Changelogs

Fixes

• Scaled back some excessively verbose log entries. [#27910]
• Corrected role checks when requiring multiple roles to access a resource. [#27909]

Dependencies, Components, Etc.

• Updated Postgres JDBC driver. The vulnerability this update resolves did not affect dotCMS, as we do not use the setting in question. Still, automated scans that don't know any better were very noisy about this. So… we may as well. [#27894]

Enhancements & Adjustments

• Page API additionally returns content related to the Page asset itself, on calls with a depth of 2. [#27775]
• Removed a number of unnecessary database calls from content editor screen. [#27187]
• Task detail comments now display in reverse chronological order. [#25729]

Interface

• The dropdown menu in the content comparison tool will now display more than 20 versions at a time for comparison. [#26815]

Fixes

• Bundles now display the user who created them to appropriately permissioned users. [#26224]
• Fixed errors when deleting unpublished bundles via REST API calls. [#26201]
• Bundles now properly display contents in excess of 20 items when expanded in the Publishing Queue. [#26170]
• Image fields now correctly receive headers in CSV exports of contentlets. [#26004]
• Fixed unresponsive Import button when importing categories via CSV. [#25653]
• Users with limited permissions can edit Pages and content within their purview, even if they do not have access to the Content Search tool. [#22698]
• Optimized queries to reduce Site Browser loading time when accessing a folder with more than 1,000 items. [#23195]

Interface

• Hid the download button for bundles pushed to static environment, as these are not downloadable. [#26542]

Fixes

• All edits to the System Template will create an offshoot layout instead of modifying the template itself. [#26415]
• Updated starter image: The Language Variable Content Type has been flagged in the starter as not being a system type, enabling user creation of this content. [#25891]
• Limited users with appropriate permissions can now create Content Types on the System Host. [#25296]
• Custom Layouts now always push with their associated Page, even if selecting a Push Publishing filter that does not include Templates. [#22385]

Fixes

• Reserved names are now evaluated in case-insensitive fashion, for improved consistency. [#26796]
• Relationship fields' maximum variable lengths have been extended from 35 to 255 characters. [#26605]
• The presence of a non-required Site/Folder field in a Content Type no longer causes duplication of contentlets of that type to fail. [#26459]
• The Workflow API can now archive content successfully. [#22921]
• Fixed reserved-name protection for identifier and inode. [#22372]

Fixes

• Publish Date parameter no longer prevents the scheduled content from being exported. [#27007]
  • Also fixes a related issue that prevents export while filtering by a large number of categories.
• Changed default Pub/Sub provider value in line with recently built Pub/Sub architecture. [#26706]
• Folder permissions are now properly editable on an individual basis, even if the folder uses a legacy inode. [#26693]
• Fixed improper encoding of Cyrillic URLs via Vanity URL redirect. [#26640]
• Relationship fields now respect and reflect the order in which related contentlets are received via Workflow Action. [#26439]
• The sysPublishDate field has been restored to the ElasticSearch object; it now indexes and queries properly. [#25233]
• Languages API no longer throws 400 errors when duplicates of non-unique keys exist. [#24082]

Enhancements & Adjustments

• Debug logging has been added to the SASS compiler's execution process, to better reflect and diagnose any problems it encounters. [#27008]
• Added indexes to the databases responsible for inode and identifier lookups, improving lookup performance by a factor of as much as 4600x on large sites. [#26926]

Fixes

• Resolved a bug capping the number of sites the site selector would display to limited-permissions users. [#26980]
• Fixed GraphQL caching, which now behaves in the expected manner. [#26970]
• GraphQL now returns Date & Time fields in the correct, system-standard format. [#26890]
• Restored the catalina.out Velocity log, once again visible in the Log Viewer. [#26934]

Enhancements & Adjustments

• Implemented new session-sharing library; now sessions can be serialized and replicated as needed across servers in a cluster. [#24291]
• The JSON viewtool now supports all JSON data types, rather than just strings. [#21529]
• The SASS compiler has returned to minifying CSS output by default. [#24227]
• A set of probes — for startup, readiness, and liveness — has been defined for dotCMS instances running on Kubernetes. [#24885]

Fixes

• Fixed issue that could newly created content to disappear from a Page not using the default language due to the new content's failure to inherit the correct language value. [#18575]
• Velocity2 cache no longer stores empty containers from non-existent language-versions of the content in question, leading to existent language-versions showing up as blank. [#22534]
• Relationship fields now properly update via Workflow API calls. [#24167]
• Added check to prevent Date fields from being deleted while they're in use as the Publish or Expire Date for a Content Type; this prevents misbehavior related to lingering references to a nonexistent field. The fields have been exorcised and warded against such ghostly doings. [#24266]
• The Content Palette no longer includes archived content. [#24292]
• Tightened up the Block Editor's default rendering behavior, preventing the addition of a trailing space after marks and hyperlinks. [#24406]
• OSGi framework has been adjusted to restart less often, in many cases not needing to at all. [#24468]
• Beefed up URL-Mapped content resiliency; now, if a detail page is deleted or otherwise broken, and/or a URL map pattern is absent for a given Content Type, you'll still be able to view those pages. Of course, you'll want to fix that situation, but at least you're not throwing 404s in the meantime. [#24490]
• Added keepalive calls to prevent a case where the Log Viewer connection could time out. [#24775]
• starter.zip files should now import and export properly in all cases. [#24874]
• MonitorResource no longer throws exceptions if DOT_SYSTEM_STATUS_API_IP_ACL is not set. [#25613]
• Removed the 255-character limit on the validation of text fields; this was likely to affect, for instance, Vanity URLs with very long addresses. [#26774]
• Pub/Sub architecture now defaults to SSL connections, preventing failures when interfacing with PostgreSQL instances that only accept SSL. [#26481]

Content

• The Block Editor gains a bit more vertical perspective, now accepting superscript and subscript marks. [#25489]
• Added a button to preview URL-Mapped content in Edit Mode; it can be accessed from the task menu when editing a contentlet. [#23955]

Enhancements & Adjustments

• Added two-second delay on invalid login — i.e., a nonexistent user — similar to the behavior on receiving an incorrect password. [#23903]
• Added indexes to Workflow database tables, significantly improving query performance. [#24086]

Fixes

• Modifying a template no longer removes content from page columns, unless the column or container was expressly removed. [#23181]
• Fetching language keys for an unsupported language now falls back to default administrative language configured from the System → Configuration tool, rather than the default content language configured through the Types & Tags → Languages tool. [#23777]
• Large numbers of Site Search indexes no longer cause errors when loading the index list. [#24816]
• WYSIWYG fields are now once again able to reference images via their virtual path. [#24894]
• CMS Admin role can view all bundles, regardless of who created them. [#25127]
• The image processor now retains and respects a certain user-specified resampling parameter (resize_ro) through the entire method call, rather than reverting to a default due to a missing link in the chain. [#25193]
• On a Relationship field with the showFields field variable set, Binary and Image fields now properly display thumbnails instead of paths. [#25411]
  • Likewise, if one included field is the title field, the correct value for each title will be displayed, instead of displaying the value of the first in the list across each. [#25870]
• Creating a new field with the same name, but different type, than a previously deleted field now correctly generates a new identifier for the field instead of incorrectly reusing the previous one. [#25827]
• Filtering in the site selector dropdown will always prioritize exact matches. [#24921]
• The current contentlet no longer appears in the Block Editor's contentlet searches, to prevent embedding recursive embedding — the finishing touch to our efforts to safely disarm Russell's Paradox. [#24797]

Enhancements & Adjustments

• Built new PostgreSQL Pub/Sub listener to replace the impossibl Postgres driver with a vanilla one. This gives us a better diagnostic view of the process, and helps rule out some factors in rare but difficult-to-diagnose cases where the driver fails to connect. [#26019]
• Implemented new session-sharing library; now sessions can be serialized and replicated as needed across servers in a cluster. [#24291] [#24294] [#24990] [#25541] [#25570]
• Added to the Maintenance pane the ability to restart not only a dotCMS instance, but an entire cluster. [#22507]
• The /api/v1/categories endpoint now accepts the query parameter showChildrenCount=true to show the number of children in a category. [#23254]

Visual Fixes

• Personas no longer appear in Tag lists with a separate and distinct icon than other tags; a tag is a tag is a tag. [#26159]
• Reinstated title bar to query dialogs on content search screen. Repaired their styling, too. [#23554] [#23739]

Fixes

• Elasticsearch queries no longer add :persona to a Tag field that also happens to be a Persona. Whereas the :persona appendage had been stripped of its meaning and function earlier this year, in release 22.03, this is mostly a bit of tidying up. [#26158]
• Suggestion lists for Tag fields now properly collate tags from content deeper in the folder structure, rather than just the site root. [#26131]
• Radio-button fields with the Data Type set to True/False now correctly evaluate values of 0 or 1 as valid boolean values in Elasticsearch queries. [#26046]
• Unnecessary XML encoding has been removed from environmental variables that originate from the Tomcat access log file. [#23669]
• Widgets with WYSIWYG fields set to Code view no longer encounter value length errors when saving. [#21855]

Content

• The Block Editor now supports h4, h5, and h6 headings by default. [#25660]
• On an export, users now have the option to exclude old versions of dotCMS content, outputting only live and working/draft versions. [#25510]

Enhancements & Adjustments

• Added a feature to map legacy SAML configuration IDs to site IDs, storing this as an App secret on a host, and using it to facilitate login URL routing. [#25636]

Fixes

• Downloading a starter from the back end is now a streamed process that begins as the assets are being incorporated into an archive. This prevents timeouts under certain administrative setups — such as running dotCMS behind a load balancer — and limits the danger of the destination container over-allocating space in the case of multiple requests. That's a mouthful, but two birds with one stone merits a yarn. [#23733]
• In the Job Scheduler, the default Site Search index is specified with (Default) appended to its alias. This caused the Job Scheduler to throw an error when adding a new reindex to the schedule, until that additional text was manually cleared. Well, that snag has been fixed. [#24176]
• The Copy URL button at the top of the page viewing mode interfaces now copies the whole URL, and not just the path. [#24683]
• Improved debouncing on undo/redo operations in the Block Editor; the number of undo or redo steps should now more or less conform to expectation. [#24716]
• NavTool's getNav method now returns only published links. [#24829]
• Mending conflicts with the Integrity Checker will no longer result in null values on contentlet_as_json database fields. [#25229]
• Pushing a newly created folder as a limited user with appropriate permissions no longer fails. [#25371]
• When performing a “Publish (all)” on its contents, a folder will no longer flop and bellyache to draw sympathy from the referee. [#25440]
• The Block Editor's hyperlink search feature now respects non-default languages. [#25567]
• Pagination has been restored to Content API calls with the /related path parameter. [#25666]
• Uploading multiple files will now respect the language filter when assigning the files a system language, instead of defaulting to English. [#25797]
• Creating a version of content in a second language no longer removes all related content from all language versions of that contentlet. [#25896]
• Content API and Elasticsearch queries now properly return metadata keywords. [#25618]
• Fixed an issue that would cause the Block Editor, on Chromium-based browsers, to represent content pasted from a Word document as an image rather than a sequence of blocks. [#25726]

Content

• The Page API now accepts a depth parameter, permitting access to related content through contentlets embedded on a Page. [#18123]

Enhancements & Adjustments

• Added new Show Preview button to the page viewing mode screens; you can now view a fully rendered preview of your changes in a new tab, outside of the context of the dotCMS back end. [#23948]

Fixes

• The presence or absence of a trailing slash in URLs no longer yields a different result, such as a 404 response code. [#23276]
• When changing the language of a piece of content, it will likewise alter its relationships to point to versions of subordinate contentlets in the same language, where available. [#24415]
• Corrected a Javascript console error preventing the contextual menu from functioning when right-clicking a role name in the Roles & Tools tool. [#24424]

  Note: If you are using a version affected by this bug, you can still use the operations of that menu through the + button's dropdown menu while the role is selected.

• Stopped Sites now correctly display on the Site Selector; only archived Sites are hidden. [#25120]
• Fixed an error preventing the display of a contentlet containing an empty Block Editor field. [#25121]
• Fixed Site Browser sorting; the default pattern is to show folders first, alphabetically, and then all other items in the current folder by descending modified date. [#25136]
• The presence of language query parameters was interfering with attempts to correctly render images when performing a static Push Publish. We've added a workaround to ensure all images render statically in a multilingual context. [#25217]
• Mending conflicts with the Integrity Checker will no longer result in null values on certain database fields. [#25224]
• WYSIWYG fields now accept images regardless of whether the content is in the default language; after all, even with language barriers, it's not hard to convey that you want to have your picture taken. [#25258]
• The sorting listener on Key/Value fields has been made field-discrete; this prevents a situation where sorting keys in a contentlet with multiple Key/Value fields could cause the two fields' data to combine. [#25402]
• The date-format mismatch identified in [#25008] had been fixed in API responses, but persisted in Velocity contexts; this fixes it there, too. [#25293]
• Added a user limitation to the admin panel's nav update event, to limit calls to the menu endpoint and prevent usability issues. [#25556]
• Specified tag_inode table column insert order on an upgrade task to prevent an issue when upgrading between 23.01 LTS patch releases. [#25720]
• OPTIONS requests to REST APIs no longer generate a 500 error status, and now return proper CORS headers. [#25775]

Dependencies, Components, Etc.

• Removing old Dojo resources from packaging. [#24840]
• Removing old jaxws libraries no longer in use. [#24843]

Enhancements & Adjustments

• Added a new $dotsecrets viewtool to pass sensitive data through Velocity. [#23175]

Fixes

• Fixed the retrieval of Personas via Lucene query; persona tags neither require, nor yield different results with, :persona appended to the tag name. [#22872]
• When using the tasks page's “hamburger” button (⋮) menu, the Publish action now fires directly — i.e., the expected behavior — instead of opening the Push Publish dialog. [#23395]
• The image editor's Download button is now once more hunky-dory. [#23924]
• Users with an ID length of more than 36 characters are no longer prevented from locking content. [#24133]
• Fixed a date-format mismatch between an old format used in some places and a new one in others. [#25008]
• Creating content in more than two successive languages without leaving the content editor no longer throws an error. [#24286]
• Folders no longer fail to push publish if they contain archived content. [#24705]
• For those who prefer Podman over Docker: File assets now upload properly to dotCMS containers managed via Podman. [#24937]
• Resolved an issue that caused content to push publish to a working (draft) state instead of a live state in the specific case where an alternate-language version of that same content exists in an archived state. (That sentence went through like eight drafts; you need to take a deep breath before summarizing a bug this particular.) [#25044]
• getResizeUri method now returns valid URLS for a resized binary image — no more double-slash shenanigans. [#25203]
• Fixed an issue preventing Templates from saving. [#25212]
• The Block Editor's content & asset search is no longer intimidated into silence by certain non-alphanumeric character inputs. Dash all you want; it won't flinch. [#25230]

Breaking Changes

• Fixed a permission error that prevented a user with a custom role with appropriate permissions from using Workflow API operations. While this will not change observed behaviors, permissions-based fixes are generally classed as breaking changes due to how they may affect the hypothetical user working around them. [#23199]

Content

• Added video blocks to the Block Editor. Import videos either from your dotCMS file system, from your local files, or elsewhere online, and situate them within your Block Editor field's content. These videos are stored as full dotAssets, and can be reused freely. Default video rendering settings live in dotVideo.vtl, alongside other rendering defaults in /velocity/static/storyblock/. [#23863] [#23436] [#24465]

Enhancements & Adjustments

• The Block Editor's image-block popup now includes a tab for uploading a local file. [#23237]
• The paragraph block has been removed from the configurable Allowed Blocks list, to better convey its inviolable “default block” status. [#23764]

Fixes

• Whitelisting a block on a Block Editor field will no longer result in error when adding images to that field. [#23920]
• Solved rendering issue with fields converted from WYSIWYG to Block Editor that contain code. [#24422] [#24230]
• Fixed issue that could potentially cause errors when push publishing a Block Editor field. [#24299]
• Solved rendering issue with fields converted from WYSIWYG to Block Editor that contain code. [#24422]
• Block Editor now no longer allows recursively adding a contentlet to itself, which could render the content unrecoverable. [#23846]
• WYSIWYG Editor no longer throws errors when inserting an image with a different default site language than the editor. [#24285]
• Removed a wide assortment of unnecessary cache invalidations when saving and/or updating content. This also counts as a performance optimization, though we shall list it as a fix for reasons of honor. [#24781]
• Restored behavior whereby the file browser dialog shows files in the default language as a fallback if they do not exist in the requested language. [#24444]
• Push publishing will now properly respect timezone selections made from the dialog in the Publishing Queue's Bundles tab. [#25037]

Enhancements & Adjustments

• Significantly shortened startup time by optimizing vanity URL loading procedures. [#23982]
• Image permits, which control the number of threads dotCMS's image editor can occupy at once, have been made more permissive through better use of caching. They are now less likely to cap out on routine operations, without compromising their intended purpose of easing system resource burdens. [#23807]
• Increased number of password hash iterations from 20,000 to 600,000, in line with current OWASP recommendations for a SHA256 algorithm. [#23915]
• Changed the way JSON Web Tokens are handled, removing an issuer check and replacing it with additional reliance on jwt_secret.dat. This makes possible the use of the same JWT tokens across multiple environments. [#24395]

Fixes

• Block Editor fields that had been converted from WYSIWYG fields save all changes correctly. [#24565]
• Image fields now filter properly according to user input. [#23449]
• Resolved errors resulting from blanking an existing date field or checking “Never” on an expiration date field. [#22667] [#22350]

  Note: Originally appeared in 23.01 agile; the issue was subsequently reopened and underwent a bit more work.

• Fixed issue preventing content with double quotes in its title from displaying properly in a Relationship field. [#23396]
• Leaving the “publishing” Date/time field blank on content preset for scheduled publishing, no longer causes that content to re-publish if unpublished. We determined this behavior was simply too silly. [#24344]
• Permissions tabs — appearing in folder properties, contentlets, templates, etc. — no longer fail to load. [#23889]
• Fixed an update task that absolutizes container paths: It erroneously added the site to the same path multiple times in certain situations. Well, not anymore. [#24436]
• Copying a folder that contains Pages with both live and draft versions will no longer result in an error; duplicate your folders fearlessly. [#24441]
• Created a background task to ensure the proper conversion of legacy content to the contentlet_as_JSON schema for those upgrading from years-old versions. [#24093]
• Fixed PostgreSQL error observed in upgrades from 22.03.4 LTS to 23.01.1 LTS. [#24380]
• Improved publishing procedures for environments with many locales and relationships, preventing slowdowns. This sounds like it should be under Enhancements, but those slowdowns could get pretty significant. So, here we are. [#24245]

dotCMS 23.01.1 is the official designation of dotCMS 23.01 as a long-term supported release.

Representing the vast sum of changes since 22.03 — ten months of wild-eyed development, birthing new features with prophetic zeal — this roundup is large enough that we'll soon be reorganizing the changelog layout to accommodate this and, indeed, others like it.

For the moment, you'll find the new patches to 23.01 in the first section; underneath that, a feature rollup covering everything new from 22.05 through 23.01.

Finally, for a more conversational look at the LTS-to-LTS changes, check out the announcement on our blog!

LTS Patch (Changes Over 23.01)

Enhancements & Adjustments

• You can now enable multiple user IDs to possess the same email address by setting the environment variable DOT_SAML_ALLOWUSERSWITHDIFFID_REPEATEDEMAIL to true. [#24138]
• S3Client can now be configured to interact with Simple Storage Service (S3) object stores other than Amazon S3. [#22151]

Fixes

• File Browser now properly displays multilingual content, not limited by the configured user-interface language. [#24358]
• Fixed File Browser display behavior; now displays Page and file assets in expected fasion. [#24272]
• Corrected the exclusion of two asset directories from back-end exports; both are now present and accounted for. [#23810]
• Resolved issue preventing latest upgrade for MSSQL database users. [#23761]
• Categories are no longer removed from content mass-imported via CSV file. [#23440]
• Language parameters update correctly when redirecting via Rule. [#24158]
• Widgets now correctly display in non-default languages on working (i.e., draft) versions of Pages. [#24059]
• Fixed issue preventing saving content in a secondary language while a working/draft version exists in the default language. [#23280]
• CSS files now push publish to S3 buckets without issue or compilation error. [#24351]
• Navigation no longer shows duplicate results — both requested and default languages — when requesting multilingual content in the non-default language. [#23890]

(Un)Breaking Changes

• The dotcache directive no longer caches objects declared with set directive within the block; caching of generic objects should be handled manually through the Dotcache viewtool. Note that this is a breaking change if upgrading from 23.01, which introduced the behavior, but not for any previous version — that is, it effectively unbreaks the change of agile 23.01. [#24075]

LTS-to-LTS Feature Rollup

Below are the key changes of note since the last LTS. For a lighter summary, see 23.01.1 LTS: The Upgrade to Upgrade To, on our blog.

Content

• Added the new Block Editor field. [Many!]
  • Create and edit content as self-contained “blocks” stored as portable JSON, well suited to either headless or traditional use.
  • Choose from a variety of block types: paragraphs, headings, images, lists, tables, block quotes, and more.
  • Can contain and display contentlets created in dotCMS — with user-defined rendering, whitelisting, and automatic updating.
  • Fully editable inline in Edit Mode.
  • Transform WYSIWYG fields into Block Editor fields at the push of a button.
• Added ability to copy Content Types. [#21697]
• Removed limit on number of widgets or forms displayed in Content Selector popup. [#21811]
• Implemented storage of content info as JSON for MSSQL databases — as previously implemented for PostgreSQL. [#21219]
• A Push Remove Now action has been created to facilitate push-removal within a workflow. [#22021]
• Image paths can now be copied from Site Browser context (right-click) menus, using the new Copy Path item. [#22146]
• Introducing the new JSON Field, an easy way to store and access JSON data. [#22829]
• When performing a “shallow push” — i.e., Push Publishing with the “Only Selected Items” filter selected — tree entries are included in the push. This renders the behavior more intuitive in certain cases. [#18742]
• Unique fields on global Content Types can now be specified as unique globally or unique per site. This is handled via the uniquePerSite field variable, which defaults to false. [#21781] [#22250]
• Added ability to create a whitelist of acceptable keys for Key/Value fields. [#19562]
• It is now possible to retrieve parent content through a child contentlet's Relationship Field by using Lucene queries.[#22319]
• System content:
  • Certain System fields in certain Base Content Types have been rendered user-removable. [#15847]
  • Removed various system fields — tags, categories, relationships, constants, host, and folder — from the immutable JSON object storage in the database. Folder and host are passed in during the construction of a contentlet; the rest are loaded lazily. [#21858]
  • Moved the System Template and System Containers to velocity's static WEB-INF/velocity/application path. #21265

Enhancements & Adjustments

• Velocity improvements:
  • We've built a new Velocity Playground developer tool, allowing users to easily test and preview Velocity snippets before deployment. Debug with gusto — maybe even élan! [#23610]
  • Caches storing all Velocity macros now flush and refresh according to a more eager strategy, triggered either by flushing the Velocity2 cache manually via the System → Maintenance panel, or by editing any dot_velocity_macro.vtl file. [#22297]
  • Added a method to assign categories to content via Velocity, usable in a Workflow via Velocity script actionlet. [#23009]
  • It is now possible to read field variable key-value pairs from within Velocity, allowing evaluation at load time from your Velocity template files — and giving user-defined field variables more utility. [#22618]
  • Added new $dotcache Viewtool, a generic object cache, permits a wide assortment of highly convenient caching and storage behaviors! [#23037] [#23430] [#23431] [#23432] [#23575]
  • Added $dotContentMap, a built-in Velocity content object that lets you access content in a container without performing a pull.
• API improvements:
  • Added a new API Playground tool to the Dev Tools, built using Swagger. [#22298]
  • Refactored HostAPI: Improved caching and respect for permissions; now reliant on the database instead of ElasticSearch, and on variable names instead of Content Type names. [#21476]
  • Metadata for Binary Fields is now exposed through API responses. [#23552]
  • Push Publishing filters can now be added or updated via a REST API call. [#21823]
  • Added new API endpoints for creating, reading, updating, or deleting containers. [#21626]
  • Permissions operations now have REST API endpoints. [#22524]
  • New /api/v1/page/copyContent endpoint allows copying of content in the context of a page, duplicating the object and editing the tree entry. In other words, this is a “Save as Copy” method that allows content to be modified for a single page rather than all pages. [#23224]
    • Added in the same breath: New /api/v1/page/{pageIdentifier}/_deepcopy endpoint allows a “deep copy” of an entire page — copying both the page itself and all content contained therein.
• Edit Mode Anywhere changes:
  • Now works in AWS Amplify and other hosting platforms. [#21877]
  • No longer sends the page.rendered property on POST unless enabled in the app. [#21786]
  • URL Override plugin's functionality is now part of the core, available out of the box. [#21713]
• Logging:
  • The log viewer has been rebuilt for performance and reliability. [#23043] [#23042] [#22968] [#22978] [#23039]
  • Additional logging has been added to SAML operations. [#23048]
  • Pulled various log messages that are more on the “noise” than “signal” end. [#23757] [#22144] [#23781]
• User experience tweaks, simplifications, etc.:
  • Enter key now activates the primary action — e.g., Next, Submit, etc. — for all dialogs in the system. [#19158] [#22566]
  • Improved clickability when relating content — click anywhere in the list's rows to toggle!
  • Add custom content tools to traditional navigation through a simple menu option in the Content Type list, or through API calls. [#21797]
  • In the traditional interface, clicking on an entry in the Categories menu now provides a list of child categories, for improved navigation. [#23252]
  • Angular dropdown menus, such as the site selector, now allow for keyboard navigation. [#22835]
• Changed folder handling to enforce knowable & consistent folder ID behavior. [#21801]
• Replaced Vanity URL base content type's Site field with a Host Folder field. [#21889]
• The Multipart Web Interceptor plugin, which scans multipart or form requests that use PUT or POST to upload files, has been fully integrated into the core product. [#21854]
• Date and time fields have been modified in MSSQL databases to take into account time zones. [#21169]
• Versions of the same content across different languages can now display publishing dates distinct from one another. [#21518]
• Updated dot-binary-file web component to support the maxFileLength attribute. [#18019]
• Image filter scale has been mapped to the resize filter that replaced it, improving backwards compatibility. [#22463]
• Switched to using Tomcat's RemoteIpValve for DNS resolution. [#19569]
• Updated the Next.js starter: Upgraded to the latest Next.js version, and reviewed compliance with community guidelines. Read more about using dotCMS with Next.js on our blog. [#22992][#22994][#22995]
• Added an app that implements the prerender.io filter as a WebIntercepter and allows a user to configure prerender via Settings → Apps → dotCMS prerender App. [#20903]
• Now compatible with Husky. [#21857]
• Various performance improvements!
  • Optimized routines for bulk adjustment of permissions. [#19358]
  • Removed performance drag from supporting on-the-fly configuration changes via file watchers and other blocking patterns, which are unsuited to a containerized paradigm. [#21619]
  • Sped up the process of fetching a piece of content's categories via Velocity. You might say we've increased its Velocity. Stop frowning at me. [#22864]
  • Implemented lazy loading for workflow histories to improve load times for history-rich content. [#22068]
  • Tomcat no longer performs scans for Tag Library Descriptor files at startup, speeding up initialization. [#22716]
  • General library-driven improvements to paste behavior across a variety of fields and data types. [#22019]
  • Related content spanning multiple locales has been made more performant, shortening load times. [#22910]
  • Added DOT_IMAGE_GENERATION_SIMULTANEOUS_REQUESTS environment variable to limit the maximum number of threads image processing can consume. [#23384]

Visual Adjustments

• “Paper” layering styles (e.g., gaps and drop-shadows) removed from back end, reclaiming some space. [#23369]
• Significant cleanup operations and general improvements have been undertaken on the user interface for Containers. Error messages, toasts, layout elements, context menus, and more have received some TLC for a cleaner and smoother user experience. [#23141] [#23142] [#23143] [#23144] [#23146] [#23200]
• “Break lines, not layouts!” The field variable interface now handles lengthy keys and values more gracefully; long text now wraps to additional lines within invariant columns. This supersedes the old behavior of “plunging into chaos.” [#23119]
• Page titles now update to display the name of content being edited; multitab without fear! [#21701]
• Fixed cases of contextual menus cutting off at the bottom of their parent display pane. [#21979] [#23461]
• Replaced browser-native alert() message box after user account changes data in the My Account dialog. [#22276]
• When changing a password, verbose error message now displays when new password does not meet security requirements. [#22204]
• Fixed pagination errors on the UI site selector; now displays a maximum of 15 results at a time, with live text filtering of choices. [#22734]
• Slight adjustment to the styling of cards in the Apps section. [#23367]
• The read-only system container and system template are now more visually clear as to this status, with a greyed-out color scheme and contextual buttons removed. [#22216] [#22217]
• Pagination now displays properly when querying related content by REST API. [#22236]
• Updated labeling to more clearly distinguishing between a “key” and a “token” in the user interface — a subtle but “key” difference! [#23007]
• Push publishing queue displays all bundles, even when one or more fail to publish. [#23062]
• Removed extraneous descriptive text from dropdowns in Edit Mode. [#23406]
• Date and Date/Time fields now highlight the current date. [#23551]

Dependencies, Components, Etc.

• JSON handling: Removed GSON in favor of Jackson. [#21641]
• Updated ProseMirror, TipTap, and Tomcat. [#22058] [#21849]
• The version of Java used in docker images has been updated. [#22426] [#22852]
• Upgraded Nx and Angular. [#22337]
• Updated Dojo. [#22132] (Note: Also listed under Breaking Changes.)
  • Smoke-tested Dojo update. [#22885]
• Moved from Libsass to Dart Sass for SASS/CSS compilation. [#22196]
• Tomcat native library location has been fixed for Apple M1 contexts. [#22893]
• Updated GNU General Public License text. [#23352]
• PDFBox library updated to 2.0.27. [#23384-comment]
• Stabilized internal Tomcat path to prevent breaking changes on minor-version updates. [#23407]
• Removed unused jsass and Apache commons text libraries, to avoid flags associated with the text4shell vulnerability. Although dotCMS was never susceptible to said vulnerability, we thought it best to avoid even the suggestion of it. [#23475]
• Upgraded the PostgreSQL JDBC driver. As with the previous bullet point, this resolves a vulnerability that did not strictly affect dotCMS. [#23531]
• We've carved npm out of the front-end build process and wrapped the latter in a Maven module, as a first step toward using Maven for the full build. [#23556]
• ⚠️ MSSQL database support is deprecated ⚠️; 23.01 will be the last LTS major version to support MSSQL.

Plugins

• Improved OSGi plugin loading in server-cluster context. [#21882]
• Fixed error preventing OSGi plugin undeployment. [#21879]
• Fixed ability to upload multiple OSGi assets at once. [#21685]
• Fragments now only load when forced. On uploading, dotCMS reads the Export-Package from the fragment manifest, adds this to the OSGi-extras file, then moves the fragment to the undeployed folder and restarts the OSGi framework. This prevents interference with other plugins and allows OSGI to be cleanly started. [#22055]
• Created new OSGi system framework for loading system bundles — minimal, speedy, and stable. [#22184]
• Override plugin now starts correctly in certain prior versions. [#22043]

Development Improvements

• Migrated Actions to monorepo. [#21761]
• Improved test times. [#22495]
• Consolidated build jobs. [#21755]
• Migrated Postman tests to GitHub Actions. [#21758]
• Resolved vulnerabilities and identified by SonarQube. [#23405]
• Updated GitHub Actions code in response to command deprecations. [#23332]
• Update tasks have been updated and backported, improving maintenance of future LTS releases. [#22916]

Breaking Changes

• Replaced repackaged JSON-handling classes with more tractable code. [#22118]
• Updated several default configuration values, such as disallowing HTTP by default. [#22006]
• Removed unnecessary Spring jars for better parsimony and tidiness. [#21944]
• Initial admin password is now an automatically generated, non-guessable password recorded in the logs. Setting the configuration option INITIAL_ADMIN_PASSWORD can allow for overriding the generated password with a preset one. [#21916]
• Moved to using Gradle 7.3.3 in the build scripts. [#21684]
• AspectJ has been removed. Instead, Bytebuddy is now inited at runtime and rewrites the bytecode to weave the annotations into the classes. Additionally, ByteBuddy does not need to be included as a java agent. [#21684]
• By default, dotCMS no longer follows redirects when accessing remote URLs programmatically. This change is configurable, and can be reversed by setting the REMOTE_CALL_ALLOW_REDIRECTS property to true. [#22512]
• Updated Dojo. [#22132]
• Removed unused MySQL and Oracle drivers; users relying on either of these will need to provide their own drivers in their plugins. [#23531-comment]