Conversation
no ref

Adds 11 entries to the root `pnpm.overrides` block to force vulnerable transitive deps forward, without touching any direct deps. All replacement versions are pinned with `^x.y.z` to keep upgrades within the existing major.

**Modules:** `@tootallnate/once`, `clean-css`, `debug` (×2 ranges), `diff` (×2 ranges), `handlebars`, `minimatch` (×2 ranges), `qs`, `tmp`

**Audit delta:** `pnpm audit` 153 → 123 (−1 crit, −14 high, −4 mod, −11 low)

## Notes

- `handlebars` and `tmp` are direct deps in `ghost/core` but already match the override-target version, so this is a no-op for direct deps.
- Transitive major-version jumps (`clean-css 3 → 4`, `tmp 0.0.x → 0.2.5`, `diff 1 → 3`, `minimatch 0 → 3`) are confined to the Ember admin dev/build toolchain (`broccoli-clean-css`, `mocha 2.5.3`, `sane`, `external-editor`, `fixturify-project`); none reach production runtime, public apps, or `ghost/core/server/`.
- Lockfile shrank by ~110 lines from override deduplication.
closes https://linear.app/ghost/issue/DES-1355/
closes https://linear.app/ghost/issue/DES-1354/

- bumped Koenig dependencies, including core editor app that includes fix for Tailwind V4/V3 conflicts that doubled up on negative translate positioning styles
no ref

Adds a single override to root `pnpm.overrides`:

```json
"tar@<7.5.11": "^7.5.11"
```

Forces `sqlite3`'s internal `node-gyp 8` chain — which previously pulled the deprecated `tar@6.2.1` — onto `tar@7.5.13`. After the override, all `tar` versions in the tree collapse to a single `7.5.13`.

## On the 6 → 7 major jump

This crosses a major boundary. Two mitigations apply:

- The actual consumer in this chain is `node-gyp`'s prebuild-extraction step. It calls `tar.x()` (and the streaming variants), which haven't changed across 6 → 7.
- The version-engine bump in tar 7 (Node 10+ → Node 18+) is satisfied — `ghost/core` requires `node ^22.13.1`.

The 6.x line of `tar` has no fixed version (publisher marked it deprecated), so an in-major fix isn't possible. The override is removable when `sqlite3` is bumped to a release that ships with `node-gyp >= 11`.

## Audit delta

`pnpm audit`: 123 → 117 (`−6 high`).
no ref

Bumps `multer` in `ghost/core` from `2.0.2` to `2.1.1` to clear three high-severity advisories. Minor version within the 2.x major — no API changes; `multer()`, `upload.single()`, `upload.fields()`, and `multer.MulterError` behave identically.

## Advisories cleared

| CVE | severity | fixed in |
|---|---|---|
| CVE-2026-3304 | high | 2.1.0 |
| CVE-2026-2359 | high | 2.1.0 |
| CVE-2026-3520 | high | 2.1.1 |

`pnpm audit` total: 123 → 120 (`−3 high`).
no ref `hbs.cachePartials` is async, but we weren't waiting for it. Let's start doing that, which should make this test more reliable.
…7576) no ref

Adds a single override to root `pnpm.overrides`:

```json
"@xmldom/xmldom@<0.8.13": "^0.8.13"
```

`@xmldom/xmldom` is transitive only — pulled in by `ghost/admin > testem`. Resolved version after the override is `0.8.13`, a patch-level bump within the 0.8.x line; no API surface change. The override is removable when `testem` is bumped to a version that declares `@xmldom/xmldom >= 0.8.13` directly.

## Audit delta

`pnpm audit`: 123 → 118 (`−5 high`).

## Test plan

- [x] `pnpm install` clean; `@xmldom/xmldom@0.8.13` resolved (single version, no major drift)
- [x] `ghost/admin` Ember test suite (testem is the consumer) — 1065 / 1065 passing
- [ ] CI green
no ref _I recommend reviewing this with whitespace changes disabled._ This is a test-only change.
no ref This is a test-only change. I think it's useful on its own, but will make upcoming changes (like migrating to Vitest) a bit easier.
ref #27421 (comment) `emailAddressService.init()` was put in a `Promise.all` unnecessarily. Now it's just a regular function call.
no ref

Adds a single override to root `pnpm.overrides`:

```json
"undici@<6.24.0": "^6.24.0"
```

The vulnerable `undici@5.29.0` was being pulled in via:

```
ghost/core > @tryghost/metrics > @tryghost/elasticsearch > @elastic/transport > undici@5.29.0
```

After the override, the chain resolves to `undici@6.24.1` (caret-pinned within the 6.x major). Other undici versions in the tree (`6.24.1` from `@actions/http-client`, `7.x` from `jsdom`) are unaffected — those consumers were already on safe ranges.

## On the 5 → 6 major bump

This forces `@elastic/transport@8.4.1` to use undici 6 instead of 5. `@elastic/transport` is a **runtime path** — it executes when `@tryghost/metrics` ships log/metric data to elasticsearch.

- `@elastic/transport` loads cleanly under undici 6 in unit tests (no require-time / load-time errors surfaced).
- The undici 5 → 6 changes that affect consumers are mostly the removal of deprecated APIs and a Node-version bump (10+ → 18+); `ghost/core` requires Node 22+ so the engine constraint is satisfied.
- `@elastic/transport` uses standard request/response APIs that haven't changed across the bump.

The residual unknown is **actual elasticsearch traffic in production**. Local tests don't exercise live ES requests; staging / CI integration coverage is the place to catch this.

The override is removable when `@tryghost/metrics` or `@elastic/transport` ships a release that declares `undici >= 6.24.0` directly.

## Audit delta

`pnpm audit`: 114 → 109 (`−2 high`, `−3 moderate`).
no ref

Two apps (`apps/announcement-bar`, `apps/sodo-search`) reference `concurrently` in their own `dev` scripts but never declare it as a `devDependency`.
ref 30ab483 This test-only cleanup should have no user impact.
no ref

Two changes work together to clear all 3 lingering `lodash` advisories:

1. `ghost/core` direct dep: `lodash` `4.17.23` → `4.18.1`
2. Root `pnpm.overrides`: `"lodash@<4.18.0": "^4.18.0"`

The direct edit alone was not enough — transitive consumers `@tryghost/limit-service` (in `admin-x-settings`) and `@testing-library/jest-dom` (in `admin-x-framework`) still pulled `lodash@4.17.x`, keeping the high and moderate advisories alive. The override forces every `lodash` consumer in the tree to `>=4.18.0`, collapsing the resolved tree to a single `lodash@4.18.1` instance.

`lodash` 4.17 → 4.18 is a minor bump within the 4.x major; the API and function signatures are unchanged. The override is removable when `@tryghost/limit-service` and `@testing-library/jest-dom` each ship a release that declares `lodash >=4.18.0` directly.
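The override commits in this sync (`tar`, `undici`, `@xmldom/xmldom`, `lodash`) all follow one pattern: a `name@<x.y.z` selector mapped to a `^x.y.z` replacement, then a check that every consumer now resolves outside the vulnerable range and a note on any consumer that crossed a major boundary. The script below is an added example, not code from the Ghost repository or from these commits. It re-implements that post-install check over constructed before/after snapshots of the resolved tree; the package names and consumer paths are modelled on the messages above, but the version data (including `7.3.0` for jsdom's undici) and the deliberately broken `lodash` entry are made up for illustration. The semver matcher is a minimal one that only covers the `<`, `>=`, `^`, exact and `*` forms these overrides use, so it needs no external packages.

```javascript
// Added example, not code from the Ghost repository: sanity-check pnpm.overrides
// entries of the form "name@<x.y.z": "^x.y.z" against before/after snapshots of
// the resolved dependency tree. The snapshot data below is constructed, not lockfile output.
// No external packages: the matcher only handles "<", ">=", "^", exact and "*".

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Minimal range check for the operators that appear in the overrides above.
function satisfies(version, range) {
  const r = range.trim();
  if (r === '*') return true;
  if (r.startsWith('>=')) return compare(version, r.slice(2)) >= 0;
  if (r.startsWith('<')) return compare(version, r.slice(1)) < 0;
  if (r.startsWith('^')) {
    const base = r.slice(1);
    if (compare(version, base) < 0) return false;
    const [vMaj, vMin] = parseVersion(version);
    const [bMaj, bMin] = parseVersion(base);
    // ^0.y.z stays within 0.y.*; ^x.y.z with x > 0 allows the rest of that major.
    return bMaj === 0 ? vMaj === 0 && vMin === bMin : vMaj === bMaj;
  }
  return compare(version, r) === 0;
}

// "tar@<7.5.11" -> { name: "tar", selector: "<7.5.11" }.
// Scoped names keep their leading "@"; a bare name overrides every version.
function parseOverrideKey(key) {
  const at = key.lastIndexOf('@');
  if (at <= 0) return { name: key, selector: '*' };
  return { name: key.slice(0, at), selector: key.slice(at + 1) };
}

// before/after: arrays of { name, version, via } (via = the consumer that pulled it in).
// `problems` non-empty means the override did not do its job; `majorJumps` lists the
// consumers that crossed a major boundary and therefore need the kind of review
// written up in the tar and undici messages.
function checkOverride(key, replacement, before, after) {
  const { name, selector } = parseOverrideKey(key);
  const base = replacement.trim().replace(/^[\^<>=]+/, '');
  const problems = [];
  // A replacement that still matches its own selector fixes nothing (e.g. "<4.18.0" -> "^4.17.21").
  if (satisfies(base, selector)) problems.push(`replacement ${replacement} is inside selector ${selector}`);
  const targeted = before.filter((p) => p.name === name && satisfies(p.version, selector));
  const afterByVia = new Map(after.filter((p) => p.name === name).map((p) => [p.via, p.version]));
  for (const p of targeted) {
    const now = afterByVia.get(p.via);
    if (now === undefined) problems.push(`${p.via}: ${name} missing from post-install snapshot`);
    else if (satisfies(now, selector)) problems.push(`${p.via}: still resolves vulnerable ${name}@${now}`);
    else if (!satisfies(now, replacement)) problems.push(`${p.via}: ${name}@${now} is outside ${replacement}`);
  }
  const majorJumps = targeted
    .filter((p) => parseVersion(p.version)[0] !== parseVersion(base)[0])
    .map((p) => `${p.via}: ${p.version} -> ${parseVersion(base)[0]}.x`);
  return {
    key, replacement, targeted: targeted.length,
    distinctAfter: [...new Set(afterByVia.values())].sort(compare),
    majorJumps, problems, ok: problems.length === 0,
  };
}

function runChecks(overrides, before, after) {
  return Object.entries(overrides).map(([key, repl]) => checkOverride(key, repl, before, after));
}

// Constructed snapshots modelled on the tar/undici overrides above, plus a deliberately
// broken lodash entry whose replacement sits inside its own vulnerable range.
const OVERRIDES = { 'tar@<7.5.11': '^7.5.11', 'undici@<6.24.0': '^6.24.0', 'lodash@<4.18.0': '^4.17.21' };
const BEFORE = [
  { name: 'tar', version: '6.2.1', via: 'sqlite3 > node-gyp@8' },
  { name: 'tar', version: '7.5.13', via: 'ghost/core' },
  { name: 'undici', version: '5.29.0', via: '@elastic/transport' },
  { name: 'undici', version: '6.24.1', via: '@actions/http-client' },
  { name: 'undici', version: '7.3.0', via: 'jsdom' },
  { name: 'lodash', version: '4.17.23', via: 'ghost/core' },
];
const AFTER = [
  { name: 'tar', version: '7.5.13', via: 'sqlite3 > node-gyp@8' },
  { name: 'tar', version: '7.5.13', via: 'ghost/core' },
  { name: 'undici', version: '6.24.1', via: '@elastic/transport' },
  { name: 'undici', version: '6.24.1', via: '@actions/http-client' },
  { name: 'undici', version: '7.3.0', via: 'jsdom' },
  { name: 'lodash', version: '4.17.23', via: 'ghost/core' },
];

for (const f of runChecks(OVERRIDES, BEFORE, AFTER)) {
  console.log(`${f.ok ? 'OK  ' : 'FAIL'} ${f.key} -> ${f.replacement}`,
    JSON.stringify({ distinctAfter: f.distinctAfter, majorJumps: f.majorJumps, problems: f.problems }));
}
```

In practice the `BEFORE`/`AFTER` arrays would be filled from `pnpm list --depth Infinity --json` (or the lockfile) taken before and after editing `pnpm.overrides`; the point of keeping the `via` path is that an override only rewrites resolutions that fall inside its selector, so a consumer already on a higher major (the `7.x` undici from `jsdom`) must be left alone rather than reported as "outside the replacement range".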
)

## Summary

Bumps `dompurify` from a vulnerable `3.3.x` release to `3.4.1` (current latest) in the three workspaces that depend on it directly:

- `ghost/core`: `3.3.0` → `3.4.1`
- `apps/activitypub`: `3.3.1` → `3.4.1`
- `apps/portal`: `3.3.1` → `3.4.1`

Patch and minor versions within the dompurify 3.x line are backward-compatible; the `sanitize()` API and option shape are unchanged.
Created by
pull[bot] (v2.0.0-alpha.4)