Merge pull request #3379 from ClearlyClaire/glitch-soc/merge-4.4

Merge upstream changes up to 3871f3a399 into stable-4.4

.dockerignore

@@ -5,7 +5,6 @@
 .gitattributes
 .gitignore
 .github
-.vscode
 public/system
 public/assets
 public/packs
@@ -21,7 +20,6 @@ postgres14
 redis
 elasticsearch
 chart
-storybook-static
 .yarn/
 !.yarn/patches
 !.yarn/plugins

.github/renovate.json5

@@ -6,7 +6,6 @@
     ':labels(dependencies)',
     ':prConcurrentLimitNone', // Remove limit for open PRs at any time.
     ':prHourlyLimit2', // Rate limit PR creation to a maximum of two per hour.
-    ':enableVulnerabilityAlertsWithLabel(security)',
   ],
   rebaseWhen: 'conflicted',
   minimumReleaseAge: '3', // Wait 3 days after the package has been published before upgrading it
@@ -24,6 +23,7 @@
       matchManagers: ['npm'],
       matchPackageNames: [
         'tesseract.js', // Requires code changes
+        'react-hotkeys', // Requires code changes
 
         // react-router: Requires manual upgrade
         'history',
@@ -94,19 +94,6 @@
       matchUpdateTypes: ['patch', 'minor'],
       groupName: 'eslint (non-major)',
     },
-    {
-      // Group all Storybook-related packages in the same PR
-      matchManagers: ['npm'],
-      matchPackageNames: [
-        'chromatic',
-        'storybook',
-        '@storybook/*',
-        'msw',
-        'msw-storybook-addon',
-      ],
-      matchUpdateTypes: ['patch', 'minor'],
-      groupName: 'storybook (non-major)',
-    },
     {
       // Group actions/*-artifact in the same PR
       matchManagers: ['github-actions'],
@@ -155,12 +142,6 @@
       matchUpdateTypes: ['patch', 'minor'],
       groupName: 'opentelemetry-ruby (non-major)',
     },
-    {
-      // Group Playwright Ruby & JS deps in the same PR, as they need to be in sync
-      matchManagers: ['bundler', 'npm'],
-      matchPackageNames: ['playwright-ruby-client', 'playwright'],
-      groupName: 'Playwright',
-    },
     // Add labels depending on package manager
     { matchManagers: ['npm', 'nvm'], addLabels: ['javascript'] },
     { matchManagers: ['bundler', 'ruby-version'], addLabels: ['ruby'] },

.github/workflows/build-releases.yml

@@ -20,7 +20,7 @@ jobs:
       # Only tag with latest when ran against the latest stable branch
       # This needs to be updated after each minor version release
       flavor: |
-        latest=${{ startsWith(github.ref, 'refs/tags/v4.3.') }}
+        latest=false
       tags: |
         type=pep440,pattern={{raw}}
         type=pep440,pattern=v{{major}}.{{minor}}
@@ -37,7 +37,7 @@ jobs:
       # Only tag with latest when ran against the latest stable branch
       # This needs to be updated after each minor version release
       flavor: |
-        latest=${{ startsWith(github.ref, 'refs/tags/v4.3.') }}
+        latest=false
       tags: |
         type=pep440,pattern={{raw}}
         type=pep440,pattern=v{{major}}.{{minor}}

.github/workflows/codeql.yml

@@ -25,8 +25,8 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: ['actions', 'javascript', 'ruby']
-        # CodeQL supports [ 'actions', 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        language: ['javascript', 'ruby']
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
         # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
 
     steps:

.github/workflows/crowdin-download-stable.yml

@@ -9,7 +9,7 @@ permissions:
 jobs:
   download-translations-stable:
     runs-on: ubuntu-latest
-    if: github.repository == 'mastodon/mastodon'
+    if: github.repository == 'glitch-soc/mastodon'
 
     steps:
       - name: Checkout
@@ -51,7 +51,7 @@ jobs:
 
       # Create or update the pull request
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v7.0.8
+        uses: peter-evans/create-pull-request@v7.0.6
         with:
           commit-message: 'New Crowdin translations'
           title: 'New Crowdin Translations for ${{ github.base_ref || github.ref_name }} (automated)'

.nvmrc

@@ -1 +1 @@
-22.19
+22.17

.rubocop/metrics.yml

@@ -1,21 +1,17 @@
 ---
 Metrics/AbcSize:
-  Enabled: false
+  Exclude:
+    - lib/mastodon/cli/*.rb
 
 Metrics/BlockLength:
   Enabled: false
 
-Metrics/BlockNesting:
-  Enabled: false
-
 Metrics/ClassLength:
   Enabled: false
 
-Metrics/CollectionLiteralLength:
-  Enabled: false
-
 Metrics/CyclomaticComplexity:
-  Enabled: false
+  Exclude:
+    - lib/mastodon/cli/*.rb
 
 Metrics/MethodLength:
   Enabled: false
@@ -24,7 +20,4 @@ Metrics/ModuleLength:
   Enabled: false
 
 Metrics/ParameterLists:
-  Enabled: false
-
-Metrics/PerceivedComplexity:
-  Enabled: false
+  CountKeywordArgs: false

.rubocop_todo.yml

@@ -1,11 +1,32 @@
 # This configuration was generated by
 # `rubocop --auto-gen-config --auto-gen-only-exclude --no-offense-counts --no-auto-gen-timestamp`
-# using RuboCop version 1.80.2.
+# using RuboCop version 1.77.0.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
 # versions of RuboCop, may require this file to be generated again.
 
+Lint/NonLocalExitFromIterator:
+  Exclude:
+    - 'app/helpers/json_ld_helper.rb'
+
+# Configuration parameters: AllowedMethods, AllowedPatterns, CountRepeatedAttributes.
+Metrics/AbcSize:
+  Max: 90
+
+# Configuration parameters: CountBlocks, CountModifierForms, Max.
+Metrics/BlockNesting:
+  Exclude:
+    - 'lib/tasks/mastodon.rake'
+
+# Configuration parameters: AllowedMethods, AllowedPatterns.
+Metrics/CyclomaticComplexity:
+  Enabled: false
+
+# Configuration parameters: AllowedMethods, AllowedPatterns.
+Metrics/PerceivedComplexity:
+  Enabled: false
+
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: AllowedVars, DefaultToNil.
 Style/FetchEnvVar:

.ruby-version

@@ -1 +1 @@
-3.4.6
+3.4.4

.storybook/main.ts

@@ -1,5 +1,3 @@
-import { resolve } from 'node:path';
-
 import type { StorybookConfig } from '@storybook/react-vite';
 
 const config: StorybookConfig = {
@@ -28,12 +26,6 @@ const config: StorybookConfig = {
       'oops.png',
     ].map((path) => ({ from: `../public/${path}`, to: `/${path}` })),
   ],
-  viteFinal(config) {
-    // For an unknown reason, Storybook does not use the root
-    // from the Vite config so we need to set it manually.
-    config.root = resolve(__dirname, '../app/javascript');
-    return config;
-  },
 };
 
 export default config;

.storybook/preview-body.html

@@ -1,2 +0,0 @@
-<html class="no-reduce-motion">
-</html>

.storybook/preview.tsx

@@ -12,14 +12,13 @@ import { initialize, mswLoader } from 'msw-storybook-addon';
 import { action } from 'storybook/actions';
 
 import type { LocaleData } from '@/mastodon/locales';
-import { reducerWithInitialState } from '@/mastodon/reducers';
+import { reducerWithInitialState, rootReducer } from '@/mastodon/reducers';
 import { defaultMiddleware } from '@/mastodon/store/store';
 import { mockHandlers, unhandledRequestHandler } from '@/testing/api';
 
 // If you want to run the dark theme during development,
 // you can change the below to `/application.scss`
 import '../app/javascript/styles/mastodon-light.scss';
-import './styles.css';
 
 const localeFiles = import.meta.glob('@/mastodon/locales/*.json', {
   query: { as: 'json' },
@@ -50,17 +49,12 @@ const preview: Preview = {
     locale: 'en',
   },
   decorators: [
-    (Story, { parameters, globals }) => {
-      const { locale } = globals as { locale: string };
+    (Story, { parameters }) => {
       const { state = {} } = parameters;
-      const reducer = reducerWithInitialState(
-        {
-          meta: {
-            locale,
-          },
-        },
-        state as Record<string, unknown>,
-      );
+      let reducer = rootReducer;
+      if (typeof state === 'object' && state) {
+        reducer = reducerWithInitialState(state as Record<string, unknown>);
+      }
       const store = configureStore({
         reducer,
         middleware(getDefaultMiddleware) {

.storybook/static/mockServiceWorker.js

@@ -7,8 +7,8 @@
  * - Please do NOT modify this file.
  */
 
-const PACKAGE_VERSION = '2.11.3'
-const INTEGRITY_CHECKSUM = '4db4a41e972cec1b64cc569c66952d82'
+const PACKAGE_VERSION = '2.10.2'
+const INTEGRITY_CHECKSUM = 'f5825c521429caf22a4dd13b66e243af'
 const IS_MOCKED_RESPONSE = Symbol('isMockedResponse')
 const activeClientIds = new Set()
 
@@ -71,6 +71,11 @@ addEventListener('message', async function (event) {
       break
     }
 
+    case 'MOCK_DEACTIVATE': {
+      activeClientIds.delete(clientId)
+      break
+    }
+
     case 'CLIENT_CLOSED': {
       activeClientIds.delete(clientId)
 
@@ -89,8 +94,6 @@ addEventListener('message', async function (event) {
 })
 
 addEventListener('fetch', function (event) {
-  const requestInterceptedAt = Date.now()
-
   // Bypass navigation requests.
   if (event.request.mode === 'navigate') {
     return
@@ -107,29 +110,23 @@ addEventListener('fetch', function (event) {
 
   // Bypass all requests when there are no active clients.
   // Prevents the self-unregistered worked from handling requests
-  // after it's been terminated (still remains active until the next reload).
+  // after it's been deleted (still remains active until the next reload).
   if (activeClientIds.size === 0) {
     return
   }
 
   const requestId = crypto.randomUUID()
-  event.respondWith(handleRequest(event, requestId, requestInterceptedAt))
+  event.respondWith(handleRequest(event, requestId))
 })
 
 /**
  * @param {FetchEvent} event
  * @param {string} requestId
- * @param {number} requestInterceptedAt
  */
-async function handleRequest(event, requestId, requestInterceptedAt) {
+async function handleRequest(event, requestId) {
   const client = await resolveMainClient(event)
   const requestCloneForEvents = event.request.clone()
-  const response = await getResponse(
-    event,
-    client,
-    requestId,
-    requestInterceptedAt,
-  )
+  const response = await getResponse(event, client, requestId)
 
   // Send back the response clone for the "response:*" life-cycle events.
   // Ensure MSW is active and ready to handle the message, otherwise
@@ -207,7 +204,7 @@ async function resolveMainClient(event) {
  * @param {string} requestId
  * @returns {Promise<Response>}
  */
-async function getResponse(event, client, requestId, requestInterceptedAt) {
+async function getResponse(event, client, requestId) {
   // Clone the request because it might've been already used
   // (i.e. its body has been read and sent to the client).
   const requestClone = event.request.clone()
@@ -258,7 +255,6 @@ async function getResponse(event, client, requestId, requestInterceptedAt) {
       type: 'REQUEST',
       payload: {
         id: requestId,
-        interceptedAt: requestInterceptedAt,
         ...serializedRequest,
       },
     },

.storybook/styles.css

@@ -1,8 +0,0 @@
-a {
-  color: inherit;
-  text-decoration: none;
-}
-
-a:hover {
-  text-decoration: underline;
-}

CHANGELOG.md

@@ -2,6 +2,133 @@
 
 All notable changes to this project will be documented in this file.
 
+## [4.4.13] - 2026-02-03
+
+### Security
+
+- Fix ActivityPub collection caching logic for pinned posts and featured tags not checking blocked accounts ([GHSA-ccpr-m53r-mfwr](https://github.com/mastodon/mastodon/security/advisories/GHSA-ccpr-m53r-mfwr))
+
+### Fixed
+
+- Fix relationship cache not being cleared when handling account migrations (#37664 by @ClearlyClaire)
+- Fix error when encountering invalid tag in updated object (#37635 by @ClearlyClaire)
+- Fix recycled connections not being immediately closed (#37335 and #37674 by @ClearlyClaire and @shleeable)
+
+## [4.4.12] - 2026-01-20
+
+### Security
+
+- Fix missing limits on various federated properties [GHSA-gg8q-rcg7-p79g](https://github.com/mastodon/mastodon/security/advisories/GHSA-gg8q-rcg7-p79g)
+- Fix remote user suspension bypass [GHSA-5h2f-wg8j-xqwp](https://github.com/mastodon/mastodon/security/advisories/GHSA-5h2f-wg8j-xqwp)
+- Fix missing length limits on some user-provided fields [GHSA-6x3w-9g92-gvf3](https://github.com/mastodon/mastodon/security/advisories/GHSA-6x3w-9g92-gvf3)
+- Fix missing access check for push notification settings update [GHSA-f3q8-7vw3-69v4](https://github.com/mastodon/mastodon/security/advisories/GHSA-f3q8-7vw3-69v4)
+
+### Changed
+
+- Skip tombstone creation on deleting from 404 (#37533 by @ClearlyClaire)
+
+### Fixed
+
+- Fix potential duplicate handling of quote accept/reject/delete (#37537 by @ClearlyClaire)
+- Fix `FeedManager#filter_from_home` error when handling a reblog of a deleted status (#37486 by @ClearlyClaire)
+- Fix needlessly complicated SQL query in status batch removal (#37469 by @ClearlyClaire)
+- Fix `Vary` parsing in cache control enforcement (#37426 by @MegaManSec)
+- Fix thread-unsafe ActivityPub activity dispatch (#37423 by @MegaManSec)
+- Fix SignatureParser accepting duplicate parameters in HTTP Signature header (#37375 by @shleeable)
+
+## [4.4.11] - 2026-01-07
+
+### Security
+
+- Fix SSRF protection bypass ([GHSA](https://github.com/mastodon/mastodon/security/advisories/GHSA-xfrj-c749-jxxq))
+- Fix missing ownership check in severed relationships controller ([GHSA](https://github.com/mastodon/mastodon/security/advisories/GHSA-ww85-x9cp-5v24))
+
+### Changed
+
+- Change HTTP Signature verification status from 401 to 503 on temporary failure to get remote actor (#37221 by @ClearlyClaire)
+
+### Fixed
+
+- Fix mentions of domain-blocked users being processed (#37257 by @ClearlyClaire)
+
+## [4.4.10] - 2025-12-08
+
+### Security
+
+- Fix inconsistent error handling leaking information on existence of private posts ([GHSA-gwhw-gcjx-72v8](https://github.com/mastodon/mastodon/security/advisories/GHSA-gwhw-gcjx-72v8))
+
+### Fixed
+
+- Fix YouTube embeds by sending referer (#37126 by @ChaosExAnima)
+- Fix YouTube iframe not being able to start at a defined time (#26584 by @BrunoViveiros)
+- Fix streamed quoted polls not being hydrated correctly (#37118 by @ClearlyClaire)
+- Fix error handling when re-fetching already-known statuses (#37077 by @ClearlyClaire)
+- Fix known expensive S3 batch delete operation failing because of short timeouts (#37004 by @ClearlyClaire)
+
+## [4.4.9] - 2025-11-20
+
+### Fixed
+
+- Fix `tootctl upgrade storage-schema` failing with `ArgumentError` (#36914 by @shugo)
+- Fix old previously-undiscovered posts being treated as new when receiving an `Update` (#36848 by @ClearlyClaire)
+- Fix filters not being applied to quotes in detailed view (#36843 by @ClearlyClaire)
+
+## [4.4.8] - 2025-10-21
+
+### Security
+
+- Fix quote control bypass ([GHSA-8h43-rcqj-wpc6](https://github.com/mastodon/mastodon/security/advisories/GHSA-8h43-rcqj-wpc6))
+
+## [4.4.7] - 2025-10-15
+
+### Fixed
+
+- Fix forwarder being called with `nil` status when quote post is soft-deleted (#36463 by @ClearlyClaire)
+- Fix moderation warning e-mails that include posts (#36462 by @ClearlyClaire)
+- Fix allow_referrer_origin typo (#36460 by @ShadowJonathan)
+
+## [4.4.6] - 2025-10-13
+
+### Security
+
+- Update dependencies `rack` and `uri`
+- Fix streaming server connection not being closed on user suspension (by @ThisIsMissEm, [GHSA-r2fh-jr9c-9pxh](https://github.com/mastodon/mastodon/security/advisories/GHSA-r2fh-jr9c-9pxh))
+- Fix password change through admin CLI not invalidating existing sessions and access tokens (by @ThisIsMissEm, [GHSA-f3q3-rmf7-9655](https://github.com/mastodon/mastodon/security/advisories/GHSA-f3q3-rmf7-9655))
+- Fix streaming server allowing access to public timelines even without the `read` or `read:statuses` OAuth scopes (by @ThisIsMissEm, [GHSA-7gwh-mw97-qjgp](https://github.com/mastodon/mastodon/security/advisories/GHSA-7gwh-mw97-qjgp))
+
+### Added
+
+- Add support for processing quotes of deleted posts signaled through a `Tombstone` (#36381 by @ClearlyClaire)
+
+### Fixed
+
+- Fix quote post state sometimes not being updated through streaming server (#36408 by @ClearlyClaire)
+- Fix inconsistent “pending tags” count on admin dashboard (#36404 by @mjankowski)
+- Fix JSON payload being potentially mutated when processing interaction policies (#36392 by @ClearlyClaire)
+- Fix quotes not being displayed in email notifications (#36379 by @diondiondion)
+- Fix redirect to external object when URL is missing or malformed (#36347 by @ClearlyClaire)
+- Fix quotes not being displayed in the featured carousel (#36335 by @diondiondion)
+
+## [4.4.5] - 2025-09-23
+
+### Security
+
+- Update dependencies
+
+### Added
+
+- Add support for `has:quote` in search (#36217 by @ClearlyClaire)
+
+### Changed
+
+- Change quoted posts from silenced accounts to use a click-through rather than being hidden (#36166 and #36167 by @ClearlyClaire)
+
+### Fixed
+
+- Fix processing of out-of-order `Update` as implicit updates (#36190 by @ClearlyClaire)
+- Fix getting `Create` and `Update` out of order (#36176 by @ClearlyClaire)
+- Fix quotes with Content Warnings but no text being shown without Content Warnings (#36150 by @ClearlyClaire)
+
 ## [4.4.4] - 2025-09-16
 
 ### Security
@@ -611,6 +738,7 @@ The following changelog entries focus on changes visible to users, administrator
   You can now separately filter or drop notifications from people you don't follow, people who don't follow you, accounts created within the past 30 days, as well as unsolicited private mentions, and accounts limited by the moderation.\
   Instead of being outright dropped, notifications that you chose to filter are put in a separate “Filtered notifications” box that you can review separately without it clogging your main notifications.\
   This adds the following REST API endpoints:
+
   - `GET /api/v2/notifications/policy`: https://docs.joinmastodon.org/methods/notifications/#get-policy
   - `PATCH /api/v2/notifications/policy`: https://docs.joinmastodon.org/methods/notifications/#update-the-filtering-policy-for-notifications
   - `GET /api/v1/notifications/requests`: https://docs.joinmastodon.org/methods/notifications/#get-requests
@@ -622,6 +750,7 @@ The following changelog entries focus on changes visible to users, administrator
   - `GET /api/v1/notifications/requests/merged`: https://docs.joinmastodon.org/methods/notifications/#requests-merged
 
   In addition, accepting one or more notification requests generates a new streaming event:
+
   - `notifications_merged`: an event of this type indicates accepted notification requests have finished merging, and the notifications list should be refreshed
 
 - **Add notifications of severed relationships** (#27511, #29665, #29668, #29670, #29700, #29714, #29712, and #29731 by @ClearlyClaire and @Gargron)\

Dockerfile

@@ -1,4 +1,4 @@
-# syntax=docker/dockerfile:1.18
+# syntax=docker/dockerfile:1.12
 
 # This file is designed for production server deployment, not local development work
 # For a containerized local dev environment, see: https://github.com/mastodon/mastodon/blob/main/docs/DEVELOPMENT.md#docker
@@ -13,15 +13,15 @@ ARG BASE_REGISTRY="docker.io"
 
 # Ruby image to use for base image, change with [--build-arg RUBY_VERSION="3.4.x"]
 # renovate: datasource=docker depName=docker.io/ruby
-ARG RUBY_VERSION="3.4.6"
+ARG RUBY_VERSION="3.4.4"
 # # Node.js version to use in base image, change with [--build-arg NODE_MAJOR_VERSION="20"]
 # renovate: datasource=node-version depName=node
 ARG NODE_MAJOR_VERSION="22"
-# Debian image to use for base image, change with [--build-arg DEBIAN_VERSION="trixie"]
-ARG DEBIAN_VERSION="trixie"
-# Node.js image to use for base image based on combined variables (ex: 20-trixie-slim)
+# Debian image to use for base image, change with [--build-arg DEBIAN_VERSION="bookworm"]
+ARG DEBIAN_VERSION="bookworm"
+# Node.js image to use for base image based on combined variables (ex: 20-bookworm-slim)
 FROM ${BASE_REGISTRY}/node:${NODE_MAJOR_VERSION}-${DEBIAN_VERSION}-slim AS node
-# Ruby image to use for base image based on combined variables (ex: 3.4.x-slim-trixie)
+# Ruby image to use for base image based on combined variables (ex: 3.4.x-slim-bookworm)
 FROM ${BASE_REGISTRY}/ruby:${RUBY_VERSION}-slim-${DEBIAN_VERSION} AS ruby
 
 # Resulting version string is vX.X.X-MASTODON_VERSION_PRERELEASE+MASTODON_VERSION_METADATA
@@ -96,6 +96,9 @@ RUN \
 # Set /opt/mastodon as working directory
 WORKDIR /opt/mastodon
 
+# Add backport repository for some specific packages where we need the latest version
+RUN echo 'deb http://deb.debian.org/debian bookworm-backports main' >> /etc/apt/sources.list
+
 # hadolint ignore=DL3008,DL3005
 RUN \
   # Mount Apt cache and lib directories from Docker buildx caches
@@ -158,11 +161,11 @@ RUN \
   libexif-dev \
   libexpat1-dev \
   libgirepository1.0-dev \
-  libheif-dev \
-  libhwy-dev \
+  libheif-dev/bookworm-backports \
   libimagequant-dev \
   libjpeg62-turbo-dev \
   liblcms2-dev \
+  liborc-dev \
   libspng-dev \
   libtiff-dev \
   libwebp-dev \
@@ -183,7 +186,7 @@ FROM build AS libvips
 
 # libvips version to compile, change with [--build-arg VIPS_VERSION="8.15.2"]
 # renovate: datasource=github-releases depName=libvips packageName=libvips/libvips
-ARG VIPS_VERSION=8.17.2
+ARG VIPS_VERSION=8.17.0
 # libvips download URL, change with [--build-arg VIPS_URL="https://github.com/libvips/libvips/releases/download"]
 ARG VIPS_URL=https://github.com/libvips/libvips/releases/download
 
@@ -206,7 +209,7 @@ FROM build AS ffmpeg
 
 # ffmpeg version to compile, change with [--build-arg FFMPEG_VERSION="7.0.x"]
 # renovate: datasource=repology depName=ffmpeg packageName=openpkg_current/ffmpeg
-ARG FFMPEG_VERSION=8.0
+ARG FFMPEG_VERSION=7.1
 # ffmpeg download URL, change with [--build-arg FFMPEG_URL="https://ffmpeg.org/releases"]
 ARG FFMPEG_URL=https://ffmpeg.org/releases
 
@@ -324,28 +327,28 @@ RUN \
   # Apt update install non-dev versions of necessary components
   apt-get install -y --no-install-recommends \
   libexpat1 \
-  libglib2.0-0t64 \
-  libicu76 \
+  libglib2.0-0 \
+  libicu72 \
   libidn12 \
   libpq5 \
-  libreadline8t64 \
-  libssl3t64 \
+  libreadline8 \
+  libssl3 \
   libyaml-0-2 \
   # libvips components
   libcgif0 \
   libexif12 \
-  libheif1 \
-  libhwy1t64 \
+  libheif1/bookworm-backports \
   libimagequant0 \
   libjpeg62-turbo \
   liblcms2-2 \
+  liborc-0.4-0 \
   libspng0 \
   libtiff6 \
   libwebp7 \
   libwebpdemux2 \
   libwebpmux3 \
   # ffmpeg components
-  libdav1d7 \
+  libdav1d6 \
   libmp3lame0 \
   libopencore-amrnb0 \
   libopencore-amrwb0 \
@@ -355,9 +358,9 @@ RUN \
   libvorbis0a \
   libvorbisenc2 \
   libvorbisfile3 \
-  libvpx9 \
+  libvpx7 \
   libx264-164 \
-  libx265-215 \
+  libx265-199 \
   ;
 
 # Copy Mastodon sources into final layer

FEDERATION.md

@@ -48,3 +48,22 @@ Mastodon requires all `POST` requests to be signed, and MAY require `GET` reques
 ### Additional documentation
 
 - [Mastodon documentation](https://docs.joinmastodon.org/)
+
+## Size limits
+
+Mastodon imposes a few hard limits on federated content.
+These limits are intended to be very generous and way above what the Mastodon user experience is optimized for, so as to accomodate future changes and unusual or unforeseen usage patterns, while still providing some limits for performance reasons.
+The following table attempts to summary those limits.
+
+| Limited property                                              | Size limit | Consequence of exceeding the limit |
+| ------------------------------------------------------------- | ---------- | ---------------------------------- |
+| Serialized JSON-LD                                            | 1MB        | **Activity is rejected/dropped**   |
+| Profile fields (actor `PropertyValue` attachments) name/value | 2047       | Field name/value is truncated      |
+| Number of profile fields (actor `PropertyValue` attachments)  | 50         | Fields list is truncated           |
+| Poll options (number of `anyOf`/`oneOf` in a `Question`)      | 500        | Items list is truncated            |
+| Account username (actor `preferredUsername`) length           | 2048       | **Actor will be rejected**         |
+| Account display name (actor `name`) length                    | 2048       | Display name will be truncated     |
+| Account note (actor `summary`) length                         | 20kB       | Account note will be truncated     |
+| Account `attributionDomains`                                  | 256        | List will be truncated             |
+| Account aliases (actor `alsoKnownAs`)                         | 256        | List will be truncated             |
+| Custom emoji shortcode (`Emoji` `name`)                       | 2048       | Emoji will be rejected             |

Gemfile

@@ -62,7 +62,7 @@ gem 'inline_svg'
 gem 'irb', '~> 1.8'
 gem 'kaminari', '~> 1.2'
 gem 'link_header', '~> 0.0'
-gem 'linzer', '~> 0.7.7'
+gem 'linzer', '~> 0.7.2'
 gem 'mario-redis-lock', '~> 1.2', require: 'redis_lock'
 gem 'mime-types', '~> 3.7.0', require: 'mime/types/columnar'
 gem 'mutex_m'
@@ -82,13 +82,13 @@ gem 'rqrcode', '~> 3.0'
 gem 'ruby-progressbar', '~> 1.13'
 gem 'sanitize', '~> 7.0'
 gem 'scenic', '~> 1.7'
-gem 'sidekiq', '< 9'
+gem 'sidekiq', '< 8'
 gem 'sidekiq-bulk', '~> 0.2.0'
-gem 'sidekiq-scheduler', '~> 6.0'
+gem 'sidekiq-scheduler', '~> 5.0'
 gem 'sidekiq-unique-jobs', '> 8'
 gem 'simple_form', '~> 5.2'
 gem 'simple-navigation', '~> 4.4'
-gem 'stoplight'
+gem 'stoplight', '~> 4.1'
 gem 'strong_migrations'
 gem 'tty-prompt', '~> 0.23', require: false
 gem 'twitter-text', '~> 3.1.0'
@@ -102,21 +102,21 @@ gem 'rdf-normalize', '~> 0.5'
 
 gem 'prometheus_exporter', '~> 2.2', require: false
 
-gem 'opentelemetry-api', '~> 1.7.0'
+gem 'opentelemetry-api', '~> 1.5.0'
 
 group :opentelemetry do
   gem 'opentelemetry-exporter-otlp', '~> 0.30.0', require: false
   gem 'opentelemetry-instrumentation-active_job', '~> 0.8.0', require: false
   gem 'opentelemetry-instrumentation-active_model_serializers', '~> 0.22.0', require: false
   gem 'opentelemetry-instrumentation-concurrent_ruby', '~> 0.22.0', require: false
-  gem 'opentelemetry-instrumentation-excon', '~> 0.24.0', require: false
-  gem 'opentelemetry-instrumentation-faraday', '~> 0.28.0', require: false
+  gem 'opentelemetry-instrumentation-excon', '~> 0.23.0', require: false
+  gem 'opentelemetry-instrumentation-faraday', '~> 0.27.0', require: false
   gem 'opentelemetry-instrumentation-http', '~> 0.25.0', require: false
-  gem 'opentelemetry-instrumentation-http_client', '~> 0.24.0', require: false
-  gem 'opentelemetry-instrumentation-net_http', '~> 0.24.0', require: false
+  gem 'opentelemetry-instrumentation-http_client', '~> 0.23.0', require: false
+  gem 'opentelemetry-instrumentation-net_http', '~> 0.23.0', require: false
   gem 'opentelemetry-instrumentation-pg', '~> 0.30.0', require: false
-  gem 'opentelemetry-instrumentation-rack', '~> 0.27.0', require: false
-  gem 'opentelemetry-instrumentation-rails', '~> 0.37.0', require: false
+  gem 'opentelemetry-instrumentation-rack', '~> 0.26.0', require: false
+  gem 'opentelemetry-instrumentation-rails', '~> 0.36.0', require: false
   gem 'opentelemetry-instrumentation-redis', '~> 0.26.0', require: false
   gem 'opentelemetry-instrumentation-sidekiq', '~> 0.26.0', require: false
   gem 'opentelemetry-sdk', '~> 1.4', require: false
@@ -138,7 +138,6 @@ group :test do
   # Browser integration testing
   gem 'capybara', '~> 3.39'
   gem 'capybara-playwright-driver'
-  gem 'playwright-ruby-client', '1.55.0', require: false # Pinning the exact version as it needs to be kept in sync with the installed npm package
 
   # Used to reset the database between system tests
   gem 'database_cleaner-active_record'
@@ -147,7 +146,7 @@ group :test do
   gem 'climate_control'
 
   # Validate schemas in specs
-  gem 'json-schema', '~> 6.0'
+  gem 'json-schema', '~> 5.0'
 
   # Test harness fo rack components
   gem 'rack-test', '~> 2.1'
@@ -160,6 +159,9 @@ group :test do
 
   # Stub web requests for specs
   gem 'webmock', '~> 3.18'
+
+  # Websocket driver for testing integration between rails/sidekiq and streaming
+  gem 'websocket-driver', '~> 0.8', require: false
 end
 
 group :development do
@@ -224,7 +226,7 @@ gem 'connection_pool', require: false
 gem 'xorcist', '~> 1.1'
 
 gem 'net-http', '~> 0.6.0'
-gem 'rubyzip', '~> 3.0'
+gem 'rubyzip', '~> 2.3'
 
 gem 'hcaptcha', '~> 7.1'
 

Gemfile.lock

@@ -90,13 +90,13 @@ GEM
       public_suffix (>= 2.0.2, < 7.0)
     aes_key_wrap (1.1.0)
     android_key_attestation (0.3.0)
-    annotaterb (4.19.0)
+    annotaterb (4.16.0)
       activerecord (>= 6.0.0)
       activesupport (>= 6.0.0)
     ast (2.4.3)
     attr_required (1.0.2)
-    aws-eventstream (1.4.0)
-    aws-partitions (1.1135.0)
+    aws-eventstream (1.3.2)
+    aws-partitions (1.1103.0)
     aws-sdk-core (3.215.1)
       aws-eventstream (~> 1, >= 1.3.0)
       aws-partitions (~> 1, >= 1.992.0)
@@ -109,9 +109,9 @@ GEM
       aws-sdk-core (~> 3, >= 3.210.0)
       aws-sdk-kms (~> 1)
       aws-sigv4 (~> 1.5)
-    aws-sigv4 (1.12.1)
+    aws-sigv4 (1.11.0)
       aws-eventstream (~> 1, >= 1.0.2)
-    azure-blob (0.5.9.1)
+    azure-blob (0.5.8)
       rexml
     base64 (0.3.0)
     bcp47_spec (0.2.1)
@@ -121,7 +121,7 @@ GEM
       erubi (>= 1.0.0)
       rack (>= 0.9.0)
       rouge (>= 1.0.0)
-    bigdecimal (3.2.3)
+    bigdecimal (3.2.2)
     bindata (2.5.1)
     binding_of_caller (1.0.1)
       debug_inspector (>= 1.2.0)
@@ -144,7 +144,7 @@ GEM
       rack-test (>= 0.6.3)
       regexp_parser (>= 1.5, < 3.0)
       xpath (~> 3.2)
-    capybara-playwright-driver (0.5.7)
+    capybara-playwright-driver (0.5.6)
       addressable
       capybara
       playwright-ruby-client (>= 1.16.0)
@@ -164,7 +164,7 @@ GEM
     cocoon (1.2.15)
     color_diff (0.1)
     concurrent-ruby (1.3.5)
-    connection_pool (2.5.4)
+    connection_pool (2.5.3)
     cose (1.3.1)
       cbor (~> 0.5.9)
       openssl-signature_algorithm (~> 1.0)
@@ -175,9 +175,9 @@ GEM
     css_parser (1.21.1)
       addressable
     csv (3.3.5)
-    database_cleaner-active_record (2.2.2)
+    database_cleaner-active_record (2.2.1)
       activerecord (>= 5.a)
-      database_cleaner-core (~> 2.0)
+      database_cleaner-core (~> 2.0.0)
     database_cleaner-core (2.0.1)
     date (3.4.1)
     debug (1.11.0)
@@ -224,16 +224,16 @@ GEM
       mail (~> 2.7)
     email_validator (2.2.4)
       activemodel
-    erb (5.0.2)
+    erb (5.0.1)
     erubi (1.13.1)
     et-orbi (1.2.11)
       tzinfo
-    excon (1.2.8)
+    excon (1.2.5)
       logger
     fabrication (3.0.0)
-    faker (3.5.2)
+    faker (3.5.1)
       i18n (>= 1.8.11, < 2)
-    faraday (2.13.4)
+    faraday (2.13.1)
       faraday-net_http (>= 2.0, < 3.5)
       json
       logger
@@ -241,7 +241,7 @@ GEM
       faraday (>= 1, < 3)
     faraday-httpclient (2.0.2)
       httpclient (>= 2.2)
-    faraday-net_http (3.4.1)
+    faraday-net_http (3.4.0)
       net-http (>= 0.5.0)
     fast_blank (1.0.1)
     fastimage (2.4.0)
@@ -266,14 +266,14 @@ GEM
     fog-openstack (1.1.5)
       fog-core (~> 2.1)
       fog-json (>= 1.0)
-    formatador (1.1.1)
+    formatador (1.1.0)
     forwardable (1.3.3)
     fugit (1.11.1)
       et-orbi (~> 1, >= 1.2.11)
       raabro (~> 1.4)
     globalid (1.2.1)
       activesupport (>= 6.1)
-    google-protobuf (4.31.1)
+    google-protobuf (4.31.0)
       bigdecimal
       rake (>= 13)
     googleapis-common-protos-types (1.20.0)
@@ -287,21 +287,21 @@ GEM
       activesupport (>= 5.1)
       haml (>= 4.0.6)
       railties (>= 5.1)
-    haml_lint (0.66.0)
+    haml_lint (0.64.0)
       haml (>= 5.0)
       parallel (~> 1.10)
       rainbow
       rubocop (>= 1.0)
       sysexits (~> 1.1)
-    hashdiff (1.2.0)
+    hashdiff (1.1.2)
     hashie (5.0.0)
     hcaptcha (7.1.0)
       json
     highline (3.1.2)
       reline
     hiredis (0.6.3)
-    hiredis-client (0.25.3)
-      redis-client (= 0.25.3)
+    hiredis-client (0.24.0)
+      redis-client (= 0.24.0)
     hkdf (0.3.0)
     htmlentities (4.3.4)
     http (5.3.1)
@@ -315,7 +315,7 @@ GEM
     http_accept_language (2.1.1)
     httpclient (2.9.0)
       mutex_m
-    httplog (1.7.3)
+    httplog (1.7.0)
       rack (>= 2.0)
       rainbow (>= 2.0.0)
     i18n (1.14.7)
@@ -335,7 +335,7 @@ GEM
     inline_svg (1.10.0)
       activesupport (>= 3.0)
       nokogiri (>= 1.6)
-    io-console (0.8.1)
+    io-console (0.8.0)
     irb (1.15.2)
       pp (>= 0.6.0)
       rdoc (>= 4.0.0)
@@ -345,7 +345,7 @@ GEM
       azure-blob (~> 0.5.2)
       hashie (~> 5.0)
     jmespath (1.6.2)
-    json (2.13.2)
+    json (2.12.2)
     json-canonicalization (1.0.0)
     json-jwt (1.16.7)
       activesupport (>= 4.2)
@@ -362,14 +362,14 @@ GEM
       rack (>= 2.2, < 4)
       rdf (~> 3.3)
       rexml (~> 3.2)
-    json-ld-preloaded (3.3.2)
+    json-ld-preloaded (3.3.1)
       json-ld (~> 3.3)
       rdf (~> 3.3)
-    json-schema (6.0.0)
+    json-schema (5.1.1)
       addressable (~> 2.8)
       bigdecimal (~> 3.1)
     jsonapi-renderer (0.2.2)
-    jwt (2.10.2)
+    jwt (2.10.1)
       base64
     kaminari (1.2.2)
       activesupport (>= 4.1.0)
@@ -403,7 +403,7 @@ GEM
       rexml
     link_header (0.0.8)
     lint_roller (1.1.0)
-    linzer (0.7.7)
+    linzer (0.7.3)
       cgi (~> 0.4.2)
       forwardable (~> 1.3, >= 1.3.3)
       logger (~> 1.7, >= 1.7.0)
@@ -433,26 +433,24 @@ GEM
     marcel (1.0.4)
     mario-redis-lock (1.2.1)
       redis (>= 3.0.5)
-    matrix (0.4.3)
+    matrix (0.4.2)
     memory_profiler (1.1.0)
     mime-types (3.7.0)
       logger
       mime-types-data (~> 3.2025, >= 3.2025.0507)
-    mime-types-data (3.2025.0916)
+    mime-types-data (3.2025.0514)
     mini_mime (1.1.5)
     mini_portile2 (2.8.9)
     minitest (5.25.5)
     msgpack (1.8.0)
-    multi_json (1.17.0)
+    multi_json (1.15.0)
     mutex_m (0.3.0)
     net-http (0.6.0)
       uri
-    net-imap (0.5.9)
+    net-imap (0.5.8)
       date
       net-protocol
-    net-ldap (0.20.0)
-      base64
-      ostruct
+    net-ldap (0.19.0)
     net-pop (0.1.2)
       net-protocol
     net-protocol (0.2.2)
@@ -460,7 +458,7 @@ GEM
     net-smtp (0.5.1)
       net-protocol
     nio4r (2.7.4)
-    nokogiri (1.18.10)
+    nokogiri (1.18.9)
       mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
     oj (3.16.11)
@@ -470,7 +468,7 @@ GEM
       hashie (>= 3.4.6)
       rack (>= 2.2.3)
       rack-protection
-    omniauth-cas (3.0.2)
+    omniauth-cas (3.0.1)
       addressable (~> 2.8)
       nokogiri (~> 1.12)
       omniauth (~> 2.1)
@@ -496,10 +494,10 @@ GEM
       tzinfo
       validate_url
       webfinger (~> 2.0)
-    openssl (3.3.0)
+    openssl (3.3.1)
     openssl-signature_algorithm (1.3.0)
       openssl (> 2.0)
-    opentelemetry-api (1.7.0)
+    opentelemetry-api (1.5.0)
     opentelemetry-common (0.22.0)
       opentelemetry-api (~> 1.0)
     opentelemetry-exporter-otlp (0.30.0)
@@ -517,7 +515,7 @@ GEM
       opentelemetry-api (~> 1.0)
       opentelemetry-instrumentation-active_support (~> 0.7)
       opentelemetry-instrumentation-base (~> 0.23.0)
-    opentelemetry-instrumentation-action_pack (0.13.0)
+    opentelemetry-instrumentation-action_pack (0.12.1)
       opentelemetry-api (~> 1.0)
       opentelemetry-instrumentation-base (~> 0.23.0)
       opentelemetry-instrumentation-rack (~> 0.21)
@@ -549,19 +547,19 @@ GEM
     opentelemetry-instrumentation-concurrent_ruby (0.22.0)
       opentelemetry-api (~> 1.0)
       opentelemetry-instrumentation-base (~> 0.23.0)
-    opentelemetry-instrumentation-excon (0.24.0)
+    opentelemetry-instrumentation-excon (0.23.0)
       opentelemetry-api (~> 1.0)
       opentelemetry-instrumentation-base (~> 0.23.0)
-    opentelemetry-instrumentation-faraday (0.28.0)
+    opentelemetry-instrumentation-faraday (0.27.0)
       opentelemetry-api (~> 1.0)
       opentelemetry-instrumentation-base (~> 0.23.0)
-    opentelemetry-instrumentation-http (0.25.1)
+    opentelemetry-instrumentation-http (0.25.0)
       opentelemetry-api (~> 1.0)
       opentelemetry-instrumentation-base (~> 0.23.0)
-    opentelemetry-instrumentation-http_client (0.24.0)
+    opentelemetry-instrumentation-http_client (0.23.0)
       opentelemetry-api (~> 1.0)
       opentelemetry-instrumentation-base (~> 0.23.0)
-    opentelemetry-instrumentation-net_http (0.24.0)
+    opentelemetry-instrumentation-net_http (0.23.0)
       opentelemetry-api (~> 1.0)
       opentelemetry-instrumentation-base (~> 0.23.0)
     opentelemetry-instrumentation-pg (0.30.1)
@@ -569,13 +567,13 @@ GEM
       opentelemetry-helpers-sql
       opentelemetry-helpers-sql-obfuscation
       opentelemetry-instrumentation-base (~> 0.23.0)
-    opentelemetry-instrumentation-rack (0.27.1)
+    opentelemetry-instrumentation-rack (0.26.0)
       opentelemetry-api (~> 1.0)
       opentelemetry-instrumentation-base (~> 0.23.0)
-    opentelemetry-instrumentation-rails (0.37.0)
+    opentelemetry-instrumentation-rails (0.36.0)
       opentelemetry-api (~> 1.0)
       opentelemetry-instrumentation-action_mailer (~> 0.4.0)
-      opentelemetry-instrumentation-action_pack (~> 0.13.0)
+      opentelemetry-instrumentation-action_pack (~> 0.12.0)
       opentelemetry-instrumentation-action_view (~> 0.9.0)
       opentelemetry-instrumentation-active_job (~> 0.8.0)
       opentelemetry-instrumentation-active_record (~> 0.9.0)
@@ -591,28 +589,28 @@ GEM
       opentelemetry-instrumentation-base (~> 0.23.0)
     opentelemetry-registry (0.4.0)
       opentelemetry-api (~> 1.1)
-    opentelemetry-sdk (1.9.0)
+    opentelemetry-sdk (1.8.0)
       opentelemetry-api (~> 1.1)
       opentelemetry-common (~> 0.20)
       opentelemetry-registry (~> 0.2)
       opentelemetry-semantic_conventions
-    opentelemetry-semantic_conventions (1.36.0)
+    opentelemetry-semantic_conventions (1.11.0)
       opentelemetry-api (~> 1.0)
     orm_adapter (0.5.0)
-    ostruct (0.6.3)
+    ostruct (0.6.1)
     ox (2.14.23)
       bigdecimal (>= 3.0)
     parallel (1.27.0)
-    parser (3.3.9.0)
+    parser (3.3.8.0)
       ast (~> 2.4.1)
       racc
     parslet (2.0.0)
     pastel (0.8.0)
       tty-color (~> 0.5)
-    pg (1.6.2)
+    pg (1.5.9)
     pghero (3.7.0)
       activerecord (>= 7.1)
-    playwright-ruby-client (1.55.0)
+    playwright-ruby-client (1.52.0)
       concurrent-ruby (>= 1.1.6)
       mime-types (>= 3.0)
     pp (0.6.2)
@@ -627,23 +625,24 @@ GEM
       premailer (~> 1.7, >= 1.7.9)
     prettyprint (0.2.0)
     prism (1.4.0)
-    prometheus_exporter (2.3.0)
+    prometheus_exporter (2.2.0)
       webrick
-    propshaft (1.2.1)
+    propshaft (1.1.0)
       actionpack (>= 7.0.0)
       activesupport (>= 7.0.0)
       rack
+      railties (>= 7.0.0)
     psych (5.2.6)
       date
       stringio
     public_suffix (6.0.2)
-    puma (6.6.1)
+    puma (6.6.0)
       nio4r (~> 2.0)
-    pundit (2.5.1)
+    pundit (2.5.0)
       activesupport (>= 3.0.0)
     raabro (1.4.0)
     racc (1.8.1)
-    rack (3.1.16)
+    rack (3.1.18)
     rack-attack (6.7.0)
       rack (>= 1.0, < 4)
     rack-cors (3.0.0)
@@ -683,14 +682,14 @@ GEM
       activesupport (= 8.0.2.1)
       bundler (>= 1.15.0)
       railties (= 8.0.2.1)
-    rails-dom-testing (2.3.0)
+    rails-dom-testing (2.2.0)
       activesupport (>= 5.0.0)
       minitest
       nokogiri (>= 1.6)
     rails-html-sanitizer (1.6.2)
       loofah (~> 2.21)
       nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
-    rails-i18n (8.0.2)
+    rails-i18n (8.0.1)
       i18n (>= 0.7, < 2)
       railties (>= 8.0.0, < 9)
     railties (8.0.2.1)
@@ -703,26 +702,23 @@ GEM
       zeitwerk (~> 2.6)
     rainbow (3.1.1)
     rake (13.3.0)
-    rdf (3.3.4)
+    rdf (3.3.2)
       bcp47_spec (~> 0.2)
       bigdecimal (~> 3.1, >= 3.1.5)
       link_header (~> 0.0, >= 0.0.8)
-      logger (~> 1.5)
-      ostruct (~> 0.6)
-      readline (~> 0.0)
     rdf-normalize (0.7.0)
       rdf (~> 3.3)
-    rdoc (6.14.2)
+    rdoc (6.14.1)
       erb
       psych (>= 4.0.0)
-    readline (0.0.4)
-      reline
     redcarpet (3.6.1)
     redis (4.8.1)
-    redis-client (0.25.3)
+    redis-client (0.24.0)
       connection_pool
-    regexp_parser (2.11.2)
-    reline (0.6.2)
+    redlock (1.3.2)
+      redis (>= 3.0.0, < 6.0)
+    regexp_parser (2.10.0)
+    reline (0.6.1)
       io-console (~> 0.5)
     request_store (1.7.0)
       rack (>= 1.4)
@@ -731,17 +727,17 @@ GEM
       railties (>= 5.2)
     rexml (3.4.4)
     rotp (6.3.0)
-    rouge (4.6.0)
+    rouge (4.5.2)
     rpam2 (4.0.2)
     rqrcode (3.1.0)
       chunky_png (~> 1.0)
       rqrcode_core (~> 2.0)
     rqrcode_core (2.0.0)
-    rspec (3.13.1)
+    rspec (3.13.0)
       rspec-core (~> 3.13.0)
       rspec-expectations (~> 3.13.0)
       rspec-mocks (~> 3.13.0)
-    rspec-core (3.13.5)
+    rspec-core (3.13.4)
       rspec-support (~> 3.13.0)
     rspec-expectations (3.13.5)
       diff-lcs (>= 1.2.0, < 2.0)
@@ -751,7 +747,7 @@ GEM
     rspec-mocks (3.13.5)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
-    rspec-rails (8.0.2)
+    rspec-rails (8.0.1)
       actionpack (>= 7.2)
       activesupport (>= 7.2)
       railties (>= 7.2)
@@ -759,13 +755,13 @@ GEM
       rspec-expectations (~> 3.13)
       rspec-mocks (~> 3.13)
       rspec-support (~> 3.13)
-    rspec-sidekiq (5.2.0)
+    rspec-sidekiq (5.1.0)
       rspec-core (~> 3.0)
       rspec-expectations (~> 3.0)
       rspec-mocks (~> 3.0)
       sidekiq (>= 5, < 9)
     rspec-support (3.13.4)
-    rubocop (1.80.2)
+    rubocop (1.77.0)
       json (~> 2.3)
       language_server-protocol (~> 3.17.0.2)
       lint_roller (~> 1.1.0)
@@ -773,10 +769,10 @@ GEM
       parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
       regexp_parser (>= 2.9.3, < 3.0)
-      rubocop-ast (>= 1.46.0, < 2.0)
+      rubocop-ast (>= 1.45.1, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 2.4.0, < 4.0)
-    rubocop-ast (1.46.0)
+    rubocop-ast (1.45.1)
       parser (>= 3.3.7.2)
       prism (~> 1.4)
     rubocop-capybara (2.22.1)
@@ -785,17 +781,17 @@ GEM
     rubocop-i18n (3.2.3)
       lint_roller (~> 1.1)
       rubocop (>= 1.72.1)
-    rubocop-performance (1.26.0)
+    rubocop-performance (1.25.0)
       lint_roller (~> 1.1)
       rubocop (>= 1.75.0, < 2.0)
-      rubocop-ast (>= 1.44.0, < 2.0)
-    rubocop-rails (2.33.3)
+      rubocop-ast (>= 1.38.0, < 2.0)
+    rubocop-rails (2.32.0)
       activesupport (>= 4.2.0)
       lint_roller (~> 1.1)
       rack (>= 1.1)
       rubocop (>= 1.75.0, < 2.0)
       rubocop-ast (>= 1.44.0, < 2.0)
-    rubocop-rspec (3.7.0)
+    rubocop-rspec (3.6.0)
       lint_roller (~> 1.1)
       rubocop (~> 1.72, >= 1.72.1)
     rubocop-rspec_rails (2.31.0)
@@ -808,10 +804,10 @@ GEM
     ruby-saml (1.18.1)
       nokogiri (>= 1.13.10)
       rexml
-    ruby-vips (2.2.5)
+    ruby-vips (2.2.4)
       ffi (~> 1.12)
       logger
-    rubyzip (3.1.0)
+    rubyzip (2.4.1)
     rufus-scheduler (3.9.2)
       fugit (~> 1.1, >= 1.11.1)
     safety_net_attestation (0.4.0)
@@ -819,23 +815,24 @@ GEM
     sanitize (7.0.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.16.8)
-    scenic (1.9.0)
+    scenic (1.8.0)
       activerecord (>= 4.0.0)
       railties (>= 4.0.0)
     securerandom (0.4.1)
     shoulda-matchers (6.5.0)
       activesupport (>= 5.2.0)
-    sidekiq (8.0.7)
-      connection_pool (>= 2.5.0)
-      json (>= 2.9.0)
-      logger (>= 1.6.2)
-      rack (>= 3.1.0)
-      redis-client (>= 0.23.2)
+    sidekiq (7.3.9)
+      base64
+      connection_pool (>= 2.3.0)
+      logger
+      rack (>= 2.2.4)
+      redis-client (>= 0.22.2)
     sidekiq-bulk (0.2.0)
       sidekiq
-    sidekiq-scheduler (6.0.1)
+    sidekiq-scheduler (5.0.6)
       rufus-scheduler (~> 3.2)
-      sidekiq (>= 7.3, < 9)
+      sidekiq (>= 6, < 8)
+      tilt (>= 1.4.0, < 3)
     sidekiq-unique-jobs (8.0.11)
       concurrent-ruby (~> 1.0, >= 1.0.5)
       sidekiq (>= 7.0.0, < 9.0.0)
@@ -849,16 +846,16 @@ GEM
       docile (~> 1.1)
       simplecov-html (~> 0.11)
       simplecov_json_formatter (~> 0.1)
-    simplecov-html (0.13.2)
-    simplecov-lcov (0.9.0)
+    simplecov-html (0.13.1)
+    simplecov-lcov (0.8.0)
     simplecov_json_formatter (0.1.4)
     stackprof (0.2.27)
     starry (0.2.0)
       base64
-    stoplight (5.3.8)
-      zeitwerk
+    stoplight (4.1.1)
+      redlock (~> 1.0)
     stringio (3.1.7)
-    strong_migrations (2.5.0)
+    strong_migrations (2.4.0)
       activerecord (>= 7.1)
     swd (2.0.3)
       activesupport (>= 3)
@@ -866,14 +863,14 @@ GEM
       faraday (~> 2.0)
       faraday-follow_redirects
     sysexits (1.2.0)
-    temple (0.10.4)
+    temple (0.10.3)
     terminal-table (4.0.0)
       unicode-display_width (>= 1.1.1, < 4)
-    terrapin (1.1.1)
+    terrapin (1.1.0)
       climate_control
     test-prof (1.4.4)
     thor (1.4.0)
-    tilt (2.6.1)
+    tilt (2.6.0)
     timeout (0.4.3)
     tpm-key_attestation (0.14.1)
       bindata (~> 2.4)
@@ -899,10 +896,10 @@ GEM
     unf (0.1.4)
       unf_ext
     unf_ext (0.0.9.1)
-    unicode-display_width (3.1.5)
+    unicode-display_width (3.1.4)
       unicode-emoji (~> 4.0, >= 4.0.4)
     unicode-emoji (4.0.4)
-    uri (1.0.3)
+    uri (1.0.4)
     useragent (0.16.11)
     validate_url (1.0.15)
       activemodel (>= 3.0.0)
@@ -1005,13 +1002,13 @@ DEPENDENCIES
   jd-paperclip-azure (~> 3.0)
   json-ld
   json-ld-preloaded (~> 3.2)
-  json-schema (~> 6.0)
+  json-schema (~> 5.0)
   kaminari (~> 1.2)
   kt-paperclip (~> 7.2)
   letter_opener (~> 1.8)
   letter_opener_web (~> 3.0)
   link_header (~> 0.0)
-  linzer (~> 0.7.7)
+  linzer (~> 0.7.2)
   lograge (~> 0.12)
   mail (~> 2.8)
   mario-redis-lock (~> 1.2)
@@ -1027,19 +1024,19 @@ DEPENDENCIES
   omniauth-rails_csrf_protection (~> 1.0)
   omniauth-saml (~> 2.0)
   omniauth_openid_connect (~> 0.8.0)
-  opentelemetry-api (~> 1.7.0)
+  opentelemetry-api (~> 1.5.0)
   opentelemetry-exporter-otlp (~> 0.30.0)
   opentelemetry-instrumentation-active_job (~> 0.8.0)
   opentelemetry-instrumentation-active_model_serializers (~> 0.22.0)
   opentelemetry-instrumentation-concurrent_ruby (~> 0.22.0)
-  opentelemetry-instrumentation-excon (~> 0.24.0)
-  opentelemetry-instrumentation-faraday (~> 0.28.0)
+  opentelemetry-instrumentation-excon (~> 0.23.0)
+  opentelemetry-instrumentation-faraday (~> 0.27.0)
   opentelemetry-instrumentation-http (~> 0.25.0)
-  opentelemetry-instrumentation-http_client (~> 0.24.0)
-  opentelemetry-instrumentation-net_http (~> 0.24.0)
+  opentelemetry-instrumentation-http_client (~> 0.23.0)
+  opentelemetry-instrumentation-net_http (~> 0.23.0)
   opentelemetry-instrumentation-pg (~> 0.30.0)
-  opentelemetry-instrumentation-rack (~> 0.27.0)
-  opentelemetry-instrumentation-rails (~> 0.37.0)
+  opentelemetry-instrumentation-rack (~> 0.26.0)
+  opentelemetry-instrumentation-rails (~> 0.36.0)
   opentelemetry-instrumentation-redis (~> 0.26.0)
   opentelemetry-instrumentation-sidekiq (~> 0.26.0)
   opentelemetry-sdk (~> 1.4)
@@ -1047,7 +1044,6 @@ DEPENDENCIES
   parslet
   pg (~> 1.5)
   pghero
-  playwright-ruby-client (= 1.55.0)
   premailer-rails
   prometheus_exporter (~> 2.2)
   propshaft
@@ -1076,20 +1072,20 @@ DEPENDENCIES
   ruby-prof
   ruby-progressbar (~> 1.13)
   ruby-vips (~> 2.2)
-  rubyzip (~> 3.0)
+  rubyzip (~> 2.3)
   sanitize (~> 7.0)
   scenic (~> 1.7)
   shoulda-matchers
-  sidekiq (< 9)
+  sidekiq (< 8)
   sidekiq-bulk (~> 0.2.0)
-  sidekiq-scheduler (~> 6.0)
+  sidekiq-scheduler (~> 5.0)
   sidekiq-unique-jobs (> 8)
   simple-navigation (~> 4.4)
   simple_form (~> 5.2)
   simplecov (~> 0.22)
   simplecov-lcov (~> 0.8)
   stackprof
-  stoplight
+  stoplight (~> 4.1)
   strong_migrations
   test-prof
   thor (~> 1.2)
@@ -1100,10 +1096,11 @@ DEPENDENCIES
   webauthn (~> 3.0)
   webmock (~> 3.18)
   webpush!
+  websocket-driver (~> 0.8)
   xorcist (~> 1.1)
 
 RUBY VERSION
    ruby 3.4.1p0
 
 BUNDLED WITH
-   2.7.1
+   2.6.9

README.md

@@ -33,71 +33,71 @@ Mastodon Glitch Edition is a fork of [Mastodon](https://github.com/mastodon/mast
     <img src="https://d322cqt584bo4o.cloudfront.net/mastodon/localized.svg" alt="Crowdin" /></a>
 </p>
 
-Mastodon is a **free, open-source social network server** based on [ActivityPub](https://www.w3.org/TR/activitypub/) where users can follow friends and discover new ones. On Mastodon, users can publish anything they want: links, pictures, text, and video. All Mastodon servers are interoperable as a federated network (users on one server can seamlessly communicate with users from another one, including non-Mastodon software that implements ActivityPub!)
+Mastodon is a **free, open-source social network server** based on ActivityPub where users can follow friends and discover new ones. On Mastodon, users can publish anything they want: links, pictures, text, and video. All Mastodon servers are interoperable as a federated network (users on one server can seamlessly communicate with users from another one, including non-Mastodon software that implements ActivityPub!)
 
 ## Navigation
 
 - [Project homepage 🐘](https://joinmastodon.org)
-- [Donate to support development 🎁](https://joinmastodon.org/sponsors#donate)
-  - [View sponsors](https://joinmastodon.org/sponsors)
-- [Blog 📰](https://blog.joinmastodon.org)
-- [Documentation 📚](https://docs.joinmastodon.org)
-- [Official container image 🚢](https://github.com/mastodon/mastodon/pkgs/container/mastodon)
+- [Support the development via Patreon][patreon]
+- [View sponsors](https://joinmastodon.org/sponsors)
+- [Blog](https://blog.joinmastodon.org)
+- [Documentation](https://docs.joinmastodon.org)
+- [Roadmap](https://joinmastodon.org/roadmap)
+- [Official Docker image](https://github.com/mastodon/mastodon/pkgs/container/mastodon)
+- [Browse Mastodon servers](https://joinmastodon.org/communities)
+- [Browse Mastodon apps](https://joinmastodon.org/apps)
+
+[patreon]: https://www.patreon.com/mastodon
 
 ## Features
 
-<img src="./app/javascript/images/elephant_ui_working.svg?raw=true" align="right" width="30%" />
+<img src="/app/javascript/images/elephant_ui_working.svg?raw=true" align="right" width="30%" />
 
-**Part of the Fediverse. Based on open standards, with no vendor lock-in.** - the network goes beyond just Mastodon; anything that implements ActivityPub is part of a broader social network known as [the Fediverse](https://jointhefediverse.net/). You can follow and interact with users on other servers (including those running different software), and they can follow you back.
+**No vendor lock-in: Fully interoperable with any conforming platform** - It doesn't have to be Mastodon; whatever implements ActivityPub is part of the social network! [Learn more](https://blog.joinmastodon.org/2018/06/why-activitypub-is-the-future/)
 
-**Real-time, chronological timeline updates** - updates of people you're following appear in real-time in the UI.
+**Real-time, chronological timeline updates** - updates of people you're following appear in real-time in the UI via WebSockets. There's a firehose view as well!
 
-**Media attachments** - upload and view images and videos attached to the updates. Videos with no audio track are treated like animated GIFs; normal videos loop continuously.
+**Media attachments like images and short videos** - upload and view images and WebM/MP4 videos attached to the updates. Videos with no audio track are treated like GIFs; normal videos loop continuously!
 
-**Safety and moderation tools** - Mastodon includes private posts, locked accounts, phrase filtering, muting, blocking, and many other features, along with a reporting and moderation system.
+**Safety and moderation tools** - Mastodon includes private posts, locked accounts, phrase filtering, muting, blocking, and all sorts of other features, along with a reporting and moderation system. [Learn more](https://blog.joinmastodon.org/2018/07/cage-the-mastodon/)
 
-**OAuth2 and a straightforward REST API** - Mastodon acts as an OAuth2 provider, and third party apps can use the REST and Streaming APIs. This results in a [rich app ecosystem](https://joinmastodon.org/apps) with a variety of choices!
+**OAuth2 and a straightforward REST API** - Mastodon acts as an OAuth2 provider, so 3rd party apps can use the REST and Streaming APIs. This results in a rich app ecosystem with a lot of choices!
 
 ## Deployment
 
 ### Tech stack
 
-- [Ruby on Rails](https://github.com/rails/rails) powers the REST API and other web pages.
-- [PostgreSQL](https://www.postgresql.org/) is the main database.
-- [Redis](https://redis.io/) and [Sidekiq](https://sidekiq.org/) are used for caching and queueing.
-- [Node.js](https://nodejs.org/) powers the streaming API.
-- [React.js](https://reactjs.org/) and [Redux](https://redux.js.org/) are used for the dynamic parts of the interface.
-- [BrowserStack](https://www.browserstack.com/) supports testing on real devices and browsers. (This project is tested with BrowserStack)
-- [Chromatic](https://www.chromatic.com/) provides visual regression testing. (This project is tested with Chromatic)
+- **Ruby on Rails** powers the REST API and other web pages
+- **React.js** and **Redux** are used for the dynamic parts of the interface
+- **Node.js** powers the streaming API
 
 ### Requirements
 
-- **Ruby** 3.2+
 - **PostgreSQL** 13+
-- **Redis** 7.0+
+- **Redis** 6.2+
+- **Ruby** 3.2+
 - **Node.js** 20+
 
-This repository includes deployment configurations for **Docker and docker-compose**, as well as for other environments like Heroku and Scalingo. For Helm charts, reference the [mastodon/chart repository](https://github.com/mastodon/chart). A [**standalone** installation guide](https://docs.joinmastodon.org/admin/install/) is available in the main documentation.
+The repository includes deployment configurations for **Docker and docker-compose** as well as specific platforms like **Heroku**, and **Scalingo**. For Helm charts, reference the [mastodon/chart repository](https://github.com/mastodon/chart). The [**standalone** installation guide](https://docs.joinmastodon.org/admin/install/) is available in the documentation.
 
 ## Contributing
 
-Mastodon is **free, open-source software** licensed under **AGPLv3**. We welcome contributions and help from anyone who wants to improve the project.
+Mastodon is **free, open-source software** licensed under **AGPLv3**.
 
-You should read the overall [CONTRIBUTING](https://github.com/mastodon/.github/blob/main/CONTRIBUTING.md) guide, which covers our development processes.
+You can open issues for bugs you've found or features you think are missing. You
+can also submit pull requests to this repository or translations via Crowdin. To
+get started, look at the [CONTRIBUTING] and [DEVELOPMENT] guides. For changes
+accepted into Mastodon, you can request to be paid through our [OpenCollective].
 
-You should also read and understand the [CODE OF CONDUCT](https://github.com/mastodon/.github/blob/main/CODE_OF_CONDUCT.md) that enables us to maintain a welcoming and inclusive community. Collaboration begins with mutual respect and understanding.
+**IRC channel**: #mastodon on [`irc.libera.chat`](https://libera.chat)
 
-You can learn about setting up a development environment in the [DEVELOPMENT](docs/DEVELOPMENT.md) documentation.
-
-If you would like to help with translations 🌐 you can do so on [Crowdin](https://crowdin.com/project/mastodon).
-
-## LICENSE
+## License
 
 Copyright (c) 2016-2025 Eugen Rochko (+ [`mastodon authors`](AUTHORS.md))
 
 Licensed under GNU Affero General Public License as stated in the [LICENSE](LICENSE):
 
-```text
+```
 Copyright (c) 2016-2025 Eugen Rochko & other Mastodon contributors
 
 This program is free software: you can redistribute it and/or modify it under
@@ -113,3 +113,7 @@ details.
 You should have received a copy of the GNU Affero General Public License along
 with this program. If not, see https://www.gnu.org/licenses/
 ```
+
+[CONTRIBUTING]: CONTRIBUTING.md
+[DEVELOPMENT]: docs/DEVELOPMENT.md
+[OpenCollective]: https://opencollective.com/mastodon

SECURITY.md

@@ -16,6 +16,5 @@ A "vulnerability in Mastodon" is a vulnerability in the code distributed through
 | Version | Supported        |
 | ------- | ---------------- |
 | 4.4.x   | Yes              |
-| 4.3.x   | Yes              |
-| 4.2.x   | Until 2026-01-08 |
-| < 4.2   | No               |
+| 4.3.x   | Until 2026-05-06 |
+| < 4.3   | No               |

Vagrantfile

@@ -54,7 +54,6 @@ sudo apt-get install \
   pkg-config \
   protobuf-compiler \
   zlib1g-dev \
-  libvips42t64 \
   -y
 
 # Install rvm
@@ -135,7 +134,7 @@ VAGRANTFILE_API_VERSION = "2"
 
 Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
 
-  config.vm.box = "bento/ubuntu-24.04"
+  config.vm.box = "ubuntu/focal64"
 
   config.vm.provider :virtualbox do |vb|
     vb.name = "mastodon"

app/controllers/activitypub/collections_controller.rb

@@ -4,17 +4,31 @@ class ActivityPub::CollectionsController < ActivityPub::BaseController
   vary_by -> { 'Signature' if authorized_fetch_mode? }
 
   before_action :require_account_signature!, if: :authorized_fetch_mode?
+  before_action :check_authorization
   before_action :set_items
   before_action :set_size
   before_action :set_type
 
   def show
     expires_in 3.minutes, public: public_fetch_mode?
-    render_with_cache json: collection_presenter, content_type: 'application/activity+json', serializer: ActivityPub::CollectionSerializer, adapter: ActivityPub::Adapter
+
+    if @unauthorized
+      render json: collection_presenter, content_type: 'application/activity+json', serializer: ActivityPub::CollectionSerializer, adapter: ActivityPub::Adapter
+    else
+      render_with_cache json: collection_presenter, content_type: 'application/activity+json', serializer: ActivityPub::CollectionSerializer, adapter: ActivityPub::Adapter
+    end
   end
 
   private
 
+  def check_authorization
+    # Because in public fetch mode we cache the response, there would be no
+    # benefit from performing the check below, since a blocked account or domain
+    # would likely be served the cache from the reverse proxy anyway
+
+    @unauthorized = authorized_fetch_mode? && !signed_request_account.nil? && (@account.blocking?(signed_request_account) || (!signed_request_account.domain.nil? && @account.domain_blocking?(signed_request_account.domain)))
+  end
+
   def set_items
     case params[:id]
     when 'featured'
@@ -57,11 +71,7 @@ class ActivityPub::CollectionsController < ActivityPub::BaseController
   end
 
   def for_signed_account
-    # Because in public fetch mode we cache the response, there would be no
-    # benefit from performing the check below, since a blocked account or domain
-    # would likely be served the cache from the reverse proxy anyway
-
-    if authorized_fetch_mode? && !signed_request_account.nil? && (@account.blocking?(signed_request_account) || (!signed_request_account.domain.nil? && @account.domain_blocking?(signed_request_account.domain)))
+    if @unauthorized
       []
     else
       yield

app/controllers/activitypub/contexts_controller.rb

@@ -1,82 +0,0 @@
-# frozen_string_literal: true
-
-class ActivityPub::ContextsController < ActivityPub::BaseController
-  vary_by -> { 'Signature' if authorized_fetch_mode? }
-
-  before_action :require_account_signature!, if: :authorized_fetch_mode?
-  before_action :set_conversation
-  before_action :set_items
-
-  DESCENDANTS_LIMIT = 60
-
-  def show
-    expires_in 3.minutes, public: public_fetch_mode?
-    render_with_cache json: context_presenter, serializer: ActivityPub::ContextSerializer, adapter: ActivityPub::Adapter, content_type: 'application/activity+json'
-  end
-
-  def items
-    expires_in 3.minutes, public: public_fetch_mode?
-    render_with_cache json: items_collection_presenter, serializer: ActivityPub::CollectionSerializer, adapter: ActivityPub::Adapter, content_type: 'application/activity+json'
-  end
-
-  private
-
-  def account_required?
-    false
-  end
-
-  def set_conversation
-    account_id, status_id = params[:id].split('-')
-    @conversation = Conversation.local.find_by(parent_account_id: account_id, parent_status_id: status_id)
-  end
-
-  def set_items
-    @items = @conversation.statuses.distributable_visibility.paginate_by_min_id(DESCENDANTS_LIMIT, params[:min_id])
-  end
-
-  def context_presenter
-    first_page = ActivityPub::CollectionPresenter.new(
-      id: items_context_url(@conversation, page_params),
-      type: :unordered,
-      part_of: items_context_url(@conversation),
-      next: next_page,
-      items: @items.map { |status| status.local? ? ActivityPub::TagManager.instance.uri_for(status) : status.uri }
-    )
-
-    ActivityPub::ContextPresenter.from_conversation(@conversation).tap do |presenter|
-      presenter.first = first_page
-    end
-  end
-
-  def items_collection_presenter
-    page = ActivityPub::CollectionPresenter.new(
-      id: items_context_url(@conversation, page_params),
-      type: :unordered,
-      part_of: items_context_url(@conversation),
-      next: next_page,
-      items: @items.map { |status| status.local? ? ActivityPub::TagManager.instance.uri_for(status) : status.uri }
-    )
-
-    return page if page_requested?
-
-    ActivityPub::CollectionPresenter.new(
-      id: items_context_url(@conversation),
-      type: :unordered,
-      first: page
-    )
-  end
-
-  def page_requested?
-    truthy_param?(:page)
-  end
-
-  def next_page
-    return nil if @items.size < DESCENDANTS_LIMIT
-
-    items_context_url(@conversation, page: true, min_id: @items.last.id)
-  end
-
-  def page_params
-    params.permit(:page, :min_id)
-  end
-end

app/controllers/activitypub/inboxes_controller.rb

@@ -3,6 +3,7 @@
 class ActivityPub::InboxesController < ActivityPub::BaseController
   include JsonLdHelper
 
+  before_action :skip_large_payload
   before_action :skip_unknown_actor_activity
   before_action :require_actor_signature!
   skip_before_action :authenticate_user!
@@ -16,6 +17,10 @@ class ActivityPub::InboxesController < ActivityPub::BaseController
 
   private
 
+  def skip_large_payload
+    head 413 if request.content_length > ActivityPub::Activity::MAX_JSON_SIZE
+  end
+
   def skip_unknown_actor_activity
     head 202 if unknown_affected_account?
   end

app/controllers/activitypub/likes_controller.rb

@@ -22,7 +22,7 @@ class ActivityPub::LikesController < ActivityPub::BaseController
   def set_status
     @status = @account.statuses.find(params[:status_id])
     authorize @status, :show?
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 

app/controllers/activitypub/quote_authorizations_controller.rb

@@ -1,30 +0,0 @@
-# frozen_string_literal: true
-
-class ActivityPub::QuoteAuthorizationsController < ActivityPub::BaseController
-  include Authorization
-
-  vary_by -> { 'Signature' if authorized_fetch_mode? }
-
-  before_action :require_account_signature!, if: :authorized_fetch_mode?
-  before_action :set_quote_authorization
-
-  def show
-    expires_in 30.seconds, public: true if @quote.status.distributable? && public_fetch_mode?
-    render json: @quote, serializer: ActivityPub::QuoteAuthorizationSerializer, adapter: ActivityPub::Adapter, content_type: 'application/activity+json'
-  end
-
-  private
-
-  def pundit_user
-    signed_request_account
-  end
-
-  def set_quote_authorization
-    @quote = Quote.accepted.where(quoted_account: @account).find(params[:id])
-    return not_found unless @quote.status.present? && @quote.quoted_status.present?
-
-    authorize @quote.status, :show?
-  rescue Mastodon::NotPermittedError
-    not_found
-  end
-end

app/controllers/activitypub/replies_controller.rb

@@ -25,7 +25,7 @@ class ActivityPub::RepliesController < ActivityPub::BaseController
   def set_status
     @status = @account.statuses.find(params[:status_id])
     authorize @status, :show?
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 

app/controllers/activitypub/shares_controller.rb

@@ -22,7 +22,7 @@ class ActivityPub::SharesController < ActivityPub::BaseController
   def set_status
     @status = @account.statuses.find(params[:status_id])
     authorize @status, :show?
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 

app/controllers/admin/accounts_controller.rb

@@ -16,14 +16,11 @@ module Admin
     def batch
       authorize :account, :index?
 
-      @form = Form::AccountBatch.new(
-        form_account_batch_params.merge(
-          action: action_from_button,
-          current_account:,
-          query: filtered_accounts,
-          select_all_matching: params[:select_all_matching]
-        )
-      )
+      @form = Form::AccountBatch.new(form_account_batch_params)
+      @form.current_account = current_account
+      @form.action = action_from_button
+      @form.select_all_matching = params[:select_all_matching]
+      @form.query = filtered_accounts
       @form.save
     rescue ActionController::ParameterMissing
       flash[:alert] = I18n.t('admin.accounts.no_account_selected')

app/controllers/admin/action_logs_controller.rb

@@ -6,7 +6,7 @@ module Admin
 
     def index
       authorize :audit_log, :index?
-      @auditable_accounts = Account.auditable.select(:id, :username).order(username: :asc)
+      @auditable_accounts = Account.auditable.select(:id, :username)
     end
 
     private

app/controllers/admin/confirmations_controller.rb

@@ -19,13 +19,15 @@ module Admin
 
       log_action :resend, @user
 
-      redirect_to admin_accounts_path, notice: t('admin.accounts.resend_confirmation.success')
+      flash[:notice] = I18n.t('admin.accounts.resend_confirmation.success')
+      redirect_to admin_accounts_path
     end
 
     private
 
     def redirect_confirmed_user
-      redirect_to admin_accounts_path, flash: { error: t('admin.accounts.resend_confirmation.already_confirmed') }
+      flash[:error] = I18n.t('admin.accounts.resend_confirmation.already_confirmed')
+      redirect_to admin_accounts_path
     end
 
     def user_confirmed?

app/controllers/admin/dashboard_controller.rb

@@ -9,10 +9,16 @@ module Admin
 
       @pending_appeals_count = Appeal.pending.async_count
       @pending_reports_count = Report.unresolved.async_count
-      @pending_tags_count    = Tag.pending_review.async_count
+      @pending_tags_count    = pending_tags.async_count
       @pending_users_count   = User.pending.async_count
       @system_checks         = Admin::SystemCheck.perform(current_user)
       @time_period           = (29.days.ago.to_date...Time.now.utc.to_date)
     end
+
+    private
+
+    def pending_tags
+      ::Trends::TagFilter.new(status: :pending_review).results
+    end
   end
 end

app/controllers/admin/disputes/appeals_controller.rb

@@ -18,7 +18,7 @@ class Admin::Disputes::AppealsController < Admin::BaseController
   end
 
   def reject
-    authorize @appeal, :reject?
+    authorize @appeal, :approve?
     log_action :reject, @appeal
     @appeal.reject!(current_account)
     UserMailer.appeal_rejected(@appeal.account.user, @appeal).deliver_later

app/controllers/admin/domain_blocks_controller.rb

@@ -36,7 +36,7 @@ module Admin
     end
 
     def edit
-      authorize :domain_block, :update?
+      authorize :domain_block, :create?
     end
 
     def create
@@ -129,7 +129,7 @@ module Admin
     end
 
     def requires_confirmation?
-      @domain_block.valid? && (@domain_block.new_record? || @domain_block.severity_changed?) && @domain_block.suspend? && !params[:confirm]
+      @domain_block.valid? && (@domain_block.new_record? || @domain_block.severity_changed?) && @domain_block.severity.to_s == 'suspend' && !params[:confirm]
     end
   end
 end

app/controllers/admin/export_domain_allows_controller.rb

@@ -49,8 +49,8 @@ module Admin
 
     def export_data
       CSV.generate(headers: export_headers, write_headers: true) do |content|
-        DomainAllow.allowed_domains.each do |domain|
-          content << [domain]
+        DomainAllow.allowed_domains.each do |instance|
+          content << [instance.domain]
         end
       end
     end

app/controllers/admin/reports/actions_controller.rb

@@ -13,9 +13,27 @@ class Admin::Reports::ActionsController < Admin::BaseController
 
     case action_from_button
     when 'delete', 'mark_as_sensitive'
-      Admin::StatusBatchAction.new(status_batch_action_params).save!
+      status_batch_action = Admin::StatusBatchAction.new(
+        type: action_from_button,
+        status_ids: @report.status_ids,
+        current_account: current_account,
+        report_id: @report.id,
+        send_email_notification: !@report.spam?,
+        text: params[:text]
+      )
+
+      status_batch_action.save!
     when 'silence', 'suspend'
-      Admin::AccountAction.new(account_action_params).save!
+      account_action = Admin::AccountAction.new(
+        type: action_from_button,
+        report_id: @report.id,
+        target_account: @report.target_account,
+        current_account: current_account,
+        send_email_notification: !@report.spam?,
+        text: params[:text]
+      )
+
+      account_action.save!
     else
       return redirect_to admin_report_path(@report), alert: I18n.t('admin.reports.unknown_action_msg', action: action_from_button)
     end
@@ -25,26 +43,6 @@ class Admin::Reports::ActionsController < Admin::BaseController
 
   private
 
-  def status_batch_action_params
-    shared_params
-      .merge(status_ids: @report.status_ids)
-  end
-
-  def account_action_params
-    shared_params
-      .merge(target_account: @report.target_account)
-  end
-
-  def shared_params
-    {
-      current_account: current_account,
-      report_id: @report.id,
-      send_email_notification: !@report.spam?,
-      text: params[:text],
-      type: action_from_button,
-    }
-  end
-
   def set_report
     @report = Report.find(params[:report_id])
   end

app/controllers/admin/settings_controller.rb

@@ -14,7 +14,8 @@ module Admin
       @admin_settings = Form::AdminSettings.new(settings_params)
 
       if @admin_settings.save
-        redirect_to after_update_redirect_path, notice: t('generic.changes_saved_msg')
+        flash[:notice] = I18n.t('generic.changes_saved_msg')
+        redirect_to after_update_redirect_path
       else
         render :show
       end

app/controllers/admin/tags_controller.rb

@@ -5,7 +5,6 @@ module Admin
     before_action :set_tag, except: [:index]
 
     PER_PAGE = 20
-    PERIOD_DAYS = 6.days
 
     def index
       authorize :tag, :index?
@@ -16,7 +15,7 @@ module Admin
     def show
       authorize @tag, :show?
 
-      @time_period = report_range
+      @time_period = (6.days.ago.to_date...Time.now.utc.to_date)
     end
 
     def update
@@ -25,7 +24,7 @@ module Admin
       if @tag.update(tag_params.merge(reviewed_at: Time.now.utc))
         redirect_to admin_tag_path(@tag.id), notice: I18n.t('admin.tags.updated_msg')
       else
-        @time_period = report_range
+        @time_period = (6.days.ago.to_date...Time.now.utc.to_date)
 
         render :show
       end
@@ -37,10 +36,6 @@ module Admin
       @tag = Tag.find(params[:id])
     end
 
-    def report_range
-      (PERIOD_DAYS.ago.to_date...Time.now.utc.to_date)
-    end
-
     def tag_params
       params
         .expect(tag: [:name, :display_name, :trendable, :usable, :listable])

app/controllers/admin/username_blocks_controller.rb

@@ -1,77 +0,0 @@
-# frozen_string_literal: true
-
-class Admin::UsernameBlocksController < Admin::BaseController
-  before_action :set_username_block, only: [:edit, :update]
-
-  def index
-    authorize :username_block, :index?
-    @username_blocks = UsernameBlock.order(username: :asc).page(params[:page])
-    @form = Form::UsernameBlockBatch.new
-  end
-
-  def batch
-    authorize :username_block, :index?
-
-    @form = Form::UsernameBlockBatch.new(form_username_block_batch_params.merge(current_account: current_account, action: action_from_button))
-    @form.save
-  rescue ActionController::ParameterMissing
-    flash[:alert] = I18n.t('admin.username_blocks.no_username_block_selected')
-  rescue Mastodon::NotPermittedError
-    flash[:alert] = I18n.t('admin.username_blocks.not_permitted')
-  ensure
-    redirect_to admin_username_blocks_path
-  end
-
-  def new
-    authorize :username_block, :create?
-    @username_block = UsernameBlock.new(exact: true)
-  end
-
-  def edit
-    authorize @username_block, :update?
-  end
-
-  def create
-    authorize :username_block, :create?
-
-    @username_block = UsernameBlock.new(resource_params)
-
-    if @username_block.save
-      log_action :create, @username_block
-      redirect_to admin_username_blocks_path, notice: I18n.t('admin.username_blocks.created_msg')
-    else
-      render :new
-    end
-  end
-
-  def update
-    authorize @username_block, :update?
-
-    if @username_block.update(resource_params)
-      log_action :update, @username_block
-      redirect_to admin_username_blocks_path, notice: I18n.t('admin.username_blocks.updated_msg')
-    else
-      render :new
-    end
-  end
-
-  private
-
-  def set_username_block
-    @username_block = UsernameBlock.find(params[:id])
-  end
-
-  def form_username_block_batch_params
-    params
-      .expect(form_username_block_batch: [username_block_ids: []])
-  end
-
-  def resource_params
-    params
-      .expect(username_block: [:username, :comparison, :allow_with_approval])
-  end
-
-  def action_from_button
-    'delete' if params[:delete]
-  end
-end

app/controllers/api/v1/accounts/credentials_controller.rb

@@ -48,7 +48,6 @@ class Api::V1::Accounts::CredentialsController < Api::BaseController
         default_privacy: source_params.fetch(:privacy, @account.user.setting_default_privacy),
         default_sensitive: source_params.fetch(:sensitive, @account.user.setting_default_sensitive),
         default_language: source_params.fetch(:language, @account.user.setting_default_language),
-        default_quote_policy: source_params.fetch(:quote_policy, @account.user.setting_default_quote_policy),
       },
     }
   end

app/controllers/api/v1/admin/tags_controller.rb

@@ -2,7 +2,6 @@
 
 class Api::V1::Admin::TagsController < Api::BaseController
   include Authorization
-
   before_action -> { authorize_if_got_token! :'admin:read' }, only: [:index, :show]
   before_action -> { authorize_if_got_token! :'admin:write' }, only: :update
 

app/controllers/api/v1/invites_controller.rb

@@ -7,7 +7,6 @@ class Api::V1::InvitesController < Api::BaseController
   skip_around_action :set_locale
 
   before_action :set_invite
-  before_action :check_valid_usage!
   before_action :check_enabled_registrations!
 
   # Override `current_user` to avoid reading session cookies
@@ -23,11 +22,9 @@ class Api::V1::InvitesController < Api::BaseController
     @invite = Invite.find_by!(code: params[:invite_code])
   end
 
-  def check_valid_usage!
-    render json: { error: I18n.t('invites.invalid') }, status: 401 unless @invite.valid_for_use?
-  end
-
   def check_enabled_registrations!
+    return render json: { error: I18n.t('invites.invalid') }, status: 401 unless @invite.valid_for_use?
+
     raise Mastodon::NotPermittedError unless allowed_registration?(request.remote_ip, @invite)
   end
 end

app/controllers/api/v1/polls/votes_controller.rb

@@ -17,7 +17,7 @@ class Api::V1::Polls::VotesController < Api::BaseController
   def set_poll
     @poll = Poll.find(params[:poll_id])
     authorize @poll.status, :show?
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 

app/controllers/api/v1/polls_controller.rb

@@ -17,7 +17,7 @@ class Api::V1::PollsController < Api::BaseController
   def set_poll
     @poll = Poll.find(params[:id])
     authorize @poll.status, :show?
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 

app/controllers/api/v1/push/subscriptions_controller.rb

@@ -16,7 +16,16 @@ class Api::V1::Push::SubscriptionsController < Api::BaseController
   def create
     with_redis_lock("push_subscription:#{current_user.id}") do
       destroy_web_push_subscriptions!
-      @push_subscription = Web::PushSubscription.create!(web_push_subscription_params)
+
+      @push_subscription = Web::PushSubscription.create!(
+        endpoint: subscription_params[:endpoint],
+        key_p256dh: subscription_params[:keys][:p256dh],
+        key_auth: subscription_params[:keys][:auth],
+        standard: subscription_params[:standard] || false,
+        data: data_params,
+        user_id: current_user.id,
+        access_token_id: doorkeeper_token.id
+      )
     end
 
     render json: @push_subscription, serializer: REST::WebPushSubscriptionSerializer
@@ -46,18 +55,6 @@ class Api::V1::Push::SubscriptionsController < Api::BaseController
     not_found if @push_subscription.nil?
   end
 
-  def web_push_subscription_params
-    {
-      access_token_id: doorkeeper_token.id,
-      data: data_params,
-      endpoint: subscription_params[:endpoint],
-      key_auth: subscription_params[:keys][:auth],
-      key_p256dh: subscription_params[:keys][:p256dh],
-      standard: subscription_params[:standard] || false,
-      user_id: current_user.id,
-    }
-  end
-
   def subscription_params
     params.expect(subscription: [:endpoint, :standard, keys: [:auth, :p256dh]])
   end

app/controllers/api/v1/statuses/base_controller.rb

@@ -10,7 +10,7 @@ class Api::V1::Statuses::BaseController < Api::BaseController
   def set_status
     @status = Status.find(params[:status_id])
     authorize @status, :show?
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 end

app/controllers/api/v1/statuses/bookmarks_controller.rb

@@ -23,7 +23,7 @@ class Api::V1::Statuses::BookmarksController < Api::V1::Statuses::BaseController
     bookmark&.destroy!
 
     render json: @status, serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new([@status], current_account.id, bookmarks_map: { @status.id => false })
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 end

app/controllers/api/v1/statuses/favourites_controller.rb

@@ -25,7 +25,7 @@ class Api::V1::Statuses::FavouritesController < Api::V1::Statuses::BaseControlle
 
     relationships = StatusRelationshipsPresenter.new([@status], current_account.id, favourites_map: { @status.id => false }, attributes_map: { @status.id => { favourites_count: count } })
     render json: @status, serializer: REST::StatusSerializer, relationships: relationships
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 end

app/controllers/api/v1/statuses/interaction_policies_controller.rb

@@ -1,33 +0,0 @@
-# frozen_string_literal: true
-
-class Api::V1::Statuses::InteractionPoliciesController < Api::V1::Statuses::BaseController
-  include Api::InteractionPoliciesConcern
-
-  before_action -> { doorkeeper_authorize! :write, :'write:statuses' }
-  before_action -> { check_feature_enabled }
-
-  def update
-    authorize @status, :update?
-
-    @status.update!(quote_approval_policy: quote_approval_policy)
-
-    broadcast_updates! if @status.quote_approval_policy_previously_changed?
-
-    render json: @status, serializer: REST::StatusSerializer
-  end
-
-  private
-
-  def status_params
-    params.permit(:quote_approval_policy)
-  end
-
-  def check_feature_enabled
-    raise ActionController::RoutingError unless Mastodon::Feature.outgoing_quotes_enabled?
-  end
-
-  def broadcast_updates!
-    DistributionWorker.perform_async(@status.id, { 'update' => true })
-    ActivityPub::StatusUpdateDistributionWorker.perform_async(@status.id, { 'updated_at' => Time.now.utc.iso8601 })
-  end
-end

app/controllers/api/v1/statuses/quotes_controller.rb

@@ -1,72 +0,0 @@
-# frozen_string_literal: true
-
-class Api::V1::Statuses::QuotesController < Api::V1::Statuses::BaseController
-  before_action -> { doorkeeper_authorize! :read, :'read:statuses' }, only: :index
-  before_action -> { doorkeeper_authorize! :write, :'write:statuses' }, only: :revoke
-
-  before_action :check_owner!
-  before_action :set_quote, only: :revoke
-  after_action :insert_pagination_headers, only: :index
-
-  def index
-    cache_if_unauthenticated!
-    @statuses = load_statuses
-    render json: @statuses, each_serializer: REST::StatusSerializer
-  end
-
-  def revoke
-    authorize @quote, :revoke?
-
-    RevokeQuoteService.new.call(@quote)
-
-    render json: @quote.status, serializer: REST::StatusSerializer
-  end
-
-  private
-
-  def check_owner!
-    authorize @status, :list_quotes?
-  end
-
-  def set_quote
-    @quote = @status.quotes.find_by!(status_id: params[:id])
-  end
-
-  def load_statuses
-    scope = default_statuses
-    scope = scope.not_excluded_by_account(current_account) unless current_account.nil?
-    scope.merge(paginated_quotes).to_a
-  end
-
-  def default_statuses
-    Status.includes(:quote).references(:quote)
-  end
-
-  def paginated_quotes
-    @status.quotes.accepted.paginate_by_max_id(
-      limit_param(DEFAULT_STATUSES_LIMIT),
-      params[:max_id],
-      params[:since_id]
-    )
-  end
-
-  def next_path
-    api_v1_status_quotes_url pagination_params(max_id: pagination_max_id) if records_continue?
-  end
-
-  def prev_path
-    api_v1_status_quotes_url pagination_params(since_id: pagination_since_id) unless @statuses.empty?
-  end
-
-  def pagination_max_id
-    @statuses.last.quote.id
-  end
-
-  def pagination_since_id
-    @statuses.first.quote.id
-  end
-
-  def records_continue?
-    @statuses.size == limit_param(DEFAULT_STATUSES_LIMIT)
-  end
-end

app/controllers/api/v1/statuses/reblogs_controller.rb

@@ -36,7 +36,7 @@ class Api::V1::Statuses::ReblogsController < Api::V1::Statuses::BaseController
 
     relationships = StatusRelationshipsPresenter.new([@status], current_account.id, reblogs_map: { @reblog.id => false }, attributes_map: { @reblog.id => { reblogs_count: count } })
     render json: @reblog, serializer: REST::StatusSerializer, relationships: relationships
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 
@@ -45,7 +45,7 @@ class Api::V1::Statuses::ReblogsController < Api::V1::Statuses::BaseController
   def set_reblog
     @reblog = Status.find(params[:status_id])
     authorize @reblog, :show?
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 

app/controllers/api/v1/statuses_controller.rb

@@ -2,8 +2,6 @@
 
 class Api::V1::StatusesController < Api::BaseController
   include Authorization
-  include AsyncRefreshesConcern
-  include Api::InteractionPoliciesConcern
 
   before_action -> { authorize_if_got_token! :read, :'read:statuses' }, except: [:create, :update, :destroy]
   before_action -> { doorkeeper_authorize! :write, :'write:statuses' }, only:   [:create, :update, :destroy]
@@ -11,7 +9,6 @@ class Api::V1::StatusesController < Api::BaseController
   before_action :set_statuses, only:         [:index]
   before_action :set_status, only:           [:show, :context]
   before_action :set_thread, only:           [:create]
-  before_action :set_quoted_status, only:    [:create]
   before_action :check_statuses_limit, only: [:index]
 
   override_rate_limit_headers :create, family: :statuses
@@ -60,21 +57,9 @@ class Api::V1::StatusesController < Api::BaseController
     @context = Context.new(ancestors: loaded_ancestors, descendants: loaded_descendants)
     statuses = [@status] + @context.ancestors + @context.descendants
 
-    refresh_key = "context:#{@status.id}:refresh"
-    async_refresh = AsyncRefresh.new(refresh_key)
-
-    if async_refresh.running?
-      add_async_refresh_header(async_refresh)
-    elsif !current_account.nil? && @status.should_fetch_replies?
-      add_async_refresh_header(AsyncRefresh.create(refresh_key))
-
-      WorkerBatch.new.within do |batch|
-        batch.connect(refresh_key, threshold: 1.0)
-        ActivityPub::FetchAllRepliesWorker.perform_async(@status.id, { 'batch_id' => batch.id })
-      end
-    end
-
     render json: @context, serializer: REST::ContextSerializer, relationships: StatusRelationshipsPresenter.new(statuses, current_user&.account_id)
+
+    ActivityPub::FetchAllRepliesWorker.perform_async(@status.id) if !current_account.nil? && @status.should_fetch_replies?
   end
 
   def create
@@ -82,8 +67,6 @@ class Api::V1::StatusesController < Api::BaseController
       current_user.account,
       text: status_params[:status],
       thread: @thread,
-      quoted_status: @quoted_status,
-      quote_approval_policy: quote_approval_policy,
       media_ids: status_params[:media_ids],
       sensitive: status_params[:sensitive],
       spoiler_text: status_params[:spoiler_text],
@@ -117,7 +100,6 @@ class Api::V1::StatusesController < Api::BaseController
       language: status_params[:language],
       spoiler_text: status_params[:spoiler_text],
       poll: status_params[:poll],
-      quote_approval_policy: quote_approval_policy,
       content_type: status_params[:content_type]
     )
 
@@ -147,7 +129,7 @@ class Api::V1::StatusesController < Api::BaseController
   def set_status
     @status = Status.find(params[:id])
     authorize @status, :show?
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 
@@ -158,16 +140,6 @@ class Api::V1::StatusesController < Api::BaseController
     render json: { error: I18n.t('statuses.errors.in_reply_not_found') }, status: 404
   end
 
-  def set_quoted_status
-    return unless Mastodon::Feature.outgoing_quotes_enabled?
-
-    @quoted_status = Status.find(status_params[:quoted_status_id]) if status_params[:quoted_status_id].present?
-    authorize(@quoted_status, :quote?) if @quoted_status.present?
-  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
-    # TODO: distinguish between non-existing and non-quotable posts
-    render json: { error: I18n.t('statuses.errors.quoted_status_not_found') }, status: 404
-  end
-
   def check_statuses_limit
     raise(Mastodon::ValidationError) if status_ids.size > DEFAULT_STATUSES_LIMIT
   end
@@ -184,8 +156,6 @@ class Api::V1::StatusesController < Api::BaseController
     params.permit(
       :status,
       :in_reply_to_id,
-      :quoted_status_id,
-      :quote_approval_policy,
       :sensitive,
       :spoiler_text,
       :visibility,

app/controllers/api/v2/search_controller.rb

@@ -20,7 +20,7 @@ class Api::V2::SearchController < Api::BaseController
     @search = Search.new(search_results)
     render json: @search, serializer: REST::SearchSerializer
   rescue Mastodon::SyntaxError
-    unprocessable_content
+    unprocessable_entity
   rescue ActiveRecord::RecordNotFound
     not_found
   end

app/controllers/api/web/embeds_controller.rb

@@ -30,7 +30,7 @@ class Api::Web::EmbedsController < Api::Web::BaseController
   def set_status
     @status = Status.find(params[:id])
     authorize @status, :show?
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 end

app/controllers/api/web/push_subscriptions_controller.rb

@@ -49,7 +49,7 @@ class Api::Web::PushSubscriptionsController < Api::Web::BaseController
     {
       policy: 'all',
       alerts: Notification::TYPES.index_with { alerts_enabled },
-    }.deep_stringify_keys
+    }
   end
 
   def alerts_enabled
@@ -62,7 +62,7 @@ class Api::Web::PushSubscriptionsController < Api::Web::BaseController
   end
 
   def set_push_subscription
-    @push_subscription = ::Web::PushSubscription.find(params[:id])
+    @push_subscription = ::Web::PushSubscription.where(user_id: active_session.user_id).find(params[:id])
   end
 
   def subscription_params

app/controllers/application_controller.rb

@@ -31,7 +31,7 @@ class ApplicationController < ActionController::Base
   rescue_from Mastodon::NotPermittedError, with: :forbidden
   rescue_from ActionController::RoutingError, ActiveRecord::RecordNotFound, with: :not_found
   rescue_from ActionController::UnknownFormat, with: :not_acceptable
-  rescue_from ActionController::InvalidAuthenticityToken, with: :unprocessable_content
+  rescue_from ActionController::InvalidAuthenticityToken, with: :unprocessable_entity
   rescue_from Mastodon::RateLimitExceededError, with: :too_many_requests
 
   rescue_from(*Mastodon::HTTP_CONNECTION_ERRORS, with: :internal_server_error)
@@ -126,7 +126,7 @@ class ApplicationController < ActionController::Base
     respond_with_error(410)
   end
 
-  def unprocessable_content
+  def unprocessable_entity
     respond_with_error(422)
   end
 

app/controllers/auth/omniauth_callbacks_controller.rb

@@ -38,7 +38,8 @@ class Auth::OmniauthCallbacksController < Devise::OmniauthCallbacksController
   private
 
   def record_login_activity
-    @user.login_activities.create(
+    LoginActivity.create(
+      user: @user,
       success: true,
       authentication_method: :omniauth,
       provider: @provider,

app/controllers/auth/passwords_controller.rb

@@ -19,7 +19,8 @@ class Auth::PasswordsController < Devise::PasswordsController
   private
 
   def redirect_invalid_reset_token
-    redirect_to new_password_path(resource_name), flash: { error: t('auth.invalid_reset_password_token') }
+    flash[:error] = I18n.t('auth.invalid_reset_password_token')
+    redirect_to new_password_path(resource_name)
   end
 
   def reset_password_token_is_valid?

app/controllers/auth/registrations_controller.rb

@@ -23,11 +23,11 @@ class Auth::RegistrationsController < Devise::RegistrationsController
     super(&:build_invite_request)
   end
 
-  def edit
+  def edit # rubocop:disable Lint/UselessMethodDefinition
     super
   end
 
-  def create
+  def create # rubocop:disable Lint/UselessMethodDefinition
     super
   end
 

app/controllers/auth/sessions_controller.rb

@@ -12,8 +12,6 @@ class Auth::SessionsController < Devise::SessionsController
   skip_before_action :require_functional!
   skip_before_action :update_user_sign_in
 
-  around_action :preserve_stored_location, only: :destroy, if: :continue_after?
-
   prepend_before_action :check_suspicious!, only: [:create]
 
   include Auth::TwoFactorAuthenticationConcern
@@ -33,9 +31,11 @@ class Auth::SessionsController < Devise::SessionsController
   end
 
   def destroy
+    tmp_stored_location = stored_location_for(:user)
     super
     session.delete(:challenge_passed_at)
     flash.delete(:notice)
+    store_location_for(:user, tmp_stored_location) if continue_after?
   end
 
   def webauthn_options
@@ -96,12 +96,6 @@ class Auth::SessionsController < Devise::SessionsController
 
   private
 
-  def preserve_stored_location
-    original_stored_location = stored_location_for(:user)
-    yield
-    store_location_for(:user, original_stored_location)
-  end
-
   def check_suspicious!
     user = find_user
     @login_is_suspicious = suspicious_sign_in?(user) unless user.nil?
@@ -157,11 +151,12 @@ class Auth::SessionsController < Devise::SessionsController
     sign_in(user)
     flash.delete(:notice)
 
-    user.login_activities.create(
-      request_details.merge(
-        authentication_method: security_measure,
-        success: true
-      )
+    LoginActivity.create(
+      user: user,
+      success: true,
+      authentication_method: security_measure,
+      ip: request.remote_ip,
+      user_agent: request.user_agent
     )
 
     UserMailer.suspicious_sign_in(user, request.remote_ip, request.user_agent, Time.now.utc).deliver_later! if @login_is_suspicious
@@ -172,12 +167,13 @@ class Auth::SessionsController < Devise::SessionsController
   end
 
   def on_authentication_failure(user, security_measure, failure_reason)
-    user.login_activities.create(
-      request_details.merge(
-        authentication_method: security_measure,
-        failure_reason: failure_reason,
-        success: false
-      )
+    LoginActivity.create(
+      user: user,
+      success: false,
+      authentication_method: security_measure,
+      failure_reason: failure_reason,
+      ip: request.remote_ip,
+      user_agent: request.user_agent
     )
 
     # Only send a notification email every hour at most
@@ -186,13 +182,6 @@ class Auth::SessionsController < Devise::SessionsController
     UserMailer.failed_2fa(user, request.remote_ip, request.user_agent, Time.now.utc).deliver_later!
   end
 
-  def request_details
-    {
-      ip: request.remote_ip,
-      user_agent: request.user_agent,
-    }
-  end
-
   def second_factor_attempts_key(user)
     "2fa_auth_attempts:#{user.id}:#{Time.now.utc.hour}"
   end

app/controllers/authorize_interactions_controller.rb

@@ -21,7 +21,7 @@ class AuthorizeInteractionsController < ApplicationController
   def set_resource
     @resource = located_resource
     authorize(@resource, :show?) if @resource.is_a?(Status)
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 

app/controllers/concerns/api/interaction_policies_concern.rb

@@ -1,21 +0,0 @@
-# frozen_string_literal: true
-
-module Api::InteractionPoliciesConcern
-  extend ActiveSupport::Concern
-
-  def quote_approval_policy
-    return nil unless Mastodon::Feature.outgoing_quotes_enabled?
-
-    case status_params[:quote_approval_policy].presence || current_user.setting_default_quote_policy
-    when 'public'
-      Status::QUOTE_APPROVAL_POLICY_FLAGS[:public] << 16
-    when 'followers'
-      Status::QUOTE_APPROVAL_POLICY_FLAGS[:followers] << 16
-    when 'nobody'
-      0
-    else
-      # TODO: raise more useful message
-      raise ActiveRecord::RecordInvalid
-    end
-  end
-end

app/controllers/concerns/auth/captcha_concern.rb

@@ -5,18 +5,6 @@ module Auth::CaptchaConcern
 
   include Hcaptcha::Adapters::ViewMethods
 
-  CAPTCHA_DIRECTIVES = %w(
-    connect_src
-    frame_src
-    script_src
-    style_src
-  ).freeze
-
-  CAPTCHA_SOURCES = %w(
-    https://*.hcaptcha.com
-    https://hcaptcha.com
-  ).freeze
-
   included do
     helper_method :render_captcha
   end
@@ -54,9 +42,20 @@ module Auth::CaptchaConcern
   end
 
   def extend_csp_for_captcha!
-    return unless captcha_required? && request.content_security_policy.present?
+    policy = request.content_security_policy&.clone
 
-    request.content_security_policy = captcha_adjusted_policy
+    return unless captcha_required? && policy.present?
+
+    %w(script_src frame_src style_src connect_src).each do |directive|
+      values = policy.send(directive)
+
+      values << 'https://hcaptcha.com' unless values.include?('https://hcaptcha.com') || values.include?('https:')
+      values << 'https://*.hcaptcha.com' unless values.include?('https://*.hcaptcha.com') || values.include?('https:')
+
+      policy.send(directive, *values)
+    end
+
+    request.content_security_policy = policy
   end
 
   def render_captcha
@@ -64,24 +63,4 @@ module Auth::CaptchaConcern
 
     hcaptcha_tags
   end
-
-  private
-
-  def captcha_adjusted_policy
-    request.content_security_policy.clone.tap do |policy|
-      populate_captcha_policy(policy)
-    end
-  end
-
-  def populate_captcha_policy(policy)
-    CAPTCHA_DIRECTIVES.each do |directive|
-      values = policy.send(directive)
-
-      CAPTCHA_SOURCES.each do |source|
-        values << source unless values.include?(source) || values.include?('https:')
-      end
-
-      policy.send(directive, *values)
-    end
-  end
 end

app/controllers/concerns/cache_concern.rb

@@ -19,7 +19,7 @@ module CacheConcern
   # from being used as cache keys, while allowing to `Vary` on them (to not serve
   # anonymous cached data to authenticated requests when authentication matters)
   def enforce_cache_control!
-    vary = response.headers['Vary']&.split&.map { |x| x.strip.downcase }
+    vary = response.headers['Vary'].to_s.split(',').map { |x| x.strip.downcase }.reject(&:empty?)
     return unless vary.present? && %w(cookie authorization signature).any? { |header| vary.include?(header) && request.headers[header].present? }
 
     response.cache_control.replace(private: true, no_store: true)

app/controllers/concerns/signature_verification.rb

@@ -9,8 +9,6 @@ module SignatureVerification
 
   EXPIRATION_WINDOW_LIMIT = 12.hours
   CLOCK_SKEW_MARGIN       = 1.hour
-  STOPLIGHT_COOL_OFF_TIME = 5.minutes.seconds
-  STOPLIGHT_THRESHOLD = 1
 
   def require_account_signature!
     render json: signature_verification_failure_reason, status: signature_verification_failure_code unless signed_request_account
@@ -72,10 +70,13 @@ module SignatureVerification
   rescue Mastodon::SignatureVerificationError => e
     fail_with! e.message
   rescue *Mastodon::HTTP_CONNECTION_ERRORS => e
+    @signature_verification_failure_code ||= 503
     fail_with! "Failed to fetch remote data: #{e.message}"
   rescue Mastodon::UnexpectedResponseError
+    @signature_verification_failure_code ||= 503
     fail_with! 'Failed to fetch remote data (got unexpected reply from server)'
   rescue Stoplight::Error::RedLight
+    @signature_verification_failure_code ||= 503
     fail_with! 'Fetching attempt skipped because of recent connection failure'
   end
 
@@ -109,12 +110,10 @@ module SignatureVerification
   end
 
   def stoplight_wrapper
-    Stoplight(
-      "source:#{request.remote_ip}",
-      cool_off_time: STOPLIGHT_COOL_OFF_TIME,
-      threshold: STOPLIGHT_THRESHOLD,
-      tracked_errors: [HTTP::Error, OpenSSL::SSL::SSLError]
-    )
+    Stoplight("source:#{request.remote_ip}")
+      .with_threshold(1)
+      .with_cool_off_time(5.minutes.seconds)
+      .with_error_handler { |error, handle| error.is_a?(HTTP::Error) || error.is_a?(OpenSSL::SSL::SSLError) ? handle.call(error) : raise(error) }
   end
 
   def actor_refresh_key!(actor)

app/controllers/media_controller.rb

@@ -34,7 +34,7 @@ class MediaController < ApplicationController
 
   def verify_permitted_status!
     authorize @media_attachment.status, :show?
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 

app/controllers/settings/login_activities_controller.rb

@@ -5,6 +5,6 @@ class Settings::LoginActivitiesController < Settings::BaseController
   skip_before_action :require_functional!
 
   def index
-    @login_activities = current_user.login_activities.order(id: :desc).page(params[:page])
+    @login_activities = LoginActivity.where(user: current_user).order(id: :desc).page(params[:page])
   end
 end

app/controllers/settings/migration/redirects_controller.rb

@@ -22,7 +22,7 @@ class Settings::Migration::RedirectsController < Settings::BaseController
   end
 
   def destroy
-    if current_account.moved?
+    if current_account.moved_to_account_id.present?
       current_account.update!(moved_to_account: nil)
       ActivityPub::UpdateDistributionWorker.perform_async(current_account.id)
     end

app/controllers/settings/preferences/posting_defaults_controller.rb

@@ -1,15 +0,0 @@
-# frozen_string_literal: true
-
-class Settings::Preferences::PostingDefaultsController < Settings::Preferences::BaseController
-  private
-
-  def after_update_redirect_path
-    settings_preferences_posting_defaults_path
-  end
-
-  def user_params
-    super.tap do |params|
-      params[:settings_attributes][:default_quote_policy] = 'nobody' if params[:settings_attributes][:default_privacy] == 'private'
-    end
-  end
-end

app/controllers/settings/sessions_controller.rb

@@ -8,7 +8,8 @@ class Settings::SessionsController < Settings::BaseController
 
   def destroy
     @session.destroy!
-    redirect_to edit_user_registration_path, notice: t('sessions.revoke_success')
+    flash[:notice] = I18n.t('sessions.revoke_success')
+    redirect_to edit_user_registration_path
   end
 
   private

app/controllers/settings/two_factor_authentication/webauthn_credentials_controller.rb

@@ -52,7 +52,7 @@ module Settings
             end
           else
             flash[:error] = I18n.t('webauthn_credentials.create.error')
-            status = :unprocessable_content
+            status = :unprocessable_entity
           end
         else
           flash[:error] = t('webauthn_credentials.create.error')
@@ -86,11 +86,13 @@ module Settings
       private
 
       def redirect_invalid_otp
-        redirect_to settings_two_factor_authentication_methods_path, flash: { error: t('webauthn_credentials.otp_required') }
+        flash[:error] = t('webauthn_credentials.otp_required')
+        redirect_to settings_two_factor_authentication_methods_path
       end
 
       def redirect_invalid_webauthn
-        redirect_to settings_two_factor_authentication_methods_path, flash: { error: t('webauthn_credentials.not_enabled') }
+        flash[:error] = t('webauthn_credentials.not_enabled')
+        redirect_to settings_two_factor_authentication_methods_path
       end
     end
   end

app/controllers/severed_relationships_controller.rb

@@ -26,7 +26,7 @@ class SeveredRelationshipsController < ApplicationController
   private
 
   def set_event
-    @event = AccountRelationshipSeveranceEvent.find(params[:id])
+    @event = AccountRelationshipSeveranceEvent.where(account: current_account).find(params[:id])
   end
 
   def following_data

app/controllers/statuses_controller.rb

@@ -11,7 +11,6 @@ class StatusesController < ApplicationController
   before_action :require_account_signature!, only: [:show, :activity], if: -> { request.format == :json && authorized_fetch_mode? }
   before_action :set_status
   before_action :redirect_to_original, only: :show
-  before_action :verify_embed_allowed, only: :embed
 
   after_action :set_link_headers
 
@@ -41,6 +40,8 @@ class StatusesController < ApplicationController
   end
 
   def embed
+    return not_found if @status.hidden? || @status.reblog?
+
     expires_in 180, public: true
     response.headers.delete('X-Frame-Options')
 
@@ -49,10 +50,6 @@ class StatusesController < ApplicationController
 
   private
 
-  def verify_embed_allowed
-    not_found if @status.hidden? || @status.reblog?
-  end
-
   def set_link_headers
     response.headers['Link'] = LinkHeader.new(
       [[ActivityPub::TagManager.instance.uri_for(@status), [%w(rel alternate), %w(type application/activity+json)]]]
@@ -62,7 +59,7 @@ class StatusesController < ApplicationController
   def set_status
     @status = @account.statuses.find(params[:id])
     authorize @status, :show?
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 

app/helpers/admin/action_logs_helper.rb

@@ -13,8 +13,6 @@ module Admin::ActionLogsHelper
       end
     when 'UserRole'
       link_to log.human_identifier, admin_roles_path(log.target_id)
-    when 'UsernameBlock'
-      link_to log.human_identifier, edit_admin_username_block_path(log.target_id)
     when 'Report'
       link_to "##{log.human_identifier.presence || log.target_id}", admin_report_path(log.target_id)
     when 'Instance', 'DomainBlock', 'DomainAllow', 'UnavailableDomain'

app/helpers/application_helper.rb

@@ -244,10 +244,6 @@ module ApplicationHelper
     tag.input(type: :text, maxlength: 999, spellcheck: false, readonly: true, **options)
   end
 
-  def recent_tag_users(tag)
-    tag.statuses.public_visibility.joins(:account).merge(Account.without_suspended.without_silenced).includes(:account).limit(3).map(&:account)
-  end
-
   def recent_tag_usage(tag)
     people = tag.history.aggregate(2.days.ago.to_date..Time.zone.today).accounts
     I18n.t 'user_mailer.welcome.hashtags_recent_count', people: number_with_delimiter(people), count: people
@@ -261,10 +257,6 @@ module ApplicationHelper
     'https://play.google.com/store/apps/details?id=org.joinmastodon.android'
   end
 
-  def within_authorization_flow?
-    session[:user_return_to].present? && Rails.application.routes.recognize_path(session[:user_return_to])[:controller] == 'oauth/authorizations'
-  end
-
   # glitch-soc addition to handle the multiple flavors
   def flavoured_vite_typescript_tag(pack_name, **)
     vite_typescript_tag("#{Themes.instance.flavour(current_flavour)['pack_directory'].delete_prefix('app/javascript/')}/#{pack_name}", **)

app/helpers/context_helper.rb

@@ -40,12 +40,6 @@ module ContextHelper
       'automaticApproval' => { '@id' => 'gts:automaticApproval', '@type' => '@id' },
       'manualApproval' => { '@id' => 'gts:manualApproval', '@type' => '@id' },
     },
-    quote_authorizations: {
-      'gts' => 'https://gotosocial.org/ns#',
-      'quoteAuthorization' => { '@id' => 'https://w3id.org/fep/044f#quoteAuthorization', '@type' => '@id' },
-      'interactingObject' => { '@id' => 'gts:interactingObject' },
-      'interactionTarget' => { '@id' => 'gts:interactionTarget' },
-    },
   }.freeze
 
   def full_context

app/helpers/email_helper.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module EmailHelper
+  def self.included(base)
+    base.extend(self)
+  end
+
+  def email_to_canonical_email(str)
+    username, domain = str.downcase.split('@', 2)
+    username, = username.delete('.').split('+', 2)
+
+    "#{username}@#{domain}"
+  end
+
+  def email_to_canonical_email_hash(str)
+    Digest::SHA2.new(256).hexdigest(email_to_canonical_email(str))
+  end
+end

app/helpers/formatting_helper.rb

@@ -27,9 +27,7 @@ module FormattingHelper
   module_function :extract_status_plain_text
 
   def status_content_format(status)
-    quoted_status = status.quote&.quoted_status if status.local?
-
-    html_aware_format(status.text, status.local?, preloaded_accounts: [status.account] + (status.respond_to?(:active_mentions) ? status.active_mentions.map(&:account) : []), quoted_status: quoted_status, content_type: status.content_type)
+    html_aware_format(status.text, status.local?, preloaded_accounts: [status.account] + (status.respond_to?(:active_mentions) ? status.active_mentions.map(&:account) : []), content_type: status.content_type)
   end
 
   def rss_status_content_format(status)
@@ -67,12 +65,12 @@ module FormattingHelper
   end
 
   def rss_content_preroll(status)
-    return unless status.spoiler_text?
-
-    safe_join [
-      tag.p { spoiler_with_warning(status) },
-      tag.hr,
-    ]
+    if status.spoiler_text?
+      safe_join [
+        tag.p { spoiler_with_warning(status) },
+        tag.hr,
+      ]
+    end
   end
 
   def spoiler_with_warning(status)
@@ -83,10 +81,10 @@ module FormattingHelper
   end
 
   def rss_content_postroll(status)
-    return unless status.preloadable_poll
-
-    tag.p do
-      poll_option_tags(status)
+    if status.preloadable_poll
+      tag.p do
+        poll_option_tags(status)
+      end
     end
   end
 

app/helpers/home_helper.rb

@@ -39,8 +39,18 @@ module HomeHelper
     end
   end
 
-  def field_verified_class(verified)
-    if verified
+  def obscured_counter(count)
+    if count <= 0
+      '0'
+    elsif count == 1
+      '1'
+    else
+      '1+'
+    end
+  end
+
+  def custom_field_classes(field)
+    if field.verified?
       'verified'
     else
       'emojify'

app/helpers/json_ld_helper.rb

@@ -134,7 +134,7 @@ module JsonLdHelper
         patch_for_forwarding!(value, compacted_value)
       elsif value.is_a?(Array)
         compacted_value = [compacted_value] unless compacted_value.is_a?(Array)
-        return nil if value.size != compacted_value.size
+        return if value.size != compacted_value.size
 
         compacted[key] = value.zip(compacted_value).map do |v, vc|
           if v.is_a?(Hash) && vc.is_a?(Hash)

app/helpers/languages_helper.rb

@@ -107,7 +107,6 @@ module LanguagesHelper
     mk: ['Macedonian', 'македонски јазик'].freeze,
     ml: ['Malayalam', 'മലയാളം'].freeze,
     mn: ['Mongolian', 'Монгол хэл'].freeze,
-    'mn-Mong': ['Traditional Mongolian', 'ᠮᠣᠩᠭᠣᠯ ᠬᠡᠯᠡ'].freeze,
     mr: ['Marathi', 'मराठी'].freeze,
     ms: ['Malay', 'Bahasa Melayu'].freeze,
     'ms-Arab': ['Jawi Malay', 'بهاس ملايو'].freeze,

app/helpers/statuses_helper.rb

@@ -64,16 +64,4 @@ module StatusesHelper
   def prefers_autoplay?
     ActiveModel::Type::Boolean.new.cast(params[:autoplay]) || current_user&.setting_auto_play_gif
   end
-
-  def render_seo_schema(status)
-    json = ActiveModelSerializers::SerializableResource.new(
-      status,
-      serializer: SEO::SocialMediaPostingSerializer,
-      adapter: SEO::Adapter
-    ).to_json
-
-    # rubocop:disable Rails/OutputSafety
-    content_tag(:script, json_escape(json).html_safe, type: 'application/ld+json')
-    # rubocop:enable Rails/OutputSafety
-  end
 end

app/helpers/theme_helper.rb

@@ -28,24 +28,24 @@ module ThemeHelper
   end
 
   def custom_stylesheet
-    return if active_custom_stylesheet.blank?
-
-    stylesheet_link_tag(
-      custom_css_path(active_custom_stylesheet),
-      host: root_url,
-      media: :all,
-      skip_pipeline: true
-    )
+    if active_custom_stylesheet.present?
+      stylesheet_link_tag(
+        custom_css_path(active_custom_stylesheet),
+        host: root_url,
+        media: :all,
+        skip_pipeline: true
+      )
+    end
   end
 
   private
 
   def active_custom_stylesheet
-    return if cached_custom_css_digest.blank?
-
-    [:custom, cached_custom_css_digest.to_s.first(8)]
-      .compact_blank
-      .join('-')
+    if cached_custom_css_digest.present?
+      [:custom, cached_custom_css_digest.to_s.first(8)]
+        .compact_blank
+        .join('-')
+    end
   end
 
   def cached_custom_css_digest

app/javascript/entrypoints/public.tsx

@@ -145,10 +145,6 @@ function loaded() {
       );
     });
 
-  updateDefaultQuotePrivacyFromPrivacy(
-    document.querySelector('#user_settings_attributes_default_privacy'),
-  );
-
   const reactComponents = document.querySelectorAll('[data-component]');
 
   if (reactComponents.length > 0) {
@@ -351,31 +347,6 @@ const setInputDisabled = (
   }
 };
 
-const setInputHint = (
-  input: HTMLInputElement | HTMLSelectElement,
-  hintPrefix: string,
-) => {
-  const fieldWrapper = input.closest<HTMLElement>('.fields-group > .input');
-  if (!fieldWrapper) return;
-
-  const hint = fieldWrapper.dataset[`${hintPrefix}Hint`];
-  const hintElement =
-    fieldWrapper.querySelector<HTMLSpanElement>(':scope > .hint');
-
-  if (hint) {
-    if (hintElement) {
-      hintElement.textContent = hint;
-    } else {
-      const newHintElement = document.createElement('span');
-      newHintElement.className = 'hint';
-      newHintElement.textContent = hint;
-      fieldWrapper.appendChild(newHintElement);
-    }
-  } else {
-    hintElement?.remove();
-  }
-};
-
 Rails.delegate(
   document,
   '#account_statuses_cleanup_policy_enabled',
@@ -393,36 +364,6 @@ Rails.delegate(
   },
 );
 
-const updateDefaultQuotePrivacyFromPrivacy = (
-  privacySelect: EventTarget | null,
-) => {
-  if (!(privacySelect instanceof HTMLSelectElement) || !privacySelect.form)
-    return;
-
-  const select = privacySelect.form.querySelector<HTMLSelectElement>(
-    'select#user_settings_attributes_default_quote_policy',
-  );
-  if (!select) return;
-
-  setInputHint(select, privacySelect.value);
-
-  if (privacySelect.value === 'private') {
-    select.value = 'nobody';
-    setInputDisabled(select, true);
-  } else {
-    setInputDisabled(select, false);
-  }
-};
-
-Rails.delegate(
-  document,
-  '#user_settings_attributes_default_privacy',
-  'change',
-  ({ target }) => {
-    updateDefaultQuotePrivacyFromPrivacy(target);
-  },
-);
-
 // Empty the honeypot fields in JS in case something like an extension
 // automatically filled them.
 Rails.delegate(document, '#registration_new_user,#new_user', 'submit', () => {

app/javascript/flavours/glitch/actions/compose.js

@@ -89,7 +89,6 @@ export const COMPOSE_FOCUS = 'COMPOSE_FOCUS';
 const messages = defineMessages({
   uploadErrorLimit: { id: 'upload_error.limit', defaultMessage: 'File upload limit exceeded.' },
   uploadErrorPoll:  { id: 'upload_error.poll', defaultMessage: 'File upload not allowed with polls.' },
-  uploadQuote: { id: 'upload_error.quote', defaultMessage: 'File upload not allowed with quotes.' },
   open: { id: 'compose.published.open', defaultMessage: 'Open' },
   published: { id: 'compose.published.body', defaultMessage: 'Post published.' },
   saved: { id: 'compose.saved.body', defaultMessage: 'Post saved.' },
@@ -111,9 +110,9 @@ export function setComposeToStatus(status, text, spoiler_text, content_type) {
       text,
       spoiler_text,
       content_type,
-      maxOptions,
+      maxOptions
     });
-  }
+  };
 }
 
 export function changeCompose(text) {
@@ -160,7 +159,7 @@ export function resetCompose() {
   };
 }
 
-export const focusCompose = (defaultText = '') => (dispatch, getState) => {
+export const focusCompose = (defaultText) => (dispatch, getState) => {
   dispatch({
     type: COMPOSE_FOCUS,
     defaultText,
@@ -239,7 +238,6 @@ export function submitCompose(overridePrivacy = null, successCallback = undefine
       });
     }
 
-    const visibility = overridePrivacy || getState().getIn(['compose', 'privacy']);
     api().request({
       url: statusId === null ? '/api/v1/statuses' : `/api/v1/statuses/${statusId}`,
       method: statusId === null ? 'post' : 'put',
@@ -251,11 +249,9 @@ export function submitCompose(overridePrivacy = null, successCallback = undefine
         media_attributes,
         sensitive: getState().getIn(['compose', 'sensitive']) || (spoilerText.length > 0 && media.size !== 0),
         spoiler_text: spoilerText,
-        visibility: visibility,
+        visibility: overridePrivacy || getState().getIn(['compose', 'privacy']),
         poll: getState().getIn(['compose', 'poll'], null),
         language: getState().getIn(['compose', 'language']),
-        quoted_status_id: getState().getIn(['compose', 'quoted_status_id']),
-        quote_approval_policy: visibility === 'private' || visibility === 'direct' ? 'nobody' : getState().getIn(['compose', 'quote_policy']),
       },
       headers: {
         'Idempotency-Key': getState().getIn(['compose', 'idempotencyKey']),
@@ -343,11 +339,6 @@ export function doodleSet(options) {
 
 export function uploadCompose(files) {
   return function (dispatch, getState) {
-    // Exit if there's a quote.
-    if (getState().compose.get('quoted_status_id')) {
-      dispatch(showAlert({ message: messages.uploadQuote }));
-      return;
-    }
     const uploadLimit = getState().getIn(['server', 'server', 'configuration', 'statuses', 'max_media_attachments']);
     const media = getState().getIn(['compose', 'media_attachments']);
     const pending = getState().getIn(['compose', 'pending_media_attachments']);

app/javascript/flavours/glitch/actions/compose_typed.ts

@@ -1,41 +1,9 @@
-import { defineMessages } from 'react-intl';
-
-import { createAction } from '@reduxjs/toolkit';
 import type { List as ImmutableList, Map as ImmutableMap } from 'immutable';
 
 import { apiUpdateMedia } from 'flavours/glitch/api/compose';
 import type { ApiMediaAttachmentJSON } from 'flavours/glitch/api_types/media_attachments';
 import type { MediaAttachment } from 'flavours/glitch/models/media_attachment';
-import {
-  createDataLoadingThunk,
-  createAppThunk,
-} from 'flavours/glitch/store/typed_functions';
-
-import type { ApiQuotePolicy } from '../api_types/quotes';
-import type { Status } from '../models/status';
-
-import { showAlert } from './alerts';
-import { focusCompose } from './compose';
-import { openModal } from './modal';
-
-const messages = defineMessages({
-  quoteErrorUpload: {
-    id: 'quote_error.upload',
-    defaultMessage: 'Quoting is not allowed with media attachments.',
-  },
-  quoteErrorPoll: {
-    id: 'quote_error.poll',
-    defaultMessage: 'Quoting is not allowed with polls.',
-  },
-  quoteErrorQuote: {
-    id: 'quote_error.quote',
-    defaultMessage: 'Only one quote at a time is allowed.',
-  },
-  quoteErrorUnauthorized: {
-    id: 'quote_error.unauthorized',
-    defaultMessage: 'You are not authorized to quote this post.',
-  },
-});
+import { createDataLoadingThunk } from 'flavours/glitch/store/typed_functions';
 
 type SimulatedMediaAttachmentJSON = ApiMediaAttachmentJSON & {
   unattached?: boolean;
@@ -100,73 +68,3 @@ export const changeUploadCompose = createDataLoadingThunk(
     useLoadingBar: false,
   },
 );
-
-export const quoteCompose = createAppThunk(
-  'compose/quoteComposeStatus',
-  (status: Status, { dispatch }) => {
-    dispatch(focusCompose());
-    return status;
-  },
-);
-
-export const quoteComposeByStatus = createAppThunk(
-  (status: Status, { dispatch, getState }) => {
-    const state = getState();
-    const composeState = state.compose;
-    const mediaAttachments = composeState.get('media_attachments');
-    // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
-    const wasQuietPostHintModalDismissed: boolean =
-      // eslint-disable-next-line @typescript-eslint/no-unsafe-call, @typescript-eslint/no-unsafe-member-access
-      state.settings.getIn(
-        ['dismissed_banners', 'quote/quiet_post_hint'],
-        false,
-      );
-
-    if (composeState.get('poll')) {
-      dispatch(showAlert({ message: messages.quoteErrorPoll }));
-    } else if (
-      composeState.get('is_uploading') ||
-      (mediaAttachments &&
-        typeof mediaAttachments !== 'string' &&
-        typeof mediaAttachments !== 'number' &&
-        typeof mediaAttachments !== 'boolean' &&
-        mediaAttachments.size !== 0)
-    ) {
-      dispatch(showAlert({ message: messages.quoteErrorUpload }));
-    } else if (composeState.get('quoted_status_id')) {
-      dispatch(showAlert({ message: messages.quoteErrorQuote }));
-    } else if (
-      status.getIn(['quote_approval', 'current_user']) !== 'automatic' &&
-      status.getIn(['quote_approval', 'current_user']) !== 'manual'
-    ) {
-      dispatch(showAlert({ message: messages.quoteErrorUnauthorized }));
-    } else if (
-      status.get('visibility') === 'unlisted' &&
-      !wasQuietPostHintModalDismissed
-    ) {
-      dispatch(
-        openModal({
-          modalType: 'CONFIRM_QUIET_QUOTE',
-          modalProps: { status },
-        }),
-      );
-    } else {
-      dispatch(quoteCompose(status));
-    }
-  },
-);
-
-export const quoteComposeById = createAppThunk(
-  (statusId: string, { dispatch, getState }) => {
-    const status = getState().statuses.get(statusId);
-    if (status) {
-      dispatch(quoteComposeByStatus(status));
-    }
-  },
-);
-
-export const quoteComposeCancel = createAction('compose/quoteComposeCancel');
-
-export const setComposeQuotePolicy = createAction<ApiQuotePolicy>(
-  'compose/setQuotePolicy',
-);

app/javascript/flavours/glitch/actions/interactions_typed.ts

@@ -1,13 +1,8 @@
-import {
-  apiReblog,
-  apiUnreblog,
-  apiRevokeQuote,
-  apiGetQuotes,
-} from 'flavours/glitch/api/interactions';
+import { apiReblog, apiUnreblog } from 'flavours/glitch/api/interactions';
 import type { StatusVisibility } from 'flavours/glitch/models/status';
 import { createDataLoadingThunk } from 'flavours/glitch/store/typed_functions';
 
-import { importFetchedStatus, importFetchedStatuses } from './importer';
+import { importFetchedStatus } from './importer';
 
 export const reblog = createDataLoadingThunk(
   'status/reblog',
@@ -38,35 +33,3 @@ export const unreblog = createDataLoadingThunk(
     return discardLoadData;
   },
 );
-
-export const revokeQuote = createDataLoadingThunk(
-  'status/revoke_quote',
-  ({
-    statusId,
-    quotedStatusId,
-  }: {
-    statusId: string;
-    quotedStatusId: string;
-  }) => apiRevokeQuote(quotedStatusId, statusId),
-  (data, { dispatch, discardLoadData }) => {
-    dispatch(importFetchedStatus(data));
-
-    return discardLoadData;
-  },
-);
-
-export const fetchQuotes = createDataLoadingThunk(
-  'status/fetch_quotes',
-  async ({ statusId, next }: { statusId: string; next?: string }) => {
-    const { links, statuses } = await apiGetQuotes(statusId, next);
-
-    return {
-      links,
-      statuses,
-      replace: !next,
-    };
-  },
-  (payload, { dispatch }) => {
-    dispatch(importFetchedStatuses(payload.statuses));
-  },
-);

app/javascript/flavours/glitch/actions/notification_groups.ts

@@ -30,21 +30,8 @@ import { importFetchedAccounts, importFetchedStatuses } from './importer';
 import { NOTIFICATIONS_FILTER_SET } from './notifications';
 import { saveSettings } from './settings';
 
-function notificationTypeForFilter(type: NotificationType) {
-  if (type === 'quoted_update') return 'update';
-  else return type;
-}
-
-function notificationTypeForQuickFilter(type: NotificationType) {
-  if (type === 'quoted_update') return 'update';
-  else if (type === 'quote') return 'mention';
-  else return type;
-}
-
 function excludeAllTypesExcept(filter: string) {
-  return allNotificationTypes.filter(
-    (item) => notificationTypeForQuickFilter(item) !== filter,
-  );
+  return allNotificationTypes.filter((item) => item !== filter);
 }
 
 function getExcludedTypes(state: RootState) {
@@ -168,17 +155,13 @@ export const processNewNotificationForGroups = createAppAsyncThunk(
 
     const showInColumn =
       activeFilter === 'all'
-        ? notificationShows[notificationTypeForFilter(notification.type)] !==
-          false
-        : activeFilter === notificationTypeForQuickFilter(notification.type);
+        ? notificationShows[notification.type] !== false
+        : activeFilter === notification.type;
 
     if (!showInColumn) return;
 
     if (
-      (notification.type === 'mention' ||
-        notification.type === 'quote' ||
-        notification.type === 'update' ||
-        notification.type === 'quoted_update') &&
+      (notification.type === 'mention' || notification.type === 'update') &&
       notification.status?.filtered
     ) {
       const filters = notification.status.filtered.filter((result) =>

app/javascript/flavours/glitch/actions/notifications.js

@@ -31,7 +31,7 @@ export function updateNotifications(notification, intlMessages, intlLocale) {
 
     let filtered = false;
 
-    if (['mention', 'quote', 'status'].includes(notification.type) && notification.status.filtered) {
+    if (['mention', 'status'].includes(notification.type) && notification.status.filtered) {
       const filters = notification.status.filtered.filter(result => result.filter.context.includes('notifications'));
 
       if (filters.some(result => result.filter.filter_action === 'hide')) {

app/javascript/flavours/glitch/actions/statuses.js

@@ -1,10 +1,7 @@
-import { defineMessages } from 'react-intl';
-
 import { browserHistory } from 'flavours/glitch/components/router';
 
 import api from '../api';
 
-import { showAlert } from './alerts';
 import { ensureComposeIsVisible, setComposeToStatus } from './compose';
 import { importFetchedStatus, importFetchedAccount } from './importer';
 import { fetchContext } from './statuses_typed';
@@ -43,10 +40,6 @@ export const STATUS_TRANSLATE_SUCCESS = 'STATUS_TRANSLATE_SUCCESS';
 export const STATUS_TRANSLATE_FAIL    = 'STATUS_TRANSLATE_FAIL';
 export const STATUS_TRANSLATE_UNDO    = 'STATUS_TRANSLATE_UNDO';
 
-const messages = defineMessages({
-  deleteSuccess: { id: 'status.delete.success', defaultMessage: 'Post deleted' },
-});
-
 export function fetchStatusRequest(id, skipLoading) {
   return {
     type: STATUS_FETCH_REQUEST,
@@ -85,6 +78,8 @@ export function fetchStatus(id, {
       dispatch(fetchStatusSuccess(skipLoading));
     }).catch(error => {
       dispatch(fetchStatusFail(id, error, skipLoading, parentQuotePostId));
+      if (error.status === 404)
+        dispatch(deleteFromTimelines(id));
     });
   };
 }
@@ -162,7 +157,7 @@ export function deleteStatus(id, withRedraft = false) {
 
     dispatch(deleteStatusRequest(id));
 
-    return api().delete(`/api/v1/statuses/${id}`, { params: { delete_media: !withRedraft } }).then(response => {
+    api().delete(`/api/v1/statuses/${id}`, { params: { delete_media: !withRedraft } }).then(response => {
       dispatch(deleteStatusSuccess(id));
       dispatch(deleteFromTimelines(id));
       dispatch(importFetchedAccount(response.data.account));
@@ -170,14 +165,9 @@ export function deleteStatus(id, withRedraft = false) {
       if (withRedraft) {
         dispatch(redraft(status, response.data.text, response.data.content_type));
         ensureComposeIsVisible(getState);
-      } else {
-        dispatch(showAlert({ message: messages.deleteSuccess }));
       }
-
-      return response;
     }).catch(error => {
       dispatch(deleteStatusFail(id, error));
-      throw error;
     });
   };
 }

app/javascript/flavours/glitch/actions/statuses_typed.ts

@@ -1,34 +1,18 @@
-import { createAction } from '@reduxjs/toolkit';
-
-import { apiGetContext, apiSetQuotePolicy } from 'flavours/glitch/api/statuses';
+import { apiGetContext } from 'flavours/glitch/api/statuses';
 import { createDataLoadingThunk } from 'flavours/glitch/store/typed_functions';
 
-import type { ApiQuotePolicy } from '../api_types/quotes';
-
 import { importFetchedStatuses } from './importer';
 
 export const fetchContext = createDataLoadingThunk(
   'status/context',
   ({ statusId }: { statusId: string }) => apiGetContext(statusId),
-  ({ context, refresh }, { dispatch }) => {
+  (context, { dispatch }) => {
     const statuses = context.ancestors.concat(context.descendants);
 
     dispatch(importFetchedStatuses(statuses));
 
     return {
       context,
-      refresh,
     };
   },
 );
-
-export const completeContextRefresh = createAction<{ statusId: string }>(
-  'status/context/complete',
-);
-
-export const setStatusQuotePolicy = createDataLoadingThunk(
-  'status/setQuotePolicy',
-  ({ statusId, policy }: { statusId: string; policy: ApiQuotePolicy }) => {
-    return apiSetQuotePolicy(statusId, policy);
-  },
-);

app/javascript/flavours/glitch/api.ts

@@ -15,50 +15,6 @@ export const getLinks = (response: AxiosResponse) => {
   return LinkHeader.parse(value);
 };
 
-export interface AsyncRefreshHeader {
-  id: string;
-  retry: number;
-}
-
-const isAsyncRefreshHeader = (obj: object): obj is AsyncRefreshHeader =>
-  'id' in obj && 'retry' in obj;
-
-export const getAsyncRefreshHeader = (
-  response: AxiosResponse,
-): AsyncRefreshHeader | null => {
-  const value = response.headers['mastodon-async-refresh'] as
-    | string
-    | undefined;
-
-  if (!value) {
-    return null;
-  }
-
-  const asyncRefreshHeader: Record<string, unknown> = {};
-
-  value.split(/,\s*/).forEach((pair) => {
-    const [key, val] = pair.split('=', 2);
-
-    let typedValue: string | number;
-
-    if (key && ['id', 'retry'].includes(key) && val) {
-      if (val.startsWith('"')) {
-        typedValue = val.slice(1, -1);
-      } else {
-        typedValue = parseInt(val);
-      }
-
-      asyncRefreshHeader[key] = typedValue;
-    }
-  });
-
-  if (isAsyncRefreshHeader(asyncRefreshHeader)) {
-    return asyncRefreshHeader;
-  }
-
-  return null;
-};
-
 const csrfHeader: RawAxiosRequestHeaders = {};
 
 const setCSRFHeader = () => {
@@ -106,7 +62,7 @@ export default function api(withAuthorization = true) {
   });
 }
 
-type ApiUrl = `v${1 | '1_alpha' | 2}/${string}`;
+type ApiUrl = `v${1 | 2}/${string}`;
 type RequestParamsOrData = Record<string, unknown>;
 
 export async function apiRequest<ApiResponse = unknown>(

app/javascript/flavours/glitch/api/async_refreshes.ts

@@ -1,5 +0,0 @@
-import { apiRequestGet } from 'flavours/glitch/api';
-import type { ApiAsyncRefreshJSON } from 'flavours/glitch/api_types/async_refreshes';
-
-export const apiGetAsyncRefresh = (id: string) =>
-  apiRequestGet<ApiAsyncRefreshJSON>(`v1_alpha/async_refreshes/${id}`);

app/javascript/flavours/glitch/api/interactions.ts

@@ -1,4 +1,4 @@
-import api, { apiRequestPost, getLinks } from 'flavours/glitch/api';
+import { apiRequestPost } from 'flavours/glitch/api';
 import type { ApiStatusJSON } from 'flavours/glitch/api_types/statuses';
 import type { StatusVisibility } from 'flavours/glitch/models/status';
 
@@ -9,20 +9,3 @@ export const apiReblog = (statusId: string, visibility: StatusVisibility) =>
 
 export const apiUnreblog = (statusId: string) =>
   apiRequestPost<ApiStatusJSON>(`v1/statuses/${statusId}/unreblog`);
-
-export const apiRevokeQuote = (quotedStatusId: string, statusId: string) =>
-  apiRequestPost<ApiStatusJSON>(
-    `v1/statuses/${quotedStatusId}/quotes/${statusId}/revoke`,
-  );
-
-export const apiGetQuotes = async (statusId: string, url?: string) => {
-  const response = await api().request<ApiStatusJSON[]>({
-    method: 'GET',
-    url: url ?? `/api/v1/statuses/${statusId}/quotes`,
-  });
-
-  return {
-    statuses: response.data,
-    links: getLinks(response),
-  };
-};

app/javascript/flavours/glitch/api/statuses.ts

@@ -1,31 +1,5 @@
-import api, { apiRequestPut, getAsyncRefreshHeader } from 'flavours/glitch/api';
-import type {
-  ApiContextJSON,
-  ApiStatusJSON,
-} from 'flavours/glitch/api_types/statuses';
+import { apiRequestGet } from 'flavours/glitch/api';
+import type { ApiContextJSON } from 'flavours/glitch/api_types/statuses';
 
-import type { ApiQuotePolicy } from '../api_types/quotes';
-
-export const apiGetContext = async (statusId: string) => {
-  const response = await api().request<ApiContextJSON>({
-    method: 'GET',
-    url: `/api/v1/statuses/${statusId}/context`,
-  });
-
-  return {
-    context: response.data,
-    refresh: getAsyncRefreshHeader(response),
-  };
-};
-
-export const apiSetQuotePolicy = async (
-  statusId: string,
-  policy: ApiQuotePolicy,
-) => {
-  return apiRequestPut<ApiStatusJSON>(
-    `v1/statuses/${statusId}/interaction_policy`,
-    {
-      quote_approval_policy: policy,
-    },
-  );
-};
+export const apiGetContext = (statusId: string) =>
+  apiRequestGet<ApiContextJSON>(`v1/statuses/${statusId}/context`);

app/javascript/flavours/glitch/api_types/accounts.ts

@@ -37,7 +37,7 @@ export interface BaseApiAccountJSON {
   roles?: ApiAccountJSON[];
   statuses_count: number;
   uri: string;
-  url?: string;
+  url: string;
   username: string;
   moved?: ApiAccountJSON;
   suspended?: boolean;

app/javascript/flavours/glitch/api_types/async_refreshes.ts

@@ -1,7 +0,0 @@
-export interface ApiAsyncRefreshJSON {
-  async_refresh: {
-    id: string;
-    status: 'running' | 'finished';
-    result_count: number;
-  };
-}

app/javascript/flavours/glitch/api_types/notifications.ts

@@ -7,13 +7,12 @@ import type { ApiReportJSON } from './reports';
 import type { ApiStatusJSON } from './statuses';
 
 // See app/model/notification.rb
-export const allNotificationTypes: NotificationType[] = [
+export const allNotificationTypes = [
   'follow',
   'follow_request',
   'favourite',
   'reblog',
   'mention',
-  'quote',
   'poll',
   'status',
   'update',
@@ -29,10 +28,8 @@ export type NotificationWithStatusType =
   | 'reblog'
   | 'status'
   | 'mention'
-  | 'quote'
   | 'poll'
-  | 'update'
-  | 'quoted_update';
+  | 'update';
 
 export type NotificationType =
   | NotificationWithStatusType

app/javascript/flavours/glitch/api_types/quotes.ts

@@ -1,39 +0,0 @@
-import type { ApiStatusJSON } from './statuses';
-
-export type ApiQuoteState = 'accepted' | 'pending' | 'revoked' | 'unauthorized';
-export type ApiQuotePolicy =
-  | 'public'
-  | 'followers'
-  | 'following'
-  | 'nobody'
-  | 'unsupported_policy';
-export type ApiUserQuotePolicy = 'automatic' | 'manual' | 'denied' | 'unknown';
-
-interface ApiQuoteEmptyJSON {
-  state: Exclude<ApiQuoteState, 'accepted'>;
-  quoted_status: null;
-}
-
-interface ApiNestedQuoteJSON {
-  state: 'accepted';
-  quoted_status_id: string;
-}
-
-interface ApiQuoteAcceptedJSON {
-  state: 'accepted';
-  quoted_status: Omit<ApiStatusJSON, 'quote'> & {
-    quote: ApiNestedQuoteJSON | ApiQuoteEmptyJSON;
-  };
-}
-
-export type ApiQuoteJSON = ApiQuoteAcceptedJSON | ApiQuoteEmptyJSON;
-
-export interface ApiQuotePolicyJSON {
-  automatic: ApiQuotePolicy[];
-  manual: ApiQuotePolicy[];
-  current_user: ApiUserQuotePolicy;
-}
-
-export function isQuotePolicy(policy: string): policy is ApiQuotePolicy {
-  return ['public', 'followers', 'nobody'].includes(policy);
-}