Releases: mastodon/mastodon
v4.3.2
Changelog
Added
- Add tootctl feeds vacuum (#33065 by @ClearlyClaire)
- Add error message when user tries to follow their own account (#31910 by @lenikadali)
- Add client_secret_expires_at to OAuth Applications (#30317 by @ThisIsMissEm)
Changed
- Change design of Content Warnings and filters (#32543 by @ClearlyClaire)
Fixed
- Fix processing incoming post edits with mentions to unresolvable accounts (#33129 by @ClearlyClaire)
- Fix error when including multiple instances of embed.js (#33107 by @YKWeyer)
- Fix inactive users' timelines being backfilled on follow and unsuspend (#33094 by @ClearlyClaire)
- Fix direct inbox delivery pushing posts into inactive followers' timelines (#33067 by @ClearlyClaire)
- Fix TagFollow records not being correctly handled in account operations (#33063 by @ClearlyClaire)
- Fix pushing hashtag-followed posts to feeds of inactive users (#33018 by @Gargron)
- Fix duplicate notifications in notification groups when using slow mode (#33014 by @ClearlyClaire)
- Fix posts made in the future being allowed to trend (#32996 by @ClearlyClaire)
- Fix uploading higher-than-wide GIF profile picture with libvips enabled (#32911 by @ClearlyClaire)
- Fix domain attribution field having autocorrect and autocapitalize enabled (#32903 by @ClearlyClaire)
- Fix titles being escaped twice (#32889 by @ClearlyClaire)
- Fix list creation limit check (#32869 by @ClearlyClaire)
- Fix error in tootctl email_domain_blocks when supplying --with-dns-records (#32863 by @mjankowski)
- Fix min_id and max_id causing error in search API (#32857 by @Gargron)
- Fix inefficiencies when processing removal of posts that use featured tags (#32787 by @ClearlyClaire)
- Fix alt-text pop-in not using the translated description (#32766 by @ClearlyClaire)
- Fix preview cards with long titles erroneously causing layout changes (#32678 by @ClearlyClaire)
- Fix embed modal layout on mobile (#32641 by @DismalShadowX)
- Fix and improve batch attachment deletion handling when using OpenStack Swift (#32637 by @hugogameiro)
- Fix blocks not being applied on link timeline (#32625 by @tribela)
- Fix follow counters being incorrectly changed (#32622 by @oneiros)
- Fix 'unknown' media attachment type rendering (#32613 and #32713 by @ThisIsMissEm and @renatolond)
- Fix tl language native name (#32606 by @seav)
Security
- Update dependencies
Upgrade notes
To get the code for v4.3.2, use git fetch && git checkout v4.3.2.
Note
As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump
Dependencies
External dependencies have not changed since v4.3.0, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:
- Ruby: 3.1 or newer
- PostgreSQL: 12 or newer. PostgreSQL versions 14.0 to 14.3 are not supported as they contain a critical data-corruption bug (see v4.3.0 release notes)
- Elasticsearch (recommended, for full-text search): 7.x (OpenSearch should also work)
- LibreTranslate (optional, for translations): 1.3.3 or newer
- Redis: 4 or newer
- Node: 18 or newer
- ImageMagick (optional if using libvips): 6.9.7-7 or newer
- libvips (optional, instead of ImageMagick): 8.13 or newer
Update steps
The following instructions are for updating from 4.3.1.
If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations. In particular, please read the v4.3.0 release notes, as there have been multiple important changes.
Non-docker
Tip
The charlock_holmes gem may fail to build on some systems with recent versions of gcc.
If you run into such an issue, try BUNDLE_BUILD__CHARLOCK_HOLMES="--with-cxxflags=-std=c++17" bundle install.
- Install dependencies with bundle install and yarn install --immutable
- Precompile the assets: RAILS_ENV=production bundle exec rails assets:precompile
- Restart all Mastodon processes.
When using docker
- Restart all Mastodon processes.
v4.2.14
Changelog
Added
- Add tootctl feeds vacuum (#33065 by @ClearlyClaire)
Fixed
- Fix inactive users' timelines being backfilled on follow and unsuspend (#33094 by @ClearlyClaire)
- Fix direct inbox delivery pushing posts into inactive followers' timelines (#33067 by @ClearlyClaire)
- Fix TagFollow records not being correctly handled in account operations (#33063 by @ClearlyClaire)
- Fix pushing hashtag-followed posts to feeds of inactive users (#33018 by @Gargron)
- Fix and improve batch attachment deletion handling when using OpenStack Swift (#32637 by @hugogameiro)
- Fix tl language native name (#32606 by @seav)
Upgrade notes
To get the code for v4.2.14, use git fetch && git checkout v4.2.14.
Note
As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump
Important
Since v4.2.10, Mastodon is now performing stricter checks to prevent client IP address spoofing. This means that if one of your reverse proxies is not on Mastodon's local network, you will need to set TRUSTED_PROXY_IP accordingly, listing the IP address of every trusted reverse proxy (including local network ones). See the documentation for more information.
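What a trusted-proxy list does to client IP resolution, as an added example (not Mastodon's own code): the general right-to-left X-Forwarded-For walk, showing that a reverse proxy missing from the list becomes the apparent client of every request. The helper names, the list format (comma- or space-separated addresses and CIDR ranges) and all addresses are assumptions constructed for illustration.

```ruby
require 'ipaddr'

# Added illustration, not Mastodon's code. Assumes the trusted-proxy setting is a
# comma- or space-separated list of IP addresses or CIDR ranges.
def parse_trusted(value)
  value.to_s.split(/[\s,]+/).reject(&:empty?).map { |item| IPAddr.new(item) }
end

# Returns an IPAddr, or nil when the text is not a valid address.
def parse_ip(text)
  text = text.to_s.strip
  return nil if text.empty?
  IPAddr.new(text)
rescue IPAddr::Error
  nil
end

def trusted?(addr, trusted)
  # Compare only within one address family; mixed-family checks can raise on older Rubies.
  trusted.any? { |range| range.family == addr.family && range.include?(addr) }
end

# peer: address of the directly connected TCP peer; xff: raw X-Forwarded-For value or nil.
def client_ip(peer, xff, trusted)
  peer_addr = parse_ip(peer)
  # A peer that is not a trusted proxy can put anything in the header: ignore the header.
  return peer if peer_addr.nil? || !trusted?(peer_addr, trusted)

  nearest = peer
  # Walk right to left: each entry was appended by the hop to its right.
  xff.to_s.split(',').map(&:strip).reject(&:empty?).reverse_each do |hop|
    addr = parse_ip(hop)
    return nearest if addr.nil?               # unparsable entry: stop at the last verified hop
    return hop unless trusted?(addr, trusted) # first untrusted address is the client
    nearest = hop
  end
  nearest # every listed hop was a trusted proxy
end

# Constructed scenario: local nginx at 10.0.0.5 behind an external proxy at 203.0.113.10.
COMPLETE   = parse_trusted('127.0.0.1, 10.0.0.0/8, 203.0.113.10')
INCOMPLETE = parse_trusted('127.0.0.1, 10.0.0.0/8') # external proxy left out

def demo
  honest  = '198.51.100.7, 203.0.113.10'
  spoofed = '192.0.2.99, 198.51.100.7, 203.0.113.10' # client supplied its own first entry
  {
    complete_list:    client_ip('10.0.0.5', honest, COMPLETE),
    incomplete_list:  client_ip('10.0.0.5', honest, INCOMPLETE),
    spoofed_header:   client_ip('10.0.0.5', spoofed, COMPLETE),
    direct_untrusted: client_ip('198.51.100.7', '10.0.0.1', COMPLETE)
  }
end

demo.each { |name, ip| puts "#{name}: #{ip}" } if __FILE__ == $PROGRAM_NAME
```

With the incomplete list, every request is attributed to the external proxy's address, so per-IP rate limits and logs collapse onto one address.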
Dependencies
With the exception of Ruby's recommended version, external dependencies have not changed since v4.2.0, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:
- Ruby: 3.0 to 3.2
- PostgreSQL: 10 or newer
- Elasticsearch (recommended, for full-text search): 7.x (OpenSearch should also work)
- LibreTranslate (optional, for translations): 1.3.3 or newer
- Redis: 4 or newer
- Node: 16 or newer
- ImageMagick: 6.9.7-7 or newer
Update steps
Tip
The charlock_holmes gem may fail to build on some systems with recent versions of gcc.
If you run into such an issue, try BUNDLE_BUILD__CHARLOCK_HOLMES="--with-cxxflags=-std=c++17" bundle install.
The following instructions are for updating from 4.2.13.
If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.
Non-Docker only:
- Install dependencies: bundle install and yarn install --frozen-lockfile
- Restart all Mastodon processes
Using Docker:
- Restart all Mastodon processes
v4.1.21
Changelog
Fixed
- Fix inactive users' timelines being backfilled on follow and unsuspend (#33094 by @ClearlyClaire)
- Fix direct inbox delivery pushing posts into inactive followers' timelines (#33067 by @ClearlyClaire)
- Fix tl language native name (#32606 by @seav)
Security
- Update dependencies
Upgrade notes
To get the code for v4.1.21, use git fetch && git checkout v4.1.21.
Note
As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump
Important
Since v4.1.18, Mastodon is now performing stricter checks to prevent client IP address spoofing. This means that if one of your reverse proxies is not on Mastodon's local network, you will need to set TRUSTED_PROXY_IP accordingly, listing the IP address of every trusted reverse proxy (including local network ones). See the documentation for more information.
Dependencies
Warning
The minimum required Ruby version has been bumped to 3.0 in Mastodon v4.1.14.
External dependencies have not changed compared to v4.1.14, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:
- Ruby: 3.0
- PostgreSQL: 9.5 or newer
- Elasticsearch (optional, for full-text search): 7.x
- Redis: 4 or newer
- Node: >= 14, < 18
- ImageMagick: 6.9.7-7 or newer
Update steps
The following instructions are for updating from 4.1.20.
If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.
Non-Docker only:
- Install dependencies: bundle install and yarn install --frozen-lockfile
Both Docker and non-Docker:
- Restart all Mastodon processes
v4.3.1
Changelog
Added
- Add more explicit explanations about author attribution and fediverse:creator (#32383 by @ClearlyClaire)
- Add ability to group follow notifications in WebUI, can be disabled in the column settings (#32520 by @renchap)
- Add back a 6 hours mute duration option (#32522 by @renchap)
- Add note about not changing ActiveRecord encryption secrets once they are set (#32413, #32476, #32512, and #32537 by @ClearlyClaire and @mjankowski)
Changed
- Change translation feature to translate to selected regional variant (e.g. pt-BR) if available (#32428 by @c960657)
Removed
- Remove ability to get embed code for remote posts (#32578 by @ClearlyClaire)
Getting the embed code is only reliable for local posts.
It never worked for non-Mastodon servers, and stopped working correctly with the changes made in 4.3.0.
We have therefore decided to remove the menu entry while we investigate solutions.
Fixed
- Fix follow recommendation moderation page default language when using regional variant (#32580 by @ClearlyClaire)
- Fix column-settings spacing in local timeline in advanced view (#32567 by @lindwurm)
- Fix broken i18n in text welcome mailer tags area (#32571 by @mjankowski)
- Fix missing or incorrect cache-control headers for Streaming server (#32551 by @ThisIsMissEm)
- Fix only the first paragraph being displayed in some notifications (#32348 by @ClearlyClaire)
- Fix reblog icons on account media view (#32506 by @tribela)
- Fix Content-Security-Policy not allowing OpenStack SWIFT object storage URI (#32439 by @kenkiku1021)
- Fix back arrow pointing to the incorrect direction in RTL languages (#32485 by @renchap)
- Fix streaming server using REDIS_USERNAME instead of REDIS_USER (#32493 by @ThisIsMissEm)
- Fix follow recommendation carrousel scrolling on RTL layouts (#32462 and #32505 by @ClearlyClaire)
- Fix follow recommendation suppressions not applying immediately (#32392 by @ClearlyClaire)
- Fix language of push notifications (#32415 by @ClearlyClaire)
- Fix mute duration not being shown in list of muted accounts in web UI (#32388 by @ClearlyClaire)
- Fix “Mark every notification as read” not updating the read marker if scrolled down (#32385 by @ClearlyClaire)
- Fix “Mention” appearing for otherwise filtered posts (#32356 by @ClearlyClaire)
- Fix notification requests from suspended accounts still being listed (#32354 by @ClearlyClaire)
- Fix list edition modal styling (#32358 and #32367 by @ClearlyClaire and @vmstan)
- Fix 4 columns barely not fitting on 1920px screen (#32361 by @ClearlyClaire)
- Fix icon alignment in applications list (#32293 by @mjankowski)
Upgrade notes
To get the code for v4.3.1, use git fetch && git checkout v4.3.1.
Note
As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump
Dependencies
External dependencies have not changed since v4.3.0, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:
- Ruby: 3.1 or newer
- PostgreSQL: 12 or newer. PostgreSQL versions 14.0 to 14.3 are not supported as they contain a critical data-corruption bug (see v4.3.0 release notes)
- Elasticsearch (recommended, for full-text search): 7.x (OpenSearch should also work)
- LibreTranslate (optional, for translations): 1.3.3 or newer
- Redis: 4 or newer
- Node: 18 or newer
- ImageMagick (optional if using libvips): 6.9.7-7 or newer
- libvips (optional, instead of ImageMagick): 8.13 or newer
Update steps
The following instructions are for updating from 4.3.0.
If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations. In particular, please read the v4.3.0 release notes, as there have been multiple important changes.
Non-docker
Tip
The charlock_holmes gem may fail to build on some systems with recent versions of gcc.
If you run into such an issue, try BUNDLE_BUILD__CHARLOCK_HOLMES="--with-cxxflags=-std=c++17" bundle install.
- Install dependencies with bundle install and yarn install --immutable
- Precompile the assets: RAILS_ENV=production bundle exec rails assets:precompile
- Restart all Mastodon processes.
When using docker
- Restart all Mastodon processes.
v4.3.0
Upgrade overview
This release contains upgrade notes that deviate from the norm:
ℹ️ Requires streaming API restart
ℹ️ Requires database migrations
ℹ️ The logging format of the streaming server has changed
For more information, view the complete release notes and scroll down to the upgrade instructions section.
Changelog
The following changelog entries focus on changes visible to users, administrators, client developers or federated software developers, but there has also been a lot of code modernization, refactoring, and tooling work, in particular by @mjankowski.
Security
- Add confirmation interstitial instead of silently redirecting logged-out visitors to remote resources (#27792, #28902, and #30651 by @ClearlyClaire and @Gargron)
This fixes a longstanding open redirect in Mastodon, at the cost of added friction when local links to remote resources are shared.
- Fix ReDoS vulnerability on some Ruby versions (GHSA-jpxp-r43f-rhvx)
- Change form-action Content-Security-Policy directive to be more restrictive (#26897 and #32241 by @ClearlyClaire)
- Update dependencies
Added
- Add server-side notification grouping (#29889, #30576, #30685, #30688, #30707, #30776, #30779, #30781, #30440, #31062, #31098, #31076, #31111, #31123, #31223, #31214, #31224, #31299, #31325, #31347, #31304, #31326, #31384, #31403, #31433, #31509, #31486, #31513, #31592, #31594, #31638, #31746, #31652, #31709, #31725, #31745, #31613, #31657, #31840, #31610, #31929, #32089, #32085, #32243, #32179 and #32254 by @ClearlyClaire, @Gargron, @mgmn, and @renchap)
Group notifications of the same type for the same target, so that your notifications no longer get cluttered by boost and favorite notifications as soon as a couple of your posts get traction.
This is done server-side so that clients can efficiently get relevant groups without having to go through numerous pages of individual notifications.
As part of this, the visual design of the entire notifications feature has been revamped.
The API consists of:
  - a new group_key attribute to Notification entities
  - GET /api/v2/notifications: https://docs.joinmastodon.org/methods/grouped_notifications/#get-grouped
  - GET /api/v2/notifications/:group_key: https://docs.joinmastodon.org/methods/grouped_notifications/#get-notification-group
  - GET /api/v2/notifications/:group_key/accounts: https://docs.joinmastodon.org/methods/grouped_notifications/#get-group-accounts
  - POST /api/v2/notifications/:group_key/dismiss: https://docs.joinmastodon.org/methods/grouped_notifications/#dismiss-group
  - GET /api/v2/notifications/:unread_count: https://docs.joinmastodon.org/methods/grouped_notifications/#unread-group-count
- Add notification policies, filtered notifications and notification requests (#29366, #29529, #29433, #29565, #29567, #29572, #29575, #29588, #29646, #29652, #29658, #29666, #29693, #29699, #29737, #29706, #29570, #29752, #29810, #29826, #30114, #30251, #30559, #29868, #31008, #31011, #30996, #31149, #31220, #31222, #31225, #31242, #31262, #31250, #31273, #31310, #31316, #31322, #31329, #31324, #31331, #31343, #31342, #31309, #31358, #31378, #31406, #31256, #31456, #31419, #31457, #31508, #31540, #31541, #31723, #32062 and #32281 by @ClearlyClaire, @Gargron, @TheEssem, @mgmn, @oneiros, and @renchap)
The old “Block notifications from non-followers”, “Block notifications from people you don't follow” and “Block direct messages from people you don't follow” notification settings have been replaced by a new set of settings found directly in the notification column.
You can now separately filter or drop notifications from people you don't follow, people who don't follow you, accounts created within the past 30 days, as well as unsolicited private mentions, and accounts limited by the moderation.
Instead of being outright dropped, notifications that you chose to filter are put in a separate “Filtered notifications” box that you can review separately without it clogging your main notifications.
This adds the following REST API endpoints:
  - GET /api/v2/notifications/policy: https://docs.joinmastodon.org/methods/notifications/#get-policy
  - PATCH /api/v2/notifications/policy: https://docs.joinmastodon.org/methods/notifications/#update-the-filtering-policy-for-notifications
  - GET /api/v1/notifications/requests: https://docs.joinmastodon.org/methods/notifications/#get-requests
  - GET /api/v1/notifications/requests/:id: https://docs.joinmastodon.org/methods/notifications/#get-one-request
  - POST /api/v1/notifications/requests/:id/accept: https://docs.joinmastodon.org/methods/notifications/#accept-request
  - POST /api/v1/notifications/requests/:id/dismiss: https://docs.joinmastodon.org/methods/notifications/#dismiss-request
  - POST /api/v1/notifications/requests/accept: https://docs.joinmastodon.org/methods/notifications/#accept-multiple-requests
  - POST /api/v1/notifications/requests/dismiss: https://docs.joinmastodon.org/methods/notifications/#dismiss-multiple-requests
  - GET /api/v1/notifications/requests/merged: https://docs.joinmastodon.org/methods/notifications/#requests-merged
In addition, accepting one or more notification requests generates a new streaming event:
  - notifications_merged: an event of this type indicates accepted notification requests have finished merging, and the notifications list should be refreshed
- Add notifications of severed relationships (#27511, #29665, #29668, #29670, #29700, #29714, #29712, and #29731 by @ClearlyClaire and @Gargron)
Notify local users when they lose relationships as a result of a local moderator blocking a remote account or server, allowing the affected user to retrieve the list of broken relationships.
Note that this does not notify remote users.
This adds the severed_relationships notification type to the REST API and streaming, with a new relationship_severance_event attribute.
- Add hover cards in web UI (#30754, #30864, #30850, #30879, #30928, #30949, #30948, #30931, and #31300 by @ClearlyClaire, @Gargron, and @renchap)
Hovering over an avatar or username will now display a hover card with the first two lines of the user's description and their first two profile fields.
This can be disabled in the “Animations and accessibility” section of the preferences.
- Add "system" theme setting (light/dark theme depending on user system preference) (#29748, #29553, #29795, #29918, #30839, and #30861 by @nshki, @ErikUden, @mjankowski, @renchap, and @vmstan)
Add a “system” theme that automatically switches between default dark and light themes depending on the user's system preferences.
Also changes the default server theme to this new “system” theme so that automatic theme selection happens even when logged out.
- Add timeline of public posts about a trending link (#30381 and #30840 by @Gargron)
You can now see public posts mentioning currently-trending articles from people who have opted into discovery features.
This adds a new REST API endpoint:
  - GET /api/v1/timelines/link?url=:url: https://docs.joinmastodon.org/methods/timelines/#link
- Add author highlight for news articles whose authors are on the fediverse (#30398, #30670, #30521, #30846, #31819, #31900 and #32188 by @Gargron, @mjankowski and @oneiros)
This adds a mechanism to highlight the author of news articles shared on Mastodon.
Articles hosted outside the fediverse can indicate a fediverse author with a meta tag: <meta name="fediverse:creator" content="username@domain" />
On the API side, this is represented by a new authors attribute to the PreviewCard entity: https://docs.joinmastodon.org/entities/PreviewCard/#authors
Users can allow arbitrary domains to use fediverse:creator to credit them by visiting /settings/verification.
This is federated as a new attributionDomains property in the http://joinmastodon.org/ns namespace, containing an array of domain names: https://docs.joinmastodon.org/spec/activitypub/#properties-used-1
- Add in-app notifications for moderation actions and warnings (#30065, #30082, and #30081 by @ClearlyClaire)
In addition to email notifications, also notify users of moderation actions or warnings against them directly within the app, so they are less likely to miss important communication from their moderators.
This adds the...
v4.3.0-rc.1
Warning
This is a pre-release! This has not been as widely tested as regular releases, although it is still tested on mastodon.social and some other servers. If you update to this release, you will not be able to safely downgrade to the existing stable releases. You will, however, be able to upgrade to later nightly releases, prereleases as well as the upcoming 4.3.0 stable release.
Upgrade overview
This release contains upgrade notes that deviate from the norm:
ℹ️ Requires streaming API restart
ℹ️ Requires database migrations
ℹ️ The logging format of the streaming server has changed
For more information, scroll down to the upgrade instructions section.
Changelog (v4.3.0-rc.1)
Security
- Fix ReDoS vulnerability on some Ruby versions (GHSA-jpxp-r43f-rhvx)
Added
- Add “A Mastodon update is available.” message on admin dashboard for non-bugfix updates (#32106 by @ClearlyClaire)
- Add ability to view alt text by clicking the ALT badge in web UI (#32058 by @Gargron)
- Add preview of followers removed in domain block modal in web UI (#32032 and #32105 by @ClearlyClaire and @Gargron)
- Add server-side notification grouping for follow notifications (#32085 by @renchap)
- Add reblogs and favourites counts to statuses in ActivityPub (#32007 by @Gargron)
- Add OTEL_SERVICE_NAME_SEPARATOR to further customize OpenTelemetry service names (#31998 by @timetinytim)
Changed
- Change media reordering design in the compose form in web UI (#32093 by @Gargron)
- Change design of media gallery and media tab on profiles in web UI (#31967 by @Gargron)
- Change styling of statuses in email to match that of the web interface (#32073 and #32132 by @c960657)
- Change label of "Data export" menu item in settings interface (#32099 by @c960657)
- Change responsive break points on navigation panel in web UI (#32034 by @Gargron)
- Change cursor to not-allowed on disabled buttons (#32076 by @mjankowski)
- Change hide media button to be in top right corner in web UI (#32048 by @Gargron)
- Change mobile breakpoint back to old version and allow main column to shrink (#32033 by @ClearlyClaire)
- Change OAuth authorization prompt to not refer to apps as “third-party” (#32005 by @Gargron)
- Change Mastodon to issue correct HTTP signatures by default (#31994 by @ClearlyClaire)
- Change zoom icon in web UI (#29683 by @Gargron)
- Change directory page to use URL query strings for options (#31980, #31977 and #31984 by @ClearlyClaire and @renchap)
Fixed
- Fix missing permission on new embeds making them unclickable (#32135 by @Gargron)
- Fix missing border in some admin UI tables (#32128 by @mjankowski)
- Fix recently used tags hint being displayed in profile edition page when there is none (#32120 by @mjankowski)
- Fix checkbox lists on narrow screens in the settings interface (#32112 by @mjankowski)
- Fix scrollbar width (#32091 by @ClearlyClaire)
- Fix typo causing incorrect error being raised in blurhash processing failure (#32104 by @ClearlyClaire)
- Fix the position of status action buttons being affected by interaction counters (#32084 by @renchap)
- Fix too many requests caused by relationship look-ups in web UI (#32042 by @Gargron)
- Fix wrapping in dashboard quick access buttons (#32043 by @renchap)
- Fix the summary of converted ActivityPub object types to be treated as HTML (#28629 by @Menrath)
- Fix error when accepting an appeal for sensitive posts deleted in the meantime (#32037 by @ClearlyClaire)
- Fix multiple bugs in notification requests and notification policies (#32062 by @ClearlyClaire)
- Fix error when encountering reblog of deleted post in feed rebuild (#32001 by @ClearlyClaire)
- Fix links for reblogs in moderation interface (#31979 by @ClearlyClaire)
- Fix Safari browser glitch related to horizontal scrolling (#31960 by @Gargron)
- Fix the appearance of avatars when they do not load (#31966 by @renchap)
- Fix spurious error notifications for aborted requests in web UI (#31952 by @c960657)
Removed
- Remove global Regexp timeout (#32169 by @ClearlyClaire)
- Remove deprecated v2_alpha endpoint for grouped notifications (#32089 by @renchap)
- Remove unused E2EE messaging code and related crypto OAuth scope (#31193, #31945, #31963, and #31964 by @ClearlyClaire and @mjankowski)
Changelog (v4.3.0-beta.2)
Security
- Update dependencies
- Change form-action Content-Security-Policy directive to be more restrictive (#26897 by @ClearlyClaire)
- Fix username normalization issue in web interface (GHSA-3m9q-ww7w-qc5j by @Gargron)
Added
- Add global Regexp timeout (#31928 by @ClearlyClaire)
- Add ability to manage which websites can credit you in link previews using fediverse:creator (#31819 and #31900 by @Gargron and @oneiros)
In 4.3.0-beta.1, fediverse:creator was only taken into account for articles published on providers manually approved for trending by moderators.
This change adds a section in /settings/verification so that users can themselves list which domains are allowed to credit them.
This is federated as a new attributionDomains property in the http://joinmastodon.org/ns namespace, containing an array of domain names: https://docs.joinmastodon.org/spec/activitypub/#properties-used-1
- Add link to /admin/roles in moderation interface when changing someone's role (#31791 by @ClearlyClaire)
- Add anchors to each authorized application in /oauth/authorized_applications (#31677 by @fowl2)
- Add support for Redis sentinel (#31694, #31623, #31744, #31767, and #31768 by @ThisIsMissEm and @oneiros)
See https://docs.joinmastodon.org/admin/scaling/#redis-sentinel
- Add support for CORS to POST /oauth/revoke (#31743 by @ClearlyClaire)
- Add GET /api/v2_alpha/notifications/:group_key/accounts (#31725 by @ClearlyClaire)
See documentation: https://docs.joinmastodon.org/methods/grouped_notifications/#get-group-accounts
- Add grouped_types parameter to allow clients to restrict which notifications types get grouped (#31594 by @ClearlyClaire)
See documentation: https://docs.joinmastodon.org/methods/grouped_notifications/#get-grouped
- Add quick links to Administration and Moderation Reports from Web UI (#24838 by @ThisIsMissEm)
Changed
- Enable grouped notifications unconditionally (#31610 and #31929 by @ClearlyClaire)
- Change grouped notifications API from /api/v2_alpha/notifications* to /api/v2/notifications* (#31840 by @ClearlyClaire)
See documentation: https://docs.joinmastodon.org/methods/grouped_notifications/
- Change preview card image size limit from 2MB to 8MB when using libvips (#31904 by @ClearlyClaire)
- Change design of embed modal in web UI (#31801 by @Gargron)
- Change preview card processing to ignore undefined as canonical url (#31882 by @oneiros)
- Change embedded posts to use web UI (#31766 by @Gargron)
- Change inner borders in media galleries in web UI (#31852 by @Gargron)
- Change design of hide media button in web UI (#31807 by @Gargron)
- Change labels on thread indicators in web UI (#31806 by @Gargron)
- Change instances of Nokogiri HTML4 parsing to HTML5 (#31812, #31815, #31813, and #31814 by @flavorjones)
- Change report action buttons to be disabled when action has already been taken (#31773, #31822, and #31899 by @ClearlyClaire and @ThisIsMissEm)
- Change width of columns in advanced web UI (#31762 by @Gargron)
- Change design of unread conversations in web UI (#31763 by @Gargron)
- Change background color of notifications about private messages (#31657 by @ClearlyClaire)
- Change design of boost modal in web UI (#31555 by @Gargron)
Fixed
- Fix single-panel breakpoint being too narrow (#31889 by @ClearlyClaire)
- Fix cancel follow request button sometimes saying “Follow back” (#31934 by @ClearlyClaire)
- Fix horizontal scrollbar on who to follow carousel in web UI (#31912 by @Gargron)
- Fix invalid date searches returning 503 errors (#31526 by @notchairmk)
- Fix invalid visibility values in POST /api/v1/statuses returning 500 errors (#31571 by @c960657)
- Fix the primary button in modals not being auto-focused anymore (#31883 by @ClearlyClaire)
- Fix security context sometimes not being added in LD-Signed activities (#31871 by @ClearlyClaire)
- Fix some components re-rendering spuriously in web UI (#31879 and #31881 by @ClearlyClaire and @Gargron)
- Fix styling of media edition modal (#31844, #31864, and #31943 by @vmstan)
- Fix use of deprecated Remove vendor prefix from apple-mobile-web-app-capable meta tag (#31845 by @mjankowski)
- Fix sort order of moderation notes on Reports and Accounts (#31528 by @ThisIsMissEm)
- Fix radio checkbox visibility in Report dialogs (#31752 by @vmstan)
- Fix wrong width on content warnings and filt...
v4.2.13
Changelog
Security
- Fix ReDoS vulnerability on some Ruby versions (GHSA-jpxp-r43f-rhvx)
- Update dependencies
Added
- Add “A Mastodon update is available.” message on admin dashboard for non-bugfix updates (#32106 by @ClearlyClaire)
Changed
- Change Mastodon to issue correct HTTP signatures by default (#31994 by @ClearlyClaire)
Fixed
- Fix replies collection being cached improperly
- Fix security context sometimes not being added in LD-Signed activities (#31871 by @ClearlyClaire)
- Fix error when encountering reblog of deleted post in feed rebuild (#32001 by @ClearlyClaire)
Upgrade notes
To get the code for v4.2.13, use git fetch && git checkout v4.2.13.
Note
As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump
Important
Since v4.2.10, Mastodon is now performing stricter checks to prevent client IP address spoofing. This means that if one of your reverse proxies is not on Mastodon's local network, you will need to set TRUSTED_PROXY_IP accordingly, listing the IP address of every trusted reverse proxy (including local network ones). See the documentation for more information.
Dependencies
With the exception of Ruby's recommended version, external dependencies have not changed since v4.2.0, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:
- Ruby: 3.0 to 3.2
- PostgreSQL: 10 or newer
- Elasticsearch (recommended, for full-text search): 7.x (OpenSearch should also work)
- LibreTranslate (optional, for translations): 1.3.3 or newer
- Redis: 4 or newer
- Node: 16 or newer
- ImageMagick: 6.9.7-7 or newer
Update steps
Tip
The charlock_holmes gem may fail to build on some systems with recent versions of gcc.
If you run into such an issue, try BUNDLE_BUILD__CHARLOCK_HOLMES="--with-cxxflags=-std=c++17" bundle install.
The following instructions are for updating from 4.2.12.
If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.
Non-Docker only:
- Install dependencies: bundle install and yarn install --frozen-lockfile
- Restart all Mastodon processes
Using Docker:
- Restart all Mastodon processes
v4.1.20
Changelog
Security
- Fix ReDoS vulnerability on some Ruby versions (GHSA-jpxp-r43f-rhvx)
- Update dependencies
Changed
- Change Mastodon to issue correct HTTP signatures by default (#31994 by @ClearlyClaire)
Fixed
- Fix replies collection being cached improperly
- Fix security context sometimes not being added in LD-Signed activities (#31871 by @ClearlyClaire)
- Fix error when encountering reblog of deleted post in feed rebuild (#32001 by @ClearlyClaire)
Upgrade notes
To get the code for v4.1.20, use git fetch && git checkout v4.1.20.
Note
As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump
Important
Since v4.1.18, Mastodon performs stricter checks to prevent client IP address spoofing. This means that if one of your reverse proxies is not on Mastodon's local network, you will need to set TRUSTED_PROXY_IP accordingly, listing the IP address of every trusted reverse proxy (including local network ones). See the documentation for more information.
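How a trusted-proxy list such as TRUSTED_PROXY_IP decides which address counts as the client, for this note and the identical one under v4.2.13. This is an added illustration of the general right-to-left X-Forwarded-For check, not Mastodon's own code; the comma-separated value format, the function names and every address are assumptions constructed for the example.

```ruby
require "ipaddr"

# Parse a TRUSTED_PROXY_IP-style value. Assumption: a comma-separated list of
# single addresses and/or CIDR ranges.
def parse_trusted_proxies(value)
  value.to_s.split(",").map(&:strip).reject(&:empty?).map { |entry| IPAddr.new(entry) }
end

def trusted?(ip, trusted)
  trusted.any? { |range| range.include?(ip) }
end

# Resolve the client address for one request.
#   peer_addr     - address of the TCP connection (a header cannot forge it)
#   forwarded_for - raw X-Forwarded-For header value, or nil
# Start from the peer and step leftwards through the header only while the
# current address is a trusted proxy; the first untrusted address is the client.
def client_ip(peer_addr, forwarded_for, trusted)
  candidate = IPAddr.new(peer_addr)
  hops = forwarded_for.to_s.split(",").map(&:strip).reject(&:empty?)
  hops.reverse_each do |hop|
    break unless trusted?(candidate, trusted) # entries further left are unverified
    begin
      candidate = IPAddr.new(hop)
    rescue IPAddr::Error
      break # malformed entry: keep the last address that could be verified
    end
  end
  candidate.to_s
end

# Constructed sample deployment: a local nginx (10.0.0.5) behind an edge proxy
# on another network (203.0.113.10). Client and edge addresses come from
# documentation ranges.
LOCAL_ONLY = parse_trusted_proxies("127.0.0.1,10.0.0.0/8")
WITH_EDGE  = parse_trusted_proxies("127.0.0.1, 10.0.0.0/8, 203.0.113.10")

def demo
  header = "198.51.100.7, 203.0.113.10" # client, then edge proxy
  {
    edge_listed: client_ip("10.0.0.5", header, WITH_EDGE),
    edge_missing: client_ip("10.0.0.5", header, LOCAL_ONLY),
    forged_entry: client_ip("10.0.0.5", "192.0.2.99, 198.51.100.7, 203.0.113.10", WITH_EDGE),
    direct_peer: client_ip("198.51.100.7", "127.0.0.1", WITH_EDGE),
  }
end

demo.each { |name, ip| puts "#{name}: #{ip}" } if __FILE__ == $PROGRAM_NAME
```

In this model, leaving the off-network proxy out of the list (edge_missing) makes every request resolve to the proxy's own address, which is the symptom to look for in logs after upgrading.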
Dependencies
Warning
The minimum required Ruby version has been bumped to 3.0 in Mastodon v4.1.14.
External dependencies have not changed compared to v4.1.14; the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:
- Ruby: 3.0
- PostgreSQL: 9.5 or newer
- Elasticsearch (optional, for full-text search): 7.x
- Redis: 4 or newer
- Node: >= 14, < 18
- ImageMagick: 6.9.7-7 or newer
Update steps
The following instructions are for updating from 4.1.19.
If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.
Non-Docker only:
- Install dependencies: bundle install and yarn install --frozen-lockfile
Both Docker and non-Docker:
- Restart all Mastodon processes
v4.3.0-beta.2
Warning
This is a pre-release! This has not been as widely tested as regular releases, although it is still tested on mastodon.social and some other servers. If you update to this release, you will not be able to safely downgrade to the existing stable releases. You will, however, be able to upgrade to later nightly releases, prereleases as well as the upcoming 4.3.0 stable release.
Upgrade overview
This release contains upgrade notes that deviate from the norm:
ℹ️ Requires streaming API restart
ℹ️ Requires database migrations
ℹ️ The logging format of the streaming server has changed
For more information, scroll down to the upgrade instructions section.
Changelog (v4.3.0-beta.2)
Security
- Update dependencies
- Change form-action Content-Security-Policy directive to be more restrictive (#26897 by @ClearlyClaire)
- Fix username normalization issue in web interface (GHSA-3m9q-ww7w-qc5j by @Gargron)
Added
- Add global Regexp timeout (#31928 by @ClearlyClaire)
- Add ability to manage which websites can credit you in link previews using fediverse:creator (#31819 and #31900 by @Gargron and @oneiros)
In 4.3.0-beta.1, fediverse:creator was only taken into account for articles published on providers manually approved for trending by moderators.
This change adds a section in /settings/verification so that users can themselves list which domains are allowed to credit them.
This is federated as a new attributionDomains property in the http://joinmastodon.org/ns namespace, containing an array of domain names: https://docs.joinmastodon.org/spec/activitypub/#properties-used-1
- Add link to /admin/roles in moderation interface when changing someone's role (#31791 by @ClearlyClaire)
- Add anchors to each authorized application in /oauth/authorized_applications (#31677 by @fowl2)
- Add support for Redis sentinel (#31694, #31623, #31744, #31767, and #31768 by @ThisIsMissEm and @oneiros)
See https://docs.joinmastodon.org/admin/scaling/#redis-sentinel
- Add support for CORS to POST /oauth/revoke (#31743 by @ClearlyClaire)
- Add GET /api/v2_alpha/notifications/:group_key/accounts (#31725 by @ClearlyClaire)
See documentation: https://docs.joinmastodon.org/methods/grouped_notifications/#get-group-accounts
- Add grouped_types parameter to allow clients to restrict which notifications types get grouped (#31594 by @ClearlyClaire)
See documentation: https://docs.joinmastodon.org/methods/grouped_notifications/#get-grouped
- Add quick links to Administration and Moderation Reports from Web UI (#24838 by @ThisIsMissEm)
Changed
- Enable grouped notifications unconditionally (#31610 and #31929 by @ClearlyClaire)
- Change grouped notifications API from /api/v2_alpha/notifications* to /api/v2/notifications* (#31840 by @ClearlyClaire)
See documentation: https://docs.joinmastodon.org/methods/grouped_notifications/
- Change preview card image size limit from 2MB to 8MB when using libvips (#31904 by @ClearlyClaire)
- Change design of embed modal in web UI (#31801 by @Gargron)
- Change preview card processing to ignore undefined as canonical url (#31882 by @oneiros)
- Change embedded posts to use web UI (#31766 by @Gargron)
- Change inner borders in media galleries in web UI (#31852 by @Gargron)
- Change design of hide media button in web UI (#31807 by @Gargron)
- Change labels on thread indicators in web UI (#31806 by @Gargron)
- Change instances of Nokogiri HTML4 parsing to HTML5 (#31812, #31815, #31813, and #31814 by @flavorjones)
- Change report action buttons to be disabled when action has already been taken (#31773, #31822, and #31899 by @ClearlyClaire and @ThisIsMissEm)
- Change width of columns in advanced web UI (#31762 by @Gargron)
- Change design of unread conversations in web UI (#31763 by @Gargron)
- Change background color of notifications about private messages (#31657 by @ClearlyClaire)
- Change design of boost modal in web UI (#31555 by @Gargron)
Fixed
- Fix single-panel breakpoint being too narrow (#31889 by @ClearlyClaire)
- Fix cancel follow request button sometimes saying “Follow back” (#31934 by @ClearlyClaire)
- Fix horizontal scrollbar on who to follow carousel in web UI (#31912 by @Gargron)
- Fix invalid date searches returning 503 errors (#31526 by @notchairmk)
- Fix invalid visibility values in POST /api/v1/statuses returning 500 errors (#31571 by @c960657)
- Fix the primary button in modals not being auto-focused anymore (#31883 by @ClearlyClaire)
- Fix security context sometimes not being added in LD-Signed activities (#31871 by @ClearlyClaire)
- Fix some components re-rendering spuriously in web UI (#31879 and #31881 by @ClearlyClaire and @Gargron)
- Fix styling of media edition modal (#31844, #31864, and #31943 by @vmstan)
- Fix use of deprecated Remove vendor prefix from apple-mobile-web-app-capable meta tag (#31845 by @mjankowski)
- Fix sort order of moderation notes on Reports and Accounts (#31528 by @ThisIsMissEm)
- Fix radio checkbox visibility in Report dialogs (#31752 by @vmstan)
- Fix wrong width on content warnings and filters in web UI (#31761 by @Gargron)
- Fix email language when recipient has no selected locale (#31747 by @ClearlyClaire)
- Fix display name being displayed instead of domain in remote reports (#31613 by @ClearlyClaire)
- Fix all notification types being stored without filtering when polling (#31745 by @ClearlyClaire)
- Fix Corepack prompt on Devcontainer (#31729 by @vmstan)
- Fix Heroku configuration for heroku-24 (#31135 by @zunda)
- Fix frequently-used languages not correctly updating in the web UI (#31386 by @c960657)
- Fix radio buttons styling in web UI (#31723 by @ClearlyClaire)
- Fix not being able to load more notifications after trimming (#31652 and #31709 by @ClearlyClaire and @c960657)
- Fix POST /api/v1/statuses silently ignoring invalid media_ids parameter (#31681 by @c960657)
- Fix N+1s in grouped notifications (#31638 and #31746 by @ClearlyClaire)
- Fix handling of the BIND environment variable in the streaming server (#31624 by @ThisIsMissEm)
- Fix multiple issues in docker-compose file (#31612 and #31615 by @renchap)
- Fix spurious loading bar middleware usage (#31592 by @ClearlyClaire)
Changelog (v4.3.0-beta.1)
The following changelog entries focus on changes visible to users, administrators, client developers or federated software developers, but there has also been a lot of code modernization, refactoring, and tooling work, in particular by @mjankowski.
Security
- Add confirmation interstitial instead of silently redirecting logged-out visitors to remote resources (#27792, #28902, and #30651 by @ClearlyClaire and @Gargron)
This fixes a longstanding open redirect in Mastodon, at the cost of added friction when local links to remote resources are shared.
Added
- Add experimental server-side notification grouping (#29889, #30576, #30685, #30688, #30707, #30776, #30779, #30781, #30440, #31062, #31098, #31076, #31111, #31123, #31223, #31214, #31224, #31299, #31325, #31347, #31304, #31326, #31384, #31403, #31433, #31509, #31486, and #31513 by @ClearlyClaire, @mgmn, and @renchap)
Group notifications of the same type for the same target, so that your notifications no longer get cluttered by boost and favorite notifications as soon as a couple of your posts get traction.
This is done server-side so that clients can efficiently get relevant groups without having to go through numerous pages of individual notifications.
As part of this, the visual design of the entire notifications feature has been revamped.
This feature is intended to eventually replace the existing notifications column, but for this first beta, users will have to enable it in the “Experimental features” section of the notifications column settings.
The API is not final yet, but it consists of:
  - a new group_key attribute to Notification entities
  - GET /api/v2_alpha/notifications: https://docs.joinmastodon.org/methods/notifications_alpha/#get-grouped
  - GET /api/v2_alpha/notifications/:group_key: https://docs.joinmastodon.org/methods/notifications_alpha/#get-notification-group
  - POST /api/v2_alpha/notifications/:group_key/dismiss: https://docs.joinmastodon.org/methods/notifications_alpha/#dismiss-group
  - GET /api/v2_alpha/notifications/:unread_count: https://docs.joinmastodon.org/methods/notifications_alpha/#unread-group-count
- Add notification policies, filtered notifications and notification requests (#29366, #29529, #29433, #29565, #29567, #29572, #29575, #29588, #29646, #29652, #29658, #29666, #29693, #29699, #29737, #29706, #29570, #29752, #29810, #29826, #30114, #30251, #30559, #29868, #31008, #31011, #30996, #31149, #31220, #31222, #31225, #31242, #31262, #31250, #31273, #31310, #3131...
v4.3.0-beta.1
Warning
This is a pre-release! This has not been as widely tested as regular releases, although it is still tested on mastodon.social and some other servers. If you update to this release, you will not be able to safely downgrade to the existing stable releases. You will, however, be able to upgrade to later nightly releases, prereleases as well as the upcoming 4.3.0 stable release.
Upgrade overview
This release contains upgrade notes that deviate from the norm:
ℹ️ Requires streaming API restart
ℹ️ Requires database migrations
ℹ️ The logging format of the streaming server has changed
For more information, scroll down to the upgrade instructions section.
Changelog
The following changelog entries focus on changes visible to users, administrators, client developers or federated software developers, but there has also been a lot of code modernization, refactoring, and tooling work, in particular by @mjankowski.
Security
- Add confirmation interstitial instead of silently redirecting logged-out visitors to remote resources (#27792, #28902, and #30651 by @ClearlyClaire and @Gargron)
This fixes a longstanding open redirect in Mastodon, at the cost of added friction when local links to remote resources are shared.
Added
- Add experimental server-side notification grouping (#29889, #30576, #30685, #30688, #30707, #30776, #30779, #30781, #30440, #31062, #31098, #31076, #31111, #31123, #31223, #31214, #31224, #31299, #31325, #31347, #31304, #31326, #31384, #31403, #31433, #31509, #31486, and #31513 by @ClearlyClaire, @mgmn, and @renchap)
Group notifications of the same type for the same target, so that your notifications no longer get cluttered by boost and favorite notifications as soon as a couple of your posts get traction.
This is done server-side so that clients can efficiently get relevant groups without having to go through numerous pages of individual notifications.
As part of this, the visual design of the entire notifications feature has been revamped.
This feature is intended to eventually replace the existing notifications column, but for this first beta, users will have to enable it in the “Experimental features” section of the notifications column settings.
The API is not final yet, but it consists of:
  - a new group_key attribute to Notification entities
  - GET /api/v2_alpha/notifications: https://docs.joinmastodon.org/methods/notifications_alpha/#get-grouped
  - GET /api/v2_alpha/notifications/:group_key: https://docs.joinmastodon.org/methods/notifications_alpha/#get-notification-group
  - POST /api/v2_alpha/notifications/:group_key/dismiss: https://docs.joinmastodon.org/methods/notifications_alpha/#dismiss-group
  - GET /api/v2_alpha/notifications/:unread_count: https://docs.joinmastodon.org/methods/notifications_alpha/#unread-group-count
- Add notification policies, filtered notifications and notification requests (#29366, #29529, #29433, #29565, #29567, #29572, #29575, #29588, #29646, #29652, #29658, #29666, #29693, #29699, #29737, #29706, #29570, #29752, #29810, #29826, #30114, #30251, #30559, #29868, #31008, #31011, #30996, #31149, #31220, #31222, #31225, #31242, #31262, #31250, #31273, #31310, #31316, #31322, #31329, #31324, #31331, #31343, #31342, #31309, #31358, #31378, #31406, #31256, #31456, #31419, #31457, #31508, #31540, and #31541 by @ClearlyClaire, @Gargron, @TheEssem, @mgmn, @oneiros, and @renchap)
The old “Block notifications from non-followers”, “Block notifications from people you don't follow” and “Block direct messages from people you don't follow” notification settings have been replaced by a new set of settings found directly in the notification column.
You can now separately filter or drop notifications from people you don't follow, people who don't follow you, accounts created within the past 30 days, as well as unsolicited private mentions, and accounts limited by the moderation.
Instead of being outright dropped, notifications that you chose to filter are put in a separate “Filtered notifications” box that you can review separately without it clogging your main notifications.
This adds the following REST API endpoints:
  - GET /api/v2/notifications/policy: https://docs.joinmastodon.org/methods/notifications/#get-policy
  - PATCH /api/v2/notifications/policy: https://docs.joinmastodon.org/methods/notifications/#update-the-filtering-policy-for-notifications
  - GET /api/v1/notifications/requests: https://docs.joinmastodon.org/methods/notifications/#get-requests
  - GET /api/v1/notifications/requests/:id: https://docs.joinmastodon.org/methods/notifications/#get-one-request
  - POST /api/v1/notifications/requests/:id/accept: https://docs.joinmastodon.org/methods/notifications/#accept-request
  - POST /api/v1/notifications/requests/:id/dismiss: https://docs.joinmastodon.org/methods/notifications/#dismiss-request
  - POST /api/v1/notifications/requests/accept: https://docs.joinmastodon.org/methods/notifications/#accept-multiple-requests
  - POST /api/v1/notifications/requests/dismiss: https://docs.joinmastodon.org/methods/notifications/#dismiss-multiple-requests
  - GET /api/v1/notifications/requests/merged: https://docs.joinmastodon.org/methods/notifications/#requests-merged
In addition, accepting one or more notification requests generates a new streaming event:
  - notifications_merged: an event of this type indicates accepted notification requests have finished merging, and the notifications list should be refreshed
- Add notifications of severed relationships (#27511, #29665, #29668, #29670, #29700, #29714, #29712, and #29731 by @ClearlyClaire and @Gargron)
Notify local users when they lose relationships as a result of a local moderator blocking a remote account or server, allowing the affected user to retrieve the list of broken relationships.
Note that this does not notify remote users.
This adds the severed_relationships notification type to the REST API and streaming, with a new relationship_severance_event attribute.
- Add hover cards in web UI (#30754, #30864, #30850, #30879, #30928, #30949, #30948, #30931, and #31300 by @ClearlyClaire, @Gargron, and @renchap)
Hovering over an avatar or username will now display a hover card with the first two lines of the user's description and their first two profile fields.
This can be disabled in the “Animations and accessibility” section of the preferences.
- Add "system" theme setting (light/dark theme depending on user system preference) (#29748, #29553, #29795, #29918, #30839, and #30861 by @nshki, @ErikUden, @mjankowski, @renchap, and @vmstan)
Add a “system” theme that automatically switches between default dark and light themes depending on the user's system preferences.
Also changes the default server theme to this new “system” theme so that automatic theme selection happens even when logged out.
- Add timeline of public posts about a trending link (#30381 and #30840 by @Gargron)
You can now see public posts mentioning currently-trending articles from people who have opted into discovery features.
This adds a new REST API endpoint: https://docs.joinmastodon.org/methods/timelines/#link
- Add author highlight for news articles whose authors are on the fediverse (#30398, #30670, #30521, and #30846 by @Gargron)
This adds a mechanism to highlight the author of news articles shared on Mastodon.
Articles hosted outside the fediverse can indicate a fediverse author with a meta tag: <meta name="fediverse:creator" content="username@domain" />
On the API side, this is represented by a new authors attribute to the PreviewCard entity: https://docs.joinmastodon.org/entities/PreviewCard/#authors
Note that this feature is still work in progress and the tagging format and verification mechanisms may change in future releases.
- Add in-app notifications for moderation actions and warnings (#30065, #30082, and #30081 by @ClearlyClaire)
In addition to email notifications, also notify users of moderation actions or warnings against them directly within the app, so they are less likely to miss important communication from their moderators.
This adds the moderation_warning notification type to the REST API and streaming, with a new moderation_warning attribute.
- Add domain information to profiles in web UI (#29602 by @Gargron)
Clicking the domain of a user in their profile will now open a tooltip with a short explanation about servers and federation.
- Add ability to reorder upload...