17.3.5

What's Changed

🐛 Bug Fixes

• Revert fix for making block editors read-only in trashed documents which causes a regression in certain multi-lingual block editing scenarios (closes #22472, re-opens #21982) by @nielslyngsoe in #22656

Full Changelog: release-17.3.4...release-17.3.5

13.14.0

What's Changed Since 13.14.0-rc3

Full Changelog: release-13.14.0-rc3...release-13.14.0

What's Changed Since 13.14.0-rc2

🔒 Security Hardening

• Surface controllers: validate redirect URL in member operation surface controllers by @NguyenThuyLan in #22565

Full Changelog: release-13.14.0-rc2...release-13.14.0-rc3

What's Changed Since 13.14.0-rc1

📦 Dependencies

• Dependencies: Pin System.Security.Cryptography.Xml to resolve vulnerability warning (Umbraco 13) by @crixlis
  in #22513

Full Changelog: release-13.14.0-rc...release-13.14.0-rc2

What's Changed Since The Previous Version (13.13.1)

🚤 Performance

• Backport optimisations on content type save from #21910 to V13 by @kjac in #22314

Full Changelog: release-13.13.1...release-13.14.0-rc

17.4.0-rc

Upgrade Notes

Be aware of a change to behaviour for detecting the Umbraco application URL. Previously, ApplicationMainUrl was automatically set from the Host header of incoming HTTP requests. In environments where Umbraco is not behind a reverse proxy that validates the Host header, this could allow a forged Host header to overwrite the URL used in password reset links, user invitations, and other email notifications. While this is normally mitigated by proper hosting configuration and setting UmbracoApplicationUrl explicitly, we felt that the auto-detection behaviour should be hardened up and become an opt-in rather than the default. You can read more about this under "Breaking Changes" below, the linked PR and the documentation.

There are a few updates related to performance in this release that are worth investigating for larger sites. Using output cache in your projects, with intelligent and customisable detection of page invalidation, is now a configuration option for templated websites, with extension points also applied for the Delivery API. We have optimised content cache rebuild after schema updates, with an option for deferred rebuild in the background. If considering a project with significant expected concurrency for member login and registration, and you prefer to use an external service for member management, the new option for lightweight external members will be worth reviewing.

If working with AI tools such as Umbraco MCP, additions to management API endpoints that expose JSON schema for data types and allow for patch updates of specific properties, should improve accuracy and reliability.

As usual please find the full list of PRs that have contributed to Umbraco 17.4 as follows.

What's Changed

🙌 Notable Changes

• Management API: Add JSON Schema support for data types and content types by @Migaroez in #21771
• Media Picker: Add Cards/Table view switcher (closes #22005) by @madsrasmussen in #22138
• Management API: Add document patch endpoint by @Migaroez in #22104
• Website Rendering: Add configurable output caching for template rendered pages by @AndyButland in #22338
• Basic Authentication: Standalone login page for frontend-only deployments (closes #22144) by @AndyButland in #22168
• Icons: extends icon data + improved search by @nielslyngsoe in #22436
• Members: Add lightweight external-only members (closes #12741) by @AndyButland in #22162
• Cache: Add deferred content type rebuild mode with de-duplication by @AndyButland in #22194

💥 Breaking Changes

• Application URL: Add ApplicationUrlDetection setting to control application URL auto-detection by @AndyButland in #22307

📦 Dependencies

• Bump lodash from 4.17.23 to 4.18.1 in /src/Umbraco.Web.UI.Login by @dependabot[bot] in #22334
• Dependencies: Update minor and patch versions by @AndyButland in #22498
• Update npm dependencies for v17.4.0-rc by @NguyenThuyLan in #22464
• Bump the npm_and_yarn group across 3 directories with 4 updates by @dependabot[bot] in #22537
• Dependencies: Update Microsoft packages to latest patch and fix HybridCache ParseFault with Redis by @AndyButland in #22278
• Dependencies: Pin System.Security.Cryptography.Xml to resolve vulnerability warning by @AndyButland in #22514

🚤 Performance

• Performance: Batch backoffice media thumbnail URL requests to reduce N+1 API calls by @AndyButland in #22329
• Performance: Optimize FullDataSetRepositoryCachePolicy usage across all repositories by @AndyButland in #22264
• Performance: Optimize ContentTypeRepository deep-clone on cache reads (closes #22250) by @AndyButland in #22263
• Performance: Use GeneratedRegex instead of generating at runtime in string extensions by @Henr1k80 in #22534
• Performance: Avoid allocating a string if _publishedContentCache has a cached version in MediaCacheService by @Henr1k80 in #22535
• Performance: Micro-optimisation in UdiParser (eliminate closure, fix naming & formatting of exceptions) by @Henr1k80 in #22506
• Micro-optimization: Use Array.ConvertAll instead of LINQ .Select .ToArray by @Henr1k80 in #20292
• Entity Service: Batch GetAllPaths queries to avoid SQL Server parameter limit (closes #22470) by @AndyButland in #22471
• Document URL Service: Batch delete of obsolete URL segment records to avoid SQL Server parameter limit (closes #22339) by @AndyButland in #22340
• Content Version Cleanup: Optimize for large datasets (closes #22224) by @AndyButland in #22239
• Migrations: Optimise sortable value population for date properties by @AndyButland in #22547
• Migrations: Fix potential OptimizeInvariantUrlRecords timeout on SQL Server (closes #22377) by @AndyButland in #22382
• Umb-icon color setting optimization by @nielslyngsoe in #22433

🌈 Accessibility Improvements

• Accessibility: Fix missing labels on uui-select elements causing console warnings by @andreaslborg in #22385
• Accessibility: Include visible initials in name displayed on account menu button (closes #21942) by @andreaslborg in #22117
• Accessibility: Add labels to member workspace toggles by @andreaslborg in #22403
• Accessibility: Add label and localized placeholder to picker search field by @andreaslborg in #22402
• Accessibility: Add label to member type filter dropdown by @andreaslborg in #22397

🚀 New Features

• Entity Data Picker: Adds start node support to tree data-sources by @leekelleher in #22172
• Rich Text Editor: Filter paste, drag&drop, and media picker to allowed media types (closes #21824) by @iOvergaard in #22267
• Tiptap RTE: Add width/height to edit image properties (AB#65981) by @iOvergaard in #22266
• Document Blueprints: Add info workspace view by @NguyenThuyLan in #21951
• Notifications: Surface ProblemDetails detail in error notifications by @iOvergaard in #22298
• General: Add decoding="async" to relevant IMG-tags by @nielslyngsoe in #22428
• Backoffice Identity: Add Override method to IBackOfficeSecurityAccessor for background processing by @AndyButland in #22499
• Relations: Fire relation notifications for automatic relations (closes #22222) by @AndyButland in #22345
• User Groups: Add ability to manage users directly from the group workspace by @NguyenThuyLan in #22215
• Block Editor: Create Modal Size Overwrite by @nielslyngsoe in #22386

🐛 Bug Fixes

• Management API: Return descriptive 400 for property variance mismatch (closes #22076) by @AndyButland in #22100
• Sections: Sort sections by display name in user group assignment (closes #22094) by @AndyButland in #22112
• Block Editors: Resolves incorrect "Discard unsaved changes" message when editing blocks with live editing by @marcloveUSN in #22134
• Redirect Tracking: Fix segment change detection and optimise descendant traversal (closes #22082) by @AndyButland in #22091
• Routing: Resolve URL segment collision for siblings differing only in punctuation (closes #22070) by @0xRozier in #22090
• Last Synced: Adding A File System Approach to Subscriber Servers by @NillasKA in #22145
• Localization: Added missing for elements by @Lantzify in #22079
• Application URLs: Prevent back office hosts being overwritten in a shared database setup (closes #16741) by @matthewcare in #22160
• Migrations: Fi...

13.14.0-rc3

What's Changed Since 13.14.0-rc2

🔒 Security Hardening

• Surface controllers: validate redirect URL in member operation surface controllers by @NguyenThuyLan in #22565

Full Changelog: release-13.14.0-rc2...release-13.14.0-rc3

What's Changed Since 13.14.0-rc1

📦 Dependencies

• Dependencies: Pin System.Security.Cryptography.Xml to resolve vulnerability warning (Umbraco 13) by @crixlis
  in #22513

Full Changelog: release-13.14.0-rc...release-13.14.0-rc2

What's Changed Since The Previous Version (13.13.1)

🚤 Performance

• Backport optimisations on content type save from #21910 to V13 by @kjac in #22314

Full Changelog: release-13.13.1...release-13.14.0-rc

13.14.0-rc2

What's Changed Since 13.14.0-rc1

📦 Dependencies

• Dependencies: Pin System.Security.Cryptography.Xml to resolve vulnerability warning (Umbraco 13) by @crixlis
  in #22513

Full Changelog: release-13.14.0-rc...release-13.14.0-rc2

What's Changed Since The Previous Version (13.13.1)

🚤 Performance

• Backport optimisations on content type save from #21910 to V13 by @kjac in #22314

Full Changelog: release-13.13.1...release-13.14.0-rc

17.3.4

What's Changed

🐛 Bug Fixes

• Migrations: Fix RetrustForeignKeyAndCheckConstraints failing when data violates a constraint
  by @AndyButland in #22488

Full Changelog: release-17.3.3...release-17.3.4

17.3.3

What's Changed

🐛 Bug Fixes

• User Service: Prevent fetching all permissions when no IDs are provided by @krebil in #22424

Full Changelog: release-17.3.2...release-17.3.3

17.3.2

What's Changed

🐛 Bug Fixes

• Templating: Move production mode validation from service layer to Management API by @AndyButland in #22383
• Migrations: Fix potential OptimizeInvariantUrlRecords timeout on SQL Server (closes #22377) by @AndyButland in #22382
• Management API: Fix OAuth client registration permanently skipped after transient failure (closes #22356) by @AndyButland in #22368
• Property Editor Dialog: Set height to 100% for umb-property-editor-ui-picker-modal by @bjarnef in #22354

Full Changelog: release-17.3.1...release-17.3.2

17.3.1

What's Changed

🐛 Bug Fixes

• Document URL Service: Batch delete of obsolete URL segment records to avoid SQL Server parameter limit (closes #22339) by - @AndyButland in #22340
• Builder Extensions: Make AddWebComponents() idempotent (closes #22344) by @AndyButland in #22347
• Media Picker: Fix folder selection regression for developer-configured media pickers (closes #22349) by @AndyButland in #22350
• Install: Ensure media directory exists before creating PhysicalFileProvider (closes #14877) by @AndyButland in #22281

Full Changelog: release-17.3.0...release-17.3.1

13.14.0-rc

What's Changed

• Backport optimisations on content type save from #21910 to V13 by @kjac in #22314

Full Changelog: release-13.13.1...release-13.14.0-rc