Grav CMS - Package Updates

Package Updates

[1.8.10]

Package Updates

[1.8.11]

Update grav to 1.7.50.7
Full Changelog
Exclude dev files from exports
Remove dev file in clean command
Ignore .github and .phan folders during self-upgrade
Fixed path check in self-upgrade
Fixed an issue where non-upgradable root-level folders were snapshotted
Added new bin/gpm preflight command
Added --safe and --legacy overrides for bin/gpm self-upgrade command
Improved JS assets pipeline handling to support different loading strategies
More safe-upgrade fixes around safe guarding /user/ and maintaining permissions better
Fixed a regex issue that corrupted safe-upgrade output

Package Updates

[1.8.12]

Package Updates

[1.8.13]

Package Updates

[1.9.0]

Update grav to 1.8.0-beta.25
Full Changelog
Use dev-master branch of Clockwork to support Monolog2 / Monolog3
AVIF image support via updates to getgrav/Image library
Upgraded to Doctrine Collection 2.2
Fixes for PHP 8.4 - Implicitly nullable parameter declarations deprecated
Added back Missing RocketTheme\Toolbox\Event\EventSubscriberInterface for Gantry5
Various fixes to use $log->debug(), $log->info(), $log->warning() and $log->error() For Monolog2 support
Fixed a PHP compatibility issue with AbstractLazyCollection
Deferred Extension support in Forked version of Twig 3
Added separate strict_mode.twig2_compat and strict_mode.twig3_compat toggles to manage auto-escape behaviour and automatic Twig 3 compatible template rewrites
Fix for cache blowing up when upgrading from 1.7 to 1.8 via CLI

girish

IMPORTANT Packages starting 1.8.6 to 1.9.0 have been revoked.

1.9.0 - had incorrect beta version update

Package Updates

[1.9.1]

Update grav to 1.7.52
Full Changelog
GPM client now sends the running PHP version with index requests so the server can substitute PHP-aware compat fallbacks when a plugin's latest release requires a newer PHP than the client can run.
[security] Extended default uploads_dangerous_extensions to include md, yaml, yml, json, twig, ini page-content extensions that can be weaponised via permissive form-upload accept policies (GHSA-w4rc-p66m-x6qq, defense-in-depth alongside the Form 9.1.0 plugin fix).
Added foundation for migrating to Grav 2.0: cross-major auto-upgrades are blocked in GPM, and core now surfaces a next_major hint so admin can point users at the new migrate-grav plugin
Added compatibility: blueprint support so plugins/themes can declare which Grav versions they support
Added self-upgrade preflight that flags incompatible plugins/themes and psr/log / Monolog conflicts before proceeding
Added upgrade resilience with automatic maintenance mode and opcache reset during self-upgrade
Added new cache-cleanup CLI command to prune obsolete cache entries
Added new onFlexDirectoryConfigBeforeSave event for Flex
More readable time output in bin/grav logviewer #4009
Fixed selectize field losing values when keyed options were used

Package Updates

[1.9.2]

Update grav to 1.7.53
Full Changelog
[security] Direct web access to the user/accounts, user/config, user/data and user/env folders is now blocked outright in every bundled webserver config, closing a hole where files such as certificates, tokens and databases stored under user/data with an unlisted extension could be downloaded directly.
[security] A backup deny-all .htaccess now ships inside user/accounts, user/config and user/data so Apache installs stay protected even when the site root .htaccess has been customised or is out of date.
[security] The upgrade postflight now patches an existing stock root .htaccess to add the folder block automatically, so installs that updated from an earlier version are protected without editing the file by hand.
[security] URL query image transforms (such as image.jpg?resize=) are now turned off by default and, when enabled, refuse oversized dimensions above a configurable pixel limit, closing an unauthenticated denial of service where huge resize values could exhaust server memory.

Package Updates

[1.10.0]

Package Updates

[1.10.1]

Package Updates

[1.10.2]

Update grav to 2.0.1
Full Changelog
[security] ZIP archives extracted through the internal ZipArchiver are now rejected when their contents exceed safe limits on total uncompressed size, file count, or folder nesting depth, closing a second extraction path with the same decompression-bomb risk that was fixed for Direct Install (GHSA-928x-9mpw-8h56).
[security] Editor-authored Twig in page content now has its rendered output re-checked for XSS, closing a bypass where a payload assembled at render time (such as {{ "on" ~ "error" }}) passed the source validator and then emitted live markup (GHSA-2c4f-86xc-cr74).
A page marked Visible in the admin no longer vanishes from navigation after saving, because a blank visibility setting now falls back to its normal default instead of being read as hidden. Fixes getgrav/grav#4153.

Package Updates

[1.10.3]

Update grav to 2.0.2
Full Changelog
[security] ZIP extraction in both Direct Install and the internal archiver now enforces the uncompressed-size limit against the bytes actually written, rather than the size each entry claims, so an archive that understates its real size can no longer slip a decompression bomb past the limit (GHSA-8h9x-89f2-m7x3).
[security] Editor-authored Twig in page content can no longer read configuration secrets by dumping the config object through a filter such as print_r or json_encode, closing a sandbox bypass that exposed plugin credentials and API keys (GHSA-mc5q-6hpj-rp7j).
A failed bin/gpm self-upgrade now reports the specific reason it stopped and records the full details in logs/grav.log, instead of showing a generic "Unknown error" with nothing to act on. Fixes getgrav/grav#4158.
A page that displays inline SVG or MathML icons, such as the svg-icon shortcode or GitHub-style alert callouts, no longer renders blank when page-content Twig processing is enabled, because the render-time security scan now skips that legitimate icon markup while still catching injected scripts around it.

Cloudron Forum