chore(deps): update dependency wagtail to v4 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
wagtail (source, changelog)	==2.12.5 -> ==4.1.9

GitHub Vulnerability Alerts

CVE-2023-28836

Impact

A stored cross-site scripting (XSS) vulnerability exists on ModelAdmin views within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could potentially craft pages and documents that, when viewed by a user with higher privileges, could perform actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, and only affects sites with ModelAdmin enabled.

• For page, the vulnerability is in the "Choose a parent page" ModelAdmin view (ChooseParentView), available when managing pages via ModelAdmin.
• For documents, the vulnerability is in the ModelAdmin Inspect view (InspectView) when displaying document fields.

Patches

Patched versions have been released as Wagtail 4.1.4 (for the LTS 4.1 branch) and Wagtail 4.2.2 (for the current 4.2 branch).

Workarounds

Site owners who are unable to upgrade to the new versions can disable or override the corresponding functionality.

ChooseParentView

For ChooseParentView:

• Disable ModelAdmin for all page models.
• Or provide a custom view via choose_parent_view_class, with the custom view overriding the get_form method.

One of those steps need to be applied for every ModelAdmin class hooked into Wagtail where the model is a Wagtail Page or sub-class. Here is an example of implementing the custom ChooseParentView with patched HTML escaping:

from django import forms
from django.utils.translation import gettext as _
from wagtail.contrib.modeladmin.views import ChooseParentView
from wagtail.contrib.modeladmin.forms import ParentChooserForm

class PatchedPageChoiceField(forms.ModelChoiceField):
    """PageChoiceField with plain-text breadcrumbs to patch stored XSS."""
    def label_from_instance(self, obj):
        bits = []
        for ancestor in (
            obj.get_ancestors(inclusive=True).exclude(depth=1).specific(defer=True)
        ):
            bits.append(ancestor.get_admin_display_title())
        return ' | '.join(bits)

class PatchedParentChooserForm(ParentChooserForm):
    """ParentChooserForm with custom parent_page to patch stored XSS."""
    parent_page = PatchedPageChoiceField(
        label=_("Parent page"),
        required=True,
        empty_label=None,
        queryset=Page.objects.none(),
        widget=forms.RadioSelect(),
    )

class PatchedChooseParentView(ChooseParentView):
    """ChooseParentView with custom get_form patch stored XSS."""
    def get_form(self, request):
        parents = self.permission_helper.get_valid_parent_pages(request.user)
        return PatchedParentChooserForm(parents, request.POST or None)

InspectView

For InspectView:

• Remove inspect_view_enabled=True or set it to False to disable the view.
• Or use inspect_view_fields or inspect_view_fields_exclude to prevent displaying document fields in the views.
• Or provide a custom view via inspect_view_class, with the custom view overriding the get_document_field_display method.

One of those steps need to be applied for every ModelAdmin class hooked into Wagtail where inspect_view_enabled=True. Here is an example of implementing the custom InspectView with patched HTML escaping:

from django.template.defaultfilters import filesizeformat
from django.utils.html import format_html
from wagtail.contrib.modeladmin.views import InspectView

class PatchedInspectView(InspectView):
    """InspectView with override to patch stored XSS vulnerability."""
    def get_document_field_display(self, field_name, field):
        """Render a link to a document"""
        document = getattr(self.instance, field_name)
        if document:
            return format_html(
                '<a href="{}">{} <span class="meta">({}, {})</span></a>',
                document.url,
                document.title,
                document.file_extension.upper(),
                filesizeformat(document.file.size),
            )
        return self.model_admin.get_empty_value_display(field_name)

CVE-2023-28837

Impact

A memory exhaustion bug exists in Wagtail's handling of uploaded images and documents. For both images and documents, files are loaded into memory during upload for additional processing. A user with access to upload images or documents through the Wagtail admin interface could upload a file so large that it results in a crash or denial of service.

The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. It can only be exploited by admin users with permission to upload images or documents.

Image uploads are restricted to 10MB by default, however this validation only happens on the frontend and on the backend after the vulnerable code.

Patches

Patched versions have been released as Wagtail 4.1.4 (for the LTS 4.1 branch) and Wagtail 4.2.2 (for the current 4.2 branch).

Workarounds

Site owners who are unable to upgrade to the new versions are encouraged to add extra protections outside of Wagtail to limit the size of uploaded files. Exactly how this is done will vary based on your hosting environment, but here are a few references for common setups:

• Nginx: client_max_body_size
• Apache: LimitRequestBody
• Cloudflare: Already imposes a limit of 100MB - 500MB depending on plan
• CloudFront: SizeConstraint
• Traefik: traefik.http.middlewares.limit.buffering.maxRequestBodyBytes

The changes themselves are deep inside Wagtail, making patching incredibly difficult.

CVE-2023-45809

Impact

A user with a limited-permission editor account for the Wagtail admin can make a direct URL request to the admin view that handles bulk actions on user accounts. While authentication rules prevent the user from making any changes, the error message discloses the display names of user accounts, and by modifying URL parameters, the user can retrieve the display name for any user. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.

Patches

Patched versions have been released as Wagtail 4.1.9 (LTS), 5.0.5 and 5.1.3. The fix is also included in Release Candidate 1 of the forthcoming Wagtail 5.2 release.

Workarounds

None.

Acknowledgements

Many thanks to @​quyenheu for reporting this issue.

For more information

If you have any questions or comments about this advisory:

• Visit Wagtail's support channels
• Email us at [email protected] (view our security policy for more information).

---

Release Notes

wagtail/wagtail (wagtail)

v4.1.9: 4.1.9

Compare Source

• Fix: CVE-2023-45809: Disclosure of user names via admin bulk action views (Matt Westcott)

v4.1.8: 4.1.8

Compare Source

• Maintenance: Additionally update Pillow dependency to allow use of versions with security fixes (Dan Braghis)

v4.1.7: 4.1.7

Compare Source

• Maintenance: Relax Willow dependency to allow use of current Pillow versions with security fixes (Dan Braghis)

v4.1.6: 4.1.6

Compare Source

• Fix: Rectify previous fix for TableBlock becoming uneditable after save (Sage Abdullah)
• Fix: Ensure that copying page correctly picks up the latest revision (Matt Westcott)
• Fix: Adjust collection field alignment in multi-upload forms (LB (Ben) Johnston)
• Fix: Prevent lowercase conversions of IndexView column headers (Virag Jain)
• Docs: Update documentation for log_action parameter on RevisionMixin.save_revision (Christer Jensen)

v4.1.5: 4.1.5

Compare Source

• Fix: Prevent TableBlock from becoming uneditable after save (Sage Abdullah)

v4.1.4: 4.1.4

Compare Source

• Fix: CVE-2023-28836 - Stored XSS attack via ModelAdmin views (Thibaud Colas)
• Fix: CVE-2023-28837 - Denial-of-service via memory exhaustion when uploading large files (Jake Howard)
• Fix: Fix radio and checkbox elements shrinking when using a long label (Sage Abdullah)
• Fix: Fix select elements expanding beyond their container when using a long option label (Sage Abdullah)
• Fix: Fix timezone handling of TemplateResponses for users with a custom timezone (Stefan Hammer, Sage Abdullah)
• Fix: Ensure TableBlock initialisation correctly runs after load and its width is aligned with the parent panel (Dan Braghis)
• Fix: Ensure that the JavaScript media files are loaded by default in Snippet index listings for date fields (Sage Abdullah)
• Fix: Fix server-side caching of the icons sprite (Thibaud Colas)
• Fix: Always show Add buttons, guide lines, Move up/down, Duplicate, Delete; in StreamField and Inline Panel (Thibaud Colas)
• Fix: Ensure datetimepicker widget overlay shows over modals & drop-downs (LB (Ben) Johnston)
• Maintenance: Render large image renditions to disk (Jake Howard)

v4.1.3: 4.1.3

Compare Source

• Fix: Add right-to-left (RTL) support for the following form components: Switch, Minimap, live preview (Thibaud Colas)
• Fix: Improve right-to-left (RTL) positioning for the following components: Page explorer, Sidebar sub-menu, rich text tooltips, rich text toolbar trigger, editor section headers (Thibaud Colas)
• Fix: Ensure links within help blocks meet colour contrast guidelines for accessibility (Theresa Okoro)
• Fix: Support creating StructValue copies (Tidiane Dia)
• Fix: Fix "Edit this page" missing from userbar (Satvik Vashisht)
• Fix: Prevent audit log report from failing on missing models (Andy Chosak)
• Fix: Add missing log information for wagtail.schedule.cancel (Stefan Hammer)
• Fix: Fix timezone activation leaking into subsequent requests in require_admin_access() (Stefan Hammer)
• Fix: Prevent matches from unrelated models from leaking into SQLite FTS searches (Matt Westcott)
• Docs: Clarify ClusterableModel requirements for using relations with RevisionMixin-enabled models (Sage Abdullah)
• Maintenance: Update Algolia DocSearch to use new application and correct versioning setup (Thibaud Colas)

v4.1.2: 4.1.2

Compare Source

• Fix: Make "Cancel scheduled publish" button correctly redirect back to the edit view (Sage Abdullah)
• Fix: Prevent crash when reverting revisions on a snippet with PreviewableMixin applied (Sage Abdullah)
• Fix: Use consistent heading styles on top-level fields in the page editor (Sage Abdullah)
• Fix: Allow button labels to wrap onto two lines in dropdown buttons (Coen van der Kamp)
• Fix: Move DateField, DateTimeField, TimeField comment buttons to be right next to the fields (Theresa Okoro)
• Fix: Support text resizing in workflow steps cards (Ivy Jeptoo)
• Fix: Use the correct padding for autocomplete block picker (Umar Farouk Yunusa)
• Fix: Fix horizontal positioning of rich text inline toolbar (Thibaud Colas)
• Fix: Close the userbar when clicking its toggle (Albina Starykova)
• Fix: Do not show bulk actions checkbox in page type usage view (Sage Abdullah)
• Fix: Prevent account name from overflowing the sidebar (Aman Pandey)
• Fix: Ensure edit form is displayed as unlocked immediately after cancelling a workflow (Sage Abdullah)
• Fix: Prevent latest_revision pointer from being copied over when copying translatable snippets for translation (Sage Abdullah)
• Docs: Document potential data loss for BaseLogEntry migration in 3.0 (Sage Abdullah)
• Docs: Add documentation for the reference index mechanism (Daniel Kirkham)

v4.1.1: 4.1.1

Compare Source

• Fix: Fix issue where lock/unlock buttons would not work on the Dashboard (home) page or the page index listing via the status sidebar (Stefan Hammer)
• Fix: Fix disabled style on StreamField add button (Matt Westcott)
• Fix: Ensure models are fully loaded before registering snippets, to avoid circular import issues (Matt Westcott)
• Fix: Prevent fields without a verbose_name property from breaking usage report views (Matt Westcott)
• Fix: Exclude tags from the reference index (Matt Westcott)
• Fix: Fix errors in handling generic foreign keys when populating the reference index (Matt Westcott)
• Fix: Prevent error in handling null ParentalKeys when populating the reference index (Matt Westcott)
• Fix: Make sure minimap error indicators follow the minimap scrolling (Thibaud Colas)
• Fix: Ensure background HTTP request to clear stale preview data correctly respects the CSRF_HEADER_NAME setting (Sage Abdullah)
• Fix: Prevent error on aging pages report when "Last published by" user has been deleted (Joshua Munn)

v4.1: 4.1

Compare Source

• New scheduled publishing UI, available from the Status side panel (Sage Abdullah)
• Allow snippet admin views to be customised via SnippetViewSet (Sage Abdullah)
• Implement scheduled publishing for snippets inheriting from DraftStateMixin (Sage Abdullah)
• Add reference index and usage reports for images, documents and snippets (Karl Hobley, Matt Westcott)
• Formalised support for Python 3.11 (Matt Westcott)
• Add basic keyboard control and screen reader support for page listing re-ordering (Paarth Agarwal, Thomas van der Hoeven)
• Add PageQuerySet.private method as an alias of not_public (Mehrdad Moradizadeh)
• Most images in the admin will now only load once they are visible on screen (Jake Howard)
• Allow setting default attributes on image tags (Jake Howard)
• Optimise the performance of the Wagtail userbar to remove duplicated queries, improving page loads when viewing live pages while signed in (Jake Howard)
• Remove legacy styling classes for buttons (unbutton, button-neutral, button-strokeonhover, hover-no, yes) and refactor button styles to be more maintainable (Paarth Agarwal, LB (Ben Johnston))
• Add button variations to the pattern library (Paarth Agarwal)
• Provide a more accessible page title where the unique information is shown first and the CMS name is shown last (Mehrdad Moradizadeh)
• Pull out behaviour from AbstractFormField to FormMixin and AbstractEmailForm to EmailFormMixin to allow use with subclasses of Page (Mehrdad Moradizadeh, Kurt Wall)
• Add a docs.wagtail.org/.well-known/security.txt so that the security policy is available as per the specification on https://securitytxt.org/ (Jake Howard)
• Add unit tests for the classnames Wagtail admin template tag (Mehrdad Moradizadeh)
• Show an inverse locked indicator when the page has been locked by the current user in reports and dashboard listings (Vaibhav Shukla, LB (Ben Johnston))
• Add clarity to the development documentation that admonition should not be used and titles for note are not supported, including clean up of some existing incorrect usage (LB (Ben Johnston))
• Unify the styling of delete/destructive button styles across the admin interface (Paarth Agarwal)
• Adopt new designs and unify the styling styles for .button-secondary buttons across the admin interface (Paarth Agarwal)
• Refine designs for disabled buttons throughout the admin interface (Paarth Agarwal)
• Update expanding formset add buttons to use button not link for behaviour (LB (Ben) Johnston)
• Add robust unit testing for authentication scenarios across the user management admin pages (Mehrdad Moradizadeh)
• Avoid assuming an integer PK named 'id' on multiple upload views (Matt Westcott)
• Add a toggle to collapse/expand all page panels at once (Helen Chapman)
• Improve the GitHub Workflows (CI) security (Alex (sashashura))
• Use search type input in documentation search (LB (Ben) Johnston)
• Render help_text when set on FieldPanel, MultiFieldPanel, FieldRowPanel, and other panel APIs where it previously worked without official support (Matt Westcott)
• Consolidate usage of Excel libraries to a single library openpyxl, removing usage of XlsxWriter, tablib, xlrd and xlwt (Jaap Roes)
• Adopt wagtail.admin.views.generic.IndexView for the Users index listing and search results (Mehrdad Moradizadeh)
• Adopt wagtail.admin.views.generic.CreateView for the User creation view (Mehrdad Moradizadeh)
• Adopt wagtail.admin.views.generic.DeleteView for the User delete view (Mehrdad Moradizadeh)
• Adopt wagtail.admin.views.generic.EditView for the User edit view (Mehrdad Moradizadeh)
• Add button-secondary bicolor variants to the pattern library and styleguide (Adinapunyo Banerjee)
• Add better support for non-integer / non-id primary keys into Wagtail's generic views, including for Snippets and custom User models (Mehrdad Moradizadeh)
• Upgrade jQuery UI to version 1.13.2 (LB (Ben) Johnston)
• Update pattern library background & text examples (Albina Starykova)
• Switch StreamField blocks to use a <section> element so screen reader users can bypass them more easily (Thibaud Colas)
• Add anchor links to StreamField blocks so users can navigate straight to a given block (Thibaud Colas)
• Support "Ctrl + f" in-page search within collapsed StreamField blocks (Thibaud Colas)
• Remember the last opened side panel in the page editor, activating it on page load (Sage Abdullah)
• Ensure that the update_index command can run without console output if called with --verbosity 0 (Ben Sturmfels, Oliver Parker)
• Improve side panels’ resizing in page editor and listings (Steven Steinwand)
• Adjust breadcrumb text alignment and size in page listings & page editor (Steven Steinwand)
• Improvements to getting started tutorial aimed at developers who are very new to Python and have no Django experience (Damilola Oladele)
• Update documentation dependencies; Sphinx Wagtail Theme to v5.3.2, MyST Parser to v0.18.1, add Sphinx Copy Button (LB (Ben) Johnston)
• Add "What's New" dashboard banner and "Help" menu in sidebar (Sage Abdullah)
• Implement new "minimap" component for the page editor (Thibaud Colas)
• The image_url template tag, when using the serve view to redirect rather than serve directly, will now use temporary redirects with a cache header instead of permanent redirects (Jake Howard)
• Add new test assertions to WagtailPageTestCase - assertPageIsRoutable, assertPageIsRenderable, assertPageIsEditable, assertPageIsPreviewable (Andy Babic)
• Add documentation to the performance section about how to better create image URLs when not used directly on the page (Jake Howard)
• Add ability to provide a required permission to PanelGroup, used by TabbedInterface, ObjectList, FieldRowPanel and MultiFieldPanel (Oliver Parker)
• Update documentation screenshots of the admin interface to align with changes in this release (Thibaud Colas)
• Fix: Prevent PageQuerySet.not_public from returning all pages when no page restrictions exist (Mehrdad Moradizadeh)
• Fix: Ensure that duplicate block ids are unique when duplicating stream blocks in the page editor (Joshua Munn)
• Fix: Revise colour usage so that privacy & locked indicators can be seen in Windows High Contrast mode (LB (Ben Johnston))
• Fix: Ensure that disabled buttons have a consistent presentation on hover to indicate no interaction is available (Paarth Agarwal)
• Fix: Update the 'Locked pages' report menu title so that it is consistent with other pages reports and its own title on viewing (Nicholas Johnson)
• Fix: Support formfield_callback handling on ModelForm.Meta for future Django 4.2 release (Matt Westcott)
• Fix: Ensure that ModelAdmin correctly supports filters in combination with subsequent searches without clearing the applied filters (Stefan Hammer)
• Fix: Add missing translated values to site settings' headers plus models presented in listings and audit report filtering labels (Stefan Hammer)
• Fix: Remove capitalize() calls to avoid issues with other languages or incorrectly presented model names for reporting and parts of site settings (Stefan Hammer)
• Fix: Add back rendering of help_text for InlinePanel (Matt Westcott)
• Fix: Ensure for_user argument is passed to the form class when previewing pages (Matt Westcott)
• Fix: Ensure the capitalisation of the timesince_simple tag is consistently added in the template based on usage in context (Stefan Hammer)
• Fix: Add missing translation usage for the timesince_last_update and ensure the translated labels can be easier to work with in Transifex (Stefan Hammer)
• Fix: Add additional checks for duplicate form field clean_name values in the Form Builder validation and increase performance of checks (Dan Bentley)
• Fix: Use correct color for labels of radio and checkbox fields (Steven Steinwand)
• Fix: Adjust spacing of fields’ error messages and position in tables (Steven Steinwand)
• Fix: Update dead or redirected links throughout the documentation (LB (Ben) Johnston)
• Fix: Use different icons for workflow timeline component, so the steps can be distinguished with other means than color (Sam Moran)
• Fix: Use the correct custom font for the Wagtail userbar (Umar Farouk Yunusa)
• Fix: StreamField blocks are now collapsible with the keyboard (Thibaud Colas)
• Fix: StreamField block headings now have a label for screen reader users (Thibaud Colas)
• Fix: Display the "*" required field indicator for StreamField blocks (Thibaud Colas)
• Fix: Resolve inconsistency in action button positions in InlinePanel (Thibaud Colas)
• Fix: Use h3 elements with a counter in InlinePanel so screen reader users can navigate by heading (Thibaud Colas)
• Fix: Ensure that buttons on custom chooser widgets are correctly shown on hover (Thibaud Colas)
• Fix: Add missing asterisk to title field placeholder (Seremba Patrick, Stefan Hammer)
• Fix: Avoid creating an extra rich text block when inserting a new block at the end of the content (Matt Westcott)
• Fix: Removed the extra dot in the Wagtail version shown within the admin settings menu item (Loveth Omokaro)
• Fix: Fully remove the obsolete wagtailsearch_editorspick table that prevents flushing the database (Matt Westcott)
• Fix: Update latest version message on Dashboard to accept dev build version format used on nlightly builds (Sam Moran)
• Fix: references extraction for ChooserBlock (Alex Tomkins)
• Fix: Regression in field width for authentication pages (log in / password reset) (Chisom)
• Fix: Ensure the new minimap correctly pluralises error counts for aria-labels (Matt Westcott)

v4.0.4: 4.0.4

Compare Source

(Reissue of 4.0.3 due to packaging issues)

• Render help_text when set on FieldPanel, MultiFieldPanel, FieldRowPanel, and other panel APIs where it previously worked without official support (Matt Westcott)
• Update special-purpose FieldPanel deprecation message to add clarity for developers (Matt Westcott)
• Fix: Add back rendering of help_text for InlinePanel (Matt Westcott)
• Fix: Ensure that AbstractForm & AbstractEmailForm page models correctly pass the form to the preview context (Dan Bentley)
• Fix: Use the correct custom font for the Wagtail userbar (Umar Farouk Yunusa)
• Fix: Ensure that buttons on custom chooser widgets are correctly shown on hover (Thibaud Colas)

v4.0.3: 4.0.3

Compare Source

• Render help_text when set on FieldPanel, MultiFieldPanel, FieldRowPanel, and other panel APIs where it previously worked without official support (Matt Westcott)
• Update special-purpose FieldPanel deprecation message to add clarity for developers (Matt Westcott)
• Fix: Add back rendering of help_text for InlinePanel (Matt Westcott)
• Fix: Ensure that AbstractForm & AbstractEmailForm page models correctly pass the form to the preview context (Dan Bentley)
• Fix: Use the correct custom font for the Wagtail userbar (Umar Farouk Yunusa)
• Fix: Ensure that buttons on custom chooser widgets are correctly shown on hover (Thibaud Colas)

v4.0.2: 4.0.2

Compare Source

• Update all images and sections of the Wagtail Editor's guide to align with the new admin interface changes from Wagtail 3.0 and 4.0 (Thibaud Colas)
• Ensure all images in the documentation have a suitable alt text (Thibaud Colas)
• Fix: Ensure tag autocompletion dropdown has a solid background (LB (Ben) Johnston)
• Fix: Allow inline panels to be ordered (LB (Ben) Johnston)
• Fix: Only show draft / live status tags on snippets that have DraftStateMixin applied (Sage Abdullah)
• Fix: Prevent JS error when initialising chooser modals with no tabs (LB (Ben) Johnston)
• Fix: Add missing vertical spacing between chooser modal header and body when there are no tabs (LB (Ben) Johnston)
• Fix: Reinstate specific labels for chooser buttons (for example 'Choose another page', 'Edit this page' not 'Change', 'Edit') so that it is clearer for users and non-English translations (Matt Westcott)
• Fix: Resolve issue where searches with a tag and a query param in the image listing would result in an FilterFieldError (Stefan Hammer)
• Fix: Add missing vertical space between header and content in embed chooser modal (LB (Ben) Johnston)
• Fix: Use the correct type scale for heading levels in rich text (Steven Steinwand)
• Fix: Update alignment and reveal logic of fields’ comment buttons (Steven Steinwand)
• Fix: Regression from Markdown conversion in documentation for API configuration - update to correctly use PEP-8 for example code (Storm Heg)
• Fix: Prevent 'Delete' link on page edit view from redirecting back to the deleted page (LB (Ben) Johnston)
• Fix: Prevent JS error on images index view when collections dropdown is omitted (Tidiane Dia)
• Fix: Prevent "Entries per page" dropdown on images index view from reverting to 10 (Tidiane Dia)
• Fix: Set related_name on user revision relation to avoid conflict with django-reversion (Matt Westcott)
• Fix: Ensure the "recent edits" panel on the Dashboard (home) page works when page record is missing (Matt Westcott)
• Fix: Only add Translate buttons when the simple_translation app is installed (Dan Braghis)
• Fix: Ensure that MultiFieldPanel correctly outputs all child classnames in the template (Matt Westcott)
• Fix: Remove over-eager caching on ModelAdmin permission checks (Matt Westcott, Stefan Hammer)

v4.0.1: 4.0.1

Compare Source

• Fix: On the Locked Pages report, limit the "locked by" filter to just users who have locked pages (Stefan Hammer)
• Fix: Prevent JavaScript error when using StreamField on views without commenting support, such as snippets (Jacob Topp-Mugglestone)
• Fix: Modify base template for new projects so that links opened from the preview panel open in a new window (Sage Abdullah)
• Fix: Prevent circular import error between custom document models and document chooser blocks (Matt Westcott)

v4.0: 4.0

Compare Source

• Added support for Django 4.1
• Added a new BaseGenericSetting base model class that allows defining a settings model that applies to all sites rather than just a single site (Kyle Bayliss)
• Add clarity to confirmation when being asked to convert an external link to an internal one (Thijs Kramer)
• Convert the rest of the documentation to Markdown (Khanh Hoang, Vu Pham, Daniel Kirkham, LB (Ben) Johnston, Thiago Costa de Souza, Benedict Faw, Noble Mittal, Sævar Öfjörð Magnússon, Sandeep M A, Stefano Silvestri)
• Add base_url_path to ModelAdmin so that the default URL structure of app_label/model_name can be overridden (Vu Pham, Khanh Hoang)
• Add full_url to the API output of ImageRenditionField (Paarth Agarwal)
• Use InlinePanel's label when available for field comparison label (Sandil Ranasinghe)
• Drop support for Safari 13 by removing left/right positioning in favour of CSS logical properties (Thibaud Colas)
• Use FormData instead of jQuery's form.serialize when editing documents or images just added so that additional fields can be better supported (Stefan Hammer)
• Add informational Codecov status checks for GitHub CI pipelines (Tom Hu)
• Replace PageRevision with generic Revision model (Sage Abdullah)
• Make it possible to reuse and customise Wagtail’s fonts with CSS variables (LB (Ben) Johnston)
• Add better handling and informative developer errors for cross linking URLS (e.g. success after add) in generic views wagtail.admin.views.generic (Matt Westcott)
• Introduce wagtail.admin.widgets.chooser.BaseChooser to make it easier to build custom chooser inputs (Matt Westcott)
• Introduce JavaScript chooser module, including a SearchController class which encapsulates the standard pattern of re-rendering the results panel in response to search queries and pagination (Matt Westcott)
• Migrate Image and Document choosers to new JavaScript chooser module (Matt Westcott)
• Add ability to select multiple items at once within bulk actions selections when holding shift on subsequent clicks (Hitansh Shah)
• Upgrade notification, shown to admins on the dashboard if Wagtail is out of date, will now link to the release notes for the closest minor branch instead of the latest patch (Tibor Leupold)
• Upgrade notification can now be configured to only show updates when there is a new LTS available via WAGTAIL_ENABLE_UPDATE_CHECK = 'lts' (Tibor Leupold)
• Implement redesign of the Workflow Status dialog, fixing accessibility issues (Steven Steinwand)
• Add the ability to change the number of images displayed per page in the image library (Tidiane Dia, with sponsorship from YouGov)
• Allow users to sort by different fields in the image library (Tidiane Dia, with sponsorship from YouGov)
• Add prefetch_renditions method to ImageQueryset for performance optimisation on image listings (Tidiane Dia, Karl Hobley)
• Add ability to define a custom get_field_clean_name method when defining FormField models that extend AbstractFormField (LB (Ben) Johnston)
• Migrate Home (Dashboard) view to use generic Wagtail class based view (LB (Ben) Johnston)
• Combine most of Wagtail’s stylesheets into the global core.css file (Thibaud Colas)
• Add new Breadcrumbs and Tabs to the Wagtail pattern library (Paarth Agarwal)
• Adopt new Page Editor UI tabs in the workflow history report page (Paarth Agarwal)
• Update ReportView to extend from generic wagtail.admin.views.generic.models.IndexView (Sage Abdullah)
• Introduce a wagtail.admin.viewsets.chooser.ChooserViewSet module to serve as a common base implementation for chooser modals (Matt Westcott)
• Add documentation for wagtail.admin.viewsets.model.ModelViewSet (Matt Westcott)
• Enhance new breadcrumbs so they can be added to any header or container element (Paarth Agarwal)
• Adopt new breadcrumbs on the page explorer (listing) view and the page chooser modal, remove legacy breadcrumbs code for move page as no longer used (Paarth Agarwal)
• Added multi-site support to the API (Sævar Öfjörð Magnússon)
• Add add_to_admin_menu option for ModelAdmin (Oliver Parker)
• Implement Fuzzy matching for Elasticsearch (Nick Smith)
• Rename Page.get_latest_revision_as_page to Page.get_latest_revision_as_object (Sage Abdullah)
• Cache model permission codenames in PermissionHelper (Tidiane Dia)
• Selecting a new parent page for moving a page now uses the chooser modal which allows searching (Viggo de Vries)
• Move get_snippet_edit_handler function to wagtail.admin.panels.get_edit_handler (Sage Abdullah)
• Add clarity to the search indexing documentation for how boost works when using Postgres with the database search backend (Tibor Leupold)
• Rename explorer_breadcrumb template tag to breadcrumbs as it is now used in multiple locations (Paarth Agarwal)
• Updated django-filter version to support 23 (Yuekui)
• Use .iterator() in a few more places in the admin, to make it more stable on sites with many pages (Andy Babic)
• Migrate some simple React component files to TypeScript (LB (Ben) Johnston)
• Deprecate the usage and documentation of the wagtail.contrib.modeladmin.menus.SubMenu class, provide a warning if used directing developers to use wagtail.admin.menu.Menu instead (Matt Westcott)
• Remove legacy (non-next) breadcrumbs no longer used, remove ModelAdmin usage of breadcrumbs completely (Paarth Agarwal)
• Replace human-readable-date hover pattern with accessible tooltip variant across all of admin (Bernd de Ridder)
• Added WAGTAILADMIN_USER_PASSWORD_RESET_FORM setting for overriding the admin password reset form (Michael Karamuth)
• Prefetch workflow states in edit page view to to avoid queries in other parts of the view/templates that need it (Tidiane Dia)
• Remove the edit link from edit bird in previews to avoid confusion (Sævar Öfjörð Magnússon)
• Introduce new template fragment and block level enclosure tags for easier template composition (Thibaud Colas)
• Add a classnames template tag to easily build up classes from variables provided to a template (Paarth Agarwal)
• Migrate the dashboard (home) view header to the shared header template and update designs (Paarth Agarwal)
• Switch all report workflow, redirects, form submissions, site settings views to use Wagtail’s reusable header component (Paarth Agarwal)
• Update classes and styles for the shared header templates to align with UI guidelines (Paarth Agarwal)
• Clean up multiple eslint rules usage and configs to align better with the Wagtail coding guidelines (LB (Ben Johnston))
• Add inline toolbar for Draftail, to avoid clashing with the page’s header (Thibaud Colas)
• Add command palette in rich text editor to change text format with the keyboard only (Thibaud Colas)
• Add a live-updating character count to the Draftail rich text editor (Thibaud Colas)
• Add rich text editor paste to auto-create links (Thibaud Colas)
• Add rich text editor text shortcuts undo, to allow typing text normally detected as a shortcut (Thibaud Colas)
• Add support for right-to-left (RTL) languages to the rich text editor (Thibaud Colas)
• Change rich text editor placeholder to follow the user’s focus on empty blocks (Thibaud Colas)
• Add rich text editor empty block highlight by showing their block type (Thibaud Colas)
• Add ability to split a rich text field and insert a StreamField block at the same time (Jacob Topp-Mugglestone)
• Make ModelAdmin InspectView footer actions consistent with other parts of the UI (Thibaud Colas)
• Introduce a new auto-updating preview panel inside the page editor (Sage Abdullah)
• Add support for Twitter and other text-only embeds in Draftail embed previews (Iman Syed, Paarth Agarwal)
• Use new modal dialog component for privacy settings modal (Sage Abdullah)
• Add menu_item_name to modify MenuItem's name for ModelAdmin (Alexander Rogovskyy, Vu Pham)
• Add an extra confirmation prompt when deleting pages with a large number of child pages (Jaspreet Singh)
• Adopt the slim header in page listing views, with buttons moved under the "Actions" dropdown, including addition of translation page in the parent "more" button (Paarth Agarwal)
• Improve help block styles in Windows High Contrast Mode with less reliance on communication via colour alone (Anuja Verma)
• Add a bottom border to top messages so they stand out from the header (Anuja Verma)
• Replace latin abbreviations (i.e. / e.g.) with common English phrases so that documentation is easier to understand (Dominik Lech)
• Add shortcut for accessing StreamField blocks by block name with new blocks_by_name and first_block_by_name methods on StreamValue (Tidiane Dia, Matt Westcott)
• Extend support for custom user interface colours across almost all admin colours (Thibaud Colas)
• Add HTML-aware max_length validation and character count on RichTextField and RichTextBlock (Matt Westcott, Thibaud Colas)
• Remove undocumented SearchableListMixin (Sage Abdullah)
• Extract filtering code from ReportView to generic IndexView (Sage Abdullah)
• Extract unpublish code for pages to generic UnpublishView (Sage Abdullah)
• Retain other query params in header search behaviour (Sage Abdullah)
• Remove is_parent kwarg in various page button hooks as this approach is no longer required (Paarth Agarwal)
• Improve security of redirect imports by adding a file hash (signature) check for so that any tampering of file contents between requests will throw a BadSignature error (Jaap Roes)
• Refresh designs for Home (Dashboard) site summary panels, use theme spacing and colours, add support for RTL layouts and better support for small devices (Paarth Agarwal, LB (Ben) Johnston)
• Include all CSS system colours in allowed values in Stylelint's declaration-strict-value rule (Thibaud Colas)
• Add JavaScript range utility function (LB (Ben) Johnston)
• Allow generic chooser viewsets to support non-model data such as an API endpoint (Matt Wescott)
• Update all widget styles across the admin UI (Thibaud Colas)
• Update field styles across forms, with help text consistently under fields, error messages above, and comment buttons to the side (Thibaud Colas)
• Make all sections of the page editing UI collapsible by default (Thibaud Colas)
• Update the side panels to prevent overlap with form fields unless necessary (Thibaud Colas)
• Remove unused change password page, was not removed when account management view was converted to tabs (Paarth Agarwal)
• Rework layout of login and password reset pages to ensure main id on main element (for skip link) and consistent DOM layout for h1 header (Paarth Agarwal, LB (Ben) Johnston)
• Adopt new design, including logo, for login and password reset pages (Paarth Agarwal, LB (Ben) Johnston)
• Remove usage of inline script to focus on the username field, instead use autofocus (LB (Ben) Johnston)
• Improve organisation of the settings reference page in the documentation (Akash Kumar Sen)
• Added path and re_path decorators to the RoutablePageMixin module which emulate their Django URL utils equivalent, redirect re_path to the original route decorator (Tidiane Dia)
• BaseChooser widget now provides a Telepath adapter that's directly usable for any subclasses that use the chooser widget and modal JS as-is with no customisations (Matt Westcott)
• Implement the new chooser widget styles as part of the page editor redesign (Thibaud Colas)
• Update base Draftail/TextField form designs as part of the page editor redesign (Thibaud Colas)
• Move commenting trigger to inline toolbar and move block splitting to the block toolbar and command palette only in Draftail (Thibaud Colas)
• Pages are now locked when they are scheduled for publishing (Karl Hobley)
• Simplify page chooser views by converting to class-based views (Matt Westcott)
• Add support for previews, revisions and drafts on snippets (Sage Abdullah)
• Add "Translate" button within pages’ Actions dropdown when editing pages (Sage Abdullah)
• Add translated labels to the bulk actions tags and collections bulk update fields (Stefan Hammer)
• Fix: Typo in ResumeWorkflowActionFormatter message (Stefan Hammer)
• Fix: Issue where ModelAdmin index listings with export list enabled would show buttons with an incorrect layout (Josh Woodcock)
• Fix: Throw a meaningful error when saving an image to an unrecognised image format (Christian Franke)
• Fix: Remove extra padding for headers with breadcrumbs on mobile viewport (Steven Steinwand)
• Fix: Ensure that custom document or image models support custom tag models (Matt Westcott)
• Fix: Ensure comments use translated values for their placeholder text (Stefan Hammer)
• Fix: Ensure the upgrade notification, shown to admins on the dashboard if Wagtail is out of date, content is translatable (LB (Ben) Johnston)
• Fix: Show the re-ordering option to users that have permission to publish pages within the page listing (Stefan Hammer)
• Fix: Ensure default sidebar branding (bird logo) is not cropped in RTL mode (Steven Steinwand)
• Fix: Add an accessible label to the image focal point input when editing images (Lucie Le Frapper)
• Fix: Remove unused header search JavaScript on the redirects import page (LB (Ben) Johnston)
• Fix: Ensure non-square avatar images will correctly show throughout the admin (LB (Ben) Johnston)
• Fix: Ignore translations in test files and re-include some translations that were accidentally ignored (Stefan Hammer)
• Fix: Show alternative message when no page types are available to be created (Jaspreet Singh)
• Fix: Prevent error on sending notifications for the legacy moderation process when no user was specified (Yves Serrano)
• Fix: Ensure aria-label is not set on locale selection dropdown within page chooser modal as it was a duplicate of the button contents (LB (Ben Johnston))
• Fix: Revise the ModelAdmin title column behaviour to only link to 'edit' if the user has the correct permissions, fallback to the 'inspect' view or a non-clickable title if needed (Stefan Hammer)
• Fix: Ensure that DecimalBlock preserves the Decimal type when retrieving from the database (Yves Serrano)
• Fix: When no snippets are added, ensure the snippet chooser modal would have the correct URL for creating a new snippet (Matt Westcott)
• Fix: ngettext in Wagtail's internal JavaScript internationalisation utilities now works (LB (Ben) Johnston)
• Fix: Ensure the linting/formatting npm scripts work on Windows (Anuja Verma)
• Fix: Fix display of dates in exported xlsx files on macOS Preview and Numbers (Jaap Roes)
• Fix: Make progress bars’ progress visible in forced colors mode (Anuja Verma)
• Fix: Make checkboxes visible in forced colors mode (Anuja Verma)
• Fix: Display the correct color for icons in forced colors mode (Anuja Verma)
• Fix: Add a border around modal dialogs so they can be identified in forced colors mode (Anuja Verma)
• Fix: Remove outdated reference to 30-character limit on usernames in help text (minusf)
• Fix: Resolve multiple form submissions index listing page layout issues including title not being visible on mobile and interaction with large tables (Paarth Agarwal)
• Fix: Ensure ModelAdmin single selection lists show correctly with Django 4.0 form template changes (Coen van der Kamp)
• Fix: Ensure icons within help blocks have accessible contrasting colours, and links have a darker colour plus underline to indicate they are links (Paarth Agarwal)
• Fix: Ensure consistent sidebar icon position whether expanded or collapsed (Scott Cranfill)
• Fix: Avoid redirects import error if the file had lots of columns (Jaap Roes)
• Fix: Resolve accessibility and styling issues with the expanding status panel (Sage Abdullah)
• Fix: Avoid 503 AttributeError when an empty search param q= is combined with other filters in the Images index view (Paritosh Kabra)
• Fix: Fix error with string representation of FormSubmission not returning a string (LB (Ben) Johnston)
• Fix: Ensure disabled buttons are distinguishable from active buttons in forced colors mode (Anuja Verma)
• Fix: Revise usage of extra_actions in new changes to shared header template to avoid invalid template variable usage (Paarth Agarwal)
• Fix: Ensure that bulk actions correctly support models with non-integer primary keys (id) (LB (Ben) Johnston)
• Fix: Make it possible to toggle collapsible panels in the edit UI with the keyboard (Thibaud Colas)
• Fix: Re-implement checkbox styles so the checked state is visible in forced colors mode (Thibaud Colas)
• Fix: Re-implement switch component styles so the checked state is visible in forced colors mode (Thibaud Colas)
• Fix: Always render select widgets consistently regardless of where they are in the admin (Thibaud Colas)
• Fix: Make sure input labels and always take up the available space (Thibaud Colas)
• Fix: Correctly style BooleanBlock within StructBlock (Thibaud Colas)
• Fix: Make sure comment icons can’t overlap with help text (Thibaud Colas)
• Fix: Make it possible to scroll input fields in admin on safari mobile (Thibaud Colas)
• Fix: Stop rich text fields from overlapping with sidebar (Thibaud Colas)
• Fix: Prevent comment buttons from overlapping with fields (Thibaud Colas)
• Fix: Resolve MySQL search compatibility issue with Django 4.1 (Andy Chosak)
• Fix: Ensure that the fields on login and password reset forms are visible in forced colors mode (Paarth Agarwal)
• Fix: Missing a outline on dropdown content and malformed tooltip arrow in forced colors mode (Anuja Verma, LB (Ben) Johnston)
• Fix: Layout issues with reports (including form submissions listings) on md device widths (Akash Kumar Sen, LB (Ben) Johnston)
• Fix: Layout issue with page explorer's inner header item on small device widths (Akash Kumar Sen)
• Fix: Ensure that BaseSiteSetting / BaseGenericSetting objects can be pickled (Andy Babic)
• Fix: Ensure DocumentChooserBlock can be deconstructed for migrations (Matt Westcott)
• Fix: Resolve frontent console error and unintented console logging issues (Matt Wescott, Paarth Agarwal)
• Fix: Resolve issue with sites that have not yet migrated away from BaseSetting when upgrading to Wagtail 4.0 (Stefan Hammer)
• Fix: Use correct classnames for showing/hiding edit button on chooser widget (Matt Wescott)
• Fix: Render MultiFieldPanel’s heading even when nested (Thibaud Colas)
• Fix: Make sure select widgets render correctly regardless of the Django field and widget type (Thibaud Colas)
• Fix: Consistently display boolean field labels above the widget so they render correctly (Thibaud Colas)
• Fix: Address form field label alignment issues by always displaying labels above the widget (Thibaud Colas)
• Fix: Make sure rich text URL editing tooltip is fully visible when displayed inside InlinePanel blocks (Thibaud Colas)
• Fix: Allow input fields to scroll horizontally in Safari iOS (Thibaud Colas)
• Fix: Ensure screen readers are made aware of page level messages added dynamically to the top of the page (Paarth Agarwal)
• Fix: Fix updatemodulepaths command for Python 3.7 (Matt Westcott)
• Fix: Only show locale filter in choosers when i18n is enabled in settings (Matt Westcott)
• Fix: Ensure that the live preview panel correctly clears the cache when a new page is created (Sage Abdullah)
• Fix: Ensure that there is a larger hoverable area for add block (+) within the Drafttail editor (Steven Steinwand)
• Fix: Resolve multiple header styling issues for modal, alignment on small devices, outside click handling target on medium devices, close button target size and hover styles (Paarth Agarwal)
• Fix: Fix issue where comments could not be added in StreamField that were already already saved (Jacob Topp-Mugglestone)
• Fix: Remove outdated reference to Image.LoaderError (Matt Westcott)

v3.0.3: 3.0.3

Compare Source

• Fix: On the Locked Pages report, limit the "locked by" filter to just users who have locked pages (Stefan Hammer)
• Fix: Prevent JavaScript error when using StreamField on views without commenting support, such as snippets (Jacob Topp-Mugglestone)

v3.0.2: 3.0.2

Compare Source

• Fix: Ensure string representation of FormSubmission returns a string (LB (Ben Johnston))
• Fix: Fix updatemodulepaths command for Python 3.7 (Matt Westcott)
• Fix: Fix issue where comments could not be added in StreamField that were already already saved (Jacob Topp-Mugglestone)
• Fix: Remove outdated reference to Image.LoaderError (Matt Westcott)

v3.0.1: 3.0.1

Compare Source

• Add warning when WAGTAILADMIN_BASE_URL is not configured (Matt Westcott)
• Fix: Ensure TabbedInterface will not show a tab if no panels are visible due to permissions (Paarth Agarwal)
• Fix: Specific snippets list language picker was not properly styled (Sage Abdullah)
• Fix: Ensure the upgrade notification request for the latest release, which can be disabled via the WAGTAIL_ENABLE_UPDATE_CHECK sends the referrer origin with strict-origin-when-cross-origin (Karl Hobley)
• Fix: Fix misaligned spinner icon on page action button (LB (Ben Johnston))
• Fix: Ensure radio buttons / checkboxes display vertically under Django 4.0 (Matt Westcott)
• Fix: Prevent failures when splitting blocks at the start or end of a block, or with highlighted text (Jacob Topp-Mugglestone)
• Fix: Allow scheduled publishing to complete when the initial editor did not have publish permission (Matt Westcott)
• Fix: Stop emails from breaking when WAGTAILADMIN_BASE_URL is absent due to the request object not being available (Matt Westcott)
• Fix: Make try/except on sending email less broad so that legitimate template rendering errors are exposed (Matt Westcott)

v3.0: 3.0

Compare Source

• Phase out special-purpose panel types (StreamFieldPanel, RichTextFieldPanel, ImageChooserPanel, DocumentChooserPanel, PageChooserPanel, SnippetChooserPanel) in favour of FieldPanel (Matt Westcott)
• Implement splitting of rich text blocks within StreamField (Jacob Topp-Mugglestone)
• Add support for image rendition prefetching (Andy Babic)
• Upgrade ESLint and Stylelint configurations to latest shared Wagtail configs (Thibaud Colas, Paarth Agarwal)
• Major updates to frontend tooling; move Node tooling from Gulp to Webpack, upgrade to Node v16 and npm v8, eslint v8, stylelint v14 and others (Thibaud Colas)
• Change comment headers’ date formatting to use browser APIs instead of requiring a library (LB (Ben Johnston))
• Lint with flake8-comprehensions and flake8-assertive, including adding a pre-commit hook for these (Mads Jensen, Dan Braghis)
• Switch the Wagtail branding font to a system font stack (Steven Steinwand, Paarth Agarwal)
• Add black configuration and reformat code using it (Dan Braghis)
• Remove UI code for legacy browser support: polyfills, IE11 workarounds, Modernizr (Thibaud Colas)
• Remove redirect auto-creation recipe from documentation as this feature is now supported in Wagtail core (Andy Babic)
• Remove IE11 warnings (Gianluca De Cola)
• Remove the legacy Hallo rich text editor as it has moved to an external package (LB (Ben Johnston))
• Increase the size of checkboxes throughout the UI, and simplify their alignment (Steven Steinwand)
• Adopt MyST for parsing documentation written in Markdown, replaces recommonmark (LB (Ben Johnston), Thibaud Colas)
• Installing docs extras requirements in CircleCI so issues with the docs requirements are picked up earlier (Thibaud Colas)
• Remove core usage of jinjalint and migrate to curlylint to resolve dependency incompatibility issues (Thibaud Colas)
• Switch focus outlines implementation to :focus-visible for cross-browser consistency (Paarth Agarwal)
• Remove most uppercased text styles from admin UI (Paarth Agarwal)
• Convert all UI code to CSS logical properties for Right-to-Left (RTL) language support (Thibaud Colas)
• Migrate multiple documentation pages from RST to MD - including the editor's guide (Vibhakar Solanki, LB (Ben Johnston), Shwet Khatri)
• Add documentation for defining custom form validation on models used in Wagtail's modelAdmin (Serafeim Papastefanos)
• Update README.md logo to work for GitHub dark mode (Paarth Agarwal)
• Avoid an unnecessary page reload when pressing enter within the header search bar (Images, Pages, Documents) (Riley de Mestre)
• Removed unofficial length parameter on If-Modified-Since header in sendfile_streaming_backend which was only used by IE (Mariusz Felisiak)
• Add Pinterest support to the list of default oEmbed providers (Dharmik Gangani)
• Update Jinja2 template support for Jinja2 3.x (Seb Brown)
• Add ability for StreamField to use JSONField to store data, rather than TextField (Sage Abdullah)
• Replace content_json TextField with content JSONField in PageRevision (Sage Abdullah)
• Remove replace_text management command (Sage Abdullah)
• Replace data_json TextField with data JSONField in BaseLogEntry (Sage Abdullah)
• Split up linting / formatting tasks in Makefile into client and server components (Hitansh Shah)
• Add support for embedding Instagram reels (Luis Nell)
• Use Django’s JavaScript catalog feature to manage translatable strings in JavaScript (Karl Hobley)
• Add a page_description to the Page model, to provide help text for a given page type (Kalob Taulien, Thibaud Colas, Matt Westcott, Stefan Hammer)
• Add trimmed attribute to all blocktrans tags, so spacing is more reliable in translated strings (Harris Lapiroff)
• Add documentation that describes how to use ModelAdmin to manage Tags (Abdulmajeed Isa)
• Rename the setting BASE_URL (undocumented) to WAGTAILADMIN_BASE_URL and add to documentation, BASE_URL will be removed in a future release (Sandil Ranasinghe)
• Validate to and from email addresses within form builder pages when using AbstractEmailForm (Jake Howard)
• Add WAGTAILIMAGES_RENDITION_STORAGE setting to allow an alternative image rendition storage (Heather White)
• Add wagtail_update_image_renditions management command to regenerate image renditions or purge all existing renditions (Hitansh Shah, Onno Timmerman, Damian Moore)
• Fully remove the legacy sidebar, with slim sidebar replacing it for all users (Thibaud Colas)
• Add support for adding custom attributes for link menu items in the slim sidebar (Thibaud Colas)
• Implement new slim page editor header with breadcrumb (Steven Steinwand, Karl Hobley)
• Add the ability for choices to be separated by new lines instead of just commas within the form builder

---

Configuration

📅 Schedule: Branch creation - "" in timezone US/Eastern, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.