ghost 6.0.0-alpha.1 → 6.0.0-alpha.2

package/core/built/admin/assets/{vendor-c89102f24c3d9502e9db741509767580.js → vendor-aed0068cf9b67d042dd23a6343545b7b.js}

@@ -9553,4 +9553,4 @@ e.default=class{constructor(e){if(this._data=new t.default,e)for(let t=0;t<e.len
 return this}get(e){let t=this._data[e]
 return t===r.UNDEFINED_KEY?void 0:t}set(e,t){return this._data[e]=t,this}delete(e){return this._data[e]=r.UNDEFINED_KEY,!0}}})
 
-//# sourceMappingURL=vendor-1552b6fd843e2f460183ad9424be2a2d.map
+//# sourceMappingURL=vendor-326b46cbc2845d47f1e0af43ba21caec.map

package/core/built/admin/index.html

@@ -6,7 +6,7 @@
     <title>Ghost</title>
 
     
-<meta name="ghost-admin/config/environment" content="%7B%22modulePrefix%22%3A%22ghost-admin%22%2C%22environment%22%3A%22production%22%2C%22cdnUrl%22%3A%22%22%2C%22editorUrl%22%3A%22%22%2C%22rootURL%22%3A%22%22%2C%22locationType%22%3A%22trailing-hash%22%2C%22EmberENV%22%3A%7B%22FEATURES%22%3A%7B%7D%2C%22EXTEND_PROTOTYPES%22%3A%7B%22Date%22%3Afalse%2C%22Array%22%3Atrue%2C%22String%22%3Atrue%2C%22Function%22%3Afalse%7D%2C%22_APPLICATION_TEMPLATE_WRAPPER%22%3Afalse%2C%22_JQUERY_INTEGRATION%22%3Atrue%2C%22_TEMPLATE_ONLY_GLIMMER_COMPONENTS%22%3Atrue%7D%2C%22APP%22%3A%7B%22version%22%3A%226.0%22%2C%22name%22%3A%22ghost-admin%22%7D%2C%22ember-simple-auth%22%3A%7B%7D%2C%22%40sentry%2Fember%22%3A%7B%22disablePerformance%22%3Atrue%2C%22sentry%22%3A%7B%7D%7D%2C%22ember-cli-mirage%22%3A%7B%22usingProxy%22%3Afalse%2C%22useDefaultPassthroughs%22%3Atrue%7D%2C%22exportApplicationGlobal%22%3Afalse%2C%22ember-load%22%3A%7B%22loadingIndicatorClass%22%3A%22ember-load-indicator%22%7D%2C%22editorFilename%22%3A%22koenig-lexical.umd.js%22%2C%22editorHash%22%3A%2237bd1e3e4d%22%2C%22adminXSettingsFilename%22%3A%22admin-x-settings.js%22%2C%22adminXSettingsHash%22%3A%222a69308990%22%2C%22adminXActivitypubFilename%22%3A%22admin-x-activitypub.js%22%2C%22adminXActivitypubHash%22%3A%226d96d71fe8%22%2C%22postsFilename%22%3A%22posts.js%22%2C%22postsHash%22%3A%222e1f1f92c6%22%2C%22statsFilename%22%3A%22stats.js%22%2C%22statsHash%22%3A%22e519dc949c%22%2C%22adminXActivitypubCustomUrl%22%3A%22https%3A%2F%2Fcdn.jsdelivr.net%2Fghost%2Fadmin-x-activitypub%400%2Fdist%2Fadmin-x-activitypub.js%22%7D" />
+<meta name="ghost-admin/config/environment" content="%7B%22modulePrefix%22%3A%22ghost-admin%22%2C%22environment%22%3A%22production%22%2C%22cdnUrl%22%3A%22%22%2C%22editorUrl%22%3A%22%22%2C%22rootURL%22%3A%22%22%2C%22locationType%22%3A%22trailing-hash%22%2C%22EmberENV%22%3A%7B%22FEATURES%22%3A%7B%7D%2C%22EXTEND_PROTOTYPES%22%3A%7B%22Date%22%3Afalse%2C%22Array%22%3Atrue%2C%22String%22%3Atrue%2C%22Function%22%3Afalse%7D%2C%22_APPLICATION_TEMPLATE_WRAPPER%22%3Afalse%2C%22_JQUERY_INTEGRATION%22%3Atrue%2C%22_TEMPLATE_ONLY_GLIMMER_COMPONENTS%22%3Atrue%7D%2C%22APP%22%3A%7B%22version%22%3A%226.0%22%2C%22name%22%3A%22ghost-admin%22%7D%2C%22ember-simple-auth%22%3A%7B%7D%2C%22%40sentry%2Fember%22%3A%7B%22disablePerformance%22%3Atrue%2C%22sentry%22%3A%7B%7D%7D%2C%22ember-cli-mirage%22%3A%7B%22usingProxy%22%3Afalse%2C%22useDefaultPassthroughs%22%3Atrue%7D%2C%22exportApplicationGlobal%22%3Afalse%2C%22ember-load%22%3A%7B%22loadingIndicatorClass%22%3A%22ember-load-indicator%22%7D%2C%22editorFilename%22%3A%22koenig-lexical.umd.js%22%2C%22editorHash%22%3A%2237bd1e3e4d%22%2C%22adminXSettingsFilename%22%3A%22admin-x-settings.js%22%2C%22adminXSettingsHash%22%3A%22d033b6dcc1%22%2C%22adminXActivitypubFilename%22%3A%22admin-x-activitypub.js%22%2C%22adminXActivitypubHash%22%3A%2235ce5f3180%22%2C%22postsFilename%22%3A%22posts.js%22%2C%22postsHash%22%3A%22be6ec893bf%22%2C%22statsFilename%22%3A%22stats.js%22%2C%22statsHash%22%3A%225ddc4bf3f4%22%2C%22adminXActivitypubCustomUrl%22%3A%22https%3A%2F%2Fcdn.jsdelivr.net%2Fghost%2Fadmin-x-activitypub%400%2Fdist%2Fadmin-x-activitypub.js%22%7D" />
 
     <meta name="viewport" content="user-scalable=no, width=device-width, initial-scale=1, maximum-scale=1, minimal-ui, viewport-fit=cover" />
     <meta name="pinterest" content="nopin" />
@@ -47,9 +47,9 @@
 
     <div id="ember-basic-dropdown-wormhole"></div>
 
-    <script src="assets/vendor-c89102f24c3d9502e9db741509767580.js"></script>
+    <script src="assets/vendor-aed0068cf9b67d042dd23a6343545b7b.js"></script>
 <script src="assets/chunk.728.985c45ad584b4b91ca60.js"></script>
-<script src="assets/chunk.524.996c1c4d269fa6a50e90.js"></script>
-    <script src="assets/ghost-5a5b2112df68dfaf6813ce38cad16847.js"></script>
+<script src="assets/chunk.524.0953dd72ae1efbabe0de.js"></script>
+    <script src="assets/ghost-db0f84981913aec8a672c57aa22da07a.js"></script>
 </body>
 </html>

package/core/frontend/web/middleware/frontend-caching.js

@@ -51,6 +51,11 @@ const getMiddleware = async (getFreeTier = async () => {
             return shared.middleware.cacheControl('private')(req, res, next);
         }
 
+        // CASE: Never cache preview routes
+        if (req.path?.startsWith('/p/')) {
+            return shared.middleware.cacheControl('noCache')(req, res, next);
+        }
+
         // CASE: Cache member's content if this feature is enabled
         if (req.member && shouldCacheMembersContent) {
             // Set the 'cache-control' header to 'public'
@@ -74,4 +79,4 @@ const getMiddleware = async (getFreeTier = async () => {
 module.exports = {
     getMiddleware,
     calculateMemberTier // exported for testing
-};
+};

package/core/frontend/web/middleware/static-theme.js

@@ -59,18 +59,35 @@ function forwardToExpressStatic(req, res, next) {
         return next();
     }
 
-    const configMaxAge = config.get('caching:theme:maxAge');
+    // We allow robots.txt to fall through to the next middleware, so that we can return our default robots.txt
+    // We also allow sitemap.xml and sitemap-:resource.xml to fall through so that we can serve our defaults if they're not found in the theme
+    const fallthroughFiles = [
+        '/robots.txt',
+        '/sitemap.xml',
+        '/sitemap-posts.xml',
+        '/sitemap-pages.xml',
+        '/sitemap-tags.xml',
+        '/sitemap-authors.xml',
+        '/sitemap-users.xml',
+        '/sitemap.xsl'
+    ];
+    const fallthrough = fallthroughFiles.includes(req.path) ? true : false;
 
-    // @NOTE: the maxAge config passed below are in milliseconds and the config
-    //        is specified in seconds. See https://github.com/expressjs/serve-static/issues/150 for more context
     express.static(themeEngine.getActive().path, {
-        maxAge: (configMaxAge || configMaxAge === 0) ? configMaxAge : (365 * 24 * 60 * 60 * 1000) // Default to 1 year in ms
+        // @NOTE: the maxAge config passed below are in milliseconds and the config
+        //        is specified in seconds. See https://github.com/expressjs/serve-static/issues/150 for more context
+        maxAge: config.get('caching:theme:maxAge') * 1000,
+        fallthrough
     }
     )(req, res, next);
 }
 
 function staticTheme() {
     return function denyStatic(req, res, next) {
+        if (!path.extname(req.path)) {
+            return next();
+        }
+
         if (!isAllowedFile(req.path.toLowerCase()) && isDeniedFile(req.path.toLowerCase())) {
             return next();
         }

package/core/server/data/tinybird/ARCHITECTURE.md

@@ -303,10 +303,6 @@ Click Tracking → redirects → members_click_events
 2. MySQL tracks member signup with attribution
 3. MySQL tracks paid conversion with attribution
 
-## API Endpoints
-
-All endpoints require authentication (`mw.authAdminApi`) and are gated behind `labs.isSet('trafficAnalytics')`.
-
 ### Core Stats Endpoints
 
 ```javascript

package/core/server/data/tinybird/DOCS.md

@@ -311,10 +311,6 @@ Click Tracking → redirects → members_click_events
 3. MySQL tracks paid conversion with attribution
 4. Combined view shows complete funnel
 
-## API Endpoints
-
-All endpoints require authentication (`mw.authAdminApi`) and are gated behind `labs.isSet('trafficAnalytics')`.
-
 ### Core Stats Endpoints
 
 ```javascript

package/core/server/services/explore-ping/ExplorePingService.js

@@ -33,7 +33,9 @@ module.exports = class ExplorePingService {
             ghost: this.ghostVersion.full,
             site_uuid: this.settingsCache.get('site_uuid'),
             url: this.config.get('url'),
-            theme: this.settingsCache.get('active_theme')
+            theme: this.settingsCache.get('active_theme'),
+            facebook: this.settingsCache.get('facebook'),
+            twitter: this.settingsCache.get('twitter')
         };
 
         try {

package/core/server/services/members/members-api/controllers/RouterController.js

@@ -4,6 +4,7 @@ const sanitizeHtml = require('sanitize-html');
 const {BadRequestError, NoPermissionError, UnauthorizedError, DisabledFeatureError, NotFoundError} = require('@tryghost/errors');
 const errors = require('@tryghost/errors');
 const {isEmail} = require('@tryghost/validator');
+const normalizeEmail = require('../utils/normalize-email');
 
 const messages = {
     emailRequired: 'Email is required.',
@@ -585,6 +586,23 @@ module.exports = class RouterController {
             });
         }
 
+        // Normalize email to prevent homograph attacks
+        let normalizedEmail;
+
+        try {
+            normalizedEmail = normalizeEmail(email);
+
+            if (normalizedEmail !== email) {
+                logging.info(`Email normalized from ${email} to ${normalizedEmail} for magic link`);
+            }
+        } catch (err) {
+            logging.error(`Failed to normalize [${email}]: ${err.message}`);
+
+            throw new errors.BadRequestError({
+                message: tpl(messages.invalidEmail)
+            });
+        }
+
         if (honeypot) {
             logging.warn('Honeypot field filled, this is likely a bot');
 
@@ -606,9 +624,9 @@ module.exports = class RouterController {
 
         try {
             if (emailType === 'signup' || emailType === 'subscribe') {
-                await this._handleSignup(req, referrer);
+                await this._handleSignup(req, normalizedEmail, referrer);
             } else {
-                await this._handleSignin(req, referrer);
+                await this._handleSignin(req, normalizedEmail, referrer);
             }
 
             res.writeHead(201);
@@ -626,7 +644,7 @@ module.exports = class RouterController {
         }
     }
 
-    async _handleSignup(req, referrer = null) {
+    async _handleSignup(req, normalizedEmail, referrer = null) {
         if (!this._allowSelfSignup()) {
             if (this._settingsCache.get('members_signup_access') === 'paid') {
                 throw new errors.BadRequestError({
@@ -640,14 +658,14 @@ module.exports = class RouterController {
         }
 
         const blockedEmailDomains = this._settingsCache.get('all_blocked_email_domains');
-        const emailDomain = req.body.email.split('@')[1]?.toLowerCase();
+        const emailDomain = normalizedEmail.split('@')[1]?.toLowerCase();
         if (emailDomain && blockedEmailDomains.includes(emailDomain)) {
             throw new errors.BadRequestError({
                 message: tpl(messages.blockedEmailDomain)
             });
         }
 
-        const {email, emailType} = req.body;
+        const {emailType} = req.body;
 
         const tokenData = {
             labels: req.body.labels,
@@ -657,13 +675,13 @@ module.exports = class RouterController {
             attribution: await this._memberAttributionService.getAttribution(req.body.urlHistory)
         };
 
-        return await this._sendEmailWithMagicLink({email, tokenData, requestedType: emailType, referrer});
+        return await this._sendEmailWithMagicLink({email: normalizedEmail, tokenData, requestedType: emailType, referrer});
     }
 
-    async _handleSignin(req, referrer = null) {
-        const {email, emailType} = req.body;
+    async _handleSignin(req, normalizedEmail, referrer = null) {
+        const {emailType} = req.body;
 
-        const member = await this._memberRepository.get({email});
+        const member = await this._memberRepository.get({email: normalizedEmail});
 
         if (!member) {
             throw new errors.BadRequestError({
@@ -672,7 +690,7 @@ module.exports = class RouterController {
         }
 
         const tokenData = {};
-        return await this._sendEmailWithMagicLink({email, tokenData, requestedType: emailType, referrer});
+        return await this._sendEmailWithMagicLink({email: normalizedEmail, tokenData, requestedType: emailType, referrer});
     }
 
     /**

package/core/server/services/members/members-api/utils/normalize-email.js

@@ -0,0 +1,31 @@
+const punycode = require('punycode/');
+
+/**
+ * Normalizes email addresses by converting Unicode domains to ASCII (punycode)
+ * This prevents homograph attacks where Unicode characters are used to spoof
+ * domains
+ *
+ * @param {string} email The email address to normalize
+ * @returns {string} The normalized email address
+ * @throws {Error} When punycode conversion fails
+ */
+function normalizeEmail(email) {
+    if (!email || typeof email !== 'string') {
+        return null;
+    }
+
+    const atIndex = email.lastIndexOf('@');
+
+    if (atIndex === -1) {
+        return email;
+    }
+
+    const localPart = email.substring(0, atIndex);
+    const domainPart = email.substring(atIndex + 1);
+
+    const asciiDomain = punycode.toASCII(domainPart);
+
+    return `${localPart}@${asciiDomain}`;
+}
+
+module.exports = normalizeEmail;

package/core/server/services/public-config/config.js

@@ -29,7 +29,6 @@ module.exports = function getConfigProperties() {
         configProperties.exploreTestimonialsUrl = config.get('explore:testimonials_url');
     }
 
-    // WIP tinybird stats feature - it's entirely config driven instead of using an alpha flag for now
     if (config.get('tinybird') && config.get('tinybird:stats')) {
         const statsConfig = config.get('tinybird:stats');
         const siteUuid = statsConfig.id || settingsCache.get('site_uuid');

package/core/server/services/settings/SettingsBREADService.js

@@ -24,12 +24,14 @@ class SettingsBREADService {
      * @param {Object} options.singleUseTokenProvider
      * @param {Object} options.urlUtils
      * @param {Object} options.labsService - labs service instance
+     * @param {Object} options.limitsService - limits service instance
      * @param {{service: Object}} options.emailAddressService
      */
-    constructor({SettingsModel, settingsCache, labsService, mail, singleUseTokenProvider, urlUtils, emailAddressService}) {
+    constructor({SettingsModel, settingsCache, labsService, limitsService, mail, singleUseTokenProvider, urlUtils, emailAddressService}) {
         this.SettingsModel = SettingsModel;
         this.settingsCache = settingsCache;
         this.labs = labsService;
+        this.limitsService = limitsService;
         this.emailAddressService = emailAddressService;
 
         /* email verification setup */
@@ -194,6 +196,8 @@ class SettingsBREADService {
         }
 
         if (stripeConnectData) {
+            await this.limitsService.errorIfWouldGoOverLimit('limitStripeConnect');
+
             filteredSettings.push({
                 key: 'stripe_connect_publishable_key',
                 value: stripeConnectData.public_key

package/core/server/services/settings/settings-service.js

@@ -5,6 +5,7 @@
 const events = require('../../lib/common/events');
 const models = require('../../models');
 const labs = require('../../../shared/labs');
+const limits = require('../limits');
 const config = require('../../../shared/config');
 const adapterManager = require('../adapter-manager');
 const SettingsCache = require('../../../shared/settings-cache');
@@ -30,6 +31,7 @@ const getSettingsBREADServiceInstance = () => {
         SettingsModel: models.Settings,
         settingsCache: SettingsCache,
         labsService: labs,
+        limitsService: limits,
         mail,
         singleUseTokenProvider: new SingleUseTokenProvider({
             SingleUseTokenModel: models.SingleUseToken,
@@ -110,7 +112,7 @@ module.exports = {
         fields.push(new CalculatedField({key: 'social_web_enabled', type: 'boolean', group: 'social_web', fn: settingsHelpers.isSocialWebEnabled.bind(settingsHelpers), dependents: ['social_web', 'labs']}));
 
         // Web analytics
-        fields.push(new CalculatedField({key: 'web_analytics_enabled', type: 'boolean', group: 'analytics', fn: settingsHelpers.isWebAnalyticsEnabled.bind(settingsHelpers), dependents: ['web_analytics', 'labs']}));
+        fields.push(new CalculatedField({key: 'web_analytics_enabled', type: 'boolean', group: 'analytics', fn: settingsHelpers.isWebAnalyticsEnabled.bind(settingsHelpers), dependents: ['web_analytics']}));
         fields.push(new CalculatedField({key: 'web_analytics_configured', type: 'boolean', group: 'analytics', fn: settingsHelpers.isWebAnalyticsConfigured.bind(settingsHelpers), dependents: ['web_analytics']}));
 
         return fields;

package/core/server/services/settings-helpers/SettingsHelpers.js

@@ -234,12 +234,6 @@ class SettingsHelpers {
             return false;
         }
 
-        // Labs setting
-        if (!this.labs.isSet('ActivityPub')) {
-            debug('Social web is disabled in labs');
-            return false;
-        }
-
         // Ghost (Pro) limits
         if (this.limitService.isDisabled('limitSocialWeb')) {
             debug('Social web is not available for Ghost (Pro) sites without a custom domain, or hosted on a subdirectory');
@@ -279,12 +273,6 @@ class SettingsHelpers {
             return false;
         }
 
-        // Labs setting
-        if (!this.labs.isSet('trafficAnalytics')) {
-            debug('Web analytics is disabled in labs');
-            return false;
-        }
-
         // Check if web analytics can be configured (limit service and required config)
         if (!this.isWebAnalyticsConfigured()) {
             return false;

package/core/server/web/admin/app.js

@@ -19,16 +19,15 @@ module.exports = function setupAdminApp() {
     const adminApp = express('admin');
 
     // Admin assets
-    // @TODO ensure this gets a local 404 error handler
-    const configMaxAge = config.get('caching:admin:maxAge');
     // @NOTE: when we start working on HTTP/3 optimizations the immutable headers
     //        produced below should be split into separate 'Cache-Control' entry.
     //        For reference see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Caching#validation_2
-    // @NOTE: the maxAge config passed below are in milliseconds and the config
-    //        is specified in seconds. See https://github.com/expressjs/serve-static/issues/150 for more context
+
     adminApp.use('/assets', serveStatic(
         path.join(config.get('paths').adminAssets, 'assets'), {
-            maxAge: (configMaxAge || configMaxAge === 0) ? configMaxAge : (365 * 24 * 60 * 60 * 1000), // Default to 1 year in ms
+            // @NOTE: the maxAge config passed below are in milliseconds and the config
+            //        is specified in seconds. See https://github.com/expressjs/serve-static/issues/150 for more context
+            maxAge: config.get('caching:admin:maxAge') * 1000,
             immutable: true,
             fallthrough: false
         }
@@ -94,4 +93,4 @@ module.exports = function setupAdminApp() {
     debug('Admin setup end');
 
     return adminApp;
-};
+};

package/core/server/web/shared/middleware/cache-control.js

@@ -9,7 +9,7 @@
 const isString = require('lodash/isString');
 
 /**
- * @param {'public'|'private'} profile Use "private" if you do not want caching
+ * @param {'public'|'private'|'noCache'} profile Use "private" if you do not want caching
  * @param {object} [options]
  * @param {number} [options.maxAge] The max-age in seconds to use when profile is "public"
  * @param {number} [options.staleWhileRevalidate] The stale-while-revalidate in seconds to use when profile is "public"
@@ -24,6 +24,7 @@ const cacheControl = (profile, options = {maxAge: 0}) => {
 
     const profiles = {
         public: publicOptions.filter(option => option).join(', '),
+        noCache: 'no-cache, max-age=0, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0',
         private: 'no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0'
     };
 

package/core/shared/config/defaults.json

@@ -168,6 +168,12 @@
         },
         "commentsCountAPI": {
             "maxAge": 0
+        },
+        "admin": {
+            "maxAge": 31536000
+        },
+        "theme": {
+            "maxAge": 31536000
         }
     },
     "optimization": {

package/core/shared/labs.js

@@ -27,9 +27,6 @@ const GA_FEATURES = [
     'announcementBar',
     'customFonts',
     'contentVisibility',
-    'ActivityPub',
-    'trafficAnalytics',
-    'ui60',
     'explore'
 ];
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ghost",
-  "version": "6.0.0-alpha.1",
+  "version": "6.0.0-alpha.2",
   "description": "The professional publishing platform",
   "author": "Ghost Foundation",
   "homepage": "https://ghost.org",
@@ -86,7 +86,7 @@
     "@tryghost/helpers": "1.1.97",
     "@tryghost/html-to-plaintext": "1.0.4",
     "@tryghost/http-cache-utils": "0.1.20",
-    "@tryghost/i18n": "file:components/tryghost-i18n-6.0.0-alpha.1.tgz",
+    "@tryghost/i18n": "file:components/tryghost-i18n-6.0.0-alpha.2.tgz",
     "@tryghost/image-transform": "1.4.6",
     "@tryghost/job-manager": "1.0.3",
     "@tryghost/kg-card-factory": "5.1.2",
@@ -135,9 +135,9 @@
     "clsx": "2.1.1",
     "cluster-key-slot": "1.1.2",
     "common-tags": "1.8.2",
-    "compression": "1.8.0",
+    "compression": "1.8.1",
     "connect-slashes": "1.4.0",
-    "cookie-session": "2.1.0",
+    "cookie-session": "2.1.1",
     "cookies": "0.9.1",
     "cors": "2.8.5",
     "countries-and-timezones": "3.8.0",
@@ -154,9 +154,9 @@
     "express-lazy-router": "1.0.6",
     "express-query-boolean": "2.0.0",
     "express-queue": "0.0.13",
-    "express-session": "1.18.1",
+    "express-session": "1.18.2",
     "file-type": "16.5.4",
-    "form-data": "4.0.3",
+    "form-data": "4.0.4",
     "fs-extra": "11.3.0",
     "ghost-storage-base": "1.0.0",
     "glob": "8.1.0",
@@ -195,7 +195,7 @@
     "mime-types": "2.1.35",
     "moment": "2.24.0",
     "moment-timezone": "0.5.45",
-    "multer": "2.0.1",
+    "multer": "2.0.2",
     "mysql2": "3.14.2",
     "nconf": "0.13.0",
     "node-fetch": "2.7.0",
@@ -232,7 +232,7 @@
     "@types/bookshelf": "1.2.9",
     "@types/common-tags": "1.8.4",
     "@types/jsonwebtoken": "9.0.10",
-    "@types/node": "22.16.4",
+    "@types/node": "22.16.5",
     "@types/node-jose": "1.1.13",
     "@types/nodemailer": "6.4.17",
     "@types/sinon": "17.0.4",
@@ -244,7 +244,7 @@
     "detect-newline": "3.1.0",
     "expect": "29.7.0",
     "find-root": "1.1.0",
-    "form-data": "4.0.3",
+    "form-data": "4.0.4",
     "html-minifier": "4.0.0",
     "html-validate": "8.29.0",
     "inquirer": "8.2.6",
@@ -273,7 +273,7 @@
     "jackspeak": "2.3.6",
     "moment": "2.24.0",
     "moment-timezone": "0.5.45",
-    "@tryghost/i18n": "file:components/tryghost-i18n-6.0.0-alpha.1.tgz"
+    "@tryghost/i18n": "file:components/tryghost-i18n-6.0.0-alpha.2.tgz"
   },
   "nx": {
     "targets": {