CHANGELOG.md 127 KB

Changelog

All notable changes to this project will be documented in this file.

[4.2.7] - 2024-02-16

Fixed

  • Fix OmniAuth tests and edge cases in error handling (ClearlyClaire, ClearlyClaire)
  • Fix new installs by upgrading to the latest release of the nsa gem, instead of a no longer existing commit (mjankowski)

Security

[4.2.6] - 2024-02-14

Security

  • Update the sidekiq-unique-jobs dependency (see GHSA-cmh9-rx85-xj38) In addition, we have disabled the web interface for sidekiq-unique-jobs out of caution. If you need it, you can re-enable it by setting ENABLE_SIDEKIQ_UNIQUE_JOBS_UI=true. If you only need to clear all locks, you can now use bundle exec rake sidekiq_unique_jobs:delete_all_locks.
  • Update the nokogiri dependency (see GHSA-xc9x-jj77-9p9j)
  • Disable administrative Doorkeeper routes (ThisIsMissEm)
  • Fix ongoing streaming sessions not being invalidated when applications get deleted in some cases (GHSA-7w3c-p9j8-mq3x) In some rare cases, the streaming server was not notified of access tokens revocation on application deletion.
  • Change external authentication behavior to never reattach a new identity to an existing user by default (GHSA-vm39-j3vx-pch3) Up until now, Mastodon has allowed new identities from external authentication providers to attach to an existing local user based on their verified e-mail address. This allowed upgrading users from a database-stored password to an external authentication provider, or move from one authentication provider to another. However, this behavior may be unexpected, and means that when multiple authentication providers are configured, the overall security would be that of the least secure authentication provider. For these reasons, this behavior is now locked under the ALLOW_UNSAFE_AUTH_PROVIDER_REATTACH environment variable. In addition, regardless of this environment variable, Mastodon will refuse to attach two identities from the same authentication provider to the same account.

[4.2.5] - 2024-02-01

Security

[4.2.4] - 2024-01-24

Fixed

  • Fix error when processing remote files with unusually long names (ClearlyClaire)
  • Fix processing of compacted single-item JSON-LD collections (ClearlyClaire)
  • Retry 401 errors on replies fetching (ShadowJonathan)
  • Fix RecordNotUnique errors in LinkCrawlWorker (tribela)
  • Fix Mastodon not correctly processing HTTP Signatures with query strings (ClearlyClaire, ClearlyClaire)
  • Fix potential redirection loop of streaming endpoint (ClearlyClaire)
  • Fix streaming API redirection ignoring the port of streaming_api_base_url (ClearlyClaire)
  • Fix error when processing link preview with an array as inLanguage (ClearlyClaire)
  • Fix unsupported time zone or locale preventing sign-up (Gargron)
  • Fix "Hide these posts from home" list setting not refreshing when switching lists (brianholley)
  • Fix missing background behind dismissable banner in web UI (Gargron)
  • Fix line wrapping of language selection button with long locale codes (gunchleoc, ClearlyClaire)
  • Fix Undo Announce activity not being sent to non-follower authors (MitarashiDango)
  • Fix N+1s because of association preloaders not actually getting called (ClearlyClaire)
  • Fix empty column explainer getting cropped under certain conditions (ClearlyClaire)
  • Fix LinkCrawlWorker error when encountering empty OEmbed response (ClearlyClaire)
  • Fix call to inefficient delete_matched cache method in domain blocks (ClearlyClaire)

Security

  • Add rate-limit of TOTP authentication attempts at controller level (ClearlyClaire)

[4.2.3] - 2023-12-05

Fixed

  • Fix dependency on json-canonicalization version that has been made unavailable since last release

[4.2.2] - 2023-12-04

Changed

  • Change dismissed banners to be stored server-side (ClearlyClaire)
  • Change GIF max matrix size error to explicitly mention GIF files (ClearlyClaire)
  • Change Follow activities delivery to bypass availability check (ShadowJonathan)
  • Change single-column navigation notice to be displayed outside of the logo container (renchap, renchap)
  • Change Content-Security-Policy to be tighter on media paths (ClearlyClaire)
  • Change post language code to include country code when relevant (gunchleoc, ClearlyClaire)

Fixed

  • Fix upper border radius of onboarding columns (ClearlyClaire)
  • Fix incoming status creation date not being restricted to standard ISO8601 (ClearlyClaire, ClearlyClaire)
  • Fix some posts from threads received out-of-order sometimes not being inserted into timelines (ClearlyClaire)
  • Fix posts from force-sensitized accounts being able to trend (ClearlyClaire)
  • Fix error when trying to delete already-deleted file with OpenStack Swift (ClearlyClaire)
  • Fix batch attachment deletion when using OpenStack Swift (ClearlyClaire)
  • Fix processing LDSigned activities from actors with unknown public keys (ClearlyClaire)
  • Fix error and incorrect URLs in /api/v1/accounts/:id/featured_tags for remote accounts (ClearlyClaire)
  • Fix report processing notice not mentioning the report number when performing a custom action (ClearlyClaire)
  • Fix handling of inLanguage attribute in preview card processing (ClearlyClaire)
  • Fix own posts being removed from home timeline when unfollowing a used hashtag (kmycode)
  • Fix some link anchors being recognized as hashtags (ClearlyClaire, ClearlyClaire)
  • Fix format-dependent redirects being cached regardless of requested format (ClearlyClaire)

[4.2.1] - 2023-10-10

Added

  • Add redirection on /deck URLs for logged-out users (ClearlyClaire)
  • Add support for v4.2.0 migrations to tootctl maintenance fix-duplicates (ClearlyClaire)

Changed

  • Change some worker lock TTLs to be shorter-lived (ClearlyClaire)
  • Change user archive export allowed period from 7 days to 6 days (suddjian)

Fixed

  • Fix duplicate reports being sent when reporting some remote posts (ClearlyClaire)
  • Fix clicking on already-opened thread post scrolling to the top of the thread (ClearlyClaire, ClearlyClaire, ClearlyClaire)
  • Fix some remote posts getting truncated (ClearlyClaire)
  • Fix some cases of infinite scroll code trying to fetch inaccessible posts in a loop (ClearlyClaire)
  • Fix Vary headers not being set on some redirects (ClearlyClaire)
  • Fix mentions being matched in some URL query strings (mjankowski)
  • Fix unexpected linebreak in version string in the Web UI (vmstan)
  • Fix double scroll bars in some columns in advanced interface (ClearlyClaire)
  • Fix boosts of local users being filtered in account timelines (ClearlyClaire)
  • Fix multiple instances of the trend refresh scheduler sometimes running at once (ClearlyClaire)
  • Fix importer returning negative row estimates (jgillich)
  • Fix incorrectly keeping outdated update notices absent from the API endpoint (ClearlyClaire)
  • Fix import progress not updating on certain failures (ClearlyClaire)
  • Fix websocket connections being incorrectly decremented twice on errors (ThisIsMissEm)
  • Fix explore prompt appearing because of posts being received out of order (ClearlyClaire)
  • Fix explore prompt sometimes showing up when the home TL is loading (ClearlyClaire)
  • Fix link handling of mentions in user profiles when logged out (ClearlyClaire)
  • Fix filtering audit log for entries about disabling 2FA (ClearlyClaire)
  • Fix notification toasts not respecting reduce-motion (c960657)
  • Fix retention dashboard not displaying correct month (vmstan)
  • Fix tIME chunk not being properly removed from PNG uploads (TheEssem)
  • Fix division by zero in video in bitrate computation code (ClearlyClaire)
  • Fix inefficient queries in “Follows and followers” as well as several admin pages (ClearlyClaire, ClearlyClaire)
  • Fix ActiveRecord using two connection pools when no replica is defined (ClearlyClaire)
  • Fix the search documentation URL in system checks (renchap)

[4.2.0] - 2023-09-21

The following changelog entries focus on changes visible to users, administrators, client developers or federated software developers, but there has also been a lot of code modernization, refactoring, and tooling work, in particular by @danielmbrasil, @mjankowski, @nschonni, @renchap, and @takayamaki.

Added

Changed

  • Change hashtags to be displayed separately when they are the last line of a post (renchap, renchap, renchap)
  • Change reblogs to be excluded from "Posts and replies" tab in web UI (Gargron)
  • Change interaction modal in web interface (Gargron, ClearlyClaire, ClearlyClaire, ClearlyClaire, ClearlyClaire, mgmn, tribela, ClearlyClaire, ClearlyClaire)
  • Change design of link previews in web UI (Gargron, ClearlyClaire, Gargron, Gargron, Gargron, Gargron, c960657)
  • Change "direct message" nomenclature to "private mention" in web UI (Gargron)
  • Change translation feature to cover Content Warnings, poll options and media descriptions (c960657, S-H-GAMELINKS, c960657, ClearlyClaire)
  • Change account search to match by text when opted-in (jsgoldstein, Gargron)
  • Change import feature to be clearer, less error-prone and more reliable (ClearlyClaire, mgmn)
  • Change local and federated timelines to be tabs of a single “Live feeds” column (ClearlyClaire, Gargron, mgmn, Plastikmensch, ClearlyClaire)
  • Change user archive export to be faster and more reliable, and export .zip archives instead of .tar.gz ones (ClearlyClaire, TheEssem)
  • Change mastodon-streaming systemd unit files to be templated (e-nomem)
  • Change statsd integration to disable sidekiq metrics by default (mjankowski, mjankowski, ClearlyClaire) This deprecates statsd support and disables the sidekiq integration unless STATSD_SIDEKIQ is set to true. This is because the nsa gem is unmaintained, and its sidekiq integration is known to add very significant overhead. Later versions of Mastodon will have other ways to get the same metrics.
  • Change replica support to native Rails adapter (krainboltgreene, Gargron, Gargron, Gargron, Gargron, ClearlyClaire, ClearlyClaire, ClearlyClaire, ClearlyClaire) This is a breaking change, dropping makara support, and requiring you to update your database configuration if you are using replicas. To tell Mastodon to use a read replica, you can either set the REPLICA_DB_NAME environment variable (along with REPLICA_DB_USER, REPLICA_DB_PASS, REPLICA_DB_HOST, and REPLICA_DB_PORT, if they differ from the primary database), or the REPLICA_DATABASE_URL environment variable if your configuration is based on DATABASE_URL.
  • Change DCT method used for JPEG encoding to float (electroCutie)
  • Change from node-redis to ioredis for streaming (gmemstr)
  • Change private statuses index to index without crutches (ClearlyClaire)
  • Change video compression parameters (Gargron, Gargron, Gargron, Gargron)
  • Change admin e-mail notification settings to be their own settings group (ClearlyClaire)
  • Change opacity of the delete icon in the search field to be more visible (AntoninDelFabbro)
  • Change Account Search to prioritize username over display name (jsgoldstein)
  • Change follow recommendation materialized view to be faster in most cases (renchap, ClearlyClaire)
  • Change robots.txt to block GPTBot (Foritus)
  • Change header of hashtag timelines in web UI (Gargron, ClearlyClaire)
  • Change streaming /metrics to include additional metrics (ThisIsMissEm, ThisIsMissEm)
  • Change indexing frequency from 5 minutes to 1 minute, add locks to schedulers (Gargron)
  • Change column link to add a better keyboard focus indicator (teeerevor)
  • Change poll form element colors to fit with the rest of the ui (teeerevor, teeerevor, ClearlyClaire)
  • Change 'favourite' to 'favorite' for American English (marekr, gunchleoc, nabijaczleweli)
  • Change ActivityStreams representation of suspended accounts to not use a blank name (ClearlyClaire)
  • Change focus UI for keyboard only input (teeerevor, Gargron, Gargron)
  • Change thread view to scroll to the selected post rather than the post being replied to (ClearlyClaire)
  • Change links in multi-column mode so tabs are open in single-column mode (Signez, Signez, ClearlyClaire, Signez, Signez)
  • Change searching with # to include account index (jsgoldstein)
  • Change label and design of sensitive and unavailable media in web UI (Gargron, Gargron, Gargron)
  • Change button colors to increase hover/focus contrast and consistency (teeerevor, Gargron)
  • Change dropdown icon above compose form from ellipsis to bars in web UI (Gargron)
  • Change header backgrounds to use fewer different colors in web UI (Gargron)
  • Change files to be deleted in batches instead of one-by-one (Gargron, S-H-GAMELINKS, ClearlyClaire)
  • Change emoji picker icon (iparr)
  • Change edit profile page (Gargron, c960657)
  • Change "bot" label to "automated" (Gargron)
  • Change design of dropdowns in web UI (Gargron)
  • Change wording of “Content cache retention period” setting to highlight destructive implications (ClearlyClaire)
  • Change autolinking to allow carets in URL search params (renchap)
  • Change share action from being in action bar to being in dropdown in web UI (Gargron)
  • Change sessions to be ordered from most-recent to least-recently updated (frankieroberto)
  • Change vacuum scheduler to also delete expired tokens and unused application records (ClearlyClaire, ClearlyClaire)
  • Change "Sign in" to "Login" (Gargron)
  • Change domain suspensions to also be checked before trying to fetch unknown remote resources (ClearlyClaire)
  • Change media components to use aspect-ratio rather than compute height themselves (ClearlyClaire, ClearlyClaire, ClearlyClaire)
  • Change logo version in header based on screen size in web UI (Gargron)
  • Change label from "For you" to "People" on explore screen in web UI (Gargron)
  • Change logged-out WebUI HTML pages to be cached for a few seconds (ClearlyClaire)
  • Change unauthenticated responses to be cached in REST API (Gargron, ClearlyClaire, ClearlyClaire)
  • Change HTTP caching logic (Gargron, ClearlyClaire)
  • Change hashtags and mentions in bios to open in-app in web UI (Gargron)
  • Change styling of the recommended accounts to allow bio to be more visible (chike00)
  • Change account search in moderation interface to allow searching by username including the leading @ (HeitorMC)
  • Change all components to use the same error page in web UI (Gargron)
  • Change search pop-out in web UI (Gargron)
  • Change user settings to be stored in a more optimal way (Gargron, c960657, ClearlyClaire, ClearlyClaire, ClearlyClaire, Gargron, Gargron, ClearlyClaire, jsgoldstein, ClearlyClaire, ClearlyClaire)
  • Change media upload limits and remove client-side resizing (Gargron)
  • Change design of account rows in web UI (Gargron, Gargron, Gargron, ClearlyClaire)
  • Change log-out to use Single Logout when using external log-in through OIDC (CSDUMMI)
  • Change sidekiq-bulk's batch size from 10,000 to 1,000 jobs in one Redis call (ClearlyClaire)
  • Change translation to only be offered for supported languages (c960657, c960657) This adds the /api/v1/instance/translation_languages REST API endpoint that returns an object with the supported translation language pairs in the form:

    {
    "fr": ["en", "de"]
    }
    

    (where fr is a supported source language and en and de or supported output language when translating a fr string)

  • Change compose form checkbox to native input with appearance: none (ClearlyClaire)

  • Change posts' clickable area to be larger (c960657)

  • Change followed_by link to location=all if account is local on /admin/accounts/:id page (tribela)

Removed

  • Remove support for Node.js 14 (renchap)
  • Remove support for Ruby 2.7 (nschonni)
  • Remove clustering from streaming API (ThisIsMissEm)
  • Remove anonymous access to the streaming API (ClearlyClaire)
  • Remove obfuscation of reply count in web UI (Gargron)
  • Remove kmr from language selection, as it was a duplicate for ku (gunchleoc, ClearlyClaire)
  • Remove 16:9 cropping from web UI (Gargron)
  • Remove back button from bookmarks, favourites and lists screens in web UI (Gargron)
  • Remove display name input from sign-up form (Gargron)
  • Remove tai locale (c960657)
  • Remove empty Kushubian (csb) local files (nschonni)
  • Remove Permissions-Policy header from all responses (Gargron)

Fixed

  • Fix filters not being applying in the explore page (ClearlyClaire)
  • Fix being unable to load past a full page of filtered posts in Home timeline (ClearlyClaire)
  • Fix log-in flow when involving both OAuth and external authentication (CSDUMMI)
  • Fix broken links in account gallery (c960657)
  • Fix migration handler not updating lists (ClearlyClaire)
  • Fix crash when viewing a moderation appeal and the moderator account has been deleted (xrobau)
  • Fix error in Web UI when server rules cannot be fetched (ClearlyClaire)
  • Fix paragraph margins resulting in irregular read-more cut-off in web UI (Gargron)
  • Fix notification permissions being requested immediately after login (ClearlyClaire)
  • Fix performances of profile directory (ClearlyClaire, ClearlyClaire)
  • Fix mute button and volume slider feeling disconnected in web UI (Gargron, ClearlyClaire)
  • Fix “Scoped order is ignored, it's forced to be batch order.” warnings (ClearlyClaire)
  • Fix blocked domain appearing in account feeds (ClearlyClaire)
  • Fix invalid Content-Type header for WebP images (c960657)
  • Fix minor inefficiencies in tootctl search deploy (ClearlyClaire)
  • Fix filter form in profiles directory overflowing instead of wrapping (arbolitoloco1)
  • Fix sign up steps progress layout in right-to-left locales (ClearlyClaire)
  • Fix bug with “favorited by” and “reblogged by“ view on posts only showing up to 40 items (timothyjrogers, timothyjrogers)
  • Fix bad search type heuristic (Gargron)
  • Fix not being able to negate prefix clauses in search (Gargron)
  • Fix timeout on invalid set of exclusionary parameters in /api/v1/timelines/public (danielmbrasil)
  • Fix adding column with default value taking longer on Postgres >= 11 (Gargron)
  • Fix light theme select option for hashtags (teeerevor)
  • Fix AVIF attachments (c960657)
  • Fix incorrect URL normalization when fetching remote resources (c960657, c960657)
  • Fix being unable to filter posts for individual Chinese languages (gunchleoc)
  • Fix preview card sometimes linking to 4xx error pages (c960657)
  • Fix emoji picker button scrolling with textarea content in single-column view (ClearlyClaire)
  • Fix missing border on error screen in light theme in web UI (Gargron)
  • Fix UI overlap with the loupe icon in the Explore Tab (gol-cha)
  • Fix unexpected redirection to /explore after sign-in (ClearlyClaire)
  • Fix /api/v1/statuses/:id/unfavourite and /api/v1/statuses/:id/unreblog returning non-updated counts (c960657)
  • Fix clicking the “Back” button sometimes leading out of Mastodon (c960657, CSFlorin, S-H-GAMELINKS, ClearlyClaire)
  • Fix processing of null ActivityPub activities (tribela)
  • Fix hashtag posts not being removed from home feed on hashtag unfollow (ClearlyClaire)
  • Fix for "follows you" indicator in light web UI not readable (vmstan)
  • Fix incorrect line break between icon and number of reposts & favourites (edent)
  • Fix sounds not being loaded from assets host (Signez)
  • Fix buttons showing inconsistent styles (teeerevor, ClearlyClaire, ClearlyClaire, ClearlyClaire)
  • Fix trend calculation working on too many items at a time (Gargron)
  • Fix dropdowns being disabled for logged out users in web UI (Gargron, ClearlyClaire)
  • Fix explore page being inaccessible when opted-out of trends in web UI (Gargron)
  • Fix re-activated accounts possibly getting deleted by AccountDeletionWorker (ClearlyClaire)
  • Fix /api/v2/search not working with following query param (danielmbrasil)
  • Fix inefficient query when requesting a new confirmation email from a logged-in account (ClearlyClaire)
  • Fix unnecessary concurrent calls to /api/*/instance in web UI (mgmn)
  • Fix resolving local URL for remote content (ClearlyClaire)
  • Fix search not being easily findable on smaller screens in web UI (Gargron, ClearlyClaire)
  • Fix j/k keyboard shortcuts on some status lists (ClearlyClaire)
  • Fix missing validation on default_privacy setting (ClearlyClaire)
  • Fix incorrect pagination headers in /api/v2/admin/accounts (danielmbrasil)
  • Fix non-interactive upload container being given a button role and tabIndex (ClearlyClaire)
  • Fix always redirecting to onboarding in web UI (Gargron)
  • Fix inconsistent use of middle dot (·) instead of bullet (•) to separate items (j-f1)
  • Fix spacing of middle dots in the detailed status meta section (j-f1)
  • Fix prev/next buttons color in media viewer (renchap)
  • Fix email addresses not being properly updated in tootctl maintenance fix-duplicates (mjankowski)
  • Fix unicode surrogate pairs sometimes being broken in page title (eai04191)
  • Fix various inefficient queries against account domains (ClearlyClaire)
  • Fix video player offering to expand in a lightbox when it's in an iframe (ClearlyClaire)
  • Fix post embed previews (ClearlyClaire)
  • Fix inadequate error handling in several API controllers when given invalid parameters (danielmbrasil, danielmbrasil, danielmbrasil, danielmbrasil, danielmbrasil, danielmbrasil)
  • Fix uncaught ActiveRecord::StatementInvalid in Mastodon::IpBlocksCLI (danielmbrasil)
  • Fix various edge cases with local moves (ClearlyClaire)
  • Fix tootctl accounts cull crashing when encountering a domain resolving to a private address (ClearlyClaire)
  • Fix tootctl accounts approve --number N not aproving the N earliest registrations (danielmbrasil)
  • Fix being unable to clear media description when editing posts (c960657)
  • Fix unavailable translations not falling back to English (mgmn)
  • Fix anonymous visitors getting a session cookie on first visit (ClearlyClaire, ClearlyClaire, ClearlyClaire)
  • Fix cutting off first letter of hashtag links sometimes in web UI (Gargron)
  • Fix crash in tootctl accounts create --reattach --force (ClearlyClaire, danielmbrasil)
  • Fix characters being emojified even when using Variation Selector 15 (text) (ClearlyClaire, ClearlyClaire)
  • Fix uncaught ActiveRecord::StatementInvalid exception in Mastodon::AccountsCLI#approve (danielmbrasil)
  • Fix email confirmation skip option in tootctl accounts modify USERNAME --email EMAIL --confirm (danielmbrasil)
  • Fix tooltip for dates without time (c960657)
  • Fix missing loading spinner and loading more on scroll in Private Mentions column (c960657)
  • Fix account header image missing from /settings/profile on narrow screens (c960657)
  • Fix height of announcements not being updated when using reduced animations (c960657)
  • Fix inconsistent radius in advanced interface drawer (thislight)
  • Fix loading more trending posts on scroll in the advanced interface (OmmyZhang)
  • Fix poll ending notification for edited polls (c960657)
  • Fix max width of media in /about and /privacy-policy (mgmn)
  • Fix streaming API not being usable without DATABASE_URL (Gargron)
  • Fix external authentication not running onboarding code for new users (ClearlyClaire)

[4.1.8] - 2023-09-19

Fixed

  • Fix post edits not being forwarded as expected (ClearlyClaire)
  • Fix moderator rights inconsistencies (ClearlyClaire)
  • Fix crash when encountering invalid URL (ClearlyClaire)
  • Fix cached posts including stale stats (ClearlyClaire)
  • Fix uploading of video files for which ffprobe reports 0/0 average framerate (NicolaiSoeborg)
  • Fix unexpected audio stream transcoding when uploaded video is eligible to passthrough (yufushiro)

Security

[4.1.7] - 2023-09-05

Changed

  • Change remote report processing to accept reports with long comments, but truncate them (ThisIsMissEm)

Fixed

  • Fix blocking subdomains of an already-blocked domain (ClearlyClaire)
  • Fix /api/v1/timelines/tag/:hashtag allowing for unauthenticated access when public preview is disabled (danielmbrasil)
  • Fix inefficiencies in PlainTextFormatter (ClearlyClaire)

[4.1.6] - 2023-07-31

Fixed

[4.1.5] - 2023-07-21

Added

  • Add check preventing Sidekiq workers from running with Makara configured (ClearlyClaire)

Changed

  • Change request timeout handling to use a longer deadline (ClearlyClaire)

Fixed

  • Fix moderation interface for remote instances with a .zip TLD (ClearlyClaire)
  • Fix remote accounts being possibly persisted to database with incomplete protocol values (ClearlyClaire)
  • Fix trending publishers table not rendering correctly on narrow screens (vmstan)

Security

[4.1.4] - 2023-07-07

Fixed

  • Fix branding:generate_app_icons failing because of disallowed ICO coder (ClearlyClaire)
  • Fix crash in admin interface when viewing a remote user with verified links (ClearlyClaire)
  • Fix processing of media files with unusual names (ClearlyClaire)

[4.1.3] - 2023-07-06

Added

  • Add fallback redirection when getting a webfinger query LOCAL_DOMAIN@LOCAL_DOMAIN (ClearlyClaire)

Changed

  • Change OpenGraph-based embeds to allow fullscreen (ClearlyClaire)
  • Change AccessTokensVacuum to also delete expired tokens (ClearlyClaire)
  • Change profile updates to be sent to recently-mentioned servers (ClearlyClaire)
  • Change automatic post deletion thresholds and load detection (ClearlyClaire)
  • Change /api/v1/statuses/:id/history to always return at least one item (ClearlyClaire)
  • Change auto-linking to allow carets in URL query params (renchap)

Removed

Fixed

Security

  • Add finer permission requirements for managing webhooks (ClearlyClaire)
  • Update dependencies
  • Add hardening headers for user-uploaded files (ClearlyClaire)
  • Fix verified links possibly hiding important parts of the URL (CVE-2023-36462)
  • Fix timeout handling of outbound HTTP requests (CVE-2023-36461)
  • Fix arbitrary file creation through media processing (CVE-2023-36460)
  • Fix possible XSS in preview cards (CVE-2023-36459)

[4.1.2] - 2023-04-04

Fixed

  • Fix crash in tootctl commands making use of parallelization when Elasticsearch is enabled (ClearlyClaire, ClearlyClaire)
  • Fix crash in db:setup when Elasticsearch is enabled (rrgeorge)
  • Fix user archive takeout when using OpenStack Swift or S3 providers with no ACL support (ClearlyClaire)
  • Fix invalid/expired invites being processed on sign-up (ClearlyClaire)

Security

  • Update Ruby to 3.0.6 due to ReDoS vulnerabilities (saizai)
  • Fix unescaped user input in LDAP query (ClearlyClaire)

[4.1.1] - 2023-03-16

Added

  • Add redirection from paths with url-encoded @ to their decoded form (thijskh)
  • Add lang attribute to native language names in language picker in Web UI (ClearlyClaire)
  • Add headers to outgoing mails to avoid auto-replies (ClearlyClaire)
  • Add support for refreshing many accounts at once with tootctl accounts refresh (9p4)
  • Add confirmation modal when clicking to edit a post with a non-empty compose form (PauloVilarinho)
  • Add support for the HAproxy PROXY protocol through the PROXY_PROTO_V1 environment variable (CSDUMMI)
  • Add SENDFILE_HEADER environment variable (Gargron)
  • Add cache headers to static files served through Rails (Gargron)

Changed

  • Increase contrast of upload progress bar background (toolmantim)
  • Change post auto-deletion throttling constants to better scale with server size (ClearlyClaire)
  • Change order of bookmark and favourite sidebar entries in single-column UI for consistency (TerryGarcia)
  • Change ActivityPub::DeliveryWorker retries to be spread out more (ClearlyClaire)

Fixed

  • Fix “Remove all followers from the selected domains” also removing follows and notifications (ClearlyClaire)
  • Fix streaming metrics format (emilweth, emilweth)
  • Fix case-sensitive check for previously used hashtags in hashtag autocompletion (deanveloper)
  • Fix focus point of already-attached media not saving after edit (ClearlyClaire)
  • Fix sidebar behavior in settings/admin UI on mobile (wxt2005)
  • Fix inefficiency when searching accounts per username in admin interface (ClearlyClaire)
  • Fix duplicate “Publish” button on mobile (ClearlyClaire)
  • Fix server error when failing to follow back followers from /relationships (ClearlyClaire)
  • Fix server error when attempting to display the edit history of a trendable post in the admin interface (ClearlyClaire)
  • Fix tootctl accounts migrate crashing because of a typo (ClearlyClaire)
  • Fix original account being unfollowed on migration before the follow request to the new account could be sent (ClearlyClaire)
  • Fix the “Back” button in column headers sometimes leaving Mastodon (c960657)
  • Fix pgBouncer resetting application name on every transaction (Gargron)
  • Fix unconfirmed accounts being counted as active users (ClearlyClaire)
  • Fix /api/v1/streaming sub-paths not being redirected (ClearlyClaire)
  • Fix drag'n'drop upload area text that spans multiple lines not being centered (vintprox)
  • Fix sidekiq jobs not triggering Elasticsearch index updates (ClearlyClaire)
  • Fix tags being unnecessarily stripped from plain-text short site description (c960657)
  • Fix HTML entities not being un-escaped in extracted plain-text from remote posts (c960657)
  • Fix dashboard crash on ElasticSearch server error (ClearlyClaire)
  • Fix incorrect post links in strikes when the account is remote (ClearlyClaire)
  • Fix misleading error code when receiving invalid WebAuthn credentials (ClearlyClaire)
  • Fix duplicate mails being sent when the SMTP server is too slow to close the connection (ClearlyClaire)

Security

  • Change user backups to use expiring URLs for download when possible (Gargron)
  • Add warning for object storage misconfiguration (ClearlyClaire)

[4.1.0] - 2023-02-10

Added

  • Add support for importing/exporting server-wide domain blocks (enbylenore, ClearlyClaire, dariusk, ClearlyClaire)
  • Add listing of followed hashtags (connorshea)
  • Add support for editing media description and focus point of already-sent posts (ClearlyClaire)
    • Previously, you could add and remove attachments, but not edit media description of already-attached media
    • REST API changes:
    • PUT /api/v1/statuses/:id now takes an extra media_attributes[] array parameter with the id of the updated media and their updated description, focus, and thumbnail
  • Add follow request banner on account header (ClearlyClaire)
    • REST API changes:
    • Relationship entities have an extra requested_by boolean attribute representing whether the represented user has requested to follow you
  • Add confirmation screen when handling reports (ClearlyClaire, Gargron, tribela)
  • Add option to make the landing page be /about even when trends are enabled (ClearlyClaire)
  • Add noindex setting back to the admin interface (prplecake)
  • Add instance peers API endpoint toggle back to the admin interface (dariusk)
  • Add instance activity API endpoint toggle back to the admin interface (dariusk)
  • Add setting for status page URL (Gargron, ClearlyClaire)
    • REST API changes:
    • Add configuration.urls.status attribute to the object returned by GET /api/v2/instance
  • Add account.approved webhook (Saiv46)
  • Add 12 hours option to polls (Pleclown)
  • Add dropdown menu item to open admin interface for remote domains (ClearlyClaire)
  • Add --remove-headers, --prune-profiles and --include-follows flags to tootctl media remove (evanphilip)
  • Add --email and --dry-run options to tootctl accounts delete (ClearlyClaire)
  • Add tootctl accounts migrate (ClearlyClaire)
  • Add tootctl accounts prune (tribela)
  • Add tootctl domains purge (ClearlyClaire)
  • Add SIDEKIQ_CONCURRENCY environment variable (muffinista)
  • Add DB_POOL environment variable support for streaming server (Gargron)
  • Add MIN_THREADS environment variable to set minimum Puma threads (jimeh)
  • Add explanation text to log-in page (ClearlyClaire)
  • Add user profile OpenGraph tag on post pages (bramus)
  • Add maskable icon support for Android (workeffortwaste)
  • Add Belarusian to supported languages (Mixaill)
  • Add Western Frisian to supported languages (ykzts)
  • Add Montenegrin to the language picker (ayefries)
  • Add Southern Sami and Lule Sami to the language picker (Jullan-M)
  • Add logging for Rails cache timeouts (ClearlyClaire)
  • Add color highlight for active hashtag “follow” button (MFTabriz)
  • Add brotli compression to assets:precompile (Izorkin)
  • Add “disabled” account filter to the /admin/accounts UI (tribela)
  • Add transparency to modal background for accessibility (edent)
  • Add lang attribute to image description textarea and poll option field (c960657)
  • Add spellcheck attribute to Content Warning and poll option input fields (c960657)
  • Add title attribute to video elements in media attachments (bramus)
  • Add left and right margins to emojis (dsblank)
  • Add roles attribute to Account entities in REST API (ClearlyClaire, tribela)
  • Add reading:autoplay:gifs to /api/v1/preferences (j-f1)
  • Add hide_collections parameter to /api/v1/accounts/credentials (CarlSchwan)
  • Add policy attribute to web push subscription objects in REST API at /api/v1/push/subscriptions (ClearlyClaire)
  • Add metrics endpoint to streaming API (Gargron, Gargron)
  • Add more specific error messages to HTTP signature verification (ClearlyClaire)
  • Add Storj DCS to cloud object storage options in the mastodon:setup rake task (jtolio)
  • Add checkmark symbol in the checkbox for sensitive media (sidp)
  • Add missing accessibility attributes to logout link in modals (kytta)
  • Add missing accessibility attributes to “Hide image” button in MediaGallery (hs4man21)
  • Add missing accessibility attributes to hide content warning field when disabled (hs4man21)
  • Add aria-hidden to footer circle dividers to improve accessibility (hs4man21)
  • Add lang attribute to compose form inputs (ClearlyClaire)

Changed

  • Ensure exact match is the first result in hashtag searches (ClearlyClaire)
  • Change account search to return followed accounts first (dariusk)
  • Change batch account suspension to create a strike (ClearlyClaire)
  • Change default reply language to match the default language when replying to a translated post (ClearlyClaire)
  • Change misleading wording about waitlists (ClearlyClaire)
  • Increase width of the unread notification border (connorshea)
  • Change new post notification button on profiles to make it more apparent when it is enabled (tribela)
  • Change trending tags admin interface to always show batch action controls (ClearlyClaire)
  • Change wording of some OAuth scope descriptions (ClearlyClaire)
  • Change wording of admin report handling actions (ClearlyClaire)
  • Change confirm prompts for relationships management (tribela)
  • Change language surrounding disability in prompts for media descriptions (hs4man21)
  • Change confusing wording in the sign in banner (ClearlyClaire)
  • Change POST /settings/applications/:id to regenerate token on scopes change (ClearlyClaire)
  • Change account moderation notes to make links clickable (ClearlyClaire)
  • Change link previews for statuses to never use avatar as fallback (Gargron)
  • Change email address input to be read-only for logged-in users when requesting a new confirmation e-mail (ClearlyClaire)
  • Change notifications per page from 15 to 40 in REST API (Gargron)
  • Change number of stored items in home feed from 400 to 800 (Gargron)
  • Change API rate limits from 300/5min per user to 1500/5min per user, 300/5min per app (Gargron)
  • Save avatar or header correctly even if the other one fails (tribela)
  • Change referrer-policy to same-origin application-wide (ClearlyClaire, ClearlyClaire)
  • Add 'private' to Cache-Control, match Rails expectations (daxtens)
  • Make the button that expands the compose form differentiable from the button that publishes a post (Tak)
  • Change automatic post deletion configuration to be accessible to moved users (ClearlyClaire)
  • Make tag following idempotent (trwnh, ClearlyClaire)
  • Use buildx functions for faster builds (inductor)
  • Split off Dockerfile components for faster builds (moritzheiber, ineffyble, BtbN)
  • Change last occurrence of “silence” to “limit” in UI text (cincodenada)
  • Change “hide toot” to “hide post” (seanthegeek)
  • Don't allow URLs that contain non-normalized paths to be verified (dgl)
  • Change the “Trending now” header to be a link to the Explore page (connorshea)
  • Change PostgreSQL connection timeout from 2 minutes to 15 seconds (ClearlyClaire)
  • Make handle more easily selectable on profile page (cadars)
  • Allow admins to refresh remotely-suspended accounts (ClearlyClaire)
  • Change dropdown menu to contain “Copy link to post” even for non-public posts (ClearlyClaire)
  • Allow adding relays in secure mode and limited federation mode (ineffyble)
  • Change timestamps to be displayed using the user's timezone throughout the moderation interface (FrancisMurillo, ClearlyClaire)
  • Change CSP directives on API to be tight and concise (ClearlyClaire)
  • Change web UI to not autofocus the compose form (raboof, Akkiesoft)
  • Change idempotency key handling for posting when database access is slow (lambda)
  • Change remote media files to be downloaded outside of transactions (ClearlyClaire)
  • Improve contrast of charts in “poll has ended” notifications (j-f1)
  • Change OEmbed detection and validation to be somewhat more lenient (ineffyble)
  • Widen ElasticSearch version detection to not display a warning for OpenSearch (VyrCossont, ClearlyClaire)
  • Change link verification to allow pages larger than 1MB as long as the link is in the first 1MB (untitaker)
  • Update default Node.js version to Node.js 16 (ineffyble, ClearlyClaire)

Removed

  • Officially remove support for Ruby 2.6 (ClearlyClaire)
  • Remove object-fit polyfill used for old versions of Microsoft Edge (shuuji3)
  • Remove intersection-observer polyfill for old Safari support (shuuji3)
  • Remove empty title tag from mailer layout (nametoolong)
  • Remove post count and last posts from ActivityPub representation of hashtag collections (ClearlyClaire)

Fixed

  • Fix changing domain block severity not undoing individual account effects (ClearlyClaire)
  • Fix suspension worker crashing on S3-compatible setups without ACL support (ClearlyClaire)
  • Fix possible race conditions when suspending/unsuspending accounts (ClearlyClaire)
  • Fix being stuck in edit mode when deleting the edited posts (ClearlyClaire)
  • Fix attached media uploads not being cleared when replying to a post (ClearlyClaire)
  • Fix filters not being applied to some notification types (ClearlyClaire)
  • Fix incorrect link in push notifications for some event types (elizabeth-dev)
  • Fix some performance issues with /admin/instances (ClearlyClaire)
  • Fix some pre-4.0 admin audit logs (ClearlyClaire)
  • Fix moderation audit log items for warnings having incorrect links (ClearlyClaire)
  • Fix account activation being sometimes triggered before email confirmation (ClearlyClaire)
  • Fix missing OAuth scopes for admin APIs (trwnh, trwnh)
  • Fix voter count not being cleared when a poll is reset (afontenot)
  • Fix attachments of edited posts not being fetched (ClearlyClaire)
  • Fix irreversible and whole_word parameters handling in /api/v1/filters (ClearlyClaire)
  • Fix 500 error when marking posts as sensitive while some of them are deleted (ClearlyClaire)
  • Fix expanded posts not always being scrolled into view (ClearlyClaire)
  • Fix not being able to scroll the remote interaction modal on small screens (xendke)
  • Fix not being able to scroll in post history modal (cadars)
  • Fix audio player volume control on Safari (minacle)
  • Fix disappearing “Explore” tabs on Safari (nyura, ykzts)
  • Fix wrong padding in RTL layout (Gargron)
  • Fix drag & drop upload area display in single-column mode (ClearlyClaire)
  • Fix being unable to get a single EmailDomainBlock from the admin API (trwnh)
  • Fix admin-set follow recommandations being case-sensitive (ClearlyClaire)
  • Fix unserialized role on account entities in admin API (Gargron)
  • Fix pagination of followed tags (trwnh)
  • Fix dropdown menu positions when scrolling (sidp, ClearlyClaire)
  • Fix email with empty domain name labels passing validation (ClearlyClaire)
  • Fix mysterious registration failure when “Require a reason to join” is set with open registrations (ClearlyClaire)
  • Fix attachment rendering of edited posts in OpenGraph (ClearlyClaire)
  • Fix invalid/empty RSS feed link on account pages (ClearlyClaire)
  • Fix error in VerifyLinkService when processing links with no href (joshuap)
  • Fix error in VerifyLinkService when processing links with invalid URLs (untitaker)
  • Fix media uploads with FFmpeg 5 (dead10ck)
  • Fix sensitive flag not being set when replying to a post with a content warning under certain conditions (kedamaDQ)
  • Fix misleading message briefly showing up when loading follow requests under some conditions (c960657)
  • Fix “Share @:user's profile” profile menu item not working (ClearlyClaire)
  • Fix crash and incorrect behavior in tootctl domains crawl (ClearlyClaire)
  • Fix autoplay on iOS (jamesadney)
  • Fix user clean-up scheduler crash when an unconfirmed account has a moderation note (ClearlyClaire)
  • Fix spaces not being stripped in admin account search (ClearlyClaire)
  • Fix spaces not being stripped when adding relays (ClearlyClaire)
  • Fix infinite loading spinner instead of soft 404 for non-existing remote accounts (ClearlyClaire)
  • Fix minor visual issue with the top border of verified account fields (j-f1)
  • Fix pending account approval and rejection not being recorded in the admin audit log (FrancisMurillo)
  • Fix “Sign up” button with closed registrations not opening modal on mobile (ClearlyClaire)
  • Fix UI header overflowing on mobile (ClearlyClaire)
  • Fix 500 error when trying to migrate to an invalid address (ClearlyClaire)
  • Fix crash when trying to fetch unobtainable avatar of user using external authentication (lochiiconnectivity)
  • Fix processing error on incoming malformed JSON-LD under some situations (ClearlyClaire)
  • Fix potential duplicate posts in Explore tab (ClearlyClaire)
  • Fix deprecation warning in tootctl accounts rotate (ClearlyClaire)
  • Fix styling of featured tags in light theme (ClearlyClaire)
  • Fix missing style in warning and strike cards (AtelierSnek, ClearlyClaire)
  • Fix wasteful request to /api/v1/custom_emojis when not logged in (ClearlyClaire)
  • Fix replies sometimes being delivered to user-blocked domains (tribela)
  • Fix admin dashboard crash when using some ElasticSearch replacements (cortices)
  • Fix profile avatar being slightly offset into left border (RiedleroD)
  • Fix N+1 queries in NotificationsController (nametoolong)
  • Fix being unable to react to announcements with the keycap number sign emoji (kescherCode)
  • Fix height computation of post embeds (hodgesmr)
  • Fix accessibility issue of the search bar due to hidden placeholder (alexstine)
  • Fix layout change handler not being removed due to a typo (nschonni)
  • Fix typo in the default S3_HOSTNAME used in the mastodon:setup rake task (danp)
  • Fix the top action bar appearing in the multi-column layout (ClearlyClaire)
  • Fix inability to use local LibreTranslate without setting ALLOWED_PRIVATE_ADDRESSES (ClearlyClaire)
  • Fix punycoded local domains not being prettified in initial state (Tritlo)
  • Fix CSP violation warning by removing inline CSS from SVG logo (luxiaba)
  • Fix margin for search field on medium window size (minacle)
  • Fix search popout scrolling with the page in single-column mode (rgroothuijsen)
  • Fix minor post cache hydration discrepancy (ClearlyClaire)
  • Fix detection in hashtags (parthoghosh24)
  • Fix hashtag follows bypassing user blocks (tribela)
  • Fix moved accounts being incorrectly redirected to account settings when trying to view a remote profile (ClearlyClaire)
  • Fix site upload validations (ClearlyClaire)
  • Fix “Add new domain block” button using last submitted search value instead of the current one (ClearlyClaire)
  • Fix misleading hashtag warning when posting with “Followers only” or “Mentioned people only” visibility (n0toose)
  • Fix embedded posts with videos grabbing focus (Akkiesoft)
  • Fix $ not being escaped in .env.production files generated by the mastodon:setup rake task (ClearlyClaire, ClearlyClaire)
  • Fix sanitizer parsing link text as HTML when stripping unsupported links (ClearlyClaire)
  • Fix scheduled_at input not using datetime-local when editing announcements (ClearlyClaire)
  • Fix REST API serializer for Account not including moved when the moved account has itself moved (ClearlyClaire)
  • Fix /api/v1/admin/trends/tags using wrong serializer (ClearlyClaire)
  • Fix situations in which instance actor can be set to a Mastodon-incompatible name (ClearlyClaire)

Security

[4.0.2] - 2022-11-15

Fixed

  • Fix wrong color on mentions hidden behind content warning in web UI (Gargron)
  • Fix filters from other users being used in the streaming service (ClearlyClaire)
  • Fix unsafe-eval being used when wasm-unsafe-eval is enough in Content Security Policy (Gargron, prplecake)

[4.0.1] - 2022-11-14

Fixed

  • Fix nodes order being sometimes mangled when rewriting emoji (ClearlyClaire)

[4.0.0] - 2022-11-14

Some of the features in this release have been funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322.

Added

Changed

Removed

  • Remove setting that disables account deletes (Gargron)
  • Remove digest e-mails (Gargron)
  • Remove unnecessary sections from welcome e-mail (Gargron)
  • Remove item titles from RSS feeds (Gargron)
  • Remove volume number from hashtags in web UI (Gargron)
  • Remove Nanobox configuration (tonyjiang)

Fixed

  • Fix rules with same priority being sorted non-deterministically (Gargron)
  • Fix error when invalid domain name is submitted (Gargron)
  • Fix icons having an image role (Gargron)
  • Fix connections to IPv6-only servers (ClearlyClaire)
  • Fix unnecessary service worker registration and preloading when logged out in web UI (ClearlyClaire)
  • Fix unnecessary and slow regex construction (raggi)
  • Fix mailers queue not being used for mailers (Gargron)
  • Fix error in webfinger redirect handling (ClearlyClaire)
  • Fix report category not being set to violation if rule IDs are provided (trwnh)
  • Fix nodeinfo metadata attribute being an array instead of an object (ClearlyClaire)
  • Fix account endorsements not being idempotent (trwnh)
  • Fix status and rule IDs not being strings in admin reports REST API (trwnh)
  • Fix error on invalid replies_policy in REST API (trwnh)
  • Fix redrafting a currently-editing post not leaving edit mode in web UI (ClearlyClaire)
  • Fix performance by avoiding method cache busts (raggi)
  • Fix opening the language picker scrolling the single-column view to the top in web UI (ClearlyClaire)
  • Fix content warning button missing aria-expanded attribute in web UI (ClearlyClaire)
  • Fix redundant aria-pressed attributes in web UI (Brawaru)
  • Fix crash when external auth provider has no display name set (ClearlyClaire)
  • Fix followers count not being updated when migrating follows (ClearlyClaire)
  • Fix double button to clear emoji search input in web UI (sunny)
  • Fix missing null check on applications on strike disputes (kescherCode)
  • Fix featured tags not saving preferred casing (Gargron)
  • Fix language not being saved when editing status (Gargron)
  • Fix not being able to input featured tag with hash symbol (Gargron)
  • Fix user clean-up scheduler crash when an unconfirmed account has a moderation note (ClearlyClaire)
  • Fix being unable to withdraw follow request when confirmation modal is disabled in web UI (ClearlyClaire)
  • Fix inaccurate admin log entry for re-sending confirmation e-mails (ClearlyClaire)
  • Fix edits not being immediately reflected (ClearlyClaire)
  • Fix bookmark import stopping at the first failure (ClearlyClaire)
  • Fix account action type validation (Gargron)
  • Fix upload progress not communicating processing phase in web UI (Gargron)
  • Fix wrong host being used for custom.css when asset host configured (Gargron)
  • Fix account migration form ever using outdated account data (Gargron, nightpool)
  • Fix error when uploading malformed CSV import (Gargron)
  • Fix avatars not using image tags in web UI (Gargron)
  • Fix handling of duplicate and out-of-order notifications in web UI (ClearlyClaire)
  • Fix reblogs being discarded after the reblogged status (ClearlyClaire)
  • Fix indexing scheduler trying to index when Elasticsearch is disabled (Gargron)
  • Fix n+1 queries when rendering initial state JSON (Gargron)
  • Fix n+1 query during status removal (Gargron)
  • Fix OCR not working due to Content Security Policy in web UI (prplecake)
  • Fix nofollow rel being removed in web UI (Gargron)
  • Fix language dropdown causing zoom on mobile devices in web UI (Gargron)
  • Fix button to dismiss suggestions not showing up in search results in web UI (ClearlyClaire)
  • Fix language dropdown sometimes not appearing in web UI (Gargron)
  • Fix quickly switching notification filters resulting in empty or incorrect list in web UI (ClearlyClaire, ClearlyClaire)
  • Fix media modal link button in web UI (ClearlyClaire)
  • Fix error upon successful account migration (Gargron)
  • Fix negatives values in search index causing queries to fail (Gargron, Gargron)
  • Fix error when searching for invalid URL (ClearlyClaire)
  • Fix IP blocks not having a unique index (Gargron)
  • Fix remote account in contact account setting not being used (Gargron)
  • Fix swallowing mentions of unconfirmed/unapproved users (ClearlyClaire)
  • Fix incorrect and slow cache invalidation when blocking domain and removing media attachments (ClearlyClaire)
  • Fix HTTPs redirect behaviour when running as I2P service (gi-yt)
  • Fix deleted pinned posts potentially counting towards the pinned posts limit (ClearlyClaire)
  • Fix compatibility with OpenSSL 3.0 (ClearlyClaire)
  • Fix error when a remote report includes a private post the server has no access to (ClearlyClaire)
  • Fix suspicious sign-in mails never being sent (ClearlyClaire)
  • Fix fallback locale when somehow user's locale is an empty string (tribela)
  • Fix avatar/header not being deleted locally when deleted on remote account (tribela)
  • Fix missing , in Blurhash validation (noellabo)
  • Fix order by most recent not working for relationships page in admin UI (tribela)
  • Fix uncaught error when invalid date is supplied to API (Gargron)
  • Fix REST API sometimes returning HTML on error (ClearlyClaire)
  • Fix ambiguous column names in tootctl media refresh (tribela)
  • Fix ambiguous column names in tootctl search deploy (mashirozx)
  • Fix CDN_HOST not being used in some asset URLs (tribela)
  • Fix CAS_DISPLAY_NAME, SAML_DISPLAY_NAME and OIDC_DISPLAY_NAME being ignored (ClearlyClaire)
  • Fix various typos in comments throughout the codebase (luzpaz)
  • Fix CSV import error when rows include unicode characters (HamptonMakes)

Security

  • Fix being able to spoof link verification (Gargron)
  • Fix emoji substitution not applying only to text nodes in backend code (ClearlyClaire)
  • Fix emoji substitution not applying only to text nodes in web UI (ClearlyClaire)
  • Fix rate limiting for paths with formats (Gargron)
  • Fix out-of-bound reads in blurhash transcoder (delroth)

For previous changes, review the stable-3.5 branch