# v4.0.x to v4.1.8 migration guide
The Strapi v4.0.x to v4.1.8 migration guide upgrades versions of v4.0.6 through v4.1.7 to v4.1.8. The minimum configuration for config/admin now includes the API token API_TOKEN_SALT. Strapi no longer populates default values for the admin JWT in config/admin. Initial values are generated and stored in the .env file during project creation. Strapi no longer passes secrets to non-development environments, requiring users to set the secrets purposefully. The migration to v4.1.8 consists of 4 steps:
- upgrading the application dependencies
- adding the API token to config/admin,
- removing the default ADMIN_JWT_SECRET(recommended for improved security),
- configuring JWT_SECRETinconfig/plugins(recommended),
- setting secrets for non-development environments.
# Upgrading the application dependencies to 4.1.8
PREREQUISITES
Stop the server before starting the upgrade.
- Upgrade all of the Strapi packages in the package.jsonto4.1.8:
// path: package.json
{
  // ...
  "dependencies": {
    "@strapi/strapi": "4.1.8",
    "@strapi/plugin-users-permissions": "4.1.8",
    "@strapi/plugin-i18n": "4.1.8",
    "better-sqlite3": "7.4.6"
    // ...
  }
}
- Save the edited - package.jsonfile.
- Run either - yarnor- npm installto install the new version.
💡 TIP
If the operation doesn't work, try removing your yarn.lock or package-lock.json. If that doesn't help, remove the node_modules folder as well and try again.
# Fixing the breaking changes
- Modify the config/adminfile. Strapi, by default, creates the environmental variableAPI_TOKEN_SALTand populates a unique value, stored in/.envat project creation. In order to updateconfig/admin:
- add the apiToken object,
- remove the comma and default value from the ADMIN_JWT_SECRETparenthetical.
- ConfigureJWT_SECRET.JWT_SECRETis used by the Users and Permissions plugin, and populated in/.env. The property should be stored inconfig/plugins.js(orconfig/plugins.tsfor a TypeScript project). Thepluginsfile is not created by default in a Strapi application. If the file does not exist, users should create the file and add the follow code snippet.
# Setting secrets for non-development environments
Users are required to set secrets for each unique environment, such as a prodcution environment deployment on a platform. Strapi no longer passes the following secrets to non-development environments:
- APP_KEYS
- JWT_SECRET
- API_TOKEN_SALT
- ADMIN_JWT_SECRET
There are multiple methods to generate secrets, such as running openssl rand -base64 32 in the terminal (Mac and Linux OS). Generating unique secrets for each environment is recommended for increased security.
✋ CAUTION
The Hosting Provider Guides are being updated to reflect these changes. Community contributions updating the hosting guides are encouraged.
# Reinitializing the application
Rebuild the administration panel and start the application:
