Merge upstream changes up to a86078e8bb into stable-4.3 (#3196)

* Fix getting `Create` and `Update` out of order (#36176)

* Fix processing of out-of-order `Update` as implicit updates (#36190)

* Update dependency `rexml`

* Bump version to v4.3.13

CHANGELOG.md

@@ -2,6 +2,17 @@
 
 All notable changes to this project will be documented in this file.
 
+## [4.3.13] - 2025-09-23
+
+### Security
+
+- Update dependencies
+
+### Fixed
+
+- Fix processing of out-of-order `Update` as implicit updates (#36190 by @ClearlyClaire)
+- Fix getting `Create` and `Update` out of order (#36176 by @ClearlyClaire)
+
 ## [4.3.12] - 2025-09-16
 
 ### Security

Gemfile.lock

@@ -702,7 +702,7 @@ GEM
     responders (3.1.1)
       actionpack (>= 5.2)
       railties (>= 5.2)
-    rexml (3.3.9)
+    rexml (3.4.4)
     rotp (6.3.0)
     rouge (4.3.0)
     rpam2 (4.0.2)

app/lib/activitypub/activity/update.rb

@@ -28,6 +28,9 @@ class ActivityPub::Activity::Update < ActivityPub::Activity
 
     @status = Status.find_by(uri: object_uri, account_id: @account.id)
 
+    # We may be getting `Create` and `Update` out of order
+    @status ||= ActivityPub::Activity::Create.new(@json, @account, **@options).perform
+
     return if @status.nil?
 
     ActivityPub::ProcessStatusUpdateService.new.call(@status, @json, @object, request_id: @options[:request_id])

app/services/activitypub/process_status_update_service.rb

@@ -23,6 +23,9 @@ class ActivityPub::ProcessStatusUpdateService < BaseService
 
     if @status_parser.edited_at.present? && (@status.edited_at.nil? || @status_parser.edited_at > @status.edited_at)
       handle_explicit_update!
+    elsif @status.edited_at.present? && (@status_parser.edited_at.nil? || @status_parser.edited_at < @status.edited_at)
+      # This is an older update, reject it
+      return @status
     else
       handle_implicit_update!
     end

docker-compose.yml

@@ -59,7 +59,7 @@ services:
   web:
     # You can uncomment the following line if you want to not use the prebuilt image, for example if you have local code changes
     # build: .
-    image: ghcr.io/glitch-soc/mastodon:v4.3.12
+    image: ghcr.io/glitch-soc/mastodon:v4.3.13
     restart: always
     env_file: .env.production
     command: bundle exec puma -C config/puma.rb
@@ -83,7 +83,7 @@ services:
     # build:
     #   dockerfile: ./streaming/Dockerfile
     #   context: .
-    image: ghcr.io/glitch-soc/mastodon-streaming:v4.3.12
+    image: ghcr.io/glitch-soc/mastodon-streaming:v4.3.13
     restart: always
     env_file: .env.production
     command: node ./streaming/index.js
@@ -102,7 +102,7 @@ services:
   sidekiq:
     # You can uncomment the following line if you want to not use the prebuilt image, for example if you have local code changes
     # build: .
-    image: ghcr.io/glitch-soc/mastodon:v4.3.12
+    image: ghcr.io/glitch-soc/mastodon:v4.3.13
     restart: always
     env_file: .env.production
     command: bundle exec sidekiq

lib/mastodon/version.rb

@@ -13,7 +13,7 @@ module Mastodon
     end
 
     def patch
-      12
+      13
     end
 
     def default_prerelease

spec/lib/activitypub/activity_spec.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe ActivityPub::Activity do
+  describe 'processing a Create and an Update' do
+    let(:sender) { Fabricate(:account, followers_url: 'http://example.com/followers', domain: 'example.com', uri: 'https://example.com/actor') }
+
+    let(:create_json) do
+      {
+        '@context': [
+          'https://www.w3.org/ns/activitystreams',
+        ],
+        id: [ActivityPub::TagManager.instance.uri_for(sender), '#create'].join,
+        type: 'Create',
+        actor: ActivityPub::TagManager.instance.uri_for(sender),
+        object: {
+          id: [ActivityPub::TagManager.instance.uri_for(sender), 'post1'].join('/'),
+          type: 'Note',
+          to: [
+            'https://www.w3.org/ns/activitystreams#Public',
+          ],
+          content: 'foo',
+          published: '2025-05-24T11:03:10Z',
+        },
+      }.deep_stringify_keys
+    end
+
+    let(:update_json) do
+      {
+        '@context': [
+          'https://www.w3.org/ns/activitystreams',
+        ],
+        id: [ActivityPub::TagManager.instance.uri_for(sender), '#update'].join,
+        type: 'Update',
+        actor: ActivityPub::TagManager.instance.uri_for(sender),
+        object: {
+          id: [ActivityPub::TagManager.instance.uri_for(sender), 'post1'].join('/'),
+          type: 'Note',
+          to: [
+            'https://www.w3.org/ns/activitystreams#Public',
+          ],
+          content: 'bar',
+          updated: '2025-05-25T11:03:10Z',
+        },
+      }.deep_stringify_keys
+    end
+
+    before do
+      sender.update(uri: ActivityPub::TagManager.instance.uri_for(sender))
+    end
+
+    context 'when getting them in order' do
+      it 'creates a status with the edited contents' do
+        described_class.factory(create_json, sender).perform
+        status = described_class.factory(update_json, sender).perform
+
+        expect(status.text).to eq 'bar'
+      end
+    end
+
+    context 'when getting them out of order' do
+      it 'creates a status with the edited contents' do
+        described_class.factory(update_json, sender).perform
+        status = described_class.factory(create_json, sender).perform
+
+        expect(status.text).to eq 'bar'
+      end
+    end
+  end
+end