Pleroma major release: 2.6.0
Pleroma 2.6.0 is a major release, featuring many fixes, additions and improvements.
Breaking changes
- Removed support for passwords generated with crypt(3) (GNU Social migration artifact)
- remove BBS/SSH feature, replaced by an external bridge, sshocial.
- Deprecate Pleroma’s audio scrobbling
Upgrade notes
From source only
Get new dependencies and recompile Pleroma:
MIX_ENV=prod mix deps.get
MIX_ENV=prod mix compile
Everyone
- Run database migrations (inside Pleroma directory):
  - OTP: ./bin/pleroma_ctl migrate
  - From Source: mix ecto.migrate
  Due to the large number of migrations, this can take a long time to run, depending on the size of your instance. It is recommended to schedule downtime for the migrations ahead of time.
- Recommended: Run VACUUM ANALYZE on your database
- Restart Pleroma
Frontend changes
Known issues
There’s no feedback when installing/updating FE from new admin dashboard
Added
- add the initial i18n translation file for Taiwanese (Hokkien), and modify some related files.
- Implemented a very basic instance administration screen
- Implement quoting
Fixed
- Keep aspect ratio of custom emoji reaction in notification
- Fix openSettingsModalTab so that it correctly opens Settings modal instead of Admin modal
- Add alt text to emoji picker buttons
- Use export-subst gitattribute to allow tarball builds
- fix reports now showing reason/content
- Fix HTML attribute parsing, discard attributes not starting with a letter
- Make MentionsLine aware of line breaking by non-br elements
- Fix a bug where mentioning a user twice will not fill the mention into the textarea
- Fix parsing non-ascii tags
- Fix OAuth2 token lingering after revocation
- fix regex issue in HTML parser/renderer
- don’t display quoted status twice
- fix typo in code that prevented cards from showing at all
- Fix react button not working if reaction accounts are not loaded
- Fix react button misalignment on Safari iOS
- Fix pinned statuses gone when reloading user timeline
- Fix scrolling emoji selector in modal in Safari iOS
Backend changes
Security
- Preload: Make generated JSON HTML-safe. It already was HTML-safe because it only consists of config data that is base64 encoded, but this will keep it safe if that ever changes.
- CommonAPI: Prevent users from accessing media of other users by creating a status with reused attachment ID
- Disable XML entity resolution completely to fix a DoS vulnerability
Added
- Support for Image activities, namely from Hubzilla
- Add OAuth scope descriptions
- Allow lang attribute in status text
- OnlyMedia Upload Filter
- Implement MRF policy to reject or delist according to emojis
- (hardening) Add no_new_privs=yes to OpenRC service files
- Implement quotes
- Add unified streaming endpoint
Fixed
- rel="me" was missing its cache
- MediaProxy responses now return a sandbox CSP header
- Filter context activities using Visibility.visible_for_user?
- UploadedMedia: Add missing disposition_type to Content-Disposition
- fix not being able to fetch flash file from remote instance
- Fix abnormal behaviour when refetching a poll
- Allow non-HTTP(s) URIs in “url” fields for compatibility with “FEP-fffd: Proxy Objects”
- Fix opengraph and twitter card meta tags
- ForceMentionsInContent: fix double mentions for Mastodon/Misskey posts
- OEmbed HTML tags are now filtered
- Restrict attachments to only uploaded files
- Fix error 404 when deleting status of a banned user
- Fix config ownership in dockerfile to pass restriction test
- Fix user fetch completely broken if featured collection is not in a supported form
- Correctly handle the situation when a poll has both “anyOf” and “oneOf” but one of them being empty
- Fix handling report from a deactivated user
- Prevent using the .json format to bypass authorized fetch mode
- Fix mentioning punycode domains when using Markdown
- Show more informative errors when profile exceeds char limits
Removed
- BREAKING: Support for passwords generated with crypt(3) (GNU Social migration artifact)
- remove BBS/SSH feature, replaced by an external bridge.
- Remove a few unused indexes.
- Cleanup OStatus-era user upgrades and ap_enabled indicator
- Deprecate Pleroma’s audio scrobbling