From 60771df3e7cef76ad3a11378a907d8c7a1b0cbc7 Mon Sep 17 00:00:00 2001
From: Claire <claire.github-309c@sitedethib.com>
Date: Fri, 19 Sep 2025 10:45:13 +0200
Subject: [PATCH 1/4] Fix getting `Create` and `Update` out of order (#36176)

---
 app/lib/activitypub/activity/update.rb |  3 ++
 spec/lib/activitypub/activity_spec.rb  | 71 ++++++++++++++++++++++++++
 2 files changed, 74 insertions(+)
 create mode 100644 spec/lib/activitypub/activity_spec.rb

diff --git a/app/lib/activitypub/activity/update.rb b/app/lib/activitypub/activity/update.rb
index 973706f595..15025ca5e7 100644
--- a/app/lib/activitypub/activity/update.rb
+++ b/app/lib/activitypub/activity/update.rb
@@ -28,6 +28,9 @@ class ActivityPub::Activity::Update < ActivityPub::Activity
 
     @status = Status.find_by(uri: object_uri, account_id: @account.id)
 
+    # We may be getting `Create` and `Update` out of order
+    @status ||= ActivityPub::Activity::Create.new(@json, @account, **@options).perform
+
     return if @status.nil?
 
     ActivityPub::ProcessStatusUpdateService.new.call(@status, @json, @object, request_id: @options[:request_id])
diff --git a/spec/lib/activitypub/activity_spec.rb b/spec/lib/activitypub/activity_spec.rb
new file mode 100644
index 0000000000..a8bb75161d
--- /dev/null
+++ b/spec/lib/activitypub/activity_spec.rb
@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe ActivityPub::Activity do
+  describe 'processing a Create and an Update' do
+    let(:sender) { Fabricate(:account, followers_url: 'http://example.com/followers', domain: 'example.com', uri: 'https://example.com/actor') }
+
+    let(:create_json) do
+      {
+        '@context': [
+          'https://www.w3.org/ns/activitystreams',
+        ],
+        id: [ActivityPub::TagManager.instance.uri_for(sender), '#create'].join,
+        type: 'Create',
+        actor: ActivityPub::TagManager.instance.uri_for(sender),
+        object: {
+          id: [ActivityPub::TagManager.instance.uri_for(sender), 'post1'].join('/'),
+          type: 'Note',
+          to: [
+            'https://www.w3.org/ns/activitystreams#Public',
+          ],
+          content: 'foo',
+          published: '2025-05-24T11:03:10Z',
+        },
+      }.deep_stringify_keys
+    end
+
+    let(:update_json) do
+      {
+        '@context': [
+          'https://www.w3.org/ns/activitystreams',
+        ],
+        id: [ActivityPub::TagManager.instance.uri_for(sender), '#update'].join,
+        type: 'Update',
+        actor: ActivityPub::TagManager.instance.uri_for(sender),
+        object: {
+          id: [ActivityPub::TagManager.instance.uri_for(sender), 'post1'].join('/'),
+          type: 'Note',
+          to: [
+            'https://www.w3.org/ns/activitystreams#Public',
+          ],
+          content: 'bar',
+          updated: '2025-05-25T11:03:10Z',
+        },
+      }.deep_stringify_keys
+    end
+
+    before do
+      sender.update(uri: ActivityPub::TagManager.instance.uri_for(sender))
+    end
+
+    context 'when getting them in order' do
+      it 'creates a status with the edited contents' do
+        described_class.factory(create_json, sender).perform
+        status = described_class.factory(update_json, sender).perform
+
+        expect(status.text).to eq 'bar'
+      end
+    end
+
+    context 'when getting them out of order' do
+      it 'creates a status with the edited contents' do
+        described_class.factory(update_json, sender).perform
+        status = described_class.factory(create_json, sender).perform
+
+        expect(status.text).to eq 'bar'
+      end
+    end
+  end
+end

From 06081721eff12407f9f74b48b2c64c888349eac4 Mon Sep 17 00:00:00 2001
From: Claire <claire.github-309c@sitedethib.com>
Date: Fri, 19 Sep 2025 11:52:17 +0200
Subject: [PATCH 2/4] Fix processing of out-of-order `Update` as implicit
 updates (#36190)

---
 app/services/activitypub/process_status_update_service.rb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/app/services/activitypub/process_status_update_service.rb b/app/services/activitypub/process_status_update_service.rb
index 8792b94550..77fcabc536 100644
--- a/app/services/activitypub/process_status_update_service.rb
+++ b/app/services/activitypub/process_status_update_service.rb
@@ -23,6 +23,9 @@ class ActivityPub::ProcessStatusUpdateService < BaseService
 
     if @status_parser.edited_at.present? && (@status.edited_at.nil? || @status_parser.edited_at > @status.edited_at)
       handle_explicit_update!
+    elsif @status.edited_at.present? && (@status_parser.edited_at.nil? || @status_parser.edited_at < @status.edited_at)
+      # This is an older update, reject it
+      return @status
     else
       handle_implicit_update!
     end

From a3a02549e80c06d576ababe86e3ee883cf2cc6df Mon Sep 17 00:00:00 2001
From: Claire <claire.github-309c@sitedethib.com>
Date: Tue, 23 Sep 2025 11:30:29 +0200
Subject: [PATCH 3/4] Update dependency `rexml`

---
 Gemfile.lock | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Gemfile.lock b/Gemfile.lock
index 36c5cf38a6..45b03b0d94 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -702,7 +702,7 @@ GEM
     responders (3.1.1)
       actionpack (>= 5.2)
       railties (>= 5.2)
-    rexml (3.3.9)
+    rexml (3.4.4)
     rotp (6.3.0)
     rouge (4.3.0)
     rpam2 (4.0.2)

From a86078e8bb082eb15e0fd0d183a8a610f043827f Mon Sep 17 00:00:00 2001
From: Claire <claire.github-309c@sitedethib.com>
Date: Tue, 23 Sep 2025 11:33:01 +0200
Subject: [PATCH 4/4] Bump version to v4.3.13

---
 CHANGELOG.md            | 11 +++++++++++
 docker-compose.yml      |  6 +++---
 lib/mastodon/version.rb |  2 +-
 3 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5213bc2412..9270013621 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,17 @@
 
 All notable changes to this project will be documented in this file.
 
+## [4.3.13] - 2025-09-23
+
+### Security
+
+- Update dependencies
+
+### Fixed
+
+- Fix processing of out-of-order `Update` as implicit updates (#36190 by @ClearlyClaire)
+- Fix getting `Create` and `Update` out of order (#36176 by @ClearlyClaire)
+
 ## [4.3.12] - 2025-09-16
 
 ### Security
diff --git a/docker-compose.yml b/docker-compose.yml
index d1814e235c..2005e759bc 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -59,7 +59,7 @@ services:
   web:
     # You can uncomment the following line if you want to not use the prebuilt image, for example if you have local code changes
     # build: .
-    image: ghcr.io/mastodon/mastodon:v4.3.12
+    image: ghcr.io/mastodon/mastodon:v4.3.13
     restart: always
     env_file: .env.production
     command: bundle exec puma -C config/puma.rb
@@ -83,7 +83,7 @@ services:
     # build:
     #   dockerfile: ./streaming/Dockerfile
     #   context: .
-    image: ghcr.io/mastodon/mastodon-streaming:v4.3.12
+    image: ghcr.io/mastodon/mastodon-streaming:v4.3.13
     restart: always
     env_file: .env.production
     command: node ./streaming/index.js
@@ -102,7 +102,7 @@ services:
   sidekiq:
     # You can uncomment the following line if you want to not use the prebuilt image, for example if you have local code changes
     # build: .
-    image: ghcr.io/mastodon/mastodon:v4.3.12
+    image: ghcr.io/mastodon/mastodon:v4.3.13
     restart: always
     env_file: .env.production
     command: bundle exec sidekiq
diff --git a/lib/mastodon/version.rb b/lib/mastodon/version.rb
index 8a8f5d1145..a16cf9118b 100644
--- a/lib/mastodon/version.rb
+++ b/lib/mastodon/version.rb
@@ -13,7 +13,7 @@ module Mastodon
     end
 
     def patch
-      12
+      13
     end
 
     def default_prerelease