Hello Apostrophe Community!
Apostrophe 4.31.0 is our first quarterly feature release, and its theme is Developer Activation — a focused set of changes that make ApostropheCMS meaningfully easier to adopt, extend, and deploy. This release introduces JSX as a server-side templating option, a redesigned CLI installer, support for PostgreSQL and SQLite databases, and several security patches that warrant prompt attention from all users.
JSX Templates
Apostrophe page, widget, and component templates can now be written in JSX as an alternative to Nunjucks. For developers already comfortable with React or another JSX-aware framework, this means real JavaScript control flow, modern editor support, and accurate error reporting with source maps — without standing up a separate front-end project.
JSX templates are a server-side templating feature, not a React runtime. There is no virtual DOM, no client runtime, and no framework requirement. JSX and Nunjucks coexist freely in the same project and can be migrated incrementally, allowing teams to convert individual templates over time while keeping existing layouts in place. Nunjucks remains a fully supported, first-class option. And Astro continues to be a great option for those who need dynamic islands, support for multiple frontend frameworks on the back end, or static build support.
We're releasing JSX now to gather community feedback, and will be updating our documentation over time to show it as the preferred authoring path for new projects. See the JSX templates guide to get started.
A New Interactive CLI Installer
apos create now delegates to the new create-apostrophe package, delivering a guided interactive installer that walks developers through project name, starter kit selection, and database configuration via prompts. This was a heavily requested improvement on our roadmap, and substantially lowers the barrier to getting a new Apostrophe project running from scratch.
Under the hood, create-apostrophe is a standalone installer that can also be invoked directly via npm create apostrophe@latest. It supports SQLite, MongoDB, and PostgreSQL out of the box, handles sample data for demo kits, and creates an admin user — all in a single flow.
PostgreSQL, SQLite, and Multi-Postgres Database Support
ApostropheCMS now supports PostgreSQL and SQLite databases, in addition to MongoDB. Connection is via standard URI: postgres://, sqlite:// and, for multisite projects, multipostgres:// URIs are all recognized by the new db-connect API, which covers all database operations used in our own core, Pro and Assembly modules.
This opens the door for teams with existing PostgreSQL investments, and gives developers a lightweight SQLite option for local development.
Command-line utilities are also provided to dump and restore databases in a universal way, across all three databases.
See the database configuration documentation for details.
Security Updates
This release includes several proactively identified and responsibly disclosed security fixes across core, @apostrophecms/seo, and sanitize-html. We recommend all users upgrade promptly with npm update.
Full details are available in the changelog below and in the published GitHub security advisories.
Additional Improvements
Beyond the headline features, this release focuses on editing stability and deployment ergonomics.
Resilient schemas: Adding or removing area fields from a schema no longer breaks existing documents on external front ends like Astro. Missing or orphaned areas now fail gracefully, and newly added fields are materialized as empty objects, so editors can work with them immediately in context.
Streamlined configuration: Session secrets and uploadfs keys can now be set via environment variables, bringing them in line with the rest of Apostrophe's environment-based configuration and modern CI/CD practices.
Community Contributions
Thanks to tonghuaroot, H3xV0rT3x, 5h1kh4r, EchoSkorJjj, hibrian827, and Dipanshu singh for their security reports and contributions in this release.
Node 20: End of Support
Node 20 has officially passed its end of life date upstream, and is not supported by Apostrophe 4.31.0. Those who are still using Node 20 should upgrade locally to Node 22 or 24, test their code, and deploy to Node 22 or 24.
Node 26: Start of Support
Node 26 is not yet an official long-term-support release upstream, so most users should continue to use Node 22 or 24 in production for now. However, we have introduced Node 26 support in this release of Apostrophe.
The “stable” option
Everything above reflects our standard, “latest” module releases. Our Hosting, Pro and Assembly customers also have the option of following our “stable” releases. The difference is simple: The stable releases receive new features one full quarter later, but receive bug fixes and security fixes at the same time as “latest.” In order for this to be an effective technique to increase stability, customers still need to actively evaluate “latest” so that they have meaningful head start on what is coming in “stable.” Customers interested in following this path should reach out for complete information on how to point their dependencies to “stable.”
Everything we ship as “latest” is 100% ready for production. The “stable” series is an option for those with a large investment in training, automated testing, etc. It allows delayed implementation of new features without falling behind on fixes.
You should upgrade
This release contains important security fixes and we encourage all users to upgrade promptly with npm update. Let us know what you think on our roadmap.
🚀 Happy coding!