Releases: mastodon/mastodon
v4.5.4
Upgrade overview
This release contains upgrade notes that deviate from the norm:
ℹ️ Requires assets recompilation
For more information, view the complete release notes and scroll down to the upgrade instructions section.
Changelog
Security
- Fix SSRF protection bypass (GHSA)
- Fix missing ownership check in severed relationships controller (GHSA)
Changed
- Change HTTP Signature verification status from 401 to 503 on temporary failure to get remote actor (#37221 by @ClearlyClaire)
Fixed
- Fix custom emojis not being rendered in profile fields (#37365 by @ClearlyClaire)
- Fix serialization of context pages (#37376 by @ClearlyClaire)
- Fix quotes with CWs but no text not having fallback link (#37361 by @ClearlyClaire)
- Fix outdated link target for “locked” warning (#37366 by @ClearlyClaire)
- Fix local custom emojis sometimes being rendered in remote posts (#37284 by @ChaosExAnima)
- Fix some assets not being loaded from configured CDN (#37310 by @ChaosExAnima)
- Fix notifications page error in Tor browser (#37285 by @diondiondion)
- Fix custom emojis not being displayed in CWs and fav/boost notifications (#37272 and #37306 by @ChaosExAnima and @ClearlyClaire)
- Fix default
Adminrole not includingview_feedspermission (#37301 by @ClearlyClaire) - Fix hashtag autocomplete replacing suggestion's first characters with input (#37281 by @ClearlyClaire)
- Fix mentions of domain-blocked users being processed (#37257 by @ClearlyClaire)
Upgrade notes
To get the code for v4.5.4, use git fetch && git checkout v4.5.4.
Note
As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump
Dependencies
External dependencies have not changed since v4.5.0.
- Ruby: 3.2 or newer
- PostgreSQL: 14 or newer
- Elasticsearch (recommended, for full-text search): 7.x (OpenSearch should also work)
- LibreTranslate (optional, for translations): 1.3.3 or newer
- Redis: 7.0 or newer
- Node: 20.19 or newer
- libvips (optional, instead of ImageMagick): 8.13 or newer
- ImageMagick (optional if using libvips): 6.9.7-7 or newer
Update steps
The following instructions are for updating from 4.5.3.
If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations. In particular, it is very important to read the 4.5.0 release notes.
Non-Docker
Tip
The charlock_holmes gem may fail to build on some systems with recent versions of gcc.
If you run into this issue, try BUNDLE_BUILD__CHARLOCK_HOLMES="--with-cxxflags=-std=c++17" bundle install.
- Precompile the assets:
RAILS_ENV=production bundle exec rails assets:precompile - Restart all Mastodon processes.
When using Docker
- Restart all Mastodon processes.
Contributors
Assets 2
v4.4.11
Note
While we continue to support Mastodon 4.4 and release patches for it, please note that Mastodon 4.5 is available with new features, changes and fixes. We encourage administrators to update to the latest 4.5 version when they can.
Changelog
Security
- Fix SSRF protection bypass (GHSA)
- Fix missing ownership check in severed relationships controller (GHSA)
Changed
- Change HTTP Signature verification status from 401 to 503 on temporary failure to get remote actor (#37221 by @ClearlyClaire)
Fixed
- Fix mentions of domain-blocked users being processed (#37257 by @ClearlyClaire)
Upgrade notes
To get the code for v4.4.11, use git fetch && git checkout v4.4.11.
Note
As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump
Dependencies
External dependencies have not changed since v4.4.1:
- Ruby: 3.2 or newer
- PostgreSQL: 13 or newer
- Elasticsearch (recommended, for full-text search): 7.x (OpenSearch should also work)
- LibreTranslate (optional, for translations): 1.3.3 or newer
- Redis: 6.2 or newer
- Node: 20 or newer
- libvips (optional, instead of ImageMagick): 8.13 or newer
- ImageMagick (optional if using libvips): 6.9.7-7 or newer
Update steps
The following instructions are for updating from 4.4.10.
If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations. In particular, it is very important to read the 4.4.0 release notes.
Non-Docker
- Restart all Mastodon processes.
When using Docker
- Restart all Mastodon processes.
Contributors
Assets 2
v4.3.17
Note
While we continue to support Mastodon 4.3 and release patches for it, please note that Mastodon 4.5 is available with new features, changes and fixes. We encourage administrators to update to the latest 4.5 version when they can.
Changelog
Security
- Fix SSRF protection bypass (GHSA)
- Fix missing ownership check in severed relationships controller (GHSA)
Fixed
- Fix mentions of domain-blocked users being processed (#37257 by @ClearlyClaire)
Upgrade notes
To get the code for v4.3.17, use git fetch && git checkout v4.3.17.
Note
As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump
Dependencies
External dependencies have not changed since v4.3.0, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:
- Ruby: 3.1 or newer
- PostgreSQL: 12 or newer. PostgreSQL versions 14.0 to 14.3 are not supported as they contain a critical data-corruption bug (see v4.3.0 release notes)
- Elasticsearch (recommended, for full-text search): 7.x (OpenSearch should also work)
- LibreTranslate (optional, for translations): 1.3.3 or newer
- Redis: 4 or newer
- Node: 18 or newer
- ImageMagick (optional if using libvips): 6.9.7-7 or newer
- libvips (optional, instead of ImageMagick): 8.13 or newer
Update steps
The following instructions are for updating from 4.3.16.
If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations. In particular, please read the v4.3.0 release notes, as there have been multiple important changes.
Non-docker
Tip
The charlock_holmes gem may fail to build on some systems with recent versions of gcc.
If you run into such an issue, try BUNDLE_BUILD__CHARLOCK_HOLMES="--with-cxxflags=-std=c++17" bundle install.
- Restart all Mastodon processes.
When using docker
- Restart all Mastodon processes.
Contributors
Assets 2
v4.2.29
Caution
The Mastodon 4.2.x branch will not receive any update—including security fixes—after 2026-01-08.
Please consider moving to a newer release as soon as possible.
Warning
There is a known security issue in the version of ActiveRecord we use. While it is unlikely to affect you, it is worth being aware of, and we recommend updating to Mastodon v4.3 or newer if possible.
Changelog
Security
- Fix SSRF protection bypass (GHSA)
Fixed
- Fix mentions of domain-blocked users being processed (#37257 by @ClearlyClaire)
Upgrade notes
To get the code for v4.2.29, use git fetch && git checkout v4.2.29.
Note
As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump
Important
Since v4.2.10, Mastodon is now performing stricter checks to prevent client IP address spoofing. This means that if one of your reverse proxy is not on Mastodon's local network, you will need to set TRUSTED_PROXY_IP accordingly, listing the IP address of every trusted reverse-proxy (including local network ones). See the documentation for more information.
Dependencies
The minimum supported Ruby version has been bumped from 3.0 to 3.1 in Mastodon v4.2.17. Otherwise, external dependencies have not changed since v4.2.4, the compatible PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:
- Ruby: 3.1 to 3.3
- PostgreSQL: 10 or newer
- Elasticsearch (recommended, for full-text search): 7.x (OpenSearch should also work)
- LibreTranslate (optional, for translations): 1.3.3 or newer
- Redis: 4 or newer
- Node: 16 or newer
- ImageMagick: 6.9.7-7 or newer
Update steps
Tip
The charlock_holmes gem may fail to build on some systems with recent versions of gcc.
If you run into such an issue, try BUNDLE_BUILD__CHARLOCK_HOLMES="--with-cxxflags=-std=c++17" bundle install.
The following instructions are for updating from 4.2.28.
If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.
- Restart all Mastodon processes
Contributors
Assets 2
v4.5.3
Upgrade overview
This release contains upgrade notes that deviate from the norm:
ℹ️ Requires assets recompilation
For more information, view the complete release notes and scroll down to the upgrade instructions section.
Changelog
Security
- Fix inconsistent error handling leaking information on existence of private posts (GHSA-gwhw-gcjx-72v8)
Fixed
- Fix “Delete and Redraft” on a non-quote being treated as a quote post in some cases (#37140 by @ClearlyClaire)
- Fix YouTube embeds by sending referer (#37126 by @ChaosExAnima)
- Fix streamed quoted polls not being hydrated correctly (#37118 by @ClearlyClaire)
- Fix creation of duplicate conversations (#37108 by @oneiros)
- Fix extraneous
noreferrerin external links (#37107 by @ChaosExAnima) - Fix edge case error handling in some database migrations (#37079 by @ClearlyClaire)
- Fix error handling when re-fetching already-known statuses (#37077 by @ClearlyClaire)
- Fix post navigation in single-column mode when Advanced UI is enabled (#37044 by @diondiondion)
- Fix
tootctl status removeremoving quoted posts and remote quotes of local posts (#37009 by @ClearlyClaire) - Fix known expensive S3 batch delete operation failing because of short timeouts (#37004 by @ClearlyClaire)
- Fix compose autosuggest always lowercasing input token (#36995 by @ClearlyClaire)
Upgrade notes
To get the code for v4.5.3, use git fetch && git checkout v4.5.3.
Note
As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump
Dependencies
External dependencies have not changed since v4.5.0.
- Ruby: 3.2 or newer
- PostgreSQL: 14 or newer
- Elasticsearch (recommended, for full-text search): 7.x (OpenSearch should also work)
- LibreTranslate (optional, for translations): 1.3.3 or newer
- Redis: 7.0 or newer
- Node: 20.19 or newer
- libvips (optional, instead of ImageMagick): 8.13 or newer
- ImageMagick (optional if using libvips): 6.9.7-7 or newer
Update steps
The following instructions are for updating from 4.5.2.
If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations. In particular, it is very important to read the 4.5.0 release notes.
Non-Docker
Tip
The charlock_holmes gem may fail to build on some systems with recent versions of gcc.
If you run into this issue, try BUNDLE_BUILD__CHARLOCK_HOLMES="--with-cxxflags=-std=c++17" bundle install.
- Precompile the assets:
RAILS_ENV=production bundle exec rails assets:precompile - Restart all Mastodon processes.
When using Docker
- Restart all Mastodon processes.
Contributors
Assets 2
v4.4.10
Note
While we continue to support Mastodon 4.4 and release patches for it, please note that Mastodon 4.5 is available with new features, changes and fixes. We encourage administrators to update to the latest 4.5 version when they can.
Upgrade overview
This release contains upgrade notes that deviate from the norm:
ℹ️ Requires assets recompilation
For more information, view the complete release notes and scroll down to the upgrade instructions section.
Changelog
Security
- Fix inconsistent error handling leaking information on existence of private posts (GHSA-gwhw-gcjx-72v8)
Fixed
- Fix YouTube embeds by sending referer (#37126 by @ChaosExAnima)
- Fix YouTube iframe not being able to start at a defined time (#26584 by @BrunoViveiros)
- Fix streamed quoted polls not being hydrated correctly (#37118 by @ClearlyClaire)
- Fix error handling when re-fetching already-known statuses (#37077 by @ClearlyClaire)
- Fix known expensive S3 batch delete operation failing because of short timeouts (#37004 by @ClearlyClaire)
Upgrade notes
To get the code for v4.4.10, use git fetch && git checkout v4.4.10.
Note
As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump
Dependencies
External dependencies have not changed since v4.4.1:
- Ruby: 3.2 or newer
- PostgreSQL: 13 or newer
- Elasticsearch (recommended, for full-text search): 7.x (OpenSearch should also work)
- LibreTranslate (optional, for translations): 1.3.3 or newer
- Redis: 6.2 or newer
- Node: 20 or newer
- libvips (optional, instead of ImageMagick): 8.13 or newer
- ImageMagick (optional if using libvips): 6.9.7-7 or newer
Update steps
The following instructions are for updating from 4.4.9.
If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations. In particular, it is very important to read the 4.4.0 release notes.
Non-Docker
- Precompile the assets:
RAILS_ENV=production bundle exec rails assets:precompile - Restart all Mastodon processes.
When using Docker
- Restart all Mastodon processes.
Contributors
Assets 2
v4.3.16
Note
While we continue to support Mastodon 4.3 and release patches for it, please note that Mastodon 4.5 is available with new features, changes and fixes. We encourage administrators to update to the latest 4.5 version when they can.
Upgrade overview
This release contains upgrade notes that deviate from the norm:
ℹ️ Requires assets recompilation
For more information, view the complete release notes and scroll down to the upgrade instructions section.
Changelog
Security
- Fix inconsistent error handling leaking information on existence of private posts (GHSA-gwhw-gcjx-72v8)
Fixed
- Fix YouTube embeds by sending referer (#37126 by @ChaosExAnima)
- Fix YouTube iframe not being able to start at a defined time (#26584 by @BrunoViveiros)
- Fix known expensive S3 batch delete operation failing because of short timeouts (#37004 by @ClearlyClaire)
Upgrade notes
To get the code for v4.3.16, use git fetch && git checkout v4.3.16.
Note
As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump
Dependencies
External dependencies have not changed since v4.3.0, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:
- Ruby: 3.1 or newer
- PostgreSQL: 12 or newer. PostgreSQL versions 14.0 to 14.3 are not supported as they contain a critical data-corruption bug (see v4.3.0 release notes)
- Elasticsearch (recommended, for full-text search): 7.x (OpenSearch should also work)
- LibreTranslate (optional, for translations): 1.3.3 or newer
- Redis: 4 or newer
- Node: 18 or newer
- ImageMagick (optional if using libvips): 6.9.7-7 or newer
- libvips (optional, instead of ImageMagick): 8.13 or newer
Update steps
The following instructions are for updating from 4.3.15.
If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations. In particular, please read the v4.3.0 release notes, as there have been multiple important changes.
Non-docker
Tip
The charlock_holmes gem may fail to build on some systems with recent versions of gcc.
If you run into such an issue, try BUNDLE_BUILD__CHARLOCK_HOLMES="--with-cxxflags=-std=c++17" bundle install.
- Precompile the assets:
RAILS_ENV=production bundle exec rails assets:precompile - Restart all Mastodon processes.
When using docker
- Restart all Mastodon processes.
Contributors
Assets 2
v4.2.28
Warning
There is a known security issue in the version of ActiveRecord we use. While it is unlikely to affect you, it is worth being aware of, and we recommend updating to Mastodon v4.3 or newer if possible.
We would also like to remind you that support for Mastodon v4.2 will end on 2026-01-08.
Changelog
Security
- Fix inconsistent error handling leaking information on existence of private posts (GHSA-gwhw-gcjx-72v8)
Fixed
- Fix old previously-undiscovered posts being treated as new when receiving an
Update(#36848 by @ClearlyClaire)
Upgrade notes
To get the code for v4.2.28, use git fetch && git checkout v4.2.28.
Note
As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump
Important
Since v4.2.10, Mastodon is now performing stricter checks to prevent client IP address spoofing. This means that if one of your reverse proxy is not on Mastodon's local network, you will need to set TRUSTED_PROXY_IP accordingly, listing the IP address of every trusted reverse-proxy (including local network ones). See the documentation for more information.
Dependencies
The minimum supported Ruby version has been bumped from 3.0 to 3.1 in Mastodon v4.2.17. Otherwise, external dependencies have not changed since v4.2.4, the compatible PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:
- Ruby: 3.1 to 3.3
- PostgreSQL: 10 or newer
- Elasticsearch (recommended, for full-text search): 7.x (OpenSearch should also work)
- LibreTranslate (optional, for translations): 1.3.3 or newer
- Redis: 4 or newer
- Node: 16 or newer
- ImageMagick: 6.9.7-7 or newer
Update steps
Tip
The charlock_holmes gem may fail to build on some systems with recent versions of gcc.
If you run into such an issue, try BUNDLE_BUILD__CHARLOCK_HOLMES="--with-cxxflags=-std=c++17" bundle install.
The following instructions are for updating from 4.2.27.
If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.
- Restart all Mastodon processes
Contributors
Assets 2
v4.5.2
Upgrade overview
This release contains upgrade notes that deviate from the norm:
ℹ️ Requires assets recompilation
For more information, view the complete release notes and scroll down to the upgrade instructions section.
Changelog
Changed
- Change private quote education modal to not show up on self-quotes (#36926 by @ClearlyClaire)
Fixed
- Fix missing fallback link in CW-only quote posts (#36963 by @ClearlyClaire)
- Fix statuses without text being hidden while loading (#36962 by @ClearlyClaire)
- Fix
g+hkeyboard shortcut not working when a post is focused (#36935 by @diondiondion) - Fix quoting overwriting current content warning (#36934 by @ClearlyClaire)
- Fix scroll-to-status in threaded view being unreliable (#36927 by @ClearlyClaire)
- Fix path resolution for emoji worker (#36897 by @ChaosExAnima)
- Fix
tootctl upgrade storage-schemafailing withArgumentError(#36914 by @shugo) - Fix cross-origin handling of CSS modules (#36890 by @ClearlyClaire)
- Fix error with remote tags including percent signs (#36886 and #36925 by @ChaosExAnima and @ClearlyClaire)
- Fix bogus quote approval policy not always being replaced correctly (#36885 by @ClearlyClaire)
- Fix hashtag completion not being inserted correctly (#36884 by @ClearlyClaire)
- Fix Cmd/Ctrl + Enter in the composer triggering confirmation dialog action (#36870 by @diondiondion)
Upgrade notes
To get the code for v4.5.2, use git fetch && git checkout v4.5.2.
Note
As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump
Dependencies
External dependencies have not changed since v4.5.0.
- Ruby: 3.2 or newer
- PostgreSQL: 14 or newer
- Elasticsearch (recommended, for full-text search): 7.x (OpenSearch should also work)
- LibreTranslate (optional, for translations): 1.3.3 or newer
- Redis: 7.0 or newer
- Node: 20.19 or newer
- libvips (optional, instead of ImageMagick): 8.13 or newer
- ImageMagick (optional if using libvips): 6.9.7-7 or newer
Update steps
The following instructions are for updating from 4.5.1.
If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations. In particular, it is very important to read the 4.5.0 release notes.
Non-Docker
Tip
The charlock_holmes gem may fail to build on some systems with recent versions of gcc.
If you run into this issue, try BUNDLE_BUILD__CHARLOCK_HOLMES="--with-cxxflags=-std=c++17" bundle install.
- Install dependencies with
bundle installandyarn install --immutable - Precompile the assets:
RAILS_ENV=production bundle exec rails assets:precompile - Restart all Mastodon processes.
When using Docker
- Restart all Mastodon processes.
Contributors
Assets 2
v4.4.9
Note
While we continue to support Mastodon 4.4 and release patches for it, please note that Mastodon 4.5 is available with new features, changes and fixes. We encourage administrators to update to the latest 4.5 version when they can.
Upgrade overview
This release contains upgrade notes that deviate from the norm:
ℹ️ Requires assets recompilation
For more information, view the complete release notes and scroll down to the upgrade instructions section.
Changelog
Fixed
- Fix
tootctl upgrade storage-schemafailing withArgumentError(#36914 by @shugo) - Fix old previously-undiscovered posts being treated as new when receiving an
Update(#36848 by @ClearlyClaire) - Fix filters not being applied to quotes in detailed view (#36843 by @ClearlyClaire)
Upgrade notes
To get the code for v4.4.9, use git fetch && git checkout v4.4.9.
Note
As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump
Dependencies
External dependencies have not changed since v4.4.1:
- Ruby: 3.2 or newer
- PostgreSQL: 13 or newer
- Elasticsearch (recommended, for full-text search): 7.x (OpenSearch should also work)
- LibreTranslate (optional, for translations): 1.3.3 or newer
- Redis: 6.2 or newer
- Node: 20 or newer
- libvips (optional, instead of ImageMagick): 8.13 or newer
- ImageMagick (optional if using libvips): 6.9.7-7 or newer
Update steps
The following instructions are for updating from 4.4.8.
If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations. In particular, it is very important to read the 4.4.0 release notes.
Non-Docker
- Install dependencies with
bundle installandyarn install --immutable - Precompile the assets:
RAILS_ENV=production bundle exec rails assets:precompile - Restart all Mastodon processes.
When using Docker
- Restart all Mastodon processes.