• Composer package constraints in composer.json are now set with caret operators (e.g. ^1.2.3). (#18297)
• The up command now warns about any astray license issues before running migrations. (#18297)
• Added the “Change the author of other users’ entries” permission for channel and structure sections. (#18298)
• Improved the accessibility of user permission lists and GraphQL schema component lists. (#18290)
• config/twig-sandbox.php can now include an allowedClasses array, with class names whose entire collection of properties and methods should be allowed in sandboxed Twig environments.
• craft\fields\data\ColorData, craft\fields\data\IconData, craft\fields\data\JsonData, craft\fields\data\LinkData, craft\fields\data\MultiOptionsFieldData, and craft\fields\data\OptionData are now allowed in their entirety within sandboxed Twig environments.
• Fixed a bug where element index pages weren’t retaining their search query param if present on the initial request.
• Fixed a bug where element search query caches weren’t getting invalidated when elements’ search keywords were indexed. (#18275)
• Fixed an error that could occur when loading elements with provisional changes.
• Fixed an error that could occur when reverting content from an entry revision.
• Fixed a bug where field layout elements weren’t always getting saved in the correct position, if the layout config referenced custom fields that no longer exist. (#18268)
• Fixed a bug where custom entry index pages weren’t visible when viewing other entry types’ index pages. (#18284)
• Fixed a bug where element index pages could show a spinner indefinitely if there weren’t any visible sources. (#18286)
• Fixed a bug where ineditable fields appeared to be editable via the inline editing mode on element indexes. (#18291)
• Fixed a high-severity user account enumeration vulnerability. (GHSA-234q-vvw3-mrfq)
• Fixed a moderate-severity permission escalation vulnerability.