Skip to content

Bump craftcms/cms from 5.1.2 to 5.9.22#83

Open
dependabot[bot] wants to merge 1 commit into
craft-5from
dependabot/composer/craftcms/cms-5.9.22
Open

Bump craftcms/cms from 5.1.2 to 5.9.22#83
dependabot[bot] wants to merge 1 commit into
craft-5from
dependabot/composer/craftcms/cms-5.9.22

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 8, 2026

Copy link
Copy Markdown

Bumps craftcms/cms from 5.1.2 to 5.9.22.

Release notes

Sourced from craftcms/cms's releases.

5.9.22

  • Fixed a bug where dependencies required by composer.json were getting updated when installing/updating plugins. (#18755)
  • Fixed a bug where element thumbnails weren’t always getting loaded when they became visible.
  • Fixed a bug where two-step verification setup was working even if the user failed to re-authenticate, if they already had an elevated session. (#18753)
  • Fixed a bug where changes to Table fields’ “Table Columns” settings would cause existing data to be lost, if the “Static Rows” setting was enabled. (#18764)
  • Fixed a moderate-severity authorization bypass vulnerability. (GHSA-7h62-6v23-v8fm)

5.9.21

  • Fixed a bug where entries weren’t redirecting back to their section’s page’s URL by default.
  • Fixed a bug where the resourceBasePath and resourceBaseUrl config settings weren’t being respected for console requests. (#18685)
  • Fixed a bug where eager-loadable GraphQL fields could be populated with the wrong field’s results, if they followed a fragment with a *Interface type condition. (#18708)
  • Fixed a bug where users with permission to edit entries, but not view peer entries in a section, weren’t allowed to edit the authors for entries in the section. (#18717)
  • Fixed a bug where reference tags weren’t working with generated fields. (#18692)
  • Fixed errors that could occur when applying project config changes. (#18720)
  • Fixed a bug where it wasn’t always possible to sign into a user account that had the same email address as an inactive user. (#18723)
  • Fixed a bug where relational fields’ element query results weren’t always limited to the selected relations if the id param was overridden. (#15570)
  • Fixed an error that could occur when executing a queue job. (#18739)
  • Fixed high-severity authorization bypass vulnerabilities. (GHSA-x5m4-g2cq-52pq, GHSA-3w32-23wj-rxg3, GHSA-qh45-9g5p-m2v4)
  • Fixed moderate-severity permission escalation vulnerabilities. (GHSA-qq2c-2q8j-jh27, GHSA-43cq-c2gq-pfpw)

5.9.20

  • Fixed an issue that prevented Craft from being installed. (#18700)
  • Fixed a bug where nested element cards weren’t showing validation errors. (#18690)
  • Fixed a bug where read-only Matrix fields in Index mode weren’t respecting the Default Table Columns setting. (#18684)
  • Fixed a bug where nested entries could be lost when reverting content from a revision. (#18691)
  • Fixed a bug where nested entries weren’t getting loaded when previewing a revision, if queried with eagerly(). (#18693)

5.9.19

  • Most classes can now be instantiated via the create() Twig function. (#18376)
  • Added craft\helpers\ProjectConfig::pathDepth().
  • craft\services\Fields::deleteLayout() and deleteLayoutById() now have $hardDelete arguments.
  • Deprecated craft\services\ProjectConfig::getPendingChangeSummary().
  • Fixed a bug where element search query caches weren’t getting invalidated when elements’ search keywords were indexed. (#18275)
  • Fixed a bug where disabled sites weren’t getting loaded when running Codeception tests. (#18638)
  • Fixed a bug where custom entry index page icons weren’t getting stored properly if the source name contained periods. (#18631)
  • Fixed a bug where copying nested entries on a revision wasn’t working. (#18648)
  • Fixed a bug where Matrix fields in Blocks view could have “Duplicate selected blocks” and “Delete selected blocks” field-level actions. (#18652)
  • Fixed a bug where the submit button within Live Preview was labelled “Save” rather than “Create entry” when editing an unpublished draft. (#18579)
  • Fixed a bug where recent changes could be lost when creating an element or applying a draft, if there were validation errors. (#18657)
  • Fixed a bug where nested elements would get soft-deleted after running the entrify/global-set command. (#18650)
  • Fixed a bug where the “Max Authors” section setting was visible for Single sections.
  • Fixed an exception that would be thrown when attempting to access undefined keys within craft\fields\data\JsonData objects from Twig. (#18656)
  • Fixed a bug where address cards could be missing their address preview. (#18632)
  • Fixed a bug where the Save button’s spinner wouldn’t appear right away when saving a nested element in a slideout. (#18664)
  • Fixed a bug where the server check script wasn’t treating GD as a requirement. (craftcms/server-check#30)
  • Fixed a bug where tooltips could be instantiated multiple times within Link fields. (#18666)
  • Fixed a bug where localized nested element content could be overwritten when the owner element was propagated to a new site. (#18659)

5.9.18

  • Improved error logging when logging in with passkeys. (#18627)

... (truncated)

Changelog

Sourced from craftcms/cms's changelog.

5.9.22 - 2026-04-29

  • Fixed a bug where dependencies required by composer.json were getting updated when installing/updating plugins. (#18755)
  • Fixed a bug where element thumbnails weren’t always getting loaded when they became visible.
  • Fixed a bug where two-step verification setup was working even if the user failed to re-authenticate, if they already had an elevated session. (#18753)
  • Fixed a bug where changes to Table fields’ “Table Columns” settings would cause existing data to be lost, if the “Static Rows” setting was enabled. (#18764)
  • Fixed a moderate-severity authorization bypass vulnerability. (GHSA-7h62-6v23-v8fm)

5.9.21 - 2026-04-23

  • Fixed a bug where entries weren’t redirecting back to their section’s page’s URL by default.
  • Fixed a bug where the resourceBasePath and resourceBaseUrl config settings weren’t being respected for console requests. (#18685)
  • Fixed a bug where eager-loadable GraphQL fields could be populated with the wrong field’s results, if they followed a fragment with a *Interface type condition. (#18708)
  • Fixed a bug where users with permission to edit entries, but not view peer entries in a section, weren’t allowed to edit the authors for entries in the section. (#18717)
  • Fixed a bug where reference tags weren’t working with generated fields. (#18692)
  • Fixed errors that could occur when applying project config changes. (#18720)
  • Fixed a bug where it wasn’t always possible to sign into a user account that had the same email address as an inactive user. (#18723)
  • Fixed a bug where relational fields’ element query results weren’t always limited to the selected relations if the id param was overridden. (#15570)
  • Fixed an error that could occur when executing a queue job. (#18739)
  • Fixed high-severity authorization bypass vulnerabilities. (GHSA-x5m4-g2cq-52pq)
  • Fixed moderate-severity authorization bypass vulnerabilities. (GHSA-3w32-23wj-rxg3, GHSA-qh45-9g5p-m2v4)
  • Fixed moderate-severity permission escalation vulnerabilities. (GHSA-qq2c-2q8j-jh27, GHSA-43cq-c2gq-pfpw)

5.9.20 - 2026-04-14

  • Fixed an issue that prevented Craft from being installed. (#18700)
  • Fixed a bug where nested element cards weren’t showing validation errors. (#18690)
  • Fixed a bug where read-only Matrix fields in Index mode weren’t respecting the Default Table Columns setting. (#18684)
  • Fixed a bug where nested entries could be lost when reverting content from a revision. (#18691)
  • Fixed a bug where nested entries weren’t getting loaded when previewing a revision, if queried with eagerly(). (#18693)

5.9.19 - 2026-04-07

  • Most classes can now be instantiated via the create() Twig function. (#18376)
  • Added craft\helpers\ProjectConfig::pathDepth().
  • craft\services\Fields::deleteLayout() and deleteLayoutById() now have $hardDelete arguments.
  • Deprecated craft\services\ProjectConfig::getPendingChangeSummary().
  • Fixed a bug where element search query caches weren’t getting invalidated when elements’ search keywords were indexed. (#18275)
  • Fixed a bug where disabled sites weren’t getting loaded when running Codeception tests. (#18638)
  • Fixed a bug where custom entry index page icons weren’t getting stored properly if the source name contained periods. (#18631)
  • Fixed a bug where copying nested entries on a revision wasn’t working. (#18648)
  • Fixed a bug where Matrix fields in Blocks view could have “Duplicate selected blocks” and “Delete selected blocks” field-level actions. (#18652)
  • Fixed a bug where the submit button within Live Preview was labelled “Save” rather than “Create entry” when editing an unpublished draft. (#18579)
  • Fixed a bug where recent changes could be lost when creating an element or applying a draft, if there were validation errors. (#18657)
  • Fixed a bug where nested elements would get soft-deleted after running the entrify/global-set command. (#18650)
  • Fixed a bug where the “Max Authors” section setting was visible for Single sections.
  • Fixed an exception that would be thrown when attempting to access undefined keys within craft\fields\data\JsonData objects from Twig. (#18656)
  • Fixed a bug where address cards could be missing their address preview. (#18632)
  • Fixed a bug where the Save button’s spinner wouldn’t appear right away when saving a nested element in a slideout. (#18664)
  • Fixed a bug where the server check script wasn’t treating GD as a requirement. (craftcms/server-check#30)

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump craftcms/cms from 5.1.2 to 5.9.22
f0e8f1c 
Bumps [craftcms/cms](https://github.com/craftcms/cms) from 5.1.2 to 5.9.22.
- [Release notes](https://github.com/craftcms/cms/releases)
- [Changelog](https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md)
- [Commits](craftcms/cms@5.1.2...5.9.22)

---
updated-dependencies:
- dependency-name: craftcms/cms
  dependency-version: 5.9.22
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file php Pull requests that update php code labels May 8, 2026
@dependabot dependabot Bot mentioned this pull request May 8, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file php Pull requests that update php code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants