Bumped moment override to 2.30.1

[9larsons]

Why

The existing root override pinned moment at 2.24.0, which is itself flagged by two high-severity advisories — path traversal in moment.locale (GHSA-8hfj-j24r-96c4, fixed in 2.29.2) and ReDoS (GHSA-wc69-rhjr-hc9g, fixed in 2.29.4). The override was therefore actively masking a regression we'd already accepted.

2.30.1 matches what apps/comments-ui already declares as a direct dep; pinning the override there means one of our public-app callers gets the version it asked for instead of being force-downgraded. ghost/core (~110 import sites) and ghost/admin (~7 import sites) both remain on the same 2.x API surface, so call-site behavior is unchanged.

Test plan

• pnpm install — lockfile updates cleanly
• pnpm audit — 61 → 59 findings, 49 → 47 unique GHSAs; both moment advisories cleared
• pnpm test — 6283/6283 ghost/core unit tests pass (one pre-existing comments-ui editor markdown flake reproduces on clean main, unrelated)
• pnpm --filter ghost-admin run build — exit 0
• pnpm --filter ghost-admin run test — 1079/1079 Ember acceptance/integration tests pass
• CI confirms the same delta against the canonical environment

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: b68aa2c1-69fc-4380-aefa-967610040e05

📥 Commits

Reviewing files that changed from the base of the PR and between 5ed8c1b and ec2ad8c.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (1)

• package.json

---

Walkthrough

This pull request updates the pinned version of the moment package in the pnpm.overrides configuration from version 2.24.0 to version 2.30.1 in package.json. This change affects dependency resolution to use the newer version of the moment library when it is installed as a dependency in the project.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Bumped moment override to 2.30.1' clearly and concisely describes the main change in the changeset.
Description check	✅ Passed	The description is directly related to the changeset, providing context about security vulnerabilities, justification for the update, and comprehensive test results.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch security/moment-override-bump

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.19%. Comparing base (4703b16) to head (ec2ad8c).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #27674   +/-   ##
=======================================
  Coverage   73.19%   73.19%           
=======================================
  Files        1561     1561           
  Lines      127072   127072           
  Branches    15397    15396    -1     
=======================================
  Hits        93011    93011           
- Misses      33082    33102   +20     
+ Partials      979      959   -20     

Flag	Coverage Δ
admin-tests	49.86% <ø> (ø)
e2e-tests	73.19% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.