Dependencies: Pin System.Security.Cryptography.Xml to resolve vulnerability warning#22514
Merged
AndyButland merged 1 commit intoApr 17, 2026
Conversation
…tography.Xml to ensure we don't depend on a vulnerable version.
|
Claude finished @AndyButland's task in 1m 1s —— View job PR ReviewTarget: Pins
No Critical, Important, or Suggestion findings. The change:
ApprovedThis looks good to be merged as-is, but please do a manual sanity check and testing before merging. |
Contributor
There was a problem hiding this comment.
Pull request overview
Pins a vulnerable transitive dependency to eliminate NU1903 vulnerability warnings during restore/build, following the repo’s established “transitive pinned versions” pattern.
Changes:
- Add a central transitive pin for
System.Security.Cryptography.Xmlto10.0.6. - Document why the pin exists and add a TODO to remove it when upstream dependencies are updated.
AndyButland
changed the title
System.Security.Cryptography.Xml to resolve vulnerability warning
NillasKA
approved these changes
Apr 17, 2026
Contributor
NillasKA
left a comment
NillasKA
left a comment
There was a problem hiding this comment.
LGTM.
Unsure when you want this in the build so i will leave you to do the labels.
Contributor
Author
|
Thanks @NillasKA, I'll do that. This can go in 17.4. |
AndyButland
deleted the
v17/security/resolve-system.security.cryptography.xml-warning
branch
This was referenced May 15, 2026
Merged
Merged
Merged
alexsee
pushed a commit
to alexsee/umbraco-container
that referenced
this pull request
May 21, 2026
Updated [Umbraco.Cms](https://github.com/umbraco/Umbraco-CMS) from 17.3.4 to 17.4.0. <details> <summary>Release notes</summary> _Sourced from [Umbraco.Cms's releases](https://github.com/umbraco/Umbraco-CMS/releases)._ ## 17.4.0 ## Upgrade Notes Be aware of a change to behaviour for detecting the Umbraco application URL. Previously, `ApplicationMainUrl` was automatically set from the Host header of incoming HTTP requests. In environments where Umbraco is not behind a reverse proxy that validates the Host header, this could allow a forged Host header to overwrite the URL used in password reset links, user invitations, and other email notifications. While this is normally mitigated by proper hosting configuration and setting `UmbracoApplicationUrl` explicitly, we felt that the auto-detection behaviour should be hardened up and become an opt-in rather than the default. You can read more about this under "Breaking Changes" below, the [linked PR](umbraco/Umbraco-CMS#22307) and the [documentation](https://docs.umbraco.com/umbraco-cms/reference/configuration/webroutingsettings#application-url-detection). There are a few updates related to performance in this release that are worth investigating for larger sites. Using output cache in your projects, with intelligent and customisable detection of page invalidation, is now a [configuration option for templated websites](https://docs.umbraco.com/umbraco-cms/reference/website-output-caching), with extension points also [applied for the Delivery API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api/output-caching). We have optimised content cache rebuild after schema updates, with an option for [deferred rebuild in the background](https://docs.umbraco.com/umbraco-cms/reference/configuration/cache-settings#contenttyperebuildmode). If considering a project with significant expected concurrency for member login and registration, and you prefer to use an external service for member management, the new option for [lightweight external members](https://docs.umbraco.com/umbraco-cms/reference/security/lightweight-external-members) will be worth reviewing. If working with AI tools such as Umbraco MCP, additions to management API endpoints that expose JSON schema for data types and allow for patch updates of specific properties, should improve accuracy and reliability. As usual please find the full list of PRs that have contributed to Umbraco 17.4 as follows. ## What's Changed Since 17.4.0-rc3 **Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc3...release-17.4.0 ## What's Changed Since 17.4.0-r2 ### 📦 Dependencies * Bump @umbraco-ui/uui to 1.17.3 by @iOvergaard in umbraco/Umbraco-CMS#22753 ### 🔒 Security * Backoffice: Add `localize.htmlString()` helper to prevent XSS in HTML-rendered translations by @iOvergaard in umbraco/Umbraco-CMS#22731 ### 🐛 Bug Fixes * Auth: Un-deprecate getLatestToken and route per-request fetches through it by @iOvergaard in umbraco/Umbraco-CMS#22736 * Color Picker: Refresh stored label when data type label changes (closes #22741) by @AndyButland in umbraco/Umbraco-CMS#22761 * Published Content: Fix Fallback.ToAncestors with no match throwing exception at property level (closes #22759) by @AndyButland in umbraco/Umbraco-CMS#22763 **Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc2...release-17.4.0-rc3 ## What's Changed Since 17.4.0-rc ### 🐛 Bug Fixes * Block permissions: Correction of read-only inheritance and language access (closes #22472, #21973) by @nielslyngsoe in umbraco/Umbraco-CMS#22522 * Redirect Tracker: Prevent creation of redirects from unrouteable URLs (closes #22652, #22256) by @AndyButland in umbraco/Umbraco-CMS#22657 * [Blueprints: Fix intermittent blank workspace when creating documents from blueprints (closes #21996)](umbraco/Umbraco-CMS#22422 (comment)) by @AndyButland in umbraco/Umbraco-CMS#22422 **Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc...release-17.4.0-rc2 ## What's Changed Since the Previous Version (17.3.5) ### 🙌 Notable Changes * Management API: Add JSON Schema support for data types and content types by @Migaroez in umbraco/Umbraco-CMS#21771 * Media Picker: Add Cards/Table view switcher (closes #22005) by @madsrasmussen in umbraco/Umbraco-CMS#22138 * Management API: Add document patch endpoint by @Migaroez in umbraco/Umbraco-CMS#22104 * Website Rendering: Add configurable output caching for template rendered pages by @AndyButland in umbraco/Umbraco-CMS#22338 * Basic Authentication: Standalone login page for frontend-only deployments (closes #22144) by @AndyButland in umbraco/Umbraco-CMS#22168 ... (truncated) ## 17.4.0-rc3 ## Upgrade Notes Be aware of a change to behaviour for detecting the Umbraco application URL. Previously, `ApplicationMainUrl` was automatically set from the Host header of incoming HTTP requests. In environments where Umbraco is not behind a reverse proxy that validates the Host header, this could allow a forged Host header to overwrite the URL used in password reset links, user invitations, and other email notifications. While this is normally mitigated by proper hosting configuration and setting `UmbracoApplicationUrl` explicitly, we felt that the auto-detection behaviour should be hardened up and become an opt-in rather than the default. You can read more about this under "Breaking Changes" below, the [linked PR](umbraco/Umbraco-CMS#22307) and the [documentation](https://docs.umbraco.com/umbraco-cms/reference/configuration/webroutingsettings#application-url-detection). There are a few updates related to performance in this release that are worth investigating for larger sites. Using output cache in your projects, with intelligent and customisable detection of page invalidation, is now a [configuration option for templated websites](https://docs.umbraco.com/umbraco-cms/reference/website-output-caching), with extension points also [applied for the Delivery API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api/output-caching). We have optimised content cache rebuild after schema updates, with an option for [deferred rebuild in the background](https://docs.umbraco.com/umbraco-cms/reference/configuration/cache-settings#contenttyperebuildmode). If considering a project with significant expected concurrency for member login and registration, and you prefer to use an external service for member management, the new option for [lightweight external members](https://docs.umbraco.com/umbraco-cms/reference/security/lightweight-external-members) will be worth reviewing. If working with AI tools such as Umbraco MCP, additions to management API endpoints that expose JSON schema for data types and allow for patch updates of specific properties, should improve accuracy and reliability. As usual please find the full list of PRs that have contributed to Umbraco 17.4 as follows. ## What's Changed Since 17.4.0-r2 ### 📦 Dependencies * Bump @umbraco-ui/uui to 1.17.3 by @iOvergaard in umbraco/Umbraco-CMS#22753 ### 🔒 Security * Backoffice: Add `localize.htmlString()` helper to prevent XSS in HTML-rendered translations by @iOvergaard in umbraco/Umbraco-CMS#22731 ### 🐛 Bug Fixes * Auth: Un-deprecate getLatestToken and route per-request fetches through it by @iOvergaard in umbraco/Umbraco-CMS#22736 * Color Picker: Refresh stored label when data type label changes (closes #22741) by @AndyButland in umbraco/Umbraco-CMS#22761 * Published Content: Fix Fallback.ToAncestors with no match throwing exception at property level (closes #22759) by @AndyButland in umbraco/Umbraco-CMS#22763 **Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc2...release-17.4.0-rc3 ## What's Changed Since 17.4.0-rc ### 🐛 Bug Fixes * Block permissions: Correction of read-only inheritance and language access (closes #22472, #21973) by @nielslyngsoe in umbraco/Umbraco-CMS#22522 * Redirect Tracker: Prevent creation of redirects from unrouteable URLs (closes #22652, #22256) by @AndyButland in umbraco/Umbraco-CMS#22657 * [Blueprints: Fix intermittent blank workspace when creating documents from blueprints (closes #21996)](umbraco/Umbraco-CMS#22422 (comment)) by @AndyButland in umbraco/Umbraco-CMS#22422 **Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc...release-17.4.0-rc2 ## What's Changed Since the Previous Version (17.3.5) ### 🙌 Notable Changes * Management API: Add JSON Schema support for data types and content types by @Migaroez in umbraco/Umbraco-CMS#21771 * Media Picker: Add Cards/Table view switcher (closes #22005) by @madsrasmussen in umbraco/Umbraco-CMS#22138 * Management API: Add document patch endpoint by @Migaroez in umbraco/Umbraco-CMS#22104 * Website Rendering: Add configurable output caching for template rendered pages by @AndyButland in umbraco/Umbraco-CMS#22338 * Basic Authentication: Standalone login page for frontend-only deployments (closes #22144) by @AndyButland in umbraco/Umbraco-CMS#22168 * Icons: extends icon data + improved search by @nielslyngsoe in umbraco/Umbraco-CMS#22436 * Members: Add lightweight external-only members (closes #12741) by @AndyButland in umbraco/Umbraco-CMS#22162 * Cache: Add deferred content type rebuild mode with de-duplication by @AndyButland in umbraco/Umbraco-CMS#22194 ... (truncated) ## 17.4.0-rc2 ## Upgrade Notes Be aware of a change to behaviour for detecting the Umbraco application URL. Previously, `ApplicationMainUrl` was automatically set from the Host header of incoming HTTP requests. In environments where Umbraco is not behind a reverse proxy that validates the Host header, this could allow a forged Host header to overwrite the URL used in password reset links, user invitations, and other email notifications. While this is normally mitigated by proper hosting configuration and setting `UmbracoApplicationUrl` explicitly, we felt that the auto-detection behaviour should be hardened up and become an opt-in rather than the default. You can read more about this under "Breaking Changes" below, the [linked PR](umbraco/Umbraco-CMS#22307) and the [documentation](https://docs.umbraco.com/umbraco-cms/reference/configuration/webroutingsettings#application-url-detection). There are a few updates related to performance in this release that are worth investigating for larger sites. Using output cache in your projects, with intelligent and customisable detection of page invalidation, is now a [configuration option for templated websites](https://docs.umbraco.com/umbraco-cms/reference/website-output-caching), with extension points also [applied for the Delivery API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api/output-caching). We have optimised content cache rebuild after schema updates, with an option for [deferred rebuild in the background](https://docs.umbraco.com/umbraco-cms/reference/configuration/cache-settings#contenttyperebuildmode). If considering a project with significant expected concurrency for member login and registration, and you prefer to use an external service for member management, the new option for [lightweight external members](https://docs.umbraco.com/umbraco-cms/reference/security/lightweight-external-members) will be worth reviewing. If working with AI tools such as Umbraco MCP, additions to management API endpoints that expose JSON schema for data types and allow for patch updates of specific properties, should improve accuracy and reliability. As usual please find the full list of PRs that have contributed to Umbraco 17.4 as follows. ## What's Changed Since 17.4.0-rc ### 🐛 Bug Fixes * Block permissions: Correction of read-only inheritance and language access (closes #22472, #21973) by @nielslyngsoe in umbraco/Umbraco-CMS#22522 * Redirect Tracker: Prevent creation of redirects from unrouteable URLs (closes #22652, #22256) by @AndyButland in umbraco/Umbraco-CMS#22657 * [Blueprints: Fix intermittent blank workspace when creating documents from blueprints (closes #21996)](umbraco/Umbraco-CMS#22422 (comment)) by @AndyButland in umbraco/Umbraco-CMS#22422 **Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc...release-17.4.0-rc2 ## What's Changed Since the Previous Version (17.3.5) ### 🙌 Notable Changes * Management API: Add JSON Schema support for data types and content types by @Migaroez in umbraco/Umbraco-CMS#21771 * Media Picker: Add Cards/Table view switcher (closes #22005) by @madsrasmussen in umbraco/Umbraco-CMS#22138 * Management API: Add document patch endpoint by @Migaroez in umbraco/Umbraco-CMS#22104 * Website Rendering: Add configurable output caching for template rendered pages by @AndyButland in umbraco/Umbraco-CMS#22338 * Basic Authentication: Standalone login page for frontend-only deployments (closes #22144) by @AndyButland in umbraco/Umbraco-CMS#22168 * Icons: extends icon data + improved search by @nielslyngsoe in umbraco/Umbraco-CMS#22436 * Members: Add lightweight external-only members (closes #12741) by @AndyButland in umbraco/Umbraco-CMS#22162 * Cache: Add deferred content type rebuild mode with de-duplication by @AndyButland in umbraco/Umbraco-CMS#22194 ### 💥 Breaking Changes * Application URL: Add `ApplicationUrlDetection` setting to control application URL auto-detection by @AndyButland in umbraco/Umbraco-CMS#22307 ### 📦 Dependencies * Bump lodash from 4.17.23 to 4.18.1 in /src/Umbraco.Web.UI.Login by @dependabot[bot] in umbraco/Umbraco-CMS#22334 * Dependencies: Update minor and patch versions by @AndyButland in umbraco/Umbraco-CMS#22498 * Update npm dependencies for v17.4.0-rc by @NguyenThuyLan in umbraco/Umbraco-CMS#22464 * Bump the npm_and_yarn group across 3 directories with 4 updates by @dependabot[bot] in umbraco/Umbraco-CMS#22537 * Dependencies: Update Microsoft packages to latest patch and fix HybridCache ParseFault with Redis by @AndyButland in umbraco/Umbraco-CMS#22278 * Dependencies: Pin `System.Security.Cryptography.Xml` to resolve vulnerability warning by @AndyButland in umbraco/Umbraco-CMS#22514 ### 🚤 Performance * Performance: Batch backoffice media thumbnail URL requests to reduce N+1 API calls by @AndyButland in umbraco/Umbraco-CMS#22329 * Performance: Optimize `FullDataSetRepositoryCachePolicy` usage across all repositories by @AndyButland in umbraco/Umbraco-CMS#22264 * Performance: Optimize `ContentTypeRepository` deep-clone on cache reads (closes #22250) by @AndyButland in umbraco/Umbraco-CMS#22263 * Performance: Use `GeneratedRegex` instead of generating at runtime in string extensions by @Henr1k80 in umbraco/Umbraco-CMS#22534 * Performance: Avoid allocating a string if `_publishedContentCache` has a cached version in `MediaCacheService` by @Henr1k80 in umbraco/Umbraco-CMS#22535 * Performance: Micro-optimisation in `UdiParser` (eliminate closure, fix naming & formatting of exceptions) by @Henr1k80 in umbraco/Umbraco-CMS#22506 ... (truncated) ## 17.4.0-rc ## Upgrade Notes Be aware of a change to behaviour for detecting the Umbraco application URL. Previously, `ApplicationMainUrl` was automatically set from the Host header of incoming HTTP requests. In environments where Umbraco is not behind a reverse proxy that validates the Host header, this could allow a forged Host header to overwrite the URL used in password reset links, user invitations, and other email notifications. While this is normally mitigated by proper hosting configuration and setting `UmbracoApplicationUrl` explicitly, we felt that the auto-detection behaviour should be hardened up and become an opt-in rather than the default. You can read more about this under "Breaking Changes" below, the [linked PR](umbraco/Umbraco-CMS#22307) and the [documentation](https://docs.umbraco.com/umbraco-cms/reference/configuration/webroutingsettings#application-url-detection). There are a few updates related to performance in this release that are worth investigating for larger sites. Using output cache in your projects, with intelligent and customisable detection of page invalidation, is now a [configuration option for templated websites](https://docs.umbraco.com/umbraco-cms/reference/website-output-caching), with extension points also [applied for the Delivery API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api/output-caching). We have optimised content cache rebuild after schema updates, with an option for [deferred rebuild in the background](https://docs.umbraco.com/umbraco-cms/reference/configuration/cache-settings#contenttyperebuildmode). If considering a project with significant expected concurrency for member login and registration, and you prefer to use an external service for member management, the new option for [lightweight external members](https://docs.umbraco.com/umbraco-cms/reference/security/lightweight-external-members) will be worth reviewing. If working with AI tools such as Umbraco MCP, additions to management API endpoints that expose JSON schema for data types and allow for patch updates of specific properties, should improve accuracy and reliability. As usual please find the full list of PRs that have contributed to Umbraco 17.4 as follows. ## What's Changed ### 🙌 Notable Changes * Management API: Add JSON Schema support for data types and content types by @Migaroez in umbraco/Umbraco-CMS#21771 * Media Picker: Add Cards/Table view switcher (closes #22005) by @madsrasmussen in umbraco/Umbraco-CMS#22138 * Management API: Add document patch endpoint by @Migaroez in umbraco/Umbraco-CMS#22104 * Website Rendering: Add configurable output caching for template rendered pages by @AndyButland in umbraco/Umbraco-CMS#22338 * Basic Authentication: Standalone login page for frontend-only deployments (closes #22144) by @AndyButland in umbraco/Umbraco-CMS#22168 * Icons: extends icon data + improved search by @nielslyngsoe in umbraco/Umbraco-CMS#22436 * Members: Add lightweight external-only members (closes #12741) by @AndyButland in umbraco/Umbraco-CMS#22162 * Cache: Add deferred content type rebuild mode with de-duplication by @AndyButland in umbraco/Umbraco-CMS#22194 ### 💥 Breaking Changes * Application URL: Add `ApplicationUrlDetection` setting to control application URL auto-detection by @AndyButland in umbraco/Umbraco-CMS#22307 ### 📦 Dependencies * Bump lodash from 4.17.23 to 4.18.1 in /src/Umbraco.Web.UI.Login by @dependabot[bot] in umbraco/Umbraco-CMS#22334 * Dependencies: Update minor and patch versions by @AndyButland in umbraco/Umbraco-CMS#22498 * Update npm dependencies for v17.4.0-rc by @NguyenThuyLan in umbraco/Umbraco-CMS#22464 * Bump the npm_and_yarn group across 3 directories with 4 updates by @dependabot[bot] in umbraco/Umbraco-CMS#22537 * Dependencies: Update Microsoft packages to latest patch and fix HybridCache ParseFault with Redis by @AndyButland in umbraco/Umbraco-CMS#22278 * Dependencies: Pin `System.Security.Cryptography.Xml` to resolve vulnerability warning by @AndyButland in umbraco/Umbraco-CMS#22514 ### 🚤 Performance * Performance: Batch backoffice media thumbnail URL requests to reduce N+1 API calls by @AndyButland in umbraco/Umbraco-CMS#22329 * Performance: Optimize `FullDataSetRepositoryCachePolicy` usage across all repositories by @AndyButland in umbraco/Umbraco-CMS#22264 * Performance: Optimize `ContentTypeRepository` deep-clone on cache reads (closes #22250) by @AndyButland in umbraco/Umbraco-CMS#22263 * Performance: Use `GeneratedRegex` instead of generating at runtime in string extensions by @Henr1k80 in umbraco/Umbraco-CMS#22534 * Performance: Avoid allocating a string if `_publishedContentCache` has a cached version in `MediaCacheService` by @Henr1k80 in umbraco/Umbraco-CMS#22535 * Performance: Micro-optimisation in `UdiParser` (eliminate closure, fix naming & formatting of exceptions) by @Henr1k80 in umbraco/Umbraco-CMS#22506 * Micro-optimization: Use Array.ConvertAll instead of LINQ .Select .ToArray by @Henr1k80 in umbraco/Umbraco-CMS#20292 * Entity Service: Batch GetAllPaths queries to avoid SQL Server parameter limit (closes #22470) by @AndyButland in umbraco/Umbraco-CMS#22471 * Document URL Service: Batch delete of obsolete URL segment records to avoid SQL Server parameter limit (closes #22339) by @AndyButland in umbraco/Umbraco-CMS#22340 * Content Version Cleanup: Optimize for large datasets (closes #22224) by @AndyButland in umbraco/Umbraco-CMS#22239 * Migrations: Optimise sortable value population for date properties by @AndyButland in umbraco/Umbraco-CMS#22547 * Migrations: Fix potential `OptimizeInvariantUrlRecords` timeout on SQL Server (closes #22377) by @AndyButland in umbraco/Umbraco-CMS#22382 * Umb-icon color setting optimization by @nielslyngsoe in umbraco/Umbraco-CMS#22433 ### 🌈 Accessibility Improvements * Accessibility: Fix missing labels on uui-select elements causing console warnings by @andreaslborg in umbraco/Umbraco-CMS#22385 * Accessibility: Include visible initials in name displayed on account menu button (closes #21942) by @andreaslborg in umbraco/Umbraco-CMS#22117 ... (truncated) ## 17.3.5 ## What's Changed ### 🐛 Bug Fixes * Revert fix for making block editors read-only in trashed documents which causes a regression in certain multi-lingual block editing scenarios (closes #22472, re-opens #21982) by @nielslyngsoe in umbraco/Umbraco-CMS#22656 **Full Changelog**: umbraco/Umbraco-CMS@release-17.3.4...release-17.3.5 Commits viewable in [compare view](umbraco/Umbraco-CMS@release-17.3.4...release-17.4.0). </details> Updated [Umbraco.Cms.Persistence.Sqlite](https://github.com/umbraco/Umbraco-CMS) from 17.3.4 to 17.4.0. <details> <summary>Release notes</summary> _Sourced from [Umbraco.Cms.Persistence.Sqlite's releases](https://github.com/umbraco/Umbraco-CMS/releases)._ ## 17.4.0 ## Upgrade Notes Be aware of a change to behaviour for detecting the Umbraco application URL. Previously, `ApplicationMainUrl` was automatically set from the Host header of incoming HTTP requests. In environments where Umbraco is not behind a reverse proxy that validates the Host header, this could allow a forged Host header to overwrite the URL used in password reset links, user invitations, and other email notifications. While this is normally mitigated by proper hosting configuration and setting `UmbracoApplicationUrl` explicitly, we felt that the auto-detection behaviour should be hardened up and become an opt-in rather than the default. You can read more about this under "Breaking Changes" below, the [linked PR](umbraco/Umbraco-CMS#22307) and the [documentation](https://docs.umbraco.com/umbraco-cms/reference/configuration/webroutingsettings#application-url-detection). There are a few updates related to performance in this release that are worth investigating for larger sites. Using output cache in your projects, with intelligent and customisable detection of page invalidation, is now a [configuration option for templated websites](https://docs.umbraco.com/umbraco-cms/reference/website-output-caching), with extension points also [applied for the Delivery API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api/output-caching). We have optimised content cache rebuild after schema updates, with an option for [deferred rebuild in the background](https://docs.umbraco.com/umbraco-cms/reference/configuration/cache-settings#contenttyperebuildmode). If considering a project with significant expected concurrency for member login and registration, and you prefer to use an external service for member management, the new option for [lightweight external members](https://docs.umbraco.com/umbraco-cms/reference/security/lightweight-external-members) will be worth reviewing. If working with AI tools such as Umbraco MCP, additions to management API endpoints that expose JSON schema for data types and allow for patch updates of specific properties, should improve accuracy and reliability. As usual please find the full list of PRs that have contributed to Umbraco 17.4 as follows. ## What's Changed Since 17.4.0-rc3 **Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc3...release-17.4.0 ## What's Changed Since 17.4.0-r2 ### 📦 Dependencies * Bump @umbraco-ui/uui to 1.17.3 by @iOvergaard in umbraco/Umbraco-CMS#22753 ### 🔒 Security * Backoffice: Add `localize.htmlString()` helper to prevent XSS in HTML-rendered translations by @iOvergaard in umbraco/Umbraco-CMS#22731 ### 🐛 Bug Fixes * Auth: Un-deprecate getLatestToken and route per-request fetches through it by @iOvergaard in umbraco/Umbraco-CMS#22736 * Color Picker: Refresh stored label when data type label changes (closes #22741) by @AndyButland in umbraco/Umbraco-CMS#22761 * Published Content: Fix Fallback.ToAncestors with no match throwing exception at property level (closes #22759) by @AndyButland in umbraco/Umbraco-CMS#22763 **Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc2...release-17.4.0-rc3 ## What's Changed Since 17.4.0-rc ### 🐛 Bug Fixes * Block permissions: Correction of read-only inheritance and language access (closes #22472, #21973) by @nielslyngsoe in umbraco/Umbraco-CMS#22522 * Redirect Tracker: Prevent creation of redirects from unrouteable URLs (closes #22652, #22256) by @AndyButland in umbraco/Umbraco-CMS#22657 * [Blueprints: Fix intermittent blank workspace when creating documents from blueprints (closes #21996)](umbraco/Umbraco-CMS#22422 (comment)) by @AndyButland in umbraco/Umbraco-CMS#22422 **Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc...release-17.4.0-rc2 ## What's Changed Since the Previous Version (17.3.5) ### 🙌 Notable Changes * Management API: Add JSON Schema support for data types and content types by @Migaroez in umbraco/Umbraco-CMS#21771 * Media Picker: Add Cards/Table view switcher (closes #22005) by @madsrasmussen in umbraco/Umbraco-CMS#22138 * Management API: Add document patch endpoint by @Migaroez in umbraco/Umbraco-CMS#22104 * Website Rendering: Add configurable output caching for template rendered pages by @AndyButland in umbraco/Umbraco-CMS#22338 * Basic Authentication: Standalone login page for frontend-only deployments (closes #22144) by @AndyButland in umbraco/Umbraco-CMS#22168 ... (truncated) ## 17.4.0-rc3 ## Upgrade Notes Be aware of a change to behaviour for detecting the Umbraco application URL. Previously, `ApplicationMainUrl` was automatically set from the Host header of incoming HTTP requests. In environments where Umbraco is not behind a reverse proxy that validates the Host header, this could allow a forged Host header to overwrite the URL used in password reset links, user invitations, and other email notifications. While this is normally mitigated by proper hosting configuration and setting `UmbracoApplicationUrl` explicitly, we felt that the auto-detection behaviour should be hardened up and become an opt-in rather than the default. You can read more about this under "Breaking Changes" below, the [linked PR](umbraco/Umbraco-CMS#22307) and the [documentation](https://docs.umbraco.com/umbraco-cms/reference/configuration/webroutingsettings#application-url-detection). There are a few updates related to performance in this release that are worth investigating for larger sites. Using output cache in your projects, with intelligent and customisable detection of page invalidation, is now a [configuration option for templated websites](https://docs.umbraco.com/umbraco-cms/reference/website-output-caching), with extension points also [applied for the Delivery API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api/output-caching). We have optimised content cache rebuild after schema updates, with an option for [deferred rebuild in the background](https://docs.umbraco.com/umbraco-cms/reference/configuration/cache-settings#contenttyperebuildmode). If considering a project with significant expected concurrency for member login and registration, and you prefer to use an external service for member management, the new option for [lightweight external members](https://docs.umbraco.com/umbraco-cms/reference/security/lightweight-external-members) will be worth reviewing. If working with AI tools such as Umbraco MCP, additions to management API endpoints that expose JSON schema for data types and allow for patch updates of specific properties, should improve accuracy and reliability. As usual please find the full list of PRs that have contributed to Umbraco 17.4 as follows. ## What's Changed Since 17.4.0-r2 ### 📦 Dependencies * Bump @umbraco-ui/uui to 1.17.3 by @iOvergaard in umbraco/Umbraco-CMS#22753 ### 🔒 Security * Backoffice: Add `localize.htmlString()` helper to prevent XSS in HTML-rendered translations by @iOvergaard in umbraco/Umbraco-CMS#22731 ### 🐛 Bug Fixes * Auth: Un-deprecate getLatestToken and route per-request fetches through it by @iOvergaard in umbraco/Umbraco-CMS#22736 * Color Picker: Refresh stored label when data type label changes (closes #22741) by @AndyButland in umbraco/Umbraco-CMS#22761 * Published Content: Fix Fallback.ToAncestors with no match throwing exception at property level (closes #22759) by @AndyButland in umbraco/Umbraco-CMS#22763 **Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc2...release-17.4.0-rc3 ## What's Changed Since 17.4.0-rc ### 🐛 Bug Fixes * Block permissions: Correction of read-only inheritance and language access (closes #22472, #21973) by @nielslyngsoe in umbraco/Umbraco-CMS#22522 * Redirect Tracker: Prevent creation of redirects from unrouteable URLs (closes #22652, #22256) by @AndyButland in umbraco/Umbraco-CMS#22657 * [Blueprints: Fix intermittent blank workspace when creating documents from blueprints (closes #21996)](umbraco/Umbraco-CMS#22422 (comment)) by @AndyButland in umbraco/Umbraco-CMS#22422 **Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc...release-17.4.0-rc2 ## What's Changed Since the Previous Version (17.3.5) ### 🙌 Notable Changes * Management API: Add JSON Schema support for data types and content types by @Migaroez in umbraco/Umbraco-CMS#21771 * Media Picker: Add Cards/Table view switcher (closes #22005) by @madsrasmussen in umbraco/Umbraco-CMS#22138 * Management API: Add document patch endpoint by @Migaroez in umbraco/Umbraco-CMS#22104 * Website Rendering: Add configurable output caching for template rendered pages by @AndyButland in umbraco/Umbraco-CMS#22338 * Basic Authentication: Standalone login page for frontend-only deployments (closes #22144) by @AndyButland in umbraco/Umbraco-CMS#22168 * Icons: extends icon data + improved search by @nielslyngsoe in umbraco/Umbraco-CMS#22436 * Members: Add lightweight external-only members (closes #12741) by @AndyButland in umbraco/Umbraco-CMS#22162 * Cache: Add deferred content type rebuild mode with de-duplication by @AndyButland in umbraco/Umbraco-CMS#22194 ... (truncated) ## 17.4.0-rc2 ## Upgrade Notes Be aware of a change to behaviour for detecting the Umbraco application URL. Previously, `ApplicationMainUrl` was automatically set from the Host header of incoming HTTP requests. In environments where Umbraco is not behind a reverse proxy that validates the Host header, this could allow a forged Host header to overwrite the URL used in password reset links, user invitations, and other email notifications. While this is normally mitigated by proper hosting configuration and setting `UmbracoApplicationUrl` explicitly, we felt that the auto-detection behaviour should be hardened up and become an opt-in rather than the default. You can read more about this under "Breaking Changes" below, the [linked PR](umbraco/Umbraco-CMS#22307) and the [documentation](https://docs.umbraco.com/umbraco-cms/reference/configuration/webroutingsettings#application-url-detection). There are a few updates related to performance in this release that are worth investigating for larger sites. Using output cache in your projects, with intelligent and customisable detection of page invalidation, is now a [configuration option for templated websites](https://docs.umbraco.com/umbraco-cms/reference/website-output-caching), with extension points also [applied for the Delivery API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api/output-caching). We have optimised content cache rebuild after schema updates, with an option for [deferred rebuild in the background](https://docs.umbraco.com/umbraco-cms/reference/configuration/cache-settings#contenttyperebuildmode). If considering a project with significant expected concurrency for member login and registration, and you prefer to use an external service for member management, the new option for [lightweight external members](https://docs.umbraco.com/umbraco-cms/reference/security/lightweight-external-members) will be worth reviewing. If working with AI tools such as Umbraco MCP, additions to management API endpoints that expose JSON schema for data types and allow for patch updates of specific properties, should improve accuracy and reliability. As usual please find the full list of PRs that have contributed to Umbraco 17.4 as follows. ## What's Changed Since 17.4.0-rc ### 🐛 Bug Fixes * Block permissions: Correction of read-only inheritance and language access (closes #22472, #21973) by @nielslyngsoe in umbraco/Umbraco-CMS#22522 * Redirect Tracker: Prevent creation of redirects from unrouteable URLs (closes #22652, #22256) by @AndyButland in umbraco/Umbraco-CMS#22657 * [Blueprints: Fix intermittent blank workspace when creating documents from blueprints (closes #21996)](umbraco/Umbraco-CMS#22422 (comment)) by @AndyButland in umbraco/Umbraco-CMS#22422 **Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc...release-17.4.0-rc2 ## What's Changed Since the Previous Version (17.3.5) ### 🙌 Notable Changes * Management API: Add JSON Schema support for data types and content types by @Migaroez in umbraco/Umbraco-CMS#21771 * Media Picker: Add Cards/Table view switcher (closes #22005) by @madsrasmussen in umbraco/Umbraco-CMS#22138 * Management API: Add document patch endpoint by @Migaroez in umbraco/Umbraco-CMS#22104 * Website Rendering: Add configurable output caching for template rendered pages by @AndyButland in umbraco/Umbraco-CMS#22338 * Basic Authentication: Standalone login page for frontend-only deployments (closes #22144) by @AndyButland in umbraco/Umbraco-CMS#22168 * Icons: extends icon data + improved search by @nielslyngsoe in umbraco/Umbraco-CMS#22436 * Members: Add lightweight external-only members (closes #12741) by @AndyButland in umbraco/Umbraco-CMS#22162 * Cache: Add deferred content type rebuild mode with de-duplication by @AndyButland in umbraco/Umbraco-CMS#22194 ### 💥 Breaking Changes * Application URL: Add `ApplicationUrlDetection` setting to control application URL auto-detection by @AndyButland in umbraco/Umbraco-CMS#22307 ### 📦 Dependencies * Bump lodash from 4.17.23 to 4.18.1 in /src/Umbraco.Web.UI.Login by @dependabot[bot] in umbraco/Umbraco-CMS#22334 * Dependencies: Update minor and patch versions by @AndyButland in umbraco/Umbraco-CMS#22498 * Update npm dependencies for v17.4.0-rc by @NguyenThuyLan in umbraco/Umbraco-CMS#22464 * Bump the npm_and_yarn group across 3 directories with 4 updates by @dependabot[bot] in umbraco/Umbraco-CMS#22537 * Dependencies: Update Microsoft packages to latest patch and fix HybridCache ParseFault with Redis by @AndyButland in umbraco/Umbraco-CMS#22278 * Dependencies: Pin `System.Security.Cryptography.Xml` to resolve vulnerability warning by @AndyButland in umbraco/Umbraco-CMS#22514 ### 🚤 Performance * Performance: Batch backoffice media thumbnail URL requests to reduce N+1 API calls by @AndyButland in umbraco/Umbraco-CMS#22329 * Performance: Optimize `FullDataSetRepositoryCachePolicy` usage across all repositories by @AndyButland in umbraco/Umbraco-CMS#22264 * Performance: Optimize `ContentTypeRepository` deep-clone on cache reads (closes #22250) by @AndyButland in umbraco/Umbraco-CMS#22263 * Performance: Use `GeneratedRegex` instead of generating at runtime in string extensions by @Henr1k80 in umbraco/Umbraco-CMS#22534 * Performance: Avoid allocating a string if `_publishedContentCache` has a cached version in `MediaCacheService` by @Henr1k80 in umbraco/Umbraco-CMS#22535 * Performance: Micro-optimisation in `UdiParser` (eliminate closure, fix naming & formatting of exceptions) by @Henr1k80 in umbraco/Umbraco-CMS#22506 ... (truncated) ## 17.4.0-rc ## Upgrade Notes Be aware of a change to behaviour for detecting the Umbraco application URL. Previously, `ApplicationMainUrl` was automatically set from the Host header of incoming HTTP requests. In environments where Umbraco is not behind a reverse proxy that validates the Host header, this could allow a forged Host header to overwrite the URL used in password reset links, user invitations, and other email notifications. While this is normally mitigated by proper hosting configuration and setting `UmbracoApplicationUrl` explicitly, we felt that the auto-detection behaviour should be hardened up and become an opt-in rather than the default. You can read more about this under "Breaking Changes" below, the [linked PR](umbraco/Umbraco-CMS#22307) and the [documentation](https://docs.umbraco.com/umbraco-cms/reference/configuration/webroutingsettings#application-url-detection). There are a few updates related to performance in this release that are worth investigating for larger sites. Using output cache in your projects, with intelligent and customisable detection of page invalidation, is now a [configuration option for templated websites](https://docs.umbraco.com/umbraco-cms/reference/website-output-caching), with extension points also [applied for the Delivery API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api/output-caching). We have optimised content cache rebuild after schema updates, with an option for [deferred rebuild in the background](https://docs.umbraco.com/umbraco-cms/reference/configuration/cache-settings#contenttyperebuildmode). If considering a project with significant expected concurrency for member login and registration, and you prefer to use an external service for member management, the new option for [lightweight external members](https://docs.umbraco.com/umbraco-cms/reference/security/lightweight-external-members) will be worth reviewing. If working with AI tools such as Umbraco MCP, additions to management API endpoints that expose JSON schema for data types and allow for patch updates of specific properties, should improve accuracy and reliability. As usual please find the full list of PRs that have contributed to Umbraco 17.4 as follows. ## What's Changed ### 🙌 Notable Changes * Management API: Add JSON Schema support for data types and content types by @Migaroez in umbraco/Umbraco-CMS#21771 * Media Picker: Add Cards/Table view switcher (closes #22005) by @madsrasmussen in umbraco/Umbraco-CMS#22138 * Management API: Add document patch endpoint by @Migaroez in umbraco/Umbraco-CMS#22104 * Website Rendering: Add configurable output caching for template rendered pages by @AndyButland in umbraco/Umbraco-CMS#22338 * Basic Authentication: Standalone login page for frontend-only deployments (closes #22144) by @AndyButland in umbraco/Umbraco-CMS#22168 * Icons: extends icon data + improved search by @nielslyngsoe in umbraco/Umbraco-CMS#22436 * Members: Add lightweight external-only members (closes #12741) by @AndyButland in umbraco/Umbraco-CMS#22162 * Cache: Add deferred content type rebuild mode with de-duplication by @AndyButland in umbraco/Umbraco-CMS#22194 ### 💥 Breaking Changes * Application URL: Add `ApplicationUrlDetection` setting to control application URL auto-detection by @AndyButland in umbraco/Umbraco-CMS#22307 ### 📦 Dependencies * Bump lodash from 4.17.23 to 4.18.1 in /src/Umbraco.Web.UI.Login by @dependabot[bot] in umbraco/Umbraco-CMS#22334 * Dependencies: Update minor and patch versions by @AndyButland in umbraco/Umbraco-CMS#22498 * Update npm dependencies for v17.4.0-rc by @NguyenThuyLan in umbraco/Umbraco-CMS#22464 * Bump the npm_and_yarn group across 3 directories with 4 updates by @dependabot[bot] in umbraco/Umbraco-CMS#22537 * Dependencies: Update Microsoft packages to latest patch and fix HybridCache ParseFault with Redis by @AndyButland in umbraco/Umbraco-CMS#22278 * Dependencies: Pin `System.Security.Cryptography.Xml` to resolve vulnerability warning by @AndyButland in umbraco/Umbraco-CMS#22514 ### 🚤 Performance * Performance: Batch backoffice media thumbnail URL requests to reduce N+1 API calls by @AndyButland in umbraco/Umbraco-CMS#22329 * Performance: Optimize `FullDataSetRepositoryCachePolicy` usage across all repositories by @AndyButland in umbraco/Umbraco-CMS#22264 * Performance: Optimize `ContentTypeRepository` deep-clone on cache reads (closes #22250) by @AndyButland in umbraco/Umbraco-CMS#22263 * Performance: Use `GeneratedRegex` instead of generating at runtime in string extensions by @Henr1k80 in umbraco/Umbraco-CMS#22534 * Performance: Avoid allocating a string if `_publishedContentCache` has a cached version in `MediaCacheService` by @Henr1k80 in umbraco/Umbraco-CMS#22535 * Performance: Micro-optimisation in `UdiParser` (eliminate closure, fix naming & formatting of exceptions) by @Henr1k80 in umbraco/Umbraco-CMS#22506 * Micro-optimization: Use Array.ConvertAll instead of LINQ .Select .ToArray by @Henr1k80 in umbraco/Umbraco-CMS#20292 * Entity Service: Batch GetAllPaths queries to avoid SQL Server parameter limit (closes #22470) by @AndyButland in umbraco/Umbraco-CMS#22471 * Document URL Service: Batch delete of obsolete URL segment records to avoid SQL Server parameter limit (closes #22339) by @AndyButland in umbraco/Umbraco-CMS#22340 * Content Version Cleanup: Optimize for large datasets (closes #22224) by @AndyButland in umbraco/Umbraco-CMS#22239 * Migrations: Optimise sortable value population for date properties by @AndyButland in umbraco/Umbraco-CMS#22547 * Migrations: Fix potential `OptimizeInvariantUrlRecords` timeout on SQL Server (closes #22377) by @AndyButland in umbraco/Umbraco-CMS#22382 * Umb-icon color setting optimization by @nielslyngsoe in umbraco/Umbraco-CMS#22433 ### 🌈 Accessibility Improvements * Accessibility: Fix missing labels on uui-select elements causing console warnings by @andreaslborg in umbraco/Umbraco-CMS#22385 * Accessibility: Include visible initials in name displayed on account menu button (closes #21942) by @andreaslborg in umbraco/Umbraco-CMS#22117 ... (truncated) ## 17.3.5 ## What's Changed ### 🐛 Bug Fixes * Revert fix for making block editors read-only in trashed documents which causes a regression in certain multi-lingual block editing scenarios (closes #22472, re-opens #21982) by @nielslyngsoe in umbraco/Umbraco-CMS#22656 **Full Changelog**: umbraco/Umbraco-CMS@release-17.3.4...release-17.3.5 Commits viewable in [compare view](umbraco/Umbraco-CMS@release-17.3.4...release-17.4.0). </details> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
alexsee
pushed a commit
to alexsee/umbraco-container
that referenced
this pull request
May 21, 2026
Updated [Umbraco.Cms.DevelopmentMode.Backoffice](https://github.com/umbraco/Umbraco-CMS) from 17.3.4 to 17.4.0. <details> <summary>Release notes</summary> _Sourced from [Umbraco.Cms.DevelopmentMode.Backoffice's releases](https://github.com/umbraco/Umbraco-CMS/releases)._ ## 17.4.0 ## Upgrade Notes Be aware of a change to behaviour for detecting the Umbraco application URL. Previously, `ApplicationMainUrl` was automatically set from the Host header of incoming HTTP requests. In environments where Umbraco is not behind a reverse proxy that validates the Host header, this could allow a forged Host header to overwrite the URL used in password reset links, user invitations, and other email notifications. While this is normally mitigated by proper hosting configuration and setting `UmbracoApplicationUrl` explicitly, we felt that the auto-detection behaviour should be hardened up and become an opt-in rather than the default. You can read more about this under "Breaking Changes" below, the [linked PR](umbraco/Umbraco-CMS#22307) and the [documentation](https://docs.umbraco.com/umbraco-cms/reference/configuration/webroutingsettings#application-url-detection). There are a few updates related to performance in this release that are worth investigating for larger sites. Using output cache in your projects, with intelligent and customisable detection of page invalidation, is now a [configuration option for templated websites](https://docs.umbraco.com/umbraco-cms/reference/website-output-caching), with extension points also [applied for the Delivery API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api/output-caching). We have optimised content cache rebuild after schema updates, with an option for [deferred rebuild in the background](https://docs.umbraco.com/umbraco-cms/reference/configuration/cache-settings#contenttyperebuildmode). If considering a project with significant expected concurrency for member login and registration, and you prefer to use an external service for member management, the new option for [lightweight external members](https://docs.umbraco.com/umbraco-cms/reference/security/lightweight-external-members) will be worth reviewing. If working with AI tools such as Umbraco MCP, additions to management API endpoints that expose JSON schema for data types and allow for patch updates of specific properties, should improve accuracy and reliability. As usual please find the full list of PRs that have contributed to Umbraco 17.4 as follows. ## What's Changed Since 17.4.0-rc3 **Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc3...release-17.4.0 ## What's Changed Since 17.4.0-r2 ### 📦 Dependencies * Bump @umbraco-ui/uui to 1.17.3 by @iOvergaard in umbraco/Umbraco-CMS#22753 ### 🔒 Security * Backoffice: Add `localize.htmlString()` helper to prevent XSS in HTML-rendered translations by @iOvergaard in umbraco/Umbraco-CMS#22731 ### 🐛 Bug Fixes * Auth: Un-deprecate getLatestToken and route per-request fetches through it by @iOvergaard in umbraco/Umbraco-CMS#22736 * Color Picker: Refresh stored label when data type label changes (closes #22741) by @AndyButland in umbraco/Umbraco-CMS#22761 * Published Content: Fix Fallback.ToAncestors with no match throwing exception at property level (closes #22759) by @AndyButland in umbraco/Umbraco-CMS#22763 **Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc2...release-17.4.0-rc3 ## What's Changed Since 17.4.0-rc ### 🐛 Bug Fixes * Block permissions: Correction of read-only inheritance and language access (closes #22472, #21973) by @nielslyngsoe in umbraco/Umbraco-CMS#22522 * Redirect Tracker: Prevent creation of redirects from unrouteable URLs (closes #22652, #22256) by @AndyButland in umbraco/Umbraco-CMS#22657 * [Blueprints: Fix intermittent blank workspace when creating documents from blueprints (closes #21996)](umbraco/Umbraco-CMS#22422 (comment)) by @AndyButland in umbraco/Umbraco-CMS#22422 **Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc...release-17.4.0-rc2 ## What's Changed Since the Previous Version (17.3.5) ### 🙌 Notable Changes * Management API: Add JSON Schema support for data types and content types by @Migaroez in umbraco/Umbraco-CMS#21771 * Media Picker: Add Cards/Table view switcher (closes #22005) by @madsrasmussen in umbraco/Umbraco-CMS#22138 * Management API: Add document patch endpoint by @Migaroez in umbraco/Umbraco-CMS#22104 * Website Rendering: Add configurable output caching for template rendered pages by @AndyButland in umbraco/Umbraco-CMS#22338 * Basic Authentication: Standalone login page for frontend-only deployments (closes #22144) by @AndyButland in umbraco/Umbraco-CMS#22168 ... (truncated) ## 17.4.0-rc3 ## Upgrade Notes Be aware of a change to behaviour for detecting the Umbraco application URL. Previously, `ApplicationMainUrl` was automatically set from the Host header of incoming HTTP requests. In environments where Umbraco is not behind a reverse proxy that validates the Host header, this could allow a forged Host header to overwrite the URL used in password reset links, user invitations, and other email notifications. While this is normally mitigated by proper hosting configuration and setting `UmbracoApplicationUrl` explicitly, we felt that the auto-detection behaviour should be hardened up and become an opt-in rather than the default. You can read more about this under "Breaking Changes" below, the [linked PR](umbraco/Umbraco-CMS#22307) and the [documentation](https://docs.umbraco.com/umbraco-cms/reference/configuration/webroutingsettings#application-url-detection). There are a few updates related to performance in this release that are worth investigating for larger sites. Using output cache in your projects, with intelligent and customisable detection of page invalidation, is now a [configuration option for templated websites](https://docs.umbraco.com/umbraco-cms/reference/website-output-caching), with extension points also [applied for the Delivery API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api/output-caching). We have optimised content cache rebuild after schema updates, with an option for [deferred rebuild in the background](https://docs.umbraco.com/umbraco-cms/reference/configuration/cache-settings#contenttyperebuildmode). If considering a project with significant expected concurrency for member login and registration, and you prefer to use an external service for member management, the new option for [lightweight external members](https://docs.umbraco.com/umbraco-cms/reference/security/lightweight-external-members) will be worth reviewing. If working with AI tools such as Umbraco MCP, additions to management API endpoints that expose JSON schema for data types and allow for patch updates of specific properties, should improve accuracy and reliability. As usual please find the full list of PRs that have contributed to Umbraco 17.4 as follows. ## What's Changed Since 17.4.0-r2 ### 📦 Dependencies * Bump @umbraco-ui/uui to 1.17.3 by @iOvergaard in umbraco/Umbraco-CMS#22753 ### 🔒 Security * Backoffice: Add `localize.htmlString()` helper to prevent XSS in HTML-rendered translations by @iOvergaard in umbraco/Umbraco-CMS#22731 ### 🐛 Bug Fixes * Auth: Un-deprecate getLatestToken and route per-request fetches through it by @iOvergaard in umbraco/Umbraco-CMS#22736 * Color Picker: Refresh stored label when data type label changes (closes #22741) by @AndyButland in umbraco/Umbraco-CMS#22761 * Published Content: Fix Fallback.ToAncestors with no match throwing exception at property level (closes #22759) by @AndyButland in umbraco/Umbraco-CMS#22763 **Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc2...release-17.4.0-rc3 ## What's Changed Since 17.4.0-rc ### 🐛 Bug Fixes * Block permissions: Correction of read-only inheritance and language access (closes #22472, #21973) by @nielslyngsoe in umbraco/Umbraco-CMS#22522 * Redirect Tracker: Prevent creation of redirects from unrouteable URLs (closes #22652, #22256) by @AndyButland in umbraco/Umbraco-CMS#22657 * [Blueprints: Fix intermittent blank workspace when creating documents from blueprints (closes #21996)](umbraco/Umbraco-CMS#22422 (comment)) by @AndyButland in umbraco/Umbraco-CMS#22422 **Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc...release-17.4.0-rc2 ## What's Changed Since the Previous Version (17.3.5) ### 🙌 Notable Changes * Management API: Add JSON Schema support for data types and content types by @Migaroez in umbraco/Umbraco-CMS#21771 * Media Picker: Add Cards/Table view switcher (closes #22005) by @madsrasmussen in umbraco/Umbraco-CMS#22138 * Management API: Add document patch endpoint by @Migaroez in umbraco/Umbraco-CMS#22104 * Website Rendering: Add configurable output caching for template rendered pages by @AndyButland in umbraco/Umbraco-CMS#22338 * Basic Authentication: Standalone login page for frontend-only deployments (closes #22144) by @AndyButland in umbraco/Umbraco-CMS#22168 * Icons: extends icon data + improved search by @nielslyngsoe in umbraco/Umbraco-CMS#22436 * Members: Add lightweight external-only members (closes #12741) by @AndyButland in umbraco/Umbraco-CMS#22162 * Cache: Add deferred content type rebuild mode with de-duplication by @AndyButland in umbraco/Umbraco-CMS#22194 ... (truncated) ## 17.4.0-rc2 ## Upgrade Notes Be aware of a change to behaviour for detecting the Umbraco application URL. Previously, `ApplicationMainUrl` was automatically set from the Host header of incoming HTTP requests. In environments where Umbraco is not behind a reverse proxy that validates the Host header, this could allow a forged Host header to overwrite the URL used in password reset links, user invitations, and other email notifications. While this is normally mitigated by proper hosting configuration and setting `UmbracoApplicationUrl` explicitly, we felt that the auto-detection behaviour should be hardened up and become an opt-in rather than the default. You can read more about this under "Breaking Changes" below, the [linked PR](umbraco/Umbraco-CMS#22307) and the [documentation](https://docs.umbraco.com/umbraco-cms/reference/configuration/webroutingsettings#application-url-detection). There are a few updates related to performance in this release that are worth investigating for larger sites. Using output cache in your projects, with intelligent and customisable detection of page invalidation, is now a [configuration option for templated websites](https://docs.umbraco.com/umbraco-cms/reference/website-output-caching), with extension points also [applied for the Delivery API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api/output-caching). We have optimised content cache rebuild after schema updates, with an option for [deferred rebuild in the background](https://docs.umbraco.com/umbraco-cms/reference/configuration/cache-settings#contenttyperebuildmode). If considering a project with significant expected concurrency for member login and registration, and you prefer to use an external service for member management, the new option for [lightweight external members](https://docs.umbraco.com/umbraco-cms/reference/security/lightweight-external-members) will be worth reviewing. If working with AI tools such as Umbraco MCP, additions to management API endpoints that expose JSON schema for data types and allow for patch updates of specific properties, should improve accuracy and reliability. As usual please find the full list of PRs that have contributed to Umbraco 17.4 as follows. ## What's Changed Since 17.4.0-rc ### 🐛 Bug Fixes * Block permissions: Correction of read-only inheritance and language access (closes #22472, #21973) by @nielslyngsoe in umbraco/Umbraco-CMS#22522 * Redirect Tracker: Prevent creation of redirects from unrouteable URLs (closes #22652, #22256) by @AndyButland in umbraco/Umbraco-CMS#22657 * [Blueprints: Fix intermittent blank workspace when creating documents from blueprints (closes #21996)](umbraco/Umbraco-CMS#22422 (comment)) by @AndyButland in umbraco/Umbraco-CMS#22422 **Full Changelog**: umbraco/Umbraco-CMS@release-17.4.0-rc...release-17.4.0-rc2 ## What's Changed Since the Previous Version (17.3.5) ### 🙌 Notable Changes * Management API: Add JSON Schema support for data types and content types by @Migaroez in umbraco/Umbraco-CMS#21771 * Media Picker: Add Cards/Table view switcher (closes #22005) by @madsrasmussen in umbraco/Umbraco-CMS#22138 * Management API: Add document patch endpoint by @Migaroez in umbraco/Umbraco-CMS#22104 * Website Rendering: Add configurable output caching for template rendered pages by @AndyButland in umbraco/Umbraco-CMS#22338 * Basic Authentication: Standalone login page for frontend-only deployments (closes #22144) by @AndyButland in umbraco/Umbraco-CMS#22168 * Icons: extends icon data + improved search by @nielslyngsoe in umbraco/Umbraco-CMS#22436 * Members: Add lightweight external-only members (closes #12741) by @AndyButland in umbraco/Umbraco-CMS#22162 * Cache: Add deferred content type rebuild mode with de-duplication by @AndyButland in umbraco/Umbraco-CMS#22194 ### 💥 Breaking Changes * Application URL: Add `ApplicationUrlDetection` setting to control application URL auto-detection by @AndyButland in umbraco/Umbraco-CMS#22307 ### 📦 Dependencies * Bump lodash from 4.17.23 to 4.18.1 in /src/Umbraco.Web.UI.Login by @dependabot[bot] in umbraco/Umbraco-CMS#22334 * Dependencies: Update minor and patch versions by @AndyButland in umbraco/Umbraco-CMS#22498 * Update npm dependencies for v17.4.0-rc by @NguyenThuyLan in umbraco/Umbraco-CMS#22464 * Bump the npm_and_yarn group across 3 directories with 4 updates by @dependabot[bot] in umbraco/Umbraco-CMS#22537 * Dependencies: Update Microsoft packages to latest patch and fix HybridCache ParseFault with Redis by @AndyButland in umbraco/Umbraco-CMS#22278 * Dependencies: Pin `System.Security.Cryptography.Xml` to resolve vulnerability warning by @AndyButland in umbraco/Umbraco-CMS#22514 ### 🚤 Performance * Performance: Batch backoffice media thumbnail URL requests to reduce N+1 API calls by @AndyButland in umbraco/Umbraco-CMS#22329 * Performance: Optimize `FullDataSetRepositoryCachePolicy` usage across all repositories by @AndyButland in umbraco/Umbraco-CMS#22264 * Performance: Optimize `ContentTypeRepository` deep-clone on cache reads (closes #22250) by @AndyButland in umbraco/Umbraco-CMS#22263 * Performance: Use `GeneratedRegex` instead of generating at runtime in string extensions by @Henr1k80 in umbraco/Umbraco-CMS#22534 * Performance: Avoid allocating a string if `_publishedContentCache` has a cached version in `MediaCacheService` by @Henr1k80 in umbraco/Umbraco-CMS#22535 * Performance: Micro-optimisation in `UdiParser` (eliminate closure, fix naming & formatting of exceptions) by @Henr1k80 in umbraco/Umbraco-CMS#22506 ... (truncated) ## 17.4.0-rc ## Upgrade Notes Be aware of a change to behaviour for detecting the Umbraco application URL. Previously, `ApplicationMainUrl` was automatically set from the Host header of incoming HTTP requests. In environments where Umbraco is not behind a reverse proxy that validates the Host header, this could allow a forged Host header to overwrite the URL used in password reset links, user invitations, and other email notifications. While this is normally mitigated by proper hosting configuration and setting `UmbracoApplicationUrl` explicitly, we felt that the auto-detection behaviour should be hardened up and become an opt-in rather than the default. You can read more about this under "Breaking Changes" below, the [linked PR](umbraco/Umbraco-CMS#22307) and the [documentation](https://docs.umbraco.com/umbraco-cms/reference/configuration/webroutingsettings#application-url-detection). There are a few updates related to performance in this release that are worth investigating for larger sites. Using output cache in your projects, with intelligent and customisable detection of page invalidation, is now a [configuration option for templated websites](https://docs.umbraco.com/umbraco-cms/reference/website-output-caching), with extension points also [applied for the Delivery API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api/output-caching). We have optimised content cache rebuild after schema updates, with an option for [deferred rebuild in the background](https://docs.umbraco.com/umbraco-cms/reference/configuration/cache-settings#contenttyperebuildmode). If considering a project with significant expected concurrency for member login and registration, and you prefer to use an external service for member management, the new option for [lightweight external members](https://docs.umbraco.com/umbraco-cms/reference/security/lightweight-external-members) will be worth reviewing. If working with AI tools such as Umbraco MCP, additions to management API endpoints that expose JSON schema for data types and allow for patch updates of specific properties, should improve accuracy and reliability. As usual please find the full list of PRs that have contributed to Umbraco 17.4 as follows. ## What's Changed ### 🙌 Notable Changes * Management API: Add JSON Schema support for data types and content types by @Migaroez in umbraco/Umbraco-CMS#21771 * Media Picker: Add Cards/Table view switcher (closes #22005) by @madsrasmussen in umbraco/Umbraco-CMS#22138 * Management API: Add document patch endpoint by @Migaroez in umbraco/Umbraco-CMS#22104 * Website Rendering: Add configurable output caching for template rendered pages by @AndyButland in umbraco/Umbraco-CMS#22338 * Basic Authentication: Standalone login page for frontend-only deployments (closes #22144) by @AndyButland in umbraco/Umbraco-CMS#22168 * Icons: extends icon data + improved search by @nielslyngsoe in umbraco/Umbraco-CMS#22436 * Members: Add lightweight external-only members (closes #12741) by @AndyButland in umbraco/Umbraco-CMS#22162 * Cache: Add deferred content type rebuild mode with de-duplication by @AndyButland in umbraco/Umbraco-CMS#22194 ### 💥 Breaking Changes * Application URL: Add `ApplicationUrlDetection` setting to control application URL auto-detection by @AndyButland in umbraco/Umbraco-CMS#22307 ### 📦 Dependencies * Bump lodash from 4.17.23 to 4.18.1 in /src/Umbraco.Web.UI.Login by @dependabot[bot] in umbraco/Umbraco-CMS#22334 * Dependencies: Update minor and patch versions by @AndyButland in umbraco/Umbraco-CMS#22498 * Update npm dependencies for v17.4.0-rc by @NguyenThuyLan in umbraco/Umbraco-CMS#22464 * Bump the npm_and_yarn group across 3 directories with 4 updates by @dependabot[bot] in umbraco/Umbraco-CMS#22537 * Dependencies: Update Microsoft packages to latest patch and fix HybridCache ParseFault with Redis by @AndyButland in umbraco/Umbraco-CMS#22278 * Dependencies: Pin `System.Security.Cryptography.Xml` to resolve vulnerability warning by @AndyButland in umbraco/Umbraco-CMS#22514 ### 🚤 Performance * Performance: Batch backoffice media thumbnail URL requests to reduce N+1 API calls by @AndyButland in umbraco/Umbraco-CMS#22329 * Performance: Optimize `FullDataSetRepositoryCachePolicy` usage across all repositories by @AndyButland in umbraco/Umbraco-CMS#22264 * Performance: Optimize `ContentTypeRepository` deep-clone on cache reads (closes #22250) by @AndyButland in umbraco/Umbraco-CMS#22263 * Performance: Use `GeneratedRegex` instead of generating at runtime in string extensions by @Henr1k80 in umbraco/Umbraco-CMS#22534 * Performance: Avoid allocating a string if `_publishedContentCache` has a cached version in `MediaCacheService` by @Henr1k80 in umbraco/Umbraco-CMS#22535 * Performance: Micro-optimisation in `UdiParser` (eliminate closure, fix naming & formatting of exceptions) by @Henr1k80 in umbraco/Umbraco-CMS#22506 * Micro-optimization: Use Array.ConvertAll instead of LINQ .Select .ToArray by @Henr1k80 in umbraco/Umbraco-CMS#20292 * Entity Service: Batch GetAllPaths queries to avoid SQL Server parameter limit (closes #22470) by @AndyButland in umbraco/Umbraco-CMS#22471 * Document URL Service: Batch delete of obsolete URL segment records to avoid SQL Server parameter limit (closes #22339) by @AndyButland in umbraco/Umbraco-CMS#22340 * Content Version Cleanup: Optimize for large datasets (closes #22224) by @AndyButland in umbraco/Umbraco-CMS#22239 * Migrations: Optimise sortable value population for date properties by @AndyButland in umbraco/Umbraco-CMS#22547 * Migrations: Fix potential `OptimizeInvariantUrlRecords` timeout on SQL Server (closes #22377) by @AndyButland in umbraco/Umbraco-CMS#22382 * Umb-icon color setting optimization by @nielslyngsoe in umbraco/Umbraco-CMS#22433 ### 🌈 Accessibility Improvements * Accessibility: Fix missing labels on uui-select elements causing console warnings by @andreaslborg in umbraco/Umbraco-CMS#22385 * Accessibility: Include visible initials in name displayed on account menu button (closes #21942) by @andreaslborg in umbraco/Umbraco-CMS#22117 ... (truncated) ## 17.3.5 ## What's Changed ### 🐛 Bug Fixes * Revert fix for making block editors read-only in trashed documents which causes a regression in certain multi-lingual block editing scenarios (closes #22472, re-opens #21982) by @nielslyngsoe in umbraco/Umbraco-CMS#22656 **Full Changelog**: umbraco/Umbraco-CMS@release-17.3.4...release-17.3.5 Commits viewable in [compare view](umbraco/Umbraco-CMS@release-17.3.4...release-17.4.0). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This was referenced May 21, 2026
This was referenced May 31, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Resolves
NU1903build warnings about a high-severity vulnerability inSystem.Security.Cryptography.Xml 8.0.0(GHSA-w3x6-4m5h-cxqf and GHSA-37gx-xxp4-5rgx — denial of service via uncontrolled resource consumption / infinite loop inEncryptedXml, CVSS 7.5).The vulnerable package is pulled in transitively via:
Examine 3.7.1 is the latest stable release, and there is no updated direct dependency we can bump to clear the warning upstream. Following the existing pattern in
Directory.Packages.propsfor transitive pins (e.g.System.Net.Http,System.Private.Uri,System.Text.RegularExpressions), this adds a pinned version ofSystem.Security.Cryptography.Xmlat10.0.6— the patched version for the 10.x line per the advisories, and matching the10.0.6version used for otherMicrosoft.Extensions.*packages already in the file.A
TODOis included to remove the pin when Examine updates itsMicrosoft.AspNetCore.DataProtectionreference to a non-vulnerable version.