Merge remote-tracking branch 'upstream/main'

* Fix domain blocks/rationales being visible to unapproved/unconfirmed users

* Fix domain blocks/rationales being visible to suspended users

Co-authored-by: Claire <claire.github-309c@sitedethib.com>

* Allow moved users to view domain blocks

* Add authorization specs for `/api/v1/instance/domain_blocks` spec

* Fix tests

* Fix incorrect test setup

---------

Co-authored-by: Claire <claire.github-309c@sitedethib.com>

.browserslistrc

@@ -1,10 +1,6 @@
-[production]
 defaults
 > 0.2%
 firefox >= 78
 ios >= 15.6
 not dead
 not OperaMini all
-
-[development]
-supports es6-module

.devcontainer/compose.yaml

@@ -10,6 +10,7 @@ services:
       RAILS_ENV: development
       NODE_ENV: development
       BIND: 0.0.0.0
+      BOOTSNAP_CACHE_DIR: /tmp
       REDIS_HOST: redis
       REDIS_PORT: '6379'
       DB_HOST: db

.drone.yml

@@ -16,7 +16,7 @@ steps:
     repo: git.greyfox.tech/bark/mastodon
     dockerfile: Dockerfile
     tags:
-      - prod
+      - latest
 - name: build-streaming
   image: plugins/docker
   environment:		
@@ -30,4 +30,4 @@ steps:
     repo: git.greyfox.tech/bark/mastodon-streaming
     dockerfile: streaming/Dockerfile
     tags:
-      - prod
+      - latest

.env.production.sample

@@ -50,7 +50,7 @@ OTP_SECRET=
 # Must be available (and set to same values) for all server processes
 # These are private/secret values, do not share outside hosting environment
 # Use `bin/rails db:encryption:init` to generate fresh secrets
-# Do not change these secrets once in use, as this would cause data loss and other issues
+# Do NOT change these secrets once in use, as this would cause data loss and other issues
 # ------------------
 # ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=
 # ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=

.eslintrc.js

@@ -109,7 +109,7 @@ module.exports = defineConfig({
     'react/jsx-equals-spacing': 'error',
     'react/jsx-no-bind': 'error',
     'react/jsx-no-useless-fragment': 'error',
-    'react/jsx-no-target-blank': 'off',
+    'react/jsx-no-target-blank': ['error', { allowReferrer: true }],
     'react/jsx-tag-spacing': 'error',
     'react/jsx-uses-react': 'off', // not needed with new JSX transform
     'react/jsx-wrap-multilines': 'error',

.github/ISSUE_TEMPLATE/2.server_bug_report.yml

@@ -60,7 +60,7 @@ body:
         Any additional technical details you may have, like logs or error traces
       value: |
         If this is happening on your own Mastodon server, please fill out those:
-        - Ruby version: (from `ruby --version`, eg. v3.3.5)
+        - Ruby version: (from `ruby --version`, eg. v3.4.1)
         - Node.js version: (from `node --version`, eg. v20.18.0)
     validations:
       required: false

.github/ISSUE_TEMPLATE/3.troubleshooting.yml

@@ -61,7 +61,7 @@ body:
       value: |
         Please at least include those informations:
         - Operating system: (eg. Ubuntu 22.04)
-        - Ruby version: (from `ruby --version`, eg. v3.3.5)
+        - Ruby version: (from `ruby --version`, eg. v3.4.1)
         - Node.js version: (from `node --version`, eg. v20.18.0)
     validations:
       required: false

.github/workflows/build-container-image.yml

@@ -1,14 +1,9 @@
 on:
   workflow_call:
     inputs:
-      platforms:
-        required: true
-        type: string
       cache:
         type: boolean
         default: true
-      use_native_arm64_builder:
-        type: boolean
       push_to_images:
         type: string
       version_prerelease:
@@ -24,42 +19,36 @@ on:
       file_to_build:
         type: string
 
+# This builds multiple images with one runner each, allowing us to build for multiple architectures
+# using Github's runners.
+# The two-step process is adapted form:
+# https://docs.docker.com/build/ci/github-actions/multi-platform/#distribute-build-across-multiple-runners
 jobs:
+  # Build each (amd64 and arm64) image separately
   build-image:
-    runs-on: ubuntu-latest
+    runs-on: ${{ startsWith(matrix.platform, 'linux/arm') && 'ubuntu-24.04-arm' || 'ubuntu-24.04' }}
+    strategy:
+      fail-fast: false
+      matrix:
+        platform:
+          - linux/amd64
+          - linux/arm64
 
     steps:
       - uses: actions/checkout@v4
 
-      - uses: docker/setup-qemu-action@v3
-        if: contains(inputs.platforms, 'linux/arm64') && !inputs.use_native_arm64_builder
+      - name: Prepare
+        env:
+          PUSH_TO_IMAGES: ${{ inputs.push_to_images }}
+        run: |
+          platform=${{ matrix.platform }}
+          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
+          # Transform multi-line variable into comma-separated variable
+          image_names=${PUSH_TO_IMAGES//$'\n'/,}
+          echo "IMAGE_NAMES=${image_names%,}" >> $GITHUB_ENV
 
       - uses: docker/setup-buildx-action@v3
         id: buildx
-        if: ${{ !(inputs.use_native_arm64_builder && contains(inputs.platforms, 'linux/arm64')) }}
-
-      - name: Start a local Docker Builder
-        if: inputs.use_native_arm64_builder && contains(inputs.platforms, 'linux/arm64')
-        run: |
-          docker run --rm -d --name buildkitd -p 1234:1234 --privileged moby/buildkit:latest --addr tcp://0.0.0.0:1234
-
-      - uses: docker/setup-buildx-action@v3
-        id: buildx-native
-        if: inputs.use_native_arm64_builder && contains(inputs.platforms, 'linux/arm64')
-        with:
-          driver: remote
-          endpoint: tcp://localhost:1234
-          platforms: linux/amd64
-          append: |
-            - endpoint: tcp://${{ vars.DOCKER_BUILDER_HETZNER_ARM64_01_HOST }}:13865
-              platforms: linux/arm64
-              name: mastodon-docker-builder-arm64-01
-              driver-opts:
-                - servername=mastodon-docker-builder-arm64-01
-        env:
-          BUILDER_NODE_1_AUTH_TLS_CACERT: ${{ secrets.DOCKER_BUILDER_HETZNER_ARM64_01_CACERT }}
-          BUILDER_NODE_1_AUTH_TLS_CERT: ${{ secrets.DOCKER_BUILDER_HETZNER_ARM64_01_CERT }}
-          BUILDER_NODE_1_AUTH_TLS_KEY: ${{ secrets.DOCKER_BUILDER_HETZNER_ARM64_01_KEY }}
 
       - name: Log in to Docker Hub
         if: contains(inputs.push_to_images, 'tootsuite')
@@ -76,16 +65,18 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - uses: docker/metadata-action@v5
+      - name: Docker meta
         id: meta
+        uses: docker/metadata-action@v5
         if: ${{ inputs.push_to_images != '' }}
         with:
           images: ${{ inputs.push_to_images }}
           flavor: ${{ inputs.flavor }}
-          tags: ${{ inputs.tags }}
           labels: ${{ inputs.labels }}
 
-      - uses: docker/build-push-action@v6
+      - name: Build and push by digest
+        id: build
+        uses: docker/build-push-action@v6
         with:
           context: .
           file: ${{ inputs.file_to_build }}
@@ -93,11 +84,87 @@ jobs:
             MASTODON_VERSION_PRERELEASE=${{ inputs.version_prerelease }}
             MASTODON_VERSION_METADATA=${{ inputs.version_metadata }}
             SOURCE_COMMIT=${{ github.sha }}
-          platforms: ${{ inputs.platforms }}
+          platforms: ${{ matrix.platform }}
           provenance: false
-          builder: ${{ steps.buildx.outputs.name || steps.buildx-native.outputs.name }}
           push: ${{ inputs.push_to_images != '' }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
           cache-from: ${{ inputs.cache && 'type=gha' || '' }}
           cache-to: ${{ inputs.cache && 'type=gha,mode=max' || '' }}
+          outputs: type=image,"name=${{ env.IMAGE_NAMES }}",push-by-digest=true,name-canonical=true,push=${{ inputs.push_to_images != '' }}
+
+      - name: Export digest
+        if: ${{ inputs.push_to_images != '' }}
+        run: |
+          mkdir -p "${{ runner.temp }}/digests"
+          digest="${{ steps.build.outputs.digest }}"
+          touch "${{ runner.temp }}/digests/${digest#sha256:}"
+
+      - name: Upload digest
+        if: ${{ inputs.push_to_images != '' }}
+        uses: actions/upload-artifact@v4
+        with:
+          # `hashFiles` is used to disambiguate between streaming and non-streaming images
+          name: digests-${{ hashFiles(inputs.file_to_build) }}-${{ env.PLATFORM_PAIR }}
+          path: ${{ runner.temp }}/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  # Then merge the docker images into a single one
+  merge-images:
+    if: ${{ inputs.push_to_images != '' }}
+    runs-on: ubuntu-24.04
+    needs:
+      - build-image
+
+    env:
+      PUSH_TO_IMAGES: ${{ inputs.push_to_images }}
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Download digests
+        uses: actions/download-artifact@v4
+        with:
+          path: ${{ runner.temp }}/digests
+          # `hashFiles` is used to disambiguate between streaming and non-streaming images
+          pattern: digests-${{ hashFiles(inputs.file_to_build) }}-*
+          merge-multiple: true
+
+      - name: Log in to Docker Hub
+        if: contains(inputs.push_to_images, 'tootsuite')
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Log in to the GitHub Container registry
+        if: contains(inputs.push_to_images, 'ghcr.io')
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        if: ${{ inputs.push_to_images != '' }}
+        with:
+          images: ${{ inputs.push_to_images }}
+          flavor: ${{ inputs.flavor }}
+          tags: ${{ inputs.tags }}
+          labels: ${{ inputs.labels }}
+
+      - name: Create manifest list and push
+        working-directory: ${{ runner.temp }}/digests
+        run: |
+          echo "$PUSH_TO_IMAGES" | xargs -I{} \
+            docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+              $(printf '{}@sha256:%s ' *)
+
+      - name: Inspect image
+        run: |
+          echo "$PUSH_TO_IMAGES" | xargs -i{} \
+            docker buildx imagetools inspect {}:${{ steps.meta.outputs.version }}

.github/workflows/build-nightly.yml

@@ -26,8 +26,6 @@ jobs:
     uses: ./.github/workflows/build-container-image.yml
     with:
       file_to_build: Dockerfile
-      platforms: linux/amd64,linux/arm64
-      use_native_arm64_builder: true
       cache: false
       push_to_images: |
         tootsuite/mastodon
@@ -48,8 +46,6 @@ jobs:
     uses: ./.github/workflows/build-container-image.yml
     with:
       file_to_build: streaming/Dockerfile
-      platforms: linux/amd64,linux/arm64
-      use_native_arm64_builder: true
       cache: false
       push_to_images: |
         tootsuite/mastodon-streaming

.github/workflows/build-push-pr.yml

@@ -32,8 +32,6 @@ jobs:
     uses: ./.github/workflows/build-container-image.yml
     with:
       file_to_build: Dockerfile
-      platforms: linux/amd64,linux/arm64
-      use_native_arm64_builder: true
       push_to_images: |
         ghcr.io/mastodon/mastodon
       version_metadata: ${{ needs.compute-suffix.outputs.metadata }}
@@ -49,8 +47,6 @@ jobs:
     uses: ./.github/workflows/build-container-image.yml
     with:
       file_to_build: streaming/Dockerfile
-      platforms: linux/amd64,linux/arm64
-      use_native_arm64_builder: true
       push_to_images: |
         ghcr.io/mastodon/mastodon-streaming
       version_metadata: ${{ needs.compute-suffix.outputs.metadata }}

.github/workflows/build-releases.yml

@@ -13,8 +13,6 @@ jobs:
     uses: ./.github/workflows/build-container-image.yml
     with:
       file_to_build: Dockerfile
-      platforms: linux/amd64,linux/arm64
-      use_native_arm64_builder: true
       push_to_images: |
         tootsuite/mastodon
         ghcr.io/mastodon/mastodon
@@ -34,8 +32,6 @@ jobs:
     uses: ./.github/workflows/build-container-image.yml
     with:
       file_to_build: streaming/Dockerfile
-      platforms: linux/amd64,linux/arm64
-      use_native_arm64_builder: true
       push_to_images: |
         tootsuite/mastodon-streaming
         ghcr.io/mastodon/mastodon-streaming

.github/workflows/build-security.yml

@@ -24,8 +24,6 @@ jobs:
     uses: ./.github/workflows/build-container-image.yml
     with:
       file_to_build: Dockerfile
-      platforms: linux/amd64,linux/arm64
-      use_native_arm64_builder: true
       cache: false
       push_to_images: |
         tootsuite/mastodon
@@ -46,8 +44,6 @@ jobs:
     uses: ./.github/workflows/build-container-image.yml
     with:
       file_to_build: streaming/Dockerfile
-      platforms: linux/amd64,linux/arm64
-      use_native_arm64_builder: true
       cache: false
       push_to_images: |
         tootsuite/mastodon-streaming

.github/workflows/check-i18n.yml

@@ -18,7 +18,7 @@ permissions:
 
 jobs:
   check-i18n:
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
 
     steps:
       - uses: actions/checkout@v4

.github/workflows/crowdin-download-stable.yml

@@ -50,7 +50,7 @@ jobs:
 
       # Create or update the pull request
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v7.0.5
+        uses: peter-evans/create-pull-request@v7.0.6
         with:
           commit-message: 'New Crowdin translations'
           title: 'New Crowdin Translations for ${{ github.base_ref || github.ref_name }} (automated)'

.github/workflows/crowdin-download.yml

@@ -52,7 +52,7 @@ jobs:
 
       # Create or update the pull request
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v7.0.5
+        uses: peter-evans/create-pull-request@v7
         with:
           commit-message: 'New Crowdin translations'
           title: 'New Crowdin Translations (automated)'

.github/workflows/lint-css.yml

@@ -40,4 +40,4 @@ jobs:
         uses: ./.github/actions/setup-javascript
 
       - name: Stylelint
-        run: yarn lint:css -f github
+        run: yarn lint:css --custom-formatter @csstools/stylelint-formatter-github

.github/workflows/lint-haml.yml

@@ -43,4 +43,4 @@ jobs:
       - name: Run haml-lint
         run: |
           echo "::add-matcher::.github/workflows/haml-lint-problem-matcher.json"
-          bin/haml-lint --reporter github
+          bin/haml-lint --parallel --reporter github

.github/workflows/lint-ruby.yml

@@ -9,6 +9,7 @@ on:
       - 'Gemfile*'
       - '.rubocop*.yml'
       - '.ruby-version'
+      - 'bin/rubocop'
       - 'config/brakeman.ignore'
       - '**/*.rb'
       - '**/*.rake'
@@ -19,6 +20,7 @@ on:
       - 'Gemfile*'
       - '.rubocop*.yml'
       - '.ruby-version'
+      - 'bin/rubocop'
       - 'config/brakeman.ignore'
       - '**/*.rb'
       - '**/*.rake'

.github/workflows/test-image-build.yml

@@ -20,7 +20,6 @@ jobs:
     uses: ./.github/workflows/build-container-image.yml
     with:
       file_to_build: Dockerfile
-      platforms: linux/amd64 # Testing only on native platform so it is performant
       cache: true
 
   build-image-streaming:
@@ -31,5 +30,4 @@ jobs:
     uses: ./.github/workflows/build-container-image.yml
     with:
       file_to_build: streaming/Dockerfile
-      platforms: linux/amd64 # Testing only on native platform so it is performant
       cache: true

.github/workflows/test-migrations.yml

@@ -12,6 +12,7 @@ on:
       - '**/*.rb'
       - '.github/workflows/test-migrations.yml'
       - 'lib/tasks/tests.rake'
+      - 'lib/tasks/db.rake'
 
   pull_request:
     paths:
@@ -63,7 +64,6 @@ jobs:
       DB_HOST: localhost
       DB_USER: postgres
       DB_PASS: postgres
-      DISABLE_SIMPLECOV: true
       RAILS_ENV: test
       BUNDLE_CLEAN: true
       BUNDLE_FROZEN: true
@@ -90,6 +90,11 @@ jobs:
           bin/rails db:drop
           bin/rails db:create
           SKIP_POST_DEPLOYMENT_MIGRATIONS=true bin/rails tests:migrations:prepare_database
+
+          # Migrate up to v4.2.0 breakpoint
+          bin/rails db:migrate VERSION=20230907150100
+
+          # Migrate the rest
           SKIP_POST_DEPLOYMENT_MIGRATIONS=true bin/rails db:migrate
           bin/rails db:migrate
           bin/rails tests:migrations:check_database

.github/workflows/test-ruby.yml

@@ -107,7 +107,7 @@ jobs:
       DB_HOST: localhost
       DB_USER: postgres
       DB_PASS: postgres
-      DISABLE_SIMPLECOV: ${{ matrix.ruby-version != '.ruby-version' }}
+      COVERAGE: ${{ matrix.ruby-version == '.ruby-version' }}
       RAILS_ENV: test
       ALLOW_NOPAM: true
       PAM_ENABLED: true
@@ -125,6 +125,7 @@ jobs:
       matrix:
         ruby-version:
           - '3.2'
+          - '3.3'
           - '.ruby-version'
     steps:
       - uses: actions/checkout@v4
@@ -166,7 +167,7 @@ jobs:
 
       - name: Upload coverage reports to Codecov
         if: matrix.ruby-version == '.ruby-version'
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@v5
         with:
           files: coverage/lcov/*.lcov
         env:
@@ -174,7 +175,7 @@ jobs:
 
   test-libvips:
     name: Libvips tests
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
 
     needs:
       - build
@@ -207,7 +208,7 @@ jobs:
       DB_HOST: localhost
       DB_USER: postgres
       DB_PASS: postgres
-      DISABLE_SIMPLECOV: ${{ matrix.ruby-version != '.ruby-version' }}
+      COVERAGE: ${{ matrix.ruby-version == '.ruby-version' }}
       RAILS_ENV: test
       ALLOW_NOPAM: true
       PAM_ENABLED: true
@@ -226,6 +227,7 @@ jobs:
       matrix:
         ruby-version:
           - '3.2'
+          - '3.3'
           - '.ruby-version'
     steps:
       - uses: actions/checkout@v4
@@ -252,7 +254,7 @@ jobs:
 
       - name: Upload coverage reports to Codecov
         if: matrix.ruby-version == '.ruby-version'
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@v5
         with:
           files: coverage/lcov/mastodon.lcov
         env:
@@ -293,7 +295,6 @@ jobs:
       DB_HOST: localhost
       DB_USER: postgres
       DB_PASS: postgres
-      DISABLE_SIMPLECOV: true
       RAILS_ENV: test
       BUNDLE_WITH: test
       LOCAL_DOMAIN: localhost:3000
@@ -304,6 +305,7 @@ jobs:
       matrix:
         ruby-version:
           - '3.2'
+          - '3.3'
           - '.ruby-version'
 
     steps:
@@ -408,7 +410,6 @@ jobs:
       DB_HOST: localhost
       DB_USER: postgres
       DB_PASS: postgres
-      DISABLE_SIMPLECOV: true
       RAILS_ENV: test
       BUNDLE_WITH: test
       ES_ENABLED: true
@@ -420,6 +421,7 @@ jobs:
       matrix:
         ruby-version:
           - '3.2'
+          - '3.3'
           - '.ruby-version'
         search-image:
           - docker.elastic.co/elasticsearch/elasticsearch:7.17.13

.nvmrc

@@ -1 +1 @@
-22.11
+22.14

.rubocop.yml

@@ -26,9 +26,11 @@ inherit_mode:
   merge:
     - Exclude
 
-require:
+plugins:
   - rubocop-rails
   - rubocop-rspec
-  - rubocop-rspec_rails
   - rubocop-performance
+
+require:
+  - rubocop-rspec_rails
   - rubocop-capybara

.rubocop/rails.yml

@@ -2,6 +2,9 @@
 Rails/BulkChangeTable:
   Enabled: false # Conflicts with strong_migrations features
 
+Rails/Delegate:
+  Enabled: false
+
 Rails/FilePath:
   EnforcedStyle: arguments
 

.rubocop/style.yml

@@ -1,4 +1,7 @@
 ---
+Style/ArrayIntersect:
+  Enabled: false
+
 Style/ClassAndModuleChildren:
   Enabled: false
 
@@ -19,6 +22,13 @@ Style/HashSyntax:
   EnforcedShorthandSyntax: either
   EnforcedStyle: ruby19_no_mixed_keys
 
+Style/IfUnlessModifier:
+  Exclude:
+    - '**/*.haml'
+
+Style/KeywordArgumentsMerging:
+  Enabled: false
+
 Style/NumericLiterals:
   AllowedPatterns:
     - \d{4}_\d{2}_\d{2}_\d{6}
@@ -37,6 +47,9 @@ Style/RedundantFetchBlock:
 Style/RescueStandardError:
   EnforcedStyle: implicit
 
+Style/SafeNavigationChainLength:
+  Enabled: false
+
 Style/SymbolArray:
   Enabled: false
 
@@ -45,3 +58,6 @@ Style/TrailingCommaInArrayLiteral:
 
 Style/TrailingCommaInHashLiteral:
   EnforcedStyleForMultiline: comma
+
+Style/WordArray:
+  MinSize: 3 # Override default of 2

.rubocop_todo.yml

@@ -1,6 +1,6 @@
 # This configuration was generated by
 # `rubocop --auto-gen-config --auto-gen-only-exclude --no-offense-counts --no-auto-gen-timestamp`
-# using RuboCop version 1.66.1.
+# using RuboCop version 1.72.2.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
@@ -8,7 +8,7 @@
 
 Lint/NonLocalExitFromIterator:
   Exclude:
-    - 'app/helpers/jsonld_helper.rb'
+    - 'app/helpers/json_ld_helper.rb'
 
 # Configuration parameters: AllowedMethods, AllowedPatterns, CountRepeatedAttributes.
 Metrics/AbcSize:
@@ -35,7 +35,6 @@ Rails/OutputSafety:
 # Configuration parameters: AllowedVars.
 Style/FetchEnvVar:
   Exclude:
-    - 'app/lib/translation_service.rb'
     - 'config/environments/production.rb'
     - 'config/initializers/2_limited_federation_mode.rb'
     - 'config/initializers/3_omniauth.rb'
@@ -70,20 +69,11 @@ Style/MapToHash:
   Exclude:
     - 'app/models/status.rb'
 
-# This cop supports unsafe autocorrection (--autocorrect-all).
-# Configuration parameters: EnforcedStyle.
-# SupportedStyles: literals, strict
-Style/MutableConstant:
-  Exclude:
-    - 'app/models/tag.rb'
-    - 'app/services/delete_account_service.rb'
-    - 'lib/mastodon/migration_warning.rb'
-
 # Configuration parameters: AllowedMethods.
 # AllowedMethods: respond_to_missing?
 Style/OptionalBooleanParameter:
   Exclude:
-    - 'app/helpers/jsonld_helper.rb'
+    - 'app/helpers/json_ld_helper.rb'
     - 'app/lib/admin/system_check/message.rb'
     - 'app/lib/request.rb'
     - 'app/lib/webfinger.rb'
@@ -104,10 +94,3 @@ Style/RedundantConstantBase:
   Exclude:
     - 'config/environments/production.rb'
     - 'config/initializers/sidekiq.rb'
-
-# This cop supports safe autocorrection (--autocorrect).
-# Configuration parameters: WordRegex.
-# SupportedStyles: percent, brackets
-Style/WordArray:
-  EnforcedStyle: percent
-  MinSize: 3

.ruby-version

@@ -1 +1 @@
-3.3.6
+3.4.2

CHANGELOG.md

@@ -2,6 +2,101 @@
 
 All notable changes to this project will be documented in this file.
 
+## [4.3.4] - 2025-02-27
+
+### Security
+
+- Update dependencies
+- Change HTML sanitization to remove unusable and unused `embed` tag (#34021 by @ClearlyClaire, [GHSA-mq2m-hr29-8gqf](https://github.com/mastodon/mastodon/security/advisories/GHSA-mq2m-hr29-8gqf))
+- Fix rate-limit on sign-up email verification ([GHSA-v39f-c9jj-8w7h](https://github.com/mastodon/mastodon/security/advisories/GHSA-v39f-c9jj-8w7h))
+- Fix improper disclosure of domain blocks to unverified users ([GHSA-94h4-fj37-c825](https://github.com/mastodon/mastodon/security/advisories/GHSA-94h4-fj37-c825))
+
+### Changed
+
+- Change preview cards to be shown when Content Warnings are expanded (#33827 by @ClearlyClaire)
+- Change warnings against changing encryption secrets to be even more noticeable (#33631 by @ClearlyClaire)
+- Change `mastodon:setup` to prevent overwriting already-configured servers (#33603, #33616, and #33684 by @ClearlyClaire and @mjankowski)
+- Change notifications from moderators to not be filtered (#32974 and #33654 by @ClearlyClaire and @mjankowski)
+
+### Fixed
+
+- Fix `GET /api/v2/notifications/:id` and `POST /api/v2/notifications/:id/dismiss` for ungrouped notifications (#33990 by @ClearlyClaire)
+- Fix issue with some versions of libvips on some systems (#33853 by @kleisauke)
+- Fix handling of duplicate mentions in incoming status `Update` (#33911 by @ClearlyClaire)
+- Fix inefficiencies in timeline generation (#33839 and #33842 by @ClearlyClaire)
+- Fix emoji rewrite adding unnecessary curft to the DOM for most emoji (#33818 by @ClearlyClaire)
+- Fix `tootctl feeds build` not building list timelines (#33783 by @ClearlyClaire)
+- Fix flaky test in `/api/v2/notifications` tests (#33773 by @ClearlyClaire)
+- Fix incorrect signature after HTTP redirect (#33757 and #33769 by @ClearlyClaire)
+- Fix polls not being validated on edition (#33755 by @ClearlyClaire)
+- Fix media preview height in compose form when 3 or more images are attached (#33571 by @ClearlyClaire)
+- Fix preview card sizing in “Author attribution” in profile settings (#33482 by @ClearlyClaire)
+- Fix processing of incoming notifications for unfilterable types (#33429 by @ClearlyClaire)
+- Fix featured tags for remote accounts not being kept up to date (#33372, #33406, and #33425 by @ClearlyClaire and @mjankowski)
+- Fix notification polling showing a loading bar in web UI (#32960 by @Gargron)
+- Fix accounts table long display name (#29316 by @WebCoder49)
+- Fix exclusive lists interfering with notifications (#28162 by @ShadowJonathan)
+
+## [4.3.3] - 2025-01-16
+
+### Security
+
+- Fix insufficient validation of account URIs ([GHSA-5wxh-3p65-r4g6](https://github.com/mastodon/mastodon/security/advisories/GHSA-5wxh-3p65-r4g6))
+- Update dependencies
+
+### Fixed
+
+- Fix `libyaml` missing from `Dockerfile` build stage (#33591 by @vmstan)
+- Fix incorrect notification settings migration for non-followers (#33348 by @ClearlyClaire)
+- Fix down clause for notification policy v2 migrations (#33340 by @jesseplusplus)
+- Fix error decrementing status count when `FeaturedTags#last_status_at` is `nil` (#33320 by @ClearlyClaire)
+- Fix last paginated notification group only including data on a single notification (#33271 by @ClearlyClaire)
+- Fix processing of mentions for post edits with an existing corresponding silent mention (#33227 by @ClearlyClaire)
+- Fix deletion of unconfirmed users with Webauthn set (#33186 by @ClearlyClaire)
+- Fix empty authors preview card serialization (#33151, #33466 by @mjankowski and @ClearlyClaire)
+
+## [4.3.2] - 2024-12-03
+
+### Added
+
+- Add `tootctl feeds vacuum` (#33065 by @ClearlyClaire)
+- Add error message when user tries to follow their own account (#31910 by @lenikadali)
+- Add client_secret_expires_at to OAuth Applications (#30317 by @ThisIsMissEm)
+
+### Changed
+
+- Change design of Content Warnings and filters (#32543 by @ClearlyClaire)
+
+### Fixed
+
+- Fix processing incoming post edits with mentions to unresolvable accounts (#33129 by @ClearlyClaire)
+- Fix error when including multiple instances of `embed.js` (#33107 by @YKWeyer)
+- Fix inactive users' timelines being backfilled on follow and unsuspend (#33094 by @ClearlyClaire)
+- Fix direct inbox delivery pushing posts into inactive followers' timelines (#33067 by @ClearlyClaire)
+- Fix `TagFollow` records not being correctly handled in account operations (#33063 by @ClearlyClaire)
+- Fix pushing hashtag-followed posts to feeds of inactive users (#33018 by @Gargron)
+- Fix duplicate notifications in notification groups when using slow mode (#33014 by @ClearlyClaire)
+- Fix posts made in the future being allowed to trend (#32996 by @ClearlyClaire)
+- Fix uploading higher-than-wide GIF profile picture with libvips enabled (#32911 by @ClearlyClaire)
+- Fix domain attribution field having autocorrect and autocapitalize enabled (#32903 by @ClearlyClaire)
+- Fix titles being escaped twice (#32889 by @ClearlyClaire)
+- Fix list creation limit check (#32869 by @ClearlyClaire)
+- Fix error in `tootctl email_domain_blocks` when supplying `--with-dns-records` (#32863 by @mjankowski)
+- Fix `min_id` and `max_id` causing error in search API (#32857 by @Gargron)
+- Fix inefficiencies when processing removal of posts that use featured tags (#32787 by @ClearlyClaire)
+- Fix alt-text pop-in not using the translated description (#32766 by @ClearlyClaire)
+- Fix preview cards with long titles erroneously causing layout changes (#32678 by @ClearlyClaire)
+- Fix embed modal layout on mobile (#32641 by @DismalShadowX)
+- Fix and improve batch attachment deletion handling when using OpenStack Swift (#32637 by @hugogameiro)
+- Fix blocks not being applied on link timeline (#32625 by @tribela)
+- Fix follow counters being incorrectly changed (#32622 by @oneiros)
+- Fix 'unknown' media attachment type rendering (#32613 and #32713 by @ThisIsMissEm and @renatolond)
+- Fix tl language native name (#32606 by @seav)
+
+### Security
+
+- Update dependencies
+
 ## [4.3.1] - 2024-10-21
 
 ### Added
@@ -93,7 +188,7 @@ The following changelog entries focus on changes visible to users, administrator
 - **Add notifications of severed relationships** (#27511, #29665, #29668, #29670, #29700, #29714, #29712, and #29731 by @ClearlyClaire and @Gargron)\
   Notify local users when they lose relationships as a result of a local moderator blocking a remote account or server, allowing the affected user to retrieve the list of broken relationships.\
   Note that this does not notify remote users.\
-  This adds the `severed_relationships` notification type to the REST API and streaming, with a new [`relationship_severance_event` attribute](https://docs.joinmastodon.org/entities/Notification/#relationship_severance_event).
+  This adds the `severed_relationships` notification type to the REST API and streaming, with a new [`event` attribute](https://docs.joinmastodon.org/entities/Notification/#relationship_severance_event).
 - **Add hover cards in web UI** (#30754, #30864, #30850, #30879, #30928, #30949, #30948, #30931, and #31300 by @ClearlyClaire, @Gargron, and @renchap)\
   Hovering over an avatar or username will now display a hover card with the first two lines of the user's description and their first two profile fields.\
   This can be disabled in the “Animations and accessibility” section of the preferences.

CONTRIBUTING.md

@@ -9,30 +9,51 @@ You can contribute in the following ways:
 - Contributing code to Mastodon by fixing bugs or implementing features
 - Improving the documentation
 
-If your contributions are accepted into Mastodon, you can request to be paid through [our OpenCollective](https://opencollective.com/mastodon).
-
 Please review the org-level [contribution guidelines] for high-level acceptance
-criteria guidance.
-
-[contribution guidelines]: https://github.com/mastodon/.github/blob/main/CONTRIBUTING.md
+criteria guidance and the [DEVELOPMENT] guide for environment-specific details.
 
 ## API Changes and Additions
 
-Please note that any changes or additions made to the API should have an accompanying pull request on [our documentation repository](https://github.com/mastodon/documentation).
+Any changes or additions made to the API should have an accompanying pull
+request on our [documentation repository].
 
-## Bug reports
+## Bug Reports
 
-Bug reports and feature suggestions must use descriptive and concise titles and be submitted to [GitHub Issues](https://github.com/mastodon/mastodon/issues). Please use the search function to make sure that you are not submitting duplicates, and that a similar report or request has not already been resolved or rejected.
+Bug reports and feature suggestions must use descriptive and concise titles and
+be submitted to [GitHub Issues]. Please use the search function to make sure
+there are not duplicate bug reports or feature requests.
 
 ## Translations
 
-You can submit translations via [Crowdin](https://crowdin.com/project/mastodon). They are periodically merged into the codebase.
+Translations are community contributed via [Crowdin]. They are periodically
+reviewed and merged into the codebase.
 
 [![Crowdin](https://d322cqt584bo4o.cloudfront.net/mastodon/localized.svg)](https://crowdin.com/project/mastodon)
 
-## Pull requests
+## Pull Requests
 
-**Please use clean, concise titles for your pull requests.** Unless the pull request is about refactoring code, updating dependencies or other internal tasks, assume that the person reading the pull request title is not a programmer or Mastodon developer, but instead a Mastodon user or server administrator, and **try to describe your change or fix from their perspective**. We use commit squashing, so the final commit in the main branch will carry the title of the pull request, and commits from the main branch are fed into the changelog. The changelog is separated into [keepachangelog.com categories](https://keepachangelog.com/en/1.0.0/), and while that spec does not prescribe how the entries ought to be named, for easier sorting, start your pull request titles using one of the verbs "Add", "Change", "Deprecate", "Remove", or "Fix" (present tense).
+### Size and Scope
+
+Our time is limited and PRs making large, unsolicited changes are unlikely to
+get a response. Changes which link to an existing confirmed issue, or which come
+from a "help wanted" issue or other request are more likely to be reviewed.
+
+The smaller and more narrowly focused the changes in a PR are, the easier they
+are to review and potentially merge. If the change only makes sense in some
+larger context of future ongoing work, note that in the description, but still
+aim to keep each distinct PR to a "smallest viable change" chunk of work.
+
+### Description of Changes
+
+Unless the Pull Request is about refactoring code, updating dependencies or
+other internal tasks, assume that the audience are not developers, but a
+Mastodon user or server admin, and try to describe it from their perspective.
+
+The final commit in the main branch will carry the title from the PR. The main
+branch is then fed into the changelog and ultimately into release notes. We try
+to follow the [keepachangelog] spec, and while that does not prescribe how
+exactly the entries ought to be named, starting titles using one of the verbs
+"Add", "Change", "Deprecate", "Remove", or "Fix" (present tense) is helpful.
 
 Example:
 
@@ -40,16 +61,25 @@ Example:
 | ------------------------------------ | ------------------------------------------------------------- |
 | Fixed NoMethodError in RemovalWorker | Fix nil error when removing statuses caused by race condition |
 
-It is not always possible to phrase every change in such a manner, but it is desired.
+### Technical Requirements
 
-**The smaller the set of changes in the pull request is, the quicker it can be reviewed and merged.** Splitting tasks into multiple smaller pull requests is often preferable.
-
-**Pull requests that do not pass automated checks may not be reviewed**. In particular, you need to keep in mind:
+Pull requests that do not pass automated checks on CI may not be reviewed. In
+particular, please keep in mind:
 
 - Unit and integration tests (rspec, jest)
 - Code style rules (rubocop, eslint)
 - Normalization of locale files (i18n-tasks)
+- Relevant accessibility or performance concerns
 
 ## Documentation
 
-The [Mastodon documentation](https://docs.joinmastodon.org) is a statically generated site. You can [submit merge requests to mastodon/documentation](https://github.com/mastodon/documentation).
+The [Mastodon documentation] is a statically generated site that contains guides
+and API docs. Improvements are made via PRs to the [documentation repository].
+
+[contribution guidelines]: https://github.com/mastodon/.github/blob/main/CONTRIBUTING.md
+[Crowdin]: https://crowdin.com/project/mastodon
+[DEVELOPMENT]: docs/DEVELOPMENT.md
+[documentation repository]: https://github.com/mastodon/documentation
+[GitHub Issues]: https://github.com/mastodon/mastodon/issues
+[keepachangelog]: https://keepachangelog.com/en/1.0.0/
+[Mastodon documentation]: https://docs.joinmastodon.org

Dockerfile

@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1.12
 
 # This file is designed for production server deployment, not local development work
-# For a containerized local dev environment, see: https://github.com/mastodon/mastodon/blob/main/README.md#docker
+# For a containerized local dev environment, see: https://github.com/mastodon/mastodon/blob/main/docs/DEVELOPMENT.md#docker
 
 # Please see https://docs.docker.com/engine/reference/builder for information about
 # the extended buildx capabilities used in this file.
@@ -9,30 +9,31 @@
 # See: https://docs.docker.com/build/building/multi-platform/
 ARG TARGETPLATFORM=${TARGETPLATFORM}
 ARG BUILDPLATFORM=${BUILDPLATFORM}
+ARG BASE_REGISTRY="docker.io"
 
-# Ruby image to use for base image, change with [--build-arg RUBY_VERSION="3.3.x"]
+# Ruby image to use for base image, change with [--build-arg RUBY_VERSION="3.4.x"]
 # renovate: datasource=docker depName=docker.io/ruby
-ARG RUBY_VERSION="3.3.6"
+ARG RUBY_VERSION="3.4.2"
 # # Node version to use in base image, change with [--build-arg NODE_MAJOR_VERSION="20"]
 # renovate: datasource=node-version depName=node
 ARG NODE_MAJOR_VERSION="22"
 # Debian image to use for base image, change with [--build-arg DEBIAN_VERSION="bookworm"]
 ARG DEBIAN_VERSION="bookworm"
 # Node image to use for base image based on combined variables (ex: 20-bookworm-slim)
-FROM docker.io/node:${NODE_MAJOR_VERSION}-${DEBIAN_VERSION}-slim AS node
-# Ruby image to use for base image based on combined variables (ex: 3.3.x-slim-bookworm)
-FROM docker.io/ruby:${RUBY_VERSION}-slim-${DEBIAN_VERSION} AS ruby
+FROM ${BASE_REGISTRY}/node:${NODE_MAJOR_VERSION}-${DEBIAN_VERSION}-slim AS node
+# Ruby image to use for base image based on combined variables (ex: 3.4.x-slim-bookworm)
+FROM ${BASE_REGISTRY}/ruby:${RUBY_VERSION}-slim-${DEBIAN_VERSION} AS ruby
 
 # Resulting version string is vX.X.X-MASTODON_VERSION_PRERELEASE+MASTODON_VERSION_METADATA
 # Example: v4.3.0-nightly.2023.11.09+pr-123456
 # Overwrite existence of 'alpha.X' in version.rb [--build-arg MASTODON_VERSION_PRERELEASE="nightly.2023.11.09"]
 ARG MASTODON_VERSION_PRERELEASE="bark"
 # Append build metadata or fork information to version.rb [--build-arg MASTODON_VERSION_METADATA="pr-123456"]
-ARG MASTODON_VERSION_METADATA="05-12-2024"
+ARG MASTODON_VERSION_METADATA="dev"
 # Will be available as Mastodon::Version.source_commit
 ARG SOURCE_COMMIT=""
 
-# Allow Ruby on Rails to serve statiprodc files
+# Allow Ruby on Rails to serve static files
 # See: https://docs.joinmastodon.org/admin/config/#rails_serve_static_files
 ARG RAILS_SERVE_STATIC_FILES="true"
 # Allow to use YJIT compiler
@@ -153,6 +154,7 @@ RUN \
   libpq-dev \
   libssl-dev \
   libtool \
+  libyaml-dev \
   meson \
   nasm \
   pkg-config \

Gemfile

@@ -1,12 +1,12 @@
 # frozen_string_literal: true
 
 source 'https://rubygems.org'
-ruby '>= 3.2.0'
+ruby '>= 3.2.0', '< 3.5.0'
 
 gem 'propshaft'
 gem 'puma', '~> 6.3'
 gem 'rack', '~> 2.2.7'
-gem 'rails', '~> 7.2.0'
+gem 'rails', '~> 8.0'
 gem 'thor', '~> 1.2'
 
 gem 'dotenv'
@@ -73,13 +73,13 @@ gem 'public_suffix', '~> 6.0'
 gem 'pundit', '~> 2.3'
 gem 'rack-attack', '~> 6.6'
 gem 'rack-cors', '~> 2.0', require: 'rack/cors'
-gem 'rails-i18n', '~> 7.0'
+gem 'rails-i18n', '~> 8.0'
 gem 'redcarpet', '~> 3.6'
 gem 'redis', '~> 4.5', require: ['redis', 'redis/connection/hiredis']
 gem 'redis-namespace', '~> 1.10'
 gem 'rqrcode', '~> 2.2'
 gem 'ruby-progressbar', '~> 1.13'
-gem 'sanitize', '~> 6.0'
+gem 'sanitize', '~> 7.0'
 gem 'scenic', '~> 1.7'
 gem 'sidekiq', '~> 6.5'
 gem 'sidekiq-bulk', '~> 0.2.0'
@@ -94,29 +94,31 @@ gem 'twitter-text', '~> 3.1.0'
 gem 'tzinfo-data', '~> 1.2023'
 gem 'webauthn', '~> 3.0'
 gem 'webpacker', '~> 5.4'
-gem 'webpush', github: 'ClearlyClaire/webpush', ref: 'f14a4d52e201128b1b00245d11b6de80d6cfdcd9'
+gem 'webpush', github: 'mastodon/webpush', ref: '9631ac63045cfabddacc69fc06e919b4c13eb913'
 
 gem 'json-ld'
 gem 'json-ld-preloaded', '~> 3.2'
 gem 'rdf-normalize', '~> 0.5'
 
+gem 'prometheus_exporter', '~> 2.2', require: false
+
 gem 'opentelemetry-api', '~> 1.4.0'
 
 group :opentelemetry do
   gem 'opentelemetry-exporter-otlp', '~> 0.29.0', require: false
-  gem 'opentelemetry-instrumentation-active_job', '~> 0.7.1', require: false
-  gem 'opentelemetry-instrumentation-active_model_serializers', '~> 0.20.1', require: false
-  gem 'opentelemetry-instrumentation-concurrent_ruby', '~> 0.21.2', require: false
-  gem 'opentelemetry-instrumentation-excon', '~> 0.22.0', require: false
-  gem 'opentelemetry-instrumentation-faraday', '~> 0.24.1', require: false
-  gem 'opentelemetry-instrumentation-http', '~> 0.23.2', require: false
-  gem 'opentelemetry-instrumentation-http_client', '~> 0.22.3', require: false
-  gem 'opentelemetry-instrumentation-net_http', '~> 0.22.4', require: false
-  gem 'opentelemetry-instrumentation-pg', '~> 0.29.0', require: false
-  gem 'opentelemetry-instrumentation-rack', '~> 0.25.0', require: false
-  gem 'opentelemetry-instrumentation-rails', '~> 0.33.0', require: false
-  gem 'opentelemetry-instrumentation-redis', '~> 0.25.3', require: false
-  gem 'opentelemetry-instrumentation-sidekiq', '~> 0.25.2', require: false
+  gem 'opentelemetry-instrumentation-active_job', '~> 0.8.0', require: false
+  gem 'opentelemetry-instrumentation-active_model_serializers', '~> 0.22.0', require: false
+  gem 'opentelemetry-instrumentation-concurrent_ruby', '~> 0.22.0', require: false
+  gem 'opentelemetry-instrumentation-excon', '~> 0.23.0', require: false
+  gem 'opentelemetry-instrumentation-faraday', '~> 0.26.0', require: false
+  gem 'opentelemetry-instrumentation-http', '~> 0.24.0', require: false
+  gem 'opentelemetry-instrumentation-http_client', '~> 0.23.0', require: false
+  gem 'opentelemetry-instrumentation-net_http', '~> 0.23.0', require: false
+  gem 'opentelemetry-instrumentation-pg', '~> 0.30.0', require: false
+  gem 'opentelemetry-instrumentation-rack', '~> 0.26.0', require: false
+  gem 'opentelemetry-instrumentation-rails', '~> 0.36.0', require: false
+  gem 'opentelemetry-instrumentation-redis', '~> 0.26.0', require: false
+  gem 'opentelemetry-instrumentation-sidekiq', '~> 0.26.0', require: false
   gem 'opentelemetry-sdk', '~> 1.4', require: false
 end
 
@@ -125,7 +127,7 @@ group :test do
   gem 'flatware-rspec'
 
   # Adds RSpec Error/Warning annotations to GitHub PRs on the Files tab
-  gem 'rspec-github', '~> 2.4', require: false
+  gem 'rspec-github', '~> 3.0', require: false
 
   # RSpec helpers for email specs
   gem 'email_spec'
@@ -143,9 +145,6 @@ group :test do
   # Used to mock environment variables
   gem 'climate_control'
 
-  # Add back helpers functions removed in Rails 5.1
-  gem 'rails-controller-testing', '~> 1.0'
-
   # Validate schemas in specs
   gem 'json-schema', '~> 5.0'
 
@@ -154,7 +153,7 @@ group :test do
 
   gem 'shoulda-matchers'
 
-  # Coverage formatter for RSpec test if DISABLE_SIMPLECOV is false
+  # Coverage formatter for RSpec
   gem 'simplecov', '~> 0.22', require: false
   gem 'simplecov-lcov', '~> 0.8', require: false
 
@@ -172,7 +171,7 @@ group :development do
   gem 'rubocop-rspec_rails', require: false
 
   # Annotates modules with schema
-  gem 'annotaterb', '~> 4.13'
+  gem 'annotaterb', '~> 4.13', require: false
 
   # Enhanced error message pages for development
   gem 'better_errors', '~> 2.9'
@@ -183,7 +182,7 @@ group :development do
   gem 'letter_opener_web', '~> 3.0'
 
   # Security analysis CLI tools
-  gem 'brakeman', '~> 6.0', require: false
+  gem 'brakeman', '~> 7.0', require: false
   gem 'bundler-audit', '~> 0.9', require: false
 
   # Linter CLI for HAML files
@@ -195,7 +194,7 @@ end
 
 group :development, :test do
   # Interactive Debugging tools
-  gem 'debug', '~> 1.8'
+  gem 'debug', '~> 1.8', require: false
 
   # Generate fake data values
   gem 'faker', '~> 3.2'
@@ -207,7 +206,7 @@ group :development, :test do
   gem 'memory_profiler', require: false
   gem 'ruby-prof', require: false
   gem 'stackprof', require: false
-  gem 'test-prof'
+  gem 'test-prof', require: false
 
   # RSpec runner for rails
   gem 'rspec-rails', '~> 7.0'
@@ -222,7 +221,7 @@ gem 'concurrent-ruby', require: false
 gem 'connection_pool', require: false
 gem 'xorcist', '~> 1.1'
 
-gem 'net-http', '~> 0.5.0'
+gem 'net-http', '~> 0.6.0'
 gem 'rubyzip', '~> 2.3'
 
 gem 'hcaptcha', '~> 7.1'

Gemfile.lock

@@ -1,55 +1,54 @@
 GIT
-  remote: https://github.com/ClearlyClaire/webpush.git
-  revision: f14a4d52e201128b1b00245d11b6de80d6cfdcd9
-  ref: f14a4d52e201128b1b00245d11b6de80d6cfdcd9
+  remote: https://github.com/mastodon/webpush.git
+  revision: 9631ac63045cfabddacc69fc06e919b4c13eb913
+  ref: 9631ac63045cfabddacc69fc06e919b4c13eb913
   specs:
-    webpush (0.3.8)
+    webpush (1.1.0)
       hkdf (~> 0.2)
       jwt (~> 2.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (7.2.2)
-      actionpack (= 7.2.2)
-      activesupport (= 7.2.2)
+    actioncable (8.0.1)
+      actionpack (= 8.0.1)
+      activesupport (= 8.0.1)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
       zeitwerk (~> 2.6)
-    actionmailbox (7.2.2)
-      actionpack (= 7.2.2)
-      activejob (= 7.2.2)
-      activerecord (= 7.2.2)
-      activestorage (= 7.2.2)
-      activesupport (= 7.2.2)
+    actionmailbox (8.0.1)
+      actionpack (= 8.0.1)
+      activejob (= 8.0.1)
+      activerecord (= 8.0.1)
+      activestorage (= 8.0.1)
+      activesupport (= 8.0.1)
       mail (>= 2.8.0)
-    actionmailer (7.2.2)
-      actionpack (= 7.2.2)
-      actionview (= 7.2.2)
-      activejob (= 7.2.2)
-      activesupport (= 7.2.2)
+    actionmailer (8.0.1)
+      actionpack (= 8.0.1)
+      actionview (= 8.0.1)
+      activejob (= 8.0.1)
+      activesupport (= 8.0.1)
       mail (>= 2.8.0)
       rails-dom-testing (~> 2.2)
-    actionpack (7.2.2)
-      actionview (= 7.2.2)
-      activesupport (= 7.2.2)
+    actionpack (8.0.1)
+      actionview (= 8.0.1)
+      activesupport (= 8.0.1)
       nokogiri (>= 1.8.5)
-      racc
-      rack (>= 2.2.4, < 3.2)
+      rack (>= 2.2.4)
       rack-session (>= 1.0.1)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.2)
       rails-html-sanitizer (~> 1.6)
       useragent (~> 0.16)
-    actiontext (7.2.2)
-      actionpack (= 7.2.2)
-      activerecord (= 7.2.2)
-      activestorage (= 7.2.2)
-      activesupport (= 7.2.2)
+    actiontext (8.0.1)
+      actionpack (= 8.0.1)
+      activerecord (= 8.0.1)
+      activestorage (= 8.0.1)
+      activesupport (= 8.0.1)
       globalid (>= 0.6.0)
       nokogiri (>= 1.8.5)
-    actionview (7.2.2)
-      activesupport (= 7.2.2)
+    actionview (8.0.1)
+      activesupport (= 8.0.1)
       builder (~> 3.1)
       erubi (~> 1.11)
       rails-dom-testing (~> 2.2)
@@ -59,22 +58,22 @@ GEM
       activemodel (>= 4.1)
       case_transform (>= 0.2)
       jsonapi-renderer (>= 0.1.1.beta1, < 0.3)
-    activejob (7.2.2)
-      activesupport (= 7.2.2)
+    activejob (8.0.1)
+      activesupport (= 8.0.1)
       globalid (>= 0.3.6)
-    activemodel (7.2.2)
-      activesupport (= 7.2.2)
-    activerecord (7.2.2)
-      activemodel (= 7.2.2)
-      activesupport (= 7.2.2)
+    activemodel (8.0.1)
+      activesupport (= 8.0.1)
+    activerecord (8.0.1)
+      activemodel (= 8.0.1)
+      activesupport (= 8.0.1)
       timeout (>= 0.4.0)
-    activestorage (7.2.2)
-      actionpack (= 7.2.2)
-      activejob (= 7.2.2)
-      activerecord (= 7.2.2)
-      activesupport (= 7.2.2)
+    activestorage (8.0.1)
+      actionpack (= 8.0.1)
+      activejob (= 8.0.1)
+      activerecord (= 8.0.1)
+      activesupport (= 8.0.1)
       marcel (~> 1.0)
-    activesupport (7.2.2)
+    activesupport (8.0.1)
       base64
       benchmark (>= 0.3)
       bigdecimal
@@ -86,16 +85,17 @@ GEM
       minitest (>= 5.1)
       securerandom (>= 0.3)
       tzinfo (~> 2.0, >= 2.0.5)
+      uri (>= 0.13.1)
     addressable (2.8.7)
       public_suffix (>= 2.0.2, < 7.0)
     aes_key_wrap (1.1.0)
     android_key_attestation (0.3.0)
-    annotaterb (4.13.0)
+    annotaterb (4.14.0)
     ast (2.4.2)
     attr_required (1.0.2)
     aws-eventstream (1.3.0)
-    aws-partitions (1.1015.0)
-    aws-sdk-core (3.214.0)
+    aws-partitions (1.1032.0)
+    aws-sdk-core (3.214.1)
       aws-eventstream (~> 1, >= 1.3.0)
       aws-partitions (~> 1, >= 1.992.0)
       aws-sigv4 (~> 1.9)
@@ -103,13 +103,13 @@ GEM
     aws-sdk-kms (1.96.0)
       aws-sdk-core (~> 3, >= 3.210.0)
       aws-sigv4 (~> 1.5)
-    aws-sdk-s3 (1.175.0)
+    aws-sdk-s3 (1.177.0)
       aws-sdk-core (~> 3, >= 3.210.0)
       aws-sdk-kms (~> 1)
       aws-sigv4 (~> 1.5)
     aws-sigv4 (1.10.1)
       aws-eventstream (~> 1, >= 1.0.2)
-    azure-blob (0.5.3)
+    azure-blob (0.5.4)
       rexml
     base64 (0.2.0)
     bcp47_spec (0.2.1)
@@ -119,16 +119,16 @@ GEM
       erubi (>= 1.0.0)
       rack (>= 0.9.0)
       rouge (>= 1.0.0)
-    bigdecimal (3.1.8)
+    bigdecimal (3.1.9)
     bindata (2.5.0)
     binding_of_caller (1.0.1)
       debug_inspector (>= 1.2.0)
     blurhash (0.1.8)
     bootsnap (1.18.4)
       msgpack (~> 1.2)
-    brakeman (6.2.2)
+    brakeman (7.0.0)
       racc
-    browser (6.1.0)
+    browser (6.2.0)
     brpoplpush-redis_script (0.1.3)
       concurrent-ruby (~> 1.0, >= 1.0.5)
       redis (>= 1.0, < 6)
@@ -159,8 +159,8 @@ GEM
     climate_control (1.2.0)
     cocoon (1.2.15)
     color_diff (0.1)
-    concurrent-ruby (1.3.4)
-    connection_pool (2.4.1)
+    concurrent-ruby (1.3.5)
+    connection_pool (2.5.0)
     cose (1.3.1)
       cbor (~> 0.5.9)
       openssl-signature_algorithm (~> 1.0)
@@ -168,15 +168,15 @@ GEM
       bigdecimal
       rexml
     crass (1.0.6)
-    css_parser (1.19.1)
+    css_parser (1.21.0)
       addressable
-    csv (3.3.0)
+    csv (3.3.2)
     database_cleaner-active_record (2.2.0)
       activerecord (>= 5.a)
       database_cleaner-core (~> 2.0.0)
     database_cleaner-core (2.0.1)
-    date (3.4.0)
-    debug (1.9.2)
+    date (3.4.1)
+    debug (1.10.0)
       irb (~> 1.10)
       reline (>= 0.3.8)
     debug_inspector (1.2.0)
@@ -194,14 +194,14 @@ GEM
     devise_pam_authenticatable2 (9.2.0)
       devise (>= 4.0.0)
       rpam2 (~> 4.0)
-    diff-lcs (1.5.1)
+    diff-lcs (1.6.0)
     discard (1.4.0)
       activerecord (>= 4.2, < 9.0)
     docile (1.4.1)
     domain_name (0.6.20240107)
-    doorkeeper (5.8.0)
+    doorkeeper (5.8.1)
       railties (>= 5)
-    dotenv (3.1.4)
+    dotenv (3.1.7)
     drb (2.2.1)
     elasticsearch (7.17.11)
       elasticsearch-api (= 7.17.11)
@@ -217,42 +217,42 @@ GEM
       htmlentities (~> 4.3.3)
       launchy (>= 2.1, < 4.0)
       mail (~> 2.7)
-    erubi (1.13.0)
+    erubi (1.13.1)
     et-orbi (1.2.11)
       tzinfo
-    excon (0.112.0)
+    excon (1.2.3)
     fabrication (2.31.0)
     faker (3.5.1)
       i18n (>= 1.8.11, < 2)
-    faraday (2.12.0)
-      faraday-net_http (>= 2.0, < 3.4)
+    faraday (2.12.2)
+      faraday-net_http (>= 2.0, < 3.5)
       json
       logger
     faraday-httpclient (2.0.1)
       httpclient (>= 2.2)
-    faraday-net_http (3.3.0)
-      net-http
+    faraday-net_http (3.4.0)
+      net-http (>= 0.5.0)
     fast_blank (1.0.1)
-    fastimage (2.3.1)
-    ffi (1.17.0)
+    fastimage (2.4.0)
+    ffi (1.17.1)
     ffi-compiler (1.3.2)
       ffi (>= 1.15.5)
       rake
-    flatware (2.3.3)
+    flatware (2.3.4)
       drb
       thor (< 2.0)
-    flatware-rspec (2.3.3)
-      flatware (= 2.3.3)
+    flatware-rspec (2.3.4)
+      flatware (= 2.3.4)
       rspec (>= 3.6)
-    fog-core (2.5.0)
+    fog-core (2.6.0)
       builder
-      excon (~> 0.71)
+      excon (~> 1.0)
       formatador (>= 0.2, < 2.0)
       mime-types
     fog-json (1.2.0)
       fog-core
       multi_json (~> 1.10)
-    fog-openstack (1.1.3)
+    fog-openstack (1.1.4)
       fog-core (~> 2.1)
       fog-json (>= 1.0)
     formatador (1.1.0)
@@ -273,17 +273,17 @@ GEM
       activesupport (>= 5.1)
       haml (>= 4.0.6)
       railties (>= 5.1)
-    haml_lint (0.59.0)
+    haml_lint (0.61.0)
       haml (>= 5.0)
       parallel (~> 1.10)
       rainbow
       rubocop (>= 1.0)
       sysexits (~> 1.1)
-    hashdiff (1.1.1)
+    hashdiff (1.1.2)
     hashie (5.0.0)
     hcaptcha (7.1.0)
       json
-    highline (3.1.1)
+    highline (3.1.2)
       reline
     hiredis (0.6.3)
     hkdf (0.3.0)
@@ -294,7 +294,7 @@ GEM
       http-cookie (~> 1.0)
       http-form_data (~> 2.2)
       llhttp-ffi (~> 0.5.0)
-    http-cookie (1.0.5)
+    http-cookie (1.0.8)
       domain_name (~> 0.5)
     http-form_data (2.3.0)
     http_accept_language (2.1.1)
@@ -302,7 +302,7 @@ GEM
     httplog (1.7.0)
       rack (>= 2.0)
       rainbow (>= 2.0.0)
-    i18n (1.14.6)
+    i18n (1.14.7)
       concurrent-ruby (~> 1.0)
     i18n-tasks (1.0.14)
       activesupport (>= 4.0.2)
@@ -318,8 +318,9 @@ GEM
     inline_svg (1.10.0)
       activesupport (>= 3.0)
       nokogiri (>= 1.6)
-    io-console (0.7.2)
-    irb (1.14.1)
+    io-console (0.8.0)
+    irb (1.15.1)
+      pp (>= 0.6.0)
       rdoc (>= 4.0.0)
       reline (>= 0.4.2)
     jd-paperclip-azure (3.0.0)
@@ -327,7 +328,7 @@ GEM
       azure-blob (~> 0.5.2)
       hashie (~> 5.0)
     jmespath (1.6.2)
-    json (2.8.1)
+    json (2.10.1)
     json-canonicalization (1.0.0)
     json-jwt (1.15.3.1)
       activesupport (>= 4.2)
@@ -349,7 +350,7 @@ GEM
       addressable (~> 2.8)
       bigdecimal (~> 3.1)
     jsonapi-renderer (0.2.2)
-    jwt (2.9.3)
+    jwt (2.10.1)
       base64
     kaminari (1.2.2)
       activesupport (>= 4.1.0)
@@ -369,10 +370,11 @@ GEM
       marcel (~> 1.0.1)
       mime-types
       terrapin (>= 0.6.0, < 2.0)
-    language_server-protocol (3.17.0.3)
-    launchy (3.0.1)
+    language_server-protocol (3.17.0.4)
+    launchy (3.1.0)
       addressable (~> 2.8)
       childprocess (~> 5.0)
+      logger (~> 1.6)
     letter_opener (1.10.0)
       launchy (>= 2.2, < 4)
     letter_opener_web (3.0.0)
@@ -381,16 +383,17 @@ GEM
       railties (>= 6.1)
       rexml
     link_header (0.0.8)
+    lint_roller (1.1.0)
     llhttp-ffi (0.5.0)
       ffi-compiler (~> 1.0)
       rake (~> 13.0)
-    logger (1.6.1)
+    logger (1.6.6)
     lograge (0.14.0)
       actionpack (>= 4)
       activesupport (>= 4)
       railties (>= 4)
       request_store (~> 1.0)
-    loofah (2.23.1)
+    loofah (2.24.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
     mail (2.8.1)
@@ -406,16 +409,16 @@ GEM
     mime-types (3.6.0)
       logger
       mime-types-data (~> 3.2015)
-    mime-types-data (3.2024.1105)
+    mime-types-data (3.2025.0220)
     mini_mime (1.1.5)
     mini_portile2 (2.8.8)
-    minitest (5.25.2)
-    msgpack (1.7.5)
+    minitest (5.25.4)
+    msgpack (1.8.0)
     multi_json (1.15.0)
     mutex_m (0.3.0)
-    net-http (0.5.0)
+    net-http (0.6.0)
       uri
-    net-imap (0.5.1)
+    net-imap (0.5.6)
       date
       net-protocol
     net-ldap (0.19.0)
@@ -423,13 +426,13 @@ GEM
       net-protocol
     net-protocol (0.2.2)
       timeout
-    net-smtp (0.5.0)
+    net-smtp (0.5.1)
       net-protocol
     nio4r (2.7.4)
-    nokogiri (1.16.8)
+    nokogiri (1.18.3)
       mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
-    oj (3.16.7)
+    oj (3.16.10)
       bigdecimal (>= 3.0)
       ostruct (>= 0.2)
     omniauth (2.1.2)
@@ -460,92 +463,99 @@ GEM
       validate_email
       validate_url
       webfinger (~> 1.2)
-    openssl (3.2.0)
+    openssl (3.3.0)
     openssl-signature_algorithm (1.3.0)
       openssl (> 2.0)
     opentelemetry-api (1.4.0)
     opentelemetry-common (0.21.0)
       opentelemetry-api (~> 1.0)
-    opentelemetry-exporter-otlp (0.29.0)
+    opentelemetry-exporter-otlp (0.29.1)
       google-protobuf (>= 3.18)
       googleapis-common-protos-types (~> 1.3)
       opentelemetry-api (~> 1.1)
       opentelemetry-common (~> 0.20)
       opentelemetry-sdk (~> 1.2)
       opentelemetry-semantic_conventions
-    opentelemetry-helpers-sql-obfuscation (0.2.1)
+    opentelemetry-helpers-sql-obfuscation (0.3.0)
       opentelemetry-common (~> 0.21)
-    opentelemetry-instrumentation-action_mailer (0.2.0)
+    opentelemetry-instrumentation-action_mailer (0.4.0)
       opentelemetry-api (~> 1.0)
-      opentelemetry-instrumentation-active_support (~> 0.1)
-      opentelemetry-instrumentation-base (~> 0.22.1)
-    opentelemetry-instrumentation-action_pack (0.10.0)
+      opentelemetry-instrumentation-active_support (~> 0.7)
+      opentelemetry-instrumentation-base (~> 0.23.0)
+    opentelemetry-instrumentation-action_pack (0.12.0)
       opentelemetry-api (~> 1.0)
-      opentelemetry-instrumentation-base (~> 0.22.1)
+      opentelemetry-instrumentation-base (~> 0.23.0)
       opentelemetry-instrumentation-rack (~> 0.21)
-    opentelemetry-instrumentation-action_view (0.7.3)
+    opentelemetry-instrumentation-action_view (0.9.0)
       opentelemetry-api (~> 1.0)
-      opentelemetry-instrumentation-active_support (~> 0.6)
-      opentelemetry-instrumentation-base (~> 0.22.1)
-    opentelemetry-instrumentation-active_job (0.7.8)
+      opentelemetry-instrumentation-active_support (~> 0.7)
+      opentelemetry-instrumentation-base (~> 0.23.0)
+    opentelemetry-instrumentation-active_job (0.8.0)
       opentelemetry-api (~> 1.0)
-      opentelemetry-instrumentation-base (~> 0.22.1)
-    opentelemetry-instrumentation-active_model_serializers (0.20.2)
+      opentelemetry-instrumentation-base (~> 0.23.0)
+    opentelemetry-instrumentation-active_model_serializers (0.22.0)
       opentelemetry-api (~> 1.0)
-      opentelemetry-instrumentation-base (~> 0.22.1)
-    opentelemetry-instrumentation-active_record (0.8.1)
+      opentelemetry-instrumentation-active_support (>= 0.7.0)
+      opentelemetry-instrumentation-base (~> 0.23.0)
+    opentelemetry-instrumentation-active_record (0.9.0)
       opentelemetry-api (~> 1.0)
-      opentelemetry-instrumentation-base (~> 0.22.1)
-    opentelemetry-instrumentation-active_support (0.6.0)
+      opentelemetry-instrumentation-base (~> 0.23.0)
+    opentelemetry-instrumentation-active_storage (0.1.0)
+      opentelemetry-api (~> 1.4.0)
+      opentelemetry-instrumentation-active_support (~> 0.7)
+      opentelemetry-instrumentation-base (~> 0.23.0)
+    opentelemetry-instrumentation-active_support (0.8.0)
       opentelemetry-api (~> 1.0)
-      opentelemetry-instrumentation-base (~> 0.22.1)
-    opentelemetry-instrumentation-base (0.22.6)
+      opentelemetry-instrumentation-base (~> 0.23.0)
+    opentelemetry-instrumentation-base (0.23.0)
       opentelemetry-api (~> 1.0)
       opentelemetry-common (~> 0.21)
       opentelemetry-registry (~> 0.1)
-    opentelemetry-instrumentation-concurrent_ruby (0.21.4)
+    opentelemetry-instrumentation-concurrent_ruby (0.22.0)
       opentelemetry-api (~> 1.0)
-      opentelemetry-instrumentation-base (~> 0.22.1)
-    opentelemetry-instrumentation-excon (0.22.5)
+      opentelemetry-instrumentation-base (~> 0.23.0)
+    opentelemetry-instrumentation-excon (0.23.0)
       opentelemetry-api (~> 1.0)
-      opentelemetry-instrumentation-base (~> 0.22.1)
-    opentelemetry-instrumentation-faraday (0.24.7)
+      opentelemetry-instrumentation-base (~> 0.23.0)
+    opentelemetry-instrumentation-faraday (0.26.0)
       opentelemetry-api (~> 1.0)
-      opentelemetry-instrumentation-base (~> 0.22.1)
-    opentelemetry-instrumentation-http (0.23.5)
+      opentelemetry-instrumentation-base (~> 0.23.0)
+    opentelemetry-instrumentation-http (0.24.0)
       opentelemetry-api (~> 1.0)
-      opentelemetry-instrumentation-base (~> 0.22.1)
-    opentelemetry-instrumentation-http_client (0.22.8)
+      opentelemetry-instrumentation-base (~> 0.23.0)
+    opentelemetry-instrumentation-http_client (0.23.0)
       opentelemetry-api (~> 1.0)
-      opentelemetry-instrumentation-base (~> 0.22.1)
-    opentelemetry-instrumentation-net_http (0.22.8)
+      opentelemetry-instrumentation-base (~> 0.23.0)
+    opentelemetry-instrumentation-net_http (0.23.0)
       opentelemetry-api (~> 1.0)
-      opentelemetry-instrumentation-base (~> 0.22.1)
-    opentelemetry-instrumentation-pg (0.29.1)
+      opentelemetry-instrumentation-base (~> 0.23.0)
+    opentelemetry-instrumentation-pg (0.30.0)
       opentelemetry-api (~> 1.0)
       opentelemetry-helpers-sql-obfuscation
-      opentelemetry-instrumentation-base (~> 0.22.1)
-    opentelemetry-instrumentation-rack (0.25.0)
+      opentelemetry-instrumentation-base (~> 0.23.0)
+    opentelemetry-instrumentation-rack (0.26.0)
       opentelemetry-api (~> 1.0)
-      opentelemetry-instrumentation-base (~> 0.22.1)
-    opentelemetry-instrumentation-rails (0.33.1)
+      opentelemetry-instrumentation-base (~> 0.23.0)
+    opentelemetry-instrumentation-rails (0.36.0)
       opentelemetry-api (~> 1.0)
-      opentelemetry-instrumentation-action_mailer (~> 0.2.0)
-      opentelemetry-instrumentation-action_pack (~> 0.10.0)
-      opentelemetry-instrumentation-action_view (~> 0.7.0)
-      opentelemetry-instrumentation-active_job (~> 0.7.0)
-      opentelemetry-instrumentation-active_record (~> 0.8.0)
-      opentelemetry-instrumentation-active_support (~> 0.6.0)
-      opentelemetry-instrumentation-base (~> 0.22.1)
-    opentelemetry-instrumentation-redis (0.25.7)
+      opentelemetry-instrumentation-action_mailer (~> 0.4.0)
+      opentelemetry-instrumentation-action_pack (~> 0.12.0)
+      opentelemetry-instrumentation-action_view (~> 0.9.0)
+      opentelemetry-instrumentation-active_job (~> 0.8.0)
+      opentelemetry-instrumentation-active_record (~> 0.9.0)
+      opentelemetry-instrumentation-active_storage (~> 0.1.0)
+      opentelemetry-instrumentation-active_support (~> 0.8.0)
+      opentelemetry-instrumentation-base (~> 0.23.0)
+      opentelemetry-instrumentation-concurrent_ruby (~> 0.22.0)
+    opentelemetry-instrumentation-redis (0.26.1)
       opentelemetry-api (~> 1.0)
-      opentelemetry-instrumentation-base (~> 0.22.1)
-    opentelemetry-instrumentation-sidekiq (0.25.7)
+      opentelemetry-instrumentation-base (~> 0.23.0)
+    opentelemetry-instrumentation-sidekiq (0.26.0)
       opentelemetry-api (~> 1.0)
-      opentelemetry-instrumentation-base (~> 0.22.1)
+      opentelemetry-instrumentation-base (~> 0.23.0)
     opentelemetry-registry (0.3.1)
       opentelemetry-api (~> 1.1)
-    opentelemetry-sdk (1.5.0)
+    opentelemetry-sdk (1.7.0)
       opentelemetry-api (~> 1.1)
       opentelemetry-common (~> 0.20)
       opentelemetry-registry (~> 0.2)
@@ -554,9 +564,10 @@ GEM
       opentelemetry-api (~> 1.0)
     orm_adapter (0.5.0)
     ostruct (0.6.1)
-    ox (2.14.18)
+    ox (2.14.22)
+      bigdecimal (>= 3.0)
     parallel (1.26.3)
-    parser (3.3.6.0)
+    parser (3.3.7.1)
       ast (~> 2.4.1)
       racc
     parslet (2.0.0)
@@ -565,6 +576,8 @@ GEM
     pg (1.5.9)
     pghero (3.6.1)
       activerecord (>= 6.1)
+    pp (0.6.2)
+      prettyprint
     premailer (1.27.0)
       addressable
       css_parser (>= 1.19.0)
@@ -573,21 +586,25 @@ GEM
       actionmailer (>= 3)
       net-smtp
       premailer (~> 1.7, >= 1.7.9)
+    prettyprint (0.2.0)
+    prometheus_exporter (2.2.0)
+      webrick
     propshaft (1.1.0)
       actionpack (>= 7.0.0)
       activesupport (>= 7.0.0)
       rack
       railties (>= 7.0.0)
-    psych (5.2.0)
+    psych (5.2.3)
+      date
       stringio
     public_suffix (6.0.1)
-    puma (6.5.0)
+    puma (6.6.0)
       nio4r (~> 2.0)
     pundit (2.4.0)
       activesupport (>= 3.0.0)
     raabro (1.4.0)
     racc (1.8.1)
-    rack (2.2.10)
+    rack (2.2.11)
     rack-attack (6.7.0)
       rack (>= 1.0, < 4)
     rack-cors (2.0.2)
@@ -605,42 +622,38 @@ GEM
       rack
     rack-session (1.0.2)
       rack (< 3)
-    rack-test (2.1.0)
+    rack-test (2.2.0)
       rack (>= 1.3)
-    rackup (1.0.0)
+    rackup (1.0.1)
       rack (< 3)
       webrick
-    rails (7.2.2)
-      actioncable (= 7.2.2)
-      actionmailbox (= 7.2.2)
-      actionmailer (= 7.2.2)
-      actionpack (= 7.2.2)
-      actiontext (= 7.2.2)
-      actionview (= 7.2.2)
-      activejob (= 7.2.2)
-      activemodel (= 7.2.2)
-      activerecord (= 7.2.2)
-      activestorage (= 7.2.2)
-      activesupport (= 7.2.2)
+    rails (8.0.1)
+      actioncable (= 8.0.1)
+      actionmailbox (= 8.0.1)
+      actionmailer (= 8.0.1)
+      actionpack (= 8.0.1)
+      actiontext (= 8.0.1)
+      actionview (= 8.0.1)
+      activejob (= 8.0.1)
+      activemodel (= 8.0.1)
+      activerecord (= 8.0.1)
+      activestorage (= 8.0.1)
+      activesupport (= 8.0.1)
       bundler (>= 1.15.0)
-      railties (= 7.2.2)
-    rails-controller-testing (1.0.5)
-      actionpack (>= 5.0.1.rc1)
-      actionview (>= 5.0.1.rc1)
-      activesupport (>= 5.0.1.rc1)
+      railties (= 8.0.1)
     rails-dom-testing (2.2.0)
       activesupport (>= 5.0.0)
       minitest
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.6.0)
+    rails-html-sanitizer (1.6.2)
       loofah (~> 2.21)
-      nokogiri (~> 1.14)
-    rails-i18n (7.0.10)
+      nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
+    rails-i18n (8.0.1)
       i18n (>= 0.7, < 2)
-      railties (>= 6.0.0, < 8)
-    railties (7.2.2)
-      actionpack (= 7.2.2)
-      activesupport (= 7.2.2)
+      railties (>= 8.0.0, < 9)
+    railties (8.0.1)
+      actionpack (= 8.0.1)
+      activesupport (= 8.0.1)
       irb (~> 1.13)
       rackup (>= 1.0.0)
       rake (>= 12.2)
@@ -654,7 +667,7 @@ GEM
       link_header (~> 0.0, >= 0.0.8)
     rdf-normalize (0.7.0)
       rdf (~> 3.3)
-    rdoc (6.7.0)
+    rdoc (6.12.0)
       psych (>= 4.0.0)
     redcarpet (3.6.0)
     redis (4.8.1)
@@ -662,15 +675,15 @@ GEM
       redis (>= 4)
     redlock (1.3.2)
       redis (>= 3.0.0, < 6.0)
-    regexp_parser (2.9.2)
-    reline (0.5.11)
+    regexp_parser (2.10.0)
+    reline (0.6.0)
       io-console (~> 0.5)
-    request_store (1.6.0)
+    request_store (1.7.0)
       rack (>= 1.4)
     responders (3.1.1)
       actionpack (>= 5.2)
       railties (>= 5.2)
-    rexml (3.3.9)
+    rexml (3.4.1)
     rotp (6.3.0)
     rouge (4.5.1)
     rpam2 (4.0.2)
@@ -682,17 +695,17 @@ GEM
       rspec-core (~> 3.13.0)
       rspec-expectations (~> 3.13.0)
       rspec-mocks (~> 3.13.0)
-    rspec-core (3.13.2)
+    rspec-core (3.13.3)
       rspec-support (~> 3.13.0)
     rspec-expectations (3.13.3)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
-    rspec-github (2.4.0)
+    rspec-github (3.0.0)
       rspec-core (~> 3.0)
     rspec-mocks (3.13.2)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
-    rspec-rails (7.1.0)
+    rspec-rails (7.1.1)
       actionpack (>= 7.0)
       activesupport (>= 7.0)
       railties (>= 7.0)
@@ -705,31 +718,35 @@ GEM
       rspec-expectations (~> 3.0)
       rspec-mocks (~> 3.0)
       sidekiq (>= 5, < 8)
-    rspec-support (3.13.1)
-    rubocop (1.66.1)
+    rspec-support (3.13.2)
+    rubocop (1.72.2)
       json (~> 2.3)
-      language_server-protocol (>= 3.17.0)
+      language_server-protocol (~> 3.17.0.2)
+      lint_roller (~> 1.1.0)
       parallel (~> 1.10)
       parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
-      regexp_parser (>= 2.4, < 3.0)
-      rubocop-ast (>= 1.32.2, < 2.0)
+      regexp_parser (>= 2.9.3, < 3.0)
+      rubocop-ast (>= 1.38.0, < 2.0)
       ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.32.3)
+      unicode-display_width (>= 2.4.0, < 4.0)
+    rubocop-ast (1.38.0)
       parser (>= 3.3.1.0)
     rubocop-capybara (2.21.0)
       rubocop (~> 1.41)
-    rubocop-performance (1.22.1)
-      rubocop (>= 1.48.1, < 2.0)
-      rubocop-ast (>= 1.31.1, < 2.0)
-    rubocop-rails (2.27.0)
+    rubocop-performance (1.24.0)
+      lint_roller (~> 1.1)
+      rubocop (>= 1.72.1, < 2.0)
+      rubocop-ast (>= 1.38.0, < 2.0)
+    rubocop-rails (2.30.2)
       activesupport (>= 4.2.0)
+      lint_roller (~> 1.1)
       rack (>= 1.1)
-      rubocop (>= 1.52.0, < 2.0)
-      rubocop-ast (>= 1.31.1, < 2.0)
-    rubocop-rspec (3.2.0)
-      rubocop (~> 1.61)
+      rubocop (>= 1.72.1, < 2.0)
+      rubocop-ast (>= 1.38.0, < 2.0)
+    rubocop-rspec (3.5.0)
+      lint_roller (~> 1.1)
+      rubocop (~> 1.72, >= 1.72.1)
     rubocop-rspec_rails (2.30.0)
       rubocop (~> 1.61)
       rubocop-rspec (~> 3, >= 3.0.1)
@@ -738,28 +755,28 @@ GEM
     ruby-saml (1.17.0)
       nokogiri (>= 1.13.10)
       rexml
-    ruby-vips (2.2.2)
+    ruby-vips (2.2.3)
       ffi (~> 1.12)
       logger
-    rubyzip (2.3.2)
-    rufus-scheduler (3.9.1)
-      fugit (~> 1.1, >= 1.1.6)
+    rubyzip (2.4.1)
+    rufus-scheduler (3.9.2)
+      fugit (~> 1.1, >= 1.11.1)
     safety_net_attestation (0.4.0)
       jwt (~> 2.0)
-    sanitize (6.1.3)
+    sanitize (7.0.0)
       crass (~> 1.0.2)
-      nokogiri (>= 1.12.0)
+      nokogiri (>= 1.16.8)
     scenic (1.8.0)
       activerecord (>= 4.0.0)
       railties (>= 4.0.0)
-    securerandom (0.3.2)
-    selenium-webdriver (4.27.0)
+    securerandom (0.4.1)
+    selenium-webdriver (4.29.1)
       base64 (~> 0.2)
       logger (~> 1.4)
       rexml (~> 3.2, >= 3.2.5)
       rubyzip (>= 1.2.2, < 3.0)
       websocket (~> 1.0)
-    semantic_range (3.0.0)
+    semantic_range (3.1.0)
     shoulda-matchers (6.4.0)
       activesupport (>= 5.2.0)
     sidekiq (6.5.12)
@@ -790,27 +807,27 @@ GEM
     simplecov-html (0.13.1)
     simplecov-lcov (0.8.0)
     simplecov_json_formatter (0.1.4)
-    stackprof (0.2.26)
-    stoplight (4.1.0)
+    stackprof (0.2.27)
+    stoplight (4.1.1)
       redlock (~> 1.0)
-    stringio (3.1.2)
-    strong_migrations (2.1.0)
-      activerecord (>= 6.1)
+    stringio (3.1.4)
+    strong_migrations (2.2.0)
+      activerecord (>= 7)
     swd (1.3.0)
       activesupport (>= 3)
       attr_required (>= 0.0.5)
       httpclient (>= 2.4)
     sysexits (1.2.0)
     temple (0.10.3)
-    terminal-table (3.0.2)
-      unicode-display_width (>= 1.1.1, < 3)
+    terminal-table (4.0.0)
+      unicode-display_width (>= 1.1.1, < 4)
     terrapin (1.0.1)
       climate_control
-    test-prof (1.4.2)
+    test-prof (1.4.4)
     thor (1.3.2)
-    tilt (2.4.0)
-    timeout (0.4.2)
-    tpm-key_attestation (0.12.1)
+    tilt (2.6.0)
+    timeout (0.4.3)
+    tpm-key_attestation (0.14.0)
       bindata (~> 2.4)
       openssl (> 2.0)
       openssl-signature_algorithm (~> 1.0)
@@ -829,14 +846,16 @@ GEM
       unf (~> 0.1.0)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
-    tzinfo-data (1.2024.2)
+    tzinfo-data (1.2025.1)
       tzinfo (>= 1.0.0)
     unf (0.1.4)
       unf_ext
     unf_ext (0.0.9.1)
-    unicode-display_width (2.6.0)
-    uri (0.13.1)
-    useragent (0.16.10)
+    unicode-display_width (3.1.4)
+      unicode-emoji (~> 4.0, >= 4.0.4)
+    unicode-emoji (4.0.4)
+    uri (1.0.2)
+    useragent (0.16.11)
     validate_email (0.1.6)
       activemodel (>= 3.0)
       mail (>= 2.2.5)
@@ -845,18 +864,18 @@ GEM
       public_suffix
     warden (1.2.9)
       rack (>= 2.0.9)
-    webauthn (3.2.2)
+    webauthn (3.4.0)
       android_key_attestation (~> 0.3.0)
       bindata (~> 2.4)
       cbor (~> 0.5.9)
       cose (~> 1.1)
       openssl (>= 2.2)
       safety_net_attestation (~> 0.4.0)
-      tpm-key_attestation (~> 0.12.0)
+      tpm-key_attestation (~> 0.14.0)
     webfinger (1.2.0)
       activesupport
       httpclient (>= 2.4)
-    webmock (3.24.0)
+    webmock (3.25.0)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
@@ -865,16 +884,17 @@ GEM
       rack-proxy (>= 0.6.1)
       railties (>= 5.2)
       semantic_range (>= 2.3.0)
-    webrick (1.9.0)
+    webrick (1.9.1)
     websocket (1.2.11)
-    websocket-driver (0.7.6)
+    websocket-driver (0.7.7)
+      base64
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.5)
     wisper (2.0.1)
     xorcist (1.1.3)
     xpath (3.2.0)
       nokogiri (~> 1.8)
-    zeitwerk (2.7.1)
+    zeitwerk (2.7.2)
 
 PLATFORMS
   ruby
@@ -888,7 +908,7 @@ DEPENDENCIES
   binding_of_caller (~> 1.0)
   blurhash (~> 0.1)
   bootsnap (~> 1.18.0)
-  brakeman (~> 6.0)
+  brakeman (~> 7.0)
   browser
   bundler-audit (~> 0.9)
   capybara (~> 3.39)
@@ -945,7 +965,7 @@ DEPENDENCIES
   memory_profiler
   mime-types (~> 3.6.0)
   mutex_m
-  net-http (~> 0.5.0)
+  net-http (~> 0.6.0)
   net-ldap (~> 0.18)
   nokogiri (~> 1.15)
   oj (~> 3.14)
@@ -956,25 +976,26 @@ DEPENDENCIES
   omniauth_openid_connect (~> 0.6.1)
   opentelemetry-api (~> 1.4.0)
   opentelemetry-exporter-otlp (~> 0.29.0)
-  opentelemetry-instrumentation-active_job (~> 0.7.1)
-  opentelemetry-instrumentation-active_model_serializers (~> 0.20.1)
-  opentelemetry-instrumentation-concurrent_ruby (~> 0.21.2)
-  opentelemetry-instrumentation-excon (~> 0.22.0)
-  opentelemetry-instrumentation-faraday (~> 0.24.1)
-  opentelemetry-instrumentation-http (~> 0.23.2)
-  opentelemetry-instrumentation-http_client (~> 0.22.3)
-  opentelemetry-instrumentation-net_http (~> 0.22.4)
-  opentelemetry-instrumentation-pg (~> 0.29.0)
-  opentelemetry-instrumentation-rack (~> 0.25.0)
-  opentelemetry-instrumentation-rails (~> 0.33.0)
-  opentelemetry-instrumentation-redis (~> 0.25.3)
-  opentelemetry-instrumentation-sidekiq (~> 0.25.2)
+  opentelemetry-instrumentation-active_job (~> 0.8.0)
+  opentelemetry-instrumentation-active_model_serializers (~> 0.22.0)
+  opentelemetry-instrumentation-concurrent_ruby (~> 0.22.0)
+  opentelemetry-instrumentation-excon (~> 0.23.0)
+  opentelemetry-instrumentation-faraday (~> 0.26.0)
+  opentelemetry-instrumentation-http (~> 0.24.0)
+  opentelemetry-instrumentation-http_client (~> 0.23.0)
+  opentelemetry-instrumentation-net_http (~> 0.23.0)
+  opentelemetry-instrumentation-pg (~> 0.30.0)
+  opentelemetry-instrumentation-rack (~> 0.26.0)
+  opentelemetry-instrumentation-rails (~> 0.36.0)
+  opentelemetry-instrumentation-redis (~> 0.26.0)
+  opentelemetry-instrumentation-sidekiq (~> 0.26.0)
   opentelemetry-sdk (~> 1.4)
   ox (~> 2.14)
   parslet
   pg (~> 1.5)
   pghero
   premailer-rails
+  prometheus_exporter (~> 2.2)
   propshaft
   public_suffix (~> 6.0)
   puma (~> 6.3)
@@ -983,15 +1004,14 @@ DEPENDENCIES
   rack-attack (~> 6.6)
   rack-cors (~> 2.0)
   rack-test (~> 2.1)
-  rails (~> 7.2.0)
-  rails-controller-testing (~> 1.0)
-  rails-i18n (~> 7.0)
+  rails (~> 8.0)
+  rails-i18n (~> 8.0)
   rdf-normalize (~> 0.5)
   redcarpet (~> 3.6)
   redis (~> 4.5)
   redis-namespace (~> 1.10)
   rqrcode (~> 2.2)
-  rspec-github (~> 2.4)
+  rspec-github (~> 3.0)
   rspec-rails (~> 7.0)
   rspec-sidekiq (~> 5.0)
   rubocop
@@ -1004,7 +1024,7 @@ DEPENDENCIES
   ruby-progressbar (~> 1.13)
   ruby-vips (~> 2.2)
   rubyzip (~> 2.3)
-  sanitize (~> 6.0)
+  sanitize (~> 7.0)
   scenic (~> 1.7)
   selenium-webdriver
   shoulda-matchers
@@ -1031,7 +1051,7 @@ DEPENDENCIES
   xorcist (~> 1.1)
 
 RUBY VERSION
-   ruby 3.3.6p108
+   ruby 3.4.1p0
 
 BUNDLED WITH
-   2.5.23
+   2.6.5

README.md

@@ -1,24 +1,24 @@
-<h1><picture>
-  <source media="(prefers-color-scheme: dark)" srcset="./lib/assets/wordmark.dark.png?raw=true">
-  <source media="(prefers-color-scheme: light)" srcset="./lib/assets/wordmark.light.png?raw=true">
-  <img alt="Mastodon" src="./lib/assets/wordmark.light.png?raw=true" height="34">
-</picture></h1>
+> [!NOTE]
+> Want to learn more about Mastodon?
+> Click below to find out more in a video.
 
-[![GitHub release](https://img.shields.io/github/release/mastodon/mastodon.svg)][releases]
-[![Ruby Testing](https://github.com/mastodon/mastodon/actions/workflows/test-ruby.yml/badge.svg)](https://github.com/mastodon/mastodon/actions/workflows/test-ruby.yml)
-[![Crowdin](https://d322cqt584bo4o.cloudfront.net/mastodon/localized.svg)][crowdin]
+<p align="center">
+  <a style="text-decoration:none" href="https://www.youtube.com/watch?v=IPSbNdBmWKE">
+    <img alt="Mastodon hero image" src="https://github.com/user-attachments/assets/ef53f5e9-c0d8-484d-9f53-00efdebb92c3" />
+  </a>
+</p>
 
-[releases]: https://github.com/mastodon/mastodon/releases
-[crowdin]: https://crowdin.com/project/mastodon
+<p align="center">
+  <a style="text-decoration:none" href="https://github.com/mastodon/mastodon/releases">
+    <img src="https://img.shields.io/github/release/mastodon/mastodon.svg" alt="Release" /></a>
+  <a style="text-decoration:none" href="https://github.com/mastodon/mastodon/actions/workflows/test-ruby.yml">
+    <img src="https://github.com/mastodon/mastodon/actions/workflows/test-ruby.yml/badge.svg" alt="Ruby Testing" /></a>
+  <a style="text-decoration:none" href="https://crowdin.com/project/mastodon">
+    <img src="https://d322cqt584bo4o.cloudfront.net/mastodon/localized.svg" alt="Crowdin" /></a>
+</p>
 
 Mastodon is a **free, open-source social network server** based on ActivityPub where users can follow friends and discover new ones. On Mastodon, users can publish anything they want: links, pictures, text, and video. All Mastodon servers are interoperable as a federated network (users on one server can seamlessly communicate with users from another one, including non-Mastodon software that implements ActivityPub!)
 
-Click below to **learn more** in a video:
-
-[![Screenshot](https://blog.joinmastodon.org/2018/06/why-activitypub-is-the-future/ezgif-2-60f1b00403.gif)][youtube_demo]
-
-[youtube_demo]: https://www.youtube.com/watch?v=IPSbNdBmWKE
-
 ## Navigation
 
 - [Project homepage 🐘](https://joinmastodon.org)
@@ -37,25 +37,15 @@ Click below to **learn more** in a video:
 
 <img src="/app/javascript/images/elephant_ui_working.svg?raw=true" align="right" width="30%" />
 
-### No vendor lock-in: Fully interoperable with any conforming platform
+**No vendor lock-in: Fully interoperable with any conforming platform** - It doesn't have to be Mastodon; whatever implements ActivityPub is part of the social network! [Learn more](https://blog.joinmastodon.org/2018/06/why-activitypub-is-the-future/)
 
-It doesn't have to be Mastodon; whatever implements ActivityPub is part of the social network! [Learn more](https://blog.joinmastodon.org/2018/06/why-activitypub-is-the-future/)
+**Real-time, chronological timeline updates** - updates of people you're following appear in real-time in the UI via WebSockets. There's a firehose view as well!
 
-### Real-time, chronological timeline updates
+**Media attachments like images and short videos** - upload and view images and WebM/MP4 videos attached to the updates. Videos with no audio track are treated like GIFs; normal videos loop continuously!
 
-Updates of people you're following appear in real-time in the UI via WebSockets. There's a firehose view as well!
+**Safety and moderation tools** - Mastodon includes private posts, locked accounts, phrase filtering, muting, blocking, and all sorts of other features, along with a reporting and moderation system. [Learn more](https://blog.joinmastodon.org/2018/07/cage-the-mastodon/)
 
-### Media attachments like images and short videos
-
-Upload and view images and WebM/MP4 videos attached to the updates. Videos with no audio track are treated like GIFs; normal videos loop continuously!
-
-### Safety and moderation tools
-
-Mastodon includes private posts, locked accounts, phrase filtering, muting, blocking, and all sorts of other features, along with a reporting and moderation system. [Learn more](https://blog.joinmastodon.org/2018/07/cage-the-mastodon/)
-
-### OAuth2 and a straightforward REST API
-
-Mastodon acts as an OAuth2 provider, so 3rd party apps can use the REST and Streaming APIs. This results in a rich app ecosystem with a lot of choices!
+**OAuth2 and a straightforward REST API** - Mastodon acts as an OAuth2 provider, so 3rd party apps can use the REST and Streaming APIs. This results in a rich app ecosystem with a lot of choices!
 
 ## Deployment
 
@@ -74,85 +64,40 @@ Mastodon acts as an OAuth2 provider, so 3rd party apps can use the REST and Stre
 
 The repository includes deployment configurations for **Docker and docker-compose** as well as specific platforms like **Heroku**, and **Scalingo**. For Helm charts, reference the [mastodon/chart repository](https://github.com/mastodon/chart). The [**standalone** installation guide](https://docs.joinmastodon.org/admin/install/) is available in the documentation.
 
-## Development
-
-### Vagrant
-
-A **Vagrant** configuration is included for development purposes. To use it, complete the following steps:
-
-- Install Vagrant and Virtualbox
-- Install the `vagrant-hostsupdater` plugin: `vagrant plugin install vagrant-hostsupdater`
-- Run `vagrant up`
-- Run `vagrant ssh -c "cd /vagrant && bin/dev"`
-- Open `http://mastodon.local` in your browser
-
-### macOS
-
-To set up **macOS** for native development, complete the following steps:
-
-- Install [Homebrew] and run `brew install postgresql@14 redis imagemagick
-libidn nvm` to install the required project dependencies
-- Use a Ruby version manager to activate the ruby in `.ruby-version` and run
-  `nvm use` to activate the node version from `.nvmrc`
-- Run the `bin/setup` script, which will install the required ruby gems and node
-  packages and prepare the database for local development
-- Finally, run the `bin/dev` script which will launch services via `overmind`
-  (if installed) or `foreman`
-
-### Docker
-
-For production hosting and deployment with **Docker**, use the `Dockerfile` and
-`docker-compose.yml` in the project root directory.
-
-For local development, install and launch [Docker], and run:
-
-```shell
-docker compose -f .devcontainer/compose.yaml up -d
-docker compose -f .devcontainer/compose.yaml exec app bin/setup
-docker compose -f .devcontainer/compose.yaml exec app bin/dev
-```
-
-### Dev Containers
-
-Within IDEs that support the [Development Containers] specification, start the
-"Mastodon on local machine" container from the editor. The necessary `docker
-compose` commands to build and setup the container should run automatically. For
-**Visual Studio Code** this requires installing the [Dev Container extension].
-
-### GitHub Codespaces
-
-[GitHub Codespaces] provides a web-based version of VS Code and a cloud hosted
-development environment configured with the software needed for this project.
-
-[![Open in GitHub Codespaces](https://github.com/codespaces/badge.svg)][codespace]
-
-- Click the button to create a new codespace, and confirm the options
-- Wait for the environment to build (takes a few minutes)
-- When the editor is ready, run `bin/dev` in the terminal
-- Wait for an _Open in Browser_ prompt. This will open Mastodon
-- On the _Ports_ tab "stream" setting change _Port visibility_ → _Public_
-
 ## Contributing
 
 Mastodon is **free, open-source software** licensed under **AGPLv3**.
 
-You can open issues for bugs you've found or features you think are missing. You can also submit pull requests to this repository or submit translations using Crowdin. To get started, take a look at [CONTRIBUTING.md](CONTRIBUTING.md). If your contributions are accepted into Mastodon, you can request to be paid through [our OpenCollective](https://opencollective.com/mastodon).
+You can open issues for bugs you've found or features you think are missing. You
+can also submit pull requests to this repository or translations via Crowdin. To
+get started, look at the [CONTRIBUTING] and [DEVELOPMENT] guides. For changes
+accepted into Mastodon, you can request to be paid through our [OpenCollective].
 
-**IRC channel**: #mastodon on irc.libera.chat
+**IRC channel**: #mastodon on [`irc.libera.chat`](https://libera.chat)
 
 ## License
 
-Copyright (C) 2016-2024 Eugen Rochko & other Mastodon contributors (see [AUTHORS.md](AUTHORS.md))
+Copyright (c) 2016-2024 Eugen Rochko (+ [`mastodon authors`](AUTHORS.md))
 
-This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
+Licensed under GNU Affero General Public License as stated in the [LICENSE](LICENSE):
 
-This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details.
+```
+Copyright (c) 2016-2024 Eugen Rochko & other Mastodon contributors
 
-You should have received a copy of the GNU Affero General Public License along with this program. If not, see <https://www.gnu.org/licenses/>.
+This program is free software: you can redistribute it and/or modify it under
+the terms of the GNU Affero General Public License as published by the Free
+Software Foundation, either version 3 of the License, or (at your option) any
+later version.
 
-[codespace]: https://codespaces.new/mastodon/mastodon?quickstart=1&devcontainer_path=.devcontainer%2Fcodespaces%2Fdevcontainer.json
-[Dev Container extension]: https://containers.dev/supporting#dev-containers
-[Development Containers]: https://containers.dev/supporting
-[Docker]: https://docs.docker.com
-[GitHub Codespaces]: https://docs.github.com/en/codespaces
-[Homebrew]: https://brew.sh
+This program is distributed in the hope that it will be useful, but WITHOUT
+ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
+details.
+
+You should have received a copy of the GNU Affero General Public License along
+with this program. If not, see https://www.gnu.org/licenses/
+```
+
+[CONTRIBUTING]: CONTRIBUTING.md
+[DEVELOPMENT]: docs/DEVELOPMENT.md
+[OpenCollective]: https://opencollective.com/mastodon

Vagrantfile

@@ -174,7 +174,7 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
   if config.vm.networks.any? { |type, options| type == :private_network }
     config.vm.synced_folder ".", "/vagrant", type: "nfs", mount_options: ['rw', 'actimeo=1']
   else
-    config.vm.synced_folder ".", "/vagrant"
+    config.vm.synced_folder ".", "/vagrant", type: "rsync", create: true, rsync__args: ["--verbose", "--archive", "--delete", "-z"]
   end
 
   # Otherwise, you can access the site at http://localhost:3000 and http://localhost:4000 , http://localhost:8080

app/controllers/activitypub/collections_controller.rb

@@ -49,7 +49,7 @@ class ActivityPub::CollectionsController < ActivityPub::BaseController
 
   def collection_presenter
     ActivityPub::CollectionPresenter.new(
-      id: account_collection_url(@account, params[:id]),
+      id: ActivityPub::TagManager.instance.collection_uri_for(@account, params[:id]),
       type: @type,
       size: @size,
       items: @items

app/controllers/activitypub/outboxes_controller.rb

@@ -41,12 +41,8 @@ class ActivityPub::OutboxesController < ActivityPub::BaseController
     end
   end
 
-  def outbox_url(**)
-    if params[:account_username].present?
-      account_outbox_url(@account, **)
-    else
-      instance_actor_outbox_url(**)
-    end
+  def outbox_url(...)
+    ActivityPub::TagManager.instance.outbox_uri_for(@account, ...)
   end
 
   def next_page

app/controllers/admin/account_actions_controller.rb

@@ -34,7 +34,8 @@ module Admin
     end
 
     def resource_params
-      params.require(:admin_account_action).permit(:type, :report_id, :warning_preset_id, :text, :send_email_notification, :include_statuses)
+      params
+        .expect(admin_account_action: [:type, :report_id, :warning_preset_id, :text, :send_email_notification, :include_statuses])
     end
   end
 end

app/controllers/admin/account_moderation_notes_controller.rb

@@ -29,10 +29,8 @@ module Admin
     private
 
     def resource_params
-      params.require(:account_moderation_note).permit(
-        :content,
-        :target_account_id
-      )
+      params
+        .expect(account_moderation_note: [:content, :target_account_id])
     end
 
     def set_account_moderation_note

app/controllers/admin/accounts_controller.rb

@@ -158,7 +158,8 @@ module Admin
     end
 
     def form_account_batch_params
-      params.require(:form_account_batch).permit(:action, account_ids: [])
+      params
+        .expect(form_account_batch: [:action, account_ids: []])
     end
 
     def action_from_button

app/controllers/admin/announcements_controller.rb

@@ -84,6 +84,7 @@ class Admin::AnnouncementsController < Admin::BaseController
   end
 
   def resource_params
-    params.require(:announcement).permit(:text, :scheduled_at, :starts_at, :ends_at, :all_day)
+    params
+      .expect(announcement: [:text, :scheduled_at, :starts_at, :ends_at, :all_day])
   end
 end

app/controllers/admin/base_controller.rb

@@ -7,14 +7,14 @@ module Admin
 
     layout 'admin'
 
-    before_action :set_cache_headers
+    before_action :set_referrer_policy_header
 
     after_action :verify_authorized
 
     private
 
-    def set_cache_headers
-      response.cache_control.replace(private: true, no_store: true)
+    def set_referrer_policy_header
+      response.headers['Referrer-Policy'] = 'same-origin'
     end
 
     def set_user

app/controllers/admin/change_emails_controller.rb

@@ -41,9 +41,8 @@ module Admin
     end
 
     def resource_params
-      params.require(:user).permit(
-        :unconfirmed_email
-      )
+      params
+        .expect(user: [:unconfirmed_email])
     end
   end
 end

app/controllers/admin/custom_emojis_controller.rb

@@ -44,7 +44,8 @@ module Admin
     private
 
     def resource_params
-      params.require(:custom_emoji).permit(:shortcode, :image, :visible_in_picker)
+      params
+        .expect(custom_emoji: [:shortcode, :image, :visible_in_picker])
     end
 
     def filtered_custom_emojis
@@ -74,7 +75,8 @@ module Admin
     end
 
     def form_custom_emoji_batch_params
-      params.require(:form_custom_emoji_batch).permit(:action, :category_id, :category_name, custom_emoji_ids: [])
+      params
+        .expect(form_custom_emoji_batch: [:action, :category_id, :category_name, custom_emoji_ids: []])
     end
   end
 end

app/controllers/admin/domain_allows_controller.rb

@@ -37,6 +37,7 @@ class Admin::DomainAllowsController < Admin::BaseController
   end
 
   def resource_params
-    params.require(:domain_allow).permit(:domain)
+    params
+      .expect(domain_allow: [:domain])
   end
 end

app/controllers/admin/domain_blocks_controller.rb

@@ -25,7 +25,9 @@ module Admin
     rescue Mastodon::NotPermittedError
       flash[:alert] = I18n.t('admin.domain_blocks.not_permitted')
     else
-      redirect_to admin_instances_path(limited: '1'), notice: I18n.t('admin.domain_blocks.created_msg')
+      flash[:notice] = I18n.t('admin.domain_blocks.created_msg')
+    ensure
+      redirect_to admin_instances_path(limited: '1')
     end
 
     def new
@@ -114,7 +116,12 @@ module Admin
     end
 
     def form_domain_block_batch_params
-      params.require(:form_domain_block_batch).permit(domain_blocks_attributes: [:enabled, :domain, :severity, :reject_media, :reject_reports, :private_comment, :public_comment, :obfuscate])
+      params
+        .expect(
+          form_domain_block_batch: [
+            domain_blocks_attributes: [[:enabled, :domain, :severity, :reject_media, :reject_reports, :private_comment, :public_comment, :obfuscate]],
+          ]
+        )
     end
 
     def action_from_button

app/controllers/admin/email_domain_blocks_controller.rb

@@ -62,11 +62,13 @@ module Admin
     end
 
     def resource_params
-      params.require(:email_domain_block).permit(:domain, :allow_with_approval, other_domains: [])
+      params
+        .expect(email_domain_block: [:domain, :allow_with_approval, other_domains: []])
     end
 
     def form_email_domain_block_batch_params
-      params.require(:form_email_domain_block_batch).permit(email_domain_block_ids: [])
+      params
+        .expect(form_email_domain_block_batch: [email_domain_block_ids: []])
     end
 
     def action_from_button

app/controllers/admin/follow_recommendations_controller.rb

@@ -37,7 +37,8 @@ module Admin
     end
 
     def form_account_batch_params
-      params.require(:form_account_batch).permit(:action, account_ids: [])
+      params
+        .expect(form_account_batch: [:action, account_ids: []])
     end
 
     def filter_params

app/controllers/admin/invites_controller.rb

@@ -39,7 +39,8 @@ module Admin
     private
 
     def resource_params
-      params.require(:invite).permit(:max_uses, :expires_in)
+      params
+        .expect(invite: [:max_uses, :expires_in])
     end
 
     def filtered_invites

app/controllers/admin/ip_blocks_controller.rb

@@ -44,7 +44,8 @@ module Admin
     private
 
     def resource_params
-      params.require(:ip_block).permit(:ip, :severity, :comment, :expires_in)
+      params
+        .expect(ip_block: [:ip, :severity, :comment, :expires_in])
     end
 
     def action_from_button
@@ -52,7 +53,8 @@ module Admin
     end
 
     def form_ip_block_batch_params
-      params.require(:form_ip_block_batch).permit(ip_block_ids: [])
+      params
+        .expect(form_ip_block_batch: [ip_block_ids: []])
     end
   end
 end

app/controllers/admin/relays_controller.rb

@@ -57,7 +57,8 @@ module Admin
     end
 
     def resource_params
-      params.require(:relay).permit(:inbox_url)
+      params
+        .expect(relay: [:inbox_url])
     end
 
     def warn_signatures_not_enabled!

app/controllers/admin/report_notes_controller.rb

@@ -47,10 +47,8 @@ module Admin
     end
 
     def resource_params
-      params.require(:report_note).permit(
-        :content,
-        :report_id
-      )
+      params
+        .expect(report_note: [:content, :report_id])
     end
 
     def set_report_note

app/controllers/admin/roles_controller.rb

@@ -61,7 +61,8 @@ module Admin
     end
 
     def resource_params
-      params.require(:user_role).permit(:name, :color, :highlighted, :position, permissions_as_keys: [])
+      params
+        .expect(user_role: [:name, :color, :highlighted, :position, permissions_as_keys: []])
     end
   end
 end

app/controllers/admin/rules_controller.rb

@@ -53,7 +53,8 @@ module Admin
     end
 
     def resource_params
-      params.require(:rule).permit(:text, :hint, :priority)
+      params
+        .expect(rule: [:text, :hint, :priority])
     end
   end
 end

app/controllers/admin/settings_controller.rb

@@ -28,7 +28,8 @@ module Admin
     end
 
     def settings_params
-      params.require(:form_admin_settings).permit(*Form::AdminSettings::KEYS)
+      params
+        .expect(form_admin_settings: [*Form::AdminSettings::KEYS])
     end
   end
 end

app/controllers/admin/software_updates_controller.rb

@@ -6,7 +6,7 @@ module Admin
 
     def index
       authorize :software_update, :index?
-      @software_updates = SoftwareUpdate.all.sort_by(&:gem_version)
+      @software_updates = SoftwareUpdate.by_version.filter(&:pending?)
     end
 
     private

app/controllers/admin/statuses_controller.rb

@@ -39,7 +39,8 @@ module Admin
     helper_method :batched_ordered_status_edits
 
     def admin_status_batch_action_params
-      params.require(:admin_status_batch_action).permit(status_ids: [])
+      params
+        .expect(admin_status_batch_action: [status_ids: []])
     end
 
     def after_create_redirect_path

app/controllers/admin/tags_controller.rb

@@ -37,7 +37,8 @@ module Admin
     end
 
     def tag_params
-      params.require(:tag).permit(:name, :display_name, :trendable, :usable, :listable)
+      params
+        .expect(tag: [:name, :display_name, :trendable, :usable, :listable])
     end
 
     def filtered_tags

app/controllers/admin/terms_of_service/distributions_controller.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+class Admin::TermsOfService::DistributionsController < Admin::BaseController
+  before_action :set_terms_of_service
+
+  def create
+    authorize @terms_of_service, :distribute?
+    @terms_of_service.touch(:notification_sent_at)
+    Admin::DistributeTermsOfServiceNotificationWorker.perform_async(@terms_of_service.id)
+    redirect_to admin_terms_of_service_index_path
+  end
+
+  private
+
+  def set_terms_of_service
+    @terms_of_service = TermsOfService.find(params[:terms_of_service_id])
+  end
+end

app/controllers/admin/terms_of_service/drafts_controller.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+class Admin::TermsOfService::DraftsController < Admin::BaseController
+  before_action :set_terms_of_service
+
+  def show
+    authorize :terms_of_service, :create?
+  end
+
+  def update
+    authorize @terms_of_service, :update?
+
+    @terms_of_service.published_at = Time.now.utc if params[:action_type] == 'publish'
+
+    if @terms_of_service.update(resource_params)
+      log_action(:publish, @terms_of_service) if @terms_of_service.published?
+      redirect_to @terms_of_service.published? ? admin_terms_of_service_index_path : admin_terms_of_service_draft_path
+    else
+      render :show
+    end
+  end
+
+  private
+
+  def set_terms_of_service
+    @terms_of_service = TermsOfService.draft.first || TermsOfService.new(text: current_terms_of_service&.text)
+  end
+
+  def current_terms_of_service
+    TermsOfService.live.first
+  end
+
+  def resource_params
+    params
+      .expect(terms_of_service: [:text, :changelog])
+  end
+end

app/controllers/admin/terms_of_service/generates_controller.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+class Admin::TermsOfService::GeneratesController < Admin::BaseController
+  before_action :set_instance_presenter
+
+  def show
+    authorize :terms_of_service, :create?
+
+    @generator = TermsOfService::Generator.new(
+      domain: @instance_presenter.domain,
+      admin_email: @instance_presenter.contact.email
+    )
+  end
+
+  def create
+    authorize :terms_of_service, :create?
+
+    @generator = TermsOfService::Generator.new(resource_params)
+
+    if @generator.valid?
+      TermsOfService.create!(text: @generator.render)
+      redirect_to admin_terms_of_service_draft_path
+    else
+      render :show
+    end
+  end
+
+  private
+
+  def set_instance_presenter
+    @instance_presenter = InstancePresenter.new
+  end
+
+  def resource_params
+    params
+      .expect(terms_of_service_generator: [*TermsOfService::Generator::VARIABLES])
+  end
+end

app/controllers/admin/terms_of_service/histories_controller.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class Admin::TermsOfService::HistoriesController < Admin::BaseController
+  def show
+    authorize :terms_of_service, :index?
+    @terms_of_service = TermsOfService.published.all
+  end
+end

app/controllers/admin/terms_of_service/previews_controller.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+class Admin::TermsOfService::PreviewsController < Admin::BaseController
+  before_action :set_terms_of_service
+
+  def show
+    authorize @terms_of_service, :distribute?
+    @user_count = @terms_of_service.scope_for_notification.count
+  end
+
+  private
+
+  def set_terms_of_service
+    @terms_of_service = TermsOfService.find(params[:terms_of_service_id])
+  end
+end

app/controllers/admin/terms_of_service/tests_controller.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class Admin::TermsOfService::TestsController < Admin::BaseController
+  before_action :set_terms_of_service
+
+  def create
+    authorize @terms_of_service, :distribute?
+    UserMailer.terms_of_service_changed(current_user, @terms_of_service).deliver_later!
+    redirect_to admin_terms_of_service_preview_path(@terms_of_service)
+  end
+
+  private
+
+  def set_terms_of_service
+    @terms_of_service = TermsOfService.find(params[:terms_of_service_id])
+  end
+end

app/controllers/admin/terms_of_service_controller.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class Admin::TermsOfServiceController < Admin::BaseController
+  def index
+    authorize :terms_of_service, :index?
+    @terms_of_service = TermsOfService.live.first
+  end
+end

app/controllers/admin/trends/links/preview_card_providers_controller.rb

@@ -31,7 +31,8 @@ class Admin::Trends::Links::PreviewCardProvidersController < Admin::BaseControll
   end
 
   def trends_preview_card_provider_batch_params
-    params.require(:trends_preview_card_provider_batch).permit(:action, preview_card_provider_ids: [])
+    params
+      .expect(trends_preview_card_provider_batch: [:action, preview_card_provider_ids: []])
   end
 
   def action_from_button

app/controllers/admin/trends/links_controller.rb

@@ -31,7 +31,8 @@ class Admin::Trends::LinksController < Admin::BaseController
   end
 
   def trends_preview_card_batch_params
-    params.require(:trends_preview_card_batch).permit(:action, preview_card_ids: [])
+    params
+      .expect(trends_preview_card_batch: [:action, preview_card_ids: []])
   end
 
   def action_from_button

app/controllers/admin/trends/statuses_controller.rb

@@ -31,7 +31,8 @@ class Admin::Trends::StatusesController < Admin::BaseController
   end
 
   def trends_status_batch_params
-    params.require(:trends_status_batch).permit(:action, status_ids: [])
+    params
+      .expect(trends_status_batch: [:action, status_ids: []])
   end
 
   def action_from_button

app/controllers/admin/trends/tags_controller.rb

@@ -31,7 +31,8 @@ class Admin::Trends::TagsController < Admin::BaseController
   end
 
   def trends_tag_batch_params
-    params.require(:trends_tag_batch).permit(:action, tag_ids: [])
+    params
+      .expect(trends_tag_batch: [:action, tag_ids: []])
   end
 
   def action_from_button

app/controllers/admin/users/roles_controller.rb

@@ -28,7 +28,8 @@ module Admin
     end
 
     def resource_params
-      params.require(:user).permit(:role_id)
+      params
+        .expect(user: [:role_id])
     end
   end
 end

app/controllers/admin/warning_presets_controller.rb

@@ -52,7 +52,8 @@ module Admin
     end
 
     def warning_preset_params
-      params.require(:account_warning_preset).permit(:title, :text)
+      params
+        .expect(account_warning_preset: [:title, :text])
     end
   end
 end

app/controllers/admin/webhooks_controller.rb

@@ -74,7 +74,8 @@ module Admin
     end
 
     def resource_params
-      params.require(:webhook).permit(:url, :template, events: [])
+      params
+        .expect(webhook: [:url, :template, events: []])
     end
   end
 end

app/controllers/api/v1/accounts/credentials_controller.rb

@@ -33,6 +33,7 @@ class Api::V1::Accounts::CredentialsController < Api::BaseController
       :discoverable,
       :hide_collections,
       :indexable,
+      attribution_domains: [],
       fields_attributes: [:name, :value]
     )
   end

app/controllers/api/v1/instances/domain_blocks_controller.rb

@@ -31,7 +31,7 @@ class Api::V1::Instances::DomainBlocksController < Api::V1::Instances::BaseContr
   end
 
   def show_domain_blocks_to_user?
-    Setting.show_domain_blocks == 'users' && user_signed_in?
+    Setting.show_domain_blocks == 'users' && user_signed_in? && current_user.functional_or_moved?
   end
 
   def set_domain_blocks
@@ -47,6 +47,6 @@ class Api::V1::Instances::DomainBlocksController < Api::V1::Instances::BaseContr
   end
 
   def show_rationale_for_user?
-    Setting.show_domain_blocks_rationale == 'users' && user_signed_in?
+    Setting.show_domain_blocks_rationale == 'users' && user_signed_in? && current_user.functional_or_moved?
   end
 end

app/controllers/api/v1/instances/terms_of_services_controller.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+class Api::V1::Instances::TermsOfServicesController < Api::V1::Instances::BaseController
+  before_action :set_terms_of_service
+
+  def show
+    cache_even_if_authenticated!
+    render json: @terms_of_service, serializer: REST::PrivacyPolicySerializer
+  end
+
+  private
+
+  def set_terms_of_service
+    @terms_of_service = TermsOfService.live.first!
+  end
+end

app/controllers/api/v1/polls/votes_controller.rb

@@ -15,7 +15,7 @@ class Api::V1::Polls::VotesController < Api::BaseController
   private
 
   def set_poll
-    @poll = Poll.attached.find(params[:poll_id])
+    @poll = Poll.find(params[:poll_id])
     authorize @poll.status, :show?
   rescue Mastodon::NotPermittedError
     not_found

app/controllers/api/v1/polls_controller.rb

@@ -15,7 +15,7 @@ class Api::V1::PollsController < Api::BaseController
   private
 
   def set_poll
-    @poll = Poll.attached.find(params[:id])
+    @poll = Poll.find(params[:id])
     authorize @poll.status, :show?
   rescue Mastodon::NotPermittedError
     not_found

app/controllers/api/v1/push/subscriptions_controller.rb

@@ -21,6 +21,7 @@ class Api::V1::Push::SubscriptionsController < Api::BaseController
         endpoint: subscription_params[:endpoint],
         key_p256dh: subscription_params[:keys][:p256dh],
         key_auth: subscription_params[:keys][:auth],
+        standard: subscription_params[:standard] || false,
         data: data_params,
         user_id: current_user.id,
         access_token_id: doorkeeper_token.id
@@ -55,12 +56,12 @@ class Api::V1::Push::SubscriptionsController < Api::BaseController
   end
 
   def subscription_params
-    params.require(:subscription).permit(:endpoint, keys: [:auth, :p256dh])
+    params.expect(subscription: [:endpoint, :standard, keys: [:auth, :p256dh]])
   end
 
   def data_params
     return {} if params[:data].blank?
 
-    params.require(:data).permit(:policy, alerts: Notification::TYPES)
+    params.expect(data: [:policy, alerts: Notification::TYPES])
   end
 end

app/controllers/api/v1/trends/tags_controller.rb

@@ -27,7 +27,9 @@ class Api::V1::Trends::TagsController < Api::BaseController
   end
 
   def tags_from_trends
-    Trends.tags.query.allowed
+    scope = Trends.tags.query.allowed.in_locale(content_locale)
+    scope = scope.filtered_for(current_account) if user_signed_in?
+    scope
   end
 
   def next_path

app/controllers/api/v2/notifications_controller.rb

@@ -46,7 +46,7 @@ class Api::V2::NotificationsController < Api::BaseController
   end
 
   def show
-    @notification = current_account.notifications.without_suspended.find_by!(group_key: params[:group_key])
+    @notification = current_account.notifications.without_suspended.by_group_key(params[:group_key]).take!
     presenter = GroupedNotificationsPresenter.new(NotificationGroup.from_notifications([@notification]))
     render json: presenter, serializer: REST::DedupNotificationGroupSerializer
   end
@@ -57,7 +57,7 @@ class Api::V2::NotificationsController < Api::BaseController
   end
 
   def dismiss
-    current_account.notifications.where(group_key: params[:group_key]).destroy_all
+    current_account.notifications.by_group_key(params[:group_key]).destroy_all
     render_empty
   end
 
@@ -80,10 +80,31 @@ class Api::V2::NotificationsController < Api::BaseController
     return [] if @notifications.empty?
 
     MastodonOTELTracer.in_span('Api::V2::NotificationsController#load_grouped_notifications') do
-      NotificationGroup.from_notifications(@notifications, pagination_range: (@notifications.last.id)..(@notifications.first.id), grouped_types: params[:grouped_types])
+      pagination_range = (@notifications.last.id)..@notifications.first.id
+
+      # If the page is incomplete, we know we are on the last page
+      if incomplete_page?
+        if paginating_up?
+          pagination_range = @notifications.last.id...(params[:max_id]&.to_i)
+        else
+          range_start = params[:since_id]&.to_i
+          range_start += 1 unless range_start.nil?
+          pagination_range = range_start..(@notifications.first.id)
         end
       end
 
+      NotificationGroup.from_notifications(@notifications, pagination_range: pagination_range, grouped_types: params[:grouped_types])
+    end
+  end
+
+  def incomplete_page?
+    @notifications.size < limit_param(DEFAULT_NOTIFICATIONS_LIMIT)
+  end
+
+  def paginating_up?
+    params[:min_id].present?
+  end
+
   def browserable_account_notifications
     current_account.notifications.without_suspended.browserable(
       types: Array(browserable_params[:types]),

app/controllers/api/web/push_subscriptions_controller.rb

@@ -66,7 +66,7 @@ class Api::Web::PushSubscriptionsController < Api::Web::BaseController
   end
 
   def subscription_params
-    @subscription_params ||= params.require(:subscription).permit(:endpoint, keys: [:auth, :p256dh])
+    @subscription_params ||= params.expect(subscription: [:standard, :endpoint, keys: [:auth, :p256dh]])
   end
 
   def web_push_subscription_params
@@ -76,11 +76,12 @@ class Api::Web::PushSubscriptionsController < Api::Web::BaseController
       endpoint: subscription_params[:endpoint],
       key_auth: subscription_params[:keys][:auth],
       key_p256dh: subscription_params[:keys][:p256dh],
+      standard: subscription_params[:standard] || false,
       user_id: active_session.user_id,
     }
   end
 
   def data_params
-    @data_params ||= params.require(:data).permit(:policy, alerts: Notification::TYPES)
+    @data_params ||= params.expect(data: [:policy, alerts: Notification::TYPES])
   end
 end

app/controllers/application_controller.rb

@@ -70,7 +70,13 @@ class ApplicationController < ActionController::Base
   end
 
   def require_functional!
-    redirect_to edit_user_registration_path unless current_user.functional?
+    return if current_user.functional?
+
+    if current_user.confirmed?
+      redirect_to edit_user_registration_path
+    else
+      redirect_to auth_setup_path
+    end
   end
 
   def skip_csrf_meta_tags?

app/controllers/auth/registrations_controller.rb

@@ -12,7 +12,6 @@ class Auth::RegistrationsController < Devise::RegistrationsController
   before_action :set_sessions, only: [:edit, :update]
   before_action :set_strikes, only: [:edit, :update]
   before_action :require_not_suspended!, only: [:update]
-  before_action :set_cache_headers, only: [:edit, :update]
   before_action :set_rules, only: :new
   before_action :require_rules_acceptance!, only: :new
   before_action :set_registration_form_time, only: :new
@@ -139,7 +138,11 @@ class Auth::RegistrationsController < Devise::RegistrationsController
     set_locale { render :rules }
   end
 
-  def set_cache_headers
-    response.cache_control.replace(private: true, no_store: true)
+  def is_flashing_format? # rubocop:disable Naming/PredicateName
+    if params[:action] == 'create'
+      false # Disable flash messages for sign-up
+    else
+      super
+    end
   end
 end

app/controllers/auth/sessions_controller.rb

@@ -73,7 +73,7 @@ class Auth::SessionsController < Devise::SessionsController
   end
 
   def user_params
-    params.require(:user).permit(:email, :password, :otp_attempt, credential: {})
+    params.expect(user: [:email, :password, :otp_attempt, credential: {}])
   end
 
   def after_sign_in_path_for(resource)

app/controllers/auth/setup_controller.rb

@@ -18,7 +18,7 @@ class Auth::SetupController < ApplicationController
 
     if @user.update(user_params)
       @user.resend_confirmation_instructions unless @user.confirmed?
-      redirect_to auth_setup_path, notice: I18n.t('auth.setup.new_confirmation_instructions_sent')
+      redirect_to auth_setup_path, notice: t('auth.setup.new_confirmation_instructions_sent')
     else
       render :show
     end
@@ -35,6 +35,6 @@ class Auth::SetupController < ApplicationController
   end
 
   def user_params
-    params.require(:user).permit(:email)
+    params.expect(user: [:email])
   end
 end

app/controllers/concerns/admin/export_controller_concern.rb

@@ -24,6 +24,6 @@ module Admin::ExportControllerConcern
   end
 
   def import_params
-    params.require(:admin_import).permit(:data)
+    params.expect(admin_import: [:data])
   end
 end

app/controllers/concerns/challengable_concern.rb

@@ -58,6 +58,6 @@ module ChallengableConcern
   end
 
   def challenge_params
-    params.require(:form_challenge).permit(:current_password, :return_to)
+    params.expect(form_challenge: [:current_password, :return_to])
   end
 end

app/controllers/concerns/localized.rb

@@ -25,7 +25,7 @@ module Localized
   end
 
   def available_locale_or_nil(locale_name)
-    locale_name.to_sym if locale_name.present? && I18n.available_locales.include?(locale_name.to_sym)
+    locale_name.to_sym if locale_name.respond_to?(:to_sym) && I18n.available_locales.include?(locale_name.to_sym)
   end
 
   def content_locale

app/controllers/concerns/signature_verification.rb

@@ -117,7 +117,7 @@ module SignatureVerification
 
   def verify_signature_strength!
     raise SignatureVerificationError, 'Mastodon requires the Date header or (created) pseudo-header to be signed' unless signed_headers.include?('date') || signed_headers.include?('(created)')
-    raise SignatureVerificationError, 'Mastodon requires the Digest header or (request-target) pseudo-header to be signed' unless signed_headers.include?(Request::REQUEST_TARGET) || signed_headers.include?('digest')
+    raise SignatureVerificationError, 'Mastodon requires the Digest header or (request-target) pseudo-header to be signed' unless signed_headers.include?(HttpSignatureDraft::REQUEST_TARGET) || signed_headers.include?('digest')
     raise SignatureVerificationError, 'Mastodon requires the Host header to be signed when doing a GET request' if request.get? && !signed_headers.include?('host')
     raise SignatureVerificationError, 'Mastodon requires the Digest header to be signed when doing a POST request' if request.post? && !signed_headers.include?('digest')
   end
@@ -155,14 +155,14 @@ module SignatureVerification
   def build_signed_string(include_query_string: true)
     signed_headers.map do |signed_header|
       case signed_header
-      when Request::REQUEST_TARGET
+      when HttpSignatureDraft::REQUEST_TARGET
         if include_query_string
-          "#{Request::REQUEST_TARGET}: #{request.method.downcase} #{request.original_fullpath}"
+          "#{HttpSignatureDraft::REQUEST_TARGET}: #{request.method.downcase} #{request.original_fullpath}"
         else
           # Current versions of Mastodon incorrectly omit the query string from the (request-target) pseudo-header.
           # Therefore, temporarily support such incorrect signatures for compatibility.
           # TODO: remove eventually some time after release of the fixed version
-          "#{Request::REQUEST_TARGET}: #{request.method.downcase} #{request.path}"
+          "#{HttpSignatureDraft::REQUEST_TARGET}: #{request.method.downcase} #{request.path}"
         end
       when '(created)'
         raise SignatureVerificationError, 'Invalid pseudo-header (created) for rsa-sha256' unless signature_algorithm == 'hs2019'

app/controllers/concerns/web_app_controller_concern.rb

@@ -7,6 +7,7 @@ module WebAppControllerConcern
     vary_by 'Accept, Accept-Language, Cookie'
 
     before_action :redirect_unauthenticated_to_permalinks!
+    before_action :set_referer_header
 
     content_security_policy do |p|
       policy = ContentSecurityPolicy.new
@@ -41,4 +42,10 @@ module WebAppControllerConcern
       end
     end
   end
+
+  protected
+
+  def set_referer_header
+    response.set_header('Referrer-Policy', Setting.allow_referrer_origin ? 'strict-origin-when-cross-origin' : 'same-origin')
+  end
 end

app/controllers/custom_css_controller.rb

@@ -1,10 +1,8 @@
 # frozen_string_literal: true
 
 class CustomCssController < ActionController::Base # rubocop:disable Rails/ApplicationController
-  before_action :set_user_roles
-
   def show
-    expires_in 3.minutes, public: true
+    expires_in 1.month, public: true
     render content_type: 'text/css'
   end
 
@@ -14,8 +12,4 @@ class CustomCssController < ActionController::Base # rubocop:disable Rails/Appli
     Setting.custom_css
   end
   helper_method :custom_css_styles
-
-  def set_user_roles
-    @user_roles = UserRole.providing_styles
-  end
 end

app/controllers/disputes/appeals_controller.rb

@@ -21,6 +21,6 @@ class Disputes::AppealsController < Disputes::BaseController
   end
 
   def appeal_params
-    params.require(:appeal).permit(:text)
+    params.expect(appeal: [:text])
   end
 end

app/controllers/disputes/base_controller.rb

@@ -8,11 +8,4 @@ class Disputes::BaseController < ApplicationController
   skip_before_action :require_functional!
 
   before_action :authenticate_user!
-  before_action :set_cache_headers
-
-  private
-
-  def set_cache_headers
-    response.cache_control.replace(private: true, no_store: true)
-  end
 end

app/controllers/filters/statuses_controller.rb

@@ -6,7 +6,6 @@ class Filters::StatusesController < ApplicationController
   before_action :authenticate_user!
   before_action :set_filter
   before_action :set_status_filters
-  before_action :set_cache_headers
 
   PER_PAGE = 20
 
@@ -34,14 +33,10 @@ class Filters::StatusesController < ApplicationController
   end
 
   def status_filter_batch_action_params
-    params.require(:form_status_filter_batch_action).permit(status_filter_ids: [])
+    params.expect(form_status_filter_batch_action: [status_filter_ids: []])
   end
 
   def action_from_button
     'remove' if params[:remove]
   end
-
-  def set_cache_headers
-    response.cache_control.replace(private: true, no_store: true)
-  end
 end

app/controllers/filters_controller.rb

@@ -5,7 +5,6 @@ class FiltersController < ApplicationController
 
   before_action :authenticate_user!
   before_action :set_filter, only: [:edit, :update, :destroy]
-  before_action :set_cache_headers
 
   def index
     @filters = current_account.custom_filters.includes(:keywords, :statuses).order(:phrase)
@@ -48,10 +47,6 @@ class FiltersController < ApplicationController
   end
 
   def resource_params
-    params.require(:custom_filter).permit(:title, :expires_in, :filter_action, context: [], keywords_attributes: [:id, :keyword, :whole_word, :_destroy])
-  end
-
-  def set_cache_headers
-    response.cache_control.replace(private: true, no_store: true)
+    params.expect(custom_filter: [:title, :expires_in, :filter_action, context: [], keywords_attributes: [[:id, :keyword, :whole_word, :_destroy]]])
   end
 end

app/controllers/follower_accounts_controller.rb

@@ -46,7 +46,7 @@ class FollowerAccountsController < ApplicationController
   end
 
   def page_url(page)
-    account_followers_url(@account, page: page) unless page.nil?
+    ActivityPub::TagManager.instance.followers_uri_for(@account, page: page) unless page.nil?
   end
 
   def next_page_url

app/controllers/invites_controller.rb

@@ -6,7 +6,6 @@ class InvitesController < ApplicationController
   layout 'admin'
 
   before_action :authenticate_user!
-  before_action :set_cache_headers
 
   def index
     authorize :invite, :create?
@@ -43,10 +42,6 @@ class InvitesController < ApplicationController
   end
 
   def resource_params
-    params.require(:invite).permit(:max_uses, :expires_in, :autofollow, :comment)
-  end
-
-  def set_cache_headers
-    response.cache_control.replace(private: true, no_store: true)
+    params.expect(invite: [:max_uses, :expires_in, :autofollow, :comment])
   end
 end

app/controllers/oauth/authorizations_controller.rb

@@ -5,7 +5,6 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController
 
   before_action :store_current_location
   before_action :authenticate_resource_owner!
-  before_action :set_cache_headers
 
   content_security_policy do |p|
     p.form_action(false)
@@ -32,8 +31,4 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController
   def truthy_param?(key)
     ActiveModel::Type::Boolean.new.cast(params[key])
   end
-
-  def set_cache_headers
-    response.cache_control.replace(private: true, no_store: true)
-  end
 end

app/controllers/oauth/authorized_applications_controller.rb

@@ -6,7 +6,6 @@ class Oauth::AuthorizedApplicationsController < Doorkeeper::AuthorizedApplicatio
   before_action :store_current_location
   before_action :authenticate_resource_owner!
   before_action :require_not_suspended!, only: :destroy
-  before_action :set_cache_headers
 
   before_action :set_last_used_at_by_app, only: :index, unless: -> { request.format == :json }
 
@@ -30,10 +29,6 @@ class Oauth::AuthorizedApplicationsController < Doorkeeper::AuthorizedApplicatio
     forbidden if current_account.unavailable?
   end
 
-  def set_cache_headers
-    response.cache_control.replace(private: true, no_store: true)
-  end
-
   def set_last_used_at_by_app
     @last_used_at_by_app = current_resource_owner.applications_last_used
   end

app/controllers/relationships_controller.rb

@@ -6,7 +6,6 @@ class RelationshipsController < ApplicationController
   before_action :authenticate_user!
   before_action :set_accounts, only: :show
   before_action :set_relationships, only: :show
-  before_action :set_cache_headers
 
   helper_method :following_relationship?, :followed_by_relationship?, :mutual_relationship?
 
@@ -36,7 +35,7 @@ class RelationshipsController < ApplicationController
   end
 
   def form_account_batch_params
-    params.require(:form_account_batch).permit(:action, account_ids: [])
+    params.expect(form_account_batch: [:action, account_ids: []])
   end
 
   def following_relationship?
@@ -66,8 +65,4 @@ class RelationshipsController < ApplicationController
       'remove_domains_from_followers'
     end
   end
-
-  def set_cache_headers
-    response.cache_control.replace(private: true, no_store: true)
-  end
 end

app/controllers/settings/aliases_controller.rb

@@ -30,7 +30,7 @@ class Settings::AliasesController < Settings::BaseController
   private
 
   def resource_params
-    params.require(:account_alias).permit(:acct)
+    params.expect(account_alias: [:acct])
   end
 
   def set_alias