v4.13.1

@alexandrebodin alexandrebodin released this 30 Aug 16:20
· 1445 commits to main since this release

⚠️ Breaking Changes ⚠️

Starting with Strapi v4.13.1, Content API requests that use invalid query parameters are rejected with an error response; previously, the invalid parameters were silently removed from the query. If you are seeing “Invalid parameter” errors in a Content API request, please ensure that every parameter in your query string is valid. If you need the previous behavior of filtering out invalid parameters, you will need to use a custom controller that only calls sanitizeQuery and not validateQuery. For more information on why we made this change, please see #17001.
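
The behaviour change described above, as a simplified model (an added example, not Strapi's code). Only the names sanitizeQuery and validateQuery come from these notes; the allow-list, the error class, the 400 status and the function names find and findLegacy are assumptions made for illustration.

```javascript
// Simplified model, NOT Strapi's implementation. Only the names sanitizeQuery
// and validateQuery come from the release notes; the rest is constructed.
const ALLOWED = { top: ['filters', 'sort', 'fields'], attributes: ['title', 'publishedAt'] };
class InvalidParameterError extends Error {
  constructor(key) {
    super(`Invalid parameter ${key}`);
    this.status = 400; // assumed status code for this model
    this.key = key;
  }
}

// List every key that is not on the allow-list, top level first.
function invalidKeys(query) {
  const bad = Object.keys(query).filter((k) => !ALLOWED.top.includes(k));
  for (const attr of Object.keys(query.filters || {})) {
    if (!ALLOWED.attributes.includes(attr)) bad.push(`filters.${attr}`);
  }
  return bad;
}

// Old behaviour: drop whatever is not allowed and carry on with the rest.
function sanitizeQuery(query) {
  const clean = {};
  for (const [k, v] of Object.entries(query)) {
    if (ALLOWED.top.includes(k)) clean[k] = v;
  }
  if (clean.filters) {
    const kept = Object.entries(clean.filters).filter(([a]) => ALLOWED.attributes.includes(a));
    clean.filters = Object.fromEntries(kept);
  }
  return clean;
}

// New behaviour: refuse the request and name the first offending parameter.
function validateQuery(query) {
  const bad = invalidKeys(query);
  if (bad.length > 0) throw new InvalidParameterError(bad[0]);
}

// Default action since v4.13.1 in this model: validate, then sanitize.
function find(query) {
  validateQuery(query);
  return { status: 200, query: sanitizeQuery(query) };
}

// The opt-out described above: a custom action that only sanitizes.
function findLegacy(query) {
  return { status: 200, query: sanitizeQuery(query) };
}
```

With a constructed query such as `{ filters: { titel: 'x' } }`, findLegacy runs with an empty filter and so returns unfiltered results, while find throws InvalidParameterError for `filters.titel`.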

⚠️ Security Warning and Notice ⚠️

Strapi was made aware of a few vulnerabilities that were patched in this release. For now, we are delaying detailed disclosure of how they can be exploited and how they were patched, to give users time to upgrade before public disclosure.

Under the current timeline, we will release the detailed information in the next two (2) weeks; we expect to make the public disclosure (via a blog post) on Wednesday Sept 13th, 2023. The previous disclosure mentioned in v4.12.1 was delayed and will also be disclosed on Sept 13th, 2023.

💅 Enhancement

  • [core:admin] List view: new cog button icon with the view settings in the list view page (#17551) @simotae14
  • [core:admin] List view: new cog button icon with the view settings in the list view page (#17602) @simotae14
  • [core:content-manager] Feat: Allow writeable & nonvisible fields as default sort (#17205) @Marc-Roig
  • [core:utils] 💥 Throw error on missing schema in sanitization (#17693) @innerdvations

🚀 New feature

🔥 Bug fix

  • [core:admin] fix: dont use relative paths, use webpack alias instead (#17733) @joshuaellis
  • [core:admin] fix(app): Handle errors gracefully (#17833) @gu-stav
  • [core:content-manager] fix: display role names (#17702) @Marc-Roig
  • [core:data-transfer] [DTS] Only delete types of data that are being transferred (#17730) @innerdvations
  • [core:review-workflows] fix: include strapi_assignee as a known feature in data transfer (#17768) @Marc-Roig
  • [core:review-workflows] fix: Ignore review workflow fields on user content type modifications check (#17865) @Marc-Roig
  • [core:strapi] feat: proxy content type in controller factory (#17772) @Marc-Roig
  • [typescript] Fix circular dependency caused by Attribute.UID in Attribute.Any (#17569) @Convly

🚨 Security

  • [core:utils] Add validate utility and use it to validate query params in API controllers (#17639) @innerdvations
  • [plugin:users-permissions] [U&P] Add allowedFields configuration option (#17804) @innerdvations

⚙️ Chore

  • [core:admin] Revert "Chore: Refactor admin app entries" (#17853) @gu-stav
  • [dependencies] chore(deps-dev): bump the eslint group with 2 updates (#17825) @dependabot
  • [dependencies] chore(deps): bump axios from 1.4.0 to 1.5.0 (#17827) @dependabot
  • [dependencies] chore(deps): bump node-fetch from 2.6.9 to 2.7.0 (#17828) @dependabot

📚 Update and Migration Guides

  • General update guide can be found here
  • Migration guides can be found here 📚