npm - includio-cms - Versions diffs - 0.13.2 → 0.13.4 - Mend

includio-cms 0.13.2 → 0.13.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (59) hide show

package/CHANGELOG.md +32 -0
package/ROADMAP.md +19 -2
package/dist/admin/api/handler.js +2 -0
package/dist/admin/api/media-gc.js +8 -3
package/dist/admin/api/regenerate-posters.d.ts +2 -0
package/dist/admin/api/regenerate-posters.js +32 -0
package/dist/admin/api/replace.js +4 -0
package/dist/admin/api/rest/middleware/apiKey.js +7 -1
package/dist/admin/api/upload.js +4 -0
package/dist/admin/client/collection/collection-entries.svelte +8 -4
package/dist/admin/client/collection/grid-view.svelte +1 -1
package/dist/admin/client/entry/entry-header.svelte +37 -44
package/dist/admin/client/entry/entry-header.svelte.d.ts +1 -2
package/dist/admin/client/entry/entry-version.svelte +9 -3
package/dist/admin/client/entry/entry.svelte +20 -1
package/dist/admin/client/maintenance/maintenance-page.svelte +153 -0
package/dist/admin/components/fields/seo-field.svelte +30 -16
package/dist/admin/remote/entry.remote.js +3 -4
package/dist/admin/state/content-language.svelte.d.ts +0 -3
package/dist/admin/state/content-language.svelte.js +7 -11
package/dist/admin/utils/entryLabel.js +2 -3
package/dist/cms/runtime/api.d.ts +5 -0
package/dist/cms/runtime/types.d.ts +13 -8
package/dist/core/cms.js +3 -0
package/dist/core/fields/layoutUtils.d.ts +2 -2
package/dist/core/fields/layoutUtils.js +3 -10
package/dist/core/server/entries/operations/get.js +2 -2
package/dist/core/server/media/mimeBlocklist.d.ts +1 -0
package/dist/core/server/media/mimeBlocklist.js +31 -0
package/dist/core/server/media/operations/batchRegenerateVideoPosters.d.ts +15 -0
package/dist/core/server/media/operations/batchRegenerateVideoPosters.js +112 -0
package/dist/files-local/index.d.ts +1 -0
package/dist/files-local/index.js +3 -140
package/dist/files-local/sanitizeFilename.js +2 -1
package/dist/files-local/video.d.ts +9 -0
package/dist/files-local/video.js +145 -0
package/dist/paraglide/messages/_index.d.ts +3 -36
package/dist/paraglide/messages/_index.js +3 -71
package/dist/paraglide/messages/hello_world.d.ts +5 -0
package/dist/paraglide/messages/hello_world.js +33 -0
package/dist/paraglide/messages/login_hello.d.ts +16 -0
package/dist/paraglide/messages/login_hello.js +34 -0
package/dist/paraglide/messages/login_please_login.d.ts +16 -0
package/dist/paraglide/messages/login_please_login.js +34 -0
package/dist/sveltekit/server/handle.js +8 -0
package/dist/updates/0.13.3/index.d.ts +2 -0
package/dist/updates/0.13.3/index.js +21 -0
package/dist/updates/0.13.4/index.d.ts +2 -0
package/dist/updates/0.13.4/index.js +14 -0
package/dist/updates/index.js +3 -1
package/package.json +1 -1
package/dist/admin/utils/translationStatus.d.ts +0 -17
package/dist/admin/utils/translationStatus.js +0 -133
package/dist/demo/reset.d.ts +0 -1
package/dist/demo/reset.js +0 -26
package/dist/paraglide/messages/en.d.ts +0 -5
package/dist/paraglide/messages/en.js +0 -14
package/dist/paraglide/messages/pl.d.ts +0 -5
package/dist/paraglide/messages/pl.js +0 -14

package/dist/paraglide/messages/login_please_login.js ADDED Viewed

@@ -0,0 +1,34 @@
+/* eslint-disable */
+import { getLocale, trackMessageCall, experimentalMiddlewareLocaleSplitting, isServer } from '../runtime.js';
+const en_login_please_login = /** @type {(inputs: {}) => string} */ () => {
+	return `Login to your account`
+};
+const pl_login_please_login = /** @type {(inputs: {}) => string} */ () => {
+	return `Zaloguj się na swoje konto`
+};
+/**
+* This function has been compiled by [Paraglide JS](https://inlang.com/m/gerre34r).
+*
+* - Changing this function will be over-written by the next build.
+*
+* - If you want to change the translations, you can either edit the source files e.g. `en.json`, or
+* use another inlang app like [Fink](https://inlang.com/m/tdozzpar) or the [VSCode extension Sherlock](https://inlang.com/m/r7kp499g).
+*
+* @param {{}} inputs
+* @param {{ locale?: "en" | "pl" }} options
+* @returns {string}
+*/
+/* @__NO_SIDE_EFFECTS__ */
+const login_please_login = (inputs = {}, options = {}) => {
+	if (experimentalMiddlewareLocaleSplitting && isServer === false) {
+		return /** @type {any} */ (globalThis).__paraglide_ssr.login_please_login(inputs)
+	}
+	const locale = options.locale ?? getLocale()
+	trackMessageCall("login_please_login", locale)
+	if (locale === "en") return en_login_please_login(inputs)
+	return pl_login_please_login(inputs)
+};
+export { login_please_login as "login.please_login" }

package/dist/sveltekit/server/handle.js CHANGED Viewed

@@ -65,5 +65,13 @@ export function includioCMS(cmsConfig) {
         handles.push(handleAuth);
     }
     handles.push(adminGuard);
+    handles.push(securityHeaders);
     return handles;
 }
+const securityHeaders = async ({ event, resolve }) => {
+    const response = await resolve(event);
+    response.headers.set('X-Content-Type-Options', 'nosniff');
+    response.headers.set('X-Frame-Options', 'DENY');
+    response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
+    return response;
+};

package/dist/updates/0.13.3/index.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import type { CmsUpdate } from '../index.js';
2	+ export declare const update: CmsUpdate;

package/dist/updates/0.13.3/index.js ADDED Viewed

@@ -0,0 +1,21 @@
+export const update = {
+    version: '0.13.3',
+    date: '2026-03-23',
+    description: 'Security hardening, per-language content fixes',
+    features: [
+        'Timing-safe API key comparison (prevents timing attacks)',
+        'MIME type blocklist on upload and file replace endpoints',
+        'Security headers: X-Content-Type-Options, X-Frame-Options, Referrer-Policy',
+        'CMS constructor validates that at least one language is configured'
+    ],
+    fixes: [
+        'Form submission rate limiting applies to all requests (not just multipart uploads)',
+        'Form submission uses SvelteKit getClientAddress() instead of spoofable x-forwarded-for header',
+        'Removed demo reset endpoint with hardcoded fallback secret',
+        'Added .catch() handlers for unhandled promise rejections in admin components',
+        'Per-language content language state and entry label fixes'
+    ],
+    breakingChanges: [
+        'CMS config with empty languages array now throws an error at initialization'
+    ]
+};

package/dist/updates/0.13.4/index.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import type { CmsUpdate } from '../index.js';
2	+ export declare const update: CmsUpdate;

package/dist/updates/0.13.4/index.js ADDED Viewed

@@ -0,0 +1,14 @@
+export const update = {
+    version: '0.13.4',
+    date: '2026-03-24',
+    description: 'Video poster regeneration, filename sanitization',
+    features: [
+        'Batch regenerate video posters & thumbnails from admin maintenance page with SSE progress',
+        'Video poster status reporting in media GC endpoint',
+        'Extracted video processing to reusable module'
+    ],
+    fixes: [
+        'Filename sanitization normalizes Unicode to NFC (prevents NFD/NFC mismatch)'
+    ],
+    breakingChanges: []
+};

package/dist/updates/index.js CHANGED Viewed

@@ -35,7 +35,9 @@ import { update as update0120 } from './0.12.0/index.js';
 import { update as update0130 } from './0.13.0/index.js';
 import { update as update0131 } from './0.13.1/index.js';
 import { update as update0132 } from './0.13.2/index.js';
-export const updates = [update0065, update0066, update0067, update0068, update0069, update010, update011, update012, update013, update014, update015, update020, update022, update050, update051, update052, update053, update054, update055, update056, update057, update058, update060, update061, update062, update070, update071, update072, update073, update080, update090, update0100, update0110, update0120, update0130, update0131, update0132];
+import { update as update0133 } from './0.13.3/index.js';
+import { update as update0134 } from './0.13.4/index.js';
+export const updates = [update0065, update0066, update0067, update0068, update0069, update010, update011, update012, update013, update014, update015, update020, update022, update050, update051, update052, update053, update054, update055, update056, update057, update058, update060, update061, update062, update070, update071, update072, update073, update080, update090, update0100, update0110, update0120, update0130, update0131, update0132, update0133, update0134];
 export const getUpdatesFrom = (fromVersion) => {
     const fromParts = fromVersion.split('.').map(Number);
     return updates.filter((update) => {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
 	"name": "includio-cms",
-	"version": "0.13.2",
+	"version": "0.13.4",
 	"scripts": {
 		"dev": "vite dev",
 		"build": "vite build && npm run prepack",

package/dist/admin/utils/translationStatus.d.ts DELETED Viewed

@@ -1,17 +0,0 @@
-import type { Field } from '../../types/fields.js';
-export type TranslationCompleteness = 'complete' | 'partial' | 'empty';
-export interface LangStatus {
-    filled: number;
-    total: number;
-    percentage: number;
-    status: TranslationCompleteness;
-    missingFields: {
-        slug: string;
-        label: string;
-    }[];
-}
-/**
- * Compute translation status for each language.
- * Checks all localized fields (text, richtext, content) + seo/url sub-fields.
- */
-export declare function computeTranslationStatus(data: Record<string, unknown>, fields: Field[], languages: string[]): Record<string, LangStatus>;

package/dist/admin/utils/translationStatus.js DELETED Viewed

@@ -1,133 +0,0 @@
-import { getAtPath } from './objectPath.js';
-/** Extract a label string from Localized, preferring pl then en then slug. */
-function extractLabel(label, fallback) {
-    if (!label)
-        return fallback;
-    if (typeof label === 'string')
-        return label;
-    return label.pl || label.en || fallback;
-}
-/** Check if a value counts as "filled" for a given field type. */
-function isFieldFilled(value, fieldType) {
-    if (value == null)
-        return false;
-    switch (fieldType) {
-        case 'text':
-            return typeof value === 'string' && value.length > 0;
-        case 'content': {
-            if (typeof value !== 'object')
-                return false;
-            const doc = value;
-            return doc.type === 'doc' && Array.isArray(doc.content) && doc.content.length > 0;
-        }
-        case 'seo': {
-            if (typeof value !== 'object')
-                return false;
-            const seo = value;
-            // At least title or description filled
-            return ((typeof seo.title === 'string' && seo.title.length > 0) ||
-                (typeof seo.description === 'string' && seo.description.length > 0));
-        }
-        case 'url': {
-            if (typeof value !== 'object')
-                return false;
-            const url = value;
-            return typeof url.url === 'string' && url.url.length > 0;
-        }
-        default:
-            return false;
-    }
-}
-/** Collect all localized fields from a field list, including nested seo/url sub-fields. */
-function collectLocalizedFields(fields) {
-    const result = [];
-    for (const field of fields) {
-        if (field.localized === false)
-            continue;
-        const label = extractLabel(field.label, field.slug);
-        if (field.type === 'text' || field.type === 'content') {
-            result.push({ slug: field.slug, label, type: field.type, required: !!field.required });
-        }
-    }
-    // SEO and URL fields are always localized by nature (sub-fields are lang-keyed)
-    for (const field of fields) {
-        if (field.type === 'seo') {
-            const label = extractLabel(field.label, field.slug);
-            result.push({ slug: field.slug, label, type: 'seo', required: !!field.required });
-        }
-        if (field.type === 'url') {
-            const label = extractLabel(field.label, field.slug);
-            result.push({ slug: field.slug, label, type: 'url', required: !!field.required });
-        }
-    }
-    return result;
-}
-/** Resolve the value of a field for a given language. */
-function resolveFieldValue(data, field, lang) {
-    if (field.type === 'seo') {
-        const seoData = getAtPath(data, field.slug);
-        if (seoData && typeof seoData === 'object') {
-            const seo = seoData;
-            const title = extractLangValue(seo.title, lang);
-            const desc = extractLangValue(seo.description, lang);
-            return { title, description: desc };
-        }
-        return undefined;
-    }
-    else if (field.type === 'url') {
-        const urlData = getAtPath(data, field.slug);
-        if (urlData && typeof urlData === 'object') {
-            const url = urlData;
-            const urlVal = url.url && typeof url.url === 'object'
-                ? url.url[lang]
-                : undefined;
-            return { url: urlVal || '' };
-        }
-        return undefined;
-    }
-    else {
-        const fieldData = getAtPath(data, field.slug);
-        if (fieldData && typeof fieldData === 'object' && !Array.isArray(fieldData)) {
-            return fieldData[lang];
-        }
-        return undefined;
-    }
-}
-/**
- * Compute translation status for each language.
- * Checks all localized fields (text, richtext, content) + seo/url sub-fields.
- */
-export function computeTranslationStatus(data, fields, languages) {
-    const allLocalizedFields = collectLocalizedFields(fields);
-    // Pre-filter: keep field if required OR has content in at least one language
-    const localizedFields = allLocalizedFields.filter((field) => field.required ||
-        languages.some((lang) => isFieldFilled(resolveFieldValue(data, field, lang), field.type)));
-    const result = {};
-    for (const lang of languages) {
-        let filled = 0;
-        const total = localizedFields.length;
-        const missingFields = [];
-        for (const field of localizedFields) {
-            const value = resolveFieldValue(data, field, lang);
-            if (isFieldFilled(value, field.type)) {
-                filled++;
-            }
-            else {
-                missingFields.push({ slug: field.slug, label: field.label });
-            }
-        }
-        const percentage = total === 0 ? 100 : Math.round((filled / total) * 100);
-        const status = percentage === 100 ? 'complete' : percentage === 0 ? 'empty' : 'partial';
-        result[lang] = { filled, total, percentage, status, missingFields };
-    }
-    return result;
-}
-/** Extract lang value from a possibly lang-keyed value. */
-function extractLangValue(value, lang) {
-    if (typeof value === 'string')
-        return value;
-    if (value && typeof value === 'object') {
-        return (value[lang]) || '';
-    }
-    return '';
-}

package/dist/demo/reset.d.ts DELETED Viewed

	@@ -1 +0,0 @@
1	- export declare function resetDemoData(): Promise<void>;

package/dist/demo/reset.js DELETED Viewed

@@ -1,26 +0,0 @@
-import { getCMS } from '../core/cms.js';
-import { seedDemoData } from './seed.js';
-export async function resetDemoData() {
-    const cms = getCMS();
-    const db = cms.databaseAdapter;
-    // Delete all entries (get all, then delete each)
-    const allCollectionEntries = await db.getEntries({ type: 'collection' });
-    const allSingletonEntries = await db.getEntries({ type: 'singleton' });
-    const allEntries = [...allCollectionEntries, ...allSingletonEntries];
-    for (const entry of allEntries) {
-        // Delete all versions for this entry
-        const versions = await db.getEntryVersions({ entryIds: [entry.id] });
-        for (const version of versions) {
-            await db.deleteEntryVersion({ id: version.id });
-        }
-        // Delete the entry itself
-        await db.deleteEntry({ id: entry.id });
-    }
-    // Delete all media files
-    const mediaFiles = await db.getMediaFiles({ data: {} });
-    for (const file of mediaFiles) {
-        await db.deleteMediaFile(file.id);
-    }
-    // Re-seed
-    await seedDemoData();
-}

package/dist/paraglide/messages/en.d.ts DELETED Viewed

@@ -1,5 +0,0 @@
-export const hello_world: (inputs: {
-    name: NonNullable<unknown>;
-}) => string;
-export const login_hello: (inputs: {}) => string;
-export const login_please_login: (inputs: {}) => string;

package/dist/paraglide/messages/en.js DELETED Viewed

@@ -1,14 +0,0 @@
-/* eslint-disable */
-export const hello_world = /** @type {(inputs: { name: NonNullable<unknown> }) => string} */ (i) => {
-	return `Hello, ${i.name} from en!`
-};
-export const login_hello = /** @type {(inputs: {}) => string} */ () => {
-	return `Welcome back`
-};
-export const login_please_login = /** @type {(inputs: {}) => string} */ () => {
-	return `Login to your account`
-};

package/dist/paraglide/messages/pl.d.ts DELETED Viewed

@@ -1,5 +0,0 @@
-export const hello_world: (inputs: {
-    name: NonNullable<unknown>;
-}) => string;
-export const login_hello: (inputs: {}) => string;
-export const login_please_login: (inputs: {}) => string;

package/dist/paraglide/messages/pl.js DELETED Viewed

@@ -1,14 +0,0 @@
-/* eslint-disable */
-export const hello_world = /** @type {(inputs: { name: NonNullable<unknown> }) => string} */ (i) => {
-	return `Hello, ${i.name} from pl!`
-};
-export const login_hello = /** @type {(inputs: {}) => string} */ () => {
-	return `Witaj ponownie`
-};
-export const login_please_login = /** @type {(inputs: {}) => string} */ () => {
-	return `Zaloguj się na swoje konto`
-};