Ghost Release: 3.5.1

Tag Name: 3.5.1

Release Date: 2/10/2020

Ghost

Open-source publishing platform designed for professional bloggers and publications. It focuses on a clean, minimalist writing and publishing experience.

TL;DR

Ghost 3.5.1: Improved CSV Import Reliability & Fixed Public Asset Serving

This maintenance release focuses on improving the reliability of the member CSV import functionality and fixes a critical issue with serving public image assets. The update adds error logging for CSV imports, implements concurrency limits for member creation to prevent API rate limits, and resolves an issue where binary public files (particularly images) were being incorrectly served, causing them to appear corrupted or trigger downloads instead of displaying properly.

Highlights of the Release

    • Fixed critical issue with serving binary public files that caused images to appear corrupted or trigger downloads
    • Added comprehensive error logging for CSV member imports
    • Implemented concurrency limits for member creation during imports to prevent API rate limits
    • Added backup functionality for the users DELETE endpoint

Migration Guide

No migration steps are required for this release. This is a maintenance release that can be safely installed without any additional configuration or changes to your existing setup.

Upgrade Recommendations

This release fixes a critical issue with serving public image assets and improves the reliability of member CSV imports. We strongly recommend all users upgrade to Ghost 3.5.1 to ensure proper functioning of public assets and to benefit from the improved error handling and performance optimizations.

The upgrade process should be straightforward with no breaking changes or special migration steps required.

Bug Fixes

  • Fixed Binary Public File Serving

    • Resolved an issue where public asset images were being corrupted when served
    • Fixed incorrect handling where binary files were being read as strings, causing data loss
    • Corrected MIME type for PNG files that was causing browsers to trigger downloads instead of displaying images
    • Updated servePublicFile to treat any MIME type starting with image as a binary file
    • Implemented direct file serving using res.sendFile for image files, bypassing in-memory content caching
  • Fixed Stripe Integration Issues

    • Updated @tryghost/members-api to version 0.14.1
    • Fixed an issue where members_stripe_customers_subscriptions couldn't be created due to plan 'nickname' NOT NULL constraint
    • Addressed compatibility with earlier versions of Stripe API where the nickname property could be null
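Why reading a binary file as a string loses data, as described under "Fixed Binary Public File Serving" above. This is an added example, not Ghost's code: the function names and the sample bytes are constructed here, and only the "starts with image" rule comes from the release notes.

```javascript
// Constructed sample: the 8-byte PNG signature followed by the start of an IHDR chunk.
const PNG_HEAD = Buffer.from([
    0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a,
    0x00, 0x00, 0x00, 0x0d, 0x49, 0x48, 0x44, 0x52
]);

// The rule the release notes describe: any MIME type starting with "image" is binary.
function isBinaryMime(type) {
    return type.startsWith('image');
}

// Models the faulty path: bytes decoded to a string, then encoded again for the response.
// 0x89 is not valid UTF-8, so it is replaced by U+FFFD, which encodes as three bytes.
function viaString(bytes) {
    return Buffer.from(bytes.toString('utf8'), 'utf8');
}

// Models the corrected choice: binary types keep their bytes, text may pass through a string.
function bodyFor(bytes, type) {
    return isBinaryMime(type) ? Buffer.from(bytes) : viaString(bytes);
}

// Offset of the first byte that differs, or -1 when the buffers are identical.
function firstDifference(a, b) {
    const n = Math.min(a.length, b.length);
    for (let i = 0; i < n; i++) {
        if (a[i] !== b[i]) return i;
    }
    return a.length === b.length ? -1 : n;
}

const broken = viaString(PNG_HEAD);
console.log('string path :', broken.length, 'bytes, first difference at', firstDifference(PNG_HEAD, broken));
console.log('binary path :', firstDifference(PNG_HEAD, bodyFor(PNG_HEAD, 'image/png')));
console.log('text/css    :', firstDifference(Buffer.from('body{}'), bodyFor(Buffer.from('body{}'), 'text/css')));
```

A check like `firstDifference` against the file on disk works as a regression test for any static-file handler that caches content in memory.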

New Features

New Backup Features

  • User Deletion Backups: Added basic backup implementation for the users DELETE endpoint
    • Returns a filename that can be used to fetch the backup on demand
    • Provides a safety net when deleting user data
  • Backup Retrieval System: Implemented functionality to retrieve backups from files
    • Added input sanitization for backup paths to prevent path traversal attacks
    • Proper 404 handling when requested backup files don't exist

Security Updates

  • Path Traversal Protection
    • Added input sanitization for backup file paths
    • Limited allowed filenames accepted by the backup retrieval method
    • Prevents potential path traversal attacks when accessing backup files
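One way to implement the filename restriction described here and under "Backup Retrieval System" above. This is an added example, not Ghost's own code: the backup directory, the allowed filename pattern, and the function names are assumptions, and the sample requests are constructed.

```javascript
const path = require('path');

// Assumption: backup directory; the page does not say where Ghost stores backups.
const BACKUP_DIR = '/var/lib/ghost/content/data';

// Assumption: allowed filename shape. Starts with an alphanumeric, then
// alphanumerics, dots, underscores or hyphens, and ends in ".json".
const SAFE_NAME = /^[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.json$/;

// Returns the absolute path for a permitted backup name, or null if rejected.
function resolveBackupPath(requested, baseDir = BACKUP_DIR) {
    if (typeof requested !== 'string' || requested.includes('\0')) {
        return null;
    }
    // Layer 1: the input must already be a bare filename that fits the allowlist.
    if (path.basename(requested) !== requested || !SAFE_NAME.test(requested)) {
        return null;
    }
    // Layer 2: after resolution the path must still sit inside the backup directory.
    const base = path.resolve(baseDir);
    const full = path.resolve(base, requested);
    return full.startsWith(base + path.sep) ? full : null;
}

// Models the retrieval endpoint. `existing` stands in for the filesystem so the
// example runs offline. Rejected and missing names both get a 404 (a choice made
// in this example), so the response does not reveal which check failed.
function handleBackupRequest(requested, existing) {
    const full = resolveBackupPath(requested);
    if (full === null || !existing.has(full)) {
        return {status: 404, file: null};
    }
    return {status: 200, file: full};
}

// Constructed sample data.
const SAMPLE_FILES = new Set([path.resolve(BACKUP_DIR, 'users-backup-2020-02-10.json')]);
const SAMPLE_REQUESTS = [
    'users-backup-2020-02-10.json',   // present
    'users-backup-2019-01-01.json',   // well-formed but missing
    '../../config.production.json',   // parent-directory traversal
    '/etc/passwd',                    // absolute path
    '..\\..\\config.production.json', // backslash variant
    '%2e%2e%2fconfig.production.json' // still-encoded traversal
];
for (const name of SAMPLE_REQUESTS) {
    console.log(JSON.stringify(name), '->', handleBackupRequest(name, SAMPLE_FILES).status);
}
```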

Performance Improvements

  • CSV Import Concurrency Limits

    • Added concurrency limits for member creation during CSV imports
    • Prevents connection pool problems by limiting parallel requests
    • Avoids hitting API rate limits (e.g., Stripe API's 100 req/s limit)
    • Results in more reliable imports of large member batches
  • Optimized Public File Serving

    • Improved handling of binary files by skipping in-memory content caching
    • Direct file serving for images using Express's res.sendFile
    • More efficient resource usage when serving image assets

Impact Summary

Ghost 3.5.1 addresses several important issues that impact the reliability and functionality of the platform. The most significant fix resolves how binary files (particularly images) are served, preventing corruption and ensuring proper display in browsers. This affects all Ghost sites that serve public images.

The release also substantially improves the member CSV import process by adding comprehensive error logging and implementing concurrency limits to prevent API rate limits and connection pool issues. This is particularly important for sites that regularly import large batches of members.

Additionally, the new backup functionality for user deletion provides an important safety feature for administrators, allowing them to recover data if needed after deleting users.

Overall, this maintenance release enhances stability, fixes critical functionality, and improves the administrative experience without introducing breaking changes.

Full Release Notes

No user-visible changes in this release.

Statistics:

Files Changed: 14
Line Additions: 171
Line Deletions: 84
Line Changes: 255
Total Commits: 16

Users Affected:

  • More reliable CSV member imports with better error logging
  • Fixed issues when importing large batches of members
  • Ability to retrieve backups when deleting users

Contributors:

naz, renovate-bot, kevinansfield, daniellockyer