v4.3.0

@ClearlyClaire ClearlyClaire released this 08 Oct 12:22
· 213 commits to stable-4.3 since this release
ab36c15

Mastodon

Upgrade overview

This release contains upgrade notes that deviate from the norm:

‼️ Requires new encryption secrets environment variables
⚠️ The minimal supported version for PostgreSQL has been bumped to 12, and PostgreSQL versions 14.0 to 14.3 are not supported as they contain a critical data-corruption bug
⚠️ The minimal supported version for Ruby has been bumped to 3.1
⚠️ The minimal supported version for Node.js has been bumped to 18
⚠️ Requires rebuilding Elasticsearch accounts index
⚠️ We switched from yarn 1 to yarn 4, and recommend using corepack
⚠️ The Docker image has been split in two separate images
⚠️ Rolling updates from versions earlier than Mastodon 4.2 are not supported
⚠️ StatsD integration has been removed, replaced by OpenTelemetry integration
⚠️ ImageMagick is being deprecated and may be removed in a future version
ℹ️ Requires streaming API restart
ℹ️ Requires database migrations
ℹ️ The logging format of the streaming server has changed

For more information, view the complete release notes and scroll down to the upgrade instructions section.

Changelog

The following changelog entries focus on changes visible to users, administrators, client developers or federated software developers, but there has also been a lot of code modernization, refactoring, and tooling work, in particular by @mjankowski.

Security

  • Add confirmation interstitial instead of silently redirecting logged-out visitors to remote resources (#27792, #28902, and #30651 by @ClearlyClaire and @Gargron)
    This fixes a longstanding open redirect in Mastodon, at the cost of added friction when local links to remote resources are shared.
  • Fix ReDoS vulnerability on some Ruby versions (GHSA-jpxp-r43f-rhvx)
  • Change form-action Content-Security-Policy directive to be more restrictive (#26897 and #32241 by @ClearlyClaire)
  • Update dependencies

Added

Changed

Removed

Fixed

  • Fix link preview cards not always preserving the original URL from the status (#27312 by @Gargron)
  • Fix log out from user menu not working on Safari (#31402 by @renchap)
  • Fix various issues in link preview card generation (#28748, #30017, #30362, #30173, #30853, #30929, #30933, #30957, #30987, and #31144 by @adamniedzielski, @oneiros, @phocks, @timothyjrogers, and @tribela)
  • Fix handling of missing links in Webfinger responses (#31030 by @adamniedzielski)
  • Fix error when accepting an appeal for sensitive posts deleted in the meantime (#32037 by @ClearlyClaire)
  • Fix error when encountering reblog of deleted post in feed rebuild (#32001 by @ClearlyClaire)
  • Fix Safari browser glitch related to horizontal scrolling (#31960 by @Gargron)
  • Fix unresolvable mentions sometimes preventing processing incoming posts (#29215 by @tribela and @ClearlyClaire)
  • Fix too many requests caused by relationship look-ups in web UI (#32042 by @Gargron)
  • Fix links for reblogs in moderation interface (#31979 by @ClearlyClaire)
  • Fix the appearance of avatars when they do not load (#31966 and #32270 by @Gargron and @renchap)
  • Fix spurious error notifications for aborted requests in web UI (#31952 by @c960657)
  • Fix HTTP 500 error in /api/v1/polls/:id/votes when required choices parameter is missing (#25598 by @danielmbrasil)
  • Fix security context sometimes not being added in LD-Signed activities (#31871 by @ClearlyClaire)
  • Fix cross-origin loading of inert.css polyfill (#30687 by @louis77)
  • Fix wrapping in dashboard quick access buttons (#32043 by @renchap)
  • Fix recently used tags hint being displayed in profile edition page when there is none (#32120 by @mjankowski)
  • Fix checkbox lists on narrow screens in the settings interface (#32112 by @mjankowski)
  • Fix the position of status action buttons being affected by interaction counters (#32084 by @renchap)
  • Fix the summary of converted ActivityPub object types to be treated as HTML (#28629 by @Menrath)
  • Fix cutoff of instance name in sign-up form (#30598 by @oneiros)
  • Fix invalid date searches returning 503 errors (#31526 by @notchairmk)
  • Fix invalid visibility values in POST /api/v1/statuses returning 500 errors (#31571 by @c960657)
  • Fix some components re-rendering spuriously in web UI (#31879 and #31881 by @ClearlyClaire and @Gargron)
  • Fix sort order of moderation notes on Reports and Accounts (#31528 by @ThisIsMissEm)
  • Fix email language when recipient has no selected locale (#31747 by @ClearlyClaire)
  • Fix frequently-used languages not correctly updating in the web UI (#31386 by @c960657)
  • Fix POST /api/v1/statuses silently ignoring invalid media_ids parameter (#31681 by @c960657)
  • Fix handling of the BIND environment variable in the streaming server (#31624 by @ThisIsMissEm)
  • Fix empty aria-hidden attribute value in logo resources area (#30570 by @mjankowski)
  • Fix “Redirect URI” field not being marked as required in “New application” form (#30311 by @ThisIsMissEm)
  • Fix right-to-left text in preview cards (#30930 by @ClearlyClaire)
  • Fix rack attack match_type value typo in logging config (#30514 by @mjankowski)
  • Fix various cases of duplicate, missing, or inconsistent borders or scrollbar styles (#31068, #31286, #31268, #31275, #31284, #31305, #31346, #31372, #31373, #31389, #31432, #31391, #31445, #32091, #32147 and #32137 by @ClearlyClaire, @mjankowski, @valtlai and @vmstan)
  • Fix editing description of media uploads with custom thumbnails (#32221 by @ClearlyClaire)
  • Fix race condition in POST /api/v1/push/subscription (#30166 by @ClearlyClaire)
  • Fix post deletion not being delayed when those are part of an account warning (#30163 by @ClearlyClaire)
  • Fix rendering error on /start when not logged in (#30023 by @timothyjrogers)
  • Fix unneeded requests to blocked domains when receiving relayed signed activities from them (#31161 by @ClearlyClaire)
  • Fix logo pushing header buttons out of view on certain conditions in mobile layout (#29787 by @ClearlyClaire)
  • Fix notification-related records not being reattributed when merging accounts (#29694 by @ClearlyClaire)
  • Fix results/query in api/v1/featured_tags/suggestions (#29597 by @mjankowski)
  • Fix distracting and confusing always-showing scrollbar track in boost confirmation modal (#31524 by @ClearlyClaire)
  • Fix being able to upload more than 4 media attachments in some cases (#29183 by @mashirozx)
  • Fix preview card player getting embedded when clicking on the external link button (#29457 by @ClearlyClaire)
  • Fix full date display not respecting the locale 12/24h format (#29448 by @renchap)
  • Fix filters title and keywords overflow (#29396 by @GeopJr)
  • Fix incorrect date format in “Follows and followers” (#29390 by @JasonPunyon)
  • Fix navigation item active highlight for some paths (#32159 by @mjankowski)
  • Fix “Edit media” modal sizing and layout when space-constrained (#27095 by @ronilaukkarinen)
  • Fix modal container bounds (#29185 by @nico3333fr)
  • Fix inefficient HTTP signature parsing using regexps and StringScanner (#29133 by @ClearlyClaire)
  • Fix moderation report updates through PUT /api/v1/admin/reports/:id not being logged in the audit log (#29044, #30342, and #31033 by @mjankowski, @tribela, and @vmstan)
  • Fix moderation interface allowing to select rule violation when there are no server rules (#31458 by @ThisIsMissEm)
  • Fix redirection from paths with url-encoded @ to their decoded form (#31184 by @timothyjrogers)
  • Fix Trending Tags pending review having an unstable sort order (#31473 by @ThisIsMissEm)
  • Fix the emoji dropdown button always opening the dropdown instead of behaving like a toggle (#29012 by @jh97uk)
  • Fix processing of incoming posts with bearcaps (#26527 by @kmycode)
  • Fix support for IPv6 redis connections in streaming (#31229 by @ThisIsMissEm)
  • Fix search form re-rendering spuriously in web UI (#28876 by @Gargron)
  • Fix RedownloadMediaWorker not being called on transient S3 failure (#28714 by @ClearlyClaire)
  • Fix ISO code for Canadian French from incorrect fr-QC to fr-CA (#26015 by @gunchleoc)
  • Fix .opus file uploads being misidentified by Paperclip (#28580 by @vmstan)
  • Fix loading local accounts with extraneous domain part in WebUI (#28559 by @ClearlyClaire)
  • Fix destructive actions in dropdowns not using error color in light theme (#28484 by @logicalmoody)
  • Fix call to inefficient delete_matched cache method in domain blocks (#28374 by @ClearlyClaire)
  • Fix status edits not always being streamed to mentioned users (#28324 by @ClearlyClaire)
  • Fix onboarding step descriptions being truncated on narrow screens (#28021 by @ClearlyClaire)
  • Fix duplicate IDs in relationships and familiar_followers APIs (#27982 by @KevinBongart)
  • Fix modal content not being selectable (#27813 by @pajowu)
  • Fix Web UI not displaying appropriate explanation when a user hides their follows/followers (#27791 by @ClearlyClaire)
  • Fix format-dependent redirects being cached regardless of requested format (#27632 by @ClearlyClaire)
  • Fix confusing screen when visiting a confirmation link for an already-confirmed email (#27368 by @ClearlyClaire)
  • Fix explore page reloading when you navigate back to it in web UI (#27489 by @Gargron)
  • Fix missing redirection from /home to /deck/home in the advanced interface (#27378 by @Signez)
  • Fix empty environment variables not using default nil value (#27400 by @renchap)
  • Fix language sorting in settings (#27158 by @gunchleoc)

Upgrade notes

To get the code for v4.3.0, use git fetch && git checkout v4.3.0.

Note

As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump

Dependencies

External dependencies have changed since v4.2.12, with the Ruby, PostgreSQL and Node.js minimum version being higher. In addition, an optional dependency on libvips has been introduced to replace ImageMagick.

  • Ruby: 3.1 or newer
  • PostgreSQL: 12 or newer. PostgreSQL versions 14.0 to 14.3 are not supported as they contain a critical data-corruption bug (see below)
  • Elasticsearch (recommended, for full-text search): 7.x (OpenSearch should also work)
  • LibreTranslate (optional, for translations): 1.3.3 or newer
  • Redis: 4 or newer
  • Node: 18 or newer
  • ImageMagick (optional if using libvips): 6.9.7-7 or newer
  • libvips (optional, instead of ImageMagick): 8.13 or newer

PostgreSQL 14.0 to 14.3 bug

PostgreSQL versions 14.0 to 14.3 are not supported as they contain a critical data-corruption bug.

If you run one of those versions, please upgrade to the latest PostgreSQL 14 minor version (14.13 at the time of the release) before upgrading Mastodon. Upgrading PostgreSQL without bumping the major version should only require a restart of your database after your packages/containers have been updated, not any data migration.

If you are using Docker Compose to run PostgreSQL, please ensure that the image field does not specify the patch version (for example, it can be 14, or 14-alpine, to tell Docker to use the latest image with this tag), then:

  • stop the database service: docker compose down db
  • pull the latest version for this tag: docker compose pull db
  • restart the service: docker compose up -d
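
A pre-flight check for the version rule above, as an added example rather than part of the Mastodon release notes. pg_version_status is a hypothetical helper that classifies the string returned by SHOW server_version; against the stated requirements (12 or newer, excluding 14.0 to 14.3).

```shell
#!/bin/sh
# Added example (not Mastodon project code). pg_version_status is a
# hypothetical helper name.
#
# Input: the value of `SHOW server_version;`, for example "14.2" or
# "14.13 (Debian 14.13-1.pgdg120+1)".
# Output: one of ok | too-old | corruption-bug | unknown
# Exit status: 0 = supported, 1 = unsupported, 2 = could not parse.
#
# Typical use, run before and after the database restart:
#   pg_version_status "$(psql -XAtc 'SHOW server_version;')"
pg_version_status() {
  ver=${1%% *}                      # drop packaging suffix after first space
  case "$ver" in
    *.*) major=${ver%%.*}
         minor=${ver#*.}
         minor=${minor%%.*} ;;      # "9.6.24" -> major 9, minor 6
    *)   echo "unknown"; return 2 ;;
  esac

  # Both parts must be plain integers (rejects e.g. "15beta1.x").
  for part in "$major" "$minor"; do
    case "$part" in
      ''|*[!0-9]*) echo "unknown"; return 2 ;;
    esac
  done

  if [ "$major" -lt 12 ]; then
    echo "too-old"                  # below the minimum supported version
    return 1
  fi
  if [ "$major" -eq 14 ] && [ "$minor" -le 3 ]; then
    echo "corruption-bug"           # 14.0 to 14.3: upgrade the minor version first
    return 1
  fi
  echo "ok"
}
```
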

If you want to use this opportunity to upgrade to a later PostgreSQL major version, then you will need to migrate your PostgreSQL data directory. You can find more information about this process in the official documentation.

Active Record encryption secrets configuration

Mastodon now requires new environment variables for secret keys to be set.

Generate new secrets and set ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY, ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT, and ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY accordingly before restarting Mastodon.

Important

All Mastodon processes need to have access to the same secrets, so if you use multiple puma (mastodon-web) and sidekiq (mastodon-sidekiq) nodes, make sure to copy the secrets to all of them.
Furthermore, these secrets should not be changed once set, as changing secrets is not supported and may cause data loss and other issues that are difficult to recover from.

Such secrets can be generated by running bin/rails db:encryption:init.
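
One way to verify the requirement above before restarting, as an added example that is not part of the Mastodon release notes: the hypothetical helpers below check that each of the three variables is set exactly once and non-empty in an env file, and print a short fingerprint that can be compared between nodes without displaying the secrets. It assumes plain KEY=value lines and a sha256sum binary on the host.

```shell
#!/bin/sh
# Added example (not Mastodon project code); all function names are hypothetical.
AR_VARS="ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY"

# env_value FILE NAME: print the value of the NAME= line, with surrounding
# quotes, spaces and carriage returns stripped.
env_value() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"' \r"
}

# check_ar_encryption_env FILE: report every variable that is missing,
# defined more than once, or empty. Returns 0 only if all three are usable.
check_ar_encryption_env() {
  file=$1
  rc=0
  [ -r "$file" ] || { echo "unreadable: $file"; return 2; }
  for name in $AR_VARS; do
    count=$(grep -c "^[[:space:]]*$name=" "$file" || true)
    value=$(env_value "$file" "$name")
    if [ "$count" -eq 0 ]; then
      echo "missing: $name"; rc=1
    elif [ "$count" -gt 1 ]; then
      echo "duplicate: $name"; rc=1   # ambiguous: refuse rather than guess
    elif [ -z "$value" ]; then
      echo "empty: $name"; rc=1
    fi
  done
  return $rc
}

# ar_encryption_fingerprint FILE: hash the three values in a fixed order so
# that line order and quoting in the file do not matter. Identical output on
# every web and sidekiq node means they share the same secrets.
ar_encryption_fingerprint() {
  for name in $AR_VARS; do
    printf '%s=%s\n' "$name" "$(env_value "$1" "$name")"
  done | sha256sum | cut -c1-16
}
```

Run check_ar_encryption_env .env.production on each node, then compare the output of ar_encryption_fingerprint .env.production across nodes.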

Docker image split

The official Docker image has now been split in two smaller images:

  • ghcr.io/mastodon/mastodon, which does not contain the streaming server anymore
  • ghcr.io/mastodon/mastodon-streaming, which contains only the streaming server

The docker-compose.yml file shipped with Mastodon has been updated accordingly. If you use something else, you will need to update your configuration.

Cookies and rolling updates

Cookies issued by Mastodon are now using SHA256 digests. To ensure you are not losing user sessions, do not perform a rolling update from versions of Mastodon earlier than v4.2.0.

That is, either completely stop Mastodon before updating it, or update to the latest v4.2 then update to v4.3.

Yarn 4 and corepack

We have switched from Yarn 1 to the more modern and more efficient Yarn 4.

The recommended way is to use corepack, which is normally distributed with NodeJS. To do so, do corepack enable, then, in Mastodon's directory, once you have checked out v4.3.0, corepack prepare.

You can also install yarn 4 directly if you don't want to or can't use corepack.

ImageMagick deprecation and libvips replacement

ImageMagick support in Mastodon is being deprecated in favor of libvips, a more efficient library to process image attachments.

To use libvips instead of ImageMagick, install libvips 8.13 or newer, and set the MASTODON_USE_LIBVIPS environment variable to true.

The official Mastodon docker images use libvips instead of ImageMagick, and we recommend you do the same, but ImageMagick is still supported in this version for older distributions that do not include a recent enough version of libvips.

StatsD removal and OpenTelemetry integration

StatsD support has been removed, after being deprecated in 4.2.0.

If you want to have metrics for your Sidekiq queues (queue size, latency…), you can use https://github.com/Strech/sidekiq-prometheus-exporter

Mastodon now also supports exporting tracing data using OpenTelemetry. This can be used to get detailed performance data, as well as monitoring for backend errors. More information on how to configure it is available in our docs (https://docs.joinmastodon.org/admin/config/#otel).

Update steps

The following instructions are for updating from 4.2.12.

If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations. If you are upgrading from a pre-4.2 version, please check the “Cookies and rolling updates” section above.

If you are updating from 4.3.0-beta.1, 4.3.0-beta.2 or 4.3.0-rc.1, only a few of these steps are relevant; see the next section.

Non-docker

Tip

The charlock_holmes gem may fail to build on some systems with recent versions of gcc.
If you run into such an issue, try BUNDLE_BUILD__CHARLOCK_HOLMES="--with-cxxflags=-std=c++17" bundle install.

  1. If you are using rbenv, update the list of available versions and install the proper Ruby version by doing RUBY_CONFIGURE_OPTS=--with-jemalloc rbenv install in the Mastodon install directory (e.g. /home/mastodon/live)
  2. Install yarn 4 (if you use corepack, just do corepack prepare). See the “Yarn 4 and corepack” section for more information.
  3. Install dependencies with bundle install and yarn install --immutable
  4. Generate secrets by running RAILS_ENV=production bin/rails db:encryption:init, then copy them to your .env.production (copy it across all your nodes if you use multiple ones)
  5. Precompile the assets: RAILS_ENV=production bundle exec rails assets:precompile
  6. Run the pre-deployment database migrations by specifying the SKIP_POST_DEPLOYMENT_MIGRATIONS=true environment variable: SKIP_POST_DEPLOYMENT_MIGRATIONS=true RAILS_ENV=production bundle exec rails db:migrate
  7. Restart all Mastodon processes. If you are updating directly from a Mastodon version earlier than 4.2.0, see the “Cookies and rolling updates” section.
  8. Run the post-deployment database migrations: RAILS_ENV=production bundle exec rails db:migrate
  9. If you use Elasticsearch or OpenSearch, rebuild the account search index with RAILS_ENV=production bin/tootctl search deploy --only=accounts

When using docker

  1. Generate secrets by running docker-compose run --rm web bin/rails db:encryption:init, then copy them to your .env.production (make sure to copy them across all your Mastodon nodes as they will all need access to these secrets)
  2. Run the pre-deployment database migrations by specifying the SKIP_POST_DEPLOYMENT_MIGRATIONS=true environment variable: docker-compose run --rm -e SKIP_POST_DEPLOYMENT_MIGRATIONS=true web bundle exec rails db:migrate
  3. Make sure your Docker configuration has been updated to take the Docker image split into account (See the “Docker image split” section above)
  4. Restart all Mastodon processes. If you are updating directly from a Mastodon version earlier than 4.2.0, see the “Cookies and rolling updates” section.
  5. Run the post-deployment database migrations: docker-compose run --rm web bundle exec rails db:migrate
  6. If you use Elasticsearch or OpenSearch, rebuild the account search index with docker-compose run --rm web bin/tootctl search deploy --only=accounts

Update steps from 4.3.0-beta.1, 4.3.0-beta.2 or 4.3.0-rc.1

The following instructions are for updating from 4.3.0-beta.1, 4.3.0-beta.2 or 4.3.0-rc.1. See the section above if you are updating from an older version.

Non-docker

Tip

The charlock_holmes gem may fail to build on some systems with recent versions of gcc.
If you run into such an issue, try BUNDLE_BUILD__CHARLOCK_HOLMES="--with-cxxflags=-std=c++17" bundle install.

  1. If you are using rbenv, update the list of available versions and install the proper Ruby version by doing RUBY_CONFIGURE_OPTS=--with-jemalloc rbenv install in the Mastodon install directory (e.g. /home/mastodon/live)
  2. Install dependencies with bundle install and yarn install --immutable
  3. Precompile the assets: RAILS_ENV=production bundle exec rails assets:precompile
  4. Run the pre-deployment database migrations by specifying the SKIP_POST_DEPLOYMENT_MIGRATIONS=true environment variable: SKIP_POST_DEPLOYMENT_MIGRATIONS=true RAILS_ENV=production bundle exec rails db:migrate
  5. Restart all Mastodon processes. If you are updating directly from a Mastodon version earlier than 4.2.0, see the “Cookies and rolling updates” section.
  6. Run the post-deployment database migrations: RAILS_ENV=production bundle exec rails db:migrate

When using docker

  1. Run the pre-deployment database migrations by specifying the SKIP_POST_DEPLOYMENT_MIGRATIONS=true environment variable: docker-compose run --rm -e SKIP_POST_DEPLOYMENT_MIGRATIONS=true web bundle exec rails db:migrate
  2. Restart all Mastodon processes. If you are updating directly from a Mastodon version earlier than 4.2.0, see the “Cookies and rolling updates” section.
  3. Run the post-deployment database migrations: docker-compose run --rm web bundle exec rails db:migrate