5.40.0 (2026-03-18)

🚀 New feature

• add package manager dropdown before version in bug report template (#25679)

🔥 Bug fix

• add maxwidth to documentactions menu (#25664)
• formatErrorMessages array values formatting (#24196)
• admin: alias singleton frontend deps in vite (#25682)
• content-manager: reduce excessive rerendering in components and dynamic zones (#25631)
• content-manager: skip non-draftAndPublish relations in countDraftRelations (#25453)
• i18n: show locale key in disabled select when editing locale (#25124)

📚 Documentation Changes

• fix docs links in README (#25715)

⚙️ Chore

• use https instead of git url in package.repository.url (#25698)
• content-manager: optimize relations handling in EditView component (#25683)
• core: parallelize and cache dynamic zone populate (#25685)

💅 Enhancement

• resolved filter editability on clicking filter tag (#24057)
• core: remove beta on Document API, enforce deprecation on EntityService API (#25744)

❤️ Thank You

• akash-dabhi-qed @akash-dabhi-qed
• Andrea Cappuccio @hood
• Bassel Kanso @Bassel17
• calm @calm329
• Jamie Howard @jhoward1994
• markkaylor
• mathildeleg @mathildeleg
• Nico André
• Nikolas Rimikis @Leptopoda
• Pierre Wizla
• Varun Chawla @veeceey

5.38.1 (2026-03-11)

Superseded on March 11, 2026 by v5.39.0 due to versioning mistake.
Please use v5.39.0.

5.39.0 (2026-03-11)

🚀 New feature

• expand accordion by default when inserting a new component in a document (#24230)
• content-manager: filter list view by publication status (#25510)

🔥 Bug fix

• added shift+tab to blocks editors (#24122)
• single type publish permission error (#24754)
• es translations (#25655)
• typo 'compatability' to 'compatibility' in error messages (#25535)
• content-manager: export ContentManagerPlugin type for plugin dev… (#24149)
• content-manager: reduce excessive rerendering in relation fields (#25623)
• content-manager: reduce rerenders for conditional fields (#25617)
• content-releases: publish in right order to preserve relations (#25551)
• guided-tour: no overlay in dark mode (#25485)
• openapi: correctly merge plugin router prefix with route paths (#25616)
• types: fix document findOne params (#25613)
• upload: add crossOrigin attribute to image preview (#24946)

⚙️ Chore

• upgrade to glob 13 (#25610)
• upgrade better-sqlite3 to 12.6.2 (#25611)
• remove eslint-plugin-rxjs (#25612)
• upgrade koa to 20.8.4 and minimatch to 10.2.4 (#25624)
• eslintignore coverage (#25649)
• stop adding issues to GitHub projects in issues_handleLabel workflow (#25677)
• update package metadata (#25599)
• *: register vitest dependency in Yarn catalog (#25400)
• core/permissions: ensure engine properly merges conditions (#25569)
• deps: bump js-yaml from 3.14.1 to 3.14.2 (#24858)
• deps: bump qs from 6.14.2 to 6.15.0 (#25555)
• deps: bump jws from 3.2.2 to 3.2.3 (#24981)
• deps: bump elliptic from 6.5.7 to 6.6.1 (#24803)
• deps: bump serialize-javascript from 6.0.1 to 6.0.2 (#24841)
• deps: bump mdast-util-to-hast from 13.2.0 to 13.2.1 (#24950)
• deps: bump jws from 3.2.2 to 3.2.3 (#25652)
• deps: bump tar from 7.5.9 to 7.5.10 (#25642)
• deps: bump serialize-javascript from 6.0.1 to 6.0.2 (#25653)

🚨 Security

• upload: improve mimetype detection for uploads (#25177)

❤️ Thank You

• Adrien L
• Akash Santra @Akash504-ai
• akash-dabhi-qed @akash-dabhi-qed
• Ayoub Hidri @ayhid
• Bassel Kanso @Bassel17
• Ben Irvin
• Brandon Aaron @brandonaaron
• Daniel Garcia @dagadevelop
• Gouttfi @Gouttfi
• jeanvier
• markkaylor
• Nico André
• Nikolas Rimikis @Leptopoda
• Owen Rossi-Keen @Smoke3785

5.38.0 (2026-03-04)

🚀 New feature

• content-manager: add relationOpenMode setting (modal/page/newTab) (#25433)
• email-nodemailer: upgrade to Nodemailer v8 with advanced email features and Admin UI capabilities (#25392)
• i18n: add missing french translations (#23093)

🔥 Bug fix

• typo 'recieved' to 'received' across codebase (#25541)
• markdown editor number list is created with wrong numbers (#24631)
• add i18n for boolean cell values (#22314)
• folder subtitles for folders without assets or subfolders (#22694)
• vite and webpack config when linking ds locally (#25530)
• types: add missing typing for proxy.koa config (#25575)

⚙️ Chore

• bump design-system to v2.2.0 (#25584)
• deps: bump rollup from 4.27.4 to 4.59.0 (#25566)
• upload: add import from url (#25496)

❤️ Thank You

• Adrien L
• Altay Akkus
• Ayoub Hidri @ayhid
• Daniel Garcia @dagadevelop
• Grégory Boutte
• Jorrit Schippers
• markkaylor
• mathildeleg @mathildeleg
• Schero D. @Schero94
• Tewson Seeoun @tewson

5.37.1 (2026-02-26)

🔥 Bug fix

• core: preserve component clone integrity in discard-drafts migration

❤️ Thank You

• Bassel Kanso @Bassel17
• Ben Irvin

5.37.0 (2026-02-26)

🔥 Bug fix

• improve subnav on mobile so it works with banner (#25450)
• layout page broken (#25501)
• add design-system to config (#25435)
• radix ui dialog dependency version (#25549)

📚 Documentation Changes

• fix typos in content-releases frontend intro (#25471)

⚙️ Chore

• add bot and contributor detection to community-label workflow (#25497)
  (#25494))
• docs: revise README for AWS S3 provider updates (#25449)

💅 Enhancement

• improve mobile ux of list view (#25366)

🚨 Security

• feature: add strictParam, addQueryParams, addInputParams (#25528)
• deps: upgrade to tar 7.5.9 (#25504)
• deps: upgrade multiple dependencies (#25506)
• deps: bump bn.js from 4.12.0 to 4.12.3 (#25521)
• deps: bump minimatch from 9.0.3 to 10.2.1 ([#25494]

❤️ Thank You

• Adrien L
• Ayoub Hidri @ayhid
• Ben Irvin
• mathildeleg @mathildeleg
• Pierre Wizla
• Simon Norris @cache-your-dreams
• Ziyi @butcherZ

5.36.1 (2026-02-18)

🔥 Bug fix

• handle undefined tours property (#25290)
• core: handle negative and zero min/max validation for number fields (#25409)
• history: improve error handling and batch deletion in cron jobs (#25425)
• migrations: speed up discard-drafts with bulk batches (#25293)
• ts: ignore generated .strapi folder (#25086)
• utils: bump preferred-pm to fix npm workspace detection (#25406)

⚙️ Chore

• add --no-build-admin option to 'strapi develop' command (#25415)
• */vitest: introduce Vitest and vitest-config package (#25286)
• ci: redirect question issues to GitHub Discussions (#25441)
• deps: bump @casl/ability from 6.5.0 to 6.7.5 (#25430)
• deps: bump qs from 6.14.1 to 6.14.2 (#25444)

🚨 Security

• upgrade to tar 7 (#25380)
• update react-router (#25391)
• deps: upgrade axios from v1.12.2 to v1.13.5 (#25427)

❤️ Thank You

• Andrei L @unrevised6419
• Bassel Kanso @Bassel17
• Ben Irvin
• DMehaffy
• Florent Baldino @Baldinof
• Jamie Howard @jhoward1994
• Jonas Thelemann
• Josh Stuible
• Nico André
• SARGUNESH S V @sargunesh25
• Simen @Eventyret

5.36.0 (2026-02-11)

🚀 New feature

• persistent list view settings (#24246)
• strapi/create: type strapi configs (#21859)
• upload-aws-s3: add extended configuration for S3-compatible providers (#25263)

🔥 Bug fix

• responsive drawer for content history (#25344)
• scrolling in sidenav also scroll content (#25379)
• match database package version (#25389)
• content-manager: preserve origin id when cloning, to fetch relations so they are corrected re-populated (#25307)
• preview-config: allow and await for async handler (#25396)
• upload-aws-s3: use baseUrl even if upload location lacks protocol (#23400)

💅 Enhancement

• improve mobile design for edit view forms (#25320)
• create-strapi-app: add --non-interactive mode for CI and scripts (#25373)

🚨 Security

• upgrade apollo to 4.13.0 (#25375)

❤️ Thank You

• Adrien L
• Andrei L @unrevised6419
• Ben Irvin
• Enrique Carpintero
• jayesh70599 @jayesh70599
• Marian Vonsien @mvo-zyres
• mathildeleg @mathildeleg
• Paul Bratslavsky @PaulBratslavsky
• Schero D. @Schero94

5.35.0 (2026-02-04)

🚀 New feature

• upload: add focal point picker for images (#25267)

🔥 Bug fix

• prevent bulk publish modal from closing during API refetch (#24632)
• update ko.json (#23501)
• mobile actions drawer in content manager edit view (#25243)
• upload: prevent asset deletion when clicking cancel on EditAssetDialog (#25318)

⚙️ Chore

• bump yarn 4.5 to 4.12 (#25284)

💅 Enhancement

• improve mobile design for content history forms (#25338)

🚨 Security

• update multiple subdependencies (#25337)

❤️ Thank You

• Adrien L
• Ben Irvin
• Dhruv Maradiya @Dhruv-Maradiya
• jayesh70599 @jayesh70599
• mathildeleg @mathildeleg
• Niceplugin @niceplugin
• Nico André
• Schero D. @Schero94

5.34.0 (2026-01-28)

🚀 New feature

• update german translations for various components (#24143)
• upload: add retroactive ai metadata generation (#25066)

🔥 Bug fix

• add missing labels to IT locale (#25217)
• form elements mobile adjustments (#25202)
• responsive cm header (#25203)
• run orphan removal for the 'related_type' column (#24833)
• adjust padding for cm subnav (#25253)
• admin: format input error message with values (#23932)
• i18n: ai translation losing unsupported fields (#25247)
• menu: render external links as anchors (#25269)

📚 Documentation Changes

• clarify strapi installation instructions in README (#25016)
• CONTRIBUTING: set link to latest version of .commitlintrc.ts (#25224)

⚙️ Chore

• update pinned elliptic (#25206)
• remove unused imports from react and @strapi/design-system (#25222)
• update pinned dependencies express, qs, body-parser (#25209)
• remove in-app marketplace (#24958)
• update lodash to 4.17.23 (#25244)
• deps: bump lodash-es from 4.17.21 to 4.17.23 (#25239)
• upload: setup future flag for media lib redesign work (#25229)
• ‎.github/workflows: bump outdated GitHub Actions versions (#25233)

💅 Enhancement

• responsiveness consistency for subnav (#25107)

🚨 Security

• update pinned mdast-utils (#25227)
• update pinned js-yaml, node-forge, tmp, and more (#25228)

❤️ Thank You

• Adrien L
• Ben Irvin
• Boaz Poolman
• Jair Ortiz @JairOrtizGutierrez
• Jamie Howard @jhoward1994
• Leonid Vinogradov @leon-win
• Lukas Eipert
• markkaylor
• mathildeleg @mathildeleg
• Nidhi Sharma @Nidhisharma4399
• Pádraic Slattery @pgoslatara
• Ziyi @butcherZ

Changelog

Bug fixes

• 95d722b: fix: test udp (@seriousm4x)

Others

• 8d461e0: add note for DEVICE_IP and DEVICE_MAC availability in cmds (#1716) (@invario)
• 49d4109: gh-actions: remove go and npm, will update manually (@seriousm4x)
• 59b1723: send additional 2 magic packets via IP address for routed WOL (#1718) (@invario)

Security Release

• Update Instructions
• Update details on blog

This is a security release to address a vulnerability where the registration form could be manipulated to gain access to additional roles.

Upgrade is very strongly advised if your instance has user registration enabled.

Thanks to Kwonyong Lee (LinkedIn) for responsibly reporting this issue.
Also thanks to Boustani OSAMA (LinkedIn) for also reporting this before public announcement.

Full List of Changes

• Updated user creation to only use validated input from registration.
• Updated PHP package versions.
• Updated translations with latest Crowdin changes. (#6064)
• Updated PHP_CodeSniffer repository link. Thanks to @rodrigoprimo. (#6060)
• Updated WYSIWYG editors to have consistent collapsible block double click behavior. (#6059)

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2026-03-08)

recent important news

• v1.20.9 (2025-02-25) fixed CVE-2026-27948 (XSS)

🧪 new features

• #1351 add .hidden support (thx @NecRaul!) beb634d 134e378
  • cosmetic filter to exclude specific files from directory listings by adding their filenames to a textfile named .hidden similar to many linux desktop file managers
  • the files are still easily available from various APIs; this is not a security feature, just a way to keep things neat and tidy
• #1381 thumbnail pregeneration 7d6b037
  • usually/generally not a good idea; readme explains it
• shares: now possible to grant the . permission to see dotfiles 66f9c95

🩹 bugfixes

• #1372 #1333 no thumbnails if the server OS was too old to have JXL support and the webbrowser was asking for JXL 1afe48b
• #1363 new-version alert would only appear if the visitor had the Admin permission in the webroot specifically; now A in any volume is sufficient 6eb4f0a
• 66f1ef6 should have blocked mkdir too and now it does (thx @restriction!) ac60a1d
• setting the nohtml or noscript volflags on the webroot would break the web-UI eb028c9
• shares: the -ed global-option did not make dotfiles visible in shares 66f9c95
  • the dots volflag still doesn't, but that one is intentional

🔧 other changes

• tried to stop libvips from gobbling up ram while creating jxl thumbnails; didn't really work abdbd69
  • jxl support in libvips is now default-disabled unless the libc is musl and the allocator is mallocng, which means alpine linux
    • in other words, libvips is still fully enabled in the iv and dj docker images if you do not enable mimalloc
  • all other deployments will now have slightly slower jxl thumbnail generation by using ffmpeg instead (it's fine really)
    • new global-option --th-vips-jxl lets you force-enable it if you dare
• volflags nohtml and noscript now available as global-options --no-html and --no-script 5f3b76c
  • and the -ss paranoia option now also enables --no-html --no-readme --no-logues
• --flo 2 now removes colors from logfiles even if -q is not set 8c6d8a3
• update dompurify to 3.3.3 6a9e6da
• docs:
  • #1360 versus.md: more readable headers (thx @eugenesvk!) e71e190
  • #1367 mention --shr-who in the readme (thx @TWhiteShadow!) 4688410

🌠 fun facts

• it is easter soon edc2017

💾 what to download?

• except for u2c.exe, all of the options above are mostly equivalent
• the zip and tar.gz files below are just source code
• python packages are available at PyPI