From 64a0b060a82b566476644d6ac04206bf8511f5e3 Mon Sep 17 00:00:00 2001
From: Claire
Date: Thu, 6 Nov 2025 14:58:24 +0100
Subject: [PATCH 1/6] Update security policy for 4.3 (#36755)
---
 SECURITY.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/SECURITY.md b/SECURITY.md
index 19f431fac5..385c946512 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -16,6 +16,6 @@ A "vulnerability in Mastodon" is a vulnerability in the code distributed through
 | Version | Supported |
 | ------- | ---------------- |
 | 4.4.x | Yes |
-| 4.3.x | Yes |
+| 4.3.x | Until 2026-05-06 |
 | 4.2.x | Until 2026-01-08 |
 | < 4.2 | No |
From 16ee628d2450a5529458d45ba2e7c7151fd39025 Mon Sep 17 00:00:00 2001
From: Claire
Date: Wed, 12 Nov 2025 12:09:51 +0100
Subject: [PATCH 2/6] Fix filters not being applied to quotes in detailed view (#36843)
---
 .../mastodon/features/status/components/detailed_status.tsx | 1 +
 1 file changed, 1 insertion(+)
diff --git a/app/javascript/mastodon/features/status/components/detailed_status.tsx b/app/javascript/mastodon/features/status/components/detailed_status.tsx
index 3922ab5617..ca7ea9a19b 100644
--- a/app/javascript/mastodon/features/status/components/detailed_status.tsx
+++ b/app/javascript/mastodon/features/status/components/detailed_status.tsx
@@ -384,6 +384,7 @@ export const DetailedStatus: React.FC<{ )}
From 8f5e95a159d02aff0c5a11d9467b65123c69f8d9 Mon Sep 17 00:00:00 2001
From: Claire
Date: Wed, 12 Nov 2025 17:09:00 +0100
Subject: [PATCH 3/6] Fix `Update` importing old previously-unknown activities and treating them as recent ones (#36848)
---
 app/lib/activitypub/activity/update.rb | 12 ++++++++++++
 spec/lib/activitypub/activity_spec.rb | 6 ++++--
 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/app/lib/activitypub/activity/update.rb b/app/lib/activitypub/activity/update.rb
index 15025ca5e7..5185507bdc 100644
--- a/app/lib/activitypub/activity/update.rb
+++ b/app/lib/activitypub/activity/update.rb
@@ -1,6 +1,9 @@ # frozen_string_literal: true class ActivityPub::Activity::Update < ActivityPub::Activity + # Updates to unknown objects older than that are ignored + OBJECT_AGE_THRESHOLD = 1.day + def perform @account.schedule_refresh_if_stale!
@@ -28,6 +31,9 @@ class ActivityPub::Activity::Update < ActivityPub::Activity @status = Status.find_by(uri: object_uri, account_id: @account.id) + # Ignore updates for old unknown objects, since those are updates we are not interested in + return if @status.nil? && object_too_old? + # We may be getting `Create` and `Update` out of order @status ||= ActivityPub::Activity::Create.new(@json, @account, **@options).perform
@@ -35,4 +41,10 @@ class ActivityPub::Activity::Update < ActivityPub::Activity ActivityPub::ProcessStatusUpdateService.new.call(@status, @json, @object, request_id: @options[:request_id]) end + + def object_too_old? + @object['published'].present? && @object['published'].to_datetime < OBJECT_AGE_THRESHOLD.ago + rescue Date::Error + false + end end
diff --git a/spec/lib/activitypub/activity_spec.rb b/spec/lib/activitypub/activity_spec.rb
index 218da04d9b..d7d0700dc6 100644
--- a/spec/lib/activitypub/activity_spec.rb
+++ b/spec/lib/activitypub/activity_spec.rb
@@ -34,6 +34,8 @@ RSpec.describe ActivityPub::Activity do } end + let(:publication_date) { 1.hour.ago.utc } + let(:create_json) do { '@context': [
@@ -52,7 +54,7 @@ RSpec.describe ActivityPub::Activity do 'https://www.w3.org/ns/activitystreams#Public', ], content: 'foo', - published: '2025-05-24T11:03:10Z', + published: publication_date.iso8601, quote: ActivityPub::TagManager.instance.uri_for(quoted_status), }, }.deep_stringify_keys
@@ -77,7 +79,7 @@ RSpec.describe ActivityPub::Activity do 'https://www.w3.org/ns/activitystreams#Public', ], content: 'foo', - published: '2025-05-24T11:03:10Z', + published: publication_date.iso8601, quote: ActivityPub::TagManager.instance.uri_for(quoted_status), quoteAuthorization: approval_uri, },
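Review bot: In the last hunk of app/lib/activitypub/activity/update.rb, `object_too_old?` rescues only `Date::Error`, so a `published` value that is present but not a string (a JSON number, array or object) would, as far as I can tell, raise `NoMethodError` at `to_datetime` rather than return false. The object is supplied by the remote server, so I would check the type first: `@object['published'].is_a?(String) && @object['published'].to_datetime < OBJECT_AGE_THRESHOLD.ago`. A sender that omits `published` or sends a recent timestamp still reaches `Create` in the `-28,6 +31,9` hunk, so the comment there could say so, e.g. `# 'published' is sender-supplied: this filters stale backfill, it is not a trust check`. `perform` starts and continues outside these hunks.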
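Review bot: The three hunks in spec/lib/activitypub/activity_spec.rb only make the existing fixtures recent through `let(:publication_date) { 1.hour.ago.utc }`; nothing in them exercises the new early return in `Update#perform`, and the diffstat lists no other spec file. I would add an example that overrides `publication_date` with a value older than `OBJECT_AGE_THRESHOLD` and expects no status to be created for an unknown object. One example each for a missing and an unparsable `published` would also pin the `rescue Date::Error` branch. The describe block continues outside these hunks.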
From ff3701105741269f00df64b7d0984463cf83dee5 Mon Sep 17 00:00:00 2001
From: Claire
Date: Wed, 19 Nov 2025 13:54:58 +0100
Subject: [PATCH 4/6] update dependency js-yaml to v4.1.1
---
 package.json | 2 +-
 yarn.lock | 13 ++++++++++++-
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/package.json b/package.json
index 5fe07e947f..3b4532c72b 100644
--- a/package.json
+++ b/package.json
@@ -73,7 +73,7 @@ "http-link-header": "^1.1.1", "immutable": "^4.3.0", "intl-messageformat": "^10.7.16", - "js-yaml": "^4.1.0", + "js-yaml": "^4.1.1", "lande": "^1.0.10", "lodash": "^4.17.21", "marky": "^1.2.5",
diff --git a/yarn.lock b/yarn.lock
index 1212b42039..7b45ad6dbb 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -2686,7 +2686,7 @@ __metadata: husky: "npm:^9.0.11" immutable: "npm:^4.3.0" intl-messageformat: "npm:^10.7.16" - js-yaml: "npm:^4.1.0" + js-yaml: "npm:^4.1.1" lande: "npm:^1.0.10" lint-staged: "npm:^16.0.0" lodash: "npm:^4.17.21"
@@ -8745,6 +8745,17 @@ __metadata: languageName: node linkType: hard +"js-yaml@npm:^4.1.1": + version: 4.1.1 + resolution: "js-yaml@npm:4.1.1" + dependencies: + argparse: "npm:^2.0.1" + bin: + js-yaml: bin/js-yaml.js + checksum: 10c0/561c7d7088c40a9bb53cc75becbfb1df6ae49b34b5e6e5a81744b14ae8667ec564ad2527709d1a6e7d5e5fa6d483aa0f373a50ad98d42fde368ec4a190d4fae7 + languageName: node + linkType: hard + "jsdoc-type-pratt-parser@npm:~4.1.0": version: 4.1.0 resolution: "jsdoc-type-pratt-parser@npm:4.1.0"
From 915bcb267fdaf4ec5ca0712571ec144aa034781d Mon Sep 17 00:00:00 2001
From: Shugo Maeda
Date: Mon, 17 Nov 2025 22:34:20 +0900
Subject: [PATCH 5/6] Fix ArgumentError of tootctl upgrade storage-schema (#36914)
---
 lib/mastodon/cli/upgrade.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/mastodon/cli/upgrade.rb b/lib/mastodon/cli/upgrade.rb
index 2cb5105794..d5822cacc0 100644
--- a/lib/mastodon/cli/upgrade.rb
+++ b/lib/mastodon/cli/upgrade.rb
@@ -123,12 +123,12 @@ module Mastodon::CLI progress.log("Moving #{previous_path} to #{upgraded_path}") if options[:verbose] begin - move_previous_to_upgraded + move_previous_to_upgraded(previous_path, upgraded_path) rescue => e progress.log(pastel.red("Error processing #{previous_path}: #{e}")) success = false - remove_directory + remove_directory(upgraded_path) end end
From c49e261ad07d46515af50cdf103524ecf554b2f8 Mon Sep 17 00:00:00 2001
From: Claire
Date: Wed, 19 Nov 2025 16:29:45 +0100
Subject: [PATCH 6/6] Update dependency `glob` (#36942)
---
 yarn.lock | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/yarn.lock b/yarn.lock
index 7b45ad6dbb..90077bf3b1 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -7752,8 +7752,8 @@ __metadata: linkType: hard "glob@npm:^10.0.0, glob@npm:^10.2.2, glob@npm:^10.3.10, glob@npm:^10.4.1": - version: 10.4.5 - resolution: "glob@npm:10.4.5" + version: 10.5.0 + resolution: "glob@npm:10.5.0" dependencies: foreground-child: "npm:^3.1.0" jackspeak: "npm:^3.1.2"
@@ -7763,7 +7763,7 @@ __metadata: path-scurry: "npm:^1.11.1" bin: glob: dist/esm/bin.mjs - checksum: 10c0/19a9759ea77b8e3ca0a43c2f07ecddc2ad46216b786bb8f993c445aee80d345925a21e5280c7b7c6c59e860a0154b84e4b2b60321fea92cd3c56b4a7489f160e + checksum: 10c0/100705eddbde6323e7b35e1d1ac28bcb58322095bd8e63a7d0bef1a2cdafe0d0f7922a981b2b48369a4f8c1b077be5c171804534c3509dfe950dde15fbe6d828 languageName: node linkType: hard
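Review bot: In the lib/mastodon/cli/upgrade.rb hunk, the bare `rescue => e` around `move_previous_to_upgraded(previous_path, upgraded_path)` catches every StandardError, which is presumably how the missing-argument call was reported as a per-file "Error processing" line before failing again at `remove_directory` inside the handler. Consider narrowing it to the errors the move can actually raise, for instance `rescue SystemCallError => e` plus whatever the storage backend raises, so that programming errors surface instead of being logged and followed by a delete of `upgraded_path`. The commit changes only this file; a spec that drives this branch with a failing move would keep the two helper signatures from drifting again. The enclosing method starts and ends outside the hunk.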