From 94153792ba880edf7faa0d3252c12030e99fe5f9 Mon Sep 17 00:00:00 2001 From: Mike Date: Wed, 9 Oct 2024 13:44:30 +1100 Subject: [PATCH] Cleanup from skipped versions --- CHANGELOG.md | 79 ++++++++++++++++++++++++++++++++++++++++++---- streaming/index.js | 1 - 2 files changed, 73 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a3a28c888..566c47435 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,8 @@ The following changelog entries focus on changes visible to users, administrator ### Security +- **Add confirmation interstitial instead of silently redirecting logged-out visitors to remote resources** (#27792, #28902, and #30651 by @ClearlyClaire and @Gargron)\ + This fixes a longstanding open redirect in Mastodon, at the cost of added friction when local links to remote resources are shared. - Fix ReDoS vulnerability on some Ruby versions ([GHSA-jpxp-r43f-rhvx](https://github.com/mastodon/mastodon/security/advisories/GHSA-jpxp-r43f-rhvx)) - Change `form-action` Content-Security-Policy directive to be more restrictive (#26897 and #32241 by @ClearlyClaire) - Update dependencies 
@@ -201,14 +203,79 @@ The following changelog entries focus on changes visible to users, administrator - Change cursor to `not-allowed` on disabled buttons (#32076 by @mjankowski) - Change OAuth authorization prompt to not refer to apps as “third-party” (#32005 by @Gargron) - Change Mastodon to issue correct HTTP signatures by default (#31994 by @ClearlyClaire) +- Change zoom icon in web UI (#29683 by @Gargron) +- Change directory page to use URL query strings for options (#31980, #31977 and #31984 by @ClearlyClaire and @renchap) +- Change report action buttons to be disabled when action has already been taken (#31773, #31822, and #31899 by @ClearlyClaire and @ThisIsMissEm) +- Change width of columns in advanced web UI (#31762 by @Gargron) +- Change design of unread conversations in web UI (#31763 by @Gargron) +- Change Web UI to allow viewing and severing relationships with suspended accounts (#27667 by @ClearlyClaire)\ + This also adds a `with_suspended` parameter to `GET /api/v1/accounts/relationships` in the REST API. 
+- Change preview card image size limit from 2MB to 8MB when using libvips (#31904 by @ClearlyClaire) +- Change avatars border radius (#31390 by @renchap) +- Change counters to be displayed on profile timelines in web UI (#30525 by @Gargron) +- Change disabled buttons color in light mode to make the difference more visible (#30998 by @renchap) +- Change design of people tab on explore in web UI (#30059 by @Gargron) +- Change sidebar text in web UI (#30696 by @Gargron) +- Change "Follow" to "Follow back" and "Mutual" when appropriate in web UI (#28452, #28465, and #31934 by @ClearlyClaire, @Gargron and @renchap) +- Change media to be hidden/blurred by default in report modal (#28522 by @ClearlyClaire) +- Change order of the "muting" and "blocking" list options in “Data Exports” (#26088 by @fixermark) +- Change admin and moderation notes character limit from 500 to 2000 characters (#30288 by @ThisIsMissEm) +- Change mute options to be in dropdown on muted users list in web UI (#30049 and #31315 by @ClearlyClaire and @Gargron) +- Change out-of-band hashtags design in web UI (#29732 by @Gargron) +- Change design of metadata underneath detailed posts in web UI (#29585, #29605, and #29648 by @ClearlyClaire and @Gargron) +- Change action button to be last on profiles in web UI (#29533 and #29923 by @ClearlyClaire and @Gargron) +- Change confirmation prompts in trending moderation interface to be more specific (#19626 by @tribela) +- Change “Trends” moderation menu to “Recommendations & Trends” and move follow recommendations there (#31292 by @ThisIsMissEm) +- Change irrelevant fields in account cleanup settings to be disabled unless automatic cleanup is enabled (#26562 by @c960657) +- Change dropdown menu icon to not be replaced by close icon when open in web UI (#29532 by @Gargron) +- Change back button to always appear in advanced web UI (#29551 and #29669 by @Gargron) +- Change border of active compose field search inputs (#29832 and #29839 by @vmstan) +- Change 
instances of Nokogiri HTML4 parsing to HTML5 (#31812, #31815, #31813, and #31814 by @flavorjones) +- Change link detection to allow `@` at the end of an URL (#31124 by @adamniedzielski) +- Change User-Agent to use Mastodon as the product, and http.rb as platform details (#31192 by @ClearlyClaire) +- Change layout and wording of the Content Retention server settings page (#27733 by @vmstan) +- Change unconfirmed users to be kept for one week instead of two days (#30285 by @renchap) +- Change maximum page size for Admin Domain Management APIs from 200 to 500 (#31253 by @ThisIsMissEm) +- Change database pool size to default to Sidekiq concurrency settings in Sidekiq processes (#26488 by @sinoru) +- Change alt text to empty string for avatars (#21875 by @jasminjohal) +- Change Docker images to use custom-built libvips and ffmpeg (#30571, #30569, and #31498 by @vmstan) +- Change external links in the admin audit log to plain text or local administration pages (#27139 and #27150 by @ClearlyClaire and @ThisIsMissEm) +- Change YJIT to be enabled when available (#30310 and #27283 by @ClearlyClaire and @mjankowski)\ + Enable Ruby's built-in just-in-time compiler. This improves performances substantially, at the cost of a slightly increased memory usage. +- Change `.env` file loading from deprecated `dotenv-rails` gem to `dotenv` gem (#29173 and #30121 by @mjankowski)\ + This should have no effect except in the unlikely case an environment variable included a newline. +- Change “Panjabi” language name to the more common spelling “Punjabi” (#27117 by @gunchleoc) +- Change encryption of OTP secrets to use ActiveRecord Encryption (#29831, #28325, #30151, #30202, #30340, and #30344 by @ClearlyClaire and @mjankowski)\ + This requires a manual step from administrators of existing servers. 
Indeed, they need to generate new secrets, which can be done using `bundle exec rails db:encryption:init`.\ + Furthermore, there is a risk that the introduced migration fails if the server was misconfigured in the past. If that happens, the migration error will include the relevant information. +- Change `/api/v1/announcements` to return regular `Status` entities (#26736 by @ClearlyClaire) +- Change imports to convert case-insensitive fields to lowercase (#29739 and #29740 by @ThisIsMissEm) +- Change stats in the admin interface to be inclusive of the full selected range, from beginning of day to end of day (#29416 and #29841 by @mjankowski) +- Change materialized views to be refreshed concurrently to avoid locks (#29015 by @Gargron) +- Change compose form to use server-provided post character and poll options limits (#28928 and #29490 by @ClearlyClaire and @renchap) +- Change streaming server logging from `npmlog` to `pino` and `pino-http` (#27828 by @ThisIsMissEm)\ + This changes the Mastodon streaming server log format, so this might be considered a breaking change if you were parsing the logs. +- Change media “ALT” label to use a specific CSS class (#28777 by @ClearlyClaire) +- Change streaming API host to not be overridden to localhost in development mode (#28557 by @ClearlyClaire) +- Change cookie rotator to use SHA1 digest for new cookies (#27392 by @ClearlyClaire)\ + Note that this requires that no pre-4.2.0 Mastodon web server is running when this code is deployed, as those would not understand the new cookies.\ + Therefore, zero-downtime updates are only supported if you're coming from 4.2.0 or newer. If you want to skip Mastodon 4.2, you will need to completely stop Mastodon services before updating. 
+- Change preview card deletes to be done using batch method (#28183 by @vmstan) +- Change `img-src` and `media-src` CSP directives to not include `https:` (#28025 and #28561 by @ClearlyClaire) +- Change self-destruct procedure (#26439, #29049, and #29420 by @ClearlyClaire and @zunda)\ + Instead of enqueuing deletion jobs immediately, `tootctl self-destruct` now outputs a value for the `SELF_DESTRUCT` environment variable, which puts a server in self-destruct mode, processing deletions in the background, while giving users access to their export archives. -### Fixed +### Removed -- Fix replies collection being cached improperly -- Fix security context sometimes not being added in LD-Signed activities (#31871 by @ClearlyClaire) -- Fix error when encountering reblog of deleted post in feed rebuild (#32001 by @ClearlyClaire) - -## [4.2.12] - 2024-08-19 +- Remove unused E2EE messaging code and related `crypto` OAuth scope (#31193, #31945, #31963, and #31964 by @ClearlyClaire and @mjankowski) +- Remove StatsD integration (replaced by OpenTelemetry) (#30240 by @mjankowski) +- Remove `CacheBuster` default options (#30718 by @mjankowski) +- Remove home marker updates from the Web UI (#22721 by @davbeck)\ + The web interface was unconditionally updating the home marker to the most recent received post, discarding any value set by other clients, thus making the feature unreliable. +- Remove support for Ruby 3.0 (reaching EOL) (#29702 by @mjankowski) +- Remove setting for unfollow confirmation modal (#29373 by @ClearlyClaire)\ + Instead, the unfollow confirmation modal will always be displayed. +- Remove support for Capistrano (#27295 and #30009 by @mjankowski and @renchap) ### Fixed diff --git a/streaming/index.js b/streaming/index.js index ca6402624..48ed56b29 100644 --- a/streaming/index.js +++ b/streaming/index.js 
@@ -825,7 +825,6 @@ const startServer = async () => { transmit(event, payload); } }).catch(err => { - releasePgConnection(); log.error(err); releasePgConnection(); });
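Review bot: In the CHANGELOG `### Security` hunk (`@@ -8,6 +8,8 @@`), the new open-redirect entry carries no advisory reference while the neighbouring ReDoS entry links its GHSA identifier; if an advisory was published for the redirect fix, link it the same way so administrators can cross-reference severity and affected versions. The PR list `#27792, #28902, and #30651` and the trailing `\` continuation follow the file's existing convention, so nothing to change there.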
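Review bot: In the `@@ -201,14 +203,79 @@` hunk, the three entries under the removed `### Fixed` header (replies collection caching, LD-Signed security context #31871, reblog of deleted post #32001) and the `## [4.2.12] - 2024-08-19` heading are deleted with no visible re-addition; please confirm they already appear in the `### Fixed` section that follows (the hunk's last context line) and in a surviving 4.2.12 section, otherwise those entries are lost. Two new entries carry operator-facing upgrade requirements that are easy to miss inside a long "Changed" list: the OTP-secret encryption change (`bundle exec rails db:encryption:init` must be run) and the cookie-rotator change (no pre-4.2.0 web server may be running when deployed); consider surfacing both in the release's upgrade notes. Minor wording: `This improves performances substantially` should read `performance`, `at the end of an URL` should read `a URL`, and `Change avatars border radius` should read `avatar`.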
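Review bot: In the `streaming/index.js` hunk, the `.catch` handler called `releasePgConnection()` twice and removing one is the right fix, but the retained call sits after `log.error(err)`, so a throwing logger would leave the connection unreturned to the pool; prefer keeping the earlier call (the removed line's position, before `log.error(err)`) and deleting the later one instead. This is also a runtime behaviour change rather than a changelog cleanup, yet neither the commit message nor the CHANGELOG hunks mention it; consider a `Fixed` entry or a sentence in the commit message.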