Ghost Release: 5.82.0

TL;DR

Ghost v5.82.0 introduces significant improvements to the onboarding experience, enhances security for member exports, optimizes email analytics performance, and adds new language support. The update includes UI refinements to the onboarding checklist, better sharing options, and critical database optimizations that dramatically improve email analytics query performance. A new spam prevention mechanism for member signups has been added behind a feature flag, and additional payment methods are now available in beta.

Highlight of the Release

• Enhanced onboarding experience with improved UI, animations, and clearer guidance
• Major performance improvements for email analytics with optimized database queries (99ms vs 1.7s)
• Added security protection against CSV injection in member exports
• New spam prevention mechanism for member signups (behind alpha flag)
• Additional payment methods now available as a beta feature
• Added Persian locale and improved Japanese and Spanish translations

Migration Guide

No significant migration steps are required for this update. The new features (additional payment methods and spam prevention for member signups) are behind feature flags and need to be explicitly enabled.

If you want to enable the new features:

• For additional payment methods: Enable the beta feature flag in Labs
• For spam prevention: Enable the alpha feature flag membersSpamPrevention in Labs

Database migrations for email_recipients indexes will run automatically during the update process.

Upgrade Recommendations

This update is recommended for all Ghost users, especially those experiencing:

• Performance issues with email analytics on sites with large subscriber bases
• Spam signups from bots
• Issues with the onboarding experience

The database optimizations for email analytics provide significant performance improvements for sites with large numbers of subscribers. The security fix for CSV exports is important for all users who regularly export member data.

There are no breaking changes in this release, making it a safe upgrade for all installations.

Bug Fixes

UI and Experience Fixes

• Fixed jerky scrolling in Site Design for Safari
• Fixed onboarding checklist video logo autoplay in Chrome and Arc browsers
• Updated icon positions in onboarding checklist to prevent jumping in Safari
• Fixed setup/done screen showing 500 error when not authenticated
• Made Ghost logo background in dark mode match the admin background
• Updated class names for Share modal to align with Ghost's class naming conventions

Other Fixes

• Fixed error message for custom theme settings
• Improved LinkedIn share URL in share modal
• Removed leftover alpha lab for 'newEmailAddresses' feature that was already released to GA

New Features

Enhanced Onboarding Experience

• Added subheading to onboarding checklist for better guidance
• Added background blur to onboarding modals for improved visual hierarchy
• Open Design settings modal directly when clicked from Share modal
• Updated copy throughout the onboarding process for clarity
• Removed confirmation modal when dismissing onboarding for a smoother experience
• Added IDs to facilitate measurement in PostHog

New Payment Options

• Added additional payment methods behind a beta feature flag
• Refactored payment methods into a shared global for easier management

Internationalization Improvements

• Added Persian (fa/fa_IR) locale support
• Added Japanese translations for comment resources
• Updated Spanish translations with more natural wording

Spam Prevention

• Added new member signup flow behind labs flag (membersSpamPrevention)
• Requires form submission after email confirmation to prevent bot signups

Security Updates

CSV Injection Protection

• Added escaping to member export CSV fields to protect against CSV injection attacks
• Prevents formula execution in spreadsheet applications that open the exported CSV files
• Implemented using PapaParse's native escaping options
• Credits to Harvey Spec (phulelouch) for reporting this security issue

Performance Improvements

Email Analytics Optimization

• Fixed email_recipients indexes to match query usage patterns
• Added new indexes covering email_id and respective columns
• Dropped old indexes that weren't being used in query plans
• Dramatically improved query performance from 1.7s to 99ms with ~2M email_recipient rows
• Removed use of subqueries in email analytics queries
• Extracted count queries into separate queries for better performance
• Moved email open rate calculation into JavaScript
• Optimized email stats aggregation query for typical column usage
• Changed from IS NOT NULL to IS NULL queries for better performance on large tables

Impact Summary

Ghost v5.82.0 delivers substantial improvements to the platform's performance, security, and user experience. The email analytics optimizations are particularly impactful, reducing query times by over 94% for sites with large subscriber bases. This will result in faster admin dashboards and more responsive email statistics.

The enhanced onboarding experience makes it easier for new users to get started with Ghost, with clearer guidance and smoother interactions. The addition of Persian locale support and improvements to Japanese and Spanish translations make Ghost more accessible to international users.

Security has been improved with protection against CSV injection attacks in member exports, and the new spam prevention mechanism (behind a feature flag) provides a potential solution for sites experiencing bot signups.

The additional payment methods feature (in beta) lays groundwork for expanded monetization options in future releases. Overall, this update enhances Ghost's performance, security, and usability without introducing breaking changes.

Full Release Notes