[pull] main from TryGhost:main#1122

Merged
pull[bot] merged 12 commits into code:main from TryGhost:main
May 6, 2026

pull[bot] commented May 6, 2026

See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.4)

Can you help keep this open source service alive? 💖 Please sponsor : )

jonatansberg and others added 12 commits May 6, 2026 18:19
ref https://linear.app/ghost/issue/BER-3505/

## What changed

This reworks comment moderation filters in `apps/posts` to use the same
canonical field/codec/NQL pipeline as members instead of the old ad-hoc
query-param implementation.

It also keeps `id` and `thread` out of filter state:
- `filter` is now the only concern of the comment filter-state hook
- legacy `?id=is:<commentId>` deep links are handled separately at the
page level
- single-comment mode still clears back to the full comments view

Follow-up work on this branch also tightened the shared value-source
behavior so selected author/post filters remain representable when the
backing record cannot be hydrated, without allowing synthetic `ID: ...`
placeholders to win over real hydrated labels in the combined post/page
source.

## Why

The previous comments filter implementation had a hand-rolled
`buildNqlFilter()` path, custom URL shape, no NQL parsing, and
browser-local date handling. That had drifted away from the mainline
filter abstractions and made comments harder to reason about and
maintain.

This brings comments back onto the current shared model while keeping
the deep-link behavior that moderation flows still rely on.

## User impact

- comment moderation filters now round-trip through canonical
`?filter=<NQL>` URLs
- filter parsing/serialization is aligned with members
- exact-date comment filtering uses site timezone semantics instead of
browser-local assumptions
- legacy single-comment links via `?id=is:<commentId>` still work
- missing selected author/post resources stay visible in filter UI
instead of collapsing into a broken state

no ref

`rollup-plugin-node-builtins` was declared as a devDep in
`apps/admin-x-design-system`, `apps/shade`, and `apps/signup-form` but
**never imported** — not in any source file, not in any of the three
workspaces' `vite.config.*`, not in the shared
`@tryghost/admin-x-framework` vite config. Each `vite.config` only loads
`@vitejs/plugin-react` and `vite-plugin-svgr`; nothing references the
rollup plugin.

It's vestigial — leftover from whatever previously needed it (likely an
early build setup for browserifying node builtins for browser bundles),
since refactored away. Modern vite handles the node-builtin
externalization the plugin used to provide.

…7692)

refs
https://linear.app/ghost/issue/NY-1265/create-endpoint-for-reading-a-single-automation

This adds the scaffolding for the GET `automations/:id` endpoint in the
Admin API, with a hardcoded payload. The intent here is simply to
unblock development of the frontend, while we iron out the rest of the
schema. This will eventually be updated to return automations from the
database, once the schema is in place.

no ref

Adds [knip](https://knip.dev/) at the workspace root with a minimal
config so we can detect unused dependencies, files, and exports across
the monorepo.

This is wiring only — no source changes, no deletions. A follow-up PR
will walk through the baseline report and remove the genuinely vestigial
deps.

no ref

`fast-xml-parser@5.5.8` was reachable via `ghost/core >
@aws-sdk/client-s3 > @aws-sdk/core > @aws-sdk/xml-builder`. The advisory
is a moderate XML comment / CDATA injection issue in `XMLBuilder` (the
writer-side path), fixed upstream in `5.7.0`.

The override forces the resolution up to `5.7.2` (latest 5.x patch).
Same major (5.x), minor patch range bump; `@aws-sdk/xml-builder` uses
`fast-xml-parser` the same way across 5.5 and 5.7 — no caller API
changes.
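
The commit message above describes the advisory only as comment/CDATA injection on the writer side. As an added illustration (not code from Ghost, the AWS SDK or fast-xml-parser, and not a reproduction of the advisory), this generic writer shows that bug class next to a hardened form; every function name and sample value is constructed.

```javascript
// Added illustration: a generic XML writer, not fast-xml-parser's code.
// Sample values are constructed.
const COMMENT_PAYLOAD = 'x--><admin>true</admin><!--y';
const CDATA_PAYLOAD = 'x]]><admin>true</admin><![CDATA[y';

// Naive writers: caller data is interpolated straight between the delimiters,
// so a value containing the closing delimiter ends the section early.
function naiveComment(text) { return `<!--${text}-->`; }
function naiveCdata(text) { return `<![CDATA[${text}]]>`; }

// XML forbids "--" inside a comment and "-" right before "-->":
// break up hyphen runs so the body can never contain the terminator.
// This is lossy (spaces are added), which is acceptable for comments.
function safeComment(text) {
  const body = String(text).replace(/-(?=-)/g, '- ').replace(/-$/, '- ');
  return `<!--${body}-->`;
}

// "]]>" cannot be escaped inside CDATA, so end the section after "]]" and
// reopen a new one before ">"; a parser concatenates the two sections.
function safeCdata(text) {
  const body = String(text).split(']]>').join(']]]]><![CDATA[>');
  return `<![CDATA[${body}]]>`;
}

// Minimal reader for checking output: drop comments and CDATA sections the
// way a parser delimits them; anything left is live markup.
function liveMarkup(xml) {
  return xml.replace(/<!--[\s\S]*?-->|<!\[CDATA\[[\s\S]*?\]\]>/g, '');
}

// Text a parser would recover from the CDATA section(s) in `xml`.
function cdataText(xml) {
  const sections = xml.matchAll(/<!\[CDATA\[([\s\S]*?)\]\]>/g);
  return Array.from(sections, (m) => m[1]).join('');
}

console.log('naive comment leaks:', liveMarkup(naiveComment(COMMENT_PAYLOAD)));
console.log('naive CDATA leaks:  ', liveMarkup(naiveCdata(CDATA_PAYLOAD)));
console.log('safe comment leaks: ', JSON.stringify(liveMarkup(safeComment(COMMENT_PAYLOAD))));
console.log('safe CDATA leaks:   ', JSON.stringify(liveMarkup(safeCdata(CDATA_PAYLOAD))));
console.log('CDATA round-trip ok:', cdataText(safeCdata(CDATA_PAYLOAD)) === CDATA_PAYLOAD);
```
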

no ref

- `setup-buildx-action` (default `docker-container` driver) bootstraps
by pulling `moby/buildkit:buildx-stable-1` from Docker Hub. Intermittent
Docker Hub auth timeouts (`auth.docker.io` deadline exceeded) have been
taking down e2e shards before any tests run.
- The `job_e2e_tests` job already configured `mirror.gcr.io` via the
`setup-docker-registry-mirrors` action, but the step ran *after* Buildx
— too late to help with the failing pull. The other two Buildx-using
jobs (`job_build_artifacts`, `job_build_e2e_image`) had no mirror at
all.
- This PR moves the mirror step ahead of Buildx in all three jobs so the
buildkit pull (and every subsequent Docker Hub pull in the job) is
routed through the GCR pull-through cache, taking Docker Hub off the
critical path.

no ref

First cleanup pass after wiring up knip in #27716. Walked through each
unused-dep candidate in the baseline report, grep-verified each one, and
removed the genuinely vestigial entries.

Net effect: 15 package.json files touched, **~390 lines off the
lockfile**.

no ref

`i18next-parser@8.13.0` bundles `vue-template-compiler@2.x` as part of
its Vue extractor, which carries a moderate client-side XSS advisory (no
fix in v2; Vue 2 reached EOL). v9 dropped the Vue extractor from
declared deps entirely and also bumped its bundled `esbuild` past the
moderate dev-server SSRF advisory range.

Cross-major (8 → 9) on a Ghost-owned tooling dep, but `i18next-parser`
is a CI/build-time translation extractor — not runtime code, never
deployed. The risk surface of bumping it is the build pipeline (`pnpm
--filter @tryghost/i18n run translate` and `lint:translations`), not
production behavior.

## Behavior change in the lexer

v9 replaced its babel-based JS lexer with a TypeScript-compiler-based
one. The new lexer is stricter and crashes when fed minified JS bundles
— specifically the four `*.min.js` files in
`ghost/core/core/frontend/public/` (admin-auth, comment-counts,
ghost-stats, member-attribution, private). These are pre-built artifacts
that don't contain `t()` calls anyway, so excluding them from
`translate:ghost`'s glob with `!../core/core/frontend/public/*.min.js`
is safe.

This is not a concern given the content of those scripts.

no ref

Let's test this middleware without stubbing.

ref 986f78e

Let's test this middleware without stubbing.

ref 986f78e

Let's test this middleware without stubbing.

no ref

I don't think we intend to do this. Let's remove the TODO.

pull[bot] locked and limited conversation to collaborators May 6, 2026
pull[bot] added the ⤵️ pull label May 6, 2026
pull[bot] merged commit dffa02b into code:main May 6, 2026

4 participants