v4.3.0-beta.1

Warning

This is a pre-release! This has not been as widely tested as regular releases, although it is still tested on mastodon.social and some other servers. If you update to this release, you will not be able to safely downgrade to the existing stable releases. You will, however, be able to upgrade to later nightly releases, prereleases as well as the upcoming 4.3.0 stable release.

Upgrade overview

This release contains upgrade notes that deviate from the norm:

‼️ Requires new encryption secrets environment variables
⚠️ The minimal supported version for PostgreSQL has been bumped to 12
⚠️ The minimal supported version for Ruby has been bumped to 3.1
⚠️ The minimal supported version for Node.js has been bumped to 18
⚠️ Requires rebuilding Elasticsearch accounts index
⚠️ We switched from yarn 1 to yarn 4, and recommend using corepack
⚠️ The Docker image has been split in two separate images
⚠️ Rolling updates from versions earlier than Mastodon 4.2 are not supported
⚠️ StatsD integration has been removed, replaced by OpenTelemetry integration
⚠️ ImageMagick is being deprecated and may be removed in a future version
ℹ️ Requires streaming API restart
ℹ️ Requires database migrations
ℹ️ The logging format of the streaming server has changed

For more information, scroll down to the upgrade instructions section.

Changelog

The following changelog entries focus on changes visible to users, administrators, client developers or federated software developers, but there has also been a lot of code modernization, refactoring, and tooling work, in particular by @mjankowski.

Security

• Add confirmation interstitial instead of silently redirecting logged-out visitors to remote resources (#27792, #28902, and #30651 by @ClearlyClaire and @Gargron)
  This fixes a longstanding open redirect in Mastodon, at the cost of added friction when local links to remote resources are shared.

Added

• Add experimental server-side notification grouping (#29889, #30576, #30685, #30688, #30707, #30776, #30779, #30781, #30440, #31062, #31098, #31076, #31111, #31123, #31223, #31214, #31224, #31299, #31325, #31347, #31304, #31326, #31384, #31403, #31433, #31509, #31486, and #31513 by @ClearlyClaire, @mgmn, and @renchap)
  Group notifications of the same type for the same target, so that your notifications no longer get cluttered by boost and favorite notifications as soon as a couple of your posts get traction.
  This is done server-side so that clients can efficiently get relevant groups without having to go through numerous pages of individual notifications.
  As part of this, the visual design of the entire notifications feature has been revamped.
  This feature is intended to eventually replace the existing notifications column, but for this first beta, users will have to enable it in the “Experimental features” section of the notifications column settings.
  The API is not final yet, but it consists of:

  • a new group_key attribute to Notification entities
  • GET /api/v2_alpha/notifications: https://docs.joinmastodon.org/methods/notifications_alpha/#get-grouped
  • GET /api/v2_alpha/notifications/:group_key: https://docs.joinmastodon.org/methods/notifications_alpha/#get-notification-group
  • POST /api/v2_alpha/notifications/:group_key/dimsiss: https://docs.joinmastodon.org/methods/notifications_alpha/#dismiss-group
  • GET /api/v2_alpha/notifications/:unread_count: https://docs.joinmastodon.org/methods/notifications_alpha/#unread-group-count

• Add notification policies, filtered notifications and notification requests (#29366, #29529, #29433, #29565, #29567, #29572, #29575, #29588, #29646, #29652, #29658, #29666, #29693, #29699, #29737, #29706, #29570, #29752, #29810, #29826, #30114, #30251, #30559, #29868, #31008, #31011, #30996, #31149, #31220, #31222, #31225, #31242, #31262, #31250, #31273, #31310, #31316, #31322, #31329, #31324, #31331, #31343, #31342, #31309, #31358, #31378, #31406, #31256, #31456, #31419, #31457, #31508, #31540, and #31541 by @ClearlyClaire, @Gargron, @TheEssem, @mgmn, @oneiros, and @renchap)
  The old “Block notifications from non-followers”, “Block notifications from people you don't follow” and “Block direct messages from people you don't follow” notification settings have been replaced by a new set of settings found directly in the notification column.
  You can now separately filter or drop notifications from people you don't follow, people who don't follow you, accounts created within the past 30 days, as well as unsolicited private mentions, and accounts limited by the moderation.
  Instead of being outright dropped, notifications that you chose to filter are put in a separate “Filtered notifications” box that you can review separately without it clogging your main notifications.
  This adds the following REST API endpoints:

  • GET /api/v2/notifications/policy: https://docs.joinmastodon.org/methods/notifications/#get-policy
  • PATCH /api/v2/notifications/policy: https://docs.joinmastodon.org/methods/notifications/#update-the-filtering-policy-for-notifications
  • GET /api/v1/notifications/requests: https://docs.joinmastodon.org/methods/notifications/#get-requests
  • GET /api/v1/notifications/requests/:id: https://docs.joinmastodon.org/methods/notifications/#get-one-request
  • POST /api/v1/notifications/requests/:id/accept: https://docs.joinmastodon.org/methods/notifications/#accept-request
  • POST /api/v1/notifications/requests/:id/dismiss: https://docs.joinmastodon.org/methods/notifications/#dismiss-request
  • POST /api/v1/notifications/requests/accept: https://docs.joinmastodon.org/methods/notifications/#accept-multiple-requests
  • POST /api/v1/notifications/requests/dismiss: https://docs.joinmastodon.org/methods/notifications/#dismiss-multiple-requests
  • GET /api/v1/notifications/requests/merged: https://docs.joinmastodon.org/methods/notifications/#requests-merged

  In addition, accepting one or more notification requests generates a new streaming event:

  • notifications_merged: an event of this type indicates accepted notification requests have finished merging, and the notifications list should be refreshed

• Add notifications of severed relationships (#27511, #29665, #29668, #29670, #29700, #29714, #29712, and #29731 by @ClearlyClaire and @Gargron)
  Notify local users when they lose relationships as a result of a local moderator blocking a remote account or server, allowing the affected user to retrieve the list of broken relationships.
  Note that this does not notify remote users.
  This adds the severed_relationships notification type to the REST API and streaming, with a new relationship_severance_event attribute.

• Add hover cards in web UI (#30754, #30864, #30850, #30879, #30928, #30949, #30948, #30931, and #31300 by @ClearlyClaire, @Gargron, and @renchap)
  Hovering over an avatar or username will now display a hover card with the first two lines of the user's description and their first two profile fields.
  This can be disabled in the “Animations and accessibility” section of the preferences.

• Add "system" theme setting (light/dark theme depending on user system preference) (#29748, #29553, #29795, #29918, #30839, and #30861 by @nshki, @ErikUden, @mjankowski, @renchap, and @vmstan)
  Add a “system” theme that automatically switch between default dark and light themes depending on the user's system preferences.
  Also changes the default server theme to this new “system” theme so that automatic theme selection happens even when logged out.

• Add timeline of public posts about a trending link (#30381 and #30840 by @Gargron)
  You can now see public posts mentioning currently-trending articles from people who have opted into discovery features.
  This adds a new REST API endpoint: https://docs.joinmastodon.org/methods/timelines/#link

• Add author highlight for news articles whose authors are on the fediverse (#30398, #30670, #30521, and #30846 by @Gargron)
  This adds a mechanism to highlight the author of news articles shared on Mastodon.
  Articles hosted outside the fediverse can indicate a fediverse author with a meta tag:

  <meta name="fediverse:creator" content="username@domain" />

  On the API side, this is represented by a new authors attribute to the PreviewCard entity: https://docs.joinmastodon.org/entities/PreviewCard/#authors\
  Note that this feature is still work in progress and the tagging format and verification mechanisms may change in future releases.

• Add in-app notifications for moderation actions and warnings (#30065, #30082, and #30081 by @ClearlyClaire)
  In addition to email notifications, also notify users of moderation actions or warnings against them directly within the app, so they are less likely to miss important communication from their moderators.
  This adds the moderation_warning notification type to the REST API and streaming, with a new moderation_warning attribute.

• Add domain information to profiles in web UI (#29602 by @Gargron)
  Clicking the domain of a user in their profile will now open a tooltip with a short explanation about servers and federation.

• Add ability to reorder upload...

v4.2.12

Note

This is a hotfix release for an issue introduced in 4.2.11.

Changelog (v4.2.12)

Fixed

• Fix broken notifications for mentions from local moderators (ClearlyClaire)

Changelog (v4.2.11)

Added

• Add support for incoming <s> tag (mediaformat)

Changed

• Change logic of block/mute bypass for mentions from moderators to only apply to visible roles with moderation powers (ClearlyClaire)

Fixed

• Fix incorrect rate limit on PUT requests (ClearlyClaire)
• Fix presence of ß in adjacent word preventing mention and hashtag matching (adamniedzielski)
• Fix processing of webfinger responses with multiple self links (adamniedzielski)
• Fix duplicate orderedItems in user archive's outbox.json (ClearlyClaire)
• Fix click event handling when clicking outside of an open dropdown menu (ClearlyClaire)
• Fix status processing failing halfway when a remote post has a malformed replies attribute (ClearlyClaire)
• Fix --verbose option of tootctl media remove, which was previously erroneously removed (mjankowski)
• Fix division by zero on some video/GIF files (ClearlyClaire)
• Fix Web UI trying to save user settings despite being logged out (ClearlyClaire)
• Fix hashtag regexp matching some link anchors (ClearlyClaire)
• Fix local account search on LDAP login being case-sensitive (raucao)
• Fix development environment admin account not being auto-approved (ClearlyClaire)
• Fix report reason selector in moderation interface not unselecting rules when changing category (ClearlyClaire)
• Fix already-invalid reports failing to resolve (ClearlyClaire)
• Fix OCR when using S3/CDN for assets (vmstan)
• Fix error when encountering malformed Tag objects from Kbin (ShadowJonathan)
• Fix not all allowed image formats showing in file picker when uploading custom emoji (june128)
• Fix search popout listing unusable search options when logged out (ClearlyClaire)
• Fix processing of featured collections lacking an items attribute (tribela)
• Fix mastodon:stats decoration of stats rake task (mjankowski)

Upgrade notes

To get the code for v4.2.12, use git fetch && git checkout v4.2.12.

Note

As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump

Important

Since v4.2.10, Mastodon is now performing stricter checks to prevent client IP address spoofing. This means that if one of your reverse proxy is not on Mastodon's local network, you will need to set TRUSTED_PROXY_IP accordingly, listing the IP address of every trusted reverse-proxy (including local network ones). See the documentation for more information.

Dependencies

With the exception of Ruby's recommended version, external dependencies have not changed since v4.2.0, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:

• Ruby: 3.0 to 3.2
• PostgreSQL: 10 or newer
• Elasticsearch (recommended, for full-text search): 7.x (OpenSearch should also work)
• LibreTranslate (optional, for translations): 1.3.3 or newer
• Redis: 4 or newer
• Node: 16 or newer
• ImageMagick: 6.9.7-7 or newer

Update steps

Tip

The charlock_holmes gem may fail to build on some systems with recent versions of gcc.
If you run into such an issue, try BUNDLE_BUILD__CHARLOCK_HOLMES="--with-cxxflags=-std=c++17" bundle install.

The following instructions are for updating from 4.2.10 or 4.2.11.

If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.

Non-Docker only:

1. Install dependencies: bundle install and yarn install --frozen-lockfile
2. Precompile the assets: RAILS_ENV=production bundle exec rails assets:precompile
3. Restart all Mastodon processes

Using Docker:

1. Restart all Mastodon processes

v4.2.11

Warning

This release has a known issue, causing mentions from local users with elevated roles failing to generate notifications.

Changelog

Added

• Add support for incoming <s> tag (mediaformat)

Changed

• Change logic of block/mute bypass for mentions from moderators to only apply to visible roles with moderation powers (ClearlyClaire)

Fixed

• Fix incorrect rate limit on PUT requests (ClearlyClaire)
• Fix presence of ß in adjacent word preventing mention and hashtag matching (adamniedzielski)
• Fix processing of webfinger responses with multiple self links (adamniedzielski)
• Fix duplicate orderedItems in user archive's outbox.json (ClearlyClaire)
• Fix click event handling when clicking outside of an open dropdown menu (ClearlyClaire)
• Fix status processing failing halfway when a remote post has a malformed replies attribute (ClearlyClaire)
• Fix --verbose option of tootctl media remove, which was previously erroneously removed (mjankowski)
• Fix division by zero on some video/GIF files (ClearlyClaire)
• Fix Web UI trying to save user settings despite being logged out (ClearlyClaire)
• Fix hashtag regexp matching some link anchors (ClearlyClaire)
• Fix local account search on LDAP login being case-sensitive (raucao)
• Fix development environment admin account not being auto-approved (ClearlyClaire)
• Fix report reason selector in moderation interface not unselecting rules when changing category (ClearlyClaire)
• Fix already-invalid reports failing to resolve (ClearlyClaire)
• Fix OCR when using S3/CDN for assets (vmstan)
• Fix error when encountering malformed Tag objects from Kbin (ShadowJonathan)
• Fix not all allowed image formats showing in file picker when uploading custom emoji (june128)
• Fix search popout listing unusable search options when logged out (ClearlyClaire)
• Fix processing of featured collections lacking an items attribute (tribela)
• Fix mastodon:stats decoration of stats rake task (mjankowski)

Upgrade notes

To get the code for v4.2.11, use git fetch && git checkout v4.2.11.

Note

As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump

Important

Since v4.2.10, Mastodon is now performing stricter checks to prevent client IP address spoofing. This means that if one of your reverse proxy is not on Mastodon's local network, you will need to set TRUSTED_PROXY_IP accordingly, listing the IP address of every trusted reverse-proxy (including local network ones). See the documentation for more information.

Dependencies

With the exception of Ruby's recommended version, external dependencies have not changed since v4.2.0, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:

• Ruby: 3.0 to 3.2
• PostgreSQL: 10 or newer
• Elasticsearch (recommended, for full-text search): 7.x (OpenSearch should also work)
• LibreTranslate (optional, for translations): 1.3.3 or newer
• Redis: 4 or newer
• Node: 16 or newer
• ImageMagick: 6.9.7-7 or newer

Update steps

Tip

The charlock_holmes gem may fail to build on some systems with recent versions of gcc.
If you run into such an issue, try BUNDLE_BUILD__CHARLOCK_HOLMES="--with-cxxflags=-std=c++17" bundle install.

The following instructions are for updating from 4.2.10.

If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.

Non-Docker only:

1. Install dependencies: bundle install and yarn install --frozen-lockfile
2. Precompile the assets: RAILS_ENV=production bundle exec rails assets:precompile
3. Restart all Mastodon processes

Using Docker:

1. Restart all Mastodon processes

v4.1.19

Changelog

Fixed

• Fix incorrect rate limit on PUT requests (ClearlyClaire)
• Fix presence of ß in adjacent word preventing mention and hashtag matching (adamniedzielski)
• Fix processing of webfinger responses with multiple self links (adamniedzielski)
• Fix status processing failing halfway when a remote post has a malformed replies attribute (ClearlyClaire)
• Fix division by zero on some video/GIF files (ClearlyClaire)
• Fix hashtag regexp matching some link anchors (ClearlyClaire)
• Fix local account search on LDAP login being case-sensitive (raucao)
• Fix development environment admin account not being auto-approved (ClearlyClaire)
• Fix report reason selector in moderation interface not unselecting rules when changing category (ClearlyClaire)
• Fix already-invalid reports failing to resolve (ClearlyClaire)
• Fix OCR when using S3/CDN for assets (vmstan)
• Fix error when encountering malformed Tag objects from Kbin (ShadowJonathan)
• Fix not all allowed image formats showing in file picker when uploading custom emoji (june128)

Upgrade notes

To get the code for v4.1.19, use git fetch && git checkout v4.1.19.

Note

As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump

Important

Since v4.1.18, Mastodon is now performing stricter checks to prevent client IP address spoofing. This means that if one of your reverse proxy is not on Mastodon's local network, you will need to set TRUSTED_PROXY_IP accordingly, listing the IP address of every trusted reverse-proxy (including local network ones). See the documentation for more information.

Dependencies

Warning

The minimum required Ruby version has been bumped to 3.0 in Mastodon v4.1.14.

External dependencies have not changed compared to v4.1.14, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:

• Ruby: 3.0
• PostgreSQL: 9.5 or newer
• Elasticsearch (optional, for full-text search): 7.x
• Redis: 4 or newer
• Node: >= 14, < 18
• ImageMagick: 6.9.7-7 or newer

Update steps

The following instructions are for updating from 4.1.18.

If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.

Non-Docker only:

1. Install dependencies: bundle install and yarn install --frozen-lockfile
2. Precompile the assets: RAILS_ENV=production bundle exec rails assets:precompile

Both Docker and non-Docker:

1. Restart all Mastodon processes

v4.2.10

Warning

This release is an important security release fixing a major security issue.

A corresponding security release is available for the 4.1.x branch.

Note

If you are using nightly builds, do not use this release but update to nightly.2024-07-05-security or newer instead. If you are on the main branch, update to the latest commit.

Changelog

Security

• Fix incorrect permission checking on multiple API endpoints (GHSA-58x8-3qxw-6hm7)
• Fix incorrect authorship checking when processing some activities (CVE-2024-37903, GHSA-xjvf-fm67-4qc3)
• Fix ongoing streaming sessions not being invalidated when application tokens get revoked (GHSA-vp5r-5pgw-jwqx)
• Update dependencies

Added

• Add yarn version specification to avoid confusion with Yarn 3 and Yarn 4

Changed

• Change preview cards generation to skip unusually long URLs (oneiros)
• Change search modifiers to be case-insensitive (Gargron)
• Change STATSD_ADDR handling to emit a warning rather than crashing if the address is unreachable (timothyjrogers)
• Change PWA start URL from /home to / (ClearlyClaire)

Removed

• Removed dependency on posix-spawn (ClearlyClaire)

Fixed

• Fix scheduled statuses scheduled in less than 5 minutes being immediately published (danielmbrasil)
• Fix encoding detection for link cards (oneiros)
• Fix /admin/accounts/:account_id/statuses/:id for edited posts with media attachments (ClearlyClaire)
• Fix duplicate @context attribute in user archive export (ClearlyClaire)

Upgrade notes

To get the code for v4.2.10, use git fetch && git checkout v4.2.10.

Note

As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump

Important

Mastodon is now performing stricter checks to prevent client IP address spoofing. This means that if one of your reverse proxy is not on Mastodon's local network, you will need to set TRUSTED_PROXY_IP accordingly, listing the IP address of every trusted reverse-proxy (including local network ones). See the documentation for more information.

Dependencies

With the exception of Ruby's recommended version, external dependencies have not changed since v4.2.0, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:

• Ruby: 3.0 to 3.2
• PostgreSQL: 10 or newer
• Elasticsearch (recommended, for full-text search): 7.x (OpenSearch should also work)
• LibreTranslate (optional, for translations): 1.3.3 or newer
• Redis: 4 or newer
• Node: 16 or newer
• ImageMagick: 6.9.7-7 or newer

Update steps

Tip

The charlock_holmes gem may fail to build on some systems with recent versions of gcc.
If you run into such an issue, try BUNDLE_BUILD__CHARLOCK_HOLMES="--with-cxxflags=-std=c++17" bundle install.

The following instructions are for updating from 4.2.9.

If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.

Non-Docker only:

1. Install dependencies: bundle install and yarn install --frozen-lockfile
2. Restart all Mastodon processes

Using Docker:

1. Restart all Mastodon processes

v4.1.18

Warning

This release is an important security release fixing a major security issue.

A corresponding security release is available for the 4.2.x branch.

Changelog

Security

• Fix incorrect permission checking on multiple API endpoints (GHSA-58x8-3qxw-6hm7)
• Fix incorrect authorship checking when processing some activities (CVE-2024-37903, GHSA-xjvf-fm67-4qc3)
• Fix ongoing streaming sessions not being invalidated when application tokens get revoked (GHSA-vp5r-5pgw-jwqx)
• Update dependencies

Changed

• Change preview cards generation to skip unusually long URLs (oneiros)
• Change search modifiers to be case-insensitive (Gargron)
• Change STATSD_ADDR handling to emit a warning rather than crashing if the address is unreachable (timothyjrogers)
• Change PWA start URL from /home to / (ClearlyClaire)

Fixed

• Fix scheduled statuses scheduled in less than 5 minutes being immediately published (danielmbrasil)
• Fix encoding detection for link cards (oneiros)
• Fix /admin/accounts/:account_id/statuses/:id for edited posts with media attachments (ClearlyClaire)

Upgrade notes

To get the code for v4.1.18, use git fetch && git checkout v4.1.18.

Note

As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump

Important

Mastodon is now performing stricter checks to prevent client IP address spoofing. This means that if one of your reverse proxy is not on Mastodon's local network, you will need to set TRUSTED_PROXY_IP accordingly, listing the IP address of every trusted reverse-proxy (including local network ones). See the documentation for more information.

Dependencies

Warning

The minimum required Ruby version has been bumped to 3.0 in Mastodon v4.1.14.

External dependencies have not changed compared to v4.1.14, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:

• Ruby: 3.0
• PostgreSQL: 9.5 or newer
• Elasticsearch (optional, for full-text search): 7.x
• Redis: 4 or newer
• Node: >= 14, < 18
• ImageMagick: 6.9.7-7 or newer

Update steps

The following instructions are for updating from 4.1.17.

If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.

Non-Docker only:

1. Install dependencies: bundle install and yarn install --frozen-lockfile

Both Docker and non-Docker:

1. Restart all Mastodon processes

v4.2.9

Changelog

Security

• Update dependencies
• Fix private mention filtering (GHSA-5fq7-3p3j-9vrf)
• Fix password change endpoint not being rate-limited (GHSA-q3rg-xx5v-4mxh)
• Add hardening around rate-limit bypass (GHSA-c2r5-cfqr-c553)

Added

• Add rate-limit on OAuth application registration (ThisIsMissEm)
• Add fallback redirection when getting a webfinger query WEB_DOMAIN@WEB_DOMAIN (ClearlyClaire)
• Add digest attribute to Admin::DomainBlock entity in REST API (ThisIsMissEm)

Removed

• Remove superfluous application-level caching in some controllers (ClearlyClaire)
• Remove aggressive OAuth application vacuuming (ThisIsMissEm)

Fixed

• Fix leaking Elasticsearch connections in Sidekiq processes (ClearlyClaire)
• Fix language of remote posts not being recognized when using unusual casing (ClearlyClaire)
• Fix off-by-one in tootctl media commands (ClearlyClaire)
• Fix removal of allowed domains (in LIMITED_FEDERATION_MODE) not being recorded in the audit log (ThisIsMissEm)
• Fix not being able to block a subdomain of an already-blocked domain through the API (ClearlyClaire)
• Fix Idempotency-Key being ignored when scheduling a post (ClearlyClaire)
• Fix crash when supplying the FFMPEG_BINARY environment variable (timothyjrogers)
• Fix improper email address validation (ClearlyClaire)
• Fix results/query in api/v1/featured_tags/suggestions (mjankowski)
• Fix unblocking internationalized domain names under certain conditions (tribela)
• Fix admin account created by mastodon:setup not being auto-approved (ClearlyClaire)
• Fix reference to non-existent var in CLI maintenance command (mjankowski)

Upgrade notes

To get the code for v4.2.9, use git fetch && git checkout v4.2.9.

Note

As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump

Important

Mastodon is now performing stricter checks to prevent client IP address spoofing. This means that if one of your reverse proxy is not on Mastodon's local network, you will need to set TRUSTED_PROXY_IP accordingly, listing the IP address of every trusted reverse-proxy (including local network ones). See the documentation for more information.

Dependencies

With the exception of Ruby's recommended version, external dependencies have not changed since v4.2.0, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:

• Ruby: 3.0 to 3.2
• PostgreSQL: 10 or newer
• Elasticsearch (recommended, for full-text search): 7.x (OpenSearch should also work)
• LibreTranslate (optional, for translations): 1.3.3 or newer
• Redis: 4 or newer
• Node: 16 or newer
• ImageMagick: 6.9.7-7 or newer

Update steps

The following instructions are for updating from 4.2.8.

If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.

Non-Docker only:

1. Install dependencies: bundle install and yarn install --frozen-lockfile
2. Restart all Mastodon processes

Using Docker:

1. Restart all Mastodon processes

v4.1.17

Changelog

Security

• Update dependencies
• Fix private mention filtering (GHSA-5fq7-3p3j-9vrf)
• Fix password change endpoint not being rate-limited (GHSA-q3rg-xx5v-4mxh)
• Add hardening around rate-limit bypass (GHSA-c2r5-cfqr-c553)

Added

• Add fallback redirection when getting a webfinger query WEB_DOMAIN@WEB_DOMAIN (ClearlyClaire)
• Add digest attribute to Admin::DomainBlock entity in REST API (ThisIsMissEm)

Removed

• Remove superfluous application-level caching in some controllers (ClearlyClaire)

Fixed

• Fix leaking Elasticsearch connections in Sidekiq processes (ClearlyClaire)
• Fix language of remote posts not being recognized when using unusual casing (ClearlyClaire)
• Fix off-by-one in tootctl media commands (ClearlyClaire)
• Fix removal of allowed domains (in LIMITED_FEDERATION_MODE) not being recorded in the audit log (ThisIsMissEm)
• Fix not being able to block a subdomain of an already-blocked domain through the API (ClearlyClaire)
• Fix Idempotency-Key being ignored when scheduling a post (ClearlyClaire)
• Fix crash when supplying the FFMPEG_BINARY environment variable (timothyjrogers)
• Fix improper email address validation (ClearlyClaire)
• Fix results/query in api/v1/featured_tags/suggestions (mjankowski)
• Fix unblocking internationalized domain names under certain conditions (tribela)
• Fix admin account created by mastodon:setup not being auto-approved (ClearlyClaire)
• Fix reference to non-existent var in CLI maintenance command (mjankowski)

Upgrade notes

To get the code for v4.1.17, use git fetch && git checkout v4.1.17.

Note

As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump

Important

Mastodon is now performing stricter checks to prevent client IP address spoofing. This means that if one of your reverse proxy is not on Mastodon's local network, you will need to set TRUSTED_PROXY_IP accordingly, listing the IP address of every trusted reverse-proxy (including local network ones). See the documentation for more information.

Dependencies

Warning

The minimum required Ruby version has been bumped to 3.0 in Mastodon v4.1.14.

External dependencies have not changed compared to v4.1.14, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:

• Ruby: 3.0
• PostgreSQL: 9.5 or newer
• Elasticsearch (optional, for full-text search): 7.x
• Redis: 4 or newer
• Node: >= 14, < 18
• ImageMagick: 6.9.7-7 or newer

Update steps

The following instructions are for updating from 4.1.16.

If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.

Non-Docker only:

1. Install dependencies: bundle install and yarn install --frozen-lockfile

Both Docker and non-Docker:

1. Restart all Mastodon processes

v4.2.8

Warning

We recently released important security updates fixing major security updates. If you are using Mastodon v4.2.6 or below, v4.1.14 or below, or any older version, please update as soon as possible.

See updates for the 4.1.x branch, the 4.0.x branch and the 3.5.x branch.

Changelog

Important

This update changes registrations to be closed by default.

Running a social media platform where anyone can sign up without active moderation is dangerous.

We are changing the default, so that opening registrations is always a conscious choice. If you have never changed or saved the registrations mode yourself, this update will switch your server to not accepting new users. Simply change the setting again after the update if you wish to restore the old behaviour.

Added

• Add hourly task to automatically require approval for new registrations in the absence of moderators (ClearlyClaire, ClearlyClaire)
  In order to prevent future abandoned Mastodon servers from being used for spam, harassment and other malicious activity, Mastodon will now automatically switch new user registrations to require moderator approval whenever they are left open and no activity (including non-moderation actions from apps) from any logged-in user with permission to access moderation reports has been detected in a full week.
  When this happens, users with the permission to change server settings will receive an email notification.
  This feature is disabled when EMAIL_DOMAIN_ALLOWLIST is used, and can also be disabled with DISABLE_AUTOMATIC_SWITCHING_TO_APPROVED_REGISTRATIONS=true.

Changed

• Change registrations to be closed by default on new installations (ClearlyClaire)
  If you are running a server and never changed your registrations mode from the default, updating will automatically close your registrations.
  Simply re-enable them through the administration interface or using tootctl settings registrations open if you want to enable them again.

Fixed

• Fix processing of remote ActivityPub actors making use of Link objects as Image url (ClearlyClaire)
• Fix link verifications when page size exceeds 1MB (ClearlyClaire)

Moderation tooling

While we work on better tools to fight spam and abuse, we want to draw your attention to the tools already at your disposal:

• Manual review for new user registrations
• Blocking disposable/temporary e-mail providers (such as any.pink being used in the current wave)
• Setting up hCaptcha

Known issues

When setting up a new server, the admin account created by the mastodon:setup task will not be automatically approved. You will need to approve it from the command-line interface with RAILS_ENV=production bin/tootctl accounts modify <username> --approve.

Upgrade notes

To get the code for v4.2.8, use git fetch && git checkout v4.2.8.

Note

As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump

Dependencies

With the exception of Ruby's recommended version, external dependencies have not changed since v4.2.0, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:

• Ruby: 3.0 to 3.2
• PostgreSQL: 10 or newer
• Elasticsearch (recommended, for full-text search): 7.x (OpenSearch should also work)
• LibreTranslate (optional, for translations): 1.3.3 or newer
• Redis: 4 or newer
• Node: 16 or newer
• ImageMagick: 6.9.7-7 or newer

Update steps

The following instructions are for updating from 4.2.7.

If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.

Non-Docker only:

1. Install dependencies: bundle install and yarn install --frozen-lockfile
2. Precompile the assets: RAILS_ENV=production bundle exec rails assets:precompile
3. Restart all Mastodon processes

Using Docker:

1. Restart all Mastodon processes

v4.1.16

Warning

We recently released important security updates fixing major security updates. If you are using Mastodon v4.2.6 or below, v4.1.14 or below, or any older version, please update as soon as possible.

See updates for the 4.2.x branch, the 4.0.x branch and the 3.5.x branch.

Changelog

Important

This update changes registrations to be closed by default.

Running a social media platform where anyone can sign up without active moderation is dangerous.

We are changing the default, so that opening registrations is always a conscious choice. If you have never changed or saved the registrations mode yourself, this update will switch your server to not accepting new users. Simply change the setting again after the update if you wish to restore the old behaviour.

Added

• Add hourly task to automatically require approval for new registrations in the absence of moderators (ClearlyClaire, ClearlyClaire)
  In order to prevent future abandoned Mastodon servers from being used for spam, harassment and other malicious activity, Mastodon will now automatically switch new user registrations to require moderator approval whenever they are left open and no activity (including non-moderation actions from apps) from any logged-in user with permission to access moderation reports has been detected in a full week.
  When this happens, users with the permission to change server settings will receive an email notification.
  This feature is disabled when EMAIL_DOMAIN_ALLOWLIST is used, and can also be disabled with DISABLE_AUTOMATIC_SWITCHING_TO_APPROVED_REGISTRATIONS=true.

Changed

• Change registrations to be closed by default on new installations (ClearlyClaire)
  If you are running a server and never changed your registrations mode from the default, updating will automatically close your registrations.
  Simply re-enable them through the administration interface or using tootctl settings registrations open if you want to enable them again.

Fixed

• Fix processing of remote ActivityPub actors making use of Link objects as Image url (ClearlyClaire)
• Fix link verifications when page size exceeds 1MB (ClearlyClaire)

Moderation tooling

While we work on better tools to fight spam and abuse, we want to draw your attention to the tools already at your disposal:

• Manual review for new user registrations
• Blocking disposable/temporary e-mail providers (such as any.pink being used in the current wave)
• Setting up hCaptcha

Known issues

When setting up a new server, the admin account created by the mastodon:setup task will not be automatically approved. You will need to approve it from the command-line interface with tootctl modify <username> --approved.

Upgrade notes

To get the code for v4.1.16, use git fetch && git checkout v4.1.16.

Note

As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump

Dependencies

Warning

The minimum required Ruby version has been bumped to 3.0 in Mastodon v4.1.14.

External dependencies have not changed compared to v4.1.14, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:

• Ruby: 3.0
• PostgreSQL: 9.5 or newer
• Elasticsearch (optional, for full-text search): 7.x
• Redis: 4 or newer
• Node: >= 14, < 18
• ImageMagick: 6.9.7-7 or newer

Update steps

The following instructions are for updating from 4.1.15.

If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.

Non-Docker only:

1. Install dependencies: bundle install and yarn install --frozen-lockfile

Both Docker and non-Docker:

1. Restart all Mastodon processes