Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


Skip to content
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
  • Search
Skins
  • Light
  • Brite
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor

  • Default (No Skin)
  • No Skin
Collapse
Brand Logo

Cloudron Forum

Apps - Status | Demo | Docs | Install
  1. Cloudron Forum
  2. Grav CMS
  3. Grav CMS - Package Updates

Grav CMS - Package Updates

Scheduled Pinned Locked Moved Grav CMS
92 Posts 3 Posters 67.9k Views 4 Watching
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • girishG Offline
    girishG Offline
    girish
    Staff
    wrote on last edited by
    #81

    IMPORTANT Packages starting 1.8.6 to 1.9.0 have been revoked.

    1.8.6 - 1.8.13 - Upstream has removed all 1.7.50.x packages. See https://discourse.getgrav.org/t/upgrade-to-grav-v1-7-50-9-not-working/29222/4

    1.9.0 - had incorrect beta version update

    1 Reply Last reply
    0
    • Package UpdatesP Package Updates locked this topic on
    • Package UpdatesP Offline
      Package UpdatesP Offline
      Package Updates
      wrote on last edited by
      #82

      [1.9.1]

      • Update grav to 1.7.52
      • Full Changelog
      • GPM client now sends the running PHP version with index requests so the server can substitute PHP-aware compat fallbacks when a plugin's latest release requires a newer PHP than the client can run.
      • [security] Extended default uploads_dangerous_extensions to include md, yaml, yml, json, twig, ini page-content extensions that can be weaponised via permissive form-upload accept policies (GHSA-w4rc-p66m-x6qq, defense-in-depth alongside the Form 9.1.0 plugin fix).
      • Added foundation for migrating to Grav 2.0: cross-major auto-upgrades are blocked in GPM, and core now surfaces a next_major hint so admin can point users at the new migrate-grav plugin
      • Added compatibility: blueprint support so plugins/themes can declare which Grav versions they support
      • Added self-upgrade preflight that flags incompatible plugins/themes and psr/log / Monolog conflicts before proceeding
      • Added upgrade resilience with automatic maintenance mode and opcache reset during self-upgrade
      • Added new cache-cleanup CLI command to prune obsolete cache entries
      • Added new onFlexDirectoryConfigBeforeSave event for Flex
      • More readable time output in bin/grav logviewer #4009
      • Fixed selectize field losing values when keyed options were used
      1 Reply Last reply
      0
      • Package UpdatesP Offline
        Package UpdatesP Offline
        Package Updates
        wrote last edited by
        #83

        [1.9.2]

        • Update grav to 1.7.53
        • Full Changelog
        • [security] Direct web access to the user/accounts, user/config, user/data and user/env folders is now blocked outright in every bundled webserver config, closing a hole where files such as certificates, tokens and databases stored under user/data with an unlisted extension could be downloaded directly.
        • [security] A backup deny-all .htaccess now ships inside user/accounts, user/config and user/data so Apache installs stay protected even when the site root .htaccess has been customised or is out of date.
        • [security] The upgrade postflight now patches an existing stock root .htaccess to add the folder block automatically, so installs that updated from an earlier version are protected without editing the file by hand.
        • [security] URL query image transforms (such as image.jpg?resize=) are now turned off by default and, when enabled, refuse oversized dimensions above a configurable pixel limit, closing an unauthenticated denial of service where huge resize values could exhaust server memory.
        1 Reply Last reply
        0
        • Package UpdatesP Offline
          Package UpdatesP Offline
          Package Updates
          wrote last edited by
          #84

          [1.10.0]

          • Update grav to 2.0.0
          • Full Changelog
          1 Reply Last reply
          0
          • Package UpdatesP Offline
            Package UpdatesP Offline
            Package Updates
            wrote last edited by
            #85

            [1.10.1]

            • configure reverse proxy and custom base url
            1 Reply Last reply
            0
            • Package UpdatesP Offline
              Package UpdatesP Offline
              Package Updates
              wrote last edited by
              #86

              [1.10.2]

              • Update grav to 2.0.1
              • Full Changelog
              • [security] ZIP archives extracted through the internal ZipArchiver are now rejected when their contents exceed safe limits on total uncompressed size, file count, or folder nesting depth, closing a second extraction path with the same decompression-bomb risk that was fixed for Direct Install (GHSA-928x-9mpw-8h56).
              • [security] Editor-authored Twig in page content now has its rendered output re-checked for XSS, closing a bypass where a payload assembled at render time (such as {{ "on" ~ "error" }}) passed the source validator and then emitted live markup (GHSA-2c4f-86xc-cr74).
              • A page marked Visible in the admin no longer vanishes from navigation after saving, because a blank visibility setting now falls back to its normal default instead of being read as hidden. Fixes getgrav/grav#4153.
              1 Reply Last reply
              0
              • Package UpdatesP Offline
                Package UpdatesP Offline
                Package Updates
                wrote last edited by
                #87

                [1.10.3]

                • Update grav to 2.0.2
                • Full Changelog
                • [security] ZIP extraction in both Direct Install and the internal archiver now enforces the uncompressed-size limit against the bytes actually written, rather than the size each entry claims, so an archive that understates its real size can no longer slip a decompression bomb past the limit (GHSA-8h9x-89f2-m7x3).
                • [security] Editor-authored Twig in page content can no longer read configuration secrets by dumping the config object through a filter such as print_r or json_encode, closing a sandbox bypass that exposed plugin credentials and API keys (GHSA-mc5q-6hpj-rp7j).
                • A failed bin/gpm self-upgrade now reports the specific reason it stopped and records the full details in logs/grav.log, instead of showing a generic "Unknown error" with nothing to act on. Fixes getgrav/grav#4158.
                • A page that displays inline SVG or MathML icons, such as the svg-icon shortcode or GitHub-style alert callouts, no longer renders blank when page-content Twig processing is enabled, because the render-time security scan now skips that legitimate icon markup while still catching injected scripts around it.
                1 Reply Last reply
                0
                • Package UpdatesP Offline
                  Package UpdatesP Offline
                  Package Updates
                  wrote last edited by
                  #88

                  [1.10.4]

                  • Update grav to 2.0.3
                  • Full Changelog
                  • Added an optional system.session.read_and_close setting that releases the session as soon as it has been read, so a site's simultaneous requests no longer queue up one behind another waiting on the session; off by default.
                  • A bin/gpm self-upgrade that stops while replacing core files now names the exact file or folder it could not remove and the reason why, and points out when the file is owned by a different user than the one running the command, which is the usual cause of an upgrade that works from the admin but fails on the command line. Fixes getgrav/grav#4162.
                  1 Reply Last reply
                  0
                  • Package UpdatesP Offline
                    Package UpdatesP Offline
                    Package Updates
                    wrote last edited by
                    #89

                    [1.10.5]

                    • Update grav to 2.0.4
                    • Full Changelog
                    • Plugins can now register trusted iframe hosts so legitimate provider embeds (such as YouTube) are no longer blanked by the content XSS scan on hardened sites.
                    • Added an onXssTrustedMarkup event that lets a plugin exempt its own rendered markup from the content XSS scan without weakening it for editor-authored content.
                    • [security] Grav's .htaccess rules blocking sensitive folders and files are now matched case-insensitively, closing a bypass where, on case-insensitive filesystems (Windows, macOS, some Docker mounts), a differently-cased request could reach files such as account and config YAML; existing sites are healed on upgrade (GHSA-vwg3-w8w3-pc79).
                    • [security] The user/data folder now ships a media-aware allowlist that serves uploaded assets such as images, fonts, CSS and JS while keeping data files like YAML and JSON blocked, and upgrading widens an over-narrow allowlist from earlier security updates in place so legitimate theme assets stop returning 403. Fixes getgrav/grav#4169.
                    • [security] The Twig regex_replace filter now returns its input unchanged instead of null when a pattern hits a PCRE error such as a backtrack-limit, so a catastrophic pattern can no longer break output (GHSA-37f3-6p89-6qr9).
                    • bin/gpm self-upgrade no longer fails on shared-folder setups such as a VirtualBox shared folder, where the bin directory holding the running script could not be deleted, by overwriting the upgrade files in place instead. Fixes getgrav/grav#4171.
                    • Debug messages logged during API requests now reach the Admin2 API debug panel and Clockwork even when the debugger is set to PHP DebugBar, which can only display on normal pages. Fixes getgrav/grav-plugin-admin2#76.
                    • Resizing an image larger than its original size with ?resize= no longer pads it onto an oversized canvas with a white border, returning the image at its natural size instead unless ?forceresize is used. Fixes getgrav/grav#4173.
                    • Turning off the Twig sandbox no longer breaks pages or modules that contain a form, which previously failed with a "SandboxExtension extension is not enabled" error. Fixes getgrav/grav#4175.
                    • Adding a blocked item to the Twig sandbox allowlist from the Tools report now clears that block from the recent-blocks list, so a resolved entry no longer lingers as if nothing happened. Fixes getgrav/grav-plugin-admin2#85.
                    1 Reply Last reply
                    0
                    • Package UpdatesP Offline
                      Package UpdatesP Offline
                      Package Updates
                      wrote last edited by
                      #90

                      [1.10.6]

                      • Update grav to 2.0.6
                      • Full Changelog
                      • [security] Flex user avatars stored under user/accounts/<username>/ (folder storage) are now served too; the 2.0.5 avatar carve-out only covered the flatfile user/accounts/avatars/ layout, so folder-storage avatars kept returning a 403. Existing sites self-heal on upgrade. Fixes getgrav/grav#4185.
                      • A page's translatedLanguages() now returns each language's own route, so a translation with a localized slug: produces the correct cross-language link instead of repeating the default language's URL. Fixes getgrav/grav#4183.
                      • [security] Profile avatars display again instead of returning a 403; the folder hardening that locked down user/accounts now makes a narrow exception for avatar images while account data such as password hashes stays blocked, and existing sites self-heal on upgrade. Fixes getgrav/grav#4185.
                      • Loading a page no longer fails with a "Failed to write cache file" error when Grav can't save the compiled template cache, such as on a shared folder, a full disk, or during a save-then-reload race; the page still renders and the problem is logged instead. Fixes getgrav/grav#4184.
                      1 Reply Last reply
                      0
                      • Package UpdatesP Offline
                        Package UpdatesP Offline
                        Package Updates
                        wrote last edited by
                        #91

                        [1.10.7]

                        • Update grav to 2.0.7
                        • Full Changelog
                        • [security] A page editor can no longer run commands on the server by hiding a callable directive in a form field's settings; dynamic field data now refuses dangerous functions and cannot be tricked into reaching one through a helper (GHSA-fj2p-qj2f-74v5).
                        • A page's translatedLanguages() now localizes ancestor slugs too, so a nested translation whose parent folder has a localized slug: produces the fully translated cross-language link instead of leaving parent segments in the current language. Fixes getgrav/grav#4186.
                        • Pointing the log stream at environment:// (for example log: environment://logs) no longer crashes the site or bin/grav clear with a "stream must either be a resource or a string" error when the per-environment folder does not exist; logging now falls back to the default logs/ folder instead. Fixes getgrav/grav#4172.
                        • The media:// stream now checks the per-environment user/env/<host>/media/ folder before the shared user/media/, so site media stored per environment resolves to the correct URL in the admin and in page content instead of a broken user/media/ link. Fixes getgrav/grav#4188.
                        • Large file downloads such as site backups are now streamed to the browser in chunks instead of being loaded into memory all at once, so a download bigger than PHP's memory limit no longer fails with a blank server error. Fixes getgrav/grav-plugin-api#12.
                        • Pages accessed with URL parameters such as pagination or taxonomy filters no longer recompile every Twig template on each request, restoring full template caching on exactly the pages that get the most traffic.
                        • A modular page that outputs trusted theme or plugin markup, such as a form with a reCAPTCHA field, is no longer wrongly blanked by the content security scan, which now checks the editor's own content instead of the finished template output. Fixes getgrav/grav-plugin-form#636.
                        • The setting that scans page content for XSS moved to security.content.xss_scan_output, since it applies to all page content rather than only Twig in content; the previous security.twig_content.xss_scan_output location keeps working and is moved to the new one automatically on upgrade.
                        • Frontend requests are noticeably faster across the board: the scheduler, backups machinery, error page renderer and logger now initialize only when actually used instead of on every page view, cutting over 50 PHP files from a typical request.
                        • New experimental opt-in page index (pages.lazy_index: true😞 pages, routes, children lists, sort orders and the taxonomy map load on demand from a per-page index instead of one large cache blob that has to be fully unserialized on every request, making per-request cost flat as sites grow: a 2,000 page test site renders as fast as a 2 page one and uses a quarter of the memory; SQLite powers the index when available with a pure PHP fallback, and the default behavior is completely unchanged until the flag is enabled.
                        1 Reply Last reply
                        0
                        • Package UpdatesP Offline
                          Package UpdatesP Offline
                          Package Updates
                          wrote last edited by
                          #92

                          [1.10.8]

                          • Update grav to 2.0.8
                          • Full Changelog
                          • An email or www. URL used as the visible text of a Markdown link is no longer turned into a second, nested link when GFM autolinks are enabled. Fixes getgrav/grav#4191.
                          • md5() can once again be called as a Twig function, not just as the |md5 filter, so themes and plugins that generate an id or cache-busting hash with md5(...) keep working instead of failing with an "Unknown function" error. Fixes getgrav/grav-theme-quark2#12.
                          • Replacing an image in place, such as swapping the image in a Flex object field, now shows the new image on the site instead of the previously cached version (updated getgrav/image to v4.1.3, which includes the source file's modification time and size in the derivative cache key). Fixes getgrav/grav#4195.
                          1 Reply Last reply
                          0

                          Hello! It looks like you're interested in this conversation, but you don't have an account yet.

                          Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.

                          With your input, this post could be even better 💗

                          Register Login
                          Reply
                          • Reply as topic
                          Log in to reply
                          • Oldest to Newest
                          • Newest to Oldest
                          • Most Votes


                          • Login

                          • Don't have an account? Register

                          • Login or register to search.
                          • First post
                            Last post
                          0
                          • Categories
                          • Recent
                          • Tags
                          • Popular
                          • Bookmarks
                          • Search