1 change: 1 addition & 0 deletions README.md
Expand Up @@ -209,6 +209,7 @@ CVE Lite CLI has been evaluated against real open-source projects to verify that
- [OWASP Juice Shop](https://owasp.org/cve-lite-cli/docs/case-studies/owasp-juice-shop) — scanning a deliberately vulnerable application with known dependency issues
- [NestJS](https://owasp.org/cve-lite-cli/docs/case-studies/nestjs) — working through a real transitive dependency remediation sequence across a widely-used Node.js framework
- [Analog](https://owasp.org/cve-lite-cli/docs/case-studies/analog) — scanning a modern pnpm v9 Angular monorepo (3,367 packages) with unexpected toolchain vulnerabilities
- [Ghost](https://owasp.org/cve-lite-cli/docs/case-studies/ghost) — 26 vulnerable packages across 4,447 resolved in a professionally maintained CMS — every one transitive, including a critical XSS in the library responsible for making user content safe

These are not demos. They are documented scans against real codebases with real findings, recorded before and after applying fix commands.

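--- a/examples/ghost/package.json
+++ b/examples/ghost/package.json
@@ -0,0 +1,207 @@
+{
+"name": "ghost-monorepo",
+"version": "0.0.0-private",
+"description": "The professional publishing platform",
+"private": true,
+"packageManager": "pnpm@10.33.0+sha512.10568bb4a6afb58c9eb3630da90cc9516417abebd3fabbe6739f0ae795728da1491e9db5a544c76ad8eb7570f5c4bb3d6c637b2cb41bfdcdb47fa823c8649319",
+"repository": "https://github.com/TryGhost/Ghost",
+"author": "Ghost Foundation",
+"license": "MIT",
+"monorepo": {
+"public": false,
+"internalPackages": true,
+"repo": "https://github.com/TryGhost/Ghost",
+"scope": "@tryghost"
+},
+"eslintIgnore": [
+"**/node_modules/**"
+],
+"scripts": {
+"archive": "pnpm nx run ghost:archive",
+"build:production": "pnpm nx run ghost:build:tsc && pnpm nx run ghost:build:assets && pnpm nx run @tryghost/admin:build",
+"build": "pnpm nx run-many -t build",
+"build:clean": "nx reset && rimraf -g 'ghost/*/build' && rimraf -g 'ghost/*/tsconfig.tsbuildinfo'",
+"clean:hard": "node ./.github/scripts/clean.js",
+"dev": "pnpm nx run ghost-monorepo:docker:dev",
+"dev:sqlite": "DEV_COMPOSE_FILES='-f compose.dev.sqlite.yaml' pnpm nx run ghost-monorepo:docker:dev",
+"dev:mailgun": "DEV_COMPOSE_FILES='-f compose.dev.mailgun.yaml' pnpm nx run ghost-monorepo:docker:dev",
+"dev:lexical": "EDITOR_URL=http://localhost:2368/ghost/assets/koenig-lexical/ pnpm dev",
+"dev:analytics": "DEV_COMPOSE_FILES='-f compose.dev.analytics.yaml' pnpm nx run ghost-monorepo:docker:dev",
+"dev:storage": "DEV_COMPOSE_FILES='-f compose.dev.storage.yaml' pnpm nx run ghost-monorepo:docker:dev",
+"dev:stripe": "./docker/stripe/with-stripe.sh pnpm nx run ghost-monorepo:docker:dev",
+"dev:all": "DEV_COMPOSE_FILES='-f compose.dev.analytics.yaml -f compose.dev.storage.yaml' ./docker/stripe/with-stripe.sh pnpm nx run ghost-monorepo:docker:dev",
+"fix": "pnpm store prune && rimraf -g '**/node_modules' && pnpm install && pnpm nx reset",
+"knex-migrator": "pnpm --filter ghost run knex-migrator",
+"setup": "pnpm install && git submodule update --init --recursive",
+"reset:data": "docker exec ghost-dev bash -c 'cd /home/ghost/ghost/core && node index.js generate-data --clear-database --quantities members:1000,posts:100 --seed 123'",
+"reset:data:empty": "docker exec ghost-dev bash -c 'cd /home/ghost/ghost/core && node index.js generate-data --clear-database --quantities members:0,posts:0 --seed 123'",
+"reset:data:xxl": "docker exec ghost-dev bash -c 'cd /home/ghost/ghost/core && node index.js generate-data --clear-database --quantities members:2000000,posts:0,emails:0,members_stripe_customers:0,members_login_events:0,members_status_events:0 --seed 123'",
+"docker:build": "docker compose -f compose.dev.yaml ${DEV_COMPOSE_FILES} build",
+"docker:clean": "docker compose -f compose.dev.yaml ${DEV_COMPOSE_FILES} --profile all down -v --remove-orphans --rmi local",
+"docker:down": "docker compose -f compose.dev.yaml ${DEV_COMPOSE_FILES} down",
+"docker:rebase": "git fetch ${GHOST_UPSTREAM:-origin} main && git rebase ${GHOST_UPSTREAM:-origin}/main && pnpm install && pnpm nx run-many -t build --projects=@tryghost/shade,@tryghost/admin-x-design-system,@tryghost/admin-x-framework && docker compose -f compose.dev.yaml ${DEV_COMPOSE_FILES} up -d --build --force-recreate ghost-dev",
+"knip": "knip",
+"knip:fix": "knip --fix --allow-remove-files=false",
+"lint": "pnpm nx run-many -t lint",
+"test": "pnpm nx run-many -t test --exclude @tryghost/e2e --exclude ghost-admin",
+"test:unit": "pnpm nx run-many -t test:unit",
+"test:e2e": "pnpm --filter @tryghost/e2e test",
+"test:e2e:analytics": "pnpm --filter @tryghost/e2e test:analytics",
+"test:e2e:all": "pnpm --filter @tryghost/e2e test:all",
+"test:e2e:debug": "DEBUG=@tryghost/e2e:* pnpm test:e2e",
+"main": "pnpm main:monorepo && pnpm main:submodules",
+"main:monorepo": "git checkout main && git pull ${GHOST_UPSTREAM:-origin} main && pnpm install",
+"main:submodules": "git submodule sync && git submodule update && git submodule foreach \"git checkout main && git pull ${GHOST_UPSTREAM:-origin} main\"",
+"preinstall": "node ./.github/scripts/enforce-package-manager.js",
+"prepare": "husky .github/hooks",
+"tb": "tb local start && cd ghost/core/core/server/data/tinybird && tb dev",
+"tb:install": "curl https://tinybird.co | sh",
+"data:analytics:generate": "node ghost/core/core/server/data/tinybird/scripts/docker-analytics-manager.js generate",
+"data:analytics:clear": "node ghost/core/core/server/data/tinybird/scripts/docker-analytics-manager.js clear",
+"release": "node scripts/release.js",
+"test:release": "node --test 'scripts/test/*.js'"
+},
+"pnpm": {
+"overrides": {
+"@tryghost/errors": "^1.3.7",
+"@tryghost/logging": "catalog:",
+"jackspeak": "2.3.6",
+"moment": "2.30.1",
+"moment-timezone": "0.5.45",
+"nwsapi": "2.2.23",
+"broccoli-persistent-filter": "^2.3.1",
+"juice": "9.1.0",
+"ember-basic-dropdown": "6.0.2",
+"ember-in-viewport": "4.1.0",
+"eslint-plugin-ghost>@typescript-eslint/eslint-plugin": "8.49.0",
+"eslint-plugin-ghost>@typescript-eslint/utils": "8.49.0",
+"ember-svg-jar>cheerio": "1.0.0-rc.12",
+"juice>cheerio": "0.22.0",
+"lodash.template": "4.5.0",
+"@babel/runtime@<7.26.10": "^7.26.10",
+"@tootallnate/once@<3.0.1": "^3.0.1",
+"ansi-html@<0.0.8": "^0.0.8",
+"axios@<1.15.2": "^1.15.2",
+"braces@<3.0.3": "^3.0.3",
+"clean-css@<4.1.11": "^4.1.11",
+"codemirror@<5.58.2": "^5.58.2",
+"debug@>=4.0.0 <4.3.1": "^4.3.1",
+"debug@<2.6.9": "^2.6.9",
+"diff@<3.5.1": "^3.5.1",
+"diff@>=6.0.0 <8.0.3": "^8.0.3",
+"fast-xml-parser@<5.7.0": "^5.7.0",
+"follow-redirects@<1.16.0": "^1.16.0",
+"form-data@<2.5.4": "^2.5.4",
+"growl@<1.10.0": "^1.10.0",
+"handlebars@>=4.0.0 <=4.7.8": "^4.7.9",
+"ip-address@<=10.1.0": "^10.2.0",
+"js-yaml@>=4.0.0 <4.1.1": "^4.1.1",
+"json5@<1.0.2": "^1.0.2",
+"lodash@<4.18.0": "^4.18.0",
+"lodash-es@<4.18.0": "^4.18.0",
+"merge@<2.1.1": "^2.1.1",
+"micromatch@<4.0.8": "^4.0.8",
+"minimatch@<3.1.4": "^3.1.4",
+"minimatch@>=9.0.0 <9.0.7": "^9.0.7",
+"minimist@<0.2.4": "^0.2.4",
+"nth-check@<2.0.1": "^2.0.1",
+"path-to-regexp@<0.1.13": "^0.1.13",
+"protobufjs@<7.5.5": "^7.5.5",
+"qs@<6.14.1": "^6.14.2",
+"tar@<7.5.11": "^7.5.11",
+"tmp@<=0.2.3": "^0.2.4",
+"tough-cookie@<4.1.3": "^4.1.3",
+"trim@<0.0.3": "^0.0.3",
+"undici@<6.24.0": "^6.24.0",
+"underscore@>=1.3.2 <1.12.1": "^1.12.1",
+"@xmldom/xmldom@<0.8.13": "^0.8.13"
+},
+"packageExtensions": {
+"@doist/react-interpolate@2.2.1": {
+"dependencies": {
+"@babel/runtime": "^7.26.10"
+}
+}
+},
+"onlyBuiltDependencies": [
+"@swc/core",
+"core-js",
+"cpu-features",
+"dtrace-provider",
+"esbuild",
+"fsevents",
+"msw",
+"nx",
+"protobufjs",
+"re2",
+"sharp",
+"sqlite3",
+"ssh2"
+]
+},
+"devDependencies": {
+"@playwright/test": "catalog:",
+"@secretlint/secretlint-rule-pattern": "12.3.1",
+"@secretlint/secretlint-rule-preset-recommend": "12.3.1",
+"eslint": "catalog:",
+"eslint-plugin-ghost": "3.5.0",
+"eslint-plugin-react": "7.37.5",
+"husky": "9.1.7",
+"jsonc-parser": "catalog:",
+"knip": "6.12.0",
+"lint-staged": "16.4.0",
+"nx": "22.0.4",
+"rimraf": "6.1.3",
+"secretlint": "12.3.1",
+"semver": "7.7.4",
+"typescript": "catalog:"
+},
+"nx": {
+"includedScripts": [],
+"targets": {
+"docker:up": {
+"executor": "nx:run-commands",
+"options": {
+"command": "docker compose -f compose.dev.yaml ${DEV_COMPOSE_FILES} up -d --force-recreate --wait"
+},
+"dependsOn": [
+"docker:build"
+]
+},
+"docker:down": {
+"executor": "nx:run-commands",
+"options": {
+"command": "docker compose -f compose.dev.yaml ${DEV_COMPOSE_FILES} down"
+}
+},
+"docker:build": {
+"executor": "nx:run-commands",
+"options": {
+"command": "docker compose -f compose.dev.yaml ${DEV_COMPOSE_FILES} build"
+}
+},
+"docker:dev": {
+"continuous": true,
+"executor": "nx:run-commands",
+"options": {
+"command": "trap 'docker compose -f compose.dev.yaml ${DEV_COMPOSE_FILES} down' EXIT; docker compose -f compose.dev.yaml ${DEV_COMPOSE_FILES} logs -f"
+},
+"dependsOn": [
+"docker:up",
+{
+"target": "dev",
+"projects": [
+"@tryghost/admin",
+"@tryghost/portal",
+"@tryghost/comments-ui",
+"@tryghost/signup-form",
+"@tryghost/sodo-search",
+"@tryghost/announcement-bar",
+"@tryghost/parse-email-address"
+]
+}
+]
+}
+}
+}
+}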
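Review bot: The fixture keeps upstream's whole `scripts` block, including the `preinstall` and `prepare` lifecycle hooks and `tb:install` (`curl https://tinybird.co | sh`), so anyone who runs `pnpm install` in `examples/ghost` to reproduce the case study triggers hooks that point at `./.github/scripts/enforce-package-manager.js` and `.github/hooks`. Neither path is added in the part of this change visible here. If the directory is only ever read by the scanner, dropping `scripts` and the `nx` targets from the copy, or documenting `pnpm install --ignore-scripts` beside it, keeps the fixture inert. The copy also records no upstream revision (`"version": "0.0.0-private"` identifies nothing), so the package counts quoted in the README cannot be re-checked later; a short README in `examples/ghost` naming the source commit (`<upstream-commit-sha>`) would cover that.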