Bolt CMS releases

What's Changed

• Upgrade actions to Node24 versions by @bobvandevijver in https://github.com/bolt/core/pull/3706
• Remove @vue/cli-service by @bobvandevijver in https://github.com/bolt/core/pull/3707
• Fix MySQL CAST AS TEXT regression by @kouz75 in https://github.com/bolt/core/pull/3710
• Mysql - Fix field trait item types by @kouz75 in https://github.com/bolt/core/pull/3713

Full Changelog: https://github.com/bolt/core/compare/6.1.1...6.1.2

What's Changed

• Bump basic-ftp from 5.2.1 to 5.2.2 by @dependabot[bot] in https://github.com/bolt/core/pull/3703
• Bump follow-redirects from 1.15.11 to 1.16.0 by @dependabot[bot] in https://github.com/bolt/core/pull/3705
• Disable save button during form submission by @kouz75 in https://github.com/bolt/core/pull/3704

New Contributors

• @kouz75 made their first contribution in https://github.com/bolt/core/pull/3704

Full Changelog: https://github.com/bolt/core/compare/6.1.0...6.1.1

What's Changed

• Upgrade erusev parsedown packages by @bobvandevijver in https://github.com/bolt/core/pull/3702

Full Changelog: https://github.com/bolt/core/compare/6.0.3...6.1.0

What's Changed

• Bump axios from 1.13.5 to 1.15.0 by @dependabot[bot] in https://github.com/bolt/core/pull/3701

Full Changelog: https://github.com/bolt/core/compare/6.0.2...6.0.3

What's Changed

• Bump lodash from 4.17.21 to 4.17.23 by @dependabot[bot] in https://github.com/bolt/core/pull/3666
• Bump locutus from 2.0.16 to 2.0.39 by @dependabot[bot] in https://github.com/bolt/core/pull/3667
• Bump jsonpath from 1.1.1 to 1.2.0 by @dependabot[bot] in https://github.com/bolt/core/pull/3669
• Bump axios from 1.12.0 to 1.13.5 by @dependabot[bot] in https://github.com/bolt/core/pull/3671
• Bump jsonpath from 1.2.0 to 1.2.1 by @dependabot[bot] in https://github.com/bolt/core/pull/3672
• Bump qs from 6.5.3 to 6.5.4 by @dependabot[bot] in https://github.com/bolt/core/pull/3674
• Bump systeminformation from 5.28.8 to 5.31.1 by @dependabot[bot] in https://github.com/bolt/core/pull/3675
• Bump webpack from 5.89.0 to 5.105.0 by @dependabot[bot] in https://github.com/bolt/core/pull/3670
• Bump qs from 6.5.4 to 6.5.5 by @dependabot[bot] in https://github.com/bolt/core/pull/3676
• Bump ajv from 6.12.6 to 6.14.0 by @dependabot[bot] in https://github.com/bolt/core/pull/3677
• Bump bn.js from 4.12.0 to 4.12.3 by @dependabot[bot] in https://github.com/bolt/core/pull/3678
• Bump rollup from 2.79.1 to 2.80.0 by @dependabot[bot] in https://github.com/bolt/core/pull/3680
• Bump basic-ftp from 5.0.5 to 5.2.0 by @dependabot[bot] in https://github.com/bolt/core/pull/3679
• Bump minimatch by @dependabot[bot] in https://github.com/bolt/core/pull/3681
• Bump immutable from 4.3.4 to 4.3.8 by @dependabot[bot] in https://github.com/bolt/core/pull/3683
• Bump undici from 6.22.0 to 6.24.0 by @dependabot[bot] in https://github.com/bolt/core/pull/3687
• Bump jsonpath from 1.2.1 to 1.3.0 by @dependabot[bot] in https://github.com/bolt/core/pull/3689
• Bump yaml from 1.10.2 to 1.10.3 by @dependabot[bot] in https://github.com/bolt/core/pull/3690
• Bump picomatch from 2.3.1 to 2.3.2 by @dependabot[bot] in https://github.com/bolt/core/pull/3691
• Bump path-to-regexp and express by @dependabot[bot] in https://github.com/bolt/core/pull/3694
• Bump brace-expansion from 1.1.12 to 1.1.13 by @dependabot[bot] in https://github.com/bolt/core/pull/3695
• Bump basic-ftp from 5.2.0 to 5.2.1 by @dependabot[bot] in https://github.com/bolt/core/pull/3698
• Fix: null author locale when saving new content by @MrWeb in https://github.com/bolt/core/pull/3697
• Do not allow erusev/parsedown to fix failing cypress tests by @bobvandevijver in https://github.com/bolt/core/pull/3700

New Contributors

• @MrWeb made their first contribution in https://github.com/bolt/core/pull/3697

Full Changelog: https://github.com/bolt/core/compare/6.0.1...6.0.2

What's Changed

• Fix thumb save location by @bobvandevijver in https://github.com/bolt/core/pull/3665

Full Changelog: https://github.com/bolt/core/compare/6.0.0...6.0.1

What's Changed

• Fix thumb save location by @bobvandevijver in https://github.com/bolt/core/pull/3665

Full Changelog: https://github.com/bolt/core/compare/5.2.4...5.2.5

The first official release of Bolt 6 🎉

It's been some time, but as promised, Bolt 6 is here! Things will not be perfect, and the migration can be painful in certain scenarios. We did our best to document all changes and create automatic migrations for the configuration changes when applicable, but it will not work for everyone. In all cases manual changes are required as big changes have been pushed to update the dependencies!

📖 Make sure to read and understand both the changelog and upgrade notes carefully, you will need them!

• 📝 Changelog
• ⬆️ Upgrade notes

Are you experiencing issues? Let us know, preferably by using a ticket here on Github will all relevant information attached!

ℹ️ Note: there is no updated documentation as of now. Access to the domain has not yet been transferred, so for now we will have to live with that!

What's Changed

• update Issue template by @macintoshplus in https://github.com/bolt/core/pull/3550
• :arrow_up: Require Symfony 5.4 and remove web server bundle by @macintoshplus in https://github.com/bolt/core/pull/3535
• Fix implicitly nullable parameters by @bobvandevijver in https://github.com/bolt/core/pull/3559
• :arrow_up: Bump PHP 8.1 minimal version - issue #3551 by @macintoshplus in https://github.com/bolt/core/pull/3553
• :fire: Remove reference to symfony/webserver-bundle in symfony.lock by @macintoshplus in https://github.com/bolt/core/pull/3560
• :arrow_up: remove unused coduo/php-matcher dependency - issue #3551 by @macintoshplus in https://github.com/bolt/core/pull/3558
• :heavy_minus_sign: remove useless dependency psr/simple-cache by @macintoshplus in https://github.com/bolt/core/pull/3562
• :arrow_up: Update dependency php-translation/symfony-bundle by @macintoshplus in https://github.com/bolt/core/pull/3564
• :arrow_up: update siriusphp/upload by @macintoshplus in https://github.com/bolt/core/pull/3563
• :arrow_up: Update dependency symfony/webpack-encore-bundle by @macintoshplus in https://github.com/bolt/core/pull/3565
• :arrow_up: Update dependency league/glide-symfony by @macintoshplus in https://github.com/bolt/core/pull/3566
• :arrow_up: Update dependency embed/embed by @macintoshplus in https://github.com/bolt/core/pull/3567
• :arrow_up: Upgrade dependency babdev/pagerfanta-bundle - issue #3551 by @macintoshplus in https://github.com/bolt/core/pull/3556
• :heavy_minus_sign: Remove Loco adapter for translation by @macintoshplus in https://github.com/bolt/core/pull/3572
• :fr: Sync French translation from english file by @macintoshplus in https://github.com/bolt/core/pull/3571
• Bump follow-redirects from 1.15.3 to 1.15.4 by @dependabot[bot] in https://github.com/bolt/core/pull/3515
• Bump pbkdf2 from 3.1.2 to 3.1.3 by @dependabot[bot] in https://github.com/bolt/core/pull/3578
• Bump axios from 0.27.2 to 0.30.0 by @dependabot[bot] in https://github.com/bolt/core/pull/3577
• Bump @babel/runtime from 7.23.6 to 7.27.6 by @dependabot[bot] in https://github.com/bolt/core/pull/3580
• Bump @babel/helpers from 7.23.6 to 7.27.6 by @dependabot[bot] in https://github.com/bolt/core/pull/3581
• Bump elliptic from 6.5.4 to 6.6.1 by @dependabot[bot] in https://github.com/bolt/core/pull/3582
• Bump nanoid from 3.3.7 to 3.3.11 by @dependabot[bot] in https://github.com/bolt/core/pull/3583
• Bump path-to-regexp and express by @dependabot[bot] in https://github.com/bolt/core/pull/3584
• :arrow_up: Upgrade dependency nesbot/carbon - issue #3551 by @macintoshplus in https://github.com/bolt/core/pull/3554
• Bump on-headers and compression by @dependabot[bot] in https://github.com/bolt/core/pull/3589
• Fix token parser test by @bobvandevijver in https://github.com/bolt/core/pull/3590
• :arrow_up: update PHPUnit to 9.6, DMA Extension 6.7 and upgrade tests by @macintoshplus in https://github.com/bolt/core/pull/3570
• :arrow_up: Update symplify easy coding standard by @macintoshplus in https://github.com/bolt/core/pull/3568
• :arrow_up: :boom: Replace dependency tightenco/collect by illuminate/collect… by @macintoshplus in https://github.com/bolt/core/pull/3555
• Flip default for allowed file types by @bobvandevijver in https://github.com/bolt/core/pull/3593
• Release 5.2.3 by @bobvandevijver in https://github.com/bolt/core/pull/3594
• Upgrade code quality tooling by @bobvandevijver in https://github.com/bolt/core/pull/3592
• Bump brace-expansion from 1.1.11 to 1.1.12 by @dependabot[bot] in https://github.com/bolt/core/pull/3595
• Bump cross-spawn from 6.0.5 to 6.0.6 by @dependabot[bot] in https://github.com/bolt/core/pull/3597
• Bump sha.js from 2.4.11 to 2.4.12 by @dependabot[bot] in https://github.com/bolt/core/pull/3599
• Bump cipher-base from 1.0.4 to 1.0.6 by @dependabot[bot] in https://github.com/bolt/core/pull/3600
• Fixate rector/phpstan versions to prevent issues building up over time by @bobvandevijver in https://github.com/bolt/core/pull/3603
• Update phpunit namespace by @bobvandevijver in https://github.com/bolt/core/pull/3604
• :arrow_up: Replace bobdenotter/yaml-migrations by bolt/yaml-migrations by @macintoshplus in https://github.com/bolt/core/pull/3586
• :arrow_up: Replace bobdenotter/weatherwidget by bolt/weatherwidget by @macintoshplus in https://github.com/bolt/core/pull/3587
• :arrow_up: Replace bobdenotter/configuration-notices by bolt fork by @macintoshplus in https://github.com/bolt/core/pull/3588
• Bump axios from 0.30.0 to 1.12.0 by @dependabot[bot] in https://github.com/bolt/core/pull/3601
• Fix widget migrations by @bobvandevijver in https://github.com/bolt/core/pull/3605
• Migrate to attributes by @bobvandevijver in https://github.com/bolt/core/pull/3608
• Resolve deprecations by @bobvandevijver in https://github.com/bolt/core/pull/3615
• Resolve deprecations by @bobvandevijver in https://github.com/bolt/core/pull/3616
• Integrate translation behaviour by @bobvandevijver in https://github.com/bolt/core/pull/3617
• Remove migrations by @bobvandevijver in https://github.com/bolt/core/pull/3618
• Upgrade to Symfony 6.4 by @bobvandevijver in https://github.com/bolt/core/pull/3619
• Remove deprecated implementations by @bobvandevijver in https://github.com/bolt/core/pull/3620
• Bump min-document from 2.19.0 to 2.19.1 by @dependabot[bot] in https://github.com/bolt/core/pull/3622
• Upgrade to Monolog 3 by @bobvandevijver in https://github.com/bolt/core/pull/3623
• Require php-http/httplug-bundle ^2 by @bobvandevijver in https://github.com/bolt/core/pull/3624
• Require at least PHP 8.2 by @bobvandevijver in https://github.com/bolt/core/pull/3625
• Fixate composer version by @bobvandevijver in https://github.com/bolt/core/pull/3626
• Fix doctrine prod config and merge configuration files by @bobvandevijver in https://github.com/bolt/core/pull/3629
• Always specify PHP binary when running script by @bobvandevijver in https://github.com/bolt/core/pull/3631
• Add workflow to automatically close old issues/prs by @bobvandevijver in https://github.com/bolt/core/pull/3632
• Bump js-yaml from 3.14.1 to 3.14.2 by @dependabot[bot] in https://github.com/bolt/core/pull/3633
• Upgrade doctrine/dbal to v3 by @bobvandevijver in https://github.com/bolt/core/pull/3634
• Use 2 space indent for yaml files (works best with formatters) by @bobvandevijver in https://github.com/bolt/core/pull/3635
• Upgrade to PHPUnit 11 by @bobvandevijver in https://github.com/bolt/core/pull/3621
• Use controller injected Request object instead of global request stack by @bobvandevijver in https://github.com/bolt/core/pull/3637
• Add Symfony runtime by @bobvandevijver in https://github.com/bolt/core/pull/3638
• Disable annotations by @bobvandevijver in https://github.com/bolt/core/pull/3643
• Fix disabled tests by @bobvandevijver in https://github.com/bolt/core/pull/3639
• Enabled login throttling by default by @bobvandevijver in https://github.com/bolt/core/pull/3644
• API Platform v4 by @bobvandevijver in https://github.com/bolt/core/pull/3642
• Upgrade doctrine dependencies by @bobvandevijver in https://github.com/bolt/core/pull/3636
• Resolve configuration deprecations by @bobvandevijver in https://github.com/bolt/core/pull/3645
• Release/6.0.0 beta.1 by @bobvandevijver in https://github.com/bolt/core/pull/3646
• Fix bolt:setup by running doctrine scripts in new context by @bobvandevijver in https://github.com/bolt/core/pull/3649
• Remove more incorrect requeststack usages by @bobvandevijver in https://github.com/bolt/core/pull/3650
• Fix CAST query function for MariaDB platform by @bobvandevijver in https://github.com/bolt/core/pull/3652
• Add workflow to generate release by @bobvandevijver in https://github.com/bolt/core/pull/3653
• Allow doctrine/doctrine-migrations-bundle v4 by @bobvandevijver in https://github.com/bolt/core/pull/3655
• Bump minimum twig version to 3.21 by @bobvandevijver in https://github.com/bolt/core/pull/3656
• Update used kernel parameters to fix deprecation by @bobvandevijver in https://github.com/bolt/core/pull/3654
• Remove old PHPStan configuration, resolve latest errors by @bobvandevijver in https://github.com/bolt/core/pull/3657
• Fix getContentType return type by @bobvandevijver in https://github.com/bolt/core/pull/3658
• Fix possible path traversal through thumbnail endpoint by @bobvandevijver in https://github.com/bolt/core/pull/3660
• Register controller services by @bobvandevijver in https://github.com/bolt/core/pull/3662
• Fix possible path traversal through thumbnail endpoint by @bobvandevijver in https://github.com/bolt/core/pull/3661
• Bump systeminformation and cypress by @dependabot[bot] in https://github.com/bolt/core/pull/3659

Full Changelog: https://github.com/bolt/core/compare/5.2.2...6.0.0

This release includes a security-related fix. Our thanks for identifying this issue and disclosing it to us responsibly! 👏🙏

🔐 Security related changes

• Fix possible path traversal through thumbnail endpoint by @bobvandevijver in https://github.com/bolt/core/pull/3661

Full Changelog: https://github.com/bolt/core/compare/5.2.3...5.2.4

This release includes a security-related fix for new installations. Our thanks to an anonymous report for identifying this issue and disclosing it to us responsibly! 👏🙏

For existing users, please make sure to check your allowed file types. Every file is uploaded as is to a publicly accessible folder, which can be abused if HTML is allowed and the preview function in the Bolt admin panel is used. We recommend limiting the allowed file types as much as possible!

🔐 Security related changes

• Flip default for allowed file types (bobvandevijver, #3593)

Full Changelog: https://github.com/bolt/core/compare/5.2.2...5.2.3