apostrophe 4.30.0 → 4.30.1-beta.1

package/CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## 4.30.1
+
+### Patch Changes
+
+- Sites with a custom filterByIndexPage method no longer experience failures in the sitemap module and potential creeping CPU performance penalties. A regression introduced with our static site support, but not specific to static sites.
+
 ## 4.30.0
 
 ### Adds
@@ -21,7 +27,7 @@
 - **XSS via full name field:** A malicious full name containing HTML was executed in the page title tooltip in the admin bar, posing an XSS risk to other users. All multi-user projects should update promptly. Thanks to [Muhammad Uwais](https://github.com/MuhammadUwais) for reporting.
 - **XSS via image widget link URL:** Users with editing privileges could trigger arbitrary JavaScript via a `javascript:` URL in the image widget's link URL field. A migration is included to strip any such URLs already in the database. Thanks to [Muhammad Uwais](https://github.com/MuhammadUwais) for reporting.
 - **SSRF via rich text HTML import:** The rich text widget's HTML import feature no longer fetches images from arbitrary hosts, which could be used to probe internal networks or exfiltrate internal images. Configure `imageImportAllowedHostnames` on `@apostrophecms/rich-text-widget` to opt in. Thanks to [Yiğit Şengezer](https://github.com/yigitsengezer) and [Sainithin0309](https://github.com/Sainithin0309) for reporting.
--  **the xmp tag could be used to pass forbidden markup through sanitize-html**, even when xmp itself. This was fixed in `sanitize-html` and the dependency was bumped. Thanks to [Vincenzo Turturro](https://github.com/sushi-gif) for reporting the vulnerability.
+- **the xmp tag could be used to pass forbidden markup through sanitize-html**, even when xmp itself. This was fixed in `sanitize-html` and the dependency was bumped. Thanks to [Vincenzo Turturro](https://github.com/sushi-gif) for reporting the vulnerability.
 - **the `linkHref` field of image widgets was an XSS vulnerability** because it did not use the `url` field type. This means that a user with editing privileges could potentially carry out XSS. In addition, we have updated the `launder` module to sanitize URLs more robustly for the `url` field type, and bumped that dependency. Also, a database migration is included to clean any XSS attacks that could be present in existing links. Thanks to [Muhammad Uwais](https://github.com/MuhammadUwais) for reporting the issue.
 
 ### Accessibility
@@ -33,7 +39,6 @@
 - Fixed `.apos-sr-only` so screen-reader-only content is correctly exposed to the accessibility tree.
 - Icon-only context-utility buttons in the admin bar tray (e.g. the global settings cog) now expose their action via `aria-label`.
 
-
 ## 4.29.0 (2026-04-15)
 
 ### Adds

package/modules/@apostrophecms/piece-page-type/index.js

@@ -427,7 +427,14 @@ module.exports = {
           return metadata;
         }
         const [ pm ] = metadata;
+        // indexQuery is designed to be called with the
+        // index page in question as req.data.page. To
+        // reuse it for URL metadata purposes we must
+        // meet that expectation
+        const pageWas = req.data.page;
+        req.data.page = doc;
         const query = self.indexQuery(req);
+        req.data.page = pageWas;
         const filters = await self.getFiltersWithChoices(query, { allCounts: true });
 
         // 1. Enumerate every filter + choice combination

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "apostrophe",
-  "version": "4.30.0",
+  "version": "4.30.1-beta.1",
   "description": "The Apostrophe Content Management System.",
   "main": "index.js",
   "repository": {
@@ -117,12 +117,12 @@
     "webpack-merge": "^5.7.3",
     "xregexp": "^2.0.0",
     "@apostrophecms/emulate-mongo-3-driver": "^1.0.6",
-    "broadband": "^1.1.0",
     "boring": "^1.1.1",
     "express-cache-on-demand": "^1.0.4",
+    "broadband": "^1.1.0",
     "launder": "^1.7.1",
-    "oembetter": "^1.1.4",
     "postcss-viewport-to-container-toggle": "^2.3.0",
+    "oembetter": "^1.2.0",
     "sanitize-html": "^2.17.4",
     "uploadfs": "^1.26.1"
   },
@@ -132,8 +132,8 @@
     "mocha": "^11.7.5",
     "nyc": "^17.1.0",
     "stylelint": "^16.5.0",
-    "stylelint-config-apostrophe": "^4.4.0",
-    "eslint-config-apostrophe": "^6.0.2"
+    "eslint-config-apostrophe": "^6.0.2",
+    "stylelint-config-apostrophe": "^4.4.0"
   },
   "browserslist": [
     "ie >= 10"

package/.claude/settings.local.json

@@ -1,15 +0,0 @@
-{
-  "permissions": {
-    "allow": [
-      "Bash(timeout 180 npx mocha:*)",
-      "Bash(timeout 600 npx mocha:*)",
-      "Bash(npm ls:*)",
-      "Bash(timeout 540 npx mocha:*)",
-      "Bash(echo:*)",
-      "Bash(timeout 10 node:*)",
-      "Bash(timeout 300 npx mocha:*)",
-      "Bash(timeout 60 npx mocha:*)",
-      "Bash(timeout 120 npx mocha:*)"
-    ]
-  }
-}

package/test/add-missing-schema-fields-project/node_modules/.package-lock.json

@@ -1,131 +0,0 @@
-{
-  "name": "add-missing-schema-fields-project",
-  "version": "1.0.0",
-  "lockfileVersion": 3,
-  "requires": true,
-  "packages": {
-    "../..": {
-      "version": "4.28.0",
-      "license": "MIT",
-      "dependencies": {
-        "@apostrophecms/emulate-mongo-3-driver": "workspace:^",
-        "@apostrophecms/vue-material-design-icons": "^1.0.0",
-        "@ctrl/tinycolor": "^4.1.0",
-        "@floating-ui/dom": "^1.5.3",
-        "@opentelemetry/api": "^1.9.0",
-        "@opentelemetry/semantic-conventions": "^1.0.1",
-        "@paralleldrive/cuid2": "^2.2.2",
-        "@tiptap/extension-color": "^2.4.0",
-        "@tiptap/extension-floating-menu": "^2.0.3",
-        "@tiptap/extension-highlight": "^2.0.3",
-        "@tiptap/extension-link": "^2.0.3",
-        "@tiptap/extension-placeholder": "^2.0.3",
-        "@tiptap/extension-subscript": "^2.0.3",
-        "@tiptap/extension-superscript": "^2.0.3",
-        "@tiptap/extension-table": "^2.0.3",
-        "@tiptap/extension-table-cell": "^2.0.3",
-        "@tiptap/extension-table-header": "^2.0.3",
-        "@tiptap/extension-table-row": "^2.0.3",
-        "@tiptap/extension-text-align": "^2.0.3",
-        "@tiptap/extension-text-style": "^2.0.3",
-        "@tiptap/extension-underline": "^2.0.3",
-        "@tiptap/starter-kit": "^2.0.3",
-        "@tiptap/vue-3": "^2.0.3",
-        "@vue/compiler-sfc": "^3.3.8",
-        "autoprefixer": "^10.4.1",
-        "bluebird": "^3.7.2",
-        "body-parser": "^1.18.2",
-        "boring": "workspace:^",
-        "broadband": "workspace:^",
-        "cheerio": "^1.0.0-rc.10",
-        "chokidar": "^3.5.2",
-        "common-tags": "^1.8.0",
-        "concat-with-sourcemaps": "^1.1.0",
-        "connect-mongo": "^5.1.0",
-        "cookie-parser": "^1.4.5",
-        "cors": "^2.8.5",
-        "css-loader": "^5.2.4",
-        "cssnano": "^7.1.1",
-        "csv-parse": "^5.6.0",
-        "dayjs": "^1.9.8",
-        "dompurify": "^3.2.5",
-        "encodeurl": "^2.0.0",
-        "express": "^4.16.4",
-        "express-bearer-token": "^3.0.0",
-        "express-cache-on-demand": "workspace:^",
-        "express-session": "^1.18.2",
-        "fs-extra": "^7.0.1",
-        "glob": "^10.4.5",
-        "he": "^1.2.0",
-        "html-to-text": "^9.0.5",
-        "i18next": "^20.3.2",
-        "i18next-http-middleware": "^3.1.5",
-        "import-fresh": "^3.3.0",
-        "is-wsl": "^2.2.0",
-        "jsdom": "^24.1.0",
-        "klona": "^2.0.4",
-        "launder": "^1.4.0",
-        "lodash": "^4.17.21",
-        "mini-css-extract-plugin": "^1.6.0",
-        "minimatch": "^3.0.4",
-        "mkdirp": "^0.5.5",
-        "multer": "^2.0.2",
-        "node-fetch": "^2.6.1",
-        "nodemailer": "^7.0.10",
-        "nunjucks": "^3.2.1",
-        "oembetter": "^1.1.3",
-        "parseurl": "^1.3.3",
-        "passport": "^0.6.0",
-        "passport-local": "^1.0.0",
-        "path-to-regexp": "^1.8.0",
-        "performance-now": "^2.1.0",
-        "pinia": "^2.1.7",
-        "postcss": "^8.4.47",
-        "postcss-html": "^1.3.0",
-        "postcss-loader": "^8.1.1",
-        "postcss-scss": "^4.0.3",
-        "postcss-viewport-to-container-toggle": "workspace:^",
-        "prompts": "^2.4.1",
-        "qs": "^6.10.1",
-        "regexp-quote": "0.0.0",
-        "resolve": "^1.19.0",
-        "resolve-from": "^5.0.0",
-        "sanitize-html": "workspace:^",
-        "sass": "^1.80.3",
-        "sass-loader": "^16.0.0",
-        "server-destroy": "^1.0.1",
-        "sluggo": "^1.0.0",
-        "sortablejs": "^1.15.0",
-        "sortablejs-vue3": "^1.2.11",
-        "tiny-emitter": "^2.1.0",
-        "tough-cookie": "^4.0.0",
-        "underscore.string": "^3.3.4",
-        "uploadfs": "workspace:^",
-        "void-elements": "^3.1.0",
-        "vue": "^3.5.20",
-        "vue-advanced-cropper": "^2.8.8",
-        "vue-loader": "^17.1.0",
-        "vue-style-loader": "^4.1.3",
-        "webpack": "^5.72.0",
-        "webpack-merge": "^5.7.3",
-        "xregexp": "^2.0.0"
-      },
-      "devDependencies": {
-        "eslint": "^9.39.1",
-        "eslint-config-apostrophe": "workspace:^",
-        "form-data": "^4.0.4",
-        "mocha": "^11.7.1",
-        "nyc": "^17.1.0",
-        "stylelint": "^16.5.0",
-        "stylelint-config-apostrophe": "workspace:^"
-      },
-      "engines": {
-        "node": ">=16.0.0"
-      }
-    },
-    "node_modules/apostrophe": {
-      "resolved": "../..",
-      "link": true
-    }
-  }
-}