5.10.2

• Updated Twig to 3.26. (#18924, #18926)
• Fixed a bug where editable tables registered unexpected debug toolbar output. (#18895, #18902)
• Fixed a JavaScript error that occurred when pasting nested entries within Matrix fields in Blocks view. (#18912)
• Fixed an error that could occur when editing elements on Apache servers. (#18923)

6.0.0-alpha.4

• Added support for plugins to register Laravel scheduled tasks that run via php artisan schedule:run.
• Updated yiisoft/html to 4.1.0. (#18920)
• Updated elvanto/litemoji to 5.2.0. (#18917)
• Updated pragmarx/google2fa to 9.0.0. (#18919)
• Fixed an error that occurred when opening element selector modals with string sources values. (#18915)
• Added “Elements” and “Deprecations” panels to Laravel Debugbar. (#18897)
• Fixed a bug where legacy redirect responses were not being returned as a redirect (#18893)
• Fixed an error that could occur when saving filesystems with null transient settings. (#18909)
• Fixed a bug where plugin routes were not being registered with the web middleware.
• Fixed an error that could occur when storing image transform indexes. (#18899)
• Fixed an error when loginPath or logoutPath was set to false in GeneralConfig. (#18894)
• Fixed a bug where plugin-registered Twig variables weren’t available via the craft template variable. (#18903)
• Fixed an error that occurred when using the legacy cache service with a new dependency object (#18904)
• Fixed a bug where clearing submitted values could retain the previous value. (#18905)
• Fixed a bug where a legacy Yii action controller would result in a 404 when returning null as the response (#18907)
• Fixed an error that could occur because ol and ul were not normalizing the attributes (#18907)
• Fixed an error that occurred when trying to upload an asset through a legacy filesystem plugin (#18908)

6.0.0-alpha.3

• Added the compiledTemplatesPath config setting. (#18861)
• Added a missing migration that adds minAuthors to the section table (#18875)
• Fixed a bug where the cpTrigger would be appended twice to the URL after running migrations from the control panel. (#18858)
• Fixed an error that occurred when rendering element indexes with blank source headings. (#18891)
• Fixed an error that occurred when uninstalling plugins. (#18862)
• Fixed an error that could occur when Control Panel HTML values were passed as Stringable objects. (#18883)
• Fixed a bug where plugin package config files could affect plugin settings before being published. (#18885)
• Fixed a bug where the control panel would continuously poll for queue job info, even if there were no active jobs. (#18853)
• Fixed a bug where legacy redirect responses were not being handled. (#18860)
• Fixed a bug where email addresses couldn’t be saved when applying unpublished user drafts. (#18882)
• Fixed a bug where the Updates utility wasn’t showing available updates. (#18884)

5.10.1

• Fixed a bug where assets’ Alternative Text values weren’t always being set when replacing an existing asset’s file. (#18713)
• Fixed a bug where element indexes had horizontal scroll bars while loading. (#18870)
• Fixed a bug where elements selected by Link fields weren’t getting replaced with their localized versions when propagating content for newly-created elements to other sites. (#18743)
• Fixed a bug where it wasn’t possible to replace the selected element within Link fields with a localized version of the same element. (#18873)
• Fixed a bug where nested entries weren’t getting their Post Date values set. (#18872)
• Fixed a bug where it was difficult to interact with element source paths within element selector modals. (#18876)

4.18.0.1

• Fixed a bug where the |default filter only accepted string values. (#18886)

6.0.0-alpha.2

• Added support for SQLite backups and restores. (#18803)
• Added support for Symfony-style array config files in config/craft/sanitizers/. (#18808)
• Added support for configuring the system time zone during installation. (#18794)
• Added the legacy paginate Twig variable back.
• Added CP access permission checks to Control Panel action routes.
• The craftAsset() Twig function now resolves to Vite versioned assets. (#18801)
• Renamed the |money Twig filter’s formatLocale argument to locale.
• Deprecated the csrfTokenName, enableCsrfCookie, and enableCsrfProtection general config settings. (#18806)
• Removed support for the Debug Toolbar. Laravel Debugbar can be used instead. (#18812)
• Improved Control Panel icon loading performance.
• Fixed a PHP error that occurred when saving a Structure section with a Max Levels value. (#18809)
• Fixed a bug where plugin settings pages were missing registered scripts and styles. (#18815)
• Fixed a PHP error that occurred when saving an entry type. (#18816)
• Fixed an issue with Typecast where typed setters wouldn't have precedence over private properties.
• Fixed a bug where Control Panel templates failed to load on Windows due to mismatched directory separators or drive-letter casing in CraftCms\Cms\View\TwigEngine. (#18804)
• Fixed a bug where Craft’s Vite hot file configuration could override the host application’s Vite hot file. (#18810)
• Fixed a bug where CraftCms\Cms\Support\Typecast could give private properties precedence over typed setters.
• Fixed a bug where runQueueAutomatically wasn’t being respected. (#18817)
• Fixed a bug where CraftCms\Cms\Validation\Rules\EnvValueRule could parse boolean values incorrectly.
• Fixed a bug where Blade templates weren’t resolving correctly.
• Fixed a bug where console command aliases weren’t prefixed with craft:.
• Fixed a bug where element duplication included IDs.
• Fixed a bug where legacy action requests didn’t resolve correctly when using DefaultController.
• Fixed a bug where legacy controller CSRF validation exclusions weren’t always respected.
• Fixed a bug where legacy plugin settings weren’t saved correctly.
• Fixed a bug where legacy redirects and streamed responses weren’t forwarded to Laravel correctly.
• Fixed a bug where preview requests could write template caches.
• Fixed a bug where private templates couldn’t be used as section templates.
• Fixed a bug where the legacy Application::EVENT_AFTER_REQUEST event wasn’t triggered.
• Fixed a bug where the password reset email throttle applied to Control Panel requests.
• Fixed a bug where the Support widget could render unescaped HTML.
• Fixed a bug where Twig macros were allowed in sandboxed templates.
• Fixed a bug where user passkeys weren’t persisting.
• Fixed an error that occurred when validation errors stored in the session were plain arrays.
• Fixed compatibility issues with legacy element queries.
• Fixed compatibility issues with legacy fallback routes.
• Fixed legacy model behavior when unsafe config keys were provided.
• Fixed permissions enforcement when duplicating Matrix blocks.
• Fixed permissions enforcement when saving user fields through generic element save endpoints.
• Fixed a bug where a yii\base\InvalidConfigException would be thrown when a Yii2-based plugin registered an asset bundle. (#18818)
• Fixed a bug where using {{ successMessageInput() }} would not decrypt the resulting message for the flash message.
• Fixed a bug where a missing widget from an uninstalled plugin would throw instead of mapping to a MissingWidget.
• Fixed a bug where an address' ownership ids could be overridden unintentionally.
• Fixed a bug where getHasSsoIdentity() would return false when Socialite was not installed but the user had an SSO identity.
• Fixed a bug where the site's offline status was not being enforced on matched element routes.
• Fixed a user photo validation issue with file extensions.
• Fixed a bug where legacy controllers could return null but were not considered handled.
• Improved performance of the dashboard by reducing the amount of queries for widgets
• Fixed a bug where criteria added to clones of executed element queries could be ignored. (#18826)
• Fixed a bug where Yii2 behaviors registered from plugins weren’t getting attached at the right time. (#18824)
• Fixed an error that occurred when running craft:install in environments where Laravel Prompts can only render tasks statically. (#18830)
• Fix legacy model array access for null properties (#18843)
• Fix Twig access to Laravel error bags (#18841)
• Fixed a bug where singles were throwing an exception (#18845)
• Fixed a bug where plugin settings were not saving consistently (#18849)
• Fixed a bug where deprecated string-based orderBy() arguments could cause element queries to throw an unknown column exception. (#18852)
• Fixed a bug where Laravel HTTP exceptions weren’t passed to legacy error handler event listeners. (#18854)
• Fixed a bug where FieldLayouts were being flashed to the session as arrays. (#18847)

5.10.0

Content Management

• Collapsed Matrix blocks now show their entries’ UI labels as preview text, whenever possible. (#18484)
• Element-level actions within nested element management fields (Matrix, Addresses, etc.) now consistently affect all selected elements, when performed on a selected element. (#18561)
• Elements within Matrix and Addresses fields now have “Paste above” actions when a compatible element is copied. (#17406)
• Elements now keep track of the index page’s URL their edit page was linked to from, and explicitly redirect back to that page after save, rather than always redirecting to the referrer. (#18680)
• Addresses fields now have a “Copy all addresses” field-level action. (#18561)
• Matrix fields’ “Expand”, “Collapse”, and “Copy” field-level actions now always affect all nested entries, regardless of whether any entries are selected. (#18561)
• Matrix fields no longer have “Duplicate” and “Delete” field-level actions. (#18561)
• Number fields now show their selected currency beside their input, if their Preview Format setting is set to “As currency values”. (#18498)
• Color field previews are now blank for fields without a value. (#18614)
• Text condition rules now have “does not equal”, “is one of” and “is not one of” operators.
• Numeric condition rules now have “is one of” and “is not one of” operators. (#18734)
• Editable table columns now set min-width styles based on their configured widths, if set. (#18534)
• Entry post dates are no longer automatically set until the entry is fully saved as enabled. (#18642)
• Element edit screens now have a “Save as a new draft” action when editing an explicitly-created draft. (#18722)
• Address edit screens now have “Field settings” action menu items. (#18544)
• Asset edit screens now have “Volume settings” and “Filesystem settings” action menu items. (#18544)
• Entries’ “Entry type settings” and “Section settings” action menu items are now only shown for element edit screens’ primary action menus.
• Category indexes can now have “Group” columns. (#18553)
• Element slideouts now automatically refresh when the same element is updated in another tab/slideout. (#18625)
• Added the “Time Zone” user preference. (#8518)
• Element indexes now automatically refresh after duplicating elements and the queue is completed, if there’s an active search term. (#18636)
• Timestamps in the control panel now include their time zone abbreviation. (#18639)
• Generated field values are no longer truncated within element cards. (#18646)
• Assets’ Alternative Text values are now automatically set on upload, based on descriptive text data found in the uploaded file’s metadata. (#18744)
• When deleting elements, a modal window is now shown alerting the user of any potential issues, such as existing relationships. (#18728)
• “Verification Code” and “Recovery Code” forms no longer get auto-submitted when entering a value.
• Number columns within Table fields are now formatted according to the user’s preferred formatting locale. (#18823)

Administration

• It’s now possible to replace the selected custom field for existing field layout elements. (#18814)
• Sections now have a “Min Authors” setting. (#18662)
• Time fields’ “Max Time” settings can now be set to an earlier time than “Min Time”, for overnight time ranges. (#18575)
• Component chips within component select inputs now have “Replace” actions.
• Newlines in system message bodies are now replaced with <br> tags. (#18058)
• Added the --to-default option to resave commands. (#18522)
• Added the --method option to the users/remove-2fa command. (#18732)

Development

• Added the heading()/h() and h1()…h6() Twig functions. (#18524)
• The tag() Twig function now accepts a string for its second argument. (#18524)
• The |attr, |parseAttr, and |removeClass Twig filters no longer log warnings when performed on a string without an HTML tag. (#17622)
• The |default Twig filter and is empty Twig test now treat all yii\base\Model instances as not empty. (#18727)
• The |number Twig filter now has a locale argument. (#18823)
• The |time and |datetime Twig filters now have withTimeZone arguments. (#18639)
• The |timestamp Twig filter now returns the current time, if applied to a null/empty string value. (#18642)
• dataUrl() is no longer allowed in sandboxed Twig environments by default.
• delete GraphQL queries now have a hardDelete argument. (#18511)
• Entry postDate values are now null on creation, rather than set to the dateCreated value. (#18642)
• Assets’ url GraphQL fields’ immediately arguments are no longer deprecated. (#18581)
• JSON fields now support array values in POST data. (#18705)
• Added craft\filters\SecFetchSiteFilter for request origin verification. (#18641)
• craft\fields\data\LinkData::getUrl() now has an $anyStatus argument, which can be set to false to prevent a value from being returned if a disabled/pending/expired element is linked. (#18527)
• Markdown parsing now respects the first number of ordered lists. (#18671)

Extensibility

• Added craft\base\DefaultableFieldInterface. (#18522)
• Added craft\base\Element::EVENT_DEFINE_DELETION_BLOCKERS. (#18728)
• Added craft\base\ElementActionInterface::getTriggerId().
• Added craft\base\ElementInterface::deletionBlockers(). (#18728)
• Added craft\base\ElementInterface::setDirtyFieldTracking().
• Added craft\elements\PopulateElementEvent::$content.
• Added craft\elements\db\ElementQuery::$activeQuery.
• Added craft\elements\db\ElementQueryInterface::collectIds().
• Added craft\elements\deletionblockers\BaseDeletionBlocker. (#18728)
• Added craft\elements\deletionblockers\DeletionBlockerInterface. (#18728)
• Added craft\elements\deletionblockers\EntryAuthorsBlocker. (#18728)
• Added craft\elements\deletionblockers\RelationDeletionBlocker. (#18728)
• Added craft\errors\FieldNotFoundException::$fieldId.
• Added craft\events\DefineElementDeletionBlockersEvent. (#18728)
• Added craft\fieldlayoutelements\CustomField::setFieldId().
• Added craft\helpers\ElementHelper::belongsToCanonicalOwner().
• Added craft\helpers\Html::jsWithVars().
• Added craft\helpers\Markdown. (#18671)
• Added craft\models\Section::$minAuthors. (#18662)
• Added craft\queue\jobs\ReplaceRelations. (#18728)
• Added craft\services\Elements::REF_TAG_PATTERN.
• Added craft\services\Entries::reassignEntries().
• Added craft\validators\TimeValidator::$outOfRange. (#18575)
• Added Craft.CpScreenSlideout::reload(). (#18625)
• Added Craft.ElementDeletionManager.
• craft\elements\PopulateElementEvent::$row no longer includes fieldValues or generatedFieldValues keys.
• craft\helpers\DateTimeHelper::timeZoneAbbreviation() is no longer deprecated, and now has a $date argument.
• craft\i18n\Formatter::asTime() and asDatetime() now have $withTimeZone arguments. (#18639)
• Removed craft\controllers\AppController::actionResourceJs(). (#18559)
• Craft.CP now triggers a queueCompleted event when the last queue job is completed.
• Deprecated craft\controllers\UsersController::EVENT_DEFINE_CONTENT_SUMMARY. ([#18728](https...

4.18.0

Development

• The |default Twig filter and is empty Twig test now treat all yii\base\Model instances as not empty. (#18727)
• Added craft\filters\SecFetchSiteFilter for request origin verification. (#18641)
• dataUrl() is no longer allowed in sandboxed Twig environments by default.

Extensibility

• Removed craft\controllers\AppController::actionResourceJs(). (#18559)

System

• Cross-domain script tags added by JavaScript are now loaded directly, rather than via a proxy. (#18559)
• Updated the built-in composer.phar to 2.9.8. (#18761)
• Fixed a moderate-severity JavaScript injection vulnerability. (GHSA-c55v-343g-5xff)
• Fixed a moderate-severity path traversal vulnerability. (GHSA-287w-mxq6-x2cp)

5.9.23

• Updated Yii to 2.0.55. (#18833)
• Fixed a bug where the “Move…” asset index action was always disabled for files. (#18798)
• Fixed a bug where nested elements would get soft-deleted after running the entrify/global-set command on subsequent environments. (#18767)
• Fixed a bug where row headings within Table fields weren’t getting statically translated in the control panel. (#13703)
• Fixed a bug where entry type chips within Matrix settings could be missing their action items.
• Fixed a bug where custom field override settings’ Label, Handle, and Instructions fields could be missing their placeholder values.
• Fixed a bug where site name and language values set to environment variables were getting replaced with their resolved values when installing Craft. (#18780)
• Fixed a bug where site name values set to environment variables were getting replaced with their resolved values on save. (#18789)
• Fixed a bug where browser tabs weren’t always getting refreshed when nested elements were reordered on another browser tab.
• Fixed a bug where reordering nested elements on a draft could reorder them on the canonical owner element as well. (#18751)
• Fixed a high-severity XSS vulnerability. (GHSA-24x4-j6x9-rfw5)
• Fixed a moderate-severity XSS vulnerability. (GHSA-xrqc-p465-2xvg)

4.17.16

• Updated Yii to 2.0.55. (#18833)
• Fixed a bug where the “Move…” asset index action was always disabled for files. (#18798)
• Fixed a high-severity XSS vulnerability. (GHSA-24x4-j6x9-rfw5)