Upstream 20250917

.github/workflows/codeql.yml

@@ -31,8 +31,8 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: ['javascript', 'ruby']
-        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        language: ['actions', 'javascript', 'ruby']
+        # CodeQL supports [ 'actions', 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
         # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
 
     steps:

.ruby-version

@@ -1 +1 @@
-3.4.5
+3.4.6

.storybook/preview-body.html

@@ -0,0 +1,2 @@
+<html class="no-reduce-motion">
+</html>

CHANGELOG.md

@@ -2,6 +2,34 @@
 
 All notable changes to this project will be documented in this file.
 
+## [4.4.4] - 2025-09-16
+
+### Security
+
+- Update dependencies
+
+### Fixed
+
+- Fix missing memoization in `Web::PushNotificationWorker` (#36085 by @ClearlyClaire)
+- Fix unresponsive areas around GIFV modals in some cases (#36059 by @ClearlyClaire)
+- Fix missing `beforeUnload` confirmation when a poll is being authored (#36030 by @ClearlyClaire)
+- Fix processing of remote edited statuses with new media and no text (#35970 by @unfokus)
+- Fix polls not being displayed in moderation interface (#35644 and #35933 by @ThisIsMissEm)
+- Fix WebUI handling of deleted quoted posts (#35909 and #35918 by @ClearlyClaire and @diondiondion)
+- Fix “Edit” and “Delete & Redraft” on a poll not inserting empty option (#35892 by @ClearlyClaire)
+- Fix loading of some compatibility CSS on some configurations (#35876 by @shleeable)
+- Fix HttpLog not being enabled with `RAILS_LOG_LEVEL=debug` (#35833 by @mjankowski)
+- Fix self-destruct scheduler behavior on some Redis setups (#35823 by @ClearlyClaire)
+- Fix `tootctl admin create` not bypassing reserved username checks (#35779 by @ClearlyClaire)
+- Fix interaction policy changes in implicit updates not being saved (#35751 by @ClearlyClaire)
+- Fix quote revocation not being streamed (#35710 by @ClearlyClaire)
+- Fix export of large user archives by enabling Zip64 (#35850 by @ClearlyClaire)
+
+### Changed
+
+- Change labels for quote policy settings (#35893 by @ClearlyClaire)
+- Change standalone “Share” page to redirect to web interface after posting (#35763 by @ChaosExAnima)
+
 ## [4.4.3] - 2025-08-05
 
 ### Security

Dockerfile

@@ -13,7 +13,7 @@ ARG BASE_REGISTRY="docker.io"
 
 # Ruby image to use for base image, change with [--build-arg RUBY_VERSION="3.4.x"]
 # renovate: datasource=docker depName=docker.io/ruby
-ARG RUBY_VERSION="3.4.5"
+ARG RUBY_VERSION="3.4.6"
 # # Node.js version to use in base image, change with [--build-arg NODE_MAJOR_VERSION="20"]
 # renovate: datasource=node-version depName=node
 ARG NODE_MAJOR_VERSION="22"
@@ -183,7 +183,7 @@ FROM build AS libvips
 
 # libvips version to compile, change with [--build-arg VIPS_VERSION="8.15.2"]
 # renovate: datasource=github-releases depName=libvips packageName=libvips/libvips
-ARG VIPS_VERSION=8.17.1
+ARG VIPS_VERSION=8.17.2
 # libvips download URL, change with [--build-arg VIPS_URL="https://github.com/libvips/libvips/releases/download"]
 ARG VIPS_URL=https://github.com/libvips/libvips/releases/download
 

Gemfile

@@ -88,7 +88,7 @@ gem 'sidekiq-scheduler', '~> 6.0'
 gem 'sidekiq-unique-jobs', '> 8'
 gem 'simple_form', '~> 5.2'
 gem 'simple-navigation', '~> 4.4'
-gem 'stoplight', github: 'ClearlyClaire/stoplight', ref: 'f13e0c0d5e6d34af8d3cfc888871caa84237db42'
+gem 'stoplight'
 gem 'strong_migrations'
 gem 'tty-prompt', '~> 0.23', require: false
 gem 'twitter-text', '~> 3.1.0'

Gemfile.lock

@@ -1,11 +1,3 @@
-GIT
-  remote: https://github.com/ClearlyClaire/stoplight.git
-  revision: f13e0c0d5e6d34af8d3cfc888871caa84237db42
-  ref: f13e0c0d5e6d34af8d3cfc888871caa84237db42
-  specs:
-    stoplight (5.3.1)
-      zeitwerk
-
 GIT
   remote: https://github.com/mastodon/webpush.git
   revision: 9631ac63045cfabddacc69fc06e919b4c13eb913
@@ -129,7 +121,7 @@ GEM
       erubi (>= 1.0.0)
       rack (>= 0.9.0)
       rouge (>= 1.0.0)
-    bigdecimal (3.2.2)
+    bigdecimal (3.2.3)
     bindata (2.5.1)
     binding_of_caller (1.0.1)
       debug_inspector (>= 1.2.0)
@@ -308,8 +300,8 @@ GEM
     highline (3.1.2)
       reline
     hiredis (0.6.3)
-    hiredis-client (0.25.2)
-      redis-client (= 0.25.2)
+    hiredis-client (0.25.3)
+      redis-client (= 0.25.3)
     hkdf (0.3.0)
     htmlentities (4.3.4)
     http (5.3.1)
@@ -645,7 +637,7 @@ GEM
     public_suffix (6.0.2)
     puma (6.6.1)
       nio4r (~> 2.0)
-    pundit (2.5.0)
+    pundit (2.5.1)
       activesupport (>= 3.0.0)
     raabro (1.4.0)
     racc (1.8.1)
@@ -725,7 +717,7 @@ GEM
       reline
     redcarpet (3.6.1)
     redis (4.8.1)
-    redis-client (0.25.2)
+    redis-client (0.25.3)
       connection_pool
     regexp_parser (2.11.2)
     reline (0.6.2)
@@ -735,7 +727,7 @@ GEM
     responders (3.1.1)
       actionpack (>= 5.2)
       railties (>= 5.2)
-    rexml (3.4.1)
+    rexml (3.4.4)
     rotp (6.3.0)
     rouge (4.6.0)
     rpam2 (4.0.2)
@@ -791,10 +783,10 @@ GEM
     rubocop-i18n (3.2.3)
       lint_roller (~> 1.1)
       rubocop (>= 1.72.1)
-    rubocop-performance (1.25.0)
+    rubocop-performance (1.26.0)
       lint_roller (~> 1.1)
       rubocop (>= 1.75.0, < 2.0)
-      rubocop-ast (>= 1.38.0, < 2.0)
+      rubocop-ast (>= 1.44.0, < 2.0)
     rubocop-rails (2.33.3)
       activesupport (>= 4.2.0)
       lint_roller (~> 1.1)
@@ -817,7 +809,7 @@ GEM
     ruby-vips (2.2.5)
       ffi (~> 1.12)
       logger
-    rubyzip (3.0.2)
+    rubyzip (3.1.0)
     rufus-scheduler (3.9.2)
       fugit (~> 1.1, >= 1.11.1)
     safety_net_attestation (0.4.0)
@@ -861,6 +853,8 @@ GEM
     stackprof (0.2.27)
     starry (0.2.0)
       base64
+    stoplight (5.3.5)
+      zeitwerk
     stringio (3.1.7)
     strong_migrations (2.5.0)
       activerecord (>= 7.1)
@@ -1092,7 +1086,7 @@ DEPENDENCIES
   simplecov (~> 0.22)
   simplecov-lcov (~> 0.8)
   stackprof
-  stoplight!
+  stoplight
   strong_migrations
   test-prof
   thor (~> 1.2)

app/controllers/activitypub/contexts_controller.rb

@@ -26,7 +26,8 @@ def account_required?
   end
 
   def set_conversation
-    @conversation = Conversation.local.find(params[:id])
+    account_id, status_id = params[:id].split('-')
+    @conversation = Conversation.local.find_by(parent_account_id: account_id, parent_status_id: status_id)
   end
 
   def set_items

app/controllers/activitypub/quote_authorizations_controller.rb

@@ -9,7 +9,7 @@ class ActivityPub::QuoteAuthorizationsController < ActivityPub::BaseController
   before_action :set_quote_authorization
 
   def show
-    expires_in 0, public: @quote.status.distributable? && public_fetch_mode?
+    expires_in 30.seconds, public: true if @quote.status.distributable? && public_fetch_mode?
     render json: @quote, serializer: ActivityPub::QuoteAuthorizationSerializer, adapter: ActivityPub::Adapter, content_type: 'application/activity+json'
   end
 
@@ -21,6 +21,8 @@ def pundit_user
 
   def set_quote_authorization
     @quote = Quote.accepted.where(quoted_account: @account).find(params[:id])
+    return not_found unless @quote.status.present? && @quote.quoted_status.present?
+
     authorize @quote.status, :show?
   rescue Mastodon::NotPermittedError
     not_found

app/controllers/concerns/api/interaction_policies_concern.rb

@@ -4,10 +4,9 @@ module Api::InteractionPoliciesConcern
   extend ActiveSupport::Concern
 
   def quote_approval_policy
-    # TODO: handle `nil` separately
-    return nil unless Mastodon::Feature.outgoing_quotes_enabled? && status_params[:quote_approval_policy].present?
+    return nil unless Mastodon::Feature.outgoing_quotes_enabled?
 
-    case status_params[:quote_approval_policy]
+    case status_params[:quote_approval_policy].presence || current_user.setting_default_quote_policy
     when 'public'
       Status::QUOTE_APPROVAL_POLICY_FLAGS[:public] << 16
     when 'followers'

app/helpers/application_helper.rb

@@ -285,6 +285,10 @@ def app_store_url_android
     'https://play.google.com/store/apps/details?id=org.joinmastodon.android'
   end
 
+  def within_authorization_flow?
+    session[:user_return_to].present? && Rails.application.routes.recognize_path(session[:user_return_to])[:controller] == 'oauth/authorizations'
+  end
+
   private
 
   def storage_host_var

app/helpers/statuses_helper.rb

@@ -67,4 +67,16 @@ def visibility_icon(status)
   def prefers_autoplay?
     ActiveModel::Type::Boolean.new.cast(params[:autoplay]) || current_user&.setting_auto_play_gif
   end
+
+  def render_seo_schema(status)
+    json = ActiveModelSerializers::SerializableResource.new(
+      status,
+      serializer: SEO::SocialMediaPostingSerializer,
+      adapter: SEO::Adapter
+    ).to_json
+
+    # rubocop:disable Rails/OutputSafety
+    content_tag(:script, json_escape(json).html_safe, type: 'application/ld+json')
+    # rubocop:enable Rails/OutputSafety
+  end
 end

app/javascript/entrypoints/public.tsx

@@ -351,6 +351,31 @@ const setInputDisabled = (
   }
 };
 
+const setInputHint = (
+  input: HTMLInputElement | HTMLSelectElement,
+  hintPrefix: string,
+) => {
+  const fieldWrapper = input.closest<HTMLElement>('.fields-group > .input');
+  if (!fieldWrapper) return;
+
+  const hint = fieldWrapper.dataset[`${hintPrefix}Hint`];
+  const hintElement =
+    fieldWrapper.querySelector<HTMLSpanElement>(':scope > .hint');
+
+  if (hint) {
+    if (hintElement) {
+      hintElement.textContent = hint;
+    } else {
+      const newHintElement = document.createElement('span');
+      newHintElement.className = 'hint';
+      newHintElement.textContent = hint;
+      fieldWrapper.appendChild(newHintElement);
+    }
+  } else {
+    hintElement?.remove();
+  }
+};
+
 Rails.delegate(
   document,
   '#account_statuses_cleanup_policy_enabled',
@@ -379,6 +404,8 @@ const updateDefaultQuotePrivacyFromPrivacy = (
   );
   if (!select) return;
 
+  setInputHint(select, privacySelect.value);
+
   if (privacySelect.value === 'private') {
     select.value = 'nobody';
     setInputDisabled(select, true);

app/javascript/mastodon/actions/compose_typed.ts

@@ -16,6 +16,7 @@ import type { Status } from '../models/status';
 
 import { showAlert } from './alerts';
 import { focusCompose } from './compose';
+import { openModal } from './modal';
 
 const messages = defineMessages({
   quoteErrorUpload: {
@@ -110,7 +111,15 @@ export const quoteCompose = createAppThunk(
 
 export const quoteComposeByStatus = createAppThunk(
   (status: Status, { dispatch, getState }) => {
-    const composeState = getState().compose;
+    const state = getState();
+    const composeState = state.compose;
+    // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
+    const wasQuietPostHintModalDismissed: boolean =
+      // eslint-disable-next-line @typescript-eslint/no-unsafe-call, @typescript-eslint/no-unsafe-member-access
+      state.settings.getIn(
+        ['dismissed_banners', 'quote/quiet_post_hint'],
+        false,
+      );
 
     if (composeState.get('is_uploading')) {
       dispatch(showAlert({ message: messages.quoteErrorUpload }));
@@ -121,6 +130,16 @@ export const quoteComposeByStatus = createAppThunk(
       status.getIn(['quote_approval', 'current_user']) !== 'manual'
     ) {
       dispatch(showAlert({ message: messages.quoteErrorUnauthorized }));
+    } else if (
+      status.get('visibility') === 'unlisted' &&
+      !wasQuietPostHintModalDismissed
+    ) {
+      dispatch(
+        openModal({
+          modalType: 'CONFIRM_QUIET_QUOTE',
+          modalProps: { status },
+        }),
+      );
     } else {
       dispatch(quoteCompose(status));
     }

app/javascript/mastodon/actions/importer/normalizer.js

@@ -21,6 +21,15 @@ export function normalizeFilterResult(result) {
   return normalResult;
 }
 
+function stripQuoteFallback(text) {
+  const wrapper = document.createElement('div');
+  wrapper.innerHTML = text;
+
+  wrapper.querySelector('.quote-inline')?.remove();
+
+  return wrapper.innerHTML;
+}
+
 export function normalizeStatus(status, normalOldStatus, options = undefined) {
   const normalStatus   = { ...status };
 
@@ -84,7 +93,7 @@ export function normalizeStatus(status, normalOldStatus, options = undefined) {
   } else {
     // If the status has a CW but no contents, treat the CW as if it were the
     // status' contents, to avoid having a CW toggle with seemingly no effect.
-    if (normalStatus.spoiler_text && !normalStatus.content) {
+    if (normalStatus.spoiler_text && !normalStatus.content && !normalStatus.quote) {
       normalStatus.content = normalStatus.spoiler_text;
       normalStatus.spoiler_text = '';
     }
@@ -102,6 +111,11 @@ export function normalizeStatus(status, normalOldStatus, options = undefined) {
     normalStatus.spoilerHtml  = emojify(escapeTextContentForBrowser(spoilerText), emojiMap);
     normalStatus.hidden       = expandSpoilers ? false : spoilerText.length > 0 || normalStatus.sensitive;
 
+    // Remove quote fallback link from the DOM so it doesn't mess with paragraph margins
+    if (normalStatus.quote) {
+      normalStatus.contentHtml = stripQuoteFallback(normalStatus.contentHtml);
+    }
+
     if (normalStatus.url && !(normalStatus.url.startsWith('http://') || normalStatus.url.startsWith('https://'))) {
       normalStatus.url = null;
     }
@@ -152,6 +166,11 @@ export function normalizeStatusTranslation(translation, status) {
     spoiler_text: translation.spoiler_text,
   };
 
+  // Remove quote fallback link from the DOM so it doesn't mess with paragraph margins
+  if (status.get('quote')) {
+    normalTranslation.contentHtml = stripQuoteFallback(normalTranslation.contentHtml);
+  }
+
   return normalTranslation;
 }
 

app/javascript/mastodon/api_types/quotes.ts

@@ -4,6 +4,7 @@ export type ApiQuoteState = 'accepted' | 'pending' | 'revoked' | 'unauthorized';
 export type ApiQuotePolicy =
   | 'public'
   | 'followers'
+  | 'following'
   | 'nobody'
   | 'unsupported_policy';
 export type ApiUserQuotePolicy = 'automatic' | 'manual' | 'denied' | 'unknown';