173 KiB
Changelog
All notable changes to this project will be documented in this file.
[4.3.0] - 2024-10-08
The following changelog entries focus on changes visible to users, administrators, client developers or federated software developers, but there has also been a lot of code modernization, refactoring, and tooling work, in particular by @mjankowski.
Security
- Add confirmation interstitial instead of silently redirecting logged-out visitors to remote resources (#27792, #28902, and #30651 by @ClearlyClaire and @Gargron)
This fixes a longstanding open redirect in Mastodon, at the cost of added friction when local links to remote resources are shared. - Fix ReDoS vulnerability on some Ruby versions (GHSA-jpxp-r43f-rhvx)
- Change
form-action
Content-Security-Policy directive to be more restrictive (#26897 and #32241 by @ClearlyClaire) - Update dependencies
Added
-
Add server-side notification grouping (#29889, #30576, #30685, #30688, #30707, #30776, #30779, #30781, #30440, #31062, #31098, #31076, #31111, #31123, #31223, #31214, #31224, #31299, #31325, #31347, #31304, #31326, #31384, #31403, #31433, #31509, #31486, #31513, #31592, #31594, #31638, #31746, #31652, #31709, #31725, #31745, #31613, #31657, #31840, #31610, #31929, #32089, #32085, #32243, #32179 and #32254 by @ClearlyClaire, @Gargron, @mgmn, and @renchap)
Group notifications of the same type for the same target, so that your notifications no longer get cluttered by boost and favorite notifications as soon as a couple of your posts get traction.
This is done server-side so that clients can efficiently get relevant groups without having to go through numerous pages of individual notifications.
As part of this, the visual design of the entire notifications feature has been revamped.
This feature is intended to eventually replace the existing notifications column, but for this first beta, users will have to enable it in the “Experimental features” section of the notifications column settings.
The API is not final yet, but it consists of:- a new
group_key
attribute toNotification
entities GET /api/v2/notifications
: https://docs.joinmastodon.org/methods/grouped_notifications/#get-groupedGET /api/v2/notifications/:group_key
: https://docs.joinmastodon.org/methods/grouped_notifications/#get-notification-groupGET /api/v2/notifications/:group_key/accounts
: https://docs.joinmastodon.org/methods/grouped_notifications/#get-group-accountsPOST /api/v2/notifications/:group_key/dimsiss
: https://docs.joinmastodon.org/methods/grouped_notifications/#dismiss-groupGET /api/v2/notifications/:unread_count
: https://docs.joinmastodon.org/methods/grouped_notifications/#unread-group-count
- a new
-
Add notification policies, filtered notifications and notification requests (#29366, #29529, #29433, #29565, #29567, #29572, #29575, #29588, #29646, #29652, #29658, #29666, #29693, #29699, #29737, #29706, #29570, #29752, #29810, #29826, #30114, #30251, #30559, #29868, #31008, #31011, #30996, #31149, #31220, #31222, #31225, #31242, #31262, #31250, #31273, #31310, #31316, #31322, #31329, #31324, #31331, #31343, #31342, #31309, #31358, #31378, #31406, #31256, #31456, #31419, #31457, #31508, #31540, #31541, #31723, #32062 and #32281 by @ClearlyClaire, @Gargron, @TheEssem, @mgmn, @oneiros, and @renchap)
The old “Block notifications from non-followers”, “Block notifications from people you don't follow” and “Block direct messages from people you don't follow” notification settings have been replaced by a new set of settings found directly in the notification column.
You can now separately filter or drop notifications from people you don't follow, people who don't follow you, accounts created within the past 30 days, as well as unsolicited private mentions, and accounts limited by the moderation.
Instead of being outright dropped, notifications that you chose to filter are put in a separate “Filtered notifications” box that you can review separately without it clogging your main notifications.
This adds the following REST API endpoints:GET /api/v2/notifications/policy
: https://docs.joinmastodon.org/methods/notifications/#get-policyPATCH /api/v2/notifications/policy
: https://docs.joinmastodon.org/methods/notifications/#update-the-filtering-policy-for-notificationsGET /api/v1/notifications/requests
: https://docs.joinmastodon.org/methods/notifications/#get-requestsGET /api/v1/notifications/requests/:id
: https://docs.joinmastodon.org/methods/notifications/#get-one-requestPOST /api/v1/notifications/requests/:id/accept
: https://docs.joinmastodon.org/methods/notifications/#accept-requestPOST /api/v1/notifications/requests/:id/dismiss
: https://docs.joinmastodon.org/methods/notifications/#dismiss-requestPOST /api/v1/notifications/requests/accept
: https://docs.joinmastodon.org/methods/notifications/#accept-multiple-requestsPOST /api/v1/notifications/requests/dismiss
: https://docs.joinmastodon.org/methods/notifications/#dismiss-multiple-requestsGET /api/v1/notifications/requests/merged
: https://docs.joinmastodon.org/methods/notifications/#requests-merged
In addition, accepting one or more notification requests generates a new streaming event:
notifications_merged
: an event of this type indicates accepted notification requests have finished merging, and the notifications list should be refreshed
-
Add notifications of severed relationships (#27511, #29665, #29668, #29670, #29700, #29714, #29712, and #29731 by @ClearlyClaire and @Gargron)
Notify local users when they lose relationships as a result of a local moderator blocking a remote account or server, allowing the affected user to retrieve the list of broken relationships.
Note that this does not notify remote users.
This adds thesevered_relationships
notification type to the REST API and streaming, with a newrelationship_severance_event
attribute. -
Add hover cards in web UI (#30754, #30864, #30850, #30879, #30928, #30949, #30948, #30931, and #31300 by @ClearlyClaire, @Gargron, and @renchap)
Hovering over an avatar or username will now display a hover card with the first two lines of the user's description and their first two profile fields.
This can be disabled in the “Animations and accessibility” section of the preferences. -
Add "system" theme setting (light/dark theme depending on user system preference) (#29748, #29553, #29795, #29918, #30839, and #30861 by @nshki, @ErikUden, @mjankowski, @renchap, and @vmstan)
Add a “system” theme that automatically switch between default dark and light themes depending on the user's system preferences.
Also changes the default server theme to this new “system” theme so that automatic theme selection happens even when logged out. -
Add timeline of public posts about a trending link (#30381 and #30840 by @Gargron)
You can now see public posts mentioning currently-trending articles from people who have opted into discovery features.
This adds a new REST API endpoint: https://docs.joinmastodon.org/methods/timelines/#link -
Add author highlight for news articles whose authors are on the fediverse (#30398, #30670, #30521, #30846, #31819, #31900 and #32188 by @Gargron, @mjankowski and @oneiros)
This adds a mechanism to highlight the author of news articles shared on Mastodon.
Articles hosted outside the fediverse can indicate a fediverse author with a meta tag:<meta name="fediverse:creator" content="username@domain" />
On the API side, this is represented by a new
authors
attribute to thePreviewCard
entity: https://docs.joinmastodon.org/entities/PreviewCard/#authors
Users can allow arbitrary domains to usefediverse:creator
to credit them by visiting/settings/verification
.
This is federated as a newattributionDomains
property in thehttp://joinmastodon.org/ns
namespace, containing an array of domain names: https://docs.joinmastodon.org/spec/activitypub/#properties-used-1 -
Add in-app notifications for moderation actions and warnings (#30065, #30082, and #30081 by @ClearlyClaire)
In addition to email notifications, also notify users of moderation actions or warnings against them directly within the app, so they are less likely to miss important communication from their moderators.
This adds themoderation_warning
notification type to the REST API and streaming, with a newmoderation_warning
attribute. -
Add domain information to profiles in web UI (#29602 by @Gargron)
Clicking the domain of a user in their profile will now open a tooltip with a short explanation about servers and federation. -
Add support for Redis sentinel (#31694, #31623, #31744, #31767, and #31768 by @ThisIsMissEm and @oneiros)
See https://docs.joinmastodon.org/admin/scaling/#redis-sentinel -
Add ability to reorder uploaded media before posting in web UI (#28456 and #32093 by @Gargron)
-
Add “A Mastodon update is available.” message on admin dashboard for non-bugfix updates (#32106 by @ClearlyClaire)
-
Add ability to view alt text by clicking the ALT badge in web UI (#32058 by @Gargron)
-
Add preview of followers removed in domain block modal in web UI (#32032 and #32105 by @ClearlyClaire and @Gargron)
-
Add reblogs and favourites counts to statuses in ActivityPub (#32007 by @Gargron)
-
Add moderation interface for searching hashtags (#30880 by @ThisIsMissEm)
-
Add ability for admins to configure instance favicon and logo (#30040, #30208, #30259, #30375, #30734, #31016, and #30205 by @ClearlyClaire, @FawazFarid, @JasonPunyon, @mgmn, and @renchap)
This is also exposed through the REST API: https://docs.joinmastodon.org/entities/Instance/#icon -
Add
api_versions
to/api/v2/instance
(#31354 by @ClearlyClaire)
Add API version number to make it easier for clients to detect compatible features going forward.
See API documentation at https://docs.joinmastodon.org/entities/Instance/#api-versions -
Add quick links to Administration and Moderation Reports from Web UI (#24838 by @ThisIsMissEm)
-
Add link to
/admin/roles
in moderation interface when changing someone's role (#31791 by @ClearlyClaire) -
Add recent audit log entries in federation moderation interface (#27386 by @ThisIsMissEm)
-
Add profile setup to onboarding in web UI (#27829, #27876, and #28453 by @Gargron)
-
Add prominent share/copy button on profiles in web UI (#27865 and #27889 by @ClearlyClaire and @Gargron)
-
Add optional hints for server rules (#29539 and #29758 by @ClearlyClaire and @Gargron)
Server rules can now be broken into a short rule name and a longer explanation of the rule.
This adds a newhint
attribute toRule
entities in the REST API. -
Add support for PKCE in OAuth flow (#31129 by @ThisIsMissEm)
-
Add CDN cache busting on media deletion (#31353 and #31414 by @ClearlyClaire and @tribela)
-
Add the OAuth application used in local reports (#30539 by @ThisIsMissEm)
-
Add hint to user that other remote statuses may be missing (#26910, #31387, and #31516 by @Gargron, @audiodude, and @renchap)
-
Add lang attribute on preview card title (#31303 by @c960657)
-
Add check for
Content-Length
inResponseWithLimitAdapter
(#31285 by @c960657) -
Add
Accept-Language
header to fetch preview cards in the server's default language (#31232 by @c960657) -
Add support for PKCE Extension in OmniAuth OIDC through the
OIDC_USE_PKCE
environment variable (#31131 by @ThisIsMissEm) -
Add API endpoints for unread notifications count (#31191 by @ClearlyClaire)
This adds the following REST API endpoints:GET /api/v1/notifications/unread_count
: https://docs.joinmastodon.org/methods/notifications/#unread-count
-
Add
/
keyboard shortcut to focus the search field (#29921 by @ClearlyClaire) -
Add button to view the Hashtag on the instance from Hashtags in Moderation UI (#31533 by @ThisIsMissEm)
-
Add list of pending releases directly in mail notifications for version updates (#29436 and #30035 by @ClearlyClaire)
-
Add “Appeals” link under “Moderation” navigation category in moderation interface (#31071 by @ThisIsMissEm)
-
Add badge on account card in report moderation interface when account is already suspended (#29592 by @ClearlyClaire)
-
Add admin comments directly to the
admin/instances
page (#29240 by @tribela) -
Add ability to require approval when users sign up using specific email domains (#28468, #28732, #28607, and #28608 by @ClearlyClaire)
-
Add banner for forwarded reports made by remote users about remote content (#27549 by @ClearlyClaire)
-
Add support HTML ruby tags in remote posts for east-asian languages (#30897 by @ThisIsMissEm)
-
Add link to manage warning presets in admin navigation (#26199 by @vmstan)
-
Add volume saving/reuse to video player (#27488 by @thehydrogen)
-
Add Elasticsearch index size, ffmpeg and ImageMagick versions to the admin dashboard (#27301, #30710, #31130, and #30845 by @vmstan)
-
Add
MASTODON_SIDEKIQ_READY_FILENAME
environment variable to use a file for Sidekiq to signal it is ready to process jobs (#30971 and #30988 by @renchap)
In the official Docker image, this is set tosidekiq_process_has_started_and_will_begin_processing_jobs
so that Sidekiq will touchtmp/sidekiq_process_has_started_and_will_begin_processing_jobs
to signal readiness. -
Add
S3_RETRY_LIMIT
environment variable to make S3 retries configurable (#23215 by @smiba) -
Add
S3_KEY_PREFIX
environment variable (#30181 by @S0yKaf) -
Add support for multiple
redirect_uris
when creating OAuth 2.0 Applications (#29192 by @ThisIsMissEm) -
Add Interlingue and Interlingua to interface languages (#28630 and #30828 by @Dhghomon and @renchap)
-
Add Kashubian, Pennsylvania Dutch, Vai, Jawi Malay, Mohawk and Low German to posting languages (#26024, #26634, #27136, #29098, #27115, and #27434 by @EngineerDali, @HelgeKrueger, and @gunchleoc)
-
Add option to use native Ruby driver for Redis through
REDIS_DRIVER=ruby
(#30717 by @vmstan) -
Add support for libvips in addition to ImageMagick (#30090, #30590, #30597, #30632, #30857, #30869, #30858 and #32104 by @ClearlyClaire, @Gargron, and @mjankowski)
Server admins can now use libvips as a faster and lighter alternative to ImageMagick for processing user-uploaded images.
This requires libvips 8.13 or newer, and needs to be enabled withMASTODON_USE_LIBVIPS=true
.
This is enabled by default in the official Docker images, and is intended to completely replace ImageMagick in the future. -
Add validations to
Web::PushSubscription
(#30540 and #30542 by @ThisIsMissEm) -
Add anchors to each authorized application in
/oauth/authorized_applications
(#31677 by @fowl2) -
Add active animation to header settings button (#30221, #30307, and #30388 by @daudix)
-
Add OpenTelemetry instrumentation (#30130, #30322, #30353, #30350 and #31998 by @julianocosta89, @renchap, @robbkidd and @timetinytim)
See https://docs.joinmastodon.org/admin/config/#otel for documentation -
Add API to get multiple accounts and statuses (#27871 and #30465 by @ClearlyClaire)
This addsGET /api/v1/accounts
andGET /api/v1/statuses
to the REST API, see https://docs.joinmastodon.org/methods/accounts/#index and https://docs.joinmastodon.org/methods/statuses/#index -
Add support for CORS to
POST /oauth/revoke
(#31743 by @ClearlyClaire) -
Add redirection back to previous page after site upload deletion (#30141 by @FawazFarid)
-
Add RFC8414 OAuth 2.0 server metadata (#29191 by @ThisIsMissEm)
-
Add loading indicator and empty result message to advanced interface search (#30085 by @ClearlyClaire)
-
Add
profile
OAuth 2.0 scope, allowing more limited access to user data (#29087 and #30357 by @ThisIsMissEm) -
Add the role ID to the badge component (#29707 by @renchap)
-
Add diagnostic message for failure during CLI search deploy (#29462 by @mjankowski)
-
Add pagination
Link
headers on API accounts/statuses when pinned true (#29442 by @mjankowski) -
Add support for specifying custom CA cert for Elasticsearch through
ES_CA_FILE
(#29122 and #29147 by @ClearlyClaire) -
Add groundwork for annual reports for accounts (#28693 by @Gargron)
This lays the groundwork for a “year-in-review”/“wrapped” style report for local users, but is currently not in use. -
Add notification email on invalid second authenticator (#28822 by @ClearlyClaire)
-
Add date of account deletion in list of accounts in the admin interface (#25640 by @tribela)
-
Add new emojis from
jdecked/twemoji
15.0 (#28404 by @TheEssem) -
Add configurable error handling in attachment batch deletion (#28184 by @vmstan)
This makes the S3 batch size configurable through theS3_BATCH_DELETE_LIMIT
environment variable (defaults to 1000), and adds some retry logic, configurable through theS3_BATCH_DELETE_RETRY
environment variable (defaults to 3). -
Add VAPID public key to instance serializer (#28006 by @ThisIsMissEm)
-
Add support for serving JRD
/.well-known/host-meta.json
in addition to XRD host-meta (#32206 by @c960657) -
Add
nodeName
andnodeDescription
to nodeinfometadata
(#28079 by @6543) -
Add Thai diacritics and tone marks in
HASHTAG_INVALID_CHARS_RE
(#26576 by @ppnplus) -
Add variable delay before link verification of remote account links (#27774 by @ClearlyClaire)
-
Add support for invite codes in the registration API (#27805 by @ClearlyClaire)
-
Add HTML lang attribute to preview card descriptions (#27503 by @srapilly)
-
Add display of relevant account warnings to report action logs (#27425 by @ClearlyClaire)
-
Add validation of allowed schemes on preview card URLs (#27485 by @mjankowski)
-
Add token introspection without read scope to
/api/v1/apps/verify_credentials
(#27142 by @ThisIsMissEm) -
Add support for cross-origin request to
/nodeinfo/2.0
(#27413 by @palant) -
Add variable delay before link verification of remote account links (#27351 by @ClearlyClaire)
-
Add PWA shortcut to
/explore
page (#27235 by @jake-anto)
Changed
- Change icons throughout the web interface (#27385, #27539, #27555, #27579, #27700, #27817, #28519, #28709, #28064, #28775, #28780, #27924, #29294, #29395, #29537, #29569, #29610, #29612, #29649, #29844, #27780, #30974, #30963, #30962, #30961, #31362, #31363, #31359, #31371, #31360, #31512, #31511, #31525, #32153, and #32201 by @ClearlyClaire, @Gargron, @arbolitoloco1, @mjankowski, @nclm, @renchap, @ronilaukkarinen, and @zunda)
This changes all the interface icons from FontAwesome to Material Symbols for a more modern look, consistent with the official Mastodon Android app.
In addition, better care is given to pixel alignment, and icon variants are used to better highlight active/inactive state. - Change design of compose form in web UI (#28119, #29059, #29248, #29372, #29384, #29417, #29456, #29406, #29651, #29659, #31889 and #32033 by @ClearlyClaire, @Gargron, @eai04191, @hinaloe, and @ronilaukkarinen)
The compose form has been completely redesigned for a more modern and consistent look, as well as spelling out the chosen privacy setting and language name at all times.
As part of this, the “Unlisted” privacy setting has been renamed to “Quiet public”. - Change design of modals in the web UI (#29576, #29614, #29640, #29644, #30131, #30884, #31399, #31555, #31752, #31801, #31883, #31844, #31864, and #31943 by @ClearlyClaire, @Gargron, @tribela and @vmstan)
The mute, block, and domain block confirmation modals have been completely redesigned to be clearer and include more detailed information on the action to be performed.
They also have a more modern and consistent design, along with other confirmation modals in the application. - Change colors throughout the web UI (#29522, #29584, #29653, #29779, #29803, #29809, #29808, #29828, #31034, #31168, #31266, #31348, #31349, #31361, #31510 and #32128 by @ClearlyClaire, @Gargron, @mjankowski, @renchap, and @vmstan)
- Change onboarding prompt to follow suggestions carousel in web UI (#28878, #29272, and #31912 by @Gargron)
- Change email templates (#28416, #28755, #28814, #29064, #28883, #29470, #29607, #29761, #29760, #29879, #32073 and #32132 by @c960657, @ClearlyClaire, @Gargron, @hteumeuleu, and @mjankowski)
All emails to end-users have been completely redesigned with a fresh new look, providing more information while making them easier to read and keeping maximum compatibility across mail clients. - Change follow recommendations algorithm (#28314, #28433, #29017, #29108, #29306, #29550, #29619, and #31474 by @ClearlyClaire, @Gargron, @kernal053, @mjankowski, and @wheatear-dev)
This replaces the “past interactions” recommendation algorithm with a “friends of friends” algorithm that suggests accounts followed by people you follow, and a “similar profiles” algorithm that suggests accounts with a profile similar to your most recent follows.
In addition, the implementation has been significantly reworked, and all follow recommendations are now dismissable.
This change deprecates thesource
attribute inSuggestion
entities in the REST API, and replaces it with the newsources
attribute. - Change account search algorithm (#30803 by @Gargron)
- Change streaming server to use its own dependencies and its own docker image (#24702, #27967, #26850, #28112, #28115, #28137, #28138, #28497, #28548, #30795, #31612, and #31615 by @TheEssem, @ThisIsMissEm, @jippi, @renchap, @timetinytim, and @vmstan)
In order to reduce the amount of runtime dependencies, the streaming server has been moved into a separate package and Docker image.
Themastodon
image does not contain the streaming server anymore, as it has been moved to its ownmastodon-streaming
image.
Administrators may need to update their setup accordingly. - Change how content warnings and filters are displayed in web UI (#31365, and #31761 by @Gargron)
- Change preview card processing to ignore
undefined
as canonical url (#31882 by @oneiros) - Change embedded posts to use web UI (#31766, #32135 and #32271 by @Gargron)
- Change inner borders in media galleries in web UI (#31852 by @Gargron)
- Change design of media attachments and profile media tab in web UI (#31807, #32048, #31967, #32217, #32224 and #32257 by @ClearlyClaire and @Gargron)
- Change labels on thread indicators in web UI (#31806 by @Gargron)
- Change label of "Data export" menu item in settings interface (#32099 by @c960657)
- Change responsive break points on navigation panel in web UI (#32034 by @Gargron)
- Change cursor to
not-allowed
on disabled buttons (#32076 by @mjankowski) - Change OAuth authorization prompt to not refer to apps as “third-party” (#32005 by @Gargron)
- Change Mastodon to issue correct HTTP signatures by default (#31994 by @ClearlyClaire)
- Change zoom icon in web UI (#29683 by @Gargron)
- Change directory page to use URL query strings for options (#31980, #31977 and #31984 by @ClearlyClaire and @renchap)
- Change report action buttons to be disabled when action has already been taken (#31773, #31822, and #31899 by @ClearlyClaire and @ThisIsMissEm)
- Change width of columns in advanced web UI (#31762 by @Gargron)
- Change design of unread conversations in web UI (#31763 by @Gargron)
- Change Web UI to allow viewing and severing relationships with suspended accounts (#27667 by @ClearlyClaire)
This also adds awith_suspended
parameter toGET /api/v1/accounts/relationships
in the REST API. - Change preview card image size limit from 2MB to 8MB when using libvips (#31904 by @ClearlyClaire)
- Change avatars border radius (#31390 by @renchap)
- Change counters to be displayed on profile timelines in web UI (#30525 by @Gargron)
- Change disabled buttons color in light mode to make the difference more visible (#30998 by @renchap)
- Change design of people tab on explore in web UI (#30059 by @Gargron)
- Change sidebar text in web UI (#30696 by @Gargron)
- Change "Follow" to "Follow back" and "Mutual" when appropriate in web UI (#28452, #28465, and #31934 by @ClearlyClaire, @Gargron and @renchap)
- Change media to be hidden/blurred by default in report modal (#28522 by @ClearlyClaire)
- Change order of the "muting" and "blocking" list options in “Data Exports” (#26088 by @fixermark)
- Change admin and moderation notes character limit from 500 to 2000 characters (#30288 by @ThisIsMissEm)
- Change mute options to be in dropdown on muted users list in web UI (#30049 and #31315 by @ClearlyClaire and @Gargron)
- Change out-of-band hashtags design in web UI (#29732 by @Gargron)
- Change design of metadata underneath detailed posts in web UI (#29585, #29605, and #29648 by @ClearlyClaire and @Gargron)
- Change action button to be last on profiles in web UI (#29533 and #29923 by @ClearlyClaire and @Gargron)
- Change confirmation prompts in trending moderation interface to be more specific (#19626 by @tribela)
- Change “Trends” moderation menu to “Recommendations & Trends” and move follow recommendations there (#31292 by @ThisIsMissEm)
- Change irrelevant fields in account cleanup settings to be disabled unless automatic cleanup is enabled (#26562 by @c960657)
- Change dropdown menu icon to not be replaced by close icon when open in web UI (#29532 by @Gargron)
- Change back button to always appear in advanced web UI (#29551 and #29669 by @Gargron)
- Change border of active compose field search inputs (#29832 and #29839 by @vmstan)
- Change instances of Nokogiri HTML4 parsing to HTML5 (#31812, #31815, #31813, and #31814 by @flavorjones)
- Change link detection to allow
@
at the end of an URL (#31124 by @adamniedzielski) - Change User-Agent to use Mastodon as the product, and http.rb as platform details (#31192 by @ClearlyClaire)
- Change layout and wording of the Content Retention server settings page (#27733 by @vmstan)
- Change unconfirmed users to be kept for one week instead of two days (#30285 by @renchap)
- Change maximum page size for Admin Domain Management APIs from 200 to 500 (#31253 by @ThisIsMissEm)
- Change database pool size to default to Sidekiq concurrency settings in Sidekiq processes (#26488 by @sinoru)
- Change alt text to empty string for avatars (#21875 by @jasminjohal)
- Change Docker images to use custom-built libvips and ffmpeg (#30571, #30569, and #31498 by @vmstan)
- Change external links in the admin audit log to plain text or local administration pages (#27139 and #27150 by @ClearlyClaire and @ThisIsMissEm)
- Change YJIT to be enabled when available (#30310 and #27283 by @ClearlyClaire and @mjankowski)
Enable Ruby's built-in just-in-time compiler. This improves performances substantially, at the cost of a slightly increased memory usage. - Change
.env
file loading from deprecateddotenv-rails
gem todotenv
gem (#29173 and #30121 by @mjankowski)
This should have no effect except in the unlikely case an environment variable included a newline. - Change “Panjabi” language name to the more common spelling “Punjabi” (#27117 by @gunchleoc)
- Change encryption of OTP secrets to use ActiveRecord Encryption (#29831, #28325, #30151, #30202, #30340, and #30344 by @ClearlyClaire and @mjankowski)
This requires a manual step from administrators of existing servers. Indeed, they need to generate new secrets, which can be done usingbundle exec rails db:encryption:init
.
Furthermore, there is a risk that the introduced migration fails if the server was misconfigured in the past. If that happens, the migration error will include the relevant information. - Change
/api/v1/announcements
to return regularStatus
entities (#26736 by @ClearlyClaire) - Change imports to convert case-insensitive fields to lowercase (#29739 and #29740 by @ThisIsMissEm)
- Change stats in the admin interface to be inclusive of the full selected range, from beginning of day to end of day (#29416 and #29841 by @mjankowski)
- Change materialized views to be refreshed concurrently to avoid locks (#29015 by @Gargron)
- Change compose form to use server-provided post character and poll options limits (#28928 and #29490 by @ClearlyClaire and @renchap)
- Change streaming server logging from
npmlog
topino
andpino-http
(#27828 by @ThisIsMissEm)
This changes the Mastodon streaming server log format, so this might be considered a breaking change if you were parsing the logs. - Change media “ALT” label to use a specific CSS class (#28777 by @ClearlyClaire)
- Change streaming API host to not be overridden to localhost in development mode (#28557 by @ClearlyClaire)
- Change cookie rotator to use SHA1 digest for new cookies (#27392 by @ClearlyClaire)
Note that this requires that no pre-4.2.0 Mastodon web server is running when this code is deployed, as those would not understand the new cookies.
Therefore, zero-downtime updates are only supported if you're coming from 4.2.0 or newer. If you want to skip Mastodon 4.2, you will need to completely stop Mastodon services before updating. - Change preview card deletes to be done using batch method (#28183 by @vmstan)
- Change
img-src
andmedia-src
CSP directives to not includehttps:
(#28025 and #28561 by @ClearlyClaire) - Change self-destruct procedure (#26439, #29049, and #29420 by @ClearlyClaire and @zunda)
Instead of enqueuing deletion jobs immediately,tootctl self-destruct
now outputs a value for theSELF_DESTRUCT
environment variable, which puts a server in self-destruct mode, processing deletions in the background, while giving users access to their export archives.
Removed
- Remove unused E2EE messaging code and related
crypto
OAuth scope (#31193, #31945, #31963, and #31964 by @ClearlyClaire and @mjankowski) - Remove StatsD integration (replaced by OpenTelemetry) (#30240 by @mjankowski)
- Remove
CacheBuster
default options (#30718 by @mjankowski) - Remove home marker updates from the Web UI (#22721 by @davbeck)
The web interface was unconditionally updating the home marker to the most recent received post, discarding any value set by other clients, thus making the feature unreliable. - Remove support for Ruby 3.0 (reaching EOL) (#29702 by @mjankowski)
- Remove setting for unfollow confirmation modal (#29373 by @ClearlyClaire)
Instead, the unfollow confirmation modal will always be displayed. - Remove support for Capistrano (#27295 and #30009 by @mjankowski and @renchap)
Fixed
- Fix link preview cards not always preserving the original URL from the status (#27312 by @Gargron)
- Fix log out from user menu not working on Safari (#31402 by @renchap)
- Fix various issues when in link preview card generation (#28748, #30017, #30362, #30173, #30853, #30929, #30933, #30957, #30987, and #31144 by @adamniedzielski, @oneiros, @phocks, @timothyjrogers, and @tribela)
- Fix handling of missing links in Webfinger responses (#31030 by @adamniedzielski)
- Fix error when accepting an appeal for sensitive posts deleted in the meantime (#32037 by @ClearlyClaire)
- Fix error when encountering reblog of deleted post in feed rebuild (#32001 by @ClearlyClaire)
- Fix Safari browser glitch related to horizontal scrolling (#31960 by @Gargron)
- Fix unresolvable mentions sometimes preventing processing incoming posts (#29215 by @tribela and @ClearlyClaire)
- Fix too many requests caused by relationship look-ups in web UI (#32042 by @Gargron)
- Fix links for reblogs in moderation interface (#31979 by @ClearlyClaire)
- Fix the appearance of avatars when they do not load (#31966 and #32270 by @Gargron and @renchap)
- Fix spurious error notifications for aborted requests in web UI (#31952 by @c960657)
- Fix HTTP 500 error in
/api/v1/polls/:id/votes
when requiredchoices
parameter is missing (#25598 by @danielmbrasil) - Fix security context sometimes not being added in LD-Signed activities (#31871 by @ClearlyClaire)
- Fix cross-origin loading of
inert.css
polyfill (#30687 by @louis77) - Fix wrapping in dashboard quick access buttons (#32043 by @renchap)
- Fix recently used tags hint being displayed in profile edition page when there is none (#32120 by @mjankowski)
- Fix checkbox lists on narrow screens in the settings interface (#32112 by @mjankowski)
- Fix the position of status action buttons being affected by interaction counters (#32084 by @renchap)
- Fix the summary of converted ActivityPub object types to be treated as HTML (#28629 by @Menrath)
- Fix cutoff of instance name in sign-up form (#30598 by @oneiros)
- Fix invalid date searches returning 503 errors (#31526 by @notchairmk)
- Fix invalid
visibility
values inPOST /api/v1/statuses
returning 500 errors (#31571 by @c960657) - Fix some components re-rendering spuriously in web UI (#31879 and #31881 by @ClearlyClaire and @Gargron)
- Fix sort order of moderation notes on Reports and Accounts (#31528 by @ThisIsMissEm)
- Fix email language when recipient has no selected locale (#31747 by @ClearlyClaire)
- Fix frequently-used languages not correctly updating in the web UI (#31386 by @c960657)
- Fix
POST /api/v1/statuses
silently ignoring invalidmedia_ids
parameter (#31681 by @c960657) - Fix handling of the
BIND
environment variable in the streaming server (#31624 by @ThisIsMissEm) - Fix empty
aria-hidden
attribute value in logo resources area (#30570 by @mjankowski) - Fix “Redirect URI” field not being marked as required in “New application” form (#30311 by @ThisIsMissEm)
- Fix right-to-left text in preview cards (#30930 by @ClearlyClaire)
- Fix rack attack
match_type
value typo in logging config (#30514 by @mjankowski) - Fix various cases of duplicate, missing, or inconsistent borders or scrollbar styles (#31068, #31286, #31268, #31275, #31284, #31305, #31346, #31372, #31373, #31389, #31432, #31391, #31445, #32091, #32147 and #32137 by @ClearlyClaire, @mjankowski, @valtlai and @vmstan)
- Fix editing description of media uploads with custom thumbnails (#32221 by @ClearlyClaire)
- Fix race condition in
POST /api/v1/push/subscription
(#30166 by @ClearlyClaire) - Fix post deletion not being delayed when those are part of an account warning (#30163 by @ClearlyClaire)
- Fix rendering error on
/start
when not logged in (#30023 by @timothyjrogers) - Fix unneeded requests to blocked domains when receiving relayed signed activities from them (#31161 by @ClearlyClaire)
- Fix logo pushing header buttons out of view on certain conditions in mobile layout (#29787 by @ClearlyClaire)
- Fix notification-related records not being reattributed when merging accounts (#29694 by @ClearlyClaire)
- Fix results/query in
api/v1/featured_tags/suggestions
(#29597 by @mjankowski) - Fix distracting and confusing always-showing scrollbar track in boost confirmation modal (#31524 by @ClearlyClaire)
- Fix being able to upload more than 4 media attachments in some cases (#29183 by @mashirozx)
- Fix preview card player getting embedded when clicking on the external link button (#29457 by @ClearlyClaire)
- Fix full date display not respecting the locale 12/24h format (#29448 by @renchap)
- Fix filters title and keywords overflow (#29396 by @GeopJr)
- Fix incorrect date format in “Follows and followers” (#29390 by @JasonPunyon)
- Fix navigation item active highlight for some paths (#32159 by @mjankowski)
- Fix “Edit media” modal sizing and layout when space-constrained (#27095 by @ronilaukkarinen)
- Fix modal container bounds (#29185 by @nico3333fr)
- Fix inefficient HTTP signature parsing using regexps and
StringScanner
(#29133 by @ClearlyClaire) - Fix moderation report updates through
PUT /api/v1/admin/reports/:id
not being logged in the audit log (#29044, #30342, and #31033 by @mjankowski, @tribela, and @vmstan) - Fix moderation interface allowing to select rule violation when there are no server rules (#31458 by @ThisIsMissEm)
- Fix redirection from paths with url-encoded
@
to their decoded form (#31184 by @timothyjrogers) - Fix Trending Tags pending review having an unstable sort order (#31473 by @ThisIsMissEm)
- Fix the emoji dropdown button always opening the dropdown instead of behaving like a toggle (#29012 by @jh97uk)
- Fix processing of incoming posts with bearcaps (#26527 by @kmycode)
- Fix support for IPv6 redis connections in streaming (#31229 by @ThisIsMissEm)
- Fix search form re-rendering spuriously in web UI (#28876 by @Gargron)
- Fix
RedownloadMediaWorker
not being called on transient S3 failure (#28714 by @ClearlyClaire) - Fix ISO code for Canadian French from incorrect
fr-QC
tofr-CA
(#26015 by @gunchleoc) - Fix
.opus
file uploads being misidentified by Paperclip (#28580 by @vmstan) - Fix loading local accounts with extraneous domain part in WebUI (#28559 by @ClearlyClaire)
- Fix destructive actions in dropdowns not using error color in light theme (#28484 by @logicalmoody)
- Fix call to inefficient
delete_matched
cache method in domain blocks (#28374 by @ClearlyClaire) - Fix status edits not always being streamed to mentioned users (#28324 by @ClearlyClaire)
- Fix onboarding step descriptions being truncated on narrow screens (#28021 by @ClearlyClaire)
- Fix duplicate IDs in relationships and familiar_followers APIs (#27982 by @KevinBongart)
- Fix modal content not being selectable (#27813 by @pajowu)
- Fix Web UI not displaying appropriate explanation when a user hides their follows/followers (#27791 by @ClearlyClaire)
- Fix format-dependent redirects being cached regardless of requested format (#27632 by @ClearlyClaire)
- Fix confusing screen when visiting a confirmation link for an already-confirmed email (#27368 by @ClearlyClaire)
- Fix explore page reloading when you navigate back to it in web UI (#27489 by @Gargron)
- Fix missing redirection from
/home
to/deck/home
in the advanced interface (#27378 by @Signez) - Fix empty environment variables not using default nil value (#27400 by @renchap)
- Fix language sorting in settings (#27158 by @gunchleoc)
|4.2.11] - 2024-08-16
Added
- Add support for incoming
<s>
tag (mediaformat)
Changed
- Change logic of block/mute bypass for mentions from moderators to only apply to visible roles with moderation powers (ClearlyClaire)
Fixed
- Fix incorrect rate limit on PUT requests (ClearlyClaire)
- Fix presence of
ß
in adjacent word preventing mention and hashtag matching (adamniedzielski) - Fix processing of webfinger responses with multiple
self
links (adamniedzielski) - Fix duplicate
orderedItems
in user archive'soutbox.json
(ClearlyClaire) - Fix click event handling when clicking outside of an open dropdown menu (ClearlyClaire)
- Fix status processing failing halfway when a remote post has a malformed
replies
attribute (ClearlyClaire) - Fix
--verbose
option oftootctl media remove
, which was previously erroneously removed (mjankowski) - Fix division by zero on some video/GIF files (ClearlyClaire)
- Fix Web UI trying to save user settings despite being logged out (ClearlyClaire)
- Fix hashtag regexp matching some link anchors (ClearlyClaire)
- Fix local account search on LDAP login being case-sensitive (raucao)
- Fix development environment admin account not being auto-approved (ClearlyClaire)
- Fix report reason selector in moderation interface not unselecting rules when changing category (ClearlyClaire)
- Fix already-invalid reports failing to resolve (ClearlyClaire)
- Fix OCR when using S3/CDN for assets (vmstan)
- Fix error when encountering malformed
Tag
objects from Kbin (ShadowJonathan) - Fix not all allowed image formats showing in file picker when uploading custom emoji (june128)
- Fix search popout listing unusable search options when logged out (ClearlyClaire)
- Fix processing of featured collections lacking an
items
attribute (tribela) - Fix
mastodon:stats
decoration of stats rake task (mjankowski)
[4.2.10] - 2024-07-04
Security
- Fix incorrect permission checking on multiple API endpoints (GHSA-58x8-3qxw-6hm7)
- Fix incorrect authorship checking when processing some activities (CVE-2024-37903, GHSA-xjvf-fm67-4qc3)
- Fix ongoing streaming sessions not being invalidated when application tokens get revoked (GHSA-vp5r-5pgw-jwqx)
- Update dependencies
Added
- Add yarn version specification to avoid confusion with Yarn 3 and Yarn 4
Changed
- Change preview cards generation to skip unusually long URLs (oneiros)
- Change search modifiers to be case-insensitive (Gargron)
- Change
STATSD_ADDR
handling to emit a warning rather than crashing if the address is unreachable (timothyjrogers) - Change PWA start URL from
/home
to/
(ClearlyClaire)
Removed
- Removed dependency on
posix-spawn
(ClearlyClaire)
Fixed
- Fix scheduled statuses scheduled in less than 5 minutes being immediately published (danielmbrasil)
- Fix encoding detection for link cards (oneiros)
- Fix
/admin/accounts/:account_id/statuses/:id
for edited posts with media attachments (ClearlyClaire) - Fix duplicate
@context
attribute in user archive export (ClearlyClaire)
[4.2.9] - 2024-05-30
Security
- Update dependencies
- Fix private mention filtering (GHSA-5fq7-3p3j-9vrf)
- Fix password change endpoint not being rate-limited (GHSA-q3rg-xx5v-4mxh)
- Add hardening around rate-limit bypass (GHSA-c2r5-cfqr-c553)
Added
- Add rate-limit on OAuth application registration (ThisIsMissEm)
- Add fallback redirection when getting a webfinger query
WEB_DOMAIN@WEB_DOMAIN
(ClearlyClaire) - Add
digest
attribute toAdmin::DomainBlock
entity in REST API (ThisIsMissEm)
Removed
- Remove superfluous application-level caching in some controllers (ClearlyClaire)
- Remove aggressive OAuth application vacuuming (ThisIsMissEm)
Fixed
- Fix leaking Elasticsearch connections in Sidekiq processes (ClearlyClaire)
- Fix language of remote posts not being recognized when using unusual casing (ClearlyClaire)
- Fix off-by-one in
tootctl media
commands (ClearlyClaire) - Fix removal of allowed domains (in
LIMITED_FEDERATION_MODE
) not being recorded in the audit log (ThisIsMissEm) - Fix not being able to block a subdomain of an already-blocked domain through the API (ClearlyClaire)
- Fix
Idempotency-Key
being ignored when scheduling a post (ClearlyClaire) - Fix crash when supplying the
FFMPEG_BINARY
environment variable (timothyjrogers) - Fix improper email address validation (ClearlyClaire)
- Fix results/query in
api/v1/featured_tags/suggestions
(mjankowski) - Fix unblocking internationalized domain names under certain conditions (tribela)
- Fix admin account created by
mastodon:setup
not being auto-approved (ClearlyClaire) - Fix reference to non-existent var in CLI maintenance command (mjankowski)
[4.2.8] - 2024-02-23
Added
- Add hourly task to automatically require approval for new registrations in the absence of moderators (ClearlyClaire, ClearlyClaire)
In order to prevent future abandoned Mastodon servers from being used for spam, harassment and other malicious activity, Mastodon will now automatically switch new user registrations to require moderator approval whenever they are left open and no activity (including non-moderation actions from apps) from any logged-in user with permission to access moderation reports has been detected in a full week.
When this happens, users with the permission to change server settings will receive an email notification.
This feature is disabled when
EMAIL_DOMAIN_ALLOWLIST
is used, and can also be disabled withDISABLE_AUTOMATIC_SWITCHING_TO_APPROVED_REGISTRATIONS=true
.
Changed
- Change registrations to be closed by default on new installations (ClearlyClaire)
If you are running a server and never changed your registrations mode from the default, updating will automatically close your registrations.
Simply re-enable them through the administration interface or using
tootctl settings registrations open
if you want to enable them again.
Fixed
- Fix processing of remote ActivityPub actors making use of
Link
objects asImage
url
(ClearlyClaire) - Fix link verifications when page size exceeds 1MB (ClearlyClaire)
[4.2.7] - 2024-02-16
Fixed
- Fix OmniAuth tests and edge cases in error handling (ClearlyClaire, ClearlyClaire)
- Fix new installs by upgrading to the latest release of the
nsa
gem, instead of a no longer existing commit (mjankowski)
Security
- Fix insufficient checking of remote posts (GHSA-jhrq-qvrm-qr36)
[4.2.6] - 2024-02-14
Security
- Update the
sidekiq-unique-jobs
dependency (see GHSA-cmh9-rx85-xj38) In addition, we have disabled the web interface forsidekiq-unique-jobs
out of caution. If you need it, you can re-enable it by settingENABLE_SIDEKIQ_UNIQUE_JOBS_UI=true
. If you only need to clear all locks, you can now usebundle exec rake sidekiq_unique_jobs:delete_all_locks
. - Update the
nokogiri
dependency (see GHSA-xc9x-jj77-9p9j) - Disable administrative Doorkeeper routes (ThisIsMissEm)
- Fix ongoing streaming sessions not being invalidated when applications get deleted in some cases (GHSA-7w3c-p9j8-mq3x) In some rare cases, the streaming server was not notified of access tokens revocation on application deletion.
- Change external authentication behavior to never reattach a new identity to an existing user by default (GHSA-vm39-j3vx-pch3)
Up until now, Mastodon has allowed new identities from external authentication providers to attach to an existing local user based on their verified e-mail address.
This allowed upgrading users from a database-stored password to an external authentication provider, or move from one authentication provider to another.
However, this behavior may be unexpected, and means that when multiple authentication providers are configured, the overall security would be that of the least secure authentication provider.
For these reasons, this behavior is now locked under the
ALLOW_UNSAFE_AUTH_PROVIDER_REATTACH
environment variable. In addition, regardless of this environment variable, Mastodon will refuse to attach two identities from the same authentication provider to the same account.
[4.2.5] - 2024-02-01
Security
- Fix insufficient origin validation (CVE-2024-23832, GHSA-3fjr-858r-92rw)
[4.2.4] - 2024-01-24
Fixed
- Fix error when processing remote files with unusually long names (ClearlyClaire)
- Fix processing of compacted single-item JSON-LD collections (ClearlyClaire)
- Retry 401 errors on replies fetching (ShadowJonathan)
- Fix
RecordNotUnique
errors in LinkCrawlWorker (tribela) - Fix Mastodon not correctly processing HTTP Signatures with query strings (ClearlyClaire, ClearlyClaire)
- Fix potential redirection loop of streaming endpoint (ClearlyClaire)
- Fix streaming API redirection ignoring the port of
streaming_api_base_url
(ClearlyClaire) - Fix error when processing link preview with an array as
inLanguage
(ClearlyClaire) - Fix unsupported time zone or locale preventing sign-up (Gargron)
- Fix "Hide these posts from home" list setting not refreshing when switching lists (brianholley)
- Fix missing background behind dismissable banner in web UI (Gargron)
- Fix line wrapping of language selection button with long locale codes (gunchleoc, ClearlyClaire)
- Fix
Undo Announce
activity not being sent to non-follower authors (MitarashiDango) - Fix N+1s because of association preloaders not actually getting called (ClearlyClaire)
- Fix empty column explainer getting cropped under certain conditions (ClearlyClaire)
- Fix
LinkCrawlWorker
error when encountering empty OEmbed response (ClearlyClaire) - Fix call to inefficient
delete_matched
cache method in domain blocks (ClearlyClaire)
Security
- Add rate-limit of TOTP authentication attempts at controller level (ClearlyClaire)
[4.2.3] - 2023-12-05
Fixed
- Fix dependency on
json-canonicalization
version that has been made unavailable since last release
[4.2.2] - 2023-12-04
Changed
- Change dismissed banners to be stored server-side (ClearlyClaire)
- Change GIF max matrix size error to explicitly mention GIF files (ClearlyClaire)
- Change
Follow
activities delivery to bypass availability check (ShadowJonathan) - Change single-column navigation notice to be displayed outside of the logo container (renchap, renchap)
- Change Content-Security-Policy to be tighter on media paths (ClearlyClaire)
- Change post language code to include country code when relevant (gunchleoc, ClearlyClaire)
Fixed
- Fix upper border radius of onboarding columns (ClearlyClaire)
- Fix incoming status creation date not being restricted to standard ISO8601 (ClearlyClaire, ClearlyClaire)
- Fix some posts from threads received out-of-order sometimes not being inserted into timelines (ClearlyClaire)
- Fix posts from force-sensitized accounts being able to trend (ClearlyClaire)
- Fix error when trying to delete already-deleted file with OpenStack Swift (ClearlyClaire)
- Fix batch attachment deletion when using OpenStack Swift (ClearlyClaire)
- Fix processing LDSigned activities from actors with unknown public keys (ClearlyClaire)
- Fix error and incorrect URLs in
/api/v1/accounts/:id/featured_tags
for remote accounts (ClearlyClaire) - Fix report processing notice not mentioning the report number when performing a custom action (ClearlyClaire)
- Fix handling of
inLanguage
attribute in preview card processing (ClearlyClaire) - Fix own posts being removed from home timeline when unfollowing a used hashtag (kmycode)
- Fix some link anchors being recognized as hashtags (ClearlyClaire, ClearlyClaire)
- Fix format-dependent redirects being cached regardless of requested format (ClearlyClaire)
[4.2.1] - 2023-10-10
Added
- Add redirection on
/deck
URLs for logged-out users (ClearlyClaire) - Add support for v4.2.0 migrations to
tootctl maintenance fix-duplicates
(ClearlyClaire)
Changed
- Change some worker lock TTLs to be shorter-lived (ClearlyClaire)
- Change user archive export allowed period from 7 days to 6 days (suddjian)
Fixed
- Fix duplicate reports being sent when reporting some remote posts (ClearlyClaire)
- Fix clicking on already-opened thread post scrolling to the top of the thread (ClearlyClaire, ClearlyClaire, ClearlyClaire)
- Fix some remote posts getting truncated (ClearlyClaire)
- Fix some cases of infinite scroll code trying to fetch inaccessible posts in a loop (ClearlyClaire)
- Fix
Vary
headers not being set on some redirects (ClearlyClaire) - Fix mentions being matched in some URL query strings (mjankowski)
- Fix unexpected linebreak in version string in the Web UI (vmstan)
- Fix double scroll bars in some columns in advanced interface (ClearlyClaire)
- Fix boosts of local users being filtered in account timelines (ClearlyClaire)
- Fix multiple instances of the trend refresh scheduler sometimes running at once (ClearlyClaire)
- Fix importer returning negative row estimates (jgillich)
- Fix incorrectly keeping outdated update notices absent from the API endpoint (ClearlyClaire)
- Fix import progress not updating on certain failures (ClearlyClaire)
- Fix websocket connections being incorrectly decremented twice on errors (ThisIsMissEm)
- Fix explore prompt appearing because of posts being received out of order (ClearlyClaire)
- Fix explore prompt sometimes showing up when the home TL is loading (ClearlyClaire)
- Fix link handling of mentions in user profiles when logged out (ClearlyClaire)
- Fix filtering audit log for entries about disabling 2FA (ClearlyClaire)
- Fix notification toasts not respecting reduce-motion (c960657)
- Fix retention dashboard not displaying correct month (vmstan)
- Fix tIME chunk not being properly removed from PNG uploads (TheEssem)
- Fix division by zero in video in bitrate computation code (ClearlyClaire)
- Fix inefficient queries in “Follows and followers” as well as several admin pages (ClearlyClaire, ClearlyClaire)
- Fix ActiveRecord using two connection pools when no replica is defined (ClearlyClaire)
- Fix the search documentation URL in system checks (renchap)
[4.2.0] - 2023-09-21
The following changelog entries focus on changes visible to users, administrators, client developers or federated software developers, but there has also been a lot of code modernization, refactoring, and tooling work, in particular by @danielmbrasil, @mjankowski, @nschonni, @renchap, and @takayamaki.
Added
- Add full-text search of opted-in public posts and rework search operators (Gargron, jsgoldstein, ClearlyClaire, ClearlyClaire, jsgoldstein, Gargron, Gargron, Gargron, Gargron, Gargron, Gargron, Gargron, ClearlyClaire, Gargron, Gargron, ClearlyClaire, ClearlyClaire, ClearlyClaire, Gargron, ClearlyClaire, Gargron, Gargron, Gargron, ClearlyClaire, Gargron, Gargron, Gargron, Gargron, Gargron, arbolitoloco1, tribela, ClearlyClaire, ClearlyClaire, ClearlyClaire)
This introduces a new
public_statuses
Elasticsearch index for public posts by users who have opted in to their posts being searchable (toot#indexable
flag). This also revisits the other indexes to provide more useful indexing, and adds new search operators such asfrom:me
,before:2022-11-01
,after:2022-11-01
,during:2022-11-01
,language:fr
,has:poll
, orin:library
(for searching only in posts you have written or interacted with). Results are now ordered chronologically. - Add admin notifications for new Mastodon versions (ClearlyClaire)
This is done by querying
https://api.joinmastodon.org/update-check
every 30 minutes in a background job. That URL can be changed using theUPDATE_CHECK_URL
environment variable, and the feature outright disabled by setting that variable to an empty string (UPDATE_CHECK_URL=
). - Add “Privacy and reach” tab in profile settings (Gargron, ClearlyClaire) This reorganized scattered privacy and reach settings to a single place, as well as improve their wording.
- Add display of out-of-band hashtags in the web interface (Gargron, arbolitoloco1, ClearlyClaire, ClearlyClaire, ClearlyClaire, Gargron, ClearlyClaire)
- Add role badges to the web interface (ClearlyClaire, Gargron)
- Add ability to pick domains to forward reports to using the
forward_to_domains
parameter inPOST /api/v1/reports
(ClearlyClaire, ClearlyClaire) Theforward_to_domains
REST API parameter is a list of strings. If it is empty or omitted, the previous behavior is maintained. Theforward
parameter still needs to be set forforward_to_domains
to be taken into account. The forwarded-to domains can only include that of the original author and people being replied to. - Add forwarding of reported replies to servers being replied to (Gargron, ClearlyClaire)
- Add
ONE_CLICK_SSO_LOGIN
environment variable to directly link to the Single-Sign On provider if there is only one sign up method available (CSDUMMI, ClearlyClaire, CSDUMMI, ClearlyClaire) - Add webhook templating (Gargron)
- Add webhooks for local
status.created
,status.updated
,account.updated
andreport.updated
(VyrCossont, VyrCossont, VyrCossont) - Add exclusive lists (dariusk, necropolina, ClearlyClaire)
- Add a confirmation screen when suspending a domain (ClearlyClaire, ClearlyClaire)
- Add support for importing lists (ClearlyClaire, mgmn, ClearlyClaire)
- Add optional hCaptcha support (ClearlyClaire, ClearlyClaire, Gargron, ClearlyClaire)
- Add lines to threads in web UI (Gargron, ClearlyClaire, ClearlyClaire, ClearlyClaire, ClearlyClaire, ClearlyClaire, ClearlyClaire, ClearlyClaire, teeerevor, renchap)
- Add new onboarding flow to web UI (Gargron, Gargron, Gargron, ClearlyClaire, ThisIsMissEm, Gargron, stevenjlm, ClearlyClaire, ClearlyClaire, Gargron, ClearlyClaire)
- Add auto-refresh of accounts we get new messages/edits of (ClearlyClaire)
- Add Elasticsearch cluster health check and indexes mismatch check to dashboard (ClearlyClaire, ClearlyClaire, ClearlyClaire)
- Add
hide_collections
,discoverable
andindexable
attributes to credentials API (ClearlyClaire) - Add
S3_ENABLE_CHECKSUM_MODE
environment variable to enable checksum verification on compatible S3-providers (ClearlyClaire) - Add admin API for managing tags (rrgeorge)
- Add a link to hashtag timelines from the Trending hashtags moderation interface (gunchleoc)
- Add timezone to datetimes in e-mails (ClearlyClaire)
- Add
authorized_fetch
server setting in addition to env var (ClearlyClaire, ClearlyClaire) - Add avatar image to webfinger responses (tvler)
- Add debug logging on signature verification failure (ClearlyClaire, ClearlyClaire)
- Add explicit error messages when DeepL quota is exceeded (lutoma)
- Add Elasticsearch/OpenSearch version to “Software” in admin dashboard (ClearlyClaire)
- Add
data-nosnippet
attribute to remote posts and local posts withnoindex
(ClearlyClaire) - Add support for federating
memorial
attribute (rrgeorge) - Add Cherokee and Kalmyk to languages dropdown (gunchleoc, gunchleoc)
- Add
DELETE /api/v1/profile/avatar
andDELETE /api/v1/profile/header
to the REST API (danielmbrasil, ClearlyClaire) - Add
ES_PRESET
option to customize numbers of shards and replicas (Gargron, ClearlyClaire) This can have a value ofsingle_node_cluster
(default),small_cluster
(uses one replica) orlarge_cluster
(uses one replica and a higher number of shards). - Add
CACHE_BUSTER_HTTP_METHOD
environment variable (renchap, ClearlyClaire) - Add support for
DB_PASS
when usingDATABASE_URL
(ThisIsMissEm) - Add
GET /api/v1/instance/languages
to REST API (danielmbrasil) - Add primary key to
preview_cards_statuses
join table (ClearlyClaire, ClearlyClaire, ClearlyClaire, ClearlyClaire, ClearlyClaire) - Add client-side timeout on resend confirmation button (Gargron)
- Add published date and author to news on the explore screen in web UI (Gargron)
- Add
lang
attribute to various UI components (c960657, c960657, c960657, c960657) - Add stricter protocol fields validation for accounts (ClearlyClaire)
- Add support for Azure blob storage (mistydemeo, mistydemeo)
- Add toast with option to open post after publishing in web UI (Gargron, Signez, Gargron)
- Add canonical link tags in web UI (Gargron)
- Add button to see results for polls in web UI (Gargron)
- Add at-symbol prepended to mention span title (forsamori)
- Add users index on
unconfirmed_email
(ClearlyClaire, ClearlyClaire) - Add superapp index on
oauth_applications
(ClearlyClaire) - Add index to backups on
user_id
column (mjankowski) - Add onboarding prompt when home feed too slow in web UI (Gargron, ClearlyClaire, Gargron, renchap, ClearlyClaire, ClearlyClaire, ClearlyClaire, Gargron, ClearlyClaire)
- Add
POST /api/v1/conversations/:id/unread
API endpoint to mark a conversation as unread (ClearlyClaire) - Add
translate="no"
to outgoing mentions and links (ClearlyClaire) - Add unsubscribe link and headers to e-mails (Gargron, c960657)
- Add logging of websocket send errors (ThisIsMissEm)
- Add time zone preference (Gargron, ClearlyClaire)
- Add
legal
as report category (Gargron, renchap, ClearlyClaire) - Add
data-nosnippet
so Google doesn't use trending posts in snippets for/
(ClearlyClaire) - Add card with who invited you to join when displaying rules on sign-up (ClearlyClaire)
- Add missing primary keys to
accounts_tags
andstatuses_tags
(ClearlyClaire) - Add support for custom sign-up URLs (ClearlyClaire, renchap, ClearlyClaire, mgmn)
This is set using
SSO_ACCOUNT_SIGN_UP
and reflected in the REST API by addingregistrations.sign_up_url
to the/api/v2/instance
endpoint. - Add polling and automatic redirection to
/start
on email confirmation (ClearlyClaire) - Add ability to block sign-ups from IP using the CLI (danielmbrasil)
- Add ALT badges to media that has alternative text in web UI (Gargron, c960657
- Add ability to include accounts with pending follow requests in lists (ClearlyClaire, ClearlyClaire)
- Add trend management to admin API (rrgeorge)
POST /api/v1/admin/trends/statuses/:id/approve
POST /api/v1/admin/trends/statuses/:id/reject
POST /api/v1/admin/trends/links/:id/approve
POST /api/v1/admin/trends/links/:id/reject
POST /api/v1/admin/trends/tags/:id/approve
POST /api/v1/admin/trends/tags/:id/reject
GET /api/v1/admin/trends/links/publishers
POST /api/v1/admin/trends/links/publishers/:id/approve
POST /api/v1/admin/trends/links/publishers/:id/reject
- Add user handle to notification mail recipient address (HeitorMC)
- Add progress indicator to sign-up flow (Gargron)
- Add client-side validation for taken username in sign-up form (Gargron)
- Add
--approve
option totootctl accounts create
(danielmbrasil) - Add “In Memoriam” banner back to profiles (ClearlyClaire, ClearlyClaire)
This adds the
memorial
attribute to theAccount
REST API entity. - Add colour to follow button when hashtag is being followed (c960657)
- Add further explanations to the profile link verification instructions (drzax)
- Add a link to Identity provider's account settings from the account settings (CSDUMMI, ClearlyClaire)
- Add support for streaming server to connect to postgres with self-signed certs through the
sslmode
URL parameter (ramuuns) - Add support for specifying S3 storage classes through the
S3_STORAGE_CLASS
environment variable (hyl) - Add support for incoming rich text (ClearlyClaire)
- Add support for Ruby 3.2 (tenderlove, casperisfine, ClearlyClaire, ClearlyClaire)
- Add API parameter to safeguard unexpected mentions in new posts (ClearlyClaire)
Changed
- Change hashtags to be displayed separately when they are the last line of a post (renchap, renchap, renchap)
- Change reblogs to be excluded from "Posts and replies" tab in web UI (Gargron)
- Change interaction modal in web interface (Gargron, ClearlyClaire, ClearlyClaire, ClearlyClaire, ClearlyClaire, mgmn, tribela, ClearlyClaire, ClearlyClaire)
- Change design of link previews in web UI (Gargron, ClearlyClaire, Gargron, Gargron, Gargron, Gargron, c960657)
- Change "direct message" nomenclature to "private mention" in web UI (Gargron)
- Change translation feature to cover Content Warnings, poll options and media descriptions (c960657, S-H-GAMELINKS, c960657, ClearlyClaire)
- Change account search to match by text when opted-in (jsgoldstein, Gargron)
- Change import feature to be clearer, less error-prone and more reliable (ClearlyClaire, mgmn)
- Change local and federated timelines to be tabs of a single “Live feeds” column (ClearlyClaire, Gargron, mgmn, Plastikmensch, ClearlyClaire)
- Change user archive export to be faster and more reliable, and export
.zip
archives instead of.tar.gz
ones (ClearlyClaire, TheEssem) - Change
mastodon-streaming
systemd unit files to be templated (e-nomem) - Change
statsd
integration to disable sidekiq metrics by default (mjankowski, mjankowski, ClearlyClaire) This deprecatesstatsd
support and disables the sidekiq integration unlessSTATSD_SIDEKIQ
is set totrue
. This is because thensa
gem is unmaintained, and its sidekiq integration is known to add very significant overhead. Later versions of Mastodon will have other ways to get the same metrics. - Change replica support to native Rails adapter (krainboltgreene, Gargron, Gargron, Gargron, Gargron, ClearlyClaire, ClearlyClaire, ClearlyClaire, ClearlyClaire)
This is a breaking change, dropping
makara
support, and requiring you to update your database configuration if you are using replicas. To tell Mastodon to use a read replica, you can either set theREPLICA_DB_NAME
environment variable (along withREPLICA_DB_USER
,REPLICA_DB_PASS
,REPLICA_DB_HOST
, andREPLICA_DB_PORT
, if they differ from the primary database), or theREPLICA_DATABASE_URL
environment variable if your configuration is based onDATABASE_URL
. - Change DCT method used for JPEG encoding to float (electroCutie)
- Change from
node-redis
toioredis
for streaming (gmemstr) - Change private statuses index to index without crutches (ClearlyClaire)
- Change video compression parameters (Gargron, Gargron, Gargron, Gargron)
- Change admin e-mail notification settings to be their own settings group (ClearlyClaire)
- Change opacity of the delete icon in the search field to be more visible (AntoninDelFabbro)
- Change Account Search to prioritize username over display name (jsgoldstein)
- Change follow recommendation materialized view to be faster in most cases (renchap, ClearlyClaire)
- Change
robots.txt
to block GPTBot (Foritus) - Change header of hashtag timelines in web UI (Gargron, ClearlyClaire)
- Change streaming
/metrics
to include additional metrics (ThisIsMissEm, ThisIsMissEm) - Change indexing frequency from 5 minutes to 1 minute, add locks to schedulers (Gargron)
- Change column link to add a better keyboard focus indicator (teeerevor)
- Change poll form element colors to fit with the rest of the ui (teeerevor, teeerevor, ClearlyClaire)
- Change 'favourite' to 'favorite' for American English (marekr, gunchleoc, nabijaczleweli)
- Change ActivityStreams representation of suspended accounts to not use a blank
name
(ClearlyClaire) - Change focus UI for keyboard only input (teeerevor, Gargron, Gargron)
- Change thread view to scroll to the selected post rather than the post being replied to (ClearlyClaire)
- Change links in multi-column mode so tabs are open in single-column mode (Signez, Signez, ClearlyClaire, Signez, Signez)
- Change searching with
#
to include account index (jsgoldstein) - Change label and design of sensitive and unavailable media in web UI (Gargron, Gargron, Gargron)
- Change button colors to increase hover/focus contrast and consistency (teeerevor, Gargron)
- Change dropdown icon above compose form from ellipsis to bars in web UI (Gargron)
- Change header backgrounds to use fewer different colors in web UI (Gargron)
- Change files to be deleted in batches instead of one-by-one (Gargron, S-H-GAMELINKS, ClearlyClaire)
- Change emoji picker icon (iparr)
- Change edit profile page (Gargron, c960657)
- Change "bot" label to "automated" (Gargron)
- Change design of dropdowns in web UI (Gargron)
- Change wording of “Content cache retention period” setting to highlight destructive implications (ClearlyClaire)
- Change autolinking to allow carets in URL search params (renchap)
- Change share action from being in action bar to being in dropdown in web UI (Gargron)
- Change sessions to be ordered from most-recent to least-recently updated (frankieroberto)
- Change vacuum scheduler to also delete expired tokens and unused application records (ClearlyClaire, ClearlyClaire)
- Change "Sign in" to "Login" (Gargron)
- Change domain suspensions to also be checked before trying to fetch unknown remote resources (ClearlyClaire)
- Change media components to use aspect-ratio rather than compute height themselves (ClearlyClaire, ClearlyClaire, ClearlyClaire)
- Change logo version in header based on screen size in web UI (Gargron)
- Change label from "For you" to "People" on explore screen in web UI (Gargron)
- Change logged-out WebUI HTML pages to be cached for a few seconds (ClearlyClaire)
- Change unauthenticated responses to be cached in REST API (Gargron, ClearlyClaire, ClearlyClaire)
- Change HTTP caching logic (Gargron, ClearlyClaire)
- Change hashtags and mentions in bios to open in-app in web UI (Gargron)
- Change styling of the recommended accounts to allow bio to be more visible (chike00)
- Change account search in moderation interface to allow searching by username including the leading
@
(HeitorMC) - Change all components to use the same error page in web UI (Gargron)
- Change search pop-out in web UI (Gargron)
- Change user settings to be stored in a more optimal way (Gargron, c960657, ClearlyClaire, ClearlyClaire, ClearlyClaire, Gargron, Gargron, ClearlyClaire, jsgoldstein, ClearlyClaire, ClearlyClaire)
- Change media upload limits and remove client-side resizing (Gargron)
- Change design of account rows in web UI (Gargron, Gargron, Gargron, ClearlyClaire)
- Change log-out to use Single Logout when using external log-in through OIDC (CSDUMMI)
- Change sidekiq-bulk's batch size from 10,000 to 1,000 jobs in one Redis call (ClearlyClaire)
- Change translation to only be offered for supported languages (c960657, c960657)
This adds the
/api/v1/instance/translation_languages
REST API endpoint that returns an object with the supported translation language pairs in the form:
(where{ "fr": ["en", "de"] }
fr
is a supported source language anden
andde
or supported output language when translating afr
string) - Change compose form checkbox to native input with
appearance: none
(ClearlyClaire) - Change posts' clickable area to be larger (c960657)
- Change
followed_by
link tolocation=all
if account is local on /admin/accounts/:id page (tribela)
Removed
- Remove support for Node.js 14 (renchap)
- Remove support for Ruby 2.7 (nschonni)
- Remove clustering from streaming API (ThisIsMissEm)
- Remove anonymous access to the streaming API (ClearlyClaire)
- Remove obfuscation of reply count in web UI (Gargron)
- Remove
kmr
from language selection, as it was a duplicate forku
(gunchleoc, ClearlyClaire) - Remove 16:9 cropping from web UI (Gargron)
- Remove back button from bookmarks, favourites and lists screens in web UI (Gargron)
- Remove display name input from sign-up form (Gargron)
- Remove
tai
locale (c960657) - Remove empty Kushubian (csb) local files (nschonni)
- Remove
Permissions-Policy
header from all responses (Gargron)
Fixed
- Fix filters not being applying in the explore page (ClearlyClaire)
- Fix being unable to load past a full page of filtered posts in Home timeline (ClearlyClaire)
- Fix log-in flow when involving both OAuth and external authentication (CSDUMMI)
- Fix broken links in account gallery (c960657)
- Fix migration handler not updating lists (ClearlyClaire)
- Fix crash when viewing a moderation appeal and the moderator account has been deleted (xrobau)
- Fix error in Web UI when server rules cannot be fetched (ClearlyClaire)
- Fix paragraph margins resulting in irregular read-more cut-off in web UI (Gargron)
- Fix notification permissions being requested immediately after login (ClearlyClaire)
- Fix performances of profile directory (ClearlyClaire, ClearlyClaire)
- Fix mute button and volume slider feeling disconnected in web UI (Gargron, ClearlyClaire)
- Fix “Scoped order is ignored, it's forced to be batch order.” warnings (ClearlyClaire)
- Fix blocked domain appearing in account feeds (ClearlyClaire)
- Fix invalid
Content-Type
header for WebP images (c960657) - Fix minor inefficiencies in
tootctl search deploy
(ClearlyClaire) - Fix filter form in profiles directory overflowing instead of wrapping (arbolitoloco1)
- Fix sign up steps progress layout in right-to-left locales (ClearlyClaire)
- Fix bug with “favorited by” and “reblogged by“ view on posts only showing up to 40 items (timothyjrogers, timothyjrogers)
- Fix bad search type heuristic (Gargron)
- Fix not being able to negate prefix clauses in search (Gargron)
- Fix timeout on invalid set of exclusionary parameters in
/api/v1/timelines/public
(danielmbrasil) - Fix adding column with default value taking longer on Postgres >= 11 (Gargron)
- Fix light theme select option for hashtags (teeerevor)
- Fix AVIF attachments (c960657)
- Fix incorrect URL normalization when fetching remote resources (c960657, c960657)
- Fix being unable to filter posts for individual Chinese languages (gunchleoc)
- Fix preview card sometimes linking to 4xx error pages (c960657)
- Fix emoji picker button scrolling with textarea content in single-column view (ClearlyClaire)
- Fix missing border on error screen in light theme in web UI (Gargron)
- Fix UI overlap with the loupe icon in the Explore Tab (gol-cha)
- Fix unexpected redirection to
/explore
after sign-in (ClearlyClaire) - Fix
/api/v1/statuses/:id/unfavourite
and/api/v1/statuses/:id/unreblog
returning non-updated counts (c960657) - Fix clicking the “Back” button sometimes leading out of Mastodon (c960657, CSFlorin, S-H-GAMELINKS, ClearlyClaire)
- Fix processing of
null
ActivityPub activities (tribela) - Fix hashtag posts not being removed from home feed on hashtag unfollow (ClearlyClaire)
- Fix for "follows you" indicator in light web UI not readable (vmstan)
- Fix incorrect line break between icon and number of reposts & favourites (edent)
- Fix sounds not being loaded from assets host (Signez)
- Fix buttons showing inconsistent styles (teeerevor, ClearlyClaire, ClearlyClaire, ClearlyClaire)
- Fix trend calculation working on too many items at a time (Gargron)
- Fix dropdowns being disabled for logged out users in web UI (Gargron, ClearlyClaire)
- Fix explore page being inaccessible when opted-out of trends in web UI (Gargron)
- Fix re-activated accounts possibly getting deleted by
AccountDeletionWorker
(ClearlyClaire) - Fix
/api/v2/search
not working with following query param (danielmbrasil) - Fix inefficient query when requesting a new confirmation email from a logged-in account (ClearlyClaire)
- Fix unnecessary concurrent calls to
/api/*/instance
in web UI (mgmn) - Fix resolving local URL for remote content (ClearlyClaire)
- Fix search not being easily findable on smaller screens in web UI (Gargron, ClearlyClaire)
- Fix j/k keyboard shortcuts on some status lists (ClearlyClaire)
- Fix missing validation on
default_privacy
setting (ClearlyClaire) - Fix incorrect pagination headers in
/api/v2/admin/accounts
(danielmbrasil) - Fix non-interactive upload container being given a
button
role and tabIndex (ClearlyClaire) - Fix always redirecting to onboarding in web UI (Gargron)
- Fix inconsistent use of middle dot (·) instead of bullet (•) to separate items (j-f1)
- Fix spacing of middle dots in the detailed status meta section (j-f1)
- Fix prev/next buttons color in media viewer (renchap)
- Fix email addresses not being properly updated in
tootctl maintenance fix-duplicates
(mjankowski) - Fix unicode surrogate pairs sometimes being broken in page title (eai04191)
- Fix various inefficient queries against account domains (ClearlyClaire)
- Fix video player offering to expand in a lightbox when it's in an
iframe
(ClearlyClaire) - Fix post embed previews (ClearlyClaire)
- Fix inadequate error handling in several API controllers when given invalid parameters (danielmbrasil, danielmbrasil, danielmbrasil, danielmbrasil, danielmbrasil, danielmbrasil)
- Fix uncaught
ActiveRecord::StatementInvalid
in Mastodon::IpBlocksCLI (danielmbrasil) - Fix various edge cases with local moves (ClearlyClaire)
- Fix
tootctl accounts cull
crashing when encountering a domain resolving to a private address (ClearlyClaire) - Fix
tootctl accounts approve --number N
not aproving the N earliest registrations (danielmbrasil) - Fix being unable to clear media description when editing posts (c960657)
- Fix unavailable translations not falling back to English (mgmn)
- Fix anonymous visitors getting a session cookie on first visit (ClearlyClaire, ClearlyClaire, ClearlyClaire)
- Fix cutting off first letter of hashtag links sometimes in web UI (Gargron)
- Fix crash in
tootctl accounts create --reattach --force
(ClearlyClaire, danielmbrasil) - Fix characters being emojified even when using Variation Selector 15 (text) (ClearlyClaire, ClearlyClaire)
- Fix uncaught ActiveRecord::StatementInvalid exception in
Mastodon::AccountsCLI#approve
(danielmbrasil) - Fix email confirmation skip option in
tootctl accounts modify USERNAME --email EMAIL --confirm
(danielmbrasil) - Fix tooltip for dates without time (c960657)
- Fix missing loading spinner and loading more on scroll in Private Mentions column (c960657)
- Fix account header image missing from
/settings/profile
on narrow screens (c960657) - Fix height of announcements not being updated when using reduced animations (c960657)
- Fix inconsistent radius in advanced interface drawer (thislight)
- Fix loading more trending posts on scroll in the advanced interface (OmmyZhang)
- Fix poll ending notification for edited polls (c960657)
- Fix max width of media in
/about
and/privacy-policy
(mgmn) - Fix streaming API not being usable without
DATABASE_URL
(Gargron) - Fix external authentication not running onboarding code for new users (ClearlyClaire)
[4.1.8] - 2023-09-19
Fixed
- Fix post edits not being forwarded as expected (ClearlyClaire)
- Fix moderator rights inconsistencies (ClearlyClaire)
- Fix crash when encountering invalid URL (ClearlyClaire)
- Fix cached posts including stale stats (ClearlyClaire)
- Fix uploading of video files for which
ffprobe
reports0/0
average framerate (NicolaiSoeborg) - Fix unexpected audio stream transcoding when uploaded video is eligible to passthrough (yufushiro)
Security
- Fix missing HTML sanitization in translation API (CVE-2023-42452, GHSA-2693-xr3m-jhqr)
- Fix incorrect domain name normalization (CVE-2023-42451, GHSA-v3xf-c9qf-j667)
[4.1.7] - 2023-09-05
Changed
- Change remote report processing to accept reports with long comments, but truncate them (ThisIsMissEm)
Fixed
- Fix blocking subdomains of an already-blocked domain (ClearlyClaire)
- Fix
/api/v1/timelines/tag/:hashtag
allowing for unauthenticated access when public preview is disabled (danielmbrasil) - Fix inefficiencies in
PlainTextFormatter
(ClearlyClaire)
[4.1.6] - 2023-07-31
Fixed
- Fix memory leak in streaming server (ThisIsMissEm)
- Fix wrong filters sometimes applying in streaming (ClearlyClaire, ThisIsMissEm, renchap)
- Fix incorrect connect timeout in outgoing requests (ClearlyClaire)
[4.1.5] - 2023-07-21
Added
- Add check preventing Sidekiq workers from running with Makara configured (ClearlyClaire)
Changed
- Change request timeout handling to use a longer deadline (ClearlyClaire)
Fixed
- Fix moderation interface for remote instances with a .zip TLD (ClearlyClaire)
- Fix remote accounts being possibly persisted to database with incomplete protocol values (ClearlyClaire)
- Fix trending publishers table not rendering correctly on narrow screens (vmstan)
Security
- Fix CSP headers being unintentionally wide (ClearlyClaire)
[4.1.4] - 2023-07-07
Fixed
- Fix branding:generate_app_icons failing because of disallowed ICO coder (ClearlyClaire)
- Fix crash in admin interface when viewing a remote user with verified links (ClearlyClaire)
- Fix processing of media files with unusual names (ClearlyClaire)
[4.1.3] - 2023-07-06
Added
- Add fallback redirection when getting a webfinger query
LOCAL_DOMAIN@LOCAL_DOMAIN
(ClearlyClaire)
Changed
- Change OpenGraph-based embeds to allow fullscreen (ClearlyClaire)
- Change AccessTokensVacuum to also delete expired tokens (ClearlyClaire)
- Change profile updates to be sent to recently-mentioned servers (ClearlyClaire)
- Change automatic post deletion thresholds and load detection (ClearlyClaire)
- Change
/api/v1/statuses/:id/history
to always return at least one item (ClearlyClaire) - Change auto-linking to allow carets in URL query params (renchap)
Removed
- Remove invalid
X-Frame-Options: ALLOWALL
(ClearlyClaire)
Fixed
- Fix wrong view being displayed when a webhook fails validation (ClearlyClaire)
- Fix soft-deleted post cleanup scheduler overwhelming the streaming server (ThisIsMissEm)
- Fix incorrect pagination headers in
/api/v2/admin/accounts
(danielmbrasil) - Fix multiple inefficiencies in automatic post cleanup worker (ClearlyClaire, ClearlyClaire, ClearlyClaire)
- Fix performance of streaming by parsing message JSON once (ThisIsMissEm, ThisIsMissEm)
- Fix CSP headers when
S3_ALIAS_HOST
includes a path component (ClearlyClaire) - Fix
tootctl accounts approve --number N
not approving N earliest registrations (danielmbrasil) - Fix reports not being closed when performing batch suspensions (ClearlyClaire)
- Fix being able to vote on your own polls (ClearlyClaire)
- Fix race condition when reblogging a status (ClearlyClaire)
- Fix “Authorized applications” inefficiently and incorrectly getting last use date (ClearlyClaire)
- Fix “Authorized applications” crashing when listing apps with certain admin API scopes (ClearlyClaire)
- Fix multiple N+1s in ConversationsController (ClearlyClaire, ClearlyClaire, ClearlyClaire)
- Fix user archive takeouts when using OpenStack Swift (ClearlyClaire)
- Fix searching for remote content by URL not working under certain conditions (ClearlyClaire)
- Fix inefficiencies in indexing content for search (VyrCossont, VyrCossont)
Security
- Add finer permission requirements for managing webhooks (ClearlyClaire)
- Update dependencies
- Add hardening headers for user-uploaded files (ClearlyClaire)
- Fix verified links possibly hiding important parts of the URL (CVE-2023-36462)
- Fix timeout handling of outbound HTTP requests (CVE-2023-36461)
- Fix arbitrary file creation through media processing (CVE-2023-36460)
- Fix possible XSS in preview cards (CVE-2023-36459)
[4.1.2] - 2023-04-04
Fixed
- Fix crash in
tootctl
commands making use of parallelization when Elasticsearch is enabled (ClearlyClaire, ClearlyClaire) - Fix crash in
db:setup
when Elasticsearch is enabled (rrgeorge) - Fix user archive takeout when using OpenStack Swift or S3 providers with no ACL support (ClearlyClaire)
- Fix invalid/expired invites being processed on sign-up (ClearlyClaire)
Security
- Update Ruby to 3.0.6 due to ReDoS vulnerabilities (saizai)
- Fix unescaped user input in LDAP query (ClearlyClaire)
[4.1.1] - 2023-03-16
Added
- Add redirection from paths with url-encoded
@
to their decoded form (thijskh) - Add
lang
attribute to native language names in language picker in Web UI (ClearlyClaire) - Add headers to outgoing mails to avoid auto-replies (ClearlyClaire)
- Add support for refreshing many accounts at once with
tootctl accounts refresh
(9p4) - Add confirmation modal when clicking to edit a post with a non-empty compose form (PauloVilarinho)
- Add support for the HAproxy PROXY protocol through the
PROXY_PROTO_V1
environment variable (CSDUMMI) - Add
SENDFILE_HEADER
environment variable (Gargron) - Add cache headers to static files served through Rails (Gargron)
Changed
- Increase contrast of upload progress bar background (toolmantim)
- Change post auto-deletion throttling constants to better scale with server size (ClearlyClaire)
- Change order of bookmark and favourite sidebar entries in single-column UI for consistency (TerryGarcia)
- Change
ActivityPub::DeliveryWorker
retries to be spread out more (ClearlyClaire)
Fixed
- Fix “Remove all followers from the selected domains” also removing follows and notifications (ClearlyClaire)
- Fix streaming metrics format (emilweth, emilweth)
- Fix case-sensitive check for previously used hashtags in hashtag autocompletion (deanveloper)
- Fix focus point of already-attached media not saving after edit (ClearlyClaire)
- Fix sidebar behavior in settings/admin UI on mobile (wxt2005)
- Fix inefficiency when searching accounts per username in admin interface (ClearlyClaire)
- Fix duplicate “Publish” button on mobile (ClearlyClaire)
- Fix server error when failing to follow back followers from
/relationships
(ClearlyClaire) - Fix server error when attempting to display the edit history of a trendable post in the admin interface (ClearlyClaire)
- Fix
tootctl accounts migrate
crashing because of a typo (ClearlyClaire) - Fix original account being unfollowed on migration before the follow request to the new account could be sent (ClearlyClaire)
- Fix the “Back” button in column headers sometimes leaving Mastodon (c960657)
- Fix pgBouncer resetting application name on every transaction (Gargron)
- Fix unconfirmed accounts being counted as active users (ClearlyClaire)
- Fix
/api/v1/streaming
sub-paths not being redirected (ClearlyClaire) - Fix drag'n'drop upload area text that spans multiple lines not being centered (vintprox)
- Fix sidekiq jobs not triggering Elasticsearch index updates (ClearlyClaire)
- Fix tags being unnecessarily stripped from plain-text short site description (c960657)
- Fix HTML entities not being un-escaped in extracted plain-text from remote posts (c960657)
- Fix dashboard crash on ElasticSearch server error (ClearlyClaire)
- Fix incorrect post links in strikes when the account is remote (ClearlyClaire)
- Fix misleading error code when receiving invalid WebAuthn credentials (ClearlyClaire)
- Fix duplicate mails being sent when the SMTP server is too slow to close the connection (ClearlyClaire)
Security
- Change user backups to use expiring URLs for download when possible (Gargron)
- Add warning for object storage misconfiguration (ClearlyClaire)
[4.1.0] - 2023-02-10
Added
- Add support for importing/exporting server-wide domain blocks (enbylenore, ClearlyClaire, dariusk, ClearlyClaire)
- Add listing of followed hashtags (connorshea)
- Add support for editing media description and focus point of already-sent posts (ClearlyClaire)
- Previously, you could add and remove attachments, but not edit media description of already-attached media
- REST API changes:
PUT /api/v1/statuses/:id
now takes an extramedia_attributes[]
array parameter with theid
of the updated media and their updateddescription
,focus
, andthumbnail
- Add follow request banner on account header (ClearlyClaire)
- REST API changes:
Relationship
entities have an extrarequested_by
boolean attribute representing whether the represented user has requested to follow you
- REST API changes:
- Add confirmation screen when handling reports (ClearlyClaire, Gargron, tribela)
- Add option to make the landing page be
/about
even when trends are enabled (ClearlyClaire) - Add
noindex
setting back to the admin interface (prplecake) - Add instance peers API endpoint toggle back to the admin interface (dariusk)
- Add instance activity API endpoint toggle back to the admin interface (dariusk)
- Add setting for status page URL (Gargron, ClearlyClaire)
- REST API changes:
- Add
configuration.urls.status
attribute to the object returned byGET /api/v2/instance
- Add
- REST API changes:
- Add
account.approved
webhook (Saiv46) - Add 12 hours option to polls (Pleclown)
- Add dropdown menu item to open admin interface for remote domains (ClearlyClaire)
- Add
--remove-headers
,--prune-profiles
and--include-follows
flags totootctl media remove
(evanphilip) - Add
--email
and--dry-run
options totootctl accounts delete
(ClearlyClaire) - Add
tootctl accounts migrate
(ClearlyClaire) - Add
tootctl accounts prune
(tribela) - Add
tootctl domains purge
(ClearlyClaire) - Add
SIDEKIQ_CONCURRENCY
environment variable (muffinista) - Add
DB_POOL
environment variable support for streaming server (Gargron) - Add
MIN_THREADS
environment variable to set minimum Puma threads (jimeh) - Add explanation text to log-in page (ClearlyClaire)
- Add user profile OpenGraph tag on post pages (bramus)
- Add maskable icon support for Android (workeffortwaste)
- Add Belarusian to supported languages (Mixaill)
- Add Western Frisian to supported languages (ykzts)
- Add Montenegrin to the language picker (ayefries)
- Add Southern Sami and Lule Sami to the language picker (Jullan-M)
- Add logging for Rails cache timeouts (ClearlyClaire)
- Add color highlight for active hashtag “follow” button (MFTabriz)
- Add brotli compression to
assets:precompile
(Izorkin) - Add “disabled” account filter to the
/admin/accounts
UI (tribela) - Add transparency to modal background for accessibility (edent)
- Add
lang
attribute to image description textarea and poll option field (c960657) - Add
spellcheck
attribute to Content Warning and poll option input fields (c960657) - Add
title
attribute to video elements in media attachments (bramus) - Add left and right margins to emojis (dsblank)
- Add
roles
attribute toAccount
entities in REST API (ClearlyClaire, tribela) - Add
reading:autoplay:gifs
to/api/v1/preferences
(j-f1) - Add
hide_collections
parameter to/api/v1/accounts/credentials
(CarlSchwan) - Add
policy
attribute to web push subscription objects in REST API at/api/v1/push/subscriptions
(ClearlyClaire) - Add metrics endpoint to streaming API (Gargron, Gargron)
- Add more specific error messages to HTTP signature verification (ClearlyClaire)
- Add Storj DCS to cloud object storage options in the
mastodon:setup
rake task (jtolio) - Add checkmark symbol in the checkbox for sensitive media (sidp)
- Add missing accessibility attributes to logout link in modals (kytta)
- Add missing accessibility attributes to “Hide image” button in
MediaGallery
(hs4man21) - Add missing accessibility attributes to hide content warning field when disabled (hs4man21)
- Add
aria-hidden
to footer circle dividers to improve accessibility (hs4man21) - Add
lang
attribute to compose form inputs (ClearlyClaire)
Changed
- Ensure exact match is the first result in hashtag searches (ClearlyClaire)
- Change account search to return followed accounts first (dariusk)
- Change batch account suspension to create a strike (ClearlyClaire)
- Change default reply language to match the default language when replying to a translated post (ClearlyClaire)
- Change misleading wording about waitlists (ClearlyClaire)
- Increase width of the unread notification border (connorshea)
- Change new post notification button on profiles to make it more apparent when it is enabled (tribela)
- Change trending tags admin interface to always show batch action controls (ClearlyClaire)
- Change wording of some OAuth scope descriptions (ClearlyClaire)
- Change wording of admin report handling actions (ClearlyClaire)
- Change confirm prompts for relationships management (tribela)
- Change language surrounding disability in prompts for media descriptions (hs4man21)
- Change confusing wording in the sign in banner (ClearlyClaire)
- Change
POST /settings/applications/:id
to regenerate token on scopes change (ClearlyClaire) - Change account moderation notes to make links clickable (ClearlyClaire)
- Change link previews for statuses to never use avatar as fallback (Gargron)
- Change email address input to be read-only for logged-in users when requesting a new confirmation e-mail (ClearlyClaire)
- Change notifications per page from 15 to 40 in REST API (Gargron)
- Change number of stored items in home feed from 400 to 800 (Gargron)
- Change API rate limits from 300/5min per user to 1500/5min per user, 300/5min per app (Gargron)
- Save avatar or header correctly even if the other one fails (tribela)
- Change
referrer-policy
tosame-origin
application-wide (ClearlyClaire, ClearlyClaire) - Add 'private' to
Cache-Control
, match Rails expectations (daxtens) - Make the button that expands the compose form differentiable from the button that publishes a post (Tak)
- Change automatic post deletion configuration to be accessible to moved users (ClearlyClaire)
- Make tag following idempotent (trwnh, ClearlyClaire)
- Use buildx functions for faster builds (inductor)
- Split off Dockerfile components for faster builds (moritzheiber, ineffyble, BtbN)
- Change last occurrence of “silence” to “limit” in UI text (cincodenada)
- Change “hide toot” to “hide post” (seanthegeek)
- Don't allow URLs that contain non-normalized paths to be verified (dgl)
- Change the “Trending now” header to be a link to the Explore page (connorshea)
- Change PostgreSQL connection timeout from 2 minutes to 15 seconds (ClearlyClaire)
- Make handle more easily selectable on profile page (cadars)
- Allow admins to refresh remotely-suspended accounts (ClearlyClaire)
- Change dropdown menu to contain “Copy link to post” even for non-public posts (ClearlyClaire)
- Allow adding relays in secure mode and limited federation mode (ineffyble)
- Change timestamps to be displayed using the user's timezone throughout the moderation interface (FrancisMurillo, ClearlyClaire)
- Change CSP directives on API to be tight and concise (ClearlyClaire)
- Change web UI to not autofocus the compose form (raboof, Akkiesoft)
- Change idempotency key handling for posting when database access is slow (lambda)
- Change remote media files to be downloaded outside of transactions (ClearlyClaire)
- Improve contrast of charts in “poll has ended” notifications (j-f1)
- Change OEmbed detection and validation to be somewhat more lenient (ineffyble)
- Widen ElasticSearch version detection to not display a warning for OpenSearch (VyrCossont, ClearlyClaire)
- Change link verification to allow pages larger than 1MB as long as the link is in the first 1MB (untitaker)
- Update default Node.js version to Node.js 16 (ineffyble, ClearlyClaire)
Removed
- Officially remove support for Ruby 2.6 (ClearlyClaire)
- Remove
object-fit
polyfill used for old versions of Microsoft Edge (shuuji3) - Remove
intersection-observer
polyfill for old Safari support (shuuji3) - Remove empty
title
tag from mailer layout (nametoolong) - Remove post count and last posts from ActivityPub representation of hashtag collections (ClearlyClaire)
Fixed
- Fix changing domain block severity not undoing individual account effects (ClearlyClaire)
- Fix suspension worker crashing on S3-compatible setups without ACL support (ClearlyClaire)
- Fix possible race conditions when suspending/unsuspending accounts (ClearlyClaire)
- Fix being stuck in edit mode when deleting the edited posts (ClearlyClaire)
- Fix attached media uploads not being cleared when replying to a post (ClearlyClaire)
- Fix filters not being applied to some notification types (ClearlyClaire)
- Fix incorrect link in push notifications for some event types (elizabeth-dev)
- Fix some performance issues with
/admin/instances
(ClearlyClaire) - Fix some pre-4.0 admin audit logs (ClearlyClaire)
- Fix moderation audit log items for warnings having incorrect links (ClearlyClaire)
- Fix account activation being sometimes triggered before email confirmation (ClearlyClaire)
- Fix missing OAuth scopes for admin APIs (trwnh, trwnh)
- Fix voter count not being cleared when a poll is reset (afontenot)
- Fix attachments of edited posts not being fetched (ClearlyClaire)
- Fix irreversible and whole_word parameters handling in
/api/v1/filters
(ClearlyClaire) - Fix 500 error when marking posts as sensitive while some of them are deleted (ClearlyClaire)
- Fix expanded posts not always being scrolled into view (ClearlyClaire)
- Fix not being able to scroll the remote interaction modal on small screens (xendke)
- Fix not being able to scroll in post history modal (cadars)
- Fix audio player volume control on Safari (minacle)
- Fix disappearing “Explore” tabs on Safari (nyura, ykzts)
- Fix wrong padding in RTL layout (Gargron)
- Fix drag & drop upload area display in single-column mode (ClearlyClaire)
- Fix being unable to get a single EmailDomainBlock from the admin API (trwnh)
- Fix admin-set follow recommandations being case-sensitive (ClearlyClaire)
- Fix unserialized
role
on account entities in admin API (Gargron) - Fix pagination of followed tags (trwnh)
- Fix dropdown menu positions when scrolling (sidp, ClearlyClaire)
- Fix email with empty domain name labels passing validation (ClearlyClaire)
- Fix mysterious registration failure when “Require a reason to join” is set with open registrations (ClearlyClaire)
- Fix attachment rendering of edited posts in OpenGraph (ClearlyClaire)
- Fix invalid/empty RSS feed link on account pages (ClearlyClaire)
- Fix error in
VerifyLinkService
when processing links with no href (joshuap) - Fix error in
VerifyLinkService
when processing links with invalid URLs (untitaker) - Fix media uploads with FFmpeg 5 (dead10ck)
- Fix sensitive flag not being set when replying to a post with a content warning under certain conditions (kedamaDQ)
- Fix misleading message briefly showing up when loading follow requests under some conditions (c960657)
- Fix “Share @:user's profile” profile menu item not working (ClearlyClaire)
- Fix crash and incorrect behavior in
tootctl domains crawl
(ClearlyClaire) - Fix autoplay on iOS (jamesadney)
- Fix user clean-up scheduler crash when an unconfirmed account has a moderation note (ClearlyClaire)
- Fix spaces not being stripped in admin account search (ClearlyClaire)
- Fix spaces not being stripped when adding relays (ClearlyClaire)
- Fix infinite loading spinner instead of soft 404 for non-existing remote accounts (ClearlyClaire)
- Fix minor visual issue with the top border of verified account fields (j-f1)
- Fix pending account approval and rejection not being recorded in the admin audit log (FrancisMurillo)
- Fix “Sign up” button with closed registrations not opening modal on mobile (ClearlyClaire)
- Fix UI header overflowing on mobile (ClearlyClaire)
- Fix 500 error when trying to migrate to an invalid address (ClearlyClaire)
- Fix crash when trying to fetch unobtainable avatar of user using external authentication (lochiiconnectivity)
- Fix processing error on incoming malformed JSON-LD under some situations (ClearlyClaire)
- Fix potential duplicate posts in Explore tab (ClearlyClaire)
- Fix deprecation warning in
tootctl accounts rotate
(ClearlyClaire) - Fix styling of featured tags in light theme (ClearlyClaire)
- Fix missing style in warning and strike cards (AtelierSnek, ClearlyClaire)
- Fix wasteful request to
/api/v1/custom_emojis
when not logged in (ClearlyClaire) - Fix replies sometimes being delivered to user-blocked domains (tribela)
- Fix admin dashboard crash when using some ElasticSearch replacements (cortices)
- Fix profile avatar being slightly offset into left border (RiedleroD)
- Fix N+1 queries in
NotificationsController
(nametoolong) - Fix being unable to react to announcements with the keycap number sign emoji (kescherCode)
- Fix height computation of post embeds (hodgesmr)
- Fix accessibility issue of the search bar due to hidden placeholder (alexstine)
- Fix layout change handler not being removed due to a typo (nschonni)
- Fix typo in the default
S3_HOSTNAME
used in themastodon:setup
rake task (danp) - Fix the top action bar appearing in the multi-column layout (ClearlyClaire)
- Fix inability to use local LibreTranslate without setting
ALLOWED_PRIVATE_ADDRESSES
(ClearlyClaire) - Fix punycoded local domains not being prettified in initial state (Tritlo)
- Fix CSP violation warning by removing inline CSS from SVG logo (luxiaba)
- Fix margin for search field on medium window size (minacle)
- Fix search popout scrolling with the page in single-column mode (rgroothuijsen)
- Fix minor post cache hydration discrepancy (ClearlyClaire)
- Fix
・
detection in hashtags (parthoghosh24) - Fix hashtag follows bypassing user blocks (tribela)
- Fix moved accounts being incorrectly redirected to account settings when trying to view a remote profile (ClearlyClaire)
- Fix site upload validations (ClearlyClaire)
- Fix “Add new domain block” button using last submitted search value instead of the current one (ClearlyClaire)
- Fix misleading hashtag warning when posting with “Followers only” or “Mentioned people only” visibility (n0toose)
- Fix embedded posts with videos grabbing focus (Akkiesoft)
- Fix
$
not being escaped in.env.production
files generated by themastodon:setup
rake task (ClearlyClaire, ClearlyClaire) - Fix sanitizer parsing link text as HTML when stripping unsupported links (ClearlyClaire)
- Fix
scheduled_at
input not usingdatetime-local
when editing announcements (ClearlyClaire) - Fix REST API serializer for
Account
not includingmoved
when the moved account has itself moved (ClearlyClaire) - Fix
/api/v1/admin/trends/tags
using wrong serializer (ClearlyClaire) - Fix situations in which instance actor can be set to a Mastodon-incompatible name (ClearlyClaire)
Security
- Add
form-action
CSP directive (ClearlyClaire, ClearlyClaire, ClearlyClaire) - Fix unbounded recursion in account discovery (ClearlyClaire)
- Revoke all authorized applications on password reset (FrancisMurillo)
- Fix unbounded recursion in post discovery (ClearlyClaire,nametoolong)
[4.0.2] - 2022-11-15
Fixed
- Fix wrong color on mentions hidden behind content warning in web UI (Gargron)
- Fix filters from other users being used in the streaming service (ClearlyClaire)
- Fix
unsafe-eval
being used whenwasm-unsafe-eval
is enough in Content Security Policy (Gargron, prplecake)
[4.0.1] - 2022-11-14
Fixed
- Fix nodes order being sometimes mangled when rewriting emoji (ClearlyClaire)
[4.0.0] - 2022-11-14
Some of the features in this release have been funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322.
Added
- Add ability to filter followed accounts' posts by language (Gargron, ClearlyClaire)
- Add ability to follow hashtags (Gargron, Gargron, Gargron, noellabo)
- Add ability to filter individual posts (ClearlyClaire)
- Add ability to translate posts (Gargron, ClearlyClaire, Gargron, ClearlyClaire, Gargron, ykzts, Gargron)
- Add featured tags to web UI (noellabo, noellabo, noellabo, noellabo, Gargron, ykzts, noellabo, noellabo, Gargron, Gargron, ClearlyClaire)
- Add support for language preferences for trending statuses and links (Gargron, Gargron, ykzts)
- Previously, you could only see trends in your current language
- For less popular languages, that meant empty trends
- Now, trends in your preferred languages' are shown on top, with others beneath
- Add server rules to sign-up flow (Gargron)
- Add privacy icons to report modal in web UI (ClearlyClaire)
- Add
noopener
to links to remote profiles in web UI (shleeable) - Add option to open original page in dropdowns of remote content in web UI (Gargron)
- Add warning for sensitive audio posts in web UI (rgroothuijsen)
- Add language attribute to posts in web UI (tribela)
- Add support for uploading WebP files (Saiv46)
- Add support for uploading
audio/vnd.wave
files (tribela) - Add support for uploading AVIF files (txt-file)
- Add support for uploading HEIC files (Gargron)
- Add more debug information when processing remote accounts (ClearlyClaire, ClearlyClaire)
- Add retention policy for cached content and media (Gargron, zunda, Gargron, Gargron)
- Set for how long remote posts or media should be cached on your server
- Hands-off alternative to
tootctl
commands
- Add customizable user roles (Gargron, ClearlyClaire, Gargron, tribela, tribela, ClearlyClaire, ClearlyClaire, unextro, tribela, ClearlyClaire)
- Previously, there were 3 hard-coded roles, user, moderator, and admin
- Create your own roles and decide which permissions they should have
- Add notifications for new reports (Gargron, Gargron)
- Add ability to select all accounts matching search for batch actions in admin UI (Gargron, Gargron)
- Add ability to view previous edits of a status in admin UI (Gargron)
- Add ability to block sign-ups from IP (Gargron)
- Add webhooks to admin UI (Gargron)
- Add admin API for managing domain allows (ClearlyClaire)
- Add admin API for managing domain blocks (ClearlyClaire)
- Add admin API for managing e-mail domain blocks (Gargron)
- Add admin API for managing canonical e-mail blocks (Gargron)
- Add admin API for managing IP blocks (Gargron, trwnh)
- Add
sensitized
attribute to accounts in admin REST API (trwnh) - Add
services
andmetadata
to the NodeInfo endpoint (MFTabriz) - Add
--remove-role
option totootctl accounts modify
(Gargron) - Add
--days
option totootctl media refresh
(tribela) - Add
EMAIL_DOMAIN_LISTS_APPLY_AFTER_CONFIRMATION
environment variable (ClearlyClaire) - Add
IP_RETENTION_PERIOD
andSESSION_RETENTION_PERIOD
environment variables (kescherCode) - Add
http_hidden_proxy
environment variable (tribela) - Add
ENABLE_STARTTLS
environment variable (erbridge) - Add caching for payload serialization during fan-out (ClearlyClaire, Gargron, ClearlyClaire, ClearlyClaire, ClearlyClaire)
- Add assets from Twemoji 14.0 (Gargron)
- Add reputation and followers score boost to SQL-only account search (Gargron)
- Add Scots, Balaibalan, Láadan, Lingua Franca Nova, Lojban, Toki Pona to languages list (VyrCossont)
- Set autocomplete hints for e-mail, password and OTP fields (rcombs, offbyone, ClearlyClaire)
- Add support for DigitalOcean Spaces in setup wizard (v-aisac)
Changed
- Change brand color and logotypes (Gargron, Gargron, Gargron, ClearlyClaire, Gargron, mayaeh)
- Change post editing to be enabled in web UI (Gargron)
- Change web UI to work for logged-out users (Gargron, Gargron, Gargron, Gargron, Gargron, ykzts, Gargron, ClearlyClaire, ClearlyClaire, Gargron, Gargron, Gargron, ClearlyClaire, Gargron, Gargron, Gargron, Gargron, Gargron, ykzts, ykzts, ykzts, ykzts, ykzts, Gargron, Gargron, Gargron, Gargron, Gargron, Gargron, Gargron, Gargron, Gargron, Gargron, Gargron, ykzts, ykzts, Gargron, Gargron, Gargron, Gargron, trwnh, ykzts, Gargron, Gargron, ClearlyClaire, Gargron, ClearlyClaire, Gargron, Gargron, Gargron, ClearlyClaire, ClearlyClaire, ClearlyClaire, Gargron, cutls)
- The web app can now be accessed without being logged in
- No more
/web
prefix on web app paths - Profiles, posts, and other public pages now use the same interface for logged in and logged out users
- The web app displays a server information banner
- Pop-up windows for remote interaction have been replaced with a modal window
- No need to type in your username for remote interaction, copy-paste-to-search method explained
- Various hints throughout the app explain what the different timelines are
- New about page design
- New privacy policy page design shows when the policy was last updated
- All sections of the web app now have appropriate window titles
- The layout of the interface has been streamlined between different screen sizes
- Posts now use more horizontal space
- Change label of publish button to be "Publish" again in web UI (Gargron)
- Change language to be carried over on reply in web UI (ClearlyClaire)
- Change "Unfollow" to "Cancel follow request" when request still pending in web UI (prplecake)
- Change post filtering system (ClearlyClaire, ClearlyClaire, ClearlyClaire, ClearlyClaire, noellabo, ClearlyClaire, ClearlyClaire, ClearlyClaire, ClearlyClaire)
- Filtered keywords and phrases can now be grouped into named categories
- Filtered posts show which exact filter was hit
- Individual posts can be added to a filter
- You can peek inside filtered posts anyway
- Change path of privacy policy page from
/terms
to/privacy-policy
(Gargron) - Change how hashtags are normalized (Gargron, Gargron, ClearlyClaire)
- Change settings area to be separated into categories in admin UI (Gargron, Gargron)
- Change "No accounts selected" errors to use the appropriate noun in admin UI (prplecake)
- Change e-mail domain blocks to match subdomains of blocked domains (Gargron)
- Change custom emoji file size limit from 50 KB to 256 KB (Gargron)
- Change "Allow trends without prior review" setting to also work for trending posts (Gargron)
- Change admin announcements form to use single inputs for date and time in admin UI (ClearlyClaire)
- Change search API to be accessible without being logged in (Gargron, Gargron)
- Change following and followers API to be accessible without being logged in (Gargron)
- Change
AUTHORIZED_FETCH
to not block unauthenticated REST API access (Gargron) - Change Helm configuration (deepy, jgsmith, deepy)
- Change mentions of blocked users to not be processed (ClearlyClaire)
- Change max. thumbnail dimensions to 640x360px (360p) (Gargron)
- Change post-processing to be deferred only for large media types (Gargron)
- Change link verification to only work for https links without unicode (Gargron, Gargron)
- Change account deletion requests to spread out over time (ClearlyClaire)
- Change larger reblogs/favourites numbers to be shortened in web UI (Gargron)
- Change incoming activity processing to happen in
ingress
queue (Gargron) - Change notifications to not link show preview cards in web UI (ClearlyClaire)
- Change amount of replies returned for logged out users in REST API (ClearlyClaire)
- Change in-app links to keep you in-app in web UI (trwnh, Gargron)
- Change table header to be sticky in admin UI (sk22)
Removed
- Remove setting that disables account deletes (Gargron)
- Remove digest e-mails (Gargron)
- Remove unnecessary sections from welcome e-mail (Gargron)
- Remove item titles from RSS feeds (Gargron)
- Remove volume number from hashtags in web UI (Gargron)
- Remove Nanobox configuration (tonyjiang)
Fixed
- Fix rules with same priority being sorted non-deterministically (Gargron)
- Fix error when invalid domain name is submitted (Gargron)
- Fix icons having an image role (Gargron)
- Fix connections to IPv6-only servers (ClearlyClaire)
- Fix unnecessary service worker registration and preloading when logged out in web UI (ClearlyClaire)
- Fix unnecessary and slow regex construction (raggi)
- Fix
mailers
queue not being used for mailers (Gargron) - Fix error in webfinger redirect handling (ClearlyClaire)
- Fix report category not being set to
violation
if rule IDs are provided (trwnh) - Fix nodeinfo metadata attribute being an array instead of an object (ClearlyClaire)
- Fix account endorsements not being idempotent (trwnh)
- Fix status and rule IDs not being strings in admin reports REST API (trwnh)
- Fix error on invalid
replies_policy
in REST API (trwnh) - Fix redrafting a currently-editing post not leaving edit mode in web UI (ClearlyClaire)
- Fix performance by avoiding method cache busts (raggi)
- Fix opening the language picker scrolling the single-column view to the top in web UI (ClearlyClaire)
- Fix content warning button missing
aria-expanded
attribute in web UI (ClearlyClaire) - Fix redundant
aria-pressed
attributes in web UI (Brawaru) - Fix crash when external auth provider has no display name set (ClearlyClaire)
- Fix followers count not being updated when migrating follows (ClearlyClaire)
- Fix double button to clear emoji search input in web UI (sunny)
- Fix missing null check on applications on strike disputes (kescherCode)
- Fix featured tags not saving preferred casing (Gargron)
- Fix language not being saved when editing status (Gargron)
- Fix not being able to input featured tag with hash symbol (Gargron)
- Fix user clean-up scheduler crash when an unconfirmed account has a moderation note (ClearlyClaire)
- Fix being unable to withdraw follow request when confirmation modal is disabled in web UI (ClearlyClaire)
- Fix inaccurate admin log entry for re-sending confirmation e-mails (ClearlyClaire)
- Fix edits not being immediately reflected (ClearlyClaire)
- Fix bookmark import stopping at the first failure (ClearlyClaire)
- Fix account action type validation (Gargron)
- Fix upload progress not communicating processing phase in web UI (Gargron)
- Fix wrong host being used for custom.css when asset host configured (Gargron)
- Fix account migration form ever using outdated account data (Gargron, nightpool)
- Fix error when uploading malformed CSV import (Gargron)
- Fix avatars not using image tags in web UI (Gargron)
- Fix handling of duplicate and out-of-order notifications in web UI (ClearlyClaire)
- Fix reblogs being discarded after the reblogged status (ClearlyClaire)
- Fix indexing scheduler trying to index when Elasticsearch is disabled (Gargron)
- Fix n+1 queries when rendering initial state JSON (Gargron)
- Fix n+1 query during status removal (Gargron)
- Fix OCR not working due to Content Security Policy in web UI (prplecake)
- Fix
nofollow
rel being removed in web UI (Gargron) - Fix language dropdown causing zoom on mobile devices in web UI (Gargron)
- Fix button to dismiss suggestions not showing up in search results in web UI (ClearlyClaire)
- Fix language dropdown sometimes not appearing in web UI (Gargron)
- Fix quickly switching notification filters resulting in empty or incorrect list in web UI (ClearlyClaire, ClearlyClaire)
- Fix media modal link button in web UI (ClearlyClaire)
- Fix error upon successful account migration (Gargron)
- Fix negatives values in search index causing queries to fail (Gargron, Gargron)
- Fix error when searching for invalid URL (ClearlyClaire)
- Fix IP blocks not having a unique index (Gargron)
- Fix remote account in contact account setting not being used (Gargron)
- Fix swallowing mentions of unconfirmed/unapproved users (ClearlyClaire)
- Fix incorrect and slow cache invalidation when blocking domain and removing media attachments (ClearlyClaire)
- Fix HTTPs redirect behaviour when running as I2P service (gi-yt)
- Fix deleted pinned posts potentially counting towards the pinned posts limit (ClearlyClaire)
- Fix compatibility with OpenSSL 3.0 (ClearlyClaire)
- Fix error when a remote report includes a private post the server has no access to (ClearlyClaire)
- Fix suspicious sign-in mails never being sent (ClearlyClaire)
- Fix fallback locale when somehow user's locale is an empty string (tribela)
- Fix avatar/header not being deleted locally when deleted on remote account (tribela)
- Fix missing
,
in Blurhash validation (noellabo) - Fix order by most recent not working for relationships page in admin UI (tribela)
- Fix uncaught error when invalid date is supplied to API (Gargron)
- Fix REST API sometimes returning HTML on error (ClearlyClaire)
- Fix ambiguous column names in
tootctl media refresh
(tribela) - Fix ambiguous column names in
tootctl search deploy
(mashirozx) - Fix
CDN_HOST
not being used in some asset URLs (tribela) - Fix
CAS_DISPLAY_NAME
,SAML_DISPLAY_NAME
andOIDC_DISPLAY_NAME
being ignored (ClearlyClaire) - Fix various typos in comments throughout the codebase (luzpaz)
- Fix CSV import error when rows include unicode characters (HamptonMakes)
Security
- Fix being able to spoof link verification (Gargron)
- Fix emoji substitution not applying only to text nodes in backend code (ClearlyClaire)
- Fix emoji substitution not applying only to text nodes in web UI (ClearlyClaire)
- Fix rate limiting for paths with formats (Gargron)
- Fix out-of-bound reads in blurhash transcoder (delroth)
For previous changes, review the stable-3.5 branch