Ghost Release: 3.13.2

Tag Name: 3.13.2

Release Date: 4/15/2020

Ghost

Open-source publishing platform specifically designed for professional bloggers and publications. Focuses on clean, minimalist writing and publishing experience.

TL;DR

Ghost 3.13.2: Private Site Access Fix & Package Updates

This minor release fixes a critical issue with private site access when using separate admin domains, addressing cross-origin cookie restrictions in modern browsers. It also includes numerous dependency updates and internal code refactoring to improve maintainability and prepare for future architecture changes.

Highlights of the Release

    • Fixed cross-origin cookie issues for private sites with separate admin domains
    • Improved error handling for resource deletion operations
    • Significant internal code refactoring for better maintainability
    • Multiple dependency updates for security and performance

Migration Guide

No migration steps are required for this release. The changes are primarily bug fixes and internal refactoring that don't affect the public API or require any action from users.

Upgrade Recommendations

This release is recommended for all users, especially those running private Ghost sites with separate admin domains. The fix for cross-origin cookie handling is important for maintaining proper functionality with modern browsers.

The upgrade process should be straightforward with no breaking changes or migration steps required.

Bug Fixes

  • Fixed "View site" functionality for private sites with separate admin domains

    • Modern browsers block cross-origin cookies unless explicitly set with SameSite=none and Secure=true
    • Added explicit SameSite=none option to private site session cookies
    • Note: This fix only works when the front-end site is served over HTTPS
  • Fixed 500 error when deleting non-existent resources

    • Properly catches NotFoundError when attempting to delete invites, labels, tags, or webhooks that don't exist
    • Returns appropriate error responses instead of server errors
  • Fixed error handling when importing LTS exports

    • Changed from InternalServerError to more appropriate IncorrectUsageError
    • Updated code comments and error messages
  • Fixed typos in code

    • Corrected "tempalte" to "template" in test files
    • Fixed typo in migration file

New Features

No significant new features were added in this minor release. The focus was on bug fixes, dependency updates, and internal code refactoring.

Security Updates

  • Updated express-jwt to v5.3.3 to address security vulnerabilities
  • Updated multiple dependencies to their latest versions, including security patches:
    • sanitize-html to v1.23.0
    • jwks-rsa to v1.8.0
    • Various other dependencies with security improvements

Performance Improvements

No specific performance improvements were highlighted in this release. The focus was on bug fixes, dependency updates, and code refactoring.

Impact Summary

Ghost 3.13.2 addresses an important issue with private site access when using separate admin domains. Modern browsers have implemented stricter cross-origin cookie policies, which were preventing the "View site" functionality from working properly. This release adds the necessary SameSite=none and Secure=true cookie options to ensure compatibility.
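The cookie rule behind this fix, as an added example (not Ghost's own code): a small Node.js check that classifies a Set-Cookie header the way a browser enforcing these rules treats it on a cross-site subrequest. The cookie name, sample headers and URLs are constructed for illustration.

```javascript
// Added example: classify Set-Cookie headers for cross-site delivery.
// Cookie name, values and URLs below are constructed for illustration.

// Parse one Set-Cookie header value into its name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq === -1 ? '' : pair.slice(0, eq), attrs: {} };
  for (const attr of rest.filter(Boolean)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? '' : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Verdict for a cross-site subrequest (embedded frame, fetch/XHR) in a browser
// that enforces the stricter SameSite rules described in the release notes.
function crossSiteVerdict(header, frontendUrl) {
  const { attrs } = parseSetCookie(header);
  const sameSite = (attrs.samesite || '').toLowerCase();
  const secure = 'secure' in attrs; // flag attribute, any value is ignored
  const https = new URL(frontendUrl).protocol === 'https:';
  if (sameSite === 'strict' || sameSite === 'lax') return `withheld: SameSite=${sameSite}`;
  if (sameSite !== 'none') return 'withheld: no SameSite attribute, treated as Lax';
  if (!secure) return 'rejected: SameSite=None without Secure';
  if (!https) return 'rejected: Secure cookie set by a non-HTTPS site';
  return 'sent cross-site';
}

// Constructed samples: [Set-Cookie value, front-end URL].
const SAMPLES = [
  ['private-session=abc; Path=/; HttpOnly', 'https://blog.example.com/'],
  ['private-session=abc; Path=/; HttpOnly; SameSite=None', 'https://blog.example.com/'],
  ['private-session=abc; Path=/; HttpOnly; SameSite=None; Secure', 'http://blog.example.com/'],
  ['private-session=abc; Path=/; HttpOnly; SameSite=None; Secure', 'https://blog.example.com/'],
];

function auditSamples() {
  return SAMPLES.map(([header, url]) => crossSiteVerdict(header, url));
}

console.log(auditSamples().join('\n'));
```

Only the last sample, with both attributes and an HTTPS front-end, survives, which matches the note that the fix only works when the front-end site is served over HTTPS.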

The release also includes numerous internal code improvements, including better error handling for resource deletion operations and significant refactoring to prepare for future architecture changes. Multiple packages have been extracted to the Ghost monorepo, improving maintainability.

Several dependency updates address security vulnerabilities and bring components up to date. While this is a minor release, it's recommended for all users, especially those running private Ghost sites with separate admin domains.

Full Release Notes

  • 🐛 Fixed "View site" not logging into private sites with separate admin domains - Kevin Ansfield

See the changelogs for Ghost and Ghost-Admin for the details of every change in this release.

Statistics:

  • Files Changed: 112
  • Line Additions: 847
  • Line Deletions: 1,081
  • Line Changes: 1,928
  • Total Commits: 50

Users Affected:

  • Can now properly access private sites when using separate admin domains
  • Will experience more reliable error handling when deleting non-existent resources

Contributors:

renovate-bot, timgates42, daniellockyer, kevinansfield, ErisDS