Release: v26.04.21-01 → v26.04.22-01

Features & Enhancements

• UVE: Default device controls (desktop/tablet/mobile + orientation toggle) are now a dedicated pill component in the browser toolbar; the device selector menu is reduced to custom devices, social media, and search engines only. (#35419)

Fixes and Known Issues

• Database Migration: Fixed Task250604UpdateFolderInodes hanging indefinitely on large databases by replacing a per-row N×M query storm with a single HashSet pre-load, and releasing idle Hibernate transactions before ALTER TABLE DDL to prevent lock deadlock. (#35393)
• Feature Flags: Restored original behavior where the absence of a flag leaves a feature enabled, preventing features from being incorrectly disabled by default. (#35411)
• URL Map: Fixed a 404 error when a URL-mapped contentlet lives on a different site than the one receiving the request by adding a cross-site fallback query when the host-restricted lookup returns no results. (#35345)
• Edit Content: Fixed a race condition that could silently blank Category fields on contentlets with multiple Category fields after a lock/unlock cycle or form rebuild. (#35388)
• Key-Value Field: null values imported via CSV are now displayed as the string "null" in both legacy and new Edit Content UIs instead of being silently dropped. (#35401)
• OpenSearch: Fixed OSBulkHelper.getIndexName() always returning the hardcoded fallback "dotcms_content" due to a silent null return from an incorrect index type lookup; it now queries the active working index directly. (#35390)
• OpenSearch: Made shadow-write failure log verbosity configurable via DOTCMS_SHADOW_WRITE_LOG_LEVEL (default WARN) to reduce noise during OS migrations. (#35389)
• UI: Fixed container list right-click context menu, corrected warning toast severity mapping (WARNING → warn), fixed bundle upload dialog to restrict file picker to .tar.gz/.gz/.tgz and display the selected filename, and corrected container copy() from PUT to POST (was returning 405). (#35380)
• URL Title: Replaced inline HTML string manipulation in url-title_old.vtl with safe DOM methods for slug suggestion links, eliminating an XSS risk. (#35406)
• Localization: Added missing tag-select-host translation key for the host selection label in the UI. (#35405)

Infrastructure & Security

• Reindex: Converted ReindexEntry from a mutable POJO to an @Value.Immutable value object, preserving original equals/hashCode semantics. (#35391)
• Tooling: Removed the dotcms-frontend-review Claude skill and its exclusive agents; added .venv/ to .gitignore. (#35400)

Changelog

• 0a25373 🏁 Publishing dotCLI release version [26.04.22-01]

Contributors

We'd like to thank the following people for their contributions:

• dotCMS-Machine-User

Changelog

• 82cbf51 🏁 Publishing dotCLI release version [26.04.21-01]

Contributors

We'd like to thank the following people for their contributions:

• dotCMS-Machine-User

Release: v26.04.11-02 → v26.04.20-01

Features & Enhancements

• Identifier: Adds base_type column and idx_identifier_base_type index to the identifier table, backfilled in batches via PopulateIdentifierBaseTypeJob — enables faster content-type-aware queries without joins to structure. (#35164)
• Content Indexing: Migrates ContentletIndexAPIImpl to a vendor-neutral phase-aware router, enabling dual-write to both Elasticsearch and OpenSearch backends during the ES→OS migration. (#35289)
• Edit Content: Workflow command bar now renders all actions as individual inline buttons (with an overflow menu for 4+), replacing the split-button pattern so all actions are immediately discoverable. (#35290)
• File Browser: Uploaded files are now automatically selected and the Add button immediately enabled after a successful upload, eliminating the extra click. (#35301)
• UVE: Same-page navigation (hash-only or query-only URL changes) no longer triggers a full page reload in the editor canvas. (#35326)
• UVE: Quick-edit panel gains a Cancel button that restores the last saved snapshot; container labels in the row-reorder palette now show a tooltip for truncated titles. (#35374)
• Content Drive: Adds an Edit Permissions option to the folder context menu, opening the existing permissions portlet in a dialog (shown only when the user holds EDIT_PERMISSIONS). (#35327)
• Content Drive / Edit Content: Pre-fills the Host/Folder field when creating a contentlet from a folder context in the legacy browser. (#35322)
• Bundle Management: New REST endpoints POST /api/v1/bundles/assets and DELETE /api/v1/bundles/{bundleId}/assets replace the legacy JSP-based bundle asset management with partial-success semantics and in-progress bundle guards. (#35024)
• Maintenance Portlet: New REST endpoints GET /api/v1/caches, GET /api/v1/caches/stats, and DELETE /api/v1/caches/region/{regionName} replace JSP-based cache management; also fixes missing resetAllPermissionReferences() side-effect on the existing provider flush endpoint. (#35218)
• Portlets: Adds push publish action to the Plugins portlet context menu (requires enterprise license and configured environments); standardizes UI across Locales, Tags, and other portlets. (#35311)
• UVE: Visual polish pass across UVE 2.0 — responsive sidebar widths, palette thumbnail and hover improvements, style editor form consistency, and row-reorder hover fill. (#35343)

Fixes and Known Issues

• Edit Content: Block editor field now correctly parses JSON strings returned by the API during content translation, preventing raw JSON from displaying as plain text. (#35247)
• Edit Content: Switching to an untranslated locale now clears inode and resets the workflow step, so default workflow actions (e.g. "Save as Draft") are shown instead of the original contentlet's actions. (#35309)
• Tasks Portlet: Task Detail dialog now opens correctly for content types using the new edit mode, since the edit-task handler always uses the legacy task detail path. (#35312)
• GraphQL: Anonymous queries traversing relationship fields no longer return Internal Server Error — denied access now surfaces as PERMISSION_DENIED in the errors array. (#35038)
• Content Types API: The ensure parameter no longer causes the ensured item to appear twice or permanently omit a displaced item from paginated results. (#35300)
• Vanity URLs: Restores the trailing slash on /c/ in BACKEND_FILTERED_COLLECTION, preventing the prefix from incorrectly matching all URLs starting with the letter "c". (#35346)
• Push Publish: Fixes NPE, missing content, and "Conflicts between Folders" errors when push-publishing a renamed folder by bumping version_ts on contained assets and re-keying child subfolder identifiers. (#35298)
• Reindex: Eliminates a TOCTOU race in ReindexThread by creating a fresh BulkProcessorListener and IndexBulkProcessor per batch, preventing silent record loss from concurrent rebuild signals. (#35323)
• OpenSearch: OSIndexAPIImpl now loads os-content-settings.json (the file that actually exists) so indices are always created with my_analyzer, fixing HTTP 400 errors from addCustomMapping on OS 3.4.0. (#35349)
• OpenSearch: Phase 3 (OPENSEARCH_ONLY) no longer queries the decommissioned ES cluster or recreates ES indices on checkAndInitializeIndex() cycles. (#35356)
• OpenSearch: OSIndexAPIImpl.getClosedIndexes() is now implemented, fixing HTTP 404 on all subsequent operations after closing an OS index. (#35352)
• Feature Flags: DotPropertiesService.getFeatureFlag() now correctly handles native JSON boolean values from the config endpoint, fixing the Style Editor tab being hidden despite the flag being enabled. (#35332)
• UVE: Workflow actions in the UVE toolbar are restored to the p-splitButton grouped layout; the inline-buttons behavior introduced in #35290 is preserved for Edit Content. (#35361)
• Rules Engine: /api/portlet/rules/include now returns HTTP 400 for missing/malformed IDs and HTTP 404 for unmatched IDs, replacing a JasperException HTML error page; also fixes an XSS vector in the JSP script block. (#35337)
• Security: Upgrades commons-beanutils (CVE-2025-48734), commons-io (CVE-2024-47554), guava (CVE-2023-2976), bouncy-castle (CVE-2023-33202), and commons-lang3 (CVE-2025-48924); adds OWASP suppressions for 21 Elasticsearch client false positives. (#35236)
• Database: Fixes a connection leak visible in logs approximately 30 minutes after dotCMS startup. (#35120)
• Next.js SDK Example: Restores @dotcms/react, @dotcms/types, and @dotcms/uve dependencies to latest published versions, fixing broken installs for anyone cloning the example. (#35357)
• Portlets UI: Standardizes search box widths, fixes the content compare version dropdown not showing a selected value on first load, and corrects Categories import dialog layout overflow. (#35341)

Infrastructure & Security

• UVE Store: Refactors UVE store to a single-source-of-truth model via computed signals ($page(), $site(), etc.), removing duplicated state fields and renaming GraphQL-specific properties to implementation-agnostic names. (#34173)
• Dependencies: Removes the com.dotcms.lib:dot.guava repackaged artifact and migrates all 240 com.dotcms.repackage.com.google.common.* imports to standard com.google.common.*. (#35315)
• OWASP: Wires owasp-suppressions.xml to the dependency-check Maven plugin — the suppression file existed since 2024 but was never referenced, causing 21 false-positive CVEs to appear in every scan. (#35340)
• SDK Publishing: Introduces a single VERSION file as the source of truth for all SDK package versions, fixing @next publish collisions caused by per-package version drift. (#35110)
• OpenSearch Tests: Adds 20 integration tests for ContentFactoryIndexOperationsOS against a live OS 3.x container, and fixes cache key stability, sort unmappedType, scroll track_total_hits, and missing SearchHit.index bugs discovered during testing. (#35317)
• CI: Upgrades the Claude orchestrator to v2.1.0, adding a pre-flight Anthropic API availability check so PR pipelines skip gracefully during service outages instead of failing. (#35336)
• Starter: Bumps the empty starter deploy version to empty_20260331, ensuring fresh installs include the correct Plugins portlet layout configuration. (#35364)
  ...

Changelog

• ff3e837 🏁 Publishing dotCLI release version [26.04.20-01]

Contributors

We'd like to thank the following people for their contributions:

• dotCMS-Machine-User

Release: v26.04.11-02 → v26.04.11-02

No user-facing changes in this release.