From 592ac2dcb79798f60f332d8cfbd7d0d614d7e7ee Mon Sep 17 00:00:00 2001
From: Renovate Bot
Date: Wed, 22 Sep 2021 15:13:04 +0000
Subject: [PATCH 1/5] Update dependency @tryghost/update-check-service to v0.2.2
---
 package.json | 2 +-
 yarn.lock | 38 +++++++++++---------------------------
 2 files changed, 12 insertions(+), 28 deletions(-)
diff --git a/package.json b/package.json
index b5b4fabde5..aad69b1c4f 100644
--- a/package.json
+++ b/package.json
@@ -89,7 +89,7 @@
 "@tryghost/social-urls": "0.1.26",
 "@tryghost/string": "0.1.20",
 "@tryghost/tpl": "0.1.3",
- "@tryghost/update-check-service": "0.2.0",
+ "@tryghost/update-check-service": "0.2.2",
 "@tryghost/url-utils": "2.0.2",
 "@tryghost/validator": "0.1.5",
 "@tryghost/version": "0.1.4",
diff --git a/yarn.lock b/yarn.lock
index 7c33616bdb..a90244c0f3 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -1479,7 +1479,7 @@
 lodash "^4.17.21"
 luxon "^1.26.0"
-"@tryghost/logging@0.1.7":
+"@tryghost/logging@0.1.7", "@tryghost/logging@^0.1.7":
 version "0.1.7"
 resolved "https://registry.yarnpkg.com/@tryghost/logging/-/logging-0.1.7.tgz#22fbff99bc880402691e8836f550348df1c797d8"
 integrity sha512-8EM2lCT9E7zt6SlGwlAlQQ7Nwoq2vXgU9C5KFBV/2rbMgnsVsNOwdPGgixozxNNczxYFkTHF5mpQg/+3oV2GjQ==
@@ -1496,23 +1496,6 @@
 moment "^2.29.1"
 prettyjson "^1.2.1"
-"@tryghost/logging@^0.1.3":
- version "0.1.6"
- resolved "https://registry.yarnpkg.com/@tryghost/logging/-/logging-0.1.6.tgz#9efe5d789f2f3bbf40b38bc4d5b8da42b9d784e6"
- integrity sha512-kVE3d8hmsx3VI6RjUTt3aaYevVl7gh4zqTE49BmVpoBnXhCyw0Y7Iki425GvO9UgyGP5EMe8NOZM4aVk5uMhEg==
- dependencies:
- "@tryghost/bunyan-rotating-filestream" "^0.0.7"
- "@tryghost/elasticsearch-bunyan" "^0.1.1"
- "@tryghost/root-utils" "^0.3.3"
- bunyan "^1.8.15"
- bunyan-loggly "^1.4.2"
- fs-extra "^9.1.0"
- gelf-stream "^1.1.1"
- json-stringify-safe "^5.0.1"
- lodash "^4.17.21"
- moment "^2.29.1"
- prettyjson "^1.2.1"
-
 "@tryghost/magic-link@1.0.11", "@tryghost/magic-link@^1.0.11":
 version "1.0.11"
 resolved "https://registry.yarnpkg.com/@tryghost/magic-link/-/magic-link-1.0.11.tgz#4ced33826051fcbfae2e26f576efee4a8b42912a"
@@ -1700,17 +1683,18 @@
 dependencies:
 lodash.template "^4.5.0"
-"@tryghost/update-check-service@0.2.0":
- version "0.2.0"
- resolved "https://registry.yarnpkg.com/@tryghost/update-check-service/-/update-check-service-0.2.0.tgz#3c473faf380cda4b34d106b1109222d4fd8ca942"
- integrity sha512-RN6roj5f6CqPVEEbBYPLkqRKGuPaOA7NrBZBIpTB5MEFQRKpeh3hwSb65KsViFfUKLkshV1haYVe1ggx+0KP5A==
+"@tryghost/update-check-service@0.2.2":
+ version "0.2.2"
+ resolved "https://registry.yarnpkg.com/@tryghost/update-check-service/-/update-check-service-0.2.2.tgz#0de3bee6501305f3ffeeeae80f0d5068687ff847"
+ integrity sha512-6itDvtzKx+5IZ4Mr8cBIKBlDjFsLNKTpYWFb5xW38OBHpfHQbXloGw0A5z6b7cqjfjI6tDiWxxrYD7mJJnVt9w==
 dependencies:
+ "@tryghost/debug" "^0.1.5"
 "@tryghost/errors" "^0.2.11"
- "@tryghost/logging" "^0.1.3"
+ "@tryghost/logging" "^0.1.7"
 "@tryghost/tpl" "^0.1.3"
- bluebird "3.7.2"
- lodash "4.17.21"
- moment "2.24.0"
+ bluebird "^3.7.2"
+ lodash "^4.17.21"
+ moment "^2.24.0"
 "@tryghost/url-utils@2.0.2", "@tryghost/url-utils@^2.0.0":
 version "2.0.2"
@@ -7572,7 +7556,7 @@ moment-timezone@0.5.23, moment-timezone@^0.5.31, moment-timezone@^0.5.33:
 dependencies:
 moment ">= 2.9.0"
-moment@2.24.0, moment@2.27.0, "moment@>= 2.9.0", moment@^2.18.1, moment@^2.19.3, moment@^2.27.0, moment@^2.29.1:
+moment@2.24.0, moment@2.27.0, "moment@>= 2.9.0", moment@^2.18.1, moment@^2.19.3, moment@^2.24.0, moment@^2.27.0, moment@^2.29.1:
 version "2.24.0"
 resolved "https://registry.yarnpkg.com/moment/-/moment-2.24.0.tgz#0d055d53f5052aa653c9f6eb68bb5d12bf5c2b5b"
 integrity sha512-bV7f+6l2QigeBBZSM/6yTNq4P2fNpSWj/0e7jQcy87A8e7o2nAfP/34/2ky5Vw4B9S446EtIhodAzkFCcR4dQg==
From 20870aa2faaef57526daa3eb15e429fef3739cf6 Mon Sep 17 00:00:00 2001
From: Daniel Lockyer
Date: Mon, 20 Sep 2021 15:03:04 +0100
Subject: [PATCH 2/5] =?UTF-8?q?=F0=9F=90=9B=20Fixed=20sending=20emails=20v?= =?UTF-8?q?ia=20SES=20or=20non-standard=20SMTP=20config?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
fixes https://linear.app/tryghost/issue/CORE-45/
- this commit fixes two email related issues:
- SES transport: the auth mechanism was set up wrong and so none of the requests would go through. This now follows the docs on https://nodemailer.com/transports/ses/
- SMTP transport: the latest versions of Nodemailer don't seem to allow overriding of options if a service is present. I've filed https://github.com/nodemailer/nodemailer/issues/1327 but in the mean time, I assign the options back to the transporter object to ensure they always get applied
- I've fixed this in our `@trghost/nodemailer` package and so this commit bumps that here
---
 package.json | 2 +-
 yarn.lock | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/package.json b/package.json
index aad69b1c4f..d28731a74e 100644
--- a/package.json
+++ b/package.json
@@ -79,7 +79,7 @@
 "@tryghost/members-importer": "0.3.2",
 "@tryghost/members-ssr": "1.0.12",
 "@tryghost/mw-session-from-token": "0.1.22",
- "@tryghost/nodemailer": "0.3.1",
+ "@tryghost/nodemailer": "0.3.2",
 "@tryghost/package-json": "1.0.2",
 "@tryghost/promise": "0.1.9",
 "@tryghost/request": "0.1.5",
diff --git a/yarn.lock b/yarn.lock
index a90244c0f3..5a0a339a79 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -1575,10 +1575,10 @@
 resolved "https://registry.yarnpkg.com/@tryghost/mw-session-from-token/-/mw-session-from-token-0.1.22.tgz#eb060cca7c80e87b96a6b6f2e6e68a2660f2b36e"
 integrity sha512-9emJs6b+3/YLE2jlZ8+gZRmtTohUMS6d4lX9Gw/u3eABbGcoYOsaxc2/kqD6+xdizsFHQ93Qp7Jkw5knfI7XLA==
-"@tryghost/nodemailer@0.3.1":
- version "0.3.1"
- resolved "https://registry.yarnpkg.com/@tryghost/nodemailer/-/nodemailer-0.3.1.tgz#7d8bddab1c8223c48f1e453a006e852770ecf92e"
- integrity sha512-ewaSciSJkmJhgIH93f5H2dsREkYQH5T2F7ZYrUbX3RGhcvg9zBYQ1C1Xr5M/sHS6xzYXgz4IN/zBR9iTbH6kRw==
+"@tryghost/nodemailer@0.3.2":
+ version "0.3.2"
+ resolved "https://registry.yarnpkg.com/@tryghost/nodemailer/-/nodemailer-0.3.2.tgz#983e6fe5cd46ecb9e419f673bb8bfefdc4282bfc"
+ integrity sha512-z5YPwncK6Gkr8SVL5JpS3XevkMZ1qT6ZQr6XWX4OkVPX2YozjEkyQBCriWw1ize9yzdZoFBvTA7G+z1EIRTvGg==
 dependencies:
 "@aws-sdk/client-ses" "^3.31.0"
 "@tryghost/errors" "^0.2.13"
From 944c2cc9afbb31ed29d3b08066e9f05bdc7ac167 Mon Sep 17 00:00:00 2001
From: Fabien O'Carroll
Date: Wed, 22 Sep 2021 14:11:31 +0200
Subject: [PATCH 3/5] =?UTF-8?q?=F0=9F=94=92=20Fixed=20member=20email=20cha?= =?UTF-8?q?nge=20vulnerability?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
refs https://github.com/TryGhost/Ghost/security/advisories/GHSA-65p7-pjj8-ggmr
This updates the signup/signin flow for members to no longer support the email address change flow - which had missing authentication. It has been replaced with a dedicated email change flow, and Portal has been updated to use it.
---
 core/server/web/members/app.js | 1 +
 core/shared/config/defaults.json | 4 ++--
 package.json | 2 +-
 yarn.lock | 8 ++++----
 4 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/core/server/web/members/app.js b/core/server/web/members/app.js
index b01b43e32b..1b80d63e20 100644
--- a/core/server/web/members/app.js
+++ b/core/server/web/members/app.js
@@ -34,6 +34,7 @@ module.exports = function setupMembersApp() {
 // We don't want to add global bodyParser middleware as that interfers with stripe webhook requests on - `/webhooks`.
 membersApp.get('/api/member', middleware.getMemberData);
 membersApp.put('/api/member', bodyParser.json({limit: '1mb'}), middleware.updateMemberData);
+ membersApp.post('/api/member/email', bodyParser.json({limit: '1mb'}), (req, res) => membersService.api.middleware.updateEmailAddress(req, res));
 membersApp.get('/api/session', middleware.getIdentityToken);
 membersApp.delete('/api/session', middleware.deleteSession);
 membersApp.get('/api/site', middleware.getMemberSiteData);
diff --git a/core/shared/config/defaults.json b/core/shared/config/defaults.json
index d8e7e693a4..7667145aca 100644
--- a/core/shared/config/defaults.json
+++ b/core/shared/config/defaults.json
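Review bot: The new `/api/member/email` route on the added line is registered with no authentication or session middleware visible in this hunk, so the fix for the missing-authentication advisory (GHSA-65p7-pjj8-ggmr) rests entirely on `membersService.api.middleware.updateEmailAddress` verifying the caller's member session itself; that invariant is stated nowhere here and deserves a comment above the line, e.g. `// Dedicated email-change flow (GHSA-65p7-pjj8-ggmr): updateEmailAddress must authenticate the member session before acting on the request body.` The arrow wrapper also drops `next`, so if `updateEmailAddress` is async a rejected promise would never reach the app's error handling; `(req, res, next) => membersService.api.middleware.updateEmailAddress(req, res).catch(next)` would route it, but confirm it returns a promise before adding the `.catch`. Every sibling route is wired through the local `middleware` object, so the inline lambda is also the stylistic odd one out. `setupMembersApp` continues past the end of the hunk.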
@@ -121,7 +121,7 @@
 "emailAnalytics": true
 },
 "portal": {
- "url": "https://unpkg.com/@tryghost/portal@~1.9.0/umd/portal.min.js",
- "version": "1.9"
+ "url": "https://unpkg.com/@tryghost/portal@~1.10.0/umd/portal.min.js",
+ "version": "1.10"
 }
 }
diff --git a/package.json b/package.json
index d28731a74e..c8f49c6256 100644
--- a/package.json
+++ b/package.json
@@ -74,7 +74,7 @@
 "@tryghost/limit-service": "0.6.1",
 "@tryghost/logging": "0.1.7",
 "@tryghost/magic-link": "1.0.11",
- "@tryghost/members-api": "1.32.1",
+ "@tryghost/members-api": "1.32.3",
 "@tryghost/members-csv": "1.1.6",
 "@tryghost/members-importer": "0.3.2",
 "@tryghost/members-ssr": "1.0.12",
diff --git a/yarn.lock b/yarn.lock
index 5a0a339a79..3aea9afade 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -1505,10 +1505,10 @@
 jsonwebtoken "^8.5.1"
 lodash "^4.17.15"
-"@tryghost/members-api@1.32.1":
- version "1.32.1"
- resolved "https://registry.yarnpkg.com/@tryghost/members-api/-/members-api-1.32.1.tgz#a890c8f2f2ae92d7d43437e52cb14dd6ae194732"
- integrity sha512-1ox59JG6RCa+BZpuJQtfPjddIMQnodAfD2/nm8MvMsEVrUMtiu9BeH6yihJATroCwoqCvNJWGhG2/1t/FubGkw==
+"@tryghost/members-api@1.32.3":
+ version "1.32.3"
+ resolved "https://registry.yarnpkg.com/@tryghost/members-api/-/members-api-1.32.3.tgz#ecf0948db251edcbd5aa4efd5b12db25ceb87da4"
+ integrity sha512-p5rimYXj35fTQBtDuoSLDzuKEmofd4Ot3rokUDAmaa8Lj4Tsoh3TnrTESSUc7PkCwDYts4PDX5+cLPhkc3LpTg==
 dependencies:
 "@tryghost/debug" "^0.1.2"
 "@tryghost/errors" "^0.2.9"
From 92533b2de7dc1dc55cf135a3072b6f17bbb895b3 Mon Sep 17 00:00:00 2001
From: Daniel Lockyer
Date: Thu, 23 Sep 2021 10:51:30 +0100
Subject: [PATCH 4/5] Updated Admin to v4.15.1
---
 core/client | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/client b/core/client
index 2a06f299a8..f9f212d610 160000
--- a/core/client
+++ b/core/client
@@ -1 +1 @@
-Subproject commit 2a06f299a8ee05c29629507bd89ea44814ca9a23
+Subproject commit f9f212d6102d176faf71fb1e203669a8f8bd6c23
From 94d3f556e698dbf56cf79ae241857a47e2a7b744 Mon Sep 17 00:00:00 2001
From: Daniel Lockyer
Date: Thu, 23 Sep 2021 10:51:30 +0100
Subject: [PATCH 5/5] v4.15.1
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package.json b/package.json
index c8f49c6256..0827cc47fd 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "ghost",
- "version": "4.15.0",
+ "version": "4.15.1",
 "description": "The professional publishing platform",
 "author": "Ghost Foundation",
 "homepage": "https://ghost.org",