5.9.19

• Most classes can now be instantiated via the create() Twig function. (#18376)
• Added craft\helpers\ProjectConfig::pathDepth().
• craft\services\Fields::deleteLayout() and deleteLayoutById() now have $hardDelete arguments.
• Deprecated craft\services\ProjectConfig::getPendingChangeSummary().
• Fixed a bug where element search query caches weren’t getting invalidated when elements’ search keywords were indexed. (#18275)
• Fixed a bug where disabled sites weren’t getting loaded when running Codeception tests. (#18638)
• Fixed a bug where custom entry index page icons weren’t getting stored properly if the source name contained periods. (#18631)
• Fixed a bug where copying nested entries on a revision wasn’t working. (#18648)
• Fixed a bug where Matrix fields in Blocks view could have “Duplicate selected blocks” and “Delete selected blocks” field-level actions. (#18652)
• Fixed a bug where the submit button within Live Preview was labelled “Save” rather than “Create entry” when editing an unpublished draft. (#18579)
• Fixed a bug where recent changes could be lost when creating an element or applying a draft, if there were validation errors. (#18657)
• Fixed a bug where nested elements would get soft-deleted after running the entrify/global-set command. (#18650)
• Fixed a bug where the “Max Authors” section setting was visible for Single sections.
• Fixed an exception that would be thrown when attempting to access undefined keys within craft\fields\data\JsonData objects from Twig. (#18656)
• Fixed a bug where address cards could be missing their address preview. (#18632)
• Fixed a bug where the Save button’s spinner wouldn’t appear right away when saving a nested element in a slideout. (#18664)
• Fixed a bug where the server check script wasn’t treating GD as a requirement. (craftcms/server-check#30)
• Fixed a bug where tooltips could be instantiated multiple times within Link fields. (#18666)
• Fixed a bug where localized nested element content could be overwritten when the owner element was propagated to a new site. (#18659)

4.17.13

• Most classes can now be instantiated via the create() Twig function. (#18376)
• Fixed a bug where element search query caches weren’t getting invalidated when elements’ search keywords were indexed. (#18275)

5.9.18

• Improved error logging when logging in with passkeys. (#18627)
• Added craft\controllers\ElementIndexesController::$fieldLayouts.
• craft\services\ElementSources::getTableAttributes() now has a $fieldLayouts argument.
• Fixed a bug where GraphQL results were getting cached even if they contained transform generation URLs. (#18581)
• Fixed a bug where aria-activedescendant, aria-flowto, and aria-owns attributes weren’t getting namespaced by {% namespace %} tags. (#18577)
• Fixed a bug where sites with missing enabled values were being treated as enabled. (#18572)
• Fixed a bug where GraphQL fields within fragments weren’t getting eager-loaded if the fragment’s type condition referenced an interface (e.g. on EntryInterface) rather than a specific type name. (#18588)
• Fixed a bug where relation fields were getting marked as translatable if they used a custom translation method, even if the rendered translation key was blank. (#18580)
• Fixed a bug where section and field chips in the “Used by” column of the Entry Types index page weren’t getting hyperlinked. (#18589)
• Fixed a bug where exceptions thrown when sending emails weren’t getting handled properly. (#18597)
• Fixed a bug where unordered lists weren’t getting styled correctly within Tip/Warning/Markdown field layout UI elements. (#18598)
• Fixed an error that could occur when upgrading to Craft 5. (#18576)
• Fixed a bug where nested Matrix entries’ Title fields were getting validation errors if blank, even if the nested entry was disabled. (#18611)
• Fixed an infinite recursion bug that could occur if the loginPath, logoutPath, setPasswordPath, or verifyEmailPath config settings were set to a callable that called the sites service. (#18605)
• Fixed a bug where Matrix fields in Index view mode could be missing custom field columns. (#18590)
• Fixed a JavaScript error that could occur when opening a modal. (#18612)
• Fixed a bug where element chips and cards weren’t getting refreshed when a provisional draft’s changes were discarded in a different tab.
• Fixed a bug where element attributes weren’t always updating when content changes were made.
• Fixed a bug where successive edits to nested elements were forgotten. (#18624)
• Fixed a bug where nested elements weren’t getting duplicated when a new site was added to the owner element. (#18621)
• Fixed a bug where nested entries were getting assigned new IDs if they were edited multiple times for the same owner element draft. (#18461)
• Fixed a SQL error that could occur when editing an element draft that had upstream changes. (#18626)
• Fixed a bug where custom sources’ labels weren’t being translated within the document title. (#18629)
• Fixed moderate-severity information disclosure vulnerabilities. (GHSA-gj2p-p9m4-c8gw, GHSA-33m5-hqp9-97pw)
• Fixed a moderate-severity RCE vulnerability. (GHSA-qrgm-p9w5-rrfw)

4.17.12

• Fixed a bug where GraphQL results were getting cached even if they contained transform generation URLs. (#18581)
• Fixed a bug where aria-activedescendant, aria-flowto, and aria-owns attributes weren’t getting namespaced by {% namespace %} tags. (#18577)
• Fixed a moderate-severity information disclosure vulnerability. (GHSA-gj2p-p9m4-c8gw)
• Fixed a moderate-severity RCE vulnerability. (GHSA-qrgm-p9w5-rrfw)

5.9.17

• Added craft\helpers\DateTimeHelper::testTimeToSeconds().
• Fixed an error that could occur after running the utils/fix-field-layout-uids command. (#18516)
• Fixed a JavaScript error that could occur if any field layout elements were configured with unsupported widths. (#18552)
• Fixed an error that could occur when user impersonation failed. (#18569)
• Fixed a bug where deeply-nested elements could be deleted unexpectedly. (#18537)
• Fixed a warning that was getting logged when using craft\filters\SiteFilterTrait.
• Fixed a bug where prefixing entry queries’ authorGroup params with and or not operators wasn’t working properly. (#18551)
• Fixed an error that could occur when running the gc command, if a Matrix field had been converted to an Addresses or Content Block field. (#18549)
• Fixed a styling issue. (#18566)
• Fixed a JavaScript error that could occur when Time fields’ Min/Max Time settings were set.

4.17.11

• Fixed an error that could occur after running the utils/fix-field-layout-uids command. (#18516)
• Fixed a JavaScript error that could occur if any field layout elements were configured with unsupported widths. (#18552)
• Fixed an error that could occur when user impersonation failed. (#18569)

5.9.16

• Updated @simplewebauthn/browser to 13.3.0. (#18545)
• Updated web-auth/webauthn-lib to 5.2.4. (#18545)
• Fixed an error that occurred when loading some control panel resources on environments with craft\web\AssetManager::$cacheSourcePaths disabled. (#18536)
• Fixed a bug where craft\fields\data\LinkData::getUrl() was returning the URL suffix rather than an empty string, if the rendered base URL was an empty string.

4.17.10

• Fixed an error that occurred when loading some control panel resources on environments with craft\web\AssetManager::$cacheSourcePaths disabled. (#18536)

5.9.15

• Element edit pages once again redirect to their referral URL on save. (#18483)
• Added craft\filters\IpRateLimitIdentity. (#18510)
• Added craft\helpers\App::resourcePathByUri().
• Removed thamtech/yii2-ratelimiter-advanced. (#18510)
• Fixed a bug where global set GraphQL query caches weren’t getting invalidated when global sets were updated. (#18479)
• Fixed a bug where users/suspend-user and users/unsuspend-user actions required that the logged-in user have control panel access. (#18485)
• Fixed a bug where flipping an image within the Image Editor didn’t always work. (#18486)
• Fixed a bug where SVG files missing their width and height attributes weren’t getting them set as expected.
• Fixed an error that occurred if a template referenced a preloaded Single entry followed by a null coalescing operator. (#18503)
• Fixed a bug where links within Redactor fields were getting target="_blank" added to them. (#18500)
• Fixed an error that could occur when applying project config changes, or editing entries with an invalid entry type. (#18477, #18505)
• Fixed a bug where Content Block fields’ nested values weren’t always getting set correctly via resave commands. (#18453)
• Fixed a bug where addresses without labels weren’t getting chip labels. (#18481)
• Fixed a JavaScript error that could occur on element edit pages.
• Fixed a bug where cross-site validation errors weren’t preventing elements from getting saved. (#18292)
• Fixed a bug where failure messages when pasting elements weren’t getting displayed properly.
• Fixed a bug where craft\helpers\UrlHelper::cpReferralUrl() was returning the referrer URL even if it had the same URI as the current page. (#18483)
• Fixed a bug where Matrix field’ grouped entry type menu labels weren’t translatable. (#18528)
• Fixed moderate-severity SSRF vulnerabilities. (GHSA-3m9m-24vh-39wx, GHSA-95wr-3f2v-v2wh)
• Fixed a moderate-severity authorization bypass vulnerability. (GHSA-jq2f-59pj-p3m3)

4.17.9

• Added craft\filters\IpRateLimitIdentity. (#18510)
• Added craft\helpers\App::resourcePathByUri().
• Removed thamtech/yii2-ratelimiter-advanced. (#18510)
• Fixed a bug where global set GraphQL query caches weren’t getting invalidated when global sets were updated. (#18479)
• Fixed a bug where users/suspend-user and users/unsuspend-user actions required that the logged-in user have control panel access. (#18485)
• Fixed a bug where flipping an image within the Image Editor didn’t always work. (#18486)
• Fixed a bug where SVG files missing their width and height attributes weren’t getting them set as expected.
• Fixed an error that occurred if a template referenced a preloaded Single entry followed by a null coalescing operator. (#18503)
• Fixed a bug where links within Redactor fields were getting target="_blank" added to them. (#18500)
• Fixed moderate-severity SSRF vulnerabilities. (GHSA-3m9m-24vh-39wx, GHSA-95wr-3f2v-v2wh)