TL;DR
Ghost 5.105.0 brings significant improvements to the comments system, enhanced security for uploaded files, and better mobile experience in the admin interface. The update includes a comprehensive overhaul of the comments UI with improved notification grouping, better profile interactions, and fixes for various edge cases. Security has been tightened by limiting file permissions to 0644, preventing uploaded files from being executable. Mobile usability gets a boost with fixes for navigation and filter display issues. The release also includes important bug fixes for subscription attribution and internationalization improvements with added Catalan and Turkish translations.
Highlights of the Release
- Comprehensive improvements to the comments system with better notification grouping and profile interactions
- Enhanced security by limiting uploaded file permissions to 0644, preventing files from being executable
- Fixed mobile navigation and responsive issues with post filters in the Admin interface
- Fixed subscription attribution tracking when members upgrade from free to paid plans
- Improved ActivityPub reader view with customization options and reading time indicators
- Added internationalization improvements with Catalan and Turkish translations
Migration Guide
No significant migration steps are required for this update. The release primarily consists of enhancements and bug fixes that should work seamlessly after updating.
If you've built custom integrations with the comments system, note that each comment now includes a data-member-uuid attribute which you can leverage for external scripts.
For developers working with the storage adapters, be aware that the saveRaw method has been moved from LocalImagesStorage to the LocalStorageBase class, making it available to all storage adapter subclasses.
If you're using link click tracking in a high-traffic environment, you may want to explore the new caching configuration options to optimize performance.
Upgrade Recommendations
This update is recommended for all Ghost users, particularly those who:
- Use the comments feature extensively
- Manage their Ghost site from mobile devices
- Are concerned about security best practices for uploaded files
- Have international audiences using Catalan or Turkish languages
- Process a high volume of link clicks from newsletters
The update contains no breaking changes and includes important security improvements, UI enhancements, and bug fixes that will benefit most installations. The upgrade process should be straightforward with no special steps required.
For self-hosted Ghost installations, follow the standard upgrade procedure. For Ghost(Pro) users, the update will be automatically applied to your site.
Bug Fixes
Admin Interface Fixes
- Fixed mobile navigation - Previously, the only way to close the navigation on mobile was to tap outside the menu; now users can also tap the 'More' button or navigate to any other menu item
- Fixed responsive issues with Posts filters - Filters no longer fall off the screen on mobile devices and are now properly scrollable horizontally
- Fixed deleted member styling in post analytics - Deleted members now display with a placeholder avatar and "Deleted member" name instead of empty fields
- Fixed creating unverified session for reset password - Resolved an issue where users with 2FA enabled would get stuck on the reset password page
Comments UI Fixes
- Fixed flash of reply button when publishing a post
- Fixed comment count when logged in as admin
- Fixed comment likes being incorrect when logged in as an Admin
- Fixed replies line showing after all replies have been deleted
- Fixed incorrect pagination after deleting comments
- Fixed potential for duplicate comments when fetching pages
- Changed replies line color to be more visible in dark mode
- Fixed "Edit expertise" button often not working on main comment form
Other Fixes
- Fixed missing subscription attribution on free to paid upgrade - Resolved an issue where subscription attribution data was sometimes not captured when free members upgraded to paid
- Fixed excerpt display in post history modal - The excerpt was not in line with the rest of the content and the divider was visible even when there was no excerpt
New Features
Comments System Enhancements
The comments system received a major upgrade with numerous improvements:
- Improved notification grouping for follows and likes with better handling of notification clicks for different types
- Enhanced profile interactions with improved hover and click states for profile names, usernames, and avatars
- Better comment management with proper handling of deleted comments and replies
- Added data-member-uuid attribute to each comment for easier external script integration
- Fixed various edge cases in pagination and comment loading
ActivityPub Reader View Improvements
- Added customization options for typefaces, font sizes, and line height
- Added estimated reading time and a simple text-based progress indicator
- Improved typography, spacing, and alignment for better readability
- Added reset button for reader view customization settings
- Added preview to typeface selection for easier font choice
Shade Design System Foundations
- Added fundamentals for a new React-based design system called Shade
- Built on ShadCN/UI with React best practices
- Added support for custom icons with Storybook integration
Security Updates
File Permission Security Improvement
- Limited permissions for uploaded files to 0644 (read/write for owner, read-only for group and others)
- Previously, uploaded files retained their original permissions, which could leave them executable
- This change prevents files from being inadvertently executable, improving overall security
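An added example, not Ghost's own code: a Node.js audit that lists files in an upload directory that still carry an execute bit and resets them to 0644. The function names and the directory argument are hypothetical, the sample tree is constructed, and it assumes files stored before the upgrade may still have their original mode.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

const TARGET_MODE = 0o644; // mode the release notes give for uploaded files
const EXEC_BITS = 0o111;   // execute bit for owner, group and others

// Recursively collect regular files under `root` that have any execute bit set.
function findExecutableUploads(root) {
  const hits = [];
  for (const entry of fs.readdirSync(root, { withFileTypes: true })) {
    const full = path.join(root, entry.name);
    if (entry.isSymbolicLink()) continue; // never follow links out of the tree
    if (entry.isDirectory()) {
      hits.push(...findExecutableUploads(full));
    } else if (entry.isFile()) {
      const mode = fs.lstatSync(full).mode & 0o777;
      if (mode & EXEC_BITS) {
        hits.push({ file: full, mode: mode.toString(8).padStart(4, '0') });
      }
    }
  }
  return hits;
}

// Reset flagged files to 0644. Directories are untouched: they need the
// execute (search) bit to be traversable.
function normalizeUploads(root) {
  const hits = findExecutableUploads(root);
  for (const { file } of hits) fs.chmodSync(file, TARGET_MODE);
  return hits;
}

// Constructed sample tree: one file at 0644, one left at 0755.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'uploads-audit-'));
  const dir = path.join(root, '2025', '01');
  fs.mkdirSync(dir, { recursive: true });
  for (const [name, mode] of [['photo.jpg', 0o644], ['report.pdf', 0o755]]) {
    fs.writeFileSync(path.join(dir, name), 'sample');
    fs.chmodSync(path.join(dir, name), mode);
  }
  const before = findExecutableUploads(root);
  normalizeUploads(root);
  const after = findExecutableUploads(root);
  fs.rmSync(root, { recursive: true, force: true });
  return { before, after };
}
```

Call `findExecutableUploads` first and review the list before running `normalizeUploads` against a real directory.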
Authentication Security
- Fixed creating unverified session for reset password flow in case of 2FA
- Improved the reset password flow to properly handle two-factor authentication
Performance Improvements
Link Click Tracking Optimizations
- Added configuration for caching member lookup for link clicks
- Added config flag to disable link click tracking for load testing
- Memoized member UUID lookup to improve throughput by reducing database contention
Job Queue Improvements
- Added node event support to the job queue
- Enhanced job completion handling with event emission on the primary process
File Storage Improvements
- Changed location of built public content to temporary directory to circumvent file writing issues in some environments
- Moved saveRaw method from LocalImagesStorage to LocalStorageBase class for better reuse across storage adapters
Impact Summary
Ghost 5.105.0 delivers a substantial improvement to the comments system with better notification handling, profile interactions, and fixes for various edge cases. This update significantly enhances the user experience for both content creators and readers engaging with comments.
Security is strengthened by limiting uploaded file permissions to 0644, preventing potential security risks from executable files. This is an important security best practice that all Ghost installations should adopt.
Mobile usability gets a major boost with fixes for navigation and filter display issues in the Admin interface, making it much easier to manage content on mobile devices. The ActivityPub reader view also receives significant enhancements with customization options and reading time indicators.
For developers, the addition of data attributes to comments, improvements to the job queue, and optimizations for link click tracking provide new capabilities and better performance. The foundations of the new Shade design system also lay groundwork for future UI improvements.
Internationalization is improved with additional Catalan and Turkish translations, making Ghost more accessible to global audiences.
Overall, this is a well-rounded update that improves security, usability, and performance across multiple aspects of the Ghost platform.
Full Release Notes
- 🔒 Limited permissions for uploaded files to 0644 (#21841) - Princi Vershwal
- ✨ Improved various aspects of comments app - Kevin Ansfield
- 🐛 Fixed responsive issues with Posts filters (#21871) - Daniël van der Winden
- 🐛 Fixed mobile navigation for Admin (#21863) - Daniël van der Winden
- 🐛 Fixed missing subscription attribution on free to paid upgrade (#21846) - Sag
- 🌐 Updated Catalan translations in comments.json (#21827) - Àlex Rodríguez Bacardit
- 🌐 Added missing Turkish translations to portal.json (#21784) - echobilisim3421
- 🌐 Updated Catalan translations in signup-form.json (#21831) - Àlex Rodríguez Bacardit
View the changelog for full details: v5.104.2...v5.105.0