Skip to content

Bump craftcms/cms from 5.9.18 to 5.10.8#108

Open
dependabot[bot] wants to merge 1 commit into
develop-v5from
dependabot/composer/craftcms/cms-5.10.8
Open

Bump craftcms/cms from 5.9.18 to 5.10.8#108
dependabot[bot] wants to merge 1 commit into
develop-v5from
dependabot/composer/craftcms/cms-5.10.8

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 23, 2026

Copy link
Copy Markdown

Bumps craftcms/cms from 5.9.18 to 5.10.8.

Release notes

Sourced from craftcms/cms's releases.

5.10.8

  • Fixed a bug where element thumbnails could have inconsistent rounded corners. (#19117)
  • Fixed a bug where video file uploads could cause a timeout or exhaust the memory limit. (#19131)
  • Fixed an error that occurred if a custom source had a condition rule that referenced a field instance that no longer existed. (#19132)
  • Fixed a bug where the relation deletion blocker’s messages weren’t always properly capitalized. (#19133)
  • Fixed a bug where the “Delete” button within element deletion blocker modals wasn’t getting translated properly. (#19134)
  • Fixed a bug where the previewTokenDuration config setting was defaulting to 1 day, rather than to the defaultTokenDuration value. (#18550)
  • Fixed a bug where nested elements weren’t showing validation errors. (#19147)
  • Fixed a bug where error summaries weren’t properly linking to their corresponding fields’ error lists. (#19147)
  • Fixed a high-severity XSS vulnerability.
  • Fixed a high-severity authorization bypass vulnerability.

5.10.7

  • Added craft\web\twig\AllowableInSandbox.
  • Fixed a bug where craft\helpers\App::parseEnv() wasn’t resolving aliases for environment variables that referenced an alias (e.g. @root/storage/rebrand). (#19108)
  • Fixed a bug where the “Parent” field on Structure entries’ edit pages wasn’t showing the parent entry if it didn’t exist for the same site being edited, causing the parent relationship to be lost on save. (#19110)
  • Fixed a high-severity RCE vulnerability.

5.10.6

  • Forward slashes in query strings are now encoded. (#19057)
  • Added craft\controllers\EVENT_BEFORE_SAVE_IMAGE. (#19068)
  • Added craft\events\SaveAssetImageEvent. (#19068)
  • Added craft\web\Request::getPreviewParam().
  • Updated Axios to 1.17.0. (#19053)
  • Fixed a bug where no-cache and X-Robots-Tag: none headers weren’t always being sent for requests with x-craft-preview or x-craft-live-preview query string params. (#19060)
  • Fixed a bug where the “Delete” element edit page action wasn’t working properly when editing a provisional draft.
  • Fixed a bug where craft\helpers\App::parseEnv() wasn’t returning boolean values for environment variable names that resolved to true/false values. (#19029)
  • Fixed a bug where the submit button within Live Preview was labelled “Submit” rather than “Save”. (#19056)
  • Fixed a bug where the selected site wasn’t being remembered after saving an element. (#19054)
  • Fixed a bug where transformed SVG images could have two sets of width and height attributes. (#1902w7)
  • Fixed an infinite recursion bug. (#19063)
  • Fixed a JavaScript error that could occur if there was an error rendering an element condition rule’s Twig template.
  • Fixed a bug where relational fields’ element selector modals weren’t showing any results if they were configured to only relate to elements in a specific site, and the author didn’t have permission to access that site. (#19078)
  • Fixed a bug where element cards were showing preview values for conditionally-hidden fields. (#19064)
  • Fixed a bug where some bulk element actions could exhaust the memory limit on large selections. (#19070)
  • Fixed a SQL error that could occur when uploading an asset, if it contained non-UTF-8 alt text in its metadata. (#19069)
  • Fixed an error that could occur when editing an entry if a soft-deleted user had recently edited the same entry. (#19081)
  • Fixed a PHP error that occurred when setting general config settings via config/general.console.php or config/general.web.php. (#19083)
  • Fixed a bug where address cards would show “0, 0” for Longitude/Latitude values when neither field had been populated. (#19093)
  • Fixed a bug where field conditions within Matrix blocks weren’t always working when editing the owner element in a slideout. (#19084)
  • Fixed a bug where verification code inputs weren’t always getting autofilled by password managers. (#19094)
  • Fixed a bug where the “Use defaults” button in element index view menus wasn’t being shown automatically after a column header was pressed on. (#19101)
  • Fixed a styling issue.
  • Fixed high-severity RCE vulnerabilities.
  • Fixed a high-severity information disclosure vulnerability.
  • Fixed a moderate-severity authorization bypass vulnerability.
  • Fixed a low-severity information disclosure vulnerability.
  • Fixed a low-severity potential path traversal vulnerability.

5.10.5

... (truncated)

Changelog

Sourced from craftcms/cms's changelog.

5.10.8 - 2026-06-23

  • Fixed a bug where element thumbnails could have inconsistent rounded corners. (#19117)
  • Fixed a bug where video file uploads could cause a timeout or exhaust the memory limit. (#19131)
  • Fixed an error that occurred if a custom source had a condition rule that referenced a field instance that no longer existed. (#19132)
  • Fixed a bug where the relation deletion blocker’s messages weren’t always properly capitalized. (#19133)
  • Fixed a bug where the “Delete” button within element deletion blocker modals wasn’t getting translated properly. (#19134)
  • Fixed a bug where the previewTokenDuration config setting was defaulting to 1 day, rather than to the defaultTokenDuration value. (#18550)
  • Fixed a bug where nested elements weren’t showing validation errors. (#19147)
  • Fixed a bug where error summaries weren’t properly linking to their corresponding fields’ error lists. (#19147)
  • Fixed a high-severity XSS vulnerability.
  • Fixed a high-severity authorization bypass vulnerability.

5.10.7 - 2026-06-17

  • Added craft\web\twig\AllowableInSandbox.
  • Fixed a bug where craft\helpers\App::parseEnv() wasn’t resolving aliases for environment variables that referenced an alias (e.g. @root/storage/rebrand). (#19108)
  • Fixed a bug where the “Parent” field on Structure entries’ edit pages wasn’t showing the parent entry if it didn’t exist for the same site being edited, causing the parent relationship to be lost on save. (#19110)
  • Fixed a high-severity RCE vulnerability.

5.10.6 - 2026-06-16

  • Forward slashes in query strings are now encoded. (#19057)
  • Added craft\controllers\EVENT_BEFORE_SAVE_IMAGE. (#19068)
  • Added craft\events\SaveAssetImageEvent. (#19068)
  • Added craft\web\Request::getPreviewParam().
  • Updated Axios to 1.17.0. (#19053)
  • Fixed a bug where no-cache and X-Robots-Tag: none headers weren’t always being sent for requests with x-craft-preview or x-craft-live-preview query string params. (#19060)
  • Fixed a bug where the “Delete” element edit page action wasn’t working properly when editing a provisional draft.
  • Fixed a bug where craft\helpers\App::parseEnv() wasn’t returning boolean values for environment variable names that resolved to true/false values. (#19029)
  • Fixed a bug where the submit button within Live Preview was labelled “Submit” rather than “Save”. (#19056)
  • Fixed a bug where the selected site wasn’t being remembered after saving an element. (#19054)
  • Fixed a bug where transformed SVG images could have two sets of width and height attributes. (#1902w7)
  • Fixed an infinite recursion bug. (#19063)
  • Fixed a JavaScript error that could occur if there was an error rendering an element condition rule’s Twig template.
  • Fixed a bug where relational fields’ element selector modals weren’t showing any results if they were configured to only relate to elements in a specific site, and the author didn’t have permission to access that site. (#19078)
  • Fixed a bug where element cards were showing preview values for conditionally-hidden fields. (#19064)
  • Fixed a bug where some bulk element actions could exhaust the memory limit on large selections. (#19070)
  • Fixed a SQL error that could occur when uploading an asset, if it contained non-UTF-8 alt text in its metadata. (#19069)
  • Fixed an error that could occur when editing an entry if a soft-deleted user had recently edited the same entry. (#19081)
  • Fixed a PHP error that occurred when setting general config settings via config/general.console.php or config/general.web.php. (#19083)
  • Fixed a bug where address cards would show “0, 0” for Longitude/Latitude values when neither field had been populated. (#19093)
  • Fixed a bug where field conditions within Matrix blocks weren’t always working when editing the owner element in a slideout. (#19084)
  • Fixed a bug where verification code inputs weren’t always getting autofilled by password managers. (#19094)
  • Fixed a bug where the “Use defaults” button in element index view menus wasn’t being shown automatically after a column header was pressed on. (#19101)
  • Fixed a styling issue.
  • Fixed high-severity RCE vulnerabilities.
  • Fixed a high-severity information disclosure vulnerability.
  • Fixed a moderate-severity authorization bypass vulnerability.
  • Fixed a low-severity information disclosure vulnerability.

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [craftcms/cms](https://github.com/craftcms/cms) from 5.9.18 to 5.10.8.
- [Release notes](https://github.com/craftcms/cms/releases)
- [Changelog](https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md)
- [Commits](craftcms/cms@5.9.18...5.10.8)

---
updated-dependencies:
- dependency-name: craftcms/cms
  dependency-version: 5.10.8
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file php Pull requests that update php code labels Jun 23, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file php Pull requests that update php code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants