2023-10-29 00:00 UTC

Pleroma major release: 2.6.0

Pleroma 2.6.0 is a major release. Featuring many fixes, additions and improvements.

Breaking changes

Get new dependencies and recompile Pleroma:

MIX_ENV=prod mix deps.get
MIX_ENV=prod mix compile

Run database migrations (inside Pleroma directory):
- OTP: ./bin/pleroma_ctl migrate
- From Source: mix ecto.migrate
Due to the large amount of migrations, it can take a long time to run this, depending on the size of your instance. It is recommended to schedule the downtime ahead of time for the migrations.
Recommended: Run VACUUM ANALYZE on your database
Restart Pleroma

There’s no feedback when installing/updating FE from new admin dashboard

add the initial i18n translation file for Taiwanese (Hokkien), and modify some related files.
Implemented a very basic instance administration screen
Implement quoting

Keep aspect ratio of custom emoji reaction in notification
Fix openSettingsModalTab so that it correctly opens Settings modal instead of Admin modal
Add alt text to emoji picker buttons
Use export-subst gitattribute to allow tarball builds
fix reports now showing reason/content:w
Fix HTML attribute parsing, discard attributes not strating with a letter
Make MentionsLine aware of line breaking by non-br elements
Fix a bug where mentioning a user twice will not fill the mention into the textarea
Fix parsing non-ascii tags
Fix OAuth2 token lingering after revocation
fix regex issue in HTML parser/renderer
don’t display quoted status twice
fix typo in code that prevented cards from showing at all
Fix react button not working if reaction accounts are not loaded
Fix react button misalignment on safari ios
Fix pinned statuses gone when reloading user timeline
Fix scrolling emoji selector in modal in safari ios

Preload: Make generated JSON html-safe. It already was html safe because it only consists of config data that is base64 encoded, but this will keep it safe it that ever changes.
CommonAPI: Prevent users from accessing media of other users by creating a status with reused attachment ID
Disable XML entity resolution completely to fix a dos vulnerability

rel="me” was missing its cache
MediaProxy responses now return a sandbox CSP header
Filter context activities using Visibility.visibleforuser?
UploadedMedia: Add missing disposition_type to Content-Disposition
fix not being able to fetch flash file from remote instance
Fix abnormal behaviour when refetching a poll
Allow non-HTTP(s) URIs in “url” fields for compatibility with “FEP-fffd: Proxy Objects”
Fix opengraph and twitter card meta tags
ForceMentionsInContent: fix double mentions for Mastodon/Misskey posts
OEmbed HTML tags are now filtered
Restrict attachments to only uploaded files only
Fix error 404 when deleting status of a banned user
Fix config ownership in dockerfile to pass restriction test
Fix user fetch completely broken if featured collection is not in a supported form
Correctly handle the situation when a poll has both “anyOf” and “oneOf” but one of them being empty
Fix handling report from a deactivated user
Prevent using the .json format to bypass authorized fetch mode
Fix mentioning punycode domains when using Markdown
Show more informative errors when profile exceeds char limits

BREAKING: Support for passwords generated with crypt(3) (Gnu Social migration artifact)
remove BBS/SSH feature, replaced by an external bridge.
Remove a few unused indexes.
Cleanup OStatus-era user upgrades and ap_enabled indicator
Deprecate Pleroma’s audio scrobbling

— tusooa