
Bump apostrophe from 2.113.1 to 3.4.0 #13

Open
wants to merge 1 commit into
base: master

Conversation

dependabot[bot]

@dependabot dependabot bot commented on behalf of github Nov 10, 2021

Bumps apostrophe from 2.113.1 to 3.4.0.

Changelog

Sourced from apostrophe's changelog.

3.4.0 - 2021-09-13

Security

  • Changing a user's password or marking their account as disabled now immediately terminates any active sessions or bearer tokens for that user. Thanks to Daniel Elkabes for pointing out the issue. To ensure all sessions have the necessary data for this, all users logged in via sessions at the time of this upgrade will need to log in again.
  • Users with permission to upload SVG files were previously able to do so even if they contained XSS attacks. In Apostrophe 3.x, the general public so far never has access to upload SVG files, so the risk is minor but could be used to phish access from an admin user by encouraging them to upload a specially crafted SVG file. While Apostrophe typically displays SVG files using the img tag, which ignores XSS vectors, an XSS attack might still be possible if the image were opened directly via the Apostrophe media library's convenience link for doing so. All SVG uploads are now sanitized via DOMPurify to remove XSS attack vectors. In addition, all existing SVG attachments not already validated are passed through DOMPurify during a one-time migration.

Fixes

  • The apos.attachment.each method, intended for migrations, now respects its criteria argument. This was necessary to the above security fix.
  • Removes a lodash wrapper around @apostrophecms/express bodyParser.json options that prevented adding custom options to the body parser.
  • Uses req.clone consistently when creating a new req object with a different mode or locale for localization purposes, etc.
  • Fixes bug in the "select all" relationship chooser UI where it selected unpublished items.
  • Fixes bug in "next" and "previous" query builders.
  • Cutting and pasting widgets now works between locales that do not share a hostname, provided that you switch locales after cutting (it does not work between tabs that are already open on separate hostnames).
  • The req.session object now exists in task req objects, for better compatibility. It has no actual persistence.
  • Unlocalized piece types, such as users, may now be selected as part of a relationship when browsing.
  • Unpublished localized piece types may not be selected via the autocomplete feature of the relationship input field, which formerly ignored this requirement, although the browse button enforced it.
  • The server-side JavaScript and REST APIs to delete pieces now work properly for pieces that are not subject to either localization or draft/published workflow at all (the localize: false option). UI for this is under discussion; this is just a bug fix for the back end feature which already existed.
  • Starting in version 3.3.1, a newly added image widget did not display its image until the page was refreshed. This has been fixed.
  • A bug that prevented Undo operations from working properly and resulted in duplicate widget _id properties has been fixed.
  • A bug that caused problems for Undo operations in nested widgets, i.e. layout or multicolumn widgets, has been fixed.
  • Duplicate widget _id properties within the same document are now prevented on the server side at save time.
  • Existing duplicate widget _id properties are corrected by a one-time migration.

Adds

  • Adds a linter to warn in dev mode when a module name includes a period.
  • Lints module names for apostrophe- prefixes even if they don't have a module directory (e.g., only in app.js).
  • Starts all warnDev messages with a line break and warning symbol (⚠️) to stand out in the console.
  • apos.util.onReady aliases apos.util.onReadyAndRefresh for brevity. The apos.util.onReadyAndRefresh method name will be deprecated in the next major version.
  • Adds a developer setting that applies a margin between parent and child areas, allowing developers to change the default spacing in nested areas.

Changes

  • Removes the temporary trace method from the @apostrophecms/db module.
  • Beginning with this release, the apostrophe:modulesReady event has been renamed apostrophe:modulesRegistered, and the apostrophe:afterInit event has been renamed apostrophe:ready. This better reflects their actual roles. The old event names are accepted for backwards compatibility. See the documentation for more information.
  • Only autofocuses rich text editors when they are empty.
  • Nested areas now have a vertical margin applied when editing, allowing easier access to the parent area's controls.

3.3.1 - 2021-09-01

Fixes

  • In some situations it was possible for a relationship with just one selected document to list that document several times in the returned result, resulting in very large responses.
  • Permissions roles UI localized correctly.
  • Do not crash on startup if users have a relationship to another type. This was caused by the code that checks whether any users exist to present a warning to developers. That code was running too early for relationships to work due to event timing issues.

3.3.0 - 2021-08-30

... (truncated)

Commits
  • 111a2e3 Merge pull request #3412 from apostrophecms/release-3.4.0
  • 315f7a2 release date and version number
  • 72b6cc5 Merge pull request #3411 from apostrophecms/pro-2063-b
  • d74bb84 PRO-2063 use klona when adding a patch to the patchesSinceLoaded list
  • d029558 Merge pull request #3409 from apostrophecms/pro-2063
  • 38ae0a4 typo
  • 7a68e01 do not overpromise
  • aaf844b PRO-2063: fixed, but now I am going to back off on sitewide widget _id unique...
  • 8cb7510 Merge pull request #3408 from apostrophecms/pro-2060
  • ee6f60c PRO-2060: a fix introduced in 3.3.1 revealed broken render-widget logic that ...
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [apostrophe](https://github.com/apostrophecms/apostrophe) from 2.113.1 to 3.4.0.
- [Release notes](https://github.com/apostrophecms/apostrophe/releases)
- [Changelog](https://github.com/apostrophecms/apostrophe/blob/main/CHANGELOG.md)
- [Commits](apostrophecms/apostrophe@2.113.1...3.4.0)

---
updated-dependencies:
- dependency-name: apostrophe
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Nov 10, 2021