Just a few bugfixes, honest!

Just a few bugfixes, honest!

- Migrating frontend preferences from pre-2025.4.2 should be more reliable now.
- Parsing of incoming activities should be faster and use less memory.
- Many database queries are now faster.
- Blocking / silencing many instances will no longer slow down yours.
- Caches should be more correct.
- The "slow query" warning in the server logs can now be configured.
- S3 errors during media uploads are now correctly reported to the frontend.
- More consistent handling of note visibility and silenced instances / users.
- The MFM parser now accepts markdown image links like ![text](url), and those images are fetched like attachments (they're not yet rendered inline, though).
- Many privacy / security fixes.
- Improved notification grouping.
- Suspending a user no longer severs their follows, so they'll be restored when the user is un-suspended.
- On a note's detailed view, the "reactions" tab shows all the details of the first reaction group by default.
- API endpoints emit a X-Robots-Tag: noindex header to deter indexing.
- Videos will be optimized for streaming (not re-encoded, the metadata will just be modified slightly).
- The admin view of a user's profile now shows their sign-up reason.
- A few admin and moderation pages have been redesigned and should be more usable, especially on mobile.
- Server logging has been improved, it should now provide more details with less noise.
- Improved interoperability of quotes with Mastodon and other software that implements fep-e232 and/or fep-044f.
- Show attributions (fediverse:creator) in link previews, and allow users to set their "attribution domains".
- If enabled in the default policy, non-logged-in users can use translation features.
- Some frontend pages now retry API calls when they hit a rate limit.
- DeepLX works again.
- Fixed receiving poll votes.
- Users can again set their custom search engine for MFM's [search] feature.
- "Show muted words" works the right way around.
- Reworked the "trending polls" page.

Recommendations to admins:
- If your users had a broken migration, they can try re-importing via Settings → other → 🗘 Migrate old client settings, but we suggest backing up their current preferences first.
- The default policy now disables translation, you may want to create a conditional role matching all local users to re-enable it for them.
- We've added many new indexes to the database, we recommend running a vacuum (analyse, verbose) after the migrations have completed.
- If you do not use Docker, to avoid potential crashes when rendering some SVG images, you should make sure that your system has librsvg and some fonts (on Debian-style systems, that's librsvg2-2 and fonts-noto).

It's time for a brand new Sharkey release! This marks the first of the 2025.4 series (the .2 is to prevent conflicting tags with upstream for our merge workflows), and with it comes a lot of new features and bugfixes!

- Mfm now handles some punctuation inside bold/italic blocks.
- Users mentioned in DMs they can't see are no longer sent notifications.
- Optional WebSocket compression.
- Hopefully a fix for the bug of your own reactions not being marked on posts.
- Blocks and mutes should now be more effective.
- When a note is muted, the reason is shown.
- Fixed editing of scheduled posts.
- Additional moderation logs.
- Numerous fixes to the Mastodon API.
- Users can now delete their own avatars.
- Users are now warned when editing a poll, as it can lose all votes.
- Libretranslate is now supported in addition to DeepL.
- Showing linked notes as quotes is no longer automatic (you have to click a button), and it works in more cases.
- Admins can change the level of "authorized fetch" via the frontend ("never", "always", and the new "essential" that serves a reduced amount of data to non-signed requests), and users can override this for their own data.
- The notification dot on the favicon should work in more cases, and be more visible.
- The "replies" collection is now exposed on all notes (we still don't fetch remote replies, but we enable other software to do so).
- Improved compatibility with Lemmy and other ActivityPub implementations that Announce activities other than Note.
- Numerous translation improvements (Daniel Ares for German, Ahri for Thai and Vietnamese).
- Support for BunnyCDN in addition to S3-like object stores.
- Sensitive/content-warned content is not served to the Discordbot (Discord uses the mastodon api to fetch notes for their previews, and they've decided to ignore CWs in favour of their own ||spoiler|| markers-- we don't agree with that decision).
- Admins can now inject custom HTML in every page's <head> (e.g. custom CSS).
- Admin set MOTDs can now use HTML.
- Links in profile fields are now verified for remote users.
- Fixed signature verification for paginated AP requests.
- Admins can now remove a role's color.
- Admins can disable the use of the "proxy account" (although this will break some lists!).
- Disabling the local timeline also disables the "featured" timeline on the logged-out front page.
- Drive cleaner now shows all files, even those inside folders.
- Delivery of activities has been re-ordered a bit, this should mitigate the infamous "Yaseen bug".
- URL previews once again follow redirects.
- Config file(s) can now be placed in any directory.
- You can now configure the directory for drive files (when not using S3 or similar).
- Improvements to the admin UI.
- Improved "delete account" process with better reliability.
- New role setting "can trend".
- new role conditions "is from bubble instance", "is from instance X", "has more/fewer than X local/remote followers", "follows more/fewer than X local/remote accounts".
- The config option allowPrivateNetworks can now specify ports for each network.
- New "pattern checker" tool to test your word mutes.
- The web frontend passes the user's authorization token in a header instead of the request body-- this should prevent accidentally leaking the token via logs.
- Improved interoperability with Akkoma and Wafrn "invisible mentions"

From Upstream:
- Brand-new job queue dashboard
- All-new settings/preferences system that enables searching of settings!
- Admins can now limit the max file size for users, via roles-- if this is applied to remote users, it applies to caching.

Potential Gotchas:
- If your browser is logged into more than one account, you may need to log in again, due to an upstream change.

Develop changes have been merged and finished building!

Note that for users who run develop, they will need to wait for this MR to be merged into develop for the patches.

We've officially released version 2025.2.3 of Sharkey!

This update contains critical security fixes. Please update as soon as possible. Disclosures for the relevant vulnerabilities will be made available once instances have been patched.

@[email protected] CI is running on the branch, once thats done it'll be merged into stable, which will build the image.

Please be patient, GitLab is not behaving which is preventing us from pushing our changes- hence why we allocated a window of time.

Almost time!

@[email protected] Fingers crossed 🥴

@[email protected] @[email protected] We'd advise against holding off on this, it's pretty severe

@[email protected] the two hour window is just our target- Misskey will probably be releasing on the tail end of the window on account of timezones, whereas Iceshrimp and Sharkey should release relatively quickly.

Heads up- we'll be making a major security release for Sharkey later today (between 2025-04-27T19:00:00.000Z and 2025-04-27T21:00:00.000Z) in coordination with Iceshrimp and Misskey. Please make sure to update your instances as soon as possible.