixed a bug where custom options set to Checkboxes and Radio Buttons fields weren’t showing up in field previews. (#​16575)

v5.6.2

  • The Login page now displays the Login Page Logo above the login form, rather than within the header. (#​16564)
  • The field layout element library HUD is no longer closed automatically when an element is selected. (#​16521)
  • The “Settings” global nav item now has an alternate icon when allowAdminChanges is disabled, indicating that settings are read-only. (#​16563)
  • Added craft\web\User::getDefaultReturnUrl().
  • Fixed a bug where Entries fields’ entry select modals could show expand/collapse toggles for Structure sections, for elements that didn’t have any selectable descendants. (#​16506)
  • Fixed a bug where changes to custom fields within nested Matrix entries weren’t getting merged into existing drafts for the same owner element. (#​16519)
  • Fixed a bug where native fields (e.g. Title) were showing changed statuses when viewing revisions, if they had been updated since the time the revision was created.
  • Fixed a bug where eager-loading element queries could create an excessive amount of cache invalidation tags.
  • Fixed a bug where it was possible to enable elements for new sites with validation errors. (#​16505)
  • Fixed a bug where ʻokina characters weren’t being removed in auto-generated slugs. (#​16548)
  • Added a cp.login.alternative-login-methods hook to the system login template.
  • Fixed a bug where Color fields’ custom color inputs were including presets based on the color palette.
  • Fixed a bug where nested Matrix entries weren’t getting assigned a post date if they were created while saving the owner element with a custom validation scenario. (#​16504)
  • Fixed a bug where plugin settings pages weren’t displaying a read-only notice and had Save buttons, when allowAdminChanges was false. (#​16509)
  • Fixed a bug where eager-loading elements on nested entries resulted in a large number of database queries.
  • Fixed a bug where field action menus were showing on fields that didn’t have a label or visible field handle. (#​16510)
  • Fixed a styling issue. (#​16515)
  • Fixed a bug where the login modal could be displayed too short for its contents.
  • Fixed a bug where SSO logins would redirect to the front end by default.
  • Fixed a bug where SSO users were able to “reset” their passwords.
  • Fixed a JavaScript error that occurred if there was a problem sending a password-reset email.
  • Fixed an error that could occur when working with an entry whose type is no longer allowed by its section/field. (#​16539)
  • Fixed a bug where tooltips were displaying behind slideouts. (#​16529)
  • Fixed a bug where field translation indicators and action menu buttons could be autofocussed when creating a new entry within a Matrix field, or opening an element editor slideout. (#​16528)
  • Fixed a bug where field values copied from another site weren’t always saving. (#​16537)
  • Fixed errors that could occur on Ajax requests when deleting an inline-editable Matrix block. (#​16540)
  • Fixed compatibility with the Google Authenticator app for TOTP-based authentication. (#​16466, #​16552)
  • Fixed a bug where the Updates utility wasn’t showing the “Update all” button if multiple updates were available. (#​16565)
  • Fixed a bug where craft\services\Sso::findUser() wasn't accounting for soft-deleted users. (#​16491)
  • Fixed a bug where Color fields weren’t getting fully instantiated when present on a newly-created nested entry within a Matrix field. (#​16554)
  • Fixed a bug where content footers could bleed out of their containers on smaller screens. (#​16557)
  • Fixed a bug where email settings weren’t validating if any System Email Address or Reply-To Address site override settings were set to environment variables. (#​16559)
  • Fixed a bug where tooltips could be closed immediately. (#​16530)

v5.6.1

v5.6.0

  • Fixed an error that occurred when creating a new Structure section. (#​16476)

v5.5.10

  • Fixed a bug where the control panel could display a notice about the Craft CMS license belonging to a different domain, even when accessing the control panel from the correct domain. (#​16396)
  • Fixed a bug where Unicode special characters weren’t getting stripped out of search keywords. (#​16430)
  • Fixed an error that could occur when setting relatedTo* GraphQL arguments to null. (#​16431)
  • Fixed a bug where field layout elements’ action menus could have an empty action group.
  • Fixed a bug where Single section entries could be duplicated after running the entry-types/merge command. (#​16394)
  • Fixed a styling bug with the system message modal. (#​16410)
  • Fixed a bug where relational fields could eager-load elements from a different instance of the same field, if one of the instances had no relations. (#​16191)
  • Fixed a bug where the utils/prune-revisions command was deleting nested entry revisions.

v5.5.9

  • Fixed a bug where custom fields could cause validation errors when running the users/create command.
  • Fixed a bug where deleting a volume folder wasn’t fully deleting asset data in descendant folders.
  • Fixed a bug where children and descendants eager-loading wasn’t working on some environments. (#​16381, #​16382)
  • Fixed a JavaScript error that could occur if there was a problem applying changes to field layout elements. (#​16380)
  • Fixed a bug where field layout designers were validating field names, handles, and instructions, even if they weren’t overridden within the field instance. (#​16380)
  • Fixed an error that occurred when upgrading to Craft 5. (#​16383)
  • Fixed a bug where “Full Name” could appear twice in the user card attributes list. (#​16358)
  • Fixed a bug where multi-site element queries could return an incorrect number of results if the search param was used in conjunction with offset or limit. (#​16183)

v5.5.8

  • Fixed a bug where custom fields were getting included in rendered field layout forms, even if their getInputHtml() method returned an empty string.
  • Fixed a bug where the password input on the Set Password page wasn’t including the “Show” button.
  • Fixed a SQL error that could occur if an element was saved with a title longer than 255 characters.
  • Fixed a bug where some UI messages began with a lowercase letter in some languages. (#​16354)
  • Fixed errors that could occur when working with field layouts for element types that are no longer installed. (#​16352)
  • Fixed an error that could occur when creating nested entries within Matrix fields. (#​16331)
  • Fixed a bug where element index View menus could include a “Use defaults” button when no view customizations had been made.
  • Fixed a bug where new entries’ slugs weren’t getting propagated to other sites, if their entry type had a dynamic title format. (#​16347)
  • Fixed a bug where address cards were only showing the first two lines of the address. (#​16353)
  • Fixed a bug where @transform GraphQL directives weren’t always working on Assets fields with overridden handles. (#​15718)
  • Fixed an error that occurred when adding “Full Name” to user cards. (#​16358)
  • Fixed an error that could occur if craft\base\NestedElementTrait::getOwner() or getPrimaryOwner() were called on a nested element whose owner didn’t exist in the same site. (#​16359)
  • Fixed a styling issue. (#​16342)
  • Fixed an RCE vulnerability. (CVE-2025-23209)

v5.5.7

  • Fixed a bug where elements’ getPrev() and getNext() methods could cause duplicate queries. (#​16329)
  • Fixed a bug where assets that were shorter than the preview thumb container weren’t getting vertically centered within it.
  • Fixed a bug where it was possible to set a focal point on SVGs, even though focal points on SVGs aren’t supported. (#​16258)
  • Fixed a bug where ancestors, children, descendants, and parent eager-loading wasn’t working for previewed elements. (#​16327)
  • Fixed a bug where field conditions weren’t taking effect within Matrix fields set to inline-editable blocks mode, if the owner element didn’t support drafts. (#​16315)
  • Fixed a bug where Matrix fields’ entry types weren’t maintaining their original block type order when upgrading to Craft 5. (#​16314)
  • Fixed a bug where element card labels were getting cut off when wrapped. (#​16325)
  • Fixed a PHP error that could occur when eager-loading owner or primaryOwner on nested elements. (#​16339)

v5.5.6

v5.5.5

  • Fixed a bug where asset, category, and entry sources defined by the EVENT_REGISTER_SOURCES event didn’t have any custom fields available to them, unless the EVENT_REGISTER_FIELD_LAYOUTS event was also used to define the available field layouts for the event-defined source. (#​16256)
  • Fixed a bug where Link fields were getting string types in CustomFieldBehavior rather than craft\fields\data\LinkData.
  • Fixed a JavaScript error that could occur when creating new nested elements. (#​16262)

v5.5.4

  • Reduced the likelihood of a deadlock error occurring when updating search indexes. (#​15221)
  • The PHP Info utility is no longer shown in environments where the phpinfo() function is disabled. (#​16229)
  • “View” buttons within element indexes are now disabled when the selected view mode has no applicable settings. (#​16242)
  • Fixed an error that could occur when duplicating an element with an Assets field that had a dynamic subpath. (#​16214)
  • Fixed a bug where renaming asset folders could move them to the webroot on Windows. (#​16215)
  • Fixed a bug where utilities’ isSelectable() methods weren’t being respected.
  • Fixed an exception that could be thrown when displaying entry indexes, if any EVENT_INIT or EVENT_DEFINE_BEHAVIORS entry event handlers were calling getType() on the entry. (#​16254)
  • Fixed a bug where element slideouts had Save buttons even if the user didn’t have permission to save the element. (#​16205)
  • Fixed a bug where pagination wasn’t working properly on the Entry Types index page when searching. (#​16204)
  • Fixed an error that could occur when saving an element with an invalid Link field value. (#​16212)
  • Fixed a bug where sortable checkbox selects were displaying menu buttons even when only one option was selected. (#​16213)
  • Fixed a bug where it wasn’t possible to sort embedded element indexes by custom fields.
  • Fixed a bug where changes to nested elements weren’t getting saved to a draft of the parent, if the element editor was triggered via the “Edit” action menu item. (#​16251)
  • Fixed a bug where all elements would get soft-deleted when deleting a section on PostgreSQL. (#​16230)
  • Fixed a bug where entry cards could contain two entry type icons if the “Entry Type” attribute was included in the card view designer. (#​16234)
  • Fixed a bug where address error summaries weren’t linking to Latitude/Longitude fields properly. (#​16244)
  • Fixed a styling issue.

v5.5.3

  • Element indexes now sort by ID by default, for sources that don’t define a default sort option.
  • Fixed a bug where element indexes were sorting by the first sortable attribute alphabetically by default, rather than the first sortable attribute defined by the element type.
  • Fixed a bug where craft\events\ApplyFieldSaveEvent::$field wasn’t being set consistently by craft\services\Fields::EVENT_BEFORE_APPLY_FIELD_SAVE. (#​16156)
  • Fixed a bug where the address field layout’s project config data wasn’t getting recreated when running project-config/rebuild. (#​16189)
  • Fixed an error that could occur when creating a nested element. (#​16162)
  • Fixed a bug where custom fields weren’t being displayed at 25% width when they should have. (#​16165)
  • Fixed a bug where the “Default Table Columns” element source settings could contain duplicate checkbox options. (#​16177)
  • Fixed a JavaScript error that broke nested element creation in global sets. (#​16182)
  • Fixed a bug where Number fields weren’t rounding existing values based on the precision specified by the Decimals setting. (#​16181)

v5.5.2

  • Fixed an error that could occur if an invalid folder ID was passed to craft\services\Assets::deleteFoldersByIds(). (#​16147)
  • Fixed a SQL error that occurred when creating a new Single section. (#​16145)
  • Fixed an error that occurred when running the resave/all command, if any of the options passed weren’t supported by other resave/* commands. (#​16148)
  • Fixed an error that occurred when restoring a soft-deleted custom field. (#​16150)
  • Fixed an RCE vulnerability.

v5.5.1

v5.5.0

  • Fixed an error that prevented custom fields from loading on the Settings → Fields.

v5.4.10

  • Fixed a bug where it wasn’t possible to create new nested Matrix entries for global sets. (#​16041)

v5.4.9

  • The install command now runs through database connection setup, if Craft can’t yet connect to the database. (#​15943)
  • authorId, authorIds, authors, and sectionId are now reserved field handles for entry types. (#​15923)
  • Added craft\elements\db\NestedElementQueryInterface.
  • Added craft\services\Gc::$silent.
  • Fixed a bug where admin table header cells weren’t indicating when they were sorted. (#​15897)
  • Fixed an error that occurred when creating a database backup, if the System Name contained any quote-like characters. (#​15933)
  • Fixed a bug where buttons could bleed out of their containers. (#​15931, #​15946)
  • Fixed a PHP error. (#​15915)
  • Fixed a bug where uninstalled/missing plugins weren’t getting status indicators on the Plugins index page.
  • Fixed errors that occurred when working with nested entries for a newly-added site. (#​15898)
  • Fixed a bug where it wasn’t possible to scroll the section select modal when moving entries to a different section. (#​15900)
  • Fixed a bug where query params in the format of '<operator> <values>' weren’t being parsed correctly.
  • Fixed a bug where craft\services\Entries::saveSection() and craft\services\Volumes::saveVolume() weren’t respecting predefined UUID values on new models.
  • Fixed a bug where Addresses fields in element index view weren’t showing newly-created addresses. (#​15911)
  • Fixed a bug where disabled Money fields were showing the clear button.
  • Fixed a bug where element slideouts had a “Save” button when viewing a revision. (#​15930)
  • Fixed a bug where element edit pages had a “Revert content from this revision” button for elements that didn’t support revisions. (#​15930)
  • Fixed an error that occurred when loading a soft-deleted nested entry from a revision. (#​15930)
  • Fixed a bug where the entrify/tags and entrify/global-set commands would prompt for the target section after one had just been created.
  • Fixed a bug where entrify commands weren’t copying the original field instance UUIDs into newly-created entry types, causing content to appear missing. (#​15935)
  • Fixed a bug where element editor slideouts could create unnecessary provisional drafts. (#​15938)
  • Fixed an information disclosure vulnerability.

v5.4.8

  • Added craft\helpers\App::isTty().
  • Fixed a styling issue with Color field inputs. (#​15868)
  • Fixed a deprecation error. (#​15873)
  • Fixed a bug where element sources weren’t keyboard-selectable. (#​15876)
  • Fixed a bug where Craft wasn’t auto-detecting interactive terminals on Windows.
  • Fixed a bug where element actions were allowed on nested entries when viewing a revision. (#​15879)
  • Fixed a bug where element error summaries weren’t linking to recursively-nested Matrix fields properly. (#​15797)
  • Fixed a bug where eager-loaded relation fields were loading all related elements across all instances of the field. (#​15890)
  • Fixed a bug where expanding the site statuses UI for an entry within a slideout would remove the expand button from the main entry’s form. (#​15893)
  • Fixed a privilege escalation vulnerability.

v5.4.7

  • Custom field condition rules are now ignored if they reference a field with an incompatible type. (#​15850)
  • Fixed an error that could occur if Hyper was installed. (#​15867)
  • Fixed an error that occurred when running migrate commands with an invalid --plugin option value.

v5.4.6

  • Improved relational fields’ drag-n-drop responsiveness in Safari. (#​15728)
  • Fixed a bug where entries’ deletedWithEntryType values in the entries table weren’t getting set back to null after being restored.
  • Fixed a bug where it wasn’t possible to discard changes for related elements via slideouts, if they didn’t exist in the primary site. (#​15798)
  • Fixed an error that could occur when restoring a soft-deleted entry type and section, if any entries had been soft-deleted alongside the entry type. (#​15787)
  • Fixed a bug where Tags fields weren’t working properly when their label was hidden. (#​15800)
  • Fixed an information disclosure vulnerability.

v5.4.5

v5.4.4

Important: This update fixes a critical data deletion bug for PostgreSQL installs.

  • Fixed a data deletion bug that occurred during garbage collection on PostgreSQL. (#​14891)
  • Fixed a bug where image constraint labels weren’t translated within the Image Editor.
  • Fixed a bug where image orientation labels weren’t getting translated for screen readers within the Image Editor.
  • Fixed a PHP error. (#​14635)
  • Fixed a bug where elements’ default field values weren’t getting populated on creation. (#​15706)
  • Fixed a bug where URL field previews could bleed out of their container. (#​15722)

v5.4.3

  • Updated Twig to 3.14. (#​15704)
  • Fixed a bug where soft-deleted structures weren’t getting hard-deleted via garbage collection. (#​15705)
  • Fixed a bug where address’ Label fields were being marked as translatable. (#​15702)
  • Fixed an error that could occur when saving an entry with a Matrix field, if the nested entries didn’t have slugs.
  • Fixed a bug where relation fields weren’t merging uploaded asset IDs with the existing field values. (#​15707)
  • Fixed a styling issue with inline-editable Matrix block tabs. (#​15703)
  • Fixed a bug where the control panel layout could shift briefly when removing an element from an element select input. (#​15712)
  • Fixed an RCE vulnerability.
  • Fixed an XSS vulnerability.

v5.4.2

Compare Source

  • Added craft\services\Security::isSystemDir().
  • Fixed a bug where craft\helpers\StringHelper::lines() was returning an array of Stringy\Stringy objects, rather than strings.
  • Fixed styling issues with Template field layout UI elements’ selector labels.
  • Fixed a validation error that could occur when saving a relational field, if the “Maintain hierarchy” setting had been enabled but was no longer applicable. (#​15666)
  • Fixed a bug where formatted addresses weren’t using the application locale consistently. (#​15668)
  • Fixed a bug where Tip and Warning field layout UI elements would display in field layouts even if they had no content. (#​15681)
  • Fixed an error that could occur when reverting an element’s content from a revision, if the element had been added to additional sites since the time the revision was created. (#​15679)
  • Fixed a PHP error that occurred when running PHP 8.2 or 8.3.
  • Fixed a bug where disabled entries became enabled when edited within Live Preview. (#​15670)
  • Fixed a bug where new nested entries could get incremented slugs even if there were no elements with conflicting URIs. (#​15672)
  • Fixed a bug where users’ Addresses screens were displaying addresses that belonged to the user via a custom Addresses field. (#​15678)
  • Fixed a bug where Addresses fields weren’t always returning data in GraphQL.
  • Fixed a bug where partial addresses weren’t getting garbage collected.
  • Fixed a bug where orphaned nested addresses weren’t getting garbage collected. (#​15678)
  • Fixed a bug where orphaned nested entries weren’t getting garbage collected after their field had been hard-deleted. (#​15678)
  • Fixed a JavaScript error that could occur when bulk-editing elements. (#​15694)
  • Fixed an information disclosure vulnerability.

v5.4.1

Compare Source

  • Fixed a bug where it wasn’t possible to create new nested Matrix entries for global sets. (#​16041)

v5.4.0

Compare Source

  • Fixed a PHP error that could occur on element indexes. (#​15648)

v5.3.6

Compare Source

  • Fixed a bug where it wasn’t possible to override named transforms in GraphQL queries. (#​15572)
  • Fixed a bug where address subdivision fields could be incorrectly labelled and/or populated with the wrong options. (#​15551, #​15584)
  • Fixed an error that occurred if Country tables were included within element index tables or cards. (#​15583)
  • Fixed a bug where {% cache %} tags were caching content for Live Preview requests. (#​15586)
  • Fixed a bug where it wasn’t possible to remove nested entries in Matrix fields if the Min Entries setting had been reached. (#​15575)
  • Fixed a bug where Matrix and Addresses fields weren’t displaying or validating unpublished drafts. (#​15536)
  • Fixed a bug where element selector modals within Link fields didn’t have site selector menus. (#​15594)

v5.3.5

Compare Source

  • Updated jQuery UI to 1.14.0. (#​15558)
  • Fixed a bug where craft\helpers\App::env() and normalizeValue() could return incorrect results for values that looked like floats. (#​15533)
  • Fixed a bug where the users/set-password action wasn’t respecting redirect params. (#​15538)
  • Fixed a bug where the “Default Values” Table field setting wasn’t escaping column headings. (#​15552)
  • Fixed a bug where Craft couldn’t be installed with existing project config files, if any plugins specified their schema version via composer.json. (#​15559)
  • Fixed a bug where Money fields’ min, max, and default values weren’t being set to the correct currency. (#​15565, #​15566)
  • Fixed a bug where Money fields weren’t handling negative values correctly. (#​15565, #​15567)
  • Fixed a bug where PHP-originated Craft Console API requests weren’t timing out if the API was down. (#​15571)
  • Fixed a bug where admin tables weren’t displaying disabled statuses. (#​15540)
  • Fixed a JavaScript error that occurred when adding a row to an editable table that didn’t allow reordering rows. (#​15543)
  • Fixed an error that occurred when editing an element with a Link field previously set to a URL value, if the field no longer allows URLs. (#​15542)
  • Fixed an error that could occur when upgrading to Craft 5. (#​15539, #​15555)

v5.3.4

Compare Source

  • Fixed a bug where the system name in the control panel’s global sidebar was getting hyperlinked even if the primary site didn’t have a URL. (#​15525)
  • Fixed a bug where site crumbs on global set edit pages were including sites the user didn’t have permission to acc

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/packagist-craftcms-cms-vulnerability branch from c017be7 to 7cb9e2d Compare October 10, 2024 02:51
@renovate renovate bot changed the title Update dependency craftcms/cms to v4 [SECURITY] Update dependency craftcms/cms to v5 [SECURITY] Oct 10, 2024
@renovate renovate bot force-pushed the renovate/packagist-craftcms-cms-vulnerability branch from 7cb9e2d to 6dd4542 Compare October 11, 2024 05:45
@renovate renovate bot changed the title Update dependency craftcms/cms to v5 [SECURITY] Update dependency craftcms/cms to v4 [SECURITY] Oct 11, 2024
@renovate renovate bot force-pushed the renovate/packagist-craftcms-cms-vulnerability branch from 6dd4542 to 57e044c Compare October 29, 2024 08:56
@renovate renovate bot changed the title Update dependency craftcms/cms to v4 [SECURITY] Update dependency craftcms/cms to v5 [SECURITY] Oct 29, 2024
@renovate renovate bot force-pushed the renovate/packagist-craftcms-cms-vulnerability branch from 57e044c to 19e4707 Compare October 31, 2024 02:49
@renovate renovate bot changed the title Update dependency craftcms/cms to v5 [SECURITY] Update dependency craftcms/cms to v4 [SECURITY] Oct 31, 2024
@renovate renovate bot force-pushed the renovate/packagist-craftcms-cms-vulnerability branch from 19e4707 to 043b593 Compare December 3, 2024 02:49
@renovate renovate bot changed the title Update dependency craftcms/cms to v4 [SECURITY] Update dependency craftcms/cms to v5 [SECURITY] Dec 3, 2024
@renovate renovate bot force-pushed the renovate/packagist-craftcms-cms-vulnerability branch from 043b593 to f94fb62 Compare December 5, 2024 23:52
@renovate renovate bot changed the title Update dependency craftcms/cms to v5 [SECURITY] Update dependency craftcms/cms to v4 [SECURITY] Dec 5, 2024
@renovate renovate bot force-pushed the renovate/packagist-craftcms-cms-vulnerability branch from f94fb62 to d571068 Compare December 21, 2024 14:31
@renovate renovate bot changed the title Update dependency craftcms/cms to v4 [SECURITY] Update dependency craftcms/cms to v5 [SECURITY] Dec 21, 2024
@renovate renovate bot force-pushed the renovate/packagist-craftcms-cms-vulnerability branch from d571068 to 7d56cf8 Compare December 22, 2024 02:24
@renovate renovate bot changed the title Update dependency craftcms/cms to v5 [SECURITY] Update dependency craftcms/cms to v4 [SECURITY] Dec 22, 2024
@renovate renovate bot force-pushed the renovate/packagist-craftcms-cms-vulnerability branch from 7d56cf8 to 5173f17 Compare December 24, 2024 14:45
@renovate renovate bot changed the title Update dependency craftcms/cms to v4 [SECURITY] Update dependency craftcms/cms to v5 [SECURITY] Dec 24, 2024
@renovate renovate bot force-pushed the renovate/packagist-craftcms-cms-vulnerability branch from 5173f17 to e268ab7 Compare December 25, 2024 18:00
@renovate renovate bot changed the title Update dependency craftcms/cms to v5 [SECURITY] Update dependency craftcms/cms to v4 [SECURITY] Dec 25, 2024
@renovate renovate bot force-pushed the renovate/packagist-craftcms-cms-vulnerability branch from e268ab7 to 4dcaf6b Compare January 15, 2025 16:05
@renovate renovate bot changed the title Update dependency craftcms/cms to v4 [SECURITY] Update dependency craftcms/cms to v5 [SECURITY] Jan 15, 2025
@renovate renovate bot force-pushed the renovate/packagist-craftcms-cms-vulnerability branch from 4dcaf6b to 8672bb2 Compare January 17, 2025 03:41
@renovate renovate bot changed the title Update dependency craftcms/cms to v5 [SECURITY] Update dependency craftcms/cms to v4 [SECURITY] Jan 17, 2025
@renovate renovate bot force-pushed the renovate/packagist-craftcms-cms-vulnerability branch from 8672bb2 to bbc28d5 Compare January 31, 2025 19:12
@renovate renovate bot changed the title Update dependency craftcms/cms to v4 [SECURITY] Update dependency craftcms/cms to v5 [SECURITY] Jan 31, 2025
@renovate renovate bot force-pushed the renovate/packagist-craftcms-cms-vulnerability branch from bbc28d5 to bc0d236 Compare February 1, 2025 14:36
@renovate renovate bot changed the title Update dependency craftcms/cms to v5 [SECURITY] Update dependency craftcms/cms to v4 [SECURITY] Feb 1, 2025
@renovate renovate bot force-pushed the renovate/packagist-craftcms-cms-vulnerability branch from bc0d236 to dbb3448 Compare February 9, 2025 16:12
@renovate renovate bot changed the title Update dependency craftcms/cms to v4 [SECURITY] Update dependency craftcms/cms to v5 [SECURITY] Feb 9, 2025
@renovate renovate bot force-pushed the renovate/packagist-craftcms-cms-vulnerability branch from dbb3448 to 4f1e681 Compare February 11, 2025 04:03
@renovate renovate bot changed the title Update dependency craftcms/cms to v5 [SECURITY] Update dependency craftcms/cms to v4 [SECURITY] Feb 11, 2025
@renovate renovate bot force-pushed the renovate/packagist-craftcms-cms-vulnerability branch from 4f1e681 to 667ef65 Compare March 5, 2025 03:49
@renovate renovate bot changed the title Update dependency craftcms/cms to v4 [SECURITY] Update dependency craftcms/cms to v5 [SECURITY] Mar 5, 2025