Merge pull request #3117 from ClearlyClaire/glitch-soc/merge-4.3

Merge upstream changes up to f6dbb2206c
[Glitch] Fix “Alt text” button submitting form in moderation interface
2025-12-14 16:28:59 +00:00 · 2025-07-02 19:21:12 +02:00 · 2025-07-02 19:06:58 +02:00 · 2025-07-02 19:06:58 +02:00 · 2025-07-02 19:06:58 +02:00 · 2025-07-02 19:06:55 +02:00
1927 changed files with 39648 additions and 23082 deletions
--- a/.browserslistrc
+++ b/.browserslistrc
@@ -1,6 +1,7 @@
 [production]
 defaults
 > 0.2%
 firefox >= 78
 ios >= 15.6
 not dead
 not OperaMini all
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -11,5 +11,8 @@ RUN apt-get update && \
    export DEBIAN_FRONTEND=noninteractive && \
    apt-get -y install --no-install-recommends libicu-dev libidn11-dev ffmpeg imagemagick libvips42 libpam-dev
 # Disable download prompt for Corepack
 ENV COREPACK_ENABLE_DOWNLOAD_PROMPT=0
 # Move welcome message to where VS Code expects it
 COPY .devcontainer/welcome-message.txt /usr/local/etc/vscode-dev-containers/first-run-notice.txt
--- a/.devcontainer/codespaces/devcontainer.json
+++ b/.devcontainer/codespaces/devcontainer.json
@@ -39,7 +39,7 @@
  },
  "onCreateCommand": "git config --global --add safe.directory ${containerWorkspaceFolder}",
-  "postCreateCommand": "COREPACK_ENABLE_DOWNLOAD_PROMPT=0 bin/setup",
+  "postCreateCommand": "bin/setup",
  "waitFor": "postCreateCommand",
  "customizations": {
--- a/.devcontainer/compose.yaml
+++ b/.devcontainer/compose.yaml
@@ -69,7 +69,7 @@ services:
        hard: -1
  libretranslate:
-    image: libretranslate/libretranslate:v1.5.7
+    image: libretranslate/libretranslate:v1.6.1
    restart: unless-stopped
    volumes:
      - lt-data:/home/libretranslate/.local
--- a/.env.production.sample
+++ b/.env.production.sample
@@ -73,6 +73,16 @@ DB_PORT=5432
 SECRET_KEY_BASE=
 OTP_SECRET=
 # Encryption secrets
 # ------------------
 # Must be available (and set to same values) for all server processes
 # These are private/secret values, do not share outside hosting environment
 # Use `bin/rails db:encryption:init` to generate fresh secrets
 # Do NOT change these secrets once in use, as this would cause data loss and other issues
 # ------------------
 # ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=
 # ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=
 # ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=
 # Web Push
 # --------
--- a/.eslintrc.js
+++ b/.eslintrc.js
@@ -333,7 +333,7 @@ module.exports = defineConfig({
      ],
      parserOptions: {
-        project: true,
+        projectService: true,
        tsconfigRootDir: __dirname,
      },
--- a/.github/actions/setup-ruby/action.yml
+++ b/.github/actions/setup-ruby/action.yml
@@ -21,3 +21,4 @@ runs:
      with:
        ruby-version: ${{ inputs.ruby-version }}
        bundler-cache: true
        cache-version: 4.3
--- a/.github/codecov.yml
+++ b/.github/codecov.yml
@@ -9,3 +9,5 @@ coverage:
      default:
        # GitHub status check is not blocking
        informational: true
 github_checks:
  annotations: false
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -7,6 +7,7 @@
    ':prConcurrentLimitNone', // Remove limit for open PRs at any time.
    ':prHourlyLimit2', // Rate limit PR creation to a maximum of two per hour.
  ],
  rebaseWhen: 'conflicted',
  minimumReleaseAge: '3', // Wait 3 days after the package has been published before upgrading it
  // packageRules order is important, they are applied from top to bottom and are merged,
  // meaning the most important ones must be at the bottom, for example grouping rules
--- a/.github/workflows/build-container-image.yml
+++ b/.github/workflows/build-container-image.yml
@@ -1,14 +1,9 @@
 on:
  workflow_call:
    inputs:
      platforms:
        required: true
        type: string
      cache:
        type: boolean
        default: true
      use_native_arm64_builder:
        type: boolean
      push_to_images:
        type: string
      version_prerelease:
@@ -24,42 +19,36 @@ on:
      file_to_build:
        type: string
 # This builds multiple images with one runner each, allowing us to build for multiple architectures
 # using Github's runners.
 # The two-step process is adapted form:
 # https://docs.docker.com/build/ci/github-actions/multi-platform/#distribute-build-across-multiple-runners
 jobs:
  # Build each (amd64 and arm64) image separately
  build-image:
-    runs-on: ubuntu-latest
+    runs-on: ${{ startsWith(matrix.platform, 'linux/arm') && 'ubuntu-24.04-arm' || 'ubuntu-24.04' }}
    strategy:
      fail-fast: false
      matrix:
        platform:
          - linux/amd64
          - linux/arm64
    steps:
      - uses: actions/checkout@v4
-      - uses: docker/setup-qemu-action@v3
+      - name: Prepare
-        if: contains(inputs.platforms, 'linux/arm64') && !inputs.use_native_arm64_builder
+        env:
          PUSH_TO_IMAGES: ${{ inputs.push_to_images }}
        run: |
          platform=${{ matrix.platform }}
          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
          # Transform multi-line variable into comma-separated variable
          image_names=${PUSH_TO_IMAGES//$'\n'/,}
          echo "IMAGE_NAMES=${image_names%,}" >> $GITHUB_ENV
      - uses: docker/setup-buildx-action@v3
        id: buildx
        if: ${{ !(inputs.use_native_arm64_builder && contains(inputs.platforms, 'linux/arm64')) }}
      - name: Start a local Docker Builder
        if: inputs.use_native_arm64_builder && contains(inputs.platforms, 'linux/arm64')
        run: |
          docker run --rm -d --name buildkitd -p 1234:1234 --privileged moby/buildkit:latest --addr tcp://0.0.0.0:1234
      - uses: docker/setup-buildx-action@v3
        id: buildx-native
        if: inputs.use_native_arm64_builder && contains(inputs.platforms, 'linux/arm64')
        with:
          driver: remote
          endpoint: tcp://localhost:1234
          platforms: linux/amd64
          append: |
            - endpoint: tcp://${{ vars.DOCKER_BUILDER_HETZNER_ARM64_01_HOST }}:13865
              platforms: linux/arm64
              name: mastodon-docker-builder-arm64-01
              driver-opts:
                - servername=mastodon-docker-builder-arm64-01
        env:
          BUILDER_NODE_1_AUTH_TLS_CACERT: ${{ secrets.DOCKER_BUILDER_HETZNER_ARM64_01_CACERT }}
          BUILDER_NODE_1_AUTH_TLS_CERT: ${{ secrets.DOCKER_BUILDER_HETZNER_ARM64_01_CERT }}
          BUILDER_NODE_1_AUTH_TLS_KEY: ${{ secrets.DOCKER_BUILDER_HETZNER_ARM64_01_KEY }}
      - name: Log in to Docker Hub
        if: contains(inputs.push_to_images, 'tootsuite')
@@ -76,8 +65,91 @@ jobs:
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: docker/metadata-action@v5
+      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        if: ${{ inputs.push_to_images != '' }}
        with:
          images: ${{ inputs.push_to_images }}
          flavor: ${{ inputs.flavor }}
          labels: ${{ inputs.labels }}
      - name: Build and push by digest
        id: build
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ${{ inputs.file_to_build }}
          build-args: |
            MASTODON_VERSION_PRERELEASE=${{ inputs.version_prerelease }}
            MASTODON_VERSION_METADATA=${{ inputs.version_metadata }}
            SOURCE_COMMIT=${{ github.sha }}
          platforms: ${{ matrix.platform }}
          provenance: false
          push: ${{ inputs.push_to_images != '' }}
          cache-from: ${{ inputs.cache && 'type=gha' || '' }}
          cache-to: ${{ inputs.cache && 'type=gha,mode=max' || '' }}
          outputs: type=image,"name=${{ env.IMAGE_NAMES }}",push-by-digest=true,name-canonical=true,push=${{ inputs.push_to_images != '' }}
      - name: Export digest
        if: ${{ inputs.push_to_images != '' }}
        run: |
          mkdir -p "${{ runner.temp }}/digests"
          digest="${{ steps.build.outputs.digest }}"
          touch "${{ runner.temp }}/digests/${digest#sha256:}"
      - name: Upload digest
        if: ${{ inputs.push_to_images != '' }}
        uses: actions/upload-artifact@v4
        with:
          # `hashFiles` is used to disambiguate between streaming and non-streaming images
          name: digests-${{ hashFiles(inputs.file_to_build) }}-${{ env.PLATFORM_PAIR }}
          path: ${{ runner.temp }}/digests/*
          if-no-files-found: error
          retention-days: 1
  # Then merge the docker images into a single one
  merge-images:
    if: ${{ inputs.push_to_images != '' }}
    runs-on: ubuntu-24.04
    needs:
      - build-image
    env:
      PUSH_TO_IMAGES: ${{ inputs.push_to_images }}
    steps:
      - uses: actions/checkout@v4
      - name: Download digests
        uses: actions/download-artifact@v4
        with:
          path: ${{ runner.temp }}/digests
          # `hashFiles` is used to disambiguate between streaming and non-streaming images
          pattern: digests-${{ hashFiles(inputs.file_to_build) }}-*
          merge-multiple: true
      - name: Log in to Docker Hub
        if: contains(inputs.push_to_images, 'tootsuite')
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Log in to the GitHub Container registry
        if: contains(inputs.push_to_images, 'ghcr.io')
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        if: ${{ inputs.push_to_images != '' }}
        with:
          images: ${{ inputs.push_to_images }}
@@ -85,18 +157,14 @@ jobs:
          tags: ${{ inputs.tags }}
          labels: ${{ inputs.labels }}
-      - uses: docker/build-push-action@v6
+      - name: Create manifest list and push
-        with:
+        working-directory: ${{ runner.temp }}/digests
-          context: .
+        run: |
-          file: ${{ inputs.file_to_build }}
+          echo "$PUSH_TO_IMAGES" | xargs -I{} \
-          build-args: |
+            docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
-            MASTODON_VERSION_PRERELEASE=${{ inputs.version_prerelease }}
+              $(printf '{}@sha256:%s ' *)
-            MASTODON_VERSION_METADATA=${{ inputs.version_metadata }}
+
-          platforms: ${{ inputs.platforms }}
+      - name: Inspect image
-          provenance: false
+        run: |
-          builder: ${{ steps.buildx.outputs.name || steps.buildx-native.outputs.name }}
+          echo "$PUSH_TO_IMAGES" | xargs -i{} \
-          push: ${{ inputs.push_to_images != '' }}
+            docker buildx imagetools inspect {}:${{ steps.meta.outputs.version }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: ${{ inputs.cache && 'type=gha' || '' }}
          cache-to: ${{ inputs.cache && 'type=gha,mode=max' || '' }}
--- a/.github/workflows/build-nightly.yml
+++ b/.github/workflows/build-nightly.yml
@@ -26,8 +26,6 @@ jobs:
    uses: ./.github/workflows/build-container-image.yml
    with:
      file_to_build: Dockerfile
      platforms: linux/amd64,linux/arm64
      use_native_arm64_builder: false
      cache: false
      push_to_images: |
        ghcr.io/${{ github.repository_owner }}/mastodon
@@ -47,8 +45,6 @@ jobs:
    uses: ./.github/workflows/build-container-image.yml
    with:
      file_to_build: streaming/Dockerfile
      platforms: linux/amd64,linux/arm64
      use_native_arm64_builder: false
      cache: false
      push_to_images: |
        ghcr.io/${{ github.repository_owner }}/mastodon-streaming
--- a/.github/workflows/build-push-pr.yml
+++ b/.github/workflows/build-push-pr.yml
@@ -21,17 +21,17 @@ jobs:
        uses: actions/checkout@v4
      - id: version_vars
        run: |
-          echo mastodon_version_metadata=pr-${{ github.event.pull_request.number }}-$(git rev-parse --short HEAD) >> $GITHUB_OUTPUT
+          echo mastodon_version_metadata=pr-${{ github.event.pull_request.number }}-$(git rev-parse --short ${{github.event.pull_request.head.sha}}) >> $GITHUB_OUTPUT
          echo mastodon_short_sha=$(git rev-parse --short ${{github.event.pull_request.head.sha}}) >> $GITHUB_OUTPUT
    outputs:
      metadata: ${{ steps.version_vars.outputs.mastodon_version_metadata }}
      short_sha: ${{ steps.version_vars.outputs.mastodon_short_sha }}
  build-image:
    needs: compute-suffix
    uses: ./.github/workflows/build-container-image.yml
    with:
      file_to_build: Dockerfile
      platforms: linux/amd64,linux/arm64
      use_native_arm64_builder: false
      push_to_images: |
        ghcr.io/${{ github.repository_owner }}/mastodon
      version_metadata: ${{ needs.compute-suffix.outputs.metadata }}
@@ -39,6 +39,7 @@ jobs:
        latest=auto
      tags: |
        type=ref,event=pr
        type=ref,event=pr,suffix=-${{ needs.compute-suffix.outputs.short_sha }}
    secrets: inherit
  build-image-streaming:
@@ -46,8 +47,6 @@ jobs:
    uses: ./.github/workflows/build-container-image.yml
    with:
      file_to_build: streaming/Dockerfile
      platforms: linux/amd64,linux/arm64
      use_native_arm64_builder: false
      push_to_images: |
        ghcr.io/${{ github.repository_owner }}/mastodon-streaming
      version_metadata: ${{ needs.compute-suffix.outputs.metadata }}
@@ -55,4 +54,5 @@ jobs:
        latest=auto
      tags: |
        type=ref,event=pr
        type=ref,event=pr,suffix=-${{ needs.compute-suffix.outputs.short_sha }}
    secrets: inherit
--- a/.github/workflows/build-releases.yml
+++ b/.github/workflows/build-releases.yml
@@ -13,8 +13,6 @@ jobs:
    uses: ./.github/workflows/build-container-image.yml
    with:
      file_to_build: Dockerfile
      platforms: linux/amd64,linux/arm64
      use_native_arm64_builder: false
      push_to_images: |
        ghcr.io/${{ github.repository_owner }}/mastodon
      # Do not use cache when building releases, so apt update is always ran and the release always contain the latest packages
@@ -22,7 +20,7 @@ jobs:
      # Only tag with latest when ran against the latest stable branch
      # This needs to be updated after each minor version release
      flavor: |
-        latest=${{ startsWith(github.ref, 'refs/tags/v4.2.') }}
+        latest=${{ startsWith(github.ref, 'refs/tags/v4.3.') }}
      tags: |
        type=pep440,pattern={{raw}}
        type=pep440,pattern=v{{major}}.{{minor}}
@@ -33,8 +31,6 @@ jobs:
    uses: ./.github/workflows/build-container-image.yml
    with:
      file_to_build: streaming/Dockerfile
      platforms: linux/amd64,linux/arm64
      use_native_arm64_builder: false
      push_to_images: |
        ghcr.io/${{ github.repository_owner }}/mastodon-streaming
      # Do not use cache when building releases, so apt update is always ran and the release always contain the latest packages
--- a/.github/workflows/build-security.yml
+++ b/.github/workflows/build-security.yml
@@ -23,8 +23,6 @@ jobs:
    uses: ./.github/workflows/build-container-image.yml
    with:
      file_to_build: Dockerfile
      platforms: linux/amd64,linux/arm64
      use_native_arm64_builder: false
      cache: false
      push_to_images: |
        ghcr.io/${{ github.repository_owner }}/mastodon
@@ -44,8 +42,6 @@ jobs:
    uses: ./.github/workflows/build-container-image.yml
    with:
      file_to_build: streaming/Dockerfile
      platforms: linux/amd64,linux/arm64
      use_native_arm64_builder: false
      cache: false
      push_to_images: |
        ghcr.io/${{ github.repository_owner }}/mastodon-streaming
--- a/.github/workflows/crowdin-download-stable.yml
+++ b/.github/workflows/crowdin-download-stable.yml
@@ -0,0 +1,70 @@
 name: Crowdin / Download translations (stable branches)
 on:
  workflow_dispatch:
 permissions:
  contents: write
  pull-requests: write
 jobs:
  download-translations-stable:
    runs-on: ubuntu-latest
    if: github.repository == 'glitch-soc/mastodon'
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Increase Git http.postBuffer
        # This is needed due to a bug in Ubuntu's cURL version?
        # See https://github.com/orgs/community/discussions/55820
        run: |
          git config --global http.version HTTP/1.1
          git config --global http.postBuffer 157286400
      # Download the translation files from Crowdin
      - name: crowdin action
        uses: crowdin/github-action@v2
        with:
          config: crowdin-glitch.yml
          upload_sources: false
          upload_translations: false
          download_translations: true
          crowdin_branch_name: ${{ github.base_ref || github.ref_name }}
          push_translations: false
          create_pull_request: false
        env:
          CROWDIN_PROJECT_ID: ${{ vars.CROWDIN_PROJECT_ID }}
          CROWDIN_PERSONAL_TOKEN: ${{ secrets.CROWDIN_PERSONAL_TOKEN }}
      # As the files are extracted from a Docker container, they belong to root:root
      # We need to fix this before the next steps
      - name: Fix file permissions
        run: sudo chown -R runner:docker .
      # This is needed to run the normalize step
      - name: Set up Ruby environment
        uses: ./.github/actions/setup-ruby
      - name: Run i18n normalize task
        run: bundle exec i18n-tasks normalize
      # Create or update the pull request
      - name: Create Pull Request
        uses: peter-evans/create-pull-request@v7.0.5
        with:
          commit-message: 'New Crowdin translations'
          title: 'New Crowdin Translations for ${{ github.base_ref || github.ref_name }} (automated)'
          author: 'GitHub Actions <noreply@github.com>'
          body: |
            New Crowdin translations, automated with GitHub Actions
            See `.github/workflows/crowdin-download.yml`
            This PR will be updated every day with new translations.
            Due to a limitation in GitHub Actions, checks are not running on this PR without manual action.
            If you want to run the checks, then close and re-open it.
          branch: i18n/crowdin/translations-${{ github.base_ref || github.ref_name }}
          base: ${{ github.base_ref || github.ref_name }}
          labels: i18n
--- a/.github/workflows/crowdin-download.yml
+++ b/.github/workflows/crowdin-download.yml
@@ -53,7 +53,7 @@ jobs:
      # Create or update the pull request
      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v6.0.5
+        uses: peter-evans/create-pull-request@v7.0.5
        with:
          commit-message: 'New Crowdin translations'
          title: 'New Crowdin Translations (automated)'
--- a/.github/workflows/crowdin-upload.yml
+++ b/.github/workflows/crowdin-upload.yml
@@ -1,7 +1,6 @@
 name: Crowdin / Upload translations
 on:
  merge_group:
  push:
    branches:
      - 'main'
@@ -19,7 +18,7 @@ on:
 jobs:
  upload-translations:
    runs-on: ubuntu-latest
-    if: github.repository == 'mastodon/mastodon'
+    if: github.repository == 'glitch-soc/mastodon'
    steps:
      - name: Checkout
@@ -32,7 +31,7 @@ jobs:
          upload_sources: true
          upload_translations: false
          download_translations: false
-          crowdin_branch_name: main
+          crowdin_branch_name: ${{ github.base_ref || github.ref_name }}
        env:
          CROWDIN_PROJECT_ID: ${{ vars.CROWDIN_PROJECT_ID }}
--- a/.github/workflows/test-image-build.yml
+++ b/.github/workflows/test-image-build.yml
@@ -20,7 +20,6 @@ jobs:
    uses: ./.github/workflows/build-container-image.yml
    with:
      file_to_build: Dockerfile
      platforms: linux/amd64 # Testing only on native platform so it is performant
      cache: true
  build-image-streaming:
@@ -31,5 +30,4 @@ jobs:
    uses: ./.github/workflows/build-container-image.yml
    with:
      file_to_build: streaming/Dockerfile
      platforms: linux/amd64 # Testing only on native platform so it is performant
      cache: true
--- a/.github/workflows/test-migrations.yml
+++ b/.github/workflows/test-migrations.yml
@@ -32,6 +32,8 @@ jobs:
        postgres:
          - 14-alpine
          - 15-alpine
          - 16-alpine
          - 17-alpine
    services:
      postgres:
--- a/.github/workflows/test-ruby.yml
+++ b/.github/workflows/test-ruby.yml
@@ -42,11 +42,24 @@ jobs:
        with:
          onlyProduction: 'true'
      - name: Cache assets from compilation
        uses: actions/cache@v4
        with:
          path: |
            public/assets
            public/packs
            public/packs-test
            tmp/cache/webpacker
          key: ${{ matrix.mode }}-assets-${{ github.head_ref || github.ref_name }}-${{ github.sha }}
          restore-keys: |
            ${{ matrix.mode }}-assets-${{ github.head_ref || github.ref_name }}-${{ github.sha }}
            ${{ matrix.mode }}-assets-${{ github.head_ref || github.ref_name }}
            ${{ matrix.mode }}-assets-main
            ${{ matrix.mode }}-assets
      - name: Precompile assets
        # Previously had set this, but it's not supported
        # export NODE_OPTIONS=--openssl-legacy-provider
        run: |-
-          ./bin/rails assets:precompile
+          bin/rails assets:precompile
      - name: Archive asset artifacts
        run: |
@@ -114,6 +127,7 @@ jobs:
          - '3.1'
          - '3.2'
          - '.ruby-version'
          - '3.4'
    steps:
      - uses: actions/checkout@v4
@@ -130,13 +144,26 @@ jobs:
        uses: ./.github/actions/setup-ruby
        with:
          ruby-version: ${{ matrix.ruby-version}}
-          additional-system-dependencies: ffmpeg libpam-dev
+          additional-system-dependencies: ffmpeg imagemagick libpam-dev
      - name: Load database schema
        run: |
          bin/rails db:setup
          bin/flatware fan bin/rails db:test:prepare
      - name: Cache RSpec persistence file
        uses: actions/cache@v4
        with:
          path: |
            tmp/rspec/examples.txt
          key: rspec-persistence-${{ github.head_ref || github.ref_name }}-${{ github.sha }}
          restore-keys: |
            rspec-persistence-${{ github.head_ref || github.ref_name }}-${{ github.sha }}-${{ matrix.ruby-version }}
            rspec-persistence-${{ github.head_ref || github.ref_name }}-${{ github.sha }}
            rspec-persistence-${{ github.head_ref || github.ref_name }}
            rspec-persistence-main
            rspec-persistence
      - run: bin/flatware rspec -r ./spec/flatware_helper.rb
      - name: Upload coverage reports to Codecov
@@ -203,6 +230,7 @@ jobs:
          - '3.1'
          - '3.2'
          - '.ruby-version'
          - '3.4'
    steps:
      - uses: actions/checkout@v4
@@ -219,7 +247,7 @@ jobs:
        uses: ./.github/actions/setup-ruby
        with:
          ruby-version: ${{ matrix.ruby-version}}
-          additional-system-dependencies: ffmpeg libpam-dev libyaml-dev
+          additional-system-dependencies: ffmpeg libpam-dev
      - name: Load database schema
        run: './bin/rails db:create db:schema:load db:seed'
@@ -282,6 +310,7 @@ jobs:
          - '3.1'
          - '3.2'
          - '.ruby-version'
          - '3.4'
    steps:
      - uses: actions/checkout@v4
@@ -299,7 +328,7 @@ jobs:
        uses: ./.github/actions/setup-ruby
        with:
          ruby-version: ${{ matrix.ruby-version}}
-          additional-system-dependencies: ffmpeg
+          additional-system-dependencies: ffmpeg imagemagick
      - name: Set up Javascript environment
        uses: ./.github/actions/setup-javascript
@@ -399,6 +428,7 @@ jobs:
          - '3.1'
          - '3.2'
          - '.ruby-version'
          - '3.4'
        search-image:
          - docker.elastic.co/elasticsearch/elasticsearch:7.17.13
        include:
@@ -419,7 +449,7 @@ jobs:
        uses: ./.github/actions/setup-ruby
        with:
          ruby-version: ${{ matrix.ruby-version}}
-          additional-system-dependencies: ffmpeg
+          additional-system-dependencies: ffmpeg imagemagick
      - name: Set up Javascript environment
        uses: ./.github/actions/setup-javascript
--- a/.gitignore
+++ b/.gitignore
@@ -71,3 +71,6 @@ docker-compose.override.yml
 # Ignore dotenv .local files
 .env*.local
 # Ignore local-only rspec configuration
 .rspec-local
--- a/.profile
+++ b/.profile
@@ -1 +0,0 @@
 LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/app/.apt/lib/x86_64-linux-gnu:/app/.apt/usr/lib/x86_64-linux-gnu/mesa:/app/.apt/usr/lib/x86_64-linux-gnu/pulseaudio:/app/.apt/usr/lib/x86_64-linux-gnu/openblas-pthread
--- a/.rspec
+++ b/.rspec
@@ -1,3 +1,2 @@
 --color
 --require spec_helper
 --format Fuubar
--- a/.rubocop/strict.yml
+++ b/.rubocop/strict.yml
@@ -7,8 +7,13 @@ RSpec/Focus: # Require full spec run on CI
  Exclude: []
 Rails/Output: # Remove any `puts` debugging
  inherit_mode:
    merge:
      - Include
  Enabled: true
  Exclude: []
  Include:
    - spec/**/*.rb
 Rails/FindEach: # Using `each` could impact performance, use `find_each`
  Enabled: true
--- a/.rubocop_todo.yml
+++ b/.rubocop_todo.yml
@@ -1,6 +1,6 @@
 # This configuration was generated by
 # `rubocop --auto-gen-config --auto-gen-only-exclude --no-offense-counts --no-auto-gen-timestamp`
-# using RuboCop version 1.65.0.
+# using RuboCop version 1.66.1.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
@@ -35,7 +35,6 @@ Rails/OutputSafety:
 # Configuration parameters: AllowedVars.
 Style/FetchEnvVar:
  Exclude:
    - 'app/lib/redis_configuration.rb'
    - 'app/lib/translation_service.rb'
    - 'config/environments/production.rb'
    - 'config/initializers/2_limited_federation_mode.rb'
@@ -44,7 +43,6 @@ Style/FetchEnvVar:
    - 'config/initializers/devise.rb'
    - 'config/initializers/paperclip.rb'
    - 'config/initializers/vapid.rb'
    - 'lib/mastodon/redis_config.rb'
    - 'lib/tasks/repo.rake'
 # This cop supports safe autocorrection (--autocorrect).
@@ -93,7 +91,6 @@ Style/OptionalBooleanParameter:
    - 'app/services/fetch_resource_service.rb'
    - 'app/workers/domain_block_worker.rb'
    - 'app/workers/unfollow_follow_worker.rb'
    - 'lib/mastodon/redis_config.rb'
 # This cop supports unsafe autocorrection (--autocorrect-all).
 # Configuration parameters: EnforcedStyle.
--- a/.ruby-version
+++ b/.ruby-version
@@ -1 +1 @@
-3.3.4
+3.3.5
--- a/10
+++ b/10
@@ -1,5 +1,5 @@
-ffmpeg
+libidn12
-libopenblas0-pthread
+# for idn-ruby on heroku-24 stack
-libpq-dev
+
-libxdamage1
+# use https://github.com/heroku/heroku-buildpack-activestorage-preview
-libxfixes3
+# in place for ffmpeg and its dependent packages to reduce slag size
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,7 +2,238 @@
 All notable changes to this project will be documented in this file.
-## [4.3.0] - UNRELEASED
+## [4.3.9] - 2025-07-02
 ### Changed
 - Change passthrough video processing to emit `moov` atom at start of video (#34726 by @ClearlyClaire)
 ### Fixed
 - Fix `NoMethodError` in edge case of emoji cache handling (#34749 by @dariusk)
 - Fix error when viewing statuses to deleted replies in moderation view (#32986 by @ClearlyClaire)
 - Fix search operators sometimes getting lost (#35190 by @ClearlyClaire)
 - Fix “Alt text” button submitting form in moderation interface (#35147 by @ClearlyClaire)
 - Fix handling of remote attachments with multiple media types (#34996 by @ClearlyClaire)
 - Fix blocked accounts not being automatically removed from trending statuses (#34891 by @ClearlyClaire)
 - Fix inconsistent filtering of silenced accounts for other silenced accounts (#34863 by @ClearlyClaire)
 - Fix handling of inlined `featured` collections in ActivityPub actor objects (#34789 and #34811 by @ClearlyClaire)
 - Fix admin dashboard crash on specific Elasticsearch connection errors (#34683 by @ClearlyClaire)
 - Fix OIDC account creation failing for long display names (#34639 by @defnull)
 - Fix `/share` not using server-set characters limit (#33459 by @kescherCode)
 - Fix wrong video dimensions for some rotated videos (#33008 and #33261 by @Gargron and @tribela)
 - Fix missing autofocus on boost modal (#32953 by @tribela)
 ## [4.3.8] - 2025-05-06
 ### Security
 - Update dependencies
 - Check scheme on account, profile, and media URLs ([GHSA-x2rc-v5wx-g3m5](https://github.com/mastodon/mastodon/security/advisories/GHSA-x2rc-v5wx-g3m5))
 ### Added
 - Add warning for REDIS_NAMESPACE deprecation at startup (#34581 by @ClearlyClaire)
 - Add built-in context for interaction policies (#34574 by @ClearlyClaire)
 ### Changed
 - Change activity distribution error handling to skip retrying for deleted accounts (#33617 by @ClearlyClaire)
 ### Removed
 - Remove double-query for signed query strings (#34610 by @ClearlyClaire)
 ### Fixed
 - Fix incorrect redirect in response to unauthenticated API requests in limited federation mode (#34549 by @ClearlyClaire)
 - Fix sign-up e-mail confirmation page reloading on error or redirect (#34548 by @ClearlyClaire)
 ## [4.3.7] - 2025-04-02
 ### Added
 - Add delay to profile updates to debounce them (#34137 by @ClearlyClaire)
 - Add support for paginating partial collections in `SynchronizeFollowersService` (#34272 and #34277 by @ClearlyClaire)
 ### Changed
 - Change account suspensions to be federated to recently-followed accounts as well (#34294 by @ClearlyClaire)
 - Change `AccountReachFinder` to consider statuses based on suspension date (#32805 and #34291 by @ClearlyClaire and @mjankowski)
 - Change user archive signed URL TTL from 10 seconds to 1 hour (#34254 by @ClearlyClaire)
 ### Fixed
 - Fix static version of animated PNG emojis not being properly extracted (#34337 by @ClearlyClaire)
 - Fix filters not applying in detailed view, favourites and bookmarks (#34259 and #34260 by @ClearlyClaire)
 - Fix handling of malformed/unusual HTML (#34201 by @ClearlyClaire)
 - Fix `CacheBuster` being queued for missing media attachments (#34253 by @ClearlyClaire)
 - Fix incorrect URL being used when cache busting (#34189 by @ClearlyClaire)
 - Fix streaming server refusing unix socket path in `DATABASE_URL` (#34091 by @ClearlyClaire)
 - Fix “x” hotkey not working on boosted filtered posts (#33758 by @ClearlyClaire)
 ## [4.3.6] - 2025-03-13
 ### Security
 - Update dependency `omniauth-saml`
 - Update dependency `rack`
 ### Fixed
 - Fix Stoplight errors when using `REDIS_NAMESPACE` (#34126 by @ClearlyClaire)
 ## [4.3.5] - 2025-03-10
 ### Changed
 - Change hashtag suggestion to prefer personal history capitalization (#34070 by @ClearlyClaire)
 ### Fixed
 - Fix processing errors for some HEIF images from iOS 18 (#34086 by @renchap)
 - Fix streaming server not filtering unknown-language posts from public timelines (#33774 by @ClearlyClaire)
 - Fix preview cards under Content Warnings not being shown in detailed statuses (#34068 by @ClearlyClaire)
 - Fix username and display name being hidden on narrow screens in moderation interface (#33064 by @ClearlyClaire)
 ## [4.3.4] - 2025-02-27
 ### Security
 - Update dependencies
 - Change HTML sanitization to remove unusable and unused `embed` tag (#34021 by @ClearlyClaire, [GHSA-mq2m-hr29-8gqf](https://github.com/mastodon/mastodon/security/advisories/GHSA-mq2m-hr29-8gqf))
 - Fix rate-limit on sign-up email verification ([GHSA-v39f-c9jj-8w7h](https://github.com/mastodon/mastodon/security/advisories/GHSA-v39f-c9jj-8w7h))
 - Fix improper disclosure of domain blocks to unverified users ([GHSA-94h4-fj37-c825](https://github.com/mastodon/mastodon/security/advisories/GHSA-94h4-fj37-c825))
 ### Changed
 - Change preview cards to be shown when Content Warnings are expanded (#33827 by @ClearlyClaire)
 - Change warnings against changing encryption secrets to be even more noticeable (#33631 by @ClearlyClaire)
 - Change `mastodon:setup` to prevent overwriting already-configured servers (#33603, #33616, and #33684 by @ClearlyClaire and @mjankowski)
 - Change notifications from moderators to not be filtered (#32974 and #33654 by @ClearlyClaire and @mjankowski)
 ### Fixed
 - Fix `GET /api/v2/notifications/:id` and `POST /api/v2/notifications/:id/dismiss` for ungrouped notifications (#33990 by @ClearlyClaire)
 - Fix issue with some versions of libvips on some systems (#33853 by @kleisauke)
 - Fix handling of duplicate mentions in incoming status `Update` (#33911 by @ClearlyClaire)
 - Fix inefficiencies in timeline generation (#33839 and #33842 by @ClearlyClaire)
 - Fix emoji rewrite adding unnecessary curft to the DOM for most emoji (#33818 by @ClearlyClaire)
 - Fix `tootctl feeds build` not building list timelines (#33783 by @ClearlyClaire)
 - Fix flaky test in `/api/v2/notifications` tests (#33773 by @ClearlyClaire)
 - Fix incorrect signature after HTTP redirect (#33757 and #33769 by @ClearlyClaire)
 - Fix polls not being validated on edition (#33755 by @ClearlyClaire)
 - Fix media preview height in compose form when 3 or more images are attached (#33571 by @ClearlyClaire)
 - Fix preview card sizing in “Author attribution” in profile settings (#33482 by @ClearlyClaire)
 - Fix processing of incoming notifications for unfilterable types (#33429 by @ClearlyClaire)
 - Fix featured tags for remote accounts not being kept up to date (#33372, #33406, and #33425 by @ClearlyClaire and @mjankowski)
 - Fix notification polling showing a loading bar in web UI (#32960 by @Gargron)
 - Fix accounts table long display name (#29316 by @WebCoder49)
 - Fix exclusive lists interfering with notifications (#28162 by @ShadowJonathan)
 ## [4.3.3] - 2025-01-16
 ### Security
 - Fix insufficient validation of account URIs ([GHSA-5wxh-3p65-r4g6](https://github.com/mastodon/mastodon/security/advisories/GHSA-5wxh-3p65-r4g6))
 - Update dependencies
 ### Fixed
 - Fix `libyaml` missing from `Dockerfile` build stage (#33591 by @vmstan)
 - Fix incorrect notification settings migration for non-followers (#33348 by @ClearlyClaire)
 - Fix down clause for notification policy v2 migrations (#33340 by @jesseplusplus)
 - Fix error decrementing status count when `FeaturedTags#last_status_at` is `nil` (#33320 by @ClearlyClaire)
 - Fix last paginated notification group only including data on a single notification (#33271 by @ClearlyClaire)
 - Fix processing of mentions for post edits with an existing corresponding silent mention (#33227 by @ClearlyClaire)
 - Fix deletion of unconfirmed users with Webauthn set (#33186 by @ClearlyClaire)
 - Fix empty authors preview card serialization (#33151, #33466 by @mjankowski and @ClearlyClaire)
 ## [4.3.2] - 2024-12-03
 ### Added
 - Add `tootctl feeds vacuum` (#33065 by @ClearlyClaire)
 - Add error message when user tries to follow their own account (#31910 by @lenikadali)
 - Add client_secret_expires_at to OAuth Applications (#30317 by @ThisIsMissEm)
 ### Changed
 - Change design of Content Warnings and filters (#32543 by @ClearlyClaire)
 ### Fixed
 - Fix processing incoming post edits with mentions to unresolvable accounts (#33129 by @ClearlyClaire)
 - Fix error when including multiple instances of `embed.js` (#33107 by @YKWeyer)
 - Fix inactive users' timelines being backfilled on follow and unsuspend (#33094 by @ClearlyClaire)
 - Fix direct inbox delivery pushing posts into inactive followers' timelines (#33067 by @ClearlyClaire)
 - Fix `TagFollow` records not being correctly handled in account operations (#33063 by @ClearlyClaire)
 - Fix pushing hashtag-followed posts to feeds of inactive users (#33018 by @Gargron)
 - Fix duplicate notifications in notification groups when using slow mode (#33014 by @ClearlyClaire)
 - Fix posts made in the future being allowed to trend (#32996 by @ClearlyClaire)
 - Fix uploading higher-than-wide GIF profile picture with libvips enabled (#32911 by @ClearlyClaire)
 - Fix domain attribution field having autocorrect and autocapitalize enabled (#32903 by @ClearlyClaire)
 - Fix titles being escaped twice (#32889 by @ClearlyClaire)
 - Fix list creation limit check (#32869 by @ClearlyClaire)
 - Fix error in `tootctl email_domain_blocks` when supplying `--with-dns-records` (#32863 by @mjankowski)
 - Fix `min_id` and `max_id` causing error in search API (#32857 by @Gargron)
 - Fix inefficiencies when processing removal of posts that use featured tags (#32787 by @ClearlyClaire)
 - Fix alt-text pop-in not using the translated description (#32766 by @ClearlyClaire)
 - Fix preview cards with long titles erroneously causing layout changes (#32678 by @ClearlyClaire)
 - Fix embed modal layout on mobile (#32641 by @DismalShadowX)
 - Fix and improve batch attachment deletion handling when using OpenStack Swift (#32637 by @hugogameiro)
 - Fix blocks not being applied on link timeline (#32625 by @tribela)
 - Fix follow counters being incorrectly changed (#32622 by @oneiros)
 - Fix 'unknown' media attachment type rendering (#32613 and #32713 by @ThisIsMissEm and @renatolond)
 - Fix tl language native name (#32606 by @seav)
 ### Security
 - Update dependencies
 ## [4.3.1] - 2024-10-21
 ### Added
 - Add more explicit explanations about author attribution and `fediverse:creator` (#32383 by @ClearlyClaire)
 - Add ability to group follow notifications in WebUI, can be disabled in the column settings (#32520 by @renchap)
 - Add back a 6 hours mute duration option (#32522 by @renchap)
 - Add note about not changing ActiveRecord encryption secrets once they are set (#32413, #32476, #32512, and #32537 by @ClearlyClaire and @mjankowski)
 ### Changed
 - Change translation feature to translate to selected regional variant (e.g. pt-BR) if available (#32428 by @c960657)
 ### Removed
 - Remove ability to get embed code for remote posts (#32578 by @ClearlyClaire)\
  Getting the embed code is only reliable for local posts.\
  It never worked for non-Mastodon servers, and stopped working correctly with the changes made in 4.3.0.\
  We have therefore decided to remove the menu entry while we investigate solutions.
 ### Fixed
 - Fix follow recommendation moderation page default language when using regional variant (#32580 by @ClearlyClaire)
 - Fix column-settings spacing in local timeline in advanced view (#32567 by @lindwurm)
 - Fix broken i18n in text welcome mailer tags area (#32571 by @mjankowski)
 - Fix missing or incorrect cache-control headers for Streaming server (#32551 by @ThisIsMissEm)
 - Fix only the first paragraph being displayed in some notifications (#32348 by @ClearlyClaire)
 - Fix reblog icons on account media view (#32506 by @tribela)
 - Fix Content-Security-Policy not allowing OpenStack SWIFT object storage URI (#32439 by @kenkiku1021)
 - Fix back arrow pointing to the incorrect direction in RTL languages (#32485 by @renchap)
 - Fix streaming server using `REDIS_USERNAME` instead of `REDIS_USER` (#32493 by @ThisIsMissEm)
 - Fix follow recommendation carrousel scrolling on RTL layouts (#32462 and #32505 by @ClearlyClaire)
 - Fix follow recommendation suppressions not applying immediately (#32392 by @ClearlyClaire)
 - Fix language of push notifications (#32415 by @ClearlyClaire)
 - Fix mute duration not being shown in list of muted accounts in web UI (#32388 by @ClearlyClaire)
 - Fix “Mark every notification as read” not updating the read marker if scrolled down (#32385 by @ClearlyClaire)
 - Fix “Mention” appearing for otherwise filtered posts (#32356 by @ClearlyClaire)
 - Fix notification requests from suspended accounts still being listed (#32354 by @ClearlyClaire)
 - Fix list edition modal styling (#32358 and #32367 by @ClearlyClaire and @vmstan)
 - Fix 4 columns barely not fitting on 1920px screen (#32361 by @ClearlyClaire)
 - Fix icon alignment in applications list (#32293 by @mjankowski)
 ## [4.3.0] - 2024-10-08
 The following changelog entries focus on changes visible to users, administrators, client developers or federated software developers, but there has also been a lot of code modernization, refactoring, and tooling work, in particular by @mjankowski.
@@ -10,21 +241,25 @@ The following changelog entries focus on changes visible to users, administrator
 - **Add confirmation interstitial instead of silently redirecting logged-out visitors to remote resources** (#27792, #28902, and #30651 by @ClearlyClaire and @Gargron)\
  This fixes a longstanding open redirect in Mastodon, at the cost of added friction when local links to remote resources are shared.
 - Fix ReDoS vulnerability on some Ruby versions ([GHSA-jpxp-r43f-rhvx](https://github.com/mastodon/mastodon/security/advisories/GHSA-jpxp-r43f-rhvx))
 - Change `form-action` Content-Security-Policy directive to be more restrictive (#26897 and #32241 by @ClearlyClaire)
 - Update dependencies
 ### Added
- **Add experimental server-side notification grouping** (#29889, #30576, #30685, #30688, #30707, #30776, #30779, #30781, #30440, #31062, #31098, #31076, #31111, #31123, #31223, #31214, #31224, #31299, #31325, #31347, #31304, #31326, #31384, #31403, #31433, #31509, #31486, and #31513 by @ClearlyClaire, @mgmn, and @renchap)\
+- **Add server-side notification grouping** (#29889, #30576, #30685, #30688, #30707, #30776, #30779, #30781, #30440, #31062, #31098, #31076, #31111, #31123, #31223, #31214, #31224, #31299, #31325, #31347, #31304, #31326, #31384, #31403, #31433, #31509, #31486, #31513, #31592, #31594, #31638, #31746, #31652, #31709, #31725, #31745, #31613, #31657, #31840, #31610, #31929, #32089, #32085, #32243, #32179 and #32254 by @ClearlyClaire, @Gargron, @mgmn, and @renchap)\
  Group notifications of the same type for the same target, so that your notifications no longer get cluttered by boost and favorite notifications as soon as a couple of your posts get traction.\
  This is done server-side so that clients can efficiently get relevant groups without having to go through numerous pages of individual notifications.\
  As part of this, the visual design of the entire notifications feature has been revamped.\
  This feature is intended to eventually replace the existing notifications column, but for this first beta, users will have to enable it in the “Experimental features” section of the notifications column settings.\
  The API is not final yet, but it consists of:
  - a new `group_key` attribute to `Notification` entities
-  - `GET /api/v2_alpha/notifications`: https://docs.joinmastodon.org/methods/notifications_alpha/#get-grouped
+  - `GET /api/v2/notifications`: https://docs.joinmastodon.org/methods/grouped_notifications/#get-grouped
-  - `GET /api/v2_alpha/notifications/:group_key`: https://docs.joinmastodon.org/methods/notifications_alpha/#get-notification-group
+  - `GET /api/v2/notifications/:group_key`: https://docs.joinmastodon.org/methods/grouped_notifications/#get-notification-group
-  - `POST /api/v2_alpha/notifications/:group_key/dimsiss`: https://docs.joinmastodon.org/methods/notifications_alpha/#dismiss-group
+  - `GET /api/v2/notifications/:group_key/accounts`: https://docs.joinmastodon.org/methods/grouped_notifications/#get-group-accounts
-  - `GET /api/v2_alpha/notifications/:unread_count`: https://docs.joinmastodon.org/methods/notifications_alpha/#unread-group-count
+  - `POST /api/v2/notifications/:group_key/dimsiss`: https://docs.joinmastodon.org/methods/grouped_notifications/#dismiss-group
- **Add notification policies, filtered notifications and notification requests** (#29366, #29529, #29433, #29565, #29567, #29572, #29575, #29588, #29646, #29652, #29658, #29666, #29693, #29699, #29737, #29706, #29570, #29752, #29810, #29826, #30114, #30251, #30559, #29868, #31008, #31011, #30996, #31149, #31220, #31222, #31225, #31242, #31262, #31250, #31273, #31310, #31316, #31322, #31329, #31324, #31331, #31343, #31342, #31309, #31358, #31378, #31406, #31256, #31456, #31419, #31457, #31508, #31540, and #31541 by @ClearlyClaire, @Gargron, @TheEssem, @mgmn, @oneiros, and @renchap)\
+  - `GET /api/v2/notifications/:unread_count`: https://docs.joinmastodon.org/methods/grouped_notifications/#unread-group-count
 - **Add notification policies, filtered notifications and notification requests** (#29366, #29529, #29433, #29565, #29567, #29572, #29575, #29588, #29646, #29652, #29658, #29666, #29693, #29699, #29737, #29706, #29570, #29752, #29810, #29826, #30114, #30251, #30559, #29868, #31008, #31011, #30996, #31149, #31220, #31222, #31225, #31242, #31262, #31250, #31273, #31310, #31316, #31322, #31329, #31324, #31331, #31343, #31342, #31309, #31358, #31378, #31406, #31256, #31456, #31419, #31457, #31508, #31540, #31541, #31723, #32062 and #32281 by @ClearlyClaire, @Gargron, @TheEssem, @mgmn, @oneiros, and @renchap)\
  The old “Block notifications from non-followers”, “Block notifications from people you don't follow” and “Block direct messages from people you don't follow” notification settings have been replaced by a new set of settings found directly in the notification column.\
  You can now separately filter or drop notifications from people you don't follow, people who don't follow you, accounts created within the past 30 days, as well as unsolicited private mentions, and accounts limited by the moderation.\
  Instead of being outright dropped, notifications that you chose to filter are put in a separate “Filtered notifications” box that you can review separately without it clogging your main notifications.\
@@ -47,7 +282,7 @@ The following changelog entries focus on changes visible to users, administrator
 - **Add notifications of severed relationships** (#27511, #29665, #29668, #29670, #29700, #29714, #29712, and #29731 by @ClearlyClaire and @Gargron)\
  Notify local users when they lose relationships as a result of a local moderator blocking a remote account or server, allowing the affected user to retrieve the list of broken relationships.\
  Note that this does not notify remote users.\
-  This adds the `severed_relationships` notification type to the REST API and streaming, with a new [`relationship_severance_event` attribute](https://docs.joinmastodon.org/entities/Notification/#relationship_severance_event).
+  This adds the `severed_relationships` notification type to the REST API and streaming, with a new [`event` attribute](https://docs.joinmastodon.org/entities/Notification/#relationship_severance_event).
 - **Add hover cards in web UI** (#30754, #30864, #30850, #30879, #30928, #30949, #30948, #30931, and #31300 by @ClearlyClaire, @Gargron, and @renchap)\
  Hovering over an avatar or username will now display a hover card with the first two lines of the user's description and their first two profile fields.\
  This can be disabled in the “Animations and accessibility” section of the preferences.
@@ -57,26 +292,35 @@ The following changelog entries focus on changes visible to users, administrator
 - **Add timeline of public posts about a trending link** (#30381 and #30840 by @Gargron)\
  You can now see public posts mentioning currently-trending articles from people who have opted into discovery features.\
  This adds a new REST API endpoint: https://docs.joinmastodon.org/methods/timelines/#link
- **Add author highlight for news articles whose authors are on the fediverse** (#30398, #30670, #30521, and #30846 by @Gargron)\
+- **Add author highlight for news articles whose authors are on the fediverse** (#30398, #30670, #30521, #30846, #31819, #31900 and #32188 by @Gargron, @mjankowski and @oneiros)\
  This adds a mechanism to [highlight the author of news articles](https://blog.joinmastodon.org/2024/07/highlighting-journalism-on-mastodon/) shared on Mastodon.\
  Articles hosted outside the fediverse can indicate a fediverse author with a meta tag:
  ```html
  <meta name="fediverse:creator" content="username@domain" />
  ```
-  On the API side, this is represented by a new `authors` attribute to the `PreviewCard` entity: https://docs.joinmastodon.org/entities/PreviewCard/#authors\
+  On the API side, this is represented by a new `authors` attribute to the `PreviewCard` entity: https://docs.joinmastodon.org/entities/PreviewCard/#authors \
-  Note that this feature is still work in progress and the tagging format and verification mechanisms may change in future releases.
+  Users can allow arbitrary domains to use `fediverse:creator` to credit them by visiting `/settings/verification`.\
  This is federated as a new `attributionDomains` property in the `http://joinmastodon.org/ns` namespace, containing an array of domain names: https://docs.joinmastodon.org/spec/activitypub/#properties-used-1
 - **Add in-app notifications for moderation actions and warnings** (#30065, #30082, and #30081 by @ClearlyClaire)\
  In addition to email notifications, also notify users of moderation actions or warnings against them directly within the app, so they are less likely to miss important communication from their moderators.\
  This adds the `moderation_warning` notification type to the REST API and streaming, with a new [`moderation_warning` attribute](https://docs.joinmastodon.org/entities/Notification/#moderation_warning).
 - **Add domain information to profiles in web UI** (#29602 by @Gargron)\
  Clicking the domain of a user in their profile will now open a tooltip with a short explanation about servers and federation.
- Add ability to reorder uploaded media before posting in web UI (#28456 by @Gargron)
+- **Add support for Redis sentinel** (#31694, #31623, #31744, #31767, and #31768 by @ThisIsMissEm and @oneiros)\
  See https://docs.joinmastodon.org/admin/scaling/#redis-sentinel
 - **Add ability to reorder uploaded media before posting in web UI** (#28456 and #32093 by @Gargron)
 - Add “A Mastodon update is available.” message on admin dashboard for non-bugfix updates (#32106 by @ClearlyClaire)
 - Add ability to view alt text by clicking the ALT badge in web UI (#32058 by @Gargron)
 - Add preview of followers removed in domain block modal in web UI (#32032 and #32105 by @ClearlyClaire and @Gargron)
 - Add reblogs and favourites counts to statuses in ActivityPub (#32007 by @Gargron)
 - Add moderation interface for searching hashtags (#30880 by @ThisIsMissEm)
 - Add ability for admins to configure instance favicon and logo (#30040, #30208, #30259, #30375, #30734, #31016, and #30205 by @ClearlyClaire, @FawazFarid, @JasonPunyon, @mgmn, and @renchap)\
  This is also exposed through the REST API: https://docs.joinmastodon.org/entities/Instance/#icon
 - Add `api_versions` to `/api/v2/instance` (#31354 by @ClearlyClaire)\
  Add API version number to make it easier for clients to detect compatible features going forward.\
  See API documentation at https://docs.joinmastodon.org/entities/Instance/#api-versions
 - Add quick links to Administration and Moderation Reports from Web UI (#24838 by @ThisIsMissEm)
 - Add link to `/admin/roles` in moderation interface when changing someone's role (#31791 by @ClearlyClaire)
 - Add recent audit log entries in federation moderation interface (#27386 by @ThisIsMissEm)
 - Add profile setup to onboarding in web UI (#27829, #27876, and #28453 by @Gargron)
 - Add prominent share/copy button on profiles in web UI (#27865 and #27889 by @ClearlyClaire and @Gargron)
@@ -113,17 +357,19 @@ The following changelog entries focus on changes visible to users, administrator
 - Add support for multiple `redirect_uris` when creating OAuth 2.0 Applications (#29192 by @ThisIsMissEm)
 - Add Interlingue and Interlingua to interface languages (#28630 and #30828 by @Dhghomon and @renchap)
 - Add Kashubian, Pennsylvania Dutch, Vai, Jawi Malay, Mohawk and Low German to posting languages (#26024, #26634, #27136, #29098, #27115, and #27434 by @EngineerDali, @HelgeKrueger, and @gunchleoc)
 - Add validations to `Web::PushSubscription` (#30540 and #30542 by @ThisIsMissEm)
 - Add option to use native Ruby driver for Redis through `REDIS_DRIVER=ruby` (#30717 by @vmstan)
- Add support for libvips in addition to ImageMagick (#30090, #30590, #30597, #30632, #30857, #30869, and #30858 by @ClearlyClaire, @Gargron, and @mjankowski)\
+- Add support for libvips in addition to ImageMagick (#30090, #30590, #30597, #30632, #30857, #30869, #30858 and #32104 by @ClearlyClaire, @Gargron, and @mjankowski)\
  Server admins can now use libvips as a faster and lighter alternative to ImageMagick for processing user-uploaded images.\
  This requires libvips 8.13 or newer, and needs to be enabled with `MASTODON_USE_LIBVIPS=true`.\
  This is enabled by default in the official Docker images, and is intended to completely replace ImageMagick in the future.
 - Add validations to `Web::PushSubscription` (#30540 and #30542 by @ThisIsMissEm)
 - Add anchors to each authorized application in `/oauth/authorized_applications` (#31677 by @fowl2)
 - Add active animation to header settings button (#30221, #30307, and #30388 by @daudix)
- Add OpenTelemetry instrumentation (#30130, #30322, #30353, and #30350 by @julianocosta89, @renchap, and @robbkidd)\
+- Add OpenTelemetry instrumentation (#30130, #30322, #30353, #30350 and #31998 by @julianocosta89, @renchap, @robbkidd and @timetinytim)\
  See https://docs.joinmastodon.org/admin/config/#otel for documentation
 - Add API to get multiple accounts and statuses (#27871 and #30465 by @ClearlyClaire)\
  This adds `GET /api/v1/accounts` and `GET /api/v1/statuses` to the REST API, see https://docs.joinmastodon.org/methods/accounts/#index and https://docs.joinmastodon.org/methods/statuses/#index
 - Add support for CORS to `POST /oauth/revoke` (#31743 by @ClearlyClaire)
 - Add redirection back to previous page after site upload deletion (#30141 by @FawazFarid)
 - Add RFC8414 OAuth 2.0 server metadata (#29191 by @ThisIsMissEm)
 - Add loading indicator and empty result message to advanced interface search (#30085 by @ClearlyClaire)
@@ -135,10 +381,12 @@ The following changelog entries focus on changes visible to users, administrator
 - Add groundwork for annual reports for accounts (#28693 by @Gargron)\
  This lays the groundwork for a “year-in-review”/“wrapped” style report for local users, but is currently not in use.
 - Add notification email on invalid second authenticator (#28822 by @ClearlyClaire)
 - Add date of account deletion in list of accounts in the admin interface (#25640 by @tribela)
 - Add new emojis from `jdecked/twemoji` 15.0 (#28404 by @TheEssem)
 - Add configurable error handling in attachment batch deletion (#28184 by @vmstan)\
  This makes the S3 batch size configurable through the `S3_BATCH_DELETE_LIMIT` environment variable (defaults to 1000), and adds some retry logic, configurable through the `S3_BATCH_DELETE_RETRY` environment variable (defaults to 3).
 - Add VAPID public key to instance serializer (#28006 by @ThisIsMissEm)
 - Add support for serving JRD `/.well-known/host-meta.json` in addition to XRD host-meta (#32206 by @c960657)
 - Add `nodeName` and `nodeDescription` to nodeinfo `metadata` (#28079 by @6543)
 - Add Thai diacritics and tone marks in `HASHTAG_INVALID_CHARS_RE` (#26576 by @ppnplus)
 - Add variable delay before link verification of remote account links (#27774 by @ClearlyClaire)
@@ -153,37 +401,53 @@ The following changelog entries focus on changes visible to users, administrator
 ### Changed
- **Change icons throughout the web interface** (#27385, #27539, #27555, #27579, #27700, #27817, #28519, #28709, #28064, #28775, #28780, #27924, #29294, #29395, #29537, #29569, #29610, #29612, #29649, #29844, #27780, #30974, #30963, #30962, #30961, #31362, #31363, #31359, #31371, #31360, #31512, #31511, and #31525 by @ClearlyClaire, @Gargron, @arbolitoloco1, @mjankowski, @nclm, @renchap, @ronilaukkarinen, and @zunda)\
+- **Change icons throughout the web interface** (#27385, #27539, #27555, #27579, #27700, #27817, #28519, #28709, #28064, #28775, #28780, #27924, #29294, #29395, #29537, #29569, #29610, #29612, #29649, #29844, #27780, #30974, #30963, #30962, #30961, #31362, #31363, #31359, #31371, #31360, #31512, #31511, #31525, #32153, and #32201 by @ClearlyClaire, @Gargron, @arbolitoloco1, @mjankowski, @nclm, @renchap, @ronilaukkarinen, and @zunda)\
  This changes all the interface icons from FontAwesome to Material Symbols for a more modern look, consistent with the official Mastodon Android app.\
  In addition, better care is given to pixel alignment, and icon variants are used to better highlight active/inactive state.
- **Change design of compose form in web UI** (#28119, #29059, #29248, #29372, #29384, #29417, #29456, #29406, #29651, and #29659 by @ClearlyClaire, @Gargron, @eai04191, @hinaloe, and @ronilaukkarinen)\
+- **Change design of compose form in web UI** (#28119, #29059, #29248, #29372, #29384, #29417, #29456, #29406, #29651, #29659, #31889 and #32033 by @ClearlyClaire, @Gargron, @eai04191, @hinaloe, and @ronilaukkarinen)\
  The compose form has been completely redesigned for a more modern and consistent look, as well as spelling out the chosen privacy setting and language name at all times.\
  As part of this, the “Unlisted” privacy setting has been renamed to “Quiet public”.
- **Change design of confirmation modals in the web UI** (#29576, #29614, #29640, #29644, #30131, #30884, and #31399 by @ClearlyClaire, @Gargron, and @tribela)\
+- **Change design of modals in the web UI** (#29576, #29614, #29640, #29644, #30131, #30884, #31399, #31555, #31752, #31801, #31883, #31844, #31864, and #31943 by @ClearlyClaire, @Gargron, @tribela and @vmstan)\
  The mute, block, and domain block confirmation modals have been completely redesigned to be clearer and include more detailed information on the action to be performed.\
  They also have a more modern and consistent design, along with other confirmation modals in the application.
- **Change colors throughout the web UI** (#29522, #29584, #29653, #29779, #29803, #29809, #29808, #29828, #31034, #31168, #31266, #31348, #31349, #31361, and #31510 by @ClearlyClaire, @Gargron, @renchap, and @vmstan)
+- **Change colors throughout the web UI** (#29522, #29584, #29653, #29779, #29803, #29809, #29808, #29828, #31034, #31168, #31266, #31348, #31349, #31361, #31510 and #32128 by @ClearlyClaire, @Gargron, @mjankowski, @renchap, and @vmstan)
- **Change onboarding prompt to follow suggestions carousel in web UI** (#28878 and #29272 by @Gargron)
+- **Change onboarding prompt to follow suggestions carousel in web UI** (#28878, #29272, and #31912 by @Gargron)
- **Change email templates** (#28416, #28755, #28814, #29064, #28883, #29470, #29607, #29761, #29760, and #29879 by @ClearlyClaire, @Gargron, @hteumeuleu, and @mjankowski)\
+- **Change email templates** (#28416, #28755, #28814, #29064, #28883, #29470, #29607, #29761, #29760, #29879, #32073 and #32132 by @c960657, @ClearlyClaire, @Gargron, @hteumeuleu, and @mjankowski)\
-  All emails to end-users have been completely redesigned with a fresh new look, providing more information while making them easier to reand and keeping maximum compatibility across mail clients.
+  All emails to end-users have been completely redesigned with a fresh new look, providing more information while making them easier to read and keeping maximum compatibility across mail clients.
 - **Change follow recommendations algorithm** (#28314, #28433, #29017, #29108, #29306, #29550, #29619, and #31474 by @ClearlyClaire, @Gargron, @kernal053, @mjankowski, and @wheatear-dev)\
  This replaces the “past interactions” recommendation algorithm with a “friends of friends” algorithm that suggests accounts followed by people you follow, and a “similar profiles” algorithm that suggests accounts with a profile similar to your most recent follows.\
  In addition, the implementation has been significantly reworked, and all follow recommendations are now dismissable.\
  This change deprecates the `source` attribute in `Suggestion` entities in the REST API, and replaces it with the new [`sources` attribute](https://docs.joinmastodon.org/entities/Suggestion/#sources).
 - Change account search algorithm (#30803 by @Gargron)
- **Change streaming server to use its own dependencies and its own docker image** (#24702, #27967, #26850, #28112, #28115, #28137, #28138, #28497, #28548, and #30795 by @TheEssem, @ThisIsMissEm, @jippi, @timetinytim, and @vmstan)\
+- **Change streaming server to use its own dependencies and its own docker image** (#24702, #27967, #26850, #28112, #28115, #28137, #28138, #28497, #28548, #30795, #31612, and #31615 by @TheEssem, @ThisIsMissEm, @jippi, @renchap, @timetinytim, and @vmstan)\
  In order to reduce the amount of runtime dependencies, the streaming server has been moved into a separate package and Docker image.\
  The `mastodon` image does not contain the streaming server anymore, as it has been moved to its own `mastodon-streaming` image.\
  Administrators may need to update their setup accordingly.
- Change how content warnings and filters are displayed in web UI (#31365 by @Gargron)
+- Change how content warnings and filters are displayed in web UI (#31365, and #31761 by @Gargron)
 - Change preview card processing to ignore `undefined` as canonical url (#31882 by @oneiros)
 - Change embedded posts to use web UI (#31766, #32135 and #32271 by @Gargron)
 - Change inner borders in media galleries in web UI (#31852 by @Gargron)
 - Change design of media attachments and profile media tab in web UI (#31807, #32048, #31967, #32217, #32224 and #32257 by @ClearlyClaire and @Gargron)
 - Change labels on thread indicators in web UI (#31806 by @Gargron)
 - Change label of "Data export" menu item in settings interface (#32099 by @c960657)
 - Change responsive break points on navigation panel in web UI (#32034 by @Gargron)
 - Change cursor to `not-allowed` on disabled buttons (#32076 by @mjankowski)
 - Change OAuth authorization prompt to not refer to apps as “third-party” (#32005 by @Gargron)
 - Change Mastodon to issue correct HTTP signatures by default (#31994 by @ClearlyClaire)
 - Change zoom icon in web UI (#29683 by @Gargron)
 - Change directory page to use URL query strings for options (#31980, #31977 and #31984 by @ClearlyClaire and @renchap)
 - Change report action buttons to be disabled when action has already been taken (#31773, #31822, and #31899 by @ClearlyClaire and @ThisIsMissEm)
 - Change width of columns in advanced web UI (#31762 by @Gargron)
 - Change design of unread conversations in web UI (#31763 by @Gargron)
 - Change Web UI to allow viewing and severing relationships with suspended accounts (#27667 by @ClearlyClaire)\
  This also adds a `with_suspended` parameter to `GET /api/v1/accounts/relationships` in the REST API.
 - Change preview card image size limit from 2MB to 8MB when using libvips (#31904 by @ClearlyClaire)
 - Change avatars border radius (#31390 by @renchap)
 - Change counters to be displayed on profile timelines in web UI (#30525 by @Gargron)
 - Change disabled buttons color in light mode to make the difference more visible (#30998 by @renchap)
 - Change design of people tab on explore in web UI (#30059 by @Gargron)
 - Change sidebar text in web UI (#30696 by @Gargron)
- Change "Follow" to "Follow back" and "Mutual" when appropriate in web UI (#28452 and #28465 by @Gargron and @renchap)
+- Change "Follow" to "Follow back" and "Mutual" when appropriate in web UI (#28452, #28465, and #31934 by @ClearlyClaire, @Gargron and @renchap)
 - Change media to be hidden/blurred by default in report modal (#28522 by @ClearlyClaire)
 - Change order of the "muting" and "blocking" list options in “Data Exports” (#26088 by @fixermark)
 - Change admin and moderation notes character limit from 500 to 2000 characters (#30288 by @ThisIsMissEm)
@@ -197,6 +461,7 @@ The following changelog entries focus on changes visible to users, administrator
 - Change dropdown menu icon to not be replaced by close icon when open in web UI (#29532 by @Gargron)
 - Change back button to always appear in advanced web UI (#29551 and #29669 by @Gargron)
 - Change border of active compose field search inputs (#29832 and #29839 by @vmstan)
 - Change instances of Nokogiri HTML4 parsing to HTML5 (#31812, #31815, #31813, and #31814 by @flavorjones)
 - Change link detection to allow `@` at the end of an URL (#31124 by @adamniedzielski)
 - Change User-Agent to use Mastodon as the product, and http.rb as platform details (#31192 by @ClearlyClaire)
 - Change layout and wording of the Content Retention server settings page (#27733 by @vmstan)
@@ -233,6 +498,7 @@ The following changelog entries focus on changes visible to users, administrator
 ### Removed
 - Remove unused E2EE messaging code and related `crypto` OAuth scope (#31193, #31945, #31963, and #31964 by @ClearlyClaire and @mjankowski)
 - Remove StatsD integration (replaced by OpenTelemetry) (#30240 by @mjankowski)
 - Remove `CacheBuster` default options (#30718 by @mjankowski)
 - Remove home marker updates from the Web UI (#22721 by @davbeck)\
@@ -248,17 +514,41 @@ The following changelog entries focus on changes visible to users, administrator
 - Fix log out from user menu not working on Safari (#31402 by @renchap)
 - Fix various issues when in link preview card generation (#28748, #30017, #30362, #30173, #30853, #30929, #30933, #30957, #30987, and #31144 by @adamniedzielski, @oneiros, @phocks, @timothyjrogers, and @tribela)
 - Fix handling of missing links in Webfinger responses (#31030 by @adamniedzielski)
 - Fix error when accepting an appeal for sensitive posts deleted in the meantime (#32037 by @ClearlyClaire)
 - Fix error when encountering reblog of deleted post in feed rebuild (#32001 by @ClearlyClaire)
 - Fix Safari browser glitch related to horizontal scrolling (#31960 by @Gargron)
 - Fix unresolvable mentions sometimes preventing processing incoming posts (#29215 by @tribela and @ClearlyClaire)
 - Fix too many requests caused by relationship look-ups in web UI (#32042 by @Gargron)
 - Fix links for reblogs in moderation interface (#31979 by @ClearlyClaire)
 - Fix the appearance of avatars when they do not load (#31966 and #32270 by @Gargron and @renchap)
 - Fix spurious error notifications for aborted requests in web UI (#31952 by @c960657)
 - Fix HTTP 500 error in `/api/v1/polls/:id/votes` when required `choices` parameter is missing (#25598 by @danielmbrasil)
 - Fix security context sometimes not being added in LD-Signed activities (#31871 by @ClearlyClaire)
 - Fix cross-origin loading of `inert.css` polyfill (#30687 by @louis77)
 - Fix wrapping in dashboard quick access buttons (#32043 by @renchap)
 - Fix recently used tags hint being displayed in profile edition page when there is none (#32120 by @mjankowski)
 - Fix checkbox lists on narrow screens in the settings interface (#32112 by @mjankowski)
 - Fix the position of status action buttons being affected by interaction counters (#32084 by @renchap)
 - Fix the summary of converted ActivityPub object types to be treated as HTML (#28629 by @Menrath)
 - Fix cutoff of instance name in sign-up form (#30598 by @oneiros)
 - Fix invalid date searches returning 503 errors (#31526 by @notchairmk)
 - Fix invalid `visibility` values in `POST /api/v1/statuses` returning 500 errors (#31571 by @c960657)
 - Fix some components re-rendering spuriously in web UI (#31879 and #31881 by @ClearlyClaire and @Gargron)
 - Fix sort order of moderation notes on Reports and Accounts (#31528 by @ThisIsMissEm)
 - Fix email language when recipient has no selected locale (#31747 by @ClearlyClaire)
 - Fix frequently-used languages not correctly updating in the web UI (#31386 by @c960657)
 - Fix `POST /api/v1/statuses` silently ignoring invalid `media_ids` parameter (#31681 by @c960657)
 - Fix handling of the `BIND` environment variable in the streaming server (#31624 by @ThisIsMissEm)
 - Fix empty `aria-hidden` attribute value in logo resources area (#30570 by @mjankowski)
 - Fix “Redirect URI” field not being marked as required in “New application” form (#30311 by @ThisIsMissEm)
 - Fix right-to-left text in preview cards (#30930 by @ClearlyClaire)
 - Fix rack attack `match_type` value typo in logging config (#30514 by @mjankowski)
- Fix various cases of duplicate, missing, or inconsistent borders or scrollbar styles (#31068, #31286, #31268, #31275, #31284, #31305, #31346, #31372, #31373, #31389, #31432, #31391, and #31445 by @valtlai and @vmstan)
+- Fix various cases of duplicate, missing, or inconsistent borders or scrollbar styles (#31068, #31286, #31268, #31275, #31284, #31305, #31346, #31372, #31373, #31389, #31432, #31391, #31445, #32091, #32147 and #32137 by @ClearlyClaire, @mjankowski, @valtlai and @vmstan)
 - Fix editing description of media uploads with custom thumbnails (#32221 by @ClearlyClaire)
 - Fix race condition in `POST /api/v1/push/subscription` (#30166 by @ClearlyClaire)
 - Fix post deletion not being delayed when those are part of an account warning (#30163 by @ClearlyClaire)
 - Fix rendering error on `/start` when not logged in (#30023 by @timothyjrogers)
 - Fix unneeded requests to blocked domains when receiving relayed signed activities from them (#31161 by @ClearlyClaire)
 - Fix logo pushing header buttons out of view on certain conditions in mobile layout (#29787 by @ClearlyClaire)
 - Fix notification-related records not being reattributed when merging accounts (#29694 by @ClearlyClaire)
 - Fix results/query in `api/v1/featured_tags/suggestions` (#29597 by @mjankowski)
@@ -268,6 +558,7 @@ The following changelog entries focus on changes visible to users, administrator
 - Fix full date display not respecting the locale 12/24h format (#29448 by @renchap)
 - Fix filters title and keywords overflow (#29396 by @GeopJr)
 - Fix incorrect date format in “Follows and followers” (#29390 by @JasonPunyon)
 - Fix navigation item active highlight for some paths (#32159 by @mjankowski)
 - Fix “Edit media” modal sizing and layout when space-constrained (#27095 by @ronilaukkarinen)
 - Fix modal container bounds (#29185 by @nico3333fr)
 - Fix inefficient HTTP signature parsing using regexps and `StringScanner` (#29133 by @ClearlyClaire)
--- a/10
+++ b/10
@@ -12,7 +12,7 @@ ARG BUILDPLATFORM=${BUILDPLATFORM}
 # Ruby image to use for base image, change with [--build-arg RUBY_VERSION="3.3.x"]
 # renovate: datasource=docker depName=docker.io/ruby
-ARG RUBY_VERSION="3.3.4"
+ARG RUBY_VERSION="3.3.5"
 # # Node version to use in base image, change with [--build-arg NODE_MAJOR_VERSION="20"]
 # renovate: datasource=node-version depName=node
 ARG NODE_MAJOR_VERSION="20"
@@ -92,6 +92,9 @@ RUN \
 # Set /opt/mastodon as working directory
 WORKDIR /opt/mastodon
 # Add backport repository for some specific packages where we need the latest version
 RUN echo 'deb http://deb.debian.org/debian bookworm-backports main' >> /etc/apt/sources.list
 # hadolint ignore=DL3008,DL3005
 RUN \
 # Mount Apt cache and lib directories from Docker buildx caches
@@ -150,6 +153,7 @@ RUN \
    libpq-dev \
    libssl-dev \
    libtool \
    libyaml-dev \
    meson \
    nasm \
    pkg-config \
@@ -160,7 +164,7 @@ RUN \
    libexif-dev \
    libexpat1-dev \
    libgirepository1.0-dev \
-    libheif-dev \
+    libheif-dev/bookworm-backports \
    libimagequant-dev \
    libjpeg62-turbo-dev \
    liblcms2-dev \
@@ -343,7 +347,7 @@ RUN \
  # libvips components
    libcgif0 \
    libexif12 \
-    libheif1 \
+    libheif1/bookworm-backports \
    libimagequant0 \
    libjpeg62-turbo \
    liblcms2-2 \
--- a/16
+++ b/16
@@ -47,7 +47,6 @@ gem 'color_diff', '~> 0.1'
 gem 'csv', '~> 3.2'
 gem 'discard', '~> 1.2'
 gem 'doorkeeper', '~> 5.6'
 gem 'ed25519', '~> 1.3'
 gem 'fast_blank', '~> 1.0'
 gem 'fastimage'
 gem 'hiredis', '~> 0.6'
@@ -99,10 +98,10 @@ gem 'json-ld'
 gem 'json-ld-preloaded', '~> 3.2'
 gem 'rdf-normalize', '~> 0.5'
-gem 'opentelemetry-api', '~> 1.3.0'
+gem 'opentelemetry-api', '~> 1.4.0'
 group :opentelemetry do
-  gem 'opentelemetry-exporter-otlp', '~> 0.28.0', require: false
+  gem 'opentelemetry-exporter-otlp', '~> 0.29.0', require: false
  gem 'opentelemetry-instrumentation-active_job', '~> 0.7.1', require: false
  gem 'opentelemetry-instrumentation-active_model_serializers', '~> 0.20.1', require: false
  gem 'opentelemetry-instrumentation-concurrent_ruby', '~> 0.21.2', require: false
@@ -111,7 +110,7 @@ group :opentelemetry do
  gem 'opentelemetry-instrumentation-http', '~> 0.23.2', require: false
  gem 'opentelemetry-instrumentation-http_client', '~> 0.22.3', require: false
  gem 'opentelemetry-instrumentation-net_http', '~> 0.22.4', require: false
-  gem 'opentelemetry-instrumentation-pg', '~> 0.28.0', require: false
+  gem 'opentelemetry-instrumentation-pg', '~> 0.29.0', require: false
  gem 'opentelemetry-instrumentation-rack', '~> 0.24.1', require: false
  gem 'opentelemetry-instrumentation-rails', '~> 0.31.0', require: false
  gem 'opentelemetry-instrumentation-redis', '~> 0.25.3', require: false
@@ -126,9 +125,6 @@ group :test do
  # Adds RSpec Error/Warning annotations to GitHub PRs on the Files tab
  gem 'rspec-github', '~> 2.4', require: false
  # RSpec progress bar formatter
  gem 'fuubar', '~> 2.5'
  # RSpec helpers for email specs
  gem 'email_spec'
@@ -149,11 +145,13 @@ group :test do
  gem 'rails-controller-testing', '~> 1.0'
  # Validate schemas in specs
-  gem 'json-schema', '~> 4.0'
+  gem 'json-schema', '~> 5.0'
  # Test harness fo rack components
  gem 'rack-test', '~> 2.1'
  gem 'shoulda-matchers'
  # Coverage formatter for RSpec test if DISABLE_SIMPLECOV is false
  gem 'simplecov', '~> 0.22', require: false
  gem 'simplecov-lcov', '~> 0.8', require: false
@@ -210,7 +208,7 @@ group :development, :test do
  gem 'test-prof'
  # RSpec runner for rails
-  gem 'rspec-rails', '~> 6.0'
+  gem 'rspec-rails', '~> 7.0'
 end
 group :production do
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -10,35 +10,35 @@ GIT
 GEM
  remote: https://rubygems.org/
  specs:
-    actioncable (7.1.3.4)
+    actioncable (7.1.5.1)
-      actionpack (= 7.1.3.4)
+      actionpack (= 7.1.5.1)
-      activesupport (= 7.1.3.4)
+      activesupport (= 7.1.5.1)
      nio4r (~> 2.0)
      websocket-driver (>= 0.6.1)
      zeitwerk (~> 2.6)
-    actionmailbox (7.1.3.4)
+    actionmailbox (7.1.5.1)
-      actionpack (= 7.1.3.4)
+      actionpack (= 7.1.5.1)
-      activejob (= 7.1.3.4)
+      activejob (= 7.1.5.1)
-      activerecord (= 7.1.3.4)
+      activerecord (= 7.1.5.1)
-      activestorage (= 7.1.3.4)
+      activestorage (= 7.1.5.1)
-      activesupport (= 7.1.3.4)
+      activesupport (= 7.1.5.1)
      mail (>= 2.7.1)
      net-imap
      net-pop
      net-smtp
-    actionmailer (7.1.3.4)
+    actionmailer (7.1.5.1)
-      actionpack (= 7.1.3.4)
+      actionpack (= 7.1.5.1)
-      actionview (= 7.1.3.4)
+      actionview (= 7.1.5.1)
-      activejob (= 7.1.3.4)
+      activejob (= 7.1.5.1)
-      activesupport (= 7.1.3.4)
+      activesupport (= 7.1.5.1)
      mail (~> 2.5, >= 2.5.4)
      net-imap
      net-pop
      net-smtp
      rails-dom-testing (~> 2.2)
-    actionpack (7.1.3.4)
+    actionpack (7.1.5.1)
-      actionview (= 7.1.3.4)
+      actionview (= 7.1.5.1)
-      activesupport (= 7.1.3.4)
+      activesupport (= 7.1.5.1)
      nokogiri (>= 1.8.5)
      racc
      rack (>= 2.2.4)
@@ -46,15 +46,15 @@ GEM
      rack-test (>= 0.6.3)
      rails-dom-testing (~> 2.2)
      rails-html-sanitizer (~> 1.6)
-    actiontext (7.1.3.4)
+    actiontext (7.1.5.1)
-      actionpack (= 7.1.3.4)
+      actionpack (= 7.1.5.1)
-      activerecord (= 7.1.3.4)
+      activerecord (= 7.1.5.1)
-      activestorage (= 7.1.3.4)
+      activestorage (= 7.1.5.1)
-      activesupport (= 7.1.3.4)
+      activesupport (= 7.1.5.1)
      globalid (>= 0.6.0)
      nokogiri (>= 1.8.5)
-    actionview (7.1.3.4)
+    actionview (7.1.5.1)
-      activesupport (= 7.1.3.4)
+      activesupport (= 7.1.5.1)
      builder (~> 3.1)
      erubi (~> 1.11)
      rails-dom-testing (~> 2.2)
@@ -64,30 +64,33 @@ GEM
      activemodel (>= 4.1)
      case_transform (>= 0.2)
      jsonapi-renderer (>= 0.1.1.beta1, < 0.3)
-    activejob (7.1.3.4)
+    activejob (7.1.5.1)
-      activesupport (= 7.1.3.4)
+      activesupport (= 7.1.5.1)
      globalid (>= 0.3.6)
-    activemodel (7.1.3.4)
+    activemodel (7.1.5.1)
-      activesupport (= 7.1.3.4)
+      activesupport (= 7.1.5.1)
-    activerecord (7.1.3.4)
+    activerecord (7.1.5.1)
-      activemodel (= 7.1.3.4)
+      activemodel (= 7.1.5.1)
-      activesupport (= 7.1.3.4)
+      activesupport (= 7.1.5.1)
      timeout (>= 0.4.0)
-    activestorage (7.1.3.4)
+    activestorage (7.1.5.1)
-      actionpack (= 7.1.3.4)
+      actionpack (= 7.1.5.1)
-      activejob (= 7.1.3.4)
+      activejob (= 7.1.5.1)
-      activerecord (= 7.1.3.4)
+      activerecord (= 7.1.5.1)
-      activesupport (= 7.1.3.4)
+      activesupport (= 7.1.5.1)
      marcel (~> 1.0)
-    activesupport (7.1.3.4)
+    activesupport (7.1.5.1)
      base64
      benchmark (>= 0.3)
      bigdecimal
      concurrent-ruby (~> 1.0, >= 1.0.2)
      connection_pool (>= 2.2.5)
      drb
      i18n (>= 1.6, < 2)
      logger (>= 1.4.2)
      minitest (>= 5.1)
      mutex_m
      securerandom (>= 0.3)
      tzinfo (~> 2.0)
    addressable (2.8.7)
      public_suffix (>= 2.0.2, < 7.0)
@@ -100,20 +103,20 @@ GEM
    attr_required (1.0.2)
    awrence (1.2.1)
    aws-eventstream (1.3.0)
-    aws-partitions (1.966.0)
+    aws-partitions (1.978.0)
-    aws-sdk-core (3.201.5)
+    aws-sdk-core (3.209.0)
      aws-eventstream (~> 1, >= 1.3.0)
      aws-partitions (~> 1, >= 1.651.0)
      aws-sigv4 (~> 1.9)
      jmespath (~> 1, >= 1.6.1)
-    aws-sdk-kms (1.88.0)
+    aws-sdk-kms (1.94.0)
-      aws-sdk-core (~> 3, >= 3.201.0)
+      aws-sdk-core (~> 3, >= 3.207.0)
      aws-sigv4 (~> 1.5)
-    aws-sdk-s3 (1.159.0)
+    aws-sdk-s3 (1.166.0)
-      aws-sdk-core (~> 3, >= 3.201.0)
+      aws-sdk-core (~> 3, >= 3.207.0)
      aws-sdk-kms (~> 1)
      aws-sigv4 (~> 1.5)
-    aws-sigv4 (1.9.1)
+    aws-sigv4 (1.10.0)
      aws-eventstream (~> 1, >= 1.0.2)
    azure-storage-blob (2.0.3)
      azure-storage-common (~> 2.0)
@@ -126,6 +129,7 @@ GEM
    base64 (0.2.0)
    bcp47_spec (0.2.1)
    bcrypt (3.1.20)
    benchmark (0.4.0)
    better_errors (2.10.1)
      erubi (>= 1.0.0)
      rack (>= 0.9.0)
@@ -134,17 +138,17 @@ GEM
    bindata (2.5.0)
    binding_of_caller (1.0.1)
      debug_inspector (>= 1.2.0)
-    blurhash (0.1.7)
+    blurhash (0.1.8)
    bootsnap (1.18.4)
      msgpack (~> 1.2)
-    brakeman (6.1.2)
+    brakeman (6.2.1)
      racc
    browser (5.3.1)
    brpoplpush-redis_script (0.1.3)
      concurrent-ruby (~> 1.0, >= 1.0.5)
      redis (>= 1.0, < 6)
    builder (3.3.0)
-    bundler-audit (0.9.1)
+    bundler-audit (0.9.2)
      bundler (>= 1.2.0, < 3)
      thor (~> 1.0)
    capybara (3.40.0)
@@ -164,27 +168,29 @@ GEM
      activesupport (>= 5.2)
      elasticsearch (>= 7.14.0, < 8)
      elasticsearch-dsl
    childprocess (5.1.0)
      logger (~> 1.5)
    chunky_png (1.4.0)
    climate_control (1.2.0)
    cocoon (1.2.15)
    color_diff (0.1)
    concurrent-ruby (1.3.4)
    connection_pool (2.4.1)
-    cose (1.3.0)
+    cose (1.3.1)
      cbor (~> 0.5.9)
      openssl-signature_algorithm (~> 1.0)
    crack (1.0.0)
      bigdecimal
      rexml
    crass (1.0.6)
-    css_parser (1.17.1)
+    css_parser (1.19.0)
      addressable
    csv (3.3.0)
    database_cleaner-active_record (2.2.0)
      activerecord (>= 5.a)
      database_cleaner-core (~> 2.0.0)
    database_cleaner-core (2.0.1)
-    date (3.3.4)
+    date (3.4.1)
    debug (1.9.2)
      irb (~> 1.10)
      reline (>= 0.3.8)
@@ -195,7 +201,7 @@ GEM
      railties (>= 4.1.0)
      responders
      warden (~> 1.2.3)
-    devise-two-factor (5.1.0)
+    devise-two-factor (6.0.0)
      activesupport (~> 7.0)
      devise (~> 4.0)
      railties (~> 7.0)
@@ -206,20 +212,20 @@ GEM
    diff-lcs (1.5.1)
    discard (1.3.0)
      activerecord (>= 4.2, < 8)
-    docile (1.4.0)
+    docile (1.4.1)
    domain_name (0.6.20240107)
    doorkeeper (5.7.1)
      railties (>= 5)
-    dotenv (3.1.2)
+    dotenv (3.1.4)
    drb (2.2.1)
-    ed25519 (1.3.0)
+    elasticsearch (7.17.11)
-    elasticsearch (7.17.10)
+      elasticsearch-api (= 7.17.11)
-      elasticsearch-api (= 7.17.10)
+      elasticsearch-transport (= 7.17.11)
-      elasticsearch-transport (= 7.17.10)
+    elasticsearch-api (7.17.11)
    elasticsearch-api (7.17.10)
      multi_json
    elasticsearch-dsl (0.1.10)
-    elasticsearch-transport (7.17.10)
+    elasticsearch-transport (7.17.11)
      base64
      faraday (>= 1, < 3)
      multi_json
    email_spec (2.3.0)
@@ -251,7 +257,7 @@ GEM
    faraday-httpclient (1.0.1)
    faraday-multipart (1.0.4)
      multipart-post (~> 2)
-    faraday-net_http (1.0.1)
+    faraday-net_http (1.0.2)
    faraday-net_http_persistent (1.2.0)
    faraday-patron (1.0.0)
    faraday-rack (1.0.0)
@@ -260,14 +266,15 @@ GEM
      faraday (~> 1.0)
    fast_blank (1.0.1)
    fastimage (2.3.1)
-    ffi (1.16.3)
+    ffi (1.17.1)
    ffi-compiler (1.3.2)
      ffi (>= 1.15.5)
      rake
-    flatware (2.3.2)
+    flatware (2.3.4)
      drb
      thor (< 2.0)
-    flatware-rspec (2.3.2)
+    flatware-rspec (2.3.4)
-      flatware (= 2.3.2)
+      flatware (= 2.3.4)
      rspec (>= 3.6)
    fog-core (2.5.0)
      builder
@@ -284,14 +291,11 @@ GEM
    fugit (1.11.1)
      et-orbi (~> 1, >= 1.2.11)
      raabro (~> 1.4)
    fuubar (2.5.1)
      rspec-core (~> 3.0)
      ruby-progressbar (~> 1.4)
    globalid (1.2.1)
      activesupport (>= 6.1)
-    google-protobuf (3.25.4)
+    google-protobuf (3.25.5)
-    googleapis-common-protos-types (1.14.0)
+    googleapis-common-protos-types (1.15.0)
-      google-protobuf (~> 3.18)
+      google-protobuf (>= 3.18, < 5.a)
    haml (6.3.0)
      temple (>= 0.8.2)
      thor
@@ -307,11 +311,12 @@ GEM
      rainbow
      rubocop (>= 1.0)
      sysexits (~> 1.1)
-    hashdiff (1.1.0)
+    hashdiff (1.1.1)
    hashie (5.0.0)
    hcaptcha (7.1.0)
      json
-    highline (3.0.1)
+    highline (3.1.1)
      reline
    hiredis (0.6.3)
    hkdf (0.3.0)
    htmlentities (4.3.4)
@@ -329,7 +334,7 @@ GEM
    httplog (1.7.0)
      rack (>= 2.0)
      rainbow (>= 2.0.0)
-    i18n (1.14.5)
+    i18n (1.14.6)
      concurrent-ruby (~> 1.0)
    i18n-tasks (1.0.14)
      activesupport (>= 4.0.2)
@@ -342,11 +347,11 @@ GEM
      rainbow (>= 2.2.2, < 4.0)
      terminal-table (>= 1.5.1)
    idn-ruby (0.1.5)
-    inline_svg (1.9.0)
+    inline_svg (1.10.0)
      activesupport (>= 3.0)
      nokogiri (>= 1.6)
    io-console (0.7.2)
-    irb (1.14.0)
+    irb (1.14.1)
      rdoc (>= 4.0.0)
      reline (>= 0.4.2)
    jmespath (1.6.2)
@@ -368,8 +373,8 @@ GEM
    json-ld-preloaded (3.3.0)
      json-ld (~> 3.3)
      rdf (~> 3.3)
-    json-schema (4.3.1)
+    json-schema (5.0.0)
-      addressable (>= 2.8)
+      addressable (~> 2.8)
    jsonapi-renderer (0.2.2)
    jwt (2.7.1)
    kaminari (1.2.2)
@@ -391,8 +396,9 @@ GEM
      mime-types
      terrapin (>= 0.6.0, < 2.0)
    language_server-protocol (3.17.0.3)
-    launchy (2.5.2)
+    launchy (3.0.1)
      addressable (~> 2.8)
      childprocess (~> 5.0)
    letter_opener (1.10.0)
      launchy (>= 2.2, < 4)
    letter_opener_web (3.0.0)
@@ -404,7 +410,7 @@ GEM
    llhttp-ffi (0.5.0)
      ffi-compiler (~> 1.0)
      rake (~> 13.0)
-    logger (1.6.0)
+    logger (1.6.6)
    lograge (0.14.0)
      actionpack (>= 4)
      activesupport (>= 4)
@@ -426,22 +432,22 @@ GEM
      addressable (~> 2.5)
      azure-storage-blob (~> 2.0.1)
      hashie (~> 5.0)
-    memory_profiler (1.0.2)
+    memory_profiler (1.1.0)
    mime-types (3.5.2)
      mime-types-data (~> 3.2015)
-    mime-types-data (3.2024.0702)
+    mime-types-data (3.2024.0820)
    mini_mime (1.1.5)
-    mini_portile2 (2.8.7)
+    mini_portile2 (2.8.8)
-    minitest (5.24.1)
+    minitest (5.25.1)
    msgpack (1.7.2)
    multi_json (1.15.0)
-    multipart-post (2.4.0)
+    multipart-post (2.4.1)
    mutex_m (0.2.0)
    net-http (0.4.1)
      uri
    net-http-persistent (4.0.2)
      connection_pool (~> 2.2)
-    net-imap (0.4.14)
+    net-imap (0.5.8)
      date
      net-protocol
    net-ldap (0.19.0)
@@ -449,16 +455,16 @@ GEM
      net-protocol
    net-protocol (0.2.2)
      timeout
-    net-smtp (0.5.0)
+    net-smtp (0.5.1)
      net-protocol
    nio4r (2.7.3)
-    nokogiri (1.16.7)
+    nokogiri (1.18.8)
      mini_portile2 (~> 2.8.2)
      racc (~> 1.4)
-    oj (3.16.5)
+    oj (3.16.6)
      bigdecimal (>= 3.0)
      ostruct (>= 0.2)
-    omniauth (2.1.2)
+    omniauth (2.1.3)
      hashie (>= 3.4.6)
      rack (>= 2.2.3)
      rack-protection
@@ -466,12 +472,12 @@ GEM
      addressable (~> 2.8)
      nokogiri (~> 1.12)
      omniauth (~> 2.1)
-    omniauth-rails_csrf_protection (1.0.1)
+    omniauth-rails_csrf_protection (1.0.2)
      actionpack (>= 4.2)
      omniauth (~> 2.0)
-    omniauth-saml (2.1.0)
+    omniauth-saml (2.2.3)
-      omniauth (~> 2.0)
+      omniauth (~> 2.1)
-      ruby-saml (~> 1.12)
+      ruby-saml (~> 1.18)
    omniauth_openid_connect (0.6.1)
      omniauth (>= 1.9, < 3)
      openid_connect (~> 1.1)
@@ -489,18 +495,18 @@ GEM
    openssl (3.2.0)
    openssl-signature_algorithm (1.3.0)
      openssl (> 2.0)
-    opentelemetry-api (1.3.0)
+    opentelemetry-api (1.4.0)
-    opentelemetry-common (0.20.1)
+    opentelemetry-common (0.21.0)
      opentelemetry-api (~> 1.0)
-    opentelemetry-exporter-otlp (0.28.1)
+    opentelemetry-exporter-otlp (0.29.0)
      google-protobuf (>= 3.18)
      googleapis-common-protos-types (~> 1.3)
      opentelemetry-api (~> 1.1)
      opentelemetry-common (~> 0.20)
      opentelemetry-sdk (~> 1.2)
      opentelemetry-semantic_conventions
-    opentelemetry-helpers-sql-obfuscation (0.1.0)
+    opentelemetry-helpers-sql-obfuscation (0.2.0)
-      opentelemetry-common (~> 0.20)
+      opentelemetry-common (~> 0.21)
    opentelemetry-instrumentation-action_mailer (0.1.0)
      opentelemetry-api (~> 1.0)
      opentelemetry-instrumentation-active_support (~> 0.1)
@@ -525,8 +531,9 @@ GEM
    opentelemetry-instrumentation-active_support (0.6.0)
      opentelemetry-api (~> 1.0)
      opentelemetry-instrumentation-base (~> 0.22.1)
-    opentelemetry-instrumentation-base (0.22.3)
+    opentelemetry-instrumentation-base (0.22.6)
      opentelemetry-api (~> 1.0)
      opentelemetry-common (~> 0.21)
      opentelemetry-registry (~> 0.1)
    opentelemetry-instrumentation-concurrent_ruby (0.21.4)
      opentelemetry-api (~> 1.0)
@@ -546,7 +553,7 @@ GEM
    opentelemetry-instrumentation-net_http (0.22.7)
      opentelemetry-api (~> 1.0)
      opentelemetry-instrumentation-base (~> 0.22.1)
-    opentelemetry-instrumentation-pg (0.28.0)
+    opentelemetry-instrumentation-pg (0.29.0)
      opentelemetry-api (~> 1.0)
      opentelemetry-helpers-sql-obfuscation
      opentelemetry-instrumentation-base (~> 0.22.1)
@@ -580,25 +587,25 @@ GEM
    orm_adapter (0.5.0)
    ostruct (0.6.0)
    ox (2.14.18)
-    parallel (1.25.1)
+    parallel (1.26.3)
-    parser (3.3.4.0)
+    parser (3.3.5.0)
      ast (~> 2.4.1)
      racc
    parslet (2.0.0)
    pastel (0.8.0)
      tty-color (~> 0.5)
-    pg (1.5.7)
+    pg (1.5.8)
    pghero (3.6.0)
      activerecord (>= 6.1)
-    premailer (1.23.0)
+    premailer (1.27.0)
      addressable
-      css_parser (>= 1.12.0)
+      css_parser (>= 1.19.0)
      htmlentities (>= 4.0.0)
    premailer-rails (1.12.0)
      actionmailer (>= 3)
      net-smtp
      premailer (~> 1.7, >= 1.7.9)
-    propshaft (0.9.1)
+    propshaft (1.1.0)
      actionpack (>= 7.0.0)
      activesupport (>= 7.0.0)
      rack
@@ -606,13 +613,13 @@ GEM
    psych (5.1.2)
      stringio
    public_suffix (6.0.1)
-    puma (6.4.2)
+    puma (6.4.3)
      nio4r (~> 2.0)
-    pundit (2.3.2)
+    pundit (2.4.0)
      activesupport (>= 3.0.0)
    raabro (1.4.0)
    racc (1.8.1)
-    rack (2.2.9)
+    rack (2.2.13)
    rack-attack (6.7.0)
      rack (>= 1.0, < 4)
    rack-cors (2.0.2)
@@ -635,20 +642,20 @@ GEM
    rackup (1.0.0)
      rack (< 3)
      webrick
-    rails (7.1.3.4)
+    rails (7.1.5.1)
-      actioncable (= 7.1.3.4)
+      actioncable (= 7.1.5.1)
-      actionmailbox (= 7.1.3.4)
+      actionmailbox (= 7.1.5.1)
-      actionmailer (= 7.1.3.4)
+      actionmailer (= 7.1.5.1)
-      actionpack (= 7.1.3.4)
+      actionpack (= 7.1.5.1)
-      actiontext (= 7.1.3.4)
+      actiontext (= 7.1.5.1)
-      actionview (= 7.1.3.4)
+      actionview (= 7.1.5.1)
-      activejob (= 7.1.3.4)
+      activejob (= 7.1.5.1)
-      activemodel (= 7.1.3.4)
+      activemodel (= 7.1.5.1)
-      activerecord (= 7.1.3.4)
+      activerecord (= 7.1.5.1)
-      activestorage (= 7.1.3.4)
+      activestorage (= 7.1.5.1)
-      activesupport (= 7.1.3.4)
+      activesupport (= 7.1.5.1)
      bundler (>= 1.15.0)
-      railties (= 7.1.3.4)
+      railties (= 7.1.5.1)
    rails-controller-testing (1.0.5)
      actionpack (>= 5.0.1.rc1)
      actionview (>= 5.0.1.rc1)
@@ -657,15 +664,15 @@ GEM
      activesupport (>= 5.0.0)
      minitest
      nokogiri (>= 1.6)
-    rails-html-sanitizer (1.6.0)
+    rails-html-sanitizer (1.6.2)
      loofah (~> 2.21)
-      nokogiri (~> 1.14)
+      nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
    rails-i18n (7.0.9)
      i18n (>= 0.7, < 2)
      railties (>= 6.0.0, < 8)
-    railties (7.1.3.4)
+    railties (7.1.5.1)
-      actionpack (= 7.1.3.4)
+      actionpack (= 7.1.5.1)
-      activesupport (= 7.1.3.4)
+      activesupport (= 7.1.5.1)
      irb
      rackup (>= 1.0.0)
      rake (>= 12.2)
@@ -688,17 +695,16 @@ GEM
    redlock (1.3.2)
      redis (>= 3.0.0, < 6.0)
    regexp_parser (2.9.2)
-    reline (0.5.9)
+    reline (0.5.10)
      io-console (~> 0.5)
    request_store (1.6.0)
      rack (>= 1.4)
    responders (3.1.1)
      actionpack (>= 5.2)
      railties (>= 5.2)
-    rexml (3.3.4)
+    rexml (3.3.9)
      strscan
    rotp (6.3.0)
-    rouge (4.2.1)
+    rouge (4.3.0)
    rpam2 (4.0.2)
    rqrcode (2.2.0)
      chunky_png (~> 1.0)
@@ -708,9 +714,9 @@ GEM
      rspec-core (~> 3.13.0)
      rspec-expectations (~> 3.13.0)
      rspec-mocks (~> 3.13.0)
-    rspec-core (3.13.0)
+    rspec-core (3.13.1)
      rspec-support (~> 3.13.0)
-    rspec-expectations (3.13.1)
+    rspec-expectations (3.13.2)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.13.0)
    rspec-github (2.4.0)
@@ -718,10 +724,10 @@ GEM
    rspec-mocks (3.13.1)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.13.0)
-    rspec-rails (6.1.4)
+    rspec-rails (7.0.1)
-      actionpack (>= 6.1)
+      actionpack (>= 7.0)
-      activesupport (>= 6.1)
+      activesupport (>= 7.0)
-      railties (>= 6.1)
+      railties (>= 7.0)
      rspec-core (~> 3.13)
      rspec-expectations (~> 3.13)
      rspec-mocks (~> 3.13)
@@ -732,40 +738,39 @@ GEM
      rspec-mocks (~> 3.0)
      sidekiq (>= 5, < 8)
    rspec-support (3.13.1)
-    rubocop (1.65.1)
+    rubocop (1.66.1)
      json (~> 2.3)
      language_server-protocol (>= 3.17.0)
      parallel (~> 1.10)
      parser (>= 3.3.0.2)
      rainbow (>= 2.2.2, < 4.0)
      regexp_parser (>= 2.4, < 3.0)
-      rexml (>= 3.2.5, < 4.0)
+      rubocop-ast (>= 1.32.2, < 2.0)
      rubocop-ast (>= 1.31.1, < 2.0)
      ruby-progressbar (~> 1.7)
      unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.31.3)
+    rubocop-ast (1.32.3)
      parser (>= 3.3.1.0)
    rubocop-capybara (2.21.0)
      rubocop (~> 1.41)
-    rubocop-performance (1.21.1)
+    rubocop-performance (1.22.1)
      rubocop (>= 1.48.1, < 2.0)
      rubocop-ast (>= 1.31.1, < 2.0)
-    rubocop-rails (2.25.1)
+    rubocop-rails (2.26.2)
      activesupport (>= 4.2.0)
      rack (>= 1.1)
-      rubocop (>= 1.33.0, < 2.0)
+      rubocop (>= 1.52.0, < 2.0)
      rubocop-ast (>= 1.31.1, < 2.0)
-    rubocop-rspec (3.0.4)
+    rubocop-rspec (3.0.5)
      rubocop (~> 1.61)
    rubocop-rspec_rails (2.30.0)
      rubocop (~> 1.61)
      rubocop-rspec (~> 3, >= 3.0.1)
    ruby-prof (1.7.0)
    ruby-progressbar (1.13.0)
-    ruby-saml (1.16.0)
+    ruby-saml (1.18.0)
      nokogiri (>= 1.13.10)
      rexml
-    ruby-vips (2.2.2)
+    ruby-vips (2.2.3)
      ffi (~> 1.12)
      logger
    ruby2_keywords (0.0.5)
@@ -780,13 +785,16 @@ GEM
    scenic (1.8.0)
      activerecord (>= 4.0.0)
      railties (>= 4.0.0)
-    selenium-webdriver (4.23.0)
+    securerandom (0.4.1)
    selenium-webdriver (4.25.0)
      base64 (~> 0.2)
      logger (~> 1.4)
      rexml (~> 3.2, >= 3.2.5)
      rubyzip (>= 1.2.2, < 3.0)
      websocket (~> 1.0)
    semantic_range (3.0.0)
    shoulda-matchers (6.4.0)
      activesupport (>= 5.2.0)
    sidekiq (6.5.12)
      connection_pool (>= 2.2.5, < 3)
      rack (~> 2.0)
@@ -821,7 +829,6 @@ GEM
    stringio (3.1.1)
    strong_migrations (2.0.0)
      activerecord (>= 6.1)
    strscan (3.1.0)
    swd (1.3.0)
      activesupport (>= 3)
      attr_required (>= 0.0.5)
@@ -832,11 +839,11 @@ GEM
      unicode-display_width (>= 1.1.1, < 3)
    terrapin (1.0.1)
      climate_control
-    test-prof (1.4.0)
+    test-prof (1.4.2)
-    thor (1.3.1)
+    thor (1.3.2)
-    tilt (2.3.0)
+    tilt (2.4.0)
-    timeout (0.4.1)
+    timeout (0.4.3)
-    tpm-key_attestation (0.12.0)
+    tpm-key_attestation (0.12.1)
      bindata (~> 2.4)
      openssl (> 2.0)
      openssl-signature_algorithm (~> 1.0)
@@ -855,13 +862,13 @@ GEM
      unf (~> 0.1.0)
    tzinfo (2.0.6)
      concurrent-ruby (~> 1.0)
-    tzinfo-data (1.2024.1)
+    tzinfo-data (1.2024.2)
      tzinfo (>= 1.0.0)
    unf (0.1.4)
      unf_ext
    unf_ext (0.0.9.1)
    unicode-display_width (2.5.0)
-    uri (0.13.0)
+    uri (0.13.2)
    validate_email (0.1.6)
      activemodel (>= 3.0)
      mail (>= 2.2.5)
@@ -882,7 +889,7 @@ GEM
    webfinger (1.2.0)
      activesupport
      httpclient (>= 2.4)
-    webmock (3.23.1)
+    webmock (3.24.0)
      addressable (>= 2.8.0)
      crack (>= 0.3.2)
      hashdiff (>= 0.4.0, < 2.0.0)
@@ -891,7 +898,7 @@ GEM
      rack-proxy (>= 0.6.1)
      railties (>= 5.2)
      semantic_range (>= 2.3.0)
-    webrick (1.8.1)
+    webrick (1.8.2)
    websocket (1.2.11)
    websocket-driver (0.7.6)
      websocket-extensions (>= 0.1.0)
@@ -900,7 +907,7 @@ GEM
    xorcist (1.1.3)
    xpath (3.2.0)
      nokogiri (~> 1.8)
-    zeitwerk (2.6.17)
+    zeitwerk (2.6.18)
 PLATFORMS
  ruby
@@ -934,7 +941,6 @@ DEPENDENCIES
  discard (~> 1.2)
  doorkeeper (~> 5.6)
  dotenv
  ed25519 (~> 1.3)
  email_spec
  fabrication (~> 2.30)
  faker (~> 3.2)
@@ -943,7 +949,6 @@ DEPENDENCIES
  flatware-rspec
  fog-core (<= 2.5.0)
  fog-openstack (~> 1.0)
  fuubar (~> 2.5)
  haml-rails (~> 2.0)
  haml_lint
  hcaptcha (~> 7.1)
@@ -959,7 +964,7 @@ DEPENDENCIES
  irb (~> 1.8)
  json-ld
  json-ld-preloaded (~> 3.2)
-  json-schema (~> 4.0)
+  json-schema (~> 5.0)
  kaminari (~> 1.2)
  kt-paperclip (~> 7.2)
  letter_opener (~> 1.8)
@@ -980,8 +985,8 @@ DEPENDENCIES
  omniauth-rails_csrf_protection (~> 1.0)
  omniauth-saml (~> 2.0)
  omniauth_openid_connect (~> 0.6.1)
-  opentelemetry-api (~> 1.3.0)
+  opentelemetry-api (~> 1.4.0)
-  opentelemetry-exporter-otlp (~> 0.28.0)
+  opentelemetry-exporter-otlp (~> 0.29.0)
  opentelemetry-instrumentation-active_job (~> 0.7.1)
  opentelemetry-instrumentation-active_model_serializers (~> 0.20.1)
  opentelemetry-instrumentation-concurrent_ruby (~> 0.21.2)
@@ -990,7 +995,7 @@ DEPENDENCIES
  opentelemetry-instrumentation-http (~> 0.23.2)
  opentelemetry-instrumentation-http_client (~> 0.22.3)
  opentelemetry-instrumentation-net_http (~> 0.22.4)
-  opentelemetry-instrumentation-pg (~> 0.28.0)
+  opentelemetry-instrumentation-pg (~> 0.29.0)
  opentelemetry-instrumentation-rack (~> 0.24.1)
  opentelemetry-instrumentation-rails (~> 0.31.0)
  opentelemetry-instrumentation-redis (~> 0.25.3)
@@ -1018,7 +1023,7 @@ DEPENDENCIES
  redis-namespace (~> 1.10)
  rqrcode (~> 2.2)
  rspec-github (~> 2.4)
-  rspec-rails (~> 6.0)
+  rspec-rails (~> 7.0)
  rspec-sidekiq (~> 5.0)
  rubocop
  rubocop-capybara
@@ -1033,6 +1038,7 @@ DEPENDENCIES
  sanitize (~> 6.0)
  scenic (~> 1.7)
  selenium-webdriver
  shoulda-matchers
  sidekiq (~> 6.5)
  sidekiq-bulk (~> 0.2.0)
  sidekiq-scheduler (~> 5.0)
@@ -1056,7 +1062,7 @@ DEPENDENCIES
  xorcist (~> 1.1)
 RUBY VERSION
-   ruby 3.3.2p78
+   ruby 3.3.4p94
 BUNDLED WITH
-   2.5.11
+   2.6.5
--- a/2
+++ b/2
@@ -11,4 +11,4 @@ worker: bundle exec sidekiq
 #
 # and let the main app use the separate app:
 #
-# heroku config:set STREAMING_API_BASE_URL=wss://<streaming-app>.herokuapp.com -a <main-app>
+# heroku config:set STREAMING_API_BASE_URL=wss://<streaming-app-random>.herokuapp.com -a <main-app>
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -13,8 +13,9 @@ A "vulnerability in Mastodon" is a vulnerability in the code distributed through
 ## Supported Versions
-| Version | Supported |
+| Version | Supported        |
-| ------- | --------- |
+| ------- | ---------------- |
-| 4.2.x   | Yes       |
+| 4.3.x   | Yes              |
-| 4.1.x   | Yes       |
+| 4.2.x   | Yes              |
-| < 4.1   | No        |
+| 4.1.x   | Until 2025-04-08 |
 | < 4.1   | No               |
--- a/app.json
+++ b/app.json
@@ -90,9 +90,15 @@
    }
  },
  "buildpacks": [
    {
      "url": "https://github.com/heroku/heroku-buildpack-activestorage-preview"
    },
    {
      "url": "https://github.com/heroku/heroku-buildpack-apt"
    },
    {
      "url": "heroku/nodejs"
    },
    {
      "url": "heroku/ruby"
    }
@@ -100,5 +106,6 @@
  "scripts": {
    "postdeploy": "bundle exec rails db:migrate && bundle exec rails db:seed"
  },
-  "addons": ["heroku-postgresql", "heroku-redis"]
+  "addons": ["heroku-postgresql", "heroku-redis"],
  "stack": "heroku-24"
 }
--- a/app/controllers/activitypub/claims_controller.rb
+++ b/app/controllers/activitypub/claims_controller.rb
@@ -1,18 +0,0 @@
 # frozen_string_literal: true
 class ActivityPub::ClaimsController < ActivityPub::BaseController
  skip_before_action :authenticate_user!
  before_action :require_account_signature!
  before_action :set_claim_result
  def create
    render json: @claim_result, serializer: ActivityPub::OneTimeKeySerializer
  end
  private
  def set_claim_result
    @claim_result = ::Keys::ClaimService.new.call(@account.id, params[:id])
  end
 end
--- a/app/controllers/activitypub/collections_controller.rb
+++ b/app/controllers/activitypub/collections_controller.rb
@@ -22,8 +22,6 @@ class ActivityPub::CollectionsController < ActivityPub::BaseController
      @items = @items.map { |item| item.distributable? ? item : ActivityPub::TagManager.instance.uri_for(item) }
    when 'tags'
      @items = for_signed_account { @account.featured_tags }
    when 'devices'
      @items = @account.devices
    else
      not_found
    end
@@ -31,7 +29,7 @@ class ActivityPub::CollectionsController < ActivityPub::BaseController
  def set_size
    case params[:id]
-    when 'featured', 'devices', 'tags'
+    when 'featured', 'tags'
      @size = @items.size
    else
      not_found
@@ -42,7 +40,7 @@ class ActivityPub::CollectionsController < ActivityPub::BaseController
    case params[:id]
    when 'featured'
      @type = :ordered
-    when 'devices', 'tags'
+    when 'tags'
      @type = :unordered
    else
      not_found
--- a/app/controllers/activitypub/likes_controller.rb
+++ b/app/controllers/activitypub/likes_controller.rb
@@ -0,0 +1,36 @@
 # frozen_string_literal: true
 class ActivityPub::LikesController < ActivityPub::BaseController
  include Authorization
  vary_by -> { 'Signature' if authorized_fetch_mode? }
  before_action :require_account_signature!, if: :authorized_fetch_mode?
  before_action :set_status
  def index
    expires_in 0, public: @status.distributable? && public_fetch_mode?
    render json: likes_collection_presenter, serializer: ActivityPub::CollectionSerializer, adapter: ActivityPub::Adapter, content_type: 'application/activity+json'
  end
  private
  def pundit_user
    signed_request_account
  end
  def set_status
    @status = @account.statuses.find(params[:status_id])
    authorize @status, :show?
  rescue Mastodon::NotPermittedError
    not_found
  end
  def likes_collection_presenter
    ActivityPub::CollectionPresenter.new(
      id: account_status_likes_url(@account, @status),
      type: :unordered,
      size: @status.favourites_count
    )
  end
 end
--- a/app/controllers/activitypub/replies_controller.rb
+++ b/app/controllers/activitypub/replies_controller.rb
@@ -12,7 +12,7 @@ class ActivityPub::RepliesController < ActivityPub::BaseController
  before_action :set_replies
  def index
-    expires_in 0, public: public_fetch_mode?
+    expires_in 0, public: @status.distributable? && public_fetch_mode?
    render json: replies_collection_presenter, serializer: ActivityPub::CollectionSerializer, adapter: ActivityPub::Adapter, content_type: 'application/activity+json', skip_activities: true
  end
--- a/app/controllers/activitypub/shares_controller.rb
+++ b/app/controllers/activitypub/shares_controller.rb
@@ -0,0 +1,36 @@
 # frozen_string_literal: true
 class ActivityPub::SharesController < ActivityPub::BaseController
  include Authorization
  vary_by -> { 'Signature' if authorized_fetch_mode? }
  before_action :require_account_signature!, if: :authorized_fetch_mode?
  before_action :set_status
  def index
    expires_in 0, public: @status.distributable? && public_fetch_mode?
    render json: shares_collection_presenter, serializer: ActivityPub::CollectionSerializer, adapter: ActivityPub::Adapter, content_type: 'application/activity+json'
  end
  private
  def pundit_user
    signed_request_account
  end
  def set_status
    @status = @account.statuses.find(params[:status_id])
    authorize @status, :show?
  rescue Mastodon::NotPermittedError
    not_found
  end
  def shares_collection_presenter
    ActivityPub::CollectionPresenter.new(
      id: account_status_shares_url(@account, @status),
      type: :unordered,
      size: @status.reblogs_count
    )
  end
 end
--- a/app/controllers/admin/account_moderation_notes_controller.rb
+++ b/app/controllers/admin/account_moderation_notes_controller.rb
@@ -13,7 +13,7 @@ module Admin
        redirect_to admin_account_path(@account_moderation_note.target_account_id), notice: I18n.t('admin.account_moderation_notes.created_msg')
      else
        @account          = @account_moderation_note.target_account
-        @moderation_notes = @account.targeted_moderation_notes.latest
+        @moderation_notes = @account.targeted_moderation_notes.chronological.includes(:account)
        @warnings         = @account.strikes.custom.latest
        render 'admin/accounts/show'
--- a/app/controllers/admin/accounts_controller.rb
+++ b/app/controllers/admin/accounts_controller.rb
@@ -33,7 +33,7 @@ module Admin
      @deletion_request        = @account.deletion_request
      @account_moderation_note = current_account.account_moderation_notes.new(target_account: @account)
-      @moderation_notes        = @account.targeted_moderation_notes.latest
+      @moderation_notes        = @account.targeted_moderation_notes.chronological.includes(:account)
      @warnings                = @account.strikes.includes(:target_account, :account, :appeal).latest
      @domain_block            = DomainBlock.rule_for(@account.domain)
    end
--- a/app/controllers/admin/announcements_controller.rb
+++ b/app/controllers/admin/announcements_controller.rb
@@ -6,6 +6,7 @@ class Admin::AnnouncementsController < Admin::BaseController
  def index
    authorize :announcement, :index?
    @published_announcements_count = Announcement.published.async_count
  end
  def new
--- a/app/controllers/admin/base_controller.rb
+++ b/app/controllers/admin/base_controller.rb
@@ -7,17 +7,12 @@ module Admin
    layout 'admin'
    before_action :set_body_classes
    before_action :set_cache_headers
    after_action :verify_authorized
    private
    def set_body_classes
      @body_classes = 'admin'
    end
    def set_cache_headers
      response.cache_control.replace(private: true, no_store: true)
    end
--- a/app/controllers/admin/dashboard_controller.rb
+++ b/app/controllers/admin/dashboard_controller.rb
@@ -7,12 +7,12 @@ module Admin
    def index
      authorize :dashboard, :index?
      @pending_appeals_count = Appeal.pending.async_count
      @pending_reports_count = Report.unresolved.async_count
      @pending_tags_count    = Tag.pending_review.async_count
      @pending_users_count   = User.pending.async_count
      @system_checks         = Admin::SystemCheck.perform(current_user)
      @time_period           = (29.days.ago.to_date...Time.now.utc.to_date)
      @pending_users_count   = User.pending.count
      @pending_reports_count = Report.unresolved.count
      @pending_tags_count    = Tag.pending_review.count
      @pending_appeals_count = Appeal.pending.count
    end
  end
 end
--- a/app/controllers/admin/disputes/appeals_controller.rb
+++ b/app/controllers/admin/disputes/appeals_controller.rb
@@ -6,6 +6,7 @@ class Admin::Disputes::AppealsController < Admin::BaseController
  def index
    authorize :appeal, :index?
    @pending_appeals_count = Appeal.pending.async_count
    @appeals = filtered_appeals.page(params[:page])
  end
--- a/app/controllers/admin/report_notes_controller.rb
+++ b/app/controllers/admin/report_notes_controller.rb
@@ -21,7 +21,7 @@ module Admin
        redirect_to after_create_redirect_path, notice: I18n.t('admin.report_notes.created_msg')
      else
-        @report_notes = @report.notes.includes(:account).order(id: :desc)
+        @report_notes = @report.notes.chronological.includes(:account)
        @action_logs  = @report.history.includes(:target)
        @form         = Admin::StatusBatchAction.new
        @statuses     = @report.statuses.with_includes
--- a/app/controllers/admin/reports_controller.rb
+++ b/app/controllers/admin/reports_controller.rb
@@ -13,7 +13,7 @@ module Admin
      authorize @report, :show?
      @report_note  = @report.notes.new
-      @report_notes = @report.notes.includes(:account).order(id: :desc)
+      @report_notes = @report.notes.chronological.includes(:account)
      @action_logs  = @report.history.includes(:target)
      @form         = Admin::StatusBatchAction.new
      @statuses     = @report.statuses.with_includes
--- a/app/controllers/admin/trends/links/preview_card_providers_controller.rb
+++ b/app/controllers/admin/trends/links/preview_card_providers_controller.rb
@@ -4,6 +4,7 @@ class Admin::Trends::Links::PreviewCardProvidersController < Admin::BaseControll
  def index
    authorize :preview_card_provider, :review?
    @pending_preview_card_providers_count = PreviewCardProvider.unreviewed.async_count
    @preview_card_providers = filtered_preview_card_providers.page(params[:page])
    @form = Trends::PreviewCardProviderBatch.new
  end
--- a/app/controllers/admin/trends/tags_controller.rb
+++ b/app/controllers/admin/trends/tags_controller.rb
@@ -4,6 +4,7 @@ class Admin::Trends::TagsController < Admin::BaseController
  def index
    authorize :tag, :review?
    @pending_tags_count = Tag.pending_review.async_count
    @tags = filtered_tags.page(params[:page])
    @form = Trends::TagBatch.new
  end
--- a/app/controllers/api/base_controller.rb
+++ b/app/controllers/api/base_controller.rb
@@ -72,6 +72,13 @@ class Api::BaseController < ApplicationController
    end
  end
  # Redefine `require_functional!` to properly output JSON instead of HTML redirects
  def require_functional!
    return if current_user.functional?
    require_user!
  end
  def render_empty
    render json: {}, status: 200
  end
--- a/app/controllers/api/oembed_controller.rb
+++ b/app/controllers/api/oembed_controller.rb
@@ -7,7 +7,7 @@ class Api::OEmbedController < Api::BaseController
  before_action :require_public_status!
  def show
-    render json: @status, serializer: OEmbedSerializer, width: maxwidth_or_default, height: maxheight_or_default
+    render json: @status, serializer: OEmbedSerializer, width: params[:maxwidth], height: params[:maxheight]
  end
  private
@@ -23,12 +23,4 @@ class Api::OEmbedController < Api::BaseController
  def status_finder
    StatusFinder.new(params[:url])
  end
  def maxwidth_or_default
    (params[:maxwidth].presence || 400).to_i
  end
  def maxheight_or_default
    params[:maxheight].present? ? params[:maxheight].to_i : nil
  end
 end
--- a/app/controllers/api/v1/accounts/credentials_controller.rb
+++ b/app/controllers/api/v1/accounts/credentials_controller.rb
@@ -14,7 +14,7 @@ class Api::V1::Accounts::CredentialsController < Api::BaseController
    @account = current_account
    UpdateAccountService.new.call(@account, account_params, raise_error: true)
    current_user.update(user_params) if user_params
-    ActivityPub::UpdateDistributionWorker.perform_async(@account.id)
+    ActivityPub::UpdateDistributionWorker.perform_in(ActivityPub::UpdateDistributionWorker::DEBOUNCE_DELAY, @account.id)
    render json: @account, serializer: REST::CredentialAccountSerializer
  rescue ActiveRecord::RecordInvalid => e
    render json: ValidationErrorFormatter.new(e).as_json, status: 422
--- a/app/controllers/api/v1/accounts_controller.rb
+++ b/app/controllers/api/v1/accounts_controller.rb
@@ -16,6 +16,7 @@ class Api::V1::AccountsController < Api::BaseController
  before_action :check_account_confirmation, except: [:index, :create]
  before_action :check_enabled_registrations, only: [:create]
  before_action :check_accounts_limit, only: [:index]
  before_action :check_following_self, only: [:follow]
  skip_before_action :require_authenticated_user!, only: :create
@@ -101,6 +102,10 @@ class Api::V1::AccountsController < Api::BaseController
    raise(Mastodon::ValidationError) if account_ids.size > DEFAULT_ACCOUNTS_LIMIT
  end
  def check_following_self
    render json: { error: I18n.t('accounts.self_follow_error') }, status: 403 if current_user.account.id == @account.id
  end
  def relationships(**options)
    AccountRelationshipsPresenter.new([@account], current_user.account_id, **options)
  end
--- a/app/controllers/api/v1/crypto/deliveries_controller.rb
+++ b/app/controllers/api/v1/crypto/deliveries_controller.rb
@@ -1,30 +0,0 @@
 # frozen_string_literal: true
 class Api::V1::Crypto::DeliveriesController < Api::BaseController
  before_action -> { doorkeeper_authorize! :crypto }
  before_action :require_user!
  before_action :set_current_device
  def create
    devices.each do |device_params|
      DeliverToDeviceService.new.call(current_account, @current_device, device_params)
    end
    render_empty
  end
  private
  def set_current_device
    @current_device = Device.find_by!(access_token: doorkeeper_token)
  end
  def resource_params
    params.require(:device)
    params.permit(device: [:account_id, :device_id, :type, :body, :hmac])
  end
  def devices
    Array(resource_params[:device])
  end
 end
--- a/app/controllers/api/v1/crypto/encrypted_messages_controller.rb
+++ b/app/controllers/api/v1/crypto/encrypted_messages_controller.rb
@@ -1,47 +0,0 @@
 # frozen_string_literal: true
 class Api::V1::Crypto::EncryptedMessagesController < Api::BaseController
  LIMIT = 80
  before_action -> { doorkeeper_authorize! :crypto }
  before_action :require_user!
  before_action :set_current_device
  before_action :set_encrypted_messages,    only: :index
  after_action  :insert_pagination_headers, only: :index
  def index
    render json: @encrypted_messages, each_serializer: REST::EncryptedMessageSerializer
  end
  def clear
    @current_device.encrypted_messages.up_to(params[:up_to_id]).delete_all
    render_empty
  end
  private
  def set_current_device
    @current_device = Device.find_by!(access_token: doorkeeper_token)
  end
  def set_encrypted_messages
    @encrypted_messages = @current_device.encrypted_messages.to_a_paginated_by_id(limit_param(LIMIT), params_slice(:max_id, :since_id, :min_id))
  end
  def next_path
    api_v1_crypto_encrypted_messages_url pagination_params(max_id: pagination_max_id) if records_continue?
  end
  def prev_path
    api_v1_crypto_encrypted_messages_url pagination_params(min_id: pagination_since_id) unless @encrypted_messages.empty?
  end
  def pagination_collection
    @encrypted_messages
  end
  def records_continue?
    @encrypted_messages.size == limit_param(LIMIT)
  end
 end
--- a/app/controllers/api/v1/crypto/keys/claims_controller.rb
+++ b/app/controllers/api/v1/crypto/keys/claims_controller.rb
@@ -1,25 +0,0 @@
 # frozen_string_literal: true
 class Api::V1::Crypto::Keys::ClaimsController < Api::BaseController
  before_action -> { doorkeeper_authorize! :crypto }
  before_action :require_user!
  before_action :set_claim_results
  def create
    render json: @claim_results, each_serializer: REST::Keys::ClaimResultSerializer
  end
  private
  def set_claim_results
    @claim_results = devices.filter_map { |device_params| ::Keys::ClaimService.new.call(current_account, device_params[:account_id], device_params[:device_id]) }
  end
  def resource_params
    params.permit(device: [:account_id, :device_id])
  end
  def devices
    Array(resource_params[:device])
  end
 end
--- a/app/controllers/api/v1/crypto/keys/counts_controller.rb
+++ b/app/controllers/api/v1/crypto/keys/counts_controller.rb
@@ -1,17 +0,0 @@
 # frozen_string_literal: true
 class Api::V1::Crypto::Keys::CountsController < Api::BaseController
  before_action -> { doorkeeper_authorize! :crypto }
  before_action :require_user!
  before_action :set_current_device
  def show
    render json: { one_time_keys: @current_device.one_time_keys.count }
  end
  private
  def set_current_device
    @current_device = Device.find_by!(access_token: doorkeeper_token)
  end
 end
--- a/app/controllers/api/v1/crypto/keys/queries_controller.rb
+++ b/app/controllers/api/v1/crypto/keys/queries_controller.rb
@@ -1,26 +0,0 @@
 # frozen_string_literal: true
 class Api::V1::Crypto::Keys::QueriesController < Api::BaseController
  before_action -> { doorkeeper_authorize! :crypto }
  before_action :require_user!
  before_action :set_accounts
  before_action :set_query_results
  def create
    render json: @query_results, each_serializer: REST::Keys::QueryResultSerializer
  end
  private
  def set_accounts
    @accounts = Account.where(id: account_ids).includes(:devices)
  end
  def set_query_results
    @query_results = @accounts.filter_map { |account| ::Keys::QueryService.new.call(account) }
  end
  def account_ids
    Array(params[:id]).map(&:to_i)
  end
 end
--- a/app/controllers/api/v1/crypto/keys/uploads_controller.rb
+++ b/app/controllers/api/v1/crypto/keys/uploads_controller.rb
@@ -1,29 +0,0 @@
 # frozen_string_literal: true
 class Api::V1::Crypto::Keys::UploadsController < Api::BaseController
  before_action -> { doorkeeper_authorize! :crypto }
  before_action :require_user!
  def create
    device = Device.find_or_initialize_by(access_token: doorkeeper_token)
    device.transaction do
      device.account = current_account
      device.update!(resource_params[:device])
      if resource_params[:one_time_keys].present? && resource_params[:one_time_keys].is_a?(Enumerable)
        resource_params[:one_time_keys].each do |one_time_key_params|
          device.one_time_keys.create!(one_time_key_params)
        end
      end
    end
    render json: device, serializer: REST::Keys::DeviceSerializer
  end
  private
  def resource_params
    params.permit(device: [:device_id, :name, :fingerprint_key, :identity_key], one_time_keys: [:key_id, :key, :signature])
  end
 end
--- a/app/controllers/api/v1/domain_blocks/previews_controller.rb
+++ b/app/controllers/api/v1/domain_blocks/previews_controller.rb
@@ -0,0 +1,27 @@
 # frozen_string_literal: true
 class Api::V1::DomainBlocks::PreviewsController < Api::BaseController
  before_action -> { doorkeeper_authorize! :follow, :write, :'write:blocks' }
  before_action :require_user!
  before_action :set_domain
  before_action :set_domain_block_preview
  def show
    render json: @domain_block_preview, serializer: REST::DomainBlockPreviewSerializer
  end
  private
  def set_domain
    @domain = TagManager.instance.normalize_domain(params[:domain])
  end
  def set_domain_block_preview
    @domain_block_preview = with_read_replica do
      DomainBlockPreviewPresenter.new(
        following_count: current_account.following.where(domain: @domain).count,
        followers_count: current_account.followers.where(domain: @domain).count
      )
    end
  end
 end
--- a/app/controllers/api/v1/instances/domain_blocks_controller.rb
+++ b/app/controllers/api/v1/instances/domain_blocks_controller.rb
@@ -31,7 +31,7 @@ class Api::V1::Instances::DomainBlocksController < Api::V1::Instances::BaseContr
  end
  def show_domain_blocks_to_user?
-    Setting.show_domain_blocks == 'users' && user_signed_in?
+    Setting.show_domain_blocks == 'users' && user_signed_in? && current_user.functional_or_moved?
  end
  def set_domain_blocks
@@ -47,6 +47,6 @@ class Api::V1::Instances::DomainBlocksController < Api::V1::Instances::BaseContr
  end
  def show_rationale_for_user?
-    Setting.show_domain_blocks_rationale == 'users' && user_signed_in?
+    Setting.show_domain_blocks_rationale == 'users' && user_signed_in? && current_user.functional_or_moved?
  end
 end
--- a/app/controllers/api/v1/notifications/requests_controller.rb
+++ b/app/controllers/api/v1/notifications/requests_controller.rb
@@ -52,7 +52,7 @@ class Api::V1::Notifications::RequestsController < Api::BaseController
  private
  def load_requests
-    requests = NotificationRequest.where(account: current_account).includes(:last_status, from_account: [:account_stat, :user]).to_a_paginated_by_id(
+    requests = NotificationRequest.where(account: current_account).without_suspended.includes(:last_status, from_account: [:account_stat, :user]).to_a_paginated_by_id(
      limit_param(DEFAULT_ACCOUNTS_LIMIT),
      params_slice(:max_id, :since_id, :min_id)
    )
--- a/app/controllers/api/v1/peers/search_controller.rb
+++ b/app/controllers/api/v1/peers/search_controller.rb
@@ -7,6 +7,8 @@ class Api::V1::Peers::SearchController < Api::BaseController
  skip_before_action :require_authenticated_user!, unless: :limited_federation_mode?
  skip_around_action :set_locale
  LIMIT = 10
  vary_by ''
  def index
@@ -35,10 +37,10 @@ class Api::V1::Peers::SearchController < Api::BaseController
          field: 'accounts_count',
          modifier: 'log2p',
        },
-      }).limit(10).pluck(:domain)
+      }).limit(LIMIT).pluck(:domain)
    else
      domain = normalized_domain
-      @domains = Instance.searchable.domain_starts_with(domain).limit(10).pluck(:domain)
+      @domains = Instance.searchable.domain_starts_with(domain).limit(LIMIT).pluck(:domain)
    end
  rescue Addressable::URI::InvalidURIError
    @domains = []
--- a/app/controllers/api/v1/profile/avatars_controller.rb
+++ b/app/controllers/api/v1/profile/avatars_controller.rb
@@ -7,7 +7,7 @@ class Api::V1::Profile::AvatarsController < Api::BaseController
  def destroy
    @account = current_account
    UpdateAccountService.new.call(@account, { avatar: nil }, raise_error: true)
-    ActivityPub::UpdateDistributionWorker.perform_async(@account.id)
+    ActivityPub::UpdateDistributionWorker.perform_in(ActivityPub::UpdateDistributionWorker::DEBOUNCE_DELAY, @account.id)
    render json: @account, serializer: REST::CredentialAccountSerializer
  end
 end
--- a/app/controllers/api/v1/profile/headers_controller.rb
+++ b/app/controllers/api/v1/profile/headers_controller.rb
@@ -7,7 +7,7 @@ class Api::V1::Profile::HeadersController < Api::BaseController
  def destroy
    @account = current_account
    UpdateAccountService.new.call(@account, { header: nil }, raise_error: true)
-    ActivityPub::UpdateDistributionWorker.perform_async(@account.id)
+    ActivityPub::UpdateDistributionWorker.perform_in(ActivityPub::UpdateDistributionWorker::DEBOUNCE_DELAY, @account.id)
    render json: @account, serializer: REST::CredentialAccountSerializer
  end
 end
--- a/app/controllers/api/v1/statuses/translations_controller.rb
+++ b/app/controllers/api/v1/statuses/translations_controller.rb
@@ -23,6 +23,6 @@ class Api::V1::Statuses::TranslationsController < Api::V1::Statuses::BaseControl
  private
  def set_translation
-    @translation = TranslateStatusService.new.call(@status, content_locale)
+    @translation = TranslateStatusService.new.call(@status, I18n.locale.to_s)
  end
 end
--- a/app/controllers/api/v2/notifications/accounts_controller.rb
+++ b/app/controllers/api/v2/notifications/accounts_controller.rb
@@ -0,0 +1,50 @@
 # frozen_string_literal: true
 class Api::V2::Notifications::AccountsController < Api::BaseController
  before_action -> { doorkeeper_authorize! :read, :'read:notifications' }
  before_action :require_user!
  before_action :set_notifications!
  after_action :insert_pagination_headers, only: :index
  def index
    @accounts = load_accounts
    render json: @accounts, each_serializer: REST::AccountSerializer
  end
  private
  def load_accounts
    @paginated_notifications.map(&:from_account)
  end
  def set_notifications!
    @paginated_notifications = begin
      current_account
        .notifications
        .without_suspended
        .where(group_key: params[:notification_group_key])
        .includes(from_account: [:account_stat, :user])
        .paginate_by_max_id(
          limit_param(DEFAULT_ACCOUNTS_LIMIT),
          params[:max_id],
          params[:since_id]
        )
    end
  end
  def next_path
    api_v2_notification_accounts_url pagination_params(max_id: pagination_max_id) if records_continue?
  end
  def prev_path
    api_v2_notification_accounts_url pagination_params(min_id: pagination_since_id) unless @paginated_notifications.empty?
  end
  def pagination_collection
    @paginated_notifications
  end
  def records_continue?
    @paginated_notifications.size == limit_param(DEFAULT_ACCOUNTS_LIMIT)
  end
 end
--- a/app/controllers/api/v2_alpha/notifications_controller.rb
+++ b/app/controllers/api/v2_alpha/notifications_controller.rb
@@ -1,6 +1,6 @@
 # frozen_string_literal: true
-class Api::V2Alpha::NotificationsController < Api::BaseController
+class Api::V2::NotificationsController < Api::BaseController
  before_action -> { doorkeeper_authorize! :read, :'read:notifications' }, except: [:clear, :dismiss]
  before_action -> { doorkeeper_authorize! :write, :'write:notifications' }, only: [:clear, :dismiss]
  before_action :require_user!
@@ -13,7 +13,6 @@ class Api::V2Alpha::NotificationsController < Api::BaseController
  def index
    with_read_replica do
      @notifications = load_notifications
      @group_metadata = load_group_metadata
      @grouped_notifications = load_grouped_notifications
      @relationships = StatusRelationshipsPresenter.new(target_statuses_from_notifications, current_user&.account_id)
      @presenter = GroupedNotificationsPresenter.new(@grouped_notifications, expand_accounts: expand_accounts_param)
@@ -22,7 +21,7 @@ class Api::V2Alpha::NotificationsController < Api::BaseController
      ActiveRecord::Associations::Preloader.new(records: @presenter.accounts, associations: [:account_stat, { user: :role }]).call
    end
-    MastodonOTELTracer.in_span('Api::V2Alpha::NotificationsController#index rendering') do |span|
+    MastodonOTELTracer.in_span('Api::V2::NotificationsController#index rendering') do |span|
      statuses = @grouped_notifications.filter_map { |group| group.target_status&.id }
      span.add_attributes(
@@ -34,7 +33,7 @@ class Api::V2Alpha::NotificationsController < Api::BaseController
        'app.notification_grouping.expand_accounts_param' => expand_accounts_param
      )
-      render json: @presenter, serializer: REST::DedupNotificationGroupSerializer, relationships: @relationships, group_metadata: @group_metadata, expand_accounts: expand_accounts_param
+      render json: @presenter, serializer: REST::DedupNotificationGroupSerializer, relationships: @relationships, expand_accounts: expand_accounts_param
    end
  end
@@ -42,13 +41,13 @@ class Api::V2Alpha::NotificationsController < Api::BaseController
    limit = limit_param(DEFAULT_NOTIFICATIONS_COUNT_LIMIT, MAX_NOTIFICATIONS_COUNT_LIMIT)
    with_read_replica do
-      render json: { count: browserable_account_notifications.paginate_groups_by_min_id(limit, min_id: notification_marker&.last_read_id).count }
+      render json: { count: browserable_account_notifications.paginate_groups_by_min_id(limit, min_id: notification_marker&.last_read_id, grouped_types: params[:grouped_types]).count }
    end
  end
  def show
-    @notification = current_account.notifications.without_suspended.find_by!(group_key: params[:id])
+    @notification = current_account.notifications.without_suspended.by_group_key(params[:group_key]).take!
-    presenter = GroupedNotificationsPresenter.new([NotificationGroup.from_notification(@notification)])
+    presenter = GroupedNotificationsPresenter.new(NotificationGroup.from_notifications([@notification]))
    render json: presenter, serializer: REST::DedupNotificationGroupSerializer
  end
@@ -58,17 +57,17 @@ class Api::V2Alpha::NotificationsController < Api::BaseController
  end
  def dismiss
-    current_account.notifications.where(group_key: params[:id]).destroy_all
+    current_account.notifications.by_group_key(params[:group_key]).destroy_all
    render_empty
  end
  private
  def load_notifications
-    MastodonOTELTracer.in_span('Api::V2Alpha::NotificationsController#load_notifications') do
+    MastodonOTELTracer.in_span('Api::V2::NotificationsController#load_notifications') do
      notifications = browserable_account_notifications.includes(from_account: [:account_stat, :user]).to_a_grouped_paginated_by_id(
        limit_param(DEFAULT_NOTIFICATIONS_LIMIT),
-        params_slice(:max_id, :since_id, :min_id)
+        params.slice(:max_id, :since_id, :min_id, :grouped_types).permit(:max_id, :since_id, :min_id, grouped_types: [])
      )
      Notification.preload_cache_collection_target_statuses(notifications) do |target_statuses|
@@ -77,23 +76,33 @@ class Api::V2Alpha::NotificationsController < Api::BaseController
    end
  end
-  def load_group_metadata
+  def load_grouped_notifications
-    return {} if @notifications.empty?
+    return [] if @notifications.empty?
-    MastodonOTELTracer.in_span('Api::V2Alpha::NotificationsController#load_group_metadata') do
+    MastodonOTELTracer.in_span('Api::V2::NotificationsController#load_grouped_notifications') do
-      browserable_account_notifications
+      pagination_range = (@notifications.last.id)..@notifications.first.id
-        .where(group_key: @notifications.filter_map(&:group_key))
+
-        .where(id: (@notifications.last.id)..(@notifications.first.id))
+      # If the page is incomplete, we know we are on the last page
-        .group(:group_key)
+      if incomplete_page?
-        .pluck(:group_key, 'min(notifications.id) as min_id', 'max(notifications.id) as max_id', 'max(notifications.created_at) as latest_notification_at')
+        if paginating_up?
-        .to_h { |group_key, min_id, max_id, latest_notification_at| [group_key, { min_id: min_id, max_id: max_id, latest_notification_at: latest_notification_at }] }
+          pagination_range = @notifications.last.id...(params[:max_id]&.to_i)
        else
          range_start = params[:since_id]&.to_i
          range_start += 1 unless range_start.nil?
          pagination_range = range_start..(@notifications.first.id)
        end
      end
      NotificationGroup.from_notifications(@notifications, pagination_range: pagination_range, grouped_types: params[:grouped_types])
    end
  end
-  def load_grouped_notifications
+  def incomplete_page?
-    MastodonOTELTracer.in_span('Api::V2Alpha::NotificationsController#load_grouped_notifications') do
+    @notifications.size < limit_param(DEFAULT_NOTIFICATIONS_LIMIT)
-      @notifications.map { |notification| NotificationGroup.from_notification(notification, max_id: @group_metadata.dig(notification.group_key, :max_id)) }
+  end
-    end
+
  def paginating_up?
    params[:min_id].present?
  end
  def browserable_account_notifications
@@ -113,11 +122,11 @@ class Api::V2Alpha::NotificationsController < Api::BaseController
  end
  def next_path
-    api_v2_alpha_notifications_url pagination_params(max_id: pagination_max_id) unless @notifications.empty?
+    api_v2_notifications_url pagination_params(max_id: pagination_max_id) unless @notifications.empty?
  end
  def prev_path
-    api_v2_alpha_notifications_url pagination_params(min_id: pagination_since_id) unless @notifications.empty?
+    api_v2_notifications_url pagination_params(min_id: pagination_since_id) unless @notifications.empty?
  end
  def pagination_collection
@@ -125,11 +134,11 @@ class Api::V2Alpha::NotificationsController < Api::BaseController
  end
  def browserable_params
-    params.permit(:include_filtered, types: [], exclude_types: [])
+    params.slice(:include_filtered, :types, :exclude_types, :grouped_types).permit(:include_filtered, types: [], exclude_types: [], grouped_types: [])
  end
  def pagination_params(core_params)
-    params.slice(:limit, :types, :exclude_types, :include_filtered).permit(:limit, :include_filtered, types: [], exclude_types: []).merge(core_params)
+    params.slice(:limit, :include_filtered, :types, :exclude_types, :grouped_types).permit(:limit, :include_filtered, types: [], exclude_types: [], grouped_types: []).merge(core_params)
  end
  def expand_accounts_param
--- a/app/controllers/api/web/embeds_controller.rb
+++ b/app/controllers/api/web/embeds_controller.rb
@@ -9,7 +9,7 @@ class Api::Web::EmbedsController < Api::Web::BaseController
    return not_found if @status.hidden?
    if @status.local?
-      render json: @status, serializer: OEmbedSerializer, width: 400
+      render json: @status, serializer: OEmbedSerializer
    else
      return not_found unless user_signed_in?
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -74,7 +74,23 @@ class ApplicationController < ActionController::Base
  end
  def require_functional!
-    redirect_to edit_user_registration_path unless current_user.functional?
+    return if current_user.functional?
    respond_to do |format|
      format.any do
        redirect_to edit_user_registration_path
      end
      format.json do
        if !current_user.confirmed?
          render json: { error: 'Your login is missing a confirmed e-mail address' }, status: 403
        elsif !current_user.approved?
          render json: { error: 'Your login is currently pending approval' }, status: 403
        elsif !current_user.functional?
          render json: { error: 'Your login is currently disabled' }, status: 403
        end
      end
    end
  end
  def skip_csrf_meta_tags?
--- a/app/controllers/auth/registrations_controller.rb
+++ b/app/controllers/auth/registrations_controller.rb
@@ -11,7 +11,6 @@ class Auth::RegistrationsController < Devise::RegistrationsController
  before_action :configure_sign_up_params, only: [:create]
  before_action :set_sessions, only: [:edit, :update]
  before_action :set_strikes, only: [:edit, :update]
  before_action :set_body_classes, only: [:new, :create, :edit, :update]
  before_action :require_not_suspended!, only: [:update]
  before_action :set_cache_headers, only: [:edit, :update]
  before_action :set_rules, only: :new
@@ -104,10 +103,6 @@ class Auth::RegistrationsController < Devise::RegistrationsController
  private
  def set_body_classes
    @body_classes = 'admin' if %w(edit update).include?(action_name)
  end
  def set_invite
    @invite = begin
      invite = Invite.find_by(code: invite_code) if invite_code.present?
--- a/app/controllers/auth/sessions_controller.rb
+++ b/app/controllers/auth/sessions_controller.rb
@@ -20,11 +20,6 @@ class Auth::SessionsController < Devise::SessionsController
    p.form_action(false)
  end
  def check_suspicious!
    user = find_user
    @login_is_suspicious = suspicious_sign_in?(user) unless user.nil?
  end
  def create
    super do |resource|
      # We only need to call this if this hasn't already been
@@ -101,6 +96,11 @@ class Auth::SessionsController < Devise::SessionsController
  private
  def check_suspicious!
    user = find_user
    @login_is_suspicious = suspicious_sign_in?(user) unless user.nil?
  end
  def home_paths(resource)
    paths = [about_path, '/explore']
--- a/app/controllers/backups_controller.rb
+++ b/app/controllers/backups_controller.rb
@@ -9,13 +9,15 @@ class BackupsController < ApplicationController
  before_action :authenticate_user!
  before_action :set_backup
  BACKUP_LINK_TIMEOUT = 1.hour.freeze
  def download
    case Paperclip::Attachment.default_options[:storage]
    when :s3, :azure
-      redirect_to @backup.dump.expiring_url(10), allow_other_host: true
+      redirect_to @backup.dump.expiring_url(BACKUP_LINK_TIMEOUT.to_i), allow_other_host: true
    when :fog
      if Paperclip::Attachment.default_options.dig(:fog_credentials, :openstack_temp_url_key).present?
-        redirect_to @backup.dump.expiring_url(Time.now.utc + 10), allow_other_host: true
+        redirect_to @backup.dump.expiring_url(BACKUP_LINK_TIMEOUT.from_now), allow_other_host: true
      else
        redirect_to full_asset_url(@backup.dump.url), allow_other_host: true
      end
--- a/app/controllers/concerns/account_controller_concern.rb
+++ b/app/controllers/concerns/account_controller_concern.rb
@@ -20,7 +20,7 @@ module AccountControllerConcern
        webfinger_account_link,
        actor_url_link,
      ]
-    )
+    ).to_s
  end
  def webfinger_account_link
--- a/app/controllers/concerns/api/pagination.rb
+++ b/app/controllers/concerns/api/pagination.rb
@@ -19,7 +19,7 @@ module Api::Pagination
    links = []
    links << [next_path, [%w(rel next)]] if next_path
    links << [prev_path, [%w(rel prev)]] if prev_path
-    response.headers['Link'] = LinkHeader.new(links) unless links.empty?
+    response.headers['Link'] = LinkHeader.new(links).to_s unless links.empty?
  end
  def require_valid_pagination_options!
--- a/app/controllers/concerns/signature_verification.rb
+++ b/app/controllers/concerns/signature_verification.rb
@@ -117,7 +117,7 @@ module SignatureVerification
  def verify_signature_strength!
    raise SignatureVerificationError, 'Mastodon requires the Date header or (created) pseudo-header to be signed' unless signed_headers.include?('date') || signed_headers.include?('(created)')
-    raise SignatureVerificationError, 'Mastodon requires the Digest header or (request-target) pseudo-header to be signed' unless signed_headers.include?(Request::REQUEST_TARGET) || signed_headers.include?('digest')
+    raise SignatureVerificationError, 'Mastodon requires the Digest header or (request-target) pseudo-header to be signed' unless signed_headers.include?(HttpSignatureDraft::REQUEST_TARGET) || signed_headers.include?('digest')
    raise SignatureVerificationError, 'Mastodon requires the Host header to be signed when doing a GET request' if request.get? && !signed_headers.include?('host')
    raise SignatureVerificationError, 'Mastodon requires the Digest header to be signed when doing a POST request' if request.post? && !signed_headers.include?('digest')
  end
@@ -155,14 +155,14 @@ module SignatureVerification
  def build_signed_string(include_query_string: true)
    signed_headers.map do |signed_header|
      case signed_header
-      when Request::REQUEST_TARGET
+      when HttpSignatureDraft::REQUEST_TARGET
        if include_query_string
-          "#{Request::REQUEST_TARGET}: #{request.method.downcase} #{request.original_fullpath}"
+          "#{HttpSignatureDraft::REQUEST_TARGET}: #{request.method.downcase} #{request.original_fullpath}"
        else
          # Current versions of Mastodon incorrectly omit the query string from the (request-target) pseudo-header.
          # Therefore, temporarily support such incorrect signatures for compatibility.
          # TODO: remove eventually some time after release of the fixed version
-          "#{Request::REQUEST_TARGET}: #{request.method.downcase} #{request.path}"
+          "#{HttpSignatureDraft::REQUEST_TARGET}: #{request.method.downcase} #{request.path}"
        end
      when '(created)'
        raise SignatureVerificationError, 'Invalid pseudo-header (created) for rsa-sha256' unless signature_algorithm == 'hs2019'
--- a/app/controllers/concerns/web_app_controller_concern.rb
+++ b/app/controllers/concerns/web_app_controller_concern.rb
@@ -8,6 +8,16 @@ module WebAppControllerConcern
    before_action :redirect_unauthenticated_to_permalinks!
    before_action :set_app_body_class
    content_security_policy do |p|
      policy = ContentSecurityPolicy.new
      if policy.sso_host.present?
        p.form_action policy.sso_host, -> { "https://#{request.host}/auth/auth/" }
      else
        p.form_action :none
      end
    end
  end
  def skip_csrf_meta_tags?
@@ -21,7 +31,7 @@ module WebAppControllerConcern
  def redirect_unauthenticated_to_permalinks!
    return if user_signed_in? # NOTE: Different from upstream because we allow moved users to log in
-    permalink_redirector = PermalinkRedirector.new(request.path)
+    permalink_redirector = PermalinkRedirector.new(request.original_fullpath)
    return if permalink_redirector.redirect_path.blank?
    expires_in(15.seconds, public: true, stale_while_revalidate: 30.seconds, stale_if_error: 1.day) unless user_signed_in?
--- a/app/controllers/disputes/base_controller.rb
+++ b/app/controllers/disputes/base_controller.rb
@@ -7,16 +7,11 @@ class Disputes::BaseController < ApplicationController
  skip_before_action :require_functional!
  before_action :set_body_classes
  before_action :authenticate_user!
  before_action :set_cache_headers
  private
  def set_body_classes
    @body_classes = 'admin'
  end
  def set_cache_headers
    response.cache_control.replace(private: true, no_store: true)
  end
--- a/app/controllers/filters/statuses_controller.rb
+++ b/app/controllers/filters/statuses_controller.rb
@@ -6,7 +6,6 @@ class Filters::StatusesController < ApplicationController
  before_action :authenticate_user!
  before_action :set_filter
  before_action :set_status_filters
  before_action :set_body_classes
  before_action :set_cache_headers
  PER_PAGE = 20
@@ -42,10 +41,6 @@ class Filters::StatusesController < ApplicationController
    'remove' if params[:remove]
  end
  def set_body_classes
    @body_classes = 'admin'
  end
  def set_cache_headers
    response.cache_control.replace(private: true, no_store: true)
  end
--- a/app/controllers/filters_controller.rb
+++ b/app/controllers/filters_controller.rb
@@ -5,7 +5,6 @@ class FiltersController < ApplicationController
  before_action :authenticate_user!
  before_action :set_filter, only: [:edit, :update, :destroy]
  before_action :set_body_classes
  before_action :set_cache_headers
  def index
@@ -52,10 +51,6 @@ class FiltersController < ApplicationController
    params.require(:custom_filter).permit(:title, :expires_in, :filter_action, context: [], keywords_attributes: [:id, :keyword, :whole_word, :_destroy])
  end
  def set_body_classes
    @body_classes = 'admin'
  end
  def set_cache_headers
    response.cache_control.replace(private: true, no_store: true)
  end
--- a/app/controllers/invites_controller.rb
+++ b/app/controllers/invites_controller.rb
@@ -6,7 +6,6 @@ class InvitesController < ApplicationController
  layout 'admin'
  before_action :authenticate_user!
  before_action :set_body_classes
  before_action :set_cache_headers
  def index
@@ -47,10 +46,6 @@ class InvitesController < ApplicationController
    params.require(:invite).permit(:max_uses, :expires_in, :autofollow, :comment)
  end
  def set_body_classes
    @body_classes = 'admin'
  end
  def set_cache_headers
    response.cache_control.replace(private: true, no_store: true)
  end
--- a/app/controllers/media_controller.rb
+++ b/app/controllers/media_controller.rb
@@ -19,9 +19,7 @@ class MediaController < ApplicationController
    redirect_to @media_attachment.file.url(:original)
  end
-  def player
+  def player; end
    @body_classes = 'player'
  end
  private
--- a/app/controllers/oauth/authorized_applications_controller.rb
+++ b/app/controllers/oauth/authorized_applications_controller.rb
@@ -6,7 +6,6 @@ class Oauth::AuthorizedApplicationsController < Doorkeeper::AuthorizedApplicatio
  before_action :store_current_location
  before_action :authenticate_resource_owner!
  before_action :require_not_suspended!, only: :destroy
  before_action :set_body_classes
  before_action :set_cache_headers
  before_action :set_last_used_at_by_app, only: :index, unless: -> { request.format == :json }
@@ -23,10 +22,6 @@ class Oauth::AuthorizedApplicationsController < Doorkeeper::AuthorizedApplicatio
  private
  def set_body_classes
    @body_classes = 'admin'
  end
  def store_current_location
    store_location_for(:user, request.url)
  end
--- a/app/controllers/redirect/base_controller.rb
+++ b/app/controllers/redirect/base_controller.rb
@@ -4,7 +4,6 @@ class Redirect::BaseController < ApplicationController
  vary_by 'Accept-Language'
  before_action :set_resource
  before_action :set_app_body_class
  def show
    @redirect_path = ActivityPub::TagManager.instance.url_for(@resource)
@@ -14,10 +13,6 @@ class Redirect::BaseController < ApplicationController
  private
  def set_app_body_class
    @body_classes = 'app-body'
  end
  def set_resource
    raise NotImplementedError
  end
--- a/app/controllers/relationships_controller.rb
+++ b/app/controllers/relationships_controller.rb
@@ -6,7 +6,6 @@ class RelationshipsController < ApplicationController
  before_action :authenticate_user!
  before_action :set_accounts, only: :show
  before_action :set_relationships, only: :show
  before_action :set_body_classes
  before_action :set_cache_headers
  helper_method :following_relationship?, :followed_by_relationship?, :mutual_relationship?
@@ -68,10 +67,6 @@ class RelationshipsController < ApplicationController
    end
  end
  def set_body_classes
    @body_classes = 'admin'
  end
  def set_cache_headers
    response.cache_control.replace(private: true, no_store: true)
  end
--- a/app/controllers/settings/base_controller.rb
+++ b/app/controllers/settings/base_controller.rb
@@ -4,15 +4,10 @@ class Settings::BaseController < ApplicationController
  layout 'admin'
  before_action :authenticate_user!
  before_action :set_body_classes
  before_action :set_cache_headers
  private
  def set_body_classes
    @body_classes = 'admin'
  end
  def set_cache_headers
    response.cache_control.replace(private: true, no_store: true)
  end
--- a/app/controllers/settings/pictures_controller.rb
+++ b/app/controllers/settings/pictures_controller.rb
@@ -8,7 +8,7 @@ module Settings
    def destroy
      if valid_picture?
        if UpdateAccountService.new.call(@account, { @picture => nil, "#{@picture}_remote_url" => '' })
-          ActivityPub::UpdateDistributionWorker.perform_async(@account.id)
+          ActivityPub::UpdateDistributionWorker.perform_in(ActivityPub::UpdateDistributionWorker::DEBOUNCE_DELAY, @account.id)
          redirect_to settings_profile_path, notice: I18n.t('generic.changes_saved_msg'), status: 303
        else
          redirect_to settings_profile_path
--- a/app/controllers/settings/privacy_controller.rb
+++ b/app/controllers/settings/privacy_controller.rb
@@ -8,7 +8,7 @@ class Settings::PrivacyController < Settings::BaseController
  def update
    if UpdateAccountService.new.call(@account, account_params.except(:settings))
      current_user.update!(settings_attributes: account_params[:settings])
-      ActivityPub::UpdateDistributionWorker.perform_async(@account.id)
+      ActivityPub::UpdateDistributionWorker.perform_in(ActivityPub::UpdateDistributionWorker::DEBOUNCE_DELAY, @account.id)
      redirect_to settings_privacy_path, notice: I18n.t('generic.changes_saved_msg')
    else
      render :show
--- a/app/controllers/settings/profiles_controller.rb
+++ b/app/controllers/settings/profiles_controller.rb
@@ -9,7 +9,7 @@ class Settings::ProfilesController < Settings::BaseController
  def update
    if UpdateAccountService.new.call(@account, account_params)
-      ActivityPub::UpdateDistributionWorker.perform_async(@account.id)
+      ActivityPub::UpdateDistributionWorker.perform_in(ActivityPub::UpdateDistributionWorker::DEBOUNCE_DELAY, @account.id)
      redirect_to settings_profile_path, notice: I18n.t('generic.changes_saved_msg')
    else
      @account.build_fields
--- a/app/controllers/settings/two_factor_authentication/otp_authentication_controller.rb
+++ b/app/controllers/settings/two_factor_authentication/otp_authentication_controller.rb
@@ -15,7 +15,7 @@ module Settings
      end
      def create
-        session[:new_otp_secret] = User.generate_otp_secret(32)
+        session[:new_otp_secret] = User.generate_otp_secret
        redirect_to new_settings_two_factor_authentication_confirmation_path
      end
--- a/app/controllers/settings/verifications_controller.rb
+++ b/app/controllers/settings/verifications_controller.rb
@@ -2,14 +2,30 @@
 class Settings::VerificationsController < Settings::BaseController
  before_action :set_account
  before_action :set_verified_links
-  def show
+  def show; end
-    @verified_links = @account.fields.select(&:verified?)
+
  def update
    if UpdateAccountService.new.call(@account, account_params)
      ActivityPub::UpdateDistributionWorker.perform_in(ActivityPub::UpdateDistributionWorker::DEBOUNCE_DELAY, @account.id)
      redirect_to settings_verification_path, notice: I18n.t('generic.changes_saved_msg')
    else
      render :show
    end
  end
  private
  def account_params
    params.require(:account).permit(:attribution_domains_as_text)
  end
  def set_account
    @account = current_account
  end
  def set_verified_links
    @verified_links = @account.fields.select(&:verified?)
  end
 end
--- a/app/controllers/severed_relationships_controller.rb
+++ b/app/controllers/severed_relationships_controller.rb
@@ -4,7 +4,6 @@ class SeveredRelationshipsController < ApplicationController
  layout 'admin'
  before_action :authenticate_user!
  before_action :set_body_classes
  before_action :set_cache_headers
  before_action :set_event, only: [:following, :followers]
@@ -51,10 +50,6 @@ class SeveredRelationshipsController < ApplicationController
    account.local? ? account.local_username_and_domain : account.acct
  end
  def set_body_classes
    @body_classes = 'admin'
  end
  def set_cache_headers
    response.cache_control.replace(private: true, no_store: true)
  end
--- a/app/controllers/shares_controller.rb
+++ b/app/controllers/shares_controller.rb
@@ -4,13 +4,6 @@ class SharesController < ApplicationController
  layout 'modal'
  before_action :authenticate_user!
  before_action :set_body_classes
  def show; end
  private
  def set_body_classes
    @body_classes = 'modal-layout compose-standalone'
  end
 end
--- a/app/controllers/statuses_cleanup_controller.rb
+++ b/app/controllers/statuses_cleanup_controller.rb
@@ -5,7 +5,6 @@ class StatusesCleanupController < ApplicationController
  before_action :authenticate_user!
  before_action :set_policy
  before_action :set_body_classes
  before_action :set_cache_headers
  def show; end
@@ -34,10 +33,6 @@ class StatusesCleanupController < ApplicationController
    params.require(:account_statuses_cleanup_policy).permit(:enabled, :min_status_age, :keep_direct, :keep_pinned, :keep_polls, :keep_media, :keep_self_fav, :keep_self_bookmark, :min_favs, :min_reblogs)
  end
  def set_body_classes
    @body_classes = 'admin'
  end
  def set_cache_headers
    response.cache_control.replace(private: true, no_store: true)
  end
--- a/app/controllers/statuses_controller.rb
+++ b/app/controllers/statuses_controller.rb
@@ -11,7 +11,6 @@ class StatusesController < ApplicationController
  before_action :require_account_signature!, only: [:show, :activity], if: -> { request.format == :json && authorized_fetch_mode? }
  before_action :set_status
  before_action :redirect_to_original, only: :show
  before_action :set_body_classes, only: :embed
  after_action :set_link_headers
@@ -51,12 +50,10 @@ class StatusesController < ApplicationController
  private
  def set_body_classes
    @body_classes = 'with-modals'
  end
  def set_link_headers
-    response.headers['Link'] = LinkHeader.new([[ActivityPub::TagManager.instance.uri_for(@status), [%w(rel alternate), %w(type application/activity+json)]]])
+    response.headers['Link'] = LinkHeader.new(
      [[ActivityPub::TagManager.instance.uri_for(@status), [%w(rel alternate), %w(type application/activity+json)]]]
    ).to_s
  end
  def set_status
--- a/app/controllers/well_known/host_meta_controller.rb
+++ b/app/controllers/well_known/host_meta_controller.rb
@@ -7,7 +7,23 @@ module WellKnown
    def show
      @webfinger_template = "#{webfinger_url}?resource={uri}"
      expires_in 3.days, public: true
-      render content_type: 'application/xrd+xml', formats: [:xml]
+
      respond_to do |format|
        format.any do
          render content_type: 'application/xrd+xml', formats: [:xml]
        end
        format.json do
          render json: {
            links: [
              {
                rel: 'lrdd',
                template: @webfinger_template,
              },
            ],
          }
        end
      end
    end
  end
 end
--- a/app/helpers/accounts_helper.rb
+++ b/app/helpers/accounts_helper.rb
@@ -19,14 +19,6 @@ module AccountsHelper
    end
  end
  def account_action_button(account)
    return if account.memorial? || account.moved?
    link_to ActivityPub::TagManager.instance.url_for(account), class: 'button logo-button', target: '_new' do
      safe_join([logo_as_symbol, t('accounts.follow')])
    end
  end
  def hide_followers_count?(account)
    Setting.hide_followers_count || account.user&.settings&.[]('hide_followers_count')
  end
--- a/app/helpers/admin/action_logs_helper.rb
+++ b/app/helpers/admin/action_logs_helper.rb
@@ -35,4 +35,11 @@ module Admin::ActionLogsHelper
      end
    end
  end
  def sorted_action_log_types
    Admin::ActionLogFilter::ACTION_TYPE_MAP
      .keys
      .map { |key| [I18n.t("admin.action_logs.action_types.#{key}"), key] }
      .sort_by(&:first)
  end
 end
--- a/app/helpers/admin/dashboard_helper.rb
+++ b/app/helpers/admin/dashboard_helper.rb
@@ -18,6 +18,11 @@ module Admin::DashboardHelper
    end
  end
  def date_range(range)
    [l(range.first), l(range.last)]
      .join(' - ')
  end
  def relevant_account_timestamp(account)
    timestamp, exact = if account.user_current_sign_in_at && account.user_current_sign_in_at < 24.hours.ago
                         [account.user_current_sign_in_at, true]
@@ -25,6 +30,8 @@ module Admin::DashboardHelper
                         [account.user_current_sign_in_at, false]
                       elsif account.user_pending?
                         [account.user_created_at, true]
                       elsif account.suspended_at.present? && account.local? && account.user.nil?
                         [account.suspended_at, true]
                       elsif account.last_status_at.present?
                         [account.last_status_at, true]
                       else
--- a/app/helpers/admin/trends/statuses_helper.rb
+++ b/app/helpers/admin/trends/statuses_helper.rb
@@ -2,11 +2,18 @@
 module Admin::Trends::StatusesHelper
  def one_line_preview(status)
-    text = if status.local?
+    text = begin
-             status.text.split("\n").first
+      if status.local?
-           else
+        status.text.split("\n").first
-             Nokogiri::HTML(status.text).css('html > body > *').first&.text
+      else
-           end
+        Nokogiri::HTML5(status.text).css('html > body > *').first&.text
      end
    rescue ArgumentError
      # This can happen if one of the Nokogumbo limits is encountered
      # Unfortunately, it does not use a more precise error class
      # nor allows more graceful handling
      ''
    end
    return '' if text.blank?
--- a/Show More
+++ b/Show More
		`@@ -1 +0,0 @@`
			`LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/app/.apt/lib/x86_64-linux-gnu:/app/.apt/usr/lib/x86_64-linux-gnu/mesa:/app/.apt/usr/lib/x86_64-linux-gnu/pulseaudio:/app/.apt/usr/lib/x86_64-linux-gnu/openblas-pthread`