Ghost Release: 2.2.2

TL;DR

Ghost 2.2.2 is a maintenance release that addresses critical authentication issues affecting users on Node.js v6, blogs running in subdirectories, and those migrating from v1 to 2.2.1. This release also improves error messaging for CSRF protection and enhances the API with roles controller migration to v2.

Highlight of the Release

• Fixed critical authentication issues for Node.js v6 users
• Resolved session authentication for blogs running in subdirectories
• Fixed migration issues from Ghost v1 to 2.2.1
• Improved error messaging for CSRF and unknown origin errors
• Migrated roles controller to API v2

Migration Guide

No specific migration steps are required when upgrading from Ghost 2.2.1 to 2.2.2.

If you're upgrading from Ghost v1 directly to this version, this release fixes previous migration issues, making the process more reliable. However, it's still recommended to follow the standard upgrade path through major versions for the smoothest experience.

Upgrade Recommendations

This is a recommended upgrade for all Ghost users, especially for:

• Users running Ghost on Node.js v6
• Blogs configured to run in a subdirectory
• Anyone experiencing issues when migrating from Ghost v1 to 2.2.1

The release contains important bug fixes that improve authentication reliability and provides better error messaging for troubleshooting.

Bug Fixes

Authentication Fixes

• Fixed session authentication for Node.js v6 by using legacy URL handling instead of the WHATWG URL class that requires Node ≥6.14.4
• Fixed session authentication for blogs running in subdirectories by correctly adding the subdirectory to the path for session cookies
• Resolved migration issues when upgrading from Ghost v1 to 2.2.1, addressing database-related errors

Error Message Improvements

• Enhanced unknown origin error messages with more detailed information to help users diagnose and fix problems
• Included expected and actual origin information in CSRF error messages for better self-diagnosis

New Features

API Improvements

• Migrated roles controller to API v2, continuing the ongoing API modernization effort
• Added simplified validation options by allowing arrays to be passed directly instead of requiring objects with a values key

Security Updates

No specific security fixes were included in this release, though the improvements to CSRF error messaging help users better understand and address potential security configuration issues.

Performance Improvements

No specific performance improvements were included in this release.

Impact Summary

Ghost 2.2.2 focuses on fixing critical authentication issues and improving error messaging. The fixes for Node.js v6 compatibility ensure that users on older Node versions can continue to use Ghost without authentication problems. The subdirectory fix resolves a significant issue for users who don't run Ghost at the root of their domain.

The improved error messages for CSRF and unknown origin errors will help administrators diagnose and fix configuration issues more easily, reducing support requests and improving the self-hosting experience.

The migration of the roles controller to API v2 continues Ghost's ongoing API modernization efforts, providing developers with a more consistent API experience. The validation enhancement offers a more streamlined developer experience when working with Ghost's validation system.

Full Release Notes