ghost 5.96.2 → 5.97.1

package/core/built/admin/index.html

@@ -8,7 +8,7 @@
     <title>Ghost Admin</title>
 
     
-<meta name="ghost-admin/config/environment" content="%7B%22modulePrefix%22%3A%22ghost-admin%22%2C%22environment%22%3A%22production%22%2C%22cdnUrl%22%3A%22%22%2C%22editorUrl%22%3A%22%22%2C%22rootURL%22%3A%22%22%2C%22locationType%22%3A%22trailing-hash%22%2C%22EmberENV%22%3A%7B%22FEATURES%22%3A%7B%7D%2C%22EXTEND_PROTOTYPES%22%3A%7B%22Date%22%3Afalse%2C%22Array%22%3Atrue%2C%22String%22%3Atrue%2C%22Function%22%3Afalse%7D%2C%22_APPLICATION_TEMPLATE_WRAPPER%22%3Afalse%2C%22_JQUERY_INTEGRATION%22%3Atrue%2C%22_TEMPLATE_ONLY_GLIMMER_COMPONENTS%22%3Atrue%7D%2C%22APP%22%3A%7B%22version%22%3A%225.96%22%2C%22name%22%3A%22ghost-admin%22%7D%2C%22ember-simple-auth%22%3A%7B%7D%2C%22%40sentry%2Fember%22%3A%7B%22disablePerformance%22%3Atrue%2C%22sentry%22%3A%7B%7D%7D%2C%22ember-cli-mirage%22%3A%7B%22usingProxy%22%3Afalse%2C%22useDefaultPassthroughs%22%3Atrue%7D%2C%22exportApplicationGlobal%22%3Afalse%2C%22ember-load%22%3A%7B%22loadingIndicatorClass%22%3A%22ember-load-indicator%22%7D%2C%22editorFilename%22%3A%22koenig-lexical.umd.js%22%2C%22editorHash%22%3A%22ee37f0b9eb%22%2C%22adminXDemoFilename%22%3A%22admin-x-demo.js%22%2C%22adminXDemoHash%22%3A%22eb50ad82db%22%2C%22adminXSettingsFilename%22%3A%22admin-x-settings.js%22%2C%22adminXSettingsHash%22%3A%223e886898df%22%2C%22adminXActivitypubFilename%22%3A%22admin-x-activitypub.js%22%2C%22adminXActivitypubHash%22%3A%2268888cb677%22%2C%22adminXActivitypubCustomUrl%22%3A%22https%3A%2F%2Fcdn.jsdelivr.net%2Fnpm%2F%40tryghost%2Fadmin-x-activitypub%400%2Fdist%2Fadmin-x-activitypub.js%22%7D" />
+<meta name="ghost-admin/config/environment" content="%7B%22modulePrefix%22%3A%22ghost-admin%22%2C%22environment%22%3A%22production%22%2C%22cdnUrl%22%3A%22%22%2C%22editorUrl%22%3A%22%22%2C%22rootURL%22%3A%22%22%2C%22locationType%22%3A%22trailing-hash%22%2C%22EmberENV%22%3A%7B%22FEATURES%22%3A%7B%7D%2C%22EXTEND_PROTOTYPES%22%3A%7B%22Date%22%3Afalse%2C%22Array%22%3Atrue%2C%22String%22%3Atrue%2C%22Function%22%3Afalse%7D%2C%22_APPLICATION_TEMPLATE_WRAPPER%22%3Afalse%2C%22_JQUERY_INTEGRATION%22%3Atrue%2C%22_TEMPLATE_ONLY_GLIMMER_COMPONENTS%22%3Atrue%7D%2C%22APP%22%3A%7B%22version%22%3A%225.97%22%2C%22name%22%3A%22ghost-admin%22%7D%2C%22ember-simple-auth%22%3A%7B%7D%2C%22%40sentry%2Fember%22%3A%7B%22disablePerformance%22%3Atrue%2C%22sentry%22%3A%7B%7D%7D%2C%22ember-cli-mirage%22%3A%7B%22usingProxy%22%3Afalse%2C%22useDefaultPassthroughs%22%3Atrue%7D%2C%22exportApplicationGlobal%22%3Afalse%2C%22ember-load%22%3A%7B%22loadingIndicatorClass%22%3A%22ember-load-indicator%22%7D%2C%22editorFilename%22%3A%22koenig-lexical.umd.js%22%2C%22editorHash%22%3A%22ee37f0b9eb%22%2C%22adminXDemoFilename%22%3A%22admin-x-demo.js%22%2C%22adminXDemoHash%22%3A%2224d6ef8fbd%22%2C%22adminXSettingsFilename%22%3A%22admin-x-settings.js%22%2C%22adminXSettingsHash%22%3A%22b1e0cd5a92%22%2C%22adminXActivitypubFilename%22%3A%22admin-x-activitypub.js%22%2C%22adminXActivitypubHash%22%3A%229368ade858%22%2C%22adminXActivitypubCustomUrl%22%3A%22https%3A%2F%2Fcdn.jsdelivr.net%2Fnpm%2F%40tryghost%2Fadmin-x-activitypub%400%2Fdist%2Fadmin-x-activitypub.js%22%7D" />
 
     <meta name="HandheldFriendly" content="True" />
     <meta name="MobileOptimized" content="320" />
@@ -37,7 +37,7 @@
     </style>
 
     <link integrity="" rel="stylesheet" href="assets/vendor-0ede59da8efb5e28fa929557f7ff7154.css">
-    <link integrity="" rel="stylesheet" href="assets/ghost-c75b9d653495f9cfce528f6e10900b3f.css" title="light">
+    <link integrity="" rel="stylesheet" href="assets/ghost-84fc705038c0ea946e4e5048ccb1fea5.css" title="light">
 
     
 </head>
@@ -57,8 +57,8 @@
     <div id="ember-basic-dropdown-wormhole"></div>
 
     <script src="assets/vendor-88cd9f5cf5eba65221e2d2a636531eaa.js"></script>
-<script src="assets/chunk.874.e1d421507701daac30fb.js"></script>
-<script src="assets/chunk.524.e61cf6deaaec6bf6f9d2.js"></script>
-    <script src="assets/ghost-286f9a114755e8c3c7e9c37550f624a9.js"></script>
+<script src="assets/chunk.874.5eb920d19e75683234c2.js"></script>
+<script src="assets/chunk.524.8daf11dc6681a463afc3.js"></script>
+    <script src="assets/ghost-b7702081322ac2a966ad205b1d07416c.js"></script>
 </body>
 </html>

package/core/frontend/services/assets-minification/AssetsMinificationBase.js

@@ -48,16 +48,16 @@ module.exports = class AssetsMinificationBase {
 
     async minify(globs, options) {
         try {
-            return await this.minifier.minify(globs, options);
+            const result = await this.minifier.minify(globs, options);
+            this.ready = true;
+            return result;
         } catch (error) {
             if (error.code === 'EACCES') {
                 logging.error('Ghost was not able to write asset files due to permissions.');
                 return;
             }
 
-            throw error;
-        } finally {
-            this.ready = true;
+            throw error;           
         }
     }
 

package/core/server/api/endpoints/comments.js

@@ -1,5 +1,17 @@
 const models = require('../../models');
 
+function handleCacheHeaders(model, frame) {
+    if (model) {
+        const postId = model.get('post_id');
+        const parentId = model.get('parent_id');
+        const pathsToInvalidate = [
+            postId ? `/api/members/comments/post/${postId}/` : null,
+            parentId ? `/api/members/comments/${parentId}/replies/` : null
+        ].filter(path => path !== null);
+        frame.setHeader('X-Cache-Invalidate', pathsToInvalidate.join(', '));
+    }
+}
+
 /** @type {import('@tryghost/api-framework').Controller} */
 const controller = {
     docName: 'comments',
@@ -19,11 +31,15 @@ const controller = {
             }
         },
         permissions: true,
-        query(frame) {
-            return models.Comment.edit({
+        async query(frame) {
+            const result = await models.Comment.edit({
                 id: frame.data.comments[0].id,
                 status: frame.data.comments[0].status
             }, frame.options);
+
+            handleCacheHeaders(result, frame);
+
+            return result;
         }
     }
 };

package/core/server/api/endpoints/utils/serializers/input/settings.js

@@ -72,7 +72,9 @@ const EDITABLE_SETTINGS = [
     'pintura_css_url',
     'donations_currency',
     'donations_suggested_amount',
-    'recommendations_enabled'
+    'recommendations_enabled',
+    'body_font',
+    'heading_font'
 ];
 
 module.exports = {

package/core/server/api/endpoints/utils/serializers/output/members.js

@@ -167,7 +167,8 @@ function serializeMember(member, options) {
         email_recipients: json.email_recipients,
         status: json.status,
         last_seen_at: json.last_seen_at,
-        attribution: serializeAttribution(json.attribution)
+        attribution: serializeAttribution(json.attribution),
+        unsubscribe_url: json.unsubscribe_url
     };
 
     if (json.products) {

package/core/server/data/db/DatabaseStateManager.js

@@ -1,6 +1,9 @@
 const KnexMigrator = require('knex-migrator');
 const errors = require('@tryghost/errors');
 const logging = require('@tryghost/logging');
+const metrics = require('@tryghost/metrics');
+
+const sentry = require('../../../shared/sentry');
 
 const states = {
     READY: 0,
@@ -61,9 +64,14 @@ class DatabaseStateManager {
             // CASE: database connection errors, unknown cases
             let errorToThrow = error;
             if (!errors.utils.isGhostError(errorToThrow)) {
-                errorToThrow = new errors.InternalServerError({message: errorToThrow.message, err: errorToThrow});
+                errorToThrow = new errors.InternalServerError({
+                    code: 'DATABASE_ERROR',
+                    message: errorToThrow.message,
+                    err: errorToThrow
+                });
             }
 
+            sentry.captureException(errorToThrow);
             throw errorToThrow;
         }
     }
@@ -79,11 +87,25 @@ class DatabaseStateManager {
             }
 
             if (state === states.NEEDS_INITIALISATION) {
+                const beforeInitializationTime = Date.now();
+                
                 await this.knexMigrator.init();
+
+                metrics.metric('migrations', {
+                    value: Date.now() - beforeInitializationTime,
+                    type: 'initialization'
+                });
             }
 
             if (state === states.NEEDS_MIGRATION) {
+                const beforeMigrationTime = Date.now();
+
                 await this.knexMigrator.migrate();
+
+                metrics.metric('migrations', {
+                    value: Date.now() - beforeMigrationTime,
+                    type: 'migrations'
+                });      
             }
 
             state = await this.getState();
@@ -92,9 +114,14 @@ class DatabaseStateManager {
         } catch (error) {
             let errorToThrow = error;
             if (!errors.utils.isGhostError(error)) {
-                errorToThrow = new errors.InternalServerError({message: errorToThrow.message, err: errorToThrow});
+                errorToThrow = new errors.InternalServerError({
+                    code: 'DATABASE_ERROR',
+                    message: errorToThrow.message,
+                    err: errorToThrow
+                });
             }
 
+            sentry.captureException(errorToThrow);
             throw errorToThrow;
         }
     }

package/core/server/data/migrations/versions/5.97/2024-10-08-14-25-27-added-body-font-settings.js

@@ -0,0 +1,8 @@
+const {addSetting} = require('../../utils');
+
+module.exports = addSetting({
+    key: 'body_font',
+    value: '',
+    type: 'string',
+    group: 'site'
+});

package/core/server/data/migrations/versions/5.97/2024-10-08-14-36-58-added-heading-font-setting.js

@@ -0,0 +1,8 @@
+const {addSetting} = require('../../utils');
+
+module.exports = addSetting({
+    key: 'heading_font',
+    value: '',
+    type: 'string',
+    group: 'site'
+});

package/core/server/data/migrations/versions/5.97/2024-10-10-01-02-03-add-signin-urls-permissions.js

@@ -0,0 +1,6 @@
+const {addPermissionToRole} = require('../../utils');
+
+module.exports = addPermissionToRole({
+    permission: 'Read member signin urls',
+    role: 'Admin Integration'
+});

package/core/server/data/schema/default-settings/default-settings.json

@@ -82,6 +82,14 @@
             "flags": "PUBLIC",
             "type": "string"
         },
+        "heading_font": {
+            "defaultValue": "",
+            "type": "string"
+        },
+        "body_font": {
+            "defaultValue": "",
+            "type": "string"
+        },
         "logo": {
             "defaultValue": "",
             "type": "string"

package/core/server/data/schema/fixtures/fixtures.json

@@ -907,7 +907,8 @@
                     "link": "all",
                     "mention": "browse",
                     "collection": "all",
-                    "recommendation": "all"
+                    "recommendation": "all",
+                    "member_signin_url": "read"
                 },
                 "Editor": {
                     "notification": "all",

package/core/server/models/base/plugins/data-manipulation.js

@@ -26,7 +26,7 @@ module.exports = function (Bookshelf) {
          * before we insert dates into the database, we have to normalize
          * date format is now in each db the same
          */
-        fixDatesWhenSave: function fixDates(attrs) {
+        fixDatesWhenSave: function fixDatesWhenSave(attrs) {
             const self = this;
 
             _.each(attrs, function each(value, key) {
@@ -49,15 +49,12 @@ module.exports = function (Bookshelf) {
          * mysql:
          *   - knex wraps the UTC value into a local JS Date
          */
-        fixDatesWhenFetch: function fixDates(attrs) {
-            const self = this;
-            let dateMoment;
+        fixDatesWhenFetch: function fixDatesWhenFetch(attrs) {
+            const tableDef = schema.tables[this.tableName];
 
-            _.each(attrs, function each(value, key) {
-                if (value !== null
-                && Object.prototype.hasOwnProperty.call(schema.tables[self.tableName], key)
-                && schema.tables[self.tableName][key].type === 'dateTime') {
-                    dateMoment = moment(value);
+            Object.keys(attrs).forEach((key) => {
+                if (attrs[key] && tableDef?.[key]?.type === 'dateTime') {
+                    const dateMoment = moment(attrs[key]);
 
                     // CASE: You are somehow able to store e.g. 0000-00-00 00:00:00
                     // Protect the code base and return the current date time.
@@ -74,12 +71,11 @@ module.exports = function (Bookshelf) {
 
         // Convert integers to real booleans
         fixBools: function fixBools(attrs) {
-            const self = this;
-            _.each(attrs, function each(value, key) {
-                const tableDef = schema.tables[self.tableName];
-                const columnDef = tableDef ? tableDef[key] : null;
-                if (columnDef?.type === 'boolean') {
-                    attrs[key] = value ? true : false;
+            const tableDef = schema.tables[this.tableName];
+
+            Object.keys(attrs).forEach((key) => {
+                if (tableDef?.[key]?.type === 'boolean') {
+                    attrs[key] = !!attrs[key];
                 }
             });
 

package/core/server/models/base/plugins/raw-knex.js

@@ -172,14 +172,14 @@ module.exports = function (Bookshelf) {
                             const relationsToAttach = _.zipObject(_.keys(props), relationsToAttachArray);
 
                             objects = _.map(objects, (object) => {
-                                _.each(Object.keys(relationsToAttach), (relation) => {
+                                for (const relation in relationsToAttach) {
                                     if (!relationsToAttach[relation][object.id]) {
                                         object[relation] = [];
-                                        return;
+                                        continue;
                                     }
 
                                     object[relation] = relationsToAttach[relation][object.id];
-                                });
+                                }
 
                                 object = Bookshelf.registry.models[modelName].prototype.toJSON.bind({
                                     attributes: object,

package/core/server/models/base/plugins/sanitize.js

@@ -35,21 +35,21 @@ module.exports = function (Bookshelf) {
 
             switch (methodName) {
             case 'toJSON':
-                return baseOptions.concat('shallow', 'columns', 'previous');
+                return [...baseOptions, 'shallow', 'columns', 'previous'];
             case 'destroy':
-                return baseOptions.concat(extraOptions, ['id', 'destroyBy', 'require']);
+                return [...baseOptions, ...extraOptions, 'id', 'destroyBy', 'require'];
             case 'add':
-                return baseOptions.concat(extraOptions, ['autoRefresh']);
+                return [...baseOptions, ...extraOptions, 'autoRefresh'];
             case 'edit':
-                return baseOptions.concat(extraOptions, ['id', 'require', 'autoRefresh']);
+                return [...baseOptions, ...extraOptions, 'id', 'require', 'autoRefresh'];
             case 'findOne':
-                return baseOptions.concat(extraOptions, ['columns', 'require', 'mongoTransformer']);
+                return [...baseOptions, ...extraOptions, 'columns', 'require', 'mongoTransformer'];
             case 'findAll':
-                return baseOptions.concat(extraOptions, ['filter', 'columns', 'mongoTransformer']);
+                return [...baseOptions, ...extraOptions, 'filter', 'columns', 'mongoTransformer'];
             case 'findPage':
-                return baseOptions.concat(extraOptions, ['filter', 'order', 'autoOrder', 'page', 'limit', 'columns', 'mongoTransformer']);
+                return [...baseOptions, ...extraOptions, 'filter', 'order', 'autoOrder', 'page', 'limit', 'columns', 'mongoTransformer'];
             default:
-                return baseOptions.concat(extraOptions);
+                return [...baseOptions, ...extraOptions];
             }
         },
 
@@ -164,11 +164,10 @@ module.exports = function (Bookshelf) {
 
             let options = _.cloneDeep(unfilteredOptions);
             const extraAllowedProperties = filterConfig.extraAllowedProperties || [];
-            let permittedOptions;
-
-            permittedOptions = this.permittedOptions(methodName, options);
-            permittedOptions = _.union(permittedOptions, extraAllowedProperties);
-            options = _.pick(options, permittedOptions);
+            const permittedOptions = [...new Set([...this.permittedOptions(methodName, options), ...extraAllowedProperties])];
+            options = Object.fromEntries(
+                Object.entries(options).filter(([key]) => permittedOptions.includes(key))
+            );
 
             if (this.defaultRelations) {
                 options = this.defaultRelations(methodName, options);

package/core/server/models/post.js

@@ -1290,11 +1290,13 @@ Post = ghostBookshelf.Model.extend({
             options.withRelated = _.union(['authors', 'tags', 'post_revisions', 'post_revisions.author'], options.withRelated || []);
         }
 
-        const META_ATTRIBUTES = _.without(ghostBookshelf.model('PostsMeta').prototype.permittedAttributes(), 'id', 'post_id');
-
         // NOTE: only include post_meta relation when requested in 'columns' or by default
         //       optimization is needed to be able to perform .findAll on large SQLite datasets
-        if (!options.columns || (options.columns && _.intersection(META_ATTRIBUTES, options.columns).length)) {
+        if (!options.columns
+        || (
+            options.columns
+            && _.intersection(_.without(ghostBookshelf.model('PostsMeta').prototype.permittedAttributes(), 'id', 'post_id'), options.columns).length)
+        ) {
             options.withRelated = _.union(['posts_meta'], options.withRelated || []);
         }
 

package/core/server/services/members/api.js

@@ -1,5 +1,6 @@
 const stripeService = require('../stripe');
 const settingsCache = require('../../../shared/settings-cache');
+const settingsHelpers = require('../../services/settings-helpers');
 const MembersApi = require('@tryghost/members-api');
 const logging = require('@tryghost/logging');
 const mail = require('../mail');
@@ -236,7 +237,8 @@ function createApiInstance(config) {
         memberAttributionService: memberAttributionService.service,
         emailSuppressionList,
         settingsCache,
-        sentry
+        sentry,
+        settingsHelpers
     });
 
     return membersApiInstance;

package/core/server/services/members/utils.js

@@ -22,6 +22,7 @@ module.exports.formattedMemberResponse = function formattedMemberResponse(member
         firstname: member.name && member.name.split(' ')[0],
         expertise: member.expertise,
         avatar_image: member.avatar_image,
+        unsubscribe_url: member.unsubscribe_url,
         subscribed: !!member.subscribed,
         subscriptions: member.subscriptions || [],
         paid: member.status !== 'free',

package/core/server/services/settings-helpers/SettingsHelpers.js

@@ -2,6 +2,7 @@ const tpl = require('@tryghost/tpl');
 const errors = require('@tryghost/errors');
 const {EmailAddressParser} = require('@tryghost/email-addresses');
 const logging = require('@tryghost/logging');
+const crypto = require('crypto');
 
 const messages = {
     incorrectKeyType: 'type must be one of "direct" or "connect".'
@@ -179,6 +180,30 @@ class SettingsHelpers {
         return this.#managedEmailEnabled() || this.labs.isSet('newEmailAddresses');
     }
 
+    createUnsubscribeUrl(uuid, options = {}) {
+        const siteUrl = this.urlUtils.urlFor('home', true);
+        const unsubscribeUrl = new URL(siteUrl);
+        const key = this.getMembersValidationKey();
+        unsubscribeUrl.pathname = `${unsubscribeUrl.pathname}/unsubscribe/`.replace('//', '/');
+        if (uuid) {
+            // hash key with member uuid for verification (and to not leak uuid) - it's possible to update member email prefs without logging in
+            // @ts-ignore
+            const hmac = crypto.createHmac('sha256', key).update(`${uuid}`).digest('hex');
+            unsubscribeUrl.searchParams.set('uuid', uuid);
+            unsubscribeUrl.searchParams.set('key', hmac);
+        } else {
+            unsubscribeUrl.searchParams.set('preview', '1');
+        }
+        if (options.newsletterUuid) {
+            unsubscribeUrl.searchParams.set('newsletter', options.newsletterUuid);
+        }
+        if (options.comments) {
+            unsubscribeUrl.searchParams.set('comments', '1');
+        }
+
+        return unsubscribeUrl.href;
+    }
+
     // PRIVATE
 
     #managedEmailEnabled() {

package/core/server/services/url/Resource.js

@@ -13,13 +13,12 @@ class Resource extends EventEmitter {
     constructor(type, obj) {
         super();
 
-        this.data = {};
         this.config = {
             type: type,
             reserved: false
         };
 
-        Object.assign(this.data, obj);
+        this.data = obj;
     }
 
     /**

package/core/server/services/url/Resources.js

@@ -116,7 +116,7 @@ class Resources {
      * @returns {Promise}
      * @private
      */
-    _fetch(resourceConfig, options = {offset: 0, limit: 999}) {
+    async _fetch(resourceConfig, options = {offset: 0, limit: 999}) {
         debug('_fetch', resourceConfig.type, resourceConfig.modelOptions);
 
         let modelOptions = _.cloneDeep(resourceConfig.modelOptions);
@@ -128,19 +128,19 @@ class Resources {
             modelOptions.limit = options.limit;
         }
 
-        return models.Base.Model.raw_knex.fetchAll(modelOptions)
-            .then((objects) => {
-                debug('fetched', resourceConfig.type, objects.length);
+        const objects = await models.Base.Model.raw_knex.fetchAll(modelOptions);
+        debug('fetched', resourceConfig.type, objects.length);
 
-                _.each(objects, (object) => {
-                    this.data[resourceConfig.type].push(new Resource(resourceConfig.type, object));
-                });
+        _.each(objects, (object) => {
+            this.data[resourceConfig.type].push(new Resource(resourceConfig.type, object));
+        });
 
-                if (objects.length && isSQLite) {
-                    options.offset = options.offset + options.limit;
-                    return this._fetch(resourceConfig, {offset: options.offset, limit: options.limit});
-                }
-            });
+        if (objects.length && isSQLite) {
+            options.offset = options.offset + options.limit;
+            return this._fetch(resourceConfig, {offset: options.offset, limit: options.limit});
+        }
+
+        return objects;
     }
 
     /**

package/core/server/services/url/UrlGenerator.js

@@ -170,11 +170,10 @@ class UrlGenerator {
             return false;
         }
 
-        const url = this._generateUrl(resource);
-
         // CASE 1: route has no custom filter, it will own the resource for sure
         // CASE 2: find out if my filter matches the resource
         if ((!this.filter) || (this.nql.queryJSON(resource.data))) {
+            const url = this._generateUrl(resource);
             this.urls.add({
                 url: url,
                 generatorId: this.uid,

package/core/server/services/url/config.js

@@ -3,6 +3,7 @@
  * They contain minimum filters for public accessibility of resources.
  */
 
+// TODO: switch exclude lists to include lists to make this more explicit
 module.exports = [
     {
         type: 'posts',
@@ -32,6 +33,10 @@ module.exports = [
                 'twitter_description',
                 'custom_template',
                 'locale',
+                'newsletter_id',
+                'show_title_and_feature_image',
+                'email_recipient_filter',
+                'comment_id',
                 'tiers'
             ],
             withRelated: ['tags', 'authors'],
@@ -81,6 +86,10 @@ module.exports = [
                 'authors',
                 'primary_tag',
                 'primary_author',
+                'newsletter_id',
+                'show_title_and_feature_image',
+                'email_recipient_filter',
+                'comment_id',
                 'tiers'
             ],
             filter: 'status:published+type:page'

package/core/server/web/api/middleware/upload.js

@@ -6,7 +6,6 @@ const errors = require('@tryghost/errors');
 const config = require('../../../../shared/config');
 const tpl = require('@tryghost/tpl');
 const logging = require('@tryghost/logging');
-const {JSDOM} = require('jsdom');
 
 const messages = {
     db: {
@@ -160,6 +159,8 @@ const checkFileIsValid = (fileData, types, extensions) => {
  *
  */
 const isSvgSafe = (filepath) => {
+    const {JSDOM} = require('jsdom');
+
     const fileContent = fs.readFileSync(filepath, 'utf8');
     const document = new JSDOM(fileContent).window.document;
     document.body.innerHTML = fileContent;