Merge pull request #3378 from ClearlyClaire/glitch-soc/merge-4.5

Merge upstream changes up to e8045de79b into stable-4.5

.devcontainer/compose.yaml

@@ -73,7 +73,7 @@ services:
         hard: -1
 
   libretranslate:
-    image: libretranslate/libretranslate:v1.7.3
+    image: libretranslate/libretranslate:v1.6.2
     restart: unless-stopped
     volumes:
       - lt-data:/home/libretranslate/.local

.github/actions/setup-javascript/action.yml

@@ -9,7 +9,7 @@ runs:
   using: 'composite'
   steps:
     - name: Set up Node.js
-      uses: actions/setup-node@v6
+      uses: actions/setup-node@v4
       with:
         node-version-file: '.nvmrc'
 

.github/renovate.json5

@@ -5,6 +5,7 @@
     'customManagers:dockerfileVersions',
     ':labels(dependencies)',
     ':prConcurrentLimitNone', // Remove limit for open PRs at any time.
+    ':prHourlyLimit2', // Rate limit PR creation to a maximum of two per hour.
     ':enableVulnerabilityAlertsWithLabel(security)',
   ],
   rebaseWhen: 'conflicted',
@@ -22,6 +23,8 @@
       // Require Dependency Dashboard Approval for major version bumps of these node packages
       matchManagers: ['npm'],
       matchPackageNames: [
+        'tesseract.js', // Requires code changes
+
         // react-router: Requires manual upgrade
         'history',
         'react-router-dom',

.github/workflows/build-container-image.yml

@@ -35,7 +35,7 @@ jobs:
           - linux/arm64
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
 
       - name: Prepare
         env:
@@ -100,7 +100,7 @@ jobs:
 
       - name: Upload digest
         if: ${{ inputs.push_to_images != '' }}
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
         with:
           # `hashFiles` is used to disambiguate between streaming and non-streaming images
           name: digests-${{ hashFiles(inputs.file_to_build) }}-${{ env.PLATFORM_PAIR }}
@@ -119,10 +119,10 @@ jobs:
       PUSH_TO_IMAGES: ${{ inputs.push_to_images }}
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
 
       - name: Download digests
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v4
         with:
           path: ${{ runner.temp }}/digests
           # `hashFiles` is used to disambiguate between streaming and non-streaming images

.github/workflows/build-push-pr.yml

@@ -18,7 +18,7 @@ jobs:
     steps:
       # Repository needs to be cloned so `git rev-parse` below works
       - name: Clone repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
       - id: version_vars
         run: |
           echo mastodon_version_metadata=pr-${{ github.event.pull_request.number }}-$(git rev-parse --short ${{github.event.pull_request.head.sha}}) >> $GITHUB_OUTPUT

.github/workflows/build-releases.yml

@@ -9,7 +9,44 @@ permissions:
   packages: write
 
 jobs:
+  check-latest-stable:
+    runs-on: ubuntu-latest
+    outputs:
+      latest: ${{ steps.check.outputs.is_latest_stable }}
+    steps:
+      # Repository needs to be cloned to list branches
+      - name: Clone repository
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Check latest stable
+        shell: bash
+        id: check
+        run: |
+          ref="${GITHUB_REF#refs/tags/}"
+
+          if [[ "$ref" =~ ^v([0-9]+)\.([0-9]+)(\.[0-9]+)?$ ]]; then
+            current="${BASH_REMATCH[1]}.${BASH_REMATCH[2]}"
+          else
+            echo "tag $ref is not semver"
+            echo "is_latest_stable=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          latest=$(git for-each-ref --format='%(refname:short)' "refs/remotes/origin/stable-*.*" \
+            | sed -E 's#^origin/stable-##' \
+            | sort -Vr \
+            | head -n1)
+
+          if [[ "$current" == "$latest" ]]; then
+            echo "is_latest_stable=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "is_latest_stable=false" >> "$GITHUB_OUTPUT"
+          fi
+
   build-image:
+    needs: check-latest-stable
     uses: ./.github/workflows/build-container-image.yml
     with:
       file_to_build: Dockerfile
@@ -20,13 +57,14 @@ jobs:
       # Only tag with latest when ran against the latest stable branch
       # This needs to be updated after each minor version release
       flavor: |
-        latest=${{ startsWith(github.ref, 'refs/tags/v4.5.') }}
+        latest=${{ needs.check-latest-stable.outputs.latest }}
       tags: |
         type=pep440,pattern={{raw}}
         type=pep440,pattern=v{{major}}.{{minor}}
     secrets: inherit
 
   build-image-streaming:
+    needs: check-latest-stable
     uses: ./.github/workflows/build-container-image.yml
     with:
       file_to_build: streaming/Dockerfile
@@ -37,7 +75,7 @@ jobs:
       # Only tag with latest when ran against the latest stable branch
       # This needs to be updated after each minor version release
       flavor: |
-        latest=${{ startsWith(github.ref, 'refs/tags/v4.5.') }}
+        latest=${{ needs.check-latest-stable.outputs.latest }}
       tags: |
         type=pep440,pattern={{raw}}
         type=pep440,pattern=v{{major}}.{{minor}}

.github/workflows/bundler-audit.yml

@@ -28,7 +28,7 @@ jobs:
 
     steps:
       - name: Clone repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
 
       - name: Set up Ruby
         uses: ruby/setup-ruby@v1

.github/workflows/check-i18n.yml

@@ -21,7 +21,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
 
       - name: Set up Ruby environment
         uses: ./.github/actions/setup-ruby

.github/workflows/chromatic.yml

@@ -1,51 +1,31 @@
 name: 'Chromatic'
-permissions:
-  contents: read
 
 on:
   push:
     branches-ignore:
       - renovate/*
       - stable-*
+    paths:
+      - 'package.json'
+      - 'yarn.lock'
+      - '**/*.js'
+      - '**/*.jsx'
+      - '**/*.ts'
+      - '**/*.tsx'
+      - '**/*.css'
+      - '**/*.scss'
+      - '.github/workflows/chromatic.yml'
 
 jobs:
-  pathcheck:
-    name: Check for relevant changes
-    runs-on: ubuntu-latest
-    outputs:
-      changed: ${{ steps.filter.outputs.src }}
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v5
-        with:
-          fetch-depth: 0
-
-      - uses: dorny/paths-filter@v3
-        id: filter
-        with:
-          filters: |
-            src:
-              - 'package.json'
-              - 'yarn.lock'
-              - '**/*.js'
-              - '**/*.jsx'
-              - '**/*.ts'
-              - '**/*.tsx'
-              - '**/*.css'
-              - '**/*.scss'
-              - '.github/workflows/chromatic.yml'
-
   chromatic:
     name: Run Chromatic
     runs-on: ubuntu-latest
-    needs: pathcheck
-    if: github.repository == 'mastodon/mastodon' && needs.pathcheck.outputs.changed == 'true'
+    if: github.repository == 'mastodon/mastodon'
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
-
       - name: Set up Javascript environment
         uses: ./.github/actions/setup-javascript
 
@@ -53,10 +33,9 @@ jobs:
         run: yarn build-storybook
 
       - name: Run Chromatic
-        uses: chromaui/action@v13
+        uses: chromaui/action@v12
         with:
+          # ⚠️ Make sure to configure a `CHROMATIC_PROJECT_TOKEN` repository secret
           projectToken: ${{ secrets.CHROMATIC_PROJECT_TOKEN }}
           zip: true
           storybookBuildDir: 'storybook-static'
-          exitZeroOnChanges: false # Fail workflow if changes are found
-          autoAcceptChanges: 'main' # Auto-accept changes on main branch only

.github/workflows/codeql.yml

@@ -31,11 +31,11 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
+        uses: github/codeql-action/init@v3
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -48,7 +48,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, Go, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v4
+        uses: github/codeql-action/autobuild@v3
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -61,6 +61,6 @@ jobs:
       #   ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4
+        uses: github/codeql-action/analyze@v3
         with:
           category: '/language:${{matrix.language}}'

.github/workflows/crowdin-download-stable.yml

@@ -13,7 +13,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
 
       - name: Increase Git http.postBuffer
         # This is needed due to a bug in Ubuntu's cURL version?

.github/workflows/crowdin-download.yml

@@ -15,7 +15,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
 
       - name: Increase Git http.postBuffer
         # This is needed due to a bug in Ubuntu's cURL version?

.github/workflows/crowdin-upload.yml

@@ -23,7 +23,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
 
       - name: crowdin action
         uses: crowdin/github-action@v2

.github/workflows/format-check.yml

@@ -13,7 +13,7 @@ jobs:
 
     steps:
       - name: Clone repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
 
       - name: Set up Javascript environment
         uses: ./.github/actions/setup-javascript

.github/workflows/lint-css.yml

@@ -34,7 +34,7 @@ jobs:
 
     steps:
       - name: Clone repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
 
       - name: Set up Javascript environment
         uses: ./.github/actions/setup-javascript

.github/workflows/lint-haml.yml

@@ -33,7 +33,7 @@ jobs:
 
     steps:
       - name: Clone repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
 
       - name: Set up Ruby
         uses: ruby/setup-ruby@v1

.github/workflows/lint-js.yml

@@ -38,7 +38,7 @@ jobs:
 
     steps:
       - name: Clone repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
 
       - name: Set up Javascript environment
         uses: ./.github/actions/setup-javascript

.github/workflows/lint-ruby.yml

@@ -35,7 +35,7 @@ jobs:
 
     steps:
       - name: Clone repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
 
       - name: Set up Ruby
         uses: ruby/setup-ruby@v1

.github/workflows/test-js.yml

@@ -34,7 +34,7 @@ jobs:
 
     steps:
       - name: Clone repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
 
       - name: Set up Javascript environment
         uses: ./.github/actions/setup-javascript

.github/workflows/test-migrations.yml

@@ -72,7 +72,7 @@ jobs:
       BUNDLE_RETRY: 3
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
 
       - name: Set up Ruby environment
         uses: ./.github/actions/setup-ruby

.github/workflows/test-ruby.yml

@@ -32,7 +32,7 @@ jobs:
       SECRET_KEY_BASE_DUMMY: 1
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
 
       - name: Set up Ruby environment
         uses: ./.github/actions/setup-ruby
@@ -65,7 +65,7 @@ jobs:
         run: |
           tar --exclude={"*.br","*.gz"} -zcf artifacts.tar.gz public/assets public/packs* tmp/cache/vite/last-build*.json
 
-      - uses: actions/upload-artifact@v5
+      - uses: actions/upload-artifact@v4
         if: matrix.mode == 'test'
         with:
           path: |-
@@ -128,9 +128,9 @@ jobs:
           - '3.3'
           - '.ruby-version'
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
 
-      - uses: actions/download-artifact@v6
+      - uses: actions/download-artifact@v4
         with:
           path: './'
           name: ${{ github.sha }}
@@ -230,9 +230,9 @@ jobs:
           - '3.3'
           - '.ruby-version'
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
 
-      - uses: actions/download-artifact@v6
+      - uses: actions/download-artifact@v4
         with:
           path: './'
           name: ${{ github.sha }}
@@ -309,9 +309,9 @@ jobs:
           - '.ruby-version'
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
 
-      - uses: actions/download-artifact@v6
+      - uses: actions/download-artifact@v4
         with:
           path: './'
           name: ${{ github.sha }}
@@ -350,14 +350,14 @@ jobs:
       - run: bin/rspec spec/system --tag streaming --tag js
 
       - name: Archive logs
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
         if: failure()
         with:
           name: e2e-logs-${{ matrix.ruby-version }}
           path: log/
 
       - name: Archive test screenshots
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
         if: failure()
         with:
           name: e2e-screenshots-${{ matrix.ruby-version }}
@@ -447,9 +447,9 @@ jobs:
             search-image: opensearchproject/opensearch:2
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
 
-      - uses: actions/download-artifact@v6
+      - uses: actions/download-artifact@v4
         with:
           path: './'
           name: ${{ github.sha }}
@@ -469,14 +469,14 @@ jobs:
       - run: bin/rspec --tag search
 
       - name: Archive logs
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
         if: failure()
         with:
           name: test-search-logs-${{ matrix.ruby-version }}
           path: log/
 
       - name: Archive test screenshots
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
         if: failure()
         with:
           name: test-search-screenshots

.nvmrc

@@ -1 +1 @@
-24.11
+24.10

.prettierignore

@@ -95,7 +95,6 @@ AUTHORS.md
 
 # Ignore glitch-soc vendored CSS reset
 app/javascript/flavours/glitch/styles/reset.scss
-app/javascript/flavours/glitch/styles_new/mastodon/reset.scss
 
 # Ignore win95 theme
 app/javascript/styles/win95.scss

.storybook/main.ts

@@ -31,7 +31,7 @@ const config: StorybookConfig = {
   viteFinal(config) {
     // For an unknown reason, Storybook does not use the root
     // from the Vite config so we need to set it manually.
-    config.root = resolve(import.meta.dirname, '../app/javascript');
+    config.root = resolve(__dirname, '../app/javascript');
     return config;
   },
 };

.storybook/preview-body.html

@@ -1,2 +1,2 @@
-<html class="no-reduce-motion theme-light">
+<html class="no-reduce-motion">
 </html>

.storybook/static/mockServiceWorker.js

@@ -7,7 +7,7 @@
  * - Please do NOT modify this file.
  */
 
-const PACKAGE_VERSION = '2.12.1'
+const PACKAGE_VERSION = '2.11.3'
 const INTEGRITY_CHECKSUM = '4db4a41e972cec1b64cc569c66952d82'
 const IS_MOCKED_RESPONSE = Symbol('isMockedResponse')
 const activeClientIds = new Set()
@@ -205,7 +205,6 @@ async function resolveMainClient(event) {
  * @param {FetchEvent} event
  * @param {Client | undefined} client
  * @param {string} requestId
- * @param {number} requestInterceptedAt
  * @returns {Promise<Response>}
  */
 async function getResponse(event, client, requestId, requestInterceptedAt) {

.yarn/patches/babel-plugin-lodash-npm-3.3.4-c7161075b6.patch

@@ -0,0 +1,13 @@
+diff --git a/lib/index.js b/lib/index.js
+index 16ed6be8be8f555cc99096c2ff60954b42dc313d..d009c069770d066ad0db7ad02de1ea473a29334e 100644
+--- a/lib/index.js
++++ b/lib/index.js
+@@ -99,7 +99,7 @@ function lodash(_ref) {
+ 
+         var node = _ref3;
+ 
+-        if ((0, _types.isModuleDeclaration)(node)) {
++        if ((0, _types.isImportDeclaration)(node)  || (0, _types.isExportDeclaration)(node)) {
+           isModule = true;
+           break;
+         }

AUTHORS.md

@@ -538,7 +538,7 @@ and provided thanks to the work of the following contributors:
 * [Drew Schuster](mailto:dtschust@gmail.com)
 * [Dryusdan](mailto:dryusdan@dryusdan.fr)
 * [Eai](mailto:eai@mizle.net)
-* [Eashwar Ranganathan](mailto:eashwar@eashwar.com)
+* [Eashwar Ranganathan](mailto:eranganathan@lyft.com)
 * [Ed Knutson](mailto:knutsoned@gmail.com)
 * [Elizabeth Martín Campos](mailto:me@elizabeth.sh)
 * [Elizabeth Myers](mailto:elizabeth@interlinked.me)

CHANGELOG.md

@@ -2,6 +2,77 @@
 
 All notable changes to this project will be documented in this file.
 
+## [4.5.6] - 2026-02-03
+
+### Security
+
+- Fix ActivityPub collection caching logic for pinned posts and featured tags not checking blocked accounts ([GHSA-ccpr-m53r-mfwr](https://github.com/mastodon/mastodon/security/advisories/GHSA-ccpr-m53r-mfwr))
+
+### Changed
+
+- Shorten caching of quote posts pending approval (#37570 and #37592 by @ClearlyClaire)
+
+### Fixed
+
+- Fix relationship cache not being cleared when handling account migrations (#37664 by @ClearlyClaire)
+- Fix quote cancel button not appearing after edit then delete-and-redraft (#37066 by @PGrayCS)
+- Fix followers with profile subscription (bell icon) being notified of post edits (#37646 by @ClearlyClaire)
+- Fix error when encountering invalid tag in updated object (#37635 by @ClearlyClaire)
+- Fix cross-server conversation tracking (#37559 by @ClearlyClaire)
+- Fix recycled connections not being immediately closed (#37335 and #37674 by @ClearlyClaire and @shleeable)
+
+## [4.5.5] - 2026-01-20
+
+### Security
+
+- Fix missing limits on various federated properties [GHSA-gg8q-rcg7-p79g](https://github.com/mastodon/mastodon/security/advisories/GHSA-gg8q-rcg7-p79g)
+- Fix remote user suspension bypass [GHSA-5h2f-wg8j-xqwp](https://github.com/mastodon/mastodon/security/advisories/GHSA-5h2f-wg8j-xqwp)
+- Fix missing length limits on some user-provided fields [GHSA-6x3w-9g92-gvf3](https://github.com/mastodon/mastodon/security/advisories/GHSA-6x3w-9g92-gvf3)
+- Fix missing access check for push notification settings update [GHSA-f3q8-7vw3-69v4](https://github.com/mastodon/mastodon/security/advisories/GHSA-f3q8-7vw3-69v4)
+
+### Changed
+
+- Skip tombstone creation on deleting from 404 (#37533 by @ClearlyClaire)
+
+### Fixed
+
+- Fix potential duplicate handling of quote accept/reject/delete (#37537 by @ClearlyClaire)
+- Fix `FeedManager#filter_from_home` error when handling a reblog of a deleted status (#37486 by @ClearlyClaire)
+- Fix needlessly complicated SQL query in status batch removal (#37469 by @ClearlyClaire)
+- Fix `quote_approval_policy` being reset to user defaults when omitted in status update (#37436 and #37474 by @mjankowski and @shleeable)
+- Fix `Vary` parsing in cache control enforcement (#37426 by @MegaManSec)
+- Fix missing URI scheme test in `QuoteRequest` handling (#37425 by @MegaManSec)
+- Fix thread-unsafe ActivityPub activity dispatch (#37423 by @MegaManSec)
+- Fix URI generation for reblogs by accounts with numerical ActivityPub identifiers (#37415 by @oneiros)
+- Fix SignatureParser accepting duplicate parameters in HTTP Signature header (#37375 by @shleeable)
+- Fix emoji with variant selector not being rendered properly (#37320 by @ChaosExAnima)
+- Fix mobile admin sidebar displaying under batch table toolbar (#37307 by @diondiondion)
+
+## [4.5.4] - 2026-01-07
+
+### Security
+
+- Fix SSRF protection bypass ([GHSA](https://github.com/mastodon/mastodon/security/advisories/GHSA-xfrj-c749-jxxq))
+- Fix missing ownership check in severed relationships controller ([GHSA](https://github.com/mastodon/mastodon/security/advisories/GHSA-ww85-x9cp-5v24))
+
+### Changed
+
+- Change HTTP Signature verification status from 401 to 503 on temporary failure to get remote actor (#37221 by @ClearlyClaire)
+
+### Fixed
+
+- Fix custom emojis not being rendered in profile fields (#37365 by @ClearlyClaire)
+- Fix serialization of context pages (#37376 by @ClearlyClaire)
+- Fix quotes with CWs but no text not having fallback link (#37361 by @ClearlyClaire)
+- Fix outdated link target for “locked” warning (#37366 by @ClearlyClaire)
+- Fix local custom emojis sometimes being rendered in remote posts (#37284 by @ChaosExAnima)
+- Fix some assets not being loaded from configured CDN (#37310 by @ChaosExAnima)
+- Fix notifications page error in Tor browser (#37285 by @diondiondion)
+- Fix custom emojis not being displayed in CWs and fav/boost notifications (#37272 and #37306 by @ChaosExAnima and @ClearlyClaire)
+- Fix default `Admin` role not including `view_feeds` permission (#37301 by @ClearlyClaire)
+- Fix hashtag autocomplete replacing suggestion's first characters with input (#37281 by @ClearlyClaire)
+- Fix mentions of domain-blocked users being processed (#37257 by @ClearlyClaire)
+
 ## [4.5.3] - 2025-12-08
 
 ### Security

FEDERATION.md

@@ -48,3 +48,22 @@ Mastodon requires all `POST` requests to be signed, and MAY require `GET` reques
 ### Additional documentation
 
 - [Mastodon documentation](https://docs.joinmastodon.org/)
+
+## Size limits
+
+Mastodon imposes a few hard limits on federated content.
+These limits are intended to be very generous and way above what the Mastodon user experience is optimized for, so as to accomodate future changes and unusual or unforeseen usage patterns, while still providing some limits for performance reasons.
+The following table attempts to summary those limits.
+
+| Limited property                                              | Size limit | Consequence of exceeding the limit |
+| ------------------------------------------------------------- | ---------- | ---------------------------------- |
+| Serialized JSON-LD                                            | 1MB        | **Activity is rejected/dropped**   |
+| Profile fields (actor `PropertyValue` attachments) name/value | 2047       | Field name/value is truncated      |
+| Number of profile fields (actor `PropertyValue` attachments)  | 50         | Fields list is truncated           |
+| Poll options (number of `anyOf`/`oneOf` in a `Question`)      | 500        | Items list is truncated            |
+| Account username (actor `preferredUsername`) length           | 2048       | **Actor will be rejected**         |
+| Account display name (actor `name`) length                    | 2048       | Display name will be truncated     |
+| Account note (actor `summary`) length                         | 20kB       | Account note will be truncated     |
+| Account `attributionDomains`                                  | 256        | List will be truncated             |
+| Account aliases (actor `alsoKnownAs`)                         | 256        | List will be truncated             |
+| Custom emoji shortcode (`Emoji` `name`)                       | 2048       | Emoji will be rejected             |

Gemfile

@@ -13,7 +13,7 @@ gem 'haml-rails', '~>3.0'
 gem 'pg', '~> 1.5'
 gem 'pghero'
 
-gem 'aws-sdk-core', require: false
+gem 'aws-sdk-core', '< 3.216.0', require: false # TODO: https://github.com/mastodon/mastodon/pull/34173#issuecomment-2733378873
 gem 'aws-sdk-s3', '~> 1.123', require: false
 gem 'blurhash', '~> 0.1'
 gem 'fog-core', '<= 2.6.0'
@@ -24,7 +24,7 @@ gem 'ruby-vips', '~> 2.2', require: false
 
 gem 'active_model_serializers', '~> 0.10'
 gem 'addressable', '~> 2.8'
-gem 'bootsnap', '~> 1.19.0', require: false
+gem 'bootsnap', '~> 1.18.0', require: false
 gem 'browser'
 gem 'charlock_holmes', '~> 0.7.7'
 gem 'chewy', '~> 7.3'
@@ -40,7 +40,7 @@ gem 'net-ldap', '~> 0.18'
 gem 'omniauth', '~> 2.0'
 gem 'omniauth-cas', '~> 3.0.0.beta.1'
 gem 'omniauth_openid_connect', '~> 0.8.0'
-gem 'omniauth-rails_csrf_protection', '~> 2.0'
+gem 'omniauth-rails_csrf_protection', '~> 1.0'
 gem 'omniauth-saml', '~> 2.0'
 
 gem 'color_diff', '~> 0.1'
@@ -71,7 +71,7 @@ gem 'oj', '~> 3.14'
 gem 'ox', '~> 2.14'
 gem 'parslet'
 gem 'premailer-rails'
-gem 'public_suffix', '~> 7.0'
+gem 'public_suffix', '~> 6.0'
 gem 'pundit', '~> 2.3'
 gem 'rack-attack', '~> 6.6'
 gem 'rack-cors', require: 'rack/cors'
@@ -114,7 +114,7 @@ group :opentelemetry do
   gem 'opentelemetry-instrumentation-http', '~> 0.27.0', require: false
   gem 'opentelemetry-instrumentation-http_client', '~> 0.26.0', require: false
   gem 'opentelemetry-instrumentation-net_http', '~> 0.26.0', require: false
-  gem 'opentelemetry-instrumentation-pg', '~> 0.34.0', require: false
+  gem 'opentelemetry-instrumentation-pg', '~> 0.32.0', require: false
   gem 'opentelemetry-instrumentation-rack', '~> 0.29.0', require: false
   gem 'opentelemetry-instrumentation-rails', '~> 0.39.0', require: false
   gem 'opentelemetry-instrumentation-redis', '~> 0.28.0', require: false
@@ -138,7 +138,7 @@ group :test do
   # Browser integration testing
   gem 'capybara', '~> 3.39'
   gem 'capybara-playwright-driver'
-  gem 'playwright-ruby-client', '1.56.0', require: false # Pinning the exact version as it needs to be kept in sync with the installed npm package
+  gem 'playwright-ruby-client', '1.55.0', require: false # Pinning the exact version as it needs to be kept in sync with the installed npm package
 
   # Used to reset the database between system tests
   gem 'database_cleaner-active_record'

Gemfile.lock

@@ -86,8 +86,8 @@ GEM
       securerandom (>= 0.3)
       tzinfo (~> 2.0, >= 2.0.5)
       uri (>= 0.13.1)
-    addressable (2.8.8)
-      public_suffix (>= 2.0.2, < 8.0)
+    addressable (2.8.7)
+      public_suffix (>= 2.0.2, < 7.0)
     aes_key_wrap (1.1.0)
     android_key_attestation (0.3.0)
     annotaterb (4.20.0)
@@ -96,20 +96,17 @@ GEM
     ast (2.4.3)
     attr_required (1.0.2)
     aws-eventstream (1.4.0)
-    aws-partitions (1.1190.0)
-    aws-sdk-core (3.239.2)
+    aws-partitions (1.1168.0)
+    aws-sdk-core (3.215.1)
       aws-eventstream (~> 1, >= 1.3.0)
       aws-partitions (~> 1, >= 1.992.0)
       aws-sigv4 (~> 1.9)
-      base64
-      bigdecimal
       jmespath (~> 1, >= 1.6.1)
-      logger
-    aws-sdk-kms (1.118.0)
-      aws-sdk-core (~> 3, >= 3.239.1)
+    aws-sdk-kms (1.96.0)
+      aws-sdk-core (~> 3, >= 3.210.0)
       aws-sigv4 (~> 1.5)
-    aws-sdk-s3 (1.206.0)
-      aws-sdk-core (~> 3, >= 3.234.0)
+    aws-sdk-s3 (1.177.0)
+      aws-sdk-core (~> 3, >= 3.210.0)
       aws-sdk-kms (~> 1)
       aws-sigv4 (~> 1.5)
     aws-sigv4 (1.12.1)
@@ -129,14 +126,14 @@ GEM
     binding_of_caller (1.0.1)
       debug_inspector (>= 1.2.0)
     blurhash (0.1.8)
-    bootsnap (1.19.0)
+    bootsnap (1.18.6)
       msgpack (~> 1.2)
     brakeman (7.1.1)
       racc
     browser (6.2.0)
     builder (3.3.0)
-    bundler-audit (0.9.3)
-      bundler (>= 1.2.0)
+    bundler-audit (0.9.2)
+      bundler (>= 1.2.0, < 3)
       thor (~> 1.0)
     capybara (3.40.0)
       addressable
@@ -167,7 +164,7 @@ GEM
     cocoon (1.2.15)
     color_diff (0.1)
     concurrent-ruby (1.3.5)
-    connection_pool (2.5.5)
+    connection_pool (2.5.4)
     cose (1.3.1)
       cbor (~> 0.5.9)
       openssl-signature_algorithm (~> 1.0)
@@ -182,7 +179,7 @@ GEM
       activerecord (>= 5.a)
       database_cleaner-core (~> 2.0)
     database_cleaner-core (2.0.1)
-    date (3.5.0)
+    date (3.4.1)
     debug (1.11.0)
       irb (~> 1.10)
       reline (>= 0.3.8)
@@ -234,7 +231,7 @@ GEM
     excon (1.3.0)
       logger
     fabrication (3.0.0)
-    faker (3.5.3)
+    faker (3.5.2)
       i18n (>= 1.8.11, < 2)
     faraday (2.14.0)
       faraday-net_http (>= 2.0, < 3.5)
@@ -282,7 +279,7 @@ GEM
       rake (>= 13)
     googleapis-common-protos-types (1.22.0)
       google-protobuf (~> 4.26)
-    haml (6.4.0)
+    haml (6.3.0)
       temple (>= 0.8.2)
       thor
       tilt
@@ -291,7 +288,7 @@ GEM
       activesupport (>= 5.1)
       haml (>= 4.0.6)
       railties (>= 5.1)
-    haml_lint (0.67.0)
+    haml_lint (0.66.0)
       haml (>= 5.0)
       parallel (~> 1.10)
       rainbow
@@ -304,8 +301,8 @@ GEM
     highline (3.1.2)
       reline
     hiredis (0.6.3)
-    hiredis-client (0.26.2)
-      redis-client (= 0.26.2)
+    hiredis-client (0.26.1)
+      redis-client (= 0.26.1)
     hkdf (0.3.0)
     htmlentities (4.3.4)
     http (5.3.1)
@@ -324,14 +321,13 @@ GEM
       rainbow (>= 2.0.0)
     i18n (1.14.7)
       concurrent-ruby (~> 1.0)
-    i18n-tasks (1.1.2)
+    i18n-tasks (1.0.15)
       activesupport (>= 4.0.2)
       ast (>= 2.1.0)
       erubi
-      highline (>= 3.0.0)
+      highline (>= 2.0.0)
       i18n
       parser (>= 3.2.2.1)
-      prism
       rails-i18n
       rainbow (>= 2.2.2, < 4.0)
       ruby-progressbar (~> 1.8, >= 1.8.1)
@@ -350,7 +346,7 @@ GEM
       azure-blob (~> 0.5.2)
       hashie (~> 5.0)
     jmespath (1.6.2)
-    json (2.16.0)
+    json (2.15.1)
     json-canonicalization (1.0.0)
     json-jwt (1.17.0)
       activesupport (>= 4.2)
@@ -447,7 +443,7 @@ GEM
     mime-types-data (3.2025.0924)
     mini_mime (1.1.5)
     mini_portile2 (2.8.9)
-    minitest (5.26.2)
+    minitest (5.26.0)
     msgpack (1.8.0)
     multi_json (1.17.0)
     mutex_m (0.3.0)
@@ -469,7 +465,7 @@ GEM
     nokogiri (1.18.10)
       mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
-    oj (3.16.13)
+    oj (3.16.11)
       bigdecimal (>= 3.0)
       ostruct (>= 0.2)
     omniauth (2.1.4)
@@ -481,7 +477,7 @@ GEM
       addressable (~> 2.8)
       nokogiri (~> 1.12)
       omniauth (~> 2.1)
-    omniauth-rails_csrf_protection (2.0.0)
+    omniauth-rails_csrf_protection (1.0.2)
       actionpack (>= 4.2)
       omniauth (~> 2.0)
     omniauth-saml (2.2.4)
@@ -516,9 +512,9 @@ GEM
       opentelemetry-common (~> 0.20)
       opentelemetry-sdk (~> 1.10)
       opentelemetry-semantic_conventions
-    opentelemetry-helpers-sql (0.3.0)
+    opentelemetry-helpers-sql (0.2.0)
       opentelemetry-api (~> 1.7)
-    opentelemetry-helpers-sql-processor (0.3.1)
+    opentelemetry-helpers-sql-obfuscation (0.4.0)
       opentelemetry-common (~> 0.21)
     opentelemetry-instrumentation-action_mailer (0.6.1)
       opentelemetry-instrumentation-active_support (~> 0.10)
@@ -542,19 +538,19 @@ GEM
       opentelemetry-registry (~> 0.1)
     opentelemetry-instrumentation-concurrent_ruby (0.24.0)
       opentelemetry-instrumentation-base (~> 0.25)
-    opentelemetry-instrumentation-excon (0.26.1)
+    opentelemetry-instrumentation-excon (0.26.0)
       opentelemetry-instrumentation-base (~> 0.25)
-    opentelemetry-instrumentation-faraday (0.30.1)
+    opentelemetry-instrumentation-faraday (0.30.0)
       opentelemetry-instrumentation-base (~> 0.25)
-    opentelemetry-instrumentation-http (0.27.1)
+    opentelemetry-instrumentation-http (0.27.0)
       opentelemetry-instrumentation-base (~> 0.25)
-    opentelemetry-instrumentation-http_client (0.26.1)
+    opentelemetry-instrumentation-http_client (0.26.0)
       opentelemetry-instrumentation-base (~> 0.25)
-    opentelemetry-instrumentation-net_http (0.26.1)
+    opentelemetry-instrumentation-net_http (0.26.0)
       opentelemetry-instrumentation-base (~> 0.25)
-    opentelemetry-instrumentation-pg (0.34.1)
+    opentelemetry-instrumentation-pg (0.32.0)
       opentelemetry-helpers-sql
-      opentelemetry-helpers-sql-processor
+      opentelemetry-helpers-sql-obfuscation
       opentelemetry-instrumentation-base (~> 0.25)
     opentelemetry-instrumentation-rack (0.29.0)
       opentelemetry-instrumentation-base (~> 0.25)
@@ -569,7 +565,7 @@ GEM
       opentelemetry-instrumentation-concurrent_ruby (~> 0.23)
     opentelemetry-instrumentation-redis (0.28.0)
       opentelemetry-instrumentation-base (~> 0.25)
-    opentelemetry-instrumentation-sidekiq (0.28.1)
+    opentelemetry-instrumentation-sidekiq (0.28.0)
       opentelemetry-instrumentation-base (~> 0.25)
     opentelemetry-registry (0.4.0)
       opentelemetry-api (~> 1.1)
@@ -585,7 +581,7 @@ GEM
     ox (2.14.23)
       bigdecimal (>= 3.0)
     parallel (1.27.0)
-    parser (3.3.10.0)
+    parser (3.3.9.0)
       ast (~> 2.4.1)
       racc
     parslet (2.0.0)
@@ -594,7 +590,7 @@ GEM
     pg (1.6.2)
     pghero (3.7.0)
       activerecord (>= 7.1)
-    playwright-ruby-client (1.56.0)
+    playwright-ruby-client (1.55.0)
       concurrent-ruby (>= 1.1.6)
       mime-types (>= 3.0)
     pp (0.6.3)
@@ -608,8 +604,8 @@ GEM
       net-smtp
       premailer (~> 1.7, >= 1.7.9)
     prettyprint (0.2.0)
-    prism (1.6.0)
-    prometheus_exporter (2.3.1)
+    prism (1.5.2)
+    prometheus_exporter (2.3.0)
       webrick
     propshaft (1.3.1)
       actionpack (>= 7.0.0)
@@ -618,7 +614,7 @@ GEM
     psych (5.2.6)
       date
       stringio
-    public_suffix (7.0.0)
+    public_suffix (6.0.2)
     puma (7.1.0)
       nio4r (~> 2.0)
     pundit (2.5.2)
@@ -638,7 +634,7 @@ GEM
       faraday-follow_redirects
       json-jwt (>= 1.11.0)
       rack (>= 2.1.0)
-    rack-protection (4.2.1)
+    rack-protection (4.1.1)
       base64 (>= 0.1.0)
       logger (>= 1.6.0)
       rack (>= 3.0.0, < 4)
@@ -672,7 +668,7 @@ GEM
     rails-html-sanitizer (1.6.2)
       loofah (~> 2.21)
       nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
-    rails-i18n (8.1.0)
+    rails-i18n (8.0.2)
       i18n (>= 0.7, < 2)
       railties (>= 8.0.0, < 9)
     railties (8.0.3)
@@ -685,7 +681,7 @@ GEM
       tsort (>= 0.2)
       zeitwerk (~> 2.6)
     rainbow (3.1.1)
-    rake (13.3.1)
+    rake (13.3.0)
     rdf (3.3.4)
       bcp47_spec (~> 0.2)
       bigdecimal (~> 3.1, >= 3.1.5)
@@ -703,10 +699,10 @@ GEM
       reline
     redcarpet (3.6.1)
     redis (4.8.1)
-    redis-client (0.26.2)
+    redis-client (0.26.1)
       connection_pool
     regexp_parser (2.11.3)
-    reline (0.6.3)
+    reline (0.6.2)
       io-console (~> 0.5)
     request_store (1.7.0)
       rack (>= 1.4)
@@ -717,10 +713,10 @@ GEM
     rotp (6.3.0)
     rouge (4.6.1)
     rpam2 (4.0.2)
-    rqrcode (3.1.1)
+    rqrcode (3.1.0)
       chunky_png (~> 1.0)
       rqrcode_core (~> 2.0)
-    rqrcode_core (2.0.1)
+    rqrcode_core (2.0.0)
     rspec (3.13.1)
       rspec-core (~> 3.13.0)
       rspec-expectations (~> 3.13.0)
@@ -749,7 +745,7 @@ GEM
       rspec-mocks (~> 3.0)
       sidekiq (>= 5, < 9)
     rspec-support (3.13.6)
-    rubocop (1.81.7)
+    rubocop (1.81.6)
       json (~> 2.3)
       language_server-protocol (~> 3.17.0.2)
       lint_roller (~> 1.1.0)
@@ -760,7 +756,7 @@ GEM
       rubocop-ast (>= 1.47.1, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 2.4.0, < 4.0)
-    rubocop-ast (1.48.0)
+    rubocop-ast (1.47.1)
       parser (>= 3.3.7.2)
       prism (~> 1.4)
     rubocop-capybara (2.22.1)
@@ -779,10 +775,10 @@ GEM
       rack (>= 1.1)
       rubocop (>= 1.75.0, < 2.0)
       rubocop-ast (>= 1.44.0, < 2.0)
-    rubocop-rspec (3.8.0)
+    rubocop-rspec (3.7.0)
       lint_roller (~> 1.1)
-      rubocop (~> 1.81)
-    rubocop-rspec_rails (2.32.0)
+      rubocop (~> 1.72, >= 1.72.1)
+    rubocop-rspec_rails (2.31.0)
       lint_roller (~> 1.1)
       rubocop (~> 1.72, >= 1.72.1)
       rubocop-rspec (~> 3.5)
@@ -807,9 +803,9 @@ GEM
       activerecord (>= 4.0.0)
       railties (>= 4.0.0)
     securerandom (0.4.1)
-    shoulda-matchers (7.0.1)
-      activesupport (>= 7.1)
-    sidekiq (8.0.10)
+    shoulda-matchers (6.5.0)
+      activesupport (>= 5.2.0)
+    sidekiq (8.0.9)
       connection_pool (>= 2.5.0)
       json (>= 2.9.0)
       logger (>= 1.6.2)
@@ -839,9 +835,9 @@ GEM
     stackprof (0.2.27)
     starry (0.2.0)
       base64
-    stoplight (5.6.0)
+    stoplight (5.4.0)
       zeitwerk
-    stringio (3.1.8)
+    stringio (3.1.7)
     strong_migrations (2.5.1)
       activerecord (>= 7.1)
     swd (2.0.3)
@@ -855,7 +851,7 @@ GEM
       unicode-display_width (>= 1.1.1, < 4)
     terrapin (1.1.1)
       climate_control
-    test-prof (1.5.0)
+    test-prof (1.4.4)
     thor (1.4.0)
     tilt (2.6.1)
     timeout (0.4.3)
@@ -887,7 +883,7 @@ GEM
     unicode-display_width (3.2.0)
       unicode-emoji (~> 4.1)
     unicode-emoji (4.1.0)
-    uri (1.1.1)
+    uri (1.0.4)
     useragent (0.16.11)
     validate_url (1.0.15)
       activemodel (>= 3.0.0)
@@ -915,7 +911,7 @@ GEM
       activesupport
       faraday (~> 2.0)
       faraday-follow_redirects
-    webmock (3.26.1)
+    webmock (3.26.0)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
@@ -937,12 +933,12 @@ DEPENDENCIES
   active_model_serializers (~> 0.10)
   addressable (~> 2.8)
   annotaterb (~> 4.13)
-  aws-sdk-core
+  aws-sdk-core (< 3.216.0)
   aws-sdk-s3 (~> 1.123)
   better_errors (~> 2.9)
   binding_of_caller (~> 1.0)
   blurhash (~> 0.1)
-  bootsnap (~> 1.19.0)
+  bootsnap (~> 1.18.0)
   brakeman (~> 7.0)
   browser
   bundler-audit (~> 0.9)
@@ -1009,7 +1005,7 @@ DEPENDENCIES
   oj (~> 3.14)
   omniauth (~> 2.0)
   omniauth-cas (~> 3.0.0.beta.1)
-  omniauth-rails_csrf_protection (~> 2.0)
+  omniauth-rails_csrf_protection (~> 1.0)
   omniauth-saml (~> 2.0)
   omniauth_openid_connect (~> 0.8.0)
   opentelemetry-api (~> 1.7.0)
@@ -1022,7 +1018,7 @@ DEPENDENCIES
   opentelemetry-instrumentation-http (~> 0.27.0)
   opentelemetry-instrumentation-http_client (~> 0.26.0)
   opentelemetry-instrumentation-net_http (~> 0.26.0)
-  opentelemetry-instrumentation-pg (~> 0.34.0)
+  opentelemetry-instrumentation-pg (~> 0.32.0)
   opentelemetry-instrumentation-rack (~> 0.29.0)
   opentelemetry-instrumentation-rails (~> 0.39.0)
   opentelemetry-instrumentation-redis (~> 0.28.0)
@@ -1032,11 +1028,11 @@ DEPENDENCIES
   parslet
   pg (~> 1.5)
   pghero
-  playwright-ruby-client (= 1.56.0)
+  playwright-ruby-client (= 1.55.0)
   premailer-rails
   prometheus_exporter (~> 2.2)
   propshaft
-  public_suffix (~> 7.0)
+  public_suffix (~> 6.0)
   puma (~> 7.0)
   pundit (~> 2.3)
   rack-attack (~> 6.6)

SECURITY.md

@@ -18,5 +18,4 @@ A "vulnerability in Mastodon" is a vulnerability in the code distributed through
 | 4.5.x   | Yes              |
 | 4.4.x   | Yes              |
 | 4.3.x   | Until 2026-05-06 |
-| 4.2.x   | Until 2026-01-08 |
-| < 4.2   | No               |
+| < 4.3   | No               |

app/controllers/activitypub/collections_controller.rb

@@ -4,17 +4,31 @@ class ActivityPub::CollectionsController < ActivityPub::BaseController
   vary_by -> { 'Signature' if authorized_fetch_mode? }
 
   before_action :require_account_signature!, if: :authorized_fetch_mode?
+  before_action :check_authorization
   before_action :set_items
   before_action :set_size
   before_action :set_type
 
   def show
     expires_in 3.minutes, public: public_fetch_mode?
-    render_with_cache json: collection_presenter, content_type: 'application/activity+json', serializer: ActivityPub::CollectionSerializer, adapter: ActivityPub::Adapter
+
+    if @unauthorized
+      render json: collection_presenter, content_type: 'application/activity+json', serializer: ActivityPub::CollectionSerializer, adapter: ActivityPub::Adapter
+    else
+      render_with_cache json: collection_presenter, content_type: 'application/activity+json', serializer: ActivityPub::CollectionSerializer, adapter: ActivityPub::Adapter
+    end
   end
 
   private
 
+  def check_authorization
+    # Because in public fetch mode we cache the response, there would be no
+    # benefit from performing the check below, since a blocked account or domain
+    # would likely be served the cache from the reverse proxy anyway
+
+    @unauthorized = authorized_fetch_mode? && !signed_request_account.nil? && (@account.blocking?(signed_request_account) || (!signed_request_account.domain.nil? && @account.domain_blocking?(signed_request_account.domain)))
+  end
+
   def set_items
     case params[:id]
     when 'featured'
@@ -57,11 +71,7 @@ class ActivityPub::CollectionsController < ActivityPub::BaseController
   end
 
   def for_signed_account
-    # Because in public fetch mode we cache the response, there would be no
-    # benefit from performing the check below, since a blocked account or domain
-    # would likely be served the cache from the reverse proxy anyway
-
-    if authorized_fetch_mode? && !signed_request_account.nil? && (@account.blocking?(signed_request_account) || (!signed_request_account.domain.nil? && @account.domain_blocking?(signed_request_account.domain)))
+    if @unauthorized
       []
     else
       yield

app/controllers/activitypub/contexts_controller.rb

@@ -36,9 +36,8 @@ class ActivityPub::ContextsController < ActivityPub::BaseController
 
   def context_presenter
     first_page = ActivityPub::CollectionPresenter.new(
-      id: items_context_url(@conversation, page_params),
       type: :unordered,
-      part_of: items_context_url(@conversation),
+      part_of: context_url(@conversation),
       next: next_page,
       items: @items.map { |status| status.local? ? ActivityPub::TagManager.instance.uri_for(status) : status.uri }
     )
@@ -52,7 +51,7 @@ class ActivityPub::ContextsController < ActivityPub::BaseController
     page = ActivityPub::CollectionPresenter.new(
       id: items_context_url(@conversation, page_params),
       type: :unordered,
-      part_of: items_context_url(@conversation),
+      part_of: context_url(@conversation),
       next: next_page,
       items: @items.map { |status| status.local? ? ActivityPub::TagManager.instance.uri_for(status) : status.uri }
     )

app/controllers/activitypub/inboxes_controller.rb

@@ -3,6 +3,7 @@
 class ActivityPub::InboxesController < ActivityPub::BaseController
   include JsonLdHelper
 
+  before_action :skip_large_payload
   before_action :skip_unknown_actor_activity
   before_action :require_actor_signature!
   skip_before_action :authenticate_user!
@@ -16,6 +17,10 @@ class ActivityPub::InboxesController < ActivityPub::BaseController
 
   private
 
+  def skip_large_payload
+    head 413 if request.content_length > ActivityPub::Activity::MAX_JSON_SIZE
+  end
+
   def skip_unknown_actor_activity
     head 202 if unknown_affected_account?
   end

app/controllers/admin/custom_emojis_controller.rb

@@ -5,15 +5,6 @@ module Admin
     def index
       authorize :custom_emoji, :index?
 
-      # If filtering by local emojis, remove by_domain filter.
-      params.delete(:by_domain) if params[:local].present?
-
-      # If filtering by domain, ensure remote filter is set.
-      if params[:by_domain].present?
-        params.delete(:local)
-        params[:remote] = '1'
-      end
-
       @custom_emojis = filtered_custom_emojis.eager_load(:local_counterpart).page(params[:page])
       @form          = Form::CustomEmojiBatch.new
     end

app/controllers/admin/site_uploads_controller.rb

@@ -9,7 +9,7 @@ module Admin
 
       @site_upload.destroy!
 
-      redirect_back_or_to admin_settings_path, notice: I18n.t('admin.site_uploads.destroyed_msg')
+      redirect_back fallback_location: admin_settings_path, notice: I18n.t('admin.site_uploads.destroyed_msg')
     end
 
     private

app/controllers/api/v1/annual_reports_controller.rb

@@ -1,12 +1,10 @@
 # frozen_string_literal: true
 
 class Api::V1::AnnualReportsController < Api::BaseController
-  include AsyncRefreshesConcern
-
-  before_action -> { doorkeeper_authorize! :read, :'read:accounts' }, except: [:read, :generate]
-  before_action -> { doorkeeper_authorize! :write, :'write:accounts' }, only: [:read, :generate]
+  before_action -> { doorkeeper_authorize! :read, :'read:accounts' }, only: :index
+  before_action -> { doorkeeper_authorize! :write, :'write:accounts' }, except: :index
   before_action :require_user!
-  before_action :set_annual_report, only: [:show, :read]
+  before_action :set_annual_report, except: :index
 
   def index
     with_read_replica do
@@ -30,59 +28,14 @@ class Api::V1::AnnualReportsController < Api::BaseController
            relationships: @relationships
   end
 
-  def state
-    render json: { state: report_state }
-  end
-
-  def generate
-    return render_empty unless year == AnnualReport.current_campaign
-    return render_empty if GeneratedAnnualReport.exists?(account_id: current_account.id, year: year)
-
-    async_refresh = AsyncRefresh.new(refresh_key)
-
-    if async_refresh.running?
-      add_async_refresh_header(async_refresh, retry_seconds: 2)
-      return head 202
-    end
-
-    add_async_refresh_header(AsyncRefresh.create(refresh_key), retry_seconds: 2)
-
-    GenerateAnnualReportWorker.perform_async(current_account.id, year)
-
-    head 202
-  end
-
   def read
     @annual_report.view!
     render_empty
   end
 
-  def refresh_key
-    "wrapstodon:#{current_account.id}:#{year}"
-  end
-
   private
 
-  def report_state
-    return 'available' if GeneratedAnnualReport.exists?(account_id: current_account.id, year: year)
-
-    async_refresh = AsyncRefresh.new(refresh_key)
-
-    if async_refresh.running?
-      add_async_refresh_header(async_refresh, retry_seconds: 2)
-      'generating'
-    elsif AnnualReport.current_campaign == year && AnnualReport.new(current_account, year).eligible?
-      'eligible'
-    else
-      'ineligible'
-    end
-  end
-
-  def year
-    params[:id]&.to_i
-  end
-
   def set_annual_report
-    @annual_report = GeneratedAnnualReport.find_by!(account_id: current_account.id, year: year)
+    @annual_report = GeneratedAnnualReport.find_by!(account_id: current_account.id, year: params[:id])
   end
 end

app/controllers/api/v1/statuses_controller.rb

@@ -107,9 +107,7 @@ class Api::V1::StatusesController < Api::BaseController
     @status = Status.where(account: current_account).find(params[:id])
     authorize @status, :update?
 
-    UpdateStatusService.new.call(
-      @status,
-      current_account.id,
+    update_options = {
       text: status_params[:status],
       media_ids: status_params[:media_ids],
       media_attributes: status_params[:media_attributes],
@@ -117,9 +115,12 @@ class Api::V1::StatusesController < Api::BaseController
       language: status_params[:language],
       spoiler_text: status_params[:spoiler_text],
       poll: status_params[:poll],
-      quote_approval_policy: quote_approval_policy,
-      content_type: status_params[:content_type]
-    )
+      content_type: status_params[:content_type],
+    }
+
+    update_options[:quote_approval_policy] = quote_approval_policy if status_params[:quote_approval_policy].present?
+
+    UpdateStatusService.new.call(@status, current_account.id, update_options)
 
     render json: @status, serializer: REST::StatusSerializer
   end
@@ -128,11 +129,10 @@ class Api::V1::StatusesController < Api::BaseController
     @status = Status.where(account: current_account).find(params[:id])
     authorize @status, :destroy?
 
-    json = render_to_body json: @status, serializer: REST::StatusSerializer, source_requested: true
-
     @status.discard_with_reblogs
     StatusPin.find_by(status: @status)&.destroy
     @status.account.statuses_count = @status.account.statuses_count - 1
+    json = render_to_body json: @status, serializer: REST::StatusSerializer, source_requested: true
 
     RemovalWorker.perform_async(@status.id, { 'redraft' => !truthy_param?(:delete_media) })
 

app/controllers/api/v1_alpha/collections_controller.rb

@@ -1,114 +0,0 @@
-# frozen_string_literal: true
-
-class Api::V1Alpha::CollectionsController < Api::BaseController
-  include Authorization
-
-  DEFAULT_COLLECTIONS_LIMIT = 40
-
-  rescue_from ActiveRecord::RecordInvalid, Mastodon::ValidationError do |e|
-    render json: { error: ValidationErrorFormatter.new(e).as_json }, status: 422
-  end
-
-  before_action :check_feature_enabled
-
-  before_action -> { authorize_if_got_token! :read, :'read:collections' }, only: [:index, :show]
-  before_action -> { doorkeeper_authorize! :write, :'write:collections' }, only: [:create, :update, :destroy]
-
-  before_action :require_user!, only: [:create, :update, :destroy]
-
-  before_action :set_account, only: [:index]
-  before_action :set_collections, only: [:index]
-  before_action :set_collection, only: [:show, :update, :destroy]
-
-  after_action :insert_pagination_headers, only: [:index]
-
-  after_action :verify_authorized
-
-  def index
-    cache_if_unauthenticated!
-    authorize Collection, :index?
-
-    render json: @collections, each_serializer: REST::BaseCollectionSerializer
-  end
-
-  def show
-    cache_if_unauthenticated!
-    authorize @collection, :show?
-
-    render json: @collection, serializer: REST::CollectionSerializer
-  end
-
-  def create
-    authorize Collection, :create?
-
-    @collection = CreateCollectionService.new.call(collection_creation_params, current_user.account)
-
-    render json: @collection, serializer: REST::CollectionSerializer
-  end
-
-  def update
-    authorize @collection, :update?
-
-    @collection.update!(collection_update_params) # TODO: Create a service for this to federate changes
-
-    render json: @collection, serializer: REST::CollectionSerializer
-  end
-
-  def destroy
-    authorize @collection, :destroy?
-
-    @collection.destroy
-
-    head 200
-  end
-
-  private
-
-  def set_account
-    @account = Account.find(params[:account_id])
-  end
-
-  def set_collections
-    @collections = @account.collections
-                           .with_tag
-                           .order(created_at: :desc)
-                           .offset(offset_param)
-                           .limit(limit_param(DEFAULT_COLLECTIONS_LIMIT))
-  end
-
-  def set_collection
-    @collection = Collection.find(params[:id])
-  end
-
-  def collection_creation_params
-    params.permit(:name, :description, :sensitive, :discoverable, :tag_name, account_ids: [])
-  end
-
-  def collection_update_params
-    params.permit(:name, :description, :sensitive, :discoverable, :tag_name)
-  end
-
-  def check_feature_enabled
-    raise ActionController::RoutingError unless Mastodon::Feature.collections_enabled?
-  end
-
-  def next_path
-    return unless records_continue?
-
-    api_v1_alpha_account_collections_url(@account, pagination_params(offset: offset_param + limit_param(DEFAULT_COLLECTIONS_LIMIT)))
-  end
-
-  def prev_path
-    return if offset_param.zero?
-
-    api_v1_alpha_account_collections_url(@account, pagination_params(offset: offset_param - limit_param(DEFAULT_COLLECTIONS_LIMIT)))
-  end
-
-  def records_continue?
-    ((offset_param * limit_param(DEFAULT_COLLECTIONS_LIMIT)) + @collections.size) < @account.collections.size
-  end
-
-  def offset_param
-    params[:offset].to_i
-  end
-end

app/controllers/api/web/push_subscriptions_controller.rb

@@ -62,7 +62,7 @@ class Api::Web::PushSubscriptionsController < Api::Web::BaseController
   end
 
   def set_push_subscription
-    @push_subscription = ::Web::PushSubscription.find(params[:id])
+    @push_subscription = ::Web::PushSubscription.where(user_id: active_session.user_id).find(params[:id])
   end
 
   def subscription_params

app/controllers/auth/registrations_controller.rb

@@ -135,7 +135,7 @@ class Auth::RegistrationsController < Devise::RegistrationsController
     @accept_token = session[:accept_token] = SecureRandom.hex
     @invite_code  = invite_code
 
-    render :rules
+    set_locale { render :rules }
   end
 
   def is_flashing_format? # rubocop:disable Naming/PredicatePrefix

app/controllers/concerns/cache_concern.rb

@@ -19,7 +19,7 @@ module CacheConcern
   # from being used as cache keys, while allowing to `Vary` on them (to not serve
   # anonymous cached data to authenticated requests when authentication matters)
   def enforce_cache_control!
-    vary = response.headers['Vary']&.split&.map { |x| x.strip.downcase }
+    vary = response.headers['Vary'].to_s.split(',').map { |x| x.strip.downcase }.reject(&:empty?)
     return unless vary.present? && %w(cookie authorization signature).any? { |header| vary.include?(header) && request.headers[header].present? }
 
     response.cache_control.replace(private: true, no_store: true)

app/controllers/concerns/signature_verification.rb

@@ -72,10 +72,13 @@ module SignatureVerification
   rescue Mastodon::SignatureVerificationError => e
     fail_with! e.message
   rescue *Mastodon::HTTP_CONNECTION_ERRORS => e
+    @signature_verification_failure_code ||= 503
     fail_with! "Failed to fetch remote data: #{e.message}"
   rescue Mastodon::UnexpectedResponseError
+    @signature_verification_failure_code ||= 503
     fail_with! 'Failed to fetch remote data (got unexpected reply from server)'
   rescue Stoplight::Error::RedLight
+    @signature_verification_failure_code ||= 503
     fail_with! 'Fetching attempt skipped because of recent connection failure'
   end
 

app/controllers/follower_accounts_controller.rb

@@ -7,7 +7,6 @@ class FollowerAccountsController < ApplicationController
   vary_by -> { public_fetch_mode? ? 'Accept, Accept-Language, Cookie' : 'Accept, Accept-Language, Cookie, Signature' }
 
   before_action :require_account_signature!, if: -> { request.format == :json && authorized_fetch_mode? }
-  before_action :protect_hidden_collections, if: -> { request.format.json? }
 
   skip_around_action :set_locale, if: -> { request.format == :json }
   skip_before_action :require_functional!, unless: :limited_federation_mode?
@@ -19,6 +18,8 @@ class FollowerAccountsController < ApplicationController
       end
 
       format.json do
+        raise Mastodon::NotPermittedError if page_requested? && @account.hide_collections?
+
         expires_in(page_requested? ? 0 : 3.minutes, public: public_fetch_mode?)
 
         render json: collection_presenter,
@@ -40,10 +41,6 @@ class FollowerAccountsController < ApplicationController
     @follows = scope.recent.page(params[:page]).per(FOLLOW_PER_PAGE).preload(:account)
   end
 
-  def protect_hidden_collections
-    raise Mastodon::NotPermittedError if page_requested? && @account.hide_collections?
-  end
-
   def page_requested?
     params[:page].present?
   end

app/controllers/following_accounts_controller.rb

@@ -7,7 +7,6 @@ class FollowingAccountsController < ApplicationController
   vary_by -> { public_fetch_mode? ? 'Accept, Accept-Language, Cookie' : 'Accept, Accept-Language, Cookie, Signature' }
 
   before_action :require_account_signature!, if: -> { request.format == :json && authorized_fetch_mode? }
-  before_action :protect_hidden_collections, if: -> { request.format.json? }
 
   skip_around_action :set_locale, if: -> { request.format == :json }
   skip_before_action :require_functional!, unless: :limited_federation_mode?
@@ -19,6 +18,11 @@ class FollowingAccountsController < ApplicationController
       end
 
       format.json do
+        if page_requested? && @account.hide_collections?
+          forbidden
+          next
+        end
+
         expires_in(page_requested? ? 0 : 3.minutes, public: public_fetch_mode?)
 
         render json: collection_presenter,
@@ -40,10 +44,6 @@ class FollowingAccountsController < ApplicationController
     @follows = scope.recent.page(params[:page]).per(FOLLOW_PER_PAGE).preload(:target_account)
   end
 
-  def protect_hidden_collections
-    raise Mastodon::NotPermittedError if page_requested? && @account.hide_collections?
-  end
-
   def page_requested?
     params[:page].present?
   end

app/controllers/severed_relationships_controller.rb

@@ -26,7 +26,7 @@ class SeveredRelationshipsController < ApplicationController
   private
 
   def set_event
-    @event = AccountRelationshipSeveranceEvent.find(params[:id])
+    @event = AccountRelationshipSeveranceEvent.where(account: current_account).find(params[:id])
   end
 
   def following_data

app/controllers/statuses_controller.rb

@@ -29,7 +29,7 @@ class StatusesController < ApplicationController
       end
 
       format.json do
-        expires_in 3.minutes, public: true if @status.distributable? && public_fetch_mode?
+        expires_in @status.quote&.pending? ? 5.seconds : 3.minutes, public: true if @status.distributable? && public_fetch_mode?
         render_with_cache json: @status, content_type: 'application/activity+json', serializer: ActivityPub::NoteSerializer, adapter: ActivityPub::Adapter
       end
     end

app/controllers/wrapstodon_controller.rb

@@ -1,23 +0,0 @@
-# frozen_string_literal: true
-
-class WrapstodonController < ApplicationController
-  include WebAppControllerConcern
-  include Authorization
-  include AccountOwnedConcern
-
-  vary_by 'Accept, Accept-Language, Cookie'
-
-  before_action :set_generated_annual_report
-
-  skip_before_action :require_functional!, only: :show, unless: :limited_federation_mode?
-
-  def show
-    expires_in 10.seconds, public: true if current_account.nil?
-  end
-
-  private
-
-  def set_generated_annual_report
-    @generated_annual_report = GeneratedAnnualReport.find_by!(account: @account, year: params[:year], share_key: params[:share_key])
-  end
-end

app/helpers/application_helper.rb

@@ -153,9 +153,11 @@ module ApplicationHelper
     tag.meta(content: content, property: property)
   end
 
-  def html_classes
+  def body_classes
     output = []
-    output << content_for(:html_classes)
+    output << content_for(:body_classes)
+    output << "flavour-#{current_flavour.parameterize}"
+    output << "skin-#{current_skin.parameterize}"
     output << 'system-font' if current_account&.user&.setting_system_font_ui
     output << 'custom-scrollbars' unless current_account&.user&.setting_system_scrollbars_ui
     output << (current_account&.user&.setting_reduce_motion ? 'reduce-motion' : 'no-reduce-motion')
@@ -163,12 +165,6 @@ module ApplicationHelper
     output.compact_blank.join(' ')
   end
 
-  def body_classes
-    output = []
-    output << content_for(:body_classes)
-    output.compact_blank.join(' ')
-  end
-
   def cdn_host
     Rails.configuration.action_controller.asset_host
   end

app/helpers/languages_helper.rb

@@ -35,7 +35,7 @@ module LanguagesHelper
     cy: ['Welsh', 'Cymraeg'].freeze,
     da: ['Danish', 'dansk'].freeze,
     de: ['German', 'Deutsch'].freeze,
-    dv: ['Divehi', 'ދިވެހި'].freeze,
+    dv: ['Divehi', 'Dhivehi'].freeze,
     dz: ['Dzongkha', 'རྫོང་ཁ'].freeze,
     ee: ['Ewe', 'Eʋegbe'].freeze,
     el: ['Greek', 'Ελληνικά'].freeze,
@@ -100,7 +100,7 @@ module LanguagesHelper
     lo: ['Lao', 'ລາວ'].freeze,
     lt: ['Lithuanian', 'lietuvių kalba'].freeze,
     lu: ['Luba-Katanga', 'Tshiluba'].freeze,
-    lv: ['Latvian', 'Latviski'].freeze,
+    lv: ['Latvian', 'latviešu valoda'].freeze,
     mg: ['Malagasy', 'fiteny malagasy'].freeze,
     mh: ['Marshallese', 'Kajin M̧ajeļ'].freeze,
     mi: ['Māori', 'te reo Māori'].freeze,

app/helpers/wrapstodon_helper.rb

@@ -1,16 +0,0 @@
-# frozen_string_literal: true
-
-module WrapstodonHelper
-  def render_wrapstodon_share_data(report)
-    json = ActiveModelSerializers::SerializableResource.new(
-      AnnualReportsPresenter.new([report]),
-      serializer: REST::AnnualReportsSerializer,
-      scope: nil,
-      scope_name: :current_user
-    ).to_json
-
-    # rubocop:disable Rails/OutputSafety
-    content_tag(:script, json_escape(json).html_safe, type: 'application/json', id: 'wrapstodon-data')
-    # rubocop:enable Rails/OutputSafety
-  end
-end

app/inputs/date_of_birth_input.rb

@@ -1,49 +1,31 @@
 # frozen_string_literal: true
 
 class DateOfBirthInput < SimpleForm::Inputs::Base
-  OPTIONS = {
-    day: { autocomplete: 'bday-day', maxlength: 2, pattern: '[0-9]+', placeholder: 'DD' },
-    month: { autocomplete: 'bday-month', maxlength: 2, pattern: '[0-9]+', placeholder: 'MM' },
-    year: { autocomplete: 'bday-year', maxlength: 4, pattern: '[0-9]+', placeholder: 'YYYY' },
-  }.freeze
+  OPTIONS = [
+    { autocomplete: 'bday-day', maxlength: 2, pattern: '[0-9]+', placeholder: 'DD' }.freeze,
+    { autocomplete: 'bday-month', maxlength: 2, pattern: '[0-9]+', placeholder: 'MM' }.freeze,
+    { autocomplete: 'bday-year', maxlength: 4, pattern: '[0-9]+', placeholder: 'YYYY' }.freeze,
+  ].freeze
 
   def input(wrapper_options = nil)
     merged_input_options = merge_wrapper_options(input_html_options, wrapper_options)
     merged_input_options[:inputmode] = 'numeric'
 
-    safe_join(
-      ordered_options.map do |option|
-        options = merged_input_options
-          .merge(OPTIONS[option])
-          .merge(
-            id: generate_id(option),
-            'aria-label': I18n.t("simple_form.labels.user.date_of_birth_#{param_for(option)}"),
-            value: values[option]
-          )
-        @builder.text_field("#{attribute_name}(#{param_for(option)})", options)
-      end
-    )
+    values = (object.public_send(attribute_name) || '').split('.')
+
+    safe_join(Array.new(3) do |index|
+      options = merged_input_options.merge(OPTIONS[index]).merge id: generate_id(index), 'aria-label': I18n.t("simple_form.labels.user.date_of_birth_#{index + 1}i"), value: values[index]
+      @builder.text_field("#{attribute_name}(#{index + 1}i)", options)
+    end)
   end
 
   def label_target
-    "#{attribute_name}_#{param_for(ordered_options.first)}"
+    "#{attribute_name}_1i"
   end
 
   private
 
-  def ordered_options
-    I18n.t('date.order').map(&:to_sym)
-  end
-
-  def generate_id(option)
-    "#{object_name}_#{attribute_name}_#{param_for(option)}"
-  end
-
-  def param_for(option)
-    "#{ActionView::Helpers::DateTimeSelector::POSITION[option]}i"
-  end
-
-  def values
-    Date._parse((object.public_send(attribute_name) || '').to_s).transform_keys(mon: :month, mday: :day)
+  def generate_id(index)
+    "#{object_name}_#{attribute_name}_#{index + 1}i"
   end
 end

app/javascript/entrypoints/admin.tsx

@@ -1,7 +1,7 @@
 import { createRoot } from 'react-dom/client';
 
+import Rails from '@rails/ujs';
 import { decode, ValidationError } from 'blurhash';
-import { on } from 'delegated-events';
 
 import ready from '../mastodon/ready';
 
@@ -24,9 +24,10 @@ const setAnnouncementEndsAttributes = (target: HTMLInputElement) => {
   }
 };
 
-on(
-  'change',
+Rails.delegate(
+  document,
   'input[type="datetime-local"]#announcement_starts_at',
+  'change',
   ({ target }) => {
     if (target instanceof HTMLInputElement)
       setAnnouncementEndsAttributes(target);
@@ -62,7 +63,7 @@ const hideSelectAll = () => {
   if (hiddenField) hiddenField.value = '0';
 };
 
-on('change', '#batch_checkbox_all', ({ target }) => {
+Rails.delegate(document, '#batch_checkbox_all', 'change', ({ target }) => {
   if (!(target instanceof HTMLInputElement)) return;
 
   const selectAllMatchingElement = document.querySelector(
@@ -84,7 +85,7 @@ on('change', '#batch_checkbox_all', ({ target }) => {
   }
 });
 
-on('click', '.batch-table__select-all button', () => {
+Rails.delegate(document, '.batch-table__select-all button', 'click', () => {
   const hiddenField = document.querySelector<HTMLInputElement>(
     '#select_all_matching',
   );
@@ -112,7 +113,7 @@ on('click', '.batch-table__select-all button', () => {
   }
 });
 
-on('change', batchCheckboxClassName, () => {
+Rails.delegate(document, batchCheckboxClassName, 'change', () => {
   const checkAllElement = document.querySelector<HTMLInputElement>(
     'input#batch_checkbox_all',
   );
@@ -139,9 +140,14 @@ on('change', batchCheckboxClassName, () => {
   }
 });
 
-on('change', '.filter-subset--with-select select', ({ target }) => {
-  if (target instanceof HTMLSelectElement) target.form?.submit();
-});
+Rails.delegate(
+  document,
+  '.filter-subset--with-select select',
+  'change',
+  ({ target }) => {
+    if (target instanceof HTMLSelectElement) target.form?.submit();
+  },
+);
 
 const onDomainBlockSeverityChange = (target: HTMLSelectElement) => {
   const rejectMediaDiv = document.querySelector(
@@ -162,11 +168,11 @@ const onDomainBlockSeverityChange = (target: HTMLSelectElement) => {
   }
 };
 
-on('change', '#domain_block_severity', ({ target }) => {
+Rails.delegate(document, '#domain_block_severity', 'change', ({ target }) => {
   if (target instanceof HTMLSelectElement) onDomainBlockSeverityChange(target);
 });
 
-function onEnableBootstrapTimelineAccountsChange(target: HTMLInputElement) {
+const onEnableBootstrapTimelineAccountsChange = (target: HTMLInputElement) => {
   const bootstrapTimelineAccountsField =
     document.querySelector<HTMLInputElement>(
       '#form_admin_settings_bootstrap_timeline_accounts',
@@ -188,11 +194,12 @@ function onEnableBootstrapTimelineAccountsChange(target: HTMLInputElement) {
       );
     }
   }
-}
+};
 
-on(
-  'change',
+Rails.delegate(
+  document,
   '#form_admin_settings_enable_bootstrap_timeline_accounts',
+  'change',
   ({ target }) => {
     if (target instanceof HTMLInputElement)
       onEnableBootstrapTimelineAccountsChange(target);
@@ -232,11 +239,11 @@ const onChangeRegistrationMode = (target: HTMLSelectElement) => {
     });
 };
 
-function convertUTCDateTimeToLocal(value: string) {
+const convertUTCDateTimeToLocal = (value: string) => {
   const date = new Date(value + 'Z');
   const twoChars = (x: number) => x.toString().padStart(2, '0');
   return `${date.getFullYear()}-${twoChars(date.getMonth() + 1)}-${twoChars(date.getDate())}T${twoChars(date.getHours())}:${twoChars(date.getMinutes())}`;
-}
+};
 
 function convertLocalDatetimeToUTC(value: string) {
   const date = new Date(value);
@@ -244,9 +251,14 @@ function convertLocalDatetimeToUTC(value: string) {
   return fullISO8601.slice(0, fullISO8601.indexOf('T') + 6);
 }
 
-on('change', '#form_admin_settings_registrations_mode', ({ target }) => {
-  if (target instanceof HTMLSelectElement) onChangeRegistrationMode(target);
-});
+Rails.delegate(
+  document,
+  '#form_admin_settings_registrations_mode',
+  'change',
+  ({ target }) => {
+    if (target instanceof HTMLSelectElement) onChangeRegistrationMode(target);
+  },
+);
 
 async function mountReactComponent(element: Element) {
   const componentName = element.getAttribute('data-admin-component');
@@ -293,7 +305,7 @@ ready(() => {
   if (registrationMode) onChangeRegistrationMode(registrationMode);
 
   const checkAllElement = document.querySelector<HTMLInputElement>(
-    '#batch_checkbox_all',
+    'input#batch_checkbox_all',
   );
   if (checkAllElement) {
     const allCheckboxes = Array.from(
@@ -306,7 +318,7 @@ ready(() => {
   }
 
   document
-    .querySelector<HTMLAnchorElement>('a#add-instance-button')
+    .querySelector('a#add-instance-button')
     ?.addEventListener('click', (e) => {
       const domain = document.querySelector<HTMLInputElement>(
         'input[type="text"]#by_domain',
@@ -330,7 +342,7 @@ ready(() => {
       }
     });
 
-  on('submit', 'form', ({ target }) => {
+  Rails.delegate(document, 'form', 'submit', ({ target }) => {
     if (target instanceof HTMLFormElement)
       target
         .querySelectorAll<HTMLInputElement>('input[type="datetime-local"]')

app/javascript/entrypoints/public.tsx

@@ -4,8 +4,8 @@ import { IntlMessageFormat } from 'intl-messageformat';
 import type { MessageDescriptor, PrimitiveType } from 'react-intl';
 import { defineMessages } from 'react-intl';
 
+import Rails from '@rails/ujs';
 import axios from 'axios';
-import { on } from 'delegated-events';
 import { throttle } from 'lodash';
 
 import { timeAgoString } from '../mastodon/components/relative_timestamp';
@@ -175,9 +175,10 @@ function loaded() {
       });
   }
 
-  on(
-    'input',
+  Rails.delegate(
+    document,
     'input#user_account_attributes_username',
+    'input',
     throttle(
       ({ target }) => {
         if (!(target instanceof HTMLInputElement)) return;
@@ -201,47 +202,60 @@ function loaded() {
     ),
   );
 
-  on('input', '#user_password,#user_password_confirmation', () => {
-    const password = document.querySelector<HTMLInputElement>(
-      'input#user_password',
-    );
-    const confirmation = document.querySelector<HTMLInputElement>(
-      'input#user_password_confirmation',
-    );
-    if (!confirmation || !password) return;
+  Rails.delegate(
+    document,
+    '#user_password,#user_password_confirmation',
+    'input',
+    () => {
+      const password = document.querySelector<HTMLInputElement>(
+        'input#user_password',
+      );
+      const confirmation = document.querySelector<HTMLInputElement>(
+        'input#user_password_confirmation',
+      );
+      if (!confirmation || !password) return;
 
-    if (confirmation.value && confirmation.value.length > password.maxLength) {
-      confirmation.setCustomValidity(
-        formatMessage(messages.passwordExceedsLength),
-      );
-    } else if (password.value && password.value !== confirmation.value) {
-      confirmation.setCustomValidity(
-        formatMessage(messages.passwordDoesNotMatch),
-      );
-    } else {
-      confirmation.setCustomValidity('');
-    }
-  });
+      if (
+        confirmation.value &&
+        confirmation.value.length > password.maxLength
+      ) {
+        confirmation.setCustomValidity(
+          formatMessage(messages.passwordExceedsLength),
+        );
+      } else if (password.value && password.value !== confirmation.value) {
+        confirmation.setCustomValidity(
+          formatMessage(messages.passwordDoesNotMatch),
+        );
+      } else {
+        confirmation.setCustomValidity('');
+      }
+    },
+  );
 }
 
-on('change', '#edit_profile input[type=file]', ({ target }) => {
-  if (!(target instanceof HTMLInputElement)) return;
+Rails.delegate(
+  document,
+  '#edit_profile input[type=file]',
+  'change',
+  ({ target }) => {
+    if (!(target instanceof HTMLInputElement)) return;
 
-  const avatar = document.querySelector<HTMLImageElement>(
-    `img#${target.id}-preview`,
-  );
+    const avatar = document.querySelector<HTMLImageElement>(
+      `img#${target.id}-preview`,
+    );
 
-  if (!avatar) return;
+    if (!avatar) return;
 
-  let file: File | undefined;
-  if (target.files) file = target.files[0];
+    let file: File | undefined;
+    if (target.files) file = target.files[0];
 
-  const url = file ? URL.createObjectURL(file) : avatar.dataset.originalSrc;
+    const url = file ? URL.createObjectURL(file) : avatar.dataset.originalSrc;
 
-  if (url) avatar.src = url;
-});
+    if (url) avatar.src = url;
+  },
+);
 
-on('click', '.input-copy input', ({ target }) => {
+Rails.delegate(document, '.input-copy input', 'click', ({ target }) => {
   if (!(target instanceof HTMLInputElement)) return;
 
   target.focus();
@@ -249,7 +263,7 @@ on('click', '.input-copy input', ({ target }) => {
   target.setSelectionRange(0, target.value.length);
 });
 
-on('click', '.input-copy button', ({ target }) => {
+Rails.delegate(document, '.input-copy button', 'click', ({ target }) => {
   if (!(target instanceof HTMLButtonElement)) return;
 
   const input = target.parentNode?.querySelector<HTMLInputElement>(
@@ -298,22 +312,22 @@ const toggleSidebar = () => {
   sidebar.classList.toggle('visible');
 };
 
-on('click', '.sidebar__toggle__icon', () => {
+Rails.delegate(document, '.sidebar__toggle__icon', 'click', () => {
   toggleSidebar();
 });
 
-on('keydown', '.sidebar__toggle__icon', (e) => {
+Rails.delegate(document, '.sidebar__toggle__icon', 'keydown', (e) => {
   if (e.key === ' ' || e.key === 'Enter') {
     e.preventDefault();
     toggleSidebar();
   }
 });
 
-on('mouseover', 'img.custom-emoji', ({ target }) => {
+Rails.delegate(document, 'img.custom-emoji', 'mouseover', ({ target }) => {
   if (target instanceof HTMLImageElement && target.dataset.original)
     target.src = target.dataset.original;
 });
-on('mouseout', 'img.custom-emoji', ({ target }) => {
+Rails.delegate(document, 'img.custom-emoji', 'mouseout', ({ target }) => {
   if (target instanceof HTMLImageElement && target.dataset.static)
     target.src = target.dataset.static;
 });
@@ -362,17 +376,22 @@ const setInputHint = (
   }
 };
 
-on('change', '#account_statuses_cleanup_policy_enabled', ({ target }) => {
-  if (!(target instanceof HTMLInputElement) || !target.form) return;
+Rails.delegate(
+  document,
+  '#account_statuses_cleanup_policy_enabled',
+  'change',
+  ({ target }) => {
+    if (!(target instanceof HTMLInputElement) || !target.form) return;
 
-  target.form
-    .querySelectorAll<
-      HTMLInputElement | HTMLSelectElement
-    >('input:not([type=hidden], #account_statuses_cleanup_policy_enabled), select')
-    .forEach((input) => {
-      setInputDisabled(input, !target.checked);
-    });
-});
+    target.form
+      .querySelectorAll<
+        HTMLInputElement | HTMLSelectElement
+      >('input:not([type=hidden], #account_statuses_cleanup_policy_enabled), select')
+      .forEach((input) => {
+        setInputDisabled(input, !target.checked);
+      });
+  },
+);
 
 const updateDefaultQuotePrivacyFromPrivacy = (
   privacySelect: EventTarget | null,
@@ -395,13 +414,18 @@ const updateDefaultQuotePrivacyFromPrivacy = (
   }
 };
 
-on('change', '#user_settings_attributes_default_privacy', ({ target }) => {
-  updateDefaultQuotePrivacyFromPrivacy(target);
-});
+Rails.delegate(
+  document,
+  '#user_settings_attributes_default_privacy',
+  'change',
+  ({ target }) => {
+    updateDefaultQuotePrivacyFromPrivacy(target);
+  },
+);
 
 // Empty the honeypot fields in JS in case something like an extension
 // automatically filled them.
-on('submit', '#registration_new_user,#new_user', () => {
+Rails.delegate(document, '#registration_new_user,#new_user', 'submit', () => {
   [
     'user_website',
     'user_confirm_password',
@@ -415,7 +439,7 @@ on('submit', '#registration_new_user,#new_user', () => {
   });
 });
 
-on('click', '.rules-list button', ({ target }) => {
+Rails.delegate(document, '.rules-list button', 'click', ({ target }) => {
   if (!(target instanceof HTMLElement)) {
     return;
   }

app/javascript/entrypoints/wrapstodon.tsx

@@ -1,63 +0,0 @@
-import { createRoot } from 'react-dom/client';
-
-import { Provider as ReduxProvider } from 'react-redux';
-
-import { importFetchedStatuses } from '@/mastodon/actions/importer';
-import { hydrateStore } from '@/mastodon/actions/store';
-import type { ApiAnnualReportResponse } from '@/mastodon/api/annual_report';
-import { Router } from '@/mastodon/components/router';
-import { WrapstodonSharedPage } from '@/mastodon/features/annual_report/shared_page';
-import { IntlProvider, loadLocale } from '@/mastodon/locales';
-import { loadPolyfills } from '@/mastodon/polyfills';
-import ready from '@/mastodon/ready';
-import { setReport } from '@/mastodon/reducers/slices/annual_report';
-import { store } from '@/mastodon/store';
-
-function loaded() {
-  const mountNode = document.getElementById('wrapstodon');
-  if (!mountNode) {
-    throw new Error('Mount node not found');
-  }
-  const propsNode = document.getElementById('wrapstodon-data');
-  if (!propsNode) {
-    throw new Error('Initial state prop not found');
-  }
-
-  const initialState = JSON.parse(
-    propsNode.textContent,
-  ) as ApiAnnualReportResponse;
-
-  const report = initialState.annual_reports[0];
-  if (!report) {
-    throw new Error('Initial state report not found');
-  }
-
-  // Set up store
-  store.dispatch(
-    hydrateStore({
-      meta: { locale: document.documentElement.lang },
-      accounts: initialState.accounts,
-    }),
-  );
-  store.dispatch(importFetchedStatuses(initialState.statuses));
-
-  store.dispatch(setReport(report));
-
-  const root = createRoot(mountNode);
-  root.render(
-    <IntlProvider>
-      <ReduxProvider store={store}>
-        <Router>
-          <WrapstodonSharedPage />
-        </Router>
-      </ReduxProvider>
-    </IntlProvider>,
-  );
-}
-
-loadPolyfills()
-  .then(loadLocale)
-  .then(() => ready(loaded))
-  .catch((err: unknown) => {
-    console.error(err);
-  });

app/javascript/flavours/glitch/actions/bundles.js

@@ -0,0 +1,25 @@
+export const BUNDLE_FETCH_REQUEST = 'BUNDLE_FETCH_REQUEST';
+export const BUNDLE_FETCH_SUCCESS = 'BUNDLE_FETCH_SUCCESS';
+export const BUNDLE_FETCH_FAIL = 'BUNDLE_FETCH_FAIL';
+
+export function fetchBundleRequest(skipLoading) {
+  return {
+    type: BUNDLE_FETCH_REQUEST,
+    skipLoading,
+  };
+}
+
+export function fetchBundleSuccess(skipLoading) {
+  return {
+    type: BUNDLE_FETCH_SUCCESS,
+    skipLoading,
+  };
+}
+
+export function fetchBundleFail(error, skipLoading) {
+  return {
+    type: BUNDLE_FETCH_FAIL,
+    error,
+    skipLoading,
+  };
+}

app/javascript/flavours/glitch/actions/compose.js

@@ -709,7 +709,16 @@ export function selectComposeSuggestion(position, token, suggestion, path) {
 
       dispatch(useEmoji(suggestion));
     } else if (suggestion.type === 'hashtag') {
-      completion    = token + suggestion.name.slice(token.length - 1);
+      // TODO: it could make sense to keep the “most capitalized” of the two
+      const tokenName = token.slice(1); // strip leading '#'
+      const suggestionPrefix = suggestion.name.slice(0, tokenName.length);
+      const prefixMatchesSuggestion = suggestionPrefix.localeCompare(tokenName, undefined, { sensitivity: 'accent' }) === 0;
+      if (prefixMatchesSuggestion) {
+        completion = token + suggestion.name.slice(tokenName.length);
+      } else {
+        completion = `${token.slice(0, 1)}${suggestion.name}`;
+      }
+
       startPosition = position - 1;
     } else if (suggestion.type === 'account') {
       completion    = `@${getState().getIn(['accounts', suggestion.id, 'acct'])}`;

app/javascript/flavours/glitch/actions/server.js

@@ -1,5 +1,3 @@
-import { checkAnnualReport } from '@/flavours/glitch/reducers/slices/annual_report';
-
 import api from '../api';
 
 import { importFetchedAccount } from './importer';
@@ -31,9 +29,6 @@ export const fetchServer = () => (dispatch, getState) => {
     .get('/api/v2/instance').then(({ data }) => {
       if (data.contact.account) dispatch(importFetchedAccount(data.contact.account));
       dispatch(fetchServerSuccess(data));
-      if (data.wrapstodon) {
-        void dispatch(checkAnnualReport());
-      }
     }).catch(err => dispatch(fetchServerFail(err)));
 };
 

app/javascript/flavours/glitch/actions/store.js

@@ -37,9 +37,7 @@ export function hydrateStore(rawState) {
 
     dispatch(hydrateCompose());
     dispatch(hydrateSearch());
-    if (rawState.accounts) {
-      dispatch(importFetchedAccounts(Object.values(rawState.accounts)));
-    }
+    dispatch(importFetchedAccounts(Object.values(rawState.accounts)));
     dispatch(saveSettings());
   };
 }

app/javascript/flavours/glitch/actions/timelines.js

@@ -1,6 +1,5 @@
 import { Map as ImmutableMap, List as ImmutableList } from 'immutable';
 
-import { reinsertAnnualReport, TIMELINE_WRAPSTODON } from '@/flavours/glitch/reducers/slices/annual_report';
 import api, { getLinks } from 'flavours/glitch/api';
 import { compareId } from 'flavours/glitch/compare_id';
 import { usePendingItems as preferPendingItems } from 'flavours/glitch/initial_state';
@@ -8,7 +7,7 @@ import { toServerSideType } from 'flavours/glitch/utils/filters';
 
 import { importFetchedStatus, importFetchedStatuses } from './importer';
 import { submitMarkers } from './markers';
-import { timelineDelete } from './timelines_typed';
+import {timelineDelete} from './timelines_typed';
 
 export { disconnectTimeline } from './timelines_typed';
 
@@ -26,16 +25,9 @@ export const TIMELINE_CONNECT      = 'TIMELINE_CONNECT';
 export const TIMELINE_MARK_AS_PARTIAL = 'TIMELINE_MARK_AS_PARTIAL';
 export const TIMELINE_INSERT          = 'TIMELINE_INSERT';
 
-// When adding new special markers here, make sure to update TIMELINE_NON_STATUS_MARKERS in actions/timelines_typed.js
 export const TIMELINE_SUGGESTIONS = 'inline-follow-suggestions';
 export const TIMELINE_GAP = null;
 
-export const TIMELINE_NON_STATUS_MARKERS = [
-  TIMELINE_GAP,
-  TIMELINE_SUGGESTIONS,
-  TIMELINE_WRAPSTODON,
-];
-
 export const loadPending = timeline => ({
   type: TIMELINE_LOAD_PENDING,
   timeline,
@@ -143,7 +135,6 @@ export function expandTimeline(timelineId, path, params = {}) {
 
       if (timelineId === 'home') {
         dispatch(submitMarkers());
-        dispatch(reinsertAnnualReport())
       }
     } catch(error) {
       dispatch(expandTimelineFail(timelineId, error, isLoadingMore));

app/javascript/flavours/glitch/actions/timelines_typed.ts

@@ -2,12 +2,6 @@ import { createAction } from '@reduxjs/toolkit';
 
 import { usePendingItems as preferPendingItems } from 'flavours/glitch/initial_state';
 
-import { TIMELINE_NON_STATUS_MARKERS } from './timelines';
-
-export function isNonStatusId(value: unknown) {
-  return TIMELINE_NON_STATUS_MARKERS.includes(value as string | null);
-}
-
 export const disconnectTimeline = createAction(
   'timeline/disconnect',
   ({ timeline }: { timeline: string }) => ({

app/javascript/flavours/glitch/api/annual_report.ts

@@ -1,38 +0,0 @@
-import api, { apiRequestGet, getAsyncRefreshHeader } from '../api';
-import type { ApiAccountJSON } from '../api_types/accounts';
-import type { ApiStatusJSON } from '../api_types/statuses';
-import type { AnnualReport } from '../models/annual_report';
-
-export type ApiAnnualReportState =
-  | 'available'
-  | 'generating'
-  | 'eligible'
-  | 'ineligible';
-
-export const apiGetAnnualReportState = async (year: number) => {
-  const response = await api().get<{ state: ApiAnnualReportState }>(
-    `/api/v1/annual_reports/${year}/state`,
-  );
-
-  return {
-    state: response.data.state,
-    refresh: getAsyncRefreshHeader(response),
-  };
-};
-
-export const apiRequestGenerateAnnualReport = async (year: number) => {
-  const response = await api().post(`/api/v1/annual_reports/${year}/generate`);
-
-  return {
-    refresh: getAsyncRefreshHeader(response),
-  };
-};
-
-export interface ApiAnnualReportResponse {
-  annual_reports: AnnualReport[];
-  accounts: ApiAccountJSON[];
-  statuses: ApiStatusJSON[];
-}
-
-export const apiGetAnnualReport = (year: number) =>
-  apiRequestGet<ApiAnnualReportResponse>(`v1/annual_reports/${year}`);

app/javascript/flavours/glitch/api_types/custom_emoji.ts

@@ -1,9 +1,8 @@
-// See app/serializers/rest/custom_emoji_serializer.rb
+// See app/serializers/rest/account_serializer.rb
 export interface ApiCustomEmojiJSON {
   shortcode: string;
   static_url: string;
   url: string;
   category?: string;
-  featured?: boolean;
   visible_in_picker: boolean;
 }

app/javascript/flavours/glitch/api_types/statuses.ts

@@ -51,7 +51,7 @@ export interface ApiPreviewCardJSON {
   html: string;
   width: number;
   height: number;
-  image: string | null;
+  image: string;
   image_description: string;
   embed_url: string;
   blurhash: string;

app/javascript/flavours/glitch/common.ts

@@ -1,5 +1,9 @@
-import { setupLinkListeners } from './utils/links';
+import Rails from '@rails/ujs';
 
 export function start() {
-  setupLinkListeners();
+  try {
+    Rails.start();
+  } catch {
+    // If called twice
+  }
 }

app/javascript/flavours/glitch/components/account_fields.tsx

@@ -6,7 +6,6 @@ import CheckIcon from '@/material-icons/400-24px/check.svg?react';
 import { Icon } from 'flavours/glitch/components/icon';
 import type { Account } from 'flavours/glitch/models/account';
 
-import { CustomEmojiProvider } from './emoji/context';
 import { EmojiHTML } from './emoji/html';
 import { useElementHandledLink } from './status/handled_link';
 
@@ -22,12 +21,13 @@ export const AccountFields: React.FC<Pick<Account, 'fields' | 'emojis'>> = ({
   }
 
   return (
-    <CustomEmojiProvider emojis={emojis}>
+    <>
       {fields.map((pair, i) => (
         <dl key={i} className={classNames({ verified: pair.verified_at })}>
           <EmojiHTML
             as='dt'
             htmlString={pair.name_emojified}
+            extraEmojis={emojis}
             className='translate'
             {...htmlHandlers}
           />
@@ -52,12 +52,13 @@ export const AccountFields: React.FC<Pick<Account, 'fields' | 'emojis'>> = ({
             <EmojiHTML
               as='span'
               htmlString={pair.value_emojified}
+              extraEmojis={emojis}
               {...htmlHandlers}
             />
           </dd>
         </dl>
       ))}
-    </CustomEmojiProvider>
+    </>
   );
 };
 

app/javascript/flavours/glitch/components/alert/index.tsx

@@ -49,11 +49,7 @@ export const Alert: React.FC<{
       </span>
 
       {hasAction && (
-        <button
-          className='notification-bar__action'
-          onClick={onActionClick}
-          type='button'
-        >
+        <button className='notification-bar__action' onClick={onActionClick}>
           {action}
         </button>
       )}

app/javascript/flavours/glitch/components/alt_text_badge.tsx

@@ -47,7 +47,7 @@ export const AltTextBadge: React.FC<{ description: string }> = ({
         rootClose
         onHide={handleClose}
         show={open}
-        target={anchorRef}
+        target={anchorRef.current}
         placement='top-end'
         flip
         offset={offset}

app/javascript/flavours/glitch/components/autosuggest_input.jsx

@@ -159,8 +159,8 @@ export default class AutosuggestInput extends ImmutablePureComponent {
     this.input.focus();
   };
 
-  componentDidUpdate (prevProps) {
-    if (prevProps.suggestions !== this.props.suggestions && this.props.suggestions.size > 0 && this.state.suggestionsHidden && this.state.focused) {
+  UNSAFE_componentWillReceiveProps (nextProps) {
+    if (nextProps.suggestions !== this.props.suggestions && nextProps.suggestions.size > 0 && this.state.suggestionsHidden && this.state.focused) {
       this.setState({ suggestionsHidden: false });
     }
   }

app/javascript/flavours/glitch/components/autosuggest_textarea.jsx

@@ -50,7 +50,6 @@ const AutosuggestTextarea = forwardRef(({
   onKeyUp,
   onKeyDown,
   onPaste,
-  onDrop,
   onFocus,
   autoFocus = true,
   lang,
@@ -154,12 +153,6 @@ const AutosuggestTextarea = forwardRef(({
     onPaste(e);
   }, [onPaste]);
 
-  const handleDrop = useCallback((e) => {
-    if (onDrop) {
-      onDrop(e);
-    }
-  }, [onDrop]);
-
   // Show the suggestions again whenever they change and the textarea is focused
   useEffect(() => {
     if (suggestions.size > 0 && textareaRef.current === document.activeElement) {
@@ -211,7 +204,6 @@ const AutosuggestTextarea = forwardRef(({
         onFocus={handleFocus}
         onBlur={handleBlur}
         onPaste={handlePaste}
-        onDrop={handleDrop}
         dir='auto'
         aria-autocomplete='list'
         aria-label={placeholder}
@@ -243,7 +235,6 @@ AutosuggestTextarea.propTypes = {
   onKeyUp: PropTypes.func,
   onKeyDown: PropTypes.func,
   onPaste: PropTypes.func.isRequired,
-  onDrop: PropTypes.func,
   onFocus:PropTypes.func,
   autoFocus: PropTypes.bool,
   lang: PropTypes.string,

app/javascript/flavours/glitch/components/button/index.tsx

@@ -78,7 +78,6 @@ export const Button: React.FC<Props> = ({
       aria-live={loading !== undefined ? 'polite' : undefined}
       onClick={handleClick}
       title={title}
-      // eslint-disable-next-line react/button-has-type -- set correctly via TS
       type={type}
       {...props}
     >

app/javascript/flavours/glitch/components/carousel/carousel.stories.tsx

@@ -1,126 +0,0 @@
-import type { FC } from 'react';
-
-import type { Meta, StoryObj } from '@storybook/react-vite';
-import { fn, userEvent, expect } from 'storybook/test';
-
-import type { CarouselProps } from './index';
-import { Carousel } from './index';
-
-interface TestSlideProps {
-  id: number;
-  text: string;
-  color: string;
-}
-
-const TestSlide: FC<TestSlideProps & { active: boolean }> = ({
-  active,
-  text,
-  color,
-}) => (
-  <div
-    className='test-slide'
-    style={{
-      backgroundColor: active ? color : undefined,
-    }}
-  >
-    {text}
-  </div>
-);
-
-const slides: TestSlideProps[] = [
-  {
-    id: 1,
-    text: 'first',
-    color: 'red',
-  },
-  {
-    id: 2,
-    text: 'second',
-    color: 'pink',
-  },
-  {
-    id: 3,
-    text: 'third',
-    color: 'orange',
-  },
-];
-
-type StoryProps = Pick<
-  CarouselProps<TestSlideProps>,
-  'items' | 'renderItem' | 'emptyFallback' | 'onChangeSlide'
->;
-
-const meta = {
-  title: 'Components/Carousel',
-  args: {
-    items: slides,
-    renderItem(item, active) {
-      return <TestSlide {...item} active={active} key={item.id} />;
-    },
-    onChangeSlide: fn(),
-    emptyFallback: 'No slides available',
-  },
-  render(args) {
-    return (
-      <>
-        <Carousel {...args} />
-        <style>
-          {`.test-slide {
-            display: flex;
-            align-items: center;
-            justify-content: center;
-            color: white;
-            font-size: 24px;
-            font-weight: bold;
-            min-height: 100px;
-            transition: background-color 0.3s;
-            background-color: black;
-          }`}
-        </style>
-      </>
-    );
-  },
-  argTypes: {
-    emptyFallback: {
-      type: 'string',
-    },
-  },
-  tags: ['test'],
-} satisfies Meta<StoryProps>;
-
-export default meta;
-
-type Story = StoryObj<typeof meta>;
-
-export const Default: Story = {
-  async play({ args, canvas }) {
-    const nextButton = await canvas.findByRole('button', { name: /next/i });
-    const slides = await canvas.findAllByRole('group');
-    await expect(slides).toHaveLength(slides.length);
-
-    await userEvent.click(nextButton);
-    await expect(args.onChangeSlide).toHaveBeenCalledWith(1, slides[1]);
-
-    await userEvent.click(nextButton);
-    await expect(args.onChangeSlide).toHaveBeenCalledWith(2, slides[2]);
-
-    // Wrap around
-    await userEvent.click(nextButton);
-    await expect(args.onChangeSlide).toHaveBeenCalledWith(0, slides[0]);
-  },
-};
-
-export const DifferentHeights: Story = {
-  args: {
-    items: slides.map((props, index) => ({
-      ...props,
-      styles: { height: 100 + index * 100 },
-    })),
-  },
-};
-
-export const NoSlides: Story = {
-  args: {
-    items: [],
-  },
-};

app/javascript/flavours/glitch/components/carousel/index.tsx

@@ -1,244 +0,0 @@
-import { useCallback, useLayoutEffect, useMemo, useRef, useState } from 'react';
-import type {
-  ComponentPropsWithoutRef,
-  ComponentType,
-  ReactElement,
-  ReactNode,
-} from 'react';
-
-import type { MessageDescriptor } from 'react-intl';
-import { defineMessages, useIntl } from 'react-intl';
-
-import classNames from 'classnames';
-
-import { usePrevious } from '@dnd-kit/utilities';
-import { animated, useSpring } from '@react-spring/web';
-import { useDrag } from '@use-gesture/react';
-
-import type { CarouselPaginationProps } from './pagination';
-import { CarouselPagination } from './pagination';
-
-import './styles.scss';
-
-const defaultMessages = defineMessages({
-  previous: { id: 'lightbox.previous', defaultMessage: 'Previous' },
-  next: { id: 'lightbox.next', defaultMessage: 'Next' },
-  current: {
-    id: 'carousel.current',
-    defaultMessage: '<sr>Slide</sr> {current, number} / {max, number}',
-  },
-  slide: {
-    id: 'carousel.slide',
-    defaultMessage: 'Slide {current, number} of {max, number}',
-  },
-});
-
-export type MessageKeys = keyof typeof defaultMessages;
-
-export interface CarouselSlideProps {
-  id: string | number;
-}
-
-export type RenderSlideFn<
-  SlideProps extends CarouselSlideProps = CarouselSlideProps,
-> = (item: SlideProps, active: boolean, index: number) => ReactElement;
-
-export interface CarouselProps<
-  SlideProps extends CarouselSlideProps = CarouselSlideProps,
-> {
-  items: SlideProps[];
-  renderItem: RenderSlideFn<SlideProps>;
-  onChangeSlide?: (index: number, ref: Element) => void;
-  paginationComponent?: ComponentType<CarouselPaginationProps> | null;
-  paginationProps?: Partial<CarouselPaginationProps>;
-  messages?: Record<MessageKeys, MessageDescriptor>;
-  emptyFallback?: ReactNode;
-  classNamePrefix?: string;
-  slideClassName?: string;
-}
-
-export const Carousel = <
-  SlideProps extends CarouselSlideProps = CarouselSlideProps,
->({
-  items,
-  renderItem,
-  onChangeSlide,
-  paginationComponent: Pagination = CarouselPagination,
-  paginationProps = {},
-  messages = defaultMessages,
-  children,
-  emptyFallback = null,
-  className,
-  classNamePrefix = 'carousel',
-  slideClassName,
-  ...wrapperProps
-}: CarouselProps<SlideProps> & ComponentPropsWithoutRef<'div'>) => {
-  // Handle slide change
-  const [slideIndex, setSlideIndex] = useState(0);
-  const wrapperRef = useRef<HTMLDivElement>(null);
-  // Handle slide heights
-  const [currentSlideHeight, setCurrentSlideHeight] = useState(
-    () => wrapperRef.current?.scrollHeight ?? 0,
-  );
-  const previousSlideHeight = usePrevious(currentSlideHeight);
-  const handleSlideChange = useCallback(
-    (direction: number) => {
-      setSlideIndex((prev) => {
-        const max = items.length - 1;
-        let newIndex = prev + direction;
-        if (newIndex < 0) {
-          newIndex = max;
-        } else if (newIndex > max) {
-          newIndex = 0;
-        }
-
-        const slide = wrapperRef.current?.children[newIndex];
-        if (slide) {
-          setCurrentSlideHeight(slide.scrollHeight);
-          if (slide instanceof HTMLElement) {
-            onChangeSlide?.(newIndex, slide);
-          }
-        }
-
-        return newIndex;
-      });
-    },
-    [items.length, onChangeSlide],
-  );
-
-  const observerRef = useRef<ResizeObserver | null>(null);
-  observerRef.current ??= new ResizeObserver(() => {
-    handleSlideChange(0);
-  });
-
-  const wrapperStyles = useSpring({
-    x: `-${slideIndex * 100}%`,
-    height: currentSlideHeight,
-    // Don't animate from zero to the height of the initial slide
-    immediate: !previousSlideHeight,
-  });
-  useLayoutEffect(() => {
-    // Update slide height when the component mounts
-    if (currentSlideHeight === 0) {
-      handleSlideChange(0);
-    }
-  }, [currentSlideHeight, handleSlideChange]);
-
-  // Handle swiping animations
-  const bind = useDrag(
-    ({ swipe: [swipeX] }) => {
-      handleSlideChange(swipeX * -1); // Invert swipe as swiping left loads the next slide.
-    },
-    { pointer: { capture: false } },
-  );
-  const handlePrev = useCallback(() => {
-    handleSlideChange(-1);
-    // We're focusing on the wrapper as the child slides can potentially be inert.
-    // Because of that, only the active slide can be focused anyway.
-    wrapperRef.current?.focus();
-  }, [handleSlideChange]);
-  const handleNext = useCallback(() => {
-    handleSlideChange(1);
-    wrapperRef.current?.focus();
-  }, [handleSlideChange]);
-
-  const intl = useIntl();
-
-  if (items.length === 0) {
-    return emptyFallback;
-  }
-
-  return (
-    <div
-      {...bind()}
-      aria-roledescription='carousel'
-      role='region'
-      className={classNames(classNamePrefix, className)}
-      {...wrapperProps}
-    >
-      <div className={`${classNamePrefix}__header`}>
-        {children}
-        {Pagination && items.length > 1 && (
-          <Pagination
-            current={slideIndex}
-            max={items.length}
-            onNext={handleNext}
-            onPrev={handlePrev}
-            className={`${classNamePrefix}__pagination`}
-            messages={messages}
-            {...paginationProps}
-          />
-        )}
-      </div>
-
-      <animated.div
-        className={`${classNamePrefix}__slides`}
-        ref={wrapperRef}
-        style={wrapperStyles}
-        aria-label={intl.formatMessage(messages.slide, {
-          current: slideIndex + 1,
-          max: items.length,
-        })}
-        tabIndex={-1}
-      >
-        {items.map((itemsProps, index) => (
-          <CarouselSlideWrapper<SlideProps>
-            item={itemsProps}
-            renderItem={renderItem}
-            observer={observerRef.current}
-            index={index}
-            key={`slide-${itemsProps.id}`}
-            className={classNames(`${classNamePrefix}__slide`, slideClassName, {
-              active: index === slideIndex,
-            })}
-            active={index === slideIndex}
-          />
-        ))}
-      </animated.div>
-    </div>
-  );
-};
-
-type CarouselSlideWrapperProps<SlideProps extends CarouselSlideProps> = {
-  observer: ResizeObserver | null;
-  className: string;
-  active: boolean;
-  item: SlideProps;
-  index: number;
-} & Pick<CarouselProps<SlideProps>, 'renderItem'>;
-
-const CarouselSlideWrapper = <SlideProps extends CarouselSlideProps>({
-  observer,
-  className,
-  active,
-  renderItem,
-  item,
-  index,
-}: CarouselSlideWrapperProps<SlideProps>) => {
-  const handleRef = useCallback(
-    (instance: HTMLDivElement | null) => {
-      if (observer && instance) {
-        observer.observe(instance);
-      }
-    },
-    [observer],
-  );
-
-  const children = useMemo(
-    () => renderItem(item, active, index),
-    [renderItem, item, active, index],
-  );
-
-  return (
-    <div
-      ref={handleRef}
-      className={className}
-      role='group'
-      aria-roledescription='slide'
-      inert={active ? undefined : ''}
-      data-index={index}
-    >
-      {children}
-    </div>
-  );
-};

app/javascript/flavours/glitch/components/carousel/pagination.tsx

@@ -1,54 +0,0 @@
-import type { FC, MouseEventHandler } from 'react';
-
-import type { MessageDescriptor } from 'react-intl';
-import { useIntl } from 'react-intl';
-
-import ChevronLeftIcon from '@/material-icons/400-24px/chevron_left.svg?react';
-import ChevronRightIcon from '@/material-icons/400-24px/chevron_right.svg?react';
-
-import { IconButton } from '../icon_button';
-
-import type { MessageKeys } from './index';
-
-export interface CarouselPaginationProps {
-  onNext: MouseEventHandler;
-  onPrev: MouseEventHandler;
-  current: number;
-  max: number;
-  className?: string;
-  messages: Record<MessageKeys, MessageDescriptor>;
-}
-
-export const CarouselPagination: FC<CarouselPaginationProps> = ({
-  onNext,
-  onPrev,
-  current,
-  max,
-  className = '',
-  messages,
-}) => {
-  const intl = useIntl();
-  return (
-    <div className={className}>
-      <IconButton
-        title={intl.formatMessage(messages.previous)}
-        icon='chevron-left'
-        iconComponent={ChevronLeftIcon}
-        onClick={onPrev}
-      />
-      <span aria-live='polite'>
-        {intl.formatMessage(messages.current, {
-          current: current + 1,
-          max,
-          sr: (chunk) => <span className='sr-only'>{chunk}</span>,
-        })}
-      </span>
-      <IconButton
-        title={intl.formatMessage(messages.next)}
-        icon='chevron-right'
-        iconComponent={ChevronRightIcon}
-        onClick={onNext}
-      />
-    </div>
-  );
-};

app/javascript/flavours/glitch/components/carousel/styles.scss

@@ -1,28 +0,0 @@
-.carousel {
-  gap: 16px;
-  overflow: hidden;
-  touch-action: pan-y;
-
-  &__header {
-    padding: 8px 16px;
-  }
-
-  &__pagination {
-    display: flex;
-    align-items: center;
-    justify-content: center;
-    gap: 4px;
-  }
-
-  &__slides {
-    display: flex;
-    flex-wrap: nowrap;
-    align-items: start;
-  }
-
-  &__slide {
-    flex: 0 0 100%;
-    width: 100%;
-    overflow: hidden;
-  }
-}

app/javascript/flavours/glitch/components/column_back_button.tsx

@@ -30,7 +30,7 @@ export const ColumnBackButton: React.FC<{ onClick?: OnClickCallback }> = ({
   const handleClick = useHandleClick(onClick);
 
   const component = (
-    <button onClick={handleClick} className='column-back-button' type='button'>
+    <button onClick={handleClick} className='column-back-button'>
       <Icon
         id='chevron-left'
         icon={ArrowBackIcon}

app/javascript/flavours/glitch/components/column_header.tsx

@@ -53,7 +53,6 @@ const BackButton: React.FC<{
         compact: onlyIcon,
       })}
       aria-label={intl.formatMessage(messages.back)}
-      type='button'
     >
       <Icon
         id='chevron-left'
@@ -173,7 +172,6 @@ export const ColumnHeader: React.FC<Props> = ({
       <button
         className='text-btn column-header__setting-btn'
         onClick={handlePin}
-        type='button'
       >
         <Icon id='times' icon={CloseIcon} />{' '}
         <FormattedMessage id='column_header.unpin' defaultMessage='Unpin' />
@@ -187,7 +185,6 @@ export const ColumnHeader: React.FC<Props> = ({
           aria-label={intl.formatMessage(messages.moveLeft)}
           className='icon-button column-header__setting-btn'
           onClick={handleMoveLeft}
-          type='button'
         >
           <Icon id='chevron-left' icon={ChevronLeftIcon} />
         </button>
@@ -196,7 +193,6 @@ export const ColumnHeader: React.FC<Props> = ({
           aria-label={intl.formatMessage(messages.moveRight)}
           className='icon-button column-header__setting-btn'
           onClick={handleMoveRight}
-          type='button'
         >
           <Icon id='chevron-right' icon={ChevronRightIcon} />
         </button>
@@ -207,7 +203,6 @@ export const ColumnHeader: React.FC<Props> = ({
       <button
         className='text-btn column-header__setting-btn'
         onClick={handlePin}
-        type='button'
       >
         <Icon id='plus' icon={AddIcon} />{' '}
         <FormattedMessage id='column_header.pin' defaultMessage='Pin' />
@@ -242,7 +237,6 @@ export const ColumnHeader: React.FC<Props> = ({
           collapsed ? messages.show : messages.hide,
         )}
         onClick={handleToggleClick}
-        type='button'
       >
         <i className='icon-with-badge'>
           <Icon
@@ -265,11 +259,7 @@ export const ColumnHeader: React.FC<Props> = ({
           <>
             {backButton}
 
-            <button
-              onClick={handleTitleClick}
-              className='column-header__title'
-              type='button'
-            >
+            <button onClick={handleTitleClick} className='column-header__title'>
               {!backButton && (
                 <Icon
                   id={icon}

app/javascript/flavours/glitch/components/column_search_header.tsx

@@ -1,4 +1,4 @@
-import { useCallback, useState, useRef } from 'react';
+import { useCallback, useState, useEffect, useRef } from 'react';
 
 import { FormattedMessage } from 'react-intl';
 
@@ -12,15 +12,11 @@ export const ColumnSearchHeader: React.FC<{
   const inputRef = useRef<HTMLInputElement>(null);
   const [value, setValue] = useState('');
 
-  // Reset the component when it turns from active to inactive.
-  // [More on this pattern](https://react.dev/learn/you-might-not-need-an-effect#adjusting-some-state-when-a-prop-changes)
-  const [previousActive, setPreviousActive] = useState(active);
-  if (active !== previousActive) {
-    setPreviousActive(active);
+  useEffect(() => {
     if (!active) {
       setValue('');
     }
-  }
+  }, [active]);
 
   const handleChange = useCallback(
     ({ target: { value } }: React.ChangeEvent<HTMLInputElement>) => {

app/javascript/flavours/glitch/components/content_warning.tsx

@@ -41,7 +41,7 @@ export const ContentWarning: React.FC<{
       <EmojiHTML
         as='span'
         htmlString={text}
-        extraEmojis={status.get('emoji') as List<CustomEmoji>}
+        extraEmojis={status.get('emojis') as List<CustomEmoji>}
       />
     </StatusBanner>
   );

app/javascript/flavours/glitch/components/copy_paste_text.tsx

@@ -74,7 +74,7 @@ export const CopyPasteText: React.FC<{ value: string }> = ({ value }) => {
         onBlur={handleBlur}
       />
 
-      <button className='button' onClick={handleButtonClick} type='button'>
+      <button className='button' onClick={handleButtonClick}>
         <Icon id='copy' icon={ContentCopyIcon} />{' '}
         {copied ? (
           <FormattedMessage id='copypaste.copied' defaultMessage='Copied' />

app/javascript/flavours/glitch/components/dropdown/index.tsx

@@ -109,7 +109,7 @@ export const Dropdown: FC<
         placement='bottom-start'
         onHide={handleClose}
         flip
-        target={buttonRef}
+        target={buttonRef.current}
         popperConfig={{
           strategy: 'fixed',
           modifiers: [matchWidth],

app/javascript/flavours/glitch/components/dropdown_menu.tsx

@@ -216,7 +216,6 @@ export const DropdownMenu = <Item = MenuItem,>({
           onClick={handleItemClick}
           data-index={i}
           aria-disabled={disabled}
-          type='button'
         >
           <DropdownMenuItemContent item={option} />
         </button>

app/javascript/flavours/glitch/components/edited_timestamp/index.tsx

@@ -108,7 +108,7 @@ export const EditedTimestamp: React.FC<{
       onItemClick={handleItemClick}
       forceDropdown
     >
-      <button className='dropdown-menu__text-button' type='button'>
+      <button className='dropdown-menu__text-button'>
         <FormattedMessage
           id='status.edited'
           defaultMessage='Edited {date}'

app/javascript/flavours/glitch/components/emoji/index.tsx

@@ -1,14 +1,9 @@
 import type { FC } from 'react';
 import { useContext, useEffect, useState } from 'react';
 
-import classNames from 'classnames';
-
 import { EMOJI_TYPE_CUSTOM } from '@/flavours/glitch/features/emoji/constants';
 import { useEmojiAppState } from '@/flavours/glitch/features/emoji/mode';
-import {
-  emojiToInversionClassName,
-  unicodeHexToUrl,
-} from '@/flavours/glitch/features/emoji/normalize';
+import { unicodeHexToUrl } from '@/flavours/glitch/features/emoji/normalize';
 import {
   isStateLoaded,
   loadEmojiDataToState,
@@ -46,9 +41,6 @@ export const Emoji: FC<EmojiProps> = ({
   }, [appState.currentLocale, state]);
 
   const animate = useContext(AnimateEmojiContext);
-
-  const inversionClass = emojiToInversionClassName(code);
-
   const fallback = showFallback ? code : null;
 
   // If the code is invalid or we otherwise know it's not valid, show the fallback.
@@ -87,7 +79,7 @@ export const Emoji: FC<EmojiProps> = ({
       src={src}
       alt={state.data.unicode}
       title={state.data.label}
-      className={classNames('emojione', inversionClass)}
+      className='emojione'
       loading='lazy'
     />
   );

app/javascript/flavours/glitch/components/exit_animation_wrapper.tsx

@@ -27,23 +27,22 @@ export const ExitAnimationWrapper: React.FC<{
    */
   children: (delayedIsActive: boolean) => React.ReactNode;
 }> = ({ isActive = false, delayMs = 500, withEntryDelay, children }) => {
-  const [delayedIsActive, setDelayedIsActive] = useState(
-    isActive && !withEntryDelay,
-  );
+  const [delayedIsActive, setDelayedIsActive] = useState(false);
 
   useEffect(() => {
-    const withDelay = !isActive || withEntryDelay;
+    if (isActive && !withEntryDelay) {
+      setDelayedIsActive(true);
 
-    const timeout = setTimeout(
-      () => {
+      return () => '';
+    } else {
+      const timeout = setTimeout(() => {
         setDelayedIsActive(isActive);
-      },
-      withDelay ? delayMs : 0,
-    );
+      }, delayMs);
 
-    return () => {
-      clearTimeout(timeout);
-    };
+      return () => {
+        clearTimeout(timeout);
+      };
+    }
   }, [isActive, delayMs, withEntryDelay]);
 
   if (!isActive && !delayedIsActive) {

app/javascript/flavours/glitch/components/featured_carousel.tsx

@@ -1,43 +1,38 @@
-import { useCallback, useEffect, useId } from 'react';
+import type { ComponentPropsWithRef } from 'react';
+import {
+  useCallback,
+  useEffect,
+  useLayoutEffect,
+  useRef,
+  useState,
+  useId,
+} from 'react';
 
-import { defineMessages, FormattedMessage } from 'react-intl';
+import { defineMessages, FormattedMessage, useIntl } from 'react-intl';
 
 import type { Map as ImmutableMap } from 'immutable';
 import { List as ImmutableList } from 'immutable';
 
+import type { AnimatedProps } from '@react-spring/web';
+import { animated, useSpring } from '@react-spring/web';
+import { useDrag } from '@use-gesture/react';
+
 import { expandAccountFeaturedTimeline } from '@/flavours/glitch/actions/timelines';
 import { Icon } from '@/flavours/glitch/components/icon';
+import { IconButton } from '@/flavours/glitch/components/icon_button';
 import { StatusQuoteManager } from '@/flavours/glitch/components/status_quoted';
-import {
-  createAppSelector,
-  useAppDispatch,
-  useAppSelector,
-} from '@/flavours/glitch/store';
+import { usePrevious } from '@/flavours/glitch/hooks/usePrevious';
+import { useAppDispatch, useAppSelector } from '@/flavours/glitch/store';
+import ChevronLeftIcon from '@/material-icons/400-24px/chevron_left.svg?react';
+import ChevronRightIcon from '@/material-icons/400-24px/chevron_right.svg?react';
 import PushPinIcon from '@/material-icons/400-24px/push_pin.svg?react';
 
-import { Carousel } from './carousel';
-
-const pinnedStatusesSelector = createAppSelector(
-  [
-    (state, accountId: string, tagged?: string) =>
-      (state.timelines as ImmutableMap<string, unknown>).getIn(
-        [`account:${accountId}:pinned${tagged ? `:${tagged}` : ''}`, 'items'],
-        ImmutableList(),
-      ) as ImmutableList<string>,
-  ],
-  (items) => items.toArray().map((id) => ({ id })),
-);
-
 const messages = defineMessages({
-  previous: { id: 'lightbox.previous', defaultMessage: 'Previous' },
-  next: { id: 'lightbox.next', defaultMessage: 'Next' },
-  current: {
-    id: 'featured_carousel.current',
-    defaultMessage: '<sr>Post</sr> {current, number} / {max, number}',
-  },
+  previous: { id: 'featured_carousel.previous', defaultMessage: 'Previous' },
+  next: { id: 'featured_carousel.next', defaultMessage: 'Next' },
   slide: {
     id: 'featured_carousel.slide',
-    defaultMessage: 'Post {current, number} of {max, number}',
+    defaultMessage: '{index} of {total}',
   },
 });
 
@@ -45,6 +40,7 @@ export const FeaturedCarousel: React.FC<{
   accountId: string;
   tagged?: string;
 }> = ({ accountId, tagged }) => {
+  const intl = useIntl();
   const accessibilityId = useId();
 
   // Load pinned statuses
@@ -54,37 +50,175 @@ export const FeaturedCarousel: React.FC<{
       void dispatch(expandAccountFeaturedTimeline(accountId, { tagged }));
     }
   }, [accountId, dispatch, tagged]);
-  const pinnedStatuses = useAppSelector((state) =>
-    pinnedStatusesSelector(state, accountId, tagged),
+  const pinnedStatuses = useAppSelector(
+    (state) =>
+      (state.timelines as ImmutableMap<string, unknown>).getIn(
+        [`account:${accountId}:pinned${tagged ? `:${tagged}` : ''}`, 'items'],
+        ImmutableList(),
+      ) as ImmutableList<string>,
   );
 
-  const renderSlide = useCallback(
-    ({ id }: { id: string }) => (
-      <StatusQuoteManager id={id} contextType='account' withCounters />
-    ),
-    [],
+  // Handle slide change
+  const [slideIndex, setSlideIndex] = useState(0);
+  const wrapperRef = useRef<HTMLDivElement>(null);
+  const handleSlideChange = useCallback(
+    (direction: number) => {
+      setSlideIndex((prev) => {
+        const max = pinnedStatuses.size - 1;
+        let newIndex = prev + direction;
+        if (newIndex < 0) {
+          newIndex = max;
+        } else if (newIndex > max) {
+          newIndex = 0;
+        }
+        const slide = wrapperRef.current?.children[newIndex];
+        if (slide) {
+          setCurrentSlideHeight(slide.scrollHeight);
+        }
+        return newIndex;
+      });
+    },
+    [pinnedStatuses.size],
   );
 
-  if (!accountId || pinnedStatuses.length === 0) {
+  // Handle slide heights
+  const [currentSlideHeight, setCurrentSlideHeight] = useState(
+    wrapperRef.current?.scrollHeight ?? 0,
+  );
+  const previousSlideHeight = usePrevious(currentSlideHeight);
+  const observerRef = useRef<ResizeObserver>(
+    new ResizeObserver(() => {
+      handleSlideChange(0);
+    }),
+  );
+  const wrapperStyles = useSpring({
+    x: `-${slideIndex * 100}%`,
+    height: currentSlideHeight,
+    // Don't animate from zero to the height of the initial slide
+    immediate: !previousSlideHeight,
+  });
+  useLayoutEffect(() => {
+    // Update slide height when the component mounts
+    if (currentSlideHeight === 0) {
+      handleSlideChange(0);
+    }
+  }, [currentSlideHeight, handleSlideChange]);
+
+  // Handle swiping animations
+  const bind = useDrag(({ swipe: [swipeX] }) => {
+    handleSlideChange(swipeX * -1); // Invert swipe as swiping left loads the next slide.
+  });
+  const handlePrev = useCallback(() => {
+    handleSlideChange(-1);
+  }, [handleSlideChange]);
+  const handleNext = useCallback(() => {
+    handleSlideChange(1);
+  }, [handleSlideChange]);
+
+  if (!accountId || pinnedStatuses.isEmpty()) {
     return null;
   }
 
   return (
-    <Carousel
-      items={pinnedStatuses}
-      renderItem={renderSlide}
+    <div
+      className='featured-carousel'
+      {...bind()}
+      aria-roledescription='carousel'
       aria-labelledby={`${accessibilityId}-title`}
-      classNamePrefix='featured-carousel'
-      messages={messages}
+      role='region'
     >
-      <h4 className='featured-carousel__title' id={`${accessibilityId}-title`}>
-        <Icon id='thumb-tack' icon={PushPinIcon} />
-        <FormattedMessage
-          id='featured_carousel.header'
-          defaultMessage='{count, plural, one {Pinned Post} other {Pinned Posts}}'
-          values={{ count: pinnedStatuses.length }}
-        />
-      </h4>
-    </Carousel>
+      <div className='featured-carousel__header'>
+        <h4
+          className='featured-carousel__title'
+          id={`${accessibilityId}-title`}
+        >
+          <Icon id='thumb-tack' icon={PushPinIcon} />
+          <FormattedMessage
+            id='featured_carousel.header'
+            defaultMessage='{count, plural, one {Pinned Post} other {Pinned Posts}}'
+            values={{ count: pinnedStatuses.size }}
+          />
+        </h4>
+        {pinnedStatuses.size > 1 && (
+          <>
+            <IconButton
+              title={intl.formatMessage(messages.previous)}
+              icon='chevron-left'
+              iconComponent={ChevronLeftIcon}
+              onClick={handlePrev}
+            />
+            <span aria-live='polite'>
+              <FormattedMessage
+                id='featured_carousel.post'
+                defaultMessage='Post'
+              >
+                {(text) => <span className='sr-only'>{text}</span>}
+              </FormattedMessage>
+              {slideIndex + 1} / {pinnedStatuses.size}
+            </span>
+            <IconButton
+              title={intl.formatMessage(messages.next)}
+              icon='chevron-right'
+              iconComponent={ChevronRightIcon}
+              onClick={handleNext}
+            />
+          </>
+        )}
+      </div>
+      <animated.div
+        className='featured-carousel__slides'
+        ref={wrapperRef}
+        style={wrapperStyles}
+        aria-atomic='false'
+        aria-live='polite'
+      >
+        {pinnedStatuses.map((statusId, index) => (
+          <FeaturedCarouselItem
+            key={`f-${statusId}`}
+            data-index={index}
+            aria-label={intl.formatMessage(messages.slide, {
+              index: index + 1,
+              total: pinnedStatuses.size,
+            })}
+            statusId={statusId}
+            observer={observerRef.current}
+            active={index === slideIndex}
+          />
+        ))}
+      </animated.div>
+    </div>
+  );
+};
+
+interface FeaturedCarouselItemProps {
+  statusId: string;
+  active: boolean;
+  observer: ResizeObserver;
+}
+
+const FeaturedCarouselItem: React.FC<
+  FeaturedCarouselItemProps & AnimatedProps<ComponentPropsWithRef<'div'>>
+> = ({ statusId, active, observer, ...props }) => {
+  const handleRef = useCallback(
+    (instance: HTMLDivElement | null) => {
+      if (instance) {
+        observer.observe(instance);
+      }
+    },
+    [observer],
+  );
+
+  return (
+    <animated.div
+      className='featured-carousel__slide'
+      // @ts-expect-error inert in not in this version of React
+      inert={!active ? 'true' : undefined}
+      aria-roledescription='slide'
+      role='group'
+      ref={handleRef}
+      {...props}
+    >
+      <StatusQuoteManager id={statusId} contextType='account' withCounters />
+    </animated.div>
   );
 };

app/javascript/flavours/glitch/components/hashtag_bar.tsx

@@ -235,7 +235,7 @@ const HashtagBar: React.FC<{
       ))}
 
       {!expanded && hashtags.length > VISIBLE_HASHTAGS && (
-        <button className='link-button' onClick={handleClick} type='button'>
+        <button className='link-button' onClick={handleClick}>
           <FormattedMessage
             id='hashtags.and_other'
             defaultMessage='…and {count, plural, other {# more}}'

app/javascript/flavours/glitch/components/hotkeys/index.tsx

@@ -112,7 +112,6 @@ const hotkeyMatcherMap = {
   openProfile: just('p'),
   moveDown: just('j'),
   moveUp: just('k'),
-  moveToTop: just('0'),
   toggleHidden: just('x'),
   toggleSensitive: just('h'),
   toggleComposeSpoilers: optionPlus('x'),

app/javascript/flavours/glitch/components/hover_card_controller.tsx

@@ -27,6 +27,7 @@ export const HoverCardController: React.FC = () => {
   const [setLeaveTimeout, cancelLeaveTimeout] = useTimeout();
   const [setEnterTimeout, cancelEnterTimeout, delayEnterTimeout] = useTimeout();
   const [setScrollTimeout] = useTimeout();
+  const location = useLocation();
 
   const handleClose = useCallback(() => {
     cancelEnterTimeout();
@@ -35,12 +36,9 @@ export const HoverCardController: React.FC = () => {
     setAnchor(null);
   }, [cancelEnterTimeout, cancelLeaveTimeout, setOpen, setAnchor]);
 
-  const location = useLocation();
-  const [previousLocation, setPreviousLocation] = useState(location);
-  if (location !== previousLocation) {
-    setPreviousLocation(location);
+  useEffect(() => {
     handleClose();
-  }
+  }, [handleClose, location]);
 
   useEffect(() => {
     let isScrolling = false;

app/javascript/flavours/glitch/components/icon_button.tsx

@@ -1,9 +1,7 @@
-import { useCallback, forwardRef } from 'react';
+import { useState, useEffect, useCallback, forwardRef } from 'react';
 
 import classNames from 'classnames';
 
-import { usePrevious } from '../hooks/usePrevious';
-
 import { AnimatedNumber } from './animated_number';
 import type { IconProp } from './icon';
 import { Icon } from './icon';
@@ -61,6 +59,23 @@ export const IconButton = forwardRef<HTMLButtonElement, Props>(
     },
     buttonRef,
   ) => {
+    const [activate, setActivate] = useState(false);
+    const [deactivate, setDeactivate] = useState(false);
+
+    useEffect(() => {
+      if (!animate) {
+        return;
+      }
+
+      if (activate && !active) {
+        setActivate(false);
+        setDeactivate(true);
+      } else if (!activate && active) {
+        setActivate(true);
+        setDeactivate(false);
+      }
+    }, [setActivate, setDeactivate, animate, active, activate]);
+
     const handleClick: React.MouseEventHandler<HTMLButtonElement> = useCallback(
       (e) => {
         e.preventDefault();
@@ -97,15 +112,12 @@ export const IconButton = forwardRef<HTMLButtonElement, Props>(
       ...(active ? activeStyle : {}),
     };
 
-    const previousActive = usePrevious(active) ?? active;
-    const shouldAnimate = animate && active !== previousActive;
-
     const classes = classNames(className, 'icon-button', {
       active,
       disabled,
       inverted,
-      activate: shouldAnimate && active,
-      deactivate: shouldAnimate && !active,
+      activate,
+      deactivate,
       overlayed: overlay,
       'icon-button--with-counter': typeof counter !== 'undefined',
     });

app/javascript/flavours/glitch/components/learn_more_link.tsx

@@ -23,7 +23,6 @@ export const LearnMoreLink: React.FC<{ children: React.ReactNode }> = ({
         onClick={handleClick}
         aria-expanded={open}
         aria-controls={accessibilityId}
-        type='button'
       >
         <FormattedMessage
           id='learn_more_link.learn_more'
@@ -49,11 +48,7 @@ export const LearnMoreLink: React.FC<{ children: React.ReactNode }> = ({
             <div className='learn-more__popout__content'>{children}</div>
 
             <div>
-              <button
-                className='link-button'
-                onClick={handleClick}
-                type='button'
-              >
+              <button className='link-button' onClick={handleClick}>
                 <FormattedMessage
                   id='learn_more_link.got_it'
                   defaultMessage='Got it'

app/javascript/flavours/glitch/components/load_gap.tsx

@@ -32,7 +32,6 @@ export const LoadGap = <T,>({ disabled, param, onClick }: Props<T>) => {
       onClick={handleClick}
       aria-label={intl.formatMessage(messages.load_more)}
       title={intl.formatMessage(messages.load_more)}
-      type='button'
     >
       {loading ? (
         <LoadingIndicator />

app/javascript/flavours/glitch/components/load_pending.tsx

@@ -7,7 +7,7 @@ interface Props {
 
 export const LoadPending: React.FC<Props> = ({ onClick, count }) => {
   return (
-    <button className='load-more load-gap' onClick={onClick} type='button'>
+    <button className='load-more load-gap' onClick={onClick}>
       <FormattedMessage
         id='load_pending'
         defaultMessage='{count, plural, one {# new item} other {# new items}}'

app/javascript/flavours/glitch/components/logo.tsx

@@ -1,5 +1,3 @@
-import classNames from 'classnames';
-
 import logo from '@/images/logo.svg';
 
 export const WordmarkLogo: React.FC = () => (
@@ -9,12 +7,8 @@ export const WordmarkLogo: React.FC = () => (
   </svg>
 );
 
-export const IconLogo: React.FC<{ className?: string }> = ({ className }) => (
-  <svg
-    viewBox='0 0 79 79'
-    className={classNames('logo logo--icon', className)}
-    role='img'
-  >
+export const IconLogo: React.FC = () => (
+  <svg viewBox='0 0 79 79' className='logo logo--icon' role='img'>
     <title>Mastodon</title>
     <use xlinkHref='#logo-symbol-icon' />
   </svg>

app/javascript/flavours/glitch/components/media_gallery.jsx

@@ -251,13 +251,15 @@ class MediaGallery extends PureComponent {
     window.removeEventListener('resize', this.handleResize);
   }
 
-  componentDidUpdate (prevProps) {
-    if (!is(prevProps.media, this.props.media) && this.props.visible === undefined) {
-      this.setState({ visible: displayMedia !== 'hide_all' && !this.props.sensitive || displayMedia === 'show_all' });
-    } else if (!is(prevProps.visible, this.props.visible) && this.props.visible !== undefined) {
-      this.setState({ visible: this.props.visible });
+  UNSAFE_componentWillReceiveProps (nextProps) {
+    if (!is(nextProps.media, this.props.media) && nextProps.visible === undefined) {
+      this.setState({ visible: displayMedia !== 'hide_all' && !nextProps.sensitive || displayMedia === 'show_all' });
+    } else if (!is(nextProps.visible, this.props.visible) && nextProps.visible !== undefined) {
+      this.setState({ visible: nextProps.visible });
     }
+  }
 
+  componentDidUpdate () {
     if (this.node) {
       this.handleResize();
     }

app/javascript/flavours/glitch/components/modal_root.jsx

@@ -66,6 +66,14 @@ class ModalRoot extends PureComponent {
     }
   }
 
+  UNSAFE_componentWillReceiveProps (nextProps) {
+    if (!!nextProps.children && !this.props.children) {
+      this.activeElement = document.activeElement;
+
+      this.getSiblings().forEach(sibling => sibling.setAttribute('inert', true));
+    }
+  }
+
   componentDidUpdate (prevProps) {
     if (!this.props.children && !!prevProps.children) {
       this.getSiblings().forEach(sibling => sibling.removeAttribute('inert'));
@@ -82,15 +90,9 @@ class ModalRoot extends PureComponent {
 
       this._handleModalClose();
     }
-
     if (this.props.children && !prevProps.children) {
-      this.activeElement = document.activeElement;
-
-      this.getSiblings().forEach(sibling => sibling.setAttribute('inert', true));
-
       this._handleModalOpen();
     }
-
     if (this.props.children) {
       this._ensureHistoryBuffer();
     }

app/javascript/flavours/glitch/components/poll.tsx

@@ -35,9 +35,6 @@ const messages = defineMessages({
   },
 });
 
-const isPollExpired = (expiresAt: Model.Poll['expires_at']) =>
-  new Date(expiresAt).getTime() < Date.now();
-
 interface PollProps {
   pollId: string;
   status: Status;
@@ -61,7 +58,8 @@ export const Poll: React.FC<PollProps> = ({ pollId, disabled, status }) => {
     if (!poll) {
       return false;
     }
-    return poll.expired || isPollExpired(poll.expires_at);
+    const expiresAt = poll.expires_at;
+    return poll.expired || new Date(expiresAt).getTime() < Date.now();
   }, [poll]);
   const timeRemaining = useMemo(() => {
     if (!poll) {
@@ -173,14 +171,13 @@ export const Poll: React.FC<PollProps> = ({ pollId, disabled, status }) => {
             className='button button-secondary'
             disabled={voteDisabled}
             onClick={handleVote}
-            type='button'
           >
             <FormattedMessage id='poll.vote' defaultMessage='Vote' />
           </button>
         )}
         {!showResults && (
           <>
-            <button className='poll__link' onClick={handleReveal} type='button'>
+            <button className='poll__link' onClick={handleReveal}>
               <FormattedMessage id='poll.reveal' defaultMessage='See results' />
             </button>{' '}
             ·{' '}
@@ -188,11 +185,7 @@ export const Poll: React.FC<PollProps> = ({ pollId, disabled, status }) => {
         )}
         {showResults && !disabled && (
           <>
-            <button
-              className='poll__link'
-              onClick={handleRefresh}
-              type='button'
-            >
+            <button className='poll__link' onClick={handleRefresh}>
               <FormattedMessage id='poll.refresh' defaultMessage='Refresh' />
             </button>{' '}
             ·{' '}

app/javascript/flavours/glitch/components/status.jsx

@@ -115,7 +115,6 @@ class Status extends ImmutablePureComponent {
     muted: PropTypes.bool,
     hidden: PropTypes.bool,
     unread: PropTypes.bool,
-    showActions: PropTypes.bool,
     prepend: PropTypes.string,
     withDismiss: PropTypes.bool,
     isQuotedPost: PropTypes.bool,
@@ -160,6 +159,7 @@ class Status extends ImmutablePureComponent {
     'expanded',
     'unread',
     'pictureInPicture',
+    'onQuoteCancel',
     'previousId',
     'nextInReplyToId',
     'rootId',
@@ -466,8 +466,7 @@ class Status extends ImmutablePureComponent {
       onOpenMedia,
       notification,
       history,
-      showActions = true,
-      isQuotedPost = false,
+      isQuotedPost,
       ...other
     } = this.props;
     let attachments = null;
@@ -636,7 +635,7 @@ class Status extends ImmutablePureComponent {
     } else if (status.get('card') && settings.get('inline_preview_cards') && !this.props.muted && !status.get('quote')) {
       media.push(
         <Card
-          key={`${status.get('id')}-${status.get('edited_at')}`}
+          onOpenMedia={this.handleOpenMedia}
           card={status.get('card')}
           sensitive={status.get('sensitive')}
         />,
@@ -765,7 +764,7 @@ class Status extends ImmutablePureComponent {
             {/* This is a glitch-soc addition to have a placeholder */}
             {!expanded && <MentionsPlaceholder status={status} />}
 
-            {(showActions && !isQuotedPost) &&
+            {!isQuotedPost &&
               <StatusActionBar
                 status={status}
                 account={status.get('account')}