Skip to content

Releases: mastodon/mastodon

v4.1.20

30 Sep 11:47
@ClearlyClaire ClearlyClaire
v4.1.20
9da2711
Compare
Choose a tag to compare
v4.1.20

Mastodon

Changelog

Security

Changed

Fixed

  • Fix replies collection being cached improperly
  • Fix security context sometimes not being added in LD-Signed activities (#31871 by @ClearlyClaire)
  • Fix error when encountering reblog of deleted post in feed rebuild (#32001 by @ClearlyClaire)

Upgrade notes

To get the code for v4.1.20, use git fetch && git checkout v4.1.20.

Note

As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump

Important

Since v4.1.18, Mastodon is now performing stricter checks to prevent client IP address spoofing. This means that if one of your reverse proxy is not on Mastodon's local network, you will need to set TRUSTED_PROXY_IP accordingly, listing the IP address of every trusted reverse-proxy (including local network ones). See the documentation for more information.

Dependencies

Warning

The minimum required Ruby version has been bumped to 3.0 in Mastodon v4.1.14.

External dependencies have not changed compared to v4.1.14, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:

  • Ruby: 3.0
  • PostgreSQL: 9.5 or newer
  • Elasticsearch (optional, for full-text search): 7.x
  • Redis: 4 or newer
  • Node: >= 14, < 18
  • ImageMagick: 6.9.7-7 or newer

Update steps

The following instructions are for updating from 4.1.19.

If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.

Non-Docker only:

  1. Install dependencies: bundle install and yarn install --frozen-lockfile

Both Docker and non-Docker:

  1. Restart all Mastodon processes

Contributors

ClearlyClaire
Loading

v4.3.0-beta.2

17 Sep 15:53
@ClearlyClaire ClearlyClaire
v4.3.0-beta.2
3e91c10
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
v4.3.0-beta.2 Pre-release
Pre-release

Mastodon

Warning

This is a pre-release! This has not been as widely tested as regular releases, although it is still tested on mastodon.social and some other servers. If you update to this release, you will not be able to safely downgrade to the existing stable releases. You will, however, be able to upgrade to later nightly releases, prereleases as well as the upcoming 4.3.0 stable release.

Upgrade overview

This release contains upgrade notes that deviate from the norm:

‼️ Requires new encryption secrets environment variables
⚠️ The minimal supported version for PostgreSQL has been bumped to 12
⚠️ The minimal supported version for Ruby has been bumped to 3.1
⚠️ The minimal supported version for Node.js has been bumped to 18
⚠️ Requires rebuilding Elasticsearch accounts index
⚠️ We switched from yarn 1 to yarn 4, and recommend using corepack
⚠️ The Docker image has been split in two separate images
⚠️ Rolling updates from versions earlier than Mastodon 4.2 are not supported
⚠️ StatsD integration has been removed, replaced by OpenTelemetry integration
⚠️ ImageMagick is being deprecated and may be removed in a future version
ℹ️ Requires streaming API restart
ℹ️ Requires database migrations
ℹ️ The logging format of the streaming server has changed

For more information, scroll down to the upgrade instructions section.

Changelog (v4.3.0-beta.2)

Security

Added

Changed

Fixed

Changelog (v4.3.0-beta.1)

The following changelog entries focus on changes visible to users, administrators, client developers or federated software developers, but there has also been a lot of code modernization, refactoring, and tooling work, in particular by @mjankowski.

Security

  • Add confirmation interstitial instead of silently redirecting logged-out visitors to remote resources (#27792, #28902, and #30651 by @ClearlyClaire and @Gargron)
    This fixes a longstanding open redirect in Mastodon, at the cost of added friction when local links to remote resources are shared.

Added

Read more

Contributors

mjankowski, flavorjones, and 62 other contributors
Loading

v4.3.0-beta.1

23 Aug 16:18
@ClearlyClaire ClearlyClaire
v4.3.0-beta.1
97f6baf
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
v4.3.0-beta.1 Pre-release
Pre-release

Mastodon

Warning

This is a pre-release! This has not been as widely tested as regular releases, although it is still tested on mastodon.social and some other servers. If you update to this release, you will not be able to safely downgrade to the existing stable releases. You will, however, be able to upgrade to later nightly releases, prereleases as well as the upcoming 4.3.0 stable release.

Upgrade overview

This release contains upgrade notes that deviate from the norm:

‼️ Requires new encryption secrets environment variables
⚠️ The minimal supported version for PostgreSQL has been bumped to 12
⚠️ The minimal supported version for Ruby has been bumped to 3.1
⚠️ The minimal supported version for Node.js has been bumped to 18
⚠️ Requires rebuilding Elasticsearch accounts index
⚠️ We switched from yarn 1 to yarn 4, and recommend using corepack
⚠️ The Docker image has been split in two separate images
⚠️ Rolling updates from versions earlier than Mastodon 4.2 are not supported
⚠️ StatsD integration has been removed, replaced by OpenTelemetry integration
⚠️ ImageMagick is being deprecated and may be removed in a future version
ℹ️ Requires streaming API restart
ℹ️ Requires database migrations
ℹ️ The logging format of the streaming server has changed

For more information, scroll down to the upgrade instructions section.

Changelog

The following changelog entries focus on changes visible to users, administrators, client developers or federated software developers, but there has also been a lot of code modernization, refactoring, and tooling work, in particular by @mjankowski.

Security

  • Add confirmation interstitial instead of silently redirecting logged-out visitors to remote resources (#27792, #28902, and #30651 by @ClearlyClaire and @Gargron)
    This fixes a longstanding open redirect in Mastodon, at the cost of added friction when local links to remote resources are shared.

Added

Read more

Contributors

mjankowski, jippi, and 59 other contributors
Loading

v4.2.12

19 Aug 09:18
@ClearlyClaire ClearlyClaire
v4.2.12
f9a929e
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
v4.2.12

Mastodon

Note

This is a hotfix release for an issue introduced in 4.2.11.

Changelog (v4.2.12)

Fixed

  • Fix broken notifications for mentions from local moderators (ClearlyClaire)

Changelog (v4.2.11)

Added

Changed

  • Change logic of block/mute bypass for mentions from moderators to only apply to visible roles with moderation powers (ClearlyClaire)

Fixed

  • Fix incorrect rate limit on PUT requests (ClearlyClaire)
  • Fix presence of ß in adjacent word preventing mention and hashtag matching (adamniedzielski)
  • Fix processing of webfinger responses with multiple self links (adamniedzielski)
  • Fix duplicate orderedItems in user archive's outbox.json (ClearlyClaire)
  • Fix click event handling when clicking outside of an open dropdown menu (ClearlyClaire)
  • Fix status processing failing halfway when a remote post has a malformed replies attribute (ClearlyClaire)
  • Fix --verbose option of tootctl media remove, which was previously erroneously removed (mjankowski)
  • Fix division by zero on some video/GIF files (ClearlyClaire)
  • Fix Web UI trying to save user settings despite being logged out (ClearlyClaire)
  • Fix hashtag regexp matching some link anchors (ClearlyClaire)
  • Fix local account search on LDAP login being case-sensitive (raucao)
  • Fix development environment admin account not being auto-approved (ClearlyClaire)
  • Fix report reason selector in moderation interface not unselecting rules when changing category (ClearlyClaire)
  • Fix already-invalid reports failing to resolve (ClearlyClaire)
  • Fix OCR when using S3/CDN for assets (vmstan)
  • Fix error when encountering malformed Tag objects from Kbin (ShadowJonathan)
  • Fix not all allowed image formats showing in file picker when uploading custom emoji (june128)
  • Fix search popout listing unusable search options when logged out (ClearlyClaire)
  • Fix processing of featured collections lacking an items attribute (tribela)
  • Fix mastodon:stats decoration of stats rake task (mjankowski)

Upgrade notes

To get the code for v4.2.12, use git fetch && git checkout v4.2.12.

Note

As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump

Important

Since v4.2.10, Mastodon is now performing stricter checks to prevent client IP address spoofing. This means that if one of your reverse proxy is not on Mastodon's local network, you will need to set TRUSTED_PROXY_IP accordingly, listing the IP address of every trusted reverse-proxy (including local network ones). See the documentation for more information.

Dependencies

With the exception of Ruby's recommended version, external dependencies have not changed since v4.2.0, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:

  • Ruby: 3.0 to 3.2
  • PostgreSQL: 10 or newer
  • Elasticsearch (recommended, for full-text search): 7.x (OpenSearch should also work)
  • LibreTranslate (optional, for translations): 1.3.3 or newer
  • Redis: 4 or newer
  • Node: 16 or newer
  • ImageMagick: 6.9.7-7 or newer

Update steps

Tip

The charlock_holmes gem may fail to build on some systems with recent versions of gcc.
If you run into such an issue, try BUNDLE_BUILD__CHARLOCK_HOLMES="--with-cxxflags=-std=c++17" bundle install.

The following instructions are for updating from 4.2.10 or 4.2.11.

If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.

Non-Docker only:

  1. Install dependencies: bundle install and yarn install --frozen-lockfile
  2. Precompile the assets: RAILS_ENV=production bundle exec rails assets:precompile
  3. Restart all Mastodon processes

Using Docker:

  1. Restart all Mastodon processes
Loading

v4.2.11

16 Aug 12:39
@ClearlyClaire ClearlyClaire
v4.2.11
a02ff33
Compare
Choose a tag to compare
v4.2.11

Mastodon

Warning

This release has a known issue, causing mentions from local users with elevated roles failing to generate notifications.

Changelog

Added

Changed

  • Change logic of block/mute bypass for mentions from moderators to only apply to visible roles with moderation powers (ClearlyClaire)

Fixed

  • Fix incorrect rate limit on PUT requests (ClearlyClaire)
  • Fix presence of ß in adjacent word preventing mention and hashtag matching (adamniedzielski)
  • Fix processing of webfinger responses with multiple self links (adamniedzielski)
  • Fix duplicate orderedItems in user archive's outbox.json (ClearlyClaire)
  • Fix click event handling when clicking outside of an open dropdown menu (ClearlyClaire)
  • Fix status processing failing halfway when a remote post has a malformed replies attribute (ClearlyClaire)
  • Fix --verbose option of tootctl media remove, which was previously erroneously removed (mjankowski)
  • Fix division by zero on some video/GIF files (ClearlyClaire)
  • Fix Web UI trying to save user settings despite being logged out (ClearlyClaire)
  • Fix hashtag regexp matching some link anchors (ClearlyClaire)
  • Fix local account search on LDAP login being case-sensitive (raucao)
  • Fix development environment admin account not being auto-approved (ClearlyClaire)
  • Fix report reason selector in moderation interface not unselecting rules when changing category (ClearlyClaire)
  • Fix already-invalid reports failing to resolve (ClearlyClaire)
  • Fix OCR when using S3/CDN for assets (vmstan)
  • Fix error when encountering malformed Tag objects from Kbin (ShadowJonathan)
  • Fix not all allowed image formats showing in file picker when uploading custom emoji (june128)
  • Fix search popout listing unusable search options when logged out (ClearlyClaire)
  • Fix processing of featured collections lacking an items attribute (tribela)
  • Fix mastodon:stats decoration of stats rake task (mjankowski)

Upgrade notes

To get the code for v4.2.11, use git fetch && git checkout v4.2.11.

Note

As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump

Important

Since v4.2.10, Mastodon is now performing stricter checks to prevent client IP address spoofing. This means that if one of your reverse proxy is not on Mastodon's local network, you will need to set TRUSTED_PROXY_IP accordingly, listing the IP address of every trusted reverse-proxy (including local network ones). See the documentation for more information.

Dependencies

With the exception of Ruby's recommended version, external dependencies have not changed since v4.2.0, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:

  • Ruby: 3.0 to 3.2
  • PostgreSQL: 10 or newer
  • Elasticsearch (recommended, for full-text search): 7.x (OpenSearch should also work)
  • LibreTranslate (optional, for translations): 1.3.3 or newer
  • Redis: 4 or newer
  • Node: 16 or newer
  • ImageMagick: 6.9.7-7 or newer

Update steps

Tip

The charlock_holmes gem may fail to build on some systems with recent versions of gcc.
If you run into such an issue, try BUNDLE_BUILD__CHARLOCK_HOLMES="--with-cxxflags=-std=c++17" bundle install.

The following instructions are for updating from 4.2.10.

If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.

Non-Docker only:

  1. Install dependencies: bundle install and yarn install --frozen-lockfile
  2. Precompile the assets: RAILS_ENV=production bundle exec rails assets:precompile
  3. Restart all Mastodon processes

Using Docker:

  1. Restart all Mastodon processes
Loading

v4.1.19

16 Aug 12:39
@ClearlyClaire ClearlyClaire
v4.1.19
33e0745
Compare
Choose a tag to compare
v4.1.19

Mastodon

Changelog

Fixed

  • Fix incorrect rate limit on PUT requests (ClearlyClaire)
  • Fix presence of ß in adjacent word preventing mention and hashtag matching (adamniedzielski)
  • Fix processing of webfinger responses with multiple self links (adamniedzielski)
  • Fix status processing failing halfway when a remote post has a malformed replies attribute (ClearlyClaire)
  • Fix division by zero on some video/GIF files (ClearlyClaire)
  • Fix hashtag regexp matching some link anchors (ClearlyClaire)
  • Fix local account search on LDAP login being case-sensitive (raucao)
  • Fix development environment admin account not being auto-approved (ClearlyClaire)
  • Fix report reason selector in moderation interface not unselecting rules when changing category (ClearlyClaire)
  • Fix already-invalid reports failing to resolve (ClearlyClaire)
  • Fix OCR when using S3/CDN for assets (vmstan)
  • Fix error when encountering malformed Tag objects from Kbin (ShadowJonathan)
  • Fix not all allowed image formats showing in file picker when uploading custom emoji (june128)

Upgrade notes

To get the code for v4.1.19, use git fetch && git checkout v4.1.19.

Note

As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump

Important

Since v4.1.18, Mastodon is now performing stricter checks to prevent client IP address spoofing. This means that if one of your reverse proxy is not on Mastodon's local network, you will need to set TRUSTED_PROXY_IP accordingly, listing the IP address of every trusted reverse-proxy (including local network ones). See the documentation for more information.

Dependencies

Warning

The minimum required Ruby version has been bumped to 3.0 in Mastodon v4.1.14.

External dependencies have not changed compared to v4.1.14, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:

  • Ruby: 3.0
  • PostgreSQL: 9.5 or newer
  • Elasticsearch (optional, for full-text search): 7.x
  • Redis: 4 or newer
  • Node: >= 14, < 18
  • ImageMagick: 6.9.7-7 or newer

Update steps

The following instructions are for updating from 4.1.18.

If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.

Non-Docker only:

  1. Install dependencies: bundle install and yarn install --frozen-lockfile
  2. Precompile the assets: RAILS_ENV=production bundle exec rails assets:precompile

Both Docker and non-Docker:

  1. Restart all Mastodon processes
Loading

v4.2.10

04 Jul 15:03
@ClearlyClaire ClearlyClaire
v4.2.10
a5b4a2b
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
v4.2.10

Mastodon

Warning

This release is an important security release fixing a major security issue.

A corresponding security release is available for the 4.1.x branch.

Note

If you are using nightly builds, do not use this release but update to nightly.2024-07-05-security or newer instead. If you are on the main branch, update to the latest commit.

Changelog

Security

  • Fix incorrect permission checking on multiple API endpoints (GHSA-58x8-3qxw-6hm7)
  • Fix incorrect authorship checking when processing some activities (CVE-2024-37903, GHSA-xjvf-fm67-4qc3)
  • Fix ongoing streaming sessions not being invalidated when application tokens get revoked (GHSA-vp5r-5pgw-jwqx)
  • Update dependencies

Added

  • Add yarn version specification to avoid confusion with Yarn 3 and Yarn 4

Changed

  • Change preview cards generation to skip unusually long URLs (oneiros)
  • Change search modifiers to be case-insensitive (Gargron)
  • Change STATSD_ADDR handling to emit a warning rather than crashing if the address is unreachable (timothyjrogers)
  • Change PWA start URL from /home to / (ClearlyClaire)

Removed

Fixed

  • Fix scheduled statuses scheduled in less than 5 minutes being immediately published (danielmbrasil)
  • Fix encoding detection for link cards (oneiros)
  • Fix /admin/accounts/:account_id/statuses/:id for edited posts with media attachments (ClearlyClaire)
  • Fix duplicate @context attribute in user archive export (ClearlyClaire)

Upgrade notes

To get the code for v4.2.10, use git fetch && git checkout v4.2.10.

Note

As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump

Important

Mastodon is now performing stricter checks to prevent client IP address spoofing. This means that if one of your reverse proxy is not on Mastodon's local network, you will need to set TRUSTED_PROXY_IP accordingly, listing the IP address of every trusted reverse-proxy (including local network ones). See the documentation for more information.

Dependencies

With the exception of Ruby's recommended version, external dependencies have not changed since v4.2.0, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:

  • Ruby: 3.0 to 3.2
  • PostgreSQL: 10 or newer
  • Elasticsearch (recommended, for full-text search): 7.x (OpenSearch should also work)
  • LibreTranslate (optional, for translations): 1.3.3 or newer
  • Redis: 4 or newer
  • Node: 16 or newer
  • ImageMagick: 6.9.7-7 or newer

Update steps

Tip

The charlock_holmes gem may fail to build on some systems with recent versions of gcc.
If you run into such an issue, try BUNDLE_BUILD__CHARLOCK_HOLMES="--with-cxxflags=-std=c++17" bundle install.

The following instructions are for updating from 4.2.9.

If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.

Non-Docker only:

  1. Install dependencies: bundle install and yarn install --frozen-lockfile
  2. Restart all Mastodon processes

Using Docker:

  1. Restart all Mastodon processes
Loading

v4.1.18

04 Jul 15:10
@ClearlyClaire ClearlyClaire
v4.1.18
ff90ebf
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
v4.1.18

Mastodon

Warning

This release is an important security release fixing a major security issue.

A corresponding security release is available for the 4.2.x branch.

Changelog

Security

  • Fix incorrect permission checking on multiple API endpoints (GHSA-58x8-3qxw-6hm7)
  • Fix incorrect authorship checking when processing some activities (CVE-2024-37903, GHSA-xjvf-fm67-4qc3)
  • Fix ongoing streaming sessions not being invalidated when application tokens get revoked (GHSA-vp5r-5pgw-jwqx)
  • Update dependencies

Changed

  • Change preview cards generation to skip unusually long URLs (oneiros)
  • Change search modifiers to be case-insensitive (Gargron)
  • Change STATSD_ADDR handling to emit a warning rather than crashing if the address is unreachable (timothyjrogers)
  • Change PWA start URL from /home to / (ClearlyClaire)

Fixed

  • Fix scheduled statuses scheduled in less than 5 minutes being immediately published (danielmbrasil)
  • Fix encoding detection for link cards (oneiros)
  • Fix /admin/accounts/:account_id/statuses/:id for edited posts with media attachments (ClearlyClaire)

Upgrade notes

To get the code for v4.1.18, use git fetch && git checkout v4.1.18.

Note

As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump

Important

Mastodon is now performing stricter checks to prevent client IP address spoofing. This means that if one of your reverse proxy is not on Mastodon's local network, you will need to set TRUSTED_PROXY_IP accordingly, listing the IP address of every trusted reverse-proxy (including local network ones). See the documentation for more information.

Dependencies

Warning

The minimum required Ruby version has been bumped to 3.0 in Mastodon v4.1.14.

External dependencies have not changed compared to v4.1.14, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:

  • Ruby: 3.0
  • PostgreSQL: 9.5 or newer
  • Elasticsearch (optional, for full-text search): 7.x
  • Redis: 4 or newer
  • Node: >= 14, < 18
  • ImageMagick: 6.9.7-7 or newer

Update steps

The following instructions are for updating from 4.1.17.

If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.

Non-Docker only:

  1. Install dependencies: bundle install and yarn install --frozen-lockfile

Both Docker and non-Docker:

  1. Restart all Mastodon processes
Loading

v4.2.9

30 May 13:58
@ClearlyClaire ClearlyClaire
v4.2.9
c93aaca
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
v4.2.9

Mastodon

Changelog

Security

Added

  • Add rate-limit on OAuth application registration (ThisIsMissEm)
  • Add fallback redirection when getting a webfinger query WEB_DOMAIN@WEB_DOMAIN (ClearlyClaire)
  • Add digest attribute to Admin::DomainBlock entity in REST API (ThisIsMissEm)

Removed

  • Remove superfluous application-level caching in some controllers (ClearlyClaire)
  • Remove aggressive OAuth application vacuuming (ThisIsMissEm)

Fixed

  • Fix leaking Elasticsearch connections in Sidekiq processes (ClearlyClaire)
  • Fix language of remote posts not being recognized when using unusual casing (ClearlyClaire)
  • Fix off-by-one in tootctl media commands (ClearlyClaire)
  • Fix removal of allowed domains (in LIMITED_FEDERATION_MODE) not being recorded in the audit log (ThisIsMissEm)
  • Fix not being able to block a subdomain of an already-blocked domain through the API (ClearlyClaire)
  • Fix Idempotency-Key being ignored when scheduling a post (ClearlyClaire)
  • Fix crash when supplying the FFMPEG_BINARY environment variable (timothyjrogers)
  • Fix improper email address validation (ClearlyClaire)
  • Fix results/query in api/v1/featured_tags/suggestions (mjankowski)
  • Fix unblocking internationalized domain names under certain conditions (tribela)
  • Fix admin account created by mastodon:setup not being auto-approved (ClearlyClaire)
  • Fix reference to non-existent var in CLI maintenance command (mjankowski)

Upgrade notes

To get the code for v4.2.9, use git fetch && git checkout v4.2.9.

Note

As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump

Important

Mastodon is now performing stricter checks to prevent client IP address spoofing. This means that if one of your reverse proxy is not on Mastodon's local network, you will need to set TRUSTED_PROXY_IP accordingly, listing the IP address of every trusted reverse-proxy (including local network ones). See the documentation for more information.

Dependencies

With the exception of Ruby's recommended version, external dependencies have not changed since v4.2.0, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:

  • Ruby: 3.0 to 3.2
  • PostgreSQL: 10 or newer
  • Elasticsearch (recommended, for full-text search): 7.x (OpenSearch should also work)
  • LibreTranslate (optional, for translations): 1.3.3 or newer
  • Redis: 4 or newer
  • Node: 16 or newer
  • ImageMagick: 6.9.7-7 or newer

Update steps

The following instructions are for updating from 4.2.8.

If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.

Non-Docker only:

  1. Install dependencies: bundle install and yarn install --frozen-lockfile
  2. Restart all Mastodon processes

Using Docker:

  1. Restart all Mastodon processes
Loading

v4.1.17

30 May 13:51
@ClearlyClaire ClearlyClaire
v4.1.17
1cad857
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
v4.1.17

Mastodon

Changelog

Security

Added

  • Add fallback redirection when getting a webfinger query WEB_DOMAIN@WEB_DOMAIN (ClearlyClaire)
  • Add digest attribute to Admin::DomainBlock entity in REST API (ThisIsMissEm)

Removed

  • Remove superfluous application-level caching in some controllers (ClearlyClaire)

Fixed

  • Fix leaking Elasticsearch connections in Sidekiq processes (ClearlyClaire)
  • Fix language of remote posts not being recognized when using unusual casing (ClearlyClaire)
  • Fix off-by-one in tootctl media commands (ClearlyClaire)
  • Fix removal of allowed domains (in LIMITED_FEDERATION_MODE) not being recorded in the audit log (ThisIsMissEm)
  • Fix not being able to block a subdomain of an already-blocked domain through the API (ClearlyClaire)
  • Fix Idempotency-Key being ignored when scheduling a post (ClearlyClaire)
  • Fix crash when supplying the FFMPEG_BINARY environment variable (timothyjrogers)
  • Fix improper email address validation (ClearlyClaire)
  • Fix results/query in api/v1/featured_tags/suggestions (mjankowski)
  • Fix unblocking internationalized domain names under certain conditions (tribela)
  • Fix admin account created by mastodon:setup not being auto-approved (ClearlyClaire)
  • Fix reference to non-existent var in CLI maintenance command (mjankowski)

Upgrade notes

To get the code for v4.1.17, use git fetch && git checkout v4.1.17.

Note

As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump

Important

Mastodon is now performing stricter checks to prevent client IP address spoofing. This means that if one of your reverse proxy is not on Mastodon's local network, you will need to set TRUSTED_PROXY_IP accordingly, listing the IP address of every trusted reverse-proxy (including local network ones). See the documentation for more information.

Dependencies

Warning

The minimum required Ruby version has been bumped to 3.0 in Mastodon v4.1.14.

External dependencies have not changed compared to v4.1.14, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:

  • Ruby: 3.0
  • PostgreSQL: 9.5 or newer
  • Elasticsearch (optional, for full-text search): 7.x
  • Redis: 4 or newer
  • Node: >= 14, < 18
  • ImageMagick: 6.9.7-7 or newer

Update steps

The following instructions are for updating from 4.1.16.

If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.

Non-Docker only:

  1. Install dependencies: bundle install and yarn install --frozen-lockfile

Both Docker and non-Docker:

  1. Restart all Mastodon processes
Loading