v12.1.0
v12.1.0
Release Notes
⚠️ Potential Breaking Changes
- @directus/api
- Limited sensitive system mutations defined by GRAPHQL_SINGLE_USE_MUTATIONS to single use (#27801 by @br41nslug)
- Removed
/utils/hash/generateand/utils/hash/verifyendpoints (#27774 by @br41nslug) - Fixed failed TUS file replacements leaving orphaned file records. Hardened upload path validation to prevent writes to extension and temporary storage directories (#27803 by @br41nslug)
- Updated GraphQL WebSocket restrictions to match the HTTP endpoint and hid validation hints when introspection is disabled (#27801 by @br41nslug)
- Added CORS_ORIGIN checks for websocket connections (#27812 by @br41nslug)
- @directus/specs
- Removed
/utils/hash/generateand/utils/hash/verifyendpoints (#27774 by @br41nslug)
- Removed
- @directus/sdk
- Removed
/utils/hash/generateand/utils/hash/verifyendpoints (#27774 by @br41nslug)
- Removed
✨ New Features & Improvements
- @directus/app
- Added
PROJECT_OWNER_ENABLEDenv var to allow disabling owner info collection and sync (#27802 by @ComfortablyCoding) - Replaced tooltip with Reka UI one (#27029 by @HZooly)
- Added
v-kbdcomponent and support{ text, kbd }syntax in tooltip (#27029 by @HZooly) - Updated bundled
esbuildto0.28.1(resolves GHSA-gv7w-rqvm-qjhr) (#27738 by @br41nslug)
- Added
- @directus/api
- Added
PROJECT_OWNER_ENABLEDenv var to allow disabling owner info collection and sync (#27802 by @ComfortablyCoding)
- Added
- @directus/env
- Added
PROJECT_OWNER_ENABLEDenv var to allow disabling owner info collection and sync (#27802 by @ComfortablyCoding)
- Added
🐛 Bug Fixes & Optimizations
- @directus/app
- Restored pre-v12 back button behavior: returns to the previously visited item/page when navigating via a relation, and to the collection listing when landing on an item directly (#27799 by @robluton)
- Fixed the public page foreground image rendering side-by-side with the shader background instead of overlaying it (#27782 by @alvarosabu)
- Added clearable indicator to input hash field (#27729 by @robluton)
- Added lazy loading of social icons on v-button (#27724 by @alvarosabu)
- Bumped version of @directus/license package (#27785 by @AlexGaillard)
- Fixed array indexing (e.g.
field[0]orfield.0) in display and preview URL templates, so a template like{{ categories[0].name }}now resolves to the indexed value instead of rendering empty (#27773 by @dstockton) - Fixed a stored XSS vulnerability where the project color could break out of the generated favicon's SVG markup and inject arbitrary HTML (#27810 by @br41nslug)
- Fixed an internal server error when validating out-of-range integer values (#27321 by @sourav-18)
- Added interface settings for collection status field (#27781 by @robluton)
- @directus/api
- Bumped version of @directus/license package (#27785 by @AlexGaillard)
- Fixed a Local File Inclusion vulnerability in
MailService.renderTemplate(#27811 by @br41nslug) - Fixed Postgres value too long errors being misattributed to an unrelated field (#27768 by @MahinAnowar)
- Added validation to restrict geometry types to known types (#27809 by @br41nslug)
- Fixed batch update failures in the MCP files tool (#27121 by @aayushbaluni)
- Updated dependencies to resolve security advisories and removed obsolete override pins (#27814 by @br41nslug)
- Fixed accountability overrides in the graphql websocket (#27813 by @br41nslug)
- Fixed MCP OAuth role resolution to use the users role instead of the root role (#27790 by @ComfortablyCoding)
- Bumped hono and vite dependencies (#27820 by @br41nslug)
- Fixed pre-validation side effects in services (#27800 by @br41nslug)
- Fixed public websocket accountability handling (#27808 by @br41nslug)
- @directus/extensions-sdk
- Updated bundled
esbuildto0.28.1(resolves GHSA-gv7w-rqvm-qjhr) (#27738 by @br41nslug)
- Updated bundled
- @directus/system-data
- @directus/composables
- Updated bundled
esbuildto0.28.1(resolves GHSA-gv7w-rqvm-qjhr) (#27738 by @br41nslug)
- Updated bundled
- @directus/validation
- Fixed an internal server error when validating out-of-range integer values (#27321 by @sourav-18)
- @directus/env
- Limited sensitive system mutations defined by GRAPHQL_SINGLE_USE_MUTATIONS to single use (#27801 by @br41nslug)
- @directus/utils
- Classified the embedded IPv4 of IPv6 transition forms (IPv4-compatible, NAT64, 6to4) in
IpBlocklist.checkAddressso they cannot bypass an IPv4 deny rule (#27698 by @joeltco)
- Classified the embedded IPv4 of IPv6 transition forms (IPv4-compatible, NAT64, 6to4) in
📦 Published Versions
@directus/[email protected]@directus/[email protected]@directus/[email protected][email protected]@directus/[email protected]@directus/[email protected]@directus/[email protected]@directus/[email protected]@directus/[email protected]@directus/[email protected]@directus/[email protected]@directus/[email protected]@directus/[email protected]@directus/[email protected]@directus/[email protected]@directus/[email protected]@directus/[email protected]@directus/[email protected]@directus/[email protected]@directus/[email protected]@directus/[email protected]