umbraco/Umbraco-CMS release-17.4.0-rc on GitHub

Upgrade Notes

Be aware of a change to behaviour for detecting the Umbraco application URL. Previously, ApplicationMainUrl was automatically set from the Host header of incoming HTTP requests. In environments where Umbraco is not behind a reverse proxy that validates the Host header, this could allow a forged Host header to overwrite the URL used in password reset links, user invitations, and other email notifications. While this is normally mitigated by proper hosting configuration and setting UmbracoApplicationUrl explicitly, we felt that the auto-detection behaviour should be hardened up and become an opt-in rather than the default. You can read more about this under "Breaking Changes" below, the linked PR and the documentation.

There are a few updates related to performance in this release that are worth investigating for larger sites. Using output cache in your projects, with intelligent and customisable detection of page invalidation, is now a configuration option for templated websites, with extension points also applied for the Delivery API. We have optimised content cache rebuild after schema updates, with an option for deferred rebuild in the background. If considering a project with significant expected concurrency for member login and registration, and you prefer to use an external service for member management, the new option for lightweight external members will be worth reviewing.

If working with AI tools such as Umbraco MCP, additions to management API endpoints that expose JSON schema for data types and allow for patch updates of specific properties, should improve accuracy and reliability.

As usual please find the full list of PRs that have contributed to Umbraco 17.4 as follows.

What's Changed

🙌 Notable Changes

Management API: Add JSON Schema support for data types and content types by @Migaroez in #21771
Media Picker: Add Cards/Table view switcher (closes #22005) by @madsrasmussen in #22138
Management API: Add document patch endpoint by @Migaroez in #22104
Website Rendering: Add configurable output caching for template rendered pages by @AndyButland in #22338
Basic Authentication: Standalone login page for frontend-only deployments (closes #22144) by @AndyButland in #22168
Icons: extends icon data + improved search by @nielslyngsoe in #22436
Members: Add lightweight external-only members (closes #12741) by @AndyButland in #22162
Cache: Add deferred content type rebuild mode with de-duplication by @AndyButland in #22194

💥 Breaking Changes

Application URL: Add ApplicationUrlDetection setting to control application URL auto-detection by @AndyButland in #22307

📦 Dependencies

Bump lodash from 4.17.23 to 4.18.1 in /src/Umbraco.Web.UI.Login by @dependabot[bot] in #22334
Dependencies: Update minor and patch versions by @AndyButland in #22498
Update npm dependencies for v17.4.0-rc by @NguyenThuyLan in #22464
Bump the npm_and_yarn group across 3 directories with 4 updates by @dependabot[bot] in #22537
Dependencies: Update Microsoft packages to latest patch and fix HybridCache ParseFault with Redis by @AndyButland in #22278
Dependencies: Pin System.Security.Cryptography.Xml to resolve vulnerability warning by @AndyButland in #22514

🚤 Performance

Performance: Batch backoffice media thumbnail URL requests to reduce N+1 API calls by @AndyButland in #22329
Performance: Optimize FullDataSetRepositoryCachePolicy usage across all repositories by @AndyButland in #22264
Performance: Optimize ContentTypeRepository deep-clone on cache reads (closes #22250) by @AndyButland in #22263
Performance: Use GeneratedRegex instead of generating at runtime in string extensions by @Henr1k80 in #22534
Performance: Avoid allocating a string if _publishedContentCache has a cached version in MediaCacheService by @Henr1k80 in #22535
Performance: Micro-optimisation in UdiParser (eliminate closure, fix naming & formatting of exceptions) by @Henr1k80 in #22506
Micro-optimization: Use Array.ConvertAll instead of LINQ .Select .ToArray by @Henr1k80 in #20292
Entity Service: Batch GetAllPaths queries to avoid SQL Server parameter limit (closes #22470) by @AndyButland in #22471
Document URL Service: Batch delete of obsolete URL segment records to avoid SQL Server parameter limit (closes #22339) by @AndyButland in #22340
Content Version Cleanup: Optimize for large datasets (closes #22224) by @AndyButland in #22239
Migrations: Optimise sortable value population for date properties by @AndyButland in #22547
Migrations: Fix potential OptimizeInvariantUrlRecords timeout on SQL Server (closes #22377) by @AndyButland in #22382
Umb-icon color setting optimization by @nielslyngsoe in #22433

🌈 Accessibility Improvements

Accessibility: Fix missing labels on uui-select elements causing console warnings by @andreaslborg in #22385
Accessibility: Include visible initials in name displayed on account menu button (closes #21942) by @andreaslborg in #22117
Accessibility: Add labels to member workspace toggles by @andreaslborg in #22403
Accessibility: Add label and localized placeholder to picker search field by @andreaslborg in #22402
Accessibility: Add label to member type filter dropdown by @andreaslborg in #22397

🚀 New Features

Entity Data Picker: Adds start node support to tree data-sources by @leekelleher in #22172
Rich Text Editor: Filter paste, drag&drop, and media picker to allowed media types (closes #21824) by @iOvergaard in #22267
Tiptap RTE: Add width/height to edit image properties (AB#65981) by @iOvergaard in #22266
Document Blueprints: Add info workspace view by @NguyenThuyLan in #21951
Notifications: Surface ProblemDetails detail in error notifications by @iOvergaard in #22298
General: Add decoding="async" to relevant IMG-tags by @nielslyngsoe in #22428
Backoffice Identity: Add Override method to IBackOfficeSecurityAccessor for background processing by @AndyButland in #22499
Relations: Fire relation notifications for automatic relations (closes #22222) by @AndyButland in #22345
User Groups: Add ability to manage users directly from the group workspace by @NguyenThuyLan in #22215
Block Editor: Create Modal Size Overwrite by @nielslyngsoe in #22386

🐛 Bug Fixes

Management API: Return descriptive 400 for property variance mismatch (closes #22076) by @AndyButland in #22100
Sections: Sort sections by display name in user group assignment (closes #22094) by @AndyButland in #22112
Block Editors: Resolves incorrect "Discard unsaved changes" message when editing blocks with live editing by @marcloveUSN in #22134
Redirect Tracking: Fix segment change detection and optimise descendant traversal (closes #22082) by @AndyButland in #22091
Routing: Resolve URL segment collision for siblings differing only in punctuation (closes #22070) by @0xRozier in #22090
Last Synced: Adding A File System Approach to Subscriber Servers by @NillasKA in #22145
Localization: Added missing for elements by @Lantzify in #22079
Application URLs: Prevent back office hosts being overwritten in a shared database setup (closes #16741) by @matthewcare in #22160
Migrations: Fix property detection for invariant content types with culture-varying compositions (closes #22159) by @AndyButland in #22167
Backoffice: Add tree item children collection views for Partial Views, Stylesheets, Scripts, Templates, and Document Blueprints by @madsrasmussen in #22146
Distributed Locking: Add ROWLOCK hint to prevent cross-row contention on umbracoLock table (closes #22113) by @AndyButland in #22126
EFCore Scoping: Clear stale connection on pooled DbContext before returning to pool (closes #22124) by @AndyButland in #22132
Distributed Background Jobs: Preventing Jobs From Running When Database Is Read-Only by @NillasKA in #22208
EFCore Scoping: Preserve connection string before disposing EFCoreScope database (closes #22211) by @idseefeld in #22212
Blueprints: Allow saving document blueprints with partial variant names (closes #22190) by @AndyButland in #22210
Tree Picker: Fix root item not deselecting in single-selection picker (closes #22073) by @AndyButland in #22099
Management API: Add endpoint to get all member types allowed at root by @AndyButland in #22226
Dynamic Root: Fix current origin resolution for new unsaved content (closes #22213) by @AndyButland in #22216
Backoffice: Migrate Templating, Language, Member Group, and Document Blueprint create entity actions to use entityCreateOptionAction extensions by @madsrasmussen in #22214
Members: Fix Create Members based on Member Types in folders by @madsrasmussen in #22241
Member Authorization: Return correct status codes for unauthenticated members (fixes #21638) by @AndyButland in #22220
Localization: Update "MFA" label to "2FA" in language files by @marcloveUSN in #22236
Examine: Fix DocumentUrlService not initialized during Examine indexing after package upgrade by @AndyButland in #22243
Examine Dashboard: Support content node links from delivery API index (closes #22221) by @AndyButland in #22225
Repositories: Fix Raw Sql Statements without Escaped Table, Column or Alias Names (closes #22259) by @idseefeld in #22261
Cache sync: append SiteName to machine identifier for same-host load balancing by @nikolajlauridsen in #22257
Media: Set width and height for uploaded SVGs by @enkelmedia in #22244
Migrations: Fix NPoco auto-select breaking retrust FK migration by @AndyButland in #22270
Backoffice: Remove token cookie if decryption fails (mitigates #16107) by @Migaroez in #22237
Unattended Upgrades: Rebuild routing caches after background migrations to fix unroutable document URLs by @AndyButland in #22269
Media: Allow duplicating system media types (closes #22282) by @AndyButland in #22284
User management: Show change password validation error (closes #22291) by @JoseMarcenaro in #22292
User Service: Fix WhereIn subquery in PermissionRepository (closes #22288) by @AndyButland in #22289
Install: Ensure media directory exists before creating PhysicalFileProvider (closes #14877, #22355) by @AndyButland in #22281
Templating: Add Production Mode condition to Partial View and Template Collection create actions by @madsrasmussen in #22295
Document Editing: Fix unchanged variants selected in save and publish dialog (closes #22277) by @AndyButland in #22285
BackOffice Document Editing: Fix pending changes status in variant selector (closes #22271) by @AndyButland in #22290
Block Grid: Protect against null columnSpan/rowSpan when rendering blocks (closes #22306) by @AndyButland in #22311
Redirects: Fix crash seen in Redirect URL Management dashboard when the redirect route does not contain '/' (closes #22308) by @VargyasMoniLajos in #22309
Block Editors: Fix preset values for composition properties on non-varying element types (closes #22320) by @AndyButland in #22320
Background Jobs: Fix period drift in RecurringHostedServiceBase by @ronaldbarendse in #22330
Builder Extensions: Make AddWebComponents() idempotent (closes #22344) by @AndyButland in #22347
Search: Show ancestor breadcrumb path in items results (closes #21107) by @engijlr in #22240
Media Picker: Fix folder selection regression for developer-configured media pickers (closes #22349) by @AndyButland in #22350
Relations: Allow saving relation types without parent/child object types (closes #22359) by @AndyButland in #22336
Property Editor Dialog: Set height to 100% for umb-property-editor-ui-picker-modal by @bjarnef in #22354
Cache: Fix published content not immediately routable after PublishBranch (closes #22398) by @AndyButland in #22341
Content type design: Fix tab overflow with scrollable navigation (closes #20876) by @engijlr in #22294
CSP: Add blob: to img-src for media upload previews by @AndyButland in #22343
Slider: Persist value updates on drag-and-drop (closes #22183) by @AndyButland in #22276
User group: Fix issue icons not show when different colour than black (closes #22352) by @NguyenThuyLan in #22372
Added length validation to change password modal element by @Yinzy00 in #21781
Languages: Exclude invariant culture from list of available cultures for language creation (closes #22380) by @hifi-phil in #22381
Templating: Move production mode validation from service layer to Management API by @AndyButland in #22383
Management API: Fix OAuth client registration permanently skipped after transient failure (closes #22356) by @AndyButland in #22368
Content picker: Fix display for list items in content picker when pre-selected items exceed maximum (closes #22129) by @NguyenThuyLan in #22395
Login: Update styles of login screen for better color customizations by @nielslyngsoe in #22389
Block Grid: Apply language fallback to block elements within layouts (closes #22195) by @AndyButland in #22219
Clipboard: Localize property labels when copying to clipboard (closes #21998) by @iOvergaard in #22412
Templates: Fixes modal text styling in when inserting sections (closes #22358) by @Abdjulaziz in #22376
User Service: Prevent fetching all permissions when no IDs are provided by @krebil in #22424
RTE: Block Clipboard label Localization (closes #22412) by @nielslyngsoe in #22417
Migrations: Consistently handle GUID casing when using SQLite by @callumbwhyte in #22406
Migrations: Quote names when creating index (closes #22409) by @idseefeld in #22410
dotnet Templates: Remove legacy Umbraco:CMS:Content:MacroErrors from project template development configuration by @callumbwhyte in #22447
Backoffice: Add explicit controller aliases to observe() calls in tree components by @iOvergaard in #22450
Cache: Invalidate published cache entries when content or media is trashed by @lauraneto in #22451
Member Authentication: Add member sign-in/sign-out notifications (closes #22461) by @mattbrailsford in #22463
Tags Property Editor: Preserve commas in tag values (closes #22413) by @AndyButland in #22432
Media Collection: Display upload notifications in rows rather than in columns (closes #21502) by @Welander1994 in #22467
Document Create Modal: Add loading indicator to Create options (fix #20817) by @Copilot in #20857
Document Editing: Allow removal of template from a document and indicate when the selected template is no longer allowed (closes #20929) by @AndyButland in #22348
Migrations: Fix RetrustForeignKeyAndCheckConstraints failing when data violates a constraint by @AndyButland in #22488
Output Caching: Align Delivery API extensibility with website output caching by @AndyButland in #22456
Parameterise variables in SqliteSyntaxProvider and SqlServerSyntaxProvider by @liamlaverty in #22492
TipTap Code Editor: Fix horizontal overflow in TipTap source code modal (closes #22287) by @andreaslborg in #22474
Background Jobs: Use ApplicationMainUrl as fallback for absolute URL provision (closes #22420) by @AndyButland in #22435
Tiptap RTE: Fix Clear Formatting errors when HTML attribute extensions aren't enabled (closes #22502) by @AndyButland in #22509
adds same drag styling as when dragging item in the content sectin by @Welander1994 in #22460
Media Picker: Use UUI breadcrumbs to prevent modal overflow with deep folder paths (closes #22286) by @engijlr in #22375
Fix: parse hashtag strings for confirm dialog localization by @nielslyngsoe in #22490
Documents: Present blueprint options from collection view Create button (closes #22529) by @AndyButland in #22533
Trees: Respect 'Ignore user start nodes' on expand (closes #22487) by @AndyButland in #22510
Templating: Correct the updated Navigation snippet (closes #22528) by @AndyButland in #22530
Migrations: Await EF Core premigrations for OpenIddict (closes #22200) by @AndyButland in #22205
Attended Upgrades: Detect and display correct "from" version on the upgrade screen (closes #20980) by @AndyButland in #22387
Authorization: Fix publish with descendants returning 403 with granular permissions (closes #22140) by @AndyButland in #22148
User Service: Remove IBackOfficeUserStore service location from read methods (closes #22404) by @AndyButland in #22408
V17/media notification by @Welander1994 in #22484
Removed line clamp for data type picker (closes #22515) by @andreaslborg in #22526
Boot Failed: Add missing BootFailed.html error page (closes #17144) by @AndyButland in #22120
Users: Show success dialog after creating API user (closes #21921) by @AndyButland in #22426
Members: Fix SQL error when combining member type and group filters on filter endpoint by @AndyButland in #22209
Migrations: Fix local link migration losing fragments and query strings (closes #22152) by @AndyButland in #22153
EF Core Scoping: Allow separate database connections for custom DbContexts (closes #22131) by @AndyButland in #22133
Published Content Cache: Defensive hardening against race conditions (closes #22254, #22384) by @AndyButland in #22393
Migrations: Fix Label long-string data type dbType (closes #22553) by @AndyButland in #22557
Cache: Gracefully handle inconsistent published version state (closes #22293) by @AndyButland in #22296
Relations: Swallow exceptions when retrieving references from incompatible property values (closes #22197) by @AndyButland in #22207
Security: Prevent XXE opportunity in OEmbedProviderBase by @liamlaverty in #22550
Backoffice: Stop UI filtering invariant document URLs by display culture (closes #22556) by @AndyButland in #22560
Surface controllers: validate redirect url in public surface controllers by @NguyenThuyLan in #22561
Permissions: Route UI permission retrieval through IContentPermissionService (closes #22351) by @AndyButland in #22400
Document Management: Clear per-culture published flags when copying a document (closes #22540) by @iOvergaard in #22567
Decimal: Allow decimal values when step size is not configured (closes #22127) by @AndyButland in #22128
Frontend: Fix umb-table Firefox rendering when columns change (closes #22411) by @iOvergaard in #22414
Document URL Aliases: De-duplicate repeated aliases to prevent upgrade failure by @AndyButland in #22569
Subscriber Server Role: Skip URL/alias persistence on subscribers with read-only databases (closes #22570) by @AndyButland in #22572
Slider: Add minimumRange configuration for range sliders (partially closes #22067) by @AndyButland in #22078
Segments: Preserve segmented property values after save (closes #22166) by @AndyButland in #22173

🧪 Testing

E2E: QA Added acceptance tests for DisableDeleteWhenReferenced setting by @nhudinh0309 in #22017
E2E: Updated the acceptance tests to match the recent changes by @nhudinh0309 in #22088
E2E: QA Updated acceptance tests for bulk trash content due to UI changes by @nhudinh0309 in #22118
E2E: QA: Added document segemented variant acceptance tests by @andr317c in #21957
Build: Serialize E2E stages and stagger branch schedules to reduce agent usage by @nhudinh0309 in #22164
E2E: QA Added acceptance test for HMAC secret key health check by @nhudinh0309 in #22141
Integration Tests: Avoid hidden BootFailedException in CoreConfigurationHttpTests by @AndyButland in #22188
E2E: QA Added acceptance tests for public access by @nhudinh0309 in #22158
E2E: QA Updated acceptance tests for duplication action due to UI changes by @nhudinh0309 in #22206
E2E: QA: add acceptance tests for compositions by @andr317c in #22180
E2E: QA Added acceptance tests for moving media items by @nhudinh0309 in #22232
E2E: QA Added acceptance tests for validating a mandatory multi URL picker by @nhudinh0309 in #22235
E2E: Reverted npm command for smokeTest by @nhudinh0309 in #22246
E2E: Added acceptance tests for block grid area by @nhudinh0309 in #22181
E2E: QA Added acceptance tests for bulk actions by @nhudinh0309 in #22361
Unit tests: Add test coverage for ContentPermissionService by @AndyButland in #22373
E2E: QA Updated acceptance tests to match the recent UI changes by @nhudinh0309 in #22445
E2E: QA: add member type acceptance tests by @andr317c in #22379
E2E: QA: Added acceptance tests for member authentication by @andr317c in #22466
Integration Tests: Fix raw SQL statements in DocumentUrlTests (closes issue #22360) by @idseefeld in #22365
Tests: Remove dead KeepAlive config remnants by @pijemcolu in #22272
Build: Extract nbgv version step into shared template by @andr317c in #22480
Nightly Pipeline: Skip E2E and Integration stages when Build fails by @andr317c in #22568

🛡️ Code Quality, Documentation and Refactoring

Code Documentation: Add missing XML header documentation to the Umbraco.Cms.Infrastructure project by @readingdancer in #21782
Code Documentation: Add missing XML header documentation to the Umbraco.Cms.Api.Management project by @readingdancer in #21785
Code Quality: Add 'new' keyword to 3 methods hiding inherited members resolving CS0114 warnings by @reabr in #22317
Code Quality: Use array over dictionary in private collection of PublishedContentType by @Henr1k80 in #22476
Code Quality: Use more appropriate types for private fields of Umbraco.Cms.Core.Enum<T> by @Henr1k80 in #22475
Code Quality: Eliminate closure in AppPolicedCacheDictionary by @Henr1k80 in #22482
Code Quality/Logging: Fix 'occured' -> 'occurred' typos in log/error/comment strings by @SAY-5 in #22508
Code Quality: Reduce dictionary lookups within lock by @Henr1k80 in #22504
Code Quality: Use FrozenDictionary and Array instead of Dictionary and List in EntityContainer. by @Henr1k80 in #22505
Backoffice Agent Context: Add design philosophy, developer roles and skills for a few common extensions and infrastructure tasks by @madsrasmussen in #22273
Backoffice: Add Workspace documentation and create-workspace skill for agents by @madsrasmussen in #22300
Backoffice: Add Repository documentation and create-repository skill for agents by @madsrasmussen in #22310
Backoffice: Add client-side model guidance and repo rules for agents by @madsrasmussen in #22321
Agent Review: Prefer documentation over implementations by @madsrasmussen in #22324
Review: Claude Skill for Review of Github PRs by @nielslyngsoe in #22245
Claude: Agent MD files for manifestss by @nielslyngsoe in #22367
Developer Tools: Add umb-bump-version skill for automating version bumps by @AndyButland in #22438
Store: Accept tokens and update MDs for general Context Consumption by @nielslyngsoe in #22458
Management API: Reduce user start node tree filtering code duplication by @lauraneto in #22486

🏠 Internal

Backoffice: Fix Ctrl+C not terminating the example dev server by @madsrasmussen in #22249
CLAUDE.md: OpenAPI.json maintenance by @leekelleher in #22326
Mock Server: Add missing batch handlers for content types by @leekelleher in #22390
Backoffice Mocks: Introduce Mock Sets by @madsrasmussen in #22493
Backoffice Mocks: Add Webhook Mock Services + Kitchen sink mock data by @madsrasmussen in #22507
Backoffice Mocks: Fixes to Kitchen Sink mock data by @leekelleher in #22512
Eslint: Rule for Manifest Aliases by @nielslyngsoe in #22316
security.md Update Sanitize HTML docs to describe Umb-CMS implementation by @liamlaverty in #22552

New Contributors

@marcloveUSN made their first contribution in #22134
@reabr made their first contribution in #22317
@VargyasMoniLajos made their first contribution in #22309
@SAY-5 made their first contribution in #22508

Full Changelog: release-17.3.4...release-17.4.0-rc

umbraco/Umbraco-CMS release-17.4.0-rc 17.4.0-rc on GitHub