v2023.12.9
This release contains a security patch, as well as minor fixes and improvements. Upgrading is strongly recommended for all server operators.
Highlights
- Several DoS vulnerabilities - allowing remote attackers to allocate arbitrary amounts of memory - were patched
- Corrupt jobs now get discarded instead of clogging up the failed queues
Backend
- Fetched JSON-LD contexts are now limited to 1MiB, resolving a DoS attack vector
- Fetched node-fetch responses are now limited to 1MiB/10MiB, resolving a DoS attack vector
Miscellaneous
- The docker images now use the bundled libvips version shipping with sharp instead of the system-wide one, reducing the image size by ~60MB
- The example docker-compose.yml file was updated
- The iceshrimp-js package was renamed to iceshrimp-sdk in order to prevent confusion should this repository be renamed to iceshrimp-js in the future (to distinguish it from Iceshrimp.NET)
- Various dependency updates
- Various translation updates
Attribution
This release was made possible by project contributors: AntoineÐ & Laura Hausmann
v2023.12.8
This release contains minor fixes and improvements. Upgrading is recommended for all server operators.
Highlights
- AiScript has been updated to v0.17.0
- Several new MFM functions have been added
Backend
- Pinned notes are rendered as links instead of objects, improving privacy
- Sporadic errors while scrolling through followers/following lists were fixed
- The link preview generator now sends a proper user agent instead of identifying itself as a generic bot
- The home timeline query heuristic now gets reset when follow lists are being imported, resolving a timeline performance edge case
Mastodon client API
- The verify_credentials response now includes the follow_requests_count property, improving compatibility with certain Mastodon clients
- Attachments will now fall back to their full res version if they don't have a thumbnail, fixing a crash with the official Mastodon for Android app
Frontend
- The placeholder timetravel buttons have been removed
- The experiments page has been removed
Miscellaneous
- The helm chart was updated and now has more configuration options
- The yarn version was updated to v4.3.1
- The README was updated to better reflect the current development situation in relation to the rewrite
- The project now builds against NodeJS 22
- The dockerfile was updated & now builds against alpine 3.20
- Backend dependencies have been updated
- The recommended key/value store was switched to valkey
- The CI configuration has been updated
- Various translation updates
Attribution
This release was made possible by project contributors: AverageDood, Gersonzao, Kopper, Laura Hausmann, Mae Dartmann, Pyrox, Tournesol, ari melody, limepotato, mia & zotan
It also includes cherry-picked contributions from external contributors: naskya (firefish), ChaoticLeah (cutiekey)
v2023.12.7
This is a security release. Upgrading is therefore strongly recommended.
Backend
- Incoming LD-signed activities are now compacted against a well-known context to defend against spoofing attacks
- The automatically followed account property no longer gets set to a random (possibly non-local) user on instance settings updates
- The TypeORM logger is now much more configurable
- The bull dashboard now has the correct cache-control headers set
Mastodon client API
- The quote_id property is now returned for note responses
- The note search query now sets the userId property correctly, solving the problem of mismatching search results between the web client and the Mastodon client API
- The user profile html cache now gets updated and queried using the correct timestamp for local users, resolving an issue of stale data being displayed in some circumstances
Miscellaneous
- The yarn version was updated to 4.1.1
- The Dockerfile was updated to work better with some build systems that don't support cp -Tr
- The helm chart now has an option to set the number of worker threads
Attribution
This release was made possible by project contributors: Ezeani Emmanuel, Laura Hausmann, Mae Dartmann & mei23
Furthermore, I want to give special thanks to tesaguri for the security disclosure.
v2023.12.6
This is a security release. Upgrading is therefore strongly recommended.
Backend
- When fetching activities, their identifiers are now validated much more strictly
- Drive files now have the X-Content-Type-Options header set to nosniff
- The queue dashboard path is now validated more strictly
- The AP object resolver logic was improved to better handle edge cases
- Poll notifications are no longer generated for muted notes
Frontend
- Remote (cross-origin) videos now play properly
- Emoji reactions on the landing page timeline preview are now aligned properly
Mastodon client API
- The default reaction is now returned with /v1/instance
Miscellaneous
- The podman documentation was improved
- The example nginx config now has gzip enabled
- The Dockerfile now references the required dependencies for decoding AVIF images
- The installation requirements now mention postgresql-contrib
- Various translation updates
Attribution
This release was made possible by project contributors: CookiLover311, Crimekillz, Jegler, Laura Hausmann, Lilian, Norm, Salif Mehmed, jeder, konkonkon, naskya & 老周部落
Furthermore, I want to give special thanks to Oneric for the extraordinarily detailed security disclosure.
v2023.12.5
This is a followup security release. Upgrading is recommended.
Backend
- When fetching activities, the JSON-LD profile is now enforced for responses with application/ld+json content type
- Incoming note edits with attachment and no alt text no longer get silently dropped
Attribution
This release was made possible by project contributors: Laura Hausmann
v2023.12.4
This is a security release. Upgrading is therefore strongly recommended.
Backend
- The content type of fetched activities is now enforced
- Fetched activities' IDs must now match the hostname of the final request URL (after redirects)
- A typo in the activity audience parser was fixed, fixing federation of public posts with JSON-LD compliant remote instances
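The fetch-side checks listed in this release and in v2023.12.5 and v2023.12.9 (enforced content type, enforced JSON-LD profile, ID hostname matching the final request URL, capped response size), sketched as an added example. This is not Iceshrimp's code; the function names, the reason strings and the 1 MiB cap for activity bodies are assumptions, and the sample inputs are constructed.

```javascript
// Added example, not Iceshrimp code. Names, reason strings and the cap are assumptions.
const MAX_BODY_BYTES = 1024 * 1024; // assumed 1 MiB cap for a fetched activity
const AS_PROFILE = "https://www.w3.org/ns/activitystreams";

// Split a Content-Type header into its media type and parameters.
function parseContentType(header) {
  const [type, ...rest] = String(header ?? "").split(";");
  const params = {};
  for (const part of rest) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    const key = part.slice(0, eq).trim().toLowerCase();
    params[key] = part.slice(eq + 1).trim().replace(/^"(.*)"$/, "$1");
  }
  return { type: type.trim().toLowerCase(), params };
}

// application/activity+json is accepted as is; application/ld+json only
// when its profile parameter lists the ActivityStreams profile URI.
function isActivityContentType(header) {
  const { type, params } = parseContentType(header);
  if (type === "application/activity+json") return true;
  if (type !== "application/ld+json") return false;
  return (params.profile ?? "").split(/\s+/).includes(AS_PROFILE);
}

const fail = (reason) => ({ ok: false, reason });

// finalUrl is the URL of the last response, after redirects were followed.
function validateFetchedActivity({ finalUrl, contentType, body }) {
  // A real fetcher has to enforce the cap while streaming, before buffering.
  if (new TextEncoder().encode(body).length > MAX_BODY_BYTES) {
    return fail("body-too-large");
  }
  if (!isActivityContentType(contentType)) return fail("bad-content-type");

  let doc;
  try {
    doc = JSON.parse(body);
  } catch {
    return fail("invalid-json");
  }
  if (doc === null || typeof doc !== "object" || typeof doc.id !== "string") {
    return fail("missing-id");
  }

  let idHost, finalHost;
  try {
    // URL parsing lowercases the hostname, so the comparison is case-insensitive.
    idHost = new URL(doc.id).hostname;
    finalHost = new URL(finalUrl).hostname;
  } catch {
    return fail("invalid-url");
  }
  // An object claiming an ID on another host than the one that served it is rejected.
  if (idHost !== finalHost) return fail("id-host-mismatch");
  return { ok: true, reason: null };
}

// Constructed sample responses (hosts are placeholders under .example).
function runConstructedSamples() {
  const id = "https://social.example/notes/1";
  const body = JSON.stringify({ id, type: "Note" });
  const ld = `application/ld+json; profile="${AS_PROFILE}"`;
  const check = (input) => validateFetchedActivity(input).reason;
  return {
    ldWithProfile: check({ finalUrl: id, contentType: ld, body }),
    activityJson: check({ finalUrl: id, contentType: "application/activity+json", body }),
    ldWithoutProfile: check({ finalUrl: id, contentType: "application/ld+json", body }),
    htmlPage: check({ finalUrl: id, contentType: "text/html; charset=utf-8", body }),
    redirectedElsewhere: check({
      finalUrl: "https://files.example/notes/1",
      contentType: ld,
      body,
    }),
    oversized: check({
      finalUrl: id,
      contentType: ld,
      body: "x".repeat(MAX_BODY_BYTES + 1),
    }),
  };
}

console.log(runConstructedSamples());
```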
Mastodon client API
- The quote_id parameter is now supported when creating new posts
- The /v2/suggestions endpoint now requires the same scope as Mastodon (which differs from their API documentation)
- Full OAuth scopes (read/write/follow) are now also registered when expanding the authorized scopes list
Frontend
- Migrating from/to the same account twice no longer breaks the migration page
Miscellaneous
- The packaged yarn version (for NixOS) was updated to 4.1.0
- Various translation updates
Attribution
This release was made possible by project contributors: Laura Hausmann, Pyrox & tournesol
v2023.12.3
Release notes
This is a security release. Upgrading is strongly recommended, as is adding an instance-wide announcement informing your users that if they previously imported posts from Mastodon, they should check their imported post history for DMs and follower-only posts that should not be public.
Vulnerability explanation
The Mastodon post import feature (that has been untouched since Iceshrimp was forked from Firefish last year) did not correctly validate/set post visibility on imported posts. Due to the nature of the vulnerability, it's impossible to reconstruct which posts have been imported, and therefore we cannot restrict access to them in an update.
Backend
- Post imports have been disabled
- Existing posts that have the "hidden" visibility are now only accessible to the author
Frontend
- The UI for post imports has been removed
Miscellaneous
- The yarn version was updated to 4.1.0
- The helm chart was updated
Attribution
This release was made possible by project contributors: Laura Hausmann & corite
v2023.12.2
Release notes
This release contains minor fixes and improvements. Upgrading is recommended, especially if you have a lot of delayed jobs in your deliver queue.
Highlights
- Deliver jobs to dead/unresponsive instances will no longer get stuck in the deliver queue after 7 days of them being unresponsive
Backend
- Emojis that contain special characters now work properly
Miscellaneous
- Podman installation docs have been added
- The helm chart has been updated
- Locale files that were named incorrectly have been fixed
- Various translation updates
Attribution
This release was made possible by project contributors: Daks, Jeder, Laura Hausmann, Salif Mehmed, corite & jolupa
It also includes cherry-picked contributions from external contributors: Johann150
v2023.12.1
Release notes
This release contains performance improvements and minor bugfixes. Upgrading is recommended, especially if you are still experiencing performance issues with notifications and/or the home timeline.
Highlights
- Performance issues with the home timeline heuristics query as well as the notifications query have been resolved
UI/UX
- A bug in which an extra colon was shown at the end of some notifications has been resolved
Attribution
This release was made possible by project contributors: Laura Hausmann & mia
v2023.12
Release notes
This release contains only very minor changes if you're upgrading from v2023.12-pre4, but for users who skipped the prereleases, lots has changed. We primarily spent this release cycle on improving performance, we hope you enjoy a snappier experience!
The information below is an aggregate of all release highlights since the last stable release.
Highlights
- Reworked full text search, retiring Meili/Sonic/Elastic in favor of Postgres gin_trgm with advanced search filter support
- Significantly improved backend & API performance across the board
- A HTML cache was added to the Mastodon client API, drastically improving performance (check the example config for more details & configuration options)
- Word mute filters were completely reworked for better performance, especially at scale
- A couple Mastodon OAuth regressions were fixed
Backend
- Unnecessary table joins were removed for the i/notifications API endpoint, improving performance
UI/UX
- The pages and gallery tab navigation was fixed
- The center and small MFM tags now autocomplete properly
Miscellaneous
- The documentation on creating a database during the install process was improved
- Dependencies were updated and deduplicated, saving disk space
- Migration docs for Firefish were added
- JetBrains AI was disabled globally in the monorepo
- Various translation updates
Attribution
This release was made possible by project contributors: AntoineÐ, AverageDood, Jeder, Laura Hausmann, Pyrox, Salif Mehmed & Tournesol
v2023.12-pre4
This release preview primarily fixes bugs & regressions. Note: If you are upgrading from -pre3 and had the HTML cache prewarm functionality enabled, you might want to clear it (DELETE FROM "html_note_cache_entry";), as quote URLs were not stored correctly due to an oversight.
Mastodon client API
- The html cache prewarm functionality now correctly includes quote URLs
- Follow status indicators now work properly in apps that rely on an undocumented Mastodon API behavior (e.g. toot!)
Backend
- Relative URLs are no longer proxied, fixing the local instance icon indicator in the default configuration
UI/UX
- The update check in the admin panel now works as expected
- Toggles now have outlines for better visibility
- The client error screen was improved with new colors and icons
- The Twitter integration was removed, as it hasn't been functional since their API changes
- The apps help button now links to a new page in the repository (APPS.md)
Miscellaneous
- The biome code formatter version and configuration were updated
- Various translation updates
Attribution
This release was made possible by project contributors: AntoineÐ, AverageDood, Froggo, Laura Hausmann, Minybol & Pyrox
v2023.12-pre3
This release preview primarily contains performance optimizations and regression fixes. Upgrading is recommended especially if you're running a big instance or have more than a couple thousand entries in the muted_note table.
Highlights
- A HTML cache was added to the Mastodon client API, drastically improving performance (check the example config for more details & configuration options)
- Word mute filters were completely reworked for better performance, especially at scale
- A couple Mastodon OAuth regressions were fixed
Mastodon client API
- Notes that were filtered out due to hard word mutes are now returned to clients with the FilterResult property instead of being silently dropped
- Login with clients that leave a trailing + character in the scope parameter has been fixed
- Login with clients that depend on the state parameter in the OAuth process has been fixed
Backend
- updateUserProfileData now only triggers updateMentions once
- Word mute data is now stored in redis instead of the database, significantly improving timeline query performance for larger instances
- Database columns containing hostnames had their length increased to accommodate longer domain names
UI/UX
- Copy to clipboard now uses the modern async clipboard API and no longer applies weird formatting to copied text
Miscellaneous
- Various translation updates
Attribution
This release was made possible by project contributors: AverageDood, Laura Hausmann & Pyrox
v2023.12-pre2
This release contains an important security fix. Upgrading is therefore strongly recommended. If you are on or want to upgrade to a stable release, please refer to the stable backport release v2023.11.4 instead.
Added features
- A new setting was added that allows admins to specify an account that's automatically followed on user registration
Bug fixes
- HTTP signatures are now properly validated everywhere
UI/UX
- The gradient angles were adjusted to be in line with the design guidelines
Attribution
This release was made possible by project contributors: AntoineÐ, Latte macchiato & Laura Hausmann
It also includes cherry-picked contributions from external contributors: perillamint, yunochi
v2023.12-pre1
It's been a while, but it's time for another prerelease. This release cycle is going to primarily focus on performance, both in the backend and the frontend.
Note: This release preview includes a lot of expensive migrations, which may take a while to run. We promise the performance benefits are worth the wait.
Highlights
- Reworked full text search, retiring Meili/Sonic/Elastic in favor of Postgres gin_trgm with advanced search filter support
- Significantly improved backend & API performance across the board
Backend
- Support for external search backends was removed
- Support for advanced search filters was added to the Postgres search backend
- The search-by-username-and-host API endpoint no longer excludes the local user making the request
- Renote status is now aggregated and returned with timeline responses instead of the client requesting it for each note individually
- Heuristics for which timeline query to use for each user were added, drastically improving worst case timeline performance
- Timeline queries were streamlined for improved performance, adding new multi-column indices as appropriate
- User avatar and banner URL & blurhash were duplicated into the user table, drastically improving query performance by saving up to 6 joins per query
- The media proxy was reworked to not require a database query per requested file
- A per-request packed user cache was added to the web API to improve performance, mimicking the existing Mastodon client API implementation
- The web API now only fetches exactly as many notes as have been requested
- The re2 dependency was updated, fixing builds on NixOS
- Environment variables that allow setting alternative locations for the config file, a second config file for secrets, the custom directory as well as the media directory were added
- The followRequestAccepted notification is no longer emitted for non-locked accounts
- The mfm-to-html renderer for outgoing ActivityPub messages was changed to happy-dom
Mastodon client API
- Search now also supports filters, using the same syntax as the web client
- NoteConverter and UserConverter now pre-aggregate applicable data in their respective encodeMany functions for improved performance
- The user column is now joined where applicable for improved performance
- The mfm-to-html renderer was changed to happy-dom, drastically improving timeline performance
UI/UX
- The search dialog was replaced with a proper search page, and now supports additional search filters
- A help page containing a list of all available search filters was added
- All references to post indexing were removed, as manual indexing is no longer required
- The search filter button is no longer visible in guest mode
- Inactive search tabs are no longer loaded
- Overscroll was disabled due to it causing graphical glitches and weird behavior, especially on desktop
- All images in timeline views now have the loading="lazy" and decoding="async" attributes set
- The URL card animation has been removed
- Additional posts are now loaded in before reaching the bottom of the timeline
- VueJS and Vite were updated to their respective latest versions
Infrastructure and governance
- Docker builds with populated BuildKit caches no longer break if the yarn cache changes
Miscellaneous
- References to external search backends were removed from the documentation & example configuration files
- The installation docs now contain information on the available environment variables
- The project readme was updated
- All project imports of the deprecated punycode node module were switched over to the punycode.js replacement
- Various translation updates
Attribution
This release was made possible by project contributors: AntoineÐ & Laura Hausmann
v2023.11.3
This release contains yet more packaging and distribution-related changes, including some required for packaging the project for NixOS.
Backend
- The backslash character is now correctly escaped in sqlLikeEscape, fixing search queries containing backslashes
Infrastructure and governance
- The Dockerfile was streamlined and now builds the project with an immutable lockfile in the first stage
Miscellaneous
- The focus-production yarn script now also updates .yarnrc.yml, fixing builds in some packaging environments
- The default locale was changed to en-US, which should fix translation-related UI issues
- A new yarn script - pack-yarn - was added to assist with packaging the project on NixOS
Attribution
This release was made possible by project contributors: Jeder, Laura Hausmann & Pyrox
v2023.11.2
This release primarily contains project maintenance changes. For the first time, we are also distributing binary packages! Currently we support Arch Linux; DEB & RPM based distributions will follow.
Highlights
- Lots of yarn script tweaks and additions, allowing for easier packaging and distribution
- Significantly reduced size of container images
- Binary packages for Arch Linux (DEB/RPM support to follow)
UI/UX
- The local-only icon is now consistent across different parts of the UI
- The /about-iceshrimp page was tweaked
Backend
- Running yarn workspace backend run migration:revert now exits properly instead of stalling
- Enabling 2FA when the instance is in private mode no longer locks users out of their account
- A typo in the name of the scope parameter for the /oauth/token endpoint was fixed
- The /oauth/token endpoint is now strictly compliant with the Mastodon API specification (note: their documentation does not match their implementation)
Infrastructure and governance
- Built Docker images now only contain runtime dependencies, decreasing image size significantly
Miscellaneous
- Yarn is now using the strict PnP mode, all peer dependencies that are broken upstream were patched
- A new yarn script, focus-production, was added. Running it will remove all dependencies that are not needed after building the project. Caution: only use for packaging, as this rewrites all package.json files in the project directory.
- A new yarn script, regen-version, was added. Running it will set the version attribute of the main package.json to ${tag}-dev-${git_revision}.
- The installation documentation was updated
- Git LFS disclaimers were added to the documentation
- Yarn was updated to v4.0.2
- Dependencies using node-gyp now build with all available threads
- The nix flake was updated to work properly with all recent changes
- The documentation no longer recommends git clones with --depth=1 for most deployment types, as this is not really necessary anymore due to git-lfs
- Patches were merged into upstream re2 and their install-artifact-from-github dependency, both fixing build on arm64-musl, and allowing for much faster prebuilt artifact installs
- The yarn script dev now only builds the project once
- The nix development documentation was updated
- The README badges were updated
Attribution
This release was made possible by project contributors: Alexis, AntoineÐ, Laura Hausmann & Pyrox
v2023.11.1
Release notes
This release primarily adds polish and fixes bugs and regressions introduced in the previous release cycle. If you are running v2023.11 or earlier, upgrading is strongly recommended.
Highlights
- Builds on docker-arm64 (and on bare metal musl-arm64 distros) work as expected again
- Improved OAuth login page
Bug fixes
- The node-re2 dependency was migrated to an in-house fork, fixing builds on musl-arm64
- Tags in edited posts are now handled correctly
- Polls are now federating properly to non-*key instances again
- Hovering over a link no longer renders a duplicate popover
- Various client settings that were previously missing from preference backups are now included
- Incoming poll edits are now processed correctly
UI/UX
- The "Centered" layout was removed
- The layout dropdown was replaced with a "toggle layout" button
- The "Modern" CW style now has the visual buttons match the clickable area
- The OAuth login page has been fully reworked to only show essential information
- Tooltips are no longer shown on touchscreen input
- The icon for "mark all notifications as read" was changed to ph-checks to better reflect the action
- A new client preferences category, "Wellness", was added, currently containing the option to hide certain UI elements like the new posts indicator, with more to come
Mastodon client API
- A regression in which remote posts with quotes attached had the quoteUri duplicated was fixed
Backend
- Local only notes are now not shown to guest users in timeline/non-detail views either
- Channels are no longer visible to guests
- User bios with MFM now federate properly with other *key instances implementing the _misskey_summary field
- The separate cache server was merged back into a unified (cache + queue processor) redis architecture, the respective config fields have been removed
Infrastructure and governance
- The CI workflows no longer reference cargo/rust
- Docker builds now use the yarn version specified in package.json instead of yarn@stable
- The README was updated to better reflect the project values
Miscellaneous
- The code formatter was changed from rome to biome
- The "Twitter (soon)" option for post imports has been removed
- The documentation now contains information on possible conflicts between the corepack and system yarn installations
- Various translation updates
Attribution
This release was made possible by project contributors: AntoineÐ, Aylam & Laura Hausmann
It also includes cherry-picked contributions from external contributors: kakkokari-gtyih
v2023.11
Release notes
This release contains only very minor changes if you're upgrading from v2023.11-pre5, but for users who skipped the prereleases, lots has changed. Be sure to read the changelogs of all releases between the one you're upgrading from and this one, especially the sections on breaking changes.
The information below is an aggregate of all breaking changes and release highlights since the last stable release.
Breaking changes
- Lists have been reworked, now only allowing followed users to be added, and support for proxy accounts has been removed. To allow users to follow any users they want to keep on their lists, the migration that removes all list members users are not following will only be activated in the release after the next stable release. It is therefore highly recommended to add an instance announcement informing your users of this change and advising them to follow any affected accounts and to use the new "hide from home timeline" list option if desired.
- The Mastodon client API now uses the same object identifiers as the Misskey API, as well as its own, separate OAuth backend. This means all existing sessions are now invalid. Please log out and back in again in your clients.
Highlights
- The Mastodon client API backend underwent a full rewrite, dropping megalodon as a dependency. Expect:
- Rich text formatting (mentions, links, hashtags, etc. are now properly formatted)
- Significantly improved API responsiveness - performance was improved by a factor of 2-5x (or more!) depending on the endpoint
- Better spec compliance & improved compatibility (we test against: Mona, toot!, Ice Cubes, Tusker, Feditext, Mastodon for iOS, Mastodon for Android/Megalodon/Moshidon, Tusky, Elk, Phanpy, Pinafore/Semaphore/Enafore and more)
- The Mastodon client API now supports the websocket streaming API
- Various bugs in the HTTP Link header pagination implementation were fixed
- The Mastodon client API now uses OAuth instead of MiAuth
- ActivityPub object lookups now respect redirects
- Significantly improved handling of mentions, both in outgoing AP messages and in the Mastodon client API
- Various Mastodon client API regressions are now fixed, improving client compatibility
- HTTP Signature validation error handling has been improved
- The project is now compatible with NodeJS >= 18.6 (tested against v21.1.0 at time of writing)
Miscellaneous
- The project is now compatible with NodeJS v21, tested against v21.1.0 at time of writing
- The nix dev environment was updated
Attribution
This release was made possible by project contributors: AntoineÐ, Aylam, Erin Shepherd, jeder, Laura Hausmann & Pyrox
It also includes cherry-picked contributions from external contributors: Johann150
v2023.11-pre5
Release notes
This release fixes a regression introduced in the last release preview. If you are running v2023.11-pre3 or v2023.11-pre4, upgrading is strongly recommended.
Miscellaneous
- The commit that removed the Mk prefix from VueJS components has been reverted, as it caused various UI issues
Attribution
This release was made possible by project contributors: Laura Hausmann
v2023.11-pre4
Release notes
This release mostly fixes regressions introduced in the last release preview. If you are running v2023.11-pre3, upgrading is strongly recommended.
Mastodon client API
- The compatible version was bumped to 4.2.1, to indicate support for the "hide list members from home timeline" feature
- Remote users are now automatically refreshed in background
Backend
- Errors in refetchPublicKeyForApId can no longer cause strange inbox queue behavior
- Database transactions were refactored so no non-database code is run in transaction blocks, fixing a possible backend stall condition in which all database connections are blocked by transactions
- User profile mentions resolution no longer recurses infinitely, fixing a possible DoS attack vector
Miscellaneous
- The Mk prefix was removed from all custom VueJS components
- .yarn/sdks was updated to fix language server problems in VSCode
- Various translation updates
Attribution
This release was made possible by project contributors: AntoineÐ, Aylam, jeder & Laura Hausmann
v2023.11-pre3
Breaking changes
- Lists have been reworked, now only allowing followed users to be added, and support for proxy accounts has been removed. To allow users to follow any users they want to keep on their lists, the migration that removes all list members users are not following will only be activated in the release after the next stable release. It is therefore highly recommended to add an instance announcement informing your users of this change and advising them to follow any affected accounts and to use the new "hide from home timeline" list option if desired.
Highlights
- Significantly improved handling of mentions, both in outgoing AP messages and in the Mastodon client API
- Various Mastodon client API regressions are now fixed, improving client compatibility
- HTTP Signature validation error handling has been improved
- The project is now compatible with NodeJS >= 18.6 (tested against v20.8.1 at time of writing)
Mastodon client API
- Long redirect URIs are now handled correctly
- The /v1/instance endpoint now returns the correct streaming URL
- The /v1/apps response now returns all fields, including vapid_key, allowing for implementation of push notifications in the future
- Redirect URLs that contain double-urlencoded parts are now handled correctly
- The OAuth process now displays errors properly
- The hashtag timeline query is now case insensitive
- Statuses returned by all endpoints now have the content_type field populated
- The /v1/instance endpoint now correctly lists the supported mime types for statuses
- Hashtags now have the class=hashtag attribute set correctly
- Accounts returned by all endpoints now have the fqn field populated
- Inline quote URLs are now rendered properly by supported clients (e.g. Enafore)
- Mentions to accounts the instance was unable to resolve are now rendered as plain text
- Profile edits made using /v1/update_credentials are now federated properly
- An edge case where quotes were incorrectly detected as boosts was resolved
- Boosted quotes are now handled properly
- User profile data is now updated in the background when calling /v1/accounts/:id
- The url field in status objects now contains the url instead of the uri, whenever available
- Boosts by boost-muted users are now skipped in the Mastodon streaming API
Backend
- Migrations are finally in sync with the ORM, allowing for proper migrations handling in the future
- Mentions in user profiles are now resolved and stored in the database
- Invalid mentions in outgoing AP messages are now sent as plain text instead of an unreachable link pointing back at the origin instance
- When HTTP signature validation fails, an attempt to refresh the user's public key is now made, fixing federation with Mastodon instances who ran tootctl accounts rotate
- The error image override config is now loaded properly
- VAPID keys for WebPush are now properly generated when bootstrapping a new instance
- Capitalization of mentions is now corrected automatically, preventing federation issues where remote instances fail to render them
- Authorized fetch is now enabled by default for new instances
- NSFW detection & tensorflow have been removed
- HTTP signature validation now correctly verifies the hostname of the keyId against the hostname of the actor uri instead of the user's account domain, fixing an edge case where federation with split domain instances could fail
- Federation handshakes initiated by GoToSocial when the local instance has authorized fetch enabled are now handled correctly
- The search-by-username-and-host endpoint now doesn't filter out inactive users by default
UI/UX
- The default themes were tweaked
- The 'Explore' tab header now uses the correct icon
Miscellaneous
- Some unused files have been removed from the repository
- The code formatter now works properly for .vue files
- The discrepancy of different formatters using different tab widths was resolved
- The documentation now recommends using git clone --depth=1 when cloning the repository to speed up the process
- The Dockerfile now doesn't run yarn workspaces focus --production because it doesn't actually save any space in the final image due to yarn zero installs
- A new yarn script, start:debug, was added to make attaching a debugger to the application easier
- Dependencies with critical vulnerabilities have been updated
- Various translation updates
Attribution
This release was made possible by project contributors: AntoineÐ, Aylam, Erin Shepherd & Laura Hausmann
v2023.11-pre2
Highlights
- An oversight in the OAuth helper that was preventing login from working in some Mastodon clients was fixed.
v2023.11-pre1
New versioning scheme
From now on we will use a JetBrains-like versioning scheme. Since our release candidates are more of a release preview, they can now be identified by the -pre suffix, followed by a number that increments with each following release preview. To maintain lexical sort order with previous releases from this year, we're starting the release counter at 11. That makes this release v2023.11-pre1.
Breaking changes
- The Mastodon client API now uses its own, separate OAuth backend. This means all existing sessions are now invalid. Please log out and back in again in your clients.
Highlights
- The Mastodon client API now uses OAuth instead of MiAuth
- ActivityPub object lookups now respect redirects
Mastodon client API
- Reactions with 0 reacts are no longer returned
- The 'next' part of the Link pagination header is no longer returned when there are fewer results than the set limit
- Remote mentions of local users are now rendered correctly
- Mentions now only display the handle, without the instance domain, mimicking Mastodon
- Code blocks are now rendered properly
- Mentions in user bios now work (most of the time)
- Quote URIs are now only appended to the post if the post doesn't already contain them
- Links are now rendered properly
- The streaming API now works for webclients running in Chrome and its derivatives
- /v1/instance now returns the field max_toot_chars, improving compatibility with some clients
- Edit history is now returned in the correct order
- Invalid remote mentions are now handled correctly
- User search autocomplete now works as one would expect
- The public:allow_local_only stream is now supported
UI/UX
- "NSFW content" was renamed to "sensitive content"
- The user mention picker now works correctly for remote users
Backend
- All migrations are now written in TypeScript
- Mentions in outgoing AP messages are now formatted correctly
- Trailing slashes for links in user profile fields are now only sent in AP messages if explicitly set
- Links in outgoing AP messages are now formatted correctly
- Mention parsing in incoming & outgoing AP messages now matches usernames case-insensitively
- The required VAPID keys for WebPush are now generated automatically
Miscellaneous
- A missing devDependency was added
- The unused check:connect script was removed
Attribution
This release was made possible by project contributors: aylamz & Laura Hausmann
It also includes cherry-picked contributions from external contributors: Johann150
v2023.10.11-rc1
Highlights
- The Mastodon client API now supports the websocket streaming API
- Various bugs in the HTTP Link header pagination implementation were fixed
Attribution
This release was made possible by project contributors: Laura Hausmann
v2023.10.08-rc1
Breaking changes
- The Mastodon client API now uses the standard alphanumeric ID format. This breaks pagination with existing Mastodon client sessions, if they cache user and/or post data. It is therefore strongly recommended that you either clear the client's cache (if it exposes such a button), its data (if your OS supports this), log out and in again, or in the worst case reinstall any clients with active sessions, especially if you notice strange timeline behavior or unexplained "Record not found" errors.
Highlights
- The Mastodon client API backend underwent a full rewrite, dropping megalodon as a dependency. Expect:
  - Rich text formatting (mentions, links, hashtags, etc. are now properly formatted)
  - Significantly improved API responsiveness - performance was improved by a factor of 2-5x (or more!) depending on the endpoint
  - Better spec compliance & improved compatibility (we test against: Mona, toot!, Ice Cubes, Tusker, Feditext, Mastodon for iOS, Mastodon for Android/Megalodon/Moshidon, Tusky, Elk, Phanpy, Pinafore/Semaphore/Enafore and more)
Bug Fixes
- The update checker now works properly with the new versioning scheme
- The control panel indicator is now displayed correctly
- Countless Mastodon client API bugs have been resolved
Backend
- Note edits (of local users) have been completely reworked, now storing the correct history and no longer accepting nonsensical parameters (like changing the reply target) that don't federate properly if at all
UI/UX
- The calendar widget is now disabled by default
- The navigation buttons on mobile have been improved
- The default themes now have proper shadows
- Post headers no longer have text shadow
Miscellaneous
- The documentation now mentions PGTune
- Private mode descriptions now refer to 'allowlists' instead of an outdated term
- Various translation updates
Attribution
- This release was made possible by project contributors: Alexis, AntoineÐ, Aylam & Laura Hausmann
v2023.10.04
Highlights
- New logos, themes & brand colors
- All rust code has been removed (less jank, significantly faster build times)
Bug Fixes
- Post boost counts can no longer become negative
Performance
- User note lookups are now significantly faster
Miscellaneous
- Minor iconography changes
- Translation updates
Infrastructure
- Docker builds are now versioned
Attribution
This release was made possible by project contributors: AntoineÐ, Aylam, Jeder, Laura Hausmann & moshibar
v2023.09.13-rc1
Highlights
- New branding & documentation
- Proper support for split domain deployments, both local and remote
- Configurable automatic remote media pruning (disabled by default)
- Reworked content warnings (three different styles for CW'd posts, 'Expand all CWs in thread' button, 'Expand all CWs by default' client option)
Bug fixes
- CW-only quotes now function correctly
- Relative timestamps (1m ago) are now updated as time passes
- Replies to inaccessible posts are now displayed correctly instead of causing timeline errors
- Antenna pagination is now handled correctly, including for posts received out of order
- Inbox URLs are now checked in the deliver manager (a broken akkoma commit was briefly causing delivery queue crashes)
- The chats page title no longer occasionally displays undefined
- Fixed an edge case where account deletion could time out
- Antennas now also match on CW text
- Local only posts now correctly display on the timeline without having to reload
- The migration that moves antennas to the redis/dragonflydb cache server now works with password protected redis servers
- You can now no longer edit a post to include a quote of itself
- Post edits no longer support post visibility changes
- Full text search is now restricted to logged in users
- Local only posts are no longer accessible to guest users
- The web client now shows local users with the instance account domain instead of the web domain
- New replies in a thread are now displayed correctly
- User update no longer fails for users who don't have a sharedInbox
- Follow requests now paginate properly
- Fetching pinned posts from users on GoToSocial instances (or other AP implementations that return a collection of URIs instead of objects) now works properly
UI/UX
- Ads, donation nag prompts & the patreon integration have been removed
- The blinking notification indicator has been replaced with a static one
- Replies to inaccessible posts now have an indicator explaining this
- Protected posts now have a lock indicator instead of a disabled boost button
- The navbar editor now has a proper UI
- The instance ticker is now much more readable in light mode
- The post visibility picker is now mobile-optimized
- The search button in the guest view is now a button instead of a fake search bar
- Blur is now disabled by default
- When blur is disabled, UI elements are now properly opaque
- The antenna timeline now has a help text explaining why posts can be out of order
- Status images have been replaced with configurable status emoji
- The navbar layout has been tweaked
- Various inconsistencies as well as alignment & animation issues have been fixed
Mastodon client API
- /api/v1/instance is now more accurate
- Emoji reactions are now supported
- The 'pinned' parameter is now supported for individual profile timelines
- Improved handling for quotes
- Post edits are now supported
- Post deletion now returns the correct response
- OAuth registration now correctly supports multiple callback URIs
Backend
- Cache<T> .getAll and .delete functions now work as expected
- Deleted users are now purged from user lookup and public key caches
- Proper support for host-meta style WebFinger
- Stricter compliance with the WebFinger spec
- Support for WebFinger remotes that don't handle queries for object URIs correctly
Performance
- The project is now built with yarn berry (with zero installs) instead of pnpm
- The docker build process now properly caches rust and yarn deps
- The migration rust crate now builds much faster
Miscellaneous
- The MFM search engine is now configurable
- Various translation updates
Infrastructure and governance
- Commits are now tested with basic CI on push
- Docker builds are now automatic for amd64 and arm64
- The code of conduct has been updated
Attribution
This release was made possible by project contributors: Anthial, AntoineÐ, April John, aylamz, Froggo, Jeder, Laura Hausmann, Luna, maikelthedev, moshibar, ShittyKopper & Vyr Cossont
It also includes cherry-picked contributions from external contributors: Namekuji, Natty, ThatOneCalculator & Naskya
This file lists all major changes made since the fork from Firefish on 2023-07-21. For changes prior to that date, please reference the Firefish repository.