Skip to content

chore(deps): bump @apostrophecms/import-export from 3.5.2 to 3.5.3#35

Open
dependabot[bot] wants to merge 6 commits into
mainfrom
dependabot/npm_and_yarn/apostrophecms/import-export-3.5.3
Open

chore(deps): bump @apostrophecms/import-export from 3.5.2 to 3.5.3#35
dependabot[bot] wants to merge 6 commits into
mainfrom
dependabot/npm_and_yarn/apostrophecms/import-export-3.5.3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Mar 18, 2026

Copy link
Copy Markdown

Bumps @apostrophecms/import-export from 3.5.2 to 3.5.3.

Changelog

Sourced from @​apostrophecms/import-export's changelog.

3.5.3

Security

  • Fixed vulnerability that allowed any user with permission to edit the global settings document, e.g. headers, footers, etc., to potentially deface the site by writing files to the public/ folder or overwrite site code accessible to the same Linux account that runs the server process. This vulnerability was not publicly disclosed prior to the release of this fix. Upgrading immediately is strongly recommended for those using the import-export module. Thanks to 0xEr3n for reporting the vulnerability and providing test cases.
Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

rudivanhierden and others added 6 commits March 10, 2026 15:01
Replace memoryStorage with databaseStorage backed by Sequelize models
for authorization codes, refresh tokens, and tasks. Access tokens
already used the database. Adds migration for the three new tables.

Also fixes a bug in token.js where non-existent memoryStorage.clients
was called instead of db.Client.
…ffinity

Add USE_KUBERNETES_CRONJOBS env var to disable in-process cron scheduling
and offload to a dedicated K8s CronJob that runs every configurable N
minutes, executing any application crons due within that window.

Add configurable pod anti-affinity (preferred/required) scoped to the
current namespace to spread replicas across nodes.
Move podAntiAffinity config from api-specific to global.podAntiAffinity
with enabled/mode settings. Add reusable helper template and apply to
all 5 deployments (api, admin, auth, cms, image). Each deployment uses
its own app label, scoped to the current namespace.
Add global.autoscaling values with per-service overrides for HPA
configuration including stabilizationWindowSeconds (cooldown) and
scaling policies. When autoscaling is enabled, replicas are omitted
from Deployments so the HPA manages pod count.
Bumps [@apostrophecms/import-export](https://github.com/apostrophecms/apostrophe/tree/HEAD/packages/import-export) from 3.5.2 to 3.5.3.
- [Changelog](https://github.com/apostrophecms/apostrophe/blob/main/packages/import-export/CHANGELOG.md)
- [Commits](https://github.com/apostrophecms/apostrophe/commits/@apostrophecms/import-export@3.5.3/packages/import-export)

---
updated-dependencies:
- dependency-name: "@apostrophecms/import-export"
  dependency-version: 3.5.3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 18, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant