Merge pull request #3359 from ClearlyClaire/glitch-soc/merge-4.3

Merge upstream changes up to fa553d8484 into stable-4.3

.env.production.sample

@@ -73,6 +73,16 @@ DB_PORT=5432
 SECRET_KEY_BASE=
 OTP_SECRET=
 
+# Encryption secrets
+# ------------------
+# Must be available (and set to same values) for all server processes
+# These are private/secret values, do not share outside hosting environment
+# Use `bin/rails db:encryption:init` to generate fresh secrets
+# Do NOT change these secrets once in use, as this would cause data loss and other issues
+# ------------------
+# ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=
+# ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=
+# ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=
 
 # Web Push
 # --------

.github/actions/setup-ruby/action.yml

@@ -21,3 +21,4 @@ runs:
       with:
         ruby-version: ${{ inputs.ruby-version }}
         bundler-cache: true
+        cache-version: 4.3

.github/workflows/build-container-image.yml

@@ -1,14 +1,9 @@
 on:
   workflow_call:
     inputs:
-      platforms:
-        required: true
-        type: string
       cache:
         type: boolean
         default: true
-      use_native_arm64_builder:
-        type: boolean
       push_to_images:
         type: string
       version_prerelease:
@@ -24,42 +19,36 @@ on:
       file_to_build:
         type: string
 
+# This builds multiple images with one runner each, allowing us to build for multiple architectures
+# using Github's runners.
+# The two-step process is adapted form:
+# https://docs.docker.com/build/ci/github-actions/multi-platform/#distribute-build-across-multiple-runners
 jobs:
+  # Build each (amd64 and arm64) image separately
   build-image:
-    runs-on: ubuntu-latest
+    runs-on: ${{ startsWith(matrix.platform, 'linux/arm') && 'ubuntu-24.04-arm' || 'ubuntu-24.04' }}
+    strategy:
+      fail-fast: false
+      matrix:
+        platform:
+          - linux/amd64
+          - linux/arm64
 
     steps:
       - uses: actions/checkout@v4
 
-      - uses: docker/setup-qemu-action@v3
-        if: contains(inputs.platforms, 'linux/arm64') && !inputs.use_native_arm64_builder
+      - name: Prepare
+        env:
+          PUSH_TO_IMAGES: ${{ inputs.push_to_images }}
+        run: |
+          platform=${{ matrix.platform }}
+          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
+          # Transform multi-line variable into comma-separated variable
+          image_names=${PUSH_TO_IMAGES//$'\n'/,}
+          echo "IMAGE_NAMES=${image_names%,}" >> $GITHUB_ENV
 
       - uses: docker/setup-buildx-action@v3
         id: buildx
-        if: ${{ !(inputs.use_native_arm64_builder && contains(inputs.platforms, 'linux/arm64')) }}
-
-      - name: Start a local Docker Builder
-        if: inputs.use_native_arm64_builder && contains(inputs.platforms, 'linux/arm64')
-        run: |
-          docker run --rm -d --name buildkitd -p 1234:1234 --privileged moby/buildkit:latest --addr tcp://0.0.0.0:1234
-
-      - uses: docker/setup-buildx-action@v3
-        id: buildx-native
-        if: inputs.use_native_arm64_builder && contains(inputs.platforms, 'linux/arm64')
-        with:
-          driver: remote
-          endpoint: tcp://localhost:1234
-          platforms: linux/amd64
-          append: |
-            - endpoint: tcp://${{ vars.DOCKER_BUILDER_HETZNER_ARM64_01_HOST }}:13865
-              platforms: linux/arm64
-              name: mastodon-docker-builder-arm64-01
-              driver-opts:
-                - servername=mastodon-docker-builder-arm64-01
-        env:
-          BUILDER_NODE_1_AUTH_TLS_CACERT: ${{ secrets.DOCKER_BUILDER_HETZNER_ARM64_01_CACERT }}
-          BUILDER_NODE_1_AUTH_TLS_CERT: ${{ secrets.DOCKER_BUILDER_HETZNER_ARM64_01_CERT }}
-          BUILDER_NODE_1_AUTH_TLS_KEY: ${{ secrets.DOCKER_BUILDER_HETZNER_ARM64_01_KEY }}
 
       - name: Log in to Docker Hub
         if: contains(inputs.push_to_images, 'tootsuite')
@@ -76,8 +65,91 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - uses: docker/metadata-action@v5
+      - name: Docker meta
         id: meta
+        uses: docker/metadata-action@v5
+        if: ${{ inputs.push_to_images != '' }}
+        with:
+          images: ${{ inputs.push_to_images }}
+          flavor: ${{ inputs.flavor }}
+          labels: ${{ inputs.labels }}
+
+      - name: Build and push by digest
+        id: build
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ${{ inputs.file_to_build }}
+          build-args: |
+            MASTODON_VERSION_PRERELEASE=${{ inputs.version_prerelease }}
+            MASTODON_VERSION_METADATA=${{ inputs.version_metadata }}
+            SOURCE_COMMIT=${{ github.sha }}
+          platforms: ${{ matrix.platform }}
+          provenance: false
+          push: ${{ inputs.push_to_images != '' }}
+          cache-from: ${{ inputs.cache && 'type=gha' || '' }}
+          cache-to: ${{ inputs.cache && 'type=gha,mode=max' || '' }}
+          outputs: type=image,"name=${{ env.IMAGE_NAMES }}",push-by-digest=true,name-canonical=true,push=${{ inputs.push_to_images != '' }}
+
+      - name: Export digest
+        if: ${{ inputs.push_to_images != '' }}
+        run: |
+          mkdir -p "${{ runner.temp }}/digests"
+          digest="${{ steps.build.outputs.digest }}"
+          touch "${{ runner.temp }}/digests/${digest#sha256:}"
+
+      - name: Upload digest
+        if: ${{ inputs.push_to_images != '' }}
+        uses: actions/upload-artifact@v4
+        with:
+          # `hashFiles` is used to disambiguate between streaming and non-streaming images
+          name: digests-${{ hashFiles(inputs.file_to_build) }}-${{ env.PLATFORM_PAIR }}
+          path: ${{ runner.temp }}/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  # Then merge the docker images into a single one
+  merge-images:
+    if: ${{ inputs.push_to_images != '' }}
+    runs-on: ubuntu-24.04
+    needs:
+      - build-image
+
+    env:
+      PUSH_TO_IMAGES: ${{ inputs.push_to_images }}
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Download digests
+        uses: actions/download-artifact@v4
+        with:
+          path: ${{ runner.temp }}/digests
+          # `hashFiles` is used to disambiguate between streaming and non-streaming images
+          pattern: digests-${{ hashFiles(inputs.file_to_build) }}-*
+          merge-multiple: true
+
+      - name: Log in to Docker Hub
+        if: contains(inputs.push_to_images, 'tootsuite')
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Log in to the GitHub Container registry
+        if: contains(inputs.push_to_images, 'ghcr.io')
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
         if: ${{ inputs.push_to_images != '' }}
         with:
           images: ${{ inputs.push_to_images }}
@@ -85,18 +157,14 @@ jobs:
           tags: ${{ inputs.tags }}
           labels: ${{ inputs.labels }}
 
-      - uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: ${{ inputs.file_to_build }}
-          build-args: |
-            MASTODON_VERSION_PRERELEASE=${{ inputs.version_prerelease }}
-            MASTODON_VERSION_METADATA=${{ inputs.version_metadata }}
-          platforms: ${{ inputs.platforms }}
-          provenance: false
-          builder: ${{ steps.buildx.outputs.name || steps.buildx-native.outputs.name }}
-          push: ${{ inputs.push_to_images != '' }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          cache-from: ${{ inputs.cache && 'type=gha' || '' }}
-          cache-to: ${{ inputs.cache && 'type=gha,mode=max' || '' }}
+      - name: Create manifest list and push
+        working-directory: ${{ runner.temp }}/digests
+        run: |
+          echo "$PUSH_TO_IMAGES" | xargs -I{} \
+            docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+              $(printf '{}@sha256:%s ' *)
+
+      - name: Inspect image
+        run: |
+          echo "$PUSH_TO_IMAGES" | xargs -i{} \
+            docker buildx imagetools inspect {}:${{ steps.meta.outputs.version }}

.github/workflows/build-nightly.yml

@@ -26,8 +26,6 @@ jobs:
     uses: ./.github/workflows/build-container-image.yml
     with:
       file_to_build: Dockerfile
-      platforms: linux/amd64,linux/arm64
-      use_native_arm64_builder: false
       cache: false
       push_to_images: |
         ghcr.io/${{ github.repository_owner }}/mastodon
@@ -47,8 +45,6 @@ jobs:
     uses: ./.github/workflows/build-container-image.yml
     with:
       file_to_build: streaming/Dockerfile
-      platforms: linux/amd64,linux/arm64
-      use_native_arm64_builder: false
       cache: false
       push_to_images: |
         ghcr.io/${{ github.repository_owner }}/mastodon-streaming

.github/workflows/build-push-pr.yml

@@ -21,17 +21,17 @@ jobs:
         uses: actions/checkout@v4
       - id: version_vars
         run: |
-          echo mastodon_version_metadata=pr-${{ github.event.pull_request.number }}-$(git rev-parse --short HEAD) >> $GITHUB_OUTPUT
+          echo mastodon_version_metadata=pr-${{ github.event.pull_request.number }}-$(git rev-parse --short ${{github.event.pull_request.head.sha}}) >> $GITHUB_OUTPUT
+          echo mastodon_short_sha=$(git rev-parse --short ${{github.event.pull_request.head.sha}}) >> $GITHUB_OUTPUT
     outputs:
       metadata: ${{ steps.version_vars.outputs.mastodon_version_metadata }}
+      short_sha: ${{ steps.version_vars.outputs.mastodon_short_sha }}
 
   build-image:
     needs: compute-suffix
     uses: ./.github/workflows/build-container-image.yml
     with:
       file_to_build: Dockerfile
-      platforms: linux/amd64,linux/arm64
-      use_native_arm64_builder: false
       push_to_images: |
         ghcr.io/${{ github.repository_owner }}/mastodon
       version_metadata: ${{ needs.compute-suffix.outputs.metadata }}
@@ -39,6 +39,7 @@ jobs:
         latest=auto
       tags: |
         type=ref,event=pr
+        type=ref,event=pr,suffix=-${{ needs.compute-suffix.outputs.short_sha }}
     secrets: inherit
 
   build-image-streaming:
@@ -46,8 +47,6 @@ jobs:
     uses: ./.github/workflows/build-container-image.yml
     with:
       file_to_build: streaming/Dockerfile
-      platforms: linux/amd64,linux/arm64
-      use_native_arm64_builder: false
       push_to_images: |
         ghcr.io/${{ github.repository_owner }}/mastodon-streaming
       version_metadata: ${{ needs.compute-suffix.outputs.metadata }}
@@ -55,4 +54,5 @@ jobs:
         latest=auto
       tags: |
         type=ref,event=pr
+        type=ref,event=pr,suffix=-${{ needs.compute-suffix.outputs.short_sha }}
     secrets: inherit

.github/workflows/build-releases.yml

@@ -13,8 +13,6 @@ jobs:
     uses: ./.github/workflows/build-container-image.yml
     with:
       file_to_build: Dockerfile
-      platforms: linux/amd64,linux/arm64
-      use_native_arm64_builder: false
       push_to_images: |
         ghcr.io/${{ github.repository_owner }}/mastodon
       # Do not use cache when building releases, so apt update is always ran and the release always contain the latest packages
@@ -22,7 +20,7 @@ jobs:
       # Only tag with latest when ran against the latest stable branch
       # This needs to be updated after each minor version release
       flavor: |
-        latest=${{ startsWith(github.ref, 'refs/tags/v4.2.') }}
+        latest=false
       tags: |
         type=pep440,pattern={{raw}}
         type=pep440,pattern=v{{major}}.{{minor}}
@@ -33,8 +31,6 @@ jobs:
     uses: ./.github/workflows/build-container-image.yml
     with:
       file_to_build: streaming/Dockerfile
-      platforms: linux/amd64,linux/arm64
-      use_native_arm64_builder: false
       push_to_images: |
         ghcr.io/${{ github.repository_owner }}/mastodon-streaming
       # Do not use cache when building releases, so apt update is always ran and the release always contain the latest packages
@@ -42,7 +38,7 @@ jobs:
       # Only tag with latest when ran against the latest stable branch
       # This needs to be updated after each minor version release
       flavor: |
-        latest=${{ startsWith(github.ref, 'refs/tags/v4.3.') }}
+        latest=false
       tags: |
         type=pep440,pattern={{raw}}
         type=pep440,pattern=v{{major}}.{{minor}}

.github/workflows/build-security.yml

@@ -23,8 +23,6 @@ jobs:
     uses: ./.github/workflows/build-container-image.yml
     with:
       file_to_build: Dockerfile
-      platforms: linux/amd64,linux/arm64
-      use_native_arm64_builder: false
       cache: false
       push_to_images: |
         ghcr.io/${{ github.repository_owner }}/mastodon
@@ -44,8 +42,6 @@ jobs:
     uses: ./.github/workflows/build-container-image.yml
     with:
       file_to_build: streaming/Dockerfile
-      platforms: linux/amd64,linux/arm64
-      use_native_arm64_builder: false
       cache: false
       push_to_images: |
         ghcr.io/${{ github.repository_owner }}/mastodon-streaming

.github/workflows/test-image-build.yml

@@ -20,7 +20,6 @@ jobs:
     uses: ./.github/workflows/build-container-image.yml
     with:
       file_to_build: Dockerfile
-      platforms: linux/amd64 # Testing only on native platform so it is performant
       cache: true
 
   build-image-streaming:
@@ -31,5 +30,4 @@ jobs:
     uses: ./.github/workflows/build-container-image.yml
     with:
       file_to_build: streaming/Dockerfile
-      platforms: linux/amd64 # Testing only on native platform so it is performant
       cache: true

.github/workflows/test-migrations.yml

@@ -32,6 +32,8 @@ jobs:
         postgres:
           - 14-alpine
           - 15-alpine
+          - 16-alpine
+          - 17-alpine
 
     services:
       postgres:

.github/workflows/test-ruby.yml

@@ -127,6 +127,7 @@ jobs:
           - '3.1'
           - '3.2'
           - '.ruby-version'
+          - '3.4'
     steps:
       - uses: actions/checkout@v4
 
@@ -143,7 +144,7 @@ jobs:
         uses: ./.github/actions/setup-ruby
         with:
           ruby-version: ${{ matrix.ruby-version}}
-          additional-system-dependencies: ffmpeg libpam-dev
+          additional-system-dependencies: ffmpeg imagemagick libpam-dev
 
       - name: Load database schema
         run: |
@@ -229,6 +230,7 @@ jobs:
           - '3.1'
           - '3.2'
           - '.ruby-version'
+          - '3.4'
     steps:
       - uses: actions/checkout@v4
 
@@ -245,7 +247,7 @@ jobs:
         uses: ./.github/actions/setup-ruby
         with:
           ruby-version: ${{ matrix.ruby-version}}
-          additional-system-dependencies: ffmpeg libpam-dev libyaml-dev
+          additional-system-dependencies: ffmpeg libpam-dev
 
       - name: Load database schema
         run: './bin/rails db:create db:schema:load db:seed'
@@ -308,6 +310,7 @@ jobs:
           - '3.1'
           - '3.2'
           - '.ruby-version'
+          - '3.4'
 
     steps:
       - uses: actions/checkout@v4
@@ -325,7 +328,7 @@ jobs:
         uses: ./.github/actions/setup-ruby
         with:
           ruby-version: ${{ matrix.ruby-version}}
-          additional-system-dependencies: ffmpeg
+          additional-system-dependencies: ffmpeg imagemagick
 
       - name: Set up Javascript environment
         uses: ./.github/actions/setup-javascript
@@ -425,6 +428,7 @@ jobs:
           - '3.1'
           - '3.2'
           - '.ruby-version'
+          - '3.4'
         search-image:
           - docker.elastic.co/elasticsearch/elasticsearch:7.17.13
         include:
@@ -445,7 +449,7 @@ jobs:
         uses: ./.github/actions/setup-ruby
         with:
           ruby-version: ${{ matrix.ruby-version}}
-          additional-system-dependencies: ffmpeg
+          additional-system-dependencies: ffmpeg imagemagick
 
       - name: Set up Javascript environment
         uses: ./.github/actions/setup-javascript

.rubocop_todo.yml

@@ -21,11 +21,11 @@ Metrics/BlockNesting:
 
 # Configuration parameters: AllowedMethods, AllowedPatterns.
 Metrics/CyclomaticComplexity:
-  Max: 25
+  Enabled: false
 
 # Configuration parameters: AllowedMethods, AllowedPatterns.
 Metrics/PerceivedComplexity:
-  Max: 27
+  Enabled: false
 
 Rails/OutputSafety:
   Exclude:

CHANGELOG.md

@@ -2,6 +2,339 @@
 
 All notable changes to this project will be documented in this file.
 
+## [4.3.18] - 2026-01-20
+
+### Security
+
+- Fix missing limits on various federated properties [GHSA-gg8q-rcg7-p79g](https://github.com/mastodon/mastodon/security/advisories/GHSA-gg8q-rcg7-p79g)
+- Fix remote user suspension bypass [GHSA-5h2f-wg8j-xqwp](https://github.com/mastodon/mastodon/security/advisories/GHSA-5h2f-wg8j-xqwp)
+- Fix missing length limits on some user-provided fields [GHSA-6x3w-9g92-gvf3](https://github.com/mastodon/mastodon/security/advisories/GHSA-6x3w-9g92-gvf3)
+- Fix missing access check for push notification settings update [GHSA-f3q8-7vw3-69v4](https://github.com/mastodon/mastodon/security/advisories/GHSA-f3q8-7vw3-69v4)
+
+### Fixed
+
+- Fix `FeedManager#filter_from_home` error when handling a reblog of a deleted status (#37486 by @ClearlyClaire)
+- Fix needlessly complicated SQL query in status batch removal (#37469 by @ClearlyClaire)
+- Fix `Vary` parsing in cache control enforcement (#37426 by @MegaManSec)
+- Fix thread-unsafe ActivityPub activity dispatch (#37423 by @MegaManSec)
+- Fix SignatureParser accepting duplicate parameters in HTTP Signature header (#37375 by @shleeable)
+
+## [4.3.17] - 2026-01-07
+
+### Security
+
+- Fix SSRF protection bypass ([GHSA](https://github.com/mastodon/mastodon/security/advisories/GHSA-xfrj-c749-jxxq))
+- Fix missing ownership check in severed relationships controller ([GHSA](https://github.com/mastodon/mastodon/security/advisories/GHSA-ww85-x9cp-5v24))
+
+### Fixed
+
+- Fix mentions of domain-blocked users being processed (#37257 by @ClearlyClaire)
+
+## [4.3.16] - 2025-12-08
+
+### Security
+
+- Fix inconsistent error handling leaking information on existence of private posts ([GHSA-gwhw-gcjx-72v8](https://github.com/mastodon/mastodon/security/advisories/GHSA-gwhw-gcjx-72v8))
+
+### Fixed
+
+- Fix YouTube embeds by sending referer (#37126 by @ChaosExAnima)
+- Fix YouTube iframe not being able to start at a defined time (#26584 by @BrunoViveiros)
+- Fix known expensive S3 batch delete operation failing because of short timeouts (#37004 by @ClearlyClaire)
+
+## [4.3.15] - 2025-11-20
+
+### Fixed
+
+- Fix `tootctl upgrade storage-schema` failing with `ArgumentError` (#36914 by @shugo)
+- Fix old previously-undiscovered posts being treated as new when receiving an `Update` (#36848 by @ClearlyClaire)
+
+## [4.3.14] - 2025-10-13
+
+### Security
+
+- Update dependencies `rack` and `uri`
+- Fix streaming server connection not being closed on user suspension (by @ThisIsMissEm, [GHSA-r2fh-jr9c-9pxh](https://github.com/mastodon/mastodon/security/advisories/GHSA-r2fh-jr9c-9pxh))
+- Fix password change through admin CLI not invalidating existing sessions and access tokens (by @ThisIsMissEm, [GHSA-f3q3-rmf7-9655](https://github.com/mastodon/mastodon/security/advisories/GHSA-f3q3-rmf7-9655))
+- Fix streaming server allowing access to public timelines even without the `read` or `read:statuses` OAuth scopes (by @ThisIsMissEm, [GHSA-7gwh-mw97-qjgp](https://github.com/mastodon/mastodon/security/advisories/GHSA-7gwh-mw97-qjgp))
+
+### Fixed
+
+- Fix redirect to external object when URL is missing or malformed (#36347 by @ClearlyClaire)
+
+## [4.3.13] - 2025-09-23
+
+### Security
+
+- Update dependencies
+
+### Fixed
+
+- Fix processing of out-of-order `Update` as implicit updates (#36190 by @ClearlyClaire)
+- Fix getting `Create` and `Update` out of order (#36176 by @ClearlyClaire)
+
+## [4.3.12] - 2025-09-16
+
+### Security
+
+- Update dependencies
+
+### Fixed
+
+- Fix processing of remote edited statuses with new media and no text (#35970 by @unfokus)
+- Fix “Edit” and “Delete & Redraft” on a poll not inserting empty option (#35892 by @ClearlyClaire)
+- Fix self-destruct scheduler behavior on some Redis setups (#35823 by @ClearlyClaire)
+
+## [4.3.11] - 2025-08-05
+
+### Security
+
+- Update dependencies
+- Fix incorrect rate-limit handling [GHSA-84ch-6436-c7mg](https://github.com/mastodon/mastodon/security/advisories/GHSA-84ch-6436-c7mg)
+
+### Fixed
+
+- Fix race condition caused by ActiveRecord query cache in `Create` critical path (#35662 by @ClearlyClaire)
+- Fix WebUI crashing for accounts with `null` URL (#35651 by @ClearlyClaire)
+- Fix friends-of-friends recommendations suggesting already-requested accounts (#35604 by @ClearlyClaire)
+
+## [4.3.10] - 2025-07-23
+
+### Security
+
+- Updated dependencies
+
+## [4.3.9] - 2025-07-02
+
+### Changed
+
+- Change passthrough video processing to emit `moov` atom at start of video (#34726 by @ClearlyClaire)
+
+### Fixed
+
+- Fix `NoMethodError` in edge case of emoji cache handling (#34749 by @dariusk)
+- Fix error when viewing statuses to deleted replies in moderation view (#32986 by @ClearlyClaire)
+- Fix search operators sometimes getting lost (#35190 by @ClearlyClaire)
+- Fix “Alt text” button submitting form in moderation interface (#35147 by @ClearlyClaire)
+- Fix handling of remote attachments with multiple media types (#34996 by @ClearlyClaire)
+- Fix blocked accounts not being automatically removed from trending statuses (#34891 by @ClearlyClaire)
+- Fix inconsistent filtering of silenced accounts for other silenced accounts (#34863 by @ClearlyClaire)
+- Fix handling of inlined `featured` collections in ActivityPub actor objects (#34789 and #34811 by @ClearlyClaire)
+- Fix admin dashboard crash on specific Elasticsearch connection errors (#34683 by @ClearlyClaire)
+- Fix OIDC account creation failing for long display names (#34639 by @defnull)
+- Fix `/share` not using server-set characters limit (#33459 by @kescherCode)
+- Fix wrong video dimensions for some rotated videos (#33008 and #33261 by @Gargron and @tribela)
+- Fix missing autofocus on boost modal (#32953 by @tribela)
+
+## [4.3.8] - 2025-05-06
+
+### Security
+
+- Update dependencies
+- Check scheme on account, profile, and media URLs ([GHSA-x2rc-v5wx-g3m5](https://github.com/mastodon/mastodon/security/advisories/GHSA-x2rc-v5wx-g3m5))
+
+### Added
+
+- Add warning for REDIS_NAMESPACE deprecation at startup (#34581 by @ClearlyClaire)
+- Add built-in context for interaction policies (#34574 by @ClearlyClaire)
+
+### Changed
+
+- Change activity distribution error handling to skip retrying for deleted accounts (#33617 by @ClearlyClaire)
+
+### Removed
+
+- Remove double-query for signed query strings (#34610 by @ClearlyClaire)
+
+### Fixed
+
+- Fix incorrect redirect in response to unauthenticated API requests in limited federation mode (#34549 by @ClearlyClaire)
+- Fix sign-up e-mail confirmation page reloading on error or redirect (#34548 by @ClearlyClaire)
+
+## [4.3.7] - 2025-04-02
+
+### Added
+
+- Add delay to profile updates to debounce them (#34137 by @ClearlyClaire)
+- Add support for paginating partial collections in `SynchronizeFollowersService` (#34272 and #34277 by @ClearlyClaire)
+
+### Changed
+
+- Change account suspensions to be federated to recently-followed accounts as well (#34294 by @ClearlyClaire)
+- Change `AccountReachFinder` to consider statuses based on suspension date (#32805 and #34291 by @ClearlyClaire and @mjankowski)
+- Change user archive signed URL TTL from 10 seconds to 1 hour (#34254 by @ClearlyClaire)
+
+### Fixed
+
+- Fix static version of animated PNG emojis not being properly extracted (#34337 by @ClearlyClaire)
+- Fix filters not applying in detailed view, favourites and bookmarks (#34259 and #34260 by @ClearlyClaire)
+- Fix handling of malformed/unusual HTML (#34201 by @ClearlyClaire)
+- Fix `CacheBuster` being queued for missing media attachments (#34253 by @ClearlyClaire)
+- Fix incorrect URL being used when cache busting (#34189 by @ClearlyClaire)
+- Fix streaming server refusing unix socket path in `DATABASE_URL` (#34091 by @ClearlyClaire)
+- Fix “x” hotkey not working on boosted filtered posts (#33758 by @ClearlyClaire)
+
+## [4.3.6] - 2025-03-13
+
+### Security
+
+- Update dependency `omniauth-saml`
+- Update dependency `rack`
+
+### Fixed
+
+- Fix Stoplight errors when using `REDIS_NAMESPACE` (#34126 by @ClearlyClaire)
+
+## [4.3.5] - 2025-03-10
+
+### Changed
+
+- Change hashtag suggestion to prefer personal history capitalization (#34070 by @ClearlyClaire)
+
+### Fixed
+
+- Fix processing errors for some HEIF images from iOS 18 (#34086 by @renchap)
+- Fix streaming server not filtering unknown-language posts from public timelines (#33774 by @ClearlyClaire)
+- Fix preview cards under Content Warnings not being shown in detailed statuses (#34068 by @ClearlyClaire)
+- Fix username and display name being hidden on narrow screens in moderation interface (#33064 by @ClearlyClaire)
+
+## [4.3.4] - 2025-02-27
+
+### Security
+
+- Update dependencies
+- Change HTML sanitization to remove unusable and unused `embed` tag (#34021 by @ClearlyClaire, [GHSA-mq2m-hr29-8gqf](https://github.com/mastodon/mastodon/security/advisories/GHSA-mq2m-hr29-8gqf))
+- Fix rate-limit on sign-up email verification ([GHSA-v39f-c9jj-8w7h](https://github.com/mastodon/mastodon/security/advisories/GHSA-v39f-c9jj-8w7h))
+- Fix improper disclosure of domain blocks to unverified users ([GHSA-94h4-fj37-c825](https://github.com/mastodon/mastodon/security/advisories/GHSA-94h4-fj37-c825))
+
+### Changed
+
+- Change preview cards to be shown when Content Warnings are expanded (#33827 by @ClearlyClaire)
+- Change warnings against changing encryption secrets to be even more noticeable (#33631 by @ClearlyClaire)
+- Change `mastodon:setup` to prevent overwriting already-configured servers (#33603, #33616, and #33684 by @ClearlyClaire and @mjankowski)
+- Change notifications from moderators to not be filtered (#32974 and #33654 by @ClearlyClaire and @mjankowski)
+
+### Fixed
+
+- Fix `GET /api/v2/notifications/:id` and `POST /api/v2/notifications/:id/dismiss` for ungrouped notifications (#33990 by @ClearlyClaire)
+- Fix issue with some versions of libvips on some systems (#33853 by @kleisauke)
+- Fix handling of duplicate mentions in incoming status `Update` (#33911 by @ClearlyClaire)
+- Fix inefficiencies in timeline generation (#33839 and #33842 by @ClearlyClaire)
+- Fix emoji rewrite adding unnecessary curft to the DOM for most emoji (#33818 by @ClearlyClaire)
+- Fix `tootctl feeds build` not building list timelines (#33783 by @ClearlyClaire)
+- Fix flaky test in `/api/v2/notifications` tests (#33773 by @ClearlyClaire)
+- Fix incorrect signature after HTTP redirect (#33757 and #33769 by @ClearlyClaire)
+- Fix polls not being validated on edition (#33755 by @ClearlyClaire)
+- Fix media preview height in compose form when 3 or more images are attached (#33571 by @ClearlyClaire)
+- Fix preview card sizing in “Author attribution” in profile settings (#33482 by @ClearlyClaire)
+- Fix processing of incoming notifications for unfilterable types (#33429 by @ClearlyClaire)
+- Fix featured tags for remote accounts not being kept up to date (#33372, #33406, and #33425 by @ClearlyClaire and @mjankowski)
+- Fix notification polling showing a loading bar in web UI (#32960 by @Gargron)
+- Fix accounts table long display name (#29316 by @WebCoder49)
+- Fix exclusive lists interfering with notifications (#28162 by @ShadowJonathan)
+
+## [4.3.3] - 2025-01-16
+
+### Security
+
+- Fix insufficient validation of account URIs ([GHSA-5wxh-3p65-r4g6](https://github.com/mastodon/mastodon/security/advisories/GHSA-5wxh-3p65-r4g6))
+- Update dependencies
+
+### Fixed
+
+- Fix `libyaml` missing from `Dockerfile` build stage (#33591 by @vmstan)
+- Fix incorrect notification settings migration for non-followers (#33348 by @ClearlyClaire)
+- Fix down clause for notification policy v2 migrations (#33340 by @jesseplusplus)
+- Fix error decrementing status count when `FeaturedTags#last_status_at` is `nil` (#33320 by @ClearlyClaire)
+- Fix last paginated notification group only including data on a single notification (#33271 by @ClearlyClaire)
+- Fix processing of mentions for post edits with an existing corresponding silent mention (#33227 by @ClearlyClaire)
+- Fix deletion of unconfirmed users with Webauthn set (#33186 by @ClearlyClaire)
+- Fix empty authors preview card serialization (#33151, #33466 by @mjankowski and @ClearlyClaire)
+
+## [4.3.2] - 2024-12-03
+
+### Added
+
+- Add `tootctl feeds vacuum` (#33065 by @ClearlyClaire)
+- Add error message when user tries to follow their own account (#31910 by @lenikadali)
+- Add client_secret_expires_at to OAuth Applications (#30317 by @ThisIsMissEm)
+
+### Changed
+
+- Change design of Content Warnings and filters (#32543 by @ClearlyClaire)
+
+### Fixed
+
+- Fix processing incoming post edits with mentions to unresolvable accounts (#33129 by @ClearlyClaire)
+- Fix error when including multiple instances of `embed.js` (#33107 by @YKWeyer)
+- Fix inactive users' timelines being backfilled on follow and unsuspend (#33094 by @ClearlyClaire)
+- Fix direct inbox delivery pushing posts into inactive followers' timelines (#33067 by @ClearlyClaire)
+- Fix `TagFollow` records not being correctly handled in account operations (#33063 by @ClearlyClaire)
+- Fix pushing hashtag-followed posts to feeds of inactive users (#33018 by @Gargron)
+- Fix duplicate notifications in notification groups when using slow mode (#33014 by @ClearlyClaire)
+- Fix posts made in the future being allowed to trend (#32996 by @ClearlyClaire)
+- Fix uploading higher-than-wide GIF profile picture with libvips enabled (#32911 by @ClearlyClaire)
+- Fix domain attribution field having autocorrect and autocapitalize enabled (#32903 by @ClearlyClaire)
+- Fix titles being escaped twice (#32889 by @ClearlyClaire)
+- Fix list creation limit check (#32869 by @ClearlyClaire)
+- Fix error in `tootctl email_domain_blocks` when supplying `--with-dns-records` (#32863 by @mjankowski)
+- Fix `min_id` and `max_id` causing error in search API (#32857 by @Gargron)
+- Fix inefficiencies when processing removal of posts that use featured tags (#32787 by @ClearlyClaire)
+- Fix alt-text pop-in not using the translated description (#32766 by @ClearlyClaire)
+- Fix preview cards with long titles erroneously causing layout changes (#32678 by @ClearlyClaire)
+- Fix embed modal layout on mobile (#32641 by @DismalShadowX)
+- Fix and improve batch attachment deletion handling when using OpenStack Swift (#32637 by @hugogameiro)
+- Fix blocks not being applied on link timeline (#32625 by @tribela)
+- Fix follow counters being incorrectly changed (#32622 by @oneiros)
+- Fix 'unknown' media attachment type rendering (#32613 and #32713 by @ThisIsMissEm and @renatolond)
+- Fix tl language native name (#32606 by @seav)
+
+### Security
+
+- Update dependencies
+
+## [4.3.1] - 2024-10-21
+
+### Added
+
+- Add more explicit explanations about author attribution and `fediverse:creator` (#32383 by @ClearlyClaire)
+- Add ability to group follow notifications in WebUI, can be disabled in the column settings (#32520 by @renchap)
+- Add back a 6 hours mute duration option (#32522 by @renchap)
+- Add note about not changing ActiveRecord encryption secrets once they are set (#32413, #32476, #32512, and #32537 by @ClearlyClaire and @mjankowski)
+
+### Changed
+
+- Change translation feature to translate to selected regional variant (e.g. pt-BR) if available (#32428 by @c960657)
+
+### Removed
+
+- Remove ability to get embed code for remote posts (#32578 by @ClearlyClaire)\
+  Getting the embed code is only reliable for local posts.\
+  It never worked for non-Mastodon servers, and stopped working correctly with the changes made in 4.3.0.\
+  We have therefore decided to remove the menu entry while we investigate solutions.
+
+### Fixed
+
+- Fix follow recommendation moderation page default language when using regional variant (#32580 by @ClearlyClaire)
+- Fix column-settings spacing in local timeline in advanced view (#32567 by @lindwurm)
+- Fix broken i18n in text welcome mailer tags area (#32571 by @mjankowski)
+- Fix missing or incorrect cache-control headers for Streaming server (#32551 by @ThisIsMissEm)
+- Fix only the first paragraph being displayed in some notifications (#32348 by @ClearlyClaire)
+- Fix reblog icons on account media view (#32506 by @tribela)
+- Fix Content-Security-Policy not allowing OpenStack SWIFT object storage URI (#32439 by @kenkiku1021)
+- Fix back arrow pointing to the incorrect direction in RTL languages (#32485 by @renchap)
+- Fix streaming server using `REDIS_USERNAME` instead of `REDIS_USER` (#32493 by @ThisIsMissEm)
+- Fix follow recommendation carrousel scrolling on RTL layouts (#32462 and #32505 by @ClearlyClaire)
+- Fix follow recommendation suppressions not applying immediately (#32392 by @ClearlyClaire)
+- Fix language of push notifications (#32415 by @ClearlyClaire)
+- Fix mute duration not being shown in list of muted accounts in web UI (#32388 by @ClearlyClaire)
+- Fix “Mark every notification as read” not updating the read marker if scrolled down (#32385 by @ClearlyClaire)
+- Fix “Mention” appearing for otherwise filtered posts (#32356 by @ClearlyClaire)
+- Fix notification requests from suspended accounts still being listed (#32354 by @ClearlyClaire)
+- Fix list edition modal styling (#32358 and #32367 by @ClearlyClaire and @vmstan)
+- Fix 4 columns barely not fitting on 1920px screen (#32361 by @ClearlyClaire)
+- Fix icon alignment in applications list (#32293 by @mjankowski)
+
 ## [4.3.0] - 2024-10-08
 
 The following changelog entries focus on changes visible to users, administrators, client developers or federated software developers, but there has also been a lot of code modernization, refactoring, and tooling work, in particular by @mjankowski.
@@ -51,7 +384,7 @@ The following changelog entries focus on changes visible to users, administrator
 - **Add notifications of severed relationships** (#27511, #29665, #29668, #29670, #29700, #29714, #29712, and #29731 by @ClearlyClaire and @Gargron)\
   Notify local users when they lose relationships as a result of a local moderator blocking a remote account or server, allowing the affected user to retrieve the list of broken relationships.\
   Note that this does not notify remote users.\
-  This adds the `severed_relationships` notification type to the REST API and streaming, with a new [`relationship_severance_event` attribute](https://docs.joinmastodon.org/entities/Notification/#relationship_severance_event).
+  This adds the `severed_relationships` notification type to the REST API and streaming, with a new [`event` attribute](https://docs.joinmastodon.org/entities/Notification/#relationship_severance_event).
 - **Add hover cards in web UI** (#30754, #30864, #30850, #30879, #30928, #30949, #30948, #30931, and #31300 by @ClearlyClaire, @Gargron, and @renchap)\
   Hovering over an avatar or username will now display a hover card with the first two lines of the user's description and their first two profile fields.\
   This can be disabled in the “Animations and accessibility” section of the preferences.
@@ -67,7 +400,7 @@ The following changelog entries focus on changes visible to users, administrator
   ```html
   <meta name="fediverse:creator" content="username@domain" />
   ```
-  On the API side, this is represented by a new `authors` attribute to the `PreviewCard` entity: https://docs.joinmastodon.org/entities/PreviewCard/#authors\
+  On the API side, this is represented by a new `authors` attribute to the `PreviewCard` entity: https://docs.joinmastodon.org/entities/PreviewCard/#authors \
   Users can allow arbitrary domains to use `fediverse:creator` to credit them by visiting `/settings/verification`.\
   This is federated as a new `attributionDomains` property in the `http://joinmastodon.org/ns` namespace, containing an array of domain names: https://docs.joinmastodon.org/spec/activitypub/#properties-used-1
 - **Add in-app notifications for moderation actions and warnings** (#30065, #30082, and #30081 by @ClearlyClaire)\

Dockerfile

@@ -92,6 +92,9 @@ RUN \
 # Set /opt/mastodon as working directory
 WORKDIR /opt/mastodon
 
+# Add backport repository for some specific packages where we need the latest version
+RUN echo 'deb http://deb.debian.org/debian bookworm-backports main' >> /etc/apt/sources.list
+
 # hadolint ignore=DL3008,DL3005
 RUN \
 # Mount Apt cache and lib directories from Docker buildx caches
@@ -150,6 +153,7 @@ RUN \
     libpq-dev \
     libssl-dev \
     libtool \
+    libyaml-dev \
     meson \
     nasm \
     pkg-config \
@@ -160,7 +164,7 @@ RUN \
     libexif-dev \
     libexpat1-dev \
     libgirepository1.0-dev \
-    libheif-dev \
+    libheif-dev/bookworm-backports \
     libimagequant-dev \
     libjpeg62-turbo-dev \
     liblcms2-dev \
@@ -343,7 +347,7 @@ RUN \
   # libvips components
     libcgif0 \
     libexif12 \
-    libheif1 \
+    libheif1/bookworm-backports \
     libimagequant0 \
     libjpeg62-turbo \
     liblcms2-2 \

FEDERATION.md

@@ -47,3 +47,22 @@ Mastodon requires all `POST` requests to be signed, and MAY require `GET` reques
 ### Additional documentation
 
 - [Mastodon documentation](https://docs.joinmastodon.org/)
+
+## Size limits
+
+Mastodon imposes a few hard limits on federated content.
+These limits are intended to be very generous and way above what the Mastodon user experience is optimized for, so as to accomodate future changes and unusual or unforeseen usage patterns, while still providing some limits for performance reasons.
+The following table attempts to summary those limits.
+
+| Limited property                                              | Size limit | Consequence of exceeding the limit |
+| ------------------------------------------------------------- | ---------- | ---------------------------------- |
+| Serialized JSON-LD                                            | 1MB        | **Activity is rejected/dropped**   |
+| Profile fields (actor `PropertyValue` attachments) name/value | 2047       | Field name/value is truncated      |
+| Number of profile fields (actor `PropertyValue` attachments)  | 50         | Fields list is truncated           |
+| Poll options (number of `anyOf`/`oneOf` in a `Question`)      | 500        | Items list is truncated            |
+| Account username (actor `preferredUsername`) length           | 2048       | **Actor will be rejected**         |
+| Account display name (actor `name`) length                    | 2048       | Display name will be truncated     |
+| Account note (actor `summary`) length                         | 20kB       | Account note will be truncated     |
+| Account `attributionDomains`                                  | 256        | List will be truncated             |
+| Account aliases (actor `alsoKnownAs`)                         | 256        | List will be truncated             |
+| Custom emoji shortcode (`Emoji` `name`)                       | 2048       | Emoji will be rejected             |

Gemfile

@@ -158,6 +158,9 @@ group :test do
 
   # Stub web requests for specs
   gem 'webmock', '~> 3.18'
+
+  # Websocket driver for testing integration between rails/sidekiq and streaming
+  gem 'websocket-driver', '~> 0.8', require: false
 end
 
 group :development do

Gemfile.lock

@@ -10,35 +10,35 @@ GIT
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (7.1.4)
-      actionpack (= 7.1.4)
-      activesupport (= 7.1.4)
+    actioncable (7.1.5.2)
+      actionpack (= 7.1.5.2)
+      activesupport (= 7.1.5.2)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
       zeitwerk (~> 2.6)
-    actionmailbox (7.1.4)
-      actionpack (= 7.1.4)
-      activejob (= 7.1.4)
-      activerecord (= 7.1.4)
-      activestorage (= 7.1.4)
-      activesupport (= 7.1.4)
+    actionmailbox (7.1.5.2)
+      actionpack (= 7.1.5.2)
+      activejob (= 7.1.5.2)
+      activerecord (= 7.1.5.2)
+      activestorage (= 7.1.5.2)
+      activesupport (= 7.1.5.2)
       mail (>= 2.7.1)
       net-imap
       net-pop
       net-smtp
-    actionmailer (7.1.4)
-      actionpack (= 7.1.4)
-      actionview (= 7.1.4)
-      activejob (= 7.1.4)
-      activesupport (= 7.1.4)
+    actionmailer (7.1.5.2)
+      actionpack (= 7.1.5.2)
+      actionview (= 7.1.5.2)
+      activejob (= 7.1.5.2)
+      activesupport (= 7.1.5.2)
       mail (~> 2.5, >= 2.5.4)
       net-imap
       net-pop
       net-smtp
       rails-dom-testing (~> 2.2)
-    actionpack (7.1.4)
-      actionview (= 7.1.4)
-      activesupport (= 7.1.4)
+    actionpack (7.1.5.2)
+      actionview (= 7.1.5.2)
+      activesupport (= 7.1.5.2)
       nokogiri (>= 1.8.5)
       racc
       rack (>= 2.2.4)
@@ -46,15 +46,15 @@ GEM
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.2)
       rails-html-sanitizer (~> 1.6)
-    actiontext (7.1.4)
-      actionpack (= 7.1.4)
-      activerecord (= 7.1.4)
-      activestorage (= 7.1.4)
-      activesupport (= 7.1.4)
+    actiontext (7.1.5.2)
+      actionpack (= 7.1.5.2)
+      activerecord (= 7.1.5.2)
+      activestorage (= 7.1.5.2)
+      activesupport (= 7.1.5.2)
       globalid (>= 0.6.0)
       nokogiri (>= 1.8.5)
-    actionview (7.1.4)
-      activesupport (= 7.1.4)
+    actionview (7.1.5.2)
+      activesupport (= 7.1.5.2)
       builder (~> 3.1)
       erubi (~> 1.11)
       rails-dom-testing (~> 2.2)
@@ -64,30 +64,33 @@ GEM
       activemodel (>= 4.1)
       case_transform (>= 0.2)
       jsonapi-renderer (>= 0.1.1.beta1, < 0.3)
-    activejob (7.1.4)
-      activesupport (= 7.1.4)
+    activejob (7.1.5.2)
+      activesupport (= 7.1.5.2)
       globalid (>= 0.3.6)
-    activemodel (7.1.4)
-      activesupport (= 7.1.4)
-    activerecord (7.1.4)
-      activemodel (= 7.1.4)
-      activesupport (= 7.1.4)
+    activemodel (7.1.5.2)
+      activesupport (= 7.1.5.2)
+    activerecord (7.1.5.2)
+      activemodel (= 7.1.5.2)
+      activesupport (= 7.1.5.2)
       timeout (>= 0.4.0)
-    activestorage (7.1.4)
-      actionpack (= 7.1.4)
-      activejob (= 7.1.4)
-      activerecord (= 7.1.4)
-      activesupport (= 7.1.4)
+    activestorage (7.1.5.2)
+      actionpack (= 7.1.5.2)
+      activejob (= 7.1.5.2)
+      activerecord (= 7.1.5.2)
+      activesupport (= 7.1.5.2)
       marcel (~> 1.0)
-    activesupport (7.1.4)
+    activesupport (7.1.5.2)
       base64
+      benchmark (>= 0.3)
       bigdecimal
       concurrent-ruby (~> 1.0, >= 1.0.2)
       connection_pool (>= 2.2.5)
       drb
       i18n (>= 1.6, < 2)
+      logger (>= 1.4.2)
       minitest (>= 5.1)
       mutex_m
+      securerandom (>= 0.3)
       tzinfo (~> 2.0)
     addressable (2.8.7)
       public_suffix (>= 2.0.2, < 7.0)
@@ -126,6 +129,7 @@ GEM
     base64 (0.2.0)
     bcp47_spec (0.2.1)
     bcrypt (3.1.20)
+    benchmark (0.4.0)
     better_errors (2.10.1)
       erubi (>= 1.0.0)
       rack (>= 0.9.0)
@@ -186,7 +190,7 @@ GEM
       activerecord (>= 5.a)
       database_cleaner-core (~> 2.0.0)
     database_cleaner-core (2.0.1)
-    date (3.3.4)
+    date (3.4.1)
     debug (1.9.2)
       irb (~> 1.10)
       reline (>= 0.3.8)
@@ -262,15 +266,15 @@ GEM
       faraday (~> 1.0)
     fast_blank (1.0.1)
     fastimage (2.3.1)
-    ffi (1.16.3)
+    ffi (1.17.1)
     ffi-compiler (1.3.2)
       ffi (>= 1.15.5)
       rake
-    flatware (2.3.3)
+    flatware (2.3.4)
       drb
       thor (< 2.0)
-    flatware-rspec (2.3.3)
-      flatware (= 2.3.3)
+    flatware-rspec (2.3.4)
+      flatware (= 2.3.4)
       rspec (>= 3.6)
     fog-core (2.5.0)
       builder
@@ -406,7 +410,7 @@ GEM
     llhttp-ffi (0.5.0)
       ffi-compiler (~> 1.0)
       rake (~> 13.0)
-    logger (1.6.1)
+    logger (1.6.6)
     lograge (0.14.0)
       actionpack (>= 4)
       activesupport (>= 4)
@@ -433,7 +437,7 @@ GEM
       mime-types-data (~> 3.2015)
     mime-types-data (3.2024.0820)
     mini_mime (1.1.5)
-    mini_portile2 (2.8.7)
+    mini_portile2 (2.8.9)
     minitest (5.25.1)
     msgpack (1.7.2)
     multi_json (1.15.0)
@@ -443,7 +447,7 @@ GEM
       uri
     net-http-persistent (4.0.2)
       connection_pool (~> 2.2)
-    net-imap (0.4.15)
+    net-imap (0.5.8)
       date
       net-protocol
     net-ldap (0.19.0)
@@ -451,16 +455,16 @@ GEM
       net-protocol
     net-protocol (0.2.2)
       timeout
-    net-smtp (0.5.0)
+    net-smtp (0.5.1)
       net-protocol
     nio4r (2.7.3)
-    nokogiri (1.16.7)
+    nokogiri (1.18.9)
       mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
     oj (3.16.6)
       bigdecimal (>= 3.0)
       ostruct (>= 0.2)
-    omniauth (2.1.2)
+    omniauth (2.1.3)
       hashie (>= 3.4.6)
       rack (>= 2.2.3)
       rack-protection
@@ -471,9 +475,9 @@ GEM
     omniauth-rails_csrf_protection (1.0.2)
       actionpack (>= 4.2)
       omniauth (~> 2.0)
-    omniauth-saml (2.2.1)
+    omniauth-saml (2.2.3)
       omniauth (~> 2.1)
-      ruby-saml (~> 1.17)
+      ruby-saml (~> 1.18)
     omniauth_openid_connect (0.6.1)
       omniauth (>= 1.9, < 3)
       openid_connect (~> 1.1)
@@ -488,7 +492,7 @@ GEM
       validate_email
       validate_url
       webfinger (~> 1.2)
-    openssl (3.2.0)
+    openssl (3.2.2)
     openssl-signature_algorithm (1.3.0)
       openssl (> 2.0)
     opentelemetry-api (1.4.0)
@@ -615,7 +619,7 @@ GEM
       activesupport (>= 3.0.0)
     raabro (1.4.0)
     racc (1.8.1)
-    rack (2.2.9)
+    rack (2.2.20)
     rack-attack (6.7.0)
       rack (>= 1.0, < 4)
     rack-cors (2.0.2)
@@ -638,20 +642,20 @@ GEM
     rackup (1.0.0)
       rack (< 3)
       webrick
-    rails (7.1.4)
-      actioncable (= 7.1.4)
-      actionmailbox (= 7.1.4)
-      actionmailer (= 7.1.4)
-      actionpack (= 7.1.4)
-      actiontext (= 7.1.4)
-      actionview (= 7.1.4)
-      activejob (= 7.1.4)
-      activemodel (= 7.1.4)
-      activerecord (= 7.1.4)
-      activestorage (= 7.1.4)
-      activesupport (= 7.1.4)
+    rails (7.1.5.2)
+      actioncable (= 7.1.5.2)
+      actionmailbox (= 7.1.5.2)
+      actionmailer (= 7.1.5.2)
+      actionpack (= 7.1.5.2)
+      actiontext (= 7.1.5.2)
+      actionview (= 7.1.5.2)
+      activejob (= 7.1.5.2)
+      activemodel (= 7.1.5.2)
+      activerecord (= 7.1.5.2)
+      activestorage (= 7.1.5.2)
+      activesupport (= 7.1.5.2)
       bundler (>= 1.15.0)
-      railties (= 7.1.4)
+      railties (= 7.1.5.2)
     rails-controller-testing (1.0.5)
       actionpack (>= 5.0.1.rc1)
       actionview (>= 5.0.1.rc1)
@@ -660,15 +664,15 @@ GEM
       activesupport (>= 5.0.0)
       minitest
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.6.0)
+    rails-html-sanitizer (1.6.2)
       loofah (~> 2.21)
-      nokogiri (~> 1.14)
+      nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
     rails-i18n (7.0.9)
       i18n (>= 0.7, < 2)
       railties (>= 6.0.0, < 8)
-    railties (7.1.4)
-      actionpack (= 7.1.4)
-      activesupport (= 7.1.4)
+    railties (7.1.5.2)
+      actionpack (= 7.1.5.2)
+      activesupport (= 7.1.5.2)
       irb
       rackup (>= 1.0.0)
       rake (>= 12.2)
@@ -698,7 +702,7 @@ GEM
     responders (3.1.1)
       actionpack (>= 5.2)
       railties (>= 5.2)
-    rexml (3.3.8)
+    rexml (3.4.4)
     rotp (6.3.0)
     rouge (4.3.0)
     rpam2 (4.0.2)
@@ -763,10 +767,10 @@ GEM
       rubocop-rspec (~> 3, >= 3.0.1)
     ruby-prof (1.7.0)
     ruby-progressbar (1.13.0)
-    ruby-saml (1.17.0)
+    ruby-saml (1.18.1)
       nokogiri (>= 1.13.10)
       rexml
-    ruby-vips (2.2.2)
+    ruby-vips (2.2.3)
       ffi (~> 1.12)
       logger
     ruby2_keywords (0.0.5)
@@ -781,6 +785,7 @@ GEM
     scenic (1.8.0)
       activerecord (>= 4.0.0)
       railties (>= 4.0.0)
+    securerandom (0.4.1)
     selenium-webdriver (4.25.0)
       base64 (~> 0.2)
       logger (~> 1.4)
@@ -835,9 +840,9 @@ GEM
     terrapin (1.0.1)
       climate_control
     test-prof (1.4.2)
-    thor (1.3.2)
+    thor (1.4.0)
     tilt (2.4.0)
-    timeout (0.4.1)
+    timeout (0.4.3)
     tpm-key_attestation (0.12.1)
       bindata (~> 2.4)
       openssl (> 2.0)
@@ -863,7 +868,7 @@ GEM
       unf_ext
     unf_ext (0.0.9.1)
     unicode-display_width (2.5.0)
-    uri (0.13.1)
+    uri (0.13.3)
     validate_email (0.1.6)
       activemodel (>= 3.0)
       mail (>= 2.2.5)
@@ -895,7 +900,8 @@ GEM
       semantic_range (>= 2.3.0)
     webrick (1.8.2)
     websocket (1.2.11)
-    websocket-driver (0.7.6)
+    websocket-driver (0.8.0)
+      base64
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.5)
     wisper (2.0.1)
@@ -1054,10 +1060,11 @@ DEPENDENCIES
   webmock (~> 3.18)
   webpacker (~> 5.4)
   webpush!
+  websocket-driver (~> 0.8)
   xorcist (~> 1.1)
 
 RUBY VERSION
    ruby 3.3.4p94
 
 BUNDLED WITH
-   2.5.18
+   2.6.5

SECURITY.md

@@ -15,7 +15,6 @@ A "vulnerability in Mastodon" is a vulnerability in the code distributed through
 
 | Version | Supported        |
 | ------- | ---------------- |
-| 4.3.x   | Yes              |
-| 4.2.x   | Yes              |
-| 4.1.x   | Until 2025-04-08 |
-| < 4.1   | No               |
+| 4.4.x   | Yes              |
+| 4.3.x   | Until 2026-05-06 |
+| < 4.3   | No               |

app/controllers/activitypub/inboxes_controller.rb

@@ -3,6 +3,7 @@
 class ActivityPub::InboxesController < ActivityPub::BaseController
   include JsonLdHelper
 
+  before_action :skip_large_payload
   before_action :skip_unknown_actor_activity
   before_action :require_actor_signature!
   skip_before_action :authenticate_user!
@@ -16,6 +17,10 @@ class ActivityPub::InboxesController < ActivityPub::BaseController
 
   private
 
+  def skip_large_payload
+    head 413 if request.content_length > ActivityPub::Activity::MAX_JSON_SIZE
+  end
+
   def skip_unknown_actor_activity
     head 202 if unknown_affected_account?
   end

app/controllers/activitypub/likes_controller.rb

@@ -22,7 +22,7 @@ class ActivityPub::LikesController < ActivityPub::BaseController
   def set_status
     @status = @account.statuses.find(params[:status_id])
     authorize @status, :show?
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 

app/controllers/activitypub/replies_controller.rb

@@ -25,7 +25,7 @@ class ActivityPub::RepliesController < ActivityPub::BaseController
   def set_status
     @status = @account.statuses.find(params[:status_id])
     authorize @status, :show?
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 

app/controllers/activitypub/shares_controller.rb

@@ -22,7 +22,7 @@ class ActivityPub::SharesController < ActivityPub::BaseController
   def set_status
     @status = @account.statuses.find(params[:status_id])
     authorize @status, :show?
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 

app/controllers/admin/announcements_controller.rb

@@ -6,6 +6,7 @@ class Admin::AnnouncementsController < Admin::BaseController
 
   def index
     authorize :announcement, :index?
+    @published_announcements_count = Announcement.published.async_count
   end
 
   def new

app/controllers/admin/disputes/appeals_controller.rb

@@ -6,6 +6,7 @@ class Admin::Disputes::AppealsController < Admin::BaseController
   def index
     authorize :appeal, :index?
 
+    @pending_appeals_count = Appeal.pending.async_count
     @appeals = filtered_appeals.page(params[:page])
   end
 

app/controllers/admin/trends/links/preview_card_providers_controller.rb

@@ -4,6 +4,7 @@ class Admin::Trends::Links::PreviewCardProvidersController < Admin::BaseControll
   def index
     authorize :preview_card_provider, :review?
 
+    @pending_preview_card_providers_count = PreviewCardProvider.unreviewed.async_count
     @preview_card_providers = filtered_preview_card_providers.page(params[:page])
     @form = Trends::PreviewCardProviderBatch.new
   end

app/controllers/admin/trends/tags_controller.rb

@@ -4,6 +4,7 @@ class Admin::Trends::TagsController < Admin::BaseController
   def index
     authorize :tag, :review?
 
+    @pending_tags_count = Tag.pending_review.async_count
     @tags = filtered_tags.page(params[:page])
     @form = Trends::TagBatch.new
   end

app/controllers/api/base_controller.rb

@@ -72,6 +72,13 @@ class Api::BaseController < ApplicationController
     end
   end
 
+  # Redefine `require_functional!` to properly output JSON instead of HTML redirects
+  def require_functional!
+    return if current_user.functional?
+
+    require_user!
+  end
+
   def render_empty
     render json: {}, status: 200
   end

app/controllers/api/v1/accounts/credentials_controller.rb

@@ -14,7 +14,7 @@ class Api::V1::Accounts::CredentialsController < Api::BaseController
     @account = current_account
     UpdateAccountService.new.call(@account, account_params, raise_error: true)
     current_user.update(user_params) if user_params
-    ActivityPub::UpdateDistributionWorker.perform_async(@account.id)
+    ActivityPub::UpdateDistributionWorker.perform_in(ActivityPub::UpdateDistributionWorker::DEBOUNCE_DELAY, @account.id)
     render json: @account, serializer: REST::CredentialAccountSerializer
   rescue ActiveRecord::RecordInvalid => e
     render json: ValidationErrorFormatter.new(e).as_json, status: 422

app/controllers/api/v1/accounts_controller.rb

@@ -16,6 +16,7 @@ class Api::V1::AccountsController < Api::BaseController
   before_action :check_account_confirmation, except: [:index, :create]
   before_action :check_enabled_registrations, only: [:create]
   before_action :check_accounts_limit, only: [:index]
+  before_action :check_following_self, only: [:follow]
 
   skip_before_action :require_authenticated_user!, only: :create
 
@@ -101,6 +102,10 @@ class Api::V1::AccountsController < Api::BaseController
     raise(Mastodon::ValidationError) if account_ids.size > DEFAULT_ACCOUNTS_LIMIT
   end
 
+  def check_following_self
+    render json: { error: I18n.t('accounts.self_follow_error') }, status: 403 if current_user.account.id == @account.id
+  end
+
   def relationships(**options)
     AccountRelationshipsPresenter.new([@account], current_user.account_id, **options)
   end

app/controllers/api/v1/instances/domain_blocks_controller.rb

@@ -31,7 +31,7 @@ class Api::V1::Instances::DomainBlocksController < Api::V1::Instances::BaseContr
   end
 
   def show_domain_blocks_to_user?
-    Setting.show_domain_blocks == 'users' && user_signed_in?
+    Setting.show_domain_blocks == 'users' && user_signed_in? && current_user.functional_or_moved?
   end
 
   def set_domain_blocks
@@ -47,6 +47,6 @@ class Api::V1::Instances::DomainBlocksController < Api::V1::Instances::BaseContr
   end
 
   def show_rationale_for_user?
-    Setting.show_domain_blocks_rationale == 'users' && user_signed_in?
+    Setting.show_domain_blocks_rationale == 'users' && user_signed_in? && current_user.functional_or_moved?
   end
 end

app/controllers/api/v1/notifications/requests_controller.rb

@@ -52,7 +52,7 @@ class Api::V1::Notifications::RequestsController < Api::BaseController
   private
 
   def load_requests
-    requests = NotificationRequest.where(account: current_account).includes(:last_status, from_account: [:account_stat, :user]).to_a_paginated_by_id(
+    requests = NotificationRequest.where(account: current_account).without_suspended.includes(:last_status, from_account: [:account_stat, :user]).to_a_paginated_by_id(
       limit_param(DEFAULT_ACCOUNTS_LIMIT),
       params_slice(:max_id, :since_id, :min_id)
     )

app/controllers/api/v1/polls/votes_controller.rb

@@ -17,7 +17,7 @@ class Api::V1::Polls::VotesController < Api::BaseController
   def set_poll
     @poll = Poll.attached.find(params[:poll_id])
     authorize @poll.status, :show?
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 

app/controllers/api/v1/polls_controller.rb

@@ -17,7 +17,7 @@ class Api::V1::PollsController < Api::BaseController
   def set_poll
     @poll = Poll.attached.find(params[:id])
     authorize @poll.status, :show?
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 

app/controllers/api/v1/profile/avatars_controller.rb

@@ -7,7 +7,7 @@ class Api::V1::Profile::AvatarsController < Api::BaseController
   def destroy
     @account = current_account
     UpdateAccountService.new.call(@account, { avatar: nil }, raise_error: true)
-    ActivityPub::UpdateDistributionWorker.perform_async(@account.id)
+    ActivityPub::UpdateDistributionWorker.perform_in(ActivityPub::UpdateDistributionWorker::DEBOUNCE_DELAY, @account.id)
     render json: @account, serializer: REST::CredentialAccountSerializer
   end
 end

app/controllers/api/v1/profile/headers_controller.rb

@@ -7,7 +7,7 @@ class Api::V1::Profile::HeadersController < Api::BaseController
   def destroy
     @account = current_account
     UpdateAccountService.new.call(@account, { header: nil }, raise_error: true)
-    ActivityPub::UpdateDistributionWorker.perform_async(@account.id)
+    ActivityPub::UpdateDistributionWorker.perform_in(ActivityPub::UpdateDistributionWorker::DEBOUNCE_DELAY, @account.id)
     render json: @account, serializer: REST::CredentialAccountSerializer
   end
 end

app/controllers/api/v1/statuses/base_controller.rb

@@ -10,7 +10,7 @@ class Api::V1::Statuses::BaseController < Api::BaseController
   def set_status
     @status = Status.find(params[:status_id])
     authorize @status, :show?
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 end

app/controllers/api/v1/statuses/bookmarks_controller.rb

@@ -23,7 +23,7 @@ class Api::V1::Statuses::BookmarksController < Api::V1::Statuses::BaseController
     bookmark&.destroy!
 
     render json: @status, serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new([@status], current_account.id, bookmarks_map: { @status.id => false })
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 end

app/controllers/api/v1/statuses/favourites_controller.rb

@@ -25,7 +25,7 @@ class Api::V1::Statuses::FavouritesController < Api::V1::Statuses::BaseControlle
 
     relationships = StatusRelationshipsPresenter.new([@status], current_account.id, favourites_map: { @status.id => false }, attributes_map: { @status.id => { favourites_count: count } })
     render json: @status, serializer: REST::StatusSerializer, relationships: relationships
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 end

app/controllers/api/v1/statuses/reblogs_controller.rb

@@ -36,7 +36,7 @@ class Api::V1::Statuses::ReblogsController < Api::V1::Statuses::BaseController
 
     relationships = StatusRelationshipsPresenter.new([@status], current_account.id, reblogs_map: { @reblog.id => false }, attributes_map: { @reblog.id => { reblogs_count: count } })
     render json: @reblog, serializer: REST::StatusSerializer, relationships: relationships
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 
@@ -45,7 +45,7 @@ class Api::V1::Statuses::ReblogsController < Api::V1::Statuses::BaseController
   def set_reblog
     @reblog = Status.find(params[:status_id])
     authorize @reblog, :show?
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 

app/controllers/api/v1/statuses/translations_controller.rb

@@ -23,6 +23,6 @@ class Api::V1::Statuses::TranslationsController < Api::V1::Statuses::BaseControl
   private
 
   def set_translation
-    @translation = TranslateStatusService.new.call(@status, content_locale)
+    @translation = TranslateStatusService.new.call(@status, I18n.locale.to_s)
   end
 end

app/controllers/api/v1/statuses_controller.rb

@@ -127,7 +127,7 @@ class Api::V1::StatusesController < Api::BaseController
   def set_status
     @status = Status.find(params[:id])
     authorize @status, :show?
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 

app/controllers/api/v2/notifications_controller.rb

@@ -46,7 +46,7 @@ class Api::V2::NotificationsController < Api::BaseController
   end
 
   def show
-    @notification = current_account.notifications.without_suspended.find_by!(group_key: params[:group_key])
+    @notification = current_account.notifications.without_suspended.by_group_key(params[:group_key]).take!
     presenter = GroupedNotificationsPresenter.new(NotificationGroup.from_notifications([@notification]))
     render json: presenter, serializer: REST::DedupNotificationGroupSerializer
   end
@@ -57,7 +57,7 @@ class Api::V2::NotificationsController < Api::BaseController
   end
 
   def dismiss
-    current_account.notifications.where(group_key: params[:group_key]).destroy_all
+    current_account.notifications.by_group_key(params[:group_key]).destroy_all
     render_empty
   end
 
@@ -80,10 +80,31 @@ class Api::V2::NotificationsController < Api::BaseController
     return [] if @notifications.empty?
 
     MastodonOTELTracer.in_span('Api::V2::NotificationsController#load_grouped_notifications') do
-      NotificationGroup.from_notifications(@notifications, pagination_range: (@notifications.last.id)..(@notifications.first.id), grouped_types: params[:grouped_types])
+      pagination_range = (@notifications.last.id)..@notifications.first.id
+
+      # If the page is incomplete, we know we are on the last page
+      if incomplete_page?
+        if paginating_up?
+          pagination_range = @notifications.last.id...(params[:max_id]&.to_i)
+        else
+          range_start = params[:since_id]&.to_i
+          range_start += 1 unless range_start.nil?
+          pagination_range = range_start..(@notifications.first.id)
+        end
+      end
+
+      NotificationGroup.from_notifications(@notifications, pagination_range: pagination_range, grouped_types: params[:grouped_types])
     end
   end
 
+  def incomplete_page?
+    @notifications.size < limit_param(DEFAULT_NOTIFICATIONS_LIMIT)
+  end
+
+  def paginating_up?
+    params[:min_id].present?
+  end
+
   def browserable_account_notifications
     current_account.notifications.without_suspended.browserable(
       types: Array(browserable_params[:types]),

app/controllers/api/web/embeds_controller.rb

@@ -30,7 +30,7 @@ class Api::Web::EmbedsController < Api::Web::BaseController
   def set_status
     @status = Status.find(params[:id])
     authorize @status, :show?
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 end

app/controllers/api/web/push_subscriptions_controller.rb

@@ -55,7 +55,7 @@ class Api::Web::PushSubscriptionsController < Api::Web::BaseController
   end
 
   def set_push_subscription
-    @push_subscription = ::Web::PushSubscription.find(params[:id])
+    @push_subscription = ::Web::PushSubscription.where(user_id: active_session.user_id).find(params[:id])
   end
 
   def subscription_params

app/controllers/application_controller.rb

@@ -74,7 +74,23 @@ class ApplicationController < ActionController::Base
   end
 
   def require_functional!
-    redirect_to edit_user_registration_path unless current_user.functional?
+    return if current_user.functional?
+
+    respond_to do |format|
+      format.any do
+        redirect_to edit_user_registration_path
+      end
+
+      format.json do
+        if !current_user.confirmed?
+          render json: { error: 'Your login is missing a confirmed e-mail address' }, status: 403
+        elsif !current_user.approved?
+          render json: { error: 'Your login is currently pending approval' }, status: 403
+        elsif !current_user.functional?
+          render json: { error: 'Your login is currently disabled' }, status: 403
+        end
+      end
+    end
   end
 
   def skip_csrf_meta_tags?

app/controllers/authorize_interactions_controller.rb

@@ -21,7 +21,7 @@ class AuthorizeInteractionsController < ApplicationController
   def set_resource
     @resource = located_resource
     authorize(@resource, :show?) if @resource.is_a?(Status)
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 

app/controllers/backups_controller.rb

@@ -9,13 +9,15 @@ class BackupsController < ApplicationController
   before_action :authenticate_user!
   before_action :set_backup
 
+  BACKUP_LINK_TIMEOUT = 1.hour.freeze
+
   def download
     case Paperclip::Attachment.default_options[:storage]
     when :s3, :azure
-      redirect_to @backup.dump.expiring_url(10), allow_other_host: true
+      redirect_to @backup.dump.expiring_url(BACKUP_LINK_TIMEOUT.to_i), allow_other_host: true
     when :fog
       if Paperclip::Attachment.default_options.dig(:fog_credentials, :openstack_temp_url_key).present?
-        redirect_to @backup.dump.expiring_url(Time.now.utc + 10), allow_other_host: true
+        redirect_to @backup.dump.expiring_url(BACKUP_LINK_TIMEOUT.from_now), allow_other_host: true
       else
         redirect_to full_asset_url(@backup.dump.url), allow_other_host: true
       end

app/controllers/concerns/cache_concern.rb

@@ -19,7 +19,7 @@ module CacheConcern
   # from being used as cache keys, while allowing to `Vary` on them (to not serve
   # anonymous cached data to authenticated requests when authentication matters)
   def enforce_cache_control!
-    vary = response.headers['Vary']&.split&.map { |x| x.strip.downcase }
+    vary = response.headers['Vary'].to_s.split(',').map { |x| x.strip.downcase }.reject(&:empty?)
     return unless vary.present? && %w(cookie authorization signature).any? { |header| vary.include?(header) && request.headers[header].present? }
 
     response.cache_control.replace(private: true, no_store: true)

app/controllers/concerns/signature_verification.rb

@@ -117,7 +117,7 @@ module SignatureVerification
 
   def verify_signature_strength!
     raise SignatureVerificationError, 'Mastodon requires the Date header or (created) pseudo-header to be signed' unless signed_headers.include?('date') || signed_headers.include?('(created)')
-    raise SignatureVerificationError, 'Mastodon requires the Digest header or (request-target) pseudo-header to be signed' unless signed_headers.include?(Request::REQUEST_TARGET) || signed_headers.include?('digest')
+    raise SignatureVerificationError, 'Mastodon requires the Digest header or (request-target) pseudo-header to be signed' unless signed_headers.include?(HttpSignatureDraft::REQUEST_TARGET) || signed_headers.include?('digest')
     raise SignatureVerificationError, 'Mastodon requires the Host header to be signed when doing a GET request' if request.get? && !signed_headers.include?('host')
     raise SignatureVerificationError, 'Mastodon requires the Digest header to be signed when doing a POST request' if request.post? && !signed_headers.include?('digest')
   end
@@ -155,14 +155,14 @@ module SignatureVerification
   def build_signed_string(include_query_string: true)
     signed_headers.map do |signed_header|
       case signed_header
-      when Request::REQUEST_TARGET
+      when HttpSignatureDraft::REQUEST_TARGET
         if include_query_string
-          "#{Request::REQUEST_TARGET}: #{request.method.downcase} #{request.original_fullpath}"
+          "#{HttpSignatureDraft::REQUEST_TARGET}: #{request.method.downcase} #{request.original_fullpath}"
         else
           # Current versions of Mastodon incorrectly omit the query string from the (request-target) pseudo-header.
           # Therefore, temporarily support such incorrect signatures for compatibility.
           # TODO: remove eventually some time after release of the fixed version
-          "#{Request::REQUEST_TARGET}: #{request.method.downcase} #{request.path}"
+          "#{HttpSignatureDraft::REQUEST_TARGET}: #{request.method.downcase} #{request.path}"
         end
       when '(created)'
         raise SignatureVerificationError, 'Invalid pseudo-header (created) for rsa-sha256' unless signature_algorithm == 'hs2019'

app/controllers/media_controller.rb

@@ -34,7 +34,7 @@ class MediaController < ApplicationController
 
   def verify_permitted_status!
     authorize @media_attachment.status, :show?
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 

app/controllers/settings/pictures_controller.rb

@@ -8,7 +8,7 @@ module Settings
     def destroy
       if valid_picture?
         if UpdateAccountService.new.call(@account, { @picture => nil, "#{@picture}_remote_url" => '' })
-          ActivityPub::UpdateDistributionWorker.perform_async(@account.id)
+          ActivityPub::UpdateDistributionWorker.perform_in(ActivityPub::UpdateDistributionWorker::DEBOUNCE_DELAY, @account.id)
           redirect_to settings_profile_path, notice: I18n.t('generic.changes_saved_msg'), status: 303
         else
           redirect_to settings_profile_path

app/controllers/settings/privacy_controller.rb

@@ -8,7 +8,7 @@ class Settings::PrivacyController < Settings::BaseController
   def update
     if UpdateAccountService.new.call(@account, account_params.except(:settings))
       current_user.update!(settings_attributes: account_params[:settings])
-      ActivityPub::UpdateDistributionWorker.perform_async(@account.id)
+      ActivityPub::UpdateDistributionWorker.perform_in(ActivityPub::UpdateDistributionWorker::DEBOUNCE_DELAY, @account.id)
       redirect_to settings_privacy_path, notice: I18n.t('generic.changes_saved_msg')
     else
       render :show

app/controllers/settings/profiles_controller.rb

@@ -9,7 +9,7 @@ class Settings::ProfilesController < Settings::BaseController
 
   def update
     if UpdateAccountService.new.call(@account, account_params)
-      ActivityPub::UpdateDistributionWorker.perform_async(@account.id)
+      ActivityPub::UpdateDistributionWorker.perform_in(ActivityPub::UpdateDistributionWorker::DEBOUNCE_DELAY, @account.id)
       redirect_to settings_profile_path, notice: I18n.t('generic.changes_saved_msg')
     else
       @account.build_fields

app/controllers/settings/verifications_controller.rb

@@ -8,7 +8,7 @@ class Settings::VerificationsController < Settings::BaseController
 
   def update
     if UpdateAccountService.new.call(@account, account_params)
-      ActivityPub::UpdateDistributionWorker.perform_async(@account.id)
+      ActivityPub::UpdateDistributionWorker.perform_in(ActivityPub::UpdateDistributionWorker::DEBOUNCE_DELAY, @account.id)
       redirect_to settings_verification_path, notice: I18n.t('generic.changes_saved_msg')
     else
       render :show

app/controllers/severed_relationships_controller.rb

@@ -27,7 +27,7 @@ class SeveredRelationshipsController < ApplicationController
   private
 
   def set_event
-    @event = AccountRelationshipSeveranceEvent.find(params[:id])
+    @event = AccountRelationshipSeveranceEvent.where(account: current_account).find(params[:id])
   end
 
   def following_data

app/controllers/statuses_controller.rb

@@ -59,7 +59,7 @@ class StatusesController < ApplicationController
   def set_status
     @status = @account.statuses.find(params[:id])
     authorize @status, :show?
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 

app/helpers/admin/trends/statuses_helper.rb

@@ -2,11 +2,18 @@
 
 module Admin::Trends::StatusesHelper
   def one_line_preview(status)
-    text = if status.local?
-             status.text.split("\n").first
-           else
-             Nokogiri::HTML5(status.text).css('html > body > *').first&.text
-           end
+    text = begin
+      if status.local?
+        status.text.split("\n").first
+      else
+        Nokogiri::HTML5(status.text).css('html > body > *').first&.text
+      end
+    rescue ArgumentError
+      # This can happen if one of the Nokogumbo limits is encountered
+      # Unfortunately, it does not use a more precise error class
+      # nor allows more graceful handling
+      ''
+    end
 
     return '' if text.blank?
 

app/helpers/application_helper.rb

@@ -79,7 +79,7 @@ module ApplicationHelper
 
   def html_title
     safe_join(
-      [content_for(:page_title).to_s.chomp, title]
+      [content_for(:page_title), title]
       .compact_blank,
       ' - '
     )
@@ -245,6 +245,11 @@ module ApplicationHelper
     tag.input(type: :text, maxlength: 999, spellcheck: false, readonly: true, **options)
   end
 
+  def recent_tag_usage(tag)
+    people = tag.history.aggregate(2.days.ago.to_date..Time.zone.today).accounts
+    I18n.t 'user_mailer.welcome.hashtags_recent_count', people: number_with_delimiter(people), count: people
+  end
+
   # glitch-soc addition to handle the multiple flavors
   def preload_locale_pack
     supported_locales = Themes.instance.flavour(current_flavour)['locales']

app/helpers/context_helper.rb

@@ -26,6 +26,13 @@ module ContextHelper
     voters_count: { 'toot' => 'http://joinmastodon.org/ns#', 'votersCount' => 'toot:votersCount' },
     suspended: { 'toot' => 'http://joinmastodon.org/ns#', 'suspended' => 'toot:suspended' },
     attribution_domains: { 'toot' => 'http://joinmastodon.org/ns#', 'attributionDomains' => { '@id' => 'toot:attributionDomains', '@type' => '@id' } },
+    interaction_policies: {
+      'gts' => 'https://gotosocial.org/ns#',
+      'interactionPolicy' => { '@id' => 'gts:interactionPolicy', '@type' => '@id' },
+      'canQuote' => { '@id' => 'gts:canQuote', '@type' => '@id' },
+      'automaticApproval' => { '@id' => 'gts:automaticApproval', '@type' => '@id' },
+      'manualApproval' => { '@id' => 'gts:manualApproval', '@type' => '@id' },
+    },
   }.freeze
 
   def full_context

app/helpers/jsonld_helper.rb

@@ -26,6 +26,8 @@ module JsonLdHelper
   # The url attribute can be a string, an array of strings, or an array of objects.
   # The objects could include a mimeType. Not-included mimeType means it's text/html.
   def url_to_href(value, preferred_type = nil)
+    value = [value] if value.is_a?(Hash)
+
     single_value = if value.is_a?(Array) && !value.first.is_a?(String)
                      value.find { |link| preferred_type.nil? || ((link['mimeType'].presence || 'text/html') == preferred_type) }
                    elsif value.is_a?(Array)
@@ -41,6 +43,15 @@ module JsonLdHelper
     end
   end
 
+  def url_to_media_type(value, preferred_type = nil)
+    value = [value] if value.is_a?(Hash)
+    return unless value.is_a?(Array) && !value.first.is_a?(String)
+
+    single_value = value.find { |link| preferred_type.nil? || ((link['mimeType'].presence || 'text/html') == preferred_type) }
+
+    single_value['mediaType'] unless single_value.nil?
+  end
+
   def as_array(value)
     if value.nil?
       []

app/helpers/languages_helper.rb

@@ -162,7 +162,7 @@ module LanguagesHelper
     th: ['Thai', 'ไทย'].freeze,
     ti: ['Tigrinya', 'ትግርኛ'].freeze,
     tk: ['Turkmen', 'Türkmen'].freeze,
-    tl: ['Tagalog', 'Wikang Tagalog'].freeze,
+    tl: ['Tagalog', 'Tagalog'].freeze,
     tn: ['Tswana', 'Setswana'].freeze,
     to: ['Tonga', 'faka Tonga'].freeze,
     tr: ['Turkish', 'Türkçe'].freeze,

app/javascript/entrypoints/sign_up.ts

@@ -4,9 +4,12 @@ import axios from 'axios';
 import ready from '../mastodon/ready';
 
 async function checkConfirmation() {
-  const response = await axios.get('/api/v1/emails/check_confirmation');
+  const response = await axios.get('/api/v1/emails/check_confirmation', {
+    headers: { Accept: 'application/json' },
+    withCredentials: true,
+  });
 
-  if (response.data) {
+  if (response.status === 200 && response.data === true) {
     window.location.href = '/start';
   }
 }

app/javascript/flavours/glitch/actions/compose.js

@@ -102,12 +102,17 @@ export const ensureComposeIsVisible = (getState) => {
 };
 
 export function setComposeToStatus(status, text, spoiler_text, content_type) {
-  return{
-    type: COMPOSE_SET_STATUS,
-    status,
-    text,
-    spoiler_text,
-    content_type,
+  return (dispatch, getState) => {
+    const maxOptions = getState().server.getIn(['server', 'configuration', 'polls', 'max_options']);
+
+    dispatch({
+      type: COMPOSE_SET_STATUS,
+      status,
+      text,
+      spoiler_text,
+      content_type,
+      maxOptions
+    });
   };
 }
 

app/javascript/flavours/glitch/actions/importer/normalizer.js

@@ -72,6 +72,17 @@ export function normalizeStatus(status, normalOldStatus, settings) {
     normalStatus.contentHtml  = emojify(normalStatus.content, emojiMap);
     normalStatus.spoilerHtml  = emojify(escapeTextContentForBrowser(spoilerText), emojiMap);
     normalStatus.hidden       = (spoilerText.length > 0 || normalStatus.sensitive) && autoHideCW(settings, spoilerText);
+
+    if (normalStatus.url && !(normalStatus.url.startsWith('http://') || normalStatus.url.startsWith('https://'))) {
+      normalStatus.url = null;
+    }
+
+    normalStatus.url ||= normalStatus.uri;
+
+    normalStatus.media_attachments.forEach(item => {
+      if (item.remote_url && !(item.remote_url.startsWith('http://') || item.remote_url.startsWith('https://')))
+        item.remote_url = null;
+    });
   }
 
   if (normalOldStatus) {

app/javascript/flavours/glitch/actions/notification_groups.ts

@@ -8,6 +8,7 @@ import type { ApiAccountJSON } from 'flavours/glitch/api_types/accounts';
 import type {
   ApiNotificationGroupJSON,
   ApiNotificationJSON,
+  NotificationType,
 } from 'flavours/glitch/api_types/notifications';
 import { allNotificationTypes } from 'flavours/glitch/api_types/notifications';
 import type { ApiStatusJSON } from 'flavours/glitch/api_types/statuses';
@@ -15,6 +16,7 @@ import { usePendingItems } from 'flavours/glitch/initial_state';
 import type { NotificationGap } from 'flavours/glitch/reducers/notification_groups';
 import {
   selectSettingsNotificationsExcludedTypes,
+  selectSettingsNotificationsGroupFollows,
   selectSettingsNotificationsQuickFilterActive,
   selectSettingsNotificationsShows,
 } from 'flavours/glitch/selectors/settings';
@@ -68,17 +70,19 @@ function dispatchAssociatedRecords(
     dispatch(importFetchedStatuses(fetchedStatuses));
 }
 
-const supportedGroupedNotificationTypes = ['favourite', 'reblog'];
+function selectNotificationGroupedTypes(state: RootState) {
+  const types: NotificationType[] = ['favourite', 'reblog'];
 
-export function shouldGroupNotificationType(type: string) {
-  return supportedGroupedNotificationTypes.includes(type);
+  if (selectSettingsNotificationsGroupFollows(state)) types.push('follow');
+
+  return types;
 }
 
 export const fetchNotifications = createDataLoadingThunk(
   'notificationGroups/fetch',
   async (_params, { getState }) =>
     apiFetchNotificationGroups({
-      grouped_types: supportedGroupedNotificationTypes,
+      grouped_types: selectNotificationGroupedTypes(getState()),
       exclude_types: getExcludedTypes(getState()),
     }),
   ({ notifications, accounts, statuses }, { dispatch }) => {
@@ -102,7 +106,7 @@ export const fetchNotificationsGap = createDataLoadingThunk(
   'notificationGroups/fetchGap',
   async (params: { gap: NotificationGap }, { getState }) =>
     apiFetchNotificationGroups({
-      grouped_types: supportedGroupedNotificationTypes,
+      grouped_types: selectNotificationGroupedTypes(getState()),
       max_id: params.gap.maxId,
       exclude_types: getExcludedTypes(getState()),
     }),
@@ -119,7 +123,7 @@ export const pollRecentNotifications = createDataLoadingThunk(
   'notificationGroups/pollRecentNotifications',
   async (_params, { getState }) => {
     return apiFetchNotificationGroups({
-      grouped_types: supportedGroupedNotificationTypes,
+      grouped_types: selectNotificationGroupedTypes(getState()),
       max_id: undefined,
       exclude_types: getExcludedTypes(getState()),
       // In slow mode, we don't want to include notifications that duplicate the already-displayed ones
@@ -137,6 +141,9 @@ export const pollRecentNotifications = createDataLoadingThunk(
 
     return { notifications };
   },
+  {
+    useLoadingBar: false,
+  },
 );
 
 export const processNewNotificationForGroups = createAppAsyncThunk(
@@ -168,7 +175,10 @@ export const processNewNotificationForGroups = createAppAsyncThunk(
 
     dispatchAssociatedRecords(dispatch, [notification]);
 
-    return notification;
+    return {
+      notification,
+      groupedTypes: selectNotificationGroupedTypes(state),
+    };
   },
 );
 

app/javascript/flavours/glitch/actions/statuses.js

@@ -90,11 +90,16 @@ export function fetchStatusFail(id, error, skipLoading) {
 }
 
 export function redraft(status, raw_text, content_type) {
-  return {
-    type: REDRAFT,
-    status,
-    raw_text,
-    content_type,
+  return (dispatch, getState) => {
+    const maxOptions = getState().server.getIn(['server', 'configuration', 'polls', 'max_options']);
+
+    dispatch({
+      type: REDRAFT,
+      status,
+      raw_text,
+      content_type,
+      maxOptions,
+    });
   };
 }
 

app/javascript/flavours/glitch/api/interactions.ts

@@ -1,10 +1,11 @@
 import { apiRequestPost } from 'flavours/glitch/api';
-import type { Status, StatusVisibility } from 'flavours/glitch/models/status';
+import type { ApiStatusJSON } from 'flavours/glitch/api_types/statuses';
+import type { StatusVisibility } from 'flavours/glitch/models/status';
 
 export const apiReblog = (statusId: string, visibility: StatusVisibility) =>
-  apiRequestPost<{ reblog: Status }>(`v1/statuses/${statusId}/reblog`, {
+  apiRequestPost<{ reblog: ApiStatusJSON }>(`v1/statuses/${statusId}/reblog`, {
     visibility,
   });
 
 export const apiUnreblog = (statusId: string) =>
-  apiRequestPost<Status>(`v1/statuses/${statusId}/unreblog`);
+  apiRequestPost<ApiStatusJSON>(`v1/statuses/${statusId}/unreblog`);

app/javascript/flavours/glitch/api_types/accounts.ts

@@ -13,7 +13,7 @@ export interface ApiAccountRoleJSON {
 }
 
 // See app/serializers/rest/account_serializer.rb
-export interface ApiAccountJSON {
+export interface BaseApiAccountJSON {
   acct: string;
   avatar: string;
   avatar_static: string;
@@ -45,3 +45,12 @@ export interface ApiAccountJSON {
   memorial?: boolean;
   hide_collections: boolean;
 }
+
+// See app/serializers/rest/muted_account_serializer.rb
+export interface ApiMutedAccountJSON extends BaseApiAccountJSON {
+  mute_expires_at?: string | null;
+}
+
+// For now, we have the same type representing both `Account` and `MutedAccount`
+// objects, but we should refactor this in the future.
+export type ApiAccountJSON = ApiMutedAccountJSON;

app/javascript/flavours/glitch/components/alt_text_badge.tsx

@@ -28,6 +28,7 @@ export const AltTextBadge: React.FC<{
   return (
     <>
       <button
+        type='button'
         ref={anchorRef}
         className='media-gallery__alt__label'
         onClick={handleClick}

app/javascript/flavours/glitch/components/collapse_button.jsx

@@ -19,6 +19,7 @@ export const CollapseButton = ({ collapsed, setCollapsed }) => {
     if (e.button === 0) {
       setCollapsed(!collapsed);
       e.preventDefault();
+      e.stopPropagation();
     }
   }, [collapsed, setCollapsed]);
 

app/javascript/flavours/glitch/components/content_warning.tsx

@@ -17,9 +17,15 @@ export const ContentWarning: React.FC<{
       aria-expanded={expanded}
     >
       {expanded ? (
-        <FormattedMessage id='status.show_less' defaultMessage='Show less' />
+        <FormattedMessage
+          id='content_warning.hide'
+          defaultMessage='Hide post'
+        />
       ) : (
-        <FormattedMessage id='status.show_more' defaultMessage='Show more' />
+        <FormattedMessage
+          id='content_warning.show_more'
+          defaultMessage='Show more'
+        />
       )}
       {icons}
     </button>

app/javascript/flavours/glitch/components/filter_warning.tsx

@@ -10,13 +10,16 @@ export const FilterWarning: React.FC<{
   <StatusBanner
     expanded={expanded}
     onClick={onClick}
-    variant={BannerVariant.Blue}
+    variant={BannerVariant.Filter}
   >
     <p>
       <FormattedMessage
         id='filter_warning.matches_filter'
-        defaultMessage='Matches filter “{title}”'
-        values={{ title }}
+        defaultMessage='Matches filter “<span>{title}</span>”'
+        values={{
+          title,
+          span: (chunks) => <span className='filter-name'>{chunks}</span>,
+        }}
       />
     </p>
   </StatusBanner>

app/javascript/flavours/glitch/components/media_gallery.jsx

@@ -98,12 +98,12 @@ class Item extends PureComponent {
       height = 50;
     }
 
-    if (attachment.get('description')?.length > 0) {
-      badges.push(<AltTextBadge key='alt' description={attachment.get('description')} />);
-    }
-
     const description = attachment.getIn(['translation', 'description']) || attachment.get('description');
 
+    if (description?.length > 0) {
+      badges.push(<AltTextBadge key='alt' description={description} />);
+    }
+
     if (attachment.get('type') === 'unknown') {
       return (
         <div className={classNames('media-gallery__item', { standalone, 'media-gallery__item--tall': height === 100, 'media-gallery__item--wide': width === 100 })} key={attachment.get('id')}>

app/javascript/flavours/glitch/components/status.jsx

@@ -372,26 +372,29 @@ class Status extends ImmutablePureComponent {
     const { isCollapsed } = this.state;
     if (!history) return;
 
-    if (e.button === 0 && !(e.ctrlKey || e.altKey || e.metaKey)) {
-      if (isCollapsed) this.setCollapsed(false);
-      else if (e.shiftKey) {
-        this.setCollapsed(true);
-        document.getSelection().removeAllRanges();
-      } else if (this.props.onClick) {
-        this.props.onClick();
-        return;
-      } else {
-        if (destination === undefined) {
-          destination = `/@${
-            status.getIn(['reblog', 'account', 'acct'], status.getIn(['account', 'acct']))
-          }/${
-            status.getIn(['reblog', 'id'], status.get('id'))
-          }`;
-        }
-        history.push(destination);
-      }
-      e.preventDefault();
+    if (e.button !== 0 || e.ctrlKey || e.altKey || e.metaKey) {
+      return;
     }
+
+    if (isCollapsed) this.setCollapsed(false);
+    else if (e.shiftKey) {
+      this.setCollapsed(true);
+      document.getSelection().removeAllRanges();
+    } else if (this.props.onClick) {
+      this.props.onClick();
+      return;
+    } else {
+      if (destination === undefined) {
+        destination = `/@${
+          status.getIn(['reblog', 'account', 'acct'], status.getIn(['account', 'acct']))
+        }/${
+          status.getIn(['reblog', 'id'], status.get('id'))
+        }`;
+      }
+      history.push(destination);
+    }
+
+    e.preventDefault();
   };
 
   handleToggleMediaVisibility = () => {
@@ -648,7 +651,7 @@ class Status extends ImmutablePureComponent {
             media={status.get('media_attachments')}
           />,
         );
-      } else if (['image', 'gifv'].includes(status.getIn(['media_attachments', 0, 'type'])) || status.get('media_attachments').size > 1) {
+      } else if (['image', 'gifv', 'unknown'].includes(status.getIn(['media_attachments', 0, 'type'])) || status.get('media_attachments').size > 1) {
         media.push(
           <Bundle fetchComponent={MediaGallery} loading={this.renderLoadingMediaGallery}>
             {Component => (
@@ -806,7 +809,8 @@ class Status extends ImmutablePureComponent {
             {(connectReply || connectUp || connectToRoot) && <div className={classNames('status__line', { 'status__line--full': connectReply, 'status__line--first': !status.get('in_reply_to_id') && !connectToRoot })} />}
 
             {(!muted || !isCollapsed) && (
-              <header className='status__info'>
+              /* eslint-disable-next-line jsx-a11y/no-static-element-interactions */
+              <header onClick={this.parseClick} className='status__info'>
                 <StatusHeader
                   status={status}
                   friend={account}

app/javascript/flavours/glitch/components/status_action_bar.jsx

@@ -233,7 +233,7 @@ class StatusActionBar extends ImmutablePureComponent {
       menu.push({ text: intl.formatMessage(messages.share), action: this.handleShareClick });
     }
 
-    if (publicStatus && (signedIn || !isRemote)) {
+    if (publicStatus && !isRemote) {
       menu.push({ text: intl.formatMessage(messages.embed), action: this.handleEmbed });
     }
 

app/javascript/flavours/glitch/components/status_banner.tsx

@@ -1,8 +1,8 @@
 import { FormattedMessage } from 'react-intl';
 
 export enum BannerVariant {
-  Yellow = 'yellow',
-  Blue = 'blue',
+  Warning = 'warning',
+  Filter = 'filter',
 }
 
 export const StatusBanner: React.FC<{
@@ -11,9 +11,9 @@ export const StatusBanner: React.FC<{
   expanded?: boolean;
   onClick?: () => void;
 }> = ({ children, variant, expanded, onClick }) => (
-  <div
+  <label
     className={
-      variant === BannerVariant.Yellow
+      variant === BannerVariant.Warning
         ? 'content-warning'
         : 'content-warning content-warning--filter'
     }
@@ -26,6 +26,11 @@ export const StatusBanner: React.FC<{
           id='content_warning.hide'
           defaultMessage='Hide post'
         />
+      ) : variant === BannerVariant.Warning ? (
+        <FormattedMessage
+          id='content_warning.show_more'
+          defaultMessage='Show more'
+        />
       ) : (
         <FormattedMessage
           id='content_warning.show'
@@ -33,5 +38,5 @@ export const StatusBanner: React.FC<{
         />
       )}
     </button>
-  </div>
+  </label>
 );

app/javascript/flavours/glitch/components/status_header.jsx

@@ -18,15 +18,10 @@ export default class StatusHeader extends PureComponent {
     parseClick: PropTypes.func.isRequired,
   };
 
-  //  Handles clicks on account name/image
-  handleClick = (acct, e) => {
-    const { parseClick } = this.props;
-    parseClick(e, `/@${acct}`);
-  };
-
   handleAccountClick = (e) => {
-    const { status } = this.props;
-    this.handleClick(status.getIn(['account', 'acct']), e);
+    const { status, parseClick } = this.props;
+    parseClick(e, `/@${status.getIn(['account', 'acct'])}`);
+    e.stopPropagation();
   };
 
   //  Rendering.

app/javascript/flavours/glitch/containers/compose_container.jsx

@@ -1,6 +1,7 @@
 import { Provider } from 'react-redux';
 
 import { fetchCustomEmojis } from 'flavours/glitch/actions/custom_emojis';
+import { fetchServer } from 'flavours/glitch/actions/server';
 import { hydrateStore } from 'flavours/glitch/actions/store';
 import { Router } from 'flavours/glitch/components/router';
 import Compose from 'flavours/glitch/features/standalone/compose';
@@ -13,6 +14,7 @@ if (initialState) {
 }
 
 store.dispatch(fetchCustomEmojis());
+store.dispatch(fetchServer());
 
 const ComposeContainer = () => (
   <IntlProvider>

app/javascript/flavours/glitch/entrypoints/sign_up.ts

@@ -4,9 +4,12 @@ import axios from 'axios';
 import ready from 'flavours/glitch/ready';
 
 async function checkConfirmation() {
-  const response = await axios.get('/api/v1/emails/check_confirmation');
+  const response = await axios.get('/api/v1/emails/check_confirmation', {
+    headers: { Accept: 'application/json' },
+    withCredentials: true,
+  });
 
-  if (response.data) {
+  if (response.status === 200 && response.data === true) {
     window.location.href = '/start';
   }
 }

app/javascript/flavours/glitch/features/bookmarked_statuses/index.jsx

@@ -100,6 +100,7 @@ class Bookmarks extends ImmutablePureComponent {
           onLoadMore={this.handleLoadMore}
           emptyMessage={emptyMessage}
           bindToDocument={!multiColumn}
+          timelineId='bookmarks'
         />
 
         <Helmet>

app/javascript/flavours/glitch/features/community_timeline/components/column_settings.jsx

@@ -27,15 +27,19 @@ class ColumnSettings extends PureComponent {
 
     return (
       <div className='column-settings'>
-        <div className='column-settings__row'>
-          <SettingToggle settings={settings} settingPath={['other', 'onlyMedia']} onChange={onChange} label={<FormattedMessage id='community.column_settings.media_only' defaultMessage='Media only' />} />
-        </div>
+        <section>
+          <div className='column-settings__row'>
+            <SettingToggle settings={settings} settingPath={['other', 'onlyMedia']} onChange={onChange} label={<FormattedMessage id='community.column_settings.media_only' defaultMessage='Media only' />} />
+          </div>
+        </section>
 
-        <span className='column-settings__section'><FormattedMessage id='home.column_settings.advanced' defaultMessage='Advanced' /></span>
+        <section>
+          <span className='column-settings__section'><FormattedMessage id='home.column_settings.advanced' defaultMessage='Advanced' /></span>
 
-        <div className='column-settings__row'>
-          <SettingText settings={settings} settingPath={['regex', 'body']} onChange={onChange} label={intl.formatMessage(messages.filter_regex)} />
-        </div>
+          <div className='column-settings__row'>
+            <SettingText settings={settings} settingPath={['regex', 'body']} onChange={onChange} label={intl.formatMessage(messages.filter_regex)} />
+          </div>
+        </section>
       </div>
     );
   }

app/javascript/flavours/glitch/features/emoji/emoji.js

@@ -97,30 +97,30 @@ const emojifyTextNode = (node, customEmojis) => {
       const { filename, shortCode } = unicodeMapping[unicode_emoji];
       const title = shortCode ? `:${shortCode}:` : '';
 
-      replacement = document.createElement('picture');
-
       const isSystemTheme = !!document.body?.classList.contains('theme-system');
 
-      if(isSystemTheme) {
-        let source = document.createElement('source');
-        source.setAttribute('media', '(prefers-color-scheme: dark)');
-        source.setAttribute('srcset', `${assetHost}/emoji/${emojiFilename(filename, "dark")}.svg`);
-        replacement.appendChild(source);
-      }
+      const theme = (isSystemTheme || document.body?.classList.contains('theme-mastodon-light')) ? 'light' : 'dark';
 
-      let img = document.createElement('img');
+      const imageFilename = emojiFilename(filename, theme);
+
+      const img = document.createElement('img');
       img.setAttribute('draggable', 'false');
       img.setAttribute('class', 'emojione');
       img.setAttribute('alt', unicode_emoji);
       img.setAttribute('title', title);
+      img.setAttribute('src', `${assetHost}/emoji/${imageFilename}.svg`);
 
-      let theme = "light";
+      if (isSystemTheme && imageFilename !== emojiFilename(filename, 'dark')) {
+        replacement = document.createElement('picture');
 
-      if(!isSystemTheme && !document.body?.classList.contains('skin-mastodon-light'))
-        theme = "dark";
-
-      img.setAttribute('src', `${assetHost}/emoji/${emojiFilename(filename, theme)}.svg`);
-      replacement.appendChild(img);
+        const source = document.createElement('source');
+        source.setAttribute('media', '(prefers-color-scheme: dark)');
+        source.setAttribute('srcset', `${assetHost}/emoji/${emojiFilename(filename, 'dark')}.svg`);
+        replacement.appendChild(source);
+        replacement.appendChild(img);
+      } else {
+        replacement = img;
+      }
     }
 
     // Add the processed-up-to-now string and the emoji replacement
@@ -135,7 +135,7 @@ const emojifyTextNode = (node, customEmojis) => {
 };
 
 const emojifyNode = (node, customEmojis) => {
-  for (const child of node.childNodes) {
+  for (const child of Array.from(node.childNodes)) {
     switch(child.nodeType) {
     case Node.TEXT_NODE:
       emojifyTextNode(child, customEmojis);

app/javascript/flavours/glitch/features/favourited_statuses/index.jsx

@@ -100,6 +100,7 @@ class Favourites extends ImmutablePureComponent {
           onLoadMore={this.handleLoadMore}
           emptyMessage={emptyMessage}
           bindToDocument={!multiColumn}
+          timelineId='favourites'
         />
 
         <Helmet>

app/javascript/flavours/glitch/features/home_timeline/components/inline_follow_suggestions.jsx

@@ -129,8 +129,13 @@ export const InlineFollowSuggestions = ({ hidden }) => {
       return;
     }
 
-    setCanScrollLeft(bodyRef.current.scrollLeft > 0);
-    setCanScrollRight((bodyRef.current.scrollLeft + bodyRef.current.clientWidth) < bodyRef.current.scrollWidth);
+    if (getComputedStyle(bodyRef.current).direction === 'rtl') {
+      setCanScrollLeft((bodyRef.current.clientWidth - bodyRef.current.scrollLeft) < bodyRef.current.scrollWidth);
+      setCanScrollRight(bodyRef.current.scrollLeft < 0);
+    } else {
+      setCanScrollLeft(bodyRef.current.scrollLeft > 0);
+      setCanScrollRight((bodyRef.current.scrollLeft + bodyRef.current.clientWidth) < bodyRef.current.scrollWidth);
+    }
   }, [setCanScrollRight, setCanScrollLeft, bodyRef, suggestions]);
 
   const handleLeftNav = useCallback(() => {
@@ -146,8 +151,13 @@ export const InlineFollowSuggestions = ({ hidden }) => {
       return;
     }
 
-    setCanScrollLeft(bodyRef.current.scrollLeft > 0);
-    setCanScrollRight((bodyRef.current.scrollLeft + bodyRef.current.clientWidth) < bodyRef.current.scrollWidth);
+    if (getComputedStyle(bodyRef.current).direction === 'rtl') {
+      setCanScrollLeft((bodyRef.current.clientWidth - bodyRef.current.scrollLeft) < bodyRef.current.scrollWidth);
+      setCanScrollRight(bodyRef.current.scrollLeft < 0);
+    } else {
+      setCanScrollLeft(bodyRef.current.scrollLeft > 0);
+      setCanScrollRight((bodyRef.current.scrollLeft + bodyRef.current.clientWidth) < bodyRef.current.scrollWidth);
+    }
   }, [setCanScrollRight, setCanScrollLeft, bodyRef]);
 
   const handleDismiss = useCallback(() => {

app/javascript/flavours/glitch/features/local_settings/page/index.jsx

@@ -169,6 +169,15 @@ class LocalSettingsPage extends PureComponent {
             <FormattedMessage id='settings.wide_view' defaultMessage='Wide view (Desktop mode only)' />
             <span className='hint'><FormattedMessage id='settings.wide_view_hint' defaultMessage='Stretches columns to better fill the available space.' /></span>
           </LocalSettingsPageItem>
+          <LocalSettingsPageItem
+            settings={settings}
+            item={['fullwidth_columns']}
+            id='mastodon-settings--fullwidth_columns'
+            onChange={onChange}
+          >
+            <FormattedMessage id='settings.fullwidth_view' defaultMessage='Stretch columns to full width (Desktop mode only)' />
+            <span className='hint'><FormattedMessage id='settings.fullwidth_view_hint' defaultMessage='Stretches columns to fill all the available space.' /></span>
+          </LocalSettingsPageItem>
         </section>
       </div>
     ),

app/javascript/flavours/glitch/features/notifications/components/column_settings.jsx

@@ -40,6 +40,7 @@ class ColumnSettings extends PureComponent {
     const alertStr = <FormattedMessage id='notifications.column_settings.alert' defaultMessage='Desktop notifications' />;
     const showStr = <FormattedMessage id='notifications.column_settings.show' defaultMessage='Show in column' />;
     const soundStr = <FormattedMessage id='notifications.column_settings.sound' defaultMessage='Play sound' />;
+    const groupStr = <FormattedMessage id='notifications.column_settings.group' defaultMessage='Group' />;
 
     const showPushSettings = pushSettings.get('browserSupport') && pushSettings.get('isSubscribed');
     const pushStr = showPushSettings && <FormattedMessage id='notifications.column_settings.push' defaultMessage='Push notifications' />;
@@ -96,6 +97,10 @@ class ColumnSettings extends PureComponent {
             <PillBarButton prefix='notifications' settings={settings} settingPath={['shows', 'follow']} onChange={onChange} label={showStr} />
             <PillBarButton prefix='notifications' settings={settings} settingPath={['sounds', 'follow']} onChange={onChange} label={soundStr} />
           </div>
+
+          <div className='column-settings__row'>
+            <SettingToggle prefix='notifications' settings={settings} settingPath={['group', 'follow']} onChange={onChange} label={groupStr} />
+          </div>
         </section>
 
         <section role='group' aria-labelledby='notifications-follow-request'>

app/javascript/flavours/glitch/features/notifications/containers/column_settings_container.js

@@ -56,11 +56,12 @@ const mapDispatchToProps = (dispatch) => ({
       } else {
         dispatch(changeSetting(['notifications', ...path], checked));
       }
-    } else if(path[0] === 'groupingBeta') {
-      dispatch(changeSetting(['notifications', ...path], checked));
-      dispatch(initializeNotifications());
     } else {
       dispatch(changeSetting(['notifications', ...path], checked));
+
+      if(path[0] === 'group' && path[1] === 'follow') {
+        dispatch(initializeNotifications());
+      }
     }
   },
 

app/javascript/flavours/glitch/features/notifications_v2/components/notification_follow.tsx

@@ -1,16 +1,19 @@
 import { FormattedMessage } from 'react-intl';
 
+import { Link } from 'react-router-dom';
+
 import PersonAddIcon from '@/material-icons/400-24px/person_add-fill.svg?react';
 import { FollowersCounter } from 'flavours/glitch/components/counters';
 import { FollowButton } from 'flavours/glitch/components/follow_button';
 import { ShortNumber } from 'flavours/glitch/components/short_number';
+import { me } from 'flavours/glitch/initial_state';
 import type { NotificationGroupFollow } from 'flavours/glitch/models/notification_group';
 import { useAppSelector } from 'flavours/glitch/store';
 
 import type { LabelRenderer } from './notification_group_with_status';
 import { NotificationGroupWithStatus } from './notification_group_with_status';
 
-const labelRenderer: LabelRenderer = (displayedName, total) => {
+const labelRenderer: LabelRenderer = (displayedName, total, seeMoreHref) => {
   if (total === 1)
     return (
       <FormattedMessage
@@ -23,10 +26,12 @@ const labelRenderer: LabelRenderer = (displayedName, total) => {
   return (
     <FormattedMessage
       id='notification.follow.name_and_others'
-      defaultMessage='{name} and {count, plural, one {# other} other {# others}} followed you'
+      defaultMessage='{name} and <a>{count, plural, one {# other} other {# others}}</a> followed you'
       values={{
         name: displayedName,
         count: total - 1,
+        a: (chunks) =>
+          seeMoreHref ? <Link to={seeMoreHref}>{chunks}</Link> : chunks,
       }}
     />
   );
@@ -46,6 +51,10 @@ export const NotificationFollow: React.FC<{
   notification: NotificationGroupFollow;
   unread: boolean;
 }> = ({ notification, unread }) => {
+  const username = useAppSelector(
+    (state) => state.accounts.getIn([me, 'username']) as string,
+  );
+
   let actions: JSX.Element | undefined;
   let additionalContent: JSX.Element | undefined;
 
@@ -68,6 +77,7 @@ export const NotificationFollow: React.FC<{
       timestamp={notification.latest_page_notification_at}
       count={notification.notifications_count}
       labelRenderer={labelRenderer}
+      labelSeeMoreHref={`/@${username}/followers`}
       unread={unread}
       actions={actions}
       additionalContent={additionalContent}

app/javascript/flavours/glitch/features/notifications_v2/components/notification_with_status.tsx

@@ -16,6 +16,7 @@ import {
 import type { IconProp } from 'flavours/glitch/components/icon';
 import { Icon } from 'flavours/glitch/components/icon';
 import Status from 'flavours/glitch/containers/status_container';
+import { getStatusHidden } from 'flavours/glitch/selectors/filters';
 import { useAppSelector, useAppDispatch } from 'flavours/glitch/store';
 
 import { DisplayedName } from './displayed_name';
@@ -51,6 +52,12 @@ export const NotificationWithStatus: React.FC<{
     (state) => state.statuses.getIn([statusId, 'visibility']) === 'direct',
   );
 
+  const isFiltered = useAppSelector(
+    (state) =>
+      statusId &&
+      getStatusHidden(state, { id: statusId, contextType: 'notifications' }),
+  );
+
   const handlers = useMemo(
     () => ({
       open: () => {
@@ -77,7 +84,7 @@ export const NotificationWithStatus: React.FC<{
     [dispatch, statusId],
   );
 
-  if (!statusId) return null;
+  if (!statusId || isFiltered) return null;
 
   return (
     <HotKeys handlers={handlers}>

app/javascript/flavours/glitch/features/notifications_v2/filter_bar.tsx

@@ -14,6 +14,7 @@ import { Icon } from 'flavours/glitch/components/icon';
 import {
   selectSettingsNotificationsQuickFilterActive,
   selectSettingsNotificationsQuickFilterAdvanced,
+  selectSettingsNotificationsQuickFilterShow,
 } from 'flavours/glitch/selectors/settings';
 import { useAppDispatch, useAppSelector } from 'flavours/glitch/store';
 
@@ -65,6 +66,11 @@ export const FilterBar: React.FC = () => {
   const advancedMode = useAppSelector(
     selectSettingsNotificationsQuickFilterAdvanced,
   );
+  const useFilterBar = useAppSelector(
+    selectSettingsNotificationsQuickFilterShow,
+  );
+
+  if (!useFilterBar) return null;
 
   if (advancedMode)
     return (

app/javascript/flavours/glitch/features/picture_in_picture/components/footer.jsx

@@ -14,6 +14,8 @@ import RepeatIcon from '@/material-icons/400-24px/repeat.svg?react';
 import ReplyIcon from '@/material-icons/400-24px/reply.svg?react';
 import ReplyAllIcon from '@/material-icons/400-24px/reply_all.svg?react';
 import StarIcon from '@/material-icons/400-24px/star.svg?react';
+import RepeatDisabledIcon from '@/svg-icons/repeat_disabled.svg?react';
+import RepeatPrivateIcon from '@/svg-icons/repeat_private.svg?react';
 import { replyCompose } from 'flavours/glitch/actions/compose';
 import { toggleReblog, toggleFavourite } from 'flavours/glitch/actions/interactions';
 import { openModal } from 'flavours/glitch/actions/modal';
@@ -161,16 +163,20 @@ class Footer extends ImmutablePureComponent {
       replyTitle = intl.formatMessage(messages.replyAll);
     }
 
-    let reblogTitle = '';
+    let reblogTitle, reblogIconComponent;
 
     if (status.get('reblogged')) {
       reblogTitle = intl.formatMessage(messages.cancel_reblog_private);
+      reblogIconComponent = publicStatus ? RepeatIcon : RepeatPrivateIcon;
     } else if (publicStatus) {
       reblogTitle = intl.formatMessage(messages.reblog);
+      reblogIconComponent = RepeatIcon;
     } else if (reblogPrivate) {
       reblogTitle = intl.formatMessage(messages.reblog_private);
+      reblogIconComponent = RepeatPrivateIcon;
     } else {
       reblogTitle = intl.formatMessage(messages.cannot_reblog);
+      reblogIconComponent = RepeatDisabledIcon;
     }
 
     let replyButton = null;
@@ -201,7 +207,7 @@ class Footer extends ImmutablePureComponent {
     return (
       <div className='picture-in-picture__footer'>
         {replyButton}
-        <IconButton className={classNames('status__action-bar-button', { reblogPrivate })} disabled={!publicStatus && !reblogPrivate}  active={status.get('reblogged')} title={reblogTitle} icon='retweet' iconComponent={RepeatIcon} onClick={this.handleReblogClick} counter={status.get('reblogs_count')} />
+        <IconButton className={classNames('status__action-bar-button', { reblogPrivate })} disabled={!publicStatus && !reblogPrivate}  active={status.get('reblogged')} title={reblogTitle} icon='retweet' iconComponent={reblogIconComponent} onClick={this.handleReblogClick} counter={status.get('reblogs_count')} />
         <IconButton className='status__action-bar-button star-icon' animate active={status.get('favourited')} title={intl.formatMessage(messages.favourite)} icon='star' iconComponent={StarIcon} onClick={this.handleFavouriteClick} counter={status.get('favourites_count')} />
         {withOpenButton && <IconButton className='status__action-bar-button' title={intl.formatMessage(messages.open)} icon='external-link' iconComponent={OpenInNewIcon} onClick={this.handleOpenClick} href={status.get('url')} />}
       </div>

app/javascript/flavours/glitch/features/status/components/card.jsx

@@ -26,18 +26,23 @@ const getHostname = url => {
 
 const domParser = new DOMParser();
 
-const addAutoPlay = html => {
+const handleIframeUrl = (html, url, providerName) => {
   const document = domParser.parseFromString(html, 'text/html').documentElement;
   const iframe = document.querySelector('iframe');
+  const startTime = new URL(url).searchParams.get('t');
 
   if (iframe) {
-    if (iframe.src.indexOf('?') !== -1) {
-      iframe.src += '&';
-    } else {
-      iframe.src += '?';
+    const iframeUrl = new URL(iframe.src);
+
+    iframeUrl.searchParams.set('autoplay', 1);
+    iframeUrl.searchParams.set('auto_play', 1);
+
+    if (providerName === 'YouTube') {
+      iframeUrl.searchParams.set('start', startTime || '');
+      iframe.referrerPolicy = 'strict-origin-when-cross-origin';
     }
 
-    iframe.src += 'autoplay=1&auto_play=1';
+    iframe.src = iframeUrl.href;
 
     // DOM parser creates html/body elements around original HTML fragment,
     // so we need to get innerHTML out of the body and not the entire document
@@ -103,7 +108,7 @@ export default class Card extends PureComponent {
 
   renderVideo () {
     const { card } = this.props;
-    const content = { __html: addAutoPlay(card.get('html')) };
+    const content = { __html: handleIframeUrl(card.get('html'), card.get('url'), card.get('provider_name')) };
 
     return (
       <div

app/javascript/flavours/glitch/features/status/components/detailed_status.tsx

@@ -14,6 +14,7 @@ import { Link } from 'react-router-dom';
 import { AnimatedNumber } from 'flavours/glitch/components/animated_number';
 import AttachmentList from 'flavours/glitch/components/attachment_list';
 import EditedTimestamp from 'flavours/glitch/components/edited_timestamp';
+import { FilterWarning } from 'flavours/glitch/components/filter_warning';
 import type { StatusLike } from 'flavours/glitch/components/hashtag_bar';
 import { getHashtagBarForStatus } from 'flavours/glitch/components/hashtag_bar';
 import { IconLogo } from 'flavours/glitch/components/logo';
@@ -72,6 +73,7 @@ export const DetailedStatus: React.FC<{
 }) => {
   const properStatus = status?.get('reblog') ?? status;
   const [height, setHeight] = useState(0);
+  const [showDespiteFilter, setShowDespiteFilter] = useState(false);
   const nodeRef = useRef<HTMLDivElement>();
   const history = useAppHistory();
 
@@ -108,6 +110,10 @@ export const DetailedStatus: React.FC<{
     [onOpenVideo, status],
   );
 
+  const handleFilterToggle = useCallback(() => {
+    setShowDespiteFilter(!showDespiteFilter);
+  }, [showDespiteFilter, setShowDespiteFilter]);
+
   const _measureHeight = useCallback(
     (heightJustChanged?: boolean) => {
       if (measureHeight && nodeRef.current) {
@@ -196,7 +202,7 @@ export const DetailedStatus: React.FC<{
     ) {
       media.push(<AttachmentList media={status.get('media_attachments')} />);
     } else if (
-      ['image', 'gifv'].includes(
+      ['image', 'gifv', 'unknown'].includes(
         status.getIn(['media_attachments', 0, 'type']) as string,
       ) ||
       status.get('media_attachments').size > 1
@@ -273,12 +279,12 @@ export const DetailedStatus: React.FC<{
       );
       mediaIcons.push('video-camera');
     }
-  } else if (status.get('spoiler_text').length === 0) {
+  } else if (status.get('card')) {
     media.push(
       <Card
         sensitive={status.get('sensitive')}
         onOpenMedia={onOpenMedia}
-        card={status.get('card', null)}
+        card={status.get('card')}
       />,
     );
     mediaIcons.push('link');
@@ -358,6 +364,8 @@ export const DetailedStatus: React.FC<{
   );
   contentMedia.push(hashtagBar);
 
+  const matchedFilters = status.get('matched_filters');
+
   return (
     <div style={outerStyle}>
       <div
@@ -386,22 +394,32 @@ export const DetailedStatus: React.FC<{
           )}
         </Permalink>
 
-        <StatusContent
-          status={status}
-          media={contentMedia}
-          extraMedia={extraMedia}
-          mediaIcons={contentMediaIcons}
-          expanded={expanded}
-          collapsed={false}
-          onExpandedToggle={onToggleHidden}
-          onTranslate={handleTranslate}
-          onUpdate={handleChildUpdate}
-          tagLinks={tagMisleadingLinks}
-          rewriteMentions={rewriteMentions}
-          parseClick={parseClick}
-          disabled
-          {...(statusContentProps as any)}
-        />
+        {matchedFilters && (
+          <FilterWarning
+            title={matchedFilters.join(', ')}
+            expanded={showDespiteFilter}
+            onClick={handleFilterToggle}
+          />
+        )}
+
+        {(!matchedFilters || showDespiteFilter) && (
+          <StatusContent
+            status={status}
+            media={contentMedia}
+            extraMedia={extraMedia}
+            mediaIcons={contentMediaIcons}
+            expanded={expanded}
+            collapsed={false}
+            onExpandedToggle={onToggleHidden}
+            onTranslate={handleTranslate}
+            onUpdate={handleChildUpdate}
+            tagLinks={tagMisleadingLinks}
+            rewriteMentions={rewriteMentions}
+            parseClick={parseClick}
+            disabled
+            {...(statusContentProps as any)}
+          />
+        )}
 
         <div className='detailed-status__meta'>
           <div className='detailed-status__meta__line'>

app/javascript/flavours/glitch/features/status/index.jsx

@@ -133,7 +133,7 @@ const makeMapStateToProps = () => {
   });
 
   const mapStateToProps = (state, props) => {
-    const status = getStatus(state, { id: props.params.statusId });
+    const status = getStatus(state, { id: props.params.statusId, contextType: 'detailed' });
 
     let ancestorsIds   = Immutable.List();
     let descendantsIds = Immutable.List();

app/javascript/flavours/glitch/features/ui/components/boost_modal.tsx

@@ -136,6 +136,8 @@ export const BoostModal: React.FC<{
                 ? messages.cancel_reblog
                 : messages.reblog,
             )}
+            /* eslint-disable-next-line jsx-a11y/no-autofocus -- We are in the modal */
+            autoFocus
           />
         </div>
       </div>

app/javascript/flavours/glitch/features/ui/components/mute_modal.jsx

@@ -116,6 +116,7 @@ export const MuteModal = ({ accountId, acct }) => {
         <div className='safety-action-modal__bottom__collapsible'>
           <div className='safety-action-modal__field-group'>
             <RadioButtonLabel name='duration' value='0' label={intl.formatMessage(messages.indefinite)} currentValue={muteDuration} onChange={handleChangeMuteDuration} />
+            <RadioButtonLabel name='duration' value='21600' label={intl.formatMessage(messages.hours, { number: 6 })} currentValue={muteDuration} onChange={handleChangeMuteDuration} />
             <RadioButtonLabel name='duration' value='86400' label={intl.formatMessage(messages.hours, { number: 24 })} currentValue={muteDuration} onChange={handleChangeMuteDuration} />
             <RadioButtonLabel name='duration' value='604800' label={intl.formatMessage(messages.days, { number: 7 })} currentValue={muteDuration} onChange={handleChangeMuteDuration} />
             <RadioButtonLabel name='duration' value='2592000' label={intl.formatMessage(messages.days, { number: 30 })} currentValue={muteDuration} onChange={handleChangeMuteDuration} />

app/javascript/flavours/glitch/features/ui/index.jsx

@@ -21,6 +21,7 @@ import { Permalink } from 'flavours/glitch/components/permalink';
 import { PictureInPicture } from 'flavours/glitch/features/picture_in_picture';
 import { identityContextPropShape, withIdentity } from 'flavours/glitch/identity_context';
 import { layoutFromWindow } from 'flavours/glitch/is_mobile';
+import { selectUnreadNotificationGroupsCount } from 'flavours/glitch/selectors/notifications';
 import { WithRouterPropTypes } from 'flavours/glitch/utils/react_router';
 
 import { uploadCompose, resetCompose, changeComposeSpoilerness } from '../../actions/compose';
@@ -90,7 +91,8 @@ const mapStateToProps = state => ({
   hasMediaAttachments: state.getIn(['compose', 'media_attachments']).size > 0,
   canUploadMore: !state.getIn(['compose', 'media_attachments']).some(x => ['audio', 'video'].includes(x.get('type'))) && state.getIn(['compose', 'media_attachments']).size < 4,
   isWide: state.getIn(['local_settings', 'stretch']),
-  unreadNotifications: state.getIn(['notifications', 'unread']),
+  fullWidthColumns: state.getIn(['local_settings', 'fullwidth_columns']),
+  unreadNotifications: selectUnreadNotificationGroupsCount(state),
   showFaviconBadge: state.getIn(['local_settings', 'notifications', 'favicon_badge']),
   hicolorPrivacyIcons: state.getIn(['local_settings', 'hicolor_privacy_icons']),
   moved: state.getIn(['accounts', me, 'moved']) && state.getIn(['accounts', state.getIn(['accounts', me, 'moved'])]),
@@ -269,6 +271,7 @@ class UI extends PureComponent {
     dispatch: PropTypes.func.isRequired,
     children: PropTypes.node,
     isWide: PropTypes.bool,
+    fullWidthColumns: PropTypes.bool,
     systemFontUi: PropTypes.bool,
     isComposing: PropTypes.bool,
     hasComposingText: PropTypes.bool,
@@ -607,6 +610,7 @@ class UI extends PureComponent {
 
     const className = classNames('ui', {
       'wide': isWide,
+      'fullwidth-columns': this.props.fullWidthColumns,
       'system-font': this.props.systemFontUi,
       'hicolor-privacy-icons': this.props.hicolorPrivacyIcons,
     });

app/javascript/flavours/glitch/locales/cs.json

@@ -1,17 +1,55 @@
 {
   "about.fork_disclaimer": "Glitch-soc je svobodný software s otevřeným zdrojovým kódem založený na Mastodonu.",
+  "account.disclaimer_full": "Níže uvedené informace mohou popisovat uživatelský profil neúplně.",
+  "account.follows": "Sleduje",
+  "account.follows_you": "Sleduje vás",
+  "account.suspended_disclaimer_full": "Tento uživatel byl pozastaven moderátorem.",
+  "account.view_full_profile": "Zobrazit celý profil",
   "boost_modal.missing_description": "Příspěvek obsahuje obrázky bez popisků",
+  "column.favourited_by": "Oblíbeno uživatelem",
+  "column.heading": "Různé",
+  "column.reblogged_by": "Boostnuto uživatelem",
   "column.subheading": "Různé",
+  "column_header.profile": "Profil",
+  "column_subheading.lists": "Seznamy",
+  "column_subheading.navigation": "Navigace",
+  "community.column_settings.allow_local_only": "Zobrazit pouze místní tooty",
+  "compose.attach.doodle": "Nakreslete něco",
+  "compose.change_federation": "Změnit nastavení federace",
+  "compose.content-type.change": "Změnit pokročilé možnosti formátování",
+  "compose.content-type.html": "HTML",
+  "compose.content-type.html_meta": "Formátovat příspěvky pomocí HTML",
+  "compose.content-type.markdown": "Markdown",
+  "compose.content-type.markdown_meta": "Formátovat příspěvky pomocí Markdown",
   "compose.content-type.plain": "Prostý text",
+  "compose.content-type.plain_meta": "Psát bez pokročilého formátování",
+  "compose.disable_threaded_mode": "Zakázat režim vláken",
+  "compose.enable_threaded_mode": "Povolit režim vláken",
+  "compose_form.sensitive.hide": "{count, plural, one {Označit médium za citlivé} other {Označit média za citlivá}}",
+  "compose_form.sensitive.marked": "{count, plural, one {Médium je označeno jako citlivé} other {Média jsou označena jako citlivá}}",
+  "compose_form.sensitive.unmarked": "{count, plural, one {Médium není označeno za citlivé} other {Média nejsou označena za citlivá}}",
   "confirmation_modal.do_not_ask_again": "Příště se už neptat",
+  "confirmations.deprecated_settings.confirm": "Použít nastavení Mastodon",
+  "confirmations.deprecated_settings.message": "Některé z glitch-soc, zařízeních specifických {app_settings}, které používáte, byly nahrazeny {preferences} Mastodonu a budou přepsány:",
+  "confirmations.missing_media_description.confirm": "Přesto odeslat",
+  "confirmations.missing_media_description.edit": "Upravit média",
+  "confirmations.missing_media_description.message": "Alespoň jedna příloha nemá popisek. Zvažte popsání všech příloh pro zrakově postižené před odesláním tootu.",
   "direct.group_by_conversations": "Seskupit do konverzací",
   "endorsed_accounts_editor.endorsed_accounts": "Vybrané účty",
+  "favourite_modal.favourite": "Oblíbit si příspěvek?",
+  "federation.federated.long": "Povolit tomuto příspěvku přístup na jiné servery",
+  "federation.federated.short": "Federováno",
+  "federation.local_only.long": "Zabránit tomuto příspěvku v přístupu k jiným serverům",
+  "federation.local_only.short": "Lokální příspěvek",
+  "firehose.column_settings.allow_local_only": "Zobrazit pouze lokální příspěvky ve \"Vše\"",
   "home.column_settings.advanced": "Pokročilé",
   "home.column_settings.filter_regex": "Filtrovat podle regulárních výrazů",
-  "home.column_settings.show_direct": "Zobrazit přímé zprávy",
+  "home.column_settings.show_direct": "Zobrazit soukromé zmínky",
+  "home.settings": "Nastavení sloupců",
   "keyboard_shortcuts.bookmark": "Přidat do záložek",
-  "keyboard_shortcuts.secondary_toot": "Odeslat příspěvek s druhotným nastavením soukromí",
+  "keyboard_shortcuts.secondary_toot": "pro odeslání příspěvku s sekundárním nastavením soukromí",
   "keyboard_shortcuts.toggle_collapse": "Sbalit/rozbalit příspěvek",
+  "moved_to_warning": "Tento účet je označen jako přesunut na {moved_to_link}, a proto nemusí přijímat nové sledování.",
   "navigation_bar.app_settings": "Nastavení aplikace",
   "navigation_bar.featured_users": "Vybraní uživatelé",
   "navigation_bar.keyboard_shortcuts": "Klávesové zkratky",
@@ -22,11 +60,13 @@
   "notification_purge.btn_invert": "Obrátit\nvýběr",
   "notification_purge.btn_none": "Nevybrat\nnic",
   "notification_purge.start": "Čistící režim",
+  "notifications.column_settings.filter_bar.show_bar": "Zobrazit panel filtrů",
   "notifications.marked_clear": "Smazat vybraná oznámení",
   "notifications.marked_clear_confirmation": "Určitě chcete trvale smazat všechna vybraná oznámení?",
   "settings.always_show_spoilers_field": "Vždy zobrazit pole pro varování o obsahu",
   "settings.auto_collapse": "Automaticky sbalit",
   "settings.auto_collapse_all": "Všechno",
+  "settings.auto_collapse_height": "Výška (v pixelech) pro toot považována za dlouhou",
   "settings.auto_collapse_lengthy": "Dlouhé příspěvky",
   "settings.auto_collapse_media": "Příspěvky s přílohami",
   "settings.auto_collapse_notifications": "Oznámení",
@@ -50,6 +90,8 @@
   "settings.enable_collapsed": "Povolit sbalené příspěvky",
   "settings.enable_collapsed_hint": "U sbalených příspěvků je část jejich obsahu skrytá, aby zabraly méně místa na obrazovce. (Tohle není stejná funkce jako varování o obsahu.)",
   "settings.enable_content_warnings_auto_unfold": "Vždy rozbalit příspěvky označené varováním o obsahu",
+  "settings.fullwidth_view": "Roztáhnout sloupce na celou šířku (pouze ve verzi pro počítač)",
+  "settings.fullwidth_view_hint": "Sloupce se roztáhnou, aby vyplnily veškerý dostupný prostor.",
   "settings.general": "Obecné",
   "settings.hicolor_privacy_icons": "Barevné ikony soukromí",
   "settings.hicolor_privacy_icons.hint": "Zobrazit ikony úrovně soukromí příspěvků v jasných, snadno rozlišitelných barvách",
@@ -73,17 +115,18 @@
   "settings.pop_in_player": "Povolit plovoucí okno přehrávače",
   "settings.pop_in_position": "Pozice plovoucího okna:",
   "settings.pop_in_right": "Vpravo",
-  "settings.preferences": "Předvolby",
+  "settings.preferences": "Uživatelské předvolby",
   "settings.prepend_cw_re": "Při odpovídání přidat před varování o obsahu “re: ”",
-  "settings.preselect_on_reply": "Při odpovědi označit uživatelská jména",
+  "settings.preselect_on_reply": "Při odpovědi před-vybrat uživatelská jména",
   "settings.preselect_on_reply_hint": "Při odpovídání na konverzaci s více účastníky se jména všech kromě prvního označí, aby šla jednoduše smazat",
   "settings.rewrite_mentions": "Přepsat zmínky v zobrazených příspěvcích",
   "settings.rewrite_mentions_acct": "Přepsat uživatelským jménem a doménou (pokud je účet na jiném serveru)",
   "settings.rewrite_mentions_no": "Nepřepisovat zmínky",
   "settings.rewrite_mentions_username": "Přepsat uživatelským jménem",
-  "settings.shared_settings_link": "předvolbách Mastodonu",
+  "settings.shared_settings_link": "uživatelské předvolby",
   "settings.show_action_bar": "Zobrazit ve sbalených příspěvcích tlačítka s akcemi",
   "settings.show_content_type_choice": "Zobrazit volbu formátu příspěvku",
+  "settings.show_published_toast": "Zobrazit gratulaci při publikování/ukládání příspěvku",
   "settings.show_reply_counter": "Zobrazit odhad počtu odpovědí",
   "settings.side_arm": "Vedlejší odesílací tlačítko:",
   "settings.side_arm.none": "Žádné",
@@ -92,22 +135,26 @@
   "settings.side_arm_reply_mode.keep": "Použít svou nastavenou úroveň soukromí",
   "settings.side_arm_reply_mode.restrict": "Zvýšit úroveň soukromí nejméně na úroveň příspěvku, na který odpovídáte",
   "settings.status_icons": "Ikony u příspěvků",
-  "settings.status_icons_language": "Indikace jazyk",
+  "settings.status_icons_language": "Indikátor jazyka",
   "settings.status_icons_local_only": "Indikace lokálního příspěvku",
   "settings.status_icons_media": "Indikace obrázků a anket",
   "settings.status_icons_reply": "Indikace odpovědi",
   "settings.status_icons_visibility": "Indikace úrovně soukromí",
+  "settings.swipe_to_change_columns": "Povolit změnu sloupců přejetím (pouze na mobilním telefonu)",
   "settings.tag_misleading_links": "Označit zavádějící odkazy",
   "settings.tag_misleading_links.hint": "Zobrazit skutečný cíl u každého odkazu, který ho explicitně nezmiňuje",
   "settings.wide_view": "Široké sloupce (pouze v režimu Desktop)",
-  "settings.wide_view_hint": "Sloupce se roztáhnout, aby lépe vyplnily dostupný prostor.",
+  "settings.wide_view_hint": "Sloupce se roztáhnou, aby lépe vyplnily dostupný prostor.",
   "status.collapse": "Sbalit",
+  "status.filtered": "Filtrováno",
   "status.has_audio": "Obsahuje audio",
   "status.has_pictures": "Obsahuje obrázky",
   "status.has_preview_card": "Obsahuje náhled odkazu",
   "status.has_video": "Obsahuje video",
+  "status.hide": "Skrýt příspěvek",
   "status.in_reply_to": "Tento příspěvek je odpověď",
   "status.is_poll": "Tento příspěvek je anketa",
   "status.local_only": "Viditelné pouze z vaší instance",
+  "status.show_filter_reason": "Přesto zobrazit",
   "status.uncollapse": "Rozbalit"
 }

app/javascript/flavours/glitch/locales/de.json

@@ -154,7 +154,5 @@
   "status.is_poll": "Dieser Toot ist eine Umfrage",
   "status.local_only": "Nur auf deiner Instanz sichtbar",
   "status.show_filter_reason": "Trotzdem anzeigen",
-  "status.show_less": "Weniger anzeigen",
-  "status.show_more": "Mehr anzeigen",
   "status.uncollapse": "Ausklappen"
 }

app/javascript/flavours/glitch/locales/el.json

@@ -1,4 +1,134 @@
 {
-  "settings.content_warnings": "Content warnings",
-  "settings.preferences": "Preferences"
+  "about.fork_disclaimer": "Το Glitch-soc είναι ελεύθερο λογισμικό ανοιχτού κώδικα που είναι αντιγραφή από το Mastodon.",
+  "account.disclaimer_full": "Οι παρακάτω πληροφορίες μπορεί να αντικατοπτρίζουν το προφίλ του χρήστη ελλιπώς.",
+  "account.follows": "Ακολουθεί",
+  "account.follows_you": "Σε ακολουθεί",
+  "account.suspended_disclaimer_full": "Αυτός ο χρήστης έχει ανασταλεί από έναν συντονιστή.",
+  "account.view_full_profile": "Προβολή πλήρους προφίλ",
+  "boost_modal.missing_description": "Αυτό το τουτ περιέχει κάποια μέσα χωρίς περιγραφή",
+  "column.favourited_by": "Αγαπήθηκε από",
+  "column.heading": "Διάφορα",
+  "column.reblogged_by": "Ενισχύθηκε από",
+  "column.subheading": "Διάφορες επιλογές",
+  "column_header.profile": "Προφίλ",
+  "column_subheading.lists": "Λίστες",
+  "column_subheading.navigation": "Πλοήγηση",
+  "community.column_settings.allow_local_only": "Εμφάνιση τοπικών τουτ",
+  "compose.attach.doodle": "Σχεδίασε κάτι",
+  "compose.change_federation": "Αλλαγή ρυθμίσεων ομοσπονδίας",
+  "compose.content-type.change": "Αλλαγή προηγμένων επιλογών μορφοποίησης",
+  "compose.content-type.html": "HTML",
+  "compose.content-type.html_meta": "Μορφοποίηση των αναρτήσεων σας με χρήση HTML",
+  "compose.content-type.markdown": "Markdown",
+  "compose.content-type.markdown_meta": "Μορφοποίηση των αναρτήσεων σας με χρήση Markdown",
+  "compose.content-type.plain": "Απλό κείμενο",
+  "compose.content-type.plain_meta": "Γράψιμο χωρίς προηγμένη μορφοποίηση",
+  "compose.disable_threaded_mode": "Απενεργοποίηση λειτουργίας νημάτων",
+  "compose.enable_threaded_mode": "Ενεργοποίηση λειτουργίας νημάτων",
+  "compose_form.sensitive.hide": "{count, plural, one {Επισήμανση πολυμέσου ως ευαίσθητο} other {Επισήμανση πολυμέσων ως ευαίσθητα}}",
+  "compose_form.sensitive.marked": "{count, plural, one {Το πολυμέσο έχει σημανθεί ως ευαίσθητο} other {Τα πολυμέσα έχουν σημανθεί ως ευαίσθητα}}",
+  "compose_form.sensitive.unmarked": "{count, plural, one {Το πολυμέσο δεν έχει σημανθεί ως ευαίσθητο} other {Τα πολυμέσα δεν έχουν σημανθεί ως ευαίσθητα}}",
+  "confirmation_modal.do_not_ask_again": "Να μην ζητηθεί επιβεβαίωση ξανά",
+  "confirmations.deprecated_settings.confirm": "Χρήση προτιμήσεων του Mastodon",
+  "confirmations.missing_media_description.confirm": "Αποστολή ούτως ή άλλως",
+  "confirmations.missing_media_description.edit": "Επεξεργασία πολυμέσου",
+  "confirmations.missing_media_description.message": "Τουλάχιστον ένα συνημμένο πολυμέσων δεν έχει περιγραφή. Σκεφτείτε να προσθέσετε περιγραφή σε όλα τα συνημμένα πολυμέσων για τα άτομα με προβλήματα όρασης πριν από την αποστολή του τουτ σας.",
+  "direct.group_by_conversations": "Ομαδοποίηση ανά συζήτηση",
+  "endorsed_accounts_editor.endorsed_accounts": "Αναδεικνυόμενοι λογαριασμοί",
+  "favourite_modal.favourite": "Αγάπησε την ανάρτηση;",
+  "federation.federated.long": "Επιτρέψτε σε αυτήν την ανάρτηση να φτάσει σε άλλους διακομιστές",
+  "federation.local_only.long": "Αποτρέψτε αυτήν την ανάρτηση να φτάσει σε άλλους διακομιστές",
+  "federation.local_only.short": "Τοπικά μόνο",
+  "firehose.column_settings.allow_local_only": "Εμφάνιση τοπικών αναρτήσεων σε \"Όλα\"",
+  "home.column_settings.advanced": "Για προχωρημένους",
+  "home.column_settings.filter_regex": "Φιλτράρισμα βάσει των κανονικών εκφράσεων",
+  "home.column_settings.show_direct": "Εμφάνιση ιδιωτικών επισημάνσεων",
+  "home.settings": "Ρυθμίσεις στήλης",
+  "keyboard_shortcuts.bookmark": "για να σελιδοποιήσει",
+  "keyboard_shortcuts.secondary_toot": "για αποστολή τουτ χρησιμοποιώντας δευτερεύουσα ρύθμιση απορρήτου",
+  "keyboard_shortcuts.toggle_collapse": "για να συμπτύξει/επεκτείνει τα τουτς",
+  "moved_to_warning": "Αυτός ο λογαριασμός έχει σημανθεί ως μετακινημένος στο {moved_to_link} και έτσι δεν μπορεί να δεχτεί νέους ακολούθους.",
+  "navigation_bar.app_settings": "Ρυθμίσεις εφαρμογής",
+  "navigation_bar.featured_users": "Αναδεικνυόμενοι χρήστες",
+  "navigation_bar.keyboard_shortcuts": "Συντομεύσεις πληκτρολογίου",
+  "navigation_bar.misc": "Διάφορα",
+  "notification.markForDeletion": "Σήμανση για διαγραφή",
+  "notification_purge.btn_all": "Επιλογή\nόλων",
+  "notification_purge.btn_apply": "Εκκαθάριση\nεπιλεγμένων",
+  "notification_purge.btn_invert": "Αντιστροφή\nεπιλογής",
+  "notification_purge.btn_none": "Επιλογή\nκανενός",
+  "notification_purge.start": "Εισαγωγή στη λειτουργία καθαρισμού ειδοποιήσεων",
+  "notifications.column_settings.filter_bar.show_bar": "Εμφάνιση μπάρας φίλτρου",
+  "notifications.marked_clear": "Εκκαθάριση επιλεγμένων ειδοποιήσεων",
+  "notifications.marked_clear_confirmation": "Είστε βέβαιοι ότι θέλετε να καθαρίσετε μόνιμα όλες τις επιλεγμένες ειδοποιήσεις;",
+  "settings.always_show_spoilers_field": "Πάντα ενεργοποίηση του πεδίου Προειδοποίηση Περιεχομένου",
+  "settings.auto_collapse": "Αυτόματη σύμπτυξη",
+  "settings.auto_collapse_all": "Τα πάντα",
+  "settings.auto_collapse_height": "Ύψος (σε pixels) για να θεωρηθεί ένα τουτ μακροσκελές",
+  "settings.auto_collapse_lengthy": "Μακροσκελή τουτς",
+  "settings.auto_collapse_media": "Τουτς με πολυμέσα",
+  "settings.auto_collapse_notifications": "Ειδοποιήσεις",
+  "settings.auto_collapse_reblogs": "Ενισχύσεις",
+  "settings.auto_collapse_replies": "Απαντήσεις",
+  "settings.close": "Κλείσιμο",
+  "settings.collapsed_statuses": "Συμπτυγμένα τουτς",
+  "settings.compose_box_opts": "Πλαίσιο σύνθεσης",
+  "settings.confirm_missing_media_description": "Εμφάνιση διαλόγου επιβεβαίωσης πριν την αποστολή τουτς χωρίς περιγραφές πολυμέσων",
+  "settings.content_warnings": "Προειδοποιήσεις περιεχομένου",
+  "settings.content_warnings.regexp": "Κανονική έκφραση (regex)",
+  "settings.content_warnings_filter": "Προειδοποιήσεις περιεχομένου να μην ξεδιπλώνονται αυτόματα:",
+  "settings.content_warnings_media_outside": "Εμφάνιση συνημμένων πολυμέσων έξω από τις προειδοποιήσεις περιεχομένου",
+  "settings.content_warnings_media_outside_hint": "Αναπαράγει την συμπεριφορά του Mastodon έχοντας την εναλλαγή προειδοποίησης περιεχομένου να μην επηρεάζει τα συνημμένα πολυμέσων",
+  "settings.content_warnings_shared_state": "Εμφάνιση/απόκρυψη περιεχομένου όλων των αντιγράφων ταυτόχρονα",
+  "settings.content_warnings_unfold_opts": "Επιλογές αυτόματου ξεδιπλώματος",
+  "settings.deprecated_setting": "Αυτή η ρύθμιση τώρα ελέγχεται από τις {settings_page_link} του Mastodon",
+  "settings.enable_collapsed": "Ενεργοποίηση συμπτυγμένων τουτς",
+  "settings.enable_collapsed_hint": "Τα συμπτηγμένα τουτ έχουν τμήματα του περιεχομένου τους κρυμμένα για να καταλαμβάνουν λιγότερο χώρο στην οθόνη. Αυτό είναι διαφορετικό από τη λειτουργία Προειδοποίησης Περιεχομένου",
+  "settings.enable_content_warnings_auto_unfold": "Αυτόματη ξεδίπλωμα προειδοποιήσεων περιεχομένου",
+  "settings.general": "Γενικά",
+  "settings.image_backgrounds": "Εικόνες φόντου",
+  "settings.image_backgrounds_media": "Προεπισκόπηση συμπτυγμένων πολυμέσων τουτ",
+  "settings.image_backgrounds_media_hint": "Αν η δημοσίευση έχει οποιοδήποτε συνημμένο πολυμέσων, χρησιμοποιήστε το πρώτο ως φόντο",
+  "settings.image_backgrounds_users": "Δώστε στα συμπτυγμένα τουτ μια εικόνα φόντου",
+  "settings.layout_opts": "Επιλογές διάταξης",
+  "settings.media": "Πολυμέσα",
+  "settings.notifications.tab_badge": "Σήμα μη αναγνωσμένων ειδοποιήσεων",
+  "settings.notifications.tab_badge.hint": "Εμφανίζει ένα σήμα για μη αναγνωσμένες ειδοποιήσεις στα εικονίδια της στήλης όταν η στήλη ειδοποιήσεων δεν είναι ανοιχτή",
+  "settings.notifications_opts": "Ρυθμίσεις ειδοποιήσεων",
+  "settings.pop_in_left": "Αριστερά",
+  "settings.pop_in_right": "Δεξιά",
+  "settings.preferences": "Προτιμήσεις χρήστη",
+  "settings.preselect_on_reply": "Προεπιλογή ονομάτων χρηστών στην απάντηση",
+  "settings.preselect_on_reply_hint": "Όταν απαντάτε σε μια συνομιλία με πολλαπλούς συμμετέχοντες, προεπιλέξτε τα ονόματα χρηστών μετά τον πρώτο",
+  "settings.rewrite_mentions": "Ξαναγράψε επισημάνσεις στις προβαλλόμενες καταστάσεις",
+  "settings.rewrite_mentions_acct": "Ξαναγράψε με όνομα χρήστη και τομέα (όταν ο λογαριασμός είναι απομακρυσμένος)",
+  "settings.rewrite_mentions_no": "Μην ξαναγράψεις επισημάνσεις",
+  "settings.rewrite_mentions_username": "Ξαναγράψε με όνομα χρήστη",
+  "settings.shared_settings_link": "προτιμήσεις χρήστη",
+  "settings.show_action_bar": "Εμφάνιση κουμπιών ενεργειών σε συμπτυγμένα τουτ",
+  "settings.side_arm": "Δευτερεύον κουμπί τουτ:",
+  "settings.side_arm.none": "Κανένα",
+  "settings.side_arm_reply_mode": "Όταν απαντάτε σε ένα τουτ, το κουμπί δευτερεύοντος τουτ πρέπει να:",
+  "settings.side_arm_reply_mode.copy": "Αντιγράψει τη ρύθμιση απορρήτου του τουτ που απαντάται",
+  "settings.side_arm_reply_mode.keep": "Διατηρήσει το καθορισμένο απόρρητο",
+  "settings.side_arm_reply_mode.restrict": "Περιορίσει τη ρύθμιση απορρήτου σε εκείνη του τουτ που απαντάται",
+  "settings.status_icons": "Εικονίδια τουτ",
+  "settings.status_icons_language": "Ένδειξη γλώσσας",
+  "settings.status_icons_local_only": "Ένδειξη τοπικό μόνο",
+  "settings.status_icons_media": "Ενδείξεις μέσων και δημοσκοπήσεων",
+  "settings.status_icons_reply": "Ένδειξη απαντήσεων",
+  "settings.status_icons_visibility": "Ένδειξη απορρήτου τουτ",
+  "settings.tag_misleading_links": "Σήμανση παραπλανητικών συνδέσμων",
+  "settings.tag_misleading_links.hint": "Προσθήκη οπτικής ένδειξης με τον εξυπηρετητή στόχο του συνδέσμου σε κάθε σύνδεσμο που δεν αναφέρεται ρητά",
+  "status.collapse": "Σύμπτυξη",
+  "status.filtered": "Φιλτραρισμένο",
+  "status.has_audio": "Διαθέτει συνημμένα αρχεία ήχου",
+  "status.has_pictures": "Διαθέτει συνημμένες εικόνες",
+  "status.has_preview_card": "Διαθέτει συνημμένη κάρτα προεπισκόπησης",
+  "status.has_video": "Διαθέτει συνημμένα βίντεο",
+  "status.hide": "Απόκρυψη ανάρτησης",
+  "status.in_reply_to": "Αυτό το τουτ είναι απάντηση",
+  "status.is_poll": "Αυτό το τουτ είναι δημοσκόπηση",
+  "status.show_filter_reason": "Εμφάνιση ούτως ή άλλως",
+  "status.uncollapse": "Επέκταση"
 }

app/javascript/flavours/glitch/locales/en.json

@@ -90,6 +90,8 @@
   "settings.enable_collapsed": "Enable collapsed toots",
   "settings.enable_collapsed_hint": "Collapsed posts have parts of their contents hidden to take up less screen space. This is distinct from the Content Warning feature",
   "settings.enable_content_warnings_auto_unfold": "Automatically unfold content-warnings",
+  "settings.fullwidth_view": "Stretch columns to full width (Desktop mode only)",
+  "settings.fullwidth_view_hint": "Stretches columns to fill all the available space.",
   "settings.general": "General",
   "settings.hicolor_privacy_icons": "High color privacy icons",
   "settings.hicolor_privacy_icons.hint": "Display privacy icons in bright and easily distinguishable colors",
@@ -154,7 +156,5 @@
   "status.is_poll": "This toot is a poll",
   "status.local_only": "Only visible from your instance",
   "status.show_filter_reason": "Show anyway",
-  "status.show_less": "Show less",
-  "status.show_more": "Show more",
   "status.uncollapse": "Uncollapse"
 }