v12.1.0
v12.1.0
View on GitHubView PackagePublished: Jul 1, 2026

Release Notes

⚠️ Potential Breaking Changes

  • @directus/api
    • Limited sensitive system mutations defined by GRAPHQL_SINGLE_USE_MUTATIONS to single use (#27801 by @br41nslug)
    • Removed /utils/hash/generate and /utils/hash/verify endpoints (#27774 by @br41nslug)
    • Fixed failed TUS file replacements leaving orphaned file records. Hardened upload path validation to prevent writes to extension and temporary storage directories (#27803 by @br41nslug)
    • Updated GraphQL WebSocket restrictions to match the HTTP endpoint and hid validation hints when introspection is disabled (#27801 by @br41nslug)
    • Added CORS_ORIGIN checks for websocket connections (#27812 by @br41nslug)
  • @directus/specs
    • Removed /utils/hash/generate and /utils/hash/verify endpoints (#27774 by @br41nslug)
  • @directus/sdk
    • Removed /utils/hash/generate and /utils/hash/verify endpoints (#27774 by @br41nslug)

✨ New Features & Improvements

  • @directus/app
    • Added PROJECT_OWNER_ENABLED env var to allow disabling owner info collection and sync (#27802 by @ComfortablyCoding)
    • Replaced tooltip with Reka UI one (#27029 by @HZooly)
    • Added v-kbd component and support { text, kbd } syntax in tooltip (#27029 by @HZooly)
    • Updated bundled esbuild to 0.28.1 (resolves GHSA-gv7w-rqvm-qjhr) (#27738 by @br41nslug)
  • @directus/api
    • Added PROJECT_OWNER_ENABLED env var to allow disabling owner info collection and sync (#27802 by @ComfortablyCoding)
  • @directus/env
    • Added PROJECT_OWNER_ENABLED env var to allow disabling owner info collection and sync (#27802 by @ComfortablyCoding)

🐛 Bug Fixes & Optimizations

  • @directus/app
    • Restored pre-v12 back button behavior: returns to the previously visited item/page when navigating via a relation, and to the collection listing when landing on an item directly (#27799 by @robluton)
    • Fixed the public page foreground image rendering side-by-side with the shader background instead of overlaying it (#27782 by @alvarosabu)
    • Added clearable indicator to input hash field (#27729 by @robluton)
    • Added lazy loading of social icons on v-button (#27724 by @alvarosabu)
    • Bumped version of @directus/license package (#27785 by @AlexGaillard)
    • Fixed array indexing (e.g. field[0] or field.0) in display and preview URL templates, so a template like {{ categories[0].name }} now resolves to the indexed value instead of rendering empty (#27773 by @dstockton)
    • Fixed a stored XSS vulnerability where the project color could break out of the generated favicon's SVG markup and inject arbitrary HTML (#27810 by @br41nslug)
    • Fixed an internal server error when validating out-of-range integer values (#27321 by @sourav-18)
    • Added interface settings for collection status field (#27781 by @robluton)
  • @directus/api
    • Bumped version of @directus/license package (#27785 by @AlexGaillard)
    • Fixed a Local File Inclusion vulnerability in MailService.renderTemplate (#27811 by @br41nslug)
    • Fixed Postgres value too long errors being misattributed to an unrelated field (#27768 by @MahinAnowar)
    • Added validation to restrict geometry types to known types (#27809 by @br41nslug)
    • Fixed batch update failures in the MCP files tool (#27121 by @aayushbaluni)
    • Updated dependencies to resolve security advisories and removed obsolete override pins (#27814 by @br41nslug)
    • Fixed accountability overrides in the graphql websocket (#27813 by @br41nslug)
    • Fixed MCP OAuth role resolution to use the users role instead of the root role (#27790 by @ComfortablyCoding)
    • Bumped hono and vite dependencies (#27820 by @br41nslug)
    • Fixed pre-validation side effects in services (#27800 by @br41nslug)
    • Fixed public websocket accountability handling (#27808 by @br41nslug)
  • @directus/extensions-sdk
    • Updated bundled esbuild to 0.28.1 (resolves GHSA-gv7w-rqvm-qjhr) (#27738 by @br41nslug)
  • @directus/system-data
    • Updated bundled esbuild to 0.28.1 (resolves GHSA-gv7w-rqvm-qjhr) (#27738 by @br41nslug)
    • Added interface settings for collection status field (#27781 by @robluton)
  • @directus/composables
    • Updated bundled esbuild to 0.28.1 (resolves GHSA-gv7w-rqvm-qjhr) (#27738 by @br41nslug)
  • @directus/validation
    • Fixed an internal server error when validating out-of-range integer values (#27321 by @sourav-18)
  • @directus/env
    • Limited sensitive system mutations defined by GRAPHQL_SINGLE_USE_MUTATIONS to single use (#27801 by @br41nslug)
  • @directus/utils
    • Classified the embedded IPv4 of IPv6 transition forms (IPv4-compatible, NAT64, 6to4) in IpBlocklist.checkAddress so they cannot bypass an IPv4 deny rule (#27698 by @joeltco)

📦 Published Versions