Apostrophe 4.30.0: A New Release Cadence, Accessibility Improvements, and Bug Fixes

[BoDonkey]

Hello Apostrophe Community!

Apostrophe 4.30.0 is a focused maintenance release: bug fixes, accessibility improvements, and security patches with no new features. It is also the first release under our new release model.

A New Release Cadence

Starting with this release, ApostropheCMS ships on a predictable two-track schedule designed to make upgrades safer and more manageable, particularly for teams running production sites with multiple stakeholders.

Monthly maintenance releases focus on bug fixes, security patches, and accessibility improvements. As a strong default, they will not introduce UI changes or new features — so they are generally safe to apply without workflow disruption. Occasionally, when a missing capability constitutes a significant enough gap in the UX that we consider it a bug, we may include a targeted correction. We'll flag those clearly when they occur.

Quarterly feature releases will group related work into coherent, themed sets with advance communication before they ship. The next quarterly release is scheduled for June 10, 2026, with a theme of Developer Activation.

And starting with our June release, the new two-track release plan will allow teams to decide whether to follow our latest releases in production, or receive those one quarter later while continuing to get bug fixes and security fixes in the meantime. This will allow dev teams to more fully evaluate “latest” while production remains on “stable.” We are still finalizing the technical approach for how teams will manage which track they are on, and will share that guidance ahead of the June release. In the meantime, npm update continues to work as it always has.

This model came directly out of feedback from enterprise teams who need to be able to apply a security patch without absorbing an unannounced UI change, and who need enough advance visibility into upcoming features to plan their own work. We think it will benefit teams of all sizes.

A new roadmap

As part of our new release cadence, we’ve also shared a clearer roadmap to upcoming quarterly feature releases. As always you can also submit and upvote possible features. Let us know what you think.

Layout Widget: Editor Control Over Gap

Previously, the spacing between items in a layout widget grid could only be set by a developer in module code. Editors can now control it themselves through the styles system, either site-wide via a global layoutGap preset, or per widget via a gap styles field. A new className option also allows developers to attach additional CSS class names to the widget's grid container for more flexible styling. This improvement applies to both standard Nunjucks-based projects and projects using the Astro integration. Note that, as always, developers must explicitly add this feature to their sites if they want it.

Accessibility Improvements

This release includes a focused round of fixes to bring the admin UI into closer compliance with accessibility guidelines, covering ARIA semantics, screen reader support, and labeling across the navigation bar, locale switcher, and admin bar controls. The @apostrophecms-pro/doc-template-library and @apostrophecms-pro/section-template-library modules also received improved tooltip labels.

Security Updates

This release includes six security fixes across apostrophe core, sanitize-html, launder, and @apostrophecms/cli. We encourage all users to upgrade promptly.

This release addresses:

• XSS vulnerabilities via the xmp tag in sanitize-html, which could pass forbidden markup through the sanitizer even when xmp was not explicitly permitted; via a malicious full name containing HTML executed in the page title tooltip, exposing other users to XSS; and via javascript: URLs in the image widget link field, exploitable by any user with editing privileges including contributors — a database migration is included to strip any such URLs already present
• Server-side request forgery in the rich text widget's HTML import feature, which could be used to probe internal networks or exfiltrate images from internal hosts. Image imports from external hosts are now opt-in via the new imageImportAllowedHostnames option on @apostrophecms/rich-text-widget. Note that this means you must configure these new options if you are using the API-based HTML import feature with img elements.
• An email phishing vector in the password reset feature, which could be used to send emails containing links to arbitrary external sites. The password reset feature now requires baseUrl or APOS_BASE_URL to be set before it will operate (this is automatic in multisite projects). This only affects projects with passwordReset: true enabled on the login module
• Shell injection in @apostrophecms/cli, where passwords or starter kit URLs containing malicious punctuation could be used to run arbitrary shell commands in scripted use

Dependency-related security fixes

• the xmp tag could be used to pass forbidden markup through sanitize-html, even when xmp itself is not explicitly allowed. This was fixed by sanitize-html 2.17.4 and a dependency bump to ensure it is used in apostrophe.
• manual links in the image-widget were vulnerable to XSS. This was fixed by the use of the url field type, a database migration to clean up any existing XSS, and (for defense in depth) upgrades in launder to ensure it uses the same high-quality URL sanitization employed by sanitize-html.

Thanks to Vincenzo Turturro, Muhammad Uwais (two issues), SPIDY, Nitro13urn, Yiğit Şengezer, and Sainithin0309 for reporting these vulnerabilities.

Additional Fixes

• The layout widget now correctly regains full focus when switching back to Edit content mode
• Keyboard shortcuts for widget operations (copy, cut, paste, duplicate, remove) no longer intercept the browser's native clipboard behavior when no widget is focused — previously, logged-in users found that selecting and copying text on a page was blocked by the admin UI
• Illegal HTML id attribute values generated by the admin UI have been corrected
• A duplicate <meta charset> tag has been removed from outerLayoutBase.html; the charset is now consistently utf-8 (the legacy configuration option is ignored, as utf-8 is the only legal value per spec)
• Orderable table array items no longer drag the entire floating window
• apostrophe and oembetter have been updated to remove a number of services that formerly supported oembed for the general public but no longer do so. While there is no active security risk today, removing these eliminates potential XSS attack vectors should those domains ever lapse. Developers can further prune this list using the new minimumAllowlist and minimumEndpoints options on the @apostrophecms/oembed module
• aposResponse errors are now logged server-side in the Astro process
• Dependencies in @apostrophecms/cli have been bumped to close vulnerabilities in uuid, fast-xml-parser, and shelljs. The first two were not used in a sensitive or vulnerable way within ApostropheCMS; the shelljs vulnerability would only be exploitable if a developer could be convinced to enter malicious commands as CLI input

Community Contributions

We're grateful to the contributors who helped make this release possible. Sainithin0309 flagged the oembed long-term security concern that led to this cycle's cleanup. Harouna Traore contributed the aposResponse error logging improvement to the Astro integration.

---

You should upgrade

This release contains important security fixes and we encourage all users to upgrade promptly with npm update.

🚀 Happy coding!

Apostrophe 4.30.0

Adds

• Layout widget gap is now controllable through the styles system, both site-wide via a global layoutGap preset and per widget via a gap styles field. A new className option allows additional CSS classes to be added to the widget grid container.

Fixes

• Fixed layout widget not regaining full focus when switching back to Edit content mode.
• Fixed illegal HTML id attribute values generated by the admin UI.
• Fixed orderable table array items dragging the entire floating window.
• Fixed keyboard shortcuts for widget operations (copy, cut, paste, duplicate, remove) blocking the browser's native clipboard behavior when no widget was focused. Previously, selecting and copying text while logged in was intercepted unconditionally by the admin UI.
• Removed duplicate <meta charset> tag from outerLayoutBase.html and standardized charset to utf-8.
• Updated apostrophe and oembetter to remove oembed services that no longer support public access, eliminating them as a potential future XSS vector. New minimumAllowlist and minimumEndpoints options on @apostrophecms/oembed allow developers to prune the list further.

Security

• Password reset base URL requirement: The password reset feature now refuses to operate unless baseUrl or APOS_BASE_URL is set, preventing a vulnerability where ApostropheCMS could be convinced to send emails with links to attacker-controlled sites. Only affects projects with passwordReset: true on the login module. Thanks to SPIDY for reporting.
• XSS via full name field: A malicious full name containing HTML was executed in the page title tooltip in the admin bar, posing an XSS risk to other users. All multi-user projects should update promptly. Thanks to Muhammad Uwais for reporting.
• XSS via image widget link URL: Users with editing privileges could trigger arbitrary JavaScript via a javascript: URL in the image widget's link URL field. A migration is included to strip any such URLs already in the database. Thanks to Muhammad Uwais for reporting.
• SSRF via rich text HTML import: The rich text widget's HTML import feature no longer fetches images from arbitrary hosts, which could be used to probe internal networks or exfiltrate internal images. Configure imageImportAllowedHostnames on @apostrophecms/rich-text-widget to opt in. Thanks to Yiğit Şengezer and Sainithin0309 for reporting.
• the xmp tag could be used to pass forbidden markup through sanitize-html, even when xmp itself. This was fixed in sanitize-html and the dependency was bumped. Thanks to Vincenzo Turturro for reporting the vulnerability.
• the linkHref field of image widgets was an XSS vulnerability because it did not use the url field type. This means that a user with editing privileges could potentially carry out XSS. In addition, we have updated the launder module to sanitize URLs more robustly for the url field type, and bumped that dependency. Also, a database migration is included to clean any XSS attacks that could be present in existing links. Thanks to Muhammad Uwais for reporting the issue.

Accessibility

• Corrected ARIA semantics on the top admin navigation bar.
• Improved the document context title (admin bar middle group) and the underlying AposContextMenu machinery.
• Improved the locale switcher (AposLocalePicker).
• The Recently Edited Documents tray icon now exposes its action via aria-label.
• Fixed .apos-sr-only so screen-reader-only content is correctly exposed to the accessibility tree.
• Icon-only context-utility buttons in the admin bar tray (e.g. the global settings cog) now expose their action via aria-label.

Pro Modules

@apostrophecms-pro/cypress-tools 1.0.0-beta.27 (2026-04-15)

Automated functional browser tests are an important part of quality assurance for enterprise websites and web applications. Cypress is an industry-standard, open-source library for carrying out automated functional browser tests. This module provides a collection of conveniences for testing the ApostropheCMS admin UI within Cypress. Explore our documentation to learn how this extension can enhance your project. Once you're ready, obtain a license and install it through Apostrophe Workspaces. For further details or inquiries, feel free to contact us or visit our pricing page.

Adds

• Add dateFields support for apos:dbUpdate and apos:dbFind tasks to restore BSON date types lost during Cypress JSON serialization.
• Add getRecentlyEditedModal and openRecentlyEditedModal commands.

@apostrophecms-pro/doc-template-library 2.2.8

This module solves the "blank page problem" for developers and product managers, and makes it faster for editors to create content. doc-template-library allows for the configuration of default widgets and pre-populated content on piece or page templates, and to re-use existing layouts. Explore our documentation to discover how this extension can enhance your project. Then, effortlessly integrate it through our new Apostrophe Workspaces. For further details or inquiries, feel free to contact us or visit our pricing page.

Changes

• Update the translation for the trigger tooltip to be more descriptive of the action.

@apostrophecms-pro/section-template-library 1.0.1

Accelerate content creation and maintain design consistency by turning your best widgets into reusable section templates. Content teams can instantly insert components without recreating layouts from scratch. This module is now stable and ready for production use. Explore our documentation to discover how this extension can enhance your project. Then, effortlessly integrate it through our new Apostrophe Workspaces. For further details or inquiries, feel free to contact us or visit our pricing page.

Changes

• Update the translation for the trigger tooltip to be more descriptive of the action.

Free Modules

@apostrophecms/apostrophe-astro 1.12.0

Adds

• Editors can now control the layout widget gap through the styles system, both site-wide via a global layoutGap preset and per widget via a gap styles field. A new className option allows additional CSS class names to be added to the widget's grid container.
• Log aposResponse errors server-side in the Astro process. Thanks to Harouna Traore for this contribution.

Utilities

@apostrophecms/cli 3.6.1

The Apostrophe CLI is a cross-platform starting point for creating and configuring ApostropheCMS projects, providing a simple boilerplate generator and wrapping other useful functions into an easy to use command line tool.

Security

• Bump and clean up dependencies. This closes vulnerabilities in uuid and fast-xml-parser although they were not used in a sensitive or vulnerable way within ApostropheCMS. This also closes a vulnerability in shelljs which ould only be exploited if the developer could be convinced to enter malicious commands as part of their CLI input.
• Passwords and starter kit URLs containing intentionally malicious punctuation cannot be used to run arbitrary shell commands. Because the CLI is only used by developers, this would always have been an "own goal" situation, however this does make the CLI more robust for scripted use. Thanks to Nitro13urn for reporting the issue.

launder 1.7.1

Launder can be used to sanitize strings, integers, floats, urls, and more. It's best for cases where you've already used front-end validation to encourage smart input, and now you want to make sure your inputs are reasonable.

Security

• launder now uses and exports the best available naughtyHref function for detecting malicious URLs. sanitize-html now depends on it, and apostrophe now uses type: 'url' for the link URL field of image widgets, which leverages it. Prior to this fix, it was possible for any user with editing privileges, including a contributor, to trigger arbitrary JavaScript via a javascript: URL in the link URL field of an image widget. A migration has been included to strip any such malicious URLs already present in the database. All users of apostrophe are encouraged to upgrade to get this security fix. Thanks to Muhammad Uwais for reporting the issue.

sanitize-html 2.17.4

This module provides a simple HTML sanitizer with a clear API.

Changes

• sanitize-html and launder now share a single implementation of naughtyHref, based on that which previously existed in sanitize-html.

Security

• Security vulnerability: the xmp tag could be used to pass forbidden markup through sanitize-html, even when xmp itself is not explicitly allowed All users of sanitize-html should update immediately. Thanks to Vincenzo Turturro for reporting the vulnerability.

[boutell]

Just a quick follow-up to call out the two additional security vulnerabilities that did not make the list at the top of the post, due to the fact that they technically arrive via dependency bumps:

• Security vulnerability: the xmp tag could be used to pass forbidden markup through sanitize-html, even when xmp itself is not explicitly allowed. This was fixed by sanitize-html 2.17.4 and a dependency bump to ensure it is used in apostrophe.
• Security vulnerability: manual links in the image-widget were vulnerable to XSS. This was fixed by the use of the url field type, a database migration to clean up any existing XSS, and (for defense in depth) upgrades in launder to ensure it uses the same high-quality URL sanitization employed by sanitize-html.