Ghost Release: 2.10.0

TL;DR

Ghost 2.10.0 introduces a significantly improved v2 Content API with cleaner responses, new endpoints, and better security. The theme API now supports {{@site}} as an alias for {{@blog}}, and image handling has been enhanced with better support for GIFs, SVGs, and unoptimized images. This release focuses on API improvements, performance optimizations, and bug fixes to provide a more streamlined experience for developers and content creators.

Highlight of the Release

• New and improved v2 Content API with cleaner responses and standardized field handling
• New Settings endpoint in v2 Content API for accessing public site information
• Aliased {{@blog}} as {{@site}} in the theme API (preparing for Ghost 3.0)
• Better handling of responsive images for GIFs and SVGs
• Added brute force protection to Content API for improved security
• Fixed high CPU usage issue with grunt dev

Migration Guide

Migration Notes

• Theme Developers: Start using {{@site}} instead of {{@blog}} in your themes, as {{@blog}} will be removed in Ghost 3.0
• API Consumers: Be aware that the v2 Content API no longer exposes certain fields:
  • Removed from tags: created_at, updated_at, parent
  • Removed from authors: locale, accessibility, tour
  • Removed from posts: locale, author status, page (temporarily added back)
  • Removed x_by fields (published_by, updated_by, created_by)
• Empty Values: The Content API now returns null instead of empty strings for empty values
• API Validation: Invalid properties in include parameters are now silently removed rather than causing errors

Upgrade Recommendations

This is a recommended upgrade for all Ghost users, especially those utilizing the Content API or developing themes. The improvements to the v2 Content API provide a cleaner, more efficient interface for developers, while the bug fixes and performance improvements benefit all users.

To upgrade:

1. Make a backup of your Ghost installation
2. Follow the standard upgrade process for your installation method
3. If you're using the Content API, test your integrations to ensure compatibility with the cleaner API responses
4. Theme developers should begin transitioning from {{@blog}} to {{@site}} to prepare for Ghost 3.0

No database migrations are required for this update.

Bug Fixes

• Fixed Responsive Images for GIFs & SVGs: Resolved issues with responsive image handling for GIF and SVG formats by redirecting to the original image when appropriate
• Fixed High CPU Usage: Resolved an issue where grunt dev would cause high CPU usage by excluding the core/server/lib/members/static/auth directory from the express reload watch task
• Fixed URL Service: Added ability to notify and update URL service about changes in related resources
• Fixed Site Using API v2: Resolved routing configuration issues for multiple API versions
• Fixed Event Listeners: Fixed issue where event listeners were not being properly removed in test environments

New Features

New & Improved v2 Content API

The v2 Content API has been significantly enhanced with cleaner responses and standardized field handling:

• New Settings Endpoint: Access commonly used, public information from site settings
• Calculated Excerpt Field: Posts now include an automatically generated excerpt field
• Author Model Improvements: Author model now returns only users that have published non-page posts
• Public Tag Controller: Added a dedicated controller for public tags
• Cleaner Responses: Removed unused and deprecated fields for cleaner API responses
• Standardized Empty Values: Empty values now consistently return null instead of empty strings

Theme API Improvements

• {{@site}} Helper: Aliased {{@blog}} as {{@site}} in the theme API (preparing for Ghost 3.0 where {{@blog}} will be removed)
• Dynamic Resource Configuration: Made resource configuration dynamic based on current theme engine

Security Enhancements

• Brute Force Protection: Added spam prevention for content API keys
• Shorter API Keys: Content API keys now have a minimum length of 26 characters (previously longer)

Security Updates

Security Improvements

• Brute Force Protection: Added spam prevention mechanisms for content API keys to protect against brute force attacks
• Request Monitoring: Implemented middleware that monitors request completion and resets spam prevention data for successful requests
• Extended Protection Period: Set maximum wait time for blocked IPs to 24 hours
• API Key Security: Updated ApiKey model to use shorter but still secure secrets for content keys

Performance Improvements

• Optimized Image Handling: Updated middleware for dynamic image sizes to attempt to read the unoptimized image first, taking into account the -n suffix for duplicate image names
• Reduced CPU Usage: Fixed high CPU usage in development mode by excluding large node_modules directories from watch tasks
• Cleaner API Responses: Removed unused fields from API responses, making them leaner and more efficient
• Refactored Routing Config: Implemented cleaner configuration for multiple API versions, improving maintainability and performance

Impact Summary

Ghost 2.10.0 represents a significant step forward in API development, focusing on cleaning up and standardizing the v2 Content API. The changes primarily impact developers working with the API and theme authors, with minimal disruption to end users.

The introduction of brute force protection for the Content API enhances security, while improvements to image handling provide better support for various file formats. The aliasing of {{@blog}} as {{@site}} signals an important transition for theme developers to prepare for Ghost 3.0.

Performance improvements, particularly the fix for high CPU usage in development mode, will benefit developers working on Ghost itself. The cleaner API responses and standardized field handling make the platform more developer-friendly and consistent.

Overall, this release focuses on refinement and preparation for future changes rather than introducing major new user-facing features.

Full Release Notes