Upstream 20260225

.github/renovate.json5

@@ -154,9 +154,15 @@
       groupName: 'opentelemetry-ruby (non-major)',
     },
     {
-      // Group Playwright Ruby & JS deps in the same PR, as they need to be in sync
-      matchManagers: ['bundler', 'npm'],
-      matchPackageNames: ['playwright-ruby-client', 'playwright'],
+      // The ruby portion of the Playwright group
+      matchManagers: ['bundler'],
+      matchPackageNames: ['playwright-ruby-client'],
+      groupName: 'Playwright',
+    },
+    {
+      // The node portion of the Playwright group
+      matchManagers: ['npm'],
+      matchPackageNames: ['playwright'],
       groupName: 'Playwright',
     },
     // Add labels depending on package manager

.github/workflows/format-check.yml

@@ -21,5 +21,5 @@ jobs:
       - name: Set up Javascript environment
         uses: ./.github/actions/setup-javascript
 
-      - name: Check formatting with Prettier
+      - name: Check formatting
         run: yarn format:check

.github/workflows/lint-haml.yml

@@ -45,5 +45,4 @@ jobs:
 
       - name: Run haml-lint
         run: |
-          echo "::add-matcher::.github/workflows/haml-lint-problem-matcher.json"
           bin/haml-lint --reporter github

.oxfmtrc.json

@@ -0,0 +1,92 @@
+{
+  "$schema": "./node_modules/oxfmt/configuration_schema.json",
+  "singleQuote": true,
+  "jsxSingleQuote": true,
+  "printWidth": 80,
+  "ignorePatterns": [
+    "/tmp",
+    "/coverage",
+    "/public/assets",
+    "/public/emoji",
+    "/public/packs",
+    "/public/packs-test",
+    "/public/system",
+    "/public/vite*",
+
+    "*.html",
+    "docker-compose.override.yml",
+
+    // Ignore config YAML files that include ERB/ruby code
+    "config/email.yml",
+
+    // Vendored CSS
+    "app/javascript/styles/mastodon/reset.scss",
+
+    // Automatically generated
+    "/app/javascript/mastodon/features/emoji/emoji_map.json",
+    "/app/javascript/mastodon/features/emoji/emoji_data.json",
+    "AUTHORS.md",
+    "/app/javascript/mastodon/locales/*.json",
+    "/config/locales",
+    ".storybook/static/mockServiceWorker.js",
+
+    // do not reformat JS files as this will change too many files and cause merge conflicts with open PRs and forks
+    "app/javascript/**/*.js",
+    "app/javascript/**/*.jsx",
+    "streaming/**/*.js"
+  ],
+  "experimentalSortPackageJson": false,
+  "experimentalSortImports": {
+    "groups": [
+      ["builtin"],
+      ["react"],
+      ["react-intl"],
+      ["react-utils"],
+      ["redux"],
+      ["external", "type-external"],
+      ["internal", "type-internal"],
+      ["mastodon-internals"],
+      ["parent", "type-parent"],
+      ["sibling", "type-sibling", "index", "type-index"],
+      ["side_effect"]
+    ],
+    "customGroups": [
+      {
+        "groupName": "react",
+        "elementNamePattern": [
+          "react",
+          "react-dom",
+          "react-dom/client",
+          "prop-types"
+        ]
+      },
+      {
+        "groupName": "react-intl",
+        "elementNamePattern": ["react-intl", "intl-messageformat"]
+      },
+      {
+        "groupName": "react-utils",
+        "elementNamePattern": [
+          "classnames",
+          "react-helmet",
+          "react-router",
+          "react-router-dom"
+        ]
+      },
+      {
+        "groupName": "redux",
+        "elementNamePattern": [
+          "immutable",
+          "@reduxjs/toolkit",
+          "react-redux",
+          "react-immutable-proptypes",
+          "react-immutable-pure-component"
+        ]
+      },
+      {
+        "groupName": "mastodon-internals",
+        "elementNamePattern": ["mastodon/**", "@/**"]
+      }
+    ]
+  }
+}

.rubocop/layout.yml

@@ -4,3 +4,6 @@ Layout/FirstHashElementIndentation:
 
 Layout/LineLength:
   Max: 300 # Default of 120 causes a duplicate entry in generated todo file
+
+Layout/MultilineMethodCallIndentation:
+  EnforcedStyle: indented

.storybook/preview.tsx

@@ -21,9 +21,10 @@ import { reducerWithInitialState } from '@/mastodon/reducers';
 import { defaultMiddleware } from '@/mastodon/store/store';
 import { mockHandlers, unhandledRequestHandler } from '@/testing/api';
 
+import { modes } from './modes';
+
 import '../app/javascript/styles/application.scss';
 import './styles.css';
-import { modes } from './modes';
 
 const localeFiles = import.meta.glob('@/mastodon/locales/*.json', {
   query: { as: 'json' },

CHANGELOG.md

@@ -2,6 +2,26 @@
 
 All notable changes to this project will be documented in this file.
 
+## [4.5.7] - 2026-02-24
+
+### Security
+
+- Reject unconfirmed FASPs (#37926 by @oneiros, [GHSA-qgmm-vr4c-ggjg](https://github.com/mastodon/mastodon/security/advisories/GHSA-qgmm-vr4c-ggjg))
+- Re-use custom socket class for FASP requests (#37925 by @oneiros, [GHSA-46w6-g98f-wxqm](https://github.com/mastodon/mastodon/security/advisories/GHSA-46w6-g98f-wxqm))
+
+### Added
+
+- Add `--suspended-only` option to `tootctl emoji purge` (#37828 and #37861 by @ClearlyClaire and @mjankowski)
+
+### Fixed
+
+- Fix emoji data not being properly cached (#37858 by @ChaosExAnima)
+- Fix delete & redraft of pending posts (#37839 by @ClearlyClaire)
+- Fix processing separate key documents without the ActivityStreams context (#37826 by @ClearlyClaire)
+- Fix custom emojis not being purged on domain suspension (#37808 by @ClearlyClaire)
+- Fix users without special permissions being able to stream disabled timelines (#37791 by @ClearlyClaire)
+- Fix processing of object updates with duplicate hashtags (#37756 by @ClearlyClaire)
+
 ## [4.5.6] - 2026-02-03
 
 ### Security

Gemfile.lock

@@ -187,7 +187,7 @@ GEM
       irb (~> 1.10)
       reline (>= 0.3.8)
     debug_inspector (1.2.0)
-    devise (5.0.1)
+    devise (5.0.2)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 7.0)
@@ -470,7 +470,7 @@ GEM
     net-smtp (0.5.1)
       net-protocol
     nio4r (2.7.5)
-    nokogiri (1.19.0)
+    nokogiri (1.19.1)
       mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
     oj (3.16.15)
@@ -488,7 +488,7 @@ GEM
     omniauth-rails_csrf_protection (2.0.1)
       actionpack (>= 4.2)
       omniauth (~> 2.0)
-    omniauth-saml (2.2.4)
+    omniauth-saml (2.2.5)
       omniauth (~> 2.1)
       ruby-saml (~> 1.18)
     omniauth_openid_connect (0.8.0)
@@ -631,7 +631,7 @@ GEM
       activesupport (>= 3.0.0)
     raabro (1.4.0)
     racc (1.8.1)
-    rack (3.2.4)
+    rack (3.2.5)
     rack-attack (6.8.0)
       rack (>= 1.0, < 4)
     rack-cors (3.0.0)
@@ -741,21 +741,21 @@ GEM
     rspec-mocks (3.13.7)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
-    rspec-rails (8.0.2)
+    rspec-rails (8.0.3)
       actionpack (>= 7.2)
       activesupport (>= 7.2)
       railties (>= 7.2)
       rspec-core (~> 3.13)
       rspec-expectations (~> 3.13)
       rspec-mocks (~> 3.13)
       rspec-support (~> 3.13)
-    rspec-sidekiq (5.2.0)
+    rspec-sidekiq (5.3.0)
       rspec-core (~> 3.0)
       rspec-expectations (~> 3.0)
       rspec-mocks (~> 3.0)
       sidekiq (>= 5, < 9)
     rspec-support (3.13.7)
-    rubocop (1.84.0)
+    rubocop (1.84.2)
       json (~> 2.3)
       language_server-protocol (~> 3.17.0.2)
       lint_roller (~> 1.1.0)

app/chewy/public_statuses_index.rb

@@ -8,9 +8,9 @@ class PublicStatusesIndex < Chewy::Index
   settings index: index_preset(refresh_interval: '30s', number_of_shards: 5), analysis: ChewyConfig.instance.public_statuses
 
   index_scope ::Status.unscoped
-                      .kept
-                      .indexable
-                      .includes(:media_attachments, :preloadable_poll, :tags, :account, preview_cards_status: :preview_card)
+    .kept
+    .indexable
+    .includes(:media_attachments, :preloadable_poll, :tags, :account, preview_cards_status: :preview_card)
 
   root date_detection: false do
     field(:id, type: 'long')

app/controllers/admin/collections_controller.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Admin
+  class CollectionsController < BaseController
+    before_action :set_account
+    before_action :set_collection, only: :show
+
+    def show
+      authorize @collection, :show?
+    end
+
+    private
+
+    def set_account
+      @account = Account.find(params[:account_id])
+    end
+
+    def set_collection
+      @collection = @account.collections.includes(accepted_collection_items: :account).find(params[:id])
+    end
+  end
+end

app/controllers/admin/fasp/debug/callbacks_controller.rb

@@ -5,8 +5,8 @@ def index
     authorize [:admin, :fasp, :provider], :update?
 
     @callbacks = Fasp::DebugCallback
-                 .includes(:fasp_provider)
-                 .order(created_at: :desc)
+      .includes(:fasp_provider)
+      .order(created_at: :desc)
   end
 
   def destroy