##### Changelog
##### Security
- Update dependencies
- Fix private mention filtering ([GHSA-5fq7-3p3j-9vrf](https://togithub.com/mastodon/mastodon/security/advisories/GHSA-5fq7-3p3j-9vrf))
- Fix password change endpoint not being rate-limited ([GHSA-q3rg-xx5v-4mxh](https://togithub.com/mastodon/mastodon/security/advisories/GHSA-q3rg-xx5v-4mxh))
- Add hardening around rate-limit bypass ([GHSA-c2r5-cfqr-c553](https://togithub.com/mastodon/mastodon/security/advisories/GHSA-c2r5-cfqr-c553))
##### Added
- Add rate-limit on OAuth application registration ([ThisIsMissEm](https://togithub.com/mastodon/mastodon/pull/30316))
- Add fallback redirection when getting a webfinger query `WEB_DOMAIN@WEB_DOMAIN` ([ClearlyClaire](https://togithub.com/mastodon/mastodon/pull/28592))
- Add `digest` attribute to `Admin::DomainBlock` entity in REST API ([ThisIsMissEm](https://togithub.com/mastodon/mastodon/pull/29092))
##### Removed
- Remove superfluous application-level caching in some controllers ([ClearlyClaire](https://togithub.com/mastodon/mastodon/pull/29862))
- Remove aggressive OAuth application vacuuming ([ThisIsMissEm](https://togithub.com/mastodon/mastodon/pull/30316))
##### Fixed
- Fix leaking Elasticsearch connections in Sidekiq processes ([ClearlyClaire](https://togithub.com/mastodon/mastodon/pull/30450))
- Fix language of remote posts not being recognized when using unusual casing ([ClearlyClaire](https://togithub.com/mastodon/mastodon/pull/30403))
- Fix off-by-one in `tootctl media` commands ([ClearlyClaire](https://togithub.com/mastodon/mastodon/pull/30306))
- Fix removal of allowed domains (in `LIMITED_FEDERATION_MODE`) not being recorded in the audit log ([ThisIsMissEm](https://togithub.com/mastodon/mastodon/pull/30125))
- Fix not being able to block a subdomain of an already-blocked domain through the API ([ClearlyClaire](https://togithub.com/mastodon/mastodon/pull/30119))
- Fix `Idempotency-Key` being ignored when scheduling a post ([ClearlyClaire](https://togithub.com/mastodon/mastodon/pull/30084))
- Fix crash when supplying the `FFMPEG_BINARY` environment variable ([timothyjrogers](https://togithub.com/mastodon/mastodon/pull/30022))
- Fix improper email address validation ([ClearlyClaire](https://togithub.com/mastodon/mastodon/pull/29838))
- Fix results/query in `api/v1/featured_tags/suggestions` ([mjankowski](https://togithub.com/mastodon/mastodon/pull/29597))
- Fix unblocking internationalized domain names under certain conditions ([tribela](https://togithub.com/mastodon/mastodon/pull/29530))
- Fix admin account created by `mastodon:setup` not being auto-approved ([ClearlyClaire](https://togithub.com/mastodon/mastodon/pull/29379))
- Fix reference to non-existent var in CLI maintenance command ([mjankowski](https://togithub.com/mastodon/mastodon/pull/28363))
##### Upgrade notes
To get the code for v4.2.9, use `git fetch && git checkout v4.2.9`.
> \[!NOTE]
> As always, **make sure you have backups of the database before performing any upgrades**. If you are using docker-compose, this is how a backup command might look: `docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump`
> \[!IMPORTANT]
> Mastodon is now performing stricter checks to prevent client IP address spoofing. This means that if one of your reverse proxy is not on Mastodon's local network, you will need to set `TRUSTED_PROXY_IP` accordingly, listing the IP address of every trusted reverse-proxy.
##### Dependencies
With the exception of Ruby's recommended version, external dependencies have not changed since v4.2.0, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:
- Ruby: 3.0 to 3.2
- PostgreSQL: 10 or newer
- Elasticsearch (recommended, for full-text search): 7.x (OpenSearch should also work)
- LibreTranslate (optional, for translations): 1.3.3 or newer
- Redis: 4 or newer
- Node: 16 or newer
- ImageMagick: 6.9.7-7 or newer
##### Update steps
The following instructions are for updating from 4.2.8.
If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.
**Non-Docker only:**
1. Install dependencies: `bundle install` and `yarn install --frozen-lockfile`
2. Restart all Mastodon processes
**Using Docker:**
1. Restart all Mastodon processes
Configuration
π Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
π¦ Automerge: Enabled.
β» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
π Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates:
v4.2.8->v4.2.9Release Notes
mastodon/mastodon (tootsuite/mastodon)
### [`v4.2.9`](https://togithub.com/mastodon/mastodon/releases/tag/v4.2.9) [Compare Source](https://togithub.com/mastodon/mastodon/compare/v4.2.8...v4.2.9)
##### Changelog ##### Security - Update dependencies - Fix private mention filtering ([GHSA-5fq7-3p3j-9vrf](https://togithub.com/mastodon/mastodon/security/advisories/GHSA-5fq7-3p3j-9vrf)) - Fix password change endpoint not being rate-limited ([GHSA-q3rg-xx5v-4mxh](https://togithub.com/mastodon/mastodon/security/advisories/GHSA-q3rg-xx5v-4mxh)) - Add hardening around rate-limit bypass ([GHSA-c2r5-cfqr-c553](https://togithub.com/mastodon/mastodon/security/advisories/GHSA-c2r5-cfqr-c553)) ##### Added - Add rate-limit on OAuth application registration ([ThisIsMissEm](https://togithub.com/mastodon/mastodon/pull/30316)) - Add fallback redirection when getting a webfinger query `WEB_DOMAIN@WEB_DOMAIN` ([ClearlyClaire](https://togithub.com/mastodon/mastodon/pull/28592)) - Add `digest` attribute to `Admin::DomainBlock` entity in REST API ([ThisIsMissEm](https://togithub.com/mastodon/mastodon/pull/29092)) ##### Removed - Remove superfluous application-level caching in some controllers ([ClearlyClaire](https://togithub.com/mastodon/mastodon/pull/29862)) - Remove aggressive OAuth application vacuuming ([ThisIsMissEm](https://togithub.com/mastodon/mastodon/pull/30316)) ##### Fixed - Fix leaking Elasticsearch connections in Sidekiq processes ([ClearlyClaire](https://togithub.com/mastodon/mastodon/pull/30450)) - Fix language of remote posts not being recognized when using unusual casing ([ClearlyClaire](https://togithub.com/mastodon/mastodon/pull/30403)) - Fix off-by-one in `tootctl media` commands ([ClearlyClaire](https://togithub.com/mastodon/mastodon/pull/30306)) - Fix removal of allowed domains (in `LIMITED_FEDERATION_MODE`) not being recorded in the audit log ([ThisIsMissEm](https://togithub.com/mastodon/mastodon/pull/30125)) - Fix not being able to block a subdomain of an already-blocked domain through the API ([ClearlyClaire](https://togithub.com/mastodon/mastodon/pull/30119)) - Fix `Idempotency-Key` being ignored when scheduling a post ([ClearlyClaire](https://togithub.com/mastodon/mastodon/pull/30084)) - Fix crash when supplying the `FFMPEG_BINARY` environment variable ([timothyjrogers](https://togithub.com/mastodon/mastodon/pull/30022)) - Fix improper email address validation ([ClearlyClaire](https://togithub.com/mastodon/mastodon/pull/29838)) - Fix results/query in `api/v1/featured_tags/suggestions` ([mjankowski](https://togithub.com/mastodon/mastodon/pull/29597)) - Fix unblocking internationalized domain names under certain conditions ([tribela](https://togithub.com/mastodon/mastodon/pull/29530)) - Fix admin account created by `mastodon:setup` not being auto-approved ([ClearlyClaire](https://togithub.com/mastodon/mastodon/pull/29379)) - Fix reference to non-existent var in CLI maintenance command ([mjankowski](https://togithub.com/mastodon/mastodon/pull/28363)) ##### Upgrade notes To get the code for v4.2.9, use `git fetch && git checkout v4.2.9`. > \[!NOTE] > As always, **make sure you have backups of the database before performing any upgrades**. If you are using docker-compose, this is how a backup command might look: `docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump` > \[!IMPORTANT] > Mastodon is now performing stricter checks to prevent client IP address spoofing. This means that if one of your reverse proxy is not on Mastodon's local network, you will need to set `TRUSTED_PROXY_IP` accordingly, listing the IP address of every trusted reverse-proxy. ##### Dependencies With the exception of Ruby's recommended version, external dependencies have not changed since v4.2.0, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is: - Ruby: 3.0 to 3.2 - PostgreSQL: 10 or newer - Elasticsearch (recommended, for full-text search): 7.x (OpenSearch should also work) - LibreTranslate (optional, for translations): 1.3.3 or newer - Redis: 4 or newer - Node: 16 or newer - ImageMagick: 6.9.7-7 or newer ##### Update steps The following instructions are for updating from 4.2.8. If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations. **Non-Docker only:** 1. Install dependencies: `bundle install` and `yarn install --frozen-lockfile` 2. Restart all Mastodon processes **Using Docker:** 1. Restart all Mastodon processesConfiguration
π Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
π¦ Automerge: Enabled.
β» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
π Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.