Ghost Release: 3.12.0

TL;DR

Ghost 3.12.0 introduces externally verifiable identity tokens, improves error handling for file permissions and theme translations, and fixes several bugs including YouTube video embeds in AMP pages and missing publication icons in newsletter emails. This release enhances security, reliability, and user experience while maintaining compatibility with existing installations.

Highlight of the Release

• Added externally verifiable identity tokens with new endpoints for domain verification
• Fixed YouTube video embeds not displaying in AMP pages
• Improved error handling for file permissions and theme translations
• Fixed missing publication icon in newsletter emails for subdirectory setups
• Enhanced HTML to Mobiledoc conversion with multiple bug fixes

Migration Guide

Migration Notes

This release includes database migrations that will run automatically when upgrading:

• Added migration for read:identity permission to ensure it exists in version 3.12
• Renamed migration in 3.12 to follow numerical sequence (migrations within a minor have numbered prefixes like 01-, 02-, 03-)

No manual intervention is required when upgrading from Ghost 3.11.0.

Upgrade Recommendations

This release is recommended for all Ghost installations as it includes important bug fixes, security enhancements, and new features.

Standard upgrade process:

1. Back up your database and content
2. Update Ghost-CLI to the latest version: npm install -g ghost-cli@latest
3. Run ghost update in your Ghost installation directory

For manual installations, follow the upgrade guide in the Ghost documentation.

The update is backward compatible with Ghost 3.11.0 and should not cause any disruption to your site's functionality.

Bug Fixes

Fixed YouTube Video Embeds in AMP Pages

• Added amp-youtube to the allowed AMP components list
• Adjusted {{amp_components}} output to include the amp-youtube script when YouTube iframes are detected in content

Fixed Missing Publication Icon in Newsletter Emails

• Corrected the URL generation for publication icons in newsletter emails
• Now properly handles subdirectory setups to ensure the logo appears correctly

Improved HTML to Mobiledoc Conversion

Several fixes for HTML to Mobiledoc conversion:

• Fixed multiple spaces appearing in text content when source content is indented with newlines
• Fixed crashes when source content has <li> elements containing headers
• Fixed crashes when source content has non-<li> top-level elements inside a list
• Fixed blockquote>p markup in source content losing blockquote styling

Better Error Handling

• Fixed file permission errors in storage adapter that previously caused 500 errors
• Improved error handling for invalid JSON in theme translations
• Now logs an error when parsing fails and falls back as if the locale doesn't exist

New Features

Externally Verifiable Identity Tokens

Ghost now provides a mechanism for domain verification with external services through JWT tokens:

• Added new endpoints:

  • /ghost/.well-known/jwks.json for exposing a public key
  • /identities on the canary API for Owner users to fetch a JWT

• Added ghost_public_key and ghost_private_key settings for generating tokens to communicate with external services

Theme Internationalization Improvements

• Refactored theme i18n implementation:
  • Introduced an I18n base class for shared logic
  • Created ThemeI18n class that extends the base functionality
  • Better encapsulation of logic with clearer separation of concerns

Enhanced Testing Framework

• Added frontend acceptance tests to verify default behavior
• Added acceptance tests for private blogging
• Improved CI configuration to only run MySQL container on MySQL tests
• Added timer for Start Ghost test utility to help debug slow tests

Security Updates

Security Enhancements

• Added externally verifiable identity tokens system with public/private key infrastructure
• Updated sanitize-html dependency to v1.22.1 with security improvements
• Updated Sentry Node dependency to v5.15.0 with security patches

Performance Improvements

CI Performance Improvements

• Configured CI to only run MySQL container on MySQL tests, saving approximately 50 seconds on SQLite tests
• Improved GitHub Actions workflow organization

Dependency Updates

• Updated several dependencies to newer versions with performance improvements:
  • Updated sharp to v0.25.2 for improved image processing
  • Updated fs-extra to v9 for better file system operations
  • Updated various Ghost packages with performance optimizations

Impact Summary

Ghost 3.12.0 brings significant improvements to security, reliability, and user experience. The addition of externally verifiable identity tokens enhances Ghost's ability to integrate securely with third-party services. Bug fixes for YouTube embeds in AMP pages and newsletter email icons improve content delivery across platforms. Developers will benefit from better error handling and refactored theme internationalization code, making custom theme development more robust. The release maintains backward compatibility while adding valuable features and fixing important issues, making it a recommended upgrade for all Ghost installations.

Full Release Notes