Skip to content

fix(deps): update dependency @strapi/strapi to v5 [security] #119

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix(deps): update dependency @strapi/strapi to v5 [security] #119

wants to merge 1 commit into from

Conversation

@renovate
Copy link

@renovate renovate bot commented Oct 18, 2025
edited by github-actions bot
Loading

This PR contains the following updates:

Package Change Age Confidence
@strapi/strapi (source) ^4.25.13 -> ^5.0.0 age confidence

GitHub Vulnerability Alerts

CVE-2025-3930

Strapi uses JSON Web Tokens (JWT) for authentication. After logout or account deactivation, the JWT is not invalidated, which allows an attacker who has stolen or intercepted the token to freely reuse it until its expiration date (which is set to 30 days by default, but can be changed). The existence of /admin/renew-token endpoint allows anyone to renew near-expiration tokens indefinitely, further increasing the impact of this attack. This issue has been fixed in version 5.24.1.

Release Notes

strapi/strapi (@​strapi/strapi)

v5.24.2

Compare Source

⚠️ Security Warning and Notice ⚠️

Strapi was made aware of a vulnerably that were patched in this release, for now we are going to delay the detailed disclosure of the exact details on how to exploit it and how it was patched to give time for users to upgrade before we do public disclosure.

5.24.2 (2025-09-29)

🚀 New feature
🔥 Bug fix
  • database is corrupt with orphaned relations (#​24316)
  • assert admin.auth.secret on bootstrap instead of init (a1b9cf7971)
  • support auth.options config in sessions (#​24460)
  • stop repair script from running automatically (#​24470)
❤️ Thank You

⚠️ Notice on Admin JWT Changes

This release fundamentally changes how Admin Panel login and register JWTs work from 5.23.6.

If your project or plugins rely on undocumented functionality or internal behavior related to the Admin JWT, those implementations are very likely to break after upgrading and affect your ability to log in to the Strapi Admin Panel.

For more information on the new feature configuration settings, please see the configuration docs for Users and Permissions and Admin Panel

v5.24.1

Compare Source

⚠️ This version is deprecated. Please use 5.24.2 🙏

5.24.1 (2025-09-25)

includes release notes from deprecated 5.24.0

🚀 New feature
🔥 Bug fix
  • database is corrupt with orphaned relations (#​24316)
  • assert admin.auth.secret on bootstrap instead of init (a1b9cf7971)
❤️ Thank You

⚠️ Notice on Admin JWT Changes

This release does not introduce breaking changes in any documented Strapi APIs or functions.
However, it fundamentally changes how Admin Panel login and register JWTs work.

If your project or plugins rely on undocumented functionality or internal behavior related to the Admin JWT, those implementations are very likely to break after upgrading and affect your ability to log in to the Strapi Admin Panel.

For more information on the new feature configuration settings, please see the configuration docs for Users and Permissions and Admin Panel

v5.24.0: [Deprecated] v5.24.0

Compare Source

⚠️ This version is deprecated. Revert to 5.23.6 for now 🙏

5.24.0 (2025-09-24)

🚀 New feature
🔥 Bug fix
  • database is corrupt with orphaned relations (#​24316)
❤️ Thank You

⚠️ Notice on Admin JWT Changes

This release does not introduce breaking changes in any documented Strapi APIs or functions.
However, it fundamentally changes how Admin Panel login and register JWTs work.

If your project or plugins rely on undocumented functionality or internal behavior related to the Admin JWT, those implementations are very likely to break after upgrading and affect your ability to log in to the Strapi Admin Panel.

For more information on the new feature configuration settings, please see the configuration docs for Users and Permissions and Admin Panel

v5.23.6

Compare Source

5.23.6 (2025-09-19)
🔥 Bug fix
  • create UID from singular name instead of display name (#​24408)
❤️ Thank You

v5.23.5

Compare Source

5.23.5 (2025-09-17)

🔥 Bug fix
💅 Enhancement
  • remove default notification title (#​24337)
🚨 Security
  • deps: update form-data, axios, and sha.js (#​24389)
❤️ Thank You

v5.23.4

Compare Source

5.23.4 (2025-09-10)
🔥 Bug fix
  • add support for custom field attributes in schema mapping (#​24310)
  • errors when trying to link design-system locally (#​24247)
  • saving deletion of optional components not working (#​24317)
⚙️ Chore
❤️ Thank You

v5.23.3

Compare Source

5.23.3 (2025-09-04)

🔥 Bug fix
  • syncing components in draft and publish relations (#​24227)
❤️ Thank You

v5.23.2

Compare Source

5.23.2 (2025-09-03)

🔥 Bug fix
  • update route serialization utility to handle non-array values correctly (#​24245)
⚙️ Chore
  • change close stale issue github action (#​24260)
  • close stale issue starts from oldest issue (#​24264)
  • close stale exclude PRs. include all assignees. (#​24265)
  • stale issues remove dry run (#​24270)
  • label and close issues before 2022 (#​24272)
  • label and close issues before 2023 (#​24278)
  • label and close issues before 2024 (#​24279)
❤️ Thank You

v5.23.1

Compare Source

5.23.1 (2025-08-27)

🔥 Bug fix
  • add missing userid to amplitude events (3780331997)
  • reordering dynamic zones messes up indexes during validation (#​24195)
  • corrected UI of searchbar on content manager (#​23813)
  • wrong count of non draftAndPublish entries (#​24211)
⚙️ Chore
  • implement a new prompt to enable A/B test and track the event (#​24125)
  • update guided tour tracking events (#​24192)
❤️ Thank You

v5.23.0

Compare Source

5.23.0 (2025-08-20)
🚀 New feature
  • CTB: add conditional fields form to custom fields advanced settings (#​24175)
🔥 Bug fix
  • wrong count for published entries in homepage widget (#​24152)
  • update tracking on homepage widgets (#​24153)
  • refactor openAPI log (#​24182)
💅 Enhancement
❤️ Thank You

v5.22.0

Compare Source

5.22.0 (2025-08-13)

🚀 New feature
🔥 Bug fix
  • homepage widgets adjustments (#​24071)
  • reordering newly created components in dz cause error on save (#​24114)
  • guided tour adds paddings to pages instead of using offset (#​24170)
⚙️ Chore
  • new workflow to tag issues before 2021 to prepare for cleanup - github issues management (#​24098)
  • change query to include parameters instead of filtering response in github action (#​24116)
  • revert uuid (#​24067)
❤️ Thank You
  • Adrien L
  • Marion Kamoike-Bouguet @​oiorain
  • markkaylor

v5.21.0

Compare Source

5.21.0 (2025-08-06)

🚀 New feature
  • key statistics homepage widget (#​23938)
  • homepage upcoming releases widget (#​23998)
  • Added firstPublishedAt field which sets the datetime when a content is first published. (#​22512, #​23160)
🔥 Bug fix
  • do not overwrite modified names in create ct modal (06dce79903)
  • create relation and save flaky test (#​24041)
  • do not overwrite modified names in create ct modal (be03ffa02a)
  • incorrect config won't run example app (#​24063)
  • color of release status icon (#​23842)
  • allow audit logs to be increased up to the license maximum (#​24061)
  • include encryption key in javascript template (#​24076)
  • update openapi package with correct configuration (#​24099)
  • core: handle time to dateTime and dateTime to time conversion with postgres (#​24073)
⚙️ Chore
  • overwrite names if displayName actually changes (687c4fd496)
  • update guided tour documentation (#​24046)
  • add empty project to examples (#​24049)
  • improve getstarted dummy preview page (#​24091)
  • content-manager: fix typo in code comment (402f6df180)
  • openapi: update dependencies to version 5.20.0 (7a83ebacc4)
❤️ Thank You

v5.20.0

Compare Source

⚠️ Security Warning and Notice ⚠️

Strapi was made aware of a vulnerably that were patched in this release, for now we are going to delay the detailed disclosure of the exact details on how to exploit it and how it was patched to give time for users to upgrade before we do public disclosure.

5.20.0 (2025-07-30)
🚀 New feature
  • add conditional fields e2e tests (#​23843)
🔥 Bug fix
  • document_id must appear in the GROUP BY clause (947c3a83d8)
  • resolved filter overlapping issue by changing z-index (#​23953)
  • update autocomplete attribute in RelationsInput component to filter by contains (#​23579)
  • add reducer to be able to mutate widgets in register function (#​23908)
  • resolved filter overlap with datepicker by reducing zIndex of filter … (#​23884)
  • conditional validation preview publish (#​23894)
  • port comparison (6e535cb756)
  • add full support for wildcards (33c610560b)
  • handle undefined origins (77cb37d43d)
  • prevent full screen loader regression in preview page (#​24038)
  • support wildcards in arrays of origins (4754eca8ef)
  • prevent validation error when updating user without password change (#​23898)
  • content-type-builder: fix schema validation when max is equal to min (#​24032)
⚙️ Chore
💅 Enhancement
  • promote preview configuration docs (#​23961)
❤️ Thank You

v5.19.0

Compare Source

5.19.0 (2025-07-23)

🚀 New feature
  • add preview device selector (#​23985)
  • cloud-cli: support async project creation notifications (a970fea681)
🔥 Bug fix
  • sign file URLs in upload service and in graphql (#​23834)
⚙️ Chore
❤️ Thank You

v5.18.1

Compare Source

5.18.1 (2025-07-16)
🚀 New feature
🔥 Bug fix
  • add Introduction step in the Single collection Edit view (#​23943)
  • yarn build issue (#​23906)
⚙️ Chore
❤️ Thank You

v5.18.0

Compare Source

5.18.0 (2025-07-09)
🚀 New feature
🔥 Bug fix
  • preserve non-localized fields when updating localized content for new locale (#​23830)
  • use documentId as mainField fallback (#​23796)
  • make upgrade tool work with a proxy (#​23847)
  • added missing e2e test for homepage profile widget (#​23850)
  • resolve labels overflowing issue in Api-Token creation Permissions Accordian. (#​23526)
  • guided tour test types (#​23877)
  • fix condition loss on relation field (#​23885)
  • release build process (#​23917)
  • api-tokens: update lastUsedAt if it's null (#​23870)
⚙️ Chore
❤️ Thank You

v5.17.0

Compare Source

5.17.0 (2025-07-02)

🚀 New feature
  • content-manager: conditional fields (#​23616)
🔥 Bug fix
  • design of user status (#​23771)
  • locale selector dropdown showing incorrect status in content man… (#​23434)
  • remove policy from license-limit-info that breaks releases (#​23424)
  • media library new folder not created when hitting enter (#​22735)
  • Cleaner fallback for documents and audio files in the Media Libr… (#​22378)
  • update of logo (#​23749)
⚙️ Chore
❤️ Thank You

v5.16.1

Compare Source

5.16.1 (2025-06-25)

🔥 Bug fix
  • resolved the issue with search field not closing (#​22415)
  • standardization of the menu items (#​23264)
  • add the disabled state of the creatable button with no permissions (#​23630)
  • graphql: draft and publish document does not forward root query args (#​23737)
  • upload: import cropperjs css by styled components (#​23707)
⚙️ Chore
❤️ Thank You

v5.16.0

Compare Source

5.16.0 (2025-06-17)

🚀 New feature
🔥 Bug fix
  • updated word break property for word wrap around (#​23265, #​23430)
  • design issues (#​23719)
  • serve the correct document when we duplicate a document with a locale different than the default one (#​23709)
  • display name of upload plugin in roles settings (#​23739)
  • min/max value for components not clear (#​23741)
  • bulk publish mutliple locales does not validate required media (#​23750)
  • content-manager: documentId missing from fields for the view and… (#​23604)
  • upload: draggable element style (#​22098)
⚙️ Chore
  • content-type-builder: add DidUpdateCTBSchema event (#​23651)
  • upgrade formidable to 3.5.4 (#​23722)
  • strapi DS v2.0.0-rc.26 bump (#​23752)
💅 Enhancement
🚨 Security
❤️ Thank You

v5.15.1

Compare Source

5.15.1 (2025-06-11)

🔥 Bug fix
  • repeatable components should not load relations when creating a new entry (#​22549)
  • one to many relations returns published and draft versions (#​23673)
  • default timezone releases issue (#​23629)
  • content-manager: ui issue when too many elements in dz in configure the view (6711be04e4)
  • content-manager: dragging moves incorrect field in configure the view (#​23602)
  • upload: switching tab when updating pagination (2f28b9dcef)
⚙️ Chore
  • move generateFileName to image-manipulation to allow overriding (7de63df3ae)
  • create strapi mock for test (9c04fd0da8)
  • update nodemailer from 6.9.1 to 6.10.1 (#​23678)
  • strapi DS v2.0.0-rc.25 bump (c1c86417e9)
💅 Enhancement
  • prevent edit view unnecessary rerenders (#​23667)
  • types: export configuration Shared types (#​22620)
  • debounce blocks editor update (#​23681)
❤️ Thank You

v5.15.0

Compare Source

5.15.0 (2025-06-04)

🚀 New feature
  • cli: Introduce the Growth Trial prompt (#​23498)
🔥 Bug fix
  • fixed cancel and publish button from dialog modal of bulk publish #​20809 (#​20809)
  • improve type signature core-store getter (#​23593)
  • blocks ui (#​23311)
  • avoid history data loss when license is missing (#​23562)
  • issue #​23572 support undefined allowed types (#​23572)
  • header behind other elements (0dc28a7d00)
  • ctb custom field need to allow extra configs (32feefe431)
  • content-type: improve field validation logic in permission settings (#​23581)
  • document-service: implement document ID uniqueness check and add corresponding tests (#​23577)
⚙️ Chore
🚨 Security
❤️ Thank You

v5.14.0

Compare Source

Changelog for releases/5.14.0
🚀 Feature

Revamp the Content-Type Builder (CTB) with undo/redo, drag & drop attributes, collapsible sections, concurrent editing, new shortcuts, and numerous UX/UI enhancements (#​23288) by @​alexandrebodin

image

✨ Enhancements
🐛 Bug Fixes
  • Adjust Rollup configuration to ensure CSS files are correctly included in production builds (#​23547) by @​simotae14
  • Implement a check for review workflow service availability within the releases feature (#​23568) by @​remidej
  • Prevent "add to release" bulk actions from displaying when draft and publish functionalities are disabled (#​23578) by @​remidej
  • Resolve issue with broken pagination in the Content Manager's assets modal (#​23592) by @​Adzouz
⚙️ Chores
❤️ Thank You

v5.13.1

Compare Source

5.13.1 (2025-05-21)

🔥 Bug fix
  • update model reference in FormLayout for consistent localization (3d33977c2c)
  • types: add missing flags prop to admin config (#​23486)
  • types: add missing settings.useTypescriptMigrations prop to database config (#​23489)
📚 Documentation Changes
  • openapi: add architecture documentation to OpenAPI (#​23444)
❤️ Thank You

v5.13.0

Compare Source

5.13.0 (2025-05-07)
🚀 New feature
  • future branch create relations initiative (#​23379)
  • make widgets api stable (#​23470)
🔥 Bug fix
  • rich text editors focus mode modals (#​23378)
  • widget type not exported from core (#​23416)
  • updated icon button to include disabled flag for repeatable comp (#​23427)
  • typo in data-transfer CLI (#​23422)
  • Error MISSING_TRANSLATION errors for locale 'ru' (#​21575)
  • define an initial ComponentProvider on top of the Relation Modal (#​23472)
  • use text for encrypted key of viewable api token (#​23477)
  • preview: pass documentId as undefined if the entry is singleType (#​23302)
📚 Documentation Changes
  • openapi: add initial OpenAPI documentation to core docs (#​23443)
⚙️ Chore
  • strapi DS v2.0.0-rc.22 (#​23372)
  • strapi DS v2.0.0-rc.23 (#​23384)
  • resolve babel (#​23391)
  • track registered widgets (#​23412)
  • improve uniqueness of deviceId + userId (#​23120)
  • Amazon SES readme plugin config improvements (#​23390)
  • update cloud cli (#​23392)
  • homepage: move widget controllers, services, and routes from admin to content-manager (#​23407)
💅 Enhancement
❤️ Thank You

v5.12.7

Compare Source

5.12.7 (2025-04-30)

🔥 Bug fix
  • widget type not exported from core (#​23416)
  • updated icon button to include disabled flag for repeatable comp (#​23427)
  • typo in data-transfer CLI (#​23422)
⚙️ Chore
  • track registered widgets (#​23412)
  • improve uniqueness of deviceId + userId (#​23120)
  • homepage: move widget controllers, services, and routes from admin to content-manager (#​23407)
❤️ Thank You

v5.12.6

Compare Source

5.12.6 (2025-04-23)

🔥 Bug fix
  • rich text editors focus mode modals (#​23378)
  • preview: pass documentId as undefined if the entry is singleType (#​23302)
⚙️ Chore
❤️ Thank You

v5.12.5

Compare Source

5.12.5 (2025-04-16)

🔥 Bug fix
  • relation icons shape in the relation modal (#​22371)
  • optimize schema validation lookup for mysql/mariadb (#​23331)
⚙️ Chore
  • remove sdk-plugin dependencies from user deps (#​23250)
  • release backmerge (670dd814bc)
  • deps: bump undici in the npm_and_yarn group across 1 directory (#​23133)
💅 Enhancement
  • support for IPv6 addresses in absolute urls (#​23212)
❤️ Thank You

v5.12.4

Compare Source

5.12.4 (2025-04-09)
🔥 Bug fix
⚙️ Chore
💅 Enhancement
❤️ Thank You

v5.12.3

Compare Source

5.12.3 (2025-04-02)

🔥 Bug fix
  • upgrade: incorrect path to codemods (02e3d8da28)
❤️ Thank You
  • Mark Kaylor

v5.12.2

Compare Source

5.12.2 (2025-04-02)

🔥 Bug fix
⚙️ Chore
  • refactor rollup utils and move to preserveModule for better tree shaking (4bd7b4e8f5)
  • apply feedback, improve warnings (6b93a97ac7)
  • bump vite from 5.4.13 to 5.4.15 (#​23248)
💅 Enhancement
  • add user menu with profile settings and role display (#​22954)
❤️ Thank You

v5.12.1

Compare Source

5.12.1 (2025-03-28)

🔥 Hotfix
  • fix broken SSO login introduced in 5.12.0 (#​23247)
❤️ Thank You

v5.12.0

Compare Source

5.12.0 (2025-03-26)

🚀 New feature
  • add on-the-fly relation editing in modals (#​22997)
  • add preview side editor for growth/ee users (#​22997)
  • adding a link to chargebee portal for managing seats (ccc540ffcb)
🔥 Bug fix
  • bidirectional relations sync (4e64ec6cec)
  • incorrect token source in pr diff (#​23142)
  • incorrect file path and parameters for pr_diff (#​23143)
  • deprecated step summary output (#​23144)
  • bidirectional relations sync (ad216ff22f)
  • remove useless rotf future flag (#​23139)
  • ui issues on purchae pages (#​23084)
  • add z index property to the menu content in blocks and markdown (#​23150)
  • relation label fix overflow behaviour (#​23125)
  • add the correct locale and document Id when we reorder the relations (#​23152)
  • run cronjobs closer to app start (08528cceda)
  • On production build webhooks detail page intermediate value issue #​23099 (#​23099)
  • correctly read asset stream for dts asset remote providers (#​23169)
  • add the correct document in the back button history when we confirm dialog (#​23184)
  • issue with layout property in InputRenderer (#​23183)
  • removing the Strapi Cloud condition for Manage seats (cdde94f005)
  • one more Strapi Cloud condition for Manage seats (4ac8513411)
  • final final Strapi Cloud condition for Manage seats (4d1d36a71c)
  • adding license type with it's typing (ea6268bc6a)
  • reverting licenseType to type (ff5b6069b9)
  • manage seats link for gold license (1cf3c821d1)
  • updating message for Gold licenses (01abcb251f)
  • removing type because we use the licenseLimitInformation instead (c7e57b2c40)
  • updating tests for Managing seats (c3f2ca2808)
  • now my code is prettier (7d410c85ab)
  • prettier translations as well (8e0423d29d)
  • handling type === gold check in license notifications (4be9ba6828)
  • prettier on my notification file (31611b4598)
  • updating license notifications and their tests (f4754bded9)
  • prettier notification tests (16829452be)
  • preserve cookie in sso login (#​23240)
  • database: improve sub queries handling in the qb (#​23129)
  • relations: no components available in relation modal dynamic zone (#​23151)
📚 Documentation Changes
  • add strapi/permissions documentation (#​23091)
⚙️ Chore
💅 Enhancement
  • add tracking for editing relations on-the-fly and preview (#​23206)
  • admin session presists across tabs (#​23188)
  • add advanced preview license check (#​23221)
🚨 Security
  • deps: upgrade axios to 1.8.2 for CWE-918 (#​23105)
❤️ Thank You
  • Bassel Kanso @​Bassel17
  • Ben Irvin
  • Derrick Mehaffy
  • HichamELBSI
  • Jean-Sébastien Herbaux
  • Lucas Boilly @​lucasboilly
  • Marc-Roig
  • markkaylor
  • Rémi de Juvigny @​remidej
  • seenabaaz
  • Simon Norris
  • Simone

[v5.11.3]

Configuration

📅 Schedule: Branch creation - "" in timezone America/Vancouver, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Thanks for the PR!

Deployments, as required, will be available below:

Please create PRs in draft mode. Mark as ready to enable:

After merge, new images are deployed in:

@renovate
Copy link
Author

renovate bot commented Oct 18, 2025
edited
Loading

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: cms/package-lock.json
npm warn Unknown env config "store". This will stop working in the next major version of npm.
npm error code ERESOLVE
npm error ERESOLVE unable to resolve dependency tree
npm error
npm error While resolving: bcmi-cms@0.1.0
npm error Found: react-router-dom@5.3.4
npm error node_modules/react-router-dom
npm error   react-router-dom@"5.3.4" from the root project
npm error
npm error Could not resolve dependency:
npm error peer react-router-dom@"^6.0.0" from @strapi/strapi@5.31.0
npm error node_modules/@strapi/strapi
npm error   @strapi/strapi@"^5.0.0" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry
npm error this command with --force or --legacy-peer-deps
npm error to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /runner/cache/others/npm/_logs/2025-11-19T03_47_50_287Z-eresolve-report.txt
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2025-11-19T03_47_50_287Z-debug-0.log

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant