Conversation
no refs There should be no user-facing changes in this commit. These configuration files are all leftover from a previous iteration of our containerized development environment, and are currently unused, so we should delete them.
no ref The existing root override pinned `moment` at `2.24.0`, which is itself flagged by two high-severity advisories — path traversal in `moment.locale` (GHSA-8hfj-j24r-96c4, fixed in 2.29.2) and ReDoS (GHSA-wc69-rhjr-hc9g, fixed in 2.29.4). The override was therefore actively masking a regression we'd already accepted. `2.30.1` matches what `apps/comments-ui` already declares as a direct dep; pinning the override there means one of our public-app callers gets the version it asked for instead of being force-downgraded. ghost/core (~110 import sites) and ghost/admin (~7 import sites) both remain on the same 2.x API surface, so call-site behavior is unchanged.
no ref GHSA-w5p7-h5w8-2hfq (high, ReDoS in `trim`'s whitespace pattern, fixed in `0.0.3`) reaches the tree via `remark@11 → remark-parse@7 → trim@0.0.1`. `remark-parse@7` is locked into `trim@0.0.1` by its declared range, so the only way to clear the advisory short of replacing `remark` is a transitive override. It's worth noting that bumping `@tryghost/url-utils` from `5.1.2` to `5.2.3` doesn't help here — both versions transit the same `remark@11 → remark-parse@7` chain to land on the same `trim@0.0.1`. The override is the cleanest fix until a future `@tryghost/url-utils` (or `@tryghost/kg-default-cards`) release adopts a newer `remark` major. `^0.0.3` keeps the override inside the same pre-1.0 line so the `trim()` function signature stays identical for the remark callers consuming it; pinning into `1.x` would technically be available but introduces a major-version boundary for a transitive dependency that doesn't otherwise need to move.
no ref The existing `qs` override pinned `>=6.7.0 <=6.14.1` but missed `qs@6.5.5`, which reaches `ghost/core` via `request@2.88.2 → @tryghost/logging`. That logging chain is consumed by `@tryghost/job-manager`, `@tryghost/prometheus-metrics`, `@tryghost/server`, `gscan`, and `knex-migrator` — all dependencies of `ghost/core`, not just an e2e-only path. GHSA-6rw7-vpxm-498p (moderate, `arrayLimit` bypass causing DoS via memory exhaustion) is fixed in `qs@6.14.1`, so the existing override target (`^6.14.2`) is already correct — only the *range* needed widening to cover pre-6.7.0 resolutions. `qs` follows strict semver and the 6.x line is API-stable, so the deprecated `request@2.88.2` package works identically against `qs@6.14.2` as it did against `6.5.5`.
closes [NY-1245](https://linear.app/ghost/issue/NY-1245/polish-automations-landing-page)

## Summary

- Wires the `/ghost/#/automations` page to the live `useBrowseAutomations` API hook, replacing the placeholder sample data the page was rendering before.
- Adds a new `useBrowseAutomations` query to `admin-x-framework` and includes the automation `slug` in the Admin API `/automations/` Browse response so the frontend can route on it.
- Refines the list UI: name + private-beta description, two columns instead of four (drops Steps and Last run), and a LIVE/OFF status pill.

## Notable details

- **Names come from the API; descriptions are local.** `automation.name` drives the title. Descriptions live in a small `AUTOMATION_DESCRIPTIONS` map keyed by slug — appropriate while only two automations exist and copy hasn't been finalised. If a slug isn't in the map, the row renders without a description rather than blank-padding.
no ref The repo already pins `lodash@<4.18.0: ^4.18.0` to clear the prototype-pollution / `_.template` advisories, but its sibling `lodash-es` was missing from the override block and still resolved to `4.17.23` via ghost/core's direct devDep and `@tryghost/helpers`'s transitive. Without the override, those advisories stay in the audit even though the equivalent fix has been applied for unscoped `lodash` for weeks. `yup → cron-validate` was already pulling `lodash-es@4.18.1` independently, so two `lodash-es` versions were resolving in parallel — adding the override consolidates the tree on `4.18.1`.
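The `moment`, `trim`, `qs` and `lodash-es` commits above all hinge on the same two questions about a pnpm `overrides` block: does every vulnerable version actually resolved in the tree fall inside some override key for that package (the `qs@6.5.5` sitting outside `>=6.7.0 <=6.14.1` case), and is the override target itself outside the advisory's vulnerable range (the `moment` override that forced `2.24.0`)? The script below is an added example, not Ghost's tooling, that answers both mechanically. The advisory ranges and the quoted resolved versions follow the commit messages; the "after" override keys, the bare `moment` key for the old override, and the extra resolved versions `qs@6.13.0` and `lodash@4.17.21` are constructed assumptions, since the commits describe the changes without quoting the final keys.

```python
"""Check a pnpm ``overrides`` block against the versions actually resolved in the tree.

Supports the node-semver subset override keys normally use: space-separated
comparators (ANDed), ``^x.y.z``, ``~x.y.z``, bare ``x.y.z`` and ``*``.
"""
import re
from typing import Callable

Version = tuple[int, int, int]
Pred = Callable[[Version], bool]


def parse_version(text: str) -> Version:
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", text.strip())
    if not m:
        raise ValueError(f"not a full semver version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


_OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, "<": lambda a, b: a < b, "=": lambda a, b: a == b}


def parse_range(text: str) -> Pred:
    """Build a predicate for a semver range; every token must hold (AND semantics)."""
    text = text.strip()
    if text in ("", "*"):
        return lambda v: True
    preds: list[Pred] = []
    for tok in text.split():
        if tok[0] in "^~":
            lo = parse_version(tok[1:])
            if tok[0] == "~" or (lo[0] == 0 and lo[1] > 0):
                hi: Version = (lo[0], lo[1] + 1, 0)   # ~x.y.z and ^0.y.z: up to next minor
            elif lo[0] == 0:
                hi = (0, 0, lo[2] + 1)               # ^0.0.z: next patch only (the trim case)
            else:
                hi = (lo[0] + 1, 0, 0)               # ^x.y.z: up to next major
            preds.append(lambda v, lo=lo, hi=hi: lo <= v < hi)
        else:
            m = re.fullmatch(r"(>=|<=|>|<|=)?(.+)", tok)
            assert m is not None
            cmp, bound = _OPS[m.group(1) or "="], parse_version(m.group(2))
            preds.append(lambda v, cmp=cmp, bound=bound: cmp(v, bound))
    return lambda v: all(p(v) for p in preds)


def split_override_key(key: str) -> tuple[str, str]:
    """'qs@>=6.7.0 <=6.14.1' -> ('qs', '>=6.7.0 <=6.14.1'); a bare name selects every version.
    Scoped names ('@scope/pkg') keep their leading '@' because only the last '@' splits."""
    name, sep, rng = key.rpartition("@")
    if not sep or not name:
        return key, "*"
    return name, rng


def target_floor(target: str) -> Version:
    """Lowest version an override target can resolve to ('^6.14.2' -> 6.14.2)."""
    return parse_version(target.split()[0].lstrip("^~>="))


def exposed(overrides: dict[str, str], resolved: dict[str, list[str]],
            advisories: dict[str, str]) -> dict[str, list[str]]:
    """Resolved versions inside an advisory's vulnerable range that no override key
    for that package selects, i.e. versions that stay vulnerable after install."""
    selectors: dict[str, list[Pred]] = {}
    for key in overrides:
        name, rng = split_override_key(key)
        selectors.setdefault(name, []).append(parse_range(rng))
    gaps: dict[str, list[str]] = {}
    for name, vuln in advisories.items():
        is_vuln = parse_range(vuln)
        for ver in resolved.get(name, []):
            v = parse_version(ver)
            if is_vuln(v) and not any(sel(v) for sel in selectors.get(name, [])):
                gaps.setdefault(name, []).append(ver)
    return gaps


def bad_targets(overrides: dict[str, str], advisories: dict[str, str]) -> list[str]:
    """Override keys whose own target still resolves into the vulnerable range."""
    bad = []
    for key, target in overrides.items():
        name, _ = split_override_key(key)
        if name in advisories and parse_range(advisories[name])(target_floor(target)):
            bad.append(key)
    return bad


# Constructed sample data (assumption): advisory ranges and quoted versions follow the
# commit messages; the AFTER keys, the bare "moment" key in BEFORE, qs@6.13.0 and
# lodash@4.17.21 are made up for the example.
ADVISORIES = {"moment": "<2.29.4", "qs": "<6.14.1", "lodash": "<4.18.0",
              "lodash-es": "<4.18.0", "trim": "<0.0.3"}
RESOLVED = {"moment": ["2.24.0"], "qs": ["6.5.5", "6.13.0"], "lodash": ["4.17.21"],
            "lodash-es": ["4.17.23", "4.18.1"], "trim": ["0.0.1"]}
BEFORE = {"moment": "2.24.0", "qs@>=6.7.0 <=6.14.1": "^6.14.2", "lodash@<4.18.0": "^4.18.0"}
AFTER = {"moment": "2.30.1", "qs@<6.14.2": "^6.14.2", "lodash@<4.18.0": "^4.18.0",
         "lodash-es@<4.18.0": "^4.18.0", "trim@<0.0.3": "^0.0.3"}

if __name__ == "__main__":
    print("before:", exposed(BEFORE, RESOLVED, ADVISORIES), bad_targets(BEFORE, ADVISORIES))
    print("after: ", exposed(AFTER, RESOLVED, ADVISORIES), bad_targets(AFTER, ADVISORIES))
```

Against the `BEFORE` block the script reports `qs@6.5.5`, `lodash-es@4.17.23` and `trim@0.0.1` as vulnerable-but-unselected and flags the `moment` key because its target `2.24.0` is itself inside the advisory range; against `AFTER` both lists are empty. In practice the `RESOLVED` map would be populated from `pnpm list --depth Infinity --json` or the lockfile rather than typed in, and the `ADVISORIES` map from the `pnpm audit --json` output.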
no ref The Ember admin's dep tree carries seven transitive packages whose only consumers are inside `ghost/admin` (verified per `pnpm audit` finding paths). All seven have upstream-patched versions for known advisories; the chain itself can't be bumped because it lives behind unmaintained tooling (`ember-cli`, `ember-auto-import@1.x`, `webpack@4`) that won't move until Ember admin retirement.
no ref

- no user impact
- moves the member welcome email constants file to TypeScript and improves the types a bit
no ref `ghost/core` was pinning `@tryghost/nodemailer@0.3.48`, two majors behind the latest published `2.2.0`.
no ref `tough-cookie@2.5.0` was reachable via the deprecated `request@2.88.2` package — `@tryghost/logging > bunyan-loggly > node-loggly-bulk > request > tough-cookie` — which is on the production path through any code that imports `@tryghost/logging` (job-manager, prometheus-metrics, server, gscan, knex-migrator).
See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.4)
Can you help keep this open source service alive? 💖 Please sponsor : )