Update npm dependencies for v17.4.0-rc #22464
Pull request overview
Updates the backoffice (npm) dependency set for the v17.4.0-rc line, aligning multiple workspace packages and making small TypeScript cleanups to keep the codebase compatible with updated toolchain/linting.
Changes:
- Bump a wide range of root devDependencies (ESLint/Storybook/Prettier/etc.) and several workspace package dependencies (e.g., TipTap, marked, dompurify, diff).
- Apply small TypeScript refactors (mostly removing redundant initializers and adding explicit types) across several packages.
- Reclassify `icon-ball` to the `simpleIcons` section in the icon registry data.
Reviewed changes
Copilot reviewed 19 out of 20 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/Umbraco.Web.UI.Client/package.json | Major/minor devDependency updates for the backoffice toolchain. |
| src/Umbraco.Web.UI.Client/src/packages/core/package.json | Bumps diff, @hey-api/openapi-ts, and icon-source dev deps. |
| src/Umbraco.Web.UI.Client/src/packages/tiptap/package.json | Updates TipTap dependencies to 3.22.3. |
| src/Umbraco.Web.UI.Client/src/external/marked/package.json | Updates marked to ^18.0.0. |
| src/Umbraco.Web.UI.Client/src/external/dompurify/package.json | Updates dompurify to ^3.4.0. |
| src/Umbraco.Web.UI.Client/src/packages/tiptap/extensions/block/block.tiptap-toolbar-api.ts | Removes redundant `= undefined` initializer. |
| src/Umbraco.Web.UI.Client/src/packages/property-editors/date-time/property-editor-ui-date-time-picker-base.ts | Adds explicit typing for `timeZoneToStore`. |
| src/Umbraco.Web.UI.Client/src/packages/members/member/repository/detail/member-detail.server.data-source.ts | Simplifies scaffold icon retrieval by using a const. |
| src/Umbraco.Web.UI.Client/src/packages/media/media/repository/detail/media-detail.server.data-source.ts | Simplifies scaffold icon/collection retrieval and removes an unused type import. |
| src/Umbraco.Web.UI.Client/src/packages/documents/documents/repository/detail/document-detail.server.data-source.ts | Simplifies scaffold icon/collection retrieval and removes an unused type import. |
| src/Umbraco.Web.UI.Client/src/packages/media/media/components/input-image-cropper/image-cropper.element.ts | Tightens local variable typing for calculations and fixed-position data. |
| src/Umbraco.Web.UI.Client/src/packages/media/media/components/input-image-cropper/image-cropper-preview.element.ts | Tightens local variable typing for preview calculations. |
| src/Umbraco.Web.UI.Client/src/packages/core/sorter/sorter.controller.ts | Tightens local variable typing in placement/auto-scroll code paths. |
| src/Umbraco.Web.UI.Client/src/packages/core/search/search-modal/search-modal.element.ts | Simplifies local variable initialization for extension API creation. |
| src/Umbraco.Web.UI.Client/src/packages/core/router/router-slot/util/shadow.ts | Replaces pre-increment with `roots + 1` in recursive traversal. |
| src/Umbraco.Web.UI.Client/src/packages/core/resources/try-execute/try-execute.controller.ts | Adjusts local variable declaration style in error notification handler. |
| src/Umbraco.Web.UI.Client/src/packages/core/icon-registry/icon-dictionary.json | Moves `icon-ball` entry from `lucide` to `simpleIcons`. |
| src/Umbraco.Web.UI.Client/src/packages/clipboard/property/context/clipboard.property-context.ts | Removes redundant empty-array initialization prior to assignment. |
| src/Umbraco.Web.UI.Client/src/mocks/handlers/document/publishing.handlers.ts | Adds `cause` to thrown errors when rethrowing non-Error failures. |
PR Review
Target: Updates frontend devDependencies and a handful of production dependencies to their latest versions for v17.4.0-rc, with accompanying ESLint-driven code fixes (removing redundant initializations,
Suggestions
Approved with Suggestions for improvement
Good to go, but please carefully consider the importance of the suggestions.
…7/task/npm-update-dependencies
it is an isolated project and so can be used independent of the backoffice

@claude please review this again after the new changes since your last review and take special care around the icon auto-generated files.

Review posted - see below for full findings on PR 22464 npm dep update.

Review: Good dep maintenance PR. See summary in separate comment.

Review Summary
This PR updates dev dependencies to their latest versions for v17.4.0-rc. The non-lockfile changes are clean and well-structured.
Good changes
Items to verify
1.
2. TipTap bump (3.16.0 → 3.22.3) — core RTE runtime dependency
3. Both if/else branches do assign
Nit: Many icon files are reformatted by the prettier 3.6.2 → 3.8.2 bump. No functional issue, just makes the diff noisier for reviewers.
Overall a solid maintenance PR. The main asks are manual testing confirmation for
iOvergaard left a comment
I've tested Marked and Tiptap, regenerated the icon files and MSW and openapi SDK files. It all looks pretty solid.
Updated [Umbraco.Cms](https://github.com/umbraco/Umbraco-CMS) from 17.3.4 to 17.4.0.

<details>
<summary>Release notes</summary>

_Sourced from [Umbraco.Cms's releases](https://github.com/umbraco/Umbraco-CMS/releases)._

## 17.4.0

## Upgrade Notes

Be aware of a change to behaviour for detecting the Umbraco application URL. Previously, `ApplicationMainUrl` was automatically set from the Host header of incoming HTTP requests. In environments where Umbraco is not behind a reverse proxy that validates the Host header, this could allow a forged Host header to overwrite the URL used in password reset links, user invitations, and other email notifications. While this is normally mitigated by proper hosting configuration and setting `UmbracoApplicationUrl` explicitly, we felt that the auto-detection behaviour should be hardened up and become an opt-in rather than the default. You can read more about this under "Breaking Changes" below, the [linked PR](umbraco/Umbraco-CMS#22307) and the [documentation](https://docs.umbraco.com/umbraco-cms/reference/configuration/webroutingsettings#application-url-detection).

There are a few updates related to performance in this release that are worth investigating for larger sites. Using output cache in your projects, with intelligent and customisable detection of page invalidation, is now a [configuration option for templated websites](https://docs.umbraco.com/umbraco-cms/reference/website-output-caching), with extension points also [applied for the Delivery API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api/output-caching). We have optimised content cache rebuild after schema updates, with an option for [deferred rebuild in the background](https://docs.umbraco.com/umbraco-cms/reference/configuration/cache-settings#contenttyperebuildmode).

If considering a project with significant expected concurrency for member login and registration, and you prefer to use an external service for member management, the new option for [lightweight external members](https://docs.umbraco.com/umbraco-cms/reference/security/lightweight-external-members) will be worth reviewing.

If working with AI tools such as Umbraco MCP, additions to management API endpoints that expose JSON schema for data types and allow for patch updates of specific properties, should improve accuracy and reliability.

As usual please find the full list of PRs that have contributed to Umbraco 17.4 as follows.

## What's Changed Since 17.4.0-rc3

**Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc3...release-17.4.0

## What's Changed Since 17.4.0-r2

### 📦 Dependencies

* Bump @umbraco-ui/uui to 1.17.3 by @iOvergaard in umbraco/Umbraco-CMS#22753

### 🔒 Security

* Backoffice: Add `localize.htmlString()` helper to prevent XSS in HTML-rendered translations by @iOvergaard in umbraco/Umbraco-CMS#22731

### 🐛 Bug Fixes

* Auth: Un-deprecate getLatestToken and route per-request fetches through it by @iOvergaard in umbraco/Umbraco-CMS#22736
* Color Picker: Refresh stored label when data type label changes (closes #22741) by @AndyButland in umbraco/Umbraco-CMS#22761
* Published Content: Fix Fallback.ToAncestors with no match throwing exception at property level (closes #22759) by @AndyButland in umbraco/Umbraco-CMS#22763

**Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc2...release-17.4.0-rc3

## What's Changed Since 17.4.0-rc

### 🐛 Bug Fixes

* Block permissions: Correction of read-only inheritance and language access (closes #22472, #21973) by @nielslyngsoe in umbraco/Umbraco-CMS#22522
* Redirect Tracker: Prevent creation of redirects from unrouteable URLs (closes #22652, #22256) by @AndyButland in umbraco/Umbraco-CMS#22657
* [Blueprints: Fix intermittent blank workspace when creating documents from blueprints (closes #21996)](umbraco/Umbraco-CMS#22422 (comment)) by @AndyButland in umbraco/Umbraco-CMS#22422

**Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc...release-17.4.0-rc2

## What's Changed Since the Previous Version (17.3.5)

### 🙌 Notable Changes

* Management API: Add JSON Schema support for data types and content types by @Migaroez in umbraco/Umbraco-CMS#21771
* Media Picker: Add Cards/Table view switcher (closes #22005) by @madsrasmussen in umbraco/Umbraco-CMS#22138
* Management API: Add document patch endpoint by @Migaroez in umbraco/Umbraco-CMS#22104
* Website Rendering: Add configurable output caching for template rendered pages by @AndyButland in umbraco/Umbraco-CMS#22338
* Basic Authentication: Standalone login page for frontend-only deployments (closes #22144) by @AndyButland in umbraco/Umbraco-CMS#22168

... (truncated)

## 17.4.0-rc3

## What's Changed Since the Previous Version (17.3.5)

### 🙌 Notable Changes

* Management API: Add JSON Schema support for data types and content types by @Migaroez in umbraco/Umbraco-CMS#21771
* Media Picker: Add Cards/Table view switcher (closes #22005) by @madsrasmussen in umbraco/Umbraco-CMS#22138
* Management API: Add document patch endpoint by @Migaroez in umbraco/Umbraco-CMS#22104
* Website Rendering: Add configurable output caching for template rendered pages by @AndyButland in umbraco/Umbraco-CMS#22338
* Basic Authentication: Standalone login page for frontend-only deployments (closes #22144) by @AndyButland in umbraco/Umbraco-CMS#22168
* Icons: extends icon data + improved search by @nielslyngsoe in umbraco/Umbraco-CMS#22436
* Members: Add lightweight external-only members (closes #12741) by @AndyButland in umbraco/Umbraco-CMS#22162
* Cache: Add deferred content type rebuild mode with de-duplication by @AndyButland in umbraco/Umbraco-CMS#22194

... (truncated)

## 17.4.0-rc2

## What's Changed Since the Previous Version (17.3.5)

### 🙌 Notable Changes

* Management API: Add JSON Schema support for data types and content types by @Migaroez in umbraco/Umbraco-CMS#21771
* Media Picker: Add Cards/Table view switcher (closes #22005) by @madsrasmussen in umbraco/Umbraco-CMS#22138
* Management API: Add document patch endpoint by @Migaroez in umbraco/Umbraco-CMS#22104
* Website Rendering: Add configurable output caching for template rendered pages by @AndyButland in umbraco/Umbraco-CMS#22338
* Basic Authentication: Standalone login page for frontend-only deployments (closes #22144) by @AndyButland in umbraco/Umbraco-CMS#22168
* Icons: extends icon data + improved search by @nielslyngsoe in umbraco/Umbraco-CMS#22436
* Members: Add lightweight external-only members (closes #12741) by @AndyButland in umbraco/Umbraco-CMS#22162
* Cache: Add deferred content type rebuild mode with de-duplication by @AndyButland in umbraco/Umbraco-CMS#22194

### 💥 Breaking Changes

* Application URL: Add `ApplicationUrlDetection` setting to control application URL auto-detection by @AndyButland in umbraco/Umbraco-CMS#22307

### 📦 Dependencies

* Bump lodash from 4.17.23 to 4.18.1 in /src/Umbraco.Web.UI.Login by @dependabot[bot] in umbraco/Umbraco-CMS#22334
* Dependencies: Update minor and patch versions by @AndyButland in umbraco/Umbraco-CMS#22498
* Update npm dependencies for v17.4.0-rc by @NguyenThuyLan in umbraco/Umbraco-CMS#22464
* Bump the npm_and_yarn group across 3 directories with 4 updates by @dependabot[bot] in umbraco/Umbraco-CMS#22537
* Dependencies: Update Microsoft packages to latest patch and fix HybridCache ParseFault with Redis by @AndyButland in umbraco/Umbraco-CMS#22278
* Dependencies: Pin `System.Security.Cryptography.Xml` to resolve vulnerability warning by @AndyButland in umbraco/Umbraco-CMS#22514

### 🚤 Performance

* Performance: Batch backoffice media thumbnail URL requests to reduce N+1 API calls by @AndyButland in umbraco/Umbraco-CMS#22329
* Performance: Optimize `FullDataSetRepositoryCachePolicy` usage across all repositories by @AndyButland in umbraco/Umbraco-CMS#22264
* Performance: Optimize `ContentTypeRepository` deep-clone on cache reads (closes #22250) by @AndyButland in umbraco/Umbraco-CMS#22263
* Performance: Use `GeneratedRegex` instead of generating at runtime in string extensions by @Henr1k80 in umbraco/Umbraco-CMS#22534
* Performance: Avoid allocating a string if `_publishedContentCache` has a cached version in `MediaCacheService` by @Henr1k80 in umbraco/Umbraco-CMS#22535
* Performance: Micro-optimisation in `UdiParser` (eliminate closure, fix naming & formatting of exceptions) by @Henr1k80 in umbraco/Umbraco-CMS#22506

... (truncated)

## 17.4.0-rc

## What's Changed

### 🙌 Notable Changes

* Management API: Add JSON Schema support for data types and content types by @Migaroez in umbraco/Umbraco-CMS#21771
* Media Picker: Add Cards/Table view switcher (closes #22005) by @madsrasmussen in umbraco/Umbraco-CMS#22138
* Management API: Add document patch endpoint by @Migaroez in umbraco/Umbraco-CMS#22104
* Website Rendering: Add configurable output caching for template rendered pages by @AndyButland in umbraco/Umbraco-CMS#22338
* Basic Authentication: Standalone login page for frontend-only deployments (closes #22144) by @AndyButland in umbraco/Umbraco-CMS#22168
* Icons: extends icon data + improved search by @nielslyngsoe in umbraco/Umbraco-CMS#22436
* Members: Add lightweight external-only members (closes #12741) by @AndyButland in umbraco/Umbraco-CMS#22162
* Cache: Add deferred content type rebuild mode with de-duplication by @AndyButland in umbraco/Umbraco-CMS#22194

### 💥 Breaking Changes

* Application URL: Add `ApplicationUrlDetection` setting to control application URL auto-detection by @AndyButland in umbraco/Umbraco-CMS#22307

### 📦 Dependencies

* Bump lodash from 4.17.23 to 4.18.1 in /src/Umbraco.Web.UI.Login by @dependabot[bot] in umbraco/Umbraco-CMS#22334
* Dependencies: Update minor and patch versions by @AndyButland in umbraco/Umbraco-CMS#22498
* Update npm dependencies for v17.4.0-rc by @NguyenThuyLan in umbraco/Umbraco-CMS#22464
* Bump the npm_and_yarn group across 3 directories with 4 updates by @dependabot[bot] in umbraco/Umbraco-CMS#22537
* Dependencies: Update Microsoft packages to latest patch and fix HybridCache ParseFault with Redis by @AndyButland in umbraco/Umbraco-CMS#22278
* Dependencies: Pin `System.Security.Cryptography.Xml` to resolve vulnerability warning by @AndyButland in umbraco/Umbraco-CMS#22514

### 🚤 Performance

* Performance: Batch backoffice media thumbnail URL requests to reduce N+1 API calls by @AndyButland in umbraco/Umbraco-CMS#22329
* Performance: Optimize `FullDataSetRepositoryCachePolicy` usage across all repositories by @AndyButland in umbraco/Umbraco-CMS#22264
* Performance: Optimize `ContentTypeRepository` deep-clone on cache reads (closes #22250) by @AndyButland in umbraco/Umbraco-CMS#22263
* Performance: Use `GeneratedRegex` instead of generating at runtime in string extensions by @Henr1k80 in umbraco/Umbraco-CMS#22534
* Performance: Avoid allocating a string if `_publishedContentCache` has a cached version in `MediaCacheService` by @Henr1k80 in umbraco/Umbraco-CMS#22535
* Performance: Micro-optimisation in `UdiParser` (eliminate closure, fix naming & formatting of exceptions) by @Henr1k80 in umbraco/Umbraco-CMS#22506
* Micro-optimization: Use Array.ConvertAll instead of LINQ .Select .ToArray by @Henr1k80 in umbraco/Umbraco-CMS#20292
* Entity Service: Batch GetAllPaths queries to avoid SQL Server parameter limit (closes #22470) by @AndyButland in umbraco/Umbraco-CMS#22471
* Document URL Service: Batch delete of obsolete URL segment records to avoid SQL Server parameter limit (closes #22339) by @AndyButland in umbraco/Umbraco-CMS#22340
* Content Version Cleanup: Optimize for large datasets (closes #22224) by @AndyButland in umbraco/Umbraco-CMS#22239
* Migrations: Optimise sortable value population for date properties by @AndyButland in umbraco/Umbraco-CMS#22547
* Migrations: Fix potential `OptimizeInvariantUrlRecords` timeout on SQL Server (closes #22377) by @AndyButland in umbraco/Umbraco-CMS#22382
* Umb-icon color setting optimization by @nielslyngsoe in umbraco/Umbraco-CMS#22433

### 🌈 Accessibility Improvements

* Accessibility: Fix missing labels on uui-select elements causing console warnings by @andreaslborg in umbraco/Umbraco-CMS#22385
* Accessibility: Include visible initials in name displayed on account menu button (closes #21942) by @andreaslborg in umbraco/Umbraco-CMS#22117

... (truncated)

## 17.3.5

## What's Changed

### 🐛 Bug Fixes

* Revert fix for making block editors read-only in trashed documents which causes a regression in certain multi-lingual block editing scenarios (closes #22472, re-opens #21982) by @nielslyngsoe in umbraco/Umbraco-CMS#22656

**Full Changelog**: umbraco/Umbraco-CMS@release-17.3.4...release-17.3.5

Commits viewable in [compare view](umbraco/Umbraco-CMS@release-17.3.4...release-17.4.0).

</details>

Updated [Umbraco.Cms.Persistence.Sqlite](https://github.com/umbraco/Umbraco-CMS) from 17.3.4 to 17.4.0.
There are a few updates related to performance in this release that are worth investigating for larger sites. Using output cache in your projects, with intelligent and customisable detection of page invalidation, is now a [configuration option for templated websites](https://docs.umbraco.com/umbraco-cms/reference/website-output-caching), with extension points also [applied for the Delivery API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api/output-caching). We have optimised content cache rebuild after schema updates, with an option for [deferred rebuild in the background](https://docs.umbraco.com/umbraco-cms/reference/configuration/cache-settings#contenttyperebuildmode). If considering a project with significant expected concurrency for member login and registration, and you prefer to use an external service for member management, the new option for [lightweight external members](https://docs.umbraco.com/umbraco-cms/reference/security/lightweight-external-members) will be worth reviewing. If working with AI tools such as Umbraco MCP, additions to management API endpoints that expose JSON schema for data types and allow for patch updates of specific properties, should improve accuracy and reliability. As usual please find the full list of PRs that have contributed to Umbraco 17.4 as follows. 
## What's Changed Since 17.4.0-rc

### 🐛 Bug Fixes

* Block permissions: Correction of read-only inheritance and language access (closes #22472, #21973) by @nielslyngsoe in umbraco/Umbraco-CMS#22522
* Redirect Tracker: Prevent creation of redirects from unrouteable URLs (closes #22652, #22256) by @AndyButland in umbraco/Umbraco-CMS#22657
* [Blueprints: Fix intermittent blank workspace when creating documents from blueprints (closes #21996)](umbraco/Umbraco-CMS#22422 (comment)) by @AndyButland in umbraco/Umbraco-CMS#22422

**Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc...release-17.4.0-rc2

## What's Changed Since the Previous Version (17.3.5)

### 🙌 Notable Changes

* Management API: Add JSON Schema support for data types and content types by @Migaroez in umbraco/Umbraco-CMS#21771
* Media Picker: Add Cards/Table view switcher (closes #22005) by @madsrasmussen in umbraco/Umbraco-CMS#22138
* Management API: Add document patch endpoint by @Migaroez in umbraco/Umbraco-CMS#22104
* Website Rendering: Add configurable output caching for template rendered pages by @AndyButland in umbraco/Umbraco-CMS#22338
* Basic Authentication: Standalone login page for frontend-only deployments (closes #22144) by @AndyButland in umbraco/Umbraco-CMS#22168
* Icons: extends icon data + improved search by @nielslyngsoe in umbraco/Umbraco-CMS#22436
* Members: Add lightweight external-only members (closes #12741) by @AndyButland in umbraco/Umbraco-CMS#22162
* Cache: Add deferred content type rebuild mode with de-duplication by @AndyButland in umbraco/Umbraco-CMS#22194

### 💥 Breaking Changes

* Application URL: Add `ApplicationUrlDetection` setting to control application URL auto-detection by @AndyButland in umbraco/Umbraco-CMS#22307

### 📦 Dependencies

* Bump lodash from 4.17.23 to 4.18.1 in /src/Umbraco.Web.UI.Login by @dependabot[bot] in umbraco/Umbraco-CMS#22334
* Dependencies: Update minor and patch versions by @AndyButland in umbraco/Umbraco-CMS#22498
* Update npm dependencies for v17.4.0-rc by @NguyenThuyLan in umbraco/Umbraco-CMS#22464
* Bump the npm_and_yarn group across 3 directories with 4 updates by @dependabot[bot] in umbraco/Umbraco-CMS#22537
* Dependencies: Update Microsoft packages to latest patch and fix HybridCache ParseFault with Redis by @AndyButland in umbraco/Umbraco-CMS#22278
* Dependencies: Pin `System.Security.Cryptography.Xml` to resolve vulnerability warning by @AndyButland in umbraco/Umbraco-CMS#22514

### 🚤 Performance

* Performance: Batch backoffice media thumbnail URL requests to reduce N+1 API calls by @AndyButland in umbraco/Umbraco-CMS#22329
* Performance: Optimize `FullDataSetRepositoryCachePolicy` usage across all repositories by @AndyButland in umbraco/Umbraco-CMS#22264
* Performance: Optimize `ContentTypeRepository` deep-clone on cache reads (closes #22250) by @AndyButland in umbraco/Umbraco-CMS#22263
* Performance: Use `GeneratedRegex` instead of generating at runtime in string extensions by @Henr1k80 in umbraco/Umbraco-CMS#22534
* Performance: Avoid allocating a string if `_publishedContentCache` has a cached version in `MediaCacheService` by @Henr1k80 in umbraco/Umbraco-CMS#22535
* Performance: Micro-optimisation in `UdiParser` (eliminate closure, fix naming & formatting of exceptions) by @Henr1k80 in umbraco/Umbraco-CMS#22506

... (truncated)

## 17.4.0-rc

## Upgrade Notes

Be aware of a change to behaviour for detecting the Umbraco application URL. Previously, `ApplicationMainUrl` was automatically set from the Host header of incoming HTTP requests. In environments where Umbraco is not behind a reverse proxy that validates the Host header, this could allow a forged Host header to overwrite the URL used in password reset links, user invitations, and other email notifications. While this is normally mitigated by proper hosting configuration and setting `UmbracoApplicationUrl` explicitly, we felt that the auto-detection behaviour should be hardened up and become an opt-in rather than the default. You can read more about this under "Breaking Changes" below, the [linked PR](umbraco/Umbraco-CMS#22307) and the [documentation](https://docs.umbraco.com/umbraco-cms/reference/configuration/webroutingsettings#application-url-detection).

There are a few updates related to performance in this release that are worth investigating for larger sites. Using output cache in your projects, with intelligent and customisable detection of page invalidation, is now a [configuration option for templated websites](https://docs.umbraco.com/umbraco-cms/reference/website-output-caching), with extension points also [applied for the Delivery API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api/output-caching). We have optimised content cache rebuild after schema updates, with an option for [deferred rebuild in the background](https://docs.umbraco.com/umbraco-cms/reference/configuration/cache-settings#contenttyperebuildmode).

If considering a project with significant expected concurrency for member login and registration, and you prefer to use an external service for member management, the new option for [lightweight external members](https://docs.umbraco.com/umbraco-cms/reference/security/lightweight-external-members) will be worth reviewing.

If working with AI tools such as Umbraco MCP, additions to management API endpoints that expose JSON schema for data types and allow for patch updates of specific properties, should improve accuracy and reliability.

As usual please find the full list of PRs that have contributed to Umbraco 17.4 as follows.
## What's Changed

### 🙌 Notable Changes

* Management API: Add JSON Schema support for data types and content types by @Migaroez in umbraco/Umbraco-CMS#21771
* Media Picker: Add Cards/Table view switcher (closes #22005) by @madsrasmussen in umbraco/Umbraco-CMS#22138
* Management API: Add document patch endpoint by @Migaroez in umbraco/Umbraco-CMS#22104
* Website Rendering: Add configurable output caching for template rendered pages by @AndyButland in umbraco/Umbraco-CMS#22338
* Basic Authentication: Standalone login page for frontend-only deployments (closes #22144) by @AndyButland in umbraco/Umbraco-CMS#22168
* Icons: extends icon data + improved search by @nielslyngsoe in umbraco/Umbraco-CMS#22436
* Members: Add lightweight external-only members (closes #12741) by @AndyButland in umbraco/Umbraco-CMS#22162
* Cache: Add deferred content type rebuild mode with de-duplication by @AndyButland in umbraco/Umbraco-CMS#22194

### 💥 Breaking Changes

* Application URL: Add `ApplicationUrlDetection` setting to control application URL auto-detection by @AndyButland in umbraco/Umbraco-CMS#22307

### 📦 Dependencies

* Bump lodash from 4.17.23 to 4.18.1 in /src/Umbraco.Web.UI.Login by @dependabot[bot] in umbraco/Umbraco-CMS#22334
* Dependencies: Update minor and patch versions by @AndyButland in umbraco/Umbraco-CMS#22498
* Update npm dependencies for v17.4.0-rc by @NguyenThuyLan in umbraco/Umbraco-CMS#22464
* Bump the npm_and_yarn group across 3 directories with 4 updates by @dependabot[bot] in umbraco/Umbraco-CMS#22537
* Dependencies: Update Microsoft packages to latest patch and fix HybridCache ParseFault with Redis by @AndyButland in umbraco/Umbraco-CMS#22278
* Dependencies: Pin `System.Security.Cryptography.Xml` to resolve vulnerability warning by @AndyButland in umbraco/Umbraco-CMS#22514

### 🚤 Performance

* Performance: Batch backoffice media thumbnail URL requests to reduce N+1 API calls by @AndyButland in umbraco/Umbraco-CMS#22329
* Performance: Optimize `FullDataSetRepositoryCachePolicy` usage across all repositories by @AndyButland in umbraco/Umbraco-CMS#22264
* Performance: Optimize `ContentTypeRepository` deep-clone on cache reads (closes #22250) by @AndyButland in umbraco/Umbraco-CMS#22263
* Performance: Use `GeneratedRegex` instead of generating at runtime in string extensions by @Henr1k80 in umbraco/Umbraco-CMS#22534
* Performance: Avoid allocating a string if `_publishedContentCache` has a cached version in `MediaCacheService` by @Henr1k80 in umbraco/Umbraco-CMS#22535
* Performance: Micro-optimisation in `UdiParser` (eliminate closure, fix naming & formatting of exceptions) by @Henr1k80 in umbraco/Umbraco-CMS#22506
* Micro-optimization: Use Array.ConvertAll instead of LINQ .Select .ToArray by @Henr1k80 in umbraco/Umbraco-CMS#20292
* Entity Service: Batch GetAllPaths queries to avoid SQL Server parameter limit (closes #22470) by @AndyButland in umbraco/Umbraco-CMS#22471
* Document URL Service: Batch delete of obsolete URL segment records to avoid SQL Server parameter limit (closes #22339) by @AndyButland in umbraco/Umbraco-CMS#22340
* Content Version Cleanup: Optimize for large datasets (closes #22224) by @AndyButland in umbraco/Umbraco-CMS#22239
* Migrations: Optimise sortable value population for date properties by @AndyButland in umbraco/Umbraco-CMS#22547
* Migrations: Fix potential `OptimizeInvariantUrlRecords` timeout on SQL Server (closes #22377) by @AndyButland in umbraco/Umbraco-CMS#22382
* Umb-icon color setting optimization by @nielslyngsoe in umbraco/Umbraco-CMS#22433

### 🌈 Accessibility Improvements

* Accessibility: Fix missing labels on uui-select elements causing console warnings by @andreaslborg in umbraco/Umbraco-CMS#22385
* Accessibility: Include visible initials in name displayed on account menu button (closes #21942) by @andreaslborg in umbraco/Umbraco-CMS#22117

... (truncated)

## 17.3.5

## What's Changed

### 🐛 Bug Fixes

* Revert fix for making block editors read-only in trashed documents which causes a regression in certain multi-lingual block editing scenarios (closes #22472, re-opens #21982) by @nielslyngsoe in umbraco/Umbraco-CMS#22656

**Full Changelog**: umbraco/Umbraco-CMS@release-17.3.4...release-17.3.5

Commits viewable in [compare view](umbraco/Umbraco-CMS@release-17.3.4...release-17.4.0).

</details>

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
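The upgrade notes above say the forged-Host risk is normally mitigated by setting `UmbracoApplicationUrl` explicitly and by hosting that validates the Host header. The following pre-upgrade check over `appsettings.json` is an added example, not code from Umbraco or from this PR; it assumes the `Umbraco:CMS:WebRouting` section layout, ASP.NET Core's top-level `AllowedHosts` key as the Host filter, strict JSON input, and constructed sample configs.

```python
import json
from urllib.parse import urlsplit

# Constructed sample configs (not taken from any real site).
WEAK = """
{
  "AllowedHosts": "*",
  "Umbraco": { "CMS": { "WebRouting": {} } }
}
"""

HARDENED = """
{
  "AllowedHosts": "cms.example.com",
  "Umbraco": { "CMS": { "WebRouting": {
    "UmbracoApplicationUrl": "https://cms.example.com/"
  } } }
}
"""


def get_setting(node, *path):
    """Walk nested dicts; keys match case-insensitively, as .NET configuration does."""
    for key in path:
        if not isinstance(node, dict):
            return None
        match = next((k for k in node if k.lower() == key.lower()), None)
        if match is None:
            return None
        node = node[match]
    return node


def host_allowed(pattern, host):
    """Match one AllowedHosts entry: an exact name or a '*.' subdomain wildcard."""
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com": subdomains only, not the parent
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def audit(appsettings_text):
    """Return a list of finding codes; an empty list means nothing to review."""
    cfg = json.loads(appsettings_text)
    findings = []
    routing = ("Umbraco", "CMS", "WebRouting")

    # 1. The URL used in reset links and invitations should be pinned in config.
    url = get_setting(cfg, *routing, "UmbracoApplicationUrl")
    app_host = None
    if not isinstance(url, str) or not url.strip():
        findings.append("APP_URL_UNSET")
    else:
        parts = urlsplit(url.strip())
        if parts.scheme not in ("http", "https") or not parts.hostname:
            findings.append("APP_URL_NOT_ABSOLUTE")
        else:
            app_host = parts.hostname.lower()
            if parts.scheme != "https":
                findings.append("APP_URL_NOT_HTTPS")

    # 2. Auto-detection is opt-in from 17.4: surface any explicit value so a
    #    reviewer can compare it with the linked documentation.
    detection = get_setting(cfg, *routing, "ApplicationUrlDetection")
    if detection is not None:
        findings.append(f"URL_DETECTION_CONFIGURED:{detection}")

    # 3. A missing or "*" AllowedHosts means the app itself accepts any Host.
    allowed = get_setting(cfg, "AllowedHosts")
    hosts = []
    if isinstance(allowed, str):
        hosts = [h.strip().lower() for h in allowed.split(";") if h.strip()]
    if not hosts or "*" in hosts:
        findings.append("HOST_FILTER_ALLOWS_ANY")
    elif app_host and not any(host_allowed(p, app_host) for p in hosts):
        findings.append("APP_URL_HOST_NOT_IN_ALLOWED_HOSTS")

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text))
```

`HOST_FILTER_ALLOWS_ANY` is only a finding for the application's own filter; a reverse proxy that validates the Host header, as the notes mention, covers the same risk and is not visible from this file.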
Updated [Umbraco.Cms.DevelopmentMode.Backoffice](https://github.com/umbraco/Umbraco-CMS) from 17.3.4 to 17.4.0.

<details>
<summary>Release notes</summary>

_Sourced from [Umbraco.Cms.DevelopmentMode.Backoffice's releases](https://github.com/umbraco/Umbraco-CMS/releases)._

## 17.4.0

## Upgrade Notes

Be aware of a change to behaviour for detecting the Umbraco application URL. Previously, `ApplicationMainUrl` was automatically set from the Host header of incoming HTTP requests. In environments where Umbraco is not behind a reverse proxy that validates the Host header, this could allow a forged Host header to overwrite the URL used in password reset links, user invitations, and other email notifications. While this is normally mitigated by proper hosting configuration and setting `UmbracoApplicationUrl` explicitly, we felt that the auto-detection behaviour should be hardened up and become an opt-in rather than the default. You can read more about this under "Breaking Changes" below, the [linked PR](umbraco/Umbraco-CMS#22307) and the [documentation](https://docs.umbraco.com/umbraco-cms/reference/configuration/webroutingsettings#application-url-detection).

There are a few updates related to performance in this release that are worth investigating for larger sites. Using output cache in your projects, with intelligent and customisable detection of page invalidation, is now a [configuration option for templated websites](https://docs.umbraco.com/umbraco-cms/reference/website-output-caching), with extension points also [applied for the Delivery API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api/output-caching). We have optimised content cache rebuild after schema updates, with an option for [deferred rebuild in the background](https://docs.umbraco.com/umbraco-cms/reference/configuration/cache-settings#contenttyperebuildmode).

If considering a project with significant expected concurrency for member login and registration, and you prefer to use an external service for member management, the new option for [lightweight external members](https://docs.umbraco.com/umbraco-cms/reference/security/lightweight-external-members) will be worth reviewing.

If working with AI tools such as Umbraco MCP, additions to management API endpoints that expose JSON schema for data types and allow for patch updates of specific properties, should improve accuracy and reliability.

As usual please find the full list of PRs that have contributed to Umbraco 17.4 as follows.

## What's Changed Since 17.4.0-rc3

**Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc3...release-17.4.0

## What's Changed Since 17.4.0-r2

### 📦 Dependencies

* Bump @umbraco-ui/uui to 1.17.3 by @iOvergaard in umbraco/Umbraco-CMS#22753

### 🔒 Security

* Backoffice: Add `localize.htmlString()` helper to prevent XSS in HTML-rendered translations by @iOvergaard in umbraco/Umbraco-CMS#22731

### 🐛 Bug Fixes

* Auth: Un-deprecate getLatestToken and route per-request fetches through it by @iOvergaard in umbraco/Umbraco-CMS#22736
* Color Picker: Refresh stored label when data type label changes (closes #22741) by @AndyButland in umbraco/Umbraco-CMS#22761
* Published Content: Fix Fallback.ToAncestors with no match throwing exception at property level (closes #22759) by @AndyButland in umbraco/Umbraco-CMS#22763

**Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc2...release-17.4.0-rc3

## What's Changed Since 17.4.0-rc

### 🐛 Bug Fixes

* Block permissions: Correction of read-only inheritance and language access (closes #22472, #21973) by @nielslyngsoe in umbraco/Umbraco-CMS#22522
* Redirect Tracker: Prevent creation of redirects from unrouteable URLs (closes #22652, #22256) by @AndyButland in umbraco/Umbraco-CMS#22657
* [Blueprints: Fix intermittent blank workspace when creating documents from blueprints (closes #21996)](umbraco/Umbraco-CMS#22422 (comment)) by @AndyButland in umbraco/Umbraco-CMS#22422

**Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc...release-17.4.0-rc2

## What's Changed Since the Previous Version (17.3.5)

### 🙌 Notable Changes

* Management API: Add JSON Schema support for data types and content types by @Migaroez in umbraco/Umbraco-CMS#21771
* Media Picker: Add Cards/Table view switcher (closes #22005) by @madsrasmussen in umbraco/Umbraco-CMS#22138
* Management API: Add document patch endpoint by @Migaroez in umbraco/Umbraco-CMS#22104
* Website Rendering: Add configurable output caching for template rendered pages by @AndyButland in umbraco/Umbraco-CMS#22338
* Basic Authentication: Standalone login page for frontend-only deployments (closes #22144) by @AndyButland in umbraco/Umbraco-CMS#22168

... (truncated)

## 17.4.0-rc3

## Upgrade Notes

Be aware of a change to behaviour for detecting the Umbraco application URL. Previously, `ApplicationMainUrl` was automatically set from the Host header of incoming HTTP requests. In environments where Umbraco is not behind a reverse proxy that validates the Host header, this could allow a forged Host header to overwrite the URL used in password reset links, user invitations, and other email notifications. While this is normally mitigated by proper hosting configuration and setting `UmbracoApplicationUrl` explicitly, we felt that the auto-detection behaviour should be hardened up and become an opt-in rather than the default. You can read more about this under "Breaking Changes" below, the [linked PR](umbraco/Umbraco-CMS#22307) and the [documentation](https://docs.umbraco.com/umbraco-cms/reference/configuration/webroutingsettings#application-url-detection).

There are a few updates related to performance in this release that are worth investigating for larger sites. Using output cache in your projects, with intelligent and customisable detection of page invalidation, is now a [configuration option for templated websites](https://docs.umbraco.com/umbraco-cms/reference/website-output-caching), with extension points also [applied for the Delivery API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api/output-caching). We have optimised content cache rebuild after schema updates, with an option for [deferred rebuild in the background](https://docs.umbraco.com/umbraco-cms/reference/configuration/cache-settings#contenttyperebuildmode).

If considering a project with significant expected concurrency for member login and registration, and you prefer to use an external service for member management, the new option for [lightweight external members](https://docs.umbraco.com/umbraco-cms/reference/security/lightweight-external-members) will be worth reviewing.

If working with AI tools such as Umbraco MCP, additions to management API endpoints that expose JSON schema for data types and allow for patch updates of specific properties, should improve accuracy and reliability.

As usual please find the full list of PRs that have contributed to Umbraco 17.4 as follows.
## What's Changed Since 17.4.0-r2

### 📦 Dependencies

* Bump @umbraco-ui/uui to 1.17.3 by @iOvergaard in umbraco/Umbraco-CMS#22753

### 🔒 Security

* Backoffice: Add `localize.htmlString()` helper to prevent XSS in HTML-rendered translations by @iOvergaard in umbraco/Umbraco-CMS#22731

### 🐛 Bug Fixes

* Auth: Un-deprecate getLatestToken and route per-request fetches through it by @iOvergaard in umbraco/Umbraco-CMS#22736
* Color Picker: Refresh stored label when data type label changes (closes #22741) by @AndyButland in umbraco/Umbraco-CMS#22761
* Published Content: Fix Fallback.ToAncestors with no match throwing exception at property level (closes #22759) by @AndyButland in umbraco/Umbraco-CMS#22763

**Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc2...release-17.4.0-rc3

## What's Changed Since 17.4.0-rc

### 🐛 Bug Fixes

* Block permissions: Correction of read-only inheritance and language access (closes #22472, #21973) by @nielslyngsoe in umbraco/Umbraco-CMS#22522
* Redirect Tracker: Prevent creation of redirects from unrouteable URLs (closes #22652, #22256) by @AndyButland in umbraco/Umbraco-CMS#22657
* [Blueprints: Fix intermittent blank workspace when creating documents from blueprints (closes #21996)](umbraco/Umbraco-CMS#22422 (comment)) by @AndyButland in umbraco/Umbraco-CMS#22422

**Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc...release-17.4.0-rc2

## What's Changed Since the Previous Version (17.3.5)

### 🙌 Notable Changes

* Management API: Add JSON Schema support for data types and content types by @Migaroez in umbraco/Umbraco-CMS#21771
* Media Picker: Add Cards/Table view switcher (closes #22005) by @madsrasmussen in umbraco/Umbraco-CMS#22138
* Management API: Add document patch endpoint by @Migaroez in umbraco/Umbraco-CMS#22104
* Website Rendering: Add configurable output caching for template rendered pages by @AndyButland in umbraco/Umbraco-CMS#22338
* Basic Authentication: Standalone login page for frontend-only deployments (closes #22144) by @AndyButland in umbraco/Umbraco-CMS#22168
* Icons: extends icon data + improved search by @nielslyngsoe in umbraco/Umbraco-CMS#22436
* Members: Add lightweight external-only members (closes #12741) by @AndyButland in umbraco/Umbraco-CMS#22162
* Cache: Add deferred content type rebuild mode with de-duplication by @AndyButland in umbraco/Umbraco-CMS#22194

... (truncated)

## 17.4.0-rc2

## Upgrade Notes

Be aware of a change to behaviour for detecting the Umbraco application URL. Previously, `ApplicationMainUrl` was automatically set from the Host header of incoming HTTP requests. In environments where Umbraco is not behind a reverse proxy that validates the Host header, this could allow a forged Host header to overwrite the URL used in password reset links, user invitations, and other email notifications. While this is normally mitigated by proper hosting configuration and setting `UmbracoApplicationUrl` explicitly, we felt that the auto-detection behaviour should be hardened up and become an opt-in rather than the default. You can read more about this under "Breaking Changes" below, the [linked PR](umbraco/Umbraco-CMS#22307) and the [documentation](https://docs.umbraco.com/umbraco-cms/reference/configuration/webroutingsettings#application-url-detection).

There are a few updates related to performance in this release that are worth investigating for larger sites. Using output cache in your projects, with intelligent and customisable detection of page invalidation, is now a [configuration option for templated websites](https://docs.umbraco.com/umbraco-cms/reference/website-output-caching), with extension points also [applied for the Delivery API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api/output-caching). We have optimised content cache rebuild after schema updates, with an option for [deferred rebuild in the background](https://docs.umbraco.com/umbraco-cms/reference/configuration/cache-settings#contenttyperebuildmode).

If considering a project with significant expected concurrency for member login and registration, and you prefer to use an external service for member management, the new option for [lightweight external members](https://docs.umbraco.com/umbraco-cms/reference/security/lightweight-external-members) will be worth reviewing.

If working with AI tools such as Umbraco MCP, additions to management API endpoints that expose JSON schema for data types and allow for patch updates of specific properties, should improve accuracy and reliability.

As usual please find the full list of PRs that have contributed to Umbraco 17.4 as follows.

## What's Changed Since 17.4.0-rc

### 🐛 Bug Fixes

* Block permissions: Correction of read-only inheritance and language access (closes #22472, #21973) by @nielslyngsoe in umbraco/Umbraco-CMS#22522
* Redirect Tracker: Prevent creation of redirects from unrouteable URLs (closes #22652, #22256) by @AndyButland in umbraco/Umbraco-CMS#22657
* [Blueprints: Fix intermittent blank workspace when creating documents from blueprints (closes #21996)](umbraco/Umbraco-CMS#22422 (comment)) by @AndyButland in umbraco/Umbraco-CMS#22422

**Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc...release-17.4.0-rc2

## What's Changed Since the Previous Version (17.3.5)

### 🙌 Notable Changes

* Management API: Add JSON Schema support for data types and content types by @Migaroez in umbraco/Umbraco-CMS#21771
* Media Picker: Add Cards/Table view switcher (closes #22005) by @madsrasmussen in umbraco/Umbraco-CMS#22138
* Management API: Add document patch endpoint by @Migaroez in umbraco/Umbraco-CMS#22104
* Website Rendering: Add configurable output caching for template rendered pages by @AndyButland in umbraco/Umbraco-CMS#22338
* Basic Authentication: Standalone login page for frontend-only deployments (closes #22144) by @AndyButland in umbraco/Umbraco-CMS#22168
* Icons: extends icon data + improved search by @nielslyngsoe in umbraco/Umbraco-CMS#22436
* Members: Add lightweight external-only members (closes #12741) by @AndyButland in umbraco/Umbraco-CMS#22162
* Cache: Add deferred content type rebuild mode with de-duplication by @AndyButland in umbraco/Umbraco-CMS#22194

### 💥 Breaking Changes

* Application URL: Add `ApplicationUrlDetection` setting to control application URL auto-detection by @AndyButland in umbraco/Umbraco-CMS#22307

### 📦 Dependencies

* Bump lodash from 4.17.23 to 4.18.1 in /src/Umbraco.Web.UI.Login by @dependabot[bot] in umbraco/Umbraco-CMS#22334
* Dependencies: Update minor and patch versions by @AndyButland in umbraco/Umbraco-CMS#22498
* Update npm dependencies for v17.4.0-rc by @NguyenThuyLan in umbraco/Umbraco-CMS#22464
* Bump the npm_and_yarn group across 3 directories with 4 updates by @dependabot[bot] in umbraco/Umbraco-CMS#22537
* Dependencies: Update Microsoft packages to latest patch and fix HybridCache ParseFault with Redis by @AndyButland in umbraco/Umbraco-CMS#22278
* Dependencies: Pin `System.Security.Cryptography.Xml` to resolve vulnerability warning by @AndyButland in umbraco/Umbraco-CMS#22514

### 🚤 Performance

* Performance: Batch backoffice media thumbnail URL requests to reduce N+1 API calls by @AndyButland in umbraco/Umbraco-CMS#22329
* Performance: Optimize `FullDataSetRepositoryCachePolicy` usage across all repositories by @AndyButland in umbraco/Umbraco-CMS#22264
* Performance: Optimize `ContentTypeRepository` deep-clone on cache reads (closes #22250) by @AndyButland in umbraco/Umbraco-CMS#22263
* Performance: Use `GeneratedRegex` instead of generating at runtime in string extensions by @Henr1k80 in umbraco/Umbraco-CMS#22534
* Performance: Avoid allocating a string if `_publishedContentCache` has a cached version in `MediaCacheService` by @Henr1k80 in umbraco/Umbraco-CMS#22535
* Performance: Micro-optimisation in `UdiParser` (eliminate closure, fix naming & formatting of exceptions) by @Henr1k80 in umbraco/Umbraco-CMS#22506

... (truncated)

## 17.4.0-rc

## Upgrade Notes

Be aware of a change to behaviour for detecting the Umbraco application URL. Previously, `ApplicationMainUrl` was automatically set from the Host header of incoming HTTP requests. In environments where Umbraco is not behind a reverse proxy that validates the Host header, this could allow a forged Host header to overwrite the URL used in password reset links, user invitations, and other email notifications. While this is normally mitigated by proper hosting configuration and setting `UmbracoApplicationUrl` explicitly, we felt that the auto-detection behaviour should be hardened up and become an opt-in rather than the default. You can read more about this under "Breaking Changes" below, the [linked PR](umbraco/Umbraco-CMS#22307) and the [documentation](https://docs.umbraco.com/umbraco-cms/reference/configuration/webroutingsettings#application-url-detection).

There are a few updates related to performance in this release that are worth investigating for larger sites. Using output cache in your projects, with intelligent and customisable detection of page invalidation, is now a [configuration option for templated websites](https://docs.umbraco.com/umbraco-cms/reference/website-output-caching), with extension points also [applied for the Delivery API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api/output-caching). We have optimised content cache rebuild after schema updates, with an option for [deferred rebuild in the background](https://docs.umbraco.com/umbraco-cms/reference/configuration/cache-settings#contenttyperebuildmode).

If considering a project with significant expected concurrency for member login and registration, and you prefer to use an external service for member management, the new option for [lightweight external members](https://docs.umbraco.com/umbraco-cms/reference/security/lightweight-external-members) will be worth reviewing.

If working with AI tools such as Umbraco MCP, additions to management API endpoints that expose JSON schema for data types and allow for patch updates of specific properties, should improve accuracy and reliability.

As usual please find the full list of PRs that have contributed to Umbraco 17.4 as follows.

## What's Changed

### 🙌 Notable Changes

* Management API: Add JSON Schema support for data types and content types by @Migaroez in umbraco/Umbraco-CMS#21771
* Media Picker: Add Cards/Table view switcher (closes #22005) by @madsrasmussen in umbraco/Umbraco-CMS#22138
* Management API: Add document patch endpoint by @Migaroez in umbraco/Umbraco-CMS#22104
* Website Rendering: Add configurable output caching for template rendered pages by @AndyButland in umbraco/Umbraco-CMS#22338
* Basic Authentication: Standalone login page for frontend-only deployments (closes #22144) by @AndyButland in umbraco/Umbraco-CMS#22168
* Icons: extends icon data + improved search by @nielslyngsoe in umbraco/Umbraco-CMS#22436
* Members: Add lightweight external-only members (closes #12741) by @AndyButland in umbraco/Umbraco-CMS#22162
* Cache: Add deferred content type rebuild mode with de-duplication by @AndyButland in umbraco/Umbraco-CMS#22194

### 💥 Breaking Changes

* Application URL: Add `ApplicationUrlDetection` setting to control application URL auto-detection by @AndyButland in umbraco/Umbraco-CMS#22307

### 📦 Dependencies

* Bump lodash from 4.17.23 to 4.18.1 in /src/Umbraco.Web.UI.Login by @dependabot[bot] in umbraco/Umbraco-CMS#22334
* Dependencies: Update minor and patch versions by @AndyButland in umbraco/Umbraco-CMS#22498
* Update npm dependencies for v17.4.0-rc by @NguyenThuyLan in umbraco/Umbraco-CMS#22464
* Bump the npm_and_yarn group across 3 directories with 4 updates by @dependabot[bot] in umbraco/Umbraco-CMS#22537
* Dependencies: Update Microsoft packages to latest patch and fix HybridCache ParseFault with Redis by @AndyButland in umbraco/Umbraco-CMS#22278
* Dependencies: Pin `System.Security.Cryptography.Xml` to resolve vulnerability warning by @AndyButland in umbraco/Umbraco-CMS#22514

### 🚤 Performance

* Performance: Batch backoffice media thumbnail URL requests to reduce N+1 API calls by @AndyButland in umbraco/Umbraco-CMS#22329
* Performance: Optimize `FullDataSetRepositoryCachePolicy` usage across all repositories by @AndyButland in umbraco/Umbraco-CMS#22264
* Performance: Optimize `ContentTypeRepository` deep-clone on cache reads (closes #22250) by @AndyButland in umbraco/Umbraco-CMS#22263
* Performance: Use `GeneratedRegex` instead of generating at runtime in string extensions by @Henr1k80 in umbraco/Umbraco-CMS#22534
* Performance: Avoid allocating a string if `_publishedContentCache` has a cached version in `MediaCacheService` by @Henr1k80 in umbraco/Umbraco-CMS#22535
* Performance: Micro-optimisation in `UdiParser` (eliminate closure, fix naming & formatting of exceptions) by @Henr1k80 in umbraco/Umbraco-CMS#22506
* Micro-optimization: Use Array.ConvertAll instead of LINQ .Select .ToArray by @Henr1k80 in umbraco/Umbraco-CMS#20292
* Entity Service: Batch GetAllPaths queries to avoid SQL Server parameter limit (closes #22470) by @AndyButland in umbraco/Umbraco-CMS#22471
* Document URL Service: Batch delete of obsolete URL segment records to avoid SQL Server parameter limit (closes #22339) by @AndyButland in umbraco/Umbraco-CMS#22340
* Content Version Cleanup: Optimize for large datasets (closes #22224) by @AndyButland in umbraco/Umbraco-CMS#22239
* Migrations: Optimise sortable value population for date properties by @AndyButland in umbraco/Umbraco-CMS#22547
* Migrations: Fix potential `OptimizeInvariantUrlRecords` timeout on SQL Server (closes #22377) by @AndyButland in umbraco/Umbraco-CMS#22382
* Umb-icon color setting optimization by @nielslyngsoe in umbraco/Umbraco-CMS#22433

### 🌈 Accessibility Improvements

* Accessibility: Fix missing labels on uui-select elements causing console warnings by @andreaslborg in
umbraco/Umbraco-CMS#22385 * Accessibility: Include visible initials in name displayed on account menu button (closes #21942) by @andreaslborg in umbraco/Umbraco-CMS#22117 ... (truncated) ## 17.3.5 ## What's Changed ### 🐛 Bug Fixes * Revert fix for making block editors read-only in trashed documents which causes a regression in certain multi-lingual block editing scenarios (closes #22472, re-opens #21982) by @nielslyngsoe in umbraco/Umbraco-CMS#22656 **Full Changelog**: umbraco/Umbraco-CMS@release-17.3.4...release-17.3.5 Commits viewable in [compare view](umbraco/Umbraco-CMS@release-17.3.4...release-17.4.0). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
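The Host-header behaviour described in the 17.4.0-rc upgrade notes above, modelled as an added example; it is not Umbraco's code and not part of the quoted release notes. The names `autoDetect` and `trustedHosts`, the `/reset-password` path and the hostnames are hypothetical, and the trusted-host list is an assumption standing in for a proxy that validates the Host header.

```typescript
// Added illustration (not Umbraco source). Every name below is hypothetical;
// it models the behaviour change described in the upgrade notes.
interface UrlSettings {
  configuredUrl?: string; // explicit application URL set by the operator
  autoDetect: boolean; // opt-in: allow deriving the URL from the Host header
  trustedHosts: string[]; // assumption: hosts this deployment legitimately serves
}

// Old default as the notes describe it: the request's Host header wins.
function legacyApplicationUrl(hostHeader: string): string {
  return `https://${hostHeader}`;
}

// Hardened model: explicit configuration first, detection only when opted in,
// and even then only for a host on the trusted list.
function resolveApplicationUrl(s: UrlSettings, hostHeader?: string): string | null {
  if (s.configuredUrl) {
    return s.configuredUrl.replace(/\/+$/, ""); // drop trailing slashes
  }
  if (!s.autoDetect || !hostHeader) {
    return null;
  }
  const host = hostHeader.trim().toLowerCase();
  const trusted = s.trustedHosts.map((h) => h.toLowerCase());
  return trusted.indexOf(host) !== -1 ? `https://${host}` : null;
}

// A reset link is only built when a trusted base URL exists.
function buildResetLink(baseUrl: string | null, token: string): string | null {
  if (baseUrl === null) {
    return null;
  }
  return `${baseUrl}/reset-password?token=${encodeURIComponent(token)}`;
}

// Compare both models for one constructed request with no configured URL.
function demo(hostHeader: string): { legacy: string | null; hardened: string | null } {
  const optedOut: UrlSettings = { autoDetect: false, trustedHosts: [] };
  return {
    legacy: buildResetLink(legacyApplicationUrl(hostHeader), "tok"),
    hardened: buildResetLink(resolveApplicationUrl(optedOut, hostHeader), "tok"),
  };
}
```

With a constructed forged host, `demo` returns a link on that host under the legacy model and `null` under the hardened one, so no email is sent until an application URL is configured or detection is explicitly enabled.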
Description
Summary
Update development dependencies to their latest compatible versions, including both minor/patch updates and major version bumps where appropriate.
Changes
Major version bumps:
Minor/patch updates:
Testing
* `npm run build` passes
* `npm run dev` — backoffice UI loads correctly