@strapi/core 0.0.0-experimental.a1da9b829e36a866a425439d22ab6f484b547d9f → 0.0.0-experimental.a1edcc9d9fab426bad8fd1a111e6d06cb07849be


Potentially problematic release.



Files changed (183)
  1. package/dist/Strapi.d.ts +1 -0
  2. package/dist/Strapi.d.ts.map +1 -1
  3. package/dist/Strapi.js +20 -4
  4. package/dist/Strapi.js.map +1 -1
  5. package/dist/Strapi.mjs +20 -4
  6. package/dist/Strapi.mjs.map +1 -1
  7. package/dist/configuration/config-loader.js.map +1 -1
  8. package/dist/configuration/config-loader.mjs.map +1 -1
  9. package/dist/configuration/urls.js.map +1 -1
  10. package/dist/configuration/urls.mjs.map +1 -1
  11. package/dist/constants.d.ts +3 -0
  12. package/dist/constants.d.ts.map +1 -0
  13. package/dist/constants.js +6 -0
  14. package/dist/constants.js.map +1 -0
  15. package/dist/constants.mjs +4 -0
  16. package/dist/constants.mjs.map +1 -0
  17. package/dist/container.js.map +1 -1
  18. package/dist/container.mjs.map +1 -1
  19. package/dist/core-api/routes/index.js.map +1 -1
  20. package/dist/core-api/routes/index.mjs.map +1 -1
  21. package/dist/core-api/routes/validation/mappers.d.ts.map +1 -1
  22. package/dist/core-api/routes/validation/mappers.js +35 -0
  23. package/dist/core-api/routes/validation/mappers.js.map +1 -1
  24. package/dist/core-api/routes/validation/mappers.mjs +35 -0
  25. package/dist/core-api/routes/validation/mappers.mjs.map +1 -1
  26. package/dist/core-api/routes/validation/utils.js.map +1 -1
  27. package/dist/core-api/routes/validation/utils.mjs.map +1 -1
  28. package/dist/core-api/service/collection-type.js.map +1 -1
  29. package/dist/core-api/service/collection-type.mjs.map +1 -1
  30. package/dist/core-api/service/single-type.js.map +1 -1
  31. package/dist/core-api/service/single-type.mjs.map +1 -1
  32. package/dist/domain/content-type/index.js.map +1 -1
  33. package/dist/domain/content-type/index.mjs.map +1 -1
  34. package/dist/domain/module/index.js.map +1 -1
  35. package/dist/domain/module/index.mjs.map +1 -1
  36. package/dist/ee/index.js.map +1 -1
  37. package/dist/ee/index.mjs.map +1 -1
  38. package/dist/ee/license.js +1 -2
  39. package/dist/ee/license.js.map +1 -1
  40. package/dist/ee/license.mjs +1 -2
  41. package/dist/ee/license.mjs.map +1 -1
  42. package/dist/loaders/apis.js.map +1 -1
  43. package/dist/loaders/apis.mjs.map +1 -1
  44. package/dist/loaders/components.js.map +1 -1
  45. package/dist/loaders/components.mjs.map +1 -1
  46. package/dist/loaders/plugins/get-enabled-plugins.js.map +1 -1
  47. package/dist/loaders/plugins/get-enabled-plugins.mjs.map +1 -1
  48. package/dist/loaders/plugins/index.js +1 -1
  49. package/dist/loaders/plugins/index.js.map +1 -1
  50. package/dist/loaders/plugins/index.mjs +1 -1
  51. package/dist/loaders/plugins/index.mjs.map +1 -1
  52. package/dist/loaders/src-index.js.map +1 -1
  53. package/dist/loaders/src-index.mjs.map +1 -1
  54. package/dist/middlewares/logger.js.map +1 -1
  55. package/dist/middlewares/logger.mjs.map +1 -1
  56. package/dist/middlewares/response-time.js.map +1 -1
  57. package/dist/middlewares/response-time.mjs.map +1 -1
  58. package/dist/middlewares/security.d.ts.map +1 -1
  59. package/dist/middlewares/security.js +2 -15
  60. package/dist/middlewares/security.js.map +1 -1
  61. package/dist/middlewares/security.mjs +2 -15
  62. package/dist/middlewares/security.mjs.map +1 -1
  63. package/dist/migrations/database/5.0.0-discard-drafts.d.ts +21 -7
  64. package/dist/migrations/database/5.0.0-discard-drafts.d.ts.map +1 -1
  65. package/dist/migrations/database/5.0.0-discard-drafts.js +1501 -58
  66. package/dist/migrations/database/5.0.0-discard-drafts.js.map +1 -1
  67. package/dist/migrations/database/5.0.0-discard-drafts.mjs +1502 -59
  68. package/dist/migrations/database/5.0.0-discard-drafts.mjs.map +1 -1
  69. package/dist/migrations/first-published-at.js.map +1 -1
  70. package/dist/migrations/first-published-at.mjs.map +1 -1
  71. package/dist/package.json.js +13 -12
  72. package/dist/package.json.js.map +1 -1
  73. package/dist/package.json.mjs +13 -12
  74. package/dist/package.json.mjs.map +1 -1
  75. package/dist/providers/index.d.ts.map +1 -1
  76. package/dist/providers/index.js +2 -0
  77. package/dist/providers/index.js.map +1 -1
  78. package/dist/providers/index.mjs +2 -0
  79. package/dist/providers/index.mjs.map +1 -1
  80. package/dist/providers/session-manager.d.ts +3 -0
  81. package/dist/providers/session-manager.d.ts.map +1 -0
  82. package/dist/providers/session-manager.js +23 -0
  83. package/dist/providers/session-manager.js.map +1 -0
  84. package/dist/providers/session-manager.mjs +21 -0
  85. package/dist/providers/session-manager.mjs.map +1 -0
  86. package/dist/registries/apis.js.map +1 -1
  87. package/dist/registries/apis.mjs.map +1 -1
  88. package/dist/registries/custom-fields.js.map +1 -1
  89. package/dist/registries/custom-fields.mjs.map +1 -1
  90. package/dist/registries/namespace.js.map +1 -1
  91. package/dist/registries/namespace.mjs.map +1 -1
  92. package/dist/registries/plugins.js.map +1 -1
  93. package/dist/registries/plugins.mjs.map +1 -1
  94. package/dist/registries/policies.js.map +1 -1
  95. package/dist/registries/policies.mjs.map +1 -1
  96. package/dist/services/config.js.map +1 -1
  97. package/dist/services/config.mjs.map +1 -1
  98. package/dist/services/content-api/index.js.map +1 -1
  99. package/dist/services/content-api/index.mjs.map +1 -1
  100. package/dist/services/content-api/permissions/index.js.map +1 -1
  101. package/dist/services/content-api/permissions/index.mjs.map +1 -1
  102. package/dist/services/content-source-maps.d.ts +2 -1
  103. package/dist/services/content-source-maps.d.ts.map +1 -1
  104. package/dist/services/content-source-maps.js +29 -7
  105. package/dist/services/content-source-maps.js.map +1 -1
  106. package/dist/services/content-source-maps.mjs +29 -7
  107. package/dist/services/content-source-maps.mjs.map +1 -1
  108. package/dist/services/core-store.js.map +1 -1
  109. package/dist/services/core-store.mjs.map +1 -1
  110. package/dist/services/document-service/components.d.ts +26 -1
  111. package/dist/services/document-service/components.d.ts.map +1 -1
  112. package/dist/services/document-service/components.js +16 -4
  113. package/dist/services/document-service/components.js.map +1 -1
  114. package/dist/services/document-service/components.mjs +15 -5
  115. package/dist/services/document-service/components.mjs.map +1 -1
  116. package/dist/services/document-service/repository.js +1 -1
  117. package/dist/services/document-service/repository.js.map +1 -1
  118. package/dist/services/document-service/repository.mjs +1 -1
  119. package/dist/services/document-service/repository.mjs.map +1 -1
  120. package/dist/services/document-service/transform/fields.js.map +1 -1
  121. package/dist/services/document-service/transform/fields.mjs.map +1 -1
  122. package/dist/services/document-service/transform/id-map.js.map +1 -1
  123. package/dist/services/document-service/transform/id-map.mjs.map +1 -1
  124. package/dist/services/document-service/utils/clean-component-join-table.d.ts +7 -0
  125. package/dist/services/document-service/utils/clean-component-join-table.d.ts.map +1 -0
  126. package/dist/services/document-service/utils/clean-component-join-table.js +145 -0
  127. package/dist/services/document-service/utils/clean-component-join-table.js.map +1 -0
  128. package/dist/services/document-service/utils/clean-component-join-table.mjs +143 -0
  129. package/dist/services/document-service/utils/clean-component-join-table.mjs.map +1 -0
  130. package/dist/services/entity-service/index.js.map +1 -1
  131. package/dist/services/entity-service/index.mjs.map +1 -1
  132. package/dist/services/entity-validator/blocks-validator.js.map +1 -1
  133. package/dist/services/entity-validator/blocks-validator.mjs.map +1 -1
  134. package/dist/services/entity-validator/index.js.map +1 -1
  135. package/dist/services/entity-validator/index.mjs.map +1 -1
  136. package/dist/services/metrics/index.js +2 -1
  137. package/dist/services/metrics/index.js.map +1 -1
  138. package/dist/services/metrics/index.mjs +2 -1
  139. package/dist/services/metrics/index.mjs.map +1 -1
  140. package/dist/services/metrics/middleware.d.ts +2 -1
  141. package/dist/services/metrics/middleware.d.ts.map +1 -1
  142. package/dist/services/metrics/middleware.js +2 -2
  143. package/dist/services/metrics/middleware.js.map +1 -1
  144. package/dist/services/metrics/middleware.mjs +2 -2
  145. package/dist/services/metrics/middleware.mjs.map +1 -1
  146. package/dist/services/metrics/sender.d.ts.map +1 -1
  147. package/dist/services/metrics/sender.js +2 -1
  148. package/dist/services/metrics/sender.js.map +1 -1
  149. package/dist/services/metrics/sender.mjs +2 -1
  150. package/dist/services/metrics/sender.mjs.map +1 -1
  151. package/dist/services/server/compose-endpoint.js.map +1 -1
  152. package/dist/services/server/compose-endpoint.mjs.map +1 -1
  153. package/dist/services/server/index.js.map +1 -1
  154. package/dist/services/server/index.mjs.map +1 -1
  155. package/dist/services/server/middleware.js.map +1 -1
  156. package/dist/services/server/middleware.mjs.map +1 -1
  157. package/dist/services/server/register-routes.js.map +1 -1
  158. package/dist/services/server/register-routes.mjs.map +1 -1
  159. package/dist/services/server/routing.js.map +1 -1
  160. package/dist/services/server/routing.mjs.map +1 -1
  161. package/dist/services/session-manager.d.ts +167 -0
  162. package/dist/services/session-manager.d.ts.map +1 -0
  163. package/dist/services/session-manager.js +529 -0
  164. package/dist/services/session-manager.js.map +1 -0
  165. package/dist/services/session-manager.mjs +526 -0
  166. package/dist/services/session-manager.mjs.map +1 -0
  167. package/dist/services/webhook-runner.js +2 -2
  168. package/dist/services/webhook-runner.js.map +1 -1
  169. package/dist/services/webhook-runner.mjs +2 -2
  170. package/dist/services/webhook-runner.mjs.map +1 -1
  171. package/dist/services/worker-queue.js +2 -2
  172. package/dist/services/worker-queue.js.map +1 -1
  173. package/dist/services/worker-queue.mjs +2 -2
  174. package/dist/services/worker-queue.mjs.map +1 -1
  175. package/dist/utils/fetch.js.map +1 -1
  176. package/dist/utils/fetch.mjs.map +1 -1
  177. package/dist/utils/filepath-to-prop-path.js.map +1 -1
  178. package/dist/utils/filepath-to-prop-path.mjs.map +1 -1
  179. package/dist/utils/load-config-file.js.map +1 -1
  180. package/dist/utils/load-config-file.mjs.map +1 -1
  181. package/dist/utils/startup-logger.js.map +1 -1
  182. package/dist/utils/startup-logger.mjs.map +1 -1
  183. package/package.json +13 -12
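--- a/package/dist/middlewares/security.mjs
+++ b/package/dist/middlewares/security.mjs
@@ -1,5 +1,6 @@
  import { defaultsDeep, mergeWith } from 'lodash/fp';
  import helmet from 'koa-helmet';
+ import { CSP_DEFAULTS } from '@strapi/utils';
 
  const defaults = {
  crossOriginEmbedderPolicy: false,
@@ -9,21 +10,7 @@ const defaults = {
  contentSecurityPolicy: {
  useDefaults: true,
  directives: {
- 'connect-src': [
- "'self'",
- 'https:'
- ],
- 'img-src': [
- "'self'",
- 'data:',
- 'blob:',
- 'https://market-assets.strapi.io'
- ],
- 'media-src': [
- "'self'",
- 'data:',
- 'blob:'
- ],
+ ...CSP_DEFAULTS,
  upgradeInsecureRequests: null
  }
  },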
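Review bot: The `...CSP_DEFAULTS` spread in the second hunk moves the `connect-src`, `img-src` and `media-src` defaults out of this file, so the baseline Content-Security-Policy this middleware applies can no longer be audited here and will follow whatever `@strapi/utils` exports. This diff does not show the constant's contents, so whether it reproduces the three removed directives exactly (including the `https://market-assets.strapi.io` image source) should be checked against the `@strapi/utils` version that package.json resolves to. I would add a comment above the spread, for example `// Baseline connect-src / img-src / media-src come from CSP_DEFAULTS in @strapi/utils; keys written after the spread override it`. The spread is shallow, so the directive arrays are presumably shared by reference with any other consumer of the constant, which is safe only while nothing mutates them in place. The `defaults` object continues past the end of the hunk.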
@@ -1 +1 @@
1
- {"version":3,"file":"security.mjs","sources":["../../src/middlewares/security.ts"],"sourcesContent":["import { defaultsDeep, mergeWith } from 'lodash/fp';\nimport helmet, { KoaHelmet } from 'koa-helmet';\n\nimport type { Core } from '@strapi/types';\n\nexport type Config = NonNullable<Parameters<KoaHelmet>[0]>;\n\nconst defaults: Config = {\n crossOriginEmbedderPolicy: false,\n crossOriginOpenerPolicy: false,\n crossOriginResourcePolicy: false,\n originAgentCluster: false,\n contentSecurityPolicy: {\n useDefaults: true,\n directives: {\n 'connect-src': [\"'self'\", 'https:'],\n 'img-src': [\"'self'\", 'data:', 'blob:', 'https://market-assets.strapi.io'],\n 'media-src': [\"'self'\", 'data:', 'blob:'],\n upgradeInsecureRequests: null,\n },\n },\n xssFilter: false,\n hsts: {\n maxAge: 31536000,\n includeSubDomains: true,\n },\n frameguard: {\n action: 'sameorigin',\n },\n};\n\nconst mergeConfig = (existingConfig: Config, newConfig: Config) => {\n return mergeWith(\n (obj, src) => (Array.isArray(obj) && Array.isArray(src) ? 
obj.concat(src) : undefined),\n existingConfig,\n newConfig\n );\n};\n\nexport const security: Core.MiddlewareFactory<Config> =\n (config, { strapi }) =>\n (ctx, next) => {\n let helmetConfig: Config = defaultsDeep(defaults, config);\n\n const specialPaths = ['/documentation'];\n\n const directives: {\n 'script-src': string[];\n 'img-src': string[];\n 'manifest-src': string[];\n 'frame-src': string[];\n } = {\n 'script-src': [\"'self'\", \"'unsafe-inline'\", 'cdn.jsdelivr.net'],\n 'img-src': [\"'self'\", 'data:', 'cdn.jsdelivr.net', 'strapi.io'],\n 'manifest-src': [],\n 'frame-src': [],\n };\n\n // if apollo graphql playground is enabled, add exceptions for it\n if (strapi.plugin('graphql')?.service('utils').playground.isEnabled()) {\n const { config: gqlConfig } = strapi.plugin('graphql');\n specialPaths.push(gqlConfig('endpoint'));\n\n directives['script-src'].push(`https: 'unsafe-inline'`);\n directives['img-src'].push(`'apollo-server-landing-page.cdn.apollographql.com'`);\n directives['manifest-src'].push(`'self'`);\n directives['manifest-src'].push('apollo-server-landing-page.cdn.apollographql.com');\n directives['frame-src'].push(`'self'`);\n directives['frame-src'].push('sandbox.embed.apollographql.com');\n }\n\n // TODO: we shouldn't combine playground exceptions with documentation for all routes, we should first check the path and then return exceptions specific to that\n if (ctx.method === 'GET' && specialPaths.some((str) => ctx.path.startsWith(str))) {\n helmetConfig = mergeConfig(helmetConfig, {\n crossOriginEmbedderPolicy: false, // TODO: only use this for graphql playground\n contentSecurityPolicy: {\n directives,\n },\n });\n }\n\n /**\n * These are for vite's watch mode so it can accurately\n * connect to the HMR websocket & reconnect on failure\n * or when the server restarts.\n *\n * It only applies in development, and only on GET requests\n * that are part of the admin route.\n */\n\n if (\n ['development', 'test'].includes(process.env.NODE_ENV 
?? '') &&\n ctx.method === 'GET' &&\n ctx.path.startsWith(strapi.config.get('admin.path'))\n ) {\n helmetConfig = mergeConfig(helmetConfig, {\n contentSecurityPolicy: {\n directives: {\n 'script-src': [\"'self'\", \"'unsafe-inline'\"],\n 'connect-src': [\"'self'\", 'http:', 'https:', 'ws:'],\n },\n },\n });\n }\n\n return helmet(helmetConfig)(ctx, next);\n };\n"],"names":["defaults","crossOriginEmbedderPolicy","crossOriginOpenerPolicy","crossOriginResourcePolicy","originAgentCluster","contentSecurityPolicy","useDefaults","directives","upgradeInsecureRequests","xssFilter","hsts","maxAge","includeSubDomains","frameguard","action","mergeConfig","existingConfig","newConfig","mergeWith","obj","src","Array","isArray","concat","undefined","security","config","strapi","ctx","next","helmetConfig","defaultsDeep","specialPaths","plugin","service","playground","isEnabled","gqlConfig","push","method","some","str","path","startsWith","includes","process","env","NODE_ENV","get","helmet"],"mappings":";;;AAOA,MAAMA,QAAmB,GAAA;IACvBC,yBAA2B,EAAA,KAAA;IAC3BC,uBAAyB,EAAA,KAAA;IACzBC,yBAA2B,EAAA,KAAA;IAC3BC,kBAAoB,EAAA,KAAA;IACpBC,qBAAuB,EAAA;QACrBC,WAAa,EAAA,IAAA;QACbC,UAAY,EAAA;YACV,aAAe,EAAA;AAAC,gBAAA,QAAA;AAAU,gBAAA;AAAS,aAAA;YACnC,SAAW,EAAA;AAAC,gBAAA,QAAA;AAAU,gBAAA,OAAA;AAAS,gBAAA,OAAA;AAAS,gBAAA;AAAkC,aAAA;YAC1E,WAAa,EAAA;AAAC,gBAAA,QAAA;AAAU,gBAAA,OAAA;AAAS,gBAAA;AAAQ,aAAA;YACzCC,uBAAyB,EAAA;AAC3B;AACF,KAAA;IACAC,SAAW,EAAA,KAAA;IACXC,IAAM,EAAA;QACJC,MAAQ,EAAA,QAAA;QACRC,iBAAmB,EAAA;AACrB,KAAA;IACAC,UAAY,EAAA;QACVC,MAAQ,EAAA;AACV;AACF,CAAA;AAEA,MAAMC,WAAAA,GAAc,CAACC,cAAwBC,EAAAA,SAAAA,GAAAA;AAC3C,IAAA,OAAOC,UACL,CAACC,GAAAA,EAAKC,GAASC,GAAAA,KAAAA,CAAMC,OAAO,CAACH,GAAAA,CAAAA,IAAQE,KAAMC,CAAAA,OAAO,CAACF,GAAOD,CAAAA,GAAAA,GAAAA,CAAII,MAAM,CAACH,GAAAA,CAAAA,GAAOI,WAC5ER,cACAC,EAAAA,SAAAA,CAAAA;AAEJ,CAAA;AAEO,MAAMQ,WACX,CAACC,MAAAA,EAAQ,EAAEC,MAAM,EAAE,GACnB,CAACC,GAAKC,EAAAA,IAAAA,GAAAA;QACJ,IAAIC,YAAAA,GAAuBC,aAAa/B,QAAU0B,EAAAA,MAAAA,CAAAA;AAElD,QAAA,MAAMM,YAAe,GAAA;AAAC,YAAA
;AAAiB,SAAA;AAEvC,QAAA,MAAMzB,UAKF,GAAA;YACF,YAAc,EAAA;AAAC,gBAAA,QAAA;AAAU,gBAAA,iBAAA;AAAmB,gBAAA;AAAmB,aAAA;YAC/D,SAAW,EAAA;AAAC,gBAAA,QAAA;AAAU,gBAAA,OAAA;AAAS,gBAAA,kBAAA;AAAoB,gBAAA;AAAY,aAAA;AAC/D,YAAA,cAAA,EAAgB,EAAE;AAClB,YAAA,WAAA,EAAa;AACf,SAAA;;AAGA,QAAA,IAAIoB,OAAOM,MAAM,CAAC,YAAYC,OAAQ,CAAA,OAAA,CAAA,CAASC,WAAWC,SAAa,EAAA,EAAA;AACrE,YAAA,MAAM,EAAEV,MAAQW,EAAAA,SAAS,EAAE,GAAGV,MAAAA,CAAOM,MAAM,CAAC,SAAA,CAAA;YAC5CD,YAAaM,CAAAA,IAAI,CAACD,SAAU,CAAA,UAAA,CAAA,CAAA;AAE5B9B,YAAAA,UAAU,CAAC,YAAa,CAAA,CAAC+B,IAAI,CAAC,CAAC,sBAAsB,CAAC,CAAA;AACtD/B,YAAAA,UAAU,CAAC,SAAU,CAAA,CAAC+B,IAAI,CAAC,CAAC,kDAAkD,CAAC,CAAA;AAC/E/B,YAAAA,UAAU,CAAC,cAAe,CAAA,CAAC+B,IAAI,CAAC,CAAC,MAAM,CAAC,CAAA;AACxC/B,YAAAA,UAAU,CAAC,cAAA,CAAe,CAAC+B,IAAI,CAAC,kDAAA,CAAA;AAChC/B,YAAAA,UAAU,CAAC,WAAY,CAAA,CAAC+B,IAAI,CAAC,CAAC,MAAM,CAAC,CAAA;AACrC/B,YAAAA,UAAU,CAAC,WAAA,CAAY,CAAC+B,IAAI,CAAC,iCAAA,CAAA;AAC/B;;AAGA,QAAA,IAAIV,GAAIW,CAAAA,MAAM,KAAK,KAAA,IAASP,aAAaQ,IAAI,CAAC,CAACC,GAAAA,GAAQb,GAAIc,CAAAA,IAAI,CAACC,UAAU,CAACF,GAAO,CAAA,CAAA,EAAA;AAChFX,YAAAA,YAAAA,GAAef,YAAYe,YAAc,EAAA;gBACvC7B,yBAA2B,EAAA,KAAA;gBAC3BI,qBAAuB,EAAA;AACrBE,oBAAAA;AACF;AACF,aAAA,CAAA;AACF;AAEA;;;;;;;AAOC,QAED,IACE;AAAC,YAAA,aAAA;AAAe,YAAA;SAAO,CAACqC,QAAQ,CAACC,OAAQC,CAAAA,GAAG,CAACC,QAAQ,IAAI,EACzDnB,CAAAA,IAAAA,GAAAA,CAAIW,MAAM,KAAK,SACfX,GAAIc,CAAAA,IAAI,CAACC,UAAU,CAAChB,OAAOD,MAAM,CAACsB,GAAG,CAAC,YACtC,CAAA,CAAA,EAAA;AACAlB,YAAAA,YAAAA,GAAef,YAAYe,YAAc,EAAA;gBACvCzB,qBAAuB,EAAA;oBACrBE,UAAY,EAAA;wBACV,YAAc,EAAA;AAAC,4BAAA,QAAA;AAAU,4BAAA;AAAkB,yBAAA;wBAC3C,aAAe,EAAA;AAAC,4BAAA,QAAA;AAAU,4BAAA,OAAA;AAAS,4BAAA,QAAA;AAAU,4BAAA;AAAM;AACrD;AACF;AACF,aAAA,CAAA;AACF;QAEA,OAAO0C,MAAAA,CAAOnB,cAAcF,GAAKC,EAAAA,IAAAA,CAAAA;;;;;"}
1
+ {"version":3,"file":"security.mjs","sources":["../../src/middlewares/security.ts"],"sourcesContent":["import { defaultsDeep, mergeWith } from 'lodash/fp';\nimport helmet, { KoaHelmet } from 'koa-helmet';\nimport { CSP_DEFAULTS } from '@strapi/utils';\n\nimport type { Core } from '@strapi/types';\n\nexport type Config = NonNullable<Parameters<KoaHelmet>[0]>;\n\nconst defaults: Config = {\n crossOriginEmbedderPolicy: false,\n crossOriginOpenerPolicy: false,\n crossOriginResourcePolicy: false,\n originAgentCluster: false,\n contentSecurityPolicy: {\n useDefaults: true,\n directives: {\n ...CSP_DEFAULTS,\n upgradeInsecureRequests: null,\n },\n },\n xssFilter: false,\n hsts: {\n maxAge: 31536000,\n includeSubDomains: true,\n },\n frameguard: {\n action: 'sameorigin',\n },\n};\n\nconst mergeConfig = (existingConfig: Config, newConfig: Config) => {\n return mergeWith(\n (obj, src) => (Array.isArray(obj) && Array.isArray(src) ? obj.concat(src) : undefined),\n existingConfig,\n newConfig\n );\n};\n\nexport const security: Core.MiddlewareFactory<Config> =\n (config, { strapi }) =>\n (ctx, next) => {\n let helmetConfig: Config = defaultsDeep(defaults, config);\n const specialPaths = ['/documentation'];\n\n const directives: {\n 'script-src': string[];\n 'img-src': string[];\n 'manifest-src': string[];\n 'frame-src': string[];\n } = {\n 'script-src': [\"'self'\", \"'unsafe-inline'\", 'cdn.jsdelivr.net'],\n 'img-src': [\"'self'\", 'data:', 'cdn.jsdelivr.net', 'strapi.io'],\n 'manifest-src': [],\n 'frame-src': [],\n };\n\n // if apollo graphql playground is enabled, add exceptions for it\n if (strapi.plugin('graphql')?.service('utils').playground.isEnabled()) {\n const { config: gqlConfig } = strapi.plugin('graphql');\n specialPaths.push(gqlConfig('endpoint'));\n\n directives['script-src'].push(`https: 'unsafe-inline'`);\n directives['img-src'].push(`'apollo-server-landing-page.cdn.apollographql.com'`);\n directives['manifest-src'].push(`'self'`);\n 
directives['manifest-src'].push('apollo-server-landing-page.cdn.apollographql.com');\n directives['frame-src'].push(`'self'`);\n directives['frame-src'].push('sandbox.embed.apollographql.com');\n }\n\n // TODO: we shouldn't combine playground exceptions with documentation for all routes, we should first check the path and then return exceptions specific to that\n if (ctx.method === 'GET' && specialPaths.some((str) => ctx.path.startsWith(str))) {\n helmetConfig = mergeConfig(helmetConfig, {\n crossOriginEmbedderPolicy: false, // TODO: only use this for graphql playground\n contentSecurityPolicy: {\n directives,\n },\n });\n }\n\n /**\n * These are for vite's watch mode so it can accurately\n * connect to the HMR websocket & reconnect on failure\n * or when the server restarts.\n *\n * It only applies in development, and only on GET requests\n * that are part of the admin route.\n */\n\n if (\n ['development', 'test'].includes(process.env.NODE_ENV ?? '') &&\n ctx.method === 'GET' &&\n ctx.path.startsWith(strapi.config.get('admin.path'))\n ) {\n helmetConfig = mergeConfig(helmetConfig, {\n contentSecurityPolicy: {\n directives: {\n 'script-src': [\"'self'\", \"'unsafe-inline'\"],\n 'connect-src': [\"'self'\", 'http:', 'https:', 'ws:'],\n },\n },\n });\n }\n\n return helmet(helmetConfig)(ctx, next);\n 
};\n"],"names":["defaults","crossOriginEmbedderPolicy","crossOriginOpenerPolicy","crossOriginResourcePolicy","originAgentCluster","contentSecurityPolicy","useDefaults","directives","CSP_DEFAULTS","upgradeInsecureRequests","xssFilter","hsts","maxAge","includeSubDomains","frameguard","action","mergeConfig","existingConfig","newConfig","mergeWith","obj","src","Array","isArray","concat","undefined","security","config","strapi","ctx","next","helmetConfig","defaultsDeep","specialPaths","plugin","service","playground","isEnabled","gqlConfig","push","method","some","str","path","startsWith","includes","process","env","NODE_ENV","get","helmet"],"mappings":";;;;AAQA,MAAMA,QAAmB,GAAA;IACvBC,yBAA2B,EAAA,KAAA;IAC3BC,uBAAyB,EAAA,KAAA;IACzBC,yBAA2B,EAAA,KAAA;IAC3BC,kBAAoB,EAAA,KAAA;IACpBC,qBAAuB,EAAA;QACrBC,WAAa,EAAA,IAAA;QACbC,UAAY,EAAA;AACV,YAAA,GAAGC,YAAY;YACfC,uBAAyB,EAAA;AAC3B;AACF,KAAA;IACAC,SAAW,EAAA,KAAA;IACXC,IAAM,EAAA;QACJC,MAAQ,EAAA,QAAA;QACRC,iBAAmB,EAAA;AACrB,KAAA;IACAC,UAAY,EAAA;QACVC,MAAQ,EAAA;AACV;AACF,CAAA;AAEA,MAAMC,WAAAA,GAAc,CAACC,cAAwBC,EAAAA,SAAAA,GAAAA;AAC3C,IAAA,OAAOC,UACL,CAACC,GAAAA,EAAKC,GAASC,GAAAA,KAAAA,CAAMC,OAAO,CAACH,GAAAA,CAAAA,IAAQE,KAAMC,CAAAA,OAAO,CAACF,GAAOD,CAAAA,GAAAA,GAAAA,CAAII,MAAM,CAACH,GAAAA,CAAAA,GAAOI,WAC5ER,cACAC,EAAAA,SAAAA,CAAAA;AAEJ,CAAA;AAEO,MAAMQ,WACX,CAACC,MAAAA,EAAQ,EAAEC,MAAM,EAAE,GACnB,CAACC,GAAKC,EAAAA,IAAAA,GAAAA;QACJ,IAAIC,YAAAA,GAAuBC,aAAahC,QAAU2B,EAAAA,MAAAA,CAAAA;AAClD,QAAA,MAAMM,YAAe,GAAA;AAAC,YAAA;AAAiB,SAAA;AAEvC,QAAA,MAAM1B,UAKF,GAAA;YACF,YAAc,EAAA;AAAC,gBAAA,QAAA;AAAU,gBAAA,iBAAA;AAAmB,gBAAA;AAAmB,aAAA;YAC/D,SAAW,EAAA;AAAC,gBAAA,QAAA;AAAU,gBAAA,OAAA;AAAS,gBAAA,kBAAA;AAAoB,gBAAA;AAAY,aAAA;AAC/D,YAAA,cAAA,EAAgB,EAAE;AAClB,YAAA,WAAA,EAAa;AACf,SAAA;;AAGA,QAAA,IAAIqB,OAAOM,MAAM,CAAC,YAAYC,OAAQ,CAAA,OAAA,CAAA,CAASC,WAAWC,SAAa,EAAA,EAAA;AACrE,YAAA,MAAM,EAAEV,MAAQW,EAAAA,SAAS,EAAE,GAAGV,MAAAA,CAAOM,MAAM,CAAC,SAAA,CAAA;YAC5CD,YAAaM,CAAAA,IAAI,CAACD,SAAU,CAAA,UAAA,CAAA,CAAA;AAE5B/B,YAAAA,UAAU,CAAC,YAAa,CAAA,CAACgC,IAAI,CAAC
,CAAC,sBAAsB,CAAC,CAAA;AACtDhC,YAAAA,UAAU,CAAC,SAAU,CAAA,CAACgC,IAAI,CAAC,CAAC,kDAAkD,CAAC,CAAA;AAC/EhC,YAAAA,UAAU,CAAC,cAAe,CAAA,CAACgC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAA;AACxChC,YAAAA,UAAU,CAAC,cAAA,CAAe,CAACgC,IAAI,CAAC,kDAAA,CAAA;AAChChC,YAAAA,UAAU,CAAC,WAAY,CAAA,CAACgC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAA;AACrChC,YAAAA,UAAU,CAAC,WAAA,CAAY,CAACgC,IAAI,CAAC,iCAAA,CAAA;AAC/B;;AAGA,QAAA,IAAIV,GAAIW,CAAAA,MAAM,KAAK,KAAA,IAASP,aAAaQ,IAAI,CAAC,CAACC,GAAAA,GAAQb,GAAIc,CAAAA,IAAI,CAACC,UAAU,CAACF,GAAO,CAAA,CAAA,EAAA;AAChFX,YAAAA,YAAAA,GAAef,YAAYe,YAAc,EAAA;gBACvC9B,yBAA2B,EAAA,KAAA;gBAC3BI,qBAAuB,EAAA;AACrBE,oBAAAA;AACF;AACF,aAAA,CAAA;AACF;AAEA;;;;;;;AAOC,QAED,IACE;AAAC,YAAA,aAAA;AAAe,YAAA;SAAO,CAACsC,QAAQ,CAACC,OAAQC,CAAAA,GAAG,CAACC,QAAQ,IAAI,EACzDnB,CAAAA,IAAAA,GAAAA,CAAIW,MAAM,KAAK,SACfX,GAAIc,CAAAA,IAAI,CAACC,UAAU,CAAChB,OAAOD,MAAM,CAACsB,GAAG,CAAC,YACtC,CAAA,CAAA,EAAA;AACAlB,YAAAA,YAAAA,GAAef,YAAYe,YAAc,EAAA;gBACvC1B,qBAAuB,EAAA;oBACrBE,UAAY,EAAA;wBACV,YAAc,EAAA;AAAC,4BAAA,QAAA;AAAU,4BAAA;AAAkB,yBAAA;wBAC3C,aAAe,EAAA;AAAC,4BAAA,QAAA;AAAU,4BAAA,OAAA;AAAS,4BAAA,QAAA;AAAU,4BAAA;AAAM;AACrD;AACF;AACF,aAAA,CAAA;AACF;QAEA,OAAO2C,MAAAA,CAAOnB,cAAcF,GAAKC,EAAAA,IAAAA,CAAAA;;;;;"}
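--- a/package/dist/migrations/database/5.0.0-discard-drafts.d.ts
+++ b/package/dist/migrations/database/5.0.0-discard-drafts.d.ts
@@ -1,14 +1,28 @@
  /**
- * This migration is responsible for creating the draft counterpart for all the entries that were in a published state.
+ * Migration overview
+ * ===================
+ * 1. Create bare draft rows for every published entry, cloning only scalar fields (no relations/components yet).
+ * We do this with a single INSERT … SELECT per content type to avoid touching the document service for every single v4 entry.
  *
- * In v4, entries could either be in a draft or published state, but not both at the same time.
- * In v5, we introduced the concept of document, and an entry can be in a draft or published state.
+ * 2. Rewire all relations so the newly created drafts behave exactly like calling `documentService.discardDraft()`
+ * on every published entry:
+ * - Join-table relations (self, manyToMany, etc.) are copied in bulk.
+ * - Foreign keys (joinColumn relations) are updated so draft rows point to draft targets.
+ * - Component relations are copied while respecting the discard logic: each draft gets its own component instance,
+ * and the component’s relations (including nested components) are remapped to draft targets.
  *
- * This means the migration needs to create the draft counterpart if an entry was published.
+ * 3. Components are duplicated at the database layer (new component rows + join-table rows). We deliberately clone
+ * instead of sharing component IDs so that draft edits don’t mutate published data.
  *
- * This migration performs the following steps:
- * 1. Creates draft entries for all published entries, without it's components, dynamic zones or relations.
- * 2. Using the document service, discard those same drafts to copy its relations.
+ * Why we do it this way
+ * ----------------------
+ * Efficiency: calling the document service per entry would issue several queries per relation/component. The SQL
+ * batches mirror the service’s behavior but execute in O(content types × batches), so the migration scales to
+ * millions of entries.
+
+ * • Memory safety: any caches that track per-record information (component parent lookups, clone maps) are scoped to
+ * a single batch of 1,000 entries. Schema-level caches (component metadata, join table names) remain global because
+ * they’re tiny and reused.
  */
  import type { Database, Migration } from '@strapi/database';
  type DocumentVersion = {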
@@ -1 +1 @@
1
- {"version":3,"file":"5.0.0-discard-drafts.d.ts","sourceRoot":"","sources":["../../../src/migrations/database/5.0.0-discard-drafts.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH,OAAO,KAAK,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAI5D,KAAK,eAAe,GAAG;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC;AAC9D,KAAK,IAAI,GAAG,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAqF3C;;;;;GAKG;AACH,wBAAuB,iBAAiB,CAAC,EACvC,EAAE,EACF,GAAG,EACH,GAAG,EACH,gBAAuB,GACxB,EAAE;IACD,EAAE,EAAE,QAAQ,CAAC;IACb,GAAG,EAAE,IAAI,CAAC;IACV,GAAG,EAAE,MAAM,CAAC;IACZ,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B,oDAgCA;AA2DD,eAAO,MAAM,qBAAqB,EAAE,SAQnC,CAAC"}
1
+ {"version":3,"file":"5.0.0-discard-drafts.d.ts","sourceRoot":"","sources":["../../../src/migrations/database/5.0.0-discard-drafts.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAIH,OAAO,KAAK,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAW5D,KAAK,eAAe,GAAG;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC;AAC9D,KAAK,IAAI,GAAG,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AA8pE3C;;;;;GAKG;AACH,wBAAuB,iBAAiB,CAAC,EACvC,EAAE,EACF,GAAG,EACH,GAAG,EACH,gBAAuB,GACxB,EAAE;IACD,EAAE,EAAE,QAAQ,CAAC;IACb,GAAG,EAAE,IAAI,CAAC;IACV,GAAG,EAAE,MAAM,CAAC;IACZ,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B,oDAgCA;AAED,eAAO,MAAM,qBAAqB,EAAE,SAQnC,CAAC"}