apostrophe 3.58.0 → 3.58.1

package/CHANGELOG.md

@@ -1,5 +1,21 @@
 # Changelog
 
+## 3.58.1 (2023-10-18)
+
+### Security
+
+* Update `uploadfs` to guarantee users get a fix for a [potential security vulnerability in `sharp`](https://security.snyk.io/vuln/SNYK-JS-SHARP-5922108).
+This was theoretically exploitable only by users with permission to upload media to Apostrophe
+* Remove the webpack bundle analyzer feature, which had been nonfunctional for some time, to address a harmless npm audit warning
+* Note: there is one remaining `npm audit` warning regarding `postcss`. This is not a true vulnerability because only developers
+with access to the entire codebase can modify styles passed to `postcss` by Apostrophe, but we are working with upstream
+developers to determine the best steps to clear the warning
+
+### Fixes
+
+* Automatically add `type` to the projection only if there are no exclusions in the projection. Needed to prevent `Cannot do
+exclusion on field in inclusion projection` error.
+
 ## 3.58.0 (2023-10-12)
 
 ### Fixes

package/DEVELOPMENT.md

@@ -10,15 +10,3 @@ We generally aim to follow [Vue best practices](https://vuejs.org/v2/style-guide
 ### UI component styles
 
 As a rule, all user interface components should have their styles scoped (using the `scoped` attribute). This helps us write simpler CSS selectors and avoide a certain amount of style "bleed" across components. Global styles, and styles for top level Vue apps (e.g., `TheAposNotifications`), should be in `.scss` files and imported into the import file: `/modules/@apostrophecms/ui/ui/apos/scss/imports.scss`.
-
-## Analyzing bundle size
-
-It is possible to analyze the size of the admin UI webpack bundle:
-
-```
-APOS_BUNDLE_ANALYZER=1 node app @apostrophecms/asset:build
-```
-
-This will display a visualization in your browser.
-
-As of this writing, we are not optimizing the webpack build for production, so expect to see big numbers.

package/modules/@apostrophecms/asset/index.js

@@ -253,13 +253,6 @@ module.exports = {
 
           await deploy(deployFiles);
 
-          if (process.env.APOS_BUNDLE_ANALYZER) {
-            return new Promise((resolve, reject) => {
-              // Intentionally never resolve it, so the task never exits
-              // and the UI stays up
-            });
-          }
-
           async function moduleOverrides(modulesDir, source, pnpmPaths) {
             await fs.remove(modulesDir);
             await fs.mkdirp(modulesDir);

package/modules/@apostrophecms/asset/lib/webpack/apos/webpack.config.js

@@ -4,12 +4,6 @@ const scss = require('./webpack.scss');
 const vue = require('./webpack.vue');
 const js = require('./webpack.js');
 
-let BundleAnalyzerPlugin;
-
-if (process.env.APOS_BUNDLE_ANALYZER) {
-  BundleAnalyzerPlugin = require('webpack-bundle-analyzer').BundleAnalyzerPlugin;
-}
-
 module.exports = ({
   importFile,
   modulesDir,
@@ -84,8 +78,7 @@ module.exports = ({
       ],
       symlinks: false
     },
-    stats: 'verbose',
-    plugins: process.env.APOS_BUNDLE_ANALYZER ? [ new BundleAnalyzerPlugin() ] : []
+    stats: 'verbose'
   };
 
   return merge(config, ...tasks);

package/modules/@apostrophecms/asset/lib/webpack/apos/webpack.vue.js

@@ -1,4 +1,4 @@
-const VueLoaderPlugin = require('vue-loader/lib/plugin');
+const { VueLoaderPlugin } = require('vue-loader');
 
 module.exports = (options, apos) => {
   return {

package/modules/@apostrophecms/asset/lib/webpack/src/webpack.config.js

@@ -3,12 +3,6 @@ const merge = require('webpack-merge').merge;
 const scssTask = require('./webpack.scss');
 const srcBuildNames = [ 'src-build', 'src-es5-build' ];
 
-let BundleAnalyzerPlugin;
-
-if (process.env.APOS_BUNDLE_ANALYZER) {
-  BundleAnalyzerPlugin = require('webpack-bundle-analyzer').BundleAnalyzerPlugin;
-}
-
 module.exports = ({
   importFile,
   modulesDir,
@@ -99,7 +93,7 @@ module.exports = ({
       symlinks: false
     },
     stats: 'verbose',
-    plugins: process.env.APOS_BUNDLE_ANALYZER ? [ new BundleAnalyzerPlugin() ] : []
+    plugins: []
   };
 
   if (es5) {

package/modules/@apostrophecms/doc-type/index.js

@@ -1626,7 +1626,8 @@ module.exports = {
             const remove = [];
 
             // Add type in projection by default
-            if (!_.isEmpty(projection)) {
+            const hasExclusion = Object.values(projection).some(value => !value);
+            if (!_.isEmpty(projection) && !hasExclusion) {
               add.push('type');
             }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "apostrophe",
-  "version": "3.58.0",
+  "version": "3.58.1",
   "description": "The Apostrophe Content Management System.",
   "main": "index.js",
   "scripts": {
@@ -130,7 +130,7 @@
     "tinycolor2": "^1.4.2",
     "tough-cookie": "^4.0.0",
     "underscore.string": "^3.3.4",
-    "uploadfs": "^1.22.1",
+    "uploadfs": "^1.22.3",
     "v-tooltip": "^2.0.3",
     "vue": "^2.6.14",
     "vue-advanced-cropper": "^1.10.1",
@@ -157,8 +157,7 @@
     "stylelint": "^14.6.1",
     "stylelint-declaration-strict-value": "^1.8.0",
     "stylelint-order": "^5.0.0",
-    "vue-eslint-parser": "^7.1.1",
-    "webpack-bundle-analyzer": "^3.9.0"
+    "vue-eslint-parser": "^7.1.1"
   },
   "browserslist": [
     "ie >= 10"

package/test/pieces.js

@@ -1005,6 +1005,21 @@ describe('Pieces', function() {
     assert([ '_id', 'type', 'title' ].every(expectedKey => keys.includes(expectedKey)));
   });
 
+  it('can GET a single product using projections with fields omission', async function() {
+    const response = await apos.http.get(`/api/v1/product/${relatedProductId}`, {
+      qs: {
+        project: {
+          highSearchText: 0,
+          highSearchWords: 0,
+          lowSearchText: 0,
+          searchSummary: 0
+        }
+      }
+    });
+
+    assert(response);
+  });
+
   it('can GET a single article with reverse relationships', async function() {
     const response = await apos.http.get(`/api/v1/article/${relatedArticleId}`);
     assert(response);