Release 26.04.30-01

Release: v26.04.28-02 → v26.04.30-01

Caution

Rollback Warning: This release contains irrevertable changes that are non-trivial to rollback from.

• GraphQL API: The page query error response shape changes for missing pages — { data: { page: null } } becomes { data: { page: null }, errors: [{ extensions: { code: 'NOT_FOUND' } }] }; headless consumers detecting 404 via response.data?.page === null must migrate to errors[0]?.extensions?.code. (#35044)
• Content Analytics: The legacy CubeJS analytics endpoints under /v1/analytics/content are fully removed and replaced by a new proxy layer; consumers calling those endpoints directly must migrate to the new /v1/analytics/ proxy. (#35450)

Features & Enhancements

• Edit Content: The References card in the General tab is now clickable when a contentlet has page references, opening a dialog that lists every referencing page with its site, URL, container, owner, and persona. (#35442)
• Content Drive: A new chip-style filter component for the toolbar summarizes active filter selections inline (none / single value / "A, B" / "A and N more"). (#35465)
• Apps: App descriptors now support custom icon and color fields; the Page Scanner app is rebranded to Page Health. (#35444)
• Content Analytics: Replaces the CubeJS integration with a new /v1/analytics/ proxy layer that routes to the dot-ca-event-manager service, and migrates the frontend analytics data access layer to the new event-based API. (#35450, #35513)
• Content Analytics: The system status endpoint (/api/v1/system/status) now evaluates Content Analytics health via lightweight, read-only checks against the CA Event Manager service, reporting OK, NOT_CONFIGURED, or CONFIGURATION_ERROR. (#35524)
• Folders: Folder deletion is now blocked when the folder contains live (published) content; configurable via the BLOCK_FOLDER_DELETE_WITH_LIVE_CONTENT flag. (#35500)

Fixes and Known Issues

• GraphQL: Page query errors now carry a stable extensions.code value (NOT_FOUND, PERMISSION_DENIED, BAD_REQUEST) instead of brittle string-matched messages; the @dotcms/client SDK is updated to branch on the code rather than the message text. (#35044)
• Content Type: Fixed the ensure parameter in multi-type search pagination — pinned items no longer duplicate across pages or cause other items to be permanently skipped. (#35453)
• UVE: The style editor form now renders correctly inside the Universal Visual Editor. (#35497)
• Categories: Creating a category via the Angular portlet without an explicit active field now correctly defaults to active instead of inactive. (#35502)
• Clone: DB_BASE_URL parsing now correctly handles URLs that include an explicit port number. (#35511)
• Rules REST API: /api/portlet/rules/include now returns 400 for invalid or missing IDs and 404 for non-existent rules, replacing the previous HTTP 200 with debug HTML. (#35499)
• Block Editor: Subscript and superscript marks now render as <sub>/<sup> in Story Block HTML output rather than being silently dropped. (#35506)
• Block Editor: Multi-word queries with spaces now correctly narrow contentlet search results in the contentlet picker. (#35510)
• Content References API: Anonymous (unauthenticated) requests to the content references endpoints are now rejected with HTTP 401. (#35509)
• REST API: Jersey's WADL descriptor (/api/application.wadl) is now disabled and returns 404, preventing unauthenticated enumeration of all REST endpoints. (#35498)
• UVE: Removed the duplicate "copy page URL" button from the editor toolbar; the copy control on the URL pill is the single canonical entry point. (#35518)

Deprecations, End of Life, and Reminders

• SDK (@dotcms/client): DotCMSPageResponse.error (singular) is deprecated in favor of the errors[] array and will be removed in August 2026. (#35044)

Infrastructure & Security

• Docker: Runtime images now default to jemalloc (with mimalloc still installed) and bundle Microsoft's jaz Java launcher, enabling native memory profiling and JVM crash-dump capture without rebuilding the image. (#35410)
• CI/CD: The rollback safety check is extracted to a dedicated GitHub Actions workflow with cancel-in-progress concurrency and automatic stale label cleanup before each re-evaluation. (#35522)