
Dependency updates #27111

Open
Kushmanmb wants to merge 9 commits into TryGhost:main from kushmanmb-org:main

Conversation

Kushmanmb commented Apr 4, 2026

This pull request updates the moment library to version 2.29.4 across multiple packages and makes improvements to the Docker cache configuration in the CI workflow. These changes enhance security by updating a widely used dependency and optimize build caching for both pull requests and the main branch.

Dependency updates:

  • Upgraded the moment package from version 2.24.0 to 2.29.4 in apps/posts/package.json, apps/stats/package.json, ghost/admin/package.json, ghost/core/package.json, and the root package.json to address potential security vulnerabilities and ensure consistency across the codebase.

CI/CD improvements:

  • Updated the Docker cache configuration in .github/workflows/ci.yml to use more descriptive cache tags (buildcache-main and buildcache-pr-<number>) and added logic to handle pull request and main branch caching more effectively.

Got some code for us? Awesome 🎊!

Please take a minute to explain the change you're making:

  • Why are you making it?
  • What does it do?
  • Why is this something Ghost users or developers need?

Please check your PR against these items:

  • I've read and followed the Contributor Guide
  • I've explained my change
  • I've written an automated test to prove my change works

We appreciate your contribution! 🙏


Note

Medium Risk
Bumps a widely used date library across core/admin/apps which could subtly affect date parsing/formatting, and tweaks CI Docker metadata tags which may impact build caching behavior if misconfigured.

Overview
Updates moment from 2.24.0 to 2.29.4 across the monorepo (apps, admin, core) and aligns yarn resolutions/lockfile to enforce the newer version.

Adjusts the CI Docker metadata tagging to add explicit cache tags for PR builds (cache-pr-<number>) and main branch builds (cache-main) to improve/segregate registry build cache usage.

Reviewed by Cursor Bugbot for commit af489fd.


coderabbitai bot commented Apr 4, 2026

Walkthrough

This pull request makes two categories of changes. First, it updates the Docker metadata action configuration in the CI workflow to conditionally append image tags: cache-pr-{PR_NUMBER} on pull request events and cache-main on pushes to the main branch. Second, it upgrades the moment dependency from version 2.24.0 to 2.29.4 across multiple package files, including direct dependencies in apps/posts, apps/stats, and ghost/core, as well as resolution entries in the root package.json, ghost/admin, and ghost/core.

Pre-merge checks: 3 passed

  • Title check: Passed. The title 'Dependency updates' is partially related to the changeset, as it refers to the moment library version updates, but it omits the significant CI/CD improvements to Docker cache configuration.
  • Description check: Passed. The pull request description is comprehensive and directly related to the changeset, covering both the moment dependency updates for security and the Docker cache configuration improvements.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



sonarqubecloud bot commented Apr 4, 2026


cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.


Excerpt from .github/workflows/ci.yml (tags of the meta-full metadata step):

    type=semver,pattern={{major}}.{{minor}}
    type=raw,value=latest,enable={{is_default_branch}}
    ${{ github.event_name == 'pull_request' && format('type=raw,value=cache-pr-{0}', github.event.pull_request.number) || '' }}
    ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' && 'type=raw,value=cache-main' || '' }}

Image tags collide with cache registry refs

Medium Severity

The new cache-main and cache-pr-{0} tags added to the meta-full metadata step use the same names as the cache-to registry refs in the full image build step. Docker's documentation explicitly warns that the cache ref must not be the same as the image push target. When the image is pushed with tag cache-main and the cache is exported to the same tag, one overwrites the other. This can break layer caching for subsequent builds (causing cache misses and slower builds) or cause failures on registries with tag immutability.

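The separation Bugbot asks for is the one the build-push-action documentation describes for registry caches: the ref passed to cache-to must be a tag that is never also an image push target, otherwise the last writer (image or cache export) wins. The workflow below is an added example, not Ghost's ci.yml; the image name ghcr.io/example-org/ghost, the job name and the step ids are assumptions. The metadata step emits image tags only, the cache ref is computed in its own step under a buildcache- prefix chosen per event, and the build reads the PR cache first and falls back to main's.

```yaml
# Added example, not Ghost's ci.yml. Image name, job name and step ids are assumed.
jobs:
  build-full:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4

      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - uses: docker/setup-buildx-action@v3

      # Image tags only. What Bugbot flagged was adding e.g.
      #   type=raw,value=cache-main
      # to this list, which makes cache-main both a push target and the cache ref.
      - name: Image metadata
        id: meta-full
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/example-org/ghost
          tags: |
            type=semver,pattern={{major}}.{{minor}}
            type=raw,value=latest,enable={{is_default_branch}}

      # Cache ref under its own prefix, so it can never equal a tag in
      # steps.meta-full.outputs.tags. Event data goes through env, not inline.
      - name: Compute cache ref
        id: cache
        env:
          EVENT: ${{ github.event_name }}
          PR: ${{ github.event.pull_request.number }}
        run: |
          if [ "$EVENT" = "pull_request" ]; then
            echo "ref=ghcr.io/example-org/ghost:buildcache-pr-${PR}" >> "$GITHUB_OUTPUT"
          else
            echo "ref=ghcr.io/example-org/ghost:buildcache-main" >> "$GITHUB_OUTPUT"
          fi

      - name: Build and push
        uses: docker/build-push-action@v6
        with:
          context: .
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta-full.outputs.tags }}
          labels: ${{ steps.meta-full.outputs.labels }}
          # Try this event's own cache first, then main's.
          cache-from: |
            type=registry,ref=${{ steps.cache.outputs.ref }}
            type=registry,ref=ghcr.io/example-org/ghost:buildcache-main
          cache-to: type=registry,ref=${{ steps.cache.outputs.ref }},mode=max
```

Two caveats for this layout: on pull requests from forks the GITHUB_TOKEN is read-only, so the cache-to export cannot push to GHCR and should be skipped or limited to same-repository events; and the buildcache-pr-<n> tags accumulate in the registry, so a cleanup job on PR close is needed.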


Bugbot Autofix determined this is a false positive.

Current .github/workflows/ci.yml no longer tags images as cache-main/cache-pr-*, so image push tags and cache-to refs are distinct and do not conflict.


coderabbitai bot left a comment

🧹 Nitpick comments (1)
apps/posts/package.json (1)

45-45: Consider upgrading moment to the latest version.

While 2.29.4 maintains consistency across the workspace and patches key vulnerabilities (CVE-2022-31129, CVE-2022-24785), version 2.30.1 is available (released Dec 2023) and is the currently recommended stable release with no known vulnerabilities per Snyk. An upgrade would improve security posture. Note: Moment.js is in maintenance mode; evaluate whether Day.js or Luxon might better suit future project needs.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@apps/posts/package.json` at line 45, The package.json currently pins
"moment": "2.29.4" — update that dependency to "2.30.1" in
apps/posts/package.json (replace the version string for "moment") and run your
package manager install to update the lockfile; additionally, add a brief TODO
comment or issue to evaluate migrating to a maintained alternative (e.g., Day.js
or Luxon) since Moment is in maintenance mode so future refactors can be
planned.


📥 Commits

Reviewing files that changed from the base of the PR and between 3c25fea and af489fd.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (6)
  • .github/workflows/ci.yml
  • apps/posts/package.json
  • apps/stats/package.json
  • ghost/admin/package.json
  • ghost/core/package.json
  • package.json
