TL;DR
Ghost 5.5.0 introduces significant improvements to the Members API, including better handling of newsletter subscriptions, enhanced activity tracking, and improved comment functionality. The release also updates the default CDN from unpkg to jsDelivr for better reliability and updates Casper to v5.2.2. This update focuses on enhancing the member experience and improving the platform's stability.
Highlight of the Release
- Switched default CDN from unpkg to jsDelivr for better reliability
- Added comment reporting functionality with email notifications
- Enhanced member activity tracking with last_seen_at and last_commented_at updates
- Improved newsletter subscription management for members
- Fixed JWT/JWKS token verification for better security
- Updated Casper theme to v5.2.2
Migration Guide
CDN Changes
If you've customized the CDN URLs for frontend apps (portal, comments, search), you'll need to update your configuration to match the new format. The default CDN has been switched from unpkg to jsDelivr for better reliability.
Newsletter Subscription Changes
The newsletter subscription system has been updated to handle multiple newsletters and member preferences better. If you're using custom code that interacts with member newsletter subscriptions, you may need to update it to work with the new system.
Comments API Changes
If you're using the Comments API directly in custom code, note that there have been security improvements:
- member_id is now derived solely from authentication
- Replies to replies are no longer allowed
- parent_id cannot be modified on edit
Stripe Integration
If you've experienced issues with Stripe disconnection not being properly recognized, this has been fixed. No action is required, but you may notice improved behavior when disconnecting and reconnecting Stripe.
Upgrade Recommendations
Recommendation
This is a minor version update (5.4.1 → 5.5.0) that includes several improvements to the Members API, newsletter subscription handling, and comment functionality. It also fixes several bugs and security issues.
Upgrade Priority: Medium
- For sites using comments: High priority due to security improvements and new reporting functionality
- For sites with newsletter subscriptions: Medium priority for improved subscription handling
- For sites with custom frontend integrations: Medium priority due to CDN changes
How to Upgrade
- Back up your database before upgrading
- Update Ghost using the Ghost CLI:
ghost update
- If you're using a custom theme, ensure it's compatible with Ghost 5.5.0
- If you've customized frontend app URLs, review the new configuration format
No database schema changes requiring manual intervention are included in this release.
Bug Fixes
Security and Authentication
- JWT/JWKS Token Verification: Fixed signing key mismatching in JWT/JWKS by adding the keyid parameter to allow client libraries to match the signing key correctly.
- Stripe API Disconnection: Fixed an issue where the _configured flag stayed true after disconnecting the Stripe API, causing Ghost to behave as if Stripe were still connected.
Member Management
- Member Updates: Fixed an issue where updating a non-existing member would throw an internal error instead of a 'not found' error.
- Newsletter Subscriptions: Fixed an issue where new members were always subscribing to default newsletters regardless of their preferences.
- Member Response: Fixed member responses not including complimentary subscriptions when canceled subscriptions exist.
Comments
- Comment Security: Improved comments API security by ensuring member_id is not writable, preventing replies to replies, and ensuring parent_id is not writable on edit.
- Comment Email Content: Fixed the plain-text (TXT) version of report emails, which still contained placeholder text, by converting the comment HTML to plain text for inclusion in the email.
New Features
Member Experience Improvements
- Comment Reporting: Added a new API endpoint (POST /members/api/comments/{id}/report/) for members to report inappropriate comments. When a comment is reported, an email notification is sent to the site owner.
- Enhanced Activity Feed: Added comment events to the member activity feed, showing both comments and replies. The activity feed now includes member, post, and parent comment relations by default.
- Newsletter Subscription Management: Improved handling of newsletter preferences for members, allowing them to choose specific newsletters during signup and manage their preferences afterward.
- Comment Notifications: Added support for members to update their comment notification preferences through the enable_comment_notifications field.
Infrastructure Improvements
- CDN Update: Switched the default CDN from unpkg to jsDelivr for better reliability of frontend apps.
- Frontend App Configuration: Extended configuration to include the URL needed for loading styles for frontend apps instead of hardcoded URLs, making it easier to switch CDNs.
- Member Activity Tracking: Added automatic updates to last_commented_at and last_seen_at fields when members comment on posts.
Security Updates
Authentication and Authorization
- JWT/JWKS Security: Fixed signing key mismatching in JWT/JWKS by adding the keyid parameter, which allows client libraries to correctly match the signing key for verification.
- Comments API Security: Enhanced security in the comments API by:
  - Ensuring member_id is not writable and comes only from authentication
  - Preventing replies to replies
  - Ensuring parent_id is not writable on edit
  - Refactoring comments BREAD into a service for better security control
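The three rules listed here (and repeated in the Comments API Changes migration note) are easiest to see as a small service, so the following is an added example written for this page, not Ghost's comments service: member_id is taken only from the authenticated session, a reply whose parent is itself a reply is rejected, and an edit can change only the html field. The in-memory store, the session shape and the owner check on edit are assumptions of the example.

```javascript
// In-memory stand-in for the comments table, keyed by comment id
class CommentService {
  constructor() {
    this.comments = new Map();
    this.nextId = 1;
  }

  // Create: member_id comes from the session, never from the request body
  create(session, input) {
    if (!session || !session.memberId) throw new Error('authentication required');
    let parent = null;
    if (input.parent_id !== undefined && input.parent_id !== null) {
      parent = this.comments.get(input.parent_id);
      if (!parent) throw new Error('parent comment not found');
      // A parent that itself has a parent is a reply; replies to replies are not allowed
      if (parent.parent_id !== null) throw new Error('replies to replies are not allowed');
    }
    const comment = {
      id: this.nextId++,
      member_id: session.memberId,              // any member_id in `input` is ignored
      parent_id: parent ? parent.id : null,
      html: input.html,
    };
    this.comments.set(comment.id, comment);
    return comment;
  }

  // Edit: whitelist the writable field; member_id and parent_id in the patch are discarded
  edit(session, id, patch) {
    if (!session || !session.memberId) throw new Error('authentication required');
    const existing = this.comments.get(id);
    if (!existing) throw new Error('comment not found');
    if (existing.member_id !== session.memberId) throw new Error('not the comment owner'); // assumed check
    const { html } = patch;
    if (typeof html !== 'string') throw new Error('html is required');
    const updated = { ...existing, html };
    this.comments.set(id, updated);
    return updated;
  }
}
```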
Data Protection
- Foreign Key Constraints: Added proper SET NULL/CASCADE foreign keys for comments-related tables:
- When a member is deleted, their reports are kept (SET NULL)
- When a member is deleted, their likes are removed (CASCADE)
- When a member is deleted, their comments are kept (SET NULL)
Performance Improvements
API Performance
- Bulk Operations: Improved the bulk unsubscribe operation to use the member_id column, so it returns the count of members unsubscribed rather than the number of newsletter relations deleted.
- Query Optimization: Optimized when the initialMember is fetched in member update operations.
- Comment Fetching: Optimized comment fetching so that the restriction to root comments is applied only when the request is not authenticated as a user.
Frontend Performance
- CDN Reliability: Switched from unpkg to jsDelivr CDN for better reliability and performance of frontend apps.
- Resource Loading: Improved stylesheet URL handling for frontend apps by using configurable stylesheet URLs instead of hardcoded values.
Impact Summary
Ghost 5.5.0 brings significant improvements to the member experience, particularly around newsletter subscriptions, comment functionality, and activity tracking. The switch from unpkg to jsDelivr as the default CDN improves reliability for frontend applications.
For administrators, the release offers better member management tools, including improved newsletter subscription handling and comment moderation with a new reporting system. Developers will benefit from enhanced error handling, better token verification, and improved Stripe integration.
Content creators will appreciate the improved comment functionality with better security and moderation tools, as well as enhanced member activity tracking in the activity feed. Members themselves will enjoy a better comment experience, more granular newsletter subscription preferences, and improved activity tracking.
The security improvements to the comments API and JWT/JWKS token verification make this a recommended upgrade for all Ghost installations, especially those using the comments feature. The bug fixes for Stripe integration and newsletter subscription handling also make this a valuable update for sites using these features.
Full Release Notes
- ℹ️ Updated default config and CDN for frontend apps - Rishabh Garg
- 🎨 Updated Casper to v5.2.2 - Sodbileg Gansukh
View the changelogs for full details: