Fix styling of the quote notification settings pillbar in the glitch flavor (#3187)

Fix quotes crashing glitch flavor because of missing translatable message

.annotaterb.yml

@@ -0,0 +1,59 @@
+---
+:position: before
+:position_in_additional_file_patterns: before
+:position_in_class: before
+:position_in_factory: before
+:position_in_fixture: before
+:position_in_routes: before
+:position_in_serializer: before
+:position_in_test: before
+:classified_sort: true
+:exclude_controllers: true
+:exclude_factories: true
+:exclude_fixtures: true
+:exclude_helpers: true
+:exclude_scaffolds: true
+:exclude_serializers: true
+:exclude_sti_subclasses: true
+:exclude_tests: true
+:force: false
+:format_markdown: false
+:format_rdoc: false
+:format_yard: false
+:frozen: false
+:ignore_model_sub_dir: false
+:ignore_unknown_models: false
+:include_version: false
+:show_complete_foreign_keys: false
+:show_foreign_keys: false
+:show_indexes: false
+:simple_indexes: false
+:sort: false
+:timestamp: false
+:trace: false
+:with_comment: true
+:with_column_comments: true
+:with_table_comments: true
+:active_admin: false
+:command:
+:debug: false
+:hide_default_column_types: ''
+:hide_limit_column_types: 'integer,boolean'
+:ignore_columns:
+:ignore_routes:
+:models: true
+:routes: false
+:skip_on_db_migrate: false
+:target_action: :do_annotations
+:wrapper:
+:wrapper_close:
+:wrapper_open:
+:classes_default_to_s: []
+:additional_file_patterns: []
+:model_dir:
+  - app/models
+:require: []
+:root_dir:
+  - ''
+
+:show_check_constraints: false

.browserslistrc

@@ -1,10 +1,6 @@
-[production]
 defaults
 > 0.2%
 firefox >= 78
 ios >= 15.6
 not dead
 not OperaMini all
-
-[development]
-supports es6-module

.devcontainer/compose.yaml

@@ -9,7 +9,9 @@ services:
     environment:
       RAILS_ENV: development
       NODE_ENV: development
+      VITE_RUBY_HOST: 0.0.0.0
       BIND: 0.0.0.0
+      BOOTSNAP_CACHE_DIR: /tmp
       REDIS_HOST: redis
       REDIS_PORT: '6379'
       DB_HOST: db
@@ -20,12 +22,14 @@ services:
       ES_HOST: es
       ES_PORT: '9200'
       LIBRE_TRANSLATE_ENDPOINT: http://libretranslate:5000
+      LOCAL_DOMAIN: ${LOCAL_DOMAIN:-localhost:3000}
+      VITE_DEV_SERVER_PUBLIC: ${VITE_DEV_SERVER_PUBLIC:-localhost:3036}
     # Overrides default command so things don't shut down after the process ends.
     command: sleep infinity
     ports:
-      - '127.0.0.1:3000:3000'
-      - '127.0.0.1:3035:3035'
-      - '127.0.0.1:4000:4000'
+      - '3000:3000'
+      - '3036:3036'
+      - '4000:4000'
     networks:
       - external_network
       - internal_network
@@ -69,7 +73,7 @@ services:
         hard: -1
 
   libretranslate:
-    image: libretranslate/libretranslate:v1.6.1
+    image: libretranslate/libretranslate:v1.6.2
     restart: unless-stopped
     volumes:
       - lt-data:/home/libretranslate/.local

.dockerignore

@@ -5,6 +5,7 @@
 .gitattributes
 .gitignore
 .github
+.vscode
 public/system
 public/assets
 public/packs
@@ -20,3 +21,10 @@ postgres14
 redis
 elasticsearch
 chart
+storybook-static
+.yarn/
+!.yarn/patches
+!.yarn/plugins
+!.yarn/releases
+!.yarn/sdks
+!.yarn/versions

.env.production.sample

@@ -71,8 +71,17 @@ DB_PORT=5432
 # Generate each with the `RAILS_ENV=production bundle exec rails secret` task (`docker-compose run --rm web bundle exec rails secret` if you use docker compose)
 # -------
 SECRET_KEY_BASE=
-OTP_SECRET=
 
+# Encryption secrets
+# ------------------
+# Must be available (and set to same values) for all server processes
+# These are private/secret values, do not share outside hosting environment
+# Use `bin/rails db:encryption:init` to generate fresh secrets
+# Do NOT change these secrets once in use, as this would cause data loss and other issues
+# ------------------
+# ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=
+# ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=
+# ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=
 
 # Web Push
 # --------
@@ -299,6 +308,9 @@ MAX_POLL_OPTION_CHARS=100
 # HCAPTCHA_SECRET_KEY=
 # HCAPTCHA_SITE_KEY=
 
+# Optional list of hosts that are allowed to serve media for your instance
+# EXTRA_MEDIA_HOSTS=https://data.example1.com,https://data.example2.com
+
 # IP and session retention
 # -----------------------
 # Make sure to modify the scheduling of ip_cleanup_scheduler in config/sidekiq.yml
@@ -306,3 +318,24 @@ MAX_POLL_OPTION_CHARS=100
 # -----------------------
 IP_RETENTION_PERIOD=31556952
 SESSION_RETENTION_PERIOD=31556952
+
+# Fetch All Replies Behavior
+# --------------------------
+# When a user expands a post (DetailedStatus view), fetch all of its replies
+# (default: false)
+FETCH_REPLIES_ENABLED=false
+
+# Period to wait between fetching replies (in minutes)
+FETCH_REPLIES_COOLDOWN_MINUTES=15
+
+# Period to wait after a post is first created before fetching its replies (in minutes)
+FETCH_REPLIES_INITIAL_WAIT_MINUTES=5
+
+# Max number of replies to fetch - total, recursively through a whole reply tree
+FETCH_REPLIES_MAX_GLOBAL=1000
+
+# Max number of replies to fetch - for a single post
+FETCH_REPLIES_MAX_SINGLE=500
+
+# Max number of replies Collection pages to fetch - total
+FETCH_REPLIES_MAX_PAGES=500

.eslintignore

@@ -1,13 +0,0 @@
-/build/**
-/coverage/**
-/db/**
-/lib/**
-/log/**
-/node_modules/**
-/nonobox/**
-/public/**
-!/public/embed.js
-/spec/**
-/tmp/**
-/vendor/**
-!.eslintrc.js

.eslintrc.js

@@ -1,385 +0,0 @@
-// @ts-check
-const { defineConfig } = require('eslint-define-config');
-
-module.exports = defineConfig({
-  root: true,
-
-  extends: [
-    'eslint:recommended',
-    'plugin:react/recommended',
-    'plugin:react-hooks/recommended',
-    'plugin:jsx-a11y/recommended',
-    'plugin:import/recommended',
-    'plugin:promise/recommended',
-    'plugin:jsdoc/recommended',
-  ],
-
-  env: {
-    browser: true,
-    node: true,
-    es6: true,
-  },
-
-  parser: '@typescript-eslint/parser',
-
-  plugins: [
-    'react',
-    'jsx-a11y',
-    'import',
-    'promise',
-    '@typescript-eslint',
-    'formatjs',
-  ],
-
-  parserOptions: {
-    sourceType: 'module',
-    ecmaFeatures: {
-      jsx: true,
-    },
-    ecmaVersion: 2021,
-    requireConfigFile: false,
-    babelOptions: {
-      configFile: false,
-      presets: ['@babel/react', '@babel/env'],
-    },
-  },
-
-  settings: {
-    react: {
-      version: 'detect',
-    },
-    'import/ignore': [
-      'node_modules',
-      '\\.(css|scss|json)$',
-    ],
-    'import/resolver': {
-      typescript: {},
-    },
-  },
-
-  rules: {
-    'consistent-return': 'error',
-    'dot-notation': 'error',
-    eqeqeq: ['error', 'always', { 'null': 'ignore' }],
-    'indent': ['error', 2],
-    'jsx-quotes': ['error', 'prefer-single'],
-    'semi': ['error', 'always'],
-    'no-case-declarations': 'off',
-    'no-catch-shadow': 'error',
-    'no-console': [
-      'warn',
-      {
-        allow: [
-          'error',
-          'warn',
-        ],
-      },
-    ],
-    'no-empty': ['error', { "allowEmptyCatch": true }],
-    'no-restricted-properties': [
-      'error',
-      { property: 'substring', message: 'Use .slice instead of .substring.' },
-      { property: 'substr', message: 'Use .slice instead of .substr.' },
-    ],
-    'no-restricted-syntax': [
-      'error',
-      {
-        // eslint-disable-next-line no-restricted-syntax
-        selector: 'Literal[value=/•/], JSXText[value=/•/]',
-        // eslint-disable-next-line no-restricted-syntax
-        message: "Use '·' (middle dot) instead of '•' (bullet)",
-      },
-    ],
-    'no-unused-expressions': 'error',
-    'no-unused-vars': 'off',
-    '@typescript-eslint/no-unused-vars': [
-      'error',
-      {
-        vars: 'all',
-        args: 'after-used',
-        destructuredArrayIgnorePattern: '^_',
-        ignoreRestSiblings: true,
-      },
-    ],
-    'valid-typeof': 'error',
-
-    'react/jsx-filename-extension': ['error', { extensions: ['.jsx', 'tsx'] }],
-    'react/jsx-boolean-value': 'error',
-    'react/display-name': 'off',
-    'react/jsx-fragments': ['error', 'syntax'],
-    'react/jsx-equals-spacing': 'error',
-    'react/jsx-no-bind': 'error',
-    'react/jsx-no-useless-fragment': 'error',
-    'react/jsx-no-target-blank': 'off',
-    'react/jsx-tag-spacing': 'error',
-    'react/jsx-uses-react': 'off', // not needed with new JSX transform
-    'react/jsx-wrap-multilines': 'error',
-    'react/react-in-jsx-scope': 'off', // not needed with new JSX transform
-    'react/self-closing-comp': 'error',
-
-    // recommended values found in https://github.com/jsx-eslint/eslint-plugin-jsx-a11y/blob/v6.8.0/src/index.js#L46
-    'jsx-a11y/click-events-have-key-events': 'off',
-    'jsx-a11y/label-has-associated-control': 'off',
-    'jsx-a11y/media-has-caption': 'off',
-    'jsx-a11y/no-autofocus': 'off',
-    // recommended rule is:
-    // 'jsx-a11y/no-interactive-element-to-noninteractive-role': [
-    //   'error',
-    //   {
-    //     tr: ['none', 'presentation'],
-    //     canvas: ['img'],
-    //   },
-    // ],
-    'jsx-a11y/no-interactive-element-to-noninteractive-role': 'off',
-    // recommended rule is:
-    // 'jsx-a11y/no-noninteractive-tabindex': [
-    //   'error',
-    //   {
-    //     tags: [],
-    //     roles: ['tabpanel'],
-    //     allowExpressionValues: true,
-    //   },
-    // ],
-    'jsx-a11y/no-noninteractive-tabindex': 'off',
-    // recommended is full 'error'
-    'jsx-a11y/no-static-element-interactions': [
-      'warn',
-      {
-        handlers: [
-          'onClick',
-        ],
-      },
-    ],
-
-    // See https://github.com/import-js/eslint-plugin-import/blob/v2.29.1/config/recommended.js
-    'import/extensions': [
-      'error',
-      'always',
-      {
-        js: 'never',
-        jsx: 'never',
-        mjs: 'never',
-        ts: 'never',
-        tsx: 'never',
-      },
-    ],
-    'import/first': 'error',
-    'import/newline-after-import': 'error',
-    'import/no-anonymous-default-export': 'error',
-    'import/no-extraneous-dependencies': [
-      'error',
-      {
-        devDependencies: [
-          '.eslintrc.js',
-          'config/webpack/**',
-          'app/javascript/mastodon/performance.js',
-          'app/javascript/mastodon/test_setup.js',
-          'app/javascript/**/__tests__/**',
-        ],
-      },
-    ],
-    'import/no-amd': 'error',
-    'import/no-commonjs': 'error',
-    'import/no-import-module-exports': 'error',
-    'import/no-relative-packages': 'error',
-    'import/no-self-import': 'error',
-    'import/no-useless-path-segments': 'error',
-    'import/no-webpack-loader-syntax': 'error',
-
-    'import/order': [
-      'error',
-      {
-        alphabetize: { order: 'asc' },
-        'newlines-between': 'always',
-        groups: [
-          'builtin',
-          'external',
-          'internal',
-          'parent',
-          ['index', 'sibling'],
-          'object',
-        ],
-        pathGroups: [
-          // React core packages
-          {
-            pattern: '{react,react-dom,react-dom/client,prop-types}',
-            group: 'builtin',
-            position: 'after',
-          },
-          // I18n
-          {
-            pattern: '{react-intl,intl-messageformat}',
-            group: 'builtin',
-            position: 'after',
-          },
-          // Common React utilities
-          {
-            pattern: '{classnames,react-helmet,react-router,react-router-dom}',
-            group: 'external',
-            position: 'before',
-          },
-          // Immutable / Redux / data store
-          {
-            pattern: '{immutable,@reduxjs/toolkit,react-redux,react-immutable-proptypes,react-immutable-pure-component}',
-            group: 'external',
-            position: 'before',
-          },
-          // Internal packages
-          {
-            pattern: '{mastodon/**}',
-            group: 'internal',
-            position: 'after',
-          },
-          {
-            pattern: '{flavours/glitch-soc/**}',
-            group: 'internal',
-            position: 'after',
-          },
-        ],
-        pathGroupsExcludedImportTypes: [],
-      },
-    ],
-
-    // Forbid imports from vanilla in glitch flavour
-    'import/no-restricted-paths': [
-      'error',
-      {
-        zones: [{
-          target: 'app/javascript/flavours/glitch/',
-          from: 'app/javascript/mastodon/',
-          message: 'Import from /flavours/glitch/ instead'
-        }]
-      }
-    ],
-
-    'promise/always-return': 'off',
-    'promise/catch-or-return': [
-      'error',
-      {
-        allowFinally: true,
-      },
-    ],
-    'promise/no-callback-in-promise': 'off',
-    'promise/no-nesting': 'off',
-    'promise/no-promise-in-callback': 'off',
-
-    'formatjs/blocklist-elements': 'error',
-    'formatjs/enforce-default-message': ['error', 'literal'],
-    'formatjs/enforce-description': 'off', // description values not currently used
-    'formatjs/enforce-id': 'off', // Explicit IDs are used in the project
-    'formatjs/enforce-placeholders': 'off', // Issues in short_number.jsx
-    'formatjs/enforce-plural-rules': 'error',
-    'formatjs/no-camel-case': 'off', // disabledAccount is only non-conforming
-    'formatjs/no-complex-selectors': 'error',
-    'formatjs/no-emoji': 'error',
-    'formatjs/no-id': 'off', // IDs are used for translation keys
-    'formatjs/no-invalid-icu': 'error',
-    'formatjs/no-literal-string-in-jsx': 'off', // Should be looked at, but mainly flagging punctuation outside of strings
-    'formatjs/no-multiple-whitespaces': 'error',
-    'formatjs/no-offset': 'error',
-    'formatjs/no-useless-message': 'error',
-    'formatjs/prefer-formatted-message': 'error',
-    'formatjs/prefer-pound-in-plural': 'error',
-
-    'jsdoc/check-types': 'off',
-    'jsdoc/no-undefined-types': 'off',
-    'jsdoc/require-jsdoc': 'off',
-    'jsdoc/require-param-description': 'off',
-    'jsdoc/require-property-description': 'off',
-    'jsdoc/require-returns-description': 'off',
-    'jsdoc/require-returns': 'off',
-  },
-
-  overrides: [
-    {
-      files: [
-        '.eslintrc.js',
-        '*.config.js',
-        '.*rc.js',
-        'ide-helper.js',
-        'config/webpack/**/*',
-        'config/formatjs-formatter.js',
-      ],
-
-      env: {
-        commonjs: true,
-      },
-
-      parserOptions: {
-        sourceType: 'script',
-      },
-
-      rules: {
-        'import/no-commonjs': 'off',
-      },
-    },
-    {
-      files: [
-        '**/*.ts',
-        '**/*.tsx',
-      ],
-
-      extends: [
-        'eslint:recommended',
-        'plugin:@typescript-eslint/strict-type-checked',
-        'plugin:@typescript-eslint/stylistic-type-checked',
-        'plugin:react/recommended',
-        'plugin:react-hooks/recommended',
-        'plugin:jsx-a11y/recommended',
-        'plugin:import/recommended',
-        'plugin:import/typescript',
-        'plugin:promise/recommended',
-        'plugin:jsdoc/recommended-typescript',
-      ],
-
-      parserOptions: {
-        projectService: true,
-        tsconfigRootDir: __dirname,
-      },
-
-      rules: {
-        // Disable formatting rules that have been enabled in the base config
-        'indent': 'off',
-
-        // This is not needed as we use noImplicitReturns, which handles this in addition to understanding types
-        'consistent-return': 'off',
-
-        'import/consistent-type-specifier-style': ['error', 'prefer-top-level'],
-
-        '@typescript-eslint/consistent-type-definitions': ['warn', 'interface'],
-        '@typescript-eslint/consistent-type-exports': 'error',
-        '@typescript-eslint/consistent-type-imports': 'error',
-        "@typescript-eslint/prefer-nullish-coalescing": ['error', { ignorePrimitives: { boolean: true } }],
-        "@typescript-eslint/no-restricted-imports": [
-          "warn",
-          {
-            "name": "react-redux",
-            "importNames": ["useSelector", "useDispatch"],
-            "message": "Use typed hooks `useAppDispatch` and `useAppSelector` instead."
-          }
-        ],
-        "@typescript-eslint/restrict-template-expressions": ['warn', { allowNumber: true }],
-        'jsdoc/require-jsdoc': 'off',
-
-        // Those rules set stricter rules for TS files
-        // to enforce better practices when converting from JS
-        'import/no-default-export': 'warn',
-        'react/prefer-stateless-function': 'warn',
-        'react/function-component-definition': ['error', { namedComponents: 'arrow-function' }],
-        'react/jsx-uses-react': 'off', // not needed with new JSX transform
-        'react/react-in-jsx-scope': 'off', // not needed with new JSX transform
-        'react/prop-types': 'off',
-      },
-    },
-    {
-      files: [
-        '**/__tests__/*.js',
-        '**/__tests__/*.jsx',
-      ],
-
-      env: {
-        jest: true,
-      },
-    }
-  ],
-});

.github/.well-known/funding-manifest-urls

@@ -0,0 +1 @@
+https://joinmastodon.org/funding.json

.github/ISSUE_TEMPLATE/1.web_bug_report.yml

@@ -1,5 +1,5 @@
 name: Bug Report (Web Interface)
-description: If you are using Mastodon's web interface and something is not working as expected
+description: There is a problem using Mastodon's web interface.
 labels: [bug, 'status/to triage', 'area/web interface']
 body:
   - type: markdown
@@ -47,8 +47,8 @@ body:
     attributes:
       label: Mastodon version
       description: |
-        This is displayed at the bottom of the About page, eg. `v4.1.2+nightly-20230627`
-      placeholder: v4.1.2
+        This is displayed at the bottom of the About page, eg. `v4.4.0-beta.1`
+      placeholder: v4.4.0-beta.1
     validations:
       required: true
   - type: input
@@ -56,7 +56,7 @@ body:
       label: Browser name and version
       description: |
         What browser are you using when getting this bug? Please specify the version as well.
-      placeholder: Firefox 105.0.3
+      placeholder: Firefox 139.0.0
     validations:
       required: true
   - type: input
@@ -64,7 +64,7 @@ body:
       label: Operating system
       description: |
         What OS are you running? Please specify the version as well.
-      placeholder: macOS 13.4.1
+      placeholder: macOS 15.5
     validations:
       required: true
   - type: textarea

.github/ISSUE_TEMPLATE/2.server_bug_report.yml

@@ -1,6 +1,6 @@
 name: Bug Report (server / API)
 description: |
-  If something is not working as expected, but is not from using the web interface.
+  There is a problem with the HTTP server, REST API, ActivityPub interaction, etc.
 labels: [bug, 'status/to triage']
 body:
   - type: markdown
@@ -48,8 +48,8 @@ body:
     attributes:
       label: Mastodon version
       description: |
-        This is displayed at the bottom of the About page, eg. `v4.1.2+nightly-20230627`
-      placeholder: v4.1.2
+        This is displayed at the bottom of the About page, eg. `v4.4.0-beta.1`
+      placeholder: v4.4.0-beta.1
     validations:
       required: false
   - type: textarea
@@ -59,7 +59,7 @@ body:
         Any additional technical details you may have, like logs or error traces
       value: |
         If this is happening on your own Mastodon server, please fill out those:
-        - Ruby version: (from `ruby --version`, eg. v3.1.2)
-        - Node.js version: (from `node --version`, eg. v18.16.0)
+        - Ruby version: (from `ruby --version`, eg. v3.4.4)
+        - Node.js version: (from `node --version`, eg. v22.16.0)
     validations:
       required: false

.github/ISSUE_TEMPLATE/3.troubleshooting.yml

@@ -0,0 +1,73 @@
+name: Deployment troubleshooting
+description: |
+  You are a server administrator and you are encountering a technical issue during installation, upgrade or operations of Mastodon.
+labels: [bug, 'status/to triage']
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Make sure that you are submitting a new bug that was not previously reported or already fixed.
+
+        Please use a concise and distinct title for the issue.
+  - type: textarea
+    attributes:
+      label: Steps to reproduce the problem
+      description: What were you trying to do?
+      value: |
+        1.
+        2.
+        3.
+        ...
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: Expected behaviour
+      description: What should have happened?
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: Actual behaviour
+      description: What happened?
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Detailed description
+    validations:
+      required: false
+  - type: input
+    attributes:
+      label: Mastodon instance
+      description: The address of the Mastodon instance where you experienced the issue
+      placeholder: mastodon.social
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: Mastodon version
+      description: |
+        This is displayed at the bottom of the About page, eg. `v4.4.0-alpha.1`
+      placeholder: v4.4.0-beta.1
+    validations:
+      required: false
+  - type: textarea
+    attributes:
+      label: Environment
+      description: |
+        Details about your environment, like how Mastodon is deployed, if containers are used, version numbers, etc.
+      value: |
+        Please at least include those informations:
+        - Operating system: (eg. Ubuntu 24.04.2)
+        - Ruby version: (from `ruby --version`, eg. v3.4.4)
+        - Node.js version: (from `node --version`, eg. v22.16.0)
+    validations:
+      required: false
+  - type: textarea
+    attributes:
+      label: Technical details
+      description: |
+        Any additional technical details you may have, like logs or error traces
+    validations:
+      required: false

.github/renovate.json5

@@ -6,6 +6,7 @@
     ':labels(dependencies)',
     ':prConcurrentLimitNone', // Remove limit for open PRs at any time.
     ':prHourlyLimit2', // Rate limit PR creation to a maximum of two per hour.
+    ':enableVulnerabilityAlertsWithLabel(security)',
   ],
   rebaseWhen: 'conflicted',
   minimumReleaseAge: '3', // Wait 3 days after the package has been published before upgrading it
@@ -15,34 +16,21 @@
   // to `null` after any other rule set it to something.
   dependencyDashboardHeader: 'This issue lists Renovate updates and detected dependencies. Read the [Dependency Dashboard](https://docs.renovatebot.com/key-concepts/dashboard/) docs to learn more. Before approving any upgrade: read the description and comments in the [`renovate.json5` file](https://github.com/mastodon/mastodon/blob/main/.github/renovate.json5).',
   postUpdateOptions: ['yarnDedupeHighest'],
+  // The types are now included in recent versions,we ignore them here until we upgrade and remove the dependency
+  ignoreDeps: ['@types/emoji-mart'],
   packageRules: [
     {
       // Require Dependency Dashboard Approval for major version bumps of these node packages
       matchManagers: ['npm'],
       matchPackageNames: [
         'tesseract.js', // Requires code changes
-        'react-hotkeys', // Requires code changes
-
-        // Requires Webpacker upgrade or replacement
-        '@svgr/webpack',
-        '@types/webpack',
-        'babel-loader',
-        'compression-webpack-plugin',
-        'css-loader',
-        'imports-loader',
-        'mini-css-extract-plugin',
-        'postcss-loader',
-        'sass-loader',
-        'terser-webpack-plugin',
-        'webpack',
-        'webpack-assets-manifest',
-        'webpack-bundle-analyzer',
-        'webpack-dev-server',
-        'webpack-cli',
 
         // react-router: Requires manual upgrade
         'history',
         'react-router-dom',
+
+        // react-spring: Requires manual upgrade when upgrading react
+        '@react-spring/web',
       ],
       matchUpdateTypes: ['major'],
       dependencyDashboardApproval: true,
@@ -51,7 +39,6 @@
       // Require Dependency Dashboard Approval for major version bumps of these Ruby packages
       matchManagers: ['bundler'],
       matchPackageNames: [
-        'rack', // Needs to be synced with Rails version
         'strong_migrations', // Requires manual upgrade
         'sidekiq', // Requires manual upgrade
         'sidekiq-unique-jobs', // Requires manual upgrades and sync with Sidekiq version
@@ -97,10 +84,29 @@
     {
       // Group all eslint-related packages with `eslint` in the same PR
       matchManagers: ['npm'],
-      matchPackageNames: ['eslint', 'eslint-*', '@typescript-eslint/*'],
+      matchPackageNames: [
+        'eslint',
+        'eslint-*',
+        'typescript-eslint',
+        '@eslint/*',
+        'globals',
+      ],
       matchUpdateTypes: ['patch', 'minor'],
       groupName: 'eslint (non-major)',
     },
+    {
+      // Group all Storybook-related packages in the same PR
+      matchManagers: ['npm'],
+      matchPackageNames: [
+        'chromatic',
+        'storybook',
+        '@storybook/*',
+        'msw',
+        'msw-storybook-addon',
+      ],
+      matchUpdateTypes: ['patch', 'minor'],
+      groupName: 'storybook (non-major)',
+    },
     {
       // Group actions/*-artifact in the same PR
       matchManagers: ['github-actions'],
@@ -149,6 +155,12 @@
       matchUpdateTypes: ['patch', 'minor'],
       groupName: 'opentelemetry-ruby (non-major)',
     },
+    {
+      // Group Playwright Ruby & JS deps in the same PR, as they need to be in sync
+      matchManagers: ['bundler', 'npm'],
+      matchPackageNames: ['playwright-ruby-client', 'playwright'],
+      groupName: 'Playwright',
+    },
     // Add labels depending on package manager
     { matchManagers: ['npm', 'nvm'], addLabels: ['javascript'] },
     { matchManagers: ['bundler', 'ruby-version'], addLabels: ['ruby'] },

.github/workflows/build-container-image.yml

@@ -1,14 +1,9 @@
 on:
   workflow_call:
     inputs:
-      platforms:
-        required: true
-        type: string
       cache:
         type: boolean
         default: true
-      use_native_arm64_builder:
-        type: boolean
       push_to_images:
         type: string
       version_prerelease:
@@ -24,42 +19,36 @@ on:
       file_to_build:
         type: string
 
+# This builds multiple images with one runner each, allowing us to build for multiple architectures
+# using Github's runners.
+# The two-step process is adapted form:
+# https://docs.docker.com/build/ci/github-actions/multi-platform/#distribute-build-across-multiple-runners
 jobs:
+  # Build each (amd64 and arm64) image separately
   build-image:
-    runs-on: ubuntu-latest
+    runs-on: ${{ startsWith(matrix.platform, 'linux/arm') && 'ubuntu-24.04-arm' || 'ubuntu-24.04' }}
+    strategy:
+      fail-fast: false
+      matrix:
+        platform:
+          - linux/amd64
+          - linux/arm64
 
     steps:
       - uses: actions/checkout@v4
 
-      - uses: docker/setup-qemu-action@v3
-        if: contains(inputs.platforms, 'linux/arm64') && !inputs.use_native_arm64_builder
+      - name: Prepare
+        env:
+          PUSH_TO_IMAGES: ${{ inputs.push_to_images }}
+        run: |
+          platform=${{ matrix.platform }}
+          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
+          # Transform multi-line variable into comma-separated variable
+          image_names=${PUSH_TO_IMAGES//$'\n'/,}
+          echo "IMAGE_NAMES=${image_names%,}" >> $GITHUB_ENV
 
       - uses: docker/setup-buildx-action@v3
         id: buildx
-        if: ${{ !(inputs.use_native_arm64_builder && contains(inputs.platforms, 'linux/arm64')) }}
-
-      - name: Start a local Docker Builder
-        if: inputs.use_native_arm64_builder && contains(inputs.platforms, 'linux/arm64')
-        run: |
-          docker run --rm -d --name buildkitd -p 1234:1234 --privileged moby/buildkit:latest --addr tcp://0.0.0.0:1234
-
-      - uses: docker/setup-buildx-action@v3
-        id: buildx-native
-        if: inputs.use_native_arm64_builder && contains(inputs.platforms, 'linux/arm64')
-        with:
-          driver: remote
-          endpoint: tcp://localhost:1234
-          platforms: linux/amd64
-          append: |
-            - endpoint: tcp://${{ vars.DOCKER_BUILDER_HETZNER_ARM64_01_HOST }}:13865
-              platforms: linux/arm64
-              name: mastodon-docker-builder-arm64-01
-              driver-opts:
-                - servername=mastodon-docker-builder-arm64-01
-        env:
-          BUILDER_NODE_1_AUTH_TLS_CACERT: ${{ secrets.DOCKER_BUILDER_HETZNER_ARM64_01_CACERT }}
-          BUILDER_NODE_1_AUTH_TLS_CERT: ${{ secrets.DOCKER_BUILDER_HETZNER_ARM64_01_CERT }}
-          BUILDER_NODE_1_AUTH_TLS_KEY: ${{ secrets.DOCKER_BUILDER_HETZNER_ARM64_01_KEY }}
 
       - name: Log in to Docker Hub
         if: contains(inputs.push_to_images, 'tootsuite')
@@ -76,8 +65,91 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - uses: docker/metadata-action@v5
+      - name: Docker meta
         id: meta
+        uses: docker/metadata-action@v5
+        if: ${{ inputs.push_to_images != '' }}
+        with:
+          images: ${{ inputs.push_to_images }}
+          flavor: ${{ inputs.flavor }}
+          labels: ${{ inputs.labels }}
+
+      - name: Build and push by digest
+        id: build
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ${{ inputs.file_to_build }}
+          build-args: |
+            MASTODON_VERSION_PRERELEASE=${{ inputs.version_prerelease }}
+            MASTODON_VERSION_METADATA=${{ inputs.version_metadata }}
+            SOURCE_COMMIT=${{ github.sha }}
+          platforms: ${{ matrix.platform }}
+          provenance: false
+          push: ${{ inputs.push_to_images != '' }}
+          cache-from: ${{ inputs.cache && 'type=gha' || '' }}
+          cache-to: ${{ inputs.cache && 'type=gha,mode=max' || '' }}
+          outputs: type=image,"name=${{ env.IMAGE_NAMES }}",push-by-digest=true,name-canonical=true,push=${{ inputs.push_to_images != '' }}
+
+      - name: Export digest
+        if: ${{ inputs.push_to_images != '' }}
+        run: |
+          mkdir -p "${{ runner.temp }}/digests"
+          digest="${{ steps.build.outputs.digest }}"
+          touch "${{ runner.temp }}/digests/${digest#sha256:}"
+
+      - name: Upload digest
+        if: ${{ inputs.push_to_images != '' }}
+        uses: actions/upload-artifact@v4
+        with:
+          # `hashFiles` is used to disambiguate between streaming and non-streaming images
+          name: digests-${{ hashFiles(inputs.file_to_build) }}-${{ env.PLATFORM_PAIR }}
+          path: ${{ runner.temp }}/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  # Then merge the docker images into a single one
+  merge-images:
+    if: ${{ inputs.push_to_images != '' }}
+    runs-on: ubuntu-24.04
+    needs:
+      - build-image
+
+    env:
+      PUSH_TO_IMAGES: ${{ inputs.push_to_images }}
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Download digests
+        uses: actions/download-artifact@v4
+        with:
+          path: ${{ runner.temp }}/digests
+          # `hashFiles` is used to disambiguate between streaming and non-streaming images
+          pattern: digests-${{ hashFiles(inputs.file_to_build) }}-*
+          merge-multiple: true
+
+      - name: Log in to Docker Hub
+        if: contains(inputs.push_to_images, 'tootsuite')
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Log in to the GitHub Container registry
+        if: contains(inputs.push_to_images, 'ghcr.io')
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
         if: ${{ inputs.push_to_images != '' }}
         with:
           images: ${{ inputs.push_to_images }}
@@ -85,18 +157,14 @@ jobs:
           tags: ${{ inputs.tags }}
           labels: ${{ inputs.labels }}
 
-      - uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: ${{ inputs.file_to_build }}
-          build-args: |
-            MASTODON_VERSION_PRERELEASE=${{ inputs.version_prerelease }}
-            MASTODON_VERSION_METADATA=${{ inputs.version_metadata }}
-          platforms: ${{ inputs.platforms }}
-          provenance: false
-          builder: ${{ steps.buildx.outputs.name || steps.buildx-native.outputs.name }}
-          push: ${{ inputs.push_to_images != '' }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          cache-from: ${{ inputs.cache && 'type=gha' || '' }}
-          cache-to: ${{ inputs.cache && 'type=gha,mode=max' || '' }}
+      - name: Create manifest list and push
+        working-directory: ${{ runner.temp }}/digests
+        run: |
+          echo "$PUSH_TO_IMAGES" | xargs -I{} \
+            docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+              $(printf '{}@sha256:%s ' *)
+
+      - name: Inspect image
+        run: |
+          echo "$PUSH_TO_IMAGES" | xargs -i{} \
+            docker buildx imagetools inspect {}:${{ steps.meta.outputs.version }}

.github/workflows/build-nightly.yml

@@ -26,8 +26,6 @@ jobs:
     uses: ./.github/workflows/build-container-image.yml
     with:
       file_to_build: Dockerfile
-      platforms: linux/amd64,linux/arm64
-      use_native_arm64_builder: false
       cache: false
       push_to_images: |
         ghcr.io/${{ github.repository_owner }}/mastodon
@@ -47,8 +45,6 @@ jobs:
     uses: ./.github/workflows/build-container-image.yml
     with:
       file_to_build: streaming/Dockerfile
-      platforms: linux/amd64,linux/arm64
-      use_native_arm64_builder: false
       cache: false
       push_to_images: |
         ghcr.io/${{ github.repository_owner }}/mastodon-streaming

.github/workflows/build-push-pr.yml

@@ -21,17 +21,17 @@ jobs:
         uses: actions/checkout@v4
       - id: version_vars
         run: |
-          echo mastodon_version_metadata=pr-${{ github.event.pull_request.number }}-$(git rev-parse --short HEAD) >> $GITHUB_OUTPUT
+          echo mastodon_version_metadata=pr-${{ github.event.pull_request.number }}-$(git rev-parse --short ${{github.event.pull_request.head.sha}}) >> $GITHUB_OUTPUT
+          echo mastodon_short_sha=$(git rev-parse --short ${{github.event.pull_request.head.sha}}) >> $GITHUB_OUTPUT
     outputs:
       metadata: ${{ steps.version_vars.outputs.mastodon_version_metadata }}
+      short_sha: ${{ steps.version_vars.outputs.mastodon_short_sha }}
 
   build-image:
     needs: compute-suffix
     uses: ./.github/workflows/build-container-image.yml
     with:
       file_to_build: Dockerfile
-      platforms: linux/amd64,linux/arm64
-      use_native_arm64_builder: false
       push_to_images: |
         ghcr.io/${{ github.repository_owner }}/mastodon
       version_metadata: ${{ needs.compute-suffix.outputs.metadata }}
@@ -39,6 +39,7 @@ jobs:
         latest=auto
       tags: |
         type=ref,event=pr
+        type=ref,event=pr,suffix=-${{ needs.compute-suffix.outputs.short_sha }}
     secrets: inherit
 
   build-image-streaming:
@@ -46,8 +47,6 @@ jobs:
     uses: ./.github/workflows/build-container-image.yml
     with:
       file_to_build: streaming/Dockerfile
-      platforms: linux/amd64,linux/arm64
-      use_native_arm64_builder: false
       push_to_images: |
         ghcr.io/${{ github.repository_owner }}/mastodon-streaming
       version_metadata: ${{ needs.compute-suffix.outputs.metadata }}
@@ -55,4 +54,5 @@ jobs:
         latest=auto
       tags: |
         type=ref,event=pr
+        type=ref,event=pr,suffix=-${{ needs.compute-suffix.outputs.short_sha }}
     secrets: inherit

.github/workflows/build-releases.yml

@@ -13,8 +13,6 @@ jobs:
     uses: ./.github/workflows/build-container-image.yml
     with:
       file_to_build: Dockerfile
-      platforms: linux/amd64,linux/arm64
-      use_native_arm64_builder: false
       push_to_images: |
         ghcr.io/${{ github.repository_owner }}/mastodon
       # Do not use cache when building releases, so apt update is always ran and the release always contain the latest packages
@@ -22,19 +20,16 @@ jobs:
       # Only tag with latest when ran against the latest stable branch
       # This needs to be updated after each minor version release
       flavor: |
-        latest=${{ startsWith(github.ref, 'refs/tags/v4.2.') }}
+        latest=${{ startsWith(github.ref, 'refs/tags/v4.3.') }}
       tags: |
         type=pep440,pattern={{raw}}
         type=pep440,pattern=v{{major}}.{{minor}}
     secrets: inherit
 
   build-image-streaming:
-    if: startsWith(github.ref, 'refs/tags/v4.3.')
     uses: ./.github/workflows/build-container-image.yml
     with:
       file_to_build: streaming/Dockerfile
-      platforms: linux/amd64,linux/arm64
-      use_native_arm64_builder: false
       push_to_images: |
         ghcr.io/${{ github.repository_owner }}/mastodon-streaming
       # Do not use cache when building releases, so apt update is always ran and the release always contain the latest packages

.github/workflows/build-security.yml

@@ -23,8 +23,6 @@ jobs:
     uses: ./.github/workflows/build-container-image.yml
     with:
       file_to_build: Dockerfile
-      platforms: linux/amd64,linux/arm64
-      use_native_arm64_builder: false
       cache: false
       push_to_images: |
         ghcr.io/${{ github.repository_owner }}/mastodon
@@ -32,7 +30,7 @@ jobs:
       labels: |
         org.opencontainers.image.description=Nightly build image used for testing purposes
       flavor: |
-        latest=true
+        latest=auto
       tags: |
         type=raw,value=edge
         type=raw,value=nightly
@@ -44,8 +42,6 @@ jobs:
     uses: ./.github/workflows/build-container-image.yml
     with:
       file_to_build: streaming/Dockerfile
-      platforms: linux/amd64,linux/arm64
-      use_native_arm64_builder: false
       cache: false
       push_to_images: |
         ghcr.io/${{ github.repository_owner }}/mastodon-streaming
@@ -53,7 +49,7 @@ jobs:
       labels: |
         org.opencontainers.image.description=Nightly build image used for testing purposes
       flavor: |
-        latest=true
+        latest=auto
       tags: |
         type=raw,value=edge
         type=raw,value=nightly

.github/workflows/bundler-audit.yml

@@ -36,4 +36,4 @@ jobs:
           bundler-cache: true
 
       - name: Run bundler-audit
-        run: bundle exec bundler-audit check --update
+        run: bin/bundler-audit check --update

.github/workflows/check-i18n.yml

@@ -18,7 +18,7 @@ permissions:
 
 jobs:
   check-i18n:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
 
     steps:
       - uses: actions/checkout@v4
@@ -35,18 +35,18 @@ jobs:
           git diff --exit-code
 
       - name: Check locale file normalization
-        run: bundle exec i18n-tasks check-normalized
+        run: bin/i18n-tasks check-normalized
 
       - name: Check for unused strings
-        run: bundle exec i18n-tasks unused
+        run: bin/i18n-tasks unused
 
       - name: Check for missing strings in English YML
         run: |
-          bundle exec i18n-tasks add-missing -l en
+          bin/i18n-tasks add-missing -l en
           git diff --exit-code
 
       - name: Check for wrong string interpolations
-        run: bundle exec i18n-tasks check-consistent-interpolations
+        run: bin/i18n-tasks check-consistent-interpolations
 
       - name: Check that all required locale files exist
-        run: bundle exec rake repo:check_locales_files
+        run: bin/rake repo:check_locales_files

.github/workflows/chromatic.yml

@@ -0,0 +1,41 @@
+name: 'Chromatic'
+
+on:
+  push:
+    branches-ignore:
+      - renovate/*
+      - stable-*
+    paths:
+      - 'package.json'
+      - 'yarn.lock'
+      - '**/*.js'
+      - '**/*.jsx'
+      - '**/*.ts'
+      - '**/*.tsx'
+      - '**/*.css'
+      - '**/*.scss'
+      - '.github/workflows/chromatic.yml'
+
+jobs:
+  chromatic:
+    name: Run Chromatic
+    runs-on: ubuntu-latest
+    if: github.repository == 'mastodon/mastodon'
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Set up Javascript environment
+        uses: ./.github/actions/setup-javascript
+
+      - name: Build Storybook
+        run: yarn build-storybook
+
+      - name: Run Chromatic
+        uses: chromaui/action@v12
+        with:
+          # ⚠️ Make sure to configure a `CHROMATIC_PROJECT_TOKEN` repository secret
+          projectToken: ${{ secrets.CHROMATIC_PROJECT_TOKEN }}
+          zip: true
+          storybookBuildDir: 'storybook-static'

.github/workflows/codeql.yml

@@ -25,8 +25,8 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: ['javascript', 'ruby']
-        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        language: ['actions', 'javascript', 'ruby']
+        # CodeQL supports [ 'actions', 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
         # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
 
     steps:

.github/workflows/crowdin-download-stable.yml

@@ -0,0 +1,70 @@
+name: Crowdin / Download translations (stable branches)
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  download-translations-stable:
+    runs-on: ubuntu-latest
+    if: github.repository == 'mastodon/mastodon'
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Increase Git http.postBuffer
+        # This is needed due to a bug in Ubuntu's cURL version?
+        # See https://github.com/orgs/community/discussions/55820
+        run: |
+          git config --global http.version HTTP/1.1
+          git config --global http.postBuffer 157286400
+
+      # Download the translation files from Crowdin
+      - name: crowdin action
+        uses: crowdin/github-action@v2
+        with:
+          config: crowdin-glitch.yml
+          upload_sources: false
+          upload_translations: false
+          download_translations: true
+          crowdin_branch_name: ${{ github.base_ref || github.ref_name }}
+          push_translations: false
+          create_pull_request: false
+        env:
+          CROWDIN_PROJECT_ID: ${{ vars.CROWDIN_PROJECT_ID }}
+          CROWDIN_PERSONAL_TOKEN: ${{ secrets.CROWDIN_PERSONAL_TOKEN }}
+
+      # As the files are extracted from a Docker container, they belong to root:root
+      # We need to fix this before the next steps
+      - name: Fix file permissions
+        run: sudo chown -R runner:docker .
+
+      # This is needed to run the normalize step
+      - name: Set up Ruby environment
+        uses: ./.github/actions/setup-ruby
+
+      - name: Run i18n normalize task
+        run: bin/i18n-tasks normalize
+
+      # Create or update the pull request
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v7.0.8
+        with:
+          commit-message: 'New Crowdin translations'
+          title: 'New Crowdin Translations for ${{ github.base_ref || github.ref_name }} (automated)'
+          author: 'GitHub Actions <noreply@github.com>'
+          body: |
+            New Crowdin translations, automated with GitHub Actions
+
+            See `.github/workflows/crowdin-download.yml`
+
+            This PR will be updated every day with new translations.
+
+            Due to a limitation in GitHub Actions, checks are not running on this PR without manual action.
+            If you want to run the checks, then close and re-open it.
+          branch: i18n/crowdin/translations-${{ github.base_ref || github.ref_name }}
+          base: ${{ github.base_ref || github.ref_name }}
+          labels: i18n

.github/workflows/crowdin-download.yml

@@ -49,11 +49,11 @@ jobs:
         uses: ./.github/actions/setup-ruby
 
       - name: Run i18n normalize task
-        run: bundle exec i18n-tasks normalize
+        run: bin/i18n-tasks normalize
 
       # Create or update the pull request
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v7.0.1
+        uses: peter-evans/create-pull-request@v7
         with:
           commit-message: 'New Crowdin translations'
           title: 'New Crowdin Translations (automated)'

.github/workflows/crowdin-upload.yml

@@ -1,7 +1,6 @@
 name: Crowdin / Upload translations
 
 on:
-  merge_group:
   push:
     branches:
       - 'main'
@@ -15,6 +14,7 @@ on:
       - config/locales-glitch/devise.en.yml
       - config/locales-glitch/doorkeeper.en.yml
       - .github/workflows/crowdin-upload.yml
+  workflow_dispatch:
 
 jobs:
   upload-translations:
@@ -32,7 +32,7 @@ jobs:
           upload_sources: true
           upload_translations: false
           download_translations: false
-          crowdin_branch_name: main
+          crowdin_branch_name: ${{ github.base_ref || github.ref_name }}
 
         env:
           CROWDIN_PROJECT_ID: ${{ vars.CROWDIN_PROJECT_ID }}

.github/workflows/lint-css.yml

@@ -40,4 +40,4 @@ jobs:
         uses: ./.github/actions/setup-javascript
 
       - name: Stylelint
-        run: yarn lint:css -f github
+        run: yarn lint:css --custom-formatter @csstools/stylelint-formatter-github

.github/workflows/lint-haml.yml

@@ -43,4 +43,4 @@ jobs:
       - name: Run haml-lint
         run: |
           echo "::add-matcher::.github/workflows/haml-lint-problem-matcher.json"
-          bundle exec haml-lint --reporter github
+          bin/haml-lint --reporter github

.github/workflows/lint-js.yml

@@ -11,7 +11,7 @@ on:
       - 'tsconfig.json'
       - '.nvmrc'
       - '.prettier*'
-      - '.eslint*'
+      - 'eslint.config.mjs'
       - '**/*.js'
       - '**/*.jsx'
       - '**/*.ts'
@@ -25,7 +25,7 @@ on:
       - 'tsconfig.json'
       - '.nvmrc'
       - '.prettier*'
-      - '.eslint*'
+      - 'eslint.config.mjs'
       - '**/*.js'
       - '**/*.jsx'
       - '**/*.ts'
@@ -44,7 +44,7 @@ jobs:
         uses: ./.github/actions/setup-javascript
 
       - name: ESLint
-        run: yarn lint:js --max-warnings 0
+        run: yarn workspaces foreach --all --parallel run lint:js --max-warnings 0
 
       - name: Typecheck
         run: yarn typecheck

.github/workflows/lint-ruby.yml

@@ -9,6 +9,7 @@ on:
       - 'Gemfile*'
       - '.rubocop*.yml'
       - '.ruby-version'
+      - 'bin/rubocop'
       - 'config/brakeman.ignore'
       - '**/*.rb'
       - '**/*.rake'
@@ -19,6 +20,7 @@ on:
       - 'Gemfile*'
       - '.rubocop*.yml'
       - '.ruby-version'
+      - 'bin/rubocop'
       - 'config/brakeman.ignore'
       - '**/*.rb'
       - '**/*.rake'

.github/workflows/test-image-build.yml

@@ -8,6 +8,7 @@ on:
       - .github/workflows/test-image-build.yml
       - Dockerfile
       - streaming/Dockerfile
+      - .dockerignore
 permissions:
   contents: read
 
@@ -20,7 +21,6 @@ jobs:
     uses: ./.github/workflows/build-container-image.yml
     with:
       file_to_build: Dockerfile
-      platforms: linux/amd64 # Testing only on native platform so it is performant
       cache: true
 
   build-image-streaming:
@@ -31,5 +31,4 @@ jobs:
     uses: ./.github/workflows/build-container-image.yml
     with:
       file_to_build: streaming/Dockerfile
-      platforms: linux/amd64 # Testing only on native platform so it is performant
       cache: true

.github/workflows/test-js.yml

@@ -40,4 +40,4 @@ jobs:
         uses: ./.github/actions/setup-javascript
 
       - name: JavaScript testing
-        run: yarn jest --reporters github-actions summary
+        run: yarn test:js

.github/workflows/test-migrations.yml

@@ -12,6 +12,7 @@ on:
       - '**/*.rb'
       - '.github/workflows/test-migrations.yml'
       - 'lib/tasks/tests.rake'
+      - 'lib/tasks/db.rake'
 
   pull_request:
     paths:
@@ -32,6 +33,8 @@ jobs:
         postgres:
           - 14-alpine
           - 15-alpine
+          - 16-alpine
+          - 17-alpine
 
     services:
       postgres:
@@ -61,7 +64,6 @@ jobs:
       DB_HOST: localhost
       DB_USER: postgres
       DB_PASS: postgres
-      DISABLE_SIMPLECOV: true
       RAILS_ENV: test
       BUNDLE_CLEAN: true
       BUNDLE_FROZEN: true
@@ -75,6 +77,18 @@ jobs:
       - name: Set up Ruby environment
         uses: ./.github/actions/setup-ruby
 
+      - name: Ensure no errors with `db:prepare`
+        run: |
+          bin/rails db:drop
+          bin/rails db:prepare
+          bin/rails db:migrate
+
+      - name: Ensure no errors with `db:prepare` and SKIP_POST_DEPLOYMENT_MIGRATIONS
+        run: |
+          bin/rails db:drop
+          SKIP_POST_DEPLOYMENT_MIGRATIONS=true bin/rails db:prepare
+          bin/rails db:migrate
+
       - name: Test "one step migration" flow
         run: |
           bin/rails db:drop
@@ -88,6 +102,11 @@ jobs:
           bin/rails db:drop
           bin/rails db:create
           SKIP_POST_DEPLOYMENT_MIGRATIONS=true bin/rails tests:migrations:prepare_database
+
+          # Migrate up to v4.2.0 breakpoint
+          bin/rails db:migrate VERSION=20230907150100
+
+          # Migrate the rest
           SKIP_POST_DEPLOYMENT_MIGRATIONS=true bin/rails db:migrate
           bin/rails db:migrate
           bin/rails tests:migrations:check_database

.github/workflows/test-ruby.yml

@@ -49,7 +49,7 @@ jobs:
             public/assets
             public/packs
             public/packs-test
-            tmp/cache/webpacker
+            tmp/cache/vite
           key: ${{ matrix.mode }}-assets-${{ github.head_ref || github.ref_name }}-${{ github.sha }}
           restore-keys: |
             ${{ matrix.mode }}-assets-${{ github.head_ref || github.ref_name }}-${{ github.sha }}
@@ -63,7 +63,7 @@ jobs:
 
       - name: Archive asset artifacts
         run: |
-          tar --exclude={"*.br","*.gz"} -zcf artifacts.tar.gz public/assets public/packs*
+          tar --exclude={"*.br","*.gz"} -zcf artifacts.tar.gz public/assets public/packs* tmp/cache/vite/last-build*.json
 
       - uses: actions/upload-artifact@v4
         if: matrix.mode == 'test'
@@ -107,7 +107,7 @@ jobs:
       DB_HOST: localhost
       DB_USER: postgres
       DB_PASS: postgres
-      DISABLE_SIMPLECOV: ${{ matrix.ruby-version != '.ruby-version' }}
+      COVERAGE: ${{ matrix.ruby-version == '.ruby-version' }}
       RAILS_ENV: test
       ALLOW_NOPAM: true
       PAM_ENABLED: true
@@ -124,8 +124,8 @@ jobs:
       fail-fast: false
       matrix:
         ruby-version:
-          - '3.1'
           - '3.2'
+          - '3.3'
           - '.ruby-version'
     steps:
       - uses: actions/checkout@v4
@@ -167,15 +167,15 @@ jobs:
 
       - name: Upload coverage reports to Codecov
         if: matrix.ruby-version == '.ruby-version'
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@v5
         with:
           files: coverage/lcov/*.lcov
         env:
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 
-  test-libvips:
-    name: Libvips tests
-    runs-on: ubuntu-24.04
+  test-imagemagick:
+    name: ImageMagick tests
+    runs-on: ubuntu-latest
 
     needs:
       - build
@@ -208,7 +208,7 @@ jobs:
       DB_HOST: localhost
       DB_USER: postgres
       DB_PASS: postgres
-      DISABLE_SIMPLECOV: ${{ matrix.ruby-version != '.ruby-version' }}
+      COVERAGE: ${{ matrix.ruby-version == '.ruby-version' }}
       RAILS_ENV: test
       ALLOW_NOPAM: true
       PAM_ENABLED: true
@@ -220,14 +220,14 @@ jobs:
       CAS_ENABLED: true
       BUNDLE_WITH: 'pam_authentication test'
       GITHUB_RSPEC: ${{ matrix.ruby-version == '.ruby-version' && github.event.pull_request && 'true' }}
-      MASTODON_USE_LIBVIPS: true
+      MASTODON_USE_LIBVIPS: false
 
     strategy:
       fail-fast: false
       matrix:
         ruby-version:
-          - '3.1'
           - '3.2'
+          - '3.3'
           - '.ruby-version'
     steps:
       - uses: actions/checkout@v4
@@ -245,7 +245,7 @@ jobs:
         uses: ./.github/actions/setup-ruby
         with:
           ruby-version: ${{ matrix.ruby-version}}
-          additional-system-dependencies: ffmpeg libpam-dev libyaml-dev
+          additional-system-dependencies: ffmpeg imagemagick libpam-dev
 
       - name: Load database schema
         run: './bin/rails db:create db:schema:load db:seed'
@@ -254,7 +254,7 @@ jobs:
 
       - name: Upload coverage reports to Codecov
         if: matrix.ruby-version == '.ruby-version'
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@v5
         with:
           files: coverage/lcov/mastodon.lcov
         env:
@@ -295,7 +295,6 @@ jobs:
       DB_HOST: localhost
       DB_USER: postgres
       DB_PASS: postgres
-      DISABLE_SIMPLECOV: true
       RAILS_ENV: test
       BUNDLE_WITH: test
       LOCAL_DOMAIN: localhost:3000
@@ -305,8 +304,8 @@ jobs:
       fail-fast: false
       matrix:
         ruby-version:
-          - '3.1'
           - '3.2'
+          - '3.3'
           - '.ruby-version'
 
     steps:
@@ -333,6 +332,21 @@ jobs:
       - name: Load database schema
         run: './bin/rails db:create db:schema:load db:seed'
 
+      - name: Cache Playwright Chromium browser
+        id: playwright-cache
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/ms-playwright
+          key: playwright-browsers-${{ runner.os }}-${{ hashFiles('yarn.lock') }}
+
+      - name: Install Playwright Chromium browser (with deps)
+        if: steps.playwright-cache.outputs.cache-hit != 'true'
+        run: yarn run playwright install --with-deps chromium
+
+      - name: Install Playwright Chromium browser deps
+        if: steps.playwright-cache.outputs.cache-hit == 'true'
+        run: yarn run playwright install-deps chromium
+
       - run: bin/rspec spec/system --tag streaming --tag js
 
       - name: Archive logs
@@ -346,7 +360,7 @@ jobs:
         uses: actions/upload-artifact@v4
         if: failure()
         with:
-          name: e2e-screenshots
+          name: e2e-screenshots-${{ matrix.ruby-version }}
           path: tmp/capybara/
 
   test-search:
@@ -411,7 +425,6 @@ jobs:
       DB_HOST: localhost
       DB_USER: postgres
       DB_PASS: postgres
-      DISABLE_SIMPLECOV: true
       RAILS_ENV: test
       BUNDLE_WITH: test
       ES_ENABLED: true
@@ -422,8 +435,8 @@ jobs:
       fail-fast: false
       matrix:
         ruby-version:
-          - '3.1'
           - '3.2'
+          - '3.3'
           - '.ruby-version'
         search-image:
           - docker.elastic.co/elasticsearch/elasticsearch:7.17.13

.gitignore

@@ -21,10 +21,11 @@
 /public/system
 /public/assets
 /public/packs
+/public/packs-dev
 /public/packs-test
 .env
 .env.production
-/node_modules/
+node_modules/
 /build/
 
 # Ignore Vagrant files
@@ -74,3 +75,6 @@ docker-compose.override.yml
 
 # Ignore local-only rspec configuration
 .rspec-local
+
+*storybook.log
+storybook-static

.nvmrc

@@ -1 +1 @@
-20.17
+22.19

.prettierignore

@@ -18,10 +18,6 @@
 !/log/.keep
 /tmp
 /coverage
-/public/system
-/public/assets
-/public/packs
-/public/packs-test
 .env
 .env.production
 .env.development
@@ -60,9 +56,11 @@ docker-compose.override.yml
 /public/packs
 /public/packs-test
 /public/system
+/public/vite*
 
 # Ignore emoji map file
 /app/javascript/mastodon/features/emoji/emoji_map.json
+/app/javascript/mastodon/features/emoji/emoji_data.json
 
 # Ignore locale files
 /app/javascript/mastodon/locales/*.json
@@ -84,8 +82,12 @@ AUTHORS.md
 # Process a few selected JS files
 !lint-staged.config.js
 
+# Ignore config YAML files that include ERB/ruby code prettier does not understand
+/config/email.yml
+
 # Ignore glitch-soc emoji map file
 /app/javascript/flavours/glitch/features/emoji/emoji_map.json
+/app/javascript/flavours/glitch/features/emoji/emoji_data.json
 
 # Ignore glitch-soc locale files
 /app/javascript/flavours/glitch/locales
@@ -95,4 +97,4 @@ AUTHORS.md
 app/javascript/flavours/glitch/styles/reset.scss
 
 # Ignore win95 theme
-app/javascript/styles/win95.scss
+app/javascript/styles/win95.scss

.prettierrc.js

@@ -1,4 +1,4 @@
 module.exports = {
   singleQuote: true,
   jsxSingleQuote: true
-}
+};

.rubocop.yml

@@ -8,7 +8,7 @@ AllCops:
     - lib/mastodon/migration_helpers.rb
   ExtraDetails: true
   NewCops: enable
-  TargetRubyVersion: 3.1 # Oldest supported ruby version
+  TargetRubyVersion: 3.2 # Oldest supported ruby version
 
 inherit_from:
   - .rubocop/layout.yml
@@ -18,6 +18,7 @@ inherit_from:
   - .rubocop/rspec_rails.yml
   - .rubocop/rspec.yml
   - .rubocop/style.yml
+  - .rubocop/i18n.yml
   - .rubocop/custom.yml
   - .rubocop_todo.yml
   - .rubocop/strict.yml
@@ -26,9 +27,10 @@ inherit_mode:
   merge:
     - Exclude
 
-require:
+plugins:
+  - rubocop-capybara
+  - rubocop-i18n
+  - rubocop-performance
   - rubocop-rails
   - rubocop-rspec
   - rubocop-rspec_rails
-  - rubocop-performance
-  - rubocop-capybara

.rubocop/i18n.yml

@@ -0,0 +1,12 @@
+I18n/RailsI18n:
+  Enabled: true
+  Exclude:
+    - 'config/**/*'
+    - 'db/**/*'
+    - 'lib/**/*'
+    - 'spec/**/*'
+I18n/GetText:
+  Enabled: false
+
+I18n/RailsI18n/DecorateStringFormattingUsingInterpolation:
+  Enabled: false

.rubocop/metrics.yml

@@ -1,17 +1,21 @@
 ---
 Metrics/AbcSize:
-  Exclude:
-    - lib/mastodon/cli/*.rb
+  Enabled: false
 
 Metrics/BlockLength:
   Enabled: false
 
+Metrics/BlockNesting:
+  Enabled: false
+
 Metrics/ClassLength:
   Enabled: false
 
+Metrics/CollectionLiteralLength:
+  Enabled: false
+
 Metrics/CyclomaticComplexity:
-  Exclude:
-    - lib/mastodon/cli/*.rb
+  Enabled: false
 
 Metrics/MethodLength:
   Enabled: false
@@ -20,4 +24,7 @@ Metrics/ModuleLength:
   Enabled: false
 
 Metrics/ParameterLists:
-  CountKeywordArgs: false
+  Enabled: false
+
+Metrics/PerceivedComplexity:
+  Enabled: false

.rubocop/naming.yml

@@ -1,3 +1,6 @@
 ---
 Naming/BlockForwarding:
   EnforcedStyle: explicit
+
+Naming/PredicateMethod:
+  Enabled: false

.rubocop/rails.yml

@@ -2,6 +2,9 @@
 Rails/BulkChangeTable:
   Enabled: false # Conflicts with strong_migrations features
 
+Rails/Delegate:
+  Enabled: false
+
 Rails/FilePath:
   EnforcedStyle: arguments
 

.rubocop/rspec.yml

@@ -23,5 +23,6 @@ RSpec/SpecFilePathFormat:
     ActivityPub: activitypub
     DeepL: deepl
     FetchOEmbedService: fetch_oembed_service
+    OAuth: oauth
     OEmbedController: oembed_controller
     OStatus: ostatus

.rubocop/style.yml

@@ -1,4 +1,7 @@
 ---
+Style/ArrayIntersect:
+  Enabled: false
+
 Style/ClassAndModuleChildren:
   Enabled: false
 
@@ -19,6 +22,13 @@ Style/HashSyntax:
   EnforcedShorthandSyntax: either
   EnforcedStyle: ruby19_no_mixed_keys
 
+Style/IfUnlessModifier:
+  Exclude:
+    - '**/*.haml'
+
+Style/KeywordArgumentsMerging:
+  Enabled: false
+
 Style/NumericLiterals:
   AllowedPatterns:
     - \d{4}_\d{2}_\d{2}_\d{6}
@@ -37,6 +47,9 @@ Style/RedundantFetchBlock:
 Style/RescueStandardError:
   EnforcedStyle: implicit
 
+Style/SafeNavigationChainLength:
+  Enabled: false
+
 Style/SymbolArray:
   Enabled: false
 
@@ -45,3 +58,6 @@ Style/TrailingCommaInArrayLiteral:
 
 Style/TrailingCommaInHashLiteral:
   EnforcedStyleForMultiline: comma
+
+Style/WordArray:
+  MinSize: 3 # Override default of 2

.rubocop_todo.yml

@@ -1,113 +1,18 @@
 # This configuration was generated by
 # `rubocop --auto-gen-config --auto-gen-only-exclude --no-offense-counts --no-auto-gen-timestamp`
-# using RuboCop version 1.66.1.
+# using RuboCop version 1.80.2.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
 # versions of RuboCop, may require this file to be generated again.
 
-Lint/NonLocalExitFromIterator:
-  Exclude:
-    - 'app/helpers/jsonld_helper.rb'
-
-# Configuration parameters: AllowedMethods, AllowedPatterns, CountRepeatedAttributes.
-Metrics/AbcSize:
-  Max: 90
-
-# Configuration parameters: CountBlocks, CountModifierForms, Max.
-Metrics/BlockNesting:
-  Exclude:
-    - 'lib/tasks/mastodon.rake'
-
-# Configuration parameters: AllowedMethods, AllowedPatterns.
-Metrics/CyclomaticComplexity:
-  Max: 25
-
-# Configuration parameters: AllowedMethods, AllowedPatterns.
-Metrics/PerceivedComplexity:
-  Max: 27
-
-Rails/OutputSafety:
-  Exclude:
-    - 'config/initializers/simple_form.rb'
-
 # This cop supports safe autocorrection (--autocorrect).
-# Configuration parameters: AllowedVars.
+# Configuration parameters: AllowedVars, DefaultToNil.
 Style/FetchEnvVar:
   Exclude:
-    - 'app/lib/translation_service.rb'
-    - 'config/environments/production.rb'
-    - 'config/initializers/2_limited_federation_mode.rb'
-    - 'config/initializers/3_omniauth.rb'
-    - 'config/initializers/cache_buster.rb'
-    - 'config/initializers/devise.rb'
     - 'config/initializers/paperclip.rb'
-    - 'config/initializers/vapid.rb'
-    - 'lib/tasks/repo.rake'
-
-# This cop supports safe autocorrection (--autocorrect).
-# Configuration parameters: EnforcedStyle, MaxUnannotatedPlaceholdersAllowed, AllowedMethods, AllowedPatterns.
-# SupportedStyles: annotated, template, unannotated
-# AllowedMethods: redirect
-Style/FormatStringToken:
-  Exclude:
-    - 'config/initializers/devise.rb'
-    - 'lib/paperclip/color_extractor.rb'
 
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: MinBodyLength, AllowConsecutiveConditionals.
 Style/GuardClause:
   Enabled: false
-
-# This cop supports unsafe autocorrection (--autocorrect-all).
-Style/HashTransformValues:
-  Exclude:
-    - 'app/serializers/rest/web_push_subscription_serializer.rb'
-    - 'app/services/import_service.rb'
-
-# This cop supports unsafe autocorrection (--autocorrect-all).
-Style/MapToHash:
-  Exclude:
-    - 'app/models/status.rb'
-
-# This cop supports unsafe autocorrection (--autocorrect-all).
-# Configuration parameters: EnforcedStyle.
-# SupportedStyles: literals, strict
-Style/MutableConstant:
-  Exclude:
-    - 'app/models/tag.rb'
-    - 'app/services/delete_account_service.rb'
-    - 'lib/mastodon/migration_warning.rb'
-
-# Configuration parameters: AllowedMethods.
-# AllowedMethods: respond_to_missing?
-Style/OptionalBooleanParameter:
-  Exclude:
-    - 'app/helpers/jsonld_helper.rb'
-    - 'app/lib/admin/system_check/message.rb'
-    - 'app/lib/request.rb'
-    - 'app/lib/webfinger.rb'
-    - 'app/services/block_domain_service.rb'
-    - 'app/services/fetch_resource_service.rb'
-    - 'app/workers/domain_block_worker.rb'
-    - 'app/workers/unfollow_follow_worker.rb'
-
-# This cop supports unsafe autocorrection (--autocorrect-all).
-# Configuration parameters: EnforcedStyle.
-# SupportedStyles: short, verbose
-Style/PreferredHashMethods:
-  Exclude:
-    - 'config/initializers/paperclip.rb'
-
-# This cop supports safe autocorrection (--autocorrect).
-Style/RedundantConstantBase:
-  Exclude:
-    - 'config/environments/production.rb'
-    - 'config/initializers/sidekiq.rb'
-
-# This cop supports safe autocorrection (--autocorrect).
-# Configuration parameters: WordRegex.
-# SupportedStyles: percent, brackets
-Style/WordArray:
-  EnforcedStyle: percent
-  MinSize: 3

.ruby-version

@@ -1 +1 @@
-3.3.5
+3.4.6

.storybook/main.ts

@@ -0,0 +1,39 @@
+import { resolve } from 'node:path';
+
+import type { StorybookConfig } from '@storybook/react-vite';
+
+const config: StorybookConfig = {
+  stories: ['../app/javascript/**/*.stories.@(js|jsx|mjs|ts|tsx)'],
+  addons: [
+    '@storybook/addon-docs',
+    '@storybook/addon-a11y',
+    '@storybook/addon-vitest',
+  ],
+  framework: {
+    name: '@storybook/react-vite',
+    options: {},
+  },
+  staticDirs: [
+    './static',
+    // We need to manually specify the assets because of the symlink in public/sw.js
+    ...[
+      'avatars',
+      'emoji',
+      'headers',
+      'sounds',
+      'badge.png',
+      'loading.gif',
+      'loading.png',
+      'oops.gif',
+      'oops.png',
+    ].map((path) => ({ from: `../public/${path}`, to: `/${path}` })),
+  ],
+  viteFinal(config) {
+    // For an unknown reason, Storybook does not use the root
+    // from the Vite config so we need to set it manually.
+    config.root = resolve(__dirname, '../app/javascript');
+    return config;
+  },
+};
+
+export default config;

.storybook/manager.ts

@@ -0,0 +1,7 @@
+import { addons } from 'storybook/manager-api';
+
+import theme from './storybook-theme';
+
+addons.setConfig({
+  theme,
+});

.storybook/preview-body.html

@@ -0,0 +1,2 @@
+<html class="no-reduce-motion">
+</html>

.storybook/preview-head.html

@@ -0,0 +1,18 @@
+<style>
+	/* Increase docs font size */
+	.sbdocs.sbdocs-content :where(p:not(.sb-anchor, .sb-unstyled, .sb-unstyled p)),
+	.sbdocs.sbdocs-content :where(li:not(.sb-anchor, .sb-unstyled, .sb-unstyled li)) {
+		font-size: 1.0666rem; /* 17px */
+		line-height: 1.585; /* 27px */
+	}
+
+	.sbdocs.sbdocs-content :where(p:not(.sb-anchor, .sb-unstyled, .sb-unstyled p)) code,
+	.sbdocs.sbdocs-content :where(li:not(.sb-anchor, .sb-unstyled, .sb-unstyled li)) code {
+		font-size: 0.875rem; /* ~15px */
+	}
+
+	/* Bring numbers back for ordered lists */
+	ol {
+		list-style: revert !important;
+	}
+</style>

.storybook/preview.tsx

@@ -0,0 +1,152 @@
+import { useEffect, useState } from 'react';
+
+import { IntlProvider } from 'react-intl';
+
+import { MemoryRouter, Route } from 'react-router';
+
+import { configureStore } from '@reduxjs/toolkit';
+import { Provider } from 'react-redux';
+
+import type { Preview } from '@storybook/react-vite';
+import { initialize, mswLoader } from 'msw-storybook-addon';
+import { action } from 'storybook/actions';
+
+import type { LocaleData } from '@/mastodon/locales';
+import { reducerWithInitialState } from '@/mastodon/reducers';
+import { defaultMiddleware } from '@/mastodon/store/store';
+import { mockHandlers, unhandledRequestHandler } from '@/testing/api';
+
+// If you want to run the dark theme during development,
+// you can change the below to `/application.scss`
+import '../app/javascript/styles/mastodon-light.scss';
+import './styles.css';
+
+const localeFiles = import.meta.glob('@/mastodon/locales/*.json', {
+  query: { as: 'json' },
+});
+
+// Initialize MSW
+initialize({
+  onUnhandledRequest: unhandledRequestHandler,
+});
+
+const preview: Preview = {
+  // Auto-generate docs: https://storybook.js.org/docs/writing-docs/autodocs
+  tags: ['autodocs'],
+  globalTypes: {
+    locale: {
+      description: 'Locale for the story',
+      toolbar: {
+        title: 'Locale',
+        icon: 'globe',
+        items: Object.keys(localeFiles).map((path) =>
+          path.replace('/mastodon/locales/', '').replace('.json', ''),
+        ),
+        dynamicTitle: true,
+      },
+    },
+  },
+  initialGlobals: {
+    locale: 'en',
+  },
+  decorators: [
+    (Story, { parameters, globals }) => {
+      const { locale } = globals as { locale: string };
+      const { state = {} } = parameters;
+      const reducer = reducerWithInitialState(
+        {
+          meta: {
+            locale,
+          },
+        },
+        state as Record<string, unknown>,
+      );
+      const store = configureStore({
+        reducer,
+        middleware(getDefaultMiddleware) {
+          return getDefaultMiddleware(defaultMiddleware);
+        },
+      });
+      return (
+        <Provider store={store}>
+          <Story />
+        </Provider>
+      );
+    },
+    (Story, { globals }) => {
+      const currentLocale = (globals.locale as string) || 'en';
+      const [messages, setMessages] = useState<
+        Record<string, Record<string, string>>
+      >({});
+      const currentLocaleData = messages[currentLocale];
+
+      useEffect(() => {
+        async function loadLocaleData() {
+          const { default: localeFile } = (await import(
+            `@/mastodon/locales/${currentLocale}.json`
+          )) as { default: LocaleData['messages'] };
+          setMessages((prevLocales) => ({
+            ...prevLocales,
+            [currentLocale]: localeFile,
+          }));
+        }
+        if (!currentLocaleData) {
+          void loadLocaleData();
+        }
+      }, [currentLocale, currentLocaleData]);
+
+      return (
+        <IntlProvider
+          locale={currentLocale}
+          messages={currentLocaleData}
+          textComponent='span'
+        >
+          <Story />
+        </IntlProvider>
+      );
+    },
+    (Story) => (
+      <MemoryRouter>
+        <Story />
+        <Route
+          path='*'
+          // eslint-disable-next-line react/jsx-no-bind
+          render={({ location }) => {
+            if (location.pathname !== '/') {
+              action(`route change to ${location.pathname}`)(location);
+            }
+            return null;
+          }}
+        />
+      </MemoryRouter>
+    ),
+  ],
+  loaders: [mswLoader],
+  parameters: {
+    layout: 'centered',
+
+    controls: {
+      matchers: {
+        color: /(background|color)$/i,
+        date: /Date$/i,
+      },
+    },
+
+    a11y: {
+      // 'todo' - show a11y violations in the test UI only
+      // 'error' - fail CI on a11y violations
+      // 'off' - skip a11y checks entirely
+      test: 'todo',
+    },
+
+    state: {},
+
+    docs: {},
+
+    msw: {
+      handlers: mockHandlers,
+    },
+  },
+};
+
+export default preview;

.storybook/static/mockServiceWorker.js

@@ -0,0 +1,348 @@
+/* eslint-disable */
+/* tslint:disable */
+
+/**
+ * Mock Service Worker.
+ * @see https://github.com/mswjs/msw
+ * - Please do NOT modify this file.
+ */
+
+const PACKAGE_VERSION = '2.11.3'
+const INTEGRITY_CHECKSUM = '4db4a41e972cec1b64cc569c66952d82'
+const IS_MOCKED_RESPONSE = Symbol('isMockedResponse')
+const activeClientIds = new Set()
+
+addEventListener('install', function () {
+  self.skipWaiting()
+})
+
+addEventListener('activate', function (event) {
+  event.waitUntil(self.clients.claim())
+})
+
+addEventListener('message', async function (event) {
+  const clientId = Reflect.get(event.source || {}, 'id')
+
+  if (!clientId || !self.clients) {
+    return
+  }
+
+  const client = await self.clients.get(clientId)
+
+  if (!client) {
+    return
+  }
+
+  const allClients = await self.clients.matchAll({
+    type: 'window',
+  })
+
+  switch (event.data) {
+    case 'KEEPALIVE_REQUEST': {
+      sendToClient(client, {
+        type: 'KEEPALIVE_RESPONSE',
+      })
+      break
+    }
+
+    case 'INTEGRITY_CHECK_REQUEST': {
+      sendToClient(client, {
+        type: 'INTEGRITY_CHECK_RESPONSE',
+        payload: {
+          packageVersion: PACKAGE_VERSION,
+          checksum: INTEGRITY_CHECKSUM,
+        },
+      })
+      break
+    }
+
+    case 'MOCK_ACTIVATE': {
+      activeClientIds.add(clientId)
+
+      sendToClient(client, {
+        type: 'MOCKING_ENABLED',
+        payload: {
+          client: {
+            id: client.id,
+            frameType: client.frameType,
+          },
+        },
+      })
+      break
+    }
+
+    case 'CLIENT_CLOSED': {
+      activeClientIds.delete(clientId)
+
+      const remainingClients = allClients.filter((client) => {
+        return client.id !== clientId
+      })
+
+      // Unregister itself when there are no more clients
+      if (remainingClients.length === 0) {
+        self.registration.unregister()
+      }
+
+      break
+    }
+  }
+})
+
+addEventListener('fetch', function (event) {
+  const requestInterceptedAt = Date.now()
+
+  // Bypass navigation requests.
+  if (event.request.mode === 'navigate') {
+    return
+  }
+
+  // Opening the DevTools triggers the "only-if-cached" request
+  // that cannot be handled by the worker. Bypass such requests.
+  if (
+    event.request.cache === 'only-if-cached' &&
+    event.request.mode !== 'same-origin'
+  ) {
+    return
+  }
+
+  // Bypass all requests when there are no active clients.
+  // Prevents the self-unregistered worked from handling requests
+  // after it's been terminated (still remains active until the next reload).
+  if (activeClientIds.size === 0) {
+    return
+  }
+
+  const requestId = crypto.randomUUID()
+  event.respondWith(handleRequest(event, requestId, requestInterceptedAt))
+})
+
+/**
+ * @param {FetchEvent} event
+ * @param {string} requestId
+ * @param {number} requestInterceptedAt
+ */
+async function handleRequest(event, requestId, requestInterceptedAt) {
+  const client = await resolveMainClient(event)
+  const requestCloneForEvents = event.request.clone()
+  const response = await getResponse(
+    event,
+    client,
+    requestId,
+    requestInterceptedAt,
+  )
+
+  // Send back the response clone for the "response:*" life-cycle events.
+  // Ensure MSW is active and ready to handle the message, otherwise
+  // this message will pend indefinitely.
+  if (client && activeClientIds.has(client.id)) {
+    const serializedRequest = await serializeRequest(requestCloneForEvents)
+
+    // Clone the response so both the client and the library could consume it.
+    const responseClone = response.clone()
+
+    sendToClient(
+      client,
+      {
+        type: 'RESPONSE',
+        payload: {
+          isMockedResponse: IS_MOCKED_RESPONSE in response,
+          request: {
+            id: requestId,
+            ...serializedRequest,
+          },
+          response: {
+            type: responseClone.type,
+            status: responseClone.status,
+            statusText: responseClone.statusText,
+            headers: Object.fromEntries(responseClone.headers.entries()),
+            body: responseClone.body,
+          },
+        },
+      },
+      responseClone.body ? [serializedRequest.body, responseClone.body] : [],
+    )
+  }
+
+  return response
+}
+
+/**
+ * Resolve the main client for the given event.
+ * Client that issues a request doesn't necessarily equal the client
+ * that registered the worker. It's with the latter the worker should
+ * communicate with during the response resolving phase.
+ * @param {FetchEvent} event
+ * @returns {Promise<Client | undefined>}
+ */
+async function resolveMainClient(event) {
+  const client = await self.clients.get(event.clientId)
+
+  if (activeClientIds.has(event.clientId)) {
+    return client
+  }
+
+  if (client?.frameType === 'top-level') {
+    return client
+  }
+
+  const allClients = await self.clients.matchAll({
+    type: 'window',
+  })
+
+  return allClients
+    .filter((client) => {
+      // Get only those clients that are currently visible.
+      return client.visibilityState === 'visible'
+    })
+    .find((client) => {
+      // Find the client ID that's recorded in the
+      // set of clients that have registered the worker.
+      return activeClientIds.has(client.id)
+    })
+}
+
+/**
+ * @param {FetchEvent} event
+ * @param {Client | undefined} client
+ * @param {string} requestId
+ * @returns {Promise<Response>}
+ */
+async function getResponse(event, client, requestId, requestInterceptedAt) {
+  // Clone the request because it might've been already used
+  // (i.e. its body has been read and sent to the client).
+  const requestClone = event.request.clone()
+
+  function passthrough() {
+    // Cast the request headers to a new Headers instance
+    // so the headers can be manipulated with.
+    const headers = new Headers(requestClone.headers)
+
+    // Remove the "accept" header value that marked this request as passthrough.
+    // This prevents request alteration and also keeps it compliant with the
+    // user-defined CORS policies.
+    const acceptHeader = headers.get('accept')
+    if (acceptHeader) {
+      const values = acceptHeader.split(',').map((value) => value.trim())
+      const filteredValues = values.filter(
+        (value) => value !== 'msw/passthrough',
+      )
+
+      if (filteredValues.length > 0) {
+        headers.set('accept', filteredValues.join(', '))
+      } else {
+        headers.delete('accept')
+      }
+    }
+
+    return fetch(requestClone, { headers })
+  }
+
+  // Bypass mocking when the client is not active.
+  if (!client) {
+    return passthrough()
+  }
+
+  // Bypass initial page load requests (i.e. static assets).
+  // The absence of the immediate/parent client in the map of the active clients
+  // means that MSW hasn't dispatched the "MOCK_ACTIVATE" event yet
+  // and is not ready to handle requests.
+  if (!activeClientIds.has(client.id)) {
+    return passthrough()
+  }
+
+  // Notify the client that a request has been intercepted.
+  const serializedRequest = await serializeRequest(event.request)
+  const clientMessage = await sendToClient(
+    client,
+    {
+      type: 'REQUEST',
+      payload: {
+        id: requestId,
+        interceptedAt: requestInterceptedAt,
+        ...serializedRequest,
+      },
+    },
+    [serializedRequest.body],
+  )
+
+  switch (clientMessage.type) {
+    case 'MOCK_RESPONSE': {
+      return respondWithMock(clientMessage.data)
+    }
+
+    case 'PASSTHROUGH': {
+      return passthrough()
+    }
+  }
+
+  return passthrough()
+}
+
+/**
+ * @param {Client} client
+ * @param {any} message
+ * @param {Array<Transferable>} transferrables
+ * @returns {Promise<any>}
+ */
+function sendToClient(client, message, transferrables = []) {
+  return new Promise((resolve, reject) => {
+    const channel = new MessageChannel()
+
+    channel.port1.onmessage = (event) => {
+      if (event.data && event.data.error) {
+        return reject(event.data.error)
+      }
+
+      resolve(event.data)
+    }
+
+    client.postMessage(message, [
+      channel.port2,
+      ...transferrables.filter(Boolean),
+    ])
+  })
+}
+
+/**
+ * @param {Response} response
+ * @returns {Response}
+ */
+function respondWithMock(response) {
+  // Setting response status code to 0 is a no-op.
+  // However, when responding with a "Response.error()", the produced Response
+  // instance will have status code set to 0. Since it's not possible to create
+  // a Response instance with status code 0, handle that use-case separately.
+  if (response.status === 0) {
+    return Response.error()
+  }
+
+  const mockedResponse = new Response(response.body, response)
+
+  Reflect.defineProperty(mockedResponse, IS_MOCKED_RESPONSE, {
+    value: true,
+    enumerable: true,
+  })
+
+  return mockedResponse
+}
+
+/**
+ * @param {Request} request
+ */
+async function serializeRequest(request) {
+  return {
+    url: request.url,
+    mode: request.mode,
+    method: request.method,
+    headers: Object.fromEntries(request.headers.entries()),
+    cache: request.cache,
+    credentials: request.credentials,
+    destination: request.destination,
+    integrity: request.integrity,
+    redirect: request.redirect,
+    referrer: request.referrer,
+    referrerPolicy: request.referrerPolicy,
+    body: await request.arrayBuffer(),
+    keepalive: request.keepalive,
+  }
+}

.storybook/storybook-addon-vitest.d.ts

@@ -0,0 +1,7 @@
+// The addon package.json incorrectly exports types, so we need to override them here.
+// See: https://github.com/storybookjs/storybook/blob/v9.0.4/code/addons/vitest/package.json#L70-L76
+declare module '@storybook/addon-vitest/vitest-plugin' {
+  export * from '@storybook/addon-vitest/dist/vitest-plugin/index';
+}
+
+export {};

.storybook/storybook-theme.ts

@@ -0,0 +1,7 @@
+import { create } from 'storybook/theming';
+
+export default create({
+  base: 'light',
+  brandTitle: 'Mastodon Storybook',
+  brandImage: 'https://joinmastodon.org/logos/wordmark-black-text.svg',
+});

.storybook/styles.css

@@ -0,0 +1,8 @@
+a {
+  color: inherit;
+  text-decoration: none;
+}
+
+a:hover {
+  text-decoration: underline;
+}

.storybook/vitest.setup.ts

@@ -0,0 +1,8 @@
+import * as a11yAddonAnnotations from '@storybook/addon-a11y/preview';
+import { setProjectAnnotations } from '@storybook/react-vite';
+
+import * as projectAnnotations from './preview';
+
+// This is an important step to apply the right configuration when testing your stories.
+// More info at: https://storybook.js.org/docs/api/portable-stories/portable-stories-vitest#setprojectannotations
+setProjectAnnotations([a11yAddonAnnotations, projectAnnotations]);

CHANGELOG.md

@@ -2,7 +2,585 @@
 
 All notable changes to this project will be documented in this file.
 
-## [4.3.0] - UNRELEASED
+## [4.4.4] - 2025-09-16
+
+### Security
+
+- Update dependencies
+
+### Fixed
+
+- Fix missing memoization in `Web::PushNotificationWorker` (#36085 by @ClearlyClaire)
+- Fix unresponsive areas around GIFV modals in some cases (#36059 by @ClearlyClaire)
+- Fix missing `beforeUnload` confirmation when a poll is being authored (#36030 by @ClearlyClaire)
+- Fix processing of remote edited statuses with new media and no text (#35970 by @unfokus)
+- Fix polls not being displayed in moderation interface (#35644 and #35933 by @ThisIsMissEm)
+- Fix WebUI handling of deleted quoted posts (#35909 and #35918 by @ClearlyClaire and @diondiondion)
+- Fix “Edit” and “Delete & Redraft” on a poll not inserting empty option (#35892 by @ClearlyClaire)
+- Fix loading of some compatibility CSS on some configurations (#35876 by @shleeable)
+- Fix HttpLog not being enabled with `RAILS_LOG_LEVEL=debug` (#35833 by @mjankowski)
+- Fix self-destruct scheduler behavior on some Redis setups (#35823 by @ClearlyClaire)
+- Fix `tootctl admin create` not bypassing reserved username checks (#35779 by @ClearlyClaire)
+- Fix interaction policy changes in implicit updates not being saved (#35751 by @ClearlyClaire)
+- Fix quote revocation not being streamed (#35710 by @ClearlyClaire)
+- Fix export of large user archives by enabling Zip64 (#35850 by @ClearlyClaire)
+
+### Changed
+
+- Change labels for quote policy settings (#35893 by @ClearlyClaire)
+- Change standalone “Share” page to redirect to web interface after posting (#35763 by @ChaosExAnima)
+
+## [4.4.3] - 2025-08-05
+
+### Security
+
+- Update dependencies
+- Fix incorrect rate-limit handling [GHSA-84ch-6436-c7mg](https://github.com/mastodon/mastodon/security/advisories/GHSA-84ch-6436-c7mg)
+
+### Fixed
+
+- Fix race condition caused by ActiveRecord query cache in `Create` critical path (#35662 by @ClearlyClaire)
+- Fix race condition caused by quote post processing (#35657 by @ClearlyClaire)
+- Fix WebUI crashing for accounts with `null` URL (#35651 by @ClearlyClaire)
+- Fix friends-of-friends recommendations suggesting already-requested accounts (#35604 by @ClearlyClaire)
+- Fix synchronous recursive fetching of deeply-nested quoted posts (#35600 by @ClearlyClaire)
+- Fix “Expand this post” link including user `@undefined` (#35478 by @ClearlyClaire)
+
+### Changed
+
+- Change `StatusReachFinder` to consider quotes as well as reblogs (#35601 by @ClearlyClaire)
+- Add restrictions on which quote posts can trend (#35507 by @ClearlyClaire)
+- Change quote verification to not bypass authorization flow for mentions (#35528 by @ClearlyClaire)
+
+## [4.4.2] - 2025-07-23
+
+### Security
+
+- Update dependencies
+
+### Fixed
+
+- Fix menu not clickable in Firefox (#35390 and #35414 by @diondiondion)
+- Add `lang` attribute to current composer language in alt text modal (#35412 by @diondiondion)
+- Fix quote posts styling on notifications page (#35411 by @diondiondion)
+- Improve a11y of custom select menus in notifications settings (#35403 by @diondiondion)
+- Fix selected item in poll select menus is unreadable in Firefox (#35402 by @diondiondion)
+- Update age limit wording (#35387 by @diondiondion)
+- Fix support for quote verification in implicit status updates (#35384 by @ClearlyClaire)
+- Improve `Dropdown` component accessibility (#35373 by @diondiondion)
+- Fix processing some incoming quotes failing because of missing JSON-LD context (#35354 and #35380 by @ClearlyClaire)
+- Make bio hashtags open the local page instead of the remote instance (#35349 by @ChaosExAnima)
+- Fix styling of external log-in button (#35320 by @ClearlyClaire)
+
+## [4.4.1] - 2025-07-09
+
+### Fixed
+
+- Fix nearly every sub-directory being crawled as part of Vite build (#35323 by @ClearlyClaire)
+- Fix assets not building when Redis is unavailable (#35321 by @oneiros)
+- Fix replying from media modal or pop-in-player tagging user `@undefined` (#35317 by @ClearlyClaire)
+- Fix support for special characters in various environment variables (#35314 by @mjankowski and @ClearlyClaire)
+- Fix some database migrations failing for indexes manually removed by admins (#35309 by @mjankowski)
+
+## [4.4.0] - 2025-07-08
+
+### Added
+
+- **Add “Followers you know” widget to user profiles and hover cards** (#34652, #34678, #34681, #34697, #34699, #34769, #34774 and #34914 by @diondiondion)
+- **Add featured tab to profiles on web UI and rework pinned posts** (#34405, #34483, #34491, #34754, #34855, #34858, #34868, #34869, #34927, #34995, #35056 and #34931 by @ChaosExAnima, @ClearlyClaire, @Gargron, and @diondiondion)
+- Add endorsed accounts to featured tab in web UI (#34421 and #34568 by @Gargron)\
+  This also includes the following new REST API endpoints:
+  - `GET /api/v1/accounts/:id/endorsements`: https://docs.joinmastodon.org/methods/accounts/#endorsements
+  - `POST /api/v1/accounts/:id/endorse`: https://docs.joinmastodon.org/methods/accounts/#endorse
+  - `POST /api/v1/accounts/:id/unendorse`: https://docs.joinmastodon.org/methods/accounts/#unendorse
+- Add ability to add and remove hashtags from featured tags in web UI (#34489, #34887, and #34490 by @ClearlyClaire and @Gargron)\
+  This is achieved through the new REST API endpoints:
+  - `POST /api/v1/tags/:id/feature`: https://docs.joinmastodon.org/methods/tags/#feature
+  - `POST /api/v1/tags/:id/unfeature`: https://docs.joinmastodon.org/methods/tags/#unfeature
+- Add reminder when about to post without alt text in web UI (#33760 and #33784 by @Gargron)
+- Add a warning in Web UI when composing a post when the selected and detected language are different (#33042, #33683, #33700, #33724, #33770, and #34193 by @ClearlyClaire and @Gargron)
+- Add support for verifying and displaying remote quote posts (#34370, #34481, #34510, #34551, #34480, #34479, #34553, #34584, #34623, #34738, #34766, #34770, #34772, #34773, #34786, #34790, #34864, #34957, #34961, #35016, #35022, #35036, #34946, #34945 and #34958 by @ClearlyClaire and @diondiondion)\
+  Support for verifying remote quotes according to [FEP-044f](https://codeberg.org/fediverse/fep/src/branch/main/fep/044f/fep-044f.md) and displaying them in the Web UI has been implemented.\
+  Quoting other people is not implemented yet, and it is currently not possible to mark your own posts as allowing quotes. However, a new “Who can quote” setting has been added to the “Posting defaults” section of the user settings. This setting allows you to set a default that will be used for new posts made on Mastodon 4.5 and newer, when quote posts will be fully implemented.\
+  In the REST API, quote posts are represented by a new `quote` attribute on `Status` and `StatusEdit` entities: https://docs.joinmastodon.org/entities/StatusEdit/#quote https://docs.joinmastodon.org/entities/Status/#quote
+- Add ability to reorder and translate server rules (#34637, #34737, #34494, #34756, #34820, #34997, #35170, #35174 and #35174 by @ChaosExAnima and @ClearlyClaire)\
+  Rules are now shown in the user’s language, if a translation has been set.\
+  In the REST API, `Rule` entities now have a new `translations` attribute: https://docs.joinmastodon.org/entities/Rule/#translations
+- Add emoji from Twemoji 15.1.0, including in the emoji picker/completion (#33395, #34321, #34620, and #34677 by @ChaosExAnima, @ClearlyClaire, @TheEssem, and @eramdam)
+- Add option to remove account from followers in web UI (#34488 by @Gargron)
+- Add relationship tags to profiles and hover cards in web UI (#34467 and #34792 by @Gargron and @diondiondion)
+- Add ability to open posts in a new tab by middle-clicking in web UI (#32988, #33106, #33419, and #34700 by @ClearlyClaire, @Gargron, and @tribela)
+- Add new filter action to blur media (#34256 by @ClearlyClaire)\
+  In the REST API, this adds a new possible value of `blur` to the `filter_action` attribute: https://docs.joinmastodon.org/entities/Filter/#filter_action
+- Add dropdown menu to hashtag links in web UI (#34393 by @Gargron)
+- **Add server setting to allow referrer** (#33214, #33239, #33903, and #34731 by @ChaosExAnima, @ClearlyClaire, @Gargron, and @renchap)\
+  In order to protect the privacy of users of small or thematic servers, Mastodon previously avoided transmitting referrer information when clicking outside links, which unfortunately made Mastodon completely invisible to other websites, even though the privacy implications on large generic servers are very limited.\
+  Server administrators can now chose to opt in to transmit referrer information when following an external link. Only the domain name is transmitted, not the referrer path.
+- Add double tap to zoom and swipe to dismiss to media modal in web UI (#34210 by @Gargron)
+- Add link from Web UI for Hashtags to the Moderation UI (#31448 by @ThisIsMissEm)
+- **Add terms of service** (#33055, #33233, #33230, #33703, #33699, #33994, #33993, #34105, #34122, #34200, #34527, #35053, #35115, #35126, #35127 and #35233 by @ClearlyClaire, @Gargron, @mjankowski, and @oneiros)\
+  Server administrators can now fill in Terms of Service and notify their users of upcoming changes.
+- Add optional bulk mailer settings (#35191 and #35203 by @oneiros)\
+  This adds the optional environment variables `BULK_SMTP_PORT`, `BULK_SMTP_SERVER`, `BULK_SMTP_LOGIN` and so on analogous to `SMTP_PORT`, `SMTP_SERVER`, `SMTP_LOGIN` and related SMTP configuration environment variables.\
+  When `BULK_SMTP_SERVER` is set, this group of variables is used instead of the regular ones for sending announcement notification emails and Terms of Service notification emails.
+- **Add age verification on sign-up** (#34150, #34663, and #34636 by @ClearlyClaire and @Gargron)\
+  Server administrators now have a setting to set a minimum age requirement for creating a new server, asking users for their date of birth. The date of birth is checked against the minimum age requirement server-side but not stored.\
+  The following REST API changes have been made to accommodate this:
+  - `registrations.min_age` has been added to the `Instance` entity: https://docs.joinmastodon.org/entities/Instance/#registrations-min_age
+  - the `date_of_birth` parameter has been added to the account creation API: https://docs.joinmastodon.org/methods/accounts/#create
+- Add ability to dismiss alt text badge by tapping it in web UI (#33737 by @Gargron)
+- Add loading indicator to timeline gap indicators in web UI (#33762 by @Gargron)
+- Add interaction modal when trying to interact with a poll while logged out (#32609 by @ThisIsMissEm)
+- **Add experimental FASP support** (#34031, #34415, #34765, #34965, #34964, #34033, #35218, #35262 and #35263 by @oneiros)\
+  This is a first step towards supporting “Fediverse Auxiliary Service Providers” (https://github.com/mastodon/fediverse_auxiliary_service_provider_specifications). This is mostly interesting to developers who would like to implement their own FASP, but also includes the capability to share data with a discovery provider (see https://www.fediscovery.org).
+- Add ability for admins to send announcements to all users via email (#33928 and #34411 by @ClearlyClaire)\
+  This is meant for critical announcements only, as this will potentially send a lot of emails and cannot be opted out of by users.
+- Add Server Moderation Notes (#31529 by @ThisIsMissEm)
+- Add loading spinner to “Post” button when sending a post (#35153 by @diondiondion)
+- Add option to use system scrollbar styling (#32117 by @vmstan)
+- Add hover cards to follow suggestions (#33749 by @ClearlyClaire)
+- Add `t` hotkey for post translations (#33441 by @ClearlyClaire)
+- Add timestamp to all announcements in Web UI (#18329 by @ClearlyClaire)
+- Add dropdown menu with quick actions to lists of accounts in web UI (#34391, #34709, and #34767 by @Gargron, @diondiondion, and @mkljczk)
+- Add support for displaying “year in review” notification in web UI (#32710, #32765, #32709, #32807, #32914, #33148, and #33882 by @Gargron and @mjankowski)\
+  Note that the notification is currently not generated automatically, and at the moment requires a manual undocumented administrator action.
+- Add experimental support for receiving HTTP Message Signatures (RFC9421) (#34814, #35033, #35109 and #35278 by @oneiros)\
+  For now, this needs to be explicitly enabled through the `http_message_signatures` feature flag (`EXPERIMENTAL_FEATURES=http_message_signatures`). This currently only covers verifying such signatures (inbound HTTP requests), not issuing them (outbound HTTP requests).
+- Add experimental Async Refreshes API (#34918 by @oneiros)
+- Add experimental server-side feature to fetch remote replies (#32615, #34147, #34149, #34151, #34615, #34682, and #34702 by @ClearlyClaire and @sneakers-the-rat)\
+  This experimental feature causes the server to recursively fetch replies in background tasks whenever a user opens a remote post. This happens asynchronously and the client is currently not notified of the existence of new replies, which will thus only be displayed the next time this post’s context gets requested.\
+  This feature needs to be explicitly enabled server-side by setting `FETCH_REPLIES_ENABLED` environment variable to `true`.
+- Add simple feature flag system through the `EXPERIMENTAL_FEATURES` environment variable (#34038 and #34124 by @oneiros)\
+  This allows enabling comma-separated feature flags for experimental features.\
+  The current supported feature flags are `inbound_quotes`, `fasp` and `http_message_signatures`.
+- Add `dev:populate_sample_data` rake task to populate test data (#34676, #34733, #34771, #34787, and #34791 by @ClearlyClaire and @diondiondion)
+- Add support for displaying fallback representation when receiving MathML (#27107 by @4e554c4c)
+- Add warning for Elasticsearch index analyzers mismatch (#34515 and #34567 by @ClearlyClaire and @Gargron)
+- Add `-only-mapping` option to `tootctl search deploy` (#34466 and #34566 by @Gargron)
+- Add server-side support for grouping account sign-up notifications (#34298 by @ClearlyClaire)
+- Add `registrations.reason_required` attribute to `/api/v2/instance` response (#34280 by @ClearlyClaire)\
+  This is documented at https://docs.joinmastodon.org/entities/Instance/#registrations-reason_required
+- Add `EXTRA_MEDIA_HOSTS` environment variable to add extra hosts to Content-Security-Policy (#34184 by @shleeable)
+- Add `Deprecation` headers on deprecated API endpoints (#34262 and #34397 by @ClearlyClaire)\
+  This is documented at https://docs.joinmastodon.org/api/guidelines/#deprecations
+- Add `about`, `privacy_policy` and `terms_of_service` URLs to `/api/v2/instance` (#33849 by @ClearlyClaire)
+- Add API to delete media attachments that are not in use (#33991 and #34035 by @ClearlyClaire and @ThisIsMissEm)\
+  `DELETE /api/v1/media/:id`: https://docs.joinmastodon.org/methods/media/#delete
+- Add optional `delete_media` parameter to `DELETE /api/v1/statuses/:id` (#33988 by @ClearlyClaire)\
+  This is documented at https://docs.joinmastodon.org/methods/statuses/#delete
+- Add `og:locale` to expose status language in OpenGraph previews (#34012 by @ThisIsMissEm)
+- Add `-skip-filled-timeline` option to `tootctl feed build` to skip half-filled feeds (#33844 by @ClearlyClaire)
+- Add support for changing the base Docker registry with the `BASE_REGISTRY` `ARG` (#33712 by @wolfspyre)
+- Add an optional metric exporter (#33734, #33840, #34172, #34192, #34223, and #35005 by @oneiros and @renchap)\
+  Optionally enable the `prometheus_exporter` ruby gem (see https://github.com/discourse/prometheus_exporter) to collect and expose metrics. See the documentation for all the details: https://docs.joinmastodon.org/admin/config/#prometheus
+- Add `attribution_domains` attribute to `PATCH /api/v1/accounts/update_credentials` (#32730 by @c960657)\
+  This is documented at https://docs.joinmastodon.org/methods/accounts/#update_credentials
+- Add support for standard WebPush in addition to previous draft (#33572, #33528, and #33587 by @ClearlyClaire and @p1gp1g)
+- Add support for Active Record query log tags (#33342 by @renchap)
+- Add OTel trace & span IDs to logs (#33339 and #33362 by @renchap)
+- Add missing `on_delete: :cascade` foreign keys option to various database columns (#33175 by @mjankowski)
+- Add explicit migration breakpoints (#33089 by @ClearlyClaire)
+- Add rel alternate rss/json links to pages for tags (#33179 by @mjankowski)
+- Add media attachment description limit to instance API response (#33153 by @mjankowski)\
+  This adds the `configuration.media_attachments.description_limit` attribute to the `Instance` entity, documented at https://docs.joinmastodon.org/entities/Instance/#description_limit
+- Add `maxlength` to registration reason input (#33162 by @mjankowski)
+- Add `REPLICA_PREPARED_STATEMENTS` and `REPLICA_DB_TASKS` environment variables (#32908 by @shleeable)\
+  See documentation at https://docs.joinmastodon.org/admin/scaling/#read-replicas
+- Add a range of reserved usernames to reduce potential misuse by malicious actors (#32828 by @jmking-iftas)
+- Add operations on relays to the admin audit log (#32819 by @ThisIsMissEm)
+- Add userinfo OAuth endpoint (#32548 by @ThisIsMissEm)
+- Add the standard VCS attributes to OpenTelemetry spans (#32904 by @renchap)
+- Add endpoint to remove web push subscription (#32626 by @oneiros)\
+  Mastodon now sets a new `Unsubscribe-URL` request header when performing WebPush requests. This URL can be used by the WebPush server to disable the WebPush subscription on Mastodon’s side in case of unfixable errors.
+- Add missing content warning text to RSS feeds (#32406 by @mjankowski)
+- Add Swiss German to languages dropdown (#29281 by @FlohEinstein)
+
+### Changed
+
+- Change design of navigation panel in Web UI, change layout on narrow screens (#34910, #34987, #35017, #34986, #35029, #35065, #35067, #35072, #35074, #35075, #35101, #35173, #35183, #35193 and #35225 by @ClearlyClaire, @Gargron, and @diondiondion)
+- Change design of lists in web UI (#32881, #33054, and #33036 by @Gargron)
+- Change design of edit media modal in web UI (#33516, #33702, #33725, #33725, #33771, and #34345 by @Gargron)
+- Change design of audio player in web UI (#34520, #34740, #34865, #34929, #34933, and #35034 by @ClearlyClaire, @Gargron, and @diondiondion)
+- Change design of interaction modal in web UI (#33278 by @Gargron)
+- Change list timelines to reflect added and removed users retroactively (#32930 by @Gargron)
+- Change account search to be more forgiving of spaces (#34455 by @Gargron)
+- Change unfollow button label from “Mutual” to “Unfollow” in web UI (#34392 by @Gargron)
+- Change “Specific people” to “Private mention” in menu in web UI (#33963 by @Gargron)
+- Change "Explore" to "Trending" and remove explanation banners (#34985 by @Gargron)
+- Change media attachments of moderated posts to not be accessible (#34872 by @Gargron)
+  Moderators will still be able to access them while they are kept, but they won't be accessible to the public in the meantime.
+- Change language names in compose box language picker to be localized (#33402 by @c960657)
+- Change onboarding flow in web UI (#32998, #33119, #33471 and #34962 by @ClearlyClaire and @Gargron)
+- Change Advanced Web UI to use the new main menu instead of the “Getting started” column (#35117 by @diondiondion)
+- Change emoji categories in admin interface to be ordered by name (#33630 by @ShadowJonathan)
+- Change design of rich text elements in web UI (#32633 by @Gargron)
+- Change wording of “single choice” to “pick one” in poll authoring form (#32397 by @ThisIsMissEm)
+- Change returned favorite and boost counts to use those provided by the remote server, if available (#32620, #34594, #34618, and #34619 by @ClearlyClaire and @sneakers-the-rat)
+- Change label of favourite notifications on private mentions (#31659 by @ClearlyClaire)
+- Change wording of "discard draft?" confirmation dialogs (#35192 by @diondiondion)
+- Change `libvips` to be enabled by default in place of ImageMagick (#34741 and #34753 by @ClearlyClaire and @diondiondion)
+- Change avatar and header size limits from 2MB to 8MB when using libvips (#33002 by @Gargron)
+- Change search to use query params in web UI (#32949 and #33670 by @ClearlyClaire and @Gargron)
+- Change build system from Webpack to Vite (#34454, #34450, #34758, #34768, #34813, #34808, #34837, #34732, #35007, #35035 and #35177 by @ChaosExAnima, @ClearlyClaire, @mjankowski, and @renchap)
+- Change account creation API to forbid creation from user tokens (#34828 by @ThisIsMissEm)
+- Change `/api/v2/instance` to be enabled without authentication when limited federation mode is enabled (#34576 by @ClearlyClaire)
+- Change `DEFAULT_LOCALE` to not override unauthenticated users’ browser language (#34535 by @ClearlyClaire)\
+  If you want to preserve the old behavior, you can add `FORCE_DEFAULT_LOCALE=true`.
+- Change size of profile picture on profile page from 90px to 92px (#34807 by @larouxn)
+- Change passthrough video processing to emit `moov` atom at start of video (#34726 by @ClearlyClaire)
+- Change kerning to be disabled for Japanese text to preserve monospaced alignment for readability (#34448 by @nagutabby)
+- Change error handling of various endpoints to return 422 instead of 500 on invalid parameters (#29308, #34434, and #34452 by @danielmbrasil and @mjankowski)
+- Change Web UI to use `<time>` tags for various timestamps (#34131 by @scarf005)
+- Change devcontainer to be accessible from local network (#34269 by @ChaosExAnima)
+- Change video transcoding code to skip re-encoding yuvj420p videos (#34098 by @rinsuki)
+- Change web client settings to be saved earlier and more often (#34074 by @ClearlyClaire)
+- Change test coverage report generation to be disabled by default, with opt-in through the `COVERAGE` environment variable (#33824 by @mjankowski)
+- Change devcontainer to store bootsnap cache outside of bind mounts (#33677 by @c960657)
+- Change error handling in the `mastodon:setup` rake task to summarize encountered errors at the end (#33603 by @mjankowski)
+- Change tooltip of some moderation interface timestamps to include time in addition to date (#33191 by @ThisIsMissEm)
+- Change organization and wording of `README.md`, `CONTRIBUTING.md` and `DEVELOPMENT.md` (#32143, #33328, #33517, #33637, #33728, #34675, and #34761 by @Lamparter, @andypiper, @diondiondion, @larouxn, @mikkelricky, and @mjankowski)
+- Change custom CSS to be cached for longer and invalidated based on its contents (#33207 and #33583 by @mjankowski and @tribela)
+- Change `tootctl maintenance fix-duplicates` to disable database statement timeouts (#33484 by @mjankowski)
+- Change some icons in settings sidebar to avoid “double icon” near each other (#33449 by @mjankowski)
+- Change animation on feed generation screen in web UI (#33311 by @Gargron)
+- Change OTel instrumentation to not start traces with Redis spans (#33090 by @robbkidd)
+- Change new post delivery to skip suspended followers (#27509 and #33030 by @ClearlyClaire and @oneiros)
+- Change URL truncation to account for ellipses (#33229 by @FND)
+- Change ability to navigate of unconfirmed users (#33209 by @Gargron)
+- Change hashtag trends to be stored in the database instead of redis (#32837, #33189, and #34016 by @Gargron and @onekopaka)
+- Change “social web” to “fediverse” in a few banners in web UI (#33101 by @Gargron)
+- Change server rules to be collapsible (#33039 by @Gargron)
+- Change design of modal loading and error screens in web UI (#33092 by @Gargron)
+- Change error messages to be more accurate when failing to add an account to a list (#33082 by @Gargron)
+- Change timezone picker in the default settings to show the default timezone (#31803 by @c960657)
+- Change `tootctl accounts modify --disable-2fa` to remove webauthn credentials (#29883 by @mszpro)
+- Change preview card processing to be more liberal in what it accepts (#31357 by @c960657)
+- Change scheduled statuses to be discarded if the author’s account is frozen (#30729 by @PauloVilarinho)
+- Change display of statuses in admin panel (#30813 by @ThisIsMissEm)
+- Change parsing of `ALLOWED_PRIVATE_ADDRESSES` to happen at startup (#32850 by @ClearlyClaire)
+- Change WebPush delivery to skip notifications older than 2 days old (#32842 by @ThisIsMissEm)
+- Change PWA manifest to prefer official mobile apps (#27254 by @jake-anto)
+
+### Removed
+
+- **Remove support for Redis namespaces** (#34664 and #34665 by @ClearlyClaire)\
+  See https://github.com/mastodon/redis_namespace_migration
+- Remove support for imports started on pre-4.2.0 Mastodon versions (#34371 by @mjankowski)
+- Remove support for PostgreSQL 12 and earlier (#34744 by @ClearlyClaire)
+- Remove support for Node.JS < 20 (#34390 by @renchap)
+- Remove support for Redis < 6.2 (#30413 by @ClearlyClaire)
+- Remove support for Ruby 3.1 (#32363 by @mjankowski)
+- Remove support for OAuth Password Grant Type (#30960 by @ThisIsMissEm)\
+  https://docs.joinmastodon.org/spec/oauth/#token
+- Remove `OTP_SECRET` environment variable and legacy OTP code (#34743, #34757, #34748, and #34810 by @ClearlyClaire and @mjankowski)\
+  This breaks zero-downtime migrations from versions earlier than 4.3.0.
+- Remove broken support for HTTP Basic Authentication (#34501 by @ThisIsMissEm)
+- Remove system tooltip for alt text in web UI (#33736 by @Gargron)
+- Remove `thing_type` and `thing_id` columns from settings table (#31971 and #33196 by @ClearlyClaire and @mjankowski)
+- Remove redundant temporary index creation in `tootctl status remove` (#33023 by @ClearlyClaire)
+- Remove duplicate indexes from database (#32454 by @mjankowski)
+- Remove redundant title attribute in column links (#32258 by @c960657)
+
+### Fixed
+
+- Fix remote suspension of a user causing local instance to remove remote follows (#27588 by @ShadowJonathan)
+- Fix blocked accounts not being automatically removed from trending statuses (#34891 by @ClearlyClaire)
+- Fix nested buttons in search popout in web UI (#34871 by @Gargron)
+- Fix not being able to scroll dropdown on touch devices in web UI (#34873 by @Gargron)
+- Fix inconsistent filtering of silenced accounts for other silenced accounts (#34863 by @ClearlyClaire)
+- Fix update checker listing updates older or equal to current running version (#33906 by @ClearlyClaire)
+- Fix clicking a status multiple times causing duplicate entries in browser history (#35118 by @ClearlyClaire)
+- Fix “Alt text” button submitting form in moderation interface (#35147 by @ClearlyClaire)
+- Fix Firefox sometimes not updating spellcheck language in textarea (#35148 by @ClearlyClaire)
+- Fix `NoMethodError` in edge case of emoji cache handling (#34749 by @dariusk)
+- Fix handling of inlined `featured` collections in ActivityPub actor objects (#34789 and #34811 by @ClearlyClaire)
+- Fix long link names in admin sidebar being truncated (#34727 by @diondiondion)
+- Fix admin dashboard crash on specific Elasticsearch connection errors (#34683 by @ClearlyClaire)
+- Fix OIDC account creation failing for long display names (#34639 by @defnull)
+- Fix use of the deprecated `/api/v1/instance` endpoint in the moderation interface (#34613 by @renchap)
+- Fix inaccessible “Clear search” button (#35152 and #35281 by @diondiondion)
+- Fix search operators sometimes getting lost (#35190 by @ClearlyClaire)
+- Fix directory scroll position reset (#34560 by @przucidlo)
+- Fix needlessly complex SVG paths for oEmbed and logo (#34538 by @edent)
+- Fix avatar sizing with long account name in some UI elements (#34514 by @gomasy)
+- Fix empty menu section in status dropdown (#34431 by @ClearlyClaire)
+- Fix the delete suggestion button not working (#34396 and #34398 by @ClearlyClaire and @renchap)
+- Fix popover/dialog backgrounds not being blurred on older Webkit browsers (#35220 by @diondiondion)
+- Fix radio buttons not always being correctly centered (#34389 by @ChaosExAnima)
+- Fix visual glitches with adding post filters (#34387 by @ChaosExAnima)
+- Fix bugs with upload progress (#34325 by @ChaosExAnima)
+- Fix being unable to hide controls in full screen video in web UI (#34308 by @Gargron)
+- Fix extra space under left-indented vertical videos (#34313 by @ClearlyClaire)
+- Fix glitchy iOS media attachment drag interactions (#35057 by @diondiondion)
+- Fix zoomed images being blurry in Safari (#35052 by @diondiondion)
+- Fix redundant focus stop within status component in Web UI and make focus style more noticeable (#35037, #35051, #35096, #35150 and #35251 by @diondiondion)
+- Fix digits in media player time readout not having a consistent width (#35038 by @diondiondion)
+- Fix wrong text color for “Open in advanced web interface” banner in high-contrast theme (#35032 by @diondiondion)
+- Fix hover card for limited accounts not hiding information as expected (#35024 by @diondiondion)
+- Fix some animations not respecting the reduced animation preferences (#35018 by @ChaosExAnima)
+- Fix direction of media gallery arrows in RTL locales (#35014 by @diondiondion)
+- Fix cramped layout of follower recommendations on small viewports (#34967 and #35023 by @diondiondion)
+- Fix two composers being shown at the same time in some cases (#35006 by @ChaosExAnima)
+- Fix handling of remote attachments with multiple media types (#34996 by @ClearlyClaire)
+- Fix broken colors in some themed SVGs in web UI (#34988 by @Gargron)
+- Fix wrong dimensions on blurhash previews of news articles in web UI (#34990 by @Gargron)
+- Fix wrong styles on action bar in media modal in web UI (#34989 by @Gargron)
+- Fix search column input not updating on param change (#34951 by @PGrayCS)
+- Fix account note textarea being interactable before the relationship gets fetched (#34932 by @ClearlyClaire)
+- Fix SASS deprecation notices (#34278 by @ChaosExAnima)
+- Fix display of failed-to-load image attachments in web UI (#34217 by @Gargron)
+- Fix duplicate REST API requests on submitting account personal note with ctrl+enter (#34213 by @ClearlyClaire)
+- Fix unnecessary rerenders in composer dropdown menu (#34133 by @ClearlyClaire)
+- Fix behavior of database schema loading with `SKIP_POST_DEPLOYMENT_MIGRATIONS` (#34089 by @ClearlyClaire)
+- Fix infinite scroll not working on profile media tab in web UI (#33860 and #34171 by @ClearlyClaire and @Gargron)
+- Fix minor inefficiencies in domain suspension code (#33897 by @larouxn)
+- Fix potential inefficiency in media privacy system check (#33858 by @ClearlyClaire)
+- Fix public timeline inefficiency by adding the `language` column to the public timelines index (#33779 by @ClearlyClaire)
+- Fix re-encoding of high-framerate VFR videos with FFmpeg 6+ (#33634 by @ClearlyClaire)
+- Fix error when processing invalid `Announce` activity with missing object (#33570 by @ShadowJonathan)
+- Fix color contrast in report modal (#33468 by @ClearlyClaire)
+- Fix error 500 when passing an invalid `lang` parameter (#33467 by @ClearlyClaire)
+- Fix `/share` not using server-set characters limit (#33459 by @kescherCode)
+- Fix audio player modal having white-on-white buttons in light theme (#33444 by @ClearlyClaire)
+- Fix favorite & bookmark text toggle in timeline, status and image view (#27209 by @gunchleoc)
+- Fix Web UI erroneously stopping to offer expanding search results after second page (#33428 by @ClearlyClaire)
+- Fix missing value limits for `UserRole` position (#33172 and #33349 by @mjankowski)
+- Fix clicking on a profile mention while logged out potentially leading to incorrect account (#33324 by @ClearlyClaire)
+- Fix missing `NOT NULL` constraints on various database columns (#33244, #33284, #33308, #33330, #33374, and #34498 by @ClearlyClaire and @mjankowski)
+- Fix long account username overflowing on profiles (#33286 by @mjankowski)
+- Fix Vagrant failure to sync dangling symlinks (#28101 by @filippog)
+- Fix Chromium showing scrollbar on embedded posts (#33237 by @ClearlyClaire)
+- Fix missing top border on Admin Hashtags UI (#31443 by @ThisIsMissEm)
+- Fix design of search bar on explore screen in light theme in web UI (#33224 by @Gargron)
+- Fix various visual sign-up flow issues (#33206 by @Gargron)
+- Fix support of bidi text in account profiles (#33088 by @mokazemi)
+- Fix wording of the error returned when scheduling a status too soon (#33156 by @mjankowski)
+- Fix `inbox_url` presence on Relay not being validated (#32364 by @mjankowski)
+- Fix ability to include multiple copies of `embed.js` (#33107 by @YKWeyer)
+- Fix `rel="me"` check being case-sensitive (#32238 by @c960657)
+- Fix wrong video dimensions for some rotated videos (#33008 and #33261 by @Gargron and @tribela)
+- Fix error when viewing statuses to deleted replies in moderation view (#32986 by @ClearlyClaire)
+- Fix missing autofocus on boost modal (#32953 by @tribela)
+- Fix logic in “last used at per application” OAuth token list (#32912 by @mjankowski)
+- Fix admin dashboard linking to pages the user does not have permission to see (#32843 by @ThisIsMissEm)
+- Fix backspace navigation hotkey going back two pages instead of one on some browsers (#32826 by @c960657)
+- Fix typo in translation string (#32821 by @ThisIsMissEm)
+- Fix list of follow requests not having a back button (#32797 by @ClearlyClaire)
+- Fix out-of-view post contents being inconsistent with in-view post contents (#32778, #32887, and #32895 by @ClearlyClaire)
+- Fix `httplog` gem being used in production (#32776 and #32796 by @ClearlyClaire and @oneiros)
+- Fix use of deprecated `execCommand` for copying text by using the `clipboard` API (#32598 by @renchap)
+- Fix some translation strings not being properly pluralized (#27094 by @gunchleoc)
+
+## [4.3.8] - 2025-05-06
+
+### Security
+
+- Update dependencies
+- Check scheme on account, profile, and media URLs ([GHSA-x2rc-v5wx-g3m5](https://github.com/mastodon/mastodon/security/advisories/GHSA-x2rc-v5wx-g3m5))
+
+### Added
+
+- Add warning for REDIS_NAMESPACE deprecation at startup (#34581 by @ClearlyClaire)
+- Add built-in context for interaction policies (#34574 by @ClearlyClaire)
+
+### Changed
+
+- Change activity distribution error handling to skip retrying for deleted accounts (#33617 by @ClearlyClaire)
+
+### Removed
+
+- Remove double-query for signed query strings (#34610 by @ClearlyClaire)
+
+### Fixed
+
+- Fix incorrect redirect in response to unauthenticated API requests in limited federation mode (#34549 by @ClearlyClaire)
+- Fix sign-up e-mail confirmation page reloading on error or redirect (#34548 by @ClearlyClaire)
+
+## [4.3.7] - 2025-04-02
+
+### Added
+
+- Add delay to profile updates to debounce them (#34137 by @ClearlyClaire)
+- Add support for paginating partial collections in `SynchronizeFollowersService` (#34272 and #34277 by @ClearlyClaire)
+
+### Changed
+
+- Change account suspensions to be federated to recently-followed accounts as well (#34294 by @ClearlyClaire)
+- Change `AccountReachFinder` to consider statuses based on suspension date (#32805 and #34291 by @ClearlyClaire and @mjankowski)
+- Change user archive signed URL TTL from 10 seconds to 1 hour (#34254 by @ClearlyClaire)
+
+### Fixed
+
+- Fix static version of animated PNG emojis not being properly extracted (#34337 by @ClearlyClaire)
+- Fix filters not applying in detailed view, favourites and bookmarks (#34259 and #34260 by @ClearlyClaire)
+- Fix handling of malformed/unusual HTML (#34201 by @ClearlyClaire)
+- Fix `CacheBuster` being queued for missing media attachments (#34253 by @ClearlyClaire)
+- Fix incorrect URL being used when cache busting (#34189 by @ClearlyClaire)
+- Fix streaming server refusing unix socket path in `DATABASE_URL` (#34091 by @ClearlyClaire)
+- Fix “x” hotkey not working on boosted filtered posts (#33758 by @ClearlyClaire)
+
+## [4.3.6] - 2025-03-13
+
+### Security
+
+- Update dependency `omniauth-saml`
+- Update dependency `rack`
+
+### Fixed
+
+- Fix Stoplight errors when using `REDIS_NAMESPACE` (#34126 by @ClearlyClaire)
+
+## [4.3.5] - 2025-03-10
+
+### Changed
+
+- Change hashtag suggestion to prefer personal history capitalization (#34070 by @ClearlyClaire)
+
+### Fixed
+
+- Fix processing errors for some HEIF images from iOS 18 (#34086 by @renchap)
+- Fix streaming server not filtering unknown-language posts from public timelines (#33774 by @ClearlyClaire)
+- Fix preview cards under Content Warnings not being shown in detailed statuses (#34068 by @ClearlyClaire)
+- Fix username and display name being hidden on narrow screens in moderation interface (#33064 by @ClearlyClaire)
+
+## [4.3.4] - 2025-02-27
+
+### Security
+
+- Update dependencies
+- Change HTML sanitization to remove unusable and unused `embed` tag (#34021 by @ClearlyClaire, [GHSA-mq2m-hr29-8gqf](https://github.com/mastodon/mastodon/security/advisories/GHSA-mq2m-hr29-8gqf))
+- Fix rate-limit on sign-up email verification ([GHSA-v39f-c9jj-8w7h](https://github.com/mastodon/mastodon/security/advisories/GHSA-v39f-c9jj-8w7h))
+- Fix improper disclosure of domain blocks to unverified users ([GHSA-94h4-fj37-c825](https://github.com/mastodon/mastodon/security/advisories/GHSA-94h4-fj37-c825))
+
+### Changed
+
+- Change preview cards to be shown when Content Warnings are expanded (#33827 by @ClearlyClaire)
+- Change warnings against changing encryption secrets to be even more noticeable (#33631 by @ClearlyClaire)
+- Change `mastodon:setup` to prevent overwriting already-configured servers (#33603, #33616, and #33684 by @ClearlyClaire and @mjankowski)
+- Change notifications from moderators to not be filtered (#32974 and #33654 by @ClearlyClaire and @mjankowski)
+
+### Fixed
+
+- Fix `GET /api/v2/notifications/:id` and `POST /api/v2/notifications/:id/dismiss` for ungrouped notifications (#33990 by @ClearlyClaire)
+- Fix issue with some versions of libvips on some systems (#33853 by @kleisauke)
+- Fix handling of duplicate mentions in incoming status `Update` (#33911 by @ClearlyClaire)
+- Fix inefficiencies in timeline generation (#33839 and #33842 by @ClearlyClaire)
+- Fix emoji rewrite adding unnecessary curft to the DOM for most emoji (#33818 by @ClearlyClaire)
+- Fix `tootctl feeds build` not building list timelines (#33783 by @ClearlyClaire)
+- Fix flaky test in `/api/v2/notifications` tests (#33773 by @ClearlyClaire)
+- Fix incorrect signature after HTTP redirect (#33757 and #33769 by @ClearlyClaire)
+- Fix polls not being validated on edition (#33755 by @ClearlyClaire)
+- Fix media preview height in compose form when 3 or more images are attached (#33571 by @ClearlyClaire)
+- Fix preview card sizing in “Author attribution” in profile settings (#33482 by @ClearlyClaire)
+- Fix processing of incoming notifications for unfilterable types (#33429 by @ClearlyClaire)
+- Fix featured tags for remote accounts not being kept up to date (#33372, #33406, and #33425 by @ClearlyClaire and @mjankowski)
+- Fix notification polling showing a loading bar in web UI (#32960 by @Gargron)
+- Fix accounts table long display name (#29316 by @WebCoder49)
+- Fix exclusive lists interfering with notifications (#28162 by @ShadowJonathan)
+
+## [4.3.3] - 2025-01-16
+
+### Security
+
+- Fix insufficient validation of account URIs ([GHSA-5wxh-3p65-r4g6](https://github.com/mastodon/mastodon/security/advisories/GHSA-5wxh-3p65-r4g6))
+- Update dependencies
+
+### Fixed
+
+- Fix `libyaml` missing from `Dockerfile` build stage (#33591 by @vmstan)
+- Fix incorrect notification settings migration for non-followers (#33348 by @ClearlyClaire)
+- Fix down clause for notification policy v2 migrations (#33340 by @jesseplusplus)
+- Fix error decrementing status count when `FeaturedTags#last_status_at` is `nil` (#33320 by @ClearlyClaire)
+- Fix last paginated notification group only including data on a single notification (#33271 by @ClearlyClaire)
+- Fix processing of mentions for post edits with an existing corresponding silent mention (#33227 by @ClearlyClaire)
+- Fix deletion of unconfirmed users with Webauthn set (#33186 by @ClearlyClaire)
+- Fix empty authors preview card serialization (#33151, #33466 by @mjankowski and @ClearlyClaire)
+
+## [4.3.2] - 2024-12-03
+
+### Added
+
+- Add `tootctl feeds vacuum` (#33065 by @ClearlyClaire)
+- Add error message when user tries to follow their own account (#31910 by @lenikadali)
+- Add client_secret_expires_at to OAuth Applications (#30317 by @ThisIsMissEm)
+
+### Changed
+
+- Change design of Content Warnings and filters (#32543 by @ClearlyClaire)
+
+### Fixed
+
+- Fix processing incoming post edits with mentions to unresolvable accounts (#33129 by @ClearlyClaire)
+- Fix error when including multiple instances of `embed.js` (#33107 by @YKWeyer)
+- Fix inactive users' timelines being backfilled on follow and unsuspend (#33094 by @ClearlyClaire)
+- Fix direct inbox delivery pushing posts into inactive followers' timelines (#33067 by @ClearlyClaire)
+- Fix `TagFollow` records not being correctly handled in account operations (#33063 by @ClearlyClaire)
+- Fix pushing hashtag-followed posts to feeds of inactive users (#33018 by @Gargron)
+- Fix duplicate notifications in notification groups when using slow mode (#33014 by @ClearlyClaire)
+- Fix posts made in the future being allowed to trend (#32996 by @ClearlyClaire)
+- Fix uploading higher-than-wide GIF profile picture with libvips enabled (#32911 by @ClearlyClaire)
+- Fix domain attribution field having autocorrect and autocapitalize enabled (#32903 by @ClearlyClaire)
+- Fix titles being escaped twice (#32889 by @ClearlyClaire)
+- Fix list creation limit check (#32869 by @ClearlyClaire)
+- Fix error in `tootctl email_domain_blocks` when supplying `--with-dns-records` (#32863 by @mjankowski)
+- Fix `min_id` and `max_id` causing error in search API (#32857 by @Gargron)
+- Fix inefficiencies when processing removal of posts that use featured tags (#32787 by @ClearlyClaire)
+- Fix alt-text pop-in not using the translated description (#32766 by @ClearlyClaire)
+- Fix preview cards with long titles erroneously causing layout changes (#32678 by @ClearlyClaire)
+- Fix embed modal layout on mobile (#32641 by @DismalShadowX)
+- Fix and improve batch attachment deletion handling when using OpenStack Swift (#32637 by @hugogameiro)
+- Fix blocks not being applied on link timeline (#32625 by @tribela)
+- Fix follow counters being incorrectly changed (#32622 by @oneiros)
+- Fix 'unknown' media attachment type rendering (#32613 and #32713 by @ThisIsMissEm and @renatolond)
+- Fix tl language native name (#32606 by @seav)
+
+### Security
+
+- Update dependencies
+
+## [4.3.1] - 2024-10-21
+
+### Added
+
+- Add more explicit explanations about author attribution and `fediverse:creator` (#32383 by @ClearlyClaire)
+- Add ability to group follow notifications in WebUI, can be disabled in the column settings (#32520 by @renchap)
+- Add back a 6 hours mute duration option (#32522 by @renchap)
+- Add note about not changing ActiveRecord encryption secrets once they are set (#32413, #32476, #32512, and #32537 by @ClearlyClaire and @mjankowski)
+
+### Changed
+
+- Change translation feature to translate to selected regional variant (e.g. pt-BR) if available (#32428 by @c960657)
+
+### Removed
+
+- Remove ability to get embed code for remote posts (#32578 by @ClearlyClaire)\
+  Getting the embed code is only reliable for local posts.\
+  It never worked for non-Mastodon servers, and stopped working correctly with the changes made in 4.3.0.\
+  We have therefore decided to remove the menu entry while we investigate solutions.
+
+### Fixed
+
+- Fix follow recommendation moderation page default language when using regional variant (#32580 by @ClearlyClaire)
+- Fix column-settings spacing in local timeline in advanced view (#32567 by @lindwurm)
+- Fix broken i18n in text welcome mailer tags area (#32571 by @mjankowski)
+- Fix missing or incorrect cache-control headers for Streaming server (#32551 by @ThisIsMissEm)
+- Fix only the first paragraph being displayed in some notifications (#32348 by @ClearlyClaire)
+- Fix reblog icons on account media view (#32506 by @tribela)
+- Fix Content-Security-Policy not allowing OpenStack SWIFT object storage URI (#32439 by @kenkiku1021)
+- Fix back arrow pointing to the incorrect direction in RTL languages (#32485 by @renchap)
+- Fix streaming server using `REDIS_USERNAME` instead of `REDIS_USER` (#32493 by @ThisIsMissEm)
+- Fix follow recommendation carrousel scrolling on RTL layouts (#32462 and #32505 by @ClearlyClaire)
+- Fix follow recommendation suppressions not applying immediately (#32392 by @ClearlyClaire)
+- Fix language of push notifications (#32415 by @ClearlyClaire)
+- Fix mute duration not being shown in list of muted accounts in web UI (#32388 by @ClearlyClaire)
+- Fix “Mark every notification as read” not updating the read marker if scrolled down (#32385 by @ClearlyClaire)
+- Fix “Mention” appearing for otherwise filtered posts (#32356 by @ClearlyClaire)
+- Fix notification requests from suspended accounts still being listed (#32354 by @ClearlyClaire)
+- Fix list edition modal styling (#32358 and #32367 by @ClearlyClaire and @vmstan)
+- Fix 4 columns barely not fitting on 1920px screen (#32361 by @ClearlyClaire)
+- Fix icon alignment in applications list (#32293 by @mjankowski)
+
+## [4.3.0] - 2024-10-08
 
 The following changelog entries focus on changes visible to users, administrators, client developers or federated software developers, but there has also been a lot of code modernization, refactoring, and tooling work, in particular by @mjankowski.
 
@@ -11,12 +589,12 @@ The following changelog entries focus on changes visible to users, administrator
 - **Add confirmation interstitial instead of silently redirecting logged-out visitors to remote resources** (#27792, #28902, and #30651 by @ClearlyClaire and @Gargron)\
   This fixes a longstanding open redirect in Mastodon, at the cost of added friction when local links to remote resources are shared.
 - Fix ReDoS vulnerability on some Ruby versions ([GHSA-jpxp-r43f-rhvx](https://github.com/mastodon/mastodon/security/advisories/GHSA-jpxp-r43f-rhvx))
-- Change `form-action` Content-Security-Policy directive to be more restrictive (#26897 by @ClearlyClaire)
+- Change `form-action` Content-Security-Policy directive to be more restrictive (#26897 and #32241 by @ClearlyClaire)
 - Update dependencies
 
 ### Added
 
-- **Add server-side notification grouping** (#29889, #30576, #30685, #30688, #30707, #30776, #30779, #30781, #30440, #31062, #31098, #31076, #31111, #31123, #31223, #31214, #31224, #31299, #31325, #31347, #31304, #31326, #31384, #31403, #31433, #31509, #31486, #31513, #31592, #31594, #31638, #31746, #31652, #31709, #31725, #31745, #31613, #31657, #31840, #31610, #31929, #32089 and #32085 by @ClearlyClaire, @Gargron, @mgmn, and @renchap)\
+- **Add server-side notification grouping** (#29889, #30576, #30685, #30688, #30707, #30776, #30779, #30781, #30440, #31062, #31098, #31076, #31111, #31123, #31223, #31214, #31224, #31299, #31325, #31347, #31304, #31326, #31384, #31403, #31433, #31509, #31486, #31513, #31592, #31594, #31638, #31746, #31652, #31709, #31725, #31745, #31613, #31657, #31840, #31610, #31929, #32089, #32085, #32243, #32179 and #32254 by @ClearlyClaire, @Gargron, @mgmn, and @renchap)\
   Group notifications of the same type for the same target, so that your notifications no longer get cluttered by boost and favorite notifications as soon as a couple of your posts get traction.\
   This is done server-side so that clients can efficiently get relevant groups without having to go through numerous pages of individual notifications.\
   As part of this, the visual design of the entire notifications feature has been revamped.\
@@ -26,14 +604,13 @@ The following changelog entries focus on changes visible to users, administrator
   - `GET /api/v2/notifications`: https://docs.joinmastodon.org/methods/grouped_notifications/#get-grouped
   - `GET /api/v2/notifications/:group_key`: https://docs.joinmastodon.org/methods/grouped_notifications/#get-notification-group
   - `GET /api/v2/notifications/:group_key/accounts`: https://docs.joinmastodon.org/methods/grouped_notifications/#get-group-accounts
-  - `POST /api/v2/notifications/:group_key/dimsiss`: https://docs.joinmastodon.org/methods/grouped_notifications/#dismiss-group
+  - `POST /api/v2/notifications/:group_key/dismiss`: https://docs.joinmastodon.org/methods/grouped_notifications/#dismiss-group
   - `GET /api/v2/notifications/:unread_count`: https://docs.joinmastodon.org/methods/grouped_notifications/#unread-group-count
-- **Add notification policies, filtered notifications and notification requests** (#29366, #29529, #29433, #29565, #29567, #29572, #29575, #29588, #29646, #29652, #29658, #29666, #29693, #29699, #29737, #29706, #29570, #29752, #29810, #29826, #30114, #30251, #30559, #29868, #31008, #31011, #30996, #31149, #31220, #31222, #31225, #31242, #31262, #31250, #31273, #31310, #31316, #31322, #31329, #31324, #31331, #31343, #31342, #31309, #31358, #31378, #31406, #31256, #31456, #31419, #31457, #31508, #31540, #31541, #31723 and #32062 by @ClearlyClaire, @Gargron, @TheEssem, @mgmn, @oneiros, and @renchap)\
+- **Add notification policies, filtered notifications and notification requests** (#29366, #29529, #29433, #29565, #29567, #29572, #29575, #29588, #29646, #29652, #29658, #29666, #29693, #29699, #29737, #29706, #29570, #29752, #29810, #29826, #30114, #30251, #30559, #29868, #31008, #31011, #30996, #31149, #31220, #31222, #31225, #31242, #31262, #31250, #31273, #31310, #31316, #31322, #31329, #31324, #31331, #31343, #31342, #31309, #31358, #31378, #31406, #31256, #31456, #31419, #31457, #31508, #31540, #31541, #31723, #32062 and #32281 by @ClearlyClaire, @Gargron, @TheEssem, @mgmn, @oneiros, and @renchap)\
   The old “Block notifications from non-followers”, “Block notifications from people you don't follow” and “Block direct messages from people you don't follow” notification settings have been replaced by a new set of settings found directly in the notification column.\
   You can now separately filter or drop notifications from people you don't follow, people who don't follow you, accounts created within the past 30 days, as well as unsolicited private mentions, and accounts limited by the moderation.\
   Instead of being outright dropped, notifications that you chose to filter are put in a separate “Filtered notifications” box that you can review separately without it clogging your main notifications.\
   This adds the following REST API endpoints:
-
   - `GET /api/v2/notifications/policy`: https://docs.joinmastodon.org/methods/notifications/#get-policy
   - `PATCH /api/v2/notifications/policy`: https://docs.joinmastodon.org/methods/notifications/#update-the-filtering-policy-for-notifications
   - `GET /api/v1/notifications/requests`: https://docs.joinmastodon.org/methods/notifications/#get-requests
@@ -45,13 +622,12 @@ The following changelog entries focus on changes visible to users, administrator
   - `GET /api/v1/notifications/requests/merged`: https://docs.joinmastodon.org/methods/notifications/#requests-merged
 
   In addition, accepting one or more notification requests generates a new streaming event:
-
   - `notifications_merged`: an event of this type indicates accepted notification requests have finished merging, and the notifications list should be refreshed
 
 - **Add notifications of severed relationships** (#27511, #29665, #29668, #29670, #29700, #29714, #29712, and #29731 by @ClearlyClaire and @Gargron)\
   Notify local users when they lose relationships as a result of a local moderator blocking a remote account or server, allowing the affected user to retrieve the list of broken relationships.\
   Note that this does not notify remote users.\
-  This adds the `severed_relationships` notification type to the REST API and streaming, with a new [`relationship_severance_event` attribute](https://docs.joinmastodon.org/entities/Notification/#relationship_severance_event).
+  This adds the `severed_relationships` notification type to the REST API and streaming, with a new [`event` attribute](https://docs.joinmastodon.org/entities/Notification/#relationship_severance_event).
 - **Add hover cards in web UI** (#30754, #30864, #30850, #30879, #30928, #30949, #30948, #30931, and #31300 by @ClearlyClaire, @Gargron, and @renchap)\
   Hovering over an avatar or username will now display a hover card with the first two lines of the user's description and their first two profile fields.\
   This can be disabled in the “Animations and accessibility” section of the preferences.
@@ -61,13 +637,13 @@ The following changelog entries focus on changes visible to users, administrator
 - **Add timeline of public posts about a trending link** (#30381 and #30840 by @Gargron)\
   You can now see public posts mentioning currently-trending articles from people who have opted into discovery features.\
   This adds a new REST API endpoint: https://docs.joinmastodon.org/methods/timelines/#link
-- **Add author highlight for news articles whose authors are on the fediverse** (#30398, #30670, #30521, #30846, #31819, and #31900 by @Gargron and @oneiros)\
+- **Add author highlight for news articles whose authors are on the fediverse** (#30398, #30670, #30521, #30846, #31819, #31900 and #32188 by @Gargron, @mjankowski and @oneiros)\
   This adds a mechanism to [highlight the author of news articles](https://blog.joinmastodon.org/2024/07/highlighting-journalism-on-mastodon/) shared on Mastodon.\
   Articles hosted outside the fediverse can indicate a fediverse author with a meta tag:
   ```html
   <meta name="fediverse:creator" content="username@domain" />
   ```
-  On the API side, this is represented by a new `authors` attribute to the `PreviewCard` entity: https://docs.joinmastodon.org/entities/PreviewCard/#authors\
+  On the API side, this is represented by a new `authors` attribute to the `PreviewCard` entity: https://docs.joinmastodon.org/entities/PreviewCard/#authors \
   Users can allow arbitrary domains to use `fediverse:creator` to credit them by visiting `/settings/verification`.\
   This is federated as a new `attributionDomains` property in the `http://joinmastodon.org/ns` namespace, containing an array of domain names: https://docs.joinmastodon.org/spec/activitypub/#properties-used-1
 - **Add in-app notifications for moderation actions and warnings** (#30065, #30082, and #30081 by @ClearlyClaire)\
@@ -150,10 +726,12 @@ The following changelog entries focus on changes visible to users, administrator
 - Add groundwork for annual reports for accounts (#28693 by @Gargron)\
   This lays the groundwork for a “year-in-review”/“wrapped” style report for local users, but is currently not in use.
 - Add notification email on invalid second authenticator (#28822 by @ClearlyClaire)
+- Add date of account deletion in list of accounts in the admin interface (#25640 by @tribela)
 - Add new emojis from `jdecked/twemoji` 15.0 (#28404 by @TheEssem)
 - Add configurable error handling in attachment batch deletion (#28184 by @vmstan)\
   This makes the S3 batch size configurable through the `S3_BATCH_DELETE_LIMIT` environment variable (defaults to 1000), and adds some retry logic, configurable through the `S3_BATCH_DELETE_RETRY` environment variable (defaults to 3).
 - Add VAPID public key to instance serializer (#28006 by @ThisIsMissEm)
+- Add support for serving JRD `/.well-known/host-meta.json` in addition to XRD host-meta (#32206 by @c960657)
 - Add `nodeName` and `nodeDescription` to nodeinfo `metadata` (#28079 by @6543)
 - Add Thai diacritics and tone marks in `HASHTAG_INVALID_CHARS_RE` (#26576 by @ppnplus)
 - Add variable delay before link verification of remote account links (#27774 by @ClearlyClaire)
@@ -168,7 +746,7 @@ The following changelog entries focus on changes visible to users, administrator
 
 ### Changed
 
-- **Change icons throughout the web interface** (#27385, #27539, #27555, #27579, #27700, #27817, #28519, #28709, #28064, #28775, #28780, #27924, #29294, #29395, #29537, #29569, #29610, #29612, #29649, #29844, #27780, #30974, #30963, #30962, #30961, #31362, #31363, #31359, #31371, #31360, #31512, #31511, and #31525 by @ClearlyClaire, @Gargron, @arbolitoloco1, @mjankowski, @nclm, @renchap, @ronilaukkarinen, and @zunda)\
+- **Change icons throughout the web interface** (#27385, #27539, #27555, #27579, #27700, #27817, #28519, #28709, #28064, #28775, #28780, #27924, #29294, #29395, #29537, #29569, #29610, #29612, #29649, #29844, #27780, #30974, #30963, #30962, #30961, #31362, #31363, #31359, #31371, #31360, #31512, #31511, #31525, #32153, and #32201 by @ClearlyClaire, @Gargron, @arbolitoloco1, @mjankowski, @nclm, @renchap, @ronilaukkarinen, and @zunda)\
   This changes all the interface icons from FontAwesome to Material Symbols for a more modern look, consistent with the official Mastodon Android app.\
   In addition, better care is given to pixel alignment, and icon variants are used to better highlight active/inactive state.
 - **Change design of compose form in web UI** (#28119, #29059, #29248, #29372, #29384, #29417, #29456, #29406, #29651, #29659, #31889 and #32033 by @ClearlyClaire, @Gargron, @eai04191, @hinaloe, and @ronilaukkarinen)\
@@ -192,9 +770,9 @@ The following changelog entries focus on changes visible to users, administrator
   Administrators may need to update their setup accordingly.
 - Change how content warnings and filters are displayed in web UI (#31365, and #31761 by @Gargron)
 - Change preview card processing to ignore `undefined` as canonical url (#31882 by @oneiros)
-- Change embedded posts to use web UI (#31766 and #32135 by @Gargron)
+- Change embedded posts to use web UI (#31766, #32135 and #32271 by @Gargron)
 - Change inner borders in media galleries in web UI (#31852 by @Gargron)
-- Change design of media attachments and profile media tab in web UI (#31807, #32048, and #31967 by @Gargron)
+- Change design of media attachments and profile media tab in web UI (#31807, #32048, #31967, #32217, #32224 and #32257 by @ClearlyClaire and @Gargron)
 - Change labels on thread indicators in web UI (#31806 by @Gargron)
 - Change label of "Data export" menu item in settings interface (#32099 by @c960657)
 - Change responsive break points on navigation panel in web UI (#32034 by @Gargron)
@@ -284,9 +862,10 @@ The following changelog entries focus on changes visible to users, administrator
 - Fix error when accepting an appeal for sensitive posts deleted in the meantime (#32037 by @ClearlyClaire)
 - Fix error when encountering reblog of deleted post in feed rebuild (#32001 by @ClearlyClaire)
 - Fix Safari browser glitch related to horizontal scrolling (#31960 by @Gargron)
+- Fix unresolvable mentions sometimes preventing processing incoming posts (#29215 by @tribela and @ClearlyClaire)
 - Fix too many requests caused by relationship look-ups in web UI (#32042 by @Gargron)
 - Fix links for reblogs in moderation interface (#31979 by @ClearlyClaire)
-- Fix the appearance of avatars when they do not load (#31966 by @renchap)
+- Fix the appearance of avatars when they do not load (#31966 and #32270 by @Gargron and @renchap)
 - Fix spurious error notifications for aborted requests in web UI (#31952 by @c960657)
 - Fix HTTP 500 error in `/api/v1/polls/:id/votes` when required `choices` parameter is missing (#25598 by @danielmbrasil)
 - Fix security context sometimes not being added in LD-Signed activities (#31871 by @ClearlyClaire)
@@ -309,10 +888,12 @@ The following changelog entries focus on changes visible to users, administrator
 - Fix “Redirect URI” field not being marked as required in “New application” form (#30311 by @ThisIsMissEm)
 - Fix right-to-left text in preview cards (#30930 by @ClearlyClaire)
 - Fix rack attack `match_type` value typo in logging config (#30514 by @mjankowski)
-- Fix various cases of duplicate, missing, or inconsistent borders or scrollbar styles (#31068, #31286, #31268, #31275, #31284, #31305, #31346, #31372, #31373, #31389, #31432, #31391, #31445 and #32091 by @ClearlyClaire, @valtlai and @vmstan)
+- Fix various cases of duplicate, missing, or inconsistent borders or scrollbar styles (#31068, #31286, #31268, #31275, #31284, #31305, #31346, #31372, #31373, #31389, #31432, #31391, #31445, #32091, #32147 and #32137 by @ClearlyClaire, @mjankowski, @valtlai and @vmstan)
+- Fix editing description of media uploads with custom thumbnails (#32221 by @ClearlyClaire)
 - Fix race condition in `POST /api/v1/push/subscription` (#30166 by @ClearlyClaire)
 - Fix post deletion not being delayed when those are part of an account warning (#30163 by @ClearlyClaire)
 - Fix rendering error on `/start` when not logged in (#30023 by @timothyjrogers)
+- Fix unneeded requests to blocked domains when receiving relayed signed activities from them (#31161 by @ClearlyClaire)
 - Fix logo pushing header buttons out of view on certain conditions in mobile layout (#29787 by @ClearlyClaire)
 - Fix notification-related records not being reattributed when merging accounts (#29694 by @ClearlyClaire)
 - Fix results/query in `api/v1/featured_tags/suggestions` (#29597 by @mjankowski)
@@ -322,6 +903,7 @@ The following changelog entries focus on changes visible to users, administrator
 - Fix full date display not respecting the locale 12/24h format (#29448 by @renchap)
 - Fix filters title and keywords overflow (#29396 by @GeopJr)
 - Fix incorrect date format in “Follows and followers” (#29390 by @JasonPunyon)
+- Fix navigation item active highlight for some paths (#32159 by @mjankowski)
 - Fix “Edit media” modal sizing and layout when space-constrained (#27095 by @ronilaukkarinen)
 - Fix modal container bounds (#29185 by @nico3333fr)
 - Fix inefficient HTTP signature parsing using regexps and `StringScanner` (#29133 by @ClearlyClaire)
@@ -351,7 +933,7 @@ The following changelog entries focus on changes visible to users, administrator
 - Fix empty environment variables not using default nil value (#27400 by @renchap)
 - Fix language sorting in settings (#27158 by @gunchleoc)
 
-## |4.2.11] - 2024-08-16
+## [4.2.11] - 2024-08-16
 
 ### Added
 

CONTRIBUTING.md

@@ -48,30 +48,56 @@ You can contribute in the following ways:
 - Contributing code to Mastodon by fixing bugs or implementing features
 - Improving the documentation
 
-If your contributions are accepted into Mastodon, you can request to be paid through [our OpenCollective](https://opencollective.com/mastodon).
-
 Please review the org-level [contribution guidelines] for high-level acceptance
-criteria guidance.
-
-[contribution guidelines]: https://github.com/mastodon/.github/blob/main/CONTRIBUTING.md
+criteria guidance and the [DEVELOPMENT] guide for environment-specific details.
 
 ## API Changes and Additions
 
-Please note that any changes or additions made to the API should have an accompanying pull request on [our documentation repository](https://github.com/mastodon/documentation).
+Any changes or additions made to the API should have an accompanying pull
+request on our [documentation repository].
 
-## Bug reports
+## Bug Reports
 
-Bug reports and feature suggestions must use descriptive and concise titles and be submitted to [GitHub Issues](https://github.com/mastodon/mastodon/issues). Please use the search function to make sure that you are not submitting duplicates, and that a similar report or request has not already been resolved or rejected.
+Bug reports and feature suggestions must use descriptive and concise titles and
+be submitted to [GitHub Issues]. Please use the search function to make sure
+there are not duplicate bug reports or feature requests.
+
+## Security Issues
+
+If you believe you have identified a security issue in Mastodon or our own apps,
+check [SECURITY].
 
 ## Translations
 
-You can submit translations via [Crowdin](https://crowdin.com/project/mastodon). They are periodically merged into the codebase.
+Translations are community contributed via [Crowdin]. They are periodically
+reviewed and merged into the codebase.
 
 [![Crowdin](https://d322cqt584bo4o.cloudfront.net/mastodon/localized.svg)](https://crowdin.com/project/mastodon)
 
-## Pull requests
+## Pull Requests
 
-**Please use clean, concise titles for your pull requests.** Unless the pull request is about refactoring code, updating dependencies or other internal tasks, assume that the person reading the pull request title is not a programmer or Mastodon developer, but instead a Mastodon user or server administrator, and **try to describe your change or fix from their perspective**. We use commit squashing, so the final commit in the main branch will carry the title of the pull request, and commits from the main branch are fed into the changelog. The changelog is separated into [keepachangelog.com categories](https://keepachangelog.com/en/1.0.0/), and while that spec does not prescribe how the entries ought to be named, for easier sorting, start your pull request titles using one of the verbs "Add", "Change", "Deprecate", "Remove", or "Fix" (present tense).
+### Size and Scope
+
+Our time is limited and PRs making large, unsolicited changes are unlikely to
+get a response. Changes which link to an existing confirmed issue, or which come
+from a "help wanted" issue or other request are more likely to be reviewed.
+
+The smaller and more narrowly focused the changes in a PR are, the easier they
+are to review and potentially merge. If the change only makes sense in some
+larger context of future ongoing work, note that in the description, but still
+aim to keep each distinct PR to a "smallest viable change" chunk of work.
+
+### Description of Changes
+
+Unless the Pull Request is about refactoring code, updating dependencies or
+other internal tasks, assume that the audience are not developers, but a
+Mastodon user or server admin, and try to describe it from their perspective.
+
+The final commit in the main branch will carry the title from the PR. The main
+branch is then fed into the changelog and ultimately into release notes. We try
+to follow the [keepachangelog] spec, and while that does not prescribe how
+exactly the entries ought to be named, starting titles using one of the verbs
+"Add", "Change", "Deprecate", "Remove", or "Fix" (present tense) is helpful.
 
 Example:
 
@@ -79,18 +105,28 @@ Example:
 | ------------------------------------ | ------------------------------------------------------------- |
 | Fixed NoMethodError in RemovalWorker | Fix nil error when removing statuses caused by race condition |
 
-It is not always possible to phrase every change in such a manner, but it is desired.
+### Technical Requirements
 
-**The smaller the set of changes in the pull request is, the quicker it can be reviewed and merged.** Splitting tasks into multiple smaller pull requests is often preferable.
+Pull requests that do not pass automated checks on CI may not be reviewed. In
+particular, please keep in mind:
 
-**Pull requests that do not pass automated checks may not be reviewed**. In particular, you need to keep in mind:
-
-- Unit and integration tests (rspec, jest)
+- Unit and integration tests (rspec, vitest)
 - Code style rules (rubocop, eslint)
 - Normalization of locale files (i18n-tasks)
+- Relevant accessibility or performance concerns
 
 ## Documentation
 
-The [Mastodon documentation](https://docs.joinmastodon.org) is a statically generated site. You can [submit merge requests to mastodon/documentation](https://github.com/mastodon/documentation).
+The [Mastodon documentation] is a statically generated site that contains guides
+and API docs. Improvements are made via PRs to the [documentation repository].
 
 </blockquote>
+
+[contribution guidelines]: https://github.com/mastodon/.github/blob/main/CONTRIBUTING.md
+[Crowdin]: https://crowdin.com/project/mastodon
+[DEVELOPMENT]: docs/DEVELOPMENT.md
+[documentation repository]: https://github.com/mastodon/documentation
+[GitHub Issues]: https://github.com/mastodon/mastodon/issues
+[keepachangelog]: https://keepachangelog.com/en/1.0.0/
+[Mastodon documentation]: https://docs.joinmastodon.org
+[SECURITY]: SECURITY.md

Dockerfile

@@ -1,7 +1,7 @@
-# syntax=docker/dockerfile:1.9
+# syntax=docker/dockerfile:1.18
 
 # This file is designed for production server deployment, not local development work
-# For a containerized local dev environment, see: https://github.com/mastodon/mastodon/blob/main/README.md#docker
+# For a containerized local dev environment, see: https://github.com/mastodon/mastodon/blob/main/docs/DEVELOPMENT.md#docker
 
 # Please see https://docs.docker.com/engine/reference/builder for information about
 # the extended buildx capabilities used in this file.
@@ -9,19 +9,20 @@
 # See: https://docs.docker.com/build/building/multi-platform/
 ARG TARGETPLATFORM=${TARGETPLATFORM}
 ARG BUILDPLATFORM=${BUILDPLATFORM}
+ARG BASE_REGISTRY="docker.io"
 
-# Ruby image to use for base image, change with [--build-arg RUBY_VERSION="3.3.x"]
+# Ruby image to use for base image, change with [--build-arg RUBY_VERSION="3.4.x"]
 # renovate: datasource=docker depName=docker.io/ruby
-ARG RUBY_VERSION="3.3.5"
-# # Node version to use in base image, change with [--build-arg NODE_MAJOR_VERSION="20"]
+ARG RUBY_VERSION="3.4.6"
+# # Node.js version to use in base image, change with [--build-arg NODE_MAJOR_VERSION="20"]
 # renovate: datasource=node-version depName=node
-ARG NODE_MAJOR_VERSION="20"
-# Debian image to use for base image, change with [--build-arg DEBIAN_VERSION="bookworm"]
-ARG DEBIAN_VERSION="bookworm"
-# Node image to use for base image based on combined variables (ex: 20-bookworm-slim)
-FROM docker.io/node:${NODE_MAJOR_VERSION}-${DEBIAN_VERSION}-slim AS node
-# Ruby image to use for base image based on combined variables (ex: 3.3.x-slim-bookworm)
-FROM docker.io/ruby:${RUBY_VERSION}-slim-${DEBIAN_VERSION} AS ruby
+ARG NODE_MAJOR_VERSION="22"
+# Debian image to use for base image, change with [--build-arg DEBIAN_VERSION="trixie"]
+ARG DEBIAN_VERSION="trixie"
+# Node.js image to use for base image based on combined variables (ex: 20-trixie-slim)
+FROM ${BASE_REGISTRY}/node:${NODE_MAJOR_VERSION}-${DEBIAN_VERSION}-slim AS node
+# Ruby image to use for base image based on combined variables (ex: 3.4.x-slim-trixie)
+FROM ${BASE_REGISTRY}/ruby:${RUBY_VERSION}-slim-${DEBIAN_VERSION} AS ruby
 
 # Resulting version string is vX.X.X-MASTODON_VERSION_PRERELEASE+MASTODON_VERSION_METADATA
 # Example: v4.3.0-nightly.2023.11.09+pr-123456
@@ -29,6 +30,8 @@ FROM docker.io/ruby:${RUBY_VERSION}-slim-${DEBIAN_VERSION} AS ruby
 ARG MASTODON_VERSION_PRERELEASE=""
 # Append build metadata or fork information to version.rb [--build-arg MASTODON_VERSION_METADATA="pr-123456"]
 ARG MASTODON_VERSION_METADATA=""
+# Will be available as Mastodon::Version.source_commit
+ARG SOURCE_COMMIT=""
 
 # Allow Ruby on Rails to serve static files
 # See: https://docs.joinmastodon.org/admin/config/#rails_serve_static_files
@@ -45,30 +48,31 @@ ARG GID="991"
 
 # Apply Mastodon build options based on options above
 ENV \
-# Apply Mastodon version information
+  # Apply Mastodon version information
   MASTODON_VERSION_PRERELEASE="${MASTODON_VERSION_PRERELEASE}" \
   MASTODON_VERSION_METADATA="${MASTODON_VERSION_METADATA}" \
-# Apply Mastodon static files and YJIT options
+  SOURCE_COMMIT="${SOURCE_COMMIT}" \
+  # Apply Mastodon static files and YJIT options
   RAILS_SERVE_STATIC_FILES=${RAILS_SERVE_STATIC_FILES} \
   RUBY_YJIT_ENABLE=${RUBY_YJIT_ENABLE} \
-# Apply timezone
+  # Apply timezone
   TZ=${TZ}
 
 ENV \
-# Configure the IP to bind Mastodon to when serving traffic
+  # Configure the IP to bind Mastodon to when serving traffic
   BIND="0.0.0.0" \
-# Use production settings for Yarn, Node and related nodejs based tools
+  # Use production settings for Yarn, Node.js and related tools
   NODE_ENV="production" \
-# Use production settings for Ruby on Rails
+  # Use production settings for Ruby on Rails
   RAILS_ENV="production" \
-# Add Ruby and Mastodon installation to the PATH
+  # Add Ruby and Mastodon installation to the PATH
   DEBIAN_FRONTEND="noninteractive" \
   PATH="${PATH}:/opt/ruby/bin:/opt/mastodon/bin" \
-# Optimize jemalloc 5.x performance
+  # Optimize jemalloc 5.x performance
   MALLOC_CONF="narenas:2,background_thread:true,thp:never,dirty_decay_ms:1000,muzzy_decay_ms:0" \
-# Enable libvips, should not be changed
+  # Enable libvips, should not be changed
   MASTODON_USE_LIBVIPS=true \
-# Sidekiq will touch tmp/sidekiq_process_has_started_and_will_begin_processing_jobs to indicate it is ready. This can be used for a readiness check in Kubernetes
+  # Sidekiq will touch tmp/sidekiq_process_has_started_and_will_begin_processing_jobs to indicate it is ready. This can be used for a readiness check in Kubernetes
   MASTODON_SIDEKIQ_READY_FILENAME=sidekiq_process_has_started_and_will_begin_processing_jobs
 
 # Set default shell used for running commands
@@ -79,14 +83,14 @@ ARG TARGETPLATFORM
 RUN echo "Target platform is $TARGETPLATFORM"
 
 RUN \
-# Remove automatic apt cache Docker cleanup scripts
+  # Remove automatic apt cache Docker cleanup scripts
   rm -f /etc/apt/apt.conf.d/docker-clean; \
-# Sets timezone
+  # Sets timezone
   echo "${TZ}" > /etc/localtime; \
-# Creates mastodon user/group and sets home directory
+  # Creates mastodon user/group and sets home directory
   groupadd -g "${GID}" mastodon; \
   useradd -l -u "${UID}" -g "${GID}" -m -d /opt/mastodon mastodon; \
-# Creates /mastodon symlink to /opt/mastodon
+  # Creates /mastodon symlink to /opt/mastodon
   ln -s /opt/mastodon /mastodon;
 
 # Set /opt/mastodon as working directory
@@ -94,104 +98,92 @@ WORKDIR /opt/mastodon
 
 # hadolint ignore=DL3008,DL3005
 RUN \
-# Mount Apt cache and lib directories from Docker buildx caches
---mount=type=cache,id=apt-cache-${TARGETPLATFORM},target=/var/cache/apt,sharing=locked \
---mount=type=cache,id=apt-lib-${TARGETPLATFORM},target=/var/lib/apt,sharing=locked \
-# Apt update & upgrade to check for security updates to Debian image
+  # Mount Apt cache and lib directories from Docker buildx caches
+  --mount=type=cache,id=apt-cache-${TARGETPLATFORM},target=/var/cache/apt,sharing=locked \
+  --mount=type=cache,id=apt-lib-${TARGETPLATFORM},target=/var/lib/apt,sharing=locked \
+  # Apt update & upgrade to check for security updates to Debian image
   apt-get update; \
   apt-get dist-upgrade -yq; \
-# Install jemalloc, curl and other necessary components
+  # Install jemalloc, curl and other necessary components
   apt-get install -y --no-install-recommends \
-    curl \
-    file \
-    libjemalloc2 \
-    patchelf \
-    procps \
-    tini \
-    tzdata \
-    wget \
+  curl \
+  file \
+  libjemalloc2 \
+  patchelf \
+  procps \
+  tini \
+  tzdata \
+  wget \
   ; \
-# Patch Ruby to use jemalloc
+  # Patch Ruby to use jemalloc
   patchelf --add-needed libjemalloc.so.2 /usr/local/bin/ruby; \
-# Discard patchelf after use
+  # Discard patchelf after use
   apt-get purge -y \
-    patchelf \
+  patchelf \
   ;
 
 # Create temporary build layer from base image
 FROM ruby AS build
 
-# Copy Node package configuration files into working directory
-COPY package.json yarn.lock .yarnrc.yml /opt/mastodon/
-COPY .yarn /opt/mastodon/.yarn
-
-COPY --from=node /usr/local/bin /usr/local/bin
-COPY --from=node /usr/local/lib /usr/local/lib
-
 ARG TARGETPLATFORM
 
 # hadolint ignore=DL3008
 RUN \
-# Mount Apt cache and lib directories from Docker buildx caches
---mount=type=cache,id=apt-cache-${TARGETPLATFORM},target=/var/cache/apt,sharing=locked \
---mount=type=cache,id=apt-lib-${TARGETPLATFORM},target=/var/lib/apt,sharing=locked \
-# Install build tools and bundler dependencies from APT
+  # Mount Apt cache and lib directories from Docker buildx caches
+  --mount=type=cache,id=apt-cache-${TARGETPLATFORM},target=/var/cache/apt,sharing=locked \
+  --mount=type=cache,id=apt-lib-${TARGETPLATFORM},target=/var/lib/apt,sharing=locked \
+  # Install build tools and bundler dependencies from APT
   apt-get install -y --no-install-recommends \
-    autoconf \
-    automake \
-    build-essential \
-    cmake \
-    git \
-    libgdbm-dev \
-    libglib2.0-dev \
-    libgmp-dev \
-    libicu-dev \
-    libidn-dev \
-    libpq-dev \
-    libssl-dev \
-    libtool \
-    meson \
-    nasm \
-    pkg-config \
-    shared-mime-info \
-    xz-utils \
-	# libvips components
-    libcgif-dev \
-    libexif-dev \
-    libexpat1-dev \
-    libgirepository1.0-dev \
-    libheif-dev \
-    libimagequant-dev \
-    libjpeg62-turbo-dev \
-    liblcms2-dev \
-    liborc-dev \
-    libspng-dev \
-    libtiff-dev \
-    libwebp-dev \
+  autoconf \
+  automake \
+  build-essential \
+  cmake \
+  git \
+  libgdbm-dev \
+  libglib2.0-dev \
+  libgmp-dev \
+  libicu-dev \
+  libidn-dev \
+  libpq-dev \
+  libssl-dev \
+  libtool \
+  libyaml-dev \
+  meson \
+  nasm \
+  pkg-config \
+  shared-mime-info \
+  xz-utils \
+  # libvips components
+  libcgif-dev \
+  libexif-dev \
+  libexpat1-dev \
+  libgirepository1.0-dev \
+  libheif-dev \
+  libhwy-dev \
+  libimagequant-dev \
+  libjpeg62-turbo-dev \
+  liblcms2-dev \
+  libspng-dev \
+  libtiff-dev \
+  libwebp-dev \
   # ffmpeg components
-    libdav1d-dev \
-    liblzma-dev \
-    libmp3lame-dev \
-    libopus-dev \
-    libsnappy-dev \
-    libvorbis-dev \
-    libvpx-dev \
-    libx264-dev \
-    libx265-dev \
+  libdav1d-dev \
+  liblzma-dev \
+  libmp3lame-dev \
+  libopus-dev \
+  libsnappy-dev \
+  libvorbis-dev \
+  libvpx-dev \
+  libx264-dev \
+  libx265-dev \
   ;
 
-RUN \
-# Configure Corepack
-  rm /usr/local/bin/yarn*; \
-  corepack enable; \
-  corepack prepare --activate;
-
 # Create temporary libvips specific build layer from build layer
 FROM build AS libvips
 
 # libvips version to compile, change with [--build-arg VIPS_VERSION="8.15.2"]
 # renovate: datasource=github-releases depName=libvips packageName=libvips/libvips
-ARG VIPS_VERSION=8.15.3
+ARG VIPS_VERSION=8.17.2
 # libvips download URL, change with [--build-arg VIPS_URL="https://github.com/libvips/libvips/releases/download"]
 ARG VIPS_URL=https://github.com/libvips/libvips/releases/download
 
@@ -214,7 +206,7 @@ FROM build AS ffmpeg
 
 # ffmpeg version to compile, change with [--build-arg FFMPEG_VERSION="7.0.x"]
 # renovate: datasource=repology depName=ffmpeg packageName=openpkg_current/ffmpeg
-ARG FFMPEG_VERSION=7.0.2
+ARG FFMPEG_VERSION=8.0
 # ffmpeg download URL, change with [--build-arg FFMPEG_URL="https://ffmpeg.org/releases"]
 ARG FFMPEG_URL=https://ffmpeg.org/releases
 
@@ -228,28 +220,28 @@ WORKDIR /usr/local/ffmpeg/src/ffmpeg-${FFMPEG_VERSION}
 # Configure and compile ffmpeg
 RUN \
   ./configure \
-    --prefix=/usr/local/ffmpeg \
-    --toolchain=hardened \
-    --disable-debug \
-    --disable-devices \
-    --disable-doc \
-    --disable-ffplay \
-    --disable-network \
-    --disable-static \
-    --enable-ffmpeg \
-    --enable-ffprobe \
-    --enable-gpl \
-    --enable-libdav1d \
-    --enable-libmp3lame \
-    --enable-libopus \
-    --enable-libsnappy \
-    --enable-libvorbis \
-    --enable-libvpx \
-    --enable-libwebp \
-    --enable-libx264 \
-    --enable-libx265 \
-    --enable-shared \
-    --enable-version3 \
+  --prefix=/usr/local/ffmpeg \
+  --toolchain=hardened \
+  --disable-debug \
+  --disable-devices \
+  --disable-doc \
+  --disable-ffplay \
+  --disable-network \
+  --disable-static \
+  --enable-ffmpeg \
+  --enable-ffprobe \
+  --enable-gpl \
+  --enable-libdav1d \
+  --enable-libmp3lame \
+  --enable-libopus \
+  --enable-libsnappy \
+  --enable-libvorbis \
+  --enable-libvpx \
+  --enable-libwebp \
+  --enable-libx264 \
+  --enable-libx265 \
+  --enable-shared \
+  --enable-version3 \
   ; \
   make -j$(nproc); \
   make install;
@@ -263,58 +255,57 @@ ARG TARGETPLATFORM
 COPY Gemfile* /opt/mastodon/
 
 RUN \
-# Mount Ruby Gem caches
---mount=type=cache,id=gem-cache-${TARGETPLATFORM},target=/usr/local/bundle/cache/,sharing=locked \
-# Configure bundle to prevent changes to Gemfile and Gemfile.lock
+  # Mount Ruby Gem caches
+  --mount=type=cache,id=gem-cache-${TARGETPLATFORM},target=/usr/local/bundle/cache/,sharing=locked \
+  # Configure bundle to prevent changes to Gemfile and Gemfile.lock
   bundle config set --global frozen "true"; \
-# Configure bundle to not cache downloaded Gems
+  # Configure bundle to not cache downloaded Gems
   bundle config set --global cache_all "false"; \
-# Configure bundle to only process production Gems
+  # Configure bundle to only process production Gems
   bundle config set --local without "development test"; \
-# Configure bundle to not warn about root user
+  # Configure bundle to not warn about root user
   bundle config set silence_root_warning "true"; \
-# Download and install required Gems
+  # Download and install required Gems
   bundle install -j"$(nproc)";
 
-# Create temporary node specific build layer from build layer
-FROM build AS yarn
-
-ARG TARGETPLATFORM
-
-# Copy Node package configuration files into working directory
-COPY package.json yarn.lock .yarnrc.yml /opt/mastodon/
-COPY streaming/package.json /opt/mastodon/streaming/
-COPY .yarn /opt/mastodon/.yarn
-
-# hadolint ignore=DL3008
-RUN \
---mount=type=cache,id=corepack-cache-${TARGETPLATFORM},target=/usr/local/share/.cache/corepack,sharing=locked \
---mount=type=cache,id=yarn-cache-${TARGETPLATFORM},target=/usr/local/share/.cache/yarn,sharing=locked \
-# Install Node packages
-  yarn workspaces focus --production @mastodon/mastodon;
-
 # Create temporary assets build layer from build layer
 FROM build AS precompiler
 
-# Copy Mastodon sources into precompiler layer
+ARG TARGETPLATFORM
+
+# Copy Mastodon sources into layer
 COPY . /opt/mastodon/
 
-# Copy bundler and node packages from build layer to container
-COPY --from=yarn /opt/mastodon /opt/mastodon/
-COPY --from=bundler /opt/mastodon /opt/mastodon/
-COPY --from=bundler /usr/local/bundle/ /usr/local/bundle/
-# Copy libvips components to layer for precompiler
+# Copy Node.js binaries/libraries into layer
+COPY --from=node /usr/local/bin /usr/local/bin
+COPY --from=node /usr/local/lib /usr/local/lib
+
+RUN \
+  # Configure Corepack
+  rm /usr/local/bin/yarn*; \
+  corepack enable; \
+  corepack prepare --activate;
+
+# hadolint ignore=DL3008
+RUN \
+  --mount=type=cache,id=corepack-cache-${TARGETPLATFORM},target=/usr/local/share/.cache/corepack,sharing=locked \
+  --mount=type=cache,id=yarn-cache-${TARGETPLATFORM},target=/usr/local/share/.cache/yarn,sharing=locked \
+  # Install Node.js packages
+  yarn workspaces focus --production @mastodon/mastodon;
+
+# Copy libvips components into layer for precompiler
 COPY --from=libvips /usr/local/libvips/bin /usr/local/bin
 COPY --from=libvips /usr/local/libvips/lib /usr/local/lib
-
-ARG TARGETPLATFORM
+# Copy bundler packages into layer for precompiler
+COPY --from=bundler /opt/mastodon /opt/mastodon/
+COPY --from=bundler /usr/local/bundle/ /usr/local/bundle/
 
 RUN \
   ldconfig; \
-# Use Ruby on Rails to create Mastodon assets
+  # Use Ruby on Rails to create Mastodon assets
   SECRET_KEY_BASE_DUMMY=1 \
   bundle exec rails assets:precompile; \
-# Cleanup temporary files
+  # Cleanup temporary files
   rm -fr /opt/mastodon/tmp;
 
 # Prep final Mastodon Ruby layer
@@ -324,49 +315,49 @@ ARG TARGETPLATFORM
 
 # hadolint ignore=DL3008
 RUN \
-# Mount Apt cache and lib directories from Docker buildx caches
---mount=type=cache,id=apt-cache-${TARGETPLATFORM},target=/var/cache/apt,sharing=locked \
---mount=type=cache,id=apt-lib-${TARGETPLATFORM},target=/var/lib/apt,sharing=locked \
-# Mount Corepack and Yarn caches from Docker buildx caches
---mount=type=cache,id=corepack-cache-${TARGETPLATFORM},target=/usr/local/share/.cache/corepack,sharing=locked \
---mount=type=cache,id=yarn-cache-${TARGETPLATFORM},target=/usr/local/share/.cache/yarn,sharing=locked \
-# Apt update install non-dev versions of necessary components
+  # Mount Apt cache and lib directories from Docker buildx caches
+  --mount=type=cache,id=apt-cache-${TARGETPLATFORM},target=/var/cache/apt,sharing=locked \
+  --mount=type=cache,id=apt-lib-${TARGETPLATFORM},target=/var/lib/apt,sharing=locked \
+  # Mount Corepack and Yarn caches from Docker buildx caches
+  --mount=type=cache,id=corepack-cache-${TARGETPLATFORM},target=/usr/local/share/.cache/corepack,sharing=locked \
+  --mount=type=cache,id=yarn-cache-${TARGETPLATFORM},target=/usr/local/share/.cache/yarn,sharing=locked \
+  # Apt update install non-dev versions of necessary components
   apt-get install -y --no-install-recommends \
-    libexpat1 \
-    libglib2.0-0 \
-    libicu72 \
-    libidn12 \
-    libpq5 \
-    libreadline8 \
-    libssl3 \
-    libyaml-0-2 \
+  libexpat1 \
+  libglib2.0-0t64 \
+  libicu76 \
+  libidn12 \
+  libpq5 \
+  libreadline8t64 \
+  libssl3t64 \
+  libyaml-0-2 \
   # libvips components
-    libcgif0 \
-    libexif12 \
-    libheif1 \
-    libimagequant0 \
-    libjpeg62-turbo \
-    liblcms2-2 \
-    liborc-0.4-0 \
-    libspng0 \
-    libtiff6 \
-    libwebp7 \
-    libwebpdemux2 \
-    libwebpmux3 \
+  libcgif0 \
+  libexif12 \
+  libheif1 \
+  libhwy1t64 \
+  libimagequant0 \
+  libjpeg62-turbo \
+  liblcms2-2 \
+  libspng0 \
+  libtiff6 \
+  libwebp7 \
+  libwebpdemux2 \
+  libwebpmux3 \
   # ffmpeg components
-    libdav1d6 \
-    libmp3lame0 \
-    libopencore-amrnb0 \
-    libopencore-amrwb0 \
-    libopus0 \
-    libsnappy1v5 \
-    libtheora0 \
-    libvorbis0a \
-    libvorbisenc2 \
-    libvorbisfile3 \
-    libvpx7 \
-    libx264-164 \
-    libx265-199 \
+  libdav1d7 \
+  libmp3lame0 \
+  libopencore-amrnb0 \
+  libopencore-amrwb0 \
+  libopus0 \
+  libsnappy1v5 \
+  libtheora0 \
+  libvorbis0a \
+  libvorbisenc2 \
+  libvorbisfile3 \
+  libvpx9 \
+  libx264-164 \
+  libx265-215 \
   ;
 
 # Copy Mastodon sources into final layer
@@ -386,7 +377,7 @@ COPY --from=ffmpeg /usr/local/ffmpeg/lib /usr/local/lib
 
 RUN \
   ldconfig; \
-# Smoketest media processors
+  # Smoketest media processors
   vips -v; \
   ffmpeg -version; \
   ffprobe -version;
@@ -396,10 +387,10 @@ RUN \
   bundle exec bootsnap precompile --gemfile app/ lib/;
 
 RUN \
-# Pre-create and chown system volume to Mastodon user
+  # Pre-create and chown system volume to Mastodon user
   mkdir -p /opt/mastodon/public/system; \
   chown mastodon:mastodon /opt/mastodon/public/system; \
-# Set Mastodon user as owner of tmp folder
+  # Set Mastodon user as owner of tmp folder
   chown -R mastodon:mastodon /opt/mastodon/tmp;
 
 # Set the running user for resulting container

FEDERATION.md

@@ -13,6 +13,7 @@
 - [FEP-f1d5: NodeInfo in Fediverse Software](https://codeberg.org/fediverse/fep/src/branch/main/fep/f1d5/fep-f1d5.md)
 - [FEP-8fcf: Followers collection synchronization across servers](https://codeberg.org/fediverse/fep/src/branch/main/fep/8fcf/fep-8fcf.md)
 - [FEP-5feb: Search indexing consent for actors](https://codeberg.org/fediverse/fep/src/branch/main/fep/5feb/fep-5feb.md)
+- [FEP-044f: Consent-respecting quote posts](https://codeberg.org/fediverse/fep/src/branch/main/fep/044f/fep-044f.md): partial support for incoming quote-posts
 
 ## ActivityPub in Mastodon
 

Gemfile

@@ -1,12 +1,11 @@
 # frozen_string_literal: true
 
 source 'https://rubygems.org'
-ruby '>= 3.1.0'
+ruby '>= 3.2.0', '< 3.5.0'
 
 gem 'propshaft'
 gem 'puma', '~> 6.3'
-gem 'rack', '~> 2.2.7'
-gem 'rails', '~> 7.1.1'
+gem 'rails', '~> 8.0'
 gem 'thor', '~> 1.2'
 
 gem 'dotenv'
@@ -14,18 +13,19 @@ gem 'haml-rails', '~>2.0'
 gem 'pg', '~> 1.5'
 gem 'pghero'
 
+gem 'aws-sdk-core', '< 3.216.0', require: false # TODO: https://github.com/mastodon/mastodon/pull/34173#issuecomment-2733378873
 gem 'aws-sdk-s3', '~> 1.123', require: false
 gem 'blurhash', '~> 0.1'
-gem 'fog-core', '<= 2.5.0'
+gem 'fog-core', '<= 2.6.0'
 gem 'fog-openstack', '~> 1.0', require: false
+gem 'jd-paperclip-azure', '~> 3.0', require: false
 gem 'kt-paperclip', '~> 7.2'
-gem 'md-paperclip-azure', '~> 2.2', require: false
 gem 'ruby-vips', '~> 2.2', require: false
 
 gem 'active_model_serializers', '~> 0.10'
 gem 'addressable', '~> 2.8'
 gem 'bootsnap', '~> 1.18.0', require: false
-gem 'browser', '< 6' # https://github.com/fnando/browser/issues/543
+gem 'browser'
 gem 'charlock_holmes', '~> 0.7.7'
 gem 'chewy', '~> 7.3'
 gem 'devise', '~> 4.9'
@@ -39,7 +39,7 @@ gem 'net-ldap', '~> 0.18'
 
 gem 'omniauth', '~> 2.0'
 gem 'omniauth-cas', '~> 3.0.0.beta.1'
-gem 'omniauth_openid_connect', '~> 0.6.1'
+gem 'omniauth_openid_connect', '~> 0.8.0'
 gem 'omniauth-rails_csrf_protection', '~> 1.0'
 gem 'omniauth-saml', '~> 2.0'
 
@@ -47,21 +47,25 @@ gem 'color_diff', '~> 0.1'
 gem 'csv', '~> 3.2'
 gem 'discard', '~> 1.2'
 gem 'doorkeeper', '~> 5.6'
+gem 'faraday-httpclient'
 gem 'fast_blank', '~> 1.0'
 gem 'fastimage'
 gem 'hiredis', '~> 0.6'
+gem 'hiredis-client'
 gem 'htmlentities', '~> 4.3'
-gem 'http', '~> 5.2.0'
+gem 'http', '~> 5.3.0'
 gem 'http_accept_language', '~> 2.1'
-gem 'httplog', '~> 1.7.0'
+gem 'httplog', '~> 1.7.0', require: false
 gem 'i18n'
 gem 'idn-ruby', require: 'idn'
 gem 'inline_svg'
 gem 'irb', '~> 1.8'
 gem 'kaminari', '~> 1.2'
 gem 'link_header', '~> 0.0'
+gem 'linzer', '~> 0.7.7'
 gem 'mario-redis-lock', '~> 1.2', require: 'redis_lock'
-gem 'mime-types', '~> 3.5.0', require: 'mime/types/columnar'
+gem 'mime-types', '~> 3.7.0', require: 'mime/types/columnar'
+gem 'mutex_m'
 gem 'nokogiri', '~> 1.15'
 gem 'oj', '~> 3.14'
 gem 'ox', '~> 2.14'
@@ -70,51 +74,51 @@ gem 'premailer-rails'
 gem 'public_suffix', '~> 6.0'
 gem 'pundit', '~> 2.3'
 gem 'rack-attack', '~> 6.6'
-gem 'rack-cors', '~> 2.0', require: 'rack/cors'
-gem 'rails-i18n', '~> 7.0'
+gem 'rack-cors', require: 'rack/cors'
+gem 'rails-i18n', '~> 8.0'
 gem 'redcarpet', '~> 3.6'
 gem 'redis', '~> 4.5', require: ['redis', 'redis/connection/hiredis']
-gem 'redis-namespace', '~> 1.10'
-gem 'rqrcode', '~> 2.2'
+gem 'rqrcode', '~> 3.0'
 gem 'ruby-progressbar', '~> 1.13'
-gem 'sanitize', '~> 6.0'
+gem 'sanitize', '~> 7.0'
 gem 'scenic', '~> 1.7'
-gem 'sidekiq', '~> 6.5'
+gem 'sidekiq', '< 9'
 gem 'sidekiq-bulk', '~> 0.2.0'
-gem 'sidekiq-scheduler', '~> 5.0'
-gem 'sidekiq-unique-jobs', '~> 7.1'
+gem 'sidekiq-scheduler', '~> 6.0'
+gem 'sidekiq-unique-jobs', '> 8'
 gem 'simple_form', '~> 5.2'
 gem 'simple-navigation', '~> 4.4'
-gem 'stoplight', '~> 4.1'
+gem 'stoplight'
 gem 'strong_migrations'
 gem 'tty-prompt', '~> 0.23', require: false
 gem 'twitter-text', '~> 3.1.0'
 gem 'tzinfo-data', '~> 1.2023'
 gem 'webauthn', '~> 3.0'
-gem 'webpacker', '~> 5.4'
-gem 'webpush', github: 'ClearlyClaire/webpush', ref: 'f14a4d52e201128b1b00245d11b6de80d6cfdcd9'
+gem 'webpush', github: 'mastodon/webpush', ref: '9631ac63045cfabddacc69fc06e919b4c13eb913'
 
 gem 'json-ld'
 gem 'json-ld-preloaded', '~> 3.2'
 gem 'rdf-normalize', '~> 0.5'
 
-gem 'opentelemetry-api', '~> 1.4.0'
+gem 'prometheus_exporter', '~> 2.2', require: false
+
+gem 'opentelemetry-api', '~> 1.7.0'
 
 group :opentelemetry do
-  gem 'opentelemetry-exporter-otlp', '~> 0.29.0', require: false
-  gem 'opentelemetry-instrumentation-active_job', '~> 0.7.1', require: false
-  gem 'opentelemetry-instrumentation-active_model_serializers', '~> 0.20.1', require: false
-  gem 'opentelemetry-instrumentation-concurrent_ruby', '~> 0.21.2', require: false
-  gem 'opentelemetry-instrumentation-excon', '~> 0.22.0', require: false
-  gem 'opentelemetry-instrumentation-faraday', '~> 0.24.1', require: false
-  gem 'opentelemetry-instrumentation-http', '~> 0.23.2', require: false
-  gem 'opentelemetry-instrumentation-http_client', '~> 0.22.3', require: false
-  gem 'opentelemetry-instrumentation-net_http', '~> 0.22.4', require: false
-  gem 'opentelemetry-instrumentation-pg', '~> 0.29.0', require: false
-  gem 'opentelemetry-instrumentation-rack', '~> 0.24.1', require: false
-  gem 'opentelemetry-instrumentation-rails', '~> 0.31.0', require: false
-  gem 'opentelemetry-instrumentation-redis', '~> 0.25.3', require: false
-  gem 'opentelemetry-instrumentation-sidekiq', '~> 0.25.2', require: false
+  gem 'opentelemetry-exporter-otlp', '~> 0.30.0', require: false
+  gem 'opentelemetry-instrumentation-active_job', '~> 0.8.0', require: false
+  gem 'opentelemetry-instrumentation-active_model_serializers', '~> 0.22.0', require: false
+  gem 'opentelemetry-instrumentation-concurrent_ruby', '~> 0.22.0', require: false
+  gem 'opentelemetry-instrumentation-excon', '~> 0.24.0', require: false
+  gem 'opentelemetry-instrumentation-faraday', '~> 0.28.0', require: false
+  gem 'opentelemetry-instrumentation-http', '~> 0.25.0', require: false
+  gem 'opentelemetry-instrumentation-http_client', '~> 0.24.0', require: false
+  gem 'opentelemetry-instrumentation-net_http', '~> 0.24.0', require: false
+  gem 'opentelemetry-instrumentation-pg', '~> 0.30.0', require: false
+  gem 'opentelemetry-instrumentation-rack', '~> 0.27.0', require: false
+  gem 'opentelemetry-instrumentation-rails', '~> 0.37.0', require: false
+  gem 'opentelemetry-instrumentation-redis', '~> 0.26.0', require: false
+  gem 'opentelemetry-instrumentation-sidekiq', '~> 0.26.0', require: false
   gem 'opentelemetry-sdk', '~> 1.4', require: false
 end
 
@@ -123,7 +127,7 @@ group :test do
   gem 'flatware-rspec'
 
   # Adds RSpec Error/Warning annotations to GitHub PRs on the Files tab
-  gem 'rspec-github', '~> 2.4', require: false
+  gem 'rspec-github', '~> 3.0', require: false
 
   # RSpec helpers for email specs
   gem 'email_spec'
@@ -133,7 +137,8 @@ group :test do
 
   # Browser integration testing
   gem 'capybara', '~> 3.39'
-  gem 'selenium-webdriver'
+  gem 'capybara-playwright-driver'
+  gem 'playwright-ruby-client', '1.55.0', require: false # Pinning the exact version as it needs to be kept in sync with the installed npm package
 
   # Used to reset the database between system tests
   gem 'database_cleaner-active_record'
@@ -141,18 +146,15 @@ group :test do
   # Used to mock environment variables
   gem 'climate_control'
 
-  # Add back helpers functions removed in Rails 5.1
-  gem 'rails-controller-testing', '~> 1.0'
-
   # Validate schemas in specs
-  gem 'json-schema', '~> 5.0'
+  gem 'json-schema', '~> 6.0'
 
   # Test harness fo rack components
   gem 'rack-test', '~> 2.1'
 
   gem 'shoulda-matchers'
 
-  # Coverage formatter for RSpec test if DISABLE_SIMPLECOV is false
+  # Coverage formatter for RSpec
   gem 'simplecov', '~> 0.22', require: false
   gem 'simplecov-lcov', '~> 0.8', require: false
 
@@ -164,13 +166,14 @@ group :development do
   # Code linting CLI and plugins
   gem 'rubocop', require: false
   gem 'rubocop-capybara', require: false
+  gem 'rubocop-i18n', require: false
   gem 'rubocop-performance', require: false
   gem 'rubocop-rails', require: false
   gem 'rubocop-rspec', require: false
   gem 'rubocop-rspec_rails', require: false
 
   # Annotates modules with schema
-  gem 'annotate', '~> 3.2'
+  gem 'annotaterb', '~> 4.13', require: false
 
   # Enhanced error message pages for development
   gem 'better_errors', '~> 2.9'
@@ -181,7 +184,7 @@ group :development do
   gem 'letter_opener_web', '~> 3.0'
 
   # Security analysis CLI tools
-  gem 'brakeman', '~> 6.0', require: false
+  gem 'brakeman', '~> 7.0', require: false
   gem 'bundler-audit', '~> 0.9', require: false
 
   # Linter CLI for HAML files
@@ -193,22 +196,22 @@ end
 
 group :development, :test do
   # Interactive Debugging tools
-  gem 'debug', '~> 1.8'
+  gem 'debug', '~> 1.8', require: false
 
   # Generate fake data values
   gem 'faker', '~> 3.2'
 
   # Generate factory objects
-  gem 'fabrication', '~> 2.30'
+  gem 'fabrication'
 
   # Profiling tools
   gem 'memory_profiler', require: false
   gem 'ruby-prof', require: false
   gem 'stackprof', require: false
-  gem 'test-prof'
+  gem 'test-prof', require: false
 
   # RSpec runner for rails
-  gem 'rspec-rails', '~> 7.0'
+  gem 'rspec-rails', '~> 8.0'
 end
 
 group :production do
@@ -220,9 +223,11 @@ gem 'concurrent-ruby', require: false
 gem 'connection_pool', require: false
 gem 'xorcist', '~> 1.1'
 
-gem 'net-http', '~> 0.4.0'
-gem 'rubyzip', '~> 2.3'
+gem 'net-http', '~> 0.6.0'
+gem 'rubyzip', '~> 3.0'
 
 gem 'hcaptcha', '~> 7.1'
 
 gem 'mail', '~> 2.8'
+
+gem 'vite_rails', '~> 3.0.19'

Procfile.dev

@@ -1,4 +1,4 @@
 web: env PORT=3000 RAILS_ENV=development bundle exec puma -C config/puma.rb
 sidekiq: env PORT=3000 RAILS_ENV=development bundle exec sidekiq
 stream: env PORT=4000 yarn workspace @mastodon/streaming start
-webpack: bin/webpack-dev-server
+vite: yarn dev

README.md

@@ -14,161 +14,102 @@ Mastodon Glitch Edition is a fork of [Mastodon](https://github.com/mastodon/mast
 
 ---
 
-<h1><picture>
-  <source media="(prefers-color-scheme: dark)" srcset="./lib/assets/wordmark.dark.png?raw=true">
-  <source media="(prefers-color-scheme: light)" srcset="./lib/assets/wordmark.light.png?raw=true">
-  <img alt="Mastodon" src="./lib/assets/wordmark.light.png?raw=true" height="34">
-</picture></h1>
+> [!NOTE]
+> Want to learn more about Mastodon?
+> Click below to find out more in a video.
 
-[![GitHub release](https://img.shields.io/github/release/mastodon/mastodon.svg)][releases]
-[![Ruby Testing](https://github.com/mastodon/mastodon/actions/workflows/test-ruby.yml/badge.svg)](https://github.com/mastodon/mastodon/actions/workflows/test-ruby.yml)
-[![Crowdin](https://d322cqt584bo4o.cloudfront.net/mastodon/localized.svg)][crowdin]
+<p align="center">
+  <a style="text-decoration:none" href="https://www.youtube.com/watch?v=IPSbNdBmWKE">
+    <img alt="Mastodon hero image" src="https://github.com/user-attachments/assets/ef53f5e9-c0d8-484d-9f53-00efdebb92c3" />
+  </a>
+</p>
 
-[releases]: https://github.com/mastodon/mastodon/releases
-[crowdin]: https://crowdin.com/project/mastodon
+<p align="center">
+  <a style="text-decoration:none" href="https://github.com/mastodon/mastodon/releases">
+    <img src="https://img.shields.io/github/release/mastodon/mastodon.svg" alt="Release" /></a>
+  <a style="text-decoration:none" href="https://github.com/mastodon/mastodon/actions/workflows/test-ruby.yml">
+    <img src="https://github.com/mastodon/mastodon/actions/workflows/test-ruby.yml/badge.svg" alt="Ruby Testing" /></a>
+  <a style="text-decoration:none" href="https://crowdin.com/project/mastodon">
+    <img src="https://d322cqt584bo4o.cloudfront.net/mastodon/localized.svg" alt="Crowdin" /></a>
+</p>
 
-Mastodon is a **free, open-source social network server** based on ActivityPub where users can follow friends and discover new ones. On Mastodon, users can publish anything they want: links, pictures, text, and video. All Mastodon servers are interoperable as a federated network (users on one server can seamlessly communicate with users from another one, including non-Mastodon software that implements ActivityPub!)
-
-Click below to **learn more** in a video:
-
-[![Screenshot](https://blog.joinmastodon.org/2018/06/why-activitypub-is-the-future/ezgif-2-60f1b00403.gif)][youtube_demo]
-
-[youtube_demo]: https://www.youtube.com/watch?v=IPSbNdBmWKE
+Mastodon is a **free, open-source social network server** based on [ActivityPub](https://www.w3.org/TR/activitypub/) where users can follow friends and discover new ones. On Mastodon, users can publish anything they want: links, pictures, text, and video. All Mastodon servers are interoperable as a federated network (users on one server can seamlessly communicate with users from another one, including non-Mastodon software that implements ActivityPub!)
 
 ## Navigation
 
 - [Project homepage 🐘](https://joinmastodon.org)
-- [Support the development via Patreon][patreon]
-- [View sponsors](https://joinmastodon.org/sponsors)
-- [Blog](https://blog.joinmastodon.org)
-- [Documentation](https://docs.joinmastodon.org)
-- [Roadmap](https://joinmastodon.org/roadmap)
-- [Official Docker image](https://github.com/mastodon/mastodon/pkgs/container/mastodon)
-- [Browse Mastodon servers](https://joinmastodon.org/communities)
-- [Browse Mastodon apps](https://joinmastodon.org/apps)
-
-[patreon]: https://www.patreon.com/mastodon
+- [Donate to support development 🎁](https://joinmastodon.org/sponsors#donate)
+  - [View sponsors](https://joinmastodon.org/sponsors)
+- [Blog 📰](https://blog.joinmastodon.org)
+- [Documentation 📚](https://docs.joinmastodon.org)
+- [Official container image 🚢](https://github.com/mastodon/mastodon/pkgs/container/mastodon)
 
 ## Features
 
-<img src="/app/javascript/images/elephant_ui_working.svg?raw=true" align="right" width="30%" />
+<img src="./app/javascript/images/elephant_ui_working.svg?raw=true" align="right" width="30%" />
 
-### No vendor lock-in: Fully interoperable with any conforming platform
+**Part of the Fediverse. Based on open standards, with no vendor lock-in.** - the network goes beyond just Mastodon; anything that implements ActivityPub is part of a broader social network known as [the Fediverse](https://jointhefediverse.net/). You can follow and interact with users on other servers (including those running different software), and they can follow you back.
 
-It doesn't have to be Mastodon; whatever implements ActivityPub is part of the social network! [Learn more](https://blog.joinmastodon.org/2018/06/why-activitypub-is-the-future/)
+**Real-time, chronological timeline updates** - updates of people you're following appear in real-time in the UI.
 
-### Real-time, chronological timeline updates
+**Media attachments** - upload and view images and videos attached to the updates. Videos with no audio track are treated like animated GIFs; normal videos loop continuously.
 
-Updates of people you're following appear in real-time in the UI via WebSockets. There's a firehose view as well!
+**Safety and moderation tools** - Mastodon includes private posts, locked accounts, phrase filtering, muting, blocking, and many other features, along with a reporting and moderation system.
 
-### Media attachments like images and short videos
-
-Upload and view images and WebM/MP4 videos attached to the updates. Videos with no audio track are treated like GIFs; normal videos loop continuously!
-
-### Safety and moderation tools
-
-Mastodon includes private posts, locked accounts, phrase filtering, muting, blocking, and all sorts of other features, along with a reporting and moderation system. [Learn more](https://blog.joinmastodon.org/2018/07/cage-the-mastodon/)
-
-### OAuth2 and a straightforward REST API
-
-Mastodon acts as an OAuth2 provider, so 3rd party apps can use the REST and Streaming APIs. This results in a rich app ecosystem with a lot of choices!
+**OAuth2 and a straightforward REST API** - Mastodon acts as an OAuth2 provider, and third party apps can use the REST and Streaming APIs. This results in a [rich app ecosystem](https://joinmastodon.org/apps) with a variety of choices!
 
 ## Deployment
 
 ### Tech stack
 
-- **Ruby on Rails** powers the REST API and other web pages
-- **React.js** and **Redux** are used for the dynamic parts of the interface
-- **Node.js** powers the streaming API
+- [Ruby on Rails](https://github.com/rails/rails) powers the REST API and other web pages.
+- [PostgreSQL](https://www.postgresql.org/) is the main database.
+- [Redis](https://redis.io/) and [Sidekiq](https://sidekiq.org/) are used for caching and queueing.
+- [Node.js](https://nodejs.org/) powers the streaming API.
+- [React.js](https://reactjs.org/) and [Redux](https://redux.js.org/) are used for the dynamic parts of the interface.
+- [BrowserStack](https://www.browserstack.com/) supports testing on real devices and browsers. (This project is tested with BrowserStack)
+- [Chromatic](https://www.chromatic.com/) provides visual regression testing. (This project is tested with Chromatic)
 
 ### Requirements
 
-- **PostgreSQL** 12+
-- **Redis** 4+
-- **Ruby** 3.1+
-- **Node.js** 18+
+- **Ruby** 3.2+
+- **PostgreSQL** 13+
+- **Redis** 7.0+
+- **Node.js** 20+
 
-The repository includes deployment configurations for **Docker and docker-compose** as well as specific platforms like **Heroku**, and **Scalingo**. For Helm charts, reference the [mastodon/chart repository](https://github.com/mastodon/chart). The [**standalone** installation guide](https://docs.joinmastodon.org/admin/install/) is available in the documentation.
-
-## Development
-
-### Vagrant
-
-A **Vagrant** configuration is included for development purposes. To use it, complete the following steps:
-
-- Install Vagrant and Virtualbox
-- Install the `vagrant-hostsupdater` plugin: `vagrant plugin install vagrant-hostsupdater`
-- Run `vagrant up`
-- Run `vagrant ssh -c "cd /vagrant && bin/dev"`
-- Open `http://mastodon.local` in your browser
-
-### macOS
-
-To set up **macOS** for native development, complete the following steps:
-
-- Install [Homebrew] and run `brew install postgresql@14 redis imagemagick
-libidn nvm` to install the required project dependencies
-- Use a Ruby version manager to activate the ruby in `.ruby-version` and run
-  `nvm use` to activate the node version from `.nvmrc`
-- Run the `bin/setup` script, which will install the required ruby gems and node
-  packages and prepare the database for local development
-- Finally, run the `bin/dev` script which will launch services via `overmind`
-  (if installed) or `foreman`
-
-### Docker
-
-For production hosting and deployment with **Docker**, use the `Dockerfile` and
-`docker-compose.yml` in the project root directory.
-
-For local development, install and launch [Docker], and run:
-
-```shell
-docker compose -f .devcontainer/compose.yaml up -d
-docker compose -f .devcontainer/compose.yaml exec app bin/setup
-docker compose -f .devcontainer/compose.yaml exec app bin/dev
-```
-
-### Dev Containers
-
-Within IDEs that support the [Development Containers] specification, start the
-"Mastodon on local machine" container from the editor. The necessary `docker
-compose` commands to build and setup the container should run automatically. For
-**Visual Studio Code** this requires installing the [Dev Container extension].
-
-### GitHub Codespaces
-
-[GitHub Codespaces] provides a web-based version of VS Code and a cloud hosted
-development environment configured with the software needed for this project.
-
-[![Open in GitHub Codespaces](https://github.com/codespaces/badge.svg)][codespace]
-
-- Click the button to create a new codespace, and confirm the options
-- Wait for the environment to build (takes a few minutes)
-- When the editor is ready, run `bin/dev` in the terminal
-- Wait for an _Open in Browser_ prompt. This will open Mastodon
-- On the _Ports_ tab "stream" setting change _Port visibility_ → _Public_
+This repository includes deployment configurations for **Docker and docker-compose**, as well as for other environments like Heroku and Scalingo. For Helm charts, reference the [mastodon/chart repository](https://github.com/mastodon/chart). A [**standalone** installation guide](https://docs.joinmastodon.org/admin/install/) is available in the main documentation.
 
 ## Contributing
 
-Mastodon is **free, open-source software** licensed under **AGPLv3**.
+Mastodon is **free, open-source software** licensed under **AGPLv3**. We welcome contributions and help from anyone who wants to improve the project.
 
-You can open issues for bugs you've found or features you think are missing. You can also submit pull requests to this repository or submit translations using Crowdin. To get started, take a look at [CONTRIBUTING.md](CONTRIBUTING.md). If your contributions are accepted into Mastodon, you can request to be paid through [our OpenCollective](https://opencollective.com/mastodon).
+You should read the overall [CONTRIBUTING](https://github.com/mastodon/.github/blob/main/CONTRIBUTING.md) guide, which covers our development processes.
 
-**IRC channel**: #mastodon on irc.libera.chat
+You should also read and understand the [CODE OF CONDUCT](https://github.com/mastodon/.github/blob/main/CODE_OF_CONDUCT.md) that enables us to maintain a welcoming and inclusive community. Collaboration begins with mutual respect and understanding.
 
-## License
+You can learn about setting up a development environment in the [DEVELOPMENT](docs/DEVELOPMENT.md) documentation.
 
-Copyright (C) 2016-2024 Eugen Rochko & other Mastodon contributors (see [AUTHORS.md](AUTHORS.md))
+If you would like to help with translations 🌐 you can do so on [Crowdin](https://crowdin.com/project/mastodon).
 
-This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
+## LICENSE
 
-This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details.
+Copyright (c) 2016-2025 Eugen Rochko (+ [`mastodon authors`](AUTHORS.md))
 
-You should have received a copy of the GNU Affero General Public License along with this program. If not, see <https://www.gnu.org/licenses/>.
+Licensed under GNU Affero General Public License as stated in the [LICENSE](LICENSE):
 
-[codespace]: https://codespaces.new/mastodon/mastodon?quickstart=1&devcontainer_path=.devcontainer%2Fcodespaces%2Fdevcontainer.json
-[Dev Container extension]: https://containers.dev/supporting#dev-containers
-[Development Containers]: https://containers.dev/supporting
-[Docker]: https://docs.docker.com
-[GitHub Codespaces]: https://docs.github.com/en/codespaces
-[Homebrew]: https://brew.sh
+```text
+Copyright (c) 2016-2025 Eugen Rochko & other Mastodon contributors
+
+This program is free software: you can redistribute it and/or modify it under
+the terms of the GNU Affero General Public License as published by the Free
+Software Foundation, either version 3 of the License, or (at your option) any
+later version.
+
+This program is distributed in the hope that it will be useful, but WITHOUT
+ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
+details.
+
+You should have received a copy of the GNU Affero General Public License along
+with this program. If not, see https://www.gnu.org/licenses/
+```

Rakefile

@@ -3,6 +3,6 @@
 # Add your own tasks in files placed in lib/tasks ending in .rake,
 # for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
 
-require File.expand_path('config/application', __dir__)
+require_relative 'config/application'
 
 Rails.application.load_tasks

SECURITY.md

@@ -13,8 +13,9 @@ A "vulnerability in Mastodon" is a vulnerability in the code distributed through
 
 ## Supported Versions
 
-| Version | Supported |
-| ------- | --------- |
-| 4.2.x   | Yes       |
-| 4.1.x   | Yes       |
-| < 4.1   | No        |
+| Version | Supported        |
+| ------- | ---------------- |
+| 4.4.x   | Yes              |
+| 4.3.x   | Yes              |
+| 4.2.x   | Until 2026-01-08 |
+| < 4.2   | No               |

Vagrantfile

@@ -54,6 +54,7 @@ sudo apt-get install \
   pkg-config \
   protobuf-compiler \
   zlib1g-dev \
+  libvips42t64 \
   -y
 
 # Install rvm
@@ -134,7 +135,7 @@ VAGRANTFILE_API_VERSION = "2"
 
 Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
 
-  config.vm.box = "ubuntu/focal64"
+  config.vm.box = "bento/ubuntu-24.04"
 
   config.vm.provider :virtualbox do |vb|
     vb.name = "mastodon"
@@ -174,7 +175,7 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
   if config.vm.networks.any? { |type, options| type == :private_network }
     config.vm.synced_folder ".", "/vagrant", type: "nfs", mount_options: ['rw', 'actimeo=1']
   else
-    config.vm.synced_folder ".", "/vagrant"
+    config.vm.synced_folder ".", "/vagrant", type: "rsync", create: true, rsync__args: ["--verbose", "--archive", "--delete", "-z"]
   end
 
   # Otherwise, you can access the site at http://localhost:3000 and http://localhost:4000 , http://localhost:8080

app.json

@@ -17,10 +17,6 @@
       "description": "The secret key base",
       "generator": "secret"
     },
-    "OTP_SECRET": {
-      "description": "One-time password secret",
-      "generator": "secret"
-    },
     "SINGLE_USER_MODE": {
       "description": "Should the instance run in single user mode? (Disable registrations, redirect to front page)",
       "value": "false",

app/chewy/accounts_index.rb

@@ -19,9 +19,16 @@ class AccountsIndex < Chewy::Index
         type: 'stemmer',
         language: 'possessive_english',
       },
+
+      word_joiner: {
+        type: 'shingle',
+        output_unigrams: true,
+        token_separator: '',
+      },
     },
 
     analyzer: {
+      # "The FOOING's bar" becomes "foo bar"
       natural: {
         tokenizer: 'standard',
         filter: %w(
@@ -35,11 +42,20 @@ class AccountsIndex < Chewy::Index
         ),
       },
 
+      # "FOO bar" becomes "foo bar"
       verbatim: {
         tokenizer: 'standard',
         filter: %w(lowercase asciifolding cjk_width),
       },
 
+      # "Foo bar" becomes "foo bar foobar"
+      word_join_analyzer: {
+        type: 'custom',
+        tokenizer: 'standard',
+        filter: %w(lowercase asciifolding cjk_width word_joiner),
+      },
+
+      # "Foo bar" becomes "f fo foo b ba bar"
       edge_ngram: {
         tokenizer: 'edge_ngram',
         filter: %w(lowercase asciifolding cjk_width),

app/controllers/activitypub/collections_controller.rb

@@ -49,7 +49,7 @@ class ActivityPub::CollectionsController < ActivityPub::BaseController
 
   def collection_presenter
     ActivityPub::CollectionPresenter.new(
-      id: account_collection_url(@account, params[:id]),
+      id: ActivityPub::TagManager.instance.collection_uri_for(@account, params[:id]),
       type: @type,
       size: @size,
       items: @items

app/controllers/activitypub/contexts_controller.rb

@@ -0,0 +1,82 @@
+# frozen_string_literal: true
+
+class ActivityPub::ContextsController < ActivityPub::BaseController
+  vary_by -> { 'Signature' if authorized_fetch_mode? }
+
+  before_action :require_account_signature!, if: :authorized_fetch_mode?
+  before_action :set_conversation
+  before_action :set_items
+
+  DESCENDANTS_LIMIT = 60
+
+  def show
+    expires_in 3.minutes, public: public_fetch_mode?
+    render_with_cache json: context_presenter, serializer: ActivityPub::ContextSerializer, adapter: ActivityPub::Adapter, content_type: 'application/activity+json'
+  end
+
+  def items
+    expires_in 3.minutes, public: public_fetch_mode?
+    render_with_cache json: items_collection_presenter, serializer: ActivityPub::CollectionSerializer, adapter: ActivityPub::Adapter, content_type: 'application/activity+json'
+  end
+
+  private
+
+  def account_required?
+    false
+  end
+
+  def set_conversation
+    account_id, status_id = params[:id].split('-')
+    @conversation = Conversation.local.find_by(parent_account_id: account_id, parent_status_id: status_id)
+  end
+
+  def set_items
+    @items = @conversation.statuses.distributable_visibility.paginate_by_min_id(DESCENDANTS_LIMIT, params[:min_id])
+  end
+
+  def context_presenter
+    first_page = ActivityPub::CollectionPresenter.new(
+      id: items_context_url(@conversation, page_params),
+      type: :unordered,
+      part_of: items_context_url(@conversation),
+      next: next_page,
+      items: @items.map { |status| status.local? ? ActivityPub::TagManager.instance.uri_for(status) : status.uri }
+    )
+
+    ActivityPub::ContextPresenter.from_conversation(@conversation).tap do |presenter|
+      presenter.first = first_page
+    end
+  end
+
+  def items_collection_presenter
+    page = ActivityPub::CollectionPresenter.new(
+      id: items_context_url(@conversation, page_params),
+      type: :unordered,
+      part_of: items_context_url(@conversation),
+      next: next_page,
+      items: @items.map { |status| status.local? ? ActivityPub::TagManager.instance.uri_for(status) : status.uri }
+    )
+
+    return page if page_requested?
+
+    ActivityPub::CollectionPresenter.new(
+      id: items_context_url(@conversation),
+      type: :unordered,
+      first: page
+    )
+  end
+
+  def page_requested?
+    truthy_param?(:page)
+  end
+
+  def next_page
+    return nil if @items.size < DESCENDANTS_LIMIT
+
+    items_context_url(@conversation, page: true, min_id: @items.last.id)
+  end
+
+  def page_params
+    params.permit(:page, :min_id)
+  end
+end

app/controllers/activitypub/outboxes_controller.rb

@@ -41,12 +41,8 @@ class ActivityPub::OutboxesController < ActivityPub::BaseController
     end
   end
 
-  def outbox_url(**kwargs)
-    if params[:account_username].present?
-      account_outbox_url(@account, **kwargs)
-    else
-      instance_actor_outbox_url(**kwargs)
-    end
+  def outbox_url(...)
+    ActivityPub::TagManager.instance.outbox_uri_for(@account, ...)
   end
 
   def next_page

app/controllers/activitypub/quote_authorizations_controller.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+class ActivityPub::QuoteAuthorizationsController < ActivityPub::BaseController
+  include Authorization
+
+  vary_by -> { 'Signature' if authorized_fetch_mode? }
+
+  before_action :require_account_signature!, if: :authorized_fetch_mode?
+  before_action :set_quote_authorization
+
+  def show
+    expires_in 30.seconds, public: true if @quote.status.distributable? && public_fetch_mode?
+    render json: @quote, serializer: ActivityPub::QuoteAuthorizationSerializer, adapter: ActivityPub::Adapter, content_type: 'application/activity+json'
+  end
+
+  private
+
+  def pundit_user
+    signed_request_account
+  end
+
+  def set_quote_authorization
+    @quote = Quote.accepted.where(quoted_account: @account).find(params[:id])
+    return not_found unless @quote.status.present? && @quote.quoted_status.present?
+
+    authorize @quote.status, :show?
+  rescue Mastodon::NotPermittedError
+    not_found
+  end
+end

app/controllers/admin/account_actions_controller.rb

@@ -14,16 +14,20 @@ module Admin
     def create
       authorize @account, :show?
 
-      account_action                 = Admin::AccountAction.new(resource_params)
-      account_action.target_account  = @account
-      account_action.current_account = current_account
+      @account_action                 = Admin::AccountAction.new(resource_params)
+      @account_action.target_account  = @account
+      @account_action.current_account = current_account
 
-      account_action.save!
-
-      if account_action.with_report?
-        redirect_to admin_reports_path, notice: I18n.t('admin.reports.processed_msg', id: resource_params[:report_id])
+      if @account_action.save
+        if @account_action.with_report?
+          redirect_to admin_reports_path, notice: I18n.t('admin.reports.processed_msg', id: resource_params[:report_id])
+        else
+          redirect_to admin_account_path(@account.id)
+        end
       else
-        redirect_to admin_account_path(@account.id)
+        @warning_presets = AccountWarningPreset.all
+
+        render :new
       end
     end
 
@@ -34,7 +38,8 @@ module Admin
     end
 
     def resource_params
-      params.require(:admin_account_action).permit(:type, :report_id, :warning_preset_id, :text, :send_email_notification, :include_statuses)
+      params
+        .expect(admin_account_action: [:type, :report_id, :warning_preset_id, :text, :send_email_notification, :include_statuses])
     end
   end
 end

app/controllers/admin/account_moderation_notes_controller.rb

@@ -29,10 +29,8 @@ module Admin
     private
 
     def resource_params
-      params.require(:account_moderation_note).permit(
-        :content,
-        :target_account_id
-      )
+      params
+        .expect(account_moderation_note: [:content, :target_account_id])
     end
 
     def set_account_moderation_note

app/controllers/admin/accounts_controller.rb

@@ -16,11 +16,14 @@ module Admin
     def batch
       authorize :account, :index?
 
-      @form = Form::AccountBatch.new(form_account_batch_params)
-      @form.current_account = current_account
-      @form.action = action_from_button
-      @form.select_all_matching = params[:select_all_matching]
-      @form.query = filtered_accounts
+      @form = Form::AccountBatch.new(
+        form_account_batch_params.merge(
+          action: action_from_button,
+          current_account:,
+          query: filtered_accounts,
+          select_all_matching: params[:select_all_matching]
+        )
+      )
       @form.save
     rescue ActionController::ParameterMissing
       flash[:alert] = I18n.t('admin.accounts.no_account_selected')
@@ -158,7 +161,8 @@ module Admin
     end
 
     def form_account_batch_params
-      params.require(:form_account_batch).permit(:action, account_ids: [])
+      params
+        .expect(form_account_batch: [:action, account_ids: []])
     end
 
     def action_from_button

app/controllers/admin/action_logs_controller.rb

@@ -6,7 +6,7 @@ module Admin
 
     def index
       authorize :audit_log, :index?
-      @auditable_accounts = Account.auditable.select(:id, :username)
+      @auditable_accounts = Account.auditable.select(:id, :username).order(username: :asc)
     end
 
     private

app/controllers/admin/announcements/distributions_controller.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+class Admin::Announcements::DistributionsController < Admin::BaseController
+  before_action :set_announcement
+
+  def create
+    authorize @announcement, :distribute?
+    @announcement.touch(:notification_sent_at)
+    Admin::DistributeAnnouncementNotificationWorker.perform_async(@announcement.id)
+    redirect_to admin_announcements_path
+  end
+
+  private
+
+  def set_announcement
+    @announcement = Announcement.find(params[:announcement_id])
+  end
+end

app/controllers/admin/announcements/previews_controller.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+class Admin::Announcements::PreviewsController < Admin::BaseController
+  before_action :set_announcement
+
+  def show
+    authorize @announcement, :distribute?
+    @user_count = @announcement.scope_for_notification.count
+  end
+
+  private
+
+  def set_announcement
+    @announcement = Announcement.find(params[:announcement_id])
+  end
+end

app/controllers/admin/announcements/tests_controller.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class Admin::Announcements::TestsController < Admin::BaseController
+  before_action :set_announcement
+
+  def create
+    authorize @announcement, :distribute?
+    UserMailer.announcement_published(current_user, @announcement).deliver_later!
+    redirect_to admin_announcements_path
+  end
+
+  private
+
+  def set_announcement
+    @announcement = Announcement.find(params[:announcement_id])
+  end
+end

app/controllers/admin/announcements_controller.rb

@@ -6,6 +6,7 @@ class Admin::AnnouncementsController < Admin::BaseController
 
   def index
     authorize :announcement, :index?
+    @published_announcements_count = Announcement.published.async_count
   end
 
   def new
@@ -83,6 +84,7 @@ class Admin::AnnouncementsController < Admin::BaseController
   end
 
   def resource_params
-    params.require(:announcement).permit(:text, :scheduled_at, :starts_at, :ends_at, :all_day)
+    params
+      .expect(announcement: [:text, :scheduled_at, :starts_at, :ends_at, :all_day])
   end
 end

app/controllers/admin/base_controller.rb

@@ -7,14 +7,14 @@ module Admin
 
     layout 'admin'
 
-    before_action :set_cache_headers
+    before_action :set_referrer_policy_header
 
     after_action :verify_authorized
 
     private
 
-    def set_cache_headers
-      response.cache_control.replace(private: true, no_store: true)
+    def set_referrer_policy_header
+      response.headers['Referrer-Policy'] = 'same-origin'
     end
 
     def set_user

app/controllers/admin/change_emails_controller.rb

@@ -41,9 +41,8 @@ module Admin
     end
 
     def resource_params
-      params.require(:user).permit(
-        :unconfirmed_email
-      )
+      params
+        .expect(user: [:unconfirmed_email])
     end
   end
 end

app/controllers/admin/confirmations_controller.rb

@@ -19,15 +19,13 @@ module Admin
 
       log_action :resend, @user
 
-      flash[:notice] = I18n.t('admin.accounts.resend_confirmation.success')
-      redirect_to admin_accounts_path
+      redirect_to admin_accounts_path, notice: t('admin.accounts.resend_confirmation.success')
     end
 
     private
 
     def redirect_confirmed_user
-      flash[:error] = I18n.t('admin.accounts.resend_confirmation.already_confirmed')
-      redirect_to admin_accounts_path
+      redirect_to admin_accounts_path, flash: { error: t('admin.accounts.resend_confirmation.already_confirmed') }
     end
 
     def user_confirmed?

app/controllers/admin/custom_emojis_controller.rb

@@ -47,7 +47,8 @@ module Admin
     private
 
     def resource_params
-      params.require(:custom_emoji).permit(:shortcode, :image, :visible_in_picker)
+      params
+        .expect(custom_emoji: [:shortcode, :image, :visible_in_picker])
     end
 
     def filtered_custom_emojis
@@ -77,7 +78,8 @@ module Admin
     end
 
     def form_custom_emoji_batch_params
-      params.require(:form_custom_emoji_batch).permit(:action, :category_id, :category_name, custom_emoji_ids: [])
+      params
+        .expect(form_custom_emoji_batch: [:action, :category_id, :category_name, custom_emoji_ids: []])
     end
   end
 end

app/controllers/admin/disputes/appeals_controller.rb

@@ -6,6 +6,7 @@ class Admin::Disputes::AppealsController < Admin::BaseController
   def index
     authorize :appeal, :index?
 
+    @pending_appeals_count = Appeal.pending.async_count
     @appeals = filtered_appeals.page(params[:page])
   end
 
@@ -17,7 +18,7 @@ class Admin::Disputes::AppealsController < Admin::BaseController
   end
 
   def reject
-    authorize @appeal, :approve?
+    authorize @appeal, :reject?
     log_action :reject, @appeal
     @appeal.reject!(current_account)
     UserMailer.appeal_rejected(@appeal.account.user, @appeal).deliver_later

app/controllers/admin/domain_allows_controller.rb

@@ -37,6 +37,7 @@ class Admin::DomainAllowsController < Admin::BaseController
   end
 
   def resource_params
-    params.require(:domain_allow).permit(:domain)
+    params
+      .expect(domain_allow: [:domain])
   end
 end

app/controllers/admin/domain_blocks_controller.rb

@@ -25,7 +25,9 @@ module Admin
     rescue Mastodon::NotPermittedError
       flash[:alert] = I18n.t('admin.domain_blocks.not_permitted')
     else
-      redirect_to admin_instances_path(limited: '1'), notice: I18n.t('admin.domain_blocks.created_msg')
+      flash[:notice] = I18n.t('admin.domain_blocks.created_msg')
+    ensure
+      redirect_to admin_instances_path(limited: '1')
     end
 
     def new
@@ -34,7 +36,7 @@ module Admin
     end
 
     def edit
-      authorize :domain_block, :create?
+      authorize :domain_block, :update?
     end
 
     def create
@@ -114,7 +116,12 @@ module Admin
     end
 
     def form_domain_block_batch_params
-      params.require(:form_domain_block_batch).permit(domain_blocks_attributes: [:enabled, :domain, :severity, :reject_media, :reject_reports, :private_comment, :public_comment, :obfuscate])
+      params
+        .expect(
+          form_domain_block_batch: [
+            domain_blocks_attributes: [[:enabled, :domain, :severity, :reject_media, :reject_reports, :private_comment, :public_comment, :obfuscate]],
+          ]
+        )
     end
 
     def action_from_button
@@ -122,7 +129,7 @@ module Admin
     end
 
     def requires_confirmation?
-      @domain_block.valid? && (@domain_block.new_record? || @domain_block.severity_changed?) && @domain_block.severity.to_s == 'suspend' && !params[:confirm]
+      @domain_block.valid? && (@domain_block.new_record? || @domain_block.severity_changed?) && @domain_block.suspend? && !params[:confirm]
     end
   end
 end

app/controllers/admin/email_domain_blocks_controller.rb

@@ -5,7 +5,7 @@ module Admin
     def index
       authorize :email_domain_block, :index?
 
-      @email_domain_blocks = EmailDomainBlock.where(parent_id: nil).includes(:children).order(id: :desc).page(params[:page])
+      @email_domain_blocks = EmailDomainBlock.parents.includes(:children).order(id: :desc).page(params[:page])
       @form                = Form::EmailDomainBlockBatch.new
     end
 
@@ -58,18 +58,17 @@ module Admin
     private
 
     def set_resolved_records
-      Resolv::DNS.open do |dns|
-        dns.timeouts = 5
-        @resolved_records = dns.getresources(@email_domain_block.domain, Resolv::DNS::Resource::IN::MX).to_a
-      end
+      @resolved_records = DomainResource.new(@email_domain_block.domain).mx
     end
 
     def resource_params
-      params.require(:email_domain_block).permit(:domain, :allow_with_approval, other_domains: [])
+      params
+        .expect(email_domain_block: [:domain, :allow_with_approval, other_domains: []])
     end
 
     def form_email_domain_block_batch_params
-      params.require(:form_email_domain_block_batch).permit(email_domain_block_ids: [])
+      params
+        .expect(form_email_domain_block_batch: [email_domain_block_ids: []])
     end
 
     def action_from_button

app/controllers/admin/export_domain_allows_controller.rb

@@ -49,8 +49,8 @@ module Admin
 
     def export_data
       CSV.generate(headers: export_headers, write_headers: true) do |content|
-        DomainAllow.allowed_domains.each do |instance|
-          content << [instance.domain]
+        DomainAllow.allowed_domains.each do |domain|
+          content << [domain]
         end
       end
     end

app/controllers/admin/fasp/debug/callbacks_controller.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+class Admin::Fasp::Debug::CallbacksController < Admin::BaseController
+  def index
+    authorize [:admin, :fasp, :provider], :update?
+
+    @callbacks = Fasp::DebugCallback
+                 .includes(:fasp_provider)
+                 .order(created_at: :desc)
+  end
+
+  def destroy
+    authorize [:admin, :fasp, :provider], :update?
+
+    callback = Fasp::DebugCallback.find(params[:id])
+    callback.destroy
+
+    redirect_to admin_fasp_debug_callbacks_path
+  end
+end

app/controllers/admin/fasp/debug_calls_controller.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+class Admin::Fasp::DebugCallsController < Admin::BaseController
+  before_action :set_provider
+
+  def create
+    authorize [:admin, @provider], :update?
+
+    @provider.perform_debug_call
+
+    redirect_to admin_fasp_providers_path
+  end
+
+  private
+
+  def set_provider
+    @provider = Fasp::Provider.find(params[:provider_id])
+  end
+end

app/controllers/admin/fasp/providers_controller.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+class Admin::Fasp::ProvidersController < Admin::BaseController
+  before_action :set_provider, only: [:show, :edit, :update, :destroy]
+
+  def index
+    authorize [:admin, :fasp, :provider], :index?
+
+    @providers = Fasp::Provider.order(confirmed: :asc, created_at: :desc)
+  end
+
+  def show
+    authorize [:admin, @provider], :show?
+  end
+
+  def edit
+    authorize [:admin, @provider], :update?
+  end
+
+  def update
+    authorize [:admin, @provider], :update?
+
+    if @provider.update(provider_params)
+      redirect_to admin_fasp_providers_path
+    else
+      render :edit
+    end
+  end
+
+  def destroy
+    authorize [:admin, @provider], :destroy?
+
+    @provider.destroy
+
+    redirect_to admin_fasp_providers_path
+  end
+
+  private
+
+  def provider_params
+    params.expect(fasp_provider: [capabilities_attributes: {}])
+  end
+
+  def set_provider
+    @provider = Fasp::Provider.find(params[:id])
+  end
+end

app/controllers/admin/fasp/registrations_controller.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+class Admin::Fasp::RegistrationsController < Admin::BaseController
+  before_action :set_provider
+
+  def new
+    authorize [:admin, @provider], :create?
+  end
+
+  def create
+    authorize [:admin, @provider], :create?
+
+    @provider.update_info!(confirm: true)
+
+    redirect_to edit_admin_fasp_provider_path(@provider)
+  end
+
+  private
+
+  def set_provider
+    @provider = Fasp::Provider.find(params[:provider_id])
+  end
+end

app/controllers/admin/follow_recommendations_controller.rb

@@ -37,7 +37,8 @@ module Admin
     end
 
     def form_account_batch_params
-      params.require(:form_account_batch).permit(:action, account_ids: [])
+      params
+        .expect(form_account_batch: [:action, account_ids: []])
     end
 
     def filter_params

app/controllers/admin/instances/moderation_notes_controller.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+class Admin::Instances::ModerationNotesController < Admin::BaseController
+  before_action :set_instance, only: [:create]
+  before_action :set_instance_note, only: [:destroy]
+
+  def create
+    authorize :instance_moderation_note, :create?
+
+    @instance_moderation_note = current_account.instance_moderation_notes.new(content: resource_params[:content], domain: @instance.domain)
+
+    if @instance_moderation_note.save
+      redirect_to admin_instance_path(@instance.domain, anchor: helpers.dom_id(@instance_moderation_note)), notice: I18n.t('admin.instances.moderation_notes.created_msg')
+    else
+      @instance_moderation_notes = @instance.moderation_notes.includes(:account).chronological
+      @time_period = (6.days.ago.to_date...Time.now.utc.to_date)
+      @action_logs = Admin::ActionLogFilter.new(target_domain: @instance.domain).results.limit(5)
+
+      render 'admin/instances/show'
+    end
+  end
+
+  def destroy
+    authorize @instance_moderation_note, :destroy?
+    @instance_moderation_note.destroy!
+    redirect_to admin_instance_path(@instance_moderation_note.domain, anchor: 'instance-notes'), notice: I18n.t('admin.instances.moderation_notes.destroyed_msg')
+  end
+
+  private
+
+  def resource_params
+    params
+      .expect(instance_moderation_note: [:content])
+  end
+
+  def set_instance
+    domain = params[:instance_id]&.strip
+    @instance = Instance.find_or_initialize_by(domain: TagManager.instance.normalize_domain(domain))
+  end
+
+  def set_instance_note
+    @instance_moderation_note = InstanceModerationNote.find(params[:id])
+  end
+end

app/controllers/admin/instances_controller.rb

@@ -5,6 +5,8 @@ module Admin
     before_action :set_instances, only: :index
     before_action :set_instance, except: :index
 
+    LOGS_LIMIT = 5
+
     def index
       authorize :instance, :index?
       preload_delivery_failures!
@@ -12,8 +14,11 @@ module Admin
 
     def show
       authorize :instance, :show?
+
+      @instance_moderation_note = @instance.moderation_notes.new
+      @instance_moderation_notes = @instance.moderation_notes.includes(:account).chronological
       @time_period = (6.days.ago.to_date...Time.now.utc.to_date)
-      @action_logs = Admin::ActionLogFilter.new(target_domain: @instance.domain).results.limit(5)
+      @action_logs = Admin::ActionLogFilter.new(target_domain: @instance.domain).results.limit(LOGS_LIMIT)
     end
 
     def destroy
@@ -50,7 +55,8 @@ module Admin
     private
 
     def set_instance
-      @instance = Instance.find_or_initialize_by(domain: TagManager.instance.normalize_domain(params[:id]&.strip))
+      domain = params[:id]&.strip
+      @instance = Instance.find_or_initialize_by(domain: TagManager.instance.normalize_domain(domain))
     end
 
     def set_instances

app/controllers/admin/invites_controller.rb

@@ -32,14 +32,15 @@ module Admin
 
     def deactivate_all
       authorize :invite, :deactivate_all?
-      Invite.available.in_batches.update_all(expires_at: Time.now.utc)
+      Invite.available.in_batches.touch_all(:expires_at)
       redirect_to admin_invites_path
     end
 
     private
 
     def resource_params
-      params.require(:invite).permit(:max_uses, :expires_in)
+      params
+        .expect(invite: [:max_uses, :expires_in])
     end
 
     def filtered_invites

app/controllers/admin/ip_blocks_controller.rb

@@ -44,7 +44,8 @@ module Admin
     private
 
     def resource_params
-      params.require(:ip_block).permit(:ip, :severity, :comment, :expires_in)
+      params
+        .expect(ip_block: [:ip, :severity, :comment, :expires_in])
     end
 
     def action_from_button
@@ -52,7 +53,8 @@ module Admin
     end
 
     def form_ip_block_batch_params
-      params.require(:form_ip_block_batch).permit(ip_block_ids: [])
+      params
+        .expect(form_ip_block_batch: [ip_block_ids: []])
     end
   end
 end

app/controllers/admin/relays_controller.rb

@@ -21,6 +21,7 @@ module Admin
       @relay = Relay.new(resource_params)
 
       if @relay.save
+        log_action :create, @relay
         @relay.enable!
         redirect_to admin_relays_path
       else
@@ -31,18 +32,21 @@ module Admin
     def destroy
       authorize :relay, :update?
       @relay.destroy
+      log_action :destroy, @relay
       redirect_to admin_relays_path
     end
 
     def enable
       authorize :relay, :update?
       @relay.enable!
+      log_action :enable, @relay
       redirect_to admin_relays_path
     end
 
     def disable
       authorize :relay, :update?
       @relay.disable!
+      log_action :disable, @relay
       redirect_to admin_relays_path
     end
 
@@ -53,7 +57,8 @@ module Admin
     end
 
     def resource_params
-      params.require(:relay).permit(:inbox_url)
+      params
+        .expect(relay: [:inbox_url])
     end
 
     def warn_signatures_not_enabled!