Hello Apostrophe Community!
ApostropheCMS 4.28.0 brings a significant expansion to our Astro integration with support for static site builds, a cleaner URL experience for uploaded PDFs, and a round of stability improvements. This release also includes several community-contributed fixes.
Static Builds for Astro + ApostropheCMS Projects in Beta
Teams using Astro as their frontend can now take advantage of static site generation. This means you can now pre-render your Astro frontend and deploy it to any CDN or static host — no Node.js server required — reducing hosting costs and complexity while improving performance and security. The @apostrophecms/apostrophe-astro integration module has been updated to support static builds, and a new core module called @apostrophecms/url handles URL generation for static contexts. As part of this, ApostropheCMS's query-string-based piece filtering, such as category or tag browsing, is converted to full URLs, making filtered views work correctly in a static context. The @apostrophecms/sitemap module has also been updated accordingly, so piece filter and pagination URLs are now included in generated sitemaps. This feature is currently in beta, and we encourage you to share your feedback.
Pretty URLs for Uploaded Files
The file library now supports a prettyUrls: true option for @apostrophecms/file. When enabled, PDFs are served at readable, slug-based URLs rather than the internal attachment filename. You can customize the URL by editing the slug field directly in the file manager. There is a small performance trade-off to be aware of, which is noted in the option documentation. Note that pretty URLs for files are not yet compatible with static builds — this will be addressed in the next release.
Additional Improvements
This release includes several stability and UX fixes worth noting:
- Area widgets now render inside an inner wrapper that creates a separate z-index context, resolving conflicts between widget controls and the Apostrophe UI.
- A fix for rich text links where the "open in new tab" checkbox could not be unchecked.
- Relationship suggestion dropdowns now dismiss correctly when a choice is clicked, restoring behavior that had regressed in 4.27.1.
Community Contributions
We're grateful to community members who contributed fixes in this release cycle:
Eduardo Correal fixed a bug where the getOne API endpoint could not correctly retrieve documents that are not localized. Thanks, Eduardo!
OxEr3n reported a vulnerability in the @apostrophecms/import-export module that could allow a user with permission to edit the global settings document to write files to the public/ folder or overwrite site code accessible to the server process. The vulnerability was not publicly disclosed prior to this fix. If you are using the import-export module, upgrading promptly is recommended. Thanks to OxEr3n for responsible disclosure and for providing test cases.
0xkakashi reported a previously undisclosed vulnerability that allowed a compromised password to be used to perform CMS actions without 2FA. Sites not using two-factor authentication are unaffected, but if you are using @apostrophecms/login-totp or a similar module, upgrading immediately is strongly recommended. Thanks to 0xkakashi for reporting the issue and recommending a fix.
Additionally, the sanitize-html dependency has been updated to resolve a security issue in the underlying htmlparser2 library, which previously failed to correctly detect javascript: URLs encoded with zero-padded numeric character references. This fix also resolves double-encoding of entities inside textarea and option elements. Thanks to alex-rantos for this contribution.
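The htmlparser2 issue above concerns javascript: URLs hidden behind zero-padded numeric character references. The following is an added example, not code from ApostropheCMS, sanitize-html or htmlparser2, of the check a link filter needs: decode numeric references first, then normalise, then inspect the scheme. The function names and the sample href values are constructed for this illustration.

```javascript
// Added example (not ApostropheCMS or sanitize-html code). A filter that tests
// the raw attribute value for "javascript:" misses encodings such as
// &#0000106;avascript: because the browser decodes the reference before it
// resolves the scheme. Decoding first closes that gap.

// Decode &#NNN; and &#xHHH; references, with or without leading zeros and
// with or without the closing semicolon, to the code point they name.
function decodeNumericRefs(value) {
  return value.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (_, ref) => {
    const cp = ref[0].toLowerCase() === 'x'
      ? parseInt(ref.slice(1), 16)
      : parseInt(ref, 10);
    // Out-of-range code points would make fromCodePoint throw; substitute U+FFFD.
    return cp > 0x10ffff ? '\uFFFD' : String.fromCodePoint(cp);
  });
}

// Browsers drop tab and newline anywhere in a URL and leading control
// characters; stripping every C0 control and space is the conservative choice
// for a filter. Schemes are case-insensitive, so compare in lower case.
function normalizeForSchemeCheck(url) {
  return decodeNumericRefs(url).replace(/[\u0000-\u0020]/g, '').toLowerCase();
}

function isJavascriptUrl(url) {
  return normalizeForSchemeCheck(url).startsWith('javascript:');
}

// Constructed sample href values as they might arrive in submitted rich text.
const SAMPLE_HREFS = [
  'https://example.com/docs',
  'javascript:void(0)',
  '&#0000106;avascript:void(0)',   // zero-padded decimal reference for "j"
  '&#x0000006A;avascript:void(0)', // zero-padded hex reference for "j"
  'java&#0009;script:void(0)'      // tab inside the scheme, ignored by browsers
];

// Returns one verdict per href so the result can be inspected or asserted on.
function classifyHrefs(hrefs) {
  return hrefs.map(href => ({ href, blocked: isJavascriptUrl(href) }));
}

for (const r of classifyHrefs(SAMPLE_HREFS)) {
  console.log(r.blocked ? 'BLOCK' : 'allow', r.href);
}
```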
This release contains important security fixes — we encourage all users to upgrade promptly with npm update, and particularly urge those using the @apostrophecms/import-export or @apostrophecms/login-totp modules to treat this as an urgent update.
These improvements are ready for you to explore! Update your projects with npm update and let us know what you think on our roadmap.
🚀 Happy coding!