Your self-hosted, globally interconnected microblogging community
[!WARNING] We recently released important security updates fixing major security issues. If you are using Mastodon v4.2.6 or below, v4.1.14 or below, or any older version, please update as soon as possible.
See updates for the 4.2.x branch, the 4.0.x branch and the 3.5.x branch.
[!IMPORTANT] This update changes registrations to be closed by default.
Running a social media platform where anyone can sign up without active moderation is dangerous.
We are changing the default, so that opening registrations is always a conscious choice. If you have never changed or saved the registrations mode yourself, this update will switch your server to not accepting new users. Simply change the setting again after the update if you wish to restore the old behaviour.
`EMAIL_DOMAIN_ALLOWLIST` is used, and can also be disabled with `DISABLE_AUTOMATIC_SWITCHING_TO_APPROVED_REGISTRATIONS=true`.
`tootctl settings registrations open` if you want to enable them again.
`Link` objects as `Image` `url` (ClearlyClaire)
While we work on better tools to fight spam and abuse, we want to draw your attention to the tools already at your disposal:
`any.pink` being used in the current wave)
When setting up a new server, the admin account created by the `mastodon:setup` task will not be automatically approved. You will need to approve it from the command-line interface with `tootctl accounts modify <username> --approve`.
To get the code for v4.1.16, use `git fetch && git checkout v4.1.16`.
[!NOTE] As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look:
docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump
[!WARNING] The minimum required Ruby version has been bumped to 3.0 in Mastodon v4.1.14.
External dependencies have not changed compared to v4.1.14; the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:
The following instructions are for updating from 4.1.15.
If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.
Non-Docker only:
`bundle install` and `yarn install --frozen-lockfile`
Both Docker and non-Docker:
[!WARNING] We recently released important security updates fixing major security issues. If you are using Mastodon v4.2.6 or below, v4.1.14 or below, or any older version, please update as soon as possible.
See updates for the 4.1.x branch, the 4.0.x branch and the 3.5.x branch.
[!IMPORTANT] This update changes registrations to be closed by default.
Running a social media platform where anyone can sign up without active moderation is dangerous.
We are changing the default, so that opening registrations is always a conscious choice. If you have never changed or saved the registrations mode yourself, this update will switch your server to not accepting new users. Simply change the setting again after the update if you wish to restore the old behaviour.
`EMAIL_DOMAIN_ALLOWLIST` is used, and can also be disabled with `DISABLE_AUTOMATIC_SWITCHING_TO_APPROVED_REGISTRATIONS=true`.
`tootctl settings registrations open` if you want to enable them again.
`Link` objects as `Image` `url` (ClearlyClaire)
While we work on better tools to fight spam and abuse, we want to draw your attention to the tools already at your disposal:
`any.pink` being used in the current wave)
When setting up a new server, the admin account created by the `mastodon:setup` task will not be automatically approved. You will need to approve it from the command-line interface with `RAILS_ENV=production bin/tootctl accounts modify <username> --approve`.
To get the code for v4.2.8, use `git fetch && git checkout v4.2.8`.
[!NOTE] As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look:
docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump
With the exception of Ruby's recommended version, external dependencies have not changed since v4.2.0; the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:
The following instructions are for updating from 4.2.7.
If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.
Non-Docker only:
`bundle install` and `yarn install --frozen-lockfile`
RAILS_ENV=production bundle exec rails assets:precompile
Using Docker:
[!CAUTION] The 3.5.x branch will not receive any update—including security fixes—after this one.
[!WARNING] This release is an important security release fixing a major security issue.
Corresponding security releases are available for the 4.2.x branch, the 4.1.x branch and the 4.0.x branch.
[!NOTE] If you are using nightly builds, do not use this release but update to `nightly.2024-02-17-security` or newer instead. If you are on the `main` branch, update to the latest commit.
The 3.5.x branch will not receive any further update after this one.
This means that no further security fix will be made available for this branch, and you will need to update to a more recent version (such as the 4.2.x branch) to receive security fixes.
To get the code for v3.5.19, use `git fetch && git checkout v3.5.19`.
[!NOTE] As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look:
docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump
[!WARNING] The minimum required Ruby version has been bumped to 3.0 in Mastodon v3.5.18.
External dependencies have not changed compared to v3.5.18; the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:
[!TIP] If your uploaded images are broken after the upgrade, it means your installed ImageMagick version is older than the new minimum version (6.9.7-7), for example if you are running Ubuntu 18.04. If this happens, you can find more information and ways to fix it on this page.
The following instructions are for updating from 3.5.18.
If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.
Non-Docker only:
`bundle install` and `yarn install --frozen-lockfile`
Both Docker and non-Docker:
[!CAUTION] The 4.0.x branch will not receive any update—including security fixes—after this one.
[!WARNING] This release is an important security release fixing a major security issue.
Corresponding security releases are available for the 4.2.x branch, the 4.1.x branch and the 3.5.x branch.
[!NOTE] If you are using nightly builds, do not use this release but update to `nightly.2024-02-17-security` or newer instead. If you are on the `main` branch, update to the latest commit.
The 4.0.x branch will not receive any further update after this one.
This means that no further security fix will be made available for this branch, and you will need to update to a more recent version (such as the 4.2.x branch) to receive security fixes.
To get the code for v4.0.15, use `git fetch && git checkout v4.0.15`.
[!NOTE] As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look:
docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump
[!WARNING] The minimum required Ruby version has been bumped to 3.0 in Mastodon v4.0.14.
External dependencies have not changed compared to v4.0.14; the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:
[!TIP] If your uploaded images are broken after the upgrade, it means your installed ImageMagick version is older than the new minimum version (6.9.7-7), for example if you are running Ubuntu 18.04. If this happens, you can find more information and ways to fix it on this page.
The following instructions are for updating from 4.0.14.
If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.
Non-Docker only:
`bundle install` and `yarn install --frozen-lockfile`
Both Docker and non-Docker:
[!WARNING] This release is an important security release fixing a major security issue.
Corresponding security releases are available for the 4.2.x branch, the 4.0.x branch and the 3.5.x branch.
[!NOTE] If you are using nightly builds, do not use this release but update to `nightly.2024-02-17-security` or newer instead. If you are on the `main` branch, update to the latest commit.
To get the code for v4.1.15, use `git fetch && git checkout v4.1.15`.
[!NOTE] As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look:
docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump
[!WARNING] The minimum required Ruby version has been bumped to 3.0 in Mastodon v4.1.14.
External dependencies have not changed compared to v4.1.14; the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:
[!TIP] If your uploaded images are broken after the upgrade, it means your installed ImageMagick version is older than the new minimum version (6.9.7-7), for example if you are running Ubuntu 18.04. If this happens, you can find more information and ways to fix it on this page.
The following instructions are for updating from 4.1.14.
If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.
Non-Docker only:
`bundle install` and `yarn install --frozen-lockfile`
Both Docker and non-Docker:
[!WARNING] This release is an important security release fixing a major security issue.
Corresponding security releases are available for the 4.1.x branch, the 4.0.x branch and the 3.5.x branch.
[!NOTE] If you are using nightly builds, do not use this release but update to `nightly.2024-02-17-security` or newer instead. If you are on the `main` branch, update to the latest commit.
`nsa` gem, instead of a no longer existing commit (mjankowski)
To get the code for v4.2.7, use `git fetch && git checkout v4.2.7`.
[!NOTE] As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look:
docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump
With the exception of Ruby's recommended version, external dependencies have not changed since v4.2.0; the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:
[!TIP] If your uploaded images are broken after the upgrade, it means your installed ImageMagick version is older than the new minimum version (6.9.7-7), for example if you are running Ubuntu 18.04. If this happens, you can find more information and ways to fix it on this page.
The following instructions are for updating from 4.2.6.
If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.
Non-Docker only:
`bundle install` and `yarn install --frozen-lockfile`
Using Docker:
:warning: The 3.5.x branch will not receive any update—including security fixes—after this one.
:warning: This release is an important security release fixing several security issues.
Corresponding security releases are available for the 4.2.x branch, the 4.1.x branch and the 4.0.x branch.
If you are using nightly builds, do not use this release but update to `nightly.2024-02-15-security` or newer instead. If you are on the `main` branch, update to the latest commit.
The 3.5.x branch will not receive any further update after this one.
This means that no further security fix will be made available for this branch, and you will need to update to a more recent version (such as the 4.2.x branch) to receive security fixes.
`sidekiq-unique-jobs` dependency (see GHSA-cmh9-rx85-xj38)
In addition, we have disabled the web interface for `sidekiq-unique-jobs` out of caution, as it is very rarely useful.
If you need to investigate `sidekiq-unique-jobs` locks, you can re-enable it by setting `ENABLE_SIDEKIQ_UNIQUE_JOBS_UI=true`.
If you only need to clear all locks, you can now use the newly-added `bundle exec rake sidekiq_unique_jobs:delete_all_locks`.
`nokogiri` dependency (see GHSA-xc9x-jj77-9p9j)
`ALLOW_UNSAFE_AUTH_PROVIDER_REATTACH` environment variable.
In addition, regardless of this environment variable, Mastodon will refuse to attach two identities from the same authentication provider to the same account.
To get the code for v3.5.18, use `git fetch && git checkout v3.5.18`.
As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look:
docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump
[!WARNING] The minimum required Ruby version has been bumped to 3.0.
With the exception of Ruby, external dependencies have not changed compared to v3.5.16; the compatible PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:
If your uploaded images are broken after the upgrade, it means your installed ImageMagick version is older than the new minimum version (6.9.7-7), for example if you are running Ubuntu 18.04. If this happens, you can find more information and ways to fix it on this page.
The following instructions are for updating from 3.5.17.
If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.
Non-Docker only:
`bundle install` and `yarn install --frozen-lockfile`
Both Docker and non-Docker:
:warning: The 4.0.x branch will not receive any update—including security fixes—after this one.
:warning: This release is an important security release fixing several security issues.
Corresponding security releases are available for the 4.2.x branch, the 4.1.x branch and the 3.5.x branch.
If you are using nightly builds, do not use this release but update to `nightly.2024-02-15-security` or newer instead. If you are on the `main` branch, update to the latest commit.
The 4.0.x branch will not receive any further update after this one.
This means that no further security fix will be made available for this branch, and you will need to update to a more recent version (such as the 4.2.x branch) to receive security fixes.
`sidekiq-unique-jobs` dependency (see GHSA-cmh9-rx85-xj38)
In addition, we have disabled the web interface for `sidekiq-unique-jobs` out of caution, as it is very rarely useful.
If you need to investigate `sidekiq-unique-jobs` locks, you can re-enable it by setting `ENABLE_SIDEKIQ_UNIQUE_JOBS_UI=true`.
If you only need to clear all locks, you can now use the newly-added `bundle exec rake sidekiq_unique_jobs:delete_all_locks`.
`nokogiri` dependency (see GHSA-xc9x-jj77-9p9j)
`ALLOW_UNSAFE_AUTH_PROVIDER_REATTACH` environment variable.
In addition, regardless of this environment variable, Mastodon will refuse to attach two identities from the same authentication provider to the same account.
To get the code for v4.0.14, use `git fetch && git checkout v4.0.14`.
As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look:
docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump
[!WARNING] The minimum required Ruby version has been bumped to 3.0.
With the exception of Ruby, external dependencies have not changed compared to v4.0.14; the compatible PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:
If your uploaded images are broken after the upgrade, it means your installed ImageMagick version is older than the new minimum version (6.9.7-7), for example if you are running Ubuntu 18.04. If this happens, you can find more information and ways to fix it on this page.
The following instructions are for updating from 4.0.13.
If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.
Non-Docker only:
`bundle install` and `yarn install --frozen-lockfile`
Both Docker and non-Docker:
:warning: This release is an important security release fixing several security issues.
Corresponding security releases are available for the 4.2.x branch, the 4.0.x branch and the 3.5.x branch.
If you are using nightly builds, do not use this release but update to `nightly.2024-02-15-security` or newer instead. If you are on the `main` branch, update to the latest commit.
`sidekiq-unique-jobs` dependency (see GHSA-cmh9-rx85-xj38)
In addition, we have disabled the web interface for `sidekiq-unique-jobs` out of caution, as it is very rarely useful.
If you need to investigate `sidekiq-unique-jobs` locks, you can re-enable it by setting `ENABLE_SIDEKIQ_UNIQUE_JOBS_UI=true`.
If you only need to clear all locks, you can now use the newly-added `bundle exec rake sidekiq_unique_jobs:delete_all_locks`.
`nokogiri` dependency (see GHSA-xc9x-jj77-9p9j)
`ALLOW_UNSAFE_AUTH_PROVIDER_REATTACH` environment variable.
In addition, regardless of this environment variable, Mastodon will refuse to attach two identities from the same authentication provider to the same account.
To get the code for v4.1.14, use `git fetch && git checkout v4.1.14`.
As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look:
docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump
[!WARNING] The minimum required Ruby version has been bumped to 3.0.
With the exception of Ruby, external dependencies have not changed compared to v4.1.7; the compatible PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:
If your uploaded images are broken after the upgrade, it means your installed ImageMagick version is older than the new minimum version (6.9.7-7), for example if you are running Ubuntu 18.04. If this happens, you can find more information and ways to fix it on this page.
The following instructions are for updating from 4.1.13.
If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.
Non-Docker only:
`bundle install` and `yarn install --frozen-lockfile`
Both Docker and non-Docker:
:warning: This release is an important security release fixing several security issues.
Corresponding security releases are available for the 4.1.x branch, the 4.0.x branch and the 3.5.x branch.
If you are using nightly builds, do not use this release but update to `nightly.2024-02-15-security` or newer instead. If you are on the `main` branch, update to the latest commit.
`sidekiq-unique-jobs` dependency (see GHSA-cmh9-rx85-xj38)
In addition, we have disabled the web interface for `sidekiq-unique-jobs` out of caution, as it is very rarely useful.
If you need to investigate `sidekiq-unique-jobs` locks, you can re-enable it by setting `ENABLE_SIDEKIQ_UNIQUE_JOBS_UI=true`.
If you only need to clear all locks, you can now use the newly-added `bundle exec rake sidekiq_unique_jobs:delete_all_locks`.
`nokogiri` dependency (see GHSA-xc9x-jj77-9p9j)
`ALLOW_UNSAFE_AUTH_PROVIDER_REATTACH` environment variable.
In addition, regardless of this environment variable, Mastodon will refuse to attach two identities from the same authentication provider to the same account.
To get the code for v4.2.6, use `git fetch && git checkout v4.2.6`.
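An added example, not part of the Mastodon release notes or code base: a POSIX shell check that reports when any of the opt-out switches named in these notes (`ALLOW_UNSAFE_AUTH_PROVIDER_REATTACH`, `ENABLE_SIDEKIQ_UNIQUE_JOBS_UI`, `DISABLE_AUTOMATIC_SWITCHING_TO_APPROVED_REGISTRATIONS`) is enabled in a dotenv-style file. The function name `audit_env`, the file it is pointed at, and treating only the literal value `true` as enabled are assumptions.

```shell
#!/bin/sh
# Added example, not Mastodon project code. audit_env is a hypothetical helper.

# Switches named in the release notes that relax a security default.
# Assumption: each one is active when its value is the literal "true".
FLAGGED_VARS="ALLOW_UNSAFE_AUTH_PROVIDER_REATTACH ENABLE_SIDEKIQ_UNIQUE_JOBS_UI DISABLE_AUTOMATIC_SWITCHING_TO_APPROVED_REGISTRATIONS"

# audit_env FILE
#   Prints one "FLAG <name>" line for every line of FILE that enables a switch.
#   Returns 0 if none is enabled, 1 if at least one is, 2 if FILE is unreadable.
#   Every enabling line is reported, even if another line sets a different value.
audit_env() {
    file=$1
    [ -r "$file" ] || { echo "audit_env: cannot read $file" >&2; return 2; }
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Drop leading whitespace and an optional "export " prefix.
        line=$(printf '%s' "$line" |
            sed -e 's/^[[:space:]]*//' -e 's/^export[[:space:]]\{1,\}//')
        case $line in
            ''|'#'*) continue ;;   # blank line or comment
            *=*) ;;                # KEY=VALUE, handled below
            *) continue ;;         # anything else is not an assignment
        esac
        key=${line%%=*}
        value=${line#*=}
        # Drop a trailing " # comment", trailing whitespace (including CR),
        # then one pair of surrounding double or single quotes.
        value=$(printf '%s' "$value" |
            sed -e 's/[[:space:]]\{1,\}#.*$//' -e 's/[[:space:]]*$//' \
                -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/")
        for name in $FLAGGED_VARS; do
            if [ "$key" = "$name" ] && [ "$value" = "true" ]; then
                echo "FLAG $name"
                found=1
            fi
        done
    done < "$file"
    return "$found"
}

# Usage (the path is an assumption):
#   audit_env /path/to/.env.production || echo "review the flagged switches"
```
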
As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look:
docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump
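An added example, not from the Mastodon project: with the redirect form shown above, the shell creates the output file even when the dump command fails, so a failed run can leave an empty or error-text file under the backup name. The hypothetical `safe_dump` wrapper below keeps a dump only if the command succeeded and the file starts with the `PGDMP` signature of a `pg_dump -Fc` archive.

```shell
#!/bin/sh
# Added example, not Mastodon project code. safe_dump is a hypothetical helper.
#
# safe_dump OUTFILE COMMAND [ARGS...]
#   Runs COMMAND, writes its stdout to OUTFILE.partial, and renames that file
#   to OUTFILE only if COMMAND exited 0 and the output starts with "PGDMP",
#   the signature of a pg_dump custom-format (-Fc) archive.
#   Returns 0 on success, 1 if COMMAND failed, 2 if the output is not an archive.
safe_dump() {
    out=$1
    shift
    partial="$out.partial"

    # A plain "cmd > file" truncates file before cmd runs; writing to a
    # side file keeps any earlier good backup intact when cmd fails.
    if ! "$@" > "$partial"; then
        rm -f "$partial"
        echo "safe_dump: dump command failed, $out left untouched" >&2
        return 1
    fi

    # Read the first five bytes; an empty file or error text will not match.
    magic=$(dd if="$partial" bs=5 count=1 2>/dev/null | tr -d '\000')
    if [ "$magic" != "PGDMP" ]; then
        rm -f "$partial"
        echo "safe_dump: output is not a custom-format archive, $out left untouched" >&2
        return 2
    fi

    mv -f "$partial" "$out"
}

# Usage with the command from the note above:
#   safe_dump name_of_the_backup.dump \
#       docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres
```

The signature check only shows that the file begins like an archive; `pg_restore --list name_of_the_backup.dump` reads the archive's table of contents and is a stronger check where `pg_restore` is installed.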
With the exception of Ruby's recommended version, external dependencies have not changed since v4.2.0; the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:
If your uploaded images are broken after the upgrade, it means your installed ImageMagick version is older than the new minimum version (6.9.7-7), for example if you are running Ubuntu 18.04. If this happens, you can find more information and ways to fix it on this page.
The following instructions are for updating from 4.2.5.
If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.
Non-Docker only:
`bundle install` and `yarn install --frozen-lockfile`
Using Docker: