Bump lodash from 4.17.23 to 4.18.1 in /src/Umbraco.Web.UI.Login by dependabot[bot] · Pull Request #22334 · umbraco/Umbraco-CMS

dependabot · 2026-04-02T06:48:48Z

Bumps lodash from 4.17.23 to 4.18.1.

Release notes

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

lodash: lodash/lodash@4.18.0-npm...4.18.1-npm

lodash-es: lodash/lodash@4.18.0-es...4.18.1-es

lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd

lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

Add security notice for _.template in threat model and API docs (#6099)

Document lower > upper behavior in _.random (#6115)

Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

lodash.orderby

lodash.tonumber

lodash.trim

lodash.trimend

lodash.sortedindexby

lodash.zipobjectdeep

lodash.unset

lodash.omit

lodash.template

Commits

cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
75535f5 chore: prune stale advisory refs (#6170)
62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
59be2de release(minor): bump to 4.18.0 (#6161)
af63457 fix: broken tests for _.template 879aaa9
1073a76 fix: linting issues
879aaa9 fix: validate imports keys in _.template
fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
b819080 ci: add dist sync validation workflow (#6137)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [lodash](https://github.com/lodash/lodash) from 4.17.23 to 4.18.1. - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.23...4.18.1) --- updated-dependencies: - dependency-name: lodash dependency-version: 4.18.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>

Updated [Umbraco.Cms](https://github.com/umbraco/Umbraco-CMS) from 17.3.4 to 17.4.0. <details> <summary>Release notes</summary> _Sourced from [Umbraco.Cms's releases](https://github.com/umbraco/Umbraco-CMS/releases)._ ## 17.4.0 ## Upgrade Notes Be aware of a change to behaviour for detecting the Umbraco application URL. Previously, `ApplicationMainUrl` was automatically set from the Host header of incoming HTTP requests. In environments where Umbraco is not behind a reverse proxy that validates the Host header, this could allow a forged Host header to overwrite the URL used in password reset links, user invitations, and other email notifications. While this is normally mitigated by proper hosting configuration and setting `UmbracoApplicationUrl` explicitly, we felt that the auto-detection behaviour should be hardened up and become an opt-in rather than the default. You can read more about this under "Breaking Changes" below, the [linked PR](umbraco/Umbraco-CMS#22307) and the [documentation](https://docs.umbraco.com/umbraco-cms/reference/configuration/webroutingsettings#application-url-detection). There are a few updates related to performance in this release that are worth investigating for larger sites. Using output cache in your projects, with intelligent and customisable detection of page invalidation, is now a [configuration option for templated websites](https://docs.umbraco.com/umbraco-cms/reference/website-output-caching), with extension points also [applied for the Delivery API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api/output-caching). We have optimised content cache rebuild after schema updates, with an option for [deferred rebuild in the background](https://docs.umbraco.com/umbraco-cms/reference/configuration/cache-settings#contenttyperebuildmode). If considering a project with significant expected concurrency for member login and registration, and you prefer to use an external service for member management, the new option for [lightweight external members](https://docs.umbraco.com/umbraco-cms/reference/security/lightweight-external-members) will be worth reviewing. If working with AI tools such as Umbraco MCP, additions to management API endpoints that expose JSON schema for data types and allow for patch updates of specific properties, should improve accuracy and reliability. As usual please find the full list of PRs that have contributed to Umbraco 17.4 as follows. ## What's Changed Since 17.4.0-rc3 **Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc3...release-17.4.0 ## What's Changed Since 17.4.0-r2 ### 📦 Dependencies * Bump @umbraco-ui/uui to 1.17.3 by @iOvergaard in umbraco/Umbraco-CMS#22753 ### 🔒 Security * Backoffice: Add `localize.htmlString()` helper to prevent XSS in HTML-rendered translations by @iOvergaard in umbraco/Umbraco-CMS#22731 ### 🐛 Bug Fixes * Auth: Un-deprecate getLatestToken and route per-request fetches through it by @iOvergaard in umbraco/Umbraco-CMS#22736 * Color Picker: Refresh stored label when data type label changes (closes #22741) by @AndyButland in umbraco/Umbraco-CMS#22761 * Published Content: Fix Fallback.ToAncestors with no match throwing exception at property level (closes #22759) by @AndyButland in umbraco/Umbraco-CMS#22763 **Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc2...release-17.4.0-rc3 ## What's Changed Since 17.4.0-rc ### 🐛 Bug Fixes * Block permissions: Correction of read-only inheritance and language access (closes #22472, #21973) by @nielslyngsoe in umbraco/Umbraco-CMS#22522 * Redirect Tracker: Prevent creation of redirects from unrouteable URLs (closes #22652, #22256) by @AndyButland in umbraco/Umbraco-CMS#22657 * [Blueprints: Fix intermittent blank workspace when creating documents from blueprints (closes #21996)](umbraco/Umbraco-CMS#22422 (comment)) by @AndyButland in umbraco/Umbraco-CMS#22422 **Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc...release-17.4.0-rc2 ## What's Changed Since the Previous Version (17.3.5) ### 🙌 Notable Changes * Management API: Add JSON Schema support for data types and content types by @Migaroez in umbraco/Umbraco-CMS#21771 * Media Picker: Add Cards/Table view switcher (closes #22005) by @madsrasmussen in umbraco/Umbraco-CMS#22138 * Management API: Add document patch endpoint by @Migaroez in umbraco/Umbraco-CMS#22104 * Website Rendering: Add configurable output caching for template rendered pages by @AndyButland in umbraco/Umbraco-CMS#22338 * Basic Authentication: Standalone login page for frontend-only deployments (closes #22144) by @AndyButland in umbraco/Umbraco-CMS#22168 ... (truncated) ## 17.4.0-rc3 ## Upgrade Notes Be aware of a change to behaviour for detecting the Umbraco application URL. Previously, `ApplicationMainUrl` was automatically set from the Host header of incoming HTTP requests. In environments where Umbraco is not behind a reverse proxy that validates the Host header, this could allow a forged Host header to overwrite the URL used in password reset links, user invitations, and other email notifications. While this is normally mitigated by proper hosting configuration and setting `UmbracoApplicationUrl` explicitly, we felt that the auto-detection behaviour should be hardened up and become an opt-in rather than the default. You can read more about this under "Breaking Changes" below, the [linked PR](umbraco/Umbraco-CMS#22307) and the [documentation](https://docs.umbraco.com/umbraco-cms/reference/configuration/webroutingsettings#application-url-detection). There are a few updates related to performance in this release that are worth investigating for larger sites. Using output cache in your projects, with intelligent and customisable detection of page invalidation, is now a [configuration option for templated websites](https://docs.umbraco.com/umbraco-cms/reference/website-output-caching), with extension points also [applied for the Delivery API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api/output-caching). We have optimised content cache rebuild after schema updates, with an option for [deferred rebuild in the background](https://docs.umbraco.com/umbraco-cms/reference/configuration/cache-settings#contenttyperebuildmode). If considering a project with significant expected concurrency for member login and registration, and you prefer to use an external service for member management, the new option for [lightweight external members](https://docs.umbraco.com/umbraco-cms/reference/security/lightweight-external-members) will be worth reviewing. If working with AI tools such as Umbraco MCP, additions to management API endpoints that expose JSON schema for data types and allow for patch updates of specific properties, should improve accuracy and reliability. As usual please find the full list of PRs that have contributed to Umbraco 17.4 as follows. ## What's Changed Since 17.4.0-r2 ### 📦 Dependencies * Bump @umbraco-ui/uui to 1.17.3 by @iOvergaard in umbraco/Umbraco-CMS#22753 ### 🔒 Security * Backoffice: Add `localize.htmlString()` helper to prevent XSS in HTML-rendered translations by @iOvergaard in umbraco/Umbraco-CMS#22731 ### 🐛 Bug Fixes * Auth: Un-deprecate getLatestToken and route per-request fetches through it by @iOvergaard in umbraco/Umbraco-CMS#22736 * Color Picker: Refresh stored label when data type label changes (closes #22741) by @AndyButland in umbraco/Umbraco-CMS#22761 * Published Content: Fix Fallback.ToAncestors with no match throwing exception at property level (closes #22759) by @AndyButland in umbraco/Umbraco-CMS#22763 **Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc2...release-17.4.0-rc3 ## What's Changed Since 17.4.0-rc ### 🐛 Bug Fixes * Block permissions: Correction of read-only inheritance and language access (closes #22472, #21973) by @nielslyngsoe in umbraco/Umbraco-CMS#22522 * Redirect Tracker: Prevent creation of redirects from unrouteable URLs (closes #22652, #22256) by @AndyButland in umbraco/Umbraco-CMS#22657 * [Blueprints: Fix intermittent blank workspace when creating documents from blueprints (closes #21996)](umbraco/Umbraco-CMS#22422 (comment)) by @AndyButland in umbraco/Umbraco-CMS#22422 **Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc...release-17.4.0-rc2 ## What's Changed Since the Previous Version (17.3.5) ### 🙌 Notable Changes * Management API: Add JSON Schema support for data types and content types by @Migaroez in umbraco/Umbraco-CMS#21771 * Media Picker: Add Cards/Table view switcher (closes #22005) by @madsrasmussen in umbraco/Umbraco-CMS#22138 * Management API: Add document patch endpoint by @Migaroez in umbraco/Umbraco-CMS#22104 * Website Rendering: Add configurable output caching for template rendered pages by @AndyButland in umbraco/Umbraco-CMS#22338 * Basic Authentication: Standalone login page for frontend-only deployments (closes #22144) by @AndyButland in umbraco/Umbraco-CMS#22168 * Icons: extends icon data + improved search by @nielslyngsoe in umbraco/Umbraco-CMS#22436 * Members: Add lightweight external-only members (closes #12741) by @AndyButland in umbraco/Umbraco-CMS#22162 * Cache: Add deferred content type rebuild mode with de-duplication by @AndyButland in umbraco/Umbraco-CMS#22194 ... (truncated) ## 17.4.0-rc2 ## Upgrade Notes Be aware of a change to behaviour for detecting the Umbraco application URL. Previously, `ApplicationMainUrl` was automatically set from the Host header of incoming HTTP requests. In environments where Umbraco is not behind a reverse proxy that validates the Host header, this could allow a forged Host header to overwrite the URL used in password reset links, user invitations, and other email notifications. While this is normally mitigated by proper hosting configuration and setting `UmbracoApplicationUrl` explicitly, we felt that the auto-detection behaviour should be hardened up and become an opt-in rather than the default. You can read more about this under "Breaking Changes" below, the [linked PR](umbraco/Umbraco-CMS#22307) and the [documentation](https://docs.umbraco.com/umbraco-cms/reference/configuration/webroutingsettings#application-url-detection). There are a few updates related to performance in this release that are worth investigating for larger sites. Using output cache in your projects, with intelligent and customisable detection of page invalidation, is now a [configuration option for templated websites](https://docs.umbraco.com/umbraco-cms/reference/website-output-caching), with extension points also [applied for the Delivery API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api/output-caching). We have optimised content cache rebuild after schema updates, with an option for [deferred rebuild in the background](https://docs.umbraco.com/umbraco-cms/reference/configuration/cache-settings#contenttyperebuildmode). If considering a project with significant expected concurrency for member login and registration, and you prefer to use an external service for member management, the new option for [lightweight external members](https://docs.umbraco.com/umbraco-cms/reference/security/lightweight-external-members) will be worth reviewing. If working with AI tools such as Umbraco MCP, additions to management API endpoints that expose JSON schema for data types and allow for patch updates of specific properties, should improve accuracy and reliability. As usual please find the full list of PRs that have contributed to Umbraco 17.4 as follows. ## What's Changed Since 17.4.0-rc ### 🐛 Bug Fixes * Block permissions: Correction of read-only inheritance and language access (closes #22472, #21973) by @nielslyngsoe in umbraco/Umbraco-CMS#22522 * Redirect Tracker: Prevent creation of redirects from unrouteable URLs (closes #22652, #22256) by @AndyButland in umbraco/Umbraco-CMS#22657 * [Blueprints: Fix intermittent blank workspace when creating documents from blueprints (closes #21996)](umbraco/Umbraco-CMS#22422 (comment)) by @AndyButland in umbraco/Umbraco-CMS#22422 **Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc...release-17.4.0-rc2 ## What's Changed Since the Previous Version (17.3.5) ### 🙌 Notable Changes * Management API: Add JSON Schema support for data types and content types by @Migaroez in umbraco/Umbraco-CMS#21771 * Media Picker: Add Cards/Table view switcher (closes #22005) by @madsrasmussen in umbraco/Umbraco-CMS#22138 * Management API: Add document patch endpoint by @Migaroez in umbraco/Umbraco-CMS#22104 * Website Rendering: Add configurable output caching for template rendered pages by @AndyButland in umbraco/Umbraco-CMS#22338 * Basic Authentication: Standalone login page for frontend-only deployments (closes #22144) by @AndyButland in umbraco/Umbraco-CMS#22168 * Icons: extends icon data + improved search by @nielslyngsoe in umbraco/Umbraco-CMS#22436 * Members: Add lightweight external-only members (closes #12741) by @AndyButland in umbraco/Umbraco-CMS#22162 * Cache: Add deferred content type rebuild mode with de-duplication by @AndyButland in umbraco/Umbraco-CMS#22194 ### 💥 Breaking Changes * Application URL: Add `ApplicationUrlDetection` setting to control application URL auto-detection by @AndyButland in umbraco/Umbraco-CMS#22307 ### 📦 Dependencies * Bump lodash from 4.17.23 to 4.18.1 in /src/Umbraco.Web.UI.Login by @dependabot[bot] in umbraco/Umbraco-CMS#22334 * Dependencies: Update minor and patch versions by @AndyButland in umbraco/Umbraco-CMS#22498 * Update npm dependencies for v17.4.0-rc by @NguyenThuyLan in umbraco/Umbraco-CMS#22464 * Bump the npm_and_yarn group across 3 directories with 4 updates by @dependabot[bot] in umbraco/Umbraco-CMS#22537 * Dependencies: Update Microsoft packages to latest patch and fix HybridCache ParseFault with Redis by @AndyButland in umbraco/Umbraco-CMS#22278 * Dependencies: Pin `System.Security.Cryptography.Xml` to resolve vulnerability warning by @AndyButland in umbraco/Umbraco-CMS#22514 ### 🚤 Performance * Performance: Batch backoffice media thumbnail URL requests to reduce N+1 API calls by @AndyButland in umbraco/Umbraco-CMS#22329 * Performance: Optimize `FullDataSetRepositoryCachePolicy` usage across all repositories by @AndyButland in umbraco/Umbraco-CMS#22264 * Performance: Optimize `ContentTypeRepository` deep-clone on cache reads (closes #22250) by @AndyButland in umbraco/Umbraco-CMS#22263 * Performance: Use `GeneratedRegex` instead of generating at runtime in string extensions by @Henr1k80 in umbraco/Umbraco-CMS#22534 * Performance: Avoid allocating a string if `_publishedContentCache` has a cached version in `MediaCacheService` by @Henr1k80 in umbraco/Umbraco-CMS#22535 * Performance: Micro-optimisation in `UdiParser` (eliminate closure, fix naming & formatting of exceptions) by @Henr1k80 in umbraco/Umbraco-CMS#22506 ... (truncated) ## 17.4.0-rc ## Upgrade Notes Be aware of a change to behaviour for detecting the Umbraco application URL. Previously, `ApplicationMainUrl` was automatically set from the Host header of incoming HTTP requests. In environments where Umbraco is not behind a reverse proxy that validates the Host header, this could allow a forged Host header to overwrite the URL used in password reset links, user invitations, and other email notifications. While this is normally mitigated by proper hosting configuration and setting `UmbracoApplicationUrl` explicitly, we felt that the auto-detection behaviour should be hardened up and become an opt-in rather than the default. You can read more about this under "Breaking Changes" below, the [linked PR](umbraco/Umbraco-CMS#22307) and the [documentation](https://docs.umbraco.com/umbraco-cms/reference/configuration/webroutingsettings#application-url-detection). There are a few updates related to performance in this release that are worth investigating for larger sites. Using output cache in your projects, with intelligent and customisable detection of page invalidation, is now a [configuration option for templated websites](https://docs.umbraco.com/umbraco-cms/reference/website-output-caching), with extension points also [applied for the Delivery API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api/output-caching). We have optimised content cache rebuild after schema updates, with an option for [deferred rebuild in the background](https://docs.umbraco.com/umbraco-cms/reference/configuration/cache-settings#contenttyperebuildmode). If considering a project with significant expected concurrency for member login and registration, and you prefer to use an external service for member management, the new option for [lightweight external members](https://docs.umbraco.com/umbraco-cms/reference/security/lightweight-external-members) will be worth reviewing. If working with AI tools such as Umbraco MCP, additions to management API endpoints that expose JSON schema for data types and allow for patch updates of specific properties, should improve accuracy and reliability. As usual please find the full list of PRs that have contributed to Umbraco 17.4 as follows. ## What's Changed ### 🙌 Notable Changes * Management API: Add JSON Schema support for data types and content types by @Migaroez in umbraco/Umbraco-CMS#21771 * Media Picker: Add Cards/Table view switcher (closes #22005) by @madsrasmussen in umbraco/Umbraco-CMS#22138 * Management API: Add document patch endpoint by @Migaroez in umbraco/Umbraco-CMS#22104 * Website Rendering: Add configurable output caching for template rendered pages by @AndyButland in umbraco/Umbraco-CMS#22338 * Basic Authentication: Standalone login page for frontend-only deployments (closes #22144) by @AndyButland in umbraco/Umbraco-CMS#22168 * Icons: extends icon data + improved search by @nielslyngsoe in umbraco/Umbraco-CMS#22436 * Members: Add lightweight external-only members (closes #12741) by @AndyButland in umbraco/Umbraco-CMS#22162 * Cache: Add deferred content type rebuild mode with de-duplication by @AndyButland in umbraco/Umbraco-CMS#22194 ### 💥 Breaking Changes * Application URL: Add `ApplicationUrlDetection` setting to control application URL auto-detection by @AndyButland in umbraco/Umbraco-CMS#22307 ### 📦 Dependencies * Bump lodash from 4.17.23 to 4.18.1 in /src/Umbraco.Web.UI.Login by @dependabot[bot] in umbraco/Umbraco-CMS#22334 * Dependencies: Update minor and patch versions by @AndyButland in umbraco/Umbraco-CMS#22498 * Update npm dependencies for v17.4.0-rc by @NguyenThuyLan in umbraco/Umbraco-CMS#22464 * Bump the npm_and_yarn group across 3 directories with 4 updates by @dependabot[bot] in umbraco/Umbraco-CMS#22537 * Dependencies: Update Microsoft packages to latest patch and fix HybridCache ParseFault with Redis by @AndyButland in umbraco/Umbraco-CMS#22278 * Dependencies: Pin `System.Security.Cryptography.Xml` to resolve vulnerability warning by @AndyButland in umbraco/Umbraco-CMS#22514 ### 🚤 Performance * Performance: Batch backoffice media thumbnail URL requests to reduce N+1 API calls by @AndyButland in umbraco/Umbraco-CMS#22329 * Performance: Optimize `FullDataSetRepositoryCachePolicy` usage across all repositories by @AndyButland in umbraco/Umbraco-CMS#22264 * Performance: Optimize `ContentTypeRepository` deep-clone on cache reads (closes #22250) by @AndyButland in umbraco/Umbraco-CMS#22263 * Performance: Use `GeneratedRegex` instead of generating at runtime in string extensions by @Henr1k80 in umbraco/Umbraco-CMS#22534 * Performance: Avoid allocating a string if `_publishedContentCache` has a cached version in `MediaCacheService` by @Henr1k80 in umbraco/Umbraco-CMS#22535 * Performance: Micro-optimisation in `UdiParser` (eliminate closure, fix naming & formatting of exceptions) by @Henr1k80 in umbraco/Umbraco-CMS#22506 * Micro-optimization: Use Array.ConvertAll instead of LINQ .Select .ToArray by @Henr1k80 in umbraco/Umbraco-CMS#20292 * Entity Service: Batch GetAllPaths queries to avoid SQL Server parameter limit (closes #22470) by @AndyButland in umbraco/Umbraco-CMS#22471 * Document URL Service: Batch delete of obsolete URL segment records to avoid SQL Server parameter limit (closes #22339) by @AndyButland in umbraco/Umbraco-CMS#22340 * Content Version Cleanup: Optimize for large datasets (closes #22224) by @AndyButland in umbraco/Umbraco-CMS#22239 * Migrations: Optimise sortable value population for date properties by @AndyButland in umbraco/Umbraco-CMS#22547 * Migrations: Fix potential `OptimizeInvariantUrlRecords` timeout on SQL Server (closes #22377) by @AndyButland in umbraco/Umbraco-CMS#22382 * Umb-icon color setting optimization by @nielslyngsoe in umbraco/Umbraco-CMS#22433 ### 🌈 Accessibility Improvements * Accessibility: Fix missing labels on uui-select elements causing console warnings by @andreaslborg in umbraco/Umbraco-CMS#22385 * Accessibility: Include visible initials in name displayed on account menu button (closes #21942) by @andreaslborg in umbraco/Umbraco-CMS#22117 ... (truncated) ## 17.3.5 ## What's Changed ### 🐛 Bug Fixes * Revert fix for making block editors read-only in trashed documents which causes a regression in certain multi-lingual block editing scenarios (closes #22472, re-opens #21982) by @nielslyngsoe in umbraco/Umbraco-CMS#22656 **Full Changelog**: umbraco/Umbraco-CMS@release-17.3.4...release-17.3.5 Commits viewable in [compare view](umbraco/Umbraco-CMS@release-17.3.4...release-17.4.0). </details> Updated [Umbraco.Cms.Persistence.Sqlite](https://github.com/umbraco/Umbraco-CMS) from 17.3.4 to 17.4.0. <details> <summary>Release notes</summary> _Sourced from [Umbraco.Cms.Persistence.Sqlite's releases](https://github.com/umbraco/Umbraco-CMS/releases)._ ## 17.4.0 ## Upgrade Notes Be aware of a change to behaviour for detecting the Umbraco application URL. Previously, `ApplicationMainUrl` was automatically set from the Host header of incoming HTTP requests. In environments where Umbraco is not behind a reverse proxy that validates the Host header, this could allow a forged Host header to overwrite the URL used in password reset links, user invitations, and other email notifications. While this is normally mitigated by proper hosting configuration and setting `UmbracoApplicationUrl` explicitly, we felt that the auto-detection behaviour should be hardened up and become an opt-in rather than the default. You can read more about this under "Breaking Changes" below, the [linked PR](umbraco/Umbraco-CMS#22307) and the [documentation](https://docs.umbraco.com/umbraco-cms/reference/configuration/webroutingsettings#application-url-detection). There are a few updates related to performance in this release that are worth investigating for larger sites. Using output cache in your projects, with intelligent and customisable detection of page invalidation, is now a [configuration option for templated websites](https://docs.umbraco.com/umbraco-cms/reference/website-output-caching), with extension points also [applied for the Delivery API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api/output-caching). We have optimised content cache rebuild after schema updates, with an option for [deferred rebuild in the background](https://docs.umbraco.com/umbraco-cms/reference/configuration/cache-settings#contenttyperebuildmode). If considering a project with significant expected concurrency for member login and registration, and you prefer to use an external service for member management, the new option for [lightweight external members](https://docs.umbraco.com/umbraco-cms/reference/security/lightweight-external-members) will be worth reviewing. If working with AI tools such as Umbraco MCP, additions to management API endpoints that expose JSON schema for data types and allow for patch updates of specific properties, should improve accuracy and reliability. As usual please find the full list of PRs that have contributed to Umbraco 17.4 as follows. ## What's Changed Since 17.4.0-rc3 **Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc3...release-17.4.0 ## What's Changed Since 17.4.0-r2 ### 📦 Dependencies * Bump @umbraco-ui/uui to 1.17.3 by @iOvergaard in umbraco/Umbraco-CMS#22753 ### 🔒 Security * Backoffice: Add `localize.htmlString()` helper to prevent XSS in HTML-rendered translations by @iOvergaard in umbraco/Umbraco-CMS#22731 ### 🐛 Bug Fixes * Auth: Un-deprecate getLatestToken and route per-request fetches through it by @iOvergaard in umbraco/Umbraco-CMS#22736 * Color Picker: Refresh stored label when data type label changes (closes #22741) by @AndyButland in umbraco/Umbraco-CMS#22761 * Published Content: Fix Fallback.ToAncestors with no match throwing exception at property level (closes #22759) by @AndyButland in umbraco/Umbraco-CMS#22763 **Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc2...release-17.4.0-rc3 ## What's Changed Since 17.4.0-rc ### 🐛 Bug Fixes * Block permissions: Correction of read-only inheritance and language access (closes #22472, #21973) by @nielslyngsoe in umbraco/Umbraco-CMS#22522 * Redirect Tracker: Prevent creation of redirects from unrouteable URLs (closes #22652, #22256) by @AndyButland in umbraco/Umbraco-CMS#22657 * [Blueprints: Fix intermittent blank workspace when creating documents from blueprints (closes #21996)](umbraco/Umbraco-CMS#22422 (comment)) by @AndyButland in umbraco/Umbraco-CMS#22422 **Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc...release-17.4.0-rc2 ## What's Changed Since the Previous Version (17.3.5) ### 🙌 Notable Changes * Management API: Add JSON Schema support for data types and content types by @Migaroez in umbraco/Umbraco-CMS#21771 * Media Picker: Add Cards/Table view switcher (closes #22005) by @madsrasmussen in umbraco/Umbraco-CMS#22138 * Management API: Add document patch endpoint by @Migaroez in umbraco/Umbraco-CMS#22104 * Website Rendering: Add configurable output caching for template rendered pages by @AndyButland in umbraco/Umbraco-CMS#22338 * Basic Authentication: Standalone login page for frontend-only deployments (closes #22144) by @AndyButland in umbraco/Umbraco-CMS#22168 ... (truncated) ## 17.4.0-rc3 ## Upgrade Notes Be aware of a change to behaviour for detecting the Umbraco application URL. Previously, `ApplicationMainUrl` was automatically set from the Host header of incoming HTTP requests. In environments where Umbraco is not behind a reverse proxy that validates the Host header, this could allow a forged Host header to overwrite the URL used in password reset links, user invitations, and other email notifications. While this is normally mitigated by proper hosting configuration and setting `UmbracoApplicationUrl` explicitly, we felt that the auto-detection behaviour should be hardened up and become an opt-in rather than the default. You can read more about this under "Breaking Changes" below, the [linked PR](umbraco/Umbraco-CMS#22307) and the [documentation](https://docs.umbraco.com/umbraco-cms/reference/configuration/webroutingsettings#application-url-detection). There are a few updates related to performance in this release that are worth investigating for larger sites. Using output cache in your projects, with intelligent and customisable detection of page invalidation, is now a [configuration option for templated websites](https://docs.umbraco.com/umbraco-cms/reference/website-output-caching), with extension points also [applied for the Delivery API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api/output-caching). We have optimised content cache rebuild after schema updates, with an option for [deferred rebuild in the background](https://docs.umbraco.com/umbraco-cms/reference/configuration/cache-settings#contenttyperebuildmode). If considering a project with significant expected concurrency for member login and registration, and you prefer to use an external service for member management, the new option for [lightweight external members](https://docs.umbraco.com/umbraco-cms/reference/security/lightweight-external-members) will be worth reviewing. If working with AI tools such as Umbraco MCP, additions to management API endpoints that expose JSON schema for data types and allow for patch updates of specific properties, should improve accuracy and reliability. As usual please find the full list of PRs that have contributed to Umbraco 17.4 as follows. ## What's Changed Since 17.4.0-r2 ### 📦 Dependencies * Bump @umbraco-ui/uui to 1.17.3 by @iOvergaard in umbraco/Umbraco-CMS#22753 ### 🔒 Security * Backoffice: Add `localize.htmlString()` helper to prevent XSS in HTML-rendered translations by @iOvergaard in umbraco/Umbraco-CMS#22731 ### 🐛 Bug Fixes * Auth: Un-deprecate getLatestToken and route per-request fetches through it by @iOvergaard in umbraco/Umbraco-CMS#22736 * Color Picker: Refresh stored label when data type label changes (closes #22741) by @AndyButland in umbraco/Umbraco-CMS#22761 * Published Content: Fix Fallback.ToAncestors with no match throwing exception at property level (closes #22759) by @AndyButland in umbraco/Umbraco-CMS#22763 **Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc2...release-17.4.0-rc3 ## What's Changed Since 17.4.0-rc ### 🐛 Bug Fixes * Block permissions: Correction of read-only inheritance and language access (closes #22472, #21973) by @nielslyngsoe in umbraco/Umbraco-CMS#22522 * Redirect Tracker: Prevent creation of redirects from unrouteable URLs (closes #22652, #22256) by @AndyButland in umbraco/Umbraco-CMS#22657 * [Blueprints: Fix intermittent blank workspace when creating documents from blueprints (closes #21996)](umbraco/Umbraco-CMS#22422 (comment)) by @AndyButland in umbraco/Umbraco-CMS#22422 **Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc...release-17.4.0-rc2 ## What's Changed Since the Previous Version (17.3.5) ### 🙌 Notable Changes * Management API: Add JSON Schema support for data types and content types by @Migaroez in umbraco/Umbraco-CMS#21771 * Media Picker: Add Cards/Table view switcher (closes #22005) by @madsrasmussen in umbraco/Umbraco-CMS#22138 * Management API: Add document patch endpoint by @Migaroez in umbraco/Umbraco-CMS#22104 * Website Rendering: Add configurable output caching for template rendered pages by @AndyButland in umbraco/Umbraco-CMS#22338 * Basic Authentication: Standalone login page for frontend-only deployments (closes #22144) by @AndyButland in umbraco/Umbraco-CMS#22168 * Icons: extends icon data + improved search by @nielslyngsoe in umbraco/Umbraco-CMS#22436 * Members: Add lightweight external-only members (closes #12741) by @AndyButland in umbraco/Umbraco-CMS#22162 * Cache: Add deferred content type rebuild mode with de-duplication by @AndyButland in umbraco/Umbraco-CMS#22194 ... (truncated) ## 17.4.0-rc2 ## Upgrade Notes Be aware of a change to behaviour for detecting the Umbraco application URL. Previously, `ApplicationMainUrl` was automatically set from the Host header of incoming HTTP requests. In environments where Umbraco is not behind a reverse proxy that validates the Host header, this could allow a forged Host header to overwrite the URL used in password reset links, user invitations, and other email notifications. While this is normally mitigated by proper hosting configuration and setting `UmbracoApplicationUrl` explicitly, we felt that the auto-detection behaviour should be hardened up and become an opt-in rather than the default. You can read more about this under "Breaking Changes" below, the [linked PR](umbraco/Umbraco-CMS#22307) and the [documentation](https://docs.umbraco.com/umbraco-cms/reference/configuration/webroutingsettings#application-url-detection). There are a few updates related to performance in this release that are worth investigating for larger sites. Using output cache in your projects, with intelligent and customisable detection of page invalidation, is now a [configuration option for templated websites](https://docs.umbraco.com/umbraco-cms/reference/website-output-caching), with extension points also [applied for the Delivery API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api/output-caching). We have optimised content cache rebuild after schema updates, with an option for [deferred rebuild in the background](https://docs.umbraco.com/umbraco-cms/reference/configuration/cache-settings#contenttyperebuildmode). If considering a project with significant expected concurrency for member login and registration, and you prefer to use an external service for member management, the new option for [lightweight external members](https://docs.umbraco.com/umbraco-cms/reference/security/lightweight-external-members) will be worth reviewing. If working with AI tools such as Umbraco MCP, additions to management API endpoints that expose JSON schema for data types and allow for patch updates of specific properties, should improve accuracy and reliability. As usual please find the full list of PRs that have contributed to Umbraco 17.4 as follows. ## What's Changed Since 17.4.0-rc ### 🐛 Bug Fixes * Block permissions: Correction of read-only inheritance and language access (closes #22472, #21973) by @nielslyngsoe in umbraco/Umbraco-CMS#22522 * Redirect Tracker: Prevent creation of redirects from unrouteable URLs (closes #22652, #22256) by @AndyButland in umbraco/Umbraco-CMS#22657 * [Blueprints: Fix intermittent blank workspace when creating documents from blueprints (closes #21996)](umbraco/Umbraco-CMS#22422 (comment)) by @AndyButland in umbraco/Umbraco-CMS#22422 **Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc...release-17.4.0-rc2 ## What's Changed Since the Previous Version (17.3.5) ### 🙌 Notable Changes * Management API: Add JSON Schema support for data types and content types by @Migaroez in umbraco/Umbraco-CMS#21771 * Media Picker: Add Cards/Table view switcher (closes #22005) by @madsrasmussen in umbraco/Umbraco-CMS#22138 * Management API: Add document patch endpoint by @Migaroez in umbraco/Umbraco-CMS#22104 * Website Rendering: Add configurable output caching for template rendered pages by @AndyButland in umbraco/Umbraco-CMS#22338 * Basic Authentication: Standalone login page for frontend-only deployments (closes #22144) by @AndyButland in umbraco/Umbraco-CMS#22168 * Icons: extends icon data + improved search by @nielslyngsoe in umbraco/Umbraco-CMS#22436 * Members: Add lightweight external-only members (closes #12741) by @AndyButland in umbraco/Umbraco-CMS#22162 * Cache: Add deferred content type rebuild mode with de-duplication by @AndyButland in umbraco/Umbraco-CMS#22194 ### 💥 Breaking Changes * Application URL: Add `ApplicationUrlDetection` setting to control application URL auto-detection by @AndyButland in umbraco/Umbraco-CMS#22307 ### 📦 Dependencies * Bump lodash from 4.17.23 to 4.18.1 in /src/Umbraco.Web.UI.Login by @dependabot[bot] in umbraco/Umbraco-CMS#22334 * Dependencies: Update minor and patch versions by @AndyButland in umbraco/Umbraco-CMS#22498 * Update npm dependencies for v17.4.0-rc by @NguyenThuyLan in umbraco/Umbraco-CMS#22464 * Bump the npm_and_yarn group across 3 directories with 4 updates by @dependabot[bot] in umbraco/Umbraco-CMS#22537 * Dependencies: Update Microsoft packages to latest patch and fix HybridCache ParseFault with Redis by @AndyButland in umbraco/Umbraco-CMS#22278 * Dependencies: Pin `System.Security.Cryptography.Xml` to resolve vulnerability warning by @AndyButland in umbraco/Umbraco-CMS#22514 ### 🚤 Performance * Performance: Batch backoffice media thumbnail URL requests to reduce N+1 API calls by @AndyButland in umbraco/Umbraco-CMS#22329 * Performance: Optimize `FullDataSetRepositoryCachePolicy` usage across all repositories by @AndyButland in umbraco/Umbraco-CMS#22264 * Performance: Optimize `ContentTypeRepository` deep-clone on cache reads (closes #22250) by @AndyButland in umbraco/Umbraco-CMS#22263 * Performance: Use `GeneratedRegex` instead of generating at runtime in string extensions by @Henr1k80 in umbraco/Umbraco-CMS#22534 * Performance: Avoid allocating a string if `_publishedContentCache` has a cached version in `MediaCacheService` by @Henr1k80 in umbraco/Umbraco-CMS#22535 * Performance: Micro-optimisation in `UdiParser` (eliminate closure, fix naming & formatting of exceptions) by @Henr1k80 in umbraco/Umbraco-CMS#22506 ... (truncated) ## 17.4.0-rc ## Upgrade Notes Be aware of a change to behaviour for detecting the Umbraco application URL. Previously, `ApplicationMainUrl` was automatically set from the Host header of incoming HTTP requests. In environments where Umbraco is not behind a reverse proxy that validates the Host header, this could allow a forged Host header to overwrite the URL used in password reset links, user invitations, and other email notifications. While this is normally mitigated by proper hosting configuration and setting `UmbracoApplicationUrl` explicitly, we felt that the auto-detection behaviour should be hardened up and become an opt-in rather than the default. You can read more about this under "Breaking Changes" below, the [linked PR](umbraco/Umbraco-CMS#22307) and the [documentation](https://docs.umbraco.com/umbraco-cms/reference/configuration/webroutingsettings#application-url-detection). There are a few updates related to performance in this release that are worth investigating for larger sites. Using output cache in your projects, with intelligent and customisable detection of page invalidation, is now a [configuration option for templated websites](https://docs.umbraco.com/umbraco-cms/reference/website-output-caching), with extension points also [applied for the Delivery API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api/output-caching). We have optimised content cache rebuild after schema updates, with an option for [deferred rebuild in the background](https://docs.umbraco.com/umbraco-cms/reference/configuration/cache-settings#contenttyperebuildmode). If considering a project with significant expected concurrency for member login and registration, and you prefer to use an external service for member management, the new option for [lightweight external members](https://docs.umbraco.com/umbraco-cms/reference/security/lightweight-external-members) will be worth reviewing. If working with AI tools such as Umbraco MCP, additions to management API endpoints that expose JSON schema for data types and allow for patch updates of specific properties, should improve accuracy and reliability. As usual please find the full list of PRs that have contributed to Umbraco 17.4 as follows. ## What's Changed ### 🙌 Notable Changes * Management API: Add JSON Schema support for data types and content types by @Migaroez in umbraco/Umbraco-CMS#21771 * Media Picker: Add Cards/Table view switcher (closes #22005) by @madsrasmussen in umbraco/Umbraco-CMS#22138 * Management API: Add document patch endpoint by @Migaroez in umbraco/Umbraco-CMS#22104 * Website Rendering: Add configurable output caching for template rendered pages by @AndyButland in umbraco/Umbraco-CMS#22338 * Basic Authentication: Standalone login page for frontend-only deployments (closes #22144) by @AndyButland in umbraco/Umbraco-CMS#22168 * Icons: extends icon data + improved search by @nielslyngsoe in umbraco/Umbraco-CMS#22436 * Members: Add lightweight external-only members (closes #12741) by @AndyButland in umbraco/Umbraco-CMS#22162 * Cache: Add deferred content type rebuild mode with de-duplication by @AndyButland in umbraco/Umbraco-CMS#22194 ### 💥 Breaking Changes * Application URL: Add `ApplicationUrlDetection` setting to control application URL auto-detection by @AndyButland in umbraco/Umbraco-CMS#22307 ### 📦 Dependencies * Bump lodash from 4.17.23 to 4.18.1 in /src/Umbraco.Web.UI.Login by @dependabot[bot] in umbraco/Umbraco-CMS#22334 * Dependencies: Update minor and patch versions by @AndyButland in umbraco/Umbraco-CMS#22498 * Update npm dependencies for v17.4.0-rc by @NguyenThuyLan in umbraco/Umbraco-CMS#22464 * Bump the npm_and_yarn group across 3 directories with 4 updates by @dependabot[bot] in umbraco/Umbraco-CMS#22537 * Dependencies: Update Microsoft packages to latest patch and fix HybridCache ParseFault with Redis by @AndyButland in umbraco/Umbraco-CMS#22278 * Dependencies: Pin `System.Security.Cryptography.Xml` to resolve vulnerability warning by @AndyButland in umbraco/Umbraco-CMS#22514 ### 🚤 Performance * Performance: Batch backoffice media thumbnail URL requests to reduce N+1 API calls by @AndyButland in umbraco/Umbraco-CMS#22329 * Performance: Optimize `FullDataSetRepositoryCachePolicy` usage across all repositories by @AndyButland in umbraco/Umbraco-CMS#22264 * Performance: Optimize `ContentTypeRepository` deep-clone on cache reads (closes #22250) by @AndyButland in umbraco/Umbraco-CMS#22263 * Performance: Use `GeneratedRegex` instead of generating at runtime in string extensions by @Henr1k80 in umbraco/Umbraco-CMS#22534 * Performance: Avoid allocating a string if `_publishedContentCache` has a cached version in `MediaCacheService` by @Henr1k80 in umbraco/Umbraco-CMS#22535 * Performance: Micro-optimisation in `UdiParser` (eliminate closure, fix naming & formatting of exceptions) by @Henr1k80 in umbraco/Umbraco-CMS#22506 * Micro-optimization: Use Array.ConvertAll instead of LINQ .Select .ToArray by @Henr1k80 in umbraco/Umbraco-CMS#20292 * Entity Service: Batch GetAllPaths queries to avoid SQL Server parameter limit (closes #22470) by @AndyButland in umbraco/Umbraco-CMS#22471 * Document URL Service: Batch delete of obsolete URL segment records to avoid SQL Server parameter limit (closes #22339) by @AndyButland in umbraco/Umbraco-CMS#22340 * Content Version Cleanup: Optimize for large datasets (closes #22224) by @AndyButland in umbraco/Umbraco-CMS#22239 * Migrations: Optimise sortable value population for date properties by @AndyButland in umbraco/Umbraco-CMS#22547 * Migrations: Fix potential `OptimizeInvariantUrlRecords` timeout on SQL Server (closes #22377) by @AndyButland in umbraco/Umbraco-CMS#22382 * Umb-icon color setting optimization by @nielslyngsoe in umbraco/Umbraco-CMS#22433 ### 🌈 Accessibility Improvements * Accessibility: Fix missing labels on uui-select elements causing console warnings by @andreaslborg in umbraco/Umbraco-CMS#22385 * Accessibility: Include visible initials in name displayed on account menu button (closes #21942) by @andreaslborg in umbraco/Umbraco-CMS#22117 ... (truncated) ## 17.3.5 ## What's Changed ### 🐛 Bug Fixes * Revert fix for making block editors read-only in trashed documents which causes a regression in certain multi-lingual block editing scenarios (closes #22472, re-opens #21982) by @nielslyngsoe in umbraco/Umbraco-CMS#22656 **Full Changelog**: umbraco/Umbraco-CMS@release-17.3.4...release-17.3.5 Commits viewable in [compare view](umbraco/Umbraco-CMS@release-17.3.4...release-17.4.0). </details> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Updated [Umbraco.Cms.DevelopmentMode.Backoffice](https://github.com/umbraco/Umbraco-CMS) from 17.3.4 to 17.4.0. <details> <summary>Release notes</summary> _Sourced from [Umbraco.Cms.DevelopmentMode.Backoffice's releases](https://github.com/umbraco/Umbraco-CMS/releases)._ ## 17.4.0 ## Upgrade Notes Be aware of a change to behaviour for detecting the Umbraco application URL. Previously, `ApplicationMainUrl` was automatically set from the Host header of incoming HTTP requests. In environments where Umbraco is not behind a reverse proxy that validates the Host header, this could allow a forged Host header to overwrite the URL used in password reset links, user invitations, and other email notifications. While this is normally mitigated by proper hosting configuration and setting `UmbracoApplicationUrl` explicitly, we felt that the auto-detection behaviour should be hardened up and become an opt-in rather than the default. You can read more about this under "Breaking Changes" below, the [linked PR](umbraco/Umbraco-CMS#22307) and the [documentation](https://docs.umbraco.com/umbraco-cms/reference/configuration/webroutingsettings#application-url-detection). There are a few updates related to performance in this release that are worth investigating for larger sites. Using output cache in your projects, with intelligent and customisable detection of page invalidation, is now a [configuration option for templated websites](https://docs.umbraco.com/umbraco-cms/reference/website-output-caching), with extension points also [applied for the Delivery API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api/output-caching). We have optimised content cache rebuild after schema updates, with an option for [deferred rebuild in the background](https://docs.umbraco.com/umbraco-cms/reference/configuration/cache-settings#contenttyperebuildmode). If considering a project with significant expected concurrency for member login and registration, and you prefer to use an external service for member management, the new option for [lightweight external members](https://docs.umbraco.com/umbraco-cms/reference/security/lightweight-external-members) will be worth reviewing. If working with AI tools such as Umbraco MCP, additions to management API endpoints that expose JSON schema for data types and allow for patch updates of specific properties, should improve accuracy and reliability. As usual please find the full list of PRs that have contributed to Umbraco 17.4 as follows. ## What's Changed Since 17.4.0-rc3 **Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc3...release-17.4.0 ## What's Changed Since 17.4.0-r2 ### 📦 Dependencies * Bump @umbraco-ui/uui to 1.17.3 by @iOvergaard in umbraco/Umbraco-CMS#22753 ### 🔒 Security * Backoffice: Add `localize.htmlString()` helper to prevent XSS in HTML-rendered translations by @iOvergaard in umbraco/Umbraco-CMS#22731 ### 🐛 Bug Fixes * Auth: Un-deprecate getLatestToken and route per-request fetches through it by @iOvergaard in umbraco/Umbraco-CMS#22736 * Color Picker: Refresh stored label when data type label changes (closes #22741) by @AndyButland in umbraco/Umbraco-CMS#22761 * Published Content: Fix Fallback.ToAncestors with no match throwing exception at property level (closes #22759) by @AndyButland in umbraco/Umbraco-CMS#22763 **Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc2...release-17.4.0-rc3 ## What's Changed Since 17.4.0-rc ### 🐛 Bug Fixes * Block permissions: Correction of read-only inheritance and language access (closes #22472, #21973) by @nielslyngsoe in umbraco/Umbraco-CMS#22522 * Redirect Tracker: Prevent creation of redirects from unrouteable URLs (closes #22652, #22256) by @AndyButland in umbraco/Umbraco-CMS#22657 * [Blueprints: Fix intermittent blank workspace when creating documents from blueprints (closes #21996)](umbraco/Umbraco-CMS#22422 (comment)) by @AndyButland in umbraco/Umbraco-CMS#22422 **Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc...release-17.4.0-rc2 ## What's Changed Since the Previous Version (17.3.5) ### 🙌 Notable Changes * Management API: Add JSON Schema support for data types and content types by @Migaroez in umbraco/Umbraco-CMS#21771 * Media Picker: Add Cards/Table view switcher (closes #22005) by @madsrasmussen in umbraco/Umbraco-CMS#22138 * Management API: Add document patch endpoint by @Migaroez in umbraco/Umbraco-CMS#22104 * Website Rendering: Add configurable output caching for template rendered pages by @AndyButland in umbraco/Umbraco-CMS#22338 * Basic Authentication: Standalone login page for frontend-only deployments (closes #22144) by @AndyButland in umbraco/Umbraco-CMS#22168 ... (truncated) ## 17.4.0-rc3 ## Upgrade Notes Be aware of a change to behaviour for detecting the Umbraco application URL. Previously, `ApplicationMainUrl` was automatically set from the Host header of incoming HTTP requests. In environments where Umbraco is not behind a reverse proxy that validates the Host header, this could allow a forged Host header to overwrite the URL used in password reset links, user invitations, and other email notifications. While this is normally mitigated by proper hosting configuration and setting `UmbracoApplicationUrl` explicitly, we felt that the auto-detection behaviour should be hardened up and become an opt-in rather than the default. You can read more about this under "Breaking Changes" below, the [linked PR](umbraco/Umbraco-CMS#22307) and the [documentation](https://docs.umbraco.com/umbraco-cms/reference/configuration/webroutingsettings#application-url-detection). There are a few updates related to performance in this release that are worth investigating for larger sites. Using output cache in your projects, with intelligent and customisable detection of page invalidation, is now a [configuration option for templated websites](https://docs.umbraco.com/umbraco-cms/reference/website-output-caching), with extension points also [applied for the Delivery API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api/output-caching). We have optimised content cache rebuild after schema updates, with an option for [deferred rebuild in the background](https://docs.umbraco.com/umbraco-cms/reference/configuration/cache-settings#contenttyperebuildmode). If considering a project with significant expected concurrency for member login and registration, and you prefer to use an external service for member management, the new option for [lightweight external members](https://docs.umbraco.com/umbraco-cms/reference/security/lightweight-external-members) will be worth reviewing. If working with AI tools such as Umbraco MCP, additions to management API endpoints that expose JSON schema for data types and allow for patch updates of specific properties, should improve accuracy and reliability. As usual please find the full list of PRs that have contributed to Umbraco 17.4 as follows. ## What's Changed Since 17.4.0-r2 ### 📦 Dependencies * Bump @umbraco-ui/uui to 1.17.3 by @iOvergaard in umbraco/Umbraco-CMS#22753 ### 🔒 Security * Backoffice: Add `localize.htmlString()` helper to prevent XSS in HTML-rendered translations by @iOvergaard in umbraco/Umbraco-CMS#22731 ### 🐛 Bug Fixes * Auth: Un-deprecate getLatestToken and route per-request fetches through it by @iOvergaard in umbraco/Umbraco-CMS#22736 * Color Picker: Refresh stored label when data type label changes (closes #22741) by @AndyButland in umbraco/Umbraco-CMS#22761 * Published Content: Fix Fallback.ToAncestors with no match throwing exception at property level (closes #22759) by @AndyButland in umbraco/Umbraco-CMS#22763 **Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc2...release-17.4.0-rc3 ## What's Changed Since 17.4.0-rc ### 🐛 Bug Fixes * Block permissions: Correction of read-only inheritance and language access (closes #22472, #21973) by @nielslyngsoe in umbraco/Umbraco-CMS#22522 * Redirect Tracker: Prevent creation of redirects from unrouteable URLs (closes #22652, #22256) by @AndyButland in umbraco/Umbraco-CMS#22657 * [Blueprints: Fix intermittent blank workspace when creating documents from blueprints (closes #21996)](umbraco/Umbraco-CMS#22422 (comment)) by @AndyButland in umbraco/Umbraco-CMS#22422 **Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc...release-17.4.0-rc2 ## What's Changed Since the Previous Version (17.3.5) ### 🙌 Notable Changes * Management API: Add JSON Schema support for data types and content types by @Migaroez in umbraco/Umbraco-CMS#21771 * Media Picker: Add Cards/Table view switcher (closes #22005) by @madsrasmussen in umbraco/Umbraco-CMS#22138 * Management API: Add document patch endpoint by @Migaroez in umbraco/Umbraco-CMS#22104 * Website Rendering: Add configurable output caching for template rendered pages by @AndyButland in umbraco/Umbraco-CMS#22338 * Basic Authentication: Standalone login page for frontend-only deployments (closes #22144) by @AndyButland in umbraco/Umbraco-CMS#22168 * Icons: extends icon data + improved search by @nielslyngsoe in umbraco/Umbraco-CMS#22436 * Members: Add lightweight external-only members (closes #12741) by @AndyButland in umbraco/Umbraco-CMS#22162 * Cache: Add deferred content type rebuild mode with de-duplication by @AndyButland in umbraco/Umbraco-CMS#22194 ... (truncated) ## 17.4.0-rc2 ## Upgrade Notes Be aware of a change to behaviour for detecting the Umbraco application URL. Previously, `ApplicationMainUrl` was automatically set from the Host header of incoming HTTP requests. In environments where Umbraco is not behind a reverse proxy that validates the Host header, this could allow a forged Host header to overwrite the URL used in password reset links, user invitations, and other email notifications. While this is normally mitigated by proper hosting configuration and setting `UmbracoApplicationUrl` explicitly, we felt that the auto-detection behaviour should be hardened up and become an opt-in rather than the default. You can read more about this under "Breaking Changes" below, the [linked PR](umbraco/Umbraco-CMS#22307) and the [documentation](https://docs.umbraco.com/umbraco-cms/reference/configuration/webroutingsettings#application-url-detection). There are a few updates related to performance in this release that are worth investigating for larger sites. Using output cache in your projects, with intelligent and customisable detection of page invalidation, is now a [configuration option for templated websites](https://docs.umbraco.com/umbraco-cms/reference/website-output-caching), with extension points also [applied for the Delivery API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api/output-caching). We have optimised content cache rebuild after schema updates, with an option for [deferred rebuild in the background](https://docs.umbraco.com/umbraco-cms/reference/configuration/cache-settings#contenttyperebuildmode). If considering a project with significant expected concurrency for member login and registration, and you prefer to use an external service for member management, the new option for [lightweight external members](https://docs.umbraco.com/umbraco-cms/reference/security/lightweight-external-members) will be worth reviewing. If working with AI tools such as Umbraco MCP, additions to management API endpoints that expose JSON schema for data types and allow for patch updates of specific properties, should improve accuracy and reliability. As usual please find the full list of PRs that have contributed to Umbraco 17.4 as follows. ## What's Changed Since 17.4.0-rc ### 🐛 Bug Fixes * Block permissions: Correction of read-only inheritance and language access (closes #22472, #21973) by @nielslyngsoe in umbraco/Umbraco-CMS#22522 * Redirect Tracker: Prevent creation of redirects from unrouteable URLs (closes #22652, #22256) by @AndyButland in umbraco/Umbraco-CMS#22657 * [Blueprints: Fix intermittent blank workspace when creating documents from blueprints (closes #21996)](umbraco/Umbraco-CMS#22422 (comment)) by @AndyButland in umbraco/Umbraco-CMS#22422 **Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc...release-17.4.0-rc2 ## What's Changed Since the Previous Version (17.3.5) ### 🙌 Notable Changes * Management API: Add JSON Schema support for data types and content types by @Migaroez in umbraco/Umbraco-CMS#21771 * Media Picker: Add Cards/Table view switcher (closes #22005) by @madsrasmussen in umbraco/Umbraco-CMS#22138 * Management API: Add document patch endpoint by @Migaroez in umbraco/Umbraco-CMS#22104 * Website Rendering: Add configurable output caching for template rendered pages by @AndyButland in umbraco/Umbraco-CMS#22338 * Basic Authentication: Standalone login page for frontend-only deployments (closes #22144) by @AndyButland in umbraco/Umbraco-CMS#22168 * Icons: extends icon data + improved search by @nielslyngsoe in umbraco/Umbraco-CMS#22436 * Members: Add lightweight external-only members (closes #12741) by @AndyButland in umbraco/Umbraco-CMS#22162 * Cache: Add deferred content type rebuild mode with de-duplication by @AndyButland in umbraco/Umbraco-CMS#22194 ### 💥 Breaking Changes * Application URL: Add `ApplicationUrlDetection` setting to control application URL auto-detection by @AndyButland in umbraco/Umbraco-CMS#22307 ### 📦 Dependencies * Bump lodash from 4.17.23 to 4.18.1 in /src/Umbraco.Web.UI.Login by @dependabot[bot] in umbraco/Umbraco-CMS#22334 * Dependencies: Update minor and patch versions by @AndyButland in umbraco/Umbraco-CMS#22498 * Update npm dependencies for v17.4.0-rc by @NguyenThuyLan in umbraco/Umbraco-CMS#22464 * Bump the npm_and_yarn group across 3 directories with 4 updates by @dependabot[bot] in umbraco/Umbraco-CMS#22537 * Dependencies: Update Microsoft packages to latest patch and fix HybridCache ParseFault with Redis by @AndyButland in umbraco/Umbraco-CMS#22278 * Dependencies: Pin `System.Security.Cryptography.Xml` to resolve vulnerability warning by @AndyButland in umbraco/Umbraco-CMS#22514 ### 🚤 Performance * Performance: Batch backoffice media thumbnail URL requests to reduce N+1 API calls by @AndyButland in umbraco/Umbraco-CMS#22329 * Performance: Optimize `FullDataSetRepositoryCachePolicy` usage across all repositories by @AndyButland in umbraco/Umbraco-CMS#22264 * Performance: Optimize `ContentTypeRepository` deep-clone on cache reads (closes #22250) by @AndyButland in umbraco/Umbraco-CMS#22263 * Performance: Use `GeneratedRegex` instead of generating at runtime in string extensions by @Henr1k80 in umbraco/Umbraco-CMS#22534 * Performance: Avoid allocating a string if `_publishedContentCache` has a cached version in `MediaCacheService` by @Henr1k80 in umbraco/Umbraco-CMS#22535 * Performance: Micro-optimisation in `UdiParser` (eliminate closure, fix naming & formatting of exceptions) by @Henr1k80 in umbraco/Umbraco-CMS#22506 ... (truncated) ## 17.4.0-rc ## Upgrade Notes Be aware of a change to behaviour for detecting the Umbraco application URL. Previously, `ApplicationMainUrl` was automatically set from the Host header of incoming HTTP requests. In environments where Umbraco is not behind a reverse proxy that validates the Host header, this could allow a forged Host header to overwrite the URL used in password reset links, user invitations, and other email notifications. While this is normally mitigated by proper hosting configuration and setting `UmbracoApplicationUrl` explicitly, we felt that the auto-detection behaviour should be hardened up and become an opt-in rather than the default. You can read more about this under "Breaking Changes" below, the [linked PR](umbraco/Umbraco-CMS#22307) and the [documentation](https://docs.umbraco.com/umbraco-cms/reference/configuration/webroutingsettings#application-url-detection). There are a few updates related to performance in this release that are worth investigating for larger sites. Using output cache in your projects, with intelligent and customisable detection of page invalidation, is now a [configuration option for templated websites](https://docs.umbraco.com/umbraco-cms/reference/website-output-caching), with extension points also [applied for the Delivery API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api/output-caching). We have optimised content cache rebuild after schema updates, with an option for [deferred rebuild in the background](https://docs.umbraco.com/umbraco-cms/reference/configuration/cache-settings#contenttyperebuildmode). If considering a project with significant expected concurrency for member login and registration, and you prefer to use an external service for member management, the new option for [lightweight external members](https://docs.umbraco.com/umbraco-cms/reference/security/lightweight-external-members) will be worth reviewing. If working with AI tools such as Umbraco MCP, additions to management API endpoints that expose JSON schema for data types and allow for patch updates of specific properties, should improve accuracy and reliability. As usual please find the full list of PRs that have contributed to Umbraco 17.4 as follows. ## What's Changed ### 🙌 Notable Changes * Management API: Add JSON Schema support for data types and content types by @Migaroez in umbraco/Umbraco-CMS#21771 * Media Picker: Add Cards/Table view switcher (closes #22005) by @madsrasmussen in umbraco/Umbraco-CMS#22138 * Management API: Add document patch endpoint by @Migaroez in umbraco/Umbraco-CMS#22104 * Website Rendering: Add configurable output caching for template rendered pages by @AndyButland in umbraco/Umbraco-CMS#22338 * Basic Authentication: Standalone login page for frontend-only deployments (closes #22144) by @AndyButland in umbraco/Umbraco-CMS#22168 * Icons: extends icon data + improved search by @nielslyngsoe in umbraco/Umbraco-CMS#22436 * Members: Add lightweight external-only members (closes #12741) by @AndyButland in umbraco/Umbraco-CMS#22162 * Cache: Add deferred content type rebuild mode with de-duplication by @AndyButland in umbraco/Umbraco-CMS#22194 ### 💥 Breaking Changes * Application URL: Add `ApplicationUrlDetection` setting to control application URL auto-detection by @AndyButland in umbraco/Umbraco-CMS#22307 ### 📦 Dependencies * Bump lodash from 4.17.23 to 4.18.1 in /src/Umbraco.Web.UI.Login by @dependabot[bot] in umbraco/Umbraco-CMS#22334 * Dependencies: Update minor and patch versions by @AndyButland in umbraco/Umbraco-CMS#22498 * Update npm dependencies for v17.4.0-rc by @NguyenThuyLan in umbraco/Umbraco-CMS#22464 * Bump the npm_and_yarn group across 3 directories with 4 updates by @dependabot[bot] in umbraco/Umbraco-CMS#22537 * Dependencies: Update Microsoft packages to latest patch and fix HybridCache ParseFault with Redis by @AndyButland in umbraco/Umbraco-CMS#22278 * Dependencies: Pin `System.Security.Cryptography.Xml` to resolve vulnerability warning by @AndyButland in umbraco/Umbraco-CMS#22514 ### 🚤 Performance * Performance: Batch backoffice media thumbnail URL requests to reduce N+1 API calls by @AndyButland in umbraco/Umbraco-CMS#22329 * Performance: Optimize `FullDataSetRepositoryCachePolicy` usage across all repositories by @AndyButland in umbraco/Umbraco-CMS#22264 * Performance: Optimize `ContentTypeRepository` deep-clone on cache reads (closes #22250) by @AndyButland in umbraco/Umbraco-CMS#22263 * Performance: Use `GeneratedRegex` instead of generating at runtime in string extensions by @Henr1k80 in umbraco/Umbraco-CMS#22534 * Performance: Avoid allocating a string if `_publishedContentCache` has a cached version in `MediaCacheService` by @Henr1k80 in umbraco/Umbraco-CMS#22535 * Performance: Micro-optimisation in `UdiParser` (eliminate closure, fix naming & formatting of exceptions) by @Henr1k80 in umbraco/Umbraco-CMS#22506 * Micro-optimization: Use Array.ConvertAll instead of LINQ .Select .ToArray by @Henr1k80 in umbraco/Umbraco-CMS#20292 * Entity Service: Batch GetAllPaths queries to avoid SQL Server parameter limit (closes #22470) by @AndyButland in umbraco/Umbraco-CMS#22471 * Document URL Service: Batch delete of obsolete URL segment records to avoid SQL Server parameter limit (closes #22339) by @AndyButland in umbraco/Umbraco-CMS#22340 * Content Version Cleanup: Optimize for large datasets (closes #22224) by @AndyButland in umbraco/Umbraco-CMS#22239 * Migrations: Optimise sortable value population for date properties by @AndyButland in umbraco/Umbraco-CMS#22547 * Migrations: Fix potential `OptimizeInvariantUrlRecords` timeout on SQL Server (closes #22377) by @AndyButland in umbraco/Umbraco-CMS#22382 * Umb-icon color setting optimization by @nielslyngsoe in umbraco/Umbraco-CMS#22433 ### 🌈 Accessibility Improvements * Accessibility: Fix missing labels on uui-select elements causing console warnings by @andreaslborg in umbraco/Umbraco-CMS#22385 * Accessibility: Include visible initials in name displayed on account menu button (closes #21942) by @andreaslborg in umbraco/Umbraco-CMS#22117 ... (truncated) ## 17.3.5 ## What's Changed ### 🐛 Bug Fixes * Revert fix for making block editors read-only in trashed documents which causes a regression in certain multi-lingual block editing scenarios (closes #22472, re-opens #21982) by @nielslyngsoe in umbraco/Umbraco-CMS#22656 **Full Changelog**: umbraco/Umbraco-CMS@release-17.3.4...release-17.3.5 Commits viewable in [compare view](umbraco/Umbraco-CMS@release-17.3.4...release-17.4.0). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Apr 2, 2026

iOvergaard approved these changes Apr 7, 2026

View reviewed changes

iOvergaard merged commit 3b69a2f into main Apr 7, 2026
28 checks passed

iOvergaard deleted the dependabot/npm_and_yarn/src/Umbraco.Web.UI.Login/lodash-4.18.1 branch April 7, 2026 11:56

dependabot Bot mentioned this pull request May 21, 2026

Bump Umbraco.Cms and Umbraco.Cms.Persistence.Sqlite alexsee/umbraco-container#180

Closed

This was referenced May 31, 2026

Bump the umbraco group with 1 update AndrewMcLachlan/ASM#392

Merged

Bump the umbraco group with 6 updates mikaelaolsson/jalles-tc-public-web#110

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump lodash from 4.17.23 to 4.18.1 in /src/Umbraco.Web.UI.Login#22334

Bump lodash from 4.17.23 to 4.18.1 in /src/Umbraco.Web.UI.Login#22334
iOvergaard merged 1 commit into
mainfrom
dependabot/npm_and_yarn/src/Umbraco.Web.UI.Login/lodash-4.18.1

dependabot Bot commented on behalf of github Apr 2, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

dependabot Bot commented on behalf of github Apr 2, 2026

4.18.1

Bugs

4.18.0

v4.18.0

Security

Docs

lodash.* modular packages

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

`lodash.*` modular packages