Hello Apostrophe Community!
ApostropheCMS 4.29.0 brings a new Recently Edited manager to the admin bar, a unified Styles Editor experience, and continued improvements to static build support for Apostrophe-Astro projects.
Recently Edited Documents Manager
The admin bar now includes a Recently Edited Documents Manager, making it faster for editors to locate and review recently changed content without hunting through piece or page managers. The manager displays all documents that have been edited across content types in a single unified view, with filtering by editor, document type, locale, edit action, and status. It appears alongside the existing Submitted Drafts action and surfaces recently touched documents across content types in one place.
The manager is also extensible: modules can contribute their own filter choices to the Recently Edited view. Pro module integrations take advantage of this in 4.29.0, with @apostrophecms-pro/automatic-translation adding an "Unpublished Translation" status filter and @apostrophecms/import-export adding an "Imported" action filter — making it easier to pick up multilingual or imported content right where you (or someone else) left it.
New Background Preset for the Styles Editor
The Styles Editor, the modal interface where developers predefine style options that editors can apply to widgets or globally, gains a new background preset in this release. It supports image, color, and gradient backgrounds with overlay, giving editors control over rich background treatments without writing custom CSS. Teams building visually varied layouts now have a structured, editor-friendly way to manage backgrounds as part of their predefined style options.
Static Build Improvements for Astro Projects
This release continues to expand static build support for Apostrophe-Astro projects. Pretty URL file attachments are now fully supported in the static build metadata pipeline: the getAllUrlMetadata API correctly annotates affected attachments, and the backend streaming proxy route properly resolves relative uploadfs URLs during static builds. A bug that prevented pretty URLs from working correctly with locale prefixes has also been fixed.
On the @apostrophecms/apostrophe-astro side, the writeAttachments step now supports per-entry base URL resolution, correctly downloading and writing pretty URL files to the appropriate output directory (e.g. dist/files/). A new attachmentFilter option, configurable as 'all' or 'prettyOnly', lets you skip regular uploadfs attachments when those are served by a CDN while still including backend-served pretty URL files (e.g. PDFs with friendly URLs) in the static output. The option can be set via the staticBuild.attachmentFilter integration option or the APOS_ATTACHMENT_FILTER environment variable.
Security Fixes
AI tooling has become remarkably effective at identifying previously undiscovered software vulnerabilities, and the open source ecosystem is feeling it — including us. This release includes six security fixes, more than we would typically see in a single cycle. We view this as a net positive: these issues are being found and fixed rather than quietly exploited, and in at least one case the work prompted us to introduce a new protective mechanism in core that makes an entire class of vulnerability less likely going forward.
This release addresses:
- XSS vulnerabilities in the @apostrophecms/seo module's SEO Title and Meta Description fields, in color schema fields, and in sanitize-html when option tags were explicitly permitted
- API data exposure via the .choices() and .counts() query builders, which could be used to access schema fields outside the publicApiProjection, and a separate publicApiProjection bypass for piece types
- A timing attack in the password reset flow that could disclose whether an email address or username was valid
Important: The SEO XSS fix requires upgrading both apostrophe and @apostrophecms/seo together. Upgrading only one will not fully resolve the vulnerability.
Thanks to K Shanmukha Srinivasulu Royal for reporting the SEO vulnerability, and to offset and restriction for reporting — and in restriction's case, proposing fixes for — three additional issues.
Additional Improvements
- The Styles and Column configuration panels in the Styles Editor modal have been merged into a single interface.
- The sitemap module now includes x-default hreflang tags in sitemap entries for improved international SEO targeting.
- We fixed a focus trap bug where keyboard focus in context menus would jump back to the first item after reaching the last.
- A misleading return statement in pruneDataForExternalFront — a method intended to be overridden to modify data in place before it is sent to Astro or a similar frontend — has been removed to prevent confusion when customizing that method.
This release contains important security fixes — we encourage all users to upgrade promptly with npm update, and particularly urge those using the @apostrophecms/import-export or @apostrophecms/login-totp modules to treat this as an urgent update. Let us know what you think on our roadmap.
🚀 Happy coding!