Hello Apostrophe Community!
ApostropheCMS 4.32.0 is a maintenance release focused on smoother external front-end integration, an internal HTTP client modernization, and a batch of editorial and admin UI fixes. This is our second monthly maintenance and third overall release under the new cadence. And because last month was a quarterly feature release, our stable and latest tracks have significant differences. So this is a good moment to remember that "stable" customers get this release's fixes and security updates now, with 4.31.0's new features arriving on schedule next quarter.
While maintenance releases are focused primarily on necessary fixes, in latest they do sometimes include changes intended to achieve broader compatibility and promote future stability. You’ll see examples of that below. For stable we adhere more strictly to the “fixes only” rule in each maintenance release.
Improved support for Non-HTML Pages
Files like robots.txt, sitemap.xml, and llms.txt aren't pages — they're literal content that should be served as-is. Modules can now declare these and they are returned via getLiteralContentRoutes, so external front-end integrations recognize and serve them correctly with no extra configuration, instead of mistakenly trying to render them as HTML-containing pages. This release applies the mechanism internally (@apostrophecms/sitemap and @apostrophecms/seo both use it for their generated files), and custom modules can use the same approach for their own literal content routes. This reduces the need for redundant code and lowers the risk of omissions.
Astro Integration: Now Supporting Astro v5–v7
The @apostrophecms/apostrophe-astro integration has been refactored to support Astro v5 through v7. This is a backward-compatible change but every project lead should read the migration guide before upgrading. Helpers can still be imported from the same locations as before, but those are now compatibility shims; projects should update their imports to the new locations described in the guide going forward. Since it is a feature, this change will not appear in stable until next quarter.
A Modernized HTTP Client
The server-side HTTP client (apos.http) now uses Node's built-in, actively-developed fetch instead of the node-fetch package which is strictly in maintenance mode. For the vast majority of projects this is a drop-in change — common apos.http.get() / apos.http.post() usage, form-data request bodies, cookie jars, and the timeout option all continue to work as before. Projects using more advanced options (a custom agent, a Host header override, or reading originalResponse as a raw stream) should review the changelog for the small set of adjustments needed. The same modernization has been applied to the oembetter package. Since it is a feature, this change will not appear in stable until next quarter.
Additional Improvements
This release also includes a collection of fixes to admin UI stability and editorial workflows:
- The admin UI no longer occasionally serves a stale build after a dependency change (for example after
npm installornpm update). - The media library's tag popover now loads all available image tags instead of only the first 50, and no longer creates duplicate tags.
- Rich text widgets no longer lose their entire contents when Backspace or delete is pressed right after typing /, and the widget copy/cut/paste keyboard shortcuts no longer hijack native text copy during an active text selection.
- Batch jobs now reliably report their total item count in completion notifications.
dateAndTimeschema fields no longer overflow their container in narrow layouts.- The
create-apostropheinstaller's SQLite database setup now works correctly under npm v12 and when run from a global@apostrophecms/cliinstall. Since it is a Q2 feature, SQLite support will not appear instableuntil next quarter.
Security Updates
This release includes fixes for five reported vulnerabilities across core and several modules, along with a dependency update. In apostrophe core, we've closed a gap that allowed relationship data excluded from publicApiProjection to be extracted through public REST API query builders, and restored a permission check that had regressed in the page move() operation. In sanitize-html, two separate issues allowed specially-crafted markup to bypass the tag allowlist under certain non-default configurations involving svg, math, textarea, or xmp tags. @apostrophecms/import-export has been hardened against malicious archive metadata reaching database queries unlaundered, and @apostrophecms/form no longer stores file attachments before a submission passes validation. We're grateful to the researchers who responsibly reported these issues. Full technical detail and credit for each fix is in the changelog below.
Separately, nodemailer has been bumped from 8.x to 9.x to pick up a fix for an upstream vulnerability where a message's raw option could be used to bypass file- and URL-access controls. Apostrophe's own use of nodemailer was not exposed to this issue, but we recommend all users upgrade promptly. See the changelog for details, including one small behavior change in outbound HTTPS certificate validation that self-signed or non-standard certificate setups should be aware of.
We recommend all projects update to 4.32.0 as soon as practical.
How to Update
Update your projects with npm update and let us know what you think on our roadmap.
The “stable” option
Our Hosting, Pro and Assembly customers also have the option of following our “stable” releases. The difference is simple: The stable releases receive new features one full quarter later, but receive bug fixes and security fixes at the same time as “latest.” In order for this to be an effective technique to increase stability, customers still need to actively evaluate “latest” so that they have meaningful head start on what is coming in “stable.” Customers interested in following this path should reach out for complete information on how to point their dependencies to “stable.”
Everything we ship as “latest” is 100% ready for production. The “stable” series is an option for those with a large investment in training, automated testing, etc. It allows delayed implementation of new features without falling behind on fixes.
🚀 Happy coding!