Bump craftcms/cms from 5.8.15 to 5.9.12

[dependabot]

Bumps craftcms/cms from 5.8.15 to 5.9.12.

Release notes

Sourced from craftcms/cms's releases.

5.9.12

• Added craft\services\Tokens::getRemainingTokenUsages().
• Added craft\web\Request::getTokenRoute().
• Fixed a JavaScript error that could occur when opening or submitting a slideout.
• Fixed a high-severity permission escalation vulnerability. (GHSA-cc7p-2j3x-x7xf)

5.9.11

• The nb locale is now treated as a fallback for no on environments where no isn’t supported. (#18431)
• Element indexes now show “Paste” buttons alongside bulk element action buttons. (#18427)
• Boolean environment variables now universally support truthy/falsy values, including on/off and yes/no. (#18441)
• Impoved the performance of craft\helpers\Typecast. (#18426)
• Added App::normalizeBooleanValue().
• Added craft\events\ExecuteGqlQueryEvent::$cacheDuration. (#18442)
• Added craft\events\ExecuteGqlQueryEvent::$cacheTags. (#18442)
• Added craft\web\Request::getWantsImage().
• Added craft\web\Request::getWantsJson().
• Added craft\web\Request::wants().
• Fixed a bug where 404 responses could be set to an image based on the brokenImagePath config setting for Chrome. (#18438)
• Fixed a bug where some Matrix bulk action labels weren’t getting translated.
• Fixed a bug where global nav items weren’t showing an icon if the icon was set to 0.
• Fixed moderate-severity RCE vulnerabilities. (GHSA-4484-8v2f-5748, GHSA-qx2q-q59v-wf3j)
• Fixed a low-severity XSS vulnerability. (GHSA-3x4w-mxpf-fhqq)
• Fixed a low-severity path traversal vulnerability. (GHSA-472v-j2g4-g9h2)

5.9.10

• slug columns referenced in element queries’ select, where, or orderBy expressions now explicitly resolve to elements_sites.slug. (#18416)
• Fixed a bug where the control panel requests could trigger an infinite browser redirect loop. (#18420)
• Fixed a bug where craft\helpers\App::parseBooleanEnv() wasn’t handling false values properly. (#18418)
• Fixed a bug where DECIMAL field values with 0 precision weren’t gettnig typecasted properly in element queries.

5.9.9

[!WARNING]
Relational condition rules’ element ID templates are now rendered in a sandboxed Twig environment, when enableTwigSandbox is enabled.

• Added craft\helpers\ElementHelper::cleanseQueryCriteria().
• Fixed an error that could occur when editing an element with a Table field. (#18408)
• Fixed an error that occurred when editing a Table field with no default rows. (#18407)
• Fixed a high-severity RCE vulnerability. (GHSA-fp5j-j7j4-mcxc)
• Fixed a high-severity SQL injection vulnerability. (GHSA-g7j6-fmwx-7vp8)

5.9.8

• Element edit pages no longer redirect to their referral URL on save. (#18404)
• Fixed a bug where the Entries index page could trigger an infinite browser redirect loop. (#18400)
• Fixed a styling issue with slideouts within Live Preview. (#18383)

5.9.7

• Nested entries’ edit screens now have a “Field settings” action menu item.
• GraphQL API requests no longer get cache response headers; only no-cache headers, and only if the request had a X-Craft-Gql-Cache: no-cache header, or if the request contained any mutations. (#18348)
• Legacy entry index URLs now redirect content/<page-name>.
• The create() Twig function now allows craft\helpers\ classes to be created. (#18376)

... (truncated)

Changelog

Sourced from craftcms/cms's changelog.

5.9.12 - 2026-02-18

• Added craft\services\Tokens::getRemainingTokenUsages().
• Added craft\web\Request::getTokenRoute().
• Fixed a JavaScript error that could occur when opening or submitting a slideout.
• Fixed a high-severity permission escalation vulnerability. (GHSA-cc7p-2j3x-x7xf)

5.9.11 - 2026-02-17

• The nb locale is now treated as a fallback for no on environments where no isn’t supported. (#18431)
• Element indexes now show “Paste” buttons alongside bulk element action buttons. (#18427)
• Boolean environment variables now universally support truthy/falsy values, including on/off and yes/no. (#18441)
• Impoved the performance of craft\helpers\Typecast. (#18426)
• Added App::normalizeBooleanValue().
• Added craft\events\ExecuteGqlQueryEvent::$cacheDuration. (#18442)
• Added craft\events\ExecuteGqlQueryEvent::$cacheTags. (#18442)
• Added craft\web\Request::getWantsImage().
• Added craft\web\Request::getWantsJson().
• Added craft\web\Request::wants().
• Fixed a bug where 404 responses could be set to an image based on the brokenImagePath config setting for Chrome. (#18438)
• Fixed a bug where some Matrix bulk action labels weren’t getting translated.
• Fixed a bug where global nav items weren’t showing an icon if the icon was set to 0.
• Fixed moderate-severity RCE vulnerabilities. (GHSA-4484-8v2f-5748, GHSA-qx2q-q59v-wf3j)
• Fixed a moderate-severity XSS vulnerability. (GHSA-3x4w-mxpf-fhqq)
• Fixed a low-severity path traversal vulnerability. (GHSA-472v-j2g4-g9h2)

5.9.10 - 2026-02-12

• slug columns referenced in element queries’ select, where, or orderBy expressions now explicitly resolve to elements_sites.slug. (#18416)
• Fixed a bug where the control panel requests could trigger an infinite browser redirect loop. (#18420)
• Fixed a bug where craft\helpers\App::parseBooleanEnv() wasn’t handling false values properly. (#18418)
• Fixed a bug where DECIMAL field values with 0 precision weren’t gettnig typecasted properly in element queries.

5.9.9 - 2026-02-11

[!WARNING]
Relational condition rules’ element ID templates are now rendered in a sandboxed Twig environment, when enableTwigSandbox is enabled.

• Added craft\helpers\ElementHelper::cleanseQueryCriteria().
• Fixed an error that could occur when editing an element with a Table field. (#18408)
• Fixed an error that occurred when editing a Table field with no default rows. (#18407)
• Fixed a high-severity RCE vulnerability. (GHSA-fp5j-j7j4-mcxc)
• Fixed a high-severity SQL injection vulnerability. (GHSA-g7j6-fmwx-7vp8)

5.9.8 - 2026-02-10

• Element edit pages no longer redirect to their referral URL on save. (#18404)
• Fixed a bug where the Entries index page could trigger an infinite browser redirect loop. (#18400)
• Fixed a styling issue with slideouts within Live Preview. (#18383)

... (truncated)

Commits

• b38439a Finish 5.9.12
• 79da2a1 Merge branch '4.x' of https://github.com/craftcms/cms into 5.x
• 0a650c4 Finish 4.17.6
• 5296c56 Merge branch '4.x' of https://github.com/craftcms/cms into 5.x
• a2378c9 Fixed test
• a1363ff Merge branch '4.x' of https://github.com/craftcms/cms into 5.x
• 6301e21 Fixed GHSA-cc7p-2j3x-x7xf
• e181516 Change GHSA-3x4w-mxpf-fhqq from low-severity to moderate-severity
• 02912b2 Fixed a JS error
• 7882526 Finish 5.9.11
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.