apostrophe 4.30.1-beta.1 → 4.31.0-alpha.1

package/CHANGELOG.md

@@ -1,10 +1,70 @@
 # Changelog
 
-## 4.30.1
+## 4.31.0
+
+### Minor Changes
+
+- 33bb4c0: Added support for `draggable: false` on non-inline `array` schema fields. Previously this option was only respected when `inline: true`. When set on a standard (modal-based) array field, drag-and-drop reordering and keyboard reordering are now disabled in the array editor's slat list.
+- dfd25cf: Introduced support for postgres://, sqlite://, and multipostgres:// database URIs in addition to mongodb://. The new db-connect API supports all of the database operations currently used in our own core, pro and multisite modules. For more information see the documentation.
+- 950927d: The session secret and the uploadfs `disabledFileKey` can now be supplied via the `APOS_SESSION_SECRET` and `APOS_UPLOADFS_DISABLED_FILE_KEY` environment variables. As with other Apostrophe environment variables, these take precedence over the corresponding `app.js` configuration.
+- cf1a639: Fixed an issue where using the Tab key to navigate within modals could incorrectly jump focus to a wrong element instead of the next input field.
+
+  Fixed Tab navigation escaping out of modals when the form contained hidden sections or elements that became disabled after editing.
+
+- 77a2968: Fix layout widget not regaining full focus on switching back to Edit content mode.
+- f67c272: Fixed adding or removing an area field from a schema breaking existing documents on an external front such as Astro.
+
+  - `AposArea` now renders only schema-backed areas. A missing area no longer throws, and an area orphaned by removing its field from the schema (while its content remains in the document) renders nothing instead of breaking sibling areas in edit mode. Logged-in editors get a diagnostic message in place of an orphaned area; anonymous visitors see nothing.
+  - Editable documents sent to an external front now materialize empty area objects for schema area fields added after the document was created, so they can be edited in context.
+  - `apos.util.getManagerOf` accepts a `{ log }` option to suppress its error log when probing objects that may not have a manager.
+
+- bc8f7be: Editors can now control the layout-widget gap through the styles system, both site-wide via a global `layoutGap` preset and per widget via a `gap` styles field. New Layout widget option `className` allows for additional CSS class names to be added to the widget Grid container.
 
 ### Patch Changes
 
-- Sites with a custom filterByIndexPage method no longer experience failures in the sitemap module and potential creeping CPU performance penalties. A regression introduced with our static site support, but not specific to static sites.
+- 2e2f3b4: Accessibility: corrected ARIA semantics on the top admin navigation bar.
+- 2e2f3b4: Accessibility: improvements to the document context title (admin bar middle group) and the underlying `AposContextMenu` machinery.
+- 2e2f3b4: Accessibility: improve the locale switcher (`AposLocalePicker`).
+- 2e2f3b4: Accessibility: the Recently Edited Documents tray icon (admin bar) now exposes its action through `aria-label`.
+- 2e2f3b4: Accessibility: fix `.apos-sr-only` so screen-reader-only content is exposed to the accessibility tree.
+- 2e2f3b4: Accessibility: icon-only context-utility buttons in the admin bar tray (e.g. the global settings cog) now expose their action through `aria-label`.
+- 41670a3: Security fix: the password reset request feature will refuse to operate unless the baseUrl option or the APOS_BASE_URL environment variable has been set (note that this is automatic in multisite projects). This fix is necessary to prevent a vulnerability that can be used to convince ApostropheCMS to send emails containing links to other sites. It is only a vulnerability if you have enabled the passwordReset: true option for the login module. Thanks to [SPIDY](https://github.com/Mujahidkhan525) for reporting the issue.
+- 9f458b5: Fix illegal HTML id attribute values generated by the admin UI
+- 08845c5: - Removed duplicate <meta charset> tag from `outerLayoutBase.html`
+  - Standardized charset to utf-8 (the legacy configuration option is now ignored). Per the spec this is the only legal setting, so we classify this as a bug fix
+  - Altered unused/legacy i18n template helper to return `utf-8`, ensuring backwards compatibility
+- b9b32bd: Keyboard shortcuts for widget operations (copy, cut, paste, duplicate, remove) no longer block the browser's native clipboard behavior when no widget is focused. Previously, selecting and copying text on a page while logged in was prevented by the admin UI intercepting those shortcuts unconditionally.
+- 2191c8a: Fix more admin UI a11y issues
+- 08dfcac: Security: a malicious full name containing HTML was executed as HTML in the tooltip displayed with an "i" icon next to the title of the current page, creating an
+  XSS attack risk versus other users. Since most projects permit users to change their full name (the "title" property), All projects with multiple users should be
+  updated promptly to close this vulnerability. Thanks to [Muhammad Uwais](https://github.com/MuhammadUwais) for reporting the issue.
+- 5d1a028: Security: launder now uses and exports the best available naughtyHref function for detecting malicious URLs. sanitize-html now depends on it, and apostrophe now uses type: 'url' for the link URL field of image widgets, which leverages it. Prior to this fix, it was possible for any user with editing privileges, including a contributor, to trigger arbitrary JavaScript via a javascript: URL in the link URL field of an image widget. A migration has been included to strip any such malicious URLs already present in the database. All users of apostrophe are encouraged to upgrade to get this security fix. Thanks to [Muhammad Uwais](https://github.com/MuhammadUwais) for reporting the issue.
+- 8098017: Security: the HTML import feature of the rich text widget no longer permits images to be fetched
+  from arbitrary hosts. This could be used to probe internal networks, and to exfiltrate images from
+  internal hosts if their URLs were known. Instead, the `imageImportAllowedHostnames` option of the
+  `@apostrophecms/rich-text-widget` must be configured to opt into that feature.
+
+  Thanks to [Yiğit Şengezer](https://github.com/yigitsengezer) and [Sainithin0309](https://github.com/Sainithin0309) for reporting this issue.
+
+- b7f9ad5: Sites with a custom filterByIndexPage method no longer experience failures in the sitemap module and potential creeping CPU performance penalties. A regression introduced with our static site support, but not specific to static sites.
+- b360b05: fixes issue where orderable table array items drag the entire floating window
+- e9b3bac: apostrophe and oembetter have been updated to eliminate a number of services that formerly supported
+  oembed for the general public, but no longer do so. While there is no security risk today, removing
+  these ensures that if these domains are ever allowed to lapse, they do not become an XSS
+  attack vector in the future.
+
+  Because oembed responses are not always iframes, it is important that this list be maintained
+  over time. In addition, developers always have the option to prune it on their own by setting
+  the new minimumAllowlist and minimumEndpoints options of the @apostrophecms/oembed module.
+
+  Thanks to [Sainithin0309](https://github.com/Sainithin0309) for pointing out the potential
+  long-term security concern.
+
+- Updated dependencies [862d760]
+- Updated dependencies [5d1a028]
+- Updated dependencies [8d4c882]
+  - sanitize-html@2.17.5
+  - launder@1.7.2
 
 ## 4.30.0
 

package/claude-tools/detect-handles.js

@@ -0,0 +1,46 @@
+// Require this before running mocha to detect what activates process.stdin
+// Usage: npx mocha -t 10000 --require ./claude-tools/detect-handles.js test/assets.js
+
+console.log(`stdin paused at startup: ${process.stdin.isPaused()}`);
+console.log(`stdin readableFlowing at startup: ${process.stdin.readableFlowing}`);
+
+// Monkey-patch stdin.resume to capture the call stack
+const origResume = process.stdin.resume.bind(process.stdin);
+process.stdin.resume = function(...args) {
+  console.log('\n=== process.stdin.resume() called ===');
+  console.log(new Error().stack);
+  return origResume(...args);
+};
+
+// Monkey-patch stdin.on to detect 'data' listener additions
+const origOn = process.stdin.on.bind(process.stdin);
+process.stdin.on = function(event, ...args) {
+  if (event === 'data' || event === 'readable') {
+    console.log(`\n=== process.stdin.on('${event}') called ===`);
+    console.log(new Error().stack);
+  }
+  return origOn(event, ...args);
+};
+
+// Periodically check stdin state changes
+let lastState = process.stdin.readableFlowing;
+const checker = setInterval(() => {
+  if (process.stdin.readableFlowing !== lastState) {
+    console.log(`\n=== stdin readableFlowing changed: ${lastState} -> ${process.stdin.readableFlowing} ===`);
+    console.log(new Error().stack);
+    lastState = process.stdin.readableFlowing;
+  }
+}, 100);
+checker.unref();
+
+const origRun = require('mocha/lib/runner').prototype.run;
+require('mocha/lib/runner').prototype.run = function(fn) {
+  return origRun.call(this, function(failures) {
+    console.log(`\nstdin paused at end: ${process.stdin.isPaused()}`);
+    console.log(`stdin readableFlowing at end: ${process.stdin.readableFlowing}`);
+    setTimeout(() => {
+      process.exit(failures ? 3 : 0);
+    }, 2000);
+    if (fn) fn(failures);
+  });
+};

package/claude-tools/minimal-hang-test.js

@@ -0,0 +1,28 @@
+// Minimal test to isolate what causes the hang.
+// Must reference the test/ directory as root for proper module resolution.
+const t = require('../test-lib/test.js');
+const path = require('path');
+
+// Fake a module object rooted in test/ like the real tests do
+const fakeModule = {
+  id: path.join(__dirname, '../test/fake'),
+  filename: path.join(__dirname, '../test/fake.js'),
+  paths: [path.join(__dirname, '../test/node_modules')]
+};
+
+describe('Minimal hang test', function() {
+  this.timeout(60000);
+  let apos;
+
+  after(async function() {
+    await t.destroy(apos);
+    console.log('after: destroy complete');
+  });
+
+  it('should create and use apos without hanging', async function() {
+    apos = await t.create({
+      root: fakeModule
+    });
+    console.log('apos created successfully');
+  });
+});

package/claude-tools/mongo-close-test.js

@@ -0,0 +1,11 @@
+// Test whether a MongoDB connection keeps the process alive after close()
+const mongoConnect = require('../../../packages/db-connect/lib/mongodb-connect');
+
+(async () => {
+  const uri = 'mongodb://localhost:27017/test_handle_leak';
+  console.log('Connecting...');
+  const client = await mongoConnect(uri);
+  console.log('Connected. Closing...');
+  await client.close();
+  console.log('Closed. Process should exit now if no leaked handles.');
+})();

package/claude-tools/stdin-ref-test.js

@@ -0,0 +1,14 @@
+// Check if process.stdin keeps the process alive
+// If this script hangs, stdin is ref'd. If it exits, stdin is unref'd.
+
+console.log(`stdin isTTY: ${process.stdin.isTTY}`);
+console.log(`stdin readableFlowing: ${process.stdin.readableFlowing}`);
+console.log(`stdin isPaused: ${process.stdin.isPaused()}`);
+
+// Check ref status
+if (typeof process.stdin.unref === 'function') {
+  console.log('stdin has unref method');
+}
+
+console.log('Waiting to see if process exits on its own...');
+// Don't do anything - just see if the process exits

package/eslint.config.js

@@ -7,7 +7,9 @@ module.exports = defineConfig([
     '**/blueimp/**/*.js',
     'test/public',
     'test/apos-build',
-    'coverage'
+    'test/modules/jsx-mixed-test/views/syntax-error.jsx',
+    'coverage',
+    'claude-tools'
   ]),
   apostrophe
 ]);

package/modules/@apostrophecms/area/index.js

@@ -140,7 +140,7 @@ module.exports = {
               // so this logic is reproduced partially
               self.apos.doc.walk(area, (o, k, v) => {
                 if (v && v.metaType === 'area') {
-                  const manager = self.apos.util.getManagerOf(o);
+                  const manager = self.apos.util.getManagerOf(o, { log: false });
                   if (!manager) {
                     self.apos.util.warnDevOnce(
                       'noManagerForDocInExternalFront',
@@ -285,6 +285,95 @@ module.exports = {
           self.missingWidgetTypes[name] = true;
         }
       },
+      // Build an empty area and attach it to `parent[name]`. When the area's
+      // location can be resolved inside the *persisted* document, also stub it
+      // into the database so the backend recognizes it for later edits.
+      // Returns the area.
+      //
+      // Options:
+      // - `throwIfNotFound` (default `false`): when `parent` is doc-backed but
+      //   the document or the container cannot be located in the database,
+      //   throw a `notfound` error instead of returning an in-memory-only
+      //   stub. The `{% area %}` tag opts in to preserve its historical
+      //   behavior; the external front annotator leaves it off so a render is
+      //   never brought down by such a case.
+      //
+      // Used by the `{% area %}` tag and the external front annotator as the
+      // single source of truth for stubbing schema areas that have no value
+      // yet.
+      async addMissingArea(parent, name, { throwIfNotFound = false } = {}) {
+        const area = {
+          metaType: 'area',
+          _id: self.apos.util.generateId(),
+          items: []
+        };
+        parent[name] = area;
+
+        const docId = parent._docId ??
+          (parent.metaType === 'doc' ? parent._id : null);
+        const areaDotPath = await self.resolvePersistedAreaDotPath(parent, name);
+        if (!areaDotPath) {
+          if (throwIfNotFound && docId) {
+            throw self.apos.error('notfound');
+          }
+          return area;
+        }
+
+        const result = await self.apos.doc.db.updateOne(
+          {
+            _id: docId,
+            // Idempotent and race-safe: only write when still absent.
+            [areaDotPath]: { $eq: null }
+          },
+          {
+            $set: { [areaDotPath]: self.apos.util.clonePermanent(area) }
+          }
+        );
+        if (result.modifiedCount === 0) {
+          // Another request stubbed it first (or it already existed): adopt
+          // the persisted `_id` so we render the same area.
+          const refreshed = await self.apos.doc.db.findOne({ _id: docId });
+          const persisted = refreshed && self.apos.util.get(refreshed, areaDotPath);
+          if (persisted?._id) {
+            area._id = persisted._id;
+          }
+        }
+        return area;
+      },
+
+      // Resolve the MongoDB dot-path at which `parent[name]` should be stored,
+      // computed from the *persisted* document so it always reflects real
+      // storage (not the in-memory graph with its loaded relationships). The
+      // `parent` object is located inside the freshly read document by its
+      // `_id`. Returns the dot-path string, or `null` when the area cannot be
+      // safely persisted (no doc id, doc not in the database, or `parent` is
+      // not part of the persisted document, e.g. loaded relationship data).
+      async resolvePersistedAreaDotPath(parent, name) {
+        const docId = parent._docId ??
+          (parent.metaType === 'doc' ? parent._id : null);
+        if (!docId) {
+          return null;
+        }
+        const mainDoc = await self.apos.doc.db.findOne({ _id: docId });
+        if (!mainDoc) {
+          return null;
+        }
+        if (parent._id === docId) {
+          return name;
+        }
+        if (!parent._id) {
+          return null;
+        }
+        const found = self.apos.util.findNestedObjectAndDotPathById(
+          mainDoc,
+          parent._id,
+          { ignoreDynamicProperties: true }
+        );
+        if (!found) {
+          return null;
+        }
+        return `${found.dotPath}.${name}`;
+      },
       prepForRender(area, context, fieldName) {
         const manager = self.apos.util.getManagerOf(context);
         const field = manager.schema.find(field => field.name === fieldName);
@@ -451,7 +540,10 @@ module.exports = {
         // Loop over the docs in the array passed in.
         for (const doc of within) {
           if (self.apos.externalFrontKey) {
-            self.apos.template.annotateDocForExternalFront(doc, { scene: req.scene });
+            await self.apos.template.annotateDocForExternalFront(
+              doc,
+              { scene: req.scene }
+            );
           }
 
           const rendered = [];

package/modules/@apostrophecms/area/lib/custom-tags/area.js

@@ -59,46 +59,7 @@ module.exports = function(self) {
       }
       area = doc[name];
       if (!area) {
-        // Problem: area is in schema but that doesn't guarantee it
-        // has a value, for instance the field could be new in the schema.
-        // But we need an area _id. Stub it into the db on the fly
-        // without race conditions
-        area = {
-          metaType: 'area',
-          _id: self.apos.util.generateId(),
-          items: []
-        };
-        doc[name] = area;
-        const docId = doc._docId || ((doc.metaType === 'doc') ? doc._id : null);
-        if (docId) {
-          let mainDoc = await self.apos.doc.db.findOne({ _id: docId });
-          if (!mainDoc) {
-            throw self.apos.error('notfound');
-          }
-          let docDotPath;
-          try {
-            docDotPath = (doc._id === docId) ? '' : self.apos.util.findNestedObjectAndDotPathById(mainDoc, doc._id).dotPath;
-          } catch (e) {
-            // Race condition: someone removed the area's parent object.
-            // Unlikely thanks to advisory locking
-            throw self.apos.error('notfound');
-          }
-          const areaDotPath = docDotPath ? `${docDotPath}.${name}` : name;
-          await self.apos.doc.db.updateOne({
-            _id: docId,
-            // Prevent race condition
-            [areaDotPath]: {
-              $eq: null
-            }
-          }, {
-            $set: {
-              [areaDotPath]: self.apos.util.clonePermanent(area)
-            }
-          });
-          mainDoc = await self.apos.doc.db.findOne({ _id: docId });
-          // Prevent race condition
-          area._id = self.apos.util.get(mainDoc, areaDotPath)._id;
-        }
+        area = await self.apos.area.addMissingArea(doc, name, { throwIfNotFound: true });
       }
       const manager = self.apos.util.getManagerOf(doc);
       const field = manager.schema.find(field => field.name === name);

package/modules/@apostrophecms/area/ui/apos/components/AposBreadcrumbOperations.vue

@@ -119,7 +119,6 @@ export default {
         icon: 'plus-icon',
         type: 'group',
         modifiers: [ 'small', 'inline' ],
-        role: 'menuitem',
         class: 'apos-area-modify-controls__button',
         iconSize: 16,
         disableFocus: !this.isFocused

package/modules/@apostrophecms/area/ui/apos/components/AposWidgetControls.vue

@@ -90,7 +90,6 @@ export default {
         icon: 'plus-icon',
         type: 'group',
         modifiers: [ 'small', 'inline' ],
-        role: 'menuitem',
         class: 'apos-area-modify-controls__button',
         iconSize: 16,
         disableFocus: !this.tabbable

package/modules/@apostrophecms/attachment/index.js

@@ -656,7 +656,10 @@ module.exports = {
       // to avoid template errors
       getMissingAttachmentUrl() {
         const defaultIconUrl = '/modules/@apostrophecms/attachment/img/missing-icon.svg';
-        self.apos.util.warn('Template warning: Impossible to retrieve the attachment url since it is missing, a default icon has been set. Please fix this ASAP!');
+        const e = new Error();
+        self.apos.util.warn('Template warning: Impossible to retrieve the attachment url since it is missing, a default icon has been set. Please fix this ASAP!\n\n' +
+          e.stack
+        );
         // Convert static asset path to full URL, which matters when static
         // assets are in uploadfs
         return self.apos.asset.url(defaultIconUrl);

package/modules/@apostrophecms/db/index.js

@@ -4,11 +4,12 @@
 //
 // ### `uri`
 //
-// The MongoDB connection URI. See the [MongoDB URI documentation](https://docs.mongodb.com/manual/reference/connection-string/).
+// The databse connection URI. See the [MongoDB URI documentation](https://docs.mongodb.com/manual/reference/connection-string/)
+// and the postgres documentation.
 //
 // ### `connect`
 //
-// If present, this object is passed on as options to MongoDB's "connect"
+// If present, this object is passed on as options to the database adapters "connect"
 // method, along with the uri. See the [MongoDB connect settings documentation](http://mongodb.github.io/node-mongodb-native/2.2/reference/connecting/connection-settings/).
 //
 // By default, Apostrophe sets options to retry lost connections forever,
@@ -20,9 +21,16 @@
 //
 // ### `client`
 //
-// An existing MongoDB connection (MongoClient) object. If present, it is used
+// An existing MongoDB-compatible client object. If present, it is used
 // and `uri`, `host`, `connect`, etc. are ignored.
 //
+// ### `adapters`
+//
+// An array of adapters, each of which must provide `name`, `connect(uri, options)`,
+// and `protocols` properties. `name` may be used to override a core adapter,
+// such as `postgres` or `mongodb`. `connect` must resolve to a client object
+// supporting a sufficient subset of the mongodb API.
+//
 // ### `versionCheck`
 //
 // If `true`, check to make sure the database does not belong to an
@@ -49,15 +57,15 @@
 // in your project. However you may find it easier to just use the
 // `client` option.
 
-const mongodbConnect = require('../../../lib/mongodb-connect');
-const escapeHost = require('../../../lib/escape-host');
+const dbConnect = require('@apostrophecms/db-connect');
+const escapeHost = require('../../../lib/escape-host.js');
 
 module.exports = {
   options: {
     versionCheck: true
   },
   async init(self) {
-    await self.connectToMongo();
+    await self.connectToDb();
     await self.versionCheck();
   },
   handlers(self) {
@@ -81,14 +89,12 @@ module.exports = {
   },
   methods(self) {
     return {
-      // Open the database connection. Always uses MongoClient with its
-      // sensible defaults. Builds a URI if necessary, so we can call it
-      // in a consistent way.
-      //
-      // One default we override: if the connection is lost, we keep
-      // attempting to reconnect forever. This is the most sensible behavior
-      // for a persistent process that requires MongoDB in order to operate.
-      async connectToMongo() {
+      // Connect to the database and sets self.apos.dbClient
+      // and self.apos.db. Builds a mongodb URI by default,
+      // accepting host, port, user, password and name options
+      // if present. More typically a URI is specified via
+      // APOS_DB_URI, or via APOS_MONGODB_URI for bc.
+      async connectToDb() {
         if (self.options.client) {
           // Reuse a single client connection http://mongodb.github.io/node-mongodb-native/2.2/api/Db.html#db
           self.apos.dbClient = self.options.client;
@@ -96,32 +102,67 @@ module.exports = {
           self.connectionReused = true;
           return;
         }
-        let uri = 'mongodb://';
-        if (process.env.APOS_MONGODB_URI) {
-          uri = process.env.APOS_MONGODB_URI;
+        let uri;
+        const viaEnv = process.env.APOS_DB_URI || process.env.APOS_MONGODB_URI;
+        if (viaEnv) {
+          uri = viaEnv;
         } else if (self.options.uri) {
           uri = self.options.uri;
         } else {
-          if (self.options.user) {
-            uri += self.options.user + ':' + self.options.password + '@';
-          }
-          if (!self.options.host) {
-            self.options.host = 'localhost';
-          }
-          if (!self.options.port) {
-            self.options.port = 27017;
+          const validAdapters = [ 'mongodb', 'sqlite', 'postgres', 'multipostgres' ];
+          const adapter = process.env.APOS_DEFAULT_DB_ADAPTER || self.options.defaultAdapter || 'mongodb';
+          if (!validAdapters.includes(adapter)) {
+            throw new Error(`Invalid defaultAdapter: "${adapter}". Must be one of: ${validAdapters.join(', ')}`);
           }
           if (!self.options.name) {
             self.options.name = self.apos.shortName;
           }
-          uri += escapeHost(self.options.host) + ':' + self.options.port + '/' + self.options.name;
+          if (adapter === 'sqlite') {
+            const path = require('path');
+            uri = `sqlite://${path.resolve(self.apos.rootDir, 'data', self.options.name + '.sqlite')}`;
+          } else {
+            const credentials = self.options.user
+              ? encodeURIComponent(self.options.user) + ':' + encodeURIComponent(self.options.password) + '@'
+              : '';
+            if (adapter === 'mongodb') {
+              if (!self.options.host) {
+                self.options.host = 'localhost';
+              }
+              if (!self.options.port) {
+                self.options.port = 27017;
+              }
+              uri = 'mongodb://' + credentials + escapeHost(self.options.host) + ':' + self.options.port + '/' + self.options.name;
+            } else {
+              // postgres or multipostgres
+              if (!self.options.host) {
+                self.options.host = 'localhost';
+              }
+              if (!self.options.port) {
+                self.options.port = 5432;
+              }
+              uri = adapter + '://' + credentials + escapeHost(self.options.host) + ':' + self.options.port + '/' + self.options.name;
+            }
+          }
         }
 
-        self.apos.dbClient = await mongodbConnect(uri, self.options.connect);
+        self.apos.dbClient = await dbConnect(uri, {
+          ...self.options.connect,
+          adapters: self.options.adapters
+        });
         self.uri = uri;
         // Automatically uses the db name in the connection string
         self.apos.db = self.apos.dbClient.db();
       },
+      // Connect to a database using the appropriate adapter based on the URI protocol.
+      // Returns a client object compatible with the MongoDB driver interface.
+      // This method has no side effects — it does not set apos.db or apos.dbClient.
+      // It can be used to make temporary connections, e.g. for dropping a test database.
+      async connectToAdapter(uri, options) {
+        return dbConnect(uri, {
+          ...options,
+          adapters: self.options.adapters
+        });
+      },
       async versionCheck() {
         if (!self.options.versionCheck) {
           return;

package/modules/@apostrophecms/doc-type/ui/apos/logic/AposDocContextMenu.js

@@ -273,13 +273,13 @@ export default {
       });
     },
     moduleName() {
-      if (apos.modules[this.context.type].action === apos.modules['@apostrophecms/page'].action) {
+      if (apos.modules[this.context.type]?.action === apos.modules['@apostrophecms/page'].action) {
         return '@apostrophecms/page';
       }
       return this.context.type;
     },
     moduleOptions() {
-      return apos.modules[this.moduleName];
+      return apos.modules[this.moduleName] || {};
     },
     isUpdateOperation() {
       return !!this.context._id;
@@ -482,7 +482,9 @@ export default {
       );
     },
     preview(doc) {
-      window.open(doc._url, '_blank').focus();
+      // window.open() returns null when a popup blocker intercepts it,
+      // so guard before calling focus().
+      window.open(doc._url, '_blank')?.focus();
     },
     async copy(doc) {
       // If there are changes warn the user before discarding them before

package/modules/@apostrophecms/express/index.js

@@ -579,6 +579,8 @@ module.exports = {
           name: self.apos.shortName + '.sid',
           cookie: {}
         });
+        // Env overrides config, per Apostrophe convention.
+        sessionOptions.secret = process.env.APOS_SESSION_SECRET || sessionOptions.secret;
         _.defaults(sessionOptions.cookie, {
           path: '/',
           httpOnly: true,

package/modules/@apostrophecms/http/index.js

@@ -2,7 +2,7 @@ const _ = require('lodash');
 const qs = require('qs');
 const fetch = require('node-fetch');
 const tough = require('tough-cookie');
-const escapeHost = require('../../../lib/escape-host');
+const escapeHost = require('../../../lib/escape-host.js');
 const util = require('util');
 
 module.exports = {

package/modules/@apostrophecms/i18n/i18n/en.json

@@ -205,6 +205,7 @@
   "editImageRelationshipTitle": "Adjust Image",
   "editRelationship": "Edit Relationship",
   "editRelationshipFor": "Edit Relationship for {{ title }}",
+  "editSubform": "Edit {{ label }}",
   "editType": "Edit {{ type }}",
   "editWidget": "Edit Widget",
   "editWidgetForeignTooltip": "Click to edit this content in its natural context",
@@ -569,6 +570,7 @@
   "richTextHighlight": "Mark",
   "richTextHorizontalRule": "Horizontal Rule",
   "richTextHorizontalRuleDescription": "Add a horizontal separator",
+  "richTextEditor": "Rich text editor",
   "richTextInsertMenuHeading": "Insert element...",
   "richTextItalic": "Italic",
   "richTextLink": "Link",
@@ -632,6 +634,7 @@
   "slugInUse": "Slug already in use",
   "someoneElseTookControl": "{{ who }} took control of this document in another tab or window. A document can only be edited in one place at a time.",
   "splitCell": "Split Cell",
+  "status": "Status",
   "style": "Style",
   "styleAlignment": "Alignment",
   "styleBackground": "Background",

package/modules/@apostrophecms/image/ui/apos/components/AposMediaManagerEditor.vue

@@ -14,7 +14,7 @@
           v-if="activeMedia.attachment && activeMedia.attachment._urls"
           class="apos-media-editor__thumb"
           :src="activeMedia.attachment._urls[restoreOnly ? 'one-sixth' : 'one-third']"
-          :alt="activeMedia.description"
+          :alt="activeMedia.description || ''"
         >
       </div>
       <ul class="apos-media-editor__details">
@@ -484,7 +484,7 @@ export default {
 
     & {
       line-height: var(--a-line-tallest);
-      color: var(--a-base-4);
+      color: var(--a-base-2);
     }
   }