v4.3.1

Changelog

Added

• Add more explicit explanations about author attribution and fediverse:creator (#32383 by @ClearlyClaire)
• Add ability to group follow notifications in WebUI, can be disabled in the column settings (#32520 by @renchap)
• Add back a 6 hours mute duration option (#32522 by @renchap)
• Add note about not changing ActiveRecord encryption secrets once they are set (#32413, #32476, #32512, and #32537 by @ClearlyClaire and @mjankowski)

Changed

• Change translation feature to translate to selected regional variant (e.g. pt-BR) if available (#32428 by @c960657)

Removed

• Remove ability to get embed code for remote posts (#32578 by @ClearlyClaire)
  Getting the embed code is only reliable for local posts.
  It never worked for non-Mastodon servers, and stopped working correctly with the changes made in 4.3.0.
  We have therefore decided to remove the menu entry while we investigate solutions.

Fixed

• Fix follow recommendation moderation page default language when using regional variant (#32580 by @ClearlyClaire)
• Fix column-settings spacing in local timeline in advanced view (#32567 by @lindwurm)
• Fix broken i18n in text welcome mailer tags area (#32571 by @mjankowski)
• Fix missing or incorrect cache-control headers for Streaming server (#32551 by @ThisIsMissEm)
• Fix only the first paragraph being displayed in some notifications (#32348 by @ClearlyClaire)
• Fix reblog icons on account media view (#32506 by @tribela)
• Fix Content-Security-Policy not allowing OpenStack SWIFT object storage URI (#32439 by @kenkiku1021)
• Fix back arrow pointing to the incorrect direction in RTL languages (#32485 by @renchap)
• Fix streaming server using REDIS_USERNAME instead of REDIS_USER (#32493 by @ThisIsMissEm)
• Fix follow recommendation carrousel scrolling on RTL layouts (#32462 and #32505 by @ClearlyClaire)
• Fix follow recommendation suppressions not applying immediately (#32392 by @ClearlyClaire)
• Fix language of push notifications (#32415 by @ClearlyClaire)
• Fix mute duration not being shown in list of muted accounts in web UI (#32388 by @ClearlyClaire)
• Fix “Mark every notification as read” not updating the read marker if scrolled down (#32385 by @ClearlyClaire)
• Fix “Mention” appearing for otherwise filtered posts (#32356 by @ClearlyClaire)
• Fix notification requests from suspended accounts still being listed (#32354 by @ClearlyClaire)
• Fix list edition modal styling (#32358 and #32367 by @ClearlyClaire and @vmstan)
• Fix 4 columns barely not fitting on 1920px screen (#32361 by @ClearlyClaire)
• Fix icon alignment in applications list (#32293 by @mjankowski)

Upgrade notes

To get the code for v4.3.1, use git fetch && git checkout v4.3.1.

Note

As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump

Dependencies

External dependencies have not changed since v4.3.0, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:

• Ruby: 3.1 or newer
• PostgreSQL: 12 or newer. PostgreSQL versions 14.0 to 14.3 are not supported as they contain a critical data-corruption bug (see v4.3.0 release notes)
• Elasticsearch (recommended, for full-text search): 7.x (OpenSearch should also work)
• LibreTranslate (optional, for translations): 1.3.3 or newer
• Redis: 4 or newer
• Node: 18 or newer
• ImageMagick (optional if using libvips): 6.9.7-7 or newer
• libvips (optional, instead of ImageMagick): 8.13 or newer

Update steps

The following instructions are for updating from 4.3.0.

If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations. In particular, please read the v4.3.0 release notes, as there have been multiple important changes.

Non-docker

Tip

The charlock_holmes gem may fail to build on some systems with recent versions of gcc.
If you run into such an issue, try BUNDLE_BUILD__CHARLOCK_HOLMES="--with-cxxflags=-std=c++17" bundle install.

1. Install dependencies with bundle install and yarn install --immutable
2. Precompile the assets: RAILS_ENV=production bundle exec rails assets:precompile
3. Restart all Mastodon processes.

When using docker

1. Restart all Mastodon processes.

v4.3.0

Upgrade overview

This release contains upgrade notes that deviate from the norm:

‼️ Requires new encryption secrets environment variables
⚠️ The minimal supported version for PostgreSQL has been bumped to 12, and PostgreSQL versions 14.0 to 14.3 are not supported as they contain a critical data-corruption bug
⚠️ The minimal supported version for Ruby has been bumped to 3.1
⚠️ The minimal supported version for Node.js has been bumped to 18
⚠️ Requires rebuilding Elasticsearch accounts index
⚠️ We switched from yarn 1 to yarn 4, and recommend using corepack
⚠️ The Docker image has been split in two separate images
⚠️ Rolling updates from versions earlier than Mastodon 4.2 are not supported
⚠️ StatsD integration has been removed, replaced by OpenTelemetry integration
⚠️ ImageMagick is being deprecated and may be removed in a future version
ℹ️ Requires streaming API restart
ℹ️ Requires database migrations
ℹ️ The logging format of the streaming server has changed

For more information, view the complete release notes and scroll down to the upgrade instructions section.

Changelog

The following changelog entries focus on changes visible to users, administrators, client developers or federated software developers, but there has also been a lot of code modernization, refactoring, and tooling work, in particular by @mjankowski.

Security

• Add confirmation interstitial instead of silently redirecting logged-out visitors to remote resources (#27792, #28902, and #30651 by @ClearlyClaire and @Gargron)
  This fixes a longstanding open redirect in Mastodon, at the cost of added friction when local links to remote resources are shared.
• Fix ReDoS vulnerability on some Ruby versions (GHSA-jpxp-r43f-rhvx)
• Change form-action Content-Security-Policy directive to be more restrictive (#26897 and #32241 by @ClearlyClaire)
• Update dependencies

Added

• Add server-side notification grouping (#29889, #30576, #30685, #30688, #30707, #30776, #30779, #30781, #30440, #31062, #31098, #31076, #31111, #31123, #31223, #31214, #31224, #31299, #31325, #31347, #31304, #31326, #31384, #31403, #31433, #31509, #31486, #31513, #31592, #31594, #31638, #31746, #31652, #31709, #31725, #31745, #31613, #31657, #31840, #31610, #31929, #32089, #32085, #32243, #32179 and #32254 by @ClearlyClaire, @Gargron, @mgmn, and @renchap)
  Group notifications of the same type for the same target, so that your notifications no longer get cluttered by boost and favorite notifications as soon as a couple of your posts get traction.
  This is done server-side so that clients can efficiently get relevant groups without having to go through numerous pages of individual notifications.
  As part of this, the visual design of the entire notifications feature has been revamped.
  The API consists of:

  • a new group_key attribute to Notification entities
  • GET /api/v2/notifications: https://docs.joinmastodon.org/methods/grouped_notifications/#get-grouped
  • GET /api/v2/notifications/:group_key: https://docs.joinmastodon.org/methods/grouped_notifications/#get-notification-group
  • GET /api/v2/notifications/:group_key/accounts: https://docs.joinmastodon.org/methods/grouped_notifications/#get-group-accounts
  • POST /api/v2/notifications/:group_key/dimsiss: https://docs.joinmastodon.org/methods/grouped_notifications/#dismiss-group
  • GET /api/v2/notifications/:unread_count: https://docs.joinmastodon.org/methods/grouped_notifications/#unread-group-count

• Add notification policies, filtered notifications and notification requests (#29366, #29529, #29433, #29565, #29567, #29572, #29575, #29588, #29646, #29652, #29658, #29666, #29693, #29699, #29737, #29706, #29570, #29752, #29810, #29826, #30114, #30251, #30559, #29868, #31008, #31011, #30996, #31149, #31220, #31222, #31225, #31242, #31262, #31250, #31273, #31310, #31316, #31322, #31329, #31324, #31331, #31343, #31342, #31309, #31358, #31378, #31406, #31256, #31456, #31419, #31457, #31508, #31540, #31541, #31723, #32062 and #32281 by @ClearlyClaire, @Gargron, @TheEssem, @mgmn, @oneiros, and @renchap)
  The old “Block notifications from non-followers”, “Block notifications from people you don't follow” and “Block direct messages from people you don't follow” notification settings have been replaced by a new set of settings found directly in the notification column.
  You can now separately filter or drop notifications from people you don't follow, people who don't follow you, accounts created within the past 30 days, as well as unsolicited private mentions, and accounts limited by the moderation.
  Instead of being outright dropped, notifications that you chose to filter are put in a separate “Filtered notifications” box that you can review separately without it clogging your main notifications.
  This adds the following REST API endpoints:

  • GET /api/v2/notifications/policy: https://docs.joinmastodon.org/methods/notifications/#get-policy
  • PATCH /api/v2/notifications/policy: https://docs.joinmastodon.org/methods/notifications/#update-the-filtering-policy-for-notifications
  • GET /api/v1/notifications/requests: https://docs.joinmastodon.org/methods/notifications/#get-requests
  • GET /api/v1/notifications/requests/:id: https://docs.joinmastodon.org/methods/notifications/#get-one-request
  • POST /api/v1/notifications/requests/:id/accept: https://docs.joinmastodon.org/methods/notifications/#accept-request
  • POST /api/v1/notifications/requests/:id/dismiss: https://docs.joinmastodon.org/methods/notifications/#dismiss-request
  • POST /api/v1/notifications/requests/accept: https://docs.joinmastodon.org/methods/notifications/#accept-multiple-requests
  • POST /api/v1/notifications/requests/dismiss: https://docs.joinmastodon.org/methods/notifications/#dismiss-multiple-requests
  • GET /api/v1/notifications/requests/merged: https://docs.joinmastodon.org/methods/notifications/#requests-merged

  In addition, accepting one or more notification requests generates a new streaming event:

  • notifications_merged: an event of this type indicates accepted notification requests have finished merging, and the notifications list should be refreshed

• Add notifications of severed relationships (#27511, #29665, #29668, #29670, #29700, #29714, #29712, and #29731 by @ClearlyClaire and @Gargron)
  Notify local users when they lose relationships as a result of a local moderator blocking a remote account or server, allowing the affected user to retrieve the list of broken relationships.
  Note that this does not notify remote users.
  This adds the severed_relationships notification type to the REST API and streaming, with a new relationship_severance_event attribute.

• Add hover cards in web UI (#30754, #30864, #30850, #30879, #30928, #30949, #30948, #30931, and #31300 by @ClearlyClaire, @Gargron, and @renchap)
  Hovering over an avatar or username will now display a hover card with the first two lines of the user's description and their first two profile fields.
  This can be disabled in the “Animations and accessibility” section of the preferences.

• Add "system" theme setting (light/dark theme depending on user system preference) (#29748, #29553, #29795, #29918, #30839, and #30861 by @nshki, @ErikUden, @mjankowski, @renchap, and @vmstan)
  Add a “system” theme that automatically switch between default dark and light themes depending on the user's system preferences.
  Also changes the default server theme to this new “system” theme so that automatic theme selection happens even when logged out.

• Add timeline of public posts about a trending link (#30381 and #30840 by @Gargron)
  You can now see public posts mentioning currently-trending articles from people who have opted into discovery features.
  This adds a new REST API endpoint:

  • GET /api/v1/timelines/link?url=:url: https://docs.joinmastodon.org/methods/timelines/#link

• Add author highlight for news articles whose authors are on the fediverse (#30398, #30670, #30521, #30846, #31819, #31900 and #32188 by @Gargron, @mjankowski and @oneiros)
  This adds a mechanism to highlight the author of news articles shared on Mastodon.
  Articles hosted outside the fediverse can indicate a fediverse author with a meta tag:

  <meta name="fediverse:creator" content="username@domain" />

  On the API side, this is represented by a new authors attribute to the PreviewCard entity: https://docs.joinmastodon.org/entities/PreviewCard/#authors
  Users can allow arbitrary domains to use fediverse:creator to credit them by visiting /settings/verification.
  This is federated as a new attributionDomains property in the http://joinmastodon.org/ns namespace, containing an array of domain names: https://docs.joinmastodon.org/spec/activitypub/#properties-used-1

• Add in-app notifications for moderation actions and warnings (#30065, #30082, and #30081 by @ClearlyClaire)
  In addition to email notifications, also notify users of moderation actions or warnings against them directly within the app, so they are less likely to miss important communication from their moderators.
  This adds the...

v4.3.0-rc.1

Warning

This is a pre-release! This has not been as widely tested as regular releases, although it is still tested on mastodon.social and some other servers. If you update to this release, you will not be able to safely downgrade to the existing stable releases. You will, however, be able to upgrade to later nightly releases, prereleases as well as the upcoming 4.3.0 stable release.

Upgrade overview

This release contains upgrade notes that deviate from the norm:

‼️ Requires new encryption secrets environment variables
⚠️ The minimal supported version for PostgreSQL has been bumped to 12
⚠️ The minimal supported version for Ruby has been bumped to 3.1
⚠️ The minimal supported version for Node.js has been bumped to 18
⚠️ Requires rebuilding Elasticsearch accounts index
⚠️ We switched from yarn 1 to yarn 4, and recommend using corepack
⚠️ The Docker image has been split in two separate images
⚠️ Rolling updates from versions earlier than Mastodon 4.2 are not supported
⚠️ StatsD integration has been removed, replaced by OpenTelemetry integration
⚠️ ImageMagick is being deprecated and may be removed in a future version
ℹ️ Requires streaming API restart
ℹ️ Requires database migrations
ℹ️ The logging format of the streaming server has changed

For more information, scroll down to the upgrade instructions section.

Changelog (v4.3.0-rc.1)

Security

• Fix ReDoS vulnerability on some Ruby versions (GHSA-jpxp-r43f-rhvx)

Added

• Add “A Mastodon update is available.” message on admin dashboard for non-bugfix updates (#32106 by @ClearlyClaire)
• Add ability to view alt text by clicking the ALT badge in web UI (#32058 by @Gargron)
• Add preview of followers removed in domain block modal in web UI (#32032 and #32105 by @ClearlyClaire and @Gargron)
• Add server-side notification grouping for follow notifications (#32085 by @renchap)
• Add reblogs and favourites counts to statuses in ActivityPub (#32007 by @Gargron)
• Add OTEL_SERVICE_NAME_SEPARATOR to further customize OpenTelemetry service names (#31998 by @timetinytim)

Changed

• Change media reordering design in the compose form in web UI (#32093 by @Gargron)
• Change design of media gallery and media tab on profiles in web UI (#31967 by @Gargron)
• Change styling of statuses in email to match that of the web interface (#32073 and #32132 by @c960657)
• Change label of "Data export" menu item in settings interface (#32099 by @c960657)
• Change responsive break points on navigation panel in web UI (#32034 by @Gargron)
• Change cursor to not-allowed on disabled buttons (#32076 by @mjankowski)
• Change hide media button to be in top right corner in web UI (#32048 by @Gargron)
• Change mobile breakpoint back to old version and allow main column to shrink (#32033 by @ClearlyClaire)
• Change OAuth authorization prompt to not refer to apps as “third-party” (#32005 by @Gargron)
• Change Mastodon to issue correct HTTP signatures by default (#31994 by @ClearlyClaire)
• Change zoom icon in web UI (#29683 by @Gargron)
• Change directory page to use URL query strings for options (#31980, #31977 and #31984 by @ClearlyClaire and @renchap)

Fixed

• Fix missing permission on new embeds making them unclickable (#32135 by @Gargron)
• Fix missing border in some admin UI tables (#32128 by @mjankowski)
• Fix recently used tags hint being displayed in profile edition page when there is none (#32120 by @mjankowski)
• Fix checkbox lists on narrow screens in the settings interface (#32112 by @mjankowski)
• Fix scrollbar width (#32091 by @ClearlyClaire)
• Fix typo causing incorrect error being raised in blurhash processing failure (#32104 by @ClearlyClaire)
• Fix the position of status action buttons being affected by interaction counters (#32084 by @renchap)
• Fix too many requests caused by relationship look-ups in web UI (#32042 by @Gargron)
• Fix wrapping in dashboard quick access buttons (#32043 by @renchap)
• Fix the summary of converted ActivityPub object types to be treated as HTML (#28629 by @Menrath)
• Fix error when accepting an appeal for sensitive posts deleted in the meantime (#32037 by @ClearlyClaire)
• Fix multiple bugs in notification requests and notification policies (#32062 by @ClearlyClaire)
• Fix error when encountering reblog of deleted post in feed rebuild (#32001 by @ClearlyClaire)
• Fix links for reblogs in moderation interface (#31979 by @ClearlyClaire)
• Fix Safari browser glitch related to horizontal scrolling (#31960 by @Gargron)
• Fix the appearance of avatars when they do not load (#31966 by @renchap)
• Fix spurious error notifications for aborted requests in web UI (#31952 by @c960657)

Removed

• Remove global Regexp timeout (#32169 by @ClearlyClaire)
• Remove deprecated v2_alpha endpoint for grouped notifications (#32089 by @renchap)
• Remove unused E2EE messaging code and related crypto OAuth scope (#31193, #31945, #31963, and #31964 by @ClearlyClaire and @mjankowski)

Changelog (v4.3.0-beta.2)

Security

• Update dependencies
• Change form-action Content-Security-Policy directive to be more restrictive (#26897 by @ClearlyClaire)
• Fix username normalization issue in web interface (GHSA-3m9q-ww7w-qc5j by @Gargron)

Added

• Add global Regexp timeout (#31928 by @ClearlyClaire)
• Add ability to manage which websites can credit you in link previews using fediverse:creator (#31819 and #31900 by @Gargron and @oneiros)
  In 4.3.0-beta.1, fediverse:creator was only taken into account for articles published on providers manually approved for trending by moderators.
  This change adds a section in /settings/verification so that users can themselves list which domains are allowed to credit them.
  This is federated as a new attributionDomains property in the http://joinmastodon.org/ns namespace, containing an array of domain names: https://docs.joinmastodon.org/spec/activitypub/#properties-used-1
• Add link to /admin/roles in moderation interface when changing someone's role (#31791 by @ClearlyClaire)
• Add anchors to each authorized application in /oauth/authorized_applications (#31677 by @fowl2)
• Add support for Redis sentinel (#31694, #31623, #31744, #31767, and #31768 by @ThisIsMissEm and @oneiros)
  See https://docs.joinmastodon.org/admin/scaling/#redis-sentinel
• Add support for CORS to POST /oauth/revoke (#31743 by @ClearlyClaire)
• Add GET /api/v2_alpha/notifications/:group_key/accounts (#31725 by @ClearlyClaire)
  See documentation: https://docs.joinmastodon.org/methods/grouped_notifications/#get-group-accounts
• Add grouped_types parameter to allow clients to restrict which notifications types get grouped (#31594 by @ClearlyClaire)
  See documentation: https://docs.joinmastodon.org/methods/grouped_notifications/#get-grouped
• Add quick links to Administration and Moderation Reports from Web UI (#24838 by @ThisIsMissEm)

Changed

• Enable grouped notifications unconditionally (#31610 and #31929 by @ClearlyClaire)
• Change grouped notifications API from /api/v2_alpha/notifications* to /api/v2/notifications* (#31840 by @ClearlyClaire)
  See documentation: https://docs.joinmastodon.org/methods/grouped_notifications/
• Change preview card image size limit from 2MB to 8MB when using libvips (#31904 by @ClearlyClaire)
• Change design of embed modal in web UI (#31801 by @Gargron)
• Change preview card processing to ignore undefined as canonical url (#31882 by @oneiros)
• Change embedded posts to use web UI (#31766 by @Gargron)
• Change inner borders in media galleries in web UI (#31852 by @Gargron)
• Change design of hide media button in web UI (#31807 by @Gargron)
• Change labels on thread indicators in web UI (#31806 by @Gargron)
• Change instances of Nokogiri HTML4 parsing to HTML5 (#31812, #31815, #31813, and #31814 by @flavorjones)
• Change report action buttons to be disabled when action has already been taken (#31773, #31822, and #31899 by @ClearlyClaire and @ThisIsMissEm)
• Change width of columns in advanced web UI (#31762 by @Gargron)
• Change design of unread conversations in web UI (#31763 by @Gargron)
• Change background color of notifications about private messages (#31657 by @ClearlyClaire)
• Change design of boost modal in web UI (#31555 by @Gargron)

Fixed

• Fix single-panel breakpoint being too narrow (#31889 by @ClearlyClaire)
• Fix cancel follow request button sometimes saying “Follow back” (#31934 by @ClearlyClaire)
• Fix horizontal scrollbar on who to follow carousel in web UI (#31912 by @Gargron)
• Fix invalid date searches returning 503 errors (#31526 by @notchairmk)
• Fix invalid visibility values in POST /api/v1/statuses returning 500 errors (#31571 by @c960657)
• Fix the primary button in modals not being auto-focused anymore (#31883 by @ClearlyClaire)
• Fix security context sometimes not being added in LD-Signed activities (#31871 by @ClearlyClaire)
• Fix some components re-rendering spuriously in web UI (#31879 and #31881 by @ClearlyClaire and @Gargron)
• Fix styling of media edition modal (#31844, #31864, and #31943 by @vmstan)
• Fix use of deprecated Remove vendor prefix from apple-mobile-web-app-capable meta tag (#31845 by @mjankowski)
• Fix sort order of moderation notes on Reports and Accounts (#31528 by @ThisIsMissEm)
• Fix radio checkbox visibility in Report dialogs (#31752 by @vmstan)
• Fix wrong width on content warnings and filt...

v4.2.13

Changelog

Security

• Fix ReDoS vulnerability on some Ruby versions (GHSA-jpxp-r43f-rhvx)
• Update dependencies

Added

• Add “A Mastodon update is available.” message on admin dashboard for non-bugfix updates (#32106 by @ClearlyClaire)

Changed

• Change Mastodon to issue correct HTTP signatures by default (#31994 by @ClearlyClaire)

Fixed

• Fix replies collection being cached improperly
• Fix security context sometimes not being added in LD-Signed activities (#31871 by @ClearlyClaire)
• Fix error when encountering reblog of deleted post in feed rebuild (#32001 by @ClearlyClaire)

Upgrade notes

To get the code for v4.2.13, use git fetch && git checkout v4.2.13.

Note

As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump

Important

Since v4.2.10, Mastodon is now performing stricter checks to prevent client IP address spoofing. This means that if one of your reverse proxy is not on Mastodon's local network, you will need to set TRUSTED_PROXY_IP accordingly, listing the IP address of every trusted reverse-proxy (including local network ones). See the documentation for more information.

Dependencies

With the exception of Ruby's recommended version, external dependencies have not changed since v4.2.0, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:

• Ruby: 3.0 to 3.2
• PostgreSQL: 10 or newer
• Elasticsearch (recommended, for full-text search): 7.x (OpenSearch should also work)
• LibreTranslate (optional, for translations): 1.3.3 or newer
• Redis: 4 or newer
• Node: 16 or newer
• ImageMagick: 6.9.7-7 or newer

Update steps

Tip

The charlock_holmes gem may fail to build on some systems with recent versions of gcc.
If you run into such an issue, try BUNDLE_BUILD__CHARLOCK_HOLMES="--with-cxxflags=-std=c++17" bundle install.

The following instructions are for updating from 4.2.12.

If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.

Non-Docker only:

1. Install dependencies: bundle install and yarn install --frozen-lockfile
2. Restart all Mastodon processes

Using Docker:

1. Restart all Mastodon processes

v4.1.20

Changelog

Security

• Fix ReDoS vulnerability on some Ruby versions (GHSA-jpxp-r43f-rhvx)
• Update dependencies

Changed

• Change Mastodon to issue correct HTTP signatures by default (#31994 by @ClearlyClaire)

Fixed

• Fix replies collection being cached improperly
• Fix security context sometimes not being added in LD-Signed activities (#31871 by @ClearlyClaire)
• Fix error when encountering reblog of deleted post in feed rebuild (#32001 by @ClearlyClaire)

Upgrade notes

To get the code for v4.1.20, use git fetch && git checkout v4.1.20.

Note

As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump

Important

Since v4.1.18, Mastodon is now performing stricter checks to prevent client IP address spoofing. This means that if one of your reverse proxy is not on Mastodon's local network, you will need to set TRUSTED_PROXY_IP accordingly, listing the IP address of every trusted reverse-proxy (including local network ones). See the documentation for more information.

Dependencies

Warning

The minimum required Ruby version has been bumped to 3.0 in Mastodon v4.1.14.

External dependencies have not changed compared to v4.1.14, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:

• Ruby: 3.0
• PostgreSQL: 9.5 or newer
• Elasticsearch (optional, for full-text search): 7.x
• Redis: 4 or newer
• Node: >= 14, < 18
• ImageMagick: 6.9.7-7 or newer

Update steps

The following instructions are for updating from 4.1.19.

If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.

Non-Docker only:

1. Install dependencies: bundle install and yarn install --frozen-lockfile

Both Docker and non-Docker:

1. Restart all Mastodon processes

v4.3.0-beta.2

Warning

This is a pre-release! This has not been as widely tested as regular releases, although it is still tested on mastodon.social and some other servers. If you update to this release, you will not be able to safely downgrade to the existing stable releases. You will, however, be able to upgrade to later nightly releases, prereleases as well as the upcoming 4.3.0 stable release.

Upgrade overview

This release contains upgrade notes that deviate from the norm:

‼️ Requires new encryption secrets environment variables
⚠️ The minimal supported version for PostgreSQL has been bumped to 12
⚠️ The minimal supported version for Ruby has been bumped to 3.1
⚠️ The minimal supported version for Node.js has been bumped to 18
⚠️ Requires rebuilding Elasticsearch accounts index
⚠️ We switched from yarn 1 to yarn 4, and recommend using corepack
⚠️ The Docker image has been split in two separate images
⚠️ Rolling updates from versions earlier than Mastodon 4.2 are not supported
⚠️ StatsD integration has been removed, replaced by OpenTelemetry integration
⚠️ ImageMagick is being deprecated and may be removed in a future version
ℹ️ Requires streaming API restart
ℹ️ Requires database migrations
ℹ️ The logging format of the streaming server has changed

For more information, scroll down to the upgrade instructions section.

Changelog (v4.3.0-beta.2)

Security

• Update dependencies
• Change form-action Content-Security-Policy directive to be more restrictive (#26897 by @ClearlyClaire)
• Fix username normalization issue in web interface (GHSA-3m9q-ww7w-qc5j by @Gargron)

Added

• Add global Regexp timeout (#31928 by @ClearlyClaire)
• Add ability to manage which websites can credit you in link previews using fediverse:creator (#31819 and #31900 by @Gargron and @oneiros)
  In 4.3.0-beta.1, fediverse:creator was only taken into account for articles published on providers manually approved for trending by moderators.
  This change adds a section in /settings/verification so that users can themselves list which domains are allowed to credit them.
  This is federated as a new attributionDomains property in the http://joinmastodon.org/ns namespace, containing an array of domain names: https://docs.joinmastodon.org/spec/activitypub/#properties-used-1
• Add link to /admin/roles in moderation interface when changing someone's role (#31791 by @ClearlyClaire)
• Add anchors to each authorized application in /oauth/authorized_applications (#31677 by @fowl2)
• Add support for Redis sentinel (#31694, #31623, #31744, #31767, and #31768 by @ThisIsMissEm and @oneiros)
  See https://docs.joinmastodon.org/admin/scaling/#redis-sentinel
• Add support for CORS to POST /oauth/revoke (#31743 by @ClearlyClaire)
• Add GET /api/v2_alpha/notifications/:group_key/accounts (#31725 by @ClearlyClaire)
  See documentation: https://docs.joinmastodon.org/methods/grouped_notifications/#get-group-accounts
• Add grouped_types parameter to allow clients to restrict which notifications types get grouped (#31594 by @ClearlyClaire)
  See documentation: https://docs.joinmastodon.org/methods/grouped_notifications/#get-grouped
• Add quick links to Administration and Moderation Reports from Web UI (#24838 by @ThisIsMissEm)

Changed

• Enable grouped notifications unconditionally (#31610 and #31929 by @ClearlyClaire)
• Change grouped notifications API from /api/v2_alpha/notifications* to /api/v2/notifications* (#31840 by @ClearlyClaire)
  See documentation: https://docs.joinmastodon.org/methods/grouped_notifications/
• Change preview card image size limit from 2MB to 8MB when using libvips (#31904 by @ClearlyClaire)
• Change design of embed modal in web UI (#31801 by @Gargron)
• Change preview card processing to ignore undefined as canonical url (#31882 by @oneiros)
• Change embedded posts to use web UI (#31766 by @Gargron)
• Change inner borders in media galleries in web UI (#31852 by @Gargron)
• Change design of hide media button in web UI (#31807 by @Gargron)
• Change labels on thread indicators in web UI (#31806 by @Gargron)
• Change instances of Nokogiri HTML4 parsing to HTML5 (#31812, #31815, #31813, and #31814 by @flavorjones)
• Change report action buttons to be disabled when action has already been taken (#31773, #31822, and #31899 by @ClearlyClaire and @ThisIsMissEm)
• Change width of columns in advanced web UI (#31762 by @Gargron)
• Change design of unread conversations in web UI (#31763 by @Gargron)
• Change background color of notifications about private messages (#31657 by @ClearlyClaire)
• Change design of boost modal in web UI (#31555 by @Gargron)

Fixed

• Fix single-panel breakpoint being too narrow (#31889 by @ClearlyClaire)
• Fix cancel follow request button sometimes saying “Follow back” (#31934 by @ClearlyClaire)
• Fix horizontal scrollbar on who to follow carousel in web UI (#31912 by @Gargron)
• Fix invalid date searches returning 503 errors (#31526 by @notchairmk)
• Fix invalid visibility values in POST /api/v1/statuses returning 500 errors (#31571 by @c960657)
• Fix the primary button in modals not being auto-focused anymore (#31883 by @ClearlyClaire)
• Fix security context sometimes not being added in LD-Signed activities (#31871 by @ClearlyClaire)
• Fix some components re-rendering spuriously in web UI (#31879 and #31881 by @ClearlyClaire and @Gargron)
• Fix styling of media edition modal (#31844, #31864, and #31943 by @vmstan)
• Fix use of deprecated Remove vendor prefix from apple-mobile-web-app-capable meta tag (#31845 by @mjankowski)
• Fix sort order of moderation notes on Reports and Accounts (#31528 by @ThisIsMissEm)
• Fix radio checkbox visibility in Report dialogs (#31752 by @vmstan)
• Fix wrong width on content warnings and filters in web UI (#31761 by @Gargron)
• Fix email language when recipient has no selected locale (#31747 by @ClearlyClaire)
• Fix display name being displayed instead of domain in remote reports (#31613 by @ClearlyClaire)
• Fix all notification types being stored without filtering when polling (#31745 by @ClearlyClaire)
• Fix Corepack prompt on Devcontainer (#31729 by @vmstan)
• Fix Heroku configuration for heroku-24 (#31135 by @zunda)
• Fix frequently-used languages not correctly updating in the web UI (#31386 by @c960657)
• Fix radio buttons styling in web UI (#31723 by @ClearlyClaire)
• Fix not being able to load more notifications after trimming (#31652 and #31709 by @ClearlyClaire and @c960657)
• Fix POST /api/v1/statuses silently ignoring invalid media_ids parameter (#31681 by @c960657)
• Fix N+1s in grouped notifications (#31638 and #31746 by @ClearlyClaire)
• Fix handling of the BIND environment variable in the streaming server (#31624 by @ThisIsMissEm)
• Fix multiple issues in docker-compose file (#31612 and #31615 by @renchap)
• Fix spurious loading bar middleware usage (#31592 by @ClearlyClaire)

Changelog (v4.3.0-beta.1)

The following changelog entries focus on changes visible to users, administrators, client developers or federated software developers, but there has also been a lot of code modernization, refactoring, and tooling work, in particular by @mjankowski.

Security

• Add confirmation interstitial instead of silently redirecting logged-out visitors to remote resources (#27792, #28902, and #30651 by @ClearlyClaire and @Gargron)
  This fixes a longstanding open redirect in Mastodon, at the cost of added friction when local links to remote resources are shared.

Added

• Add experimental server-side notification grouping (#29889, #30576, #30685, #30688, #30707, #30776, #30779, #30781, #30440, #31062, #31098, #31076, #31111, #31123, #31223, #31214, #31224, #31299, #31325, #31347, #31304, #31326, #31384, #31403, #31433, #31509, #31486, and #31513 by @ClearlyClaire, @mgmn, and @renchap)
  Group notifications of the same type for the same target, so that your notifications no longer get cluttered by boost and favorite notifications as soon as a couple of your posts get traction.
  This is done server-side so that clients can efficiently get relevant groups without having to go through numerous pages of individual notifications.
  As part of this, the visual design of the entire notifications feature has been revamped.
  This feature is intended to eventually replace the existing notifications column, but for this first beta, users will have to enable it in the “Experimental features” section of the notifications column settings.
  The API is not final yet, but it consists of:
  • a new group_key attribute to Notification entities
  • GET /api/v2_alpha/notifications: https://docs.joinmastodon.org/methods/notifications_alpha/#get-grouped
  • GET /api/v2_alpha/notifications/:group_key: https://docs.joinmastodon.org/methods/notifications_alpha/#get-notification-group
  • POST /api/v2_alpha/notifications/:group_key/dimsiss: https://docs.joinmastodon.org/methods/notifications_alpha/#dismiss-group
  • GET /api/v2_alpha/notifications/:unread_count: https://docs.joinmastodon.org/methods/notifications_alpha/#unread-group-count
• Add notification policies, filtered notifications and notification requests (#29366, #29529, #29433, #29565, #29567, #29572, #29575, #29588, #29646, #29652, #29658, #29666, #29693, #29699, #29737, #29706, #29570, #29752, #29810, #29826, #30114, #30251, #30559, #29868, #31008, #31011, #30996, #31149, #31220, #31222, #31225, #31242, #31262, #31250, #31273, #31310, #3131...

v4.3.0-beta.1

Warning

This is a pre-release! This has not been as widely tested as regular releases, although it is still tested on mastodon.social and some other servers. If you update to this release, you will not be able to safely downgrade to the existing stable releases. You will, however, be able to upgrade to later nightly releases, prereleases as well as the upcoming 4.3.0 stable release.

Upgrade overview

This release contains upgrade notes that deviate from the norm:

‼️ Requires new encryption secrets environment variables
⚠️ The minimal supported version for PostgreSQL has been bumped to 12
⚠️ The minimal supported version for Ruby has been bumped to 3.1
⚠️ The minimal supported version for Node.js has been bumped to 18
⚠️ Requires rebuilding Elasticsearch accounts index
⚠️ We switched from yarn 1 to yarn 4, and recommend using corepack
⚠️ The Docker image has been split in two separate images
⚠️ Rolling updates from versions earlier than Mastodon 4.2 are not supported
⚠️ StatsD integration has been removed, replaced by OpenTelemetry integration
⚠️ ImageMagick is being deprecated and may be removed in a future version
ℹ️ Requires streaming API restart
ℹ️ Requires database migrations
ℹ️ The logging format of the streaming server has changed

For more information, scroll down to the upgrade instructions section.

Changelog

The following changelog entries focus on changes visible to users, administrators, client developers or federated software developers, but there has also been a lot of code modernization, refactoring, and tooling work, in particular by @mjankowski.

Security

• Add confirmation interstitial instead of silently redirecting logged-out visitors to remote resources (#27792, #28902, and #30651 by @ClearlyClaire and @Gargron)
  This fixes a longstanding open redirect in Mastodon, at the cost of added friction when local links to remote resources are shared.

Added

• Add experimental server-side notification grouping (#29889, #30576, #30685, #30688, #30707, #30776, #30779, #30781, #30440, #31062, #31098, #31076, #31111, #31123, #31223, #31214, #31224, #31299, #31325, #31347, #31304, #31326, #31384, #31403, #31433, #31509, #31486, and #31513 by @ClearlyClaire, @mgmn, and @renchap)
  Group notifications of the same type for the same target, so that your notifications no longer get cluttered by boost and favorite notifications as soon as a couple of your posts get traction.
  This is done server-side so that clients can efficiently get relevant groups without having to go through numerous pages of individual notifications.
  As part of this, the visual design of the entire notifications feature has been revamped.
  This feature is intended to eventually replace the existing notifications column, but for this first beta, users will have to enable it in the “Experimental features” section of the notifications column settings.
  The API is not final yet, but it consists of:

  • a new group_key attribute to Notification entities
  • GET /api/v2_alpha/notifications: https://docs.joinmastodon.org/methods/notifications_alpha/#get-grouped
  • GET /api/v2_alpha/notifications/:group_key: https://docs.joinmastodon.org/methods/notifications_alpha/#get-notification-group
  • POST /api/v2_alpha/notifications/:group_key/dimsiss: https://docs.joinmastodon.org/methods/notifications_alpha/#dismiss-group
  • GET /api/v2_alpha/notifications/:unread_count: https://docs.joinmastodon.org/methods/notifications_alpha/#unread-group-count

• Add notification policies, filtered notifications and notification requests (#29366, #29529, #29433, #29565, #29567, #29572, #29575, #29588, #29646, #29652, #29658, #29666, #29693, #29699, #29737, #29706, #29570, #29752, #29810, #29826, #30114, #30251, #30559, #29868, #31008, #31011, #30996, #31149, #31220, #31222, #31225, #31242, #31262, #31250, #31273, #31310, #31316, #31322, #31329, #31324, #31331, #31343, #31342, #31309, #31358, #31378, #31406, #31256, #31456, #31419, #31457, #31508, #31540, and #31541 by @ClearlyClaire, @Gargron, @TheEssem, @mgmn, @oneiros, and @renchap)
  The old “Block notifications from non-followers”, “Block notifications from people you don't follow” and “Block direct messages from people you don't follow” notification settings have been replaced by a new set of settings found directly in the notification column.
  You can now separately filter or drop notifications from people you don't follow, people who don't follow you, accounts created within the past 30 days, as well as unsolicited private mentions, and accounts limited by the moderation.
  Instead of being outright dropped, notifications that you chose to filter are put in a separate “Filtered notifications” box that you can review separately without it clogging your main notifications.
  This adds the following REST API endpoints:

  • GET /api/v2/notifications/policy: https://docs.joinmastodon.org/methods/notifications/#get-policy
  • PATCH /api/v2/notifications/policy: https://docs.joinmastodon.org/methods/notifications/#update-the-filtering-policy-for-notifications
  • GET /api/v1/notifications/requests: https://docs.joinmastodon.org/methods/notifications/#get-requests
  • GET /api/v1/notifications/requests/:id: https://docs.joinmastodon.org/methods/notifications/#get-one-request
  • POST /api/v1/notifications/requests/:id/accept: https://docs.joinmastodon.org/methods/notifications/#accept-request
  • POST /api/v1/notifications/requests/:id/dismiss: https://docs.joinmastodon.org/methods/notifications/#dismiss-request
  • POST /api/v1/notifications/requests/accept: https://docs.joinmastodon.org/methods/notifications/#accept-multiple-requests
  • POST /api/v1/notifications/requests/dismiss: https://docs.joinmastodon.org/methods/notifications/#dismiss-multiple-requests
  • GET /api/v1/notifications/requests/merged: https://docs.joinmastodon.org/methods/notifications/#requests-merged

  In addition, accepting one or more notification requests generates a new streaming event:

  • notifications_merged: an event of this type indicates accepted notification requests have finished merging, and the notifications list should be refreshed

• Add notifications of severed relationships (#27511, #29665, #29668, #29670, #29700, #29714, #29712, and #29731 by @ClearlyClaire and @Gargron)
  Notify local users when they lose relationships as a result of a local moderator blocking a remote account or server, allowing the affected user to retrieve the list of broken relationships.
  Note that this does not notify remote users.
  This adds the severed_relationships notification type to the REST API and streaming, with a new relationship_severance_event attribute.

• Add hover cards in web UI (#30754, #30864, #30850, #30879, #30928, #30949, #30948, #30931, and #31300 by @ClearlyClaire, @Gargron, and @renchap)
  Hovering over an avatar or username will now display a hover card with the first two lines of the user's description and their first two profile fields.
  This can be disabled in the “Animations and accessibility” section of the preferences.

• Add "system" theme setting (light/dark theme depending on user system preference) (#29748, #29553, #29795, #29918, #30839, and #30861 by @nshki, @ErikUden, @mjankowski, @renchap, and @vmstan)
  Add a “system” theme that automatically switch between default dark and light themes depending on the user's system preferences.
  Also changes the default server theme to this new “system” theme so that automatic theme selection happens even when logged out.

• Add timeline of public posts about a trending link (#30381 and #30840 by @Gargron)
  You can now see public posts mentioning currently-trending articles from people who have opted into discovery features.
  This adds a new REST API endpoint: https://docs.joinmastodon.org/methods/timelines/#link

• Add author highlight for news articles whose authors are on the fediverse (#30398, #30670, #30521, and #30846 by @Gargron)
  This adds a mechanism to highlight the author of news articles shared on Mastodon.
  Articles hosted outside the fediverse can indicate a fediverse author with a meta tag:

  <meta name="fediverse:creator" content="username@domain" />

  On the API side, this is represented by a new authors attribute to the PreviewCard entity: https://docs.joinmastodon.org/entities/PreviewCard/#authors\
  Note that this feature is still work in progress and the tagging format and verification mechanisms may change in future releases.

• Add in-app notifications for moderation actions and warnings (#30065, #30082, and #30081 by @ClearlyClaire)
  In addition to email notifications, also notify users of moderation actions or warnings against them directly within the app, so they are less likely to miss important communication from their moderators.
  This adds the moderation_warning notification type to the REST API and streaming, with a new moderation_warning attribute.

• Add domain information to profiles in web UI (#29602 by @Gargron)
  Clicking the domain of a user in their profile will now open a tooltip with a short explanation about servers and federation.

• Add ability to reorder upload...

v4.2.12

Note

This is a hotfix release for an issue introduced in 4.2.11.

Changelog (v4.2.12)

Fixed

• Fix broken notifications for mentions from local moderators (ClearlyClaire)

Changelog (v4.2.11)

Added

• Add support for incoming <s> tag (mediaformat)

Changed

• Change logic of block/mute bypass for mentions from moderators to only apply to visible roles with moderation powers (ClearlyClaire)

Fixed

• Fix incorrect rate limit on PUT requests (ClearlyClaire)
• Fix presence of ß in adjacent word preventing mention and hashtag matching (adamniedzielski)
• Fix processing of webfinger responses with multiple self links (adamniedzielski)
• Fix duplicate orderedItems in user archive's outbox.json (ClearlyClaire)
• Fix click event handling when clicking outside of an open dropdown menu (ClearlyClaire)
• Fix status processing failing halfway when a remote post has a malformed replies attribute (ClearlyClaire)
• Fix --verbose option of tootctl media remove, which was previously erroneously removed (mjankowski)
• Fix division by zero on some video/GIF files (ClearlyClaire)
• Fix Web UI trying to save user settings despite being logged out (ClearlyClaire)
• Fix hashtag regexp matching some link anchors (ClearlyClaire)
• Fix local account search on LDAP login being case-sensitive (raucao)
• Fix development environment admin account not being auto-approved (ClearlyClaire)
• Fix report reason selector in moderation interface not unselecting rules when changing category (ClearlyClaire)
• Fix already-invalid reports failing to resolve (ClearlyClaire)
• Fix OCR when using S3/CDN for assets (vmstan)
• Fix error when encountering malformed Tag objects from Kbin (ShadowJonathan)
• Fix not all allowed image formats showing in file picker when uploading custom emoji (june128)
• Fix search popout listing unusable search options when logged out (ClearlyClaire)
• Fix processing of featured collections lacking an items attribute (tribela)
• Fix mastodon:stats decoration of stats rake task (mjankowski)

Upgrade notes

To get the code for v4.2.12, use git fetch && git checkout v4.2.12.

Note

As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump

Important

Since v4.2.10, Mastodon is now performing stricter checks to prevent client IP address spoofing. This means that if one of your reverse proxy is not on Mastodon's local network, you will need to set TRUSTED_PROXY_IP accordingly, listing the IP address of every trusted reverse-proxy (including local network ones). See the documentation for more information.

Dependencies

With the exception of Ruby's recommended version, external dependencies have not changed since v4.2.0, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:

• Ruby: 3.0 to 3.2
• PostgreSQL: 10 or newer
• Elasticsearch (recommended, for full-text search): 7.x (OpenSearch should also work)
• LibreTranslate (optional, for translations): 1.3.3 or newer
• Redis: 4 or newer
• Node: 16 or newer
• ImageMagick: 6.9.7-7 or newer

Update steps

Tip

The charlock_holmes gem may fail to build on some systems with recent versions of gcc.
If you run into such an issue, try BUNDLE_BUILD__CHARLOCK_HOLMES="--with-cxxflags=-std=c++17" bundle install.

The following instructions are for updating from 4.2.10 or 4.2.11.

If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.

Non-Docker only:

1. Install dependencies: bundle install and yarn install --frozen-lockfile
2. Precompile the assets: RAILS_ENV=production bundle exec rails assets:precompile
3. Restart all Mastodon processes

Using Docker:

1. Restart all Mastodon processes

v4.2.11

Warning

This release has a known issue, causing mentions from local users with elevated roles failing to generate notifications.

Changelog

Added

• Add support for incoming <s> tag (mediaformat)

Changed

• Change logic of block/mute bypass for mentions from moderators to only apply to visible roles with moderation powers (ClearlyClaire)

Fixed

• Fix incorrect rate limit on PUT requests (ClearlyClaire)
• Fix presence of ß in adjacent word preventing mention and hashtag matching (adamniedzielski)
• Fix processing of webfinger responses with multiple self links (adamniedzielski)
• Fix duplicate orderedItems in user archive's outbox.json (ClearlyClaire)
• Fix click event handling when clicking outside of an open dropdown menu (ClearlyClaire)
• Fix status processing failing halfway when a remote post has a malformed replies attribute (ClearlyClaire)
• Fix --verbose option of tootctl media remove, which was previously erroneously removed (mjankowski)
• Fix division by zero on some video/GIF files (ClearlyClaire)
• Fix Web UI trying to save user settings despite being logged out (ClearlyClaire)
• Fix hashtag regexp matching some link anchors (ClearlyClaire)
• Fix local account search on LDAP login being case-sensitive (raucao)
• Fix development environment admin account not being auto-approved (ClearlyClaire)
• Fix report reason selector in moderation interface not unselecting rules when changing category (ClearlyClaire)
• Fix already-invalid reports failing to resolve (ClearlyClaire)
• Fix OCR when using S3/CDN for assets (vmstan)
• Fix error when encountering malformed Tag objects from Kbin (ShadowJonathan)
• Fix not all allowed image formats showing in file picker when uploading custom emoji (june128)
• Fix search popout listing unusable search options when logged out (ClearlyClaire)
• Fix processing of featured collections lacking an items attribute (tribela)
• Fix mastodon:stats decoration of stats rake task (mjankowski)

Upgrade notes

To get the code for v4.2.11, use git fetch && git checkout v4.2.11.

Note

As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump

Important

Since v4.2.10, Mastodon is now performing stricter checks to prevent client IP address spoofing. This means that if one of your reverse proxy is not on Mastodon's local network, you will need to set TRUSTED_PROXY_IP accordingly, listing the IP address of every trusted reverse-proxy (including local network ones). See the documentation for more information.

Dependencies

With the exception of Ruby's recommended version, external dependencies have not changed since v4.2.0, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:

• Ruby: 3.0 to 3.2
• PostgreSQL: 10 or newer
• Elasticsearch (recommended, for full-text search): 7.x (OpenSearch should also work)
• LibreTranslate (optional, for translations): 1.3.3 or newer
• Redis: 4 or newer
• Node: 16 or newer
• ImageMagick: 6.9.7-7 or newer

Update steps

Tip

The charlock_holmes gem may fail to build on some systems with recent versions of gcc.
If you run into such an issue, try BUNDLE_BUILD__CHARLOCK_HOLMES="--with-cxxflags=-std=c++17" bundle install.

The following instructions are for updating from 4.2.10.

If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.

Non-Docker only:

1. Install dependencies: bundle install and yarn install --frozen-lockfile
2. Precompile the assets: RAILS_ENV=production bundle exec rails assets:precompile
3. Restart all Mastodon processes

Using Docker:

1. Restart all Mastodon processes

v4.1.19

Changelog

Fixed

• Fix incorrect rate limit on PUT requests (ClearlyClaire)
• Fix presence of ß in adjacent word preventing mention and hashtag matching (adamniedzielski)
• Fix processing of webfinger responses with multiple self links (adamniedzielski)
• Fix status processing failing halfway when a remote post has a malformed replies attribute (ClearlyClaire)
• Fix division by zero on some video/GIF files (ClearlyClaire)
• Fix hashtag regexp matching some link anchors (ClearlyClaire)
• Fix local account search on LDAP login being case-sensitive (raucao)
• Fix development environment admin account not being auto-approved (ClearlyClaire)
• Fix report reason selector in moderation interface not unselecting rules when changing category (ClearlyClaire)
• Fix already-invalid reports failing to resolve (ClearlyClaire)
• Fix OCR when using S3/CDN for assets (vmstan)
• Fix error when encountering malformed Tag objects from Kbin (ShadowJonathan)
• Fix not all allowed image formats showing in file picker when uploading custom emoji (june128)

Upgrade notes

To get the code for v4.1.19, use git fetch && git checkout v4.1.19.

Note

As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump

Important

Since v4.1.18, Mastodon is now performing stricter checks to prevent client IP address spoofing. This means that if one of your reverse proxy is not on Mastodon's local network, you will need to set TRUSTED_PROXY_IP accordingly, listing the IP address of every trusted reverse-proxy (including local network ones). See the documentation for more information.

Dependencies

Warning

The minimum required Ruby version has been bumped to 3.0 in Mastodon v4.1.14.

External dependencies have not changed compared to v4.1.14, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:

• Ruby: 3.0
• PostgreSQL: 9.5 or newer
• Elasticsearch (optional, for full-text search): 7.x
• Redis: 4 or newer
• Node: >= 14, < 18
• ImageMagick: 6.9.7-7 or newer

Update steps

The following instructions are for updating from 4.1.18.

If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.

Non-Docker only:

1. Install dependencies: bundle install and yarn install --frozen-lockfile
2. Precompile the assets: RAILS_ENV=production bundle exec rails assets:precompile

Both Docker and non-Docker:

1. Restart all Mastodon processes