Merge tag 'v3.1.5'

2020-07-12 12:54:21 +10:00 · 2020-07-12 12:54:21 +10:00 · 45e447c6aa
parent 2f69e82069 661f3f26b0
commit 45e447c6aa
1190 changed files with 15185 additions and 6764 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@ -5,11 +5,13 @@ aliases:
    docker:
      - image: circleci/ruby:2.7-buster-node
        environment: &ruby_environment
          BUNDLE_JOBS: 3
          BUNDLE_RETRY: 3
          BUNDLE_APP_CONFIG: ./.bundle/
          BUNDLE_PATH: ./vendor/bundle/
          DB_HOST: localhost
          DB_USER: root
          RAILS_ENV: test
          PARALLEL_TEST_PROCESSORS: 4
          ALLOW_NOPAM: true
          CONTINUOUS_INTEGRATION: true
          DISABLE_SIMPLECOV: true
@ -31,9 +33,9 @@ aliases:
  - &restore_ruby_dependencies
    restore_cache:
      keys:
-        - v2-ruby-dependencies-{{ checksum "/tmp/.ruby-version" }}-{{ checksum "Gemfile.lock" }}
+        - v3-ruby-dependencies-{{ checksum "/tmp/.ruby-version" }}-{{ checksum "Gemfile.lock" }}
-        - v2-ruby-dependencies-{{ checksum "/tmp/.ruby-version" }}-
+        - v3-ruby-dependencies-{{ checksum "/tmp/.ruby-version" }}-
-        - v2-ruby-dependencies-
+        - v3-ruby-dependencies-
  - &install_steps
    steps:
@ -41,11 +43,13 @@ aliases:
      - *attach_workspace
      - restore_cache:
          keys:
-            - v1-node-dependencies-{{ checksum "yarn.lock" }}
+            - v2-node-dependencies-{{ checksum "yarn.lock" }}
-            - v1-node-dependencies-
+            - v2-node-dependencies-
-      - run: yarn install --frozen-lockfile
+      - run:
          name: Install yarn dependencies
          command: yarn install --frozen-lockfile
      - save_cache:
-          key: v1-node-dependencies-{{ checksum "yarn.lock" }}
+          key: v2-node-dependencies-{{ checksum "yarn.lock" }}
          paths:
            - ./node_modules/
      - *persist_to_workspace
@ -56,27 +60,28 @@ aliases:
        command: |
          sudo apt-get update
          sudo apt-get install -y libicu-dev libidn11-dev libprotobuf-dev protobuf-compiler
          ## TODO: FIX THESE BUSTER DEPENDANCES
          sudo wget http://ftp.au.debian.org/debian/pool/main/i/icu/libicu57_57.1-6+deb9u3_amd64.deb
          sudo dpkg -i libicu57_57.1-6+deb9u3_amd64.deb
          sudo wget http://ftp.au.debian.org/debian/pool/main/p/protobuf/libprotobuf10_3.0.0-9_amd64.deb
          sudo dpkg -i libprotobuf10_3.0.0-9_amd64.deb
  - &install_ruby_dependencies
      steps:
        - *attach_workspace
        - *install_system_dependencies
-        - run: ruby -e 'puts RUBY_VERSION' | tee /tmp/.ruby-version
+        - run:
            name: Set Ruby version
            command: ruby -e 'puts RUBY_VERSION' | tee /tmp/.ruby-version
        - *restore_ruby_dependencies
-        - run: bundle config set clean 'true'
+        - run:
-        - run: bundle config set deployment 'true'
+            name: Set bundler settings
-        - run: bundle config set with 'pam_authentication'
+            command: |
-        - run: bundle config set without 'development production'
+              bundle config clean 'true'
-        - run: bundle config set frozen 'true'
+              bundle config deployment 'true'
-        - run: bundle install --jobs 16 --retry 3 && bundle clean
+              bundle config with 'pam_authentication'
              bundle config without 'development production'
              bundle config frozen 'true'
        - run:
            name: Install bundler dependencies
            command: bundle check || (bundle install && bundle clean)
        - save_cache:
-            key: v2-ruby-dependencies-{{ checksum "/tmp/.ruby-version" }}-{{ checksum "Gemfile.lock" }}
+            key: v3-ruby-dependencies-{{ checksum "/tmp/.ruby-version" }}-{{ checksum "Gemfile.lock" }}
            paths:
              - ./.bundle/
              - ./vendor/bundle/
@ -87,17 +92,26 @@ aliases:
                - ./mastodon/vendor/bundle/
  - &test_steps
      parallelism: 4
      steps:
        - *attach_workspace
        - *install_system_dependencies
        - run: sudo apt-get install -y ffmpeg
        - run:
-            name: Prepare Tests
+            name: Install FFMPEG
-            command: ./bin/rails parallel:create parallel:load_schema parallel:prepare
+            command: sudo apt-get install -y ffmpeg
        - run:
-            name: Run Tests
+            name: Load database schema
-            command: ./bin/retry bundle exec parallel_test ./spec/ --group-by filesize --type rspec
+            command: ./bin/rails db:create db:schema:load db:seed
-
+        - run:
            name: Run rspec in parallel
            command: |
              bundle exec rspec --profile 10 \
                                --format RspecJunitFormatter \
                                --out test_results/rspec.xml \
                                --format progress \
                                $(circleci tests glob "spec/**/*_spec.rb" | circleci tests split --split-by=timings)
        - store_test_results:
            path: test_results
 jobs:
  install:
    <<: *defaults
@ -114,19 +128,14 @@ jobs:
        environment: *ruby_environment
    <<: *install_ruby_dependencies
  install-ruby2.5:
    <<: *defaults
    docker:
      - image: circleci/ruby:2.5-buster-node
        environment: *ruby_environment
    <<: *install_ruby_dependencies
  build:
    <<: *defaults
    steps:
      - *attach_workspace
      - *install_system_dependencies
-      - run: ./bin/rails assets:precompile
+      - run:
          name: Precompile assets
          command: ./bin/rails assets:precompile
      - persist_to_workspace:
          root: ~/projects/
          paths:
@ -138,28 +147,30 @@ jobs:
    docker:
      - image: circleci/ruby:2.7-buster-node
        environment: *ruby_environment
-      - image: circleci/postgres:10.6-alpine
+      - image: circleci/postgres:12.2
        environment:
          POSTGRES_USER: root
          POSTGRES_HOST_AUTH_METHOD: trust
      - image: circleci/redis:5-alpine
    steps:
      - *attach_workspace
      - *install_system_dependencies
      - run:
          name: Create database
-          command: ./bin/rails parallel:create
+          command: ./bin/rails db:create
      - run:
          name: Run migrations
-          command: ./bin/rails parallel:migrate
+          command: ./bin/rails db:migrate
  test-ruby2.7:
    <<: *defaults
    docker:
      - image: circleci/ruby:2.7-buster-node
        environment: *ruby_environment
-      - image: circleci/postgres:10.6-alpine
+      - image: circleci/postgres:12.2
        environment:
          POSTGRES_USER: root
          POSTGRES_HOST_AUTH_METHOD: trust
      - image: circleci/redis:5-alpine
    <<: *test_steps
@ -168,20 +179,10 @@ jobs:
    docker:
      - image: circleci/ruby:2.6-buster-node
        environment: *ruby_environment
-      - image: circleci/postgres:10.6-alpine
+      - image: circleci/postgres:12.2
        environment:
          POSTGRES_USER: root
      - image: circleci/redis:5-alpine
    <<: *test_steps
  test-ruby2.5:
    <<: *defaults
    docker:
      - image: circleci/ruby:2.5-buster-node
        environment: *ruby_environment
      - image: circleci/postgres:10.6-alpine
        environment:
          POSTGRES_USER: root
          POSTGRES_HOST_AUTH_METHOD: trust
      - image: circleci/redis:5-alpine
    <<: *test_steps
@ -191,17 +192,27 @@ jobs:
      - image: circleci/node:12-buster
    steps:
      - *attach_workspace
-      - run: ./bin/retry yarn test:jest
+      - run:
          name: Run jest
          command: yarn test:jest
  check-i18n:
    <<: *defaults
    steps:
      - *attach_workspace
      - *install_system_dependencies
-      - run: bundle exec i18n-tasks check-normalized
+      - run:
-      - run: bundle exec i18n-tasks unused -l en
+          name: Check locale file normalization
-      - run: bundle exec i18n-tasks check-consistent-interpolations
+          command: bundle exec i18n-tasks check-normalized
-      - run: bundle exec rake repo:check_locales_files
+      - run:
          name: Check for unused strings
          command: bundle exec i18n-tasks unused -l en
      - run:
          name: Check for wrong string interpolations
          command: bundle exec i18n-tasks check-consistent-interpolations
      - run:
          name: Check that all required locale files exist
          command: bundle exec rake repo:check_locales_files
 workflows:
  version: 2
@ -215,10 +226,6 @@ workflows:
          requires:
            - install
            - install-ruby2.7
      - install-ruby2.5:
          requires:
            - install
            - install-ruby2.7
      - build:
          requires:
            - install-ruby2.7
@ -233,10 +240,6 @@ workflows:
          requires:
            - install-ruby2.6
            - build
      - test-ruby2.5:
          requires:
            - install-ruby2.5
            - build
      - test-webui:
          requires:
            - install
--- a/.codeclimate.yml
+++ b/.codeclimate.yml
@ -30,7 +30,7 @@ plugins:
    channel: eslint-6
  rubocop:
    enabled: true
-    channel: rubocop-0-76
+    channel: rubocop-0-82
  sass-lint:
    enabled: true
 exclude_patterns:
--- a/.dependabot/config.yml
+++ b/.dependabot/config.yml
@ -4,7 +4,25 @@ update_configs:
  - package_manager: "ruby:bundler"
    directory: "/"
    update_schedule: "weekly"
    # Supported update schedule: live daily weekly monthly
    version_requirement_updates: "auto"
    # Supported version requirements: auto widen_ranges increase_versions increase_versions_if_necessary
    allowed_updates:
      - match:
          dependency_type: "all"
          # Supported dependency types: all indirect direct production development
          update_type: "all"
          # Supported update types: all security
  - package_manager: "javascript"
    directory: "/"
    update_schedule: "weekly"
    # Supported update schedule: live daily weekly monthly
    version_requirement_updates: "auto"
    # Supported version requirements: auto widen_ranges increase_versions increase_versions_if_necessary
    allowed_updates:
      - match:
          dependency_type: "all"
          # Supported dependency types: all indirect direct production development
          update_type: "all"
          # Supported update types: all security
--- a/.env.production.sample
+++ b/.env.production.sample
@ -33,7 +33,7 @@ LOCAL_DOMAIN=example.com
 # ALTERNATE_DOMAINS=example1.com,example2.com
 # Application secrets
-# Generate each with the `RAILS_ENV=production bundle exec rake secret` task (`docker-compose run --rm web rake secret` if you use docker compose)
+# Generate each with the `RAILS_ENV=production bundle exec rake secret` task (`docker-compose run --rm web bundle exec rake secret` if you use docker compose)
 SECRET_KEY_BASE=
 OTP_SECRET=
@ -42,7 +42,7 @@ OTP_SECRET=
 # You should only generate this once per instance. If you later decide to change it, all push subscription will
 # be invalidated, requiring the users to access the website again to resubscribe.
 #
-# Generate with `RAILS_ENV=production bundle exec rake mastodon:webpush:generate_vapid_key` task (`docker-compose run --rm web rake mastodon:webpush:generate_vapid_key` if you use docker compose)
+# Generate with `RAILS_ENV=production bundle exec rake mastodon:webpush:generate_vapid_key` task (`docker-compose run --rm web bundle exec rake mastodon:webpush:generate_vapid_key` if you use docker compose)
 #
 # For more information visit https://rossta.net/blog/using-the-web-push-api-with-vapid.html
 VAPID_PRIVATE_KEY=
--- a/.gitignore
+++ b/.gitignore
@ -58,7 +58,7 @@ yarn-error.log
 yarn-debug.log
 # Ignore vagrant log files
-ubuntu-xenial-16.04-cloudimg-console.log
+*-cloudimg-console.log
 # Ignore Docker option files
 docker-compose.override.yml
--- a/.rubocop.yml
+++ b/.rubocop.yml
@ -2,7 +2,7 @@ require:
  - rubocop-rails
 AllCops:
-  TargetRubyVersion: 2.3
+  TargetRubyVersion: 2.4
  Exclude:
  - 'spec/**/*'
  - 'db/**/*'
@ -46,7 +46,7 @@ Metrics/ClassLength:
 Metrics/CyclomaticComplexity:
  Max: 25
-Metrics/LineLength:
+Layout/LineLength:
  AllowURI: true
  Enabled: false
--- a/.ruby-version
+++ b/.ruby-version
@ -1 +1 @@
-2.6.5
+2.6.6
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -3,6 +3,153 @@ Changelog
 All notable changes to this project will be documented in this file.
 ## [v3.1.5] - 2020-07-07
 ### Security
 - Fix media attachment enumeration ([ThibG](https://github.com/tootsuite/mastodon/pull/14254))
 - Change rate limits for various paths ([Gargron](https://github.com/tootsuite/mastodon/pull/14253))
 - Fix other sessions not being logged out on password change ([Gargron](https://github.com/tootsuite/mastodon/pull/14252))
 ## [v3.1.4] - 2020-05-14
 ### Added
 - Add `vi` to available locales ([taicv](https://github.com/tootsuite/mastodon/pull/13542))
 - Add ability to remove identity proofs from account ([Gargron](https://github.com/tootsuite/mastodon/pull/13682))
 - Add ability to exclude local content from federated timeline ([noellabo](https://github.com/tootsuite/mastodon/pull/13504), [noellabo](https://github.com/tootsuite/mastodon/pull/13745))
  - Add `remote` param to `GET /api/v1/timelines/public` REST API
  - Add `public/remote` / `public:remote` variants to streaming API
  - "Remote only" option in federated timeline column settings in web UI
 - Add ability to exclude remote content from hashtag timelines in web UI ([noellabo](https://github.com/tootsuite/mastodon/pull/13502))
  - No changes to REST API
  - "Local only" option in hashtag column settings in web UI
 - Add Capistrano tasks that reload the services after deploying ([berkes](https://github.com/tootsuite/mastodon/pull/12642))
 - Add `invites_enabled` attribute to `GET /api/v1/instance` in REST API ([ThibG](https://github.com/tootsuite/mastodon/pull/13501))
 - Add `tootctl emoji export` command ([lfuelling](https://github.com/tootsuite/mastodon/pull/13534))
 - Add separate cache directory for non-local uploads ([Gargron](https://github.com/tootsuite/mastodon/pull/12821), [Hanage999](https://github.com/tootsuite/mastodon/pull/13593), [mayaeh](https://github.com/tootsuite/mastodon/pull/13551))
  - Add `tootctl upgrade storage-schema` command to move old non-local uploads to the cache directory
 - Add buttons to delete header and avatar from profile settings ([sternenseemann](https://github.com/tootsuite/mastodon/pull/13234))
 - Add emoji graphics and shortcodes from Twemoji 12.1.5 ([DeeUnderscore](https://github.com/tootsuite/mastodon/pull/13021))
 ### Changed
 - Change error message when trying to migrate to an account that does not have current account set as an alias to be more clear ([TheEvilSkeleton](https://github.com/tootsuite/mastodon/pull/13746))
 - Change delivery failure tracking to work with hostnames instead of URLs ([Gargron](https://github.com/tootsuite/mastodon/pull/13437), [noellabo](https://github.com/tootsuite/mastodon/pull/13481), [noellabo](https://github.com/tootsuite/mastodon/pull/13482), [noellabo](https://github.com/tootsuite/mastodon/pull/13535))
 - Change Content-Security-Policy to not need unsafe-inline style-src ([ThibG](https://github.com/tootsuite/mastodon/pull/13679), [ThibG](https://github.com/tootsuite/mastodon/pull/13692), [ThibG](https://github.com/tootsuite/mastodon/pull/13576), [ThibG](https://github.com/tootsuite/mastodon/pull/13575), [ThibG](https://github.com/tootsuite/mastodon/pull/13438))
 - Change how RSS items are titled and formatted ([ThibG](https://github.com/tootsuite/mastodon/pull/13592), [ykzts](https://github.com/tootsuite/mastodon/pull/13591))
 ### Fixed
 - Fix dropdown of muted and followed accounts offering option to hide boosts in web UI ([ThibG](https://github.com/tootsuite/mastodon/pull/13748))
 - Fix "You are already signed in" alert being shown at wrong times ([ThibG](https://github.com/tootsuite/mastodon/pull/13547))
 - Fix retrying of failed-to-download media files not actually working ([noellabo](https://github.com/tootsuite/mastodon/pull/13741))
 - Fix first poll option not being focused when adding a poll in web UI ([ThibG](https://github.com/tootsuite/mastodon/pull/13740))
 - Fix `sr` locale being selected over `sr-Latn` ([ThibG](https://github.com/tootsuite/mastodon/pull/13693))
 - Fix error within error when limiting backtrace to 3 lines ([Gargron](https://github.com/tootsuite/mastodon/pull/13120))
 - Fix `tootctl media remove-orphans` crashing on "Import" files ([ThibG](https://github.com/tootsuite/mastodon/pull/13685))
 - Fix regression in `tootctl media remove-orphans` ([Gargron](https://github.com/tootsuite/mastodon/pull/13405))
 - Fix old unique jobs digests not having been cleaned up ([Gargron](https://github.com/tootsuite/mastodon/pull/13683))
 - Fix own following/followers not showing muted users ([ThibG](https://github.com/tootsuite/mastodon/pull/13614))
 - Fix list of followed people ignoring sorting on Follows & Followers page  ([taras2358](https://github.com/tootsuite/mastodon/pull/13676))
 - Fix wrong pgHero Content-Security-Policy when `CDN_HOST` is set ([ThibG](https://github.com/tootsuite/mastodon/pull/13595))
 - Fix needlessly deduplicating usernames on collisions with remote accounts when signing-up through SAML/CAS ([kaiyou](https://github.com/tootsuite/mastodon/pull/13581))
 - Fix page incorrectly scrolling when bringing up dropdown menus in web UI ([ThibG](https://github.com/tootsuite/mastodon/pull/13574))
 - Fix messed up z-index when NoScript blocks media/previews in web UI ([ThibG](https://github.com/tootsuite/mastodon/pull/13449))
 - Fix "See what's happening" page showing public instead of local timeline for logged-in users ([ThibG](https://github.com/tootsuite/mastodon/pull/13499))
 - Fix not being able to resolve public resources in development environment ([Gargron](https://github.com/tootsuite/mastodon/pull/13505))
 - Fix uninformative error message when uploading unsupported image files ([ThibG](https://github.com/tootsuite/mastodon/pull/13540))
 - Fix expanded video player issues in web UI ([ThibG](https://github.com/tootsuite/mastodon/pull/13541), [eai04191](https://github.com/tootsuite/mastodon/pull/13533))
 - Fix and refactor keyboard navigation in dropdown menus in web UI ([ThibG](https://github.com/tootsuite/mastodon/pull/13528))
 - Fix uploaded image orientation being messed up in some browsers in web UI ([ThibG](https://github.com/tootsuite/mastodon/pull/13493))
 - Fix actions log crash when displaying updates of deleted announcements in admin UI ([ThibG](https://github.com/tootsuite/mastodon/pull/13489))
 - Fix search not working due to proxy settings when using hidden services ([Gargron](https://github.com/tootsuite/mastodon/pull/13488))
 - Fix poll refresh button not being debounced in web UI ([rasjonell](https://github.com/tootsuite/mastodon/pull/13485), [ThibG](https://github.com/tootsuite/mastodon/pull/13490))
 - Fix confusing error when failing to add an alias to an unknown account ([ThibG](https://github.com/tootsuite/mastodon/pull/13480))
 - Fix "Email changed" notification sometimes having wrong e-mail ([ThibG](https://github.com/tootsuite/mastodon/pull/13475))
 - Fix varioues issues on the account aliases page ([ThibG](https://github.com/tootsuite/mastodon/pull/13452))
 - Fix API footer link in web UI ([bubblineyuri](https://github.com/tootsuite/mastodon/pull/13441))
 - Fix pagination of following, followers, follow requests, blocks and mutes lists in web UI ([ThibG](https://github.com/tootsuite/mastodon/pull/13445))
 - Fix styling of polls in JS-less fallback on public pages ([ThibG](https://github.com/tootsuite/mastodon/pull/13436))
 - Fix trying to delete already deleted file when post-processing ([Gargron](https://github.com/tootsuite/mastodon/pull/13406))
 ### Security
 - Fix Doorkeeper vulnerability that exposed app secret to users who authorized the app and reset secret of the web UI that could have been exposed ([dependabot-preview[bot]](https://github.com/tootsuite/mastodon/pull/13613), [Gargron](https://github.com/tootsuite/mastodon/pull/13688))
  - For apps that self-register on behalf of every individual user (such as most mobile apps), this is a non-issue
  - The issue only affects developers of apps who are shared between multiple users, such as server-side apps like cross-posters
 ## [v3.1.3] - 2020-04-05
 ### Added
 - Add ability to filter audit log in admin UI ([Gargron](https://github.com/tootsuite/mastodon/pull/13381))
 - Add titles to warning presets in admin UI ([Gargron](https://github.com/tootsuite/mastodon/pull/13252))
 - Add option to include resolved DNS records when blacklisting e-mail domains in admin UI ([Gargron](https://github.com/tootsuite/mastodon/pull/13254))
 - Add ability to delete files uploaded for settings in admin UI ([ThibG](https://github.com/tootsuite/mastodon/pull/13192))
 - Add sorting by username, creation and last activity in admin UI ([ThibG](https://github.com/tootsuite/mastodon/pull/13076))
 - Add explanation as to why unlocked accounts may have follow requests in web UI ([ThibG](https://github.com/tootsuite/mastodon/pull/13385))
 - Add link to bookmarks to dropdown in web UI ([mayaeh](https://github.com/tootsuite/mastodon/pull/13273))
 - Add support for links to statuses in announcements to be opened in web UI ([ThibG](https://github.com/tootsuite/mastodon/pull/13212), [ThibG](https://github.com/tootsuite/mastodon/pull/13250))
 - Add tooltips to audio/video player buttons in web UI ([ariasuni](https://github.com/tootsuite/mastodon/pull/13203))
 - Add submit button to the top of preferences pages ([guigeekz](https://github.com/tootsuite/mastodon/pull/13068))
 - Add specific rate limits for posting, following and reporting ([Gargron](https://github.com/tootsuite/mastodon/pull/13172), [Gargron](https://github.com/tootsuite/mastodon/pull/13390))
  - 300 posts every 3 hours
  - 400 follows or follow requests every 24 hours
  - 400 reports every 24 hours
 - Add federation support for the "hide network" preference ([ThibG](https://github.com/tootsuite/mastodon/pull/11673))
 - Add `--skip-media-remove` option to `tootctl statuses remove` ([tateisu](https://github.com/tootsuite/mastodon/pull/13080))
 ### Changed
 - **Change design of polls in web UI** ([Sasha-Sorokin](https://github.com/tootsuite/mastodon/pull/13257), [ThibG](https://github.com/tootsuite/mastodon/pull/13313))
 - Change status click areas in web UI to be bigger ([ariasuni](https://github.com/tootsuite/mastodon/pull/13327))
 - **Change `tootctl media remove-orphans` to work for all classes** ([Gargron](https://github.com/tootsuite/mastodon/pull/13316))
 - **Change local media attachments to perform heavy processing asynchronously** ([Gargron](https://github.com/tootsuite/mastodon/pull/13210))
 - Change video uploads to always be converted to H264/MP4 ([Gargron](https://github.com/tootsuite/mastodon/pull/13220), [ThibG](https://github.com/tootsuite/mastodon/pull/13239), [ThibG](https://github.com/tootsuite/mastodon/pull/13242))
 - Change video uploads to enforce certain limits ([Gargron](https://github.com/tootsuite/mastodon/pull/13218))
  - Dimensions smaller than 1920x1200px
  - Frame rate at most 60fps
 - Change the tooltip "Toggle visibility" to "Hide media" in web UI ([ariasuni](https://github.com/tootsuite/mastodon/pull/13199))
 - Change description of privacy levels to be more intuitive in web UI ([ariasuni](https://github.com/tootsuite/mastodon/pull/13197))
 - Change GIF label to be displayed even when autoplay is enabled in web UI ([koyuawsmbrtn](https://github.com/tootsuite/mastodon/pull/13209))
 - Change the string "Hide everything from …" to "Block domain …" in web UI ([ThibG](https://github.com/tootsuite/mastodon/pull/13178), [mayaeh](https://github.com/tootsuite/mastodon/pull/13221))
 - Change wording of media display preferences to be more intuitive ([ariasuni](https://github.com/tootsuite/mastodon/pull/13198))
 ### Deprecated
 - `POST /api/v1/media` → `POST /api/v2/media` ([Gargron](https://github.com/tootsuite/mastodon/pull/13210))
 ### Fixed
 - Fix `tootctl media remove-orphans` ignoring `PAPERCLIP_ROOT_PATH` ([Gargron](https://github.com/tootsuite/mastodon/pull/13375))
 - Fix returning results when searching for URL with non-zero offset ([Gargron](https://github.com/tootsuite/mastodon/pull/13377))
 - Fix pinning a column in web UI sometimes redirecting out of web UI ([Gargron](https://github.com/tootsuite/mastodon/pull/13376))
 - Fix background jobs not using locks like they are supposed to ([Gargron](https://github.com/tootsuite/mastodon/pull/13361))
 - Fix content warning being unnecessarily cleared when hiding content warning input in web UI ([ThibG](https://github.com/tootsuite/mastodon/pull/13348))
 - Fix "Show more" not switching to "Show less" on public pages ([ThibG](https://github.com/tootsuite/mastodon/pull/13174))
 - Fix import overwrite option not being selectable ([noellabo](https://github.com/tootsuite/mastodon/pull/13347))
 - Fix wrong color for ellipsis in boost confirmation dialog in web UI ([ariasuni](https://github.com/tootsuite/mastodon/pull/13355))
 - Fix unnecessary unfollowing when importing follows with overwrite option ([noellabo](https://github.com/tootsuite/mastodon/pull/13350))
 - Fix 404 and 410 API errors being silently discarded in web UI ([ThibG](https://github.com/tootsuite/mastodon/pull/13279))
 - Fix OCR not working on Safari because of unsupported worker-src CSP ([ThibG](https://github.com/tootsuite/mastodon/pull/13323))
 - Fix media not being marked sensitive when a content warning is set with no text ([ThibG](https://github.com/tootsuite/mastodon/pull/13277))
 - Fix crash after deleting announcements in web UI ([codesections](https://github.com/tootsuite/mastodon/pull/13283), [ThibG](https://github.com/tootsuite/mastodon/pull/13312))
 - Fix bookmarks not being searchable ([Kjwon15](https://github.com/tootsuite/mastodon/pull/13271), [noellabo](https://github.com/tootsuite/mastodon/pull/13293))
 - Fix reported accounts not being whitelisted from further spam checks when resolving a spam check report ([ThibG](https://github.com/tootsuite/mastodon/pull/13289))
 - Fix web UI crash in single-column mode on prehistoric browsers ([ThibG](https://github.com/tootsuite/mastodon/pull/13267))
 - Fix some timeouts when searching for URLs ([ThibG](https://github.com/tootsuite/mastodon/pull/13253))
 - Fix detailed view of direct messages displaying a 0 boost count in web UI ([ThibG](https://github.com/tootsuite/mastodon/pull/13244))
 - Fix regression in “Edit media” modal in web UI ([ThibG](https://github.com/tootsuite/mastodon/pull/13243))
 - Fix public posts from silenced accounts not being changed to unlisted visibility ([ThibG](https://github.com/tootsuite/mastodon/pull/13096))
 - Fix error when searching for URLs that contain the mention syntax ([ThibG](https://github.com/tootsuite/mastodon/pull/13151))
 - Fix text area above/right of emoji picker being accidentally clickable in web UI ([ariasuni](https://github.com/tootsuite/mastodon/pull/13148))
 - Fix too large announcements not being scrollable in web UI ([ThibG](https://github.com/tootsuite/mastodon/pull/13211))
 - Fix `tootctl media remove-orphans` crashing when encountering invalid media ([ThibG](https://github.com/tootsuite/mastodon/pull/13170))
 - Fix installation failing when Redis password contains special characters ([ThibG](https://github.com/tootsuite/mastodon/pull/13156))
 - Fix announcements with fully-qualified mentions to local users crashing web UI ([ThibG](https://github.com/tootsuite/mastodon/pull/13164))
 ### Security
 - Fix re-sending of e-mail confirmation not being rate limited ([Gargron](https://github.com/tootsuite/mastodon/pull/13360))
 ## [v3.1.2] - 2020-02-27
 ### Added
--- a/6
+++ b/6
@ -4,7 +4,7 @@ FROM ubuntu:18.04 as build-dep
 SHELL ["bash", "-c"]
 # Install Node v12 (LTS)
-ENV NODE_VER="12.14.0"  
+ENV NODE_VER="12.16.1"
 RUN	ARCH= && \
    dpkgArch="$(dpkg --print-architecture)" && \
  case "${dpkgArch##*-}" in \
@ -38,8 +38,8 @@ RUN apt update && \
 	make -j$(nproc) > /dev/null && \
 	make install_bin install_include install_lib
-# Install ruby
+# Install Ruby
-ENV RUBY_VER="2.6.5"
+ENV RUBY_VER="2.6.6"
 ENV CPPFLAGS="-I/opt/jemalloc/include"
 ENV LDFLAGS="-L/opt/jemalloc/lib/"
 RUN apt update && \
--- a/53
+++ b/53
@ -1,12 +1,12 @@
 # frozen_string_literal: true
 source 'https://rubygems.org'
-ruby '>= 2.4.0', '< 3.0.0'
+ruby '>= 2.5.0', '< 3.0.0'
 gem 'pkg-config', '~> 1.4'
 gem 'puma', '~> 4.3'
-gem 'rails', '~> 5.2.4'
+gem 'rails', '~> 5.2.4.2'
 gem 'sprockets', '~> 3.7.2'
 gem 'thor', '~> 0.20'
 gem 'rack', '~> 2.2.2'
@ -20,7 +20,7 @@ gem 'makara', '~> 0.4'
 gem 'pghero', '~> 2.4'
 gem 'dotenv-rails', '~> 2.7'
-gem 'aws-sdk-s3', '~> 1.60', require: false
+gem 'aws-sdk-s3', '~> 1.64', require: false
 gem 'fog-core', '<= 2.1.0'
 gem 'fog-openstack', '~> 0.3', require: false
 gem 'paperclip', '~> 6.0'
@ -35,7 +35,7 @@ gem 'browser'
 gem 'charlock_holmes', '~> 0.7.7'
 gem 'iso-639'
 gem 'chewy', '~> 5.1'
-gem 'cld3', '~> 3.2.6'
+gem 'cld3', '~> 3.3.0'
 gem 'devise', '~> 4.7'
 gem 'devise-two-factor', '~> 3.1'
@ -48,8 +48,8 @@ gem 'omniauth-cas', '~> 1.1'
 gem 'omniauth-saml', '~> 1.10'
 gem 'omniauth', '~> 1.9'
-gem 'discard', '~> 1.1'
+gem 'discard', '~> 1.2'
-gem 'doorkeeper', '~> 5.2'
+gem 'doorkeeper', '~> 5.4'
 gem 'fast_blank', '~> 1.0'
 gem 'fastimage'
 gem 'goldfinger', '~> 2.1'
@ -57,25 +57,25 @@ gem 'hiredis', '~> 0.6'
 gem 'redis-namespace', '~> 1.7'
 gem 'health_check', git: 'https://github.com/ianheggie/health_check', ref: '0b799ead604f900ed50685e9b2d469cd2befba5b'
 gem 'htmlentities', '~> 4.3'
-gem 'http', '~> 4.3'
+gem 'http', '~> 4.4'
 gem 'http_accept_language', '~> 2.1'
 gem 'http_parser.rb', '~> 0.6', git: 'https://github.com/tmm1/http_parser.rb', ref: '54b17ba8c7d8d20a16dfc65d1775241833219cf2', submodules: true
 gem 'httplog', '~> 1.4.2'
 gem 'idn-ruby', require: 'idn'
-gem 'kaminari', '~> 1.1'
+gem 'kaminari', '~> 1.2'
 gem 'link_header', '~> 0.0'
 gem 'mime-types', '~> 3.3.1', require: 'mime/types/columnar'
 gem 'nilsimsa', git: 'https://github.com/witgo/nilsimsa', ref: 'fd184883048b922b176939f851338d0a4971a532'
 gem 'nokogiri', '~> 1.10'
 gem 'nsa', '~> 0.2'
 gem 'oj', '~> 3.10'
-gem 'ox', '~> 2.12'
+gem 'ox', '~> 2.13'
 gem 'parslet'
 gem 'parallel', '~> 1.19'
 gem 'posix-spawn', git: 'https://github.com/rtomayko/posix-spawn', ref: '58465d2e213991f8afb13b984854a49fcdcc980c'
 gem 'pundit', '~> 2.1'
 gem 'premailer-rails'
-gem 'rack-attack', '~> 6.2'
+gem 'rack-attack', '~> 6.3'
 gem 'rack-cors', '~> 1.1', require: 'rack/cors'
 gem 'rails-i18n', '~> 5.1'
 gem 'rails-settings-cached', '~> 0.6'
@ -84,7 +84,7 @@ gem 'mario-redis-lock', '~> 1.2', require: 'redis_lock'
 gem 'rqrcode', '~> 1.1'
 gem 'ruby-progressbar', '~> 1.10'
 gem 'sanitize', '~> 5.1'
-gem 'sidekiq', '~> 5.2'
+gem 'sidekiq', '~> 6.0'
 gem 'sidekiq-scheduler', '~> 3.0'
 gem 'sidekiq-unique-jobs', '~> 6.0'
 gem 'sidekiq-bulk', '~>0.2.0'
@ -92,12 +92,12 @@ gem 'simple-navigation', '~> 4.1'
 gem 'simple_form', '~> 5.0'
 gem 'sprockets-rails', '~> 3.2', require: 'sprockets/railtie'
 gem 'stoplight', '~> 2.2.0'
-gem 'strong_migrations', '~> 0.5'
+gem 'strong_migrations', '~> 0.6'
 gem 'tty-command', '~> 0.9', require: false
-gem 'tty-prompt', '~> 0.20', require: false
+gem 'tty-prompt', '~> 0.21', require: false
 gem 'twitter-text', '~> 1.14'
-gem 'tzinfo-data', '~> 1.2019'
+gem 'tzinfo-data', '~> 1.2020'
-gem 'webpacker', '~> 4.2'
+gem 'webpacker', '~> 5.1'
 gem 'webpush'
 gem 'json-ld'
@ -108,9 +108,9 @@ group :development, :test do
  gem 'fabrication', '~> 2.21'
  gem 'fuubar', '~> 2.5'
  gem 'i18n-tasks', '~> 0.9', require: false
-  gem 'pry-byebug', '~> 3.8'
+  gem 'pry-byebug', '~> 3.9'
  gem 'pry-rails', '~> 0.3'
-  gem 'rspec-rails', '~> 3.9'
+  gem 'rspec-rails', '~> 4.0'
 end
 group :production, :test do
@ -118,32 +118,33 @@ group :production, :test do
 end
 group :test do
-  gem 'capybara', '~> 3.31'
+  gem 'capybara', '~> 3.32'
  gem 'climate_control', '~> 0.2'
-  gem 'faker', '~> 2.10'
+  gem 'faker', '~> 2.11'
  gem 'microformats', '~> 4.2'
  gem 'rails-controller-testing', '~> 1.0'
  gem 'rspec-sidekiq', '~> 3.0'
  gem 'simplecov', '~> 0.18', require: false
  gem 'webmock', '~> 3.8'
-  gem 'parallel_tests', '~> 2.30'
+  gem 'parallel_tests', '~> 2.32'
  gem 'rspec_junit_formatter', '~> 0.4'
 end
 group :development do
  gem 'active_record_query_trace', '~> 1.7'
-  gem 'annotate', '~> 3.0'
+  gem 'annotate', '~> 3.1'
-  gem 'better_errors', '~> 2.5'
+  gem 'better_errors', '~> 2.7'
  gem 'binding_of_caller', '~> 0.7'
  gem 'bullet', '~> 6.1'
  gem 'letter_opener', '~> 1.7'
  gem 'letter_opener_web', '~> 1.4'
  gem 'memory_profiler'
-  gem 'rubocop', '~> 0.79', require: false
+  gem 'rubocop', '~> 0.82', require: false
-  gem 'rubocop-rails', '~> 2.4', require: false
+  gem 'rubocop-rails', '~> 2.5', require: false
-  gem 'brakeman', '~> 4.7', require: false
+  gem 'brakeman', '~> 4.8', require: false
  gem 'bundler-audit', '~> 0.6', require: false
-  gem 'capistrano', '~> 3.11'
+  gem 'capistrano', '~> 3.14'
  gem 'capistrano-rails', '~> 1.4'
  gem 'capistrano-rbenv', '~> 2.1'
  gem 'capistrano-yarn', '~> 2.0'
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -31,25 +31,25 @@ GIT
 GEM
  remote: https://rubygems.org/
  specs:
-    actioncable (5.2.4.1)
+    actioncable (5.2.4.2)
-      actionpack (= 5.2.4.1)
+      actionpack (= 5.2.4.2)
      nio4r (~> 2.0)
      websocket-driver (>= 0.6.1)
-    actionmailer (5.2.4.1)
+    actionmailer (5.2.4.2)
-      actionpack (= 5.2.4.1)
+      actionpack (= 5.2.4.2)
-      actionview (= 5.2.4.1)
+      actionview (= 5.2.4.2)
-      activejob (= 5.2.4.1)
+      activejob (= 5.2.4.2)
      mail (~> 2.5, >= 2.5.4)
      rails-dom-testing (~> 2.0)
-    actionpack (5.2.4.1)
+    actionpack (5.2.4.2)
-      actionview (= 5.2.4.1)
+      actionview (= 5.2.4.2)
-      activesupport (= 5.2.4.1)
+      activesupport (= 5.2.4.2)
      rack (~> 2.0, >= 2.0.8)
      rack-test (>= 0.6.3)
      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (5.2.4.1)
+    actionview (5.2.4.2)
-      activesupport (= 5.2.4.1)
+      activesupport (= 5.2.4.2)
      builder (~> 3.1)
      erubi (~> 1.4)
      rails-dom-testing (~> 2.0)
@ -60,20 +60,20 @@ GEM
      case_transform (>= 0.2)
      jsonapi-renderer (>= 0.1.1.beta1, < 0.3)
    active_record_query_trace (1.7)
-    activejob (5.2.4.1)
+    activejob (5.2.4.2)
-      activesupport (= 5.2.4.1)
+      activesupport (= 5.2.4.2)
      globalid (>= 0.3.6)
-    activemodel (5.2.4.1)
+    activemodel (5.2.4.2)
-      activesupport (= 5.2.4.1)
+      activesupport (= 5.2.4.2)
-    activerecord (5.2.4.1)
+    activerecord (5.2.4.2)
-      activemodel (= 5.2.4.1)
+      activemodel (= 5.2.4.2)
-      activesupport (= 5.2.4.1)
+      activesupport (= 5.2.4.2)
      arel (>= 9.0)
-    activestorage (5.2.4.1)
+    activestorage (5.2.4.2)
-      actionpack (= 5.2.4.1)
+      actionpack (= 5.2.4.2)
-      activerecord (= 5.2.4.1)
+      activerecord (= 5.2.4.2)
      marcel (~> 0.3.1)
-    activesupport (5.2.4.1)
+    activesupport (5.2.4.2)
      concurrent-ruby (~> 1.0, >= 1.0.2)
      i18n (>= 0.7, < 2)
      minitest (~> 5.1)
@ -82,7 +82,7 @@ GEM
      public_suffix (>= 2.0.2, < 5.0)
    airbrussh (1.4.0)
      sshkit (>= 1.6.1, != 1.7.0)
-    annotate (3.0.3)
+    annotate (3.1.1)
      activerecord (>= 3.2, < 7.0)
      rake (>= 10.4, < 14.0)
    arel (9.0.0)
@ -91,24 +91,24 @@ GEM
      encryptor (~> 3.0.0)
    av (0.9.0)
      cocaine (~> 0.5.3)
-    aws-eventstream (1.0.3)
+    aws-eventstream (1.1.0)
-    aws-partitions (1.261.0)
+    aws-partitions (1.312.0)
-    aws-sdk-core (3.86.0)
+    aws-sdk-core (3.95.0)
-      aws-eventstream (~> 1.0, >= 1.0.2)
+      aws-eventstream (~> 1, >= 1.0.2)
      aws-partitions (~> 1, >= 1.239.0)
      aws-sigv4 (~> 1.1)
      jmespath (~> 1.0)
-    aws-sdk-kms (1.27.0)
+    aws-sdk-kms (1.31.0)
      aws-sdk-core (~> 3, >= 3.71.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.60.1)
+    aws-sdk-s3 (1.64.0)
      aws-sdk-core (~> 3, >= 3.83.0)
      aws-sdk-kms (~> 1)
      aws-sigv4 (~> 1.1)
-    aws-sigv4 (1.1.0)
+    aws-sigv4 (1.1.3)
      aws-eventstream (~> 1.0, >= 1.0.2)
-    bcrypt (3.1.12)
+    bcrypt (3.1.13)
-    better_errors (2.5.1)
+    better_errors (2.7.0)
      coderay (>= 1.0.0)
      erubi (>= 1.0.0)
      rack (>= 0.9.0)
@ -116,10 +116,10 @@ GEM
      debug_inspector (>= 0.0.1)
    blurhash (0.1.4)
      ffi (~> 1.10.0)
-    bootsnap (1.4.5)
+    bootsnap (1.4.6)
      msgpack (~> 1.0)
-    brakeman (4.7.2)
+    brakeman (4.8.1)
-    browser (3.0.3)
+    browser (4.1.0)
    builder (3.2.4)
    bullet (6.1.0)
      activesupport (>= 3.0.0)
@ -127,15 +127,14 @@ GEM
    bundler-audit (0.6.1)
      bundler (>= 1.2.0, < 3)
      thor (~> 0.18)
-    byebug (11.1.1)
+    byebug (11.1.3)
-    capistrano (3.11.2)
+    capistrano (3.14.0)
      airbrussh (>= 1.0.0)
      i18n
      rake (>= 10.0.0)
      sshkit (>= 1.9.0)
-    capistrano-bundler (1.3.0)
+    capistrano-bundler (1.6.0)
      capistrano (~> 3.1)
      sshkit (~> 1.2)
    capistrano-rails (1.4.0)
      capistrano (~> 3.1)
      capistrano-bundler (~> 1.1)
@ -144,7 +143,7 @@ GEM
      sshkit (~> 1.3)
    capistrano-yarn (2.0.2)
      capistrano (~> 3.0)
-    capybara (3.31.0)
+    capybara (3.32.1)
      addressable
      mini_mime (>= 0.1.3)
      nokogiri (~> 1.8)
@ -160,13 +159,13 @@ GEM
      elasticsearch (>= 2.0.0)
      elasticsearch-dsl
    chunky_png (1.3.11)
-    cld3 (3.2.6)
+    cld3 (3.3.0)
      ffi (>= 1.1.0, < 1.12.0)
    climate_control (0.2.0)
    cocaine (0.5.8)
      climate_control (>= 0.0.3, < 1.0)
    coderay (1.1.2)
-    concurrent-ruby (1.1.5)
+    concurrent-ruby (1.1.6)
    connection_pool (2.2.2)
    crack (0.4.3)
      safe_yaml (~> 1.0.0)
@ -190,37 +189,37 @@ GEM
      devise (>= 4.0.0)
      rpam2 (~> 4.0)
    diff-lcs (1.3)
-    discard (1.1.0)
+    discard (1.2.0)
      activerecord (>= 4.2, < 7)
    docile (1.3.2)
    domain_name (0.5.20190701)
      unf (>= 0.0.5, < 1.0.0)
-    doorkeeper (5.2.3)
+    doorkeeper (5.4.0)
      railties (>= 5)
    dotenv (2.7.5)
    dotenv-rails (2.7.5)
      dotenv (= 2.7.5)
      railties (>= 3.2, < 6.1)
    e2mmap (0.1.0)
-    elasticsearch (7.3.0)
+    elasticsearch (7.6.0)
-      elasticsearch-api (= 7.3.0)
+      elasticsearch-api (= 7.6.0)
-      elasticsearch-transport (= 7.3.0)
+      elasticsearch-transport (= 7.6.0)
-    elasticsearch-api (7.3.0)
+    elasticsearch-api (7.6.0)
      multi_json
-    elasticsearch-dsl (0.1.8)
+    elasticsearch-dsl (0.1.9)
-    elasticsearch-transport (7.3.0)
+    elasticsearch-transport (7.6.0)
-      faraday
+      faraday (~> 1)
      multi_json
    encryptor (3.0.0)
    equatable (0.6.1)
    erubi (1.9.0)
-    et-orbi (1.1.6)
+    et-orbi (1.2.4)
      tzinfo
-    excon (0.71.0)
+    excon (0.73.0)
-    fabrication (2.21.0)
+    fabrication (2.21.1)
-    faker (2.10.1)
+    faker (2.11.0)
      i18n (>= 1.6, < 2)
-    faraday (1.0.0)
+    faraday (1.0.1)
      multipart-post (>= 1.2, < 3)
    fast_blank (1.0.0)
    fastimage (2.1.7)
@ -241,8 +240,8 @@ GEM
      fog-json (>= 1.0)
      ipaddress (>= 0.8)
    formatador (0.2.5)
-    fugit (1.1.6)
+    fugit (1.3.5)
-      et-orbi (~> 1.1, >= 1.1.6)
+      et-orbi (~> 1.1, >= 1.1.8)
      raabro (~> 1.1)
    fuubar (2.5.0)
      rspec-core (~> 3.0)
@ -265,20 +264,20 @@ GEM
      railties (>= 4.0.1)
    hamster (3.0.0)
      concurrent-ruby (~> 1.0)
-    hashdiff (1.0.0)
+    hashdiff (1.0.1)
-    hashie (3.6.0)
+    hashie (4.1.0)
    highline (2.0.3)
    hiredis (0.6.3)
    hkdf (0.3.0)
    htmlentities (4.3.4)
-    http (4.3.0)
+    http (4.4.1)
      addressable (~> 2.3)
      http-cookie (~> 1.0)
      http-form_data (~> 2.2)
      http-parser (~> 1.2.0)
    http-cookie (1.0.3)
      domain_name (~> 0.5)
-    http-form_data (2.2.0)
+    http-form_data (2.3.0)
    http-parser (1.2.1)
      ffi-compiler (>= 1.0, < 2.0)
    http_accept_language (2.1.1)
@ -287,7 +286,7 @@ GEM
      rainbow (>= 2.0.0)
    i18n (1.8.2)
      concurrent-ruby (~> 1.0)
-    i18n-tasks (0.9.30)
+    i18n-tasks (0.9.31)
      activesupport (>= 4.0.2)
      ast (>= 2.1.0)
      erubi
@ -299,37 +298,37 @@ GEM
      terminal-table (>= 1.5.1)
    idn-ruby (0.1.0)
    ipaddress (0.8.3)
-    iso-639 (0.2.8)
+    iso-639 (0.3.5)
    jaro_winkler (1.5.4)
    jmespath (1.4.0)
    json (2.3.0)
    json-canonicalization (0.2.0)
-    json-ld (3.1.0)
+    json-ld (3.1.4)
      htmlentities (~> 4.3)
-      json-canonicalization (~> 0.1)
+      json-canonicalization (~> 0.2)
      link_header (~> 0.0, >= 0.0.8)
      multi_json (~> 1.14)
      rack (~> 2.0)
      rdf (~> 3.1)
-    json-ld-preloaded (3.1.0)
+    json-ld-preloaded (3.1.2)
      json-ld (~> 3.1)
      rdf (~> 3.1)
    jsonapi-renderer (0.2.2)
-    jwt (2.1.0)
+    jwt (2.2.1)
-    kaminari (1.1.1)
+    kaminari (1.2.0)
      activesupport (>= 4.1.0)
-      kaminari-actionview (= 1.1.1)
+      kaminari-actionview (= 1.2.0)
-      kaminari-activerecord (= 1.1.1)
+      kaminari-activerecord (= 1.2.0)
-      kaminari-core (= 1.1.1)
+      kaminari-core (= 1.2.0)
-    kaminari-actionview (1.1.1)
+    kaminari-actionview (1.2.0)
      actionview
-      kaminari-core (= 1.1.1)
+      kaminari-core (= 1.2.0)
-    kaminari-activerecord (1.1.1)
+    kaminari-activerecord (1.2.0)
      activerecord
-      kaminari-core (= 1.1.1)
+      kaminari-core (= 1.2.0)
-    kaminari-core (1.1.1)
+    kaminari-core (1.2.0)
-    launchy (2.4.3)
+    launchy (2.5.0)
-      addressable (~> 2.3)
+      addressable (~> 2.7)
    letter_opener (1.7.0)
      launchy (~> 2.2)
    letter_opener_web (1.4.0)
@ -342,7 +341,7 @@ GEM
      activesupport (>= 4)
      railties (>= 4)
      request_store (~> 1.0)
-    loofah (2.4.0)
+    loofah (2.5.0)
      crass (~> 1.0.2)
      nokogiri (>= 1.5.9)
    mail (2.7.1)
@ -354,38 +353,38 @@ GEM
    mario-redis-lock (1.2.1)
      redis (>= 3.0.5)
    memory_profiler (0.9.14)
-    method_source (0.9.2)
+    method_source (1.0.0)
    microformats (4.2.0)
      json (~> 2.2)
      nokogiri (~> 1.10)
    mime-types (3.3.1)
      mime-types-data (~> 3.2015)
-    mime-types-data (3.2019.1009)
+    mime-types-data (3.2020.0425)
-    mimemagic (0.3.3)
+    mimemagic (0.3.5)
    mini_mime (1.0.2)
    mini_portile2 (2.4.0)
    minitest (5.14.0)
-    msgpack (1.3.1)
+    msgpack (1.3.3)
    multi_json (1.14.1)
    multipart-post (2.1.1)
    necromancer (0.5.1)
    net-ldap (0.16.2)
-    net-scp (2.0.0)
+    net-scp (3.0.0)
-      net-ssh (>= 2.6.5, < 6.0.0)
+      net-ssh (>= 2.6.5, < 7.0.0)
-    net-ssh (5.2.0)
+    net-ssh (6.0.2)
    nio4r (2.5.2)
-    nokogiri (1.10.8)
+    nokogiri (1.10.9)
      mini_portile2 (~> 2.4.0)
-    nokogumbo (2.0.1)
+    nokogumbo (2.0.2)
      nokogiri (~> 1.8, >= 1.8.4)
    nsa (0.2.7)
      activesupport (>= 4.2, < 6)
      concurrent-ruby (~> 1.0, >= 1.0.2)
      sidekiq (>= 3.5)
      statsd-ruby (~> 1.4, >= 1.4.0)
-    oj (3.10.1)
+    oj (3.10.6)
-    omniauth (1.9.0)
+    omniauth (1.9.1)
-      hashie (>= 3.4.6, < 3.7.0)
+      hashie (>= 3.4.6)
      rack (>= 1.6.2, < 3)
    omniauth-cas (1.1.1)
      addressable (~> 2.3)
@ -395,7 +394,7 @@ GEM
      omniauth (~> 1.3, >= 1.3.2)
      ruby-saml (~> 1.7)
    orm_adapter (0.5.0)
-    ox (2.12.1)
+    ox (2.13.2)
    paperclip (6.0.0)
      activemodel (>= 4.2.0)
      activesupport (>= 4.2.0)
@ -406,63 +405,63 @@ GEM
      av (~> 0.9.0)
      paperclip (>= 2.5.2)
    parallel (1.19.1)
-    parallel_tests (2.30.1)
+    parallel_tests (2.32.0)
      parallel
-    parser (2.7.0.2)
+    parser (2.7.1.2)
      ast (~> 2.4.0)
-    parslet (1.8.2)
+    parslet (2.0.0)
-    pastel (0.7.3)
+    pastel (0.7.4)
      equatable (~> 0.6)
      tty-color (~> 0.5)
-    pg (1.2.2)
+    pg (1.2.3)
-    pghero (2.4.1)
+    pghero (2.4.2)
      activerecord (>= 5)
    pkg-config (1.4.1)
    premailer (1.11.1)
      addressable
      css_parser (>= 1.6.0)
      htmlentities (>= 4.0.0)
-    premailer-rails (1.10.3)
+    premailer-rails (1.11.1)
      actionmailer (>= 3)
      premailer (~> 1.7, >= 1.7.9)
    private_address_check (0.5.0)
-    pry (0.12.2)
+    pry (0.13.1)
-      coderay (~> 1.1.0)
+      coderay (~> 1.1)
-      method_source (~> 0.9.0)
+      method_source (~> 1.0)
-    pry-byebug (3.8.0)
+    pry-byebug (3.9.0)
      byebug (~> 11.0)
-      pry (~> 0.10)
+      pry (~> 0.13.0)
    pry-rails (0.3.9)
      pry (>= 0.10.4)
-    public_suffix (4.0.3)
+    public_suffix (4.0.5)
-    puma (4.3.1)
+    puma (4.3.3)
      nio4r (~> 2.0)
    pundit (2.1.0)
      activesupport (>= 3.0.0)
-    raabro (1.1.6)
+    raabro (1.3.1)
    rack (2.2.2)
-    rack-attack (6.2.2)
+    rack-attack (6.3.0)
      rack (>= 1.0, < 3)
    rack-cors (1.1.1)
      rack (>= 2.0.0)
-    rack-protection (2.0.7)
+    rack-protection (2.0.8.1)
      rack
    rack-proxy (0.6.5)
      rack
    rack-test (1.1.0)
      rack (>= 1.0, < 3)
-    rails (5.2.4.1)
+    rails (5.2.4.2)
-      actioncable (= 5.2.4.1)
+      actioncable (= 5.2.4.2)
-      actionmailer (= 5.2.4.1)
+      actionmailer (= 5.2.4.2)
-      actionpack (= 5.2.4.1)
+      actionpack (= 5.2.4.2)
-      actionview (= 5.2.4.1)
+      actionview (= 5.2.4.2)
-      activejob (= 5.2.4.1)
+      activejob (= 5.2.4.2)
-      activemodel (= 5.2.4.1)
+      activemodel (= 5.2.4.2)
-      activerecord (= 5.2.4.1)
+      activerecord (= 5.2.4.2)
-      activestorage (= 5.2.4.1)
+      activestorage (= 5.2.4.2)
-      activesupport (= 5.2.4.1)
+      activesupport (= 5.2.4.2)
      bundler (>= 1.3.0)
-      railties (= 5.2.4.1)
+      railties (= 5.2.4.2)
      sprockets-rails (>= 2.0.0)
    rails-controller-testing (1.0.4)
      actionpack (>= 5.0.1.x)
@ -478,9 +477,9 @@ GEM
      railties (>= 5.0, < 6)
    rails-settings-cached (0.6.6)
      rails (>= 4.2.0)
-    railties (5.2.4.1)
+    railties (5.2.4.2)
-      actionpack (= 5.2.4.1)
+      actionpack (= 5.2.4.2)
-      activesupport (= 5.2.4.1)
+      activesupport (= 5.2.4.2)
      method_source
      rake (>= 0.8.7)
      thor (>= 0.19.0, < 2.0)
@ -491,102 +490,110 @@ GEM
      link_header (~> 0.0, >= 0.0.8)
    rdf-normalize (0.4.0)
      rdf (~> 3.1)
-    redis (4.1.3)
+    redis (4.1.4)
-    redis-actionpack (5.0.2)
+    redis-actionpack (5.2.0)
-      actionpack (>= 4.0, < 6)
+      actionpack (>= 5, < 7)
-      redis-rack (>= 1, < 3)
+      redis-rack (>= 2.1.0, < 3)
      redis-store (>= 1.1.0, < 2)
-    redis-activesupport (5.0.4)
+    redis-activesupport (5.2.0)
-      activesupport (>= 3, < 6)
+      activesupport (>= 3, < 7)
      redis-store (>= 1.3, < 2)
    redis-namespace (1.7.0)
      redis (>= 3.0.4)
-    redis-rack (2.0.4)
+    redis-rack (2.1.2)
-      rack (>= 1.5, < 3)
+      rack (>= 2.0.8, < 3)
      redis-store (>= 1.2, < 2)
    redis-rails (5.0.2)
      redis-actionpack (>= 5.0, < 6)
      redis-activesupport (>= 5.0, < 6)
      redis-store (>= 1.2, < 2)
-    redis-store (1.5.0)
+    redis-store (1.8.2)
-      redis (>= 2.2, < 5)
+      redis (>= 4, < 5)
-    regexp_parser (1.6.0)
+    regexp_parser (1.7.0)
    request_store (1.5.0)
      rack (>= 1.4)
    responders (3.0.0)
      actionpack (>= 5.0)
      railties (>= 5.0)
    rexml (3.2.4)
    rotp (2.1.2)
    rpam2 (4.0.2)
    rqrcode (1.1.2)
      chunky_png (~> 1.0)
      rqrcode_core (~> 0.1)
-    rqrcode_core (0.1.1)
+    rqrcode_core (0.1.2)
-    rspec-core (3.9.0)
+    rspec-core (3.9.2)
-      rspec-support (~> 3.9.0)
+      rspec-support (~> 3.9.3)
-    rspec-expectations (3.9.0)
+    rspec-expectations (3.9.2)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.9.0)
-    rspec-mocks (3.9.0)
+    rspec-mocks (3.9.1)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.9.0)
-    rspec-rails (3.9.0)
+    rspec-rails (4.0.0)
-      actionpack (>= 3.0)
+      actionpack (>= 4.2)
-      activesupport (>= 3.0)
+      activesupport (>= 4.2)
-      railties (>= 3.0)
+      railties (>= 4.2)
-      rspec-core (~> 3.9.0)
+      rspec-core (~> 3.9)
-      rspec-expectations (~> 3.9.0)
+      rspec-expectations (~> 3.9)
-      rspec-mocks (~> 3.9.0)
+      rspec-mocks (~> 3.9)
-      rspec-support (~> 3.9.0)
+      rspec-support (~> 3.9)
    rspec-sidekiq (3.0.3)
      rspec-core (~> 3.0, >= 3.0.0)
      sidekiq (>= 2.4.0)
-    rspec-support (3.9.0)
+    rspec-support (3.9.3)
-    rubocop (0.79.0)
+    rspec_junit_formatter (0.4.1)
      rspec-core (>= 2, < 4, != 2.12.0)
    rubocop (0.82.0)
      jaro_winkler (~> 1.5.1)
      parallel (~> 1.10)
      parser (>= 2.7.0.1)
      rainbow (>= 2.2.2, < 4.0)
      rexml
      ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 1.4.0, < 1.7)
+      unicode-display_width (>= 1.4.0, < 2.0)
-    rubocop-rails (2.4.2)
+    rubocop-rails (2.5.2)
      activesupport
      rack (>= 1.1)
      rubocop (>= 0.72.0)
    ruby-progressbar (1.10.1)
-    ruby-saml (1.9.0)
+    ruby-saml (1.11.0)
      nokogiri (>= 1.5.10)
-    rufus-scheduler (3.5.2)
+    rufus-scheduler (3.6.0)
-      fugit (~> 1.1, >= 1.1.5)
+      fugit (~> 1.1, >= 1.1.6)
    safe_yaml (1.0.5)
    sanitize (5.1.0)
      crass (~> 1.0.2)
      nokogiri (>= 1.8.0)
      nokogumbo (~> 2.0)
-    sidekiq (5.2.7)
+    semantic_range (2.3.0)
-      connection_pool (~> 2.2, >= 2.2.2)
+    sidekiq (6.0.7)
-      rack (>= 1.5.0)
+      connection_pool (>= 2.2.2)
-      rack-protection (>= 1.5.0)
+      rack (~> 2.0)
-      redis (>= 3.3.5, < 5)
+      rack-protection (>= 2.0.0)
      redis (>= 4.1.0)
    sidekiq-bulk (0.2.0)
      sidekiq
-    sidekiq-scheduler (3.0.0)
+    sidekiq-scheduler (3.0.1)
      e2mmap
      redis (>= 3, < 5)
      rufus-scheduler (~> 3.2)
      sidekiq (>= 3)
      thwait
      tilt (>= 1.4.0)
-    sidekiq-unique-jobs (6.0.18)
+    sidekiq-unique-jobs (6.0.21)
      concurrent-ruby (~> 1.0, >= 1.0.5)
      sidekiq (>= 4.0, < 7.0)
      thor (~> 0)
    simple-navigation (4.1.0)
      activesupport (>= 2.3.2)
-    simple_form (5.0.1)
+    simple_form (5.0.2)
      actionpack (>= 5.0)
      activemodel (>= 5.0)
-    simplecov (0.18.2)
+    simplecov (0.18.5)
      docile (~> 1.1)
      simplecov-html (~> 0.11)
-    simplecov-html (0.12.0)
+    simplecov-html (0.12.2)
    sprockets (3.7.2)
      concurrent-ruby (~> 1.0)
      rack (> 1, < 3)
@ -594,7 +601,7 @@ GEM
      actionpack (>= 4.0)
      activesupport (>= 4.0)
      sprockets (>= 3.0.0)
-    sshkit (1.20.0)
+    sshkit (1.21.0)
      net-scp (>= 1.1.2)
      net-ssh (>= 2.8.0)
    stackprof (0.2.15)
@ -602,7 +609,7 @@ GEM
    stoplight (2.2.0)
    streamio-ffmpeg (3.0.2)
      multi_json (~> 1.8)
-    strong_migrations (0.5.1)
+    strong_migrations (0.6.6)
      activerecord (>= 5)
    temple (0.8.2)
    terminal-table (1.8.0)
@ -613,11 +620,11 @@ GEM
    thread_safe (0.3.6)
    thwait (0.1.0)
    tilt (2.0.10)
-    tty-color (0.5.0)
+    tty-color (0.5.1)
    tty-command (0.9.0)
      pastel (~> 0.7.0)
-    tty-cursor (0.7.0)
+    tty-cursor (0.7.1)
-    tty-prompt (0.20.0)
+    tty-prompt (0.21.0)
      necromancer (~> 0.5.0)
      pastel (~> 0.7.0)
      tty-reader (~> 0.7.0)
@ -625,28 +632,29 @@ GEM
      tty-cursor (~> 0.7)
      tty-screen (~> 0.7)
      wisper (~> 2.0.0)
-    tty-screen (0.7.0)
+    tty-screen (0.7.1)
    twitter-text (1.14.7)
      unf (~> 0.1.0)
-    tzinfo (1.2.6)
+    tzinfo (1.2.7)
      thread_safe (~> 0.1)
-    tzinfo-data (1.2019.3)
+    tzinfo-data (1.2020.1)
      tzinfo (>= 1.0.0)
    unf (0.1.4)
      unf_ext
-    unf_ext (0.0.7.6)
+    unf_ext (0.0.7.7)
-    unicode-display_width (1.6.1)
+    unicode-display_width (1.7.0)
    uniform_notifier (1.13.0)
    warden (1.2.8)
      rack (>= 2.0.6)
-    webmock (3.8.0)
+    webmock (3.8.3)
      addressable (>= 2.3.6)
      crack (>= 0.3.2)
      hashdiff (>= 0.4.0, < 2.0.0)
-    webpacker (4.2.2)
+    webpacker (5.1.1)
-      activesupport (>= 4.2)
+      activesupport (>= 5.2)
      rack-proxy (>= 0.6.1)
-      railties (>= 4.2)
+      railties (>= 5.2)
      semantic_range (>= 2.3.0)
    webpush (0.3.8)
      hkdf (~> 0.2)
      jwt (~> 2.0)
@ -664,36 +672,36 @@ DEPENDENCIES
  active_model_serializers (~> 0.10)
  active_record_query_trace (~> 1.7)
  addressable (~> 2.7)
-  annotate (~> 3.0)
+  annotate (~> 3.1)
-  aws-sdk-s3 (~> 1.60)
+  aws-sdk-s3 (~> 1.64)
-  better_errors (~> 2.5)
+  better_errors (~> 2.7)
  binding_of_caller (~> 0.7)
  blurhash (~> 0.1)
  bootsnap (~> 1.4)
-  brakeman (~> 4.7)
+  brakeman (~> 4.8)
  browser
  bullet (~> 6.1)
  bundler-audit (~> 0.6)
-  capistrano (~> 3.11)
+  capistrano (~> 3.14)
  capistrano-rails (~> 1.4)
  capistrano-rbenv (~> 2.1)
  capistrano-yarn (~> 2.0)
-  capybara (~> 3.31)
+  capybara (~> 3.32)
  charlock_holmes (~> 0.7.7)
  chewy (~> 5.1)
-  cld3 (~> 3.2.6)
+  cld3 (~> 3.3.0)
  climate_control (~> 0.2)
  concurrent-ruby
  connection_pool
  devise (~> 4.7)
  devise-two-factor (~> 3.1)
  devise_pam_authenticatable2 (~> 9.2)
-  discard (~> 1.1)
+  discard (~> 1.2)
-  doorkeeper (~> 5.2)
+  doorkeeper (~> 5.4)
  dotenv-rails (~> 2.7)
  e2mmap (~> 0.1.0)
  fabrication (~> 2.21)
-  faker (~> 2.10)
+  faker (~> 2.11)
  fast_blank (~> 1.0)
  fastimage
  fog-core (<= 2.1.0)
@ -704,7 +712,7 @@ DEPENDENCIES
  health_check!
  hiredis (~> 0.6)
  htmlentities (~> 4.3)
-  http (~> 4.3)
+  http (~> 4.4)
  http_accept_language (~> 2.1)
  http_parser.rb (~> 0.6)!
  httplog (~> 1.4.2)
@ -713,7 +721,7 @@ DEPENDENCIES
  iso-639
  json-ld
  json-ld-preloaded (~> 3.1)
-  kaminari (~> 1.1)
+  kaminari (~> 1.2)
  letter_opener (~> 1.7)
  letter_opener_web (~> 1.4)
  link_header (~> 0.0)
@ -731,11 +739,11 @@ DEPENDENCIES
  omniauth (~> 1.9)
  omniauth-cas (~> 1.1)
  omniauth-saml (~> 1.10)
-  ox (~> 2.12)
+  ox (~> 2.13)
  paperclip (~> 6.0)
  paperclip-av-transcoder (~> 0.6)
  parallel (~> 1.19)
-  parallel_tests (~> 2.30)
+  parallel_tests (~> 2.32)
  parslet
  pg (~> 1.2)
  pghero (~> 2.4)
@ -743,14 +751,14 @@ DEPENDENCIES
  posix-spawn!
  premailer-rails
  private_address_check (~> 0.5)
-  pry-byebug (~> 3.8)
+  pry-byebug (~> 3.9)
  pry-rails (~> 0.3)
  puma (~> 4.3)
  pundit (~> 2.1)
  rack (~> 2.2.2)
-  rack-attack (~> 6.2)
+  rack-attack (~> 6.3)
  rack-cors (~> 1.1)
-  rails (~> 5.2.4)
+  rails (~> 5.2.4.2)
  rails-controller-testing (~> 1.0)
  rails-i18n (~> 5.1)
  rails-settings-cached (~> 0.6)
@ -759,13 +767,14 @@ DEPENDENCIES
  redis-namespace (~> 1.7)
  redis-rails (~> 5.0)
  rqrcode (~> 1.1)
-  rspec-rails (~> 3.9)
+  rspec-rails (~> 4.0)
  rspec-sidekiq (~> 3.0)
-  rubocop (~> 0.79)
+  rspec_junit_formatter (~> 0.4)
-  rubocop-rails (~> 2.4)
+  rubocop (~> 0.82)
  rubocop-rails (~> 2.5)
  ruby-progressbar (~> 1.10)
  sanitize (~> 5.1)
-  sidekiq (~> 5.2)
+  sidekiq (~> 6.0)
  sidekiq-bulk (~> 0.2.0)
  sidekiq-scheduler (~> 3.0)
  sidekiq-unique-jobs (~> 6.0)
@ -777,13 +786,13 @@ DEPENDENCIES
  stackprof
  stoplight (~> 2.2.0)
  streamio-ffmpeg (~> 3.0)
-  strong_migrations (~> 0.5)
+  strong_migrations (~> 0.6)
  thor (~> 0.20)
  thwait (~> 0.1.0)
  tty-command (~> 0.9)
-  tty-prompt (~> 0.20)
+  tty-prompt (~> 0.21)
  twitter-text (~> 1.14)
-  tzinfo-data (~> 1.2019)
+  tzinfo-data (~> 1.2020)
  webmock (~> 3.8)
-  webpacker (~> 4.2)
+  webpacker (~> 5.1)
  webpush
--- a/README.md
+++ b/README.md
@ -68,8 +68,8 @@ Mastodon acts as an OAuth2 provider so 3rd party apps can use the REST and Strea
 **Requirements:**
 - **PostgreSQL** 9.5+
- **Redis**
+- **Redis** 4+
- **Ruby** 2.4+
+- **Ruby** 2.5+
 - **Node.js** 10.13+
 The repository includes deployment configurations for **Docker and docker-compose**, but also a few specific platforms like **Heroku**, **Scalingo**, and **Nanobox**. The [**stand-alone** installation guide](https://docs.joinmastodon.org/admin/install/) is available in the documentation.
@ -80,7 +80,7 @@ A **Vagrant** configuration is included for development purposes.
 Mastodon is **free, open-source software** licensed under **AGPLv3**.
-You can open issues for bugs you've found or features you think are missing. You can also submit pull requests to this repository, or submit translations using Weblate. To get started, take a look at [CONTRIBUTING.md](CONTRIBUTING.md). If your contributions are accepted into Mastodon, you can request to be paid through [our OpenCollective](https://opencollective.com/mastodon).
+You can open issues for bugs you've found or features you think are missing. You can also submit pull requests to this repository, or submit translations using Crowdin. To get started, take a look at [CONTRIBUTING.md](CONTRIBUTING.md). If your contributions are accepted into Mastodon, you can request to be paid through [our OpenCollective](https://opencollective.com/mastodon).
 **IRC channel**: #mastodon on irc.freenode.net
--- a/2
+++ b/2
@ -91,7 +91,7 @@ VAGRANTFILE_API_VERSION = "2"
 Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
-  config.vm.box = "ubuntu/xenial64"
+  config.vm.box = "ubuntu/bionic64"
  config.vm.provider :virtualbox do |vb|
    vb.name = "mastodon"
--- a/app/chewy/statuses_index.rb
+++ b/app/chewy/statuses_index.rb
@ -47,6 +47,11 @@ class StatusesIndex < Chewy::Index
      data.each.with_object({}) { |(id, name), result| (result[id] ||= []).push(name) }
    end
    crutch :bookmarks do |collection|
      data = ::Bookmark.where(status_id: collection.map(&:id)).where(account: Account.local).pluck(:status_id, :account_id)
      data.each.with_object({}) { |(id, name), result| (result[id] ||= []).push(name) }
    end
    root date_detection: false do
      field :id, type: 'long'
      field :account_id, type: 'long'
--- a/app/controllers/account_follow_controller.rb
+++ b/app/controllers/account_follow_controller.rb
@ -6,7 +6,7 @@ class AccountFollowController < ApplicationController
  before_action :authenticate_user!
  def create
-    FollowService.new.call(current_user.account, @account.acct)
+    FollowService.new.call(current_user.account, @account, with_rate_limit: true)
    redirect_to account_path(@account)
  end
 end
--- a/app/controllers/accounts_controller.rb
+++ b/app/controllers/accounts_controller.rb
@ -27,7 +27,7 @@ class AccountsController < ApplicationController
        end
        @pinned_statuses = cache_collection(@account.pinned_statuses, Status) if show_pinned_statuses?
-        @statuses        = filtered_status_page(params)
+        @statuses        = filtered_status_page
        @statuses        = cache_collection(@statuses, Status)
        @rss_url         = rss_url
@ -40,7 +40,7 @@ class AccountsController < ApplicationController
      format.rss do
        expires_in 1.minute, public: true
-        @statuses = filtered_statuses.without_reblogs.without_replies.limit(PAGE_SIZE)
+        @statuses = filtered_statuses.without_reblogs.limit(PAGE_SIZE)
        @statuses = cache_collection(@statuses, Status)
        render xml: RSS::AccountSerializer.render(@account, @statuses, params[:tag])
      end
@ -129,23 +129,23 @@ class AccountsController < ApplicationController
  end
  def media_requested?
-    request.path.ends_with?('/media') && !tag_requested?
+    request.path.split('.').first.ends_with?('/media') && !tag_requested?
  end
  def replies_requested?
-    request.path.ends_with?('/with_replies') && !tag_requested?
+    request.path.split('.').first.ends_with?('/with_replies') && !tag_requested?
  end
  def tag_requested?
    request.path.split('.').first.ends_with?(Addressable::URI.parse("/tagged/#{params[:tag]}").normalize)
  end
-  def filtered_status_page(params)
+  def filtered_status_page
-    if params[:min_id].present?
+    filtered_statuses.paginate_by_id(PAGE_SIZE, params_slice(:max_id, :min_id, :since_id))
-      filtered_statuses.paginate_by_min_id(PAGE_SIZE, params[:min_id]).reverse
+  end
-    else
+
-      filtered_statuses.paginate_by_max_id(PAGE_SIZE, params[:max_id], params[:since_id]).to_a
+  def params_slice(*keys)
-    end
+    params.slice(*keys).permit(*keys)
  end
  def restrict_fields_to
--- a/app/controllers/activitypub/collections_controller.rb
+++ b/app/controllers/activitypub/collections_controller.rb
@ -24,20 +24,23 @@ class ActivityPub::CollectionsController < ActivityPub::BaseController
  def set_size
    case params[:id]
    when 'featured'
-      @account.pinned_statuses.count
+      @size = @account.pinned_statuses.count
    else
-      raise ActiveRecord::RecordNotFound
+      not_found
    end
  end
  def scope_for_collection
    case params[:id]
    when 'featured'
-      return Status.none if @account.blocking?(signed_request_account)
+      # Because in public fetch mode we cache the response, there would be no
-
+      # benefit from performing the check below, since a blocked account or domain
-      @account.pinned_statuses
+      # would likely be served the cache from the reverse proxy anyway
-    else
+      if authorized_fetch_mode? && !signed_request_account.nil? && (@account.blocking?(signed_request_account) || (!signed_request_account.domain.nil? && @account.domain_blocking?(signed_request_account.domain)))
-      raise ActiveRecord::RecordNotFound
+        Status.none
      else
        @account.pinned_statuses
      end
    end
  end
--- a/app/controllers/activitypub/inboxes_controller.rb
+++ b/app/controllers/activitypub/inboxes_controller.rb
@ -49,7 +49,7 @@ class ActivityPub::InboxesController < ActivityPub::BaseController
      ResolveAccountWorker.perform_async(signed_request_account.acct)
    end
-    DeliveryFailureTracker.track_inverse_success!(signed_request_account)
+    DeliveryFailureTracker.reset!(signed_request_account.inbox_url)
  end
  def process_payload
--- a/app/controllers/activitypub/outboxes_controller.rb
+++ b/app/controllers/activitypub/outboxes_controller.rb
@ -11,7 +11,7 @@ class ActivityPub::OutboxesController < ActivityPub::BaseController
  before_action :set_cache_headers
  def show
-    expires_in(page_requested? ? 0 : 3.minutes, public: public_fetch_mode?)
+    expires_in(page_requested? ? 0 : 3.minutes, public: public_fetch_mode? && !(signed_request_account.present? && page_requested?))
    render json: outbox_presenter, serializer: ActivityPub::OutboxSerializer, adapter: ActivityPub::Adapter, content_type: 'application/activity+json'
  end
@ -50,12 +50,12 @@ class ActivityPub::OutboxesController < ActivityPub::BaseController
    return unless page_requested?
    @statuses = @account.statuses.permitted_for(@account, signed_request_account)
-    @statuses = params[:min_id].present? ? @statuses.paginate_by_min_id(LIMIT, params[:min_id]).reverse : @statuses.paginate_by_max_id(LIMIT, params[:max_id])
+    @statuses = @statuses.paginate_by_id(LIMIT, params_slice(:max_id, :min_id, :since_id))
    @statuses = cache_collection(@statuses, Status)
  end
  def page_requested?
-    params[:page] == 'true'
+    truthy_param?(:page)
  end
  def page_params
--- a/app/controllers/activitypub/replies_controller.rb
+++ b/app/controllers/activitypub/replies_controller.rb
@ -1,7 +1,7 @@
 # frozen_string_literal: true
 class ActivityPub::RepliesController < ActivityPub::BaseController
-  include SignatureAuthentication
+  include SignatureVerification
  include Authorization
  include AccountOwnedConcern
@ -19,15 +19,19 @@ class ActivityPub::RepliesController < ActivityPub::BaseController
  private
  def pundit_user
    signed_request_account
  end
  def set_status
    @status = @account.statuses.find(params[:status_id])
    authorize @status, :show?
  rescue Mastodon::NotPermittedError
-    raise ActiveRecord::RecordNotFound
+    not_found
  end
  def set_replies
-    @replies = page_params[:only_other_accounts] ? Status.where.not(account_id: @account.id) : @account.statuses
+    @replies = only_other_accounts? ? Status.where.not(account_id: @account.id) : @account.statuses
    @replies = @replies.where(in_reply_to_id: @status.id, visibility: [:public, :unlisted])
    @replies = @replies.paginate_by_min_id(DESCENDANTS_LIMIT, params[:min_id])
  end
@ -38,7 +42,7 @@ class ActivityPub::RepliesController < ActivityPub::BaseController
      type: :unordered,
      part_of: account_status_replies_url(@account, @status),
      next: next_page,
-      items: @replies.map { |status| status.local ? status : status.uri }
+      items: @replies.map { |status| status.local? ? status : status.uri }
    )
    return page if page_requested?
@ -51,16 +55,21 @@ class ActivityPub::RepliesController < ActivityPub::BaseController
  end
  def page_requested?
-    params[:page] == 'true'
+    truthy_param?(:page)
  end
  def only_other_accounts?
    truthy_param?(:only_other_accounts)
  end
  def next_page
    only_other_accounts = !(@replies&.last&.account_id == @account.id && @replies.size == DESCENDANTS_LIMIT)
    account_status_replies_url(
      @account,
      @status,
      page: true,
-      min_id: only_other_accounts && !page_params[:only_other_accounts] ? nil : @replies&.last&.id,
+      min_id: only_other_accounts && !only_other_accounts? ? nil : @replies&.last&.id,
      only_other_accounts: only_other_accounts
    )
  end
--- a/app/controllers/admin/action_logs_controller.rb
+++ b/app/controllers/admin/action_logs_controller.rb
@ -2,8 +2,18 @@
 module Admin
  class ActionLogsController < BaseController
-    def index
+    before_action :set_action_logs
-      @action_logs = Admin::ActionLog.page(params[:page])
+
    def index; end
    private
    def set_action_logs
      @action_logs = Admin::ActionLogFilter.new(filter_params).results.page(params[:page])
    end
    def filter_params
      params.slice(:page, *Admin::ActionLogFilter::KEYS).permit(:page, *Admin::ActionLogFilter::KEYS)
    end
  end
 end
--- a/app/controllers/admin/email_domain_blocks_controller.rb
+++ b/app/controllers/admin/email_domain_blocks_controller.rb
@ -6,12 +6,12 @@ module Admin
    def index
      authorize :email_domain_block, :index?
-      @email_domain_blocks = EmailDomainBlock.page(params[:page])
+      @email_domain_blocks = EmailDomainBlock.where(parent_id: nil).includes(:children).order(id: :desc).page(params[:page])
    end
    def new
      authorize :email_domain_block, :create?
-      @email_domain_block = EmailDomainBlock.new
+      @email_domain_block = EmailDomainBlock.new(domain: params[:_domain])
    end
    def create
@ -21,6 +21,28 @@ module Admin
      if @email_domain_block.save
        log_action :create, @email_domain_block
        if @email_domain_block.with_dns_records?
          hostnames = []
          ips       = []
          Resolv::DNS.open do |dns|
            dns.timeouts = 1
            hostnames = dns.getresources(@email_domain_block.domain, Resolv::DNS::Resource::IN::MX).to_a.map { |e| e.exchange.to_s }
            ([@email_domain_block.domain] + hostnames).uniq.each do |hostname|
              ips.concat(dns.getresources(hostname, Resolv::DNS::Resource::IN::A).to_a.map { |e| e.address.to_s })
              ips.concat(dns.getresources(hostname, Resolv::DNS::Resource::IN::AAAA).to_a.map { |e| e.address.to_s })
            end
          end
          (hostnames + ips).each do |hostname|
            another_email_domain_block = EmailDomainBlock.new(domain: hostname, parent: @email_domain_block)
            log_action :create, another_email_domain_block if another_email_domain_block.save
          end
        end
        redirect_to admin_email_domain_blocks_path, notice: I18n.t('admin.email_domain_blocks.created_msg')
      else
        render :new
@ -41,7 +63,7 @@ module Admin
    end
    def resource_params
-      params.require(:email_domain_block).permit(:domain)
+      params.require(:email_domain_block).permit(:domain, :with_dns_records)
    end
  end
 end
--- a/app/controllers/admin/instances_controller.rb
+++ b/app/controllers/admin/instances_controller.rb
@ -19,7 +19,7 @@ module Admin
      @followers_count = Follow.where(target_account: Account.where(domain: params[:id])).count
      @reports_count   = Report.where(target_account: Account.where(domain: params[:id])).count
      @blocks_count    = Block.where(target_account: Account.where(domain: params[:id])).count
-      @available       = DeliveryFailureTracker.available?(Account.select(:shared_inbox_url).where(domain: params[:id]).first&.shared_inbox_url)
+      @available       = DeliveryFailureTracker.available?(params[:id])
      @media_storage   = MediaAttachment.where(account: Account.where(domain: params[:id])).sum(:file_file_size)
      @private_comment = @domain_block&.private_comment
      @public_comment  = @domain_block&.public_comment
--- a/app/controllers/admin/site_uploads_controller.rb
+++ b/app/controllers/admin/site_uploads_controller.rb
@ -0,0 +1,21 @@
 # frozen_string_literal: true
 module Admin
  class SiteUploadsController < BaseController
    before_action :set_site_upload
    def destroy
      authorize :settings, :destroy?
      @site_upload.destroy!
      redirect_to edit_admin_settings_path, notice: I18n.t('admin.site_uploads.destroyed_msg')
    end
    private
    def set_site_upload
      @site_upload = SiteUpload.find(params[:id])
    end
  end
 end
--- a/app/controllers/admin/warning_presets_controller.rb
+++ b/app/controllers/admin/warning_presets_controller.rb
@ -7,7 +7,7 @@ module Admin
    def index
      authorize :account_warning_preset, :index?
-      @warning_presets = AccountWarningPreset.all
+      @warning_presets = AccountWarningPreset.alphabetic
      @warning_preset  = AccountWarningPreset.new
    end
@ -19,7 +19,7 @@ module Admin
      if @warning_preset.save
        redirect_to admin_warning_presets_path
      else
-        @warning_presets = AccountWarningPreset.all
+        @warning_presets = AccountWarningPreset.alphabetic
        render :index
      end
    end
@ -52,7 +52,7 @@ module Admin
    end
    def warning_preset_params
-      params.require(:account_warning_preset).permit(:text)
+      params.require(:account_warning_preset).permit(:title, :text)
    end
  end
 end
--- a/app/controllers/api/base_controller.rb
+++ b/app/controllers/api/base_controller.rb
@ -44,6 +44,10 @@ class Api::BaseController < ApplicationController
    render json: { error: 'There was a temporary problem serving your request, please try again' }, status: 503
  end
  rescue_from Mastodon::RateLimitExceededError do
    render json: { error: I18n.t('errors.429') }, status: 429
  end
  rescue_from ActionController::ParameterMissing do |e|
    render json: { error: e.to_s }, status: 400
  end
--- a/app/controllers/api/v1/accounts/follower_accounts_controller.rb
+++ b/app/controllers/api/v1/accounts/follower_accounts_controller.rb
@ -5,8 +5,6 @@ class Api::V1::Accounts::FollowerAccountsController < Api::BaseController
  before_action :set_account
  after_action :insert_pagination_headers
  respond_to :json
  def index
    @accounts = load_accounts
    render json: @accounts, each_serializer: REST::AccountSerializer
@ -22,12 +20,12 @@ class Api::V1::Accounts::FollowerAccountsController < Api::BaseController
    return [] if hide_results?
    scope = default_accounts
-    scope = scope.where.not(id: current_account.excluded_from_timeline_account_ids) unless current_account.nil?
+    scope = scope.where.not(id: current_account.excluded_from_timeline_account_ids) unless current_account.nil? || current_account.id == @account.id
    scope.merge(paginated_follows).to_a
  end
  def hide_results?
-    (@account.user_hides_network? && current_account&.id != @account.id) || (current_account && @account.blocking?(current_account))
+    (@account.hides_followers? && current_account&.id != @account.id) || (current_account && @account.blocking?(current_account))
  end
  def default_accounts
--- a/app/controllers/api/v1/accounts/following_accounts_controller.rb
+++ b/app/controllers/api/v1/accounts/following_accounts_controller.rb
@ -5,8 +5,6 @@ class Api::V1::Accounts::FollowingAccountsController < Api::BaseController
  before_action :set_account
  after_action :insert_pagination_headers
  respond_to :json
  def index
    @accounts = load_accounts
    render json: @accounts, each_serializer: REST::AccountSerializer
@ -22,12 +20,12 @@ class Api::V1::Accounts::FollowingAccountsController < Api::BaseController
    return [] if hide_results?
    scope = default_accounts
-    scope = scope.where.not(id: current_account.excluded_from_timeline_account_ids) unless current_account.nil?
+    scope = scope.where.not(id: current_account.excluded_from_timeline_account_ids) unless current_account.nil? || current_account.id == @account.id
    scope.merge(paginated_follows).to_a
  end
  def hide_results?
-    (@account.user_hides_network? && current_account&.id != @account.id) || (current_account && @account.blocking?(current_account))
+    (@account.hides_following? && current_account&.id != @account.id) || (current_account && @account.blocking?(current_account))
  end
  def default_accounts
--- a/app/controllers/api/v1/accounts/identity_proofs_controller.rb
+++ b/app/controllers/api/v1/accounts/identity_proofs_controller.rb
@ -4,8 +4,6 @@ class Api::V1::Accounts::IdentityProofsController < Api::BaseController
  before_action :require_user!
  before_action :set_account
  respond_to :json
  def index
    @proofs = @account.identity_proofs.active
    render json: @proofs, each_serializer: REST::IdentityProofSerializer
--- a/app/controllers/api/v1/accounts/lists_controller.rb
+++ b/app/controllers/api/v1/accounts/lists_controller.rb
@ -5,8 +5,6 @@ class Api::V1::Accounts::ListsController < Api::BaseController
  before_action :require_user!
  before_action :set_account
  respond_to :json
  def index
    @lists = @account.lists.where(account: current_account)
    render json: @lists, each_serializer: REST::ListSerializer
--- a/app/controllers/api/v1/accounts/pins_controller.rb
+++ b/app/controllers/api/v1/accounts/pins_controller.rb
@ -7,8 +7,6 @@ class Api::V1::Accounts::PinsController < Api::BaseController
  before_action :require_user!
  before_action :set_account
  respond_to :json
  def create
    AccountPin.create!(account: current_account, target_account: @account)
    render json: @account, serializer: REST::RelationshipSerializer, relationships: relationships_presenter
--- a/app/controllers/api/v1/accounts/relationships_controller.rb
+++ b/app/controllers/api/v1/accounts/relationships_controller.rb
@ -4,8 +4,6 @@ class Api::V1::Accounts::RelationshipsController < Api::BaseController
  before_action -> { doorkeeper_authorize! :read, :'read:follows' }
  before_action :require_user!
  respond_to :json
  def index
    accounts = Account.where(id: account_ids).select('id')
    # .where doesn't guarantee that our results are in the same order
--- a/app/controllers/api/v1/accounts/search_controller.rb
+++ b/app/controllers/api/v1/accounts/search_controller.rb
@ -4,8 +4,6 @@ class Api::V1::Accounts::SearchController < Api::BaseController
  before_action -> { doorkeeper_authorize! :read, :'read:accounts' }
  before_action :require_user!
  respond_to :json
  def show
    @accounts = account_search
    render json: @accounts, each_serializer: REST::AccountSerializer
--- a/app/controllers/api/v1/accounts/statuses_controller.rb
+++ b/app/controllers/api/v1/accounts/statuses_controller.rb
@ -6,8 +6,6 @@ class Api::V1::Accounts::StatusesController < Api::BaseController
  after_action :insert_pagination_headers, unless: -> { truthy_param?(:pinned) }
  respond_to :json
  def index
    @statuses = load_statuses
    render json: @statuses, each_serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new(@statuses, current_user&.account_id)
--- a/app/controllers/api/v1/accounts_controller.rb
+++ b/app/controllers/api/v1/accounts_controller.rb
@ -14,7 +14,7 @@ class Api::V1::AccountsController < Api::BaseController
  skip_before_action :require_authenticated_user!, only: :create
-  respond_to :json
+  override_rate_limit_headers :follow, family: :follows
  def show
    render json: @account, serializer: REST::AccountSerializer
@ -31,7 +31,7 @@ class Api::V1::AccountsController < Api::BaseController
  end
  def follow
-    FollowService.new.call(current_user.account, @account, reblogs: truthy_param?(:reblogs))
+    FollowService.new.call(current_user.account, @account, reblogs: truthy_param?(:reblogs), with_rate_limit: true)
    options = @account.locked? || current_user.account.silenced? ? {} : { following_map: { @account.id => { reblogs: truthy_param?(:reblogs) } }, requested_map: { @account.id => false } }
--- a/app/controllers/api/v1/apps/credentials_controller.rb
+++ b/app/controllers/api/v1/apps/credentials_controller.rb
@ -3,8 +3,6 @@
 class Api::V1::Apps::CredentialsController < Api::BaseController
  before_action -> { doorkeeper_authorize! :read }
  respond_to :json
  def show
    render json: doorkeeper_token.application, serializer: REST::ApplicationSerializer, fields: %i(name website vapid_key)
  end
--- a/app/controllers/api/v1/blocks_controller.rb
+++ b/app/controllers/api/v1/blocks_controller.rb
@ -5,8 +5,6 @@ class Api::V1::BlocksController < Api::BaseController
  before_action :require_user!
  after_action :insert_pagination_headers
  respond_to :json
  def index
    @accounts = load_accounts
    render json: @accounts, each_serializer: REST::AccountSerializer
--- a/app/controllers/api/v1/bookmarks_controller.rb
+++ b/app/controllers/api/v1/bookmarks_controller.rb
@ -5,8 +5,6 @@ class Api::V1::BookmarksController < Api::BaseController
  before_action :require_user!
  after_action :insert_pagination_headers
  respond_to :json
  def index
    @statuses = load_statuses
    render json: @statuses, each_serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new(@statuses, current_user&.account_id)
--- a/app/controllers/api/v1/conversations_controller.rb
+++ b/app/controllers/api/v1/conversations_controller.rb
@ -9,8 +9,6 @@ class Api::V1::ConversationsController < Api::BaseController
  before_action :set_conversation, except: :index
  after_action :insert_pagination_headers, only: :index
  respond_to :json
  def index
    @conversations = paginated_conversations
    render json: @conversations, each_serializer: REST::ConversationSerializer
--- a/app/controllers/api/v1/custom_emojis_controller.rb
+++ b/app/controllers/api/v1/custom_emojis_controller.rb
@ -1,8 +1,6 @@
 # frozen_string_literal: true
 class Api::V1::CustomEmojisController < Api::BaseController
  respond_to :json
  skip_before_action :set_cache_headers
  def index
--- a/app/controllers/api/v1/domain_blocks_controller.rb
+++ b/app/controllers/api/v1/domain_blocks_controller.rb
@ -8,8 +8,6 @@ class Api::V1::DomainBlocksController < Api::BaseController
  before_action :require_user!
  after_action :insert_pagination_headers, only: :show
  respond_to :json
  def show
    @blocks = load_domain_blocks
    render json: @blocks.map(&:domain)
--- a/app/controllers/api/v1/endorsements_controller.rb
+++ b/app/controllers/api/v1/endorsements_controller.rb
@ -5,8 +5,6 @@ class Api::V1::EndorsementsController < Api::BaseController
  before_action :require_user!
  after_action :insert_pagination_headers
  respond_to :json
  def index
    @accounts = load_accounts
    render json: @accounts, each_serializer: REST::AccountSerializer
--- a/app/controllers/api/v1/favourites_controller.rb
+++ b/app/controllers/api/v1/favourites_controller.rb
@ -5,8 +5,6 @@ class Api::V1::FavouritesController < Api::BaseController
  before_action :require_user!
  after_action :insert_pagination_headers
  respond_to :json
  def index
    @statuses = load_statuses
    render json: @statuses, each_serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new(@statuses, current_user&.account_id)
--- a/app/controllers/api/v1/featured_tags/suggestions_controller.rb
+++ b/app/controllers/api/v1/featured_tags/suggestions_controller.rb
@ -2,12 +2,9 @@
 class Api::V1::FeaturedTags::SuggestionsController < Api::BaseController
  before_action -> { doorkeeper_authorize! :read, :'read:accounts' }, only: :index
  before_action :require_user!
  before_action :set_most_used_tags, only: :index
  respond_to :json
  def index
    render json: @most_used_tags, each_serializer: REST::TagSerializer
  end
--- a/app/controllers/api/v1/filters_controller.rb
+++ b/app/controllers/api/v1/filters_controller.rb
@ -7,8 +7,6 @@ class Api::V1::FiltersController < Api::BaseController
  before_action :set_filters, only: :index
  before_action :set_filter, only: [:show, :update, :destroy]
  respond_to :json
  def index
    render json: @filters, each_serializer: REST::FilterSerializer
  end
--- a/app/controllers/api/v1/instances/activity_controller.rb
+++ b/app/controllers/api/v1/instances/activity_controller.rb
@ -6,8 +6,6 @@ class Api::V1::Instances::ActivityController < Api::BaseController
  skip_before_action :set_cache_headers
  skip_before_action :require_authenticated_user!, unless: :whitelist_mode?
  respond_to :json
  def show
    expires_in 1.day, public: true
    render_with_cache json: :activity, expires_in: 1.day
--- a/app/controllers/api/v1/instances/peers_controller.rb
+++ b/app/controllers/api/v1/instances/peers_controller.rb
@ -6,8 +6,6 @@ class Api::V1::Instances::PeersController < Api::BaseController
  skip_before_action :set_cache_headers
  skip_before_action :require_authenticated_user!, unless: :whitelist_mode?
  respond_to :json
  def index
    expires_in 1.day, public: true
    render_with_cache(expires_in: 1.day) { Account.remote.domains }
--- a/app/controllers/api/v1/instances_controller.rb
+++ b/app/controllers/api/v1/instances_controller.rb
@ -1,8 +1,6 @@
 # frozen_string_literal: true
 class Api::V1::InstancesController < Api::BaseController
  respond_to :json
  skip_before_action :set_cache_headers
  skip_before_action :require_authenticated_user!, unless: :whitelist_mode?
--- a/app/controllers/api/v1/media_controller.rb
+++ b/app/controllers/api/v1/media_controller.rb
@ -3,27 +3,42 @@
 class Api::V1::MediaController < Api::BaseController
  before_action -> { doorkeeper_authorize! :write, :'write:media' }
  before_action :require_user!
-
+  before_action :set_media_attachment, except: [:create]
-  respond_to :json
+  before_action :check_processing, except: [:create]
  def create
-    @media = current_account.media_attachments.create!(media_params)
+    @media_attachment = current_account.media_attachments.create!(media_attachment_params)
-    render json: @media, serializer: REST::MediaAttachmentSerializer
+    render json: @media_attachment, serializer: REST::MediaAttachmentSerializer
  rescue Paperclip::Errors::NotIdentifiedByImageMagickError
    render json: file_type_error, status: 422
  rescue Paperclip::Error
    render json: processing_error, status: 500
  end
  def show
    render json: @media_attachment, serializer: REST::MediaAttachmentSerializer, status: status_code_for_media_attachment
  end
  def update
-    @media = current_account.media_attachments.where(status_id: nil).find(params[:id])
+    @media_attachment.update!(media_attachment_params)
-    @media.update!(media_params)
+    render json: @media_attachment, serializer: REST::MediaAttachmentSerializer, status: status_code_for_media_attachment
    render json: @media, serializer: REST::MediaAttachmentSerializer
  end
  private
-  def media_params
+  def status_code_for_media_attachment
    @media_attachment.not_processed? ? 206 : 200
  end
  def set_media_attachment
    @media_attachment = current_account.media_attachments.unattached.find(params[:id])
  end
  def check_processing
    render json: processing_error, status: 422 if @media_attachment.processing_failed?
  end
  def media_attachment_params
    params.permit(:file, :description, :focus)
  end
--- a/app/controllers/api/v1/mutes_controller.rb
+++ b/app/controllers/api/v1/mutes_controller.rb
@ -5,8 +5,6 @@ class Api::V1::MutesController < Api::BaseController
  before_action :require_user!
  after_action :insert_pagination_headers
  respond_to :json
  def index
    @accounts = load_accounts
    render json: @accounts, each_serializer: REST::AccountSerializer
--- a/app/controllers/api/v1/notifications_controller.rb
+++ b/app/controllers/api/v1/notifications_controller.rb
@ -6,8 +6,6 @@ class Api::V1::NotificationsController < Api::BaseController
  before_action :require_user!
  after_action :insert_pagination_headers, only: :index
  respond_to :json
  DEFAULT_NOTIFICATIONS_LIMIT = 15
  def index
--- a/app/controllers/api/v1/polls/votes_controller.rb
+++ b/app/controllers/api/v1/polls/votes_controller.rb
@ -7,8 +7,6 @@ class Api::V1::Polls::VotesController < Api::BaseController
  before_action :require_user!
  before_action :set_poll
  respond_to :json
  def create
    VoteService.new.call(current_account, @poll, vote_params[:choices])
    render json: @poll, serializer: REST::PollSerializer
@ -20,7 +18,7 @@ class Api::V1::Polls::VotesController < Api::BaseController
    @poll = Poll.attached.find(params[:poll_id])
    authorize @poll.status, :show?
  rescue Mastodon::NotPermittedError
-    raise ActiveRecord::RecordNotFound
+    not_found
  end
  def vote_params
--- a/app/controllers/api/v1/polls_controller.rb
+++ b/app/controllers/api/v1/polls_controller.rb
@ -7,8 +7,6 @@ class Api::V1::PollsController < Api::BaseController
  before_action :set_poll
  before_action :refresh_poll
  respond_to :json
  def show
    render json: @poll, serializer: REST::PollSerializer, include_results: true
  end
@ -19,7 +17,7 @@ class Api::V1::PollsController < Api::BaseController
    @poll = Poll.attached.find(params[:id])
    authorize @poll.status, :show?
  rescue Mastodon::NotPermittedError
-    raise ActiveRecord::RecordNotFound
+    not_found
  end
  def refresh_poll
--- a/app/controllers/api/v1/preferences_controller.rb
+++ b/app/controllers/api/v1/preferences_controller.rb
@ -4,8 +4,6 @@ class Api::V1::PreferencesController < Api::BaseController
  before_action -> { doorkeeper_authorize! :read, :'read:accounts' }
  before_action :require_user!
  respond_to :json
  def index
    render json: current_account, serializer: REST::PreferencesSerializer
  end
--- a/app/controllers/api/v1/push/subscriptions_controller.rb
+++ b/app/controllers/api/v1/push/subscriptions_controller.rb
@ -4,6 +4,7 @@ class Api::V1::Push::SubscriptionsController < Api::BaseController
  before_action -> { doorkeeper_authorize! :push }
  before_action :require_user!
  before_action :set_web_push_subscription
  before_action :check_web_push_subscription, only: [:show, :update]
  def create
    @web_subscription&.destroy!
@ -21,16 +22,11 @@ class Api::V1::Push::SubscriptionsController < Api::BaseController
  end
  def show
    raise ActiveRecord::RecordNotFound if @web_subscription.nil?
    render json: @web_subscription, serializer: REST::WebPushSubscriptionSerializer
  end
  def update
    raise ActiveRecord::RecordNotFound if @web_subscription.nil?
    @web_subscription.update!(data: data_params)
    render json: @web_subscription, serializer: REST::WebPushSubscriptionSerializer
  end
@ -45,12 +41,17 @@ class Api::V1::Push::SubscriptionsController < Api::BaseController
    @web_subscription = ::Web::PushSubscription.find_by(access_token_id: doorkeeper_token.id)
  end
  def check_web_push_subscription
    not_found if @web_subscription.nil?
  end
  def subscription_params
    params.require(:subscription).permit(:endpoint, keys: [:auth, :p256dh])
  end
  def data_params
    return {} if params[:data].blank?
    params.require(:data).permit(alerts: [:follow, :follow_request, :favourite, :reblog, :mention, :poll])
  end
 end
--- a/app/controllers/api/v1/reports_controller.rb
+++ b/app/controllers/api/v1/reports_controller.rb
@ -4,7 +4,7 @@ class Api::V1::ReportsController < Api::BaseController
  before_action -> { doorkeeper_authorize! :write, :'write:reports' }, only: [:create]
  before_action :require_user!
-  respond_to :json
+  override_rate_limit_headers :create, family: :reports
  def create
    @report = ReportService.new.call(
--- a/app/controllers/api/v1/statuses/bookmarks_controller.rb
+++ b/app/controllers/api/v1/statuses/bookmarks_controller.rb
@ -7,8 +7,6 @@ class Api::V1::Statuses::BookmarksController < Api::BaseController
  before_action :require_user!
  before_action :set_status
  respond_to :json
  def create
    current_account.bookmarks.find_or_create_by!(account: current_account, status: @status)
    render json: @status, serializer: REST::StatusSerializer
--- a/app/controllers/api/v1/statuses/favourited_by_accounts_controller.rb
+++ b/app/controllers/api/v1/statuses/favourited_by_accounts_controller.rb
@ -7,8 +7,6 @@ class Api::V1::Statuses::FavouritedByAccountsController < Api::BaseController
  before_action :set_status
  after_action :insert_pagination_headers
  respond_to :json
  def index
    @accounts = load_accounts
    render json: @accounts, each_serializer: REST::AccountSerializer
--- a/app/controllers/api/v1/statuses/favourites_controller.rb
+++ b/app/controllers/api/v1/statuses/favourites_controller.rb
@ -7,8 +7,6 @@ class Api::V1::Statuses::FavouritesController < Api::BaseController
  before_action :require_user!
  before_action :set_status
  respond_to :json
  def create
    FavouriteService.new.call(current_account, @status)
    render json: @status, serializer: REST::StatusSerializer
--- a/app/controllers/api/v1/statuses/mutes_controller.rb
+++ b/app/controllers/api/v1/statuses/mutes_controller.rb
@ -8,8 +8,6 @@ class Api::V1::Statuses::MutesController < Api::BaseController
  before_action :set_status
  before_action :set_conversation
  respond_to :json
  def create
    current_account.mute_conversation!(@conversation)
    @mutes_map = { @conversation.id => true }
@ -30,8 +28,7 @@ class Api::V1::Statuses::MutesController < Api::BaseController
    @status = Status.find(params[:status_id])
    authorize @status, :show?
  rescue Mastodon::NotPermittedError
-    # Reraise in order to get a 404 instead of a 403 error code
+    not_found
    raise ActiveRecord::RecordNotFound
  end
  def set_conversation
--- a/app/controllers/api/v1/statuses/pins_controller.rb
+++ b/app/controllers/api/v1/statuses/pins_controller.rb
@ -7,8 +7,6 @@ class Api::V1::Statuses::PinsController < Api::BaseController
  before_action :require_user!
  before_action :set_status
  respond_to :json
  def create
    StatusPin.create!(account: current_account, status: @status)
    distribute_add_activity!
--- a/app/controllers/api/v1/statuses/reblogged_by_accounts_controller.rb
+++ b/app/controllers/api/v1/statuses/reblogged_by_accounts_controller.rb
@ -7,8 +7,6 @@ class Api::V1::Statuses::RebloggedByAccountsController < Api::BaseController
  before_action :set_status
  after_action :insert_pagination_headers
  respond_to :json
  def index
    @accounts = load_accounts
    render json: @accounts, each_serializer: REST::AccountSerializer
--- a/app/controllers/api/v1/statuses/reblogs_controller.rb
+++ b/app/controllers/api/v1/statuses/reblogs_controller.rb
@ -7,10 +7,11 @@ class Api::V1::Statuses::ReblogsController < Api::BaseController
  before_action :require_user!
  before_action :set_reblog
-  respond_to :json
+  override_rate_limit_headers :create, family: :statuses
  def create
    @status = ReblogService.new.call(current_account, @reblog, reblog_params)
    render json: @status, serializer: REST::StatusSerializer
  end
--- a/app/controllers/api/v1/statuses_controller.rb
+++ b/app/controllers/api/v1/statuses_controller.rb
@ -7,8 +7,9 @@ class Api::V1::StatusesController < Api::BaseController
  before_action -> { doorkeeper_authorize! :write, :'write:statuses' }, only:   [:create, :destroy]
  before_action :require_user!, except:  [:show, :context]
  before_action :set_status, only:       [:show, :context]
  before_action :set_thread, only:       [:create]
-  respond_to :json
+  override_rate_limit_headers :create, family: :statuses
  # This API was originally unlimited, pagination cannot be introduced without
  # breaking backwards-compatibility. Arbitrarily high number to cover most
@ -36,7 +37,7 @@ class Api::V1::StatusesController < Api::BaseController
  def create
    @status = PostStatusService.new.call(current_user.account,
                                         text: status_params[:status],
-                                         thread: status_params[:in_reply_to_id].blank? ? nil : Status.find(status_params[:in_reply_to_id]),
+                                         thread: @thread,
                                         media_ids: status_params[:media_ids],
                                         sensitive: status_params[:sensitive],
                                         spoiler_text: status_params[:spoiler_text],
@ -44,7 +45,8 @@ class Api::V1::StatusesController < Api::BaseController
                                         scheduled_at: status_params[:scheduled_at],
                                         application: doorkeeper_token.application,
                                         poll: status_params[:poll],
-                                         idempotency: request.headers['Idempotency-Key'])
+                                         idempotency: request.headers['Idempotency-Key'],
                                         with_rate_limit: true)
    render json: @status, serializer: @status.is_a?(ScheduledStatus) ? REST::ScheduledStatusSerializer : REST::StatusSerializer
  end
@ -65,7 +67,13 @@ class Api::V1::StatusesController < Api::BaseController
    @status = Status.find(params[:id])
    authorize @status, :show?
  rescue Mastodon::NotPermittedError
-    raise ActiveRecord::RecordNotFound
+    not_found
  end
  def set_thread
    @thread = status_params[:in_reply_to_id].blank? ? nil : Status.find(status_params[:in_reply_to_id])
  rescue ActiveRecord::RecordNotFound
    render json: { error: I18n.t('statuses.errors.in_reply_not_found') }, status: 404
  end
  def status_params
--- a/app/controllers/api/v1/streaming_controller.rb
+++ b/app/controllers/api/v1/streaming_controller.rb
@ -1,8 +1,6 @@
 # frozen_string_literal: true
 class Api::V1::StreamingController < Api::BaseController
  respond_to :json
  def index
    if Rails.configuration.x.streaming_api_base_url != request.host
      redirect_to streaming_api_url, status: 301
--- a/app/controllers/api/v1/suggestions_controller.rb
+++ b/app/controllers/api/v1/suggestions_controller.rb
@ -7,8 +7,6 @@ class Api::V1::SuggestionsController < Api::BaseController
  before_action :require_user!
  before_action :set_accounts
  respond_to :json
  def index
    render json: @accounts, each_serializer: REST::AccountSerializer
  end
--- a/app/controllers/api/v1/timelines/home_controller.rb
+++ b/app/controllers/api/v1/timelines/home_controller.rb
@ -5,8 +5,6 @@ class Api::V1::Timelines::HomeController < Api::BaseController
  before_action :require_user!, only: [:show]
  after_action :insert_pagination_headers, unless: -> { @statuses.empty? }
  respond_to :json
  def show
    @statuses = load_statuses
--- a/app/controllers/api/v1/timelines/public_controller.rb
+++ b/app/controllers/api/v1/timelines/public_controller.rb
@ -4,8 +4,6 @@ class Api::V1::Timelines::PublicController < Api::BaseController
  before_action :require_user!, only: [:show], if: :require_auth?
  after_action :insert_pagination_headers, unless: -> { @statuses.empty? }
  respond_to :json
  def show
    @statuses = load_statuses
    render json: @statuses, each_serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new(@statuses, current_user&.account_id)
@ -41,7 +39,7 @@ class Api::V1::Timelines::PublicController < Api::BaseController
  end
  def public_timeline_statuses
-    Status.as_public_timeline(current_account, truthy_param?(:local))
+    Status.as_public_timeline(current_account, truthy_param?(:remote) ? :remote : truthy_param?(:local))
  end
  def insert_pagination_headers
@ -49,7 +47,7 @@ class Api::V1::Timelines::PublicController < Api::BaseController
  end
  def pagination_params(core_params)
-    params.slice(:local, :limit, :only_media).permit(:local, :limit, :only_media).merge(core_params)
+    params.slice(:local, :remote, :limit, :only_media).permit(:local, :remote, :limit, :only_media).merge(core_params)
  end
  def next_path
--- a/app/controllers/api/v1/timelines/tag_controller.rb
+++ b/app/controllers/api/v1/timelines/tag_controller.rb
@ -4,8 +4,6 @@ class Api::V1::Timelines::TagController < Api::BaseController
  before_action :load_tag
  after_action :insert_pagination_headers, unless: -> { @statuses.empty? }
  respond_to :json
  def show
    @statuses = load_statuses
    render json: @statuses, each_serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new(@statuses, current_user&.account_id)
--- a/app/controllers/api/v1/trends_controller.rb
+++ b/app/controllers/api/v1/trends_controller.rb
@ -3,8 +3,6 @@
 class Api::V1::TrendsController < Api::BaseController
  before_action :set_tags
  respond_to :json
  def index
    render json: @tags, each_serializer: REST::TagSerializer
  end
--- a/app/controllers/api/v2/media_controller.rb
+++ b/app/controllers/api/v2/media_controller.rb
@ -0,0 +1,12 @@
 # frozen_string_literal: true
 class Api::V2::MediaController < Api::V1::MediaController
  def create
    @media_attachment = current_account.media_attachments.create!({ delay_processing: true }.merge(media_attachment_params))
    render json: @media_attachment, serializer: REST::MediaAttachmentSerializer, status: 202
  rescue Paperclip::Errors::NotIdentifiedByImageMagickError
    render json: file_type_error, status: 422
  rescue Paperclip::Error
    render json: processing_error, status: 500
  end
 end
--- a/app/controllers/api/v2/search_controller.rb
+++ b/app/controllers/api/v2/search_controller.rb
@ -8,8 +8,6 @@ class Api::V2::SearchController < Api::BaseController
  before_action -> { doorkeeper_authorize! :read, :'read:search' }
  before_action :require_user!
  respond_to :json
  def index
    @search = Search.new(search_results)
    render json: @search, serializer: REST::SearchSerializer
--- a/app/controllers/api/web/embeds_controller.rb
+++ b/app/controllers/api/web/embeds_controller.rb
@ -1,8 +1,6 @@
 # frozen_string_literal: true
 class Api::Web::EmbedsController < Api::Web::BaseController
  respond_to :json
  before_action :require_user!
  def create
--- a/app/controllers/api/web/push_subscriptions_controller.rb
+++ b/app/controllers/api/web/push_subscriptions_controller.rb
@ -1,8 +1,6 @@
 # frozen_string_literal: true
 class Api::Web::PushSubscriptionsController < Api::Web::BaseController
  respond_to :json
  before_action :require_user!
  def create
--- a/app/controllers/api/web/settings_controller.rb
+++ b/app/controllers/api/web/settings_controller.rb
@ -1,8 +1,6 @@
 # frozen_string_literal: true
 class Api::Web::SettingsController < Api::Web::BaseController
  respond_to :json
  before_action :require_user!
  def update
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -29,6 +29,7 @@ class ApplicationController < ActionController::Base
  rescue_from Mastodon::NotPermittedError, with: :forbidden
  rescue_from HTTP::Error, OpenSSL::SSL::SSLError, with: :internal_server_error
  rescue_from Mastodon::RaceConditionError, with: :service_unavailable
  rescue_from Mastodon::RateLimitExceededError, with: :too_many_requests
  before_action :store_current_location, except: :raise_not_found, unless: :devise_controller?
  before_action :require_functional!, if: :user_signed_in?
@ -111,6 +112,10 @@ class ApplicationController < ActionController::Base
    respond_with_error(503)
  end
  def too_many_requests
    respond_with_error(429)
  end
  def single_user_mode?
    @single_user_mode ||= Rails.configuration.x.single_user_mode && Account.where('id > 0').exists?
  end
--- a/app/controllers/auth/passwords_controller.rb
+++ b/app/controllers/auth/passwords_controller.rb
@ -8,7 +8,10 @@ class Auth::PasswordsController < Devise::PasswordsController
  def update
    super do |resource|
-      resource.session_activations.destroy_all if resource.errors.empty?
+      if resource.errors.empty?
        resource.session_activations.destroy_all
        resource.forget_me!
      end
    end
  end
--- a/app/controllers/auth/registrations_controller.rb
+++ b/app/controllers/auth/registrations_controller.rb
@ -1,6 +1,8 @@
 # frozen_string_literal: true
 class Auth::RegistrationsController < Devise::RegistrationsController
  include Devise::Controllers::Rememberable
  layout :determine_layout
  before_action :set_invite, only: [:new, :create]
@ -24,7 +26,11 @@ class Auth::RegistrationsController < Devise::RegistrationsController
  def update
    super do |resource|
-      resource.clear_other_sessions(current_session.session_id) if resource.saved_change_to_encrypted_password?
+      if resource.saved_change_to_encrypted_password?
        resource.clear_other_sessions(current_session.session_id)
        resource.forget_me!
        remember_me(resource)
      end
    end
  end
--- a/app/controllers/auth/sessions_controller.rb
+++ b/app/controllers/auth/sessions_controller.rb
@ -111,6 +111,13 @@ class Auth::SessionsController < Devise::SessionsController
    render :two_factor
  end
  def require_no_authentication
    super
    # Delete flash message that isn't entirely useful and may be confusing in
    # most cases because /web doesn't display/clear flash messages.
    flash.delete(:alert) if flash[:alert] == I18n.t('devise.failure.already_authenticated')
  end
  private
  def set_instance_presenter
--- a/app/controllers/authorize_interactions_controller.rb
+++ b/app/controllers/authorize_interactions_controller.rb
@ -20,7 +20,7 @@ class AuthorizeInteractionsController < ApplicationController
  end
  def create
-    if @resource.is_a?(Account) && FollowService.new.call(current_account, @resource)
+    if @resource.is_a?(Account) && FollowService.new.call(current_account, @resource, with_rate_limit: true)
      render :success
    else
      render :error
--- a/app/controllers/concerns/localized.rb
+++ b/app/controllers/concerns/localized.rb
@ -28,18 +28,6 @@ module Localized
  end
  def request_locale
-    preferred_locale || compatible_locale
+    http_accept_language.language_region_compatible_from(I18n.available_locales)
  end
  def preferred_locale
    http_accept_language.preferred_language_from(available_locales)
  end
  def compatible_locale
    http_accept_language.compatible_language_from(available_locales)
  end
  def available_locales
    I18n.available_locales.reverse
  end
 end
--- a/app/controllers/concerns/rate_limit_headers.rb
+++ b/app/controllers/concerns/rate_limit_headers.rb
@ -3,6 +3,20 @@
 module RateLimitHeaders
  extend ActiveSupport::Concern
  class_methods do
    def override_rate_limit_headers(method_name, options = {})
      around_action(only: method_name, if: :current_account) do |_controller, block|
        begin
          block.call
        ensure
          rate_limiter = RateLimiter.new(current_account, options)
          rate_limit_headers = rate_limiter.to_headers
          response.headers.merge!(rate_limit_headers) unless response.headers['X-RateLimit-Remaining'].present? && rate_limit_headers['X-RateLimit-Remaining'].to_i > response.headers['X-RateLimit-Remaining'].to_i
        end
      end
    end
  end
  included do
    before_action :set_rate_limit_headers, if: :rate_limited_request?
  end
@ -44,7 +58,7 @@ module RateLimitHeaders
  end
  def api_throttle_data
-    most_limited_type, = request.env['rack.attack.throttle_data'].min_by { |_, v| v[:limit] }
+    most_limited_type, = request.env['rack.attack.throttle_data'].min_by { |_, v| v[:limit] - v[:count] }
    request.env['rack.attack.throttle_data'][most_limited_type]
  end
--- a/app/controllers/follower_accounts_controller.rb
+++ b/app/controllers/follower_accounts_controller.rb
@ -28,7 +28,8 @@ class FollowerAccountsController < ApplicationController
        render json: collection_presenter,
               serializer: ActivityPub::CollectionSerializer,
               adapter: ActivityPub::Adapter,
-               content_type: 'application/activity+json'
+               content_type: 'application/activity+json',
               fields: restrict_fields_to
      end
    end
  end
@ -71,4 +72,12 @@ class FollowerAccountsController < ApplicationController
      )
    end
  end
  def restrict_fields_to
    if page_requested? || !@account.user_hides_network?
      # Return all fields
    else
      %i(id type totalItems)
    end
  end
 end
--- a/app/controllers/following_accounts_controller.rb
+++ b/app/controllers/following_accounts_controller.rb
@ -28,7 +28,8 @@ class FollowingAccountsController < ApplicationController
        render json: collection_presenter,
               serializer: ActivityPub::CollectionSerializer,
               adapter: ActivityPub::Adapter,
-               content_type: 'application/activity+json'
+               content_type: 'application/activity+json',
               fields: restrict_fields_to
      end
    end
  end
@ -71,4 +72,12 @@ class FollowingAccountsController < ApplicationController
      )
    end
  end
  def restrict_fields_to
    if page_requested? || !@account.user_hides_network?
      # Return all fields
    else
      %i(id type totalItems)
    end
  end
 end
--- a/app/controllers/home_controller.rb
+++ b/app/controllers/home_controller.rb
@ -1,6 +1,7 @@
 # frozen_string_literal: true
 class HomeController < ApplicationController
  before_action :redirect_unauthenticated_to_permalinks!
  before_action :authenticate_user!
  before_action :set_referrer_policy_header
@ -10,7 +11,7 @@ class HomeController < ApplicationController
  private
-  def authenticate_user!
+  def redirect_unauthenticated_to_permalinks!
    return if user_signed_in?
    matches = request.path.match(/\A\/web\/(statuses|accounts)\/([\d]+)\z/)
@ -35,6 +36,7 @@ class HomeController < ApplicationController
    end
    matches = request.path.match(%r{\A/web/timelines/tag/(?<tag>.+)\z})
    redirect_to(matches ? tag_path(CGI.unescape(matches[:tag])) : default_redirect_path)
  end
--- a/app/controllers/media_controller.rb
+++ b/app/controllers/media_controller.rb
@ -33,7 +33,7 @@ class MediaController < ApplicationController
  def verify_permitted_status!
    authorize @media_attachment.status, :show?
  rescue Mastodon::NotPermittedError
-    raise ActiveRecord::RecordNotFound
+    not_found
  end
  def check_playable
--- a/app/controllers/media_proxy_controller.rb
+++ b/app/controllers/media_proxy_controller.rb
@ -2,6 +2,7 @@
 class MediaProxyController < ApplicationController
  include RoutingHelper
  include Authorization
  skip_before_action :store_current_location
  skip_before_action :require_functional!
@ -10,12 +11,14 @@ class MediaProxyController < ApplicationController
  rescue_from ActiveRecord::RecordInvalid, with: :not_found
  rescue_from Mastodon::UnexpectedResponseError, with: :not_found
  rescue_from Mastodon::NotPermittedError, with: :not_found
  rescue_from HTTP::TimeoutError, HTTP::ConnectionError, OpenSSL::SSL::SSLError, with: :internal_server_error
  def show
    RedisLock.acquire(lock_options) do |lock|
      if lock.acquired?
-        @media_attachment = MediaAttachment.remote.find(params[:id])
+        @media_attachment = MediaAttachment.remote.attached.find(params[:id])
        authorize @media_attachment.status, :show?
        redownload! if @media_attachment.needs_redownload? && !reject_media?
      else
        raise Mastodon::RaceConditionError
--- a/app/controllers/remote_interaction_controller.rb
+++ b/app/controllers/remote_interaction_controller.rb
@ -41,7 +41,7 @@ class RemoteInteractionController < ApplicationController
    @status = Status.find(params[:id])
    authorize @status, :show?
  rescue Mastodon::NotPermittedError
-    raise ActiveRecord::RecordNotFound
+    not_found
  end
  def set_body_classes
--- a/app/controllers/settings/identity_proofs_controller.rb
+++ b/app/controllers/settings/identity_proofs_controller.rb
@ -21,8 +21,7 @@ class Settings::IdentityProofsController < Settings::BaseController
    if current_account.username.casecmp(params[:username]).zero?
      render layout: 'auth'
    else
-      flash[:alert] = I18n.t('identity_proofs.errors.wrong_user', proving: params[:username], current: current_account.username)
+      redirect_to settings_identity_proofs_path, alert: I18n.t('identity_proofs.errors.wrong_user', proving: params[:username], current: current_account.username)
      redirect_to settings_identity_proofs_path
    end
  end
@ -34,11 +33,16 @@ class Settings::IdentityProofsController < Settings::BaseController
      PostStatusService.new.call(current_user.account, text: post_params[:status_text]) if publish_proof?
      redirect_to @proof.on_success_path(params[:user_agent])
    else
-      flash[:alert] = I18n.t('identity_proofs.errors.failed', provider: @proof.provider.capitalize)
+      redirect_to settings_identity_proofs_path, alert: I18n.t('identity_proofs.errors.failed', provider: @proof.provider.capitalize)
      redirect_to settings_identity_proofs_path
    end
  end
  def destroy
    @proof = current_account.identity_proofs.find(params[:id])
    @proof.destroy!
    redirect_to settings_identity_proofs_path, success: I18n.t('identity_proofs.removed')
  end
  private
  def check_required_params
--- a/app/controllers/settings/imports_controller.rb
+++ b/app/controllers/settings/imports_controller.rb
@ -29,6 +29,6 @@ class Settings::ImportsController < Settings::BaseController
  end
  def import_params
-    params.require(:import).permit(:data, :type)
+    params.require(:import).permit(:data, :type, :mode)
  end
 end
--- a/app/controllers/settings/pictures_controller.rb
+++ b/app/controllers/settings/pictures_controller.rb
@ -0,0 +1,37 @@
 # frozen_string_literal: true
 module Settings
  class PicturesController < BaseController
    before_action :authenticate_user!
    before_action :set_account
    before_action :set_picture
    def destroy
      if valid_picture
        account_params = {
          @picture => nil,
          (@picture + '_remote_url') => nil,
        }
        msg = UpdateAccountService.new.call(@account, account_params) ? I18n.t('generic.changes_saved_msg') : nil
        redirect_to settings_profile_path, notice: msg, status: 303
      else
        bad_request
      end
    end
    private
    def set_account
      @account = current_account
    end
    def set_picture
      @picture = params[:id]
    end
    def valid_picture
      @picture == 'avatar' || @picture == 'header'
    end
  end
 end
--- a/app/controllers/statuses_controller.rb
+++ b/app/controllers/statuses_controller.rb
@ -46,7 +46,7 @@ class StatusesController < ApplicationController
  end
  def embed
-    return not_found if @status.hidden?
+    return not_found if @status.hidden? || @status.reblog?
    expires_in 180, public: true
    response.headers['X-Frame-Options'] = 'ALLOWALL'
--- a/app/controllers/tags_controller.rb
+++ b/app/controllers/tags_controller.rb
@ -10,6 +10,7 @@ class TagsController < ApplicationController
  before_action :require_signature!, if: -> { request.format == :json && authorized_fetch_mode? }
  before_action :authenticate_user!, if: :whitelist_mode?
  before_action :set_tag
  before_action :set_local
  before_action :set_body_classes
  before_action :set_instance_presenter
@ -24,7 +25,7 @@ class TagsController < ApplicationController
      format.rss do
        expires_in 0, public: true
-        @statuses = HashtagQueryService.new.call(@tag, filter_params).limit(PAGE_SIZE)
+        @statuses = HashtagQueryService.new.call(@tag, filter_params, nil, @local).limit(PAGE_SIZE)
        @statuses = cache_collection(@statuses, Status)
        render xml: RSS::TagSerializer.render(@tag, @statuses)
@ -33,7 +34,7 @@ class TagsController < ApplicationController
      format.json do
        expires_in 3.minutes, public: public_fetch_mode?
-        @statuses = HashtagQueryService.new.call(@tag, filter_params, current_account, params[:local]).paginate_by_max_id(PAGE_SIZE, params[:max_id])
+        @statuses = HashtagQueryService.new.call(@tag, filter_params, current_account, @local).paginate_by_max_id(PAGE_SIZE, params[:max_id])
        @statuses = cache_collection(@statuses, Status)
        render json: collection_presenter, serializer: ActivityPub::CollectionSerializer, adapter: ActivityPub::Adapter, content_type: 'application/activity+json'
@ -47,6 +48,10 @@ class TagsController < ApplicationController
    @tag = Tag.usable.find_normalized!(params[:id])
  end
  def set_local
    @local = truthy_param?(:local)
  end
  def set_body_classes
    @body_classes = 'with-modals'
  end
--- a/app/helpers/admin/action_logs_helper.rb
+++ b/app/helpers/admin/action_logs_helper.rb
@ -9,79 +9,8 @@ module Admin::ActionLogsHelper
    end
  end
  def relevant_log_changes(log)
    if log.target_type == 'CustomEmoji' && [:enable, :disable, :destroy].include?(log.action)
      log.recorded_changes.slice('domain')
    elsif log.target_type == 'CustomEmoji' && log.action == :update
      log.recorded_changes.slice('domain', 'visible_in_picker')
    elsif log.target_type == 'User' && [:promote, :demote].include?(log.action)
      log.recorded_changes.slice('moderator', 'admin')
    elsif log.target_type == 'User' && [:change_email].include?(log.action)
      log.recorded_changes.slice('email', 'unconfirmed_email')
    elsif log.target_type == 'DomainBlock'
      log.recorded_changes.slice('severity', 'reject_media')
    elsif log.target_type == 'Status' && log.action == :update
      log.recorded_changes.slice('sensitive')
    elsif log.target_type == 'Announcement' && log.action == :update
      log.recorded_changes.slice('text', 'starts_at', 'ends_at', 'all_day')
    end
  end
  def log_extra_attributes(hash)
    safe_join(hash.to_a.map { |key, value| safe_join([content_tag(:span, key, class: 'diff-key'), '=', log_change(value)]) }, ' ')
  end
  def log_change(val)
    return content_tag(:span, val, class: 'diff-neutral') unless val.is_a?(Array)
    safe_join([content_tag(:span, val.first, class: 'diff-old'), content_tag(:span, val.last, class: 'diff-new')], '→')
  end
  def icon_for_log(log)
    case log.target_type
    when 'Account', 'User'
      'user'
    when 'CustomEmoji'
      'file'
    when 'Report'
      'flag'
    when 'DomainBlock'
      'lock'
    when 'DomainAllow'
      'plus-circle'
    when 'EmailDomainBlock'
      'envelope'
    when 'Status'
      'pencil'
    when 'AccountWarning'
      'warning'
    when 'Announcement'
      'bullhorn'
    end
  end
  def class_for_log_icon(log)
    case log.action
    when :enable, :unsuspend, :unsilence, :confirm, :promote, :resolve
      'positive'
    when :create
      opposite_verbs?(log) ? 'negative' : 'positive'
    when :update, :reset_password, :disable_2fa, :memorialize, :change_email
      'neutral'
    when :demote, :silence, :disable, :suspend, :remove_avatar, :remove_header, :reopen
      'negative'
    when :destroy
      opposite_verbs?(log) ? 'positive' : 'negative'
    else
      ''
    end
  end
  private
  def opposite_verbs?(log)
    %w(DomainBlock EmailDomainBlock AccountWarning).include?(log.target_type)
  end
  def linkable_log_target(record)
    case record.class.name
    when 'Account'
@ -99,7 +28,7 @@ module Admin::ActionLogsHelper
    when 'AccountWarning'
      link_to record.target_account.acct, admin_account_path(record.target_account_id)
    when 'Announcement'
-      link_to "##{record.id}", edit_admin_announcement_path(record.id)
+      link_to truncate(record.text), edit_admin_announcement_path(record.id)
    end
  end
@ -118,7 +47,7 @@ module Admin::ActionLogsHelper
        I18n.t('admin.action_logs.deleted_status')
      end
    when 'Announcement'
-      "##{attributes['id']}"
+      truncate(attributes['text'].is_a?(Array) ? attributes['text'].last : attributes['text'])
    end
  end
 end
--- a/app/helpers/admin/filter_helper.rb
+++ b/app/helpers/admin/filter_helper.rb
@ -10,6 +10,7 @@ module Admin::FilterHelper
    InviteFilter::KEYS,
    RelationshipFilter::KEYS,
    AnnouncementFilter::KEYS,
    Admin::ActionLogFilter::KEYS,
  ].flatten.freeze
  def filter_link_to(text, link_to_params, link_class_params = link_to_params)
--- a/app/helpers/admin/settings_helper.rb
+++ b/app/helpers/admin/settings_helper.rb
@ -0,0 +1,11 @@
 # frozen_string_literal: true
 module Admin::SettingsHelper
  def site_upload_delete_hint(hint, var)
    upload = SiteUpload.find_by(var: var.to_s)
    return hint unless upload
    link = link_to t('admin.site_uploads.delete'), admin_site_upload_path(upload), data: { method: :delete }
    safe_join([hint, link], '<br/>'.html_safe)
  end
 end
--- a/app/helpers/home_helper.rb
+++ b/app/helpers/home_helper.rb
@ -7,13 +7,13 @@ module HomeHelper
    }
  end
-  def account_link_to(account, button = '', size: 36, path: nil)
+  def account_link_to(account, button = '', path: nil)
    content_tag(:div, class: 'account') do
      content_tag(:div, class: 'account__wrapper') do
        section = if account.nil?
                    content_tag(:div, class: 'account__display-name') do
                      content_tag(:div, class: 'account__avatar-wrapper') do
-                        content_tag(:div, '', class: 'account__avatar', style: "width: #{size}px; height: #{size}px; background-size: #{size}px #{size}px; background-image: url(#{full_asset_url('avatars/original/missing.png', skip_pipeline: true)})")
+                        image_tag(full_asset_url('avatars/original/missing.png', skip_pipeline: true), class: 'account__avatar')
                      end +
                        content_tag(:span, class: 'display-name') do
                          content_tag(:strong, t('about.contact_missing')) +
@ -23,7 +23,7 @@ module HomeHelper
                  else
                    link_to(path || ActivityPub::TagManager.instance.url_for(account), class: 'account__display-name') do
                      content_tag(:div, class: 'account__avatar-wrapper') do
-                        content_tag(:div, '', class: 'account__avatar', style: "width: #{size}px; height: #{size}px; background-size: #{size}px #{size}px; background-image: url(#{full_asset_url(current_account&.user&.setting_auto_play_gif ? account.avatar_original_url : account.avatar_static_url)})")
+                        image_tag(full_asset_url(current_account&.user&.setting_auto_play_gif ? account.avatar_original_url : account.avatar_static_url), class: 'account__avatar')
                      end +
                        content_tag(:span, class: 'display-name') do
                          content_tag(:bdi) do
--- a/app/helpers/settings_helper.rb
+++ b/app/helpers/settings_helper.rb
@ -68,6 +68,7 @@ module SettingsHelper
    tr: 'Türkçe',
    uk: 'Українська',
    ur: 'اُردُو',
    vi: 'Tiếng Việt',
    'zh-CN': '简体中文',
    'zh-HK': '繁體中文（香港）',
    'zh-TW': '繁體中文（臺灣）',
@ -105,4 +106,13 @@ module SettingsHelper
      safe_join([image_tag(account.avatar.url, width: 15, height: 15, alt: display_name(account), class: 'avatar'), content_tag(:span, account.acct, class: 'username')], ' ')
    end
  end
  def picture_hint(hint, picture)
    if picture.original_filename.nil?
      hint
    else
      link = link_to t('generic.delete'), settings_profile_picture_path(picture.name.to_s), data: { method: :delete }
      safe_join([hint, link], '<br/>'.html_safe)
    end
  end
 end
--- a/app/helpers/webfinger_helper.rb
+++ b/app/helpers/webfinger_helper.rb
@ -0,0 +1,19 @@
 # frozen_string_literal: true
 module WebfingerHelper
  def webfinger!(uri)
    hidden_service_uri = /\.(onion|i2p)(:\d+)?$/.match(uri)
    raise Mastodon::HostValidationError, 'Instance does not support hidden service connections' if !Rails.configuration.x.access_to_hidden_service && hidden_service_uri
    opts = {
      ssl: !hidden_service_uri,
      headers: {
        'User-Agent': Mastodon::Version.user_agent,
      },
    }
    Goldfinger::Client.new(uri, opts.merge(Rails.configuration.x.http_client_proxy)).finger
  end
 end
--- a/app/javascript/images/logo_transparent_white.svg
+++ b/app/javascript/images/logo_transparent_white.svg
@ -0,0 +1 @@
 <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 216.4144 232.00976"><path d="M107.86523 0C78.203984.2425 49.672422 3.4535937 33.044922 11.089844c0 0-32.97656262 14.752031-32.97656262 65.082031 0 11.525-.224375 25.306175.140625 39.919925 1.19750002 49.22 9.02375002 97.72843 54.53124962 109.77343 20.9825 5.55375 38.99711 6.71547 53.505856 5.91797 26.31125-1.45875 41.08203-9.38867 41.08203-9.38867l-.86914-19.08984s-18.80171 5.92758-39.91796 5.20508c-20.921254-.7175-43.006879-2.25516-46.390629-27.94141-.3125-2.25625-.46875-4.66938-.46875-7.20313 0 0 20.536953 5.0204 46.564449 6.21289 15.915.73001 30.8393-.93343 45.99805-2.74218 29.07-3.47125 54.38125-21.3818 57.5625-37.74805 5.0125-25.78125 4.59961-62.916015 4.59961-62.916015 0-50.33-32.97461-65.082031-32.97461-65.082031C166.80539 3.4535938 138.255.2425 108.59375 0h-.72852zM74.296875 39.326172c12.355 0 21.710234 4.749297 27.896485 14.248047l6.01367 10.080078 6.01563-10.080078c6.185-9.49875 15.54023-14.248047 27.89648-14.248047 10.6775 0 19.28156 3.753672 25.85156 11.076172 6.36875 7.3225 9.53907 17.218828 9.53907 29.673828v60.941408h-24.14454V81.869141c0-12.46875-5.24453-18.798829-15.73828-18.798829-11.6025 0-17.41797 7.508516-17.41797 22.353516v32.375002H96.207031V85.423828c0-14.845-5.815468-22.353515-17.417969-22.353516-10.49375 0-15.740234 6.330079-15.740234 18.798829v59.148439H38.904297V80.076172c0-12.455 3.171016-22.351328 9.541015-29.673828 6.568751-7.3225 15.172813-11.076172 25.851563-11.076172z" fill="#fff"/></svg>
--- a/Show More
+++ b/Show More
		`@ -0,0 +1 @@`
							<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 216.4144 232.00976"><path d="M107.86523 0C78.203984.2425 49.672422 3.4535937 33.044922 11.089844c0 0-32.97656262 14.752031-32.97656262 65.082031 0 11.525-.224375 25.306175.140625 39.919925 1.19750002 49.22 9.02375002 97.72843 54.53124962 109.77343 20.9825 5.55375 38.99711 6.71547 53.505856 5.91797 26.31125-1.45875 41.08203-9.38867 41.08203-9.38867l-.86914-19.08984s-18.80171 5.92758-39.91796 5.20508c-20.921254-.7175-43.006879-2.25516-46.390629-27.94141-.3125-2.25625-.46875-4.66938-.46875-7.20313 0 0 20.536953 5.0204 46.564449 6.21289 15.915.73001 30.8393-.93343 45.99805-2.74218 29.07-3.47125 54.38125-21.3818 57.5625-37.74805 5.0125-25.78125 4.59961-62.916015 4.59961-62.916015 0-50.33-32.97461-65.082031-32.97461-65.082031C166.80539 3.4535938 138.255.2425 108.59375 0h-.72852zM74.296875 39.326172c12.355 0 21.710234 4.749297 27.896485 14.248047l6.01367 10.080078 6.01563-10.080078c6.185-9.49875 15.54023-14.248047 27.89648-14.248047 10.6775 0 19.28156 3.753672 25.85156 11.076172 6.36875 7.3225 9.53907 17.218828 9.53907 29.673828v60.941408h-24.14454V81.869141c0-12.46875-5.24453-18.798829-15.73828-18.798829-11.6025 0-17.41797 7.508516-17.41797 22.353516v32.375002H96.207031V85.423828c0-14.845-5.815468-22.353515-17.417969-22.353516-10.49375 0-15.740234 6.330079-15.740234 18.798829v59.148439H38.904297V80.076172c0-12.455 3.171016-22.351328 9.541015-29.673828 6.568751-7.3225 15.172813-11.076172 25.851563-11.076172z" fill="#fff"/></svg>