Skip to content

Releases: mastodon/mastodon

v4.3.0-rc.1

30 Sep 11:01
@ClearlyClaire ClearlyClaire
v4.3.0-rc.1
0321008
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.
Compare
Choose a tag to compare
v4.3.0-rc.1 Pre-release
Pre-release

Mastodon

Warning

This is a pre-release! This has not been as widely tested as regular releases, although it is still tested on mastodon.social and some other servers. If you update to this release, you will not be able to safely downgrade to the existing stable releases. You will, however, be able to upgrade to later nightly releases, prereleases as well as the upcoming 4.3.0 stable release.

Upgrade overview

This release contains upgrade notes that deviate from the norm:

‼️ Requires new encryption secrets environment variables
⚠️ The minimal supported version for PostgreSQL has been bumped to 12
⚠️ The minimal supported version for Ruby has been bumped to 3.1
⚠️ The minimal supported version for Node.js has been bumped to 18
⚠️ Requires rebuilding Elasticsearch accounts index
⚠️ We switched from yarn 1 to yarn 4, and recommend using corepack
⚠️ The Docker image has been split in two separate images
⚠️ Rolling updates from versions earlier than Mastodon 4.2 are not supported
⚠️ StatsD integration has been removed, replaced by OpenTelemetry integration
⚠️ ImageMagick is being deprecated and may be removed in a future version
ℹ️ Requires streaming API restart
ℹ️ Requires database migrations
ℹ️ The logging format of the streaming server has changed

For more information, scroll down to the upgrade instructions section.

Changelog (v4.3.0-rc.1)

Security

Added

  • Add “A Mastodon update is available.” message on admin dashboard for non-bugfix updates (#32106 by @ClearlyClaire)
  • Add ability to view alt text by clicking the ALT badge in web UI (#32058 by @Gargron)
  • Add preview of followers removed in domain block modal in web UI (#32032 and #32105 by @ClearlyClaire and @Gargron)
  • Add server-side notification grouping for follow notifications (#32085 by @renchap)
  • Add reblogs and favourites counts to statuses in ActivityPub (#32007 by @Gargron)
  • Add OTEL_SERVICE_NAME_SEPARATOR to further customize OpenTelemetry service names (#31998 by @timetinytim)

Changed

Fixed

  • Fix missing permission on new embeds making them unclickable (#32135 by @Gargron)
  • Fix missing border in some admin UI tables (#32128 by @mjankowski)
  • Fix recently used tags hint being displayed in profile edition page when there is none (#32120 by @mjankowski)
  • Fix checkbox lists on narrow screens in the settings interface (#32112 by @mjankowski)
  • Fix scrollbar width (#32091 by @ClearlyClaire)
  • Fix typo causing incorrect error being raised in blurhash processing failure (#32104 by @ClearlyClaire)
  • Fix the position of status action buttons being affected by interaction counters (#32084 by @renchap)
  • Fix too many requests caused by relationship look-ups in web UI (#32042 by @Gargron)
  • Fix wrapping in dashboard quick access buttons (#32043 by @renchap)
  • Fix the summary of converted ActivityPub object types to be treated as HTML (#28629 by @Menrath)
  • Fix error when accepting an appeal for sensitive posts deleted in the meantime (#32037 by @ClearlyClaire)
  • Fix multiple bugs in notification requests and notification policies (#32062 by @ClearlyClaire)
  • Fix error when encountering reblog of deleted post in feed rebuild (#32001 by @ClearlyClaire)
  • Fix links for reblogs in moderation interface (#31979 by @ClearlyClaire)
  • Fix Safari browser glitch related to horizontal scrolling (#31960 by @Gargron)
  • Fix the appearance of avatars when they do not load (#31966 by @renchap)
  • Fix spurious error notifications for aborted requests in web UI (#31952 by @c960657)

Removed

Changelog (v4.3.0-beta.2)

Security

Added

Changed

Fixed

Read more

Contributors

mjankowski, flavorjones, and 63 other contributors
Assets 2
Loading

v4.2.13

30 Sep 11:50
@ClearlyClaire ClearlyClaire
v4.2.13
7e47439
Compare
Choose a tag to compare
v4.2.13 Latest
Latest

Mastodon

Changelog

Security

Added

  • Add “A Mastodon update is available.” message on admin dashboard for non-bugfix updates (#32106 by @ClearlyClaire)

Changed

Fixed

  • Fix replies collection being cached improperly
  • Fix security context sometimes not being added in LD-Signed activities (#31871 by @ClearlyClaire)
  • Fix error when encountering reblog of deleted post in feed rebuild (#32001 by @ClearlyClaire)

Upgrade notes

To get the code for v4.2.13, use git fetch && git checkout v4.2.13.

Note

As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump

Important

Since v4.2.10, Mastodon is now performing stricter checks to prevent client IP address spoofing. This means that if one of your reverse proxy is not on Mastodon's local network, you will need to set TRUSTED_PROXY_IP accordingly, listing the IP address of every trusted reverse-proxy (including local network ones). See the documentation for more information.

Dependencies

With the exception of Ruby's recommended version, external dependencies have not changed since v4.2.0, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:

  • Ruby: 3.0 to 3.2
  • PostgreSQL: 10 or newer
  • Elasticsearch (recommended, for full-text search): 7.x (OpenSearch should also work)
  • LibreTranslate (optional, for translations): 1.3.3 or newer
  • Redis: 4 or newer
  • Node: 16 or newer
  • ImageMagick: 6.9.7-7 or newer

Update steps

Tip

The charlock_holmes gem may fail to build on some systems with recent versions of gcc.
If you run into such an issue, try BUNDLE_BUILD__CHARLOCK_HOLMES="--with-cxxflags=-std=c++17" bundle install.

The following instructions are for updating from 4.2.12.

If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.

Non-Docker only:

  1. Install dependencies: bundle install and yarn install --frozen-lockfile
  2. Restart all Mastodon processes

Using Docker:

  1. Restart all Mastodon processes

Contributors

ClearlyClaire
Assets 2
Loading

v4.1.20

30 Sep 11:47
@ClearlyClaire ClearlyClaire
v4.1.20
9da2711
Compare
Choose a tag to compare
v4.1.20

Mastodon

Changelog

Security

Changed

Fixed

  • Fix replies collection being cached improperly
  • Fix security context sometimes not being added in LD-Signed activities (#31871 by @ClearlyClaire)
  • Fix error when encountering reblog of deleted post in feed rebuild (#32001 by @ClearlyClaire)

Upgrade notes

To get the code for v4.1.20, use git fetch && git checkout v4.1.20.

Note

As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump

Important

Since v4.1.18, Mastodon is now performing stricter checks to prevent client IP address spoofing. This means that if one of your reverse proxy is not on Mastodon's local network, you will need to set TRUSTED_PROXY_IP accordingly, listing the IP address of every trusted reverse-proxy (including local network ones). See the documentation for more information.

Dependencies

Warning

The minimum required Ruby version has been bumped to 3.0 in Mastodon v4.1.14.

External dependencies have not changed compared to v4.1.14, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:

  • Ruby: 3.0
  • PostgreSQL: 9.5 or newer
  • Elasticsearch (optional, for full-text search): 7.x
  • Redis: 4 or newer
  • Node: >= 14, < 18
  • ImageMagick: 6.9.7-7 or newer

Update steps

The following instructions are for updating from 4.1.19.

If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.

Non-Docker only:

  1. Install dependencies: bundle install and yarn install --frozen-lockfile

Both Docker and non-Docker:

  1. Restart all Mastodon processes

Contributors

ClearlyClaire
Assets 2
Loading

v4.3.0-beta.2

17 Sep 15:53
@ClearlyClaire ClearlyClaire
v4.3.0-beta.2
3e91c10
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.
Compare
Choose a tag to compare
v4.3.0-beta.2 Pre-release
Pre-release

Mastodon

Warning

This is a pre-release! This has not been as widely tested as regular releases, although it is still tested on mastodon.social and some other servers. If you update to this release, you will not be able to safely downgrade to the existing stable releases. You will, however, be able to upgrade to later nightly releases, prereleases as well as the upcoming 4.3.0 stable release.

Upgrade overview

This release contains upgrade notes that deviate from the norm:

‼️ Requires new encryption secrets environment variables
⚠️ The minimal supported version for PostgreSQL has been bumped to 12
⚠️ The minimal supported version for Ruby has been bumped to 3.1
⚠️ The minimal supported version for Node.js has been bumped to 18
⚠️ Requires rebuilding Elasticsearch accounts index
⚠️ We switched from yarn 1 to yarn 4, and recommend using corepack
⚠️ The Docker image has been split in two separate images
⚠️ Rolling updates from versions earlier than Mastodon 4.2 are not supported
⚠️ StatsD integration has been removed, replaced by OpenTelemetry integration
⚠️ ImageMagick is being deprecated and may be removed in a future version
ℹ️ Requires streaming API restart
ℹ️ Requires database migrations
ℹ️ The logging format of the streaming server has changed

For more information, scroll down to the upgrade instructions section.

Changelog (v4.3.0-beta.2)

Security

Added

Changed

Fixed

Changelog (v4.3.0-beta.1)

The following changelog entries focus on changes visible to users, administrators, client developers or federated software developers, but there has also been a lot of code modernization, refactoring, and tooling work, in particular by @mjankowski.

Security

  • Add confirmation interstitial instead of silently redirecting logged-out visitors to remote resources (#27792, #28902, and #30651 by @ClearlyClaire and @Gargron)
    This fixes a longstanding open redirect in Mastodon, at the cost of added friction when local links to remote resources are shared.

Added

Read more

Contributors

mjankowski, flavorjones, and 62 other contributors
Assets 2
Loading

v4.3.0-beta.1

23 Aug 16:18
@ClearlyClaire ClearlyClaire
v4.3.0-beta.1
97f6baf
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.
Compare
Choose a tag to compare
v4.3.0-beta.1 Pre-release
Pre-release

Mastodon

Warning

This is a pre-release! This has not been as widely tested as regular releases, although it is still tested on mastodon.social and some other servers. If you update to this release, you will not be able to safely downgrade to the existing stable releases. You will, however, be able to upgrade to later nightly releases, prereleases as well as the upcoming 4.3.0 stable release.

Upgrade overview

This release contains upgrade notes that deviate from the norm:

‼️ Requires new encryption secrets environment variables
⚠️ The minimal supported version for PostgreSQL has been bumped to 12
⚠️ The minimal supported version for Ruby has been bumped to 3.1
⚠️ The minimal supported version for Node.js has been bumped to 18
⚠️ Requires rebuilding Elasticsearch accounts index
⚠️ We switched from yarn 1 to yarn 4, and recommend using corepack
⚠️ The Docker image has been split in two separate images
⚠️ Rolling updates from versions earlier than Mastodon 4.2 are not supported
⚠️ StatsD integration has been removed, replaced by OpenTelemetry integration
⚠️ ImageMagick is being deprecated and may be removed in a future version
ℹ️ Requires streaming API restart
ℹ️ Requires database migrations
ℹ️ The logging format of the streaming server has changed

For more information, scroll down to the upgrade instructions section.

Changelog

The following changelog entries focus on changes visible to users, administrators, client developers or federated software developers, but there has also been a lot of code modernization, refactoring, and tooling work, in particular by @mjankowski.

Security

  • Add confirmation interstitial instead of silently redirecting logged-out visitors to remote resources (#27792, #28902, and #30651 by @ClearlyClaire and @Gargron)
    This fixes a longstanding open redirect in Mastodon, at the cost of added friction when local links to remote resources are shared.

Added

Read more

Contributors

mjankowski, jippi, and 59 other contributors
Assets 2
Loading

v4.2.12

19 Aug 09:18
@ClearlyClaire ClearlyClaire
v4.2.12
f9a929e
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.
Compare
Choose a tag to compare
v4.2.12

Mastodon

Note

This is a hotfix release for an issue introduced in 4.2.11.

Changelog (v4.2.12)

Fixed

  • Fix broken notifications for mentions from local moderators (ClearlyClaire)

Changelog (v4.2.11)

Added

Changed

  • Change logic of block/mute bypass for mentions from moderators to only apply to visible roles with moderation powers (ClearlyClaire)

Fixed

  • Fix incorrect rate limit on PUT requests (ClearlyClaire)
  • Fix presence of ß in adjacent word preventing mention and hashtag matching (adamniedzielski)
  • Fix processing of webfinger responses with multiple self links (adamniedzielski)
  • Fix duplicate orderedItems in user archive's outbox.json (ClearlyClaire)
  • Fix click event handling when clicking outside of an open dropdown menu (ClearlyClaire)
  • Fix status processing failing halfway when a remote post has a malformed replies attribute (ClearlyClaire)
  • Fix --verbose option of tootctl media remove, which was previously erroneously removed (mjankowski)
  • Fix division by zero on some video/GIF files (ClearlyClaire)
  • Fix Web UI trying to save user settings despite being logged out (ClearlyClaire)
  • Fix hashtag regexp matching some link anchors (ClearlyClaire)
  • Fix local account search on LDAP login being case-sensitive (raucao)
  • Fix development environment admin account not being auto-approved (ClearlyClaire)
  • Fix report reason selector in moderation interface not unselecting rules when changing category (ClearlyClaire)
  • Fix already-invalid reports failing to resolve (ClearlyClaire)
  • Fix OCR when using S3/CDN for assets (vmstan)
  • Fix error when encountering malformed Tag objects from Kbin (ShadowJonathan)
  • Fix not all allowed image formats showing in file picker when uploading custom emoji (june128)
  • Fix search popout listing unusable search options when logged out (ClearlyClaire)
  • Fix processing of featured collections lacking an items attribute (tribela)
  • Fix mastodon:stats decoration of stats rake task (mjankowski)

Upgrade notes

To get the code for v4.2.12, use git fetch && git checkout v4.2.12.

Note

As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump

Important

Since v4.2.10, Mastodon is now performing stricter checks to prevent client IP address spoofing. This means that if one of your reverse proxy is not on Mastodon's local network, you will need to set TRUSTED_PROXY_IP accordingly, listing the IP address of every trusted reverse-proxy (including local network ones). See the documentation for more information.

Dependencies

With the exception of Ruby's recommended version, external dependencies have not changed since v4.2.0, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:

  • Ruby: 3.0 to 3.2
  • PostgreSQL: 10 or newer
  • Elasticsearch (recommended, for full-text search): 7.x (OpenSearch should also work)
  • LibreTranslate (optional, for translations): 1.3.3 or newer
  • Redis: 4 or newer
  • Node: 16 or newer
  • ImageMagick: 6.9.7-7 or newer

Update steps

Tip

The charlock_holmes gem may fail to build on some systems with recent versions of gcc.
If you run into such an issue, try BUNDLE_BUILD__CHARLOCK_HOLMES="--with-cxxflags=-std=c++17" bundle install.

The following instructions are for updating from 4.2.10 or 4.2.11.

If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.

Non-Docker only:

  1. Install dependencies: bundle install and yarn install --frozen-lockfile
  2. Precompile the assets: RAILS_ENV=production bundle exec rails assets:precompile
  3. Restart all Mastodon processes

Using Docker:

  1. Restart all Mastodon processes
Assets 2
Loading

v4.2.11

16 Aug 12:39
@ClearlyClaire ClearlyClaire
v4.2.11
a02ff33
Compare
Choose a tag to compare
v4.2.11

Mastodon

Warning

This release has a known issue, causing mentions from local users with elevated roles failing to generate notifications.

Changelog

Added

Changed

  • Change logic of block/mute bypass for mentions from moderators to only apply to visible roles with moderation powers (ClearlyClaire)

Fixed

  • Fix incorrect rate limit on PUT requests (ClearlyClaire)
  • Fix presence of ß in adjacent word preventing mention and hashtag matching (adamniedzielski)
  • Fix processing of webfinger responses with multiple self links (adamniedzielski)
  • Fix duplicate orderedItems in user archive's outbox.json (ClearlyClaire)
  • Fix click event handling when clicking outside of an open dropdown menu (ClearlyClaire)
  • Fix status processing failing halfway when a remote post has a malformed replies attribute (ClearlyClaire)
  • Fix --verbose option of tootctl media remove, which was previously erroneously removed (mjankowski)
  • Fix division by zero on some video/GIF files (ClearlyClaire)
  • Fix Web UI trying to save user settings despite being logged out (ClearlyClaire)
  • Fix hashtag regexp matching some link anchors (ClearlyClaire)
  • Fix local account search on LDAP login being case-sensitive (raucao)
  • Fix development environment admin account not being auto-approved (ClearlyClaire)
  • Fix report reason selector in moderation interface not unselecting rules when changing category (ClearlyClaire)
  • Fix already-invalid reports failing to resolve (ClearlyClaire)
  • Fix OCR when using S3/CDN for assets (vmstan)
  • Fix error when encountering malformed Tag objects from Kbin (ShadowJonathan)
  • Fix not all allowed image formats showing in file picker when uploading custom emoji (june128)
  • Fix search popout listing unusable search options when logged out (ClearlyClaire)
  • Fix processing of featured collections lacking an items attribute (tribela)
  • Fix mastodon:stats decoration of stats rake task (mjankowski)

Upgrade notes

To get the code for v4.2.11, use git fetch && git checkout v4.2.11.

Note

As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump

Important

Since v4.2.10, Mastodon is now performing stricter checks to prevent client IP address spoofing. This means that if one of your reverse proxy is not on Mastodon's local network, you will need to set TRUSTED_PROXY_IP accordingly, listing the IP address of every trusted reverse-proxy (including local network ones). See the documentation for more information.

Dependencies

With the exception of Ruby's recommended version, external dependencies have not changed since v4.2.0, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:

  • Ruby: 3.0 to 3.2
  • PostgreSQL: 10 or newer
  • Elasticsearch (recommended, for full-text search): 7.x (OpenSearch should also work)
  • LibreTranslate (optional, for translations): 1.3.3 or newer
  • Redis: 4 or newer
  • Node: 16 or newer
  • ImageMagick: 6.9.7-7 or newer

Update steps

Tip

The charlock_holmes gem may fail to build on some systems with recent versions of gcc.
If you run into such an issue, try BUNDLE_BUILD__CHARLOCK_HOLMES="--with-cxxflags=-std=c++17" bundle install.

The following instructions are for updating from 4.2.10.

If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.

Non-Docker only:

  1. Install dependencies: bundle install and yarn install --frozen-lockfile
  2. Precompile the assets: RAILS_ENV=production bundle exec rails assets:precompile
  3. Restart all Mastodon processes

Using Docker:

  1. Restart all Mastodon processes
Assets 2
Loading

v4.1.19

16 Aug 12:39
@ClearlyClaire ClearlyClaire
v4.1.19
33e0745
Compare
Choose a tag to compare
v4.1.19

Mastodon

Changelog

Fixed

  • Fix incorrect rate limit on PUT requests (ClearlyClaire)
  • Fix presence of ß in adjacent word preventing mention and hashtag matching (adamniedzielski)
  • Fix processing of webfinger responses with multiple self links (adamniedzielski)
  • Fix status processing failing halfway when a remote post has a malformed replies attribute (ClearlyClaire)
  • Fix division by zero on some video/GIF files (ClearlyClaire)
  • Fix hashtag regexp matching some link anchors (ClearlyClaire)
  • Fix local account search on LDAP login being case-sensitive (raucao)
  • Fix development environment admin account not being auto-approved (ClearlyClaire)
  • Fix report reason selector in moderation interface not unselecting rules when changing category (ClearlyClaire)
  • Fix already-invalid reports failing to resolve (ClearlyClaire)
  • Fix OCR when using S3/CDN for assets (vmstan)
  • Fix error when encountering malformed Tag objects from Kbin (ShadowJonathan)
  • Fix not all allowed image formats showing in file picker when uploading custom emoji (june128)

Upgrade notes

To get the code for v4.1.19, use git fetch && git checkout v4.1.19.

Note

As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump

Important

Since v4.1.18, Mastodon is now performing stricter checks to prevent client IP address spoofing. This means that if one of your reverse proxy is not on Mastodon's local network, you will need to set TRUSTED_PROXY_IP accordingly, listing the IP address of every trusted reverse-proxy (including local network ones). See the documentation for more information.

Dependencies

Warning

The minimum required Ruby version has been bumped to 3.0 in Mastodon v4.1.14.

External dependencies have not changed compared to v4.1.14, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:

  • Ruby: 3.0
  • PostgreSQL: 9.5 or newer
  • Elasticsearch (optional, for full-text search): 7.x
  • Redis: 4 or newer
  • Node: >= 14, < 18
  • ImageMagick: 6.9.7-7 or newer

Update steps

The following instructions are for updating from 4.1.18.

If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.

Non-Docker only:

  1. Install dependencies: bundle install and yarn install --frozen-lockfile
  2. Precompile the assets: RAILS_ENV=production bundle exec rails assets:precompile

Both Docker and non-Docker:

  1. Restart all Mastodon processes
Assets 2
Loading

v4.2.10

04 Jul 15:03
@ClearlyClaire ClearlyClaire
v4.2.10
a5b4a2b
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.
Compare
Choose a tag to compare
v4.2.10

Mastodon

Warning

This release is an important security release fixing a major security issue.

A corresponding security release is available for the 4.1.x branch.

Note

If you are using nightly builds, do not use this release but update to nightly.2024-07-05-security or newer instead. If you are on the main branch, update to the latest commit.

Changelog

Security

  • Fix incorrect permission checking on multiple API endpoints (GHSA-58x8-3qxw-6hm7)
  • Fix incorrect authorship checking when processing some activities (CVE-2024-37903, GHSA-xjvf-fm67-4qc3)
  • Fix ongoing streaming sessions not being invalidated when application tokens get revoked (GHSA-vp5r-5pgw-jwqx)
  • Update dependencies

Added

  • Add yarn version specification to avoid confusion with Yarn 3 and Yarn 4

Changed

  • Change preview cards generation to skip unusually long URLs (oneiros)
  • Change search modifiers to be case-insensitive (Gargron)
  • Change STATSD_ADDR handling to emit a warning rather than crashing if the address is unreachable (timothyjrogers)
  • Change PWA start URL from /home to / (ClearlyClaire)

Removed

Fixed

  • Fix scheduled statuses scheduled in less than 5 minutes being immediately published (danielmbrasil)
  • Fix encoding detection for link cards (oneiros)
  • Fix /admin/accounts/:account_id/statuses/:id for edited posts with media attachments (ClearlyClaire)
  • Fix duplicate @context attribute in user archive export (ClearlyClaire)

Upgrade notes

To get the code for v4.2.10, use git fetch && git checkout v4.2.10.

Note

As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump

Important

Mastodon is now performing stricter checks to prevent client IP address spoofing. This means that if one of your reverse proxy is not on Mastodon's local network, you will need to set TRUSTED_PROXY_IP accordingly, listing the IP address of every trusted reverse-proxy (including local network ones). See the documentation for more information.

Dependencies

With the exception of Ruby's recommended version, external dependencies have not changed since v4.2.0, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:

  • Ruby: 3.0 to 3.2
  • PostgreSQL: 10 or newer
  • Elasticsearch (recommended, for full-text search): 7.x (OpenSearch should also work)
  • LibreTranslate (optional, for translations): 1.3.3 or newer
  • Redis: 4 or newer
  • Node: 16 or newer
  • ImageMagick: 6.9.7-7 or newer

Update steps

Tip

The charlock_holmes gem may fail to build on some systems with recent versions of gcc.
If you run into such an issue, try BUNDLE_BUILD__CHARLOCK_HOLMES="--with-cxxflags=-std=c++17" bundle install.

The following instructions are for updating from 4.2.9.

If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.

Non-Docker only:

  1. Install dependencies: bundle install and yarn install --frozen-lockfile
  2. Restart all Mastodon processes

Using Docker:

  1. Restart all Mastodon processes
Assets 2
Loading

v4.1.18

04 Jul 15:10
@ClearlyClaire ClearlyClaire
v4.1.18
ff90ebf
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.
Compare
Choose a tag to compare
v4.1.18

Mastodon

Warning

This release is an important security release fixing a major security issue.

A corresponding security release is available for the 4.2.x branch.

Changelog

Security

  • Fix incorrect permission checking on multiple API endpoints (GHSA-58x8-3qxw-6hm7)
  • Fix incorrect authorship checking when processing some activities (CVE-2024-37903, GHSA-xjvf-fm67-4qc3)
  • Fix ongoing streaming sessions not being invalidated when application tokens get revoked (GHSA-vp5r-5pgw-jwqx)
  • Update dependencies

Changed

  • Change preview cards generation to skip unusually long URLs (oneiros)
  • Change search modifiers to be case-insensitive (Gargron)
  • Change STATSD_ADDR handling to emit a warning rather than crashing if the address is unreachable (timothyjrogers)
  • Change PWA start URL from /home to / (ClearlyClaire)

Fixed

  • Fix scheduled statuses scheduled in less than 5 minutes being immediately published (danielmbrasil)
  • Fix encoding detection for link cards (oneiros)
  • Fix /admin/accounts/:account_id/statuses/:id for edited posts with media attachments (ClearlyClaire)

Upgrade notes

To get the code for v4.1.18, use git fetch && git checkout v4.1.18.

Note

As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump

Important

Mastodon is now performing stricter checks to prevent client IP address spoofing. This means that if one of your reverse proxy is not on Mastodon's local network, you will need to set TRUSTED_PROXY_IP accordingly, listing the IP address of every trusted reverse-proxy (including local network ones). See the documentation for more information.

Dependencies

Warning

The minimum required Ruby version has been bumped to 3.0 in Mastodon v4.1.14.

External dependencies have not changed compared to v4.1.14, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:

  • Ruby: 3.0
  • PostgreSQL: 9.5 or newer
  • Elasticsearch (optional, for full-text search): 7.x
  • Redis: 4 or newer
  • Node: >= 14, < 18
  • ImageMagick: 6.9.7-7 or newer

Update steps

The following instructions are for updating from 4.1.17.

If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.

Non-Docker only:

  1. Install dependencies: bundle install and yarn install --frozen-lockfile

Both Docker and non-Docker:

  1. Restart all Mastodon processes
Assets 2
Loading