Profile editing: Rearranging and adding fields (#38083 )

New Crowdin Translations (automated) (#38091 )
Co-authored-by: GitHub Actions <noreply@github.com>
2026-03-06 12:57:06 +00:00 · 2026-03-06 11:39:35 +00:00 · 2026-03-06 11:16:28 +00:00 · 2026-03-05 17:44:52 +00:00 · 2026-03-05 15:57:27 +00:00 · 2026-03-05 15:43:57 +00:00
1678 changed files with 59606 additions and 22145 deletions
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -1,5 +1,5 @@
 # For details, see https://github.com/devcontainers/images/tree/main/src/ruby
-FROM mcr.microsoft.com/devcontainers/ruby:1-3.3-bookworm
+FROM mcr.microsoft.com/devcontainers/ruby:3.4-trixie

 # Install node version from .nvmrc
 WORKDIR /app
@@ -9,7 +9,7 @@ RUN /bin/bash --login -i -c "nvm install"
 # Install additional OS packages
 RUN apt-get update && \
    export DEBIAN_FRONTEND=noninteractive && \
-    apt-get -y install --no-install-recommends libicu-dev libidn11-dev ffmpeg imagemagick libvips42 libpam-dev
+    apt-get -y install --no-install-recommends libicu-dev libidn11-dev ffmpeg libvips42 libpam-dev

 # Disable download prompt for Corepack
 ENV COREPACK_ENABLE_DOWNLOAD_PROMPT=0
--- a/.devcontainer/compose.yaml
+++ b/.devcontainer/compose.yaml
@@ -56,7 +56,7 @@ services:
      - internal_network

  es:
-    image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2
+    image: docker.elastic.co/elasticsearch/elasticsearch:7.17.29
    restart: unless-stopped
    environment:
      ES_JAVA_OPTS: -Xms512m -Xmx512m
@@ -73,7 +73,7 @@ services:
        hard: -1

  libretranslate:
-    image: libretranslate/libretranslate:v1.6.2
+    image: libretranslate/libretranslate:v1.7.3
    restart: unless-stopped
    volumes:
      - lt-data:/home/libretranslate/.local
--- a/.github/actions/setup-javascript/action.yml
+++ b/.github/actions/setup-javascript/action.yml
@@ -9,7 +9,7 @@ runs:
  using: 'composite'
  steps:
    - name: Set up Node.js
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
      with:
        node-version-file: '.nvmrc'

@@ -23,7 +23,7 @@ runs:
      shell: bash
      run: echo "dir=$(yarn config get cacheFolder)" >> $GITHUB_OUTPUT

-    - uses: actions/cache@v4
+    - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5
      id: yarn-cache # use this to check for `cache-hit` (`steps.yarn-cache.outputs.cache-hit != 'true'`)
      with:
        path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
--- a/.github/actions/setup-ruby/action.yml
+++ b/.github/actions/setup-ruby/action.yml
@@ -17,7 +17,7 @@ runs:
        sudo apt-get install -y libicu-dev libidn11-dev libvips42 ${{ inputs.additional-system-dependencies }}

    - name: Set up Ruby
-      uses: ruby/setup-ruby@v1
+      uses: ruby/setup-ruby@09a7688d3b55cf0e976497ff046b70949eeaccfd # v1
      with:
        ruby-version: ${{ inputs.ruby-version }}
        bundler-cache: true
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -5,7 +5,6 @@
    'customManagers:dockerfileVersions',
    ':labels(dependencies)',
    ':prConcurrentLimitNone', // Remove limit for open PRs at any time.
-    ':prHourlyLimit2', // Rate limit PR creation to a maximum of two per hour.
    ':enableVulnerabilityAlertsWithLabel(security)',
  ],
  rebaseWhen: 'conflicted',
@@ -23,8 +22,6 @@
      // Require Dependency Dashboard Approval for major version bumps of these node packages
      matchManagers: ['npm'],
      matchPackageNames: [
-        'tesseract.js', // Requires code changes
-
        // react-router: Requires manual upgrade
        'history',
        'react-router-dom',
@@ -116,6 +113,7 @@
      ],
      matchUpdateTypes: ['major'],
      groupName: 'artifact actions (major)',
+      extends: ['helpers:pinGitHubActionDigests'],
    },
    {
      // Update @types/* packages every week, with one grouped PR
@@ -156,9 +154,15 @@
      groupName: 'opentelemetry-ruby (non-major)',
    },
    {
-      // Group Playwright Ruby & JS deps in the same PR, as they need to be in sync
-      matchManagers: ['bundler', 'npm'],
-      matchPackageNames: ['playwright-ruby-client', 'playwright'],
+      // The ruby portion of the Playwright group
+      matchManagers: ['bundler'],
+      matchPackageNames: ['playwright-ruby-client'],
+      groupName: 'Playwright',
+    },
+    {
+      // The node portion of the Playwright group
+      matchManagers: ['npm'],
+      matchPackageNames: ['playwright'],
      groupName: 'Playwright',
    },
    // Add labels depending on package manager
--- a/.github/workflows/build-container-image.yml
+++ b/.github/workflows/build-container-image.yml
@@ -35,7 +35,7 @@ jobs:
          - linux/arm64

    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Prepare
        env:
@@ -47,19 +47,19 @@ jobs:
          image_names=${PUSH_TO_IMAGES//$'\n'/,}
          echo "IMAGE_NAMES=${image_names%,}" >> $GITHUB_ENV

-      - uses: docker/setup-buildx-action@v3
+      - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
        id: buildx

      - name: Log in to Docker Hub
        if: contains(inputs.push_to_images, 'tootsuite')
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Log in to the GitHub Container registry
        if: contains(inputs.push_to_images, 'ghcr.io')
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
@@ -67,7 +67,7 @@ jobs:

      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
        if: ${{ inputs.push_to_images != '' }}
        with:
          images: ${{ inputs.push_to_images }}
@@ -76,7 +76,7 @@ jobs:

      - name: Build and push by digest
        id: build
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
        with:
          context: .
          file: ${{ inputs.file_to_build }}
@@ -100,7 +100,7 @@ jobs:

      - name: Upload digest
        if: ${{ inputs.push_to_images != '' }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
        with:
          # `hashFiles` is used to disambiguate between streaming and non-streaming images
          name: digests-${{ hashFiles(inputs.file_to_build) }}-${{ env.PLATFORM_PAIR }}
@@ -119,10 +119,10 @@ jobs:
      PUSH_TO_IMAGES: ${{ inputs.push_to_images }}

    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Download digests
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
        with:
          path: ${{ runner.temp }}/digests
          # `hashFiles` is used to disambiguate between streaming and non-streaming images
@@ -131,25 +131,25 @@ jobs:

      - name: Log in to Docker Hub
        if: contains(inputs.push_to_images, 'tootsuite')
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Log in to the GitHub Container registry
        if: contains(inputs.push_to_images, 'ghcr.io')
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3

      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
        if: ${{ inputs.push_to_images != '' }}
        with:
          images: ${{ inputs.push_to_images }}
--- a/.github/workflows/build-push-pr.yml
+++ b/.github/workflows/build-push-pr.yml
@@ -18,7 +18,7 @@ jobs:
    steps:
      # Repository needs to be cloned so `git rev-parse` below works
      - name: Clone repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - id: version_vars
        run: |
          echo mastodon_version_metadata=pr-${{ github.event.pull_request.number }}-$(git rev-parse --short ${{github.event.pull_request.head.sha}}) >> $GITHUB_OUTPUT
--- a/.github/workflows/build-releases.yml
+++ b/.github/workflows/build-releases.yml
@@ -9,7 +9,44 @@ permissions:
  packages: write

 jobs:
+  check-latest-stable:
+    runs-on: ubuntu-latest
+    outputs:
+      latest: ${{ steps.check.outputs.is_latest_stable }}
+    steps:
+      # Repository needs to be cloned to list branches
+      - name: Clone repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          fetch-depth: 0
+
+      - name: Check latest stable
+        shell: bash
+        id: check
+        run: |
+          ref="${GITHUB_REF#refs/tags/}"
+
+          if [[ "$ref" =~ ^v([0-9]+)\.([0-9]+)(\.[0-9]+)?$ ]]; then
+            current="${BASH_REMATCH[1]}.${BASH_REMATCH[2]}"
+          else
+            echo "tag $ref is not semver"
+            echo "is_latest_stable=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          latest=$(git for-each-ref --format='%(refname:short)' "refs/remotes/origin/stable-*.*" \
+            | sed -E 's#^origin/stable-##' \
+            | sort -Vr \
+            | head -n1)
+
+          if [[ "$current" == "$latest" ]]; then
+            echo "is_latest_stable=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "is_latest_stable=false" >> "$GITHUB_OUTPUT"
+          fi
+
  build-image:
+    needs: check-latest-stable
    uses: ./.github/workflows/build-container-image.yml
    with:
      file_to_build: Dockerfile
@@ -21,13 +58,14 @@ jobs:
      # Only tag with latest when ran against the latest stable branch
      # This needs to be updated after each minor version release
      flavor: |
-        latest=${{ startsWith(github.ref, 'refs/tags/v4.3.') }}
+        latest=${{ needs.check-latest-stable.outputs.latest }}
      tags: |
        type=pep440,pattern={{raw}}
        type=pep440,pattern=v{{major}}.{{minor}}
    secrets: inherit

  build-image-streaming:
+    needs: check-latest-stable
    uses: ./.github/workflows/build-container-image.yml
    with:
      file_to_build: streaming/Dockerfile
@@ -39,7 +77,7 @@ jobs:
      # Only tag with latest when ran against the latest stable branch
      # This needs to be updated after each minor version release
      flavor: |
-        latest=${{ startsWith(github.ref, 'refs/tags/v4.3.') }}
+        latest=${{ needs.check-latest-stable.outputs.latest }}
      tags: |
        type=pep440,pattern={{raw}}
        type=pep440,pattern=v{{major}}.{{minor}}
--- a/.github/workflows/bundler-audit.yml
+++ b/.github/workflows/bundler-audit.yml
@@ -28,10 +28,10 @@ jobs:

    steps:
      - name: Clone repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Set up Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@09a7688d3b55cf0e976497ff046b70949eeaccfd # v1
        with:
          bundler-cache: true

--- a/.github/workflows/check-i18n.yml
+++ b/.github/workflows/check-i18n.yml
@@ -21,7 +21,7 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Set up Ruby environment
        uses: ./.github/actions/setup-ruby
@@ -42,8 +42,7 @@ jobs:

      - name: Check for missing strings in English YML
        run: |
-          bin/i18n-tasks add-missing -l en
-          git diff --exit-code
+          bin/i18n-tasks missing -t used -l en

      - name: Check for wrong string interpolations
        run: bin/i18n-tasks check-consistent-interpolations
--- a/.github/workflows/chromatic.yml
+++ b/.github/workflows/chromatic.yml
@@ -1,31 +1,51 @@
 name: 'Chromatic'
+permissions:
+  contents: read

 on:
  push:
    branches-ignore:
      - renovate/*
      - stable-*
-    paths:
-      - 'package.json'
-      - 'yarn.lock'
-      - '**/*.js'
-      - '**/*.jsx'
-      - '**/*.ts'
-      - '**/*.tsx'
-      - '**/*.css'
-      - '**/*.scss'
-      - '.github/workflows/chromatic.yml'

 jobs:
+  pathcheck:
+    name: Check for relevant changes
+    runs-on: ubuntu-latest
+    outputs:
+      changed: ${{ steps.filter.outputs.src }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          fetch-depth: 0
+
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
+        id: filter
+        with:
+          filters: |
+            src:
+              - 'package.json'
+              - 'yarn.lock'
+              - '**/*.js'
+              - '**/*.jsx'
+              - '**/*.ts'
+              - '**/*.tsx'
+              - '**/*.css'
+              - '**/*.scss'
+              - '.github/workflows/chromatic.yml'
+
  chromatic:
    name: Run Chromatic
    runs-on: ubuntu-latest
-    if: github.repository == 'mastodon/mastodon'
+    needs: pathcheck
+    if: github.repository == 'mastodon/mastodon' && needs.pathcheck.outputs.changed == 'true'
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          fetch-depth: 0
+
      - name: Set up Javascript environment
        uses: ./.github/actions/setup-javascript

@@ -33,9 +53,10 @@ jobs:
        run: yarn build-storybook

      - name: Run Chromatic
-        uses: chromaui/action@v12
+        uses: chromaui/action@07791f8243f4cb2698bf4d00426baf4b2d1cb7e0 # v13
        with:
-          # ⚠️ Make sure to configure a `CHROMATIC_PROJECT_TOKEN` repository secret
          projectToken: ${{ secrets.CHROMATIC_PROJECT_TOKEN }}
          zip: true
          storybookBuildDir: 'storybook-static'
+          exitOnceUploaded: true # Exit immediately after upload
+          autoAcceptChanges: 'main' # Auto-accept changes on main branch only
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -31,11 +31,11 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4
        with:
          languages: ${{ matrix.language }}
          # If you wish to specify custom queries, you can do so here or in a config file.
@@ -48,7 +48,7 @@ jobs:
      # Autobuild attempts to build any compiled languages  (C/C++, C#, Go, or Java).
      # If this step fails, then you should remove it and run the build manually (see below)
      - name: Autobuild
-        uses: github/codeql-action/autobuild@v3
+        uses: github/codeql-action/autobuild@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4

      # ℹ️ Command-line programs to run using the OS shell.
      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -61,6 +61,6 @@ jobs:
      #   ./location_of_script_within_repo/buildscript.sh

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4
        with:
          category: '/language:${{matrix.language}}'
--- a/.github/workflows/crowdin-download-stable.yml
+++ b/.github/workflows/crowdin-download-stable.yml
@@ -13,7 +13,7 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Increase Git http.postBuffer
        # This is needed due to a bug in Ubuntu's cURL version?
@@ -24,7 +24,7 @@ jobs:

      # Download the translation files from Crowdin
      - name: crowdin action
-        uses: crowdin/github-action@v2
+        uses: crowdin/github-action@b4b468cffefb50bdd99dd83e5d2eaeb63c880380 # v2
        with:
          upload_sources: false
          upload_translations: false
@@ -50,7 +50,7 @@ jobs:

      # Create or update the pull request
      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v7.0.8
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
        with:
          commit-message: 'New Crowdin translations'
          title: 'New Crowdin Translations for ${{ github.base_ref || github.ref_name }} (automated)'
--- a/.github/workflows/crowdin-download.yml
+++ b/.github/workflows/crowdin-download.yml
@@ -15,7 +15,7 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Increase Git http.postBuffer
        # This is needed due to a bug in Ubuntu's cURL version?
@@ -26,7 +26,7 @@ jobs:

      # Download the translation files from Crowdin
      - name: crowdin action
-        uses: crowdin/github-action@v2
+        uses: crowdin/github-action@b4b468cffefb50bdd99dd83e5d2eaeb63c880380 # v2
        with:
          upload_sources: false
          upload_translations: false
@@ -52,7 +52,7 @@ jobs:

      # Create or update the pull request
      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v7
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8
        with:
          commit-message: 'New Crowdin translations'
          title: 'New Crowdin Translations (automated)'
--- a/.github/workflows/crowdin-upload.yml
+++ b/.github/workflows/crowdin-upload.yml
@@ -23,10 +23,10 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: crowdin action
-        uses: crowdin/github-action@v2
+        uses: crowdin/github-action@b4b468cffefb50bdd99dd83e5d2eaeb63c880380 # v2
        with:
          upload_sources: true
          upload_translations: false
--- a/.github/workflows/format-check.yml
+++ b/.github/workflows/format-check.yml
@@ -13,10 +13,10 @@ jobs:

    steps:
      - name: Clone repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Set up Javascript environment
        uses: ./.github/actions/setup-javascript

-      - name: Check formatting with Prettier
+      - name: Check formatting
        run: yarn format:check
--- a/.github/workflows/haml-lint-problem-matcher.json
+++ b/.github/workflows/haml-lint-problem-matcher.json
@@ -1,17 +0,0 @@
-{
-  "problemMatcher": [
-    {
-      "owner": "haml-lint",
-      "severity": "warning",
-      "pattern": [
-        {
-          "regexp": "^(.*):(\\d+)\\s\\[W]\\s(.*):\\s(.*)$",
-          "file": 1,
-          "line": 2,
-          "code": 3,
-          "message": 4
-        }
-      ]
-    }
-  ]
-}
--- a/.github/workflows/lint-css.yml
+++ b/.github/workflows/lint-css.yml
@@ -9,7 +9,6 @@ on:
      - 'package.json'
      - 'yarn.lock'
      - '.nvmrc'
-      - '.prettier*'
      - 'stylelint.config.js'
      - '**/*.css'
      - '**/*.scss'
@@ -21,7 +20,6 @@ on:
      - 'package.json'
      - 'yarn.lock'
      - '.nvmrc'
-      - '.prettier*'
      - 'stylelint.config.js'
      - '**/*.css'
      - '**/*.scss'
@@ -34,7 +32,7 @@ jobs:

    steps:
      - name: Clone repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Set up Javascript environment
        uses: ./.github/actions/setup-javascript
--- a/.github/workflows/lint-haml.yml
+++ b/.github/workflows/lint-haml.yml
@@ -33,14 +33,13 @@ jobs:

    steps:
      - name: Clone repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Set up Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@09a7688d3b55cf0e976497ff046b70949eeaccfd # v1
        with:
          bundler-cache: true

      - name: Run haml-lint
        run: |
-          echo "::add-matcher::.github/workflows/haml-lint-problem-matcher.json"
          bin/haml-lint --reporter github
--- a/.github/workflows/lint-js.yml
+++ b/.github/workflows/lint-js.yml
@@ -10,7 +10,6 @@ on:
      - 'yarn.lock'
      - 'tsconfig.json'
      - '.nvmrc'
-      - '.prettier*'
      - 'eslint.config.mjs'
      - '**/*.js'
      - '**/*.jsx'
@@ -24,7 +23,6 @@ on:
      - 'yarn.lock'
      - 'tsconfig.json'
      - '.nvmrc'
-      - '.prettier*'
      - 'eslint.config.mjs'
      - '**/*.js'
      - '**/*.jsx'
@@ -38,7 +36,7 @@ jobs:

    steps:
      - name: Clone repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Set up Javascript environment
        uses: ./.github/actions/setup-javascript
--- a/.github/workflows/lint-ruby.yml
+++ b/.github/workflows/lint-ruby.yml
@@ -35,15 +35,15 @@ jobs:

    steps:
      - name: Clone repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Set up Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@09a7688d3b55cf0e976497ff046b70949eeaccfd # v1
        with:
          bundler-cache: true

      - name: Set-up RuboCop Problem Matcher
-        uses: r7kamura/rubocop-problem-matchers-action@v1
+        uses: r7kamura/rubocop-problem-matchers-action@59f1a0759f50cc2649849fd850b8487594bb5a81 # v1.2.2

      - name: Run rubocop
        run: bin/rubocop
--- a/.github/workflows/rebase-needed.yml
+++ b/.github/workflows/rebase-needed.yml
@@ -18,7 +18,7 @@ jobs:

    steps:
      - name: Check for merge conflicts
-        uses: eps1lon/actions-label-merge-conflict@v3
+        uses: eps1lon/actions-label-merge-conflict@1df065ebe6e3310545d4f4c4e862e43bdca146f0 # v3
        with:
          dirtyLabel: 'rebase needed :construction:'
          repoToken: '${{ secrets.GITHUB_TOKEN }}'
--- a/.github/workflows/test-js.yml
+++ b/.github/workflows/test-js.yml
@@ -34,7 +34,7 @@ jobs:

    steps:
      - name: Clone repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Set up Javascript environment
        uses: ./.github/actions/setup-javascript
--- a/.github/workflows/test-migrations.yml
+++ b/.github/workflows/test-migrations.yml
@@ -72,7 +72,7 @@ jobs:
      BUNDLE_RETRY: 3

    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Set up Ruby environment
        uses: ./.github/actions/setup-ruby
--- a/.github/workflows/test-ruby.yml
+++ b/.github/workflows/test-ruby.yml
@@ -32,7 +32,7 @@ jobs:
      SECRET_KEY_BASE_DUMMY: 1

    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Set up Ruby environment
        uses: ./.github/actions/setup-ruby
@@ -43,7 +43,7 @@ jobs:
          onlyProduction: 'true'

      - name: Cache assets from compilation
-        uses: actions/cache@v4
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5
        with:
          path: |
            public/assets
@@ -65,7 +65,7 @@ jobs:
        run: |
          tar --exclude={"*.br","*.gz"} -zcf artifacts.tar.gz public/assets public/packs* tmp/cache/vite/last-build*.json

-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
        if: matrix.mode == 'test'
        with:
          path: |-
@@ -128,9 +128,9 @@ jobs:
          - '3.3'
          - '.ruby-version'
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

-      - uses: actions/download-artifact@v4
+      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
        with:
          path: './'
          name: ${{ github.sha }}
@@ -151,7 +151,7 @@ jobs:
          bin/flatware fan bin/rails db:test:prepare

      - name: Cache RSpec persistence file
-        uses: actions/cache@v4
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5
        with:
          path: |
            tmp/rspec/examples.txt
@@ -167,99 +167,12 @@ jobs:

      - name: Upload coverage reports to Codecov
        if: matrix.ruby-version == '.ruby-version'
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5
        with:
          files: coverage/lcov/*.lcov
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

-  test-imagemagick:
-    name: ImageMagick tests
-    runs-on: ubuntu-latest
-
-    needs:
-      - build
-
-    services:
-      postgres:
-        image: postgres:14-alpine
-        env:
-          POSTGRES_PASSWORD: postgres
-          POSTGRES_USER: postgres
-        options: >-
-          --health-cmd pg_isready
-          --health-interval 10ms
-          --health-timeout 3s
-          --health-retries 50
-        ports:
-          - 5432:5432
-
-      redis:
-        image: redis:7-alpine
-        options: >-
-          --health-cmd "redis-cli ping"
-          --health-interval 10ms
-          --health-timeout 3s
-          --health-retries 50
-        ports:
-          - 6379:6379
-
-    env:
-      DB_HOST: localhost
-      DB_USER: postgres
-      DB_PASS: postgres
-      COVERAGE: ${{ matrix.ruby-version == '.ruby-version' }}
-      RAILS_ENV: test
-      ALLOW_NOPAM: true
-      PAM_ENABLED: true
-      PAM_DEFAULT_SERVICE: pam_test
-      PAM_CONTROLLED_SERVICE: pam_test_controlled
-      OIDC_ENABLED: true
-      OIDC_SCOPE: read
-      SAML_ENABLED: true
-      CAS_ENABLED: true
-      BUNDLE_WITH: 'pam_authentication test'
-      GITHUB_RSPEC: ${{ matrix.ruby-version == '.ruby-version' && github.event.pull_request && 'true' }}
-      MASTODON_USE_LIBVIPS: false
-
-    strategy:
-      fail-fast: false
-      matrix:
-        ruby-version:
-          - '3.2'
-          - '3.3'
-          - '.ruby-version'
-    steps:
-      - uses: actions/checkout@v4
-
-      - uses: actions/download-artifact@v4
-        with:
-          path: './'
-          name: ${{ github.sha }}
-
-      - name: Expand archived asset artifacts
-        run: |
-          tar xvzf artifacts.tar.gz
-
-      - name: Set up Ruby environment
-        uses: ./.github/actions/setup-ruby
-        with:
-          ruby-version: ${{ matrix.ruby-version}}
-          additional-system-dependencies: ffmpeg imagemagick libpam-dev
-
-      - name: Load database schema
-        run: './bin/rails db:create db:schema:load db:seed'
-
-      - run: bin/rspec --tag attachment_processing
-
-      - name: Upload coverage reports to Codecov
-        if: matrix.ruby-version == '.ruby-version'
-        uses: codecov/codecov-action@v5
-        with:
-          files: coverage/lcov/mastodon.lcov
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-
  test-e2e:
    name: End to End testing
    runs-on: ubuntu-latest
@@ -309,9 +222,9 @@ jobs:
          - '.ruby-version'

    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

-      - uses: actions/download-artifact@v4
+      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
        with:
          path: './'
          name: ${{ github.sha }}
@@ -334,7 +247,7 @@ jobs:

      - name: Cache Playwright Chromium browser
        id: playwright-cache
-        uses: actions/cache@v4
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5
        with:
          path: ~/.cache/ms-playwright
          key: playwright-browsers-${{ runner.os }}-${{ hashFiles('yarn.lock') }}
@@ -350,14 +263,14 @@ jobs:
      - run: bin/rspec spec/system --tag streaming --tag js

      - name: Archive logs
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
        if: failure()
        with:
          name: e2e-logs-${{ matrix.ruby-version }}
          path: log/

      - name: Archive test screenshots
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
        if: failure()
        with:
          name: e2e-screenshots-${{ matrix.ruby-version }}
@@ -439,17 +352,17 @@ jobs:
          - '3.3'
          - '.ruby-version'
        search-image:
-          - docker.elastic.co/elasticsearch/elasticsearch:7.17.13
+          - docker.elastic.co/elasticsearch/elasticsearch:7.17.29
        include:
          - ruby-version: '.ruby-version'
-            search-image: docker.elastic.co/elasticsearch/elasticsearch:8.10.2
+            search-image: docker.elastic.co/elasticsearch/elasticsearch:8.19.2
          - ruby-version: '.ruby-version'
            search-image: opensearchproject/opensearch:2

    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

-      - uses: actions/download-artifact@v4
+      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
        with:
          path: './'
          name: ${{ github.sha }}
@@ -469,14 +382,14 @@ jobs:
      - run: bin/rspec --tag search

      - name: Archive logs
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
        if: failure()
        with:
          name: test-search-logs-${{ matrix.ruby-version }}
          path: log/

      - name: Archive test screenshots
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
        if: failure()
        with:
          name: test-search-screenshots
--- a/.haml-lint.yml
+++ b/.haml-lint.yml
@@ -10,6 +10,6 @@ linters:
  MiddleDot:
    enabled: true
  LineLength:
-    max: 300
+    max: 240 # Override default value of 80 inherited from rubocop
  ViewLength:
    max: 200 # Override default value of 100 inherited from rubocop
--- a/.nvmrc
+++ b/.nvmrc
@@ -1 +1 @@
-24.10
+24.14
--- a/.oxfmtrc.json
+++ b/.oxfmtrc.json
@@ -0,0 +1,92 @@
+{
+  "$schema": "./node_modules/oxfmt/configuration_schema.json",
+  "singleQuote": true,
+  "jsxSingleQuote": true,
+  "printWidth": 80,
+  "ignorePatterns": [
+    "/tmp",
+    "/coverage",
+    "/public/assets",
+    "/public/emoji",
+    "/public/packs",
+    "/public/packs-test",
+    "/public/system",
+    "/public/vite*",
+
+    "*.html",
+    "docker-compose.override.yml",
+
+    // Ignore config YAML files that include ERB/ruby code
+    "config/email.yml",
+
+    // Vendored CSS
+    "app/javascript/styles/mastodon/reset.scss",
+
+    // Automatically generated
+    "/app/javascript/mastodon/features/emoji/emoji_map.json",
+    "/app/javascript/mastodon/features/emoji/emoji_data.json",
+    "AUTHORS.md",
+    "/app/javascript/mastodon/locales/*.json",
+    "/config/locales",
+    ".storybook/static/mockServiceWorker.js",
+
+    // do not reformat JS files as this will change too many files and cause merge conflicts with open PRs and forks
+    "app/javascript/**/*.js",
+    "app/javascript/**/*.jsx",
+    "streaming/**/*.js"
+  ],
+  "experimentalSortPackageJson": false,
+  "experimentalSortImports": {
+    "groups": [
+      ["builtin"],
+      ["react"],
+      ["react-intl"],
+      ["react-utils"],
+      ["redux"],
+      ["external", "type-external"],
+      ["internal", "type-internal"],
+      ["mastodon-internals"],
+      ["parent", "type-parent"],
+      ["sibling", "type-sibling", "index", "type-index"],
+      ["side_effect"]
+    ],
+    "customGroups": [
+      {
+        "groupName": "react",
+        "elementNamePattern": [
+          "react",
+          "react-dom",
+          "react-dom/client",
+          "prop-types"
+        ]
+      },
+      {
+        "groupName": "react-intl",
+        "elementNamePattern": ["react-intl", "intl-messageformat"]
+      },
+      {
+        "groupName": "react-utils",
+        "elementNamePattern": [
+          "classnames",
+          "react-helmet",
+          "react-router",
+          "react-router-dom"
+        ]
+      },
+      {
+        "groupName": "redux",
+        "elementNamePattern": [
+          "immutable",
+          "@reduxjs/toolkit",
+          "react-redux",
+          "react-immutable-proptypes",
+          "react-immutable-pure-component"
+        ]
+      },
+      {
+        "groupName": "mastodon-internals",
+        "elementNamePattern": ["mastodon/**", "@/**"]
+      }
+    ]
+  }
+}
--- a/.prettierignore
+++ b/.prettierignore
@@ -1,86 +0,0 @@
-# See https://help.github.com/articles/ignoring-files for more about ignoring files.
-#
-# If you find yourself ignoring temporary files generated by your text editor
-# or operating system, you probably want to add a global ignore instead:
-#   git config --global core.excludesfile '~/.gitignore_global'
-
-# Ignore bundler config and downloaded libraries.
-/.bundle
-/vendor/bundle
-
-# Ignore the default SQLite database.
-/db/*.sqlite3
-/db/*.sqlite3-journal
-
-# Ignore all logfiles and tempfiles.
-.eslintcache
-/log/*
-!/log/.keep
-/tmp
-/coverage
-.env
-.env.production
-.env.development
-/node_modules/
-/build/
-
-# Ignore Vagrant files
-.vagrant/
-
-# Ignore IDE files
-.vscode/
-.idea/
-
-# Ignore postgres + redis + elasticsearch volume optionally created by docker-compose
-/postgres
-/postgres14
-/redis
-/elasticsearch
-
-# Ignore Apple files
-.DS_Store
-
-# Ignore vim files
-*~
-*.swp
-
-# Ignore log files
-*.log
-
-# Ignore Docker option files
-docker-compose.override.yml
-
-# Ignore public
-/public/assets
-/public/emoji
-/public/packs
-/public/packs-test
-/public/system
-/public/vite*
-
-# Ignore emoji map file
-/app/javascript/mastodon/features/emoji/emoji_map.json
-/app/javascript/mastodon/features/emoji/emoji_data.json
-
-# Ignore locale files
-/app/javascript/mastodon/locales/*.json
-/config/locales
-
-# Ignore vendored CSS reset
-app/javascript/styles/mastodon/reset.scss
-
-# Ignore Javascript pending https://github.com/mastodon/mastodon/pull/23631
-*.js
-*.jsx
-
-# Ignore HTML till cleaned and included in CI
-*.html
-
-# Ignore the generated AUTHORS.md
-AUTHORS.md
-
-# Process a few selected JS files
-!lint-staged.config.js
-
-# Ignore config YAML files that include ERB/ruby code prettier does not understand
-/config/email.yml
--- a/.prettierrc.js
+++ b/.prettierrc.js
@@ -1,4 +0,0 @@
-module.exports = {
-  singleQuote: true,
-  jsxSingleQuote: true
-};
--- a/.rubocop/layout.yml
+++ b/.rubocop/layout.yml
@@ -4,3 +4,6 @@ Layout/FirstHashElementIndentation:

 Layout/LineLength:
  Max: 300 # Default of 120 causes a duplicate entry in generated todo file
+
+Layout/MultilineMethodCallIndentation:
+  EnforcedStyle: indented
--- a/.ruby-version
+++ b/.ruby-version
@@ -1 +1 @@
-3.4.7
+3.4.8
--- a/.storybook/main.ts
+++ b/.storybook/main.ts
@@ -27,11 +27,12 @@ const config: StorybookConfig = {
      'oops.gif',
      'oops.png',
    ].map((path) => ({ from: `../public/${path}`, to: `/${path}` })),
+    { from: '../app/javascript/images/logo.svg', to: '/custom-emoji/logo.svg' },
  ],
  viteFinal(config) {
    // For an unknown reason, Storybook does not use the root
    // from the Vite config so we need to set it manually.
-    config.root = resolve(__dirname, '../app/javascript');
+    config.root = resolve(import.meta.dirname, '../app/javascript');
    return config;
  },
 };
--- a/.storybook/modes.ts
+++ b/.storybook/modes.ts
@@ -0,0 +1,8 @@
+export const modes = {
+  darkTheme: {
+    theme: 'dark',
+  },
+  lightTheme: {
+    theme: 'light',
+  },
+} as const;
--- a/.storybook/preview-body.html
+++ b/.storybook/preview-body.html
@@ -1,2 +1,2 @@
-<html class="no-reduce-motion">
+<html class="no-reduce-motion" data-color-scheme="light">
 </html>
--- a/.storybook/preview.tsx
+++ b/.storybook/preview.tsx
@@ -11,14 +11,19 @@ import type { Preview } from '@storybook/react-vite';
 import { initialize, mswLoader } from 'msw-storybook-addon';
 import { action } from 'storybook/actions';

+import {
+  importCustomEmojiData,
+  importLegacyShortcodes,
+  importEmojiData,
+} from '@/mastodon/features/emoji/loader';
 import type { LocaleData } from '@/mastodon/locales';
 import { reducerWithInitialState } from '@/mastodon/reducers';
 import { defaultMiddleware } from '@/mastodon/store/store';
 import { mockHandlers, unhandledRequestHandler } from '@/testing/api';

-// If you want to run the dark theme during development,
-// you can change the below to `/application.scss`
-import '../app/javascript/styles/mastodon-light.scss';
+import { modes } from './modes';
+
+import '../app/javascript/styles/application.scss';
 import './styles.css';

 const localeFiles = import.meta.glob('@/mastodon/locales/*.json', {
@@ -45,17 +50,46 @@ const preview: Preview = {
        dynamicTitle: true,
      },
    },
+    theme: {
+      description: 'Theme for the story',
+      toolbar: {
+        title: 'Theme',
+        icon: 'circlehollow',
+        items: [{ value: 'light' }, { value: 'dark' }],
+        dynamicTitle: true,
+      },
+    },
  },
  initialGlobals: {
    locale: 'en',
+    theme: 'light',
  },
  decorators: [
-    (Story, { parameters, globals, args }) => {
+    (Story, { parameters, globals, args, argTypes }) => {
      // Get the locale from the global toolbar
      // and merge it with any parameters or args state.
      const { locale } = globals as { locale: string };
      const { state = {} } = parameters;
-      const { state: argsState = {} } = args;
+
+      const argsState: Record<string, unknown> = {};
+      for (const [key, value] of Object.entries(args)) {
+        const argType = argTypes[key];
+        if (argType?.reduxPath) {
+          const reduxPath = Array.isArray(argType.reduxPath)
+            ? argType.reduxPath.map((p) => p.toString())
+            : argType.reduxPath.split('.');
+
+          reduxPath.reduce((acc, key, i) => {
+            if (acc[key] === undefined) {
+              acc[key] = {};
+            }
+            if (i === reduxPath.length - 1) {
+              acc[key] = value;
+            }
+            return acc[key] as Record<string, unknown>;
+          }, argsState);
+        }
+      }

      const reducer = reducerWithInitialState(
        {
@@ -64,7 +98,7 @@ const preview: Preview = {
          },
        },
        state as Record<string, unknown>,
-        argsState as Record<string, unknown>,
+        argsState,
      );

      const store = configureStore({
@@ -111,6 +145,13 @@ const preview: Preview = {
        </IntlProvider>
      );
    },
+    (Story, { globals }) => {
+      const theme = (globals.theme as string) || 'light';
+      useEffect(() => {
+        document.body.setAttribute('data-color-scheme', theme);
+      }, [theme]);
+      return <Story />;
+    },
    (Story) => (
      <MemoryRouter>
        <Story />
@@ -127,7 +168,12 @@ const preview: Preview = {
      </MemoryRouter>
    ),
  ],
-  loaders: [mswLoader],
+  loaders: [
+    mswLoader,
+    importCustomEmojiData,
+    importLegacyShortcodes,
+    ({ globals: { locale } }) => importEmojiData(locale as string),
+  ],
  parameters: {
    layout: 'centered',

@@ -152,6 +198,13 @@ const preview: Preview = {
    msw: {
      handlers: mockHandlers,
    },
+
+    chromatic: {
+      modes: {
+        dark: modes.darkTheme,
+        light: modes.lightTheme,
+      },
+    },
  },
 };

--- a/.storybook/static/mockServiceWorker.js
+++ b/.storybook/static/mockServiceWorker.js
@@ -7,7 +7,7 @@
 * - Please do NOT modify this file.
 */

-const PACKAGE_VERSION = '2.11.3'
+const PACKAGE_VERSION = '2.12.1'
 const INTEGRITY_CHECKSUM = '4db4a41e972cec1b64cc569c66952d82'
 const IS_MOCKED_RESPONSE = Symbol('isMockedResponse')
 const activeClientIds = new Set()
@@ -205,6 +205,7 @@ async function resolveMainClient(event) {
 * @param {FetchEvent} event
 * @param {Client | undefined} client
 * @param {string} requestId
+ * @param {number} requestInterceptedAt
 * @returns {Promise<Response>}
 */
 async function getResponse(event, client, requestId, requestInterceptedAt) {
--- a/.storybook/storybook-addon-vitest.d.ts
+++ b/.storybook/storybook-addon-vitest.d.ts
@@ -1,7 +1,20 @@
 // The addon package.json incorrectly exports types, so we need to override them here.
+
+import type { RootState } from '@/mastodon/store';
+
 // See: https://github.com/storybookjs/storybook/blob/v9.0.4/code/addons/vitest/package.json#L70-L76
 declare module '@storybook/addon-vitest/vitest-plugin' {
  export * from '@storybook/addon-vitest/dist/vitest-plugin/index';
 }

+type RootPathKeys = keyof RootState;
+
+declare module 'storybook/internal/csf' {
+  export interface InputType {
+    reduxPath?:
+      | `${RootPathKeys}.${string}`
+      | [RootPathKeys, ...(string | number)[]];
+  }
+}
+
 export {};
--- a/.yarn/patches/babel-plugin-lodash-npm-3.3.4-c7161075b6.patch
+++ b/.yarn/patches/babel-plugin-lodash-npm-3.3.4-c7161075b6.patch
@@ -1,13 +0,0 @@
-diff --git a/lib/index.js b/lib/index.js
-index 16ed6be8be8f555cc99096c2ff60954b42dc313d..d009c069770d066ad0db7ad02de1ea473a29334e 100644
--- a/lib/index.js
-+++ b/lib/index.js
-@@ -99,7 +99,7 @@ function lodash(_ref) {
- 
-         var node = _ref3;
- 
-        if ((0, _types.isModuleDeclaration)(node)) {
-+        if ((0, _types.isImportDeclaration)(node)  || (0, _types.isExportDeclaration)(node)) {
-           isModule = true;
-           break;
-         }
--- a/AUTHORS.md
+++ b/AUTHORS.md
@@ -538,7 +538,7 @@ and provided thanks to the work of the following contributors:
 * [Drew Schuster](mailto:dtschust@gmail.com)
 * [Dryusdan](mailto:dryusdan@dryusdan.fr)
 * [Eai](mailto:eai@mizle.net)
-* [Eashwar Ranganathan](mailto:eranganathan@lyft.com)
+* [Eashwar Ranganathan](mailto:eashwar@eashwar.com)
 * [Ed Knutson](mailto:knutsoned@gmail.com)
 * [Elizabeth Martín Campos](mailto:me@elizabeth.sh)
 * [Elizabeth Myers](mailto:elizabeth@interlinked.me)
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,17 +2,165 @@

 All notable changes to this project will be documented in this file.

-## [4.5.0] - UNRELEASED
+## [4.5.7] - 2026-02-24
+
+### Security
+
+- Reject unconfirmed FASPs (#37926 by @oneiros, [GHSA-qgmm-vr4c-ggjg](https://github.com/mastodon/mastodon/security/advisories/GHSA-qgmm-vr4c-ggjg))
+- Re-use custom socket class for FASP requests (#37925 by @oneiros, [GHSA-46w6-g98f-wxqm](https://github.com/mastodon/mastodon/security/advisories/GHSA-46w6-g98f-wxqm))

 ### Added

- **Add support for allowing and authoring quotes** (#35355, #35578, #35614, #35618, #35624, #35626, #35652, #35629, #35665, #35653, #35670, #35677, #35690, #35697, #35689, #35699, #35700, #35701, #35709, #35714, #35713, #35715, #35725, #35749, #35769, #35780, #35762, #35804, #35808, #35805, #35819, #35824, #35828, #35822, #35835, #35865, #35860, #35832, #35891, #35894, #35895, #35820, #35917, #35924, #35925, #35914, #35930, #35941, #35939, #35948, #35955, #35967, #35990, #35991, #35975, #35971, #36002, #35986, #36031, #36034, #36038, #36054, #36052, #36055, #36065, #36068, #36083, #36087, #36080, #36091, #36090, #36118, #36119, #36128, #36094, #36129, #36138, #36132, #36151, #36158, #36171, #36194, #36220, #36169, #36130, #36249, #36153, #36299, #36291, #36301, #36315, #36317, #36364, #36383, #36381, #36459, #36464, #36461, #36516, #36528, #36549, #36550 and #36559 by @ChaosExAnima, @ClearlyClaire, @Lycolia, @diondiondion, and @tribela)\
+- Add `--suspended-only` option to `tootctl emoji purge` (#37828 and #37861 by @ClearlyClaire and @mjankowski)
+
+### Fixed
+
+- Fix emoji data not being properly cached (#37858 by @ChaosExAnima)
+- Fix delete & redraft of pending posts (#37839 by @ClearlyClaire)
+- Fix processing separate key documents without the ActivityStreams context (#37826 by @ClearlyClaire)
+- Fix custom emojis not being purged on domain suspension (#37808 by @ClearlyClaire)
+- Fix users without special permissions being able to stream disabled timelines (#37791 by @ClearlyClaire)
+- Fix processing of object updates with duplicate hashtags (#37756 by @ClearlyClaire)
+
+## [4.5.6] - 2026-02-03
+
+### Security
+
+- Fix ActivityPub collection caching logic for pinned posts and featured tags not checking blocked accounts ([GHSA-ccpr-m53r-mfwr](https://github.com/mastodon/mastodon/security/advisories/GHSA-ccpr-m53r-mfwr))
+
+### Changed
+
+- Shorten caching of quote posts pending approval (#37570 and #37592 by @ClearlyClaire)
+
+### Fixed
+
+- Fix relationship cache not being cleared when handling account migrations (#37664 by @ClearlyClaire)
+- Fix quote cancel button not appearing after edit then delete-and-redraft (#37066 by @PGrayCS)
+- Fix followers with profile subscription (bell icon) being notified of post edits (#37646 by @ClearlyClaire)
+- Fix error when encountering invalid tag in updated object (#37635 by @ClearlyClaire)
+- Fix cross-server conversation tracking (#37559 by @ClearlyClaire)
+- Fix recycled connections not being immediately closed (#37335 and #37674 by @ClearlyClaire and @shleeable)
+
+## [4.5.5] - 2026-01-20
+
+### Security
+
+- Fix missing limits on various federated properties [GHSA-gg8q-rcg7-p79g](https://github.com/mastodon/mastodon/security/advisories/GHSA-gg8q-rcg7-p79g)
+- Fix remote user suspension bypass [GHSA-5h2f-wg8j-xqwp](https://github.com/mastodon/mastodon/security/advisories/GHSA-5h2f-wg8j-xqwp)
+- Fix missing length limits on some user-provided fields [GHSA-6x3w-9g92-gvf3](https://github.com/mastodon/mastodon/security/advisories/GHSA-6x3w-9g92-gvf3)
+- Fix missing access check for push notification settings update [GHSA-f3q8-7vw3-69v4](https://github.com/mastodon/mastodon/security/advisories/GHSA-f3q8-7vw3-69v4)
+
+### Changed
+
+- Skip tombstone creation on deleting from 404 (#37533 by @ClearlyClaire)
+
+### Fixed
+
+- Fix potential duplicate handling of quote accept/reject/delete (#37537 by @ClearlyClaire)
+- Fix `FeedManager#filter_from_home` error when handling a reblog of a deleted status (#37486 by @ClearlyClaire)
+- Fix needlessly complicated SQL query in status batch removal (#37469 by @ClearlyClaire)
+- Fix `quote_approval_policy` being reset to user defaults when omitted in status update (#37436 and #37474 by @mjankowski and @shleeable)
+- Fix `Vary` parsing in cache control enforcement (#37426 by @MegaManSec)
+- Fix missing URI scheme test in `QuoteRequest` handling (#37425 by @MegaManSec)
+- Fix thread-unsafe ActivityPub activity dispatch (#37423 by @MegaManSec)
+- Fix URI generation for reblogs by accounts with numerical ActivityPub identifiers (#37415 by @oneiros)
+- Fix SignatureParser accepting duplicate parameters in HTTP Signature header (#37375 by @shleeable)
+- Fix emoji with variant selector not being rendered properly (#37320 by @ChaosExAnima)
+- Fix mobile admin sidebar displaying under batch table toolbar (#37307 by @diondiondion)
+
+## [4.5.4] - 2026-01-07
+
+### Security
+
+- Fix SSRF protection bypass ([GHSA](https://github.com/mastodon/mastodon/security/advisories/GHSA-xfrj-c749-jxxq))
+- Fix missing ownership check in severed relationships controller ([GHSA](https://github.com/mastodon/mastodon/security/advisories/GHSA-ww85-x9cp-5v24))
+
+### Changed
+
+- Change HTTP Signature verification status from 401 to 503 on temporary failure to get remote actor (#37221 by @ClearlyClaire)
+
+### Fixed
+
+- Fix custom emojis not being rendered in profile fields (#37365 by @ClearlyClaire)
+- Fix serialization of context pages (#37376 by @ClearlyClaire)
+- Fix quotes with CWs but no text not having fallback link (#37361 by @ClearlyClaire)
+- Fix outdated link target for “locked” warning (#37366 by @ClearlyClaire)
+- Fix local custom emojis sometimes being rendered in remote posts (#37284 by @ChaosExAnima)
+- Fix some assets not being loaded from configured CDN (#37310 by @ChaosExAnima)
+- Fix notifications page error in Tor browser (#37285 by @diondiondion)
+- Fix custom emojis not being displayed in CWs and fav/boost notifications (#37272 and #37306 by @ChaosExAnima and @ClearlyClaire)
+- Fix default `Admin` role not including `view_feeds` permission (#37301 by @ClearlyClaire)
+- Fix hashtag autocomplete replacing suggestion's first characters with input (#37281 by @ClearlyClaire)
+- Fix mentions of domain-blocked users being processed (#37257 by @ClearlyClaire)
+
+## [4.5.3] - 2025-12-08
+
+### Security
+
+- Fix inconsistent error handling leaking information on existence of private posts ([GHSA-gwhw-gcjx-72v8](https://github.com/mastodon/mastodon/security/advisories/GHSA-gwhw-gcjx-72v8))
+
+### Fixed
+
+- Fix “Delete and Redraft” on a non-quote being treated as a quote post in some cases (#37140 by @ClearlyClaire)
+- Fix YouTube embeds by sending referer (#37126 by @ChaosExAnima)
+- Fix streamed quoted polls not being hydrated correctly (#37118 by @ClearlyClaire)
+- Fix creation of duplicate conversations (#37108 by @oneiros)
+- Fix extraneous `noreferrer` in external links (#37107 by @ChaosExAnima)
+- Fix edge case error handling in some database migrations (#37079 by @ClearlyClaire)
+- Fix error handling when re-fetching already-known statuses (#37077 by @ClearlyClaire)
+- Fix post navigation in single-column mode when Advanced UI is enabled (#37044 by @diondiondion)
+- Fix `tootctl status remove` removing quoted posts and remote quotes of local posts (#37009 by @ClearlyClaire)
+- Fix known expensive S3 batch delete operation failing because of short timeouts (#37004 by @ClearlyClaire)
+- Fix compose autosuggest always lowercasing input token (#36995 by @ClearlyClaire)
+
+## [4.5.2] - 2025-11-20
+
+### Changed
+
+- Change private quote education modal to not show up on self-quotes (#36926 by @ClearlyClaire)
+
+### Fixed
+
+- Fix missing fallback link in CW-only quote posts (#36963 by @ClearlyClaire)
+- Fix statuses without text being hidden while loading (#36962 by @ClearlyClaire)
+- Fix `g` + `h` keyboard shortcut not working when a post is focused (#36935 by @diondiondion)
+- Fix quoting overwriting current content warning (#36934 by @ClearlyClaire)
+- Fix scroll-to-status in threaded view being unreliable (#36927 by @ClearlyClaire)
+- Fix path resolution for emoji worker (#36897 by @ChaosExAnima)
+- Fix `tootctl upgrade storage-schema` failing with `ArgumentError` (#36914 by @shugo)
+- Fix cross-origin handling of CSS modules (#36890 by @ClearlyClaire)
+- Fix error with remote tags including percent signs (#36886 and #36925 by @ChaosExAnima and @ClearlyClaire)
+- Fix bogus quote approval policy not always being replaced correctly (#36885 by @ClearlyClaire)
+- Fix hashtag completion not being inserted correctly (#36884 by @ClearlyClaire)
+- Fix Cmd/Ctrl + Enter in the composer triggering confirmation dialog action (#36870 by @diondiondion)
+
+## [4.5.1] - 2025-11-13
+
+### Fixed
+
+- Fix Cmd/Ctrl + Enter not submitting Alt text modal on some browsers (#36866 by @diondiondion)
+- Fix posts coming from public/hashtag streaming being marked as unquotable (#36860 and #36869 by @ClearlyClaire)
+- Fix old previously-undiscovered posts being treated as new when receiving an `Update` (#36848 by @ClearlyClaire)
+- Fix blank screen in browsers that don't support `Intl.DisplayNames` (#36847 by @diondiondion)
+- Fix filters not being applied to quotes in detailed view (#36843 by @ClearlyClaire)
+- Fix scroll shift caused by fetch-all-replies alerts (#36807 by @diondiondion)
+- Fix dropdown menu not focusing first item when opened via keyboard (#36804 by @diondiondion)
+- Fix assets build issue on arch64 (#36781 by @ClearlyClaire)
+- Fix `/api/v1/statuses/:id/context` sometimes returing `Mastodon-Async-Refresh` without `result_count` (#36779 by @ClearlyClaire)
+- Fix prepared quote not being discarded with contents when replying (#36778 by @ClearlyClaire)
+
+## [4.5.0] - 2025-11-06
+
+### Added
+
+- **Add support for allowing and authoring quotes** (#35355, #35578, #35614, #35618, #35624, #35626, #35652, #35629, #35665, #35653, #35670, #35677, #35690, #35697, #35689, #35699, #35700, #35701, #35709, #35714, #35713, #35715, #35725, #35749, #35769, #35780, #35762, #35804, #35808, #35805, #35819, #35824, #35828, #35822, #35835, #35865, #35860, #35832, #35891, #35894, #35895, #35820, #35917, #35924, #35925, #35914, #35930, #35941, #35939, #35948, #35955, #35967, #35990, #35991, #35975, #35971, #36002, #35986, #36031, #36034, #36038, #36054, #36052, #36055, #36065, #36068, #36083, #36087, #36080, #36091, #36090, #36118, #36119, #36128, #36094, #36129, #36138, #36132, #36151, #36158, #36171, #36194, #36220, #36169, #36130, #36249, #36153, #36299, #36291, #36301, #36315, #36317, #36364, #36383, #36381, #36459, #36464, #36461, #36516, #36528, #36549, #36550, #36559, #36693, #36704, #36690, #36689, #36696, #36721, #36695 and #36736 by @ChaosExAnima, @ClearlyClaire, @Lycolia, @diondiondion, and @tribela)\
  This includes a revamp of the composer interface.\
  See https://blog.joinmastodon.org/2025/09/introducing-quote-posts/ for a user-centric overview of the feature, and https://docs.joinmastodon.org/client/quotes/ for API documentation.
 - **Add support for fetching and refreshing replies to the web UI** (#35210, #35496, #35575, #35500, #35577, #35602, #35603, #35654, #36141, #36237, #36172, #36256, #36271, #36334, #36382, #36239, #36484, #36481, #36583, #36627 and #36547 by @ClearlyClaire, @diondiondion, @Gargron and @renchap)
 - **Add ability to block words in usernames** (#35407, #35655, and #35806 by @ClearlyClaire and @Gargron)
- Add ability to individually disable local or remote feeds for visitors or logged-in users `disabled` value to server setting for live and topic feeds, as well as user permission to bypass that (#36338, #36467, #36497, #36563, #36577, #36585, and #36607 by @ClearlyClaire)\
-  This splits the `timeline_preview` setting into four more granular settings controlling live feeds and topic (hashtag, trending link) feeds, with 3 values each: `public`, `authenticated`, `disabled`.\
+- Add ability to individually disable local or remote feeds for visitors or logged-in users `disabled` value to server setting for live and topic feeds, as well as user permission to bypass that (#36338, #36467, #36497, #36563, #36577, #36585, #36607 and #36703 by @ClearlyClaire)\
+  This splits the `timeline_preview` setting into four more granular settings controlling live feeds and topic (hashtag, trending link) feeds.\
+  The setting for local topic feeds has 2 values: `public` and `authenticated`. Every other setting has 3 values: `public`, `authenticated`, `disabled`.\
  When `disabled`, users with the “View live and topic feeds” will still be able to view them.
 - Add support for displaying of quote posts in Moderator UI (#35964 by @ThisIsMissEm)
 - Add support for displaying link previews for Admin UI (#35958 by @ThisIsMissEm)
@@ -20,21 +168,22 @@ All notable changes to this project will be documented in this file.
 - Add support for `Update` activities on converted object types (#36322 by @ClearlyClaire)
 - Add support for dynamic viewport height (#36272 by @e1berd)
 - Add support for numeric-based URIs for new local accounts (#32724, #36304, #36316, and #36365 by @ClearlyClaire)
+- Add default visualizer for audio upload without poster (#36734 by @ChaosExAnima)
 - Add Traditional Mongolian to posting languages (#36196 by @shimon1024)
 - Add example post with manual quote approval policy to `dev:populate_sample_data` (#36099 by @ClearlyClaire)
 - Add server-side support for handling posts with a quote policy allowing followers to quote (#36093 and #36127 by @ClearlyClaire)
 - Add schema.org markup to SEO-enabled posts (#36075 by @Gargron)
 - Add migration to fill unset default quote policy based on default post privacy (#36041 by @ClearlyClaire)
+- Add “Posting defaults” setting page, moving existing settings from “Other” (#35896, #36033, #35966, #35969, and #36084 by @ClearlyClaire and @diondiondion)
+- Added emoji from Twemoji v16 (#36501 and #36530 by @ChaosExAnima)
+- Add feature to select custom emoji rendering (#35229, #35282, #35253, #35424, #35473, #35483, #35505, #35568, #35605, #35659, #35664, #35739, #35985, #36051, #36071, #36137, #36165, #36248, #36262, #36275, #36293, #36341, #36342, #36366, #36377, #36378, #36385, #36393, #36397, #36403, #36413, #36410, #36454, #36402, #36503, #36502, #36532, #36603, #36409, #36638 and #36750 by @ChaosExAnima, @ClearlyClaire and @braddunbar)\
+  This also completely reworks the processing and rendering of emojis and server-rendered HTML in statuses and other places.
 - Add support for exposing conversation context for new public conversations according to FEP-7888 (#35959 and #36064 by @ClearlyClaire and @jesseplusplus)
 - Add digest re-check before removing followers in synchronization mechanism (#34273 by @ClearlyClaire)
- Add “Posting defaults” setting page, moving existing settings from “Other” (#35896, #36033, #35966, #35969, and #36084 by @ClearlyClaire and @diondiondion)
 - Add support for displaying Valkey version on admin dashboard (#35785 by @ykzts)
 - Add delivery failure tracking and handling to FASP jobs (#35625, #35628, and #35723 by @oneiros)
 - Add example of quote post with a preview card to development sample data (#35616 by @ClearlyClaire)
 - Add second set of blocked text that applies to accounts regardless of account age for spam-blocking (#35563 by @ClearlyClaire)
- Added emoji from Twemoji v16 (#36501 and #36530 by @ChaosExAnima)
- Add feature to select custom emoji rendering (#35229, #35282, #35253, #35424, #35473, #35483, #35505, #35568, #35605, #35659, #35664, #35739, #35985, #36051, #36071, #36137, #36165, #36248, #36262, #36275, #36293, #36341, #36342, #36366, #36377, #36378, #36385, #36393, #36397, #36403, #36413, #36410, #36454, #36402, #36503, #36502, #36532, #36603, #36409 and #36638 by @ChaosExAnima, @ClearlyClaire and @braddunbar)\
-  This also completely reworks the processing and rendering of emojis and server-rendered HTML in statuses and other places.

 ### Changed

@@ -43,6 +192,9 @@ All notable changes to this project will be documented in this file.
 - Change appearance settings to introduce new Advanced settings section (#36496 and #36506 by @diondiondion)
 - Change display of blocked and muted quoted users (#36619 by @ClearlyClaire)\
  This adds `blocked_account`, `blocked_domain` and `muted_account` values to the `state` attribute of `Quote` and `ShallowQuote` REST API entities.
+- Change submitting an empty post to show an error rather than failing silently (#36650 by @diondiondion)
+- Change "Privacy and reach" settings from "Public profile" to their own top-level category (#27294 by @ChaelCodes)
+- Change number of times quote verification is retried to better deal with temporary failures (#36698 by @ClearlyClaire)
 - Change display of content warnings in Admin UI (#35935 by @ThisIsMissEm)
 - Change styling of column banners (#36531 by @ClearlyClaire)
 - Change recommended Node version to 24 (LTS) (#36539 by @renchap)
@@ -70,9 +222,11 @@ All notable changes to this project will be documented in this file.
 - Fix relationship not being fetched to evaluate whether to show a quote post (#36517 by @ClearlyClaire)
 - Fix rendering of poll options in status history modal (#35633 by @ThisIsMissEm)
 - Fix “mute” button being displayed to unauthenticated visitors in hashtag dropdown (#36353 by @mkljczk)
+- Fix initially selected language in Rules panel, hide selector when no alternative translations exist (#36672 by @diondiondion)
 - Fix URL comparison for mentions in case of empty path (#36613 and #36626 by @ClearlyClaire)
 - Fix hashtags not being picked up when full-width hash sign is used (#36103 and #36625 by @ClearlyClaire and @Gargron)
 - Fix layout of severed relationships when purged events are listed (#36593 by @mejofi)
+- Fix Skeleton placeholders being animated when setting to reduce animations is enabled (#36716 by @ClearlyClaire)
 - Fix vacuum tasks being interrupted by a single batch failure (#36606 by @Gargron)
 - Fix handling of unreachable network error for search services (#36587 by @mjankowski)
 - Fix bookmarks export when a bookmarked status is soft-deleted (#36576 by @ClearlyClaire)
--- a/6
+++ b/6
@@ -13,7 +13,7 @@ ARG BASE_REGISTRY="docker.io"

 # Ruby image to use for base image, change with [--build-arg RUBY_VERSION="3.4.x"]
 # renovate: datasource=docker depName=docker.io/ruby
-ARG RUBY_VERSION="3.4.7"
+ARG RUBY_VERSION="3.4.8"
 # # Node.js version to use in base image, change with [--build-arg NODE_MAJOR_VERSION="22"]
 # renovate: datasource=node-version depName=node
 ARG NODE_MAJOR_VERSION="24"
@@ -70,8 +70,6 @@ ENV \
  PATH="${PATH}:/opt/ruby/bin:/opt/mastodon/bin" \
  # Optimize jemalloc 5.x performance
  MALLOC_CONF="narenas:2,background_thread:true,thp:never,dirty_decay_ms:1000,muzzy_decay_ms:0" \
-  # Enable libvips, should not be changed
-  MASTODON_USE_LIBVIPS=true \
  # Sidekiq will touch tmp/sidekiq_process_has_started_and_will_begin_processing_jobs to indicate it is ready. This can be used for a readiness check in Kubernetes
  MASTODON_SIDEKIQ_READY_FILENAME=sidekiq_process_has_started_and_will_begin_processing_jobs

@@ -183,7 +181,7 @@ FROM build AS libvips

 # libvips version to compile, change with [--build-arg VIPS_VERSION="8.15.2"]
 # renovate: datasource=github-releases depName=libvips packageName=libvips/libvips
-ARG VIPS_VERSION=8.17.2
+ARG VIPS_VERSION=8.18.0
 # libvips download URL, change with [--build-arg VIPS_URL="https://github.com/libvips/libvips/releases/download"]
 ARG VIPS_URL=https://github.com/libvips/libvips/releases/download

--- a/FEDERATION.md
+++ b/FEDERATION.md
@@ -48,3 +48,23 @@ Mastodon requires all `POST` requests to be signed, and MAY require `GET` reques
 ### Additional documentation

 - [Mastodon documentation](https://docs.joinmastodon.org/)
+
+## Size limits
+
+Mastodon imposes a few hard limits on federated content.
+These limits are intended to be very generous and way above what the Mastodon user experience is optimized for, so as to accommodate future changes and unusual or unforeseen usage patterns, while still providing some limits for performance reasons.
+The following table summarizes those limits.
+
+| Limited property                                              | Size limit | Consequence of exceeding the limit |
+| ------------------------------------------------------------- | ---------- | ---------------------------------- |
+| Serialized JSON-LD                                            | 1MB        | **Activity is rejected/dropped**   |
+| Profile fields (actor `PropertyValue` attachments) name/value | 2047       | Field name/value is truncated      |
+| Number of profile fields (actor `PropertyValue` attachments)  | 50         | Fields list is truncated           |
+| Poll options (number of `anyOf`/`oneOf` in a `Question`)      | 500        | Items list is truncated            |
+| Account username (actor `preferredUsername`) length           | 2048       | **Actor will be rejected**         |
+| Account display name (actor `name`) length                    | 2048       | Display name will be truncated     |
+| Account note (actor `summary`) length                         | 20kB       | Account note will be truncated     |
+| Account `attributionDomains`                                  | 256        | List will be truncated             |
+| Account aliases (actor `alsoKnownAs`)                         | 256        | List will be truncated             |
+| Custom emoji shortcode (`Emoji` `name`)                       | 2048       | Emoji will be rejected             |
+| Media and avatar/header descriptions (`name`/`summary`)       | 1500       | Description will be truncated      |
--- a/35
+++ b/35
@@ -5,7 +5,7 @@ ruby '>= 3.2.0', '< 3.5.0'

 gem 'propshaft'
 gem 'puma', '~> 7.0'
-gem 'rails', '~> 8.0'
+gem 'rails', '~> 8.1.0'
 gem 'thor', '~> 1.2'

 gem 'dotenv'
@@ -13,7 +13,7 @@ gem 'haml-rails', '~>3.0'
 gem 'pg', '~> 1.5'
 gem 'pghero'

-gem 'aws-sdk-core', '< 3.216.0', require: false # TODO: https://github.com/mastodon/mastodon/pull/34173#issuecomment-2733378873
+gem 'aws-sdk-core', require: false
 gem 'aws-sdk-s3', '~> 1.123', require: false
 gem 'blurhash', '~> 0.1'
 gem 'fog-core', '<= 2.6.0'
@@ -24,11 +24,11 @@ gem 'ruby-vips', '~> 2.2', require: false

 gem 'active_model_serializers', '~> 0.10'
 gem 'addressable', '~> 2.8'
-gem 'bootsnap', '~> 1.18.0', require: false
+gem 'bootsnap', require: false
 gem 'browser'
 gem 'charlock_holmes', '~> 0.7.7'
 gem 'chewy', '~> 7.3'
-gem 'devise', '~> 4.9'
+gem 'devise'
 gem 'devise-two-factor'

 group :pam_authentication, optional: true do
@@ -40,7 +40,7 @@ gem 'net-ldap', '~> 0.18'
 gem 'omniauth', '~> 2.0'
 gem 'omniauth-cas', '~> 3.0.0.beta.1'
 gem 'omniauth_openid_connect', '~> 0.8.0'
-gem 'omniauth-rails_csrf_protection', '~> 1.0'
+gem 'omniauth-rails_csrf_protection', '~> 2.0'
 gem 'omniauth-saml', '~> 2.0'

 gem 'color_diff', '~> 0.1'
@@ -55,7 +55,7 @@ gem 'hiredis-client'
 gem 'htmlentities', '~> 4.3'
 gem 'http', '~> 5.3.0'
 gem 'http_accept_language', '~> 2.1'
-gem 'httplog', '~> 1.7.0', require: false
+gem 'httplog', '~> 1.8.0', require: false
 gem 'i18n'
 gem 'idn-ruby', require: 'idn'
 gem 'inline_svg'
@@ -71,7 +71,7 @@ gem 'oj', '~> 3.14'
 gem 'ox', '~> 2.14'
 gem 'parslet'
 gem 'premailer-rails'
-gem 'public_suffix', '~> 6.0'
+gem 'public_suffix', '~> 7.0'
 gem 'pundit', '~> 2.3'
 gem 'rack-attack', '~> 6.6'
 gem 'rack-cors', require: 'rack/cors'
@@ -109,12 +109,12 @@ group :opentelemetry do
  gem 'opentelemetry-instrumentation-active_job', '~> 0.10.0', require: false
  gem 'opentelemetry-instrumentation-active_model_serializers', '~> 0.24.0', require: false
  gem 'opentelemetry-instrumentation-concurrent_ruby', '~> 0.24.0', require: false
-  gem 'opentelemetry-instrumentation-excon', '~> 0.26.0', require: false
-  gem 'opentelemetry-instrumentation-faraday', '~> 0.30.0', require: false
-  gem 'opentelemetry-instrumentation-http', '~> 0.27.0', require: false
-  gem 'opentelemetry-instrumentation-http_client', '~> 0.26.0', require: false
-  gem 'opentelemetry-instrumentation-net_http', '~> 0.26.0', require: false
-  gem 'opentelemetry-instrumentation-pg', '~> 0.32.0', require: false
+  gem 'opentelemetry-instrumentation-excon', '~> 0.27.0', require: false
+  gem 'opentelemetry-instrumentation-faraday', '~> 0.31.0', require: false
+  gem 'opentelemetry-instrumentation-http', '~> 0.28.0', require: false
+  gem 'opentelemetry-instrumentation-http_client', '~> 0.27.0', require: false
+  gem 'opentelemetry-instrumentation-net_http', '~> 0.27.0', require: false
+  gem 'opentelemetry-instrumentation-pg', '~> 0.35.0', require: false
  gem 'opentelemetry-instrumentation-rack', '~> 0.29.0', require: false
  gem 'opentelemetry-instrumentation-rails', '~> 0.39.0', require: false
  gem 'opentelemetry-instrumentation-redis', '~> 0.28.0', require: false
@@ -129,16 +129,13 @@ group :test do
  # Adds RSpec Error/Warning annotations to GitHub PRs on the Files tab
  gem 'rspec-github', '~> 3.0', require: false

-  # RSpec helpers for email specs
-  gem 'email_spec'
-
  # Extra RSpec extension methods and helpers for sidekiq
  gem 'rspec-sidekiq', '~> 5.0'

  # Browser integration testing
  gem 'capybara', '~> 3.39'
  gem 'capybara-playwright-driver'
-  gem 'playwright-ruby-client', '1.55.0', require: false # Pinning the exact version as it needs to be kept in sync with the installed npm package
+  gem 'playwright-ruby-client', '1.57.1', require: false # Pinning the exact version as it needs to be kept in sync with the installed npm package

  # Used to reset the database between system tests
  gem 'database_cleaner-active_record'
@@ -180,14 +177,14 @@ group :development do

  # Enhanced error message pages for development
  gem 'better_errors', '~> 2.9'
-  gem 'binding_of_caller', '~> 1.0'
+  gem 'binding_of_caller'

  # Preview mail in the browser
  gem 'letter_opener', '~> 1.8'
  gem 'letter_opener_web', '~> 3.0'

  # Security analysis CLI tools
-  gem 'brakeman', '~> 7.0', require: false
+  gem 'brakeman', '~> 8.0', require: false
  gem 'bundler-audit', '~> 0.9', require: false

  # Linter CLI for HAML files
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -10,29 +10,31 @@ GIT
 GEM
  remote: https://rubygems.org/
  specs:
-    actioncable (8.0.3)
-      actionpack (= 8.0.3)
-      activesupport (= 8.0.3)
+    action_text-trix (2.1.16)
+      railties
+    actioncable (8.1.2)
+      actionpack (= 8.1.2)
+      activesupport (= 8.1.2)
      nio4r (~> 2.0)
      websocket-driver (>= 0.6.1)
      zeitwerk (~> 2.6)
-    actionmailbox (8.0.3)
-      actionpack (= 8.0.3)
-      activejob (= 8.0.3)
-      activerecord (= 8.0.3)
-      activestorage (= 8.0.3)
-      activesupport (= 8.0.3)
+    actionmailbox (8.1.2)
+      actionpack (= 8.1.2)
+      activejob (= 8.1.2)
+      activerecord (= 8.1.2)
+      activestorage (= 8.1.2)
+      activesupport (= 8.1.2)
      mail (>= 2.8.0)
-    actionmailer (8.0.3)
-      actionpack (= 8.0.3)
-      actionview (= 8.0.3)
-      activejob (= 8.0.3)
-      activesupport (= 8.0.3)
+    actionmailer (8.1.2)
+      actionpack (= 8.1.2)
+      actionview (= 8.1.2)
+      activejob (= 8.1.2)
+      activesupport (= 8.1.2)
      mail (>= 2.8.0)
      rails-dom-testing (~> 2.2)
-    actionpack (8.0.3)
-      actionview (= 8.0.3)
-      activesupport (= 8.0.3)
+    actionpack (8.1.2)
+      actionview (= 8.1.2)
+      activesupport (= 8.1.2)
      nokogiri (>= 1.8.5)
      rack (>= 2.2.4)
      rack-session (>= 1.0.1)
@@ -40,73 +42,77 @@ GEM
      rails-dom-testing (~> 2.2)
      rails-html-sanitizer (~> 1.6)
      useragent (~> 0.16)
-    actiontext (8.0.3)
-      actionpack (= 8.0.3)
-      activerecord (= 8.0.3)
-      activestorage (= 8.0.3)
-      activesupport (= 8.0.3)
+    actiontext (8.1.2)
+      action_text-trix (~> 2.1.15)
+      actionpack (= 8.1.2)
+      activerecord (= 8.1.2)
+      activestorage (= 8.1.2)
+      activesupport (= 8.1.2)
      globalid (>= 0.6.0)
      nokogiri (>= 1.8.5)
-    actionview (8.0.3)
-      activesupport (= 8.0.3)
+    actionview (8.1.2)
+      activesupport (= 8.1.2)
      builder (~> 3.1)
      erubi (~> 1.11)
      rails-dom-testing (~> 2.2)
      rails-html-sanitizer (~> 1.6)
-    active_model_serializers (0.10.15)
+    active_model_serializers (0.10.16)
      actionpack (>= 4.1)
      activemodel (>= 4.1)
      case_transform (>= 0.2)
      jsonapi-renderer (>= 0.1.1.beta1, < 0.3)
-    activejob (8.0.3)
-      activesupport (= 8.0.3)
+    activejob (8.1.2)
+      activesupport (= 8.1.2)
      globalid (>= 0.3.6)
-    activemodel (8.0.3)
-      activesupport (= 8.0.3)
-    activerecord (8.0.3)
-      activemodel (= 8.0.3)
-      activesupport (= 8.0.3)
+    activemodel (8.1.2)
+      activesupport (= 8.1.2)
+    activerecord (8.1.2)
+      activemodel (= 8.1.2)
+      activesupport (= 8.1.2)
      timeout (>= 0.4.0)
-    activestorage (8.0.3)
-      actionpack (= 8.0.3)
-      activejob (= 8.0.3)
-      activerecord (= 8.0.3)
-      activesupport (= 8.0.3)
+    activestorage (8.1.2)
+      actionpack (= 8.1.2)
+      activejob (= 8.1.2)
+      activerecord (= 8.1.2)
+      activesupport (= 8.1.2)
      marcel (~> 1.0)
-    activesupport (8.0.3)
+    activesupport (8.1.2)
      base64
-      benchmark (>= 0.3)
      bigdecimal
      concurrent-ruby (~> 1.0, >= 1.3.1)
      connection_pool (>= 2.2.5)
      drb
      i18n (>= 1.6, < 2)
+      json
      logger (>= 1.4.2)
      minitest (>= 5.1)
      securerandom (>= 0.3)
      tzinfo (~> 2.0, >= 2.0.5)
      uri (>= 0.13.1)
-    addressable (2.8.7)
-      public_suffix (>= 2.0.2, < 7.0)
+    addressable (2.8.9)
+      public_suffix (>= 2.0.2, < 8.0)
    aes_key_wrap (1.1.0)
    android_key_attestation (0.3.0)
-    annotaterb (4.20.0)
+    annotaterb (4.22.0)
      activerecord (>= 6.0.0)
      activesupport (>= 6.0.0)
    ast (2.4.3)
    attr_required (1.0.2)
    aws-eventstream (1.4.0)
-    aws-partitions (1.1168.0)
-    aws-sdk-core (3.215.1)
+    aws-partitions (1.1222.0)
+    aws-sdk-core (3.243.0)
      aws-eventstream (~> 1, >= 1.3.0)
      aws-partitions (~> 1, >= 1.992.0)
      aws-sigv4 (~> 1.9)
+      base64
+      bigdecimal
      jmespath (~> 1, >= 1.6.1)
-    aws-sdk-kms (1.96.0)
-      aws-sdk-core (~> 3, >= 3.210.0)
+      logger
+    aws-sdk-kms (1.122.0)
+      aws-sdk-core (~> 3, >= 3.241.4)
      aws-sigv4 (~> 1.5)
-    aws-sdk-s3 (1.177.0)
-      aws-sdk-core (~> 3, >= 3.210.0)
+    aws-sdk-s3 (1.213.0)
+      aws-sdk-core (~> 3, >= 3.241.4)
      aws-sdk-kms (~> 1)
      aws-sigv4 (~> 1.5)
    aws-sigv4 (1.12.1)
@@ -115,7 +121,7 @@ GEM
      rexml
    base64 (0.3.0)
    bcp47_spec (0.2.1)
-    bcrypt (3.1.20)
+    bcrypt (3.1.21)
    benchmark (0.5.0)
    better_errors (2.10.1)
      erubi (>= 1.0.0)
@@ -123,17 +129,17 @@ GEM
      rouge (>= 1.0.0)
    bigdecimal (3.3.1)
    bindata (2.5.1)
-    binding_of_caller (1.0.1)
+    binding_of_caller (2.0.0)
      debug_inspector (>= 1.2.0)
    blurhash (0.1.8)
-    bootsnap (1.18.6)
+    bootsnap (1.23.0)
      msgpack (~> 1.2)
-    brakeman (7.0.2)
+    brakeman (8.0.4)
      racc
    browser (6.2.0)
    builder (3.3.0)
-    bundler-audit (0.9.2)
-      bundler (>= 1.2.0, < 3)
+    bundler-audit (0.9.3)
+      bundler (>= 1.2.0)
      thor (~> 1.0)
    capybara (3.40.0)
      addressable
@@ -144,7 +150,7 @@ GEM
      rack-test (>= 0.6.3)
      regexp_parser (>= 1.5, < 3.0)
      xpath (~> 3.2)
-    capybara-playwright-driver (0.5.7)
+    capybara-playwright-driver (0.5.8)
      addressable
      capybara
      playwright-ruby-client (>= 1.16.0)
@@ -162,9 +168,9 @@ GEM
    chunky_png (1.4.0)
    climate_control (1.2.0)
    cocoon (1.2.15)
-    color_diff (0.1)
-    concurrent-ruby (1.3.5)
-    connection_pool (2.5.4)
+    color_diff (0.2)
+    concurrent-ruby (1.3.6)
+    connection_pool (2.5.5)
    cose (1.3.1)
      cbor (~> 0.5.9)
      openssl-signature_algorithm (~> 1.0)
@@ -179,21 +185,21 @@ GEM
      activerecord (>= 5.a)
      database_cleaner-core (~> 2.0)
    database_cleaner-core (2.0.1)
-    date (3.4.1)
-    debug (1.11.0)
+    date (3.5.1)
+    debug (1.11.1)
      irb (~> 1.10)
      reline (>= 0.3.8)
    debug_inspector (1.2.0)
-    devise (4.9.4)
+    devise (5.0.2)
      bcrypt (~> 3.0)
      orm_adapter (~> 0.1)
-      railties (>= 4.1.0)
+      railties (>= 7.0)
      responders
      warden (~> 1.2.3)
-    devise-two-factor (6.2.0)
-      activesupport (>= 7.0, < 8.2)
-      devise (~> 4.0)
-      railties (>= 7.0, < 8.2)
+    devise-two-factor (6.4.0)
+      activesupport (>= 7.2, < 8.2)
+      devise (>= 4.0, < 6.0)
+      railties (>= 7.2, < 8.2)
      rotp (~> 6.0)
    devise_pam_authenticatable2 (9.2.0)
      devise (>= 4.0.0)
@@ -205,9 +211,9 @@ GEM
    domain_name (0.6.20240107)
    doorkeeper (5.8.2)
      railties (>= 5)
-    dotenv (3.1.8)
+    dotenv (3.2.0)
    drb (2.2.3)
-    dry-cli (1.3.0)
+    dry-cli (1.4.1)
    elasticsearch (7.17.11)
      elasticsearch-api (= 7.17.11)
      elasticsearch-transport (= 7.17.11)
@@ -218,34 +224,30 @@ GEM
      base64
      faraday (>= 1, < 3)
      multi_json
-    email_spec (2.3.0)
-      htmlentities (~> 4.3.3)
-      launchy (>= 2.1, < 4.0)
-      mail (~> 2.7)
    email_validator (2.2.4)
      activemodel
-    erb (5.1.1)
+    erb (6.0.2)
    erubi (1.13.1)
    et-orbi (1.4.0)
      tzinfo
-    excon (1.3.0)
+    excon (1.3.2)
      logger
    fabrication (3.0.0)
-    faker (3.5.2)
+    faker (3.6.0)
      i18n (>= 1.8.11, < 2)
-    faraday (2.14.0)
+    faraday (2.14.1)
      faraday-net_http (>= 2.0, < 3.5)
      json
      logger
-    faraday-follow_redirects (0.4.0)
+    faraday-follow_redirects (0.5.0)
      faraday (>= 1, < 3)
    faraday-httpclient (2.0.2)
      httpclient (>= 2.2)
-    faraday-net_http (3.4.1)
-      net-http (>= 0.5.0)
+    faraday-net_http (3.4.2)
+      net-http (~> 0.5)
    fast_blank (1.0.1)
    fastimage (2.4.0)
-    ffi (1.17.2)
+    ffi (1.17.3)
    ffi-compiler (1.3.2)
      ffi (>= 1.15.5)
      rake
@@ -266,20 +268,20 @@ GEM
    fog-openstack (1.1.5)
      fog-core (~> 2.1)
      fog-json (>= 1.0)
-    formatador (1.2.1)
+    formatador (1.2.3)
      reline
-    forwardable (1.3.3)
-    fugit (1.12.0)
+    forwardable (1.4.0)
+    fugit (1.12.1)
      et-orbi (~> 1.4)
      raabro (~> 1.4)
    globalid (1.3.0)
      activesupport (>= 6.1)
-    google-protobuf (4.32.1)
+    google-protobuf (4.33.5)
      bigdecimal
      rake (>= 13)
    googleapis-common-protos-types (1.22.0)
      google-protobuf (~> 4.26)
-    haml (6.3.0)
+    haml (7.2.0)
      temple (>= 0.8.2)
      thor
      tilt
@@ -288,23 +290,24 @@ GEM
      activesupport (>= 5.1)
      haml (>= 4.0.6)
      railties (>= 5.1)
-    haml_lint (0.66.0)
+    haml_lint (0.72.0)
      haml (>= 5.0)
      parallel (~> 1.10)
      rainbow
      rubocop (>= 1.0)
      sysexits (~> 1.1)
    hashdiff (1.2.1)
-    hashie (5.0.0)
+    hashie (5.1.0)
+      logger
    hcaptcha (7.1.0)
      json
    highline (3.1.2)
      reline
    hiredis (0.6.3)
-    hiredis-client (0.26.1)
-      redis-client (= 0.26.1)
+    hiredis-client (0.26.4)
+      redis-client (= 0.26.4)
    hkdf (0.3.0)
-    htmlentities (4.3.4)
+    htmlentities (4.4.2)
    http (5.3.1)
      addressable (~> 2.8)
      http-cookie (~> 1.0)
@@ -316,18 +319,20 @@ GEM
    http_accept_language (2.1.1)
    httpclient (2.9.0)
      mutex_m
-    httplog (1.7.3)
+    httplog (1.8.0)
+      benchmark
      rack (>= 2.0)
      rainbow (>= 2.0.0)
-    i18n (1.14.7)
+    i18n (1.14.8)
      concurrent-ruby (~> 1.0)
-    i18n-tasks (1.0.15)
+    i18n-tasks (1.1.2)
      activesupport (>= 4.0.2)
      ast (>= 2.1.0)
      erubi
-      highline (>= 2.0.0)
+      highline (>= 3.0.0)
      i18n
      parser (>= 3.2.2.1)
+      prism
      rails-i18n
      rainbow (>= 2.2.2, < 4.0)
      ruby-progressbar (~> 1.8, >= 1.8.1)
@@ -336,9 +341,10 @@ GEM
    inline_svg (1.10.0)
      activesupport (>= 3.0)
      nokogiri (>= 1.6)
-    io-console (0.8.1)
-    irb (1.15.2)
+    io-console (0.8.2)
+    irb (1.17.0)
      pp (>= 0.6.0)
+      prism (>= 1.3.0)
      rdoc (>= 4.0.0)
      reline (>= 0.4.2)
    jd-paperclip-azure (3.0.0)
@@ -346,7 +352,7 @@ GEM
      azure-blob (~> 0.5.2)
      hashie (~> 5.0)
    jmespath (1.6.2)
-    json (2.15.1)
+    json (2.18.1)
    json-canonicalization (1.0.0)
    json-jwt (1.17.0)
      activesupport (>= 4.2)
@@ -366,9 +372,9 @@ GEM
    json-ld-preloaded (3.3.2)
      json-ld (~> 3.3)
      rdf (~> 3.3)
-    json-schema (6.0.0)
+    json-schema (6.1.0)
      addressable (~> 2.8)
-      bigdecimal (~> 3.1)
+      bigdecimal (>= 3.1, < 5)
    jsonapi-renderer (0.2.2)
    jwt (2.10.2)
      base64
@@ -384,7 +390,7 @@ GEM
      activerecord
      kaminari-core (= 1.2.2)
    kaminari-core (1.2.2)
-    kt-paperclip (7.2.2)
+    kt-paperclip (7.3.0)
      activemodel (>= 4.2.0)
      activesupport (>= 4.2.0)
      marcel (~> 1.0.1)
@@ -404,12 +410,12 @@ GEM
      rexml
    link_header (0.0.8)
    lint_roller (1.1.0)
-    linzer (0.7.7)
-      cgi (~> 0.4.2)
+    linzer (0.7.8)
+      cgi (>= 0.4.2, < 0.6.0)
      forwardable (~> 1.3, >= 1.3.3)
      logger (~> 1.7, >= 1.7.0)
-      net-http (~> 0.6.0)
-      openssl (~> 3.0, >= 3.0.0)
+      net-http (>= 0.6, < 0.10)
+      openssl (>= 3, < 5)
      rack (>= 2.2, < 4.0)
      starry (~> 0.2)
      stringio (~> 3.1, >= 3.1.2)
@@ -423,7 +429,7 @@ GEM
      activesupport (>= 4)
      railties (>= 4)
      request_store (~> 1.0)
-    loofah (2.24.1)
+    loofah (2.25.0)
      crass (~> 1.0.2)
      nokogiri (>= 1.12.0)
    mail (2.9.0)
@@ -440,16 +446,18 @@ GEM
    mime-types (3.7.0)
      logger
      mime-types-data (~> 3.2025, >= 3.2025.0507)
-    mime-types-data (3.2025.0924)
+    mime-types-data (3.2026.0224)
    mini_mime (1.1.5)
    mini_portile2 (2.8.9)
-    minitest (5.26.0)
+    minitest (6.0.2)
+      drb (~> 2.0)
+      prism (~> 1.5)
    msgpack (1.8.0)
-    multi_json (1.17.0)
+    multi_json (1.19.1)
    mutex_m (0.3.0)
    net-http (0.6.0)
      uri
-    net-imap (0.5.12)
+    net-imap (0.6.3)
      date
      net-protocol
    net-ldap (0.20.0)
@@ -461,11 +469,11 @@ GEM
      timeout
    net-smtp (0.5.1)
      net-protocol
-    nio4r (2.7.4)
-    nokogiri (1.18.10)
+    nio4r (2.7.5)
+    nokogiri (1.19.1)
      mini_portile2 (~> 2.8.2)
      racc (~> 1.4)
-    oj (3.16.11)
+    oj (3.16.15)
      bigdecimal (>= 3.0)
      ostruct (>= 0.2)
    omniauth (2.1.4)
@@ -477,10 +485,10 @@ GEM
      addressable (~> 2.8)
      nokogiri (~> 1.12)
      omniauth (~> 2.1)
-    omniauth-rails_csrf_protection (1.0.2)
+    omniauth-rails_csrf_protection (2.0.1)
      actionpack (>= 4.2)
      omniauth (~> 2.0)
-    omniauth-saml (2.2.4)
+    omniauth-saml (2.2.5)
      omniauth (~> 2.1)
      ruby-saml (~> 1.18)
    omniauth_openid_connect (0.8.0)
@@ -512,15 +520,16 @@ GEM
      opentelemetry-common (~> 0.20)
      opentelemetry-sdk (~> 1.10)
      opentelemetry-semantic_conventions
-    opentelemetry-helpers-sql (0.2.0)
+    opentelemetry-helpers-sql (0.3.0)
      opentelemetry-api (~> 1.7)
-    opentelemetry-helpers-sql-obfuscation (0.4.0)
+    opentelemetry-helpers-sql-processor (0.4.0)
+      opentelemetry-api (~> 1.0)
      opentelemetry-common (~> 0.21)
    opentelemetry-instrumentation-action_mailer (0.6.1)
      opentelemetry-instrumentation-active_support (~> 0.10)
    opentelemetry-instrumentation-action_pack (0.15.1)
      opentelemetry-instrumentation-rack (~> 0.29)
-    opentelemetry-instrumentation-action_view (0.11.1)
+    opentelemetry-instrumentation-action_view (0.11.2)
      opentelemetry-instrumentation-active_support (~> 0.10)
    opentelemetry-instrumentation-active_job (0.10.1)
      opentelemetry-instrumentation-base (~> 0.25)
@@ -538,19 +547,19 @@ GEM
      opentelemetry-registry (~> 0.1)
    opentelemetry-instrumentation-concurrent_ruby (0.24.0)
      opentelemetry-instrumentation-base (~> 0.25)
-    opentelemetry-instrumentation-excon (0.26.0)
+    opentelemetry-instrumentation-excon (0.27.0)
      opentelemetry-instrumentation-base (~> 0.25)
-    opentelemetry-instrumentation-faraday (0.30.0)
+    opentelemetry-instrumentation-faraday (0.31.0)
      opentelemetry-instrumentation-base (~> 0.25)
-    opentelemetry-instrumentation-http (0.27.0)
+    opentelemetry-instrumentation-http (0.28.0)
      opentelemetry-instrumentation-base (~> 0.25)
-    opentelemetry-instrumentation-http_client (0.26.0)
+    opentelemetry-instrumentation-http_client (0.27.0)
      opentelemetry-instrumentation-base (~> 0.25)
-    opentelemetry-instrumentation-net_http (0.26.0)
+    opentelemetry-instrumentation-net_http (0.27.0)
      opentelemetry-instrumentation-base (~> 0.25)
-    opentelemetry-instrumentation-pg (0.32.0)
+    opentelemetry-instrumentation-pg (0.35.0)
      opentelemetry-helpers-sql
-      opentelemetry-helpers-sql-obfuscation
+      opentelemetry-helpers-sql-processor
      opentelemetry-instrumentation-base (~> 0.25)
    opentelemetry-instrumentation-rack (0.29.0)
      opentelemetry-instrumentation-base (~> 0.25)
@@ -565,7 +574,7 @@ GEM
      opentelemetry-instrumentation-concurrent_ruby (~> 0.23)
    opentelemetry-instrumentation-redis (0.28.0)
      opentelemetry-instrumentation-base (~> 0.25)
-    opentelemetry-instrumentation-sidekiq (0.28.0)
+    opentelemetry-instrumentation-sidekiq (0.28.1)
      opentelemetry-instrumentation-base (~> 0.25)
    opentelemetry-registry (0.4.0)
      opentelemetry-api (~> 1.1)
@@ -581,16 +590,17 @@ GEM
    ox (2.14.23)
      bigdecimal (>= 3.0)
    parallel (1.27.0)
-    parser (3.3.9.0)
+    parser (3.3.10.2)
      ast (~> 2.4.1)
      racc
    parslet (2.0.0)
    pastel (0.8.0)
      tty-color (~> 0.5)
-    pg (1.6.2)
+    pg (1.6.3)
    pghero (3.7.0)
      activerecord (>= 7.1)
-    playwright-ruby-client (1.55.0)
+    playwright-ruby-client (1.57.1)
+      base64
      concurrent-ruby (>= 1.1.6)
      mime-types (>= 3.0)
    pp (0.6.3)
@@ -604,37 +614,37 @@ GEM
      net-smtp
      premailer (~> 1.7, >= 1.7.9)
    prettyprint (0.2.0)
-    prism (1.5.2)
-    prometheus_exporter (2.3.0)
+    prism (1.9.0)
+    prometheus_exporter (2.3.1)
      webrick
    propshaft (1.3.1)
      actionpack (>= 7.0.0)
      activesupport (>= 7.0.0)
      rack
-    psych (5.2.6)
+    psych (5.3.1)
      date
      stringio
-    public_suffix (6.0.2)
-    puma (7.1.0)
+    public_suffix (7.0.5)
+    puma (7.2.0)
      nio4r (~> 2.0)
    pundit (2.5.2)
      activesupport (>= 3.0.0)
    raabro (1.4.0)
    racc (1.8.1)
-    rack (3.2.3)
+    rack (3.2.5)
    rack-attack (6.8.0)
      rack (>= 1.0, < 4)
    rack-cors (3.0.0)
      logger
      rack (>= 3.0.14)
-    rack-oauth2 (2.2.1)
+    rack-oauth2 (2.3.0)
      activesupport
      attr_required
      faraday (~> 2.0)
      faraday-follow_redirects
      json-jwt (>= 1.11.0)
      rack (>= 2.1.0)
-    rack-protection (4.1.1)
+    rack-protection (4.2.1)
      base64 (>= 0.1.0)
      logger (>= 1.6.0)
      rack (>= 3.0.0, < 4)
@@ -645,35 +655,35 @@ GEM
      rack (>= 3.0.0)
    rack-test (2.2.0)
      rack (>= 1.3)
-    rackup (2.2.1)
+    rackup (2.3.1)
      rack (>= 3)
-    rails (8.0.3)
-      actioncable (= 8.0.3)
-      actionmailbox (= 8.0.3)
-      actionmailer (= 8.0.3)
-      actionpack (= 8.0.3)
-      actiontext (= 8.0.3)
-      actionview (= 8.0.3)
-      activejob (= 8.0.3)
-      activemodel (= 8.0.3)
-      activerecord (= 8.0.3)
-      activestorage (= 8.0.3)
-      activesupport (= 8.0.3)
+    rails (8.1.2)
+      actioncable (= 8.1.2)
+      actionmailbox (= 8.1.2)
+      actionmailer (= 8.1.2)
+      actionpack (= 8.1.2)
+      actiontext (= 8.1.2)
+      actionview (= 8.1.2)
+      activejob (= 8.1.2)
+      activemodel (= 8.1.2)
+      activerecord (= 8.1.2)
+      activestorage (= 8.1.2)
+      activesupport (= 8.1.2)
      bundler (>= 1.15.0)
-      railties (= 8.0.3)
+      railties (= 8.1.2)
    rails-dom-testing (2.3.0)
      activesupport (>= 5.0.0)
      minitest
      nokogiri (>= 1.6)
-    rails-html-sanitizer (1.6.2)
-      loofah (~> 2.21)
+    rails-html-sanitizer (1.7.0)
+      loofah (~> 2.25)
      nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
-    rails-i18n (8.0.2)
+    rails-i18n (8.1.0)
      i18n (>= 0.7, < 2)
      railties (>= 8.0.0, < 9)
-    railties (8.0.3)
-      actionpack (= 8.0.3)
-      activesupport (= 8.0.3)
+    railties (8.1.2)
+      actionpack (= 8.1.2)
+      activesupport (= 8.1.2)
      irb (~> 1.13)
      rackup (>= 1.0.0)
      rake (>= 12.2)
@@ -681,7 +691,7 @@ GEM
      tsort (>= 0.2)
      zeitwerk (~> 2.6)
    rainbow (3.1.1)
-    rake (13.3.0)
+    rake (13.3.1)
    rdf (3.3.4)
      bcp47_spec (~> 0.2)
      bigdecimal (~> 3.1, >= 3.1.5)
@@ -691,7 +701,7 @@ GEM
      readline (~> 0.0)
    rdf-normalize (0.7.0)
      rdf (~> 3.3)
-    rdoc (6.15.0)
+    rdoc (7.2.0)
      erb
      psych (>= 4.0.0)
      tsort
@@ -699,10 +709,10 @@ GEM
      reline
    redcarpet (3.6.1)
    redis (4.8.1)
-    redis-client (0.26.1)
+    redis-client (0.26.4)
      connection_pool
    regexp_parser (2.11.3)
-    reline (0.6.2)
+    reline (0.6.3)
      io-console (~> 0.5)
    request_store (1.7.0)
      rack (>= 1.4)
@@ -711,27 +721,27 @@ GEM
      railties (>= 7.0)
    rexml (3.4.4)
    rotp (6.3.0)
-    rouge (4.6.1)
+    rouge (4.7.0)
    rpam2 (4.0.2)
-    rqrcode (3.1.0)
+    rqrcode (3.2.0)
      chunky_png (~> 1.0)
      rqrcode_core (~> 2.0)
-    rqrcode_core (2.0.0)
-    rspec (3.13.1)
+    rqrcode_core (2.1.0)
+    rspec (3.13.2)
      rspec-core (~> 3.13.0)
      rspec-expectations (~> 3.13.0)
      rspec-mocks (~> 3.13.0)
-    rspec-core (3.13.5)
+    rspec-core (3.13.6)
      rspec-support (~> 3.13.0)
    rspec-expectations (3.13.5)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.13.0)
    rspec-github (3.0.0)
      rspec-core (~> 3.0)
-    rspec-mocks (3.13.5)
+    rspec-mocks (3.13.7)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.13.0)
-    rspec-rails (8.0.2)
+    rspec-rails (8.0.3)
      actionpack (>= 7.2)
      activesupport (>= 7.2)
      railties (>= 7.2)
@@ -739,13 +749,13 @@ GEM
      rspec-expectations (~> 3.13)
      rspec-mocks (~> 3.13)
      rspec-support (~> 3.13)
-    rspec-sidekiq (5.2.0)
+    rspec-sidekiq (5.3.0)
      rspec-core (~> 3.0)
      rspec-expectations (~> 3.0)
      rspec-mocks (~> 3.0)
      sidekiq (>= 5, < 9)
-    rspec-support (3.13.6)
-    rubocop (1.81.6)
+    rspec-support (3.13.7)
+    rubocop (1.84.2)
      json (~> 2.3)
      language_server-protocol (~> 3.17.0.2)
      lint_roller (~> 1.1.0)
@@ -753,12 +763,12 @@ GEM
      parser (>= 3.3.0.2)
      rainbow (>= 2.2.2, < 4.0)
      regexp_parser (>= 2.9.3, < 3.0)
-      rubocop-ast (>= 1.47.1, < 2.0)
+      rubocop-ast (>= 1.49.0, < 2.0)
      ruby-progressbar (~> 1.7)
      unicode-display_width (>= 2.4.0, < 4.0)
-    rubocop-ast (1.47.1)
+    rubocop-ast (1.49.0)
      parser (>= 3.3.7.2)
-      prism (~> 1.4)
+      prism (~> 1.7)
    rubocop-capybara (2.22.1)
      lint_roller (~> 1.1)
      rubocop (~> 1.72, >= 1.72.1)
@@ -769,29 +779,30 @@ GEM
      lint_roller (~> 1.1)
      rubocop (>= 1.75.0, < 2.0)
      rubocop-ast (>= 1.47.1, < 2.0)
-    rubocop-rails (2.33.4)
+    rubocop-rails (2.34.3)
      activesupport (>= 4.2.0)
      lint_roller (~> 1.1)
      rack (>= 1.1)
      rubocop (>= 1.75.0, < 2.0)
      rubocop-ast (>= 1.44.0, < 2.0)
-    rubocop-rspec (3.7.0)
+    rubocop-rspec (3.9.0)
      lint_roller (~> 1.1)
-      rubocop (~> 1.72, >= 1.72.1)
-    rubocop-rspec_rails (2.31.0)
+      rubocop (~> 1.81)
+    rubocop-rspec_rails (2.32.0)
      lint_roller (~> 1.1)
      rubocop (~> 1.72, >= 1.72.1)
      rubocop-rspec (~> 3.5)
-    ruby-prof (1.7.2)
+    ruby-prof (2.0.2)
      base64
+      ostruct
    ruby-progressbar (1.13.0)
    ruby-saml (1.18.1)
      nokogiri (>= 1.13.10)
      rexml
-    ruby-vips (2.2.5)
+    ruby-vips (2.3.0)
      ffi (~> 1.12)
      logger
-    rubyzip (3.2.1)
+    rubyzip (3.2.2)
    rufus-scheduler (3.9.2)
      fugit (~> 1.1, >= 1.11.1)
    safety_net_attestation (0.5.0)
@@ -803,9 +814,9 @@ GEM
      activerecord (>= 4.0.0)
      railties (>= 4.0.0)
    securerandom (0.4.1)
-    shoulda-matchers (6.5.0)
-      activesupport (>= 5.2.0)
-    sidekiq (8.0.8)
+    shoulda-matchers (7.0.1)
+      activesupport (>= 7.1)
+    sidekiq (8.0.10)
      connection_pool (>= 2.5.0)
      json (>= 2.9.0)
      logger (>= 1.6.2)
@@ -816,13 +827,14 @@ GEM
    sidekiq-scheduler (6.0.1)
      rufus-scheduler (~> 3.2)
      sidekiq (>= 7.3, < 9)
-    sidekiq-unique-jobs (8.0.11)
+    sidekiq-unique-jobs (8.0.13)
      concurrent-ruby (~> 1.0, >= 1.0.5)
      sidekiq (>= 7.0.0, < 9.0.0)
      thor (>= 1.0, < 3.0)
-    simple-navigation (4.4.0)
+    simple-navigation (4.4.1)
      activesupport (>= 2.3.2)
-    simple_form (5.4.0)
+      ostruct
+    simple_form (5.4.1)
      actionpack (>= 7.0)
      activemodel (>= 7.0)
    simplecov (0.22.0)
@@ -832,13 +844,14 @@ GEM
    simplecov-html (0.13.2)
    simplecov-lcov (0.9.0)
    simplecov_json_formatter (0.1.4)
-    stackprof (0.2.27)
+    stackprof (0.2.28)
    starry (0.2.0)
      base64
-    stoplight (5.4.0)
+    stoplight (5.7.0)
+      concurrent-ruby
      zeitwerk
-    stringio (3.1.7)
-    strong_migrations (2.5.1)
+    stringio (3.2.0)
+    strong_migrations (2.5.2)
      activerecord (>= 7.1)
    swd (2.0.3)
      activesupport (>= 3)
@@ -851,10 +864,10 @@ GEM
      unicode-display_width (>= 1.1.1, < 4)
    terrapin (1.1.1)
      climate_control
-    test-prof (1.4.4)
-    thor (1.4.0)
-    tilt (2.6.1)
-    timeout (0.4.3)
+    test-prof (1.5.2)
+    thor (1.5.0)
+    tilt (2.7.0)
+    timeout (0.6.0)
    tpm-key_attestation (0.14.1)
      bindata (~> 2.4)
      openssl (> 2.0)
@@ -875,23 +888,23 @@ GEM
      unf (~> 0.1.0)
    tzinfo (2.0.6)
      concurrent-ruby (~> 1.0)
-    tzinfo-data (1.2025.2)
+    tzinfo-data (1.2026.1)
      tzinfo (>= 1.0.0)
    unf (0.1.4)
      unf_ext
    unf_ext (0.0.9.1)
    unicode-display_width (3.2.0)
      unicode-emoji (~> 4.1)
-    unicode-emoji (4.1.0)
-    uri (1.0.4)
+    unicode-emoji (4.2.0)
+    uri (1.1.1)
    useragent (0.16.11)
    validate_url (1.0.15)
      activemodel (>= 3.0.0)
      public_suffix
-    vite_rails (3.0.19)
+    vite_rails (3.0.20)
      railties (>= 5.1, < 9)
      vite_ruby (~> 3.0, >= 3.2.2)
-    vite_ruby (3.9.2)
+    vite_ruby (3.9.3)
      dry-cli (>= 0.7, < 2)
      logger (~> 1.6)
      mutex_m
@@ -911,11 +924,11 @@ GEM
      activesupport
      faraday (~> 2.0)
      faraday-follow_redirects
-    webmock (3.26.0)
+    webmock (3.26.1)
      addressable (>= 2.8.0)
      crack (>= 0.3.2)
      hashdiff (>= 0.4.0, < 2.0.0)
-    webrick (1.9.1)
+    webrick (1.9.2)
    websocket-driver (0.8.0)
      base64
      websocket-extensions (>= 0.1.0)
@@ -924,7 +937,7 @@ GEM
    xorcist (1.1.3)
    xpath (3.2.0)
      nokogiri (~> 1.8)
-    zeitwerk (2.7.3)
+    zeitwerk (2.7.5)

 PLATFORMS
  ruby
@@ -933,13 +946,13 @@ DEPENDENCIES
  active_model_serializers (~> 0.10)
  addressable (~> 2.8)
  annotaterb (~> 4.13)
-  aws-sdk-core (< 3.216.0)
+  aws-sdk-core
  aws-sdk-s3 (~> 1.123)
  better_errors (~> 2.9)
-  binding_of_caller (~> 1.0)
+  binding_of_caller
  blurhash (~> 0.1)
-  bootsnap (~> 1.18.0)
-  brakeman (~> 7.0)
+  bootsnap
+  brakeman (~> 8.0)
  browser
  bundler-audit (~> 0.9)
  capybara (~> 3.39)
@@ -954,13 +967,12 @@ DEPENDENCIES
  csv (~> 3.2)
  database_cleaner-active_record
  debug (~> 1.8)
-  devise (~> 4.9)
+  devise
  devise-two-factor
  devise_pam_authenticatable2 (~> 9.2)
  discard (~> 1.2)
  doorkeeper (~> 5.6)
  dotenv
-  email_spec
  fabrication
  faker (~> 3.2)
  faraday-httpclient
@@ -977,7 +989,7 @@ DEPENDENCIES
  htmlentities (~> 4.3)
  http (~> 5.3.0)
  http_accept_language (~> 2.1)
-  httplog (~> 1.7.0)
+  httplog (~> 1.8.0)
  i18n
  i18n-tasks (~> 1.0)
  idn-ruby
@@ -1005,7 +1017,7 @@ DEPENDENCIES
  oj (~> 3.14)
  omniauth (~> 2.0)
  omniauth-cas (~> 3.0.0.beta.1)
-  omniauth-rails_csrf_protection (~> 1.0)
+  omniauth-rails_csrf_protection (~> 2.0)
  omniauth-saml (~> 2.0)
  omniauth_openid_connect (~> 0.8.0)
  opentelemetry-api (~> 1.7.0)
@@ -1013,12 +1025,12 @@ DEPENDENCIES
  opentelemetry-instrumentation-active_job (~> 0.10.0)
  opentelemetry-instrumentation-active_model_serializers (~> 0.24.0)
  opentelemetry-instrumentation-concurrent_ruby (~> 0.24.0)
-  opentelemetry-instrumentation-excon (~> 0.26.0)
-  opentelemetry-instrumentation-faraday (~> 0.30.0)
-  opentelemetry-instrumentation-http (~> 0.27.0)
-  opentelemetry-instrumentation-http_client (~> 0.26.0)
-  opentelemetry-instrumentation-net_http (~> 0.26.0)
-  opentelemetry-instrumentation-pg (~> 0.32.0)
+  opentelemetry-instrumentation-excon (~> 0.27.0)
+  opentelemetry-instrumentation-faraday (~> 0.31.0)
+  opentelemetry-instrumentation-http (~> 0.28.0)
+  opentelemetry-instrumentation-http_client (~> 0.27.0)
+  opentelemetry-instrumentation-net_http (~> 0.27.0)
+  opentelemetry-instrumentation-pg (~> 0.35.0)
  opentelemetry-instrumentation-rack (~> 0.29.0)
  opentelemetry-instrumentation-rails (~> 0.39.0)
  opentelemetry-instrumentation-redis (~> 0.28.0)
@@ -1028,17 +1040,17 @@ DEPENDENCIES
  parslet
  pg (~> 1.5)
  pghero
-  playwright-ruby-client (= 1.55.0)
+  playwright-ruby-client (= 1.57.1)
  premailer-rails
  prometheus_exporter (~> 2.2)
  propshaft
-  public_suffix (~> 6.0)
+  public_suffix (~> 7.0)
  puma (~> 7.0)
  pundit (~> 2.3)
  rack-attack (~> 6.6)
  rack-cors
  rack-test (~> 2.1)
-  rails (~> 8.0)
+  rails (~> 8.1.0)
  rails-i18n (~> 8.0)
  rdf-normalize (~> 0.5)
  redcarpet (~> 3.6)
@@ -1085,7 +1097,7 @@ DEPENDENCIES
  xorcist (~> 1.1)

 RUBY VERSION
-   ruby 3.4.1p0
+  ruby 3.4.8

 BUNDLED WITH
-   2.7.2
+  4.0.7
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -15,7 +15,7 @@ A "vulnerability in Mastodon" is a vulnerability in the code distributed through

 | Version | Supported        |
 | ------- | ---------------- |
+| 4.5.x   | Yes              |
 | 4.4.x   | Yes              |
-| 4.3.x   | Yes              |
-| 4.2.x   | Until 2026-01-08 |
-| < 4.2   | No               |
+| 4.3.x   | Until 2026-05-06 |
+| < 4.3   | No               |
--- a/1
+++ b/1
@@ -29,7 +29,6 @@ sudo apt-get install \
  libpq-dev \
  libxml2-dev \
  libxslt1-dev \
-  imagemagick \
  nodejs \
  redis-server \
  redis-tools \
--- a/app/chewy/public_statuses_index.rb
+++ b/app/chewy/public_statuses_index.rb
@@ -53,9 +53,9 @@ class PublicStatusesIndex < Chewy::Index
  }

  index_scope ::Status.unscoped
-                      .kept
-                      .indexable
-                      .includes(:media_attachments, :preloadable_poll, :tags, preview_cards_status: :preview_card)
+    .kept
+    .indexable
+    .includes(:media_attachments, :preloadable_poll, :tags, preview_cards_status: :preview_card)

  root date_detection: false do
    field(:id, type: 'long')
--- a/app/controllers/accounts_controller.rb
+++ b/app/controllers/accounts_controller.rb
@@ -18,6 +18,8 @@ class AccountsController < ApplicationController
    respond_to do |format|
      format.html do
        expires_in(15.seconds, public: true, stale_while_revalidate: 30.seconds, stale_if_error: 1.hour) unless user_signed_in?
+
+        redirect_to short_account_path(@account) if account_id_param.present? && username_param.blank?
      end

      format.rss do
--- a/app/controllers/activitypub/collections_controller.rb
+++ b/app/controllers/activitypub/collections_controller.rb
@@ -1,20 +1,36 @@
 # frozen_string_literal: true

 class ActivityPub::CollectionsController < ActivityPub::BaseController
+  SUPPORTED_COLLECTIONS = %w(featured tags).freeze
+
  vary_by -> { 'Signature' if authorized_fetch_mode? }

  before_action :require_account_signature!, if: :authorized_fetch_mode?
+  before_action :check_authorization
  before_action :set_items
  before_action :set_size
  before_action :set_type

  def show
    expires_in 3.minutes, public: public_fetch_mode?
-    render_with_cache json: collection_presenter, content_type: 'application/activity+json', serializer: ActivityPub::CollectionSerializer, adapter: ActivityPub::Adapter
+
+    if @unauthorized
+      render json: collection_presenter, content_type: 'application/activity+json', serializer: ActivityPub::CollectionSerializer, adapter: ActivityPub::Adapter
+    else
+      render_with_cache json: collection_presenter, content_type: 'application/activity+json', serializer: ActivityPub::CollectionSerializer, adapter: ActivityPub::Adapter
+    end
  end

  private

+  def check_authorization
+    # Because in public fetch mode we cache the response, there would be no
+    # benefit from performing the check below, since a blocked account or domain
+    # would likely be served the cache from the reverse proxy anyway
+
+    @unauthorized = authorized_fetch_mode? && !signed_request_account.nil? && (@account.blocking?(signed_request_account) || (!signed_request_account.domain.nil? && @account.domain_blocking?(signed_request_account.domain)))
+  end
+
  def set_items
    case params[:id]
    when 'featured'
@@ -57,11 +73,7 @@ class ActivityPub::CollectionsController < ActivityPub::BaseController
  end

  def for_signed_account
-    # Because in public fetch mode we cache the response, there would be no
-    # benefit from performing the check below, since a blocked account or domain
-    # would likely be served the cache from the reverse proxy anyway
-
-    if authorized_fetch_mode? && !signed_request_account.nil? && (@account.blocking?(signed_request_account) || (!signed_request_account.domain.nil? && @account.domain_blocking?(signed_request_account.domain)))
+    if @unauthorized
      []
    else
      yield
--- a/app/controllers/activitypub/contexts_controller.rb
+++ b/app/controllers/activitypub/contexts_controller.rb
@@ -36,9 +36,8 @@ class ActivityPub::ContextsController < ActivityPub::BaseController

  def context_presenter
    first_page = ActivityPub::CollectionPresenter.new(
-      id: items_context_url(@conversation, page_params),
      type: :unordered,
-      part_of: items_context_url(@conversation),
+      part_of: context_url(@conversation),
      next: next_page,
      items: @items.map { |status| status.local? ? ActivityPub::TagManager.instance.uri_for(status) : status.uri }
    )
@@ -52,7 +51,7 @@ class ActivityPub::ContextsController < ActivityPub::BaseController
    page = ActivityPub::CollectionPresenter.new(
      id: items_context_url(@conversation, page_params),
      type: :unordered,
-      part_of: items_context_url(@conversation),
+      part_of: context_url(@conversation),
      next: next_page,
      items: @items.map { |status| status.local? ? ActivityPub::TagManager.instance.uri_for(status) : status.uri }
    )
--- a/app/controllers/activitypub/feature_authorizations_controller.rb
+++ b/app/controllers/activitypub/feature_authorizations_controller.rb
@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+class ActivityPub::FeatureAuthorizationsController < ActivityPub::BaseController
+  include Authorization
+
+  vary_by -> { 'Signature' if authorized_fetch_mode? }
+
+  before_action :require_account_signature!, if: :authorized_fetch_mode?
+  before_action :set_collection_item
+
+  def show
+    expires_in 30.seconds, public: true if public_fetch_mode?
+    render json: @collection_item, serializer: ActivityPub::FeatureAuthorizationSerializer, adapter: ActivityPub::Adapter, content_type: 'application/activity+json'
+  end
+
+  private
+
+  def pundit_user
+    signed_request_account
+  end
+
+  def set_collection_item
+    @collection_item = @account.collection_items.accepted.find(params[:id])
+
+    authorize @collection_item.collection, :show?
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
+    not_found
+  end
+end
--- a/app/controllers/activitypub/featured_collections_controller.rb
+++ b/app/controllers/activitypub/featured_collections_controller.rb
@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+class ActivityPub::FeaturedCollectionsController < ApplicationController
+  include SignatureAuthentication
+  include Authorization
+  include AccountOwnedConcern
+
+  PER_PAGE = 5
+
+  vary_by -> { public_fetch_mode? ? 'Accept, Accept-Language, Cookie' : 'Accept, Accept-Language, Cookie, Signature' }
+
+  before_action :check_feature_enabled
+  before_action :require_account_signature!, if: -> { authorized_fetch_mode? }
+  before_action :set_collections
+
+  skip_around_action :set_locale
+  skip_before_action :require_functional!, unless: :limited_federation_mode?
+
+  def index
+    respond_to do |format|
+      format.json do
+        expires_in(page_requested? ? 0 : 3.minutes, public: public_fetch_mode?)
+
+        render json: collection_presenter,
+               serializer: ActivityPub::CollectionSerializer,
+               adapter: ActivityPub::Adapter,
+               content_type: 'application/activity+json'
+      end
+    end
+  end
+
+  private
+
+  def set_collections
+    authorize @account, :index_collections?
+    @collections = @account.collections.page(params[:page]).per(PER_PAGE)
+  rescue Mastodon::NotPermittedError
+    not_found
+  end
+
+  def page_requested?
+    params[:page].present?
+  end
+
+  def next_page_url
+    ap_account_featured_collections_url(@account, page: @collections.next_page) if @collections.respond_to?(:next_page)
+  end
+
+  def prev_page_url
+    ap_account_featured_collections_url(@account, page: @collections.prev_page) if @collections.respond_to?(:prev_page)
+  end
+
+  def collection_presenter
+    if page_requested?
+      ActivityPub::CollectionPresenter.new(
+        id: ap_account_featured_collections_url(@account, page: params.fetch(:page, 1)),
+        type: :unordered,
+        size: @account.collections.count,
+        items: @collections,
+        part_of: ap_account_featured_collections_url(@account),
+        next: next_page_url,
+        prev: prev_page_url
+      )
+    else
+      ActivityPub::CollectionPresenter.new(
+        id: ap_account_featured_collections_url(@account),
+        type: :unordered,
+        size: @account.collections.count,
+        first: ap_account_featured_collections_url(@account, page: 1)
+      )
+    end
+  end
+
+  def check_feature_enabled
+    raise ActionController::RoutingError unless Mastodon::Feature.collections_enabled?
+  end
+end
--- a/app/controllers/activitypub/inboxes_controller.rb
+++ b/app/controllers/activitypub/inboxes_controller.rb
@@ -3,6 +3,7 @@
 class ActivityPub::InboxesController < ActivityPub::BaseController
  include JsonLdHelper

+  before_action :skip_large_payload
  before_action :skip_unknown_actor_activity
  before_action :require_actor_signature!
  skip_before_action :authenticate_user!
@@ -16,6 +17,10 @@ class ActivityPub::InboxesController < ActivityPub::BaseController

  private

+  def skip_large_payload
+    head 413 if request.content_length > ActivityPub::Activity::MAX_JSON_SIZE
+  end
+
  def skip_unknown_actor_activity
    head 202 if unknown_affected_account?
  end
@@ -39,7 +44,7 @@ class ActivityPub::InboxesController < ActivityPub::BaseController
    return @body if defined?(@body)

    @body = request.body.read
-    @body.force_encoding('UTF-8') if @body.present?
+    @body.presence&.force_encoding('UTF-8')

    request.body.rewind if request.body.respond_to?(:rewind)

--- a/app/controllers/activitypub/likes_controller.rb
+++ b/app/controllers/activitypub/likes_controller.rb
@@ -22,7 +22,7 @@ class ActivityPub::LikesController < ActivityPub::BaseController
  def set_status
    @status = @account.statuses.find(params[:status_id])
    authorize @status, :show?
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
    not_found
  end

--- a/app/controllers/activitypub/quote_authorizations_controller.rb
+++ b/app/controllers/activitypub/quote_authorizations_controller.rb
@@ -9,7 +9,7 @@ class ActivityPub::QuoteAuthorizationsController < ActivityPub::BaseController
  before_action :set_quote_authorization

  def show
-    expires_in 30.seconds, public: true if @quote.status.distributable? && public_fetch_mode?
+    expires_in 30.seconds, public: true if @quote.quoted_status.distributable? && public_fetch_mode?
    render json: @quote, serializer: ActivityPub::QuoteAuthorizationSerializer, adapter: ActivityPub::Adapter, content_type: 'application/activity+json'
  end

@@ -23,8 +23,8 @@ class ActivityPub::QuoteAuthorizationsController < ActivityPub::BaseController
    @quote = Quote.accepted.where(quoted_account: @account).find(params[:id])
    return not_found unless @quote.status.present? && @quote.quoted_status.present?

-    authorize @quote.status, :show?
-  rescue Mastodon::NotPermittedError
+    authorize @quote.quoted_status, :show?
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
    not_found
  end
 end
--- a/app/controllers/activitypub/replies_controller.rb
+++ b/app/controllers/activitypub/replies_controller.rb
@@ -25,7 +25,7 @@ class ActivityPub::RepliesController < ActivityPub::BaseController
  def set_status
    @status = @account.statuses.find(params[:status_id])
    authorize @status, :show?
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
    not_found
  end

--- a/app/controllers/activitypub/shares_controller.rb
+++ b/app/controllers/activitypub/shares_controller.rb
@@ -22,7 +22,7 @@ class ActivityPub::SharesController < ActivityPub::BaseController
  def set_status
    @status = @account.statuses.find(params[:status_id])
    authorize @status, :show?
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
    not_found
  end

--- a/app/controllers/admin/collections_controller.rb
+++ b/app/controllers/admin/collections_controller.rb
@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Admin
+  class CollectionsController < BaseController
+    before_action :set_account
+    before_action :set_collection, only: :show
+
+    def show
+      authorize @collection, :show?
+    end
+
+    private
+
+    def set_account
+      @account = Account.find(params[:account_id])
+    end
+
+    def set_collection
+      @collection = @account.collections.includes(accepted_collection_items: :account).find(params[:id])
+    end
+  end
+end
--- a/app/controllers/admin/custom_emojis_controller.rb
+++ b/app/controllers/admin/custom_emojis_controller.rb
@@ -5,6 +5,15 @@ module Admin
    def index
      authorize :custom_emoji, :index?

+      # If filtering by local emojis, remove by_domain filter.
+      params.delete(:by_domain) if params[:local].present?
+
+      # If filtering by domain, ensure remote filter is set.
+      if params[:by_domain].present?
+        params.delete(:local)
+        params[:remote] = '1'
+      end
+
      @custom_emojis = filtered_custom_emojis.eager_load(:local_counterpart).page(params[:page])
      @form          = Form::CustomEmojiBatch.new
    end
--- a/app/controllers/admin/domain_blocks_controller.rb
+++ b/app/controllers/admin/domain_blocks_controller.rb
@@ -54,7 +54,7 @@ module Admin
      end

      # Allow transparently upgrading a domain block
-      if existing_domain_block.present? && existing_domain_block.domain == TagManager.instance.normalize_domain(@domain_block.domain.strip)
+      if existing_domain_block.present? && existing_domain_block.domain == TagManager.instance.normalize_domain(@domain_block.domain)
        @domain_block = existing_domain_block
        @domain_block.assign_attributes(resource_params)
      end
--- a/app/controllers/admin/fasp/debug/callbacks_controller.rb
+++ b/app/controllers/admin/fasp/debug/callbacks_controller.rb
@@ -5,8 +5,8 @@ class Admin::Fasp::Debug::CallbacksController < Admin::BaseController
    authorize [:admin, :fasp, :provider], :update?

    @callbacks = Fasp::DebugCallback
-                 .includes(:fasp_provider)
-                 .order(created_at: :desc)
+      .includes(:fasp_provider)
+      .order(created_at: :desc)
  end

  def destroy
--- a/app/controllers/admin/instances/moderation_notes_controller.rb
+++ b/app/controllers/admin/instances/moderation_notes_controller.rb
@@ -34,8 +34,11 @@ class Admin::Instances::ModerationNotesController < Admin::BaseController
  end

  def set_instance
-    domain = params[:instance_id]&.strip
-    @instance = Instance.find_or_initialize_by(domain: TagManager.instance.normalize_domain(domain))
+    @instance = Instance.find_or_initialize_by(domain: normalized_domain)
+  end
+
+  def normalized_domain
+    TagManager.instance.normalize_domain(params[:instance_id])
  end

  def set_instance_note
--- a/app/controllers/admin/instances_controller.rb
+++ b/app/controllers/admin/instances_controller.rb
@@ -55,8 +55,11 @@ module Admin
    private

    def set_instance
-      domain = params[:id]&.strip
-      @instance = Instance.find_or_initialize_by(domain: TagManager.instance.normalize_domain(domain))
+      @instance = Instance.find_or_initialize_by(domain: normalized_domain)
+    end
+
+    def normalized_domain
+      TagManager.instance.normalize_domain(params[:id])
    end

    def set_instances
--- a/app/controllers/admin/reports/actions_controller.rb
+++ b/app/controllers/admin/reports/actions_controller.rb
@@ -13,7 +13,7 @@ class Admin::Reports::ActionsController < Admin::BaseController

    case action_from_button
    when 'delete', 'mark_as_sensitive'
-      Admin::StatusBatchAction.new(status_batch_action_params).save!
+      Admin::ModerationAction.new(moderation_action_params).save!
    when 'silence', 'suspend'
      Admin::AccountAction.new(account_action_params).save!
    else
@@ -25,9 +25,8 @@ class Admin::Reports::ActionsController < Admin::BaseController

  private

-  def status_batch_action_params
+  def moderation_action_params
    shared_params
-      .merge(status_ids: @report.status_ids)
  end

  def account_action_params
--- a/app/controllers/admin/reports_controller.rb
+++ b/app/controllers/admin/reports_controller.rb
@@ -50,7 +50,7 @@ module Admin
    private

    def filtered_reports
-      ReportFilter.new(filter_params).results.order(id: :desc).includes(:account, :target_account)
+      ReportFilter.new(filter_params).results.order(id: :desc).includes(:account, :target_account, :collections)
    end

    def filter_params
@@ -58,7 +58,7 @@ module Admin
    end

    def set_report
-      @report = Report.find(params[:id])
+      @report = Report.includes(collections: :accepted_collection_items).find(params[:id])
    end
  end
 end
--- a/app/controllers/admin/roles_controller.rb
+++ b/app/controllers/admin/roles_controller.rb
@@ -62,7 +62,7 @@ module Admin

    def resource_params
      params
-        .expect(user_role: [:name, :color, :highlighted, :position, permissions_as_keys: []])
+        .expect(user_role: [:name, :color, :highlighted, :position, :require_2fa, permissions_as_keys: []])
    end
  end
 end
--- a/app/controllers/admin/site_uploads_controller.rb
+++ b/app/controllers/admin/site_uploads_controller.rb
@@ -9,7 +9,7 @@ module Admin

      @site_upload.destroy!

-      redirect_back fallback_location: admin_settings_path, notice: I18n.t('admin.site_uploads.destroyed_msg')
+      redirect_back_or_to admin_settings_path, notice: I18n.t('admin.site_uploads.destroyed_msg')
    end

    private
--- a/app/controllers/admin/statuses_controller.rb
+++ b/app/controllers/admin/statuses_controller.rb
@@ -78,8 +78,6 @@ module Admin
        'report'
      elsif params[:remove_from_report]
        'remove_from_report'
-      elsif params[:delete]
-        'delete'
      end
    end
  end
--- a/app/controllers/api/fasp/base_controller.rb
+++ b/app/controllers/api/fasp/base_controller.rb
@@ -47,7 +47,7 @@ class Api::Fasp::BaseController < ApplicationController
    provider = nil

    Linzer.verify!(request.rack_request, no_older_than: 5.minutes) do |keyid|
-      provider = Fasp::Provider.find(keyid)
+      provider = Fasp::Provider.confirmed.find(keyid)
      Linzer.new_ed25519_public_key(provider.provider_public_key_pem, keyid)
    end

--- a/app/controllers/api/v1/accounts/notes_controller.rb
+++ b/app/controllers/api/v1/accounts/notes_controller.rb
@@ -9,9 +9,9 @@ class Api::V1::Accounts::NotesController < Api::BaseController

  def create
    if params[:comment].blank?
-      AccountNote.find_by(account: current_account, target_account: @account)&.destroy
+      current_account.account_notes.find_by(target_account: @account)&.destroy
    else
-      @note = AccountNote.find_or_initialize_by(account: current_account, target_account: @account)
+      @note = current_account.account_notes.find_or_initialize_by(target_account: @account)
      @note.comment = params[:comment]
      @note.save! if @note.changed?
    end
--- a/app/controllers/api/v1/annual_reports_controller.rb
+++ b/app/controllers/api/v1/annual_reports_controller.rb
@@ -1,10 +1,12 @@
 # frozen_string_literal: true

 class Api::V1::AnnualReportsController < Api::BaseController
-  before_action -> { doorkeeper_authorize! :read, :'read:accounts' }, only: :index
-  before_action -> { doorkeeper_authorize! :write, :'write:accounts' }, except: :index
+  include AsyncRefreshesConcern
+
+  before_action -> { doorkeeper_authorize! :read, :'read:accounts' }, except: [:read, :generate]
+  before_action -> { doorkeeper_authorize! :write, :'write:accounts' }, only: [:read, :generate]
  before_action :require_user!
-  before_action :set_annual_report, except: :index
+  before_action :set_annual_report, only: [:show, :read]

  def index
    with_read_replica do
@@ -28,6 +30,28 @@ class Api::V1::AnnualReportsController < Api::BaseController
           relationships: @relationships
  end

+  def state
+    render json: { state: report_state }
+  end
+
+  def generate
+    return render_empty unless year == AnnualReport.current_campaign
+    return render_empty if GeneratedAnnualReport.exists?(account_id: current_account.id, year: year)
+
+    async_refresh = AsyncRefresh.new(refresh_key)
+
+    if async_refresh.running?
+      add_async_refresh_header(async_refresh, retry_seconds: 2)
+      return head 202
+    end
+
+    add_async_refresh_header(AsyncRefresh.create(refresh_key), retry_seconds: 2)
+
+    GenerateAnnualReportWorker.perform_async(current_account.id, year)
+
+    head 202
+  end
+
  def read
    @annual_report.view!
    render_empty
@@ -35,7 +59,21 @@ class Api::V1::AnnualReportsController < Api::BaseController

  private

+  def report_state
+    AnnualReport.new(current_account, year).state do |async_refresh|
+      add_async_refresh_header(async_refresh, retry_seconds: 2)
+    end
+  end
+
+  def refresh_key
+    "wrapstodon:#{current_account.id}:#{year}"
+  end
+
+  def year
+    params[:id]&.to_i
+  end
+
  def set_annual_report
-    @annual_report = GeneratedAnnualReport.find_by!(account_id: current_account.id, year: params[:id])
+    @annual_report = GeneratedAnnualReport.find_by!(account_id: current_account.id, year: year)
  end
 end
--- a/app/controllers/api/v1/blocks_controller.rb
+++ b/app/controllers/api/v1/blocks_controller.rb
@@ -18,14 +18,14 @@ class Api::V1::BlocksController < Api::BaseController

  def paginated_blocks
    @paginated_blocks ||= Block.eager_load(target_account: [:account_stat, :user])
-                               .joins(:target_account)
-                               .merge(Account.without_suspended)
-                               .where(account: current_account)
-                               .paginate_by_max_id(
-                                 limit_param(DEFAULT_ACCOUNTS_LIMIT),
-                                 params[:max_id],
-                                 params[:since_id]
-                               )
+      .joins(:target_account)
+      .merge(Account.without_suspended)
+      .where(account: current_account)
+      .paginate_by_max_id(
+        limit_param(DEFAULT_ACCOUNTS_LIMIT),
+        params[:max_id],
+        params[:since_id]
+      )
  end

  def next_path
--- a/app/controllers/api/v1/conversations_controller.rb
+++ b/app/controllers/api/v1/conversations_controller.rb
@@ -37,20 +37,20 @@ class Api::V1::ConversationsController < Api::BaseController

  def paginated_conversations
    AccountConversation.where(account: current_account)
-                       .includes(
-                         account: [:account_stat, user: :role],
-                         last_status: [
-                           :media_attachments,
-                           :status_stat,
-                           :tags,
-                           {
-                             preview_cards_status: { preview_card: { author_account: [:account_stat, user: :role] } },
-                             active_mentions: :account,
-                             account: [:account_stat, user: :role],
-                           },
-                         ]
-                       )
-                       .to_a_paginated_by_id(limit_param(LIMIT), params_slice(:max_id, :since_id, :min_id))
+      .includes(
+        account: [:account_stat, user: :role],
+        last_status: [
+          :media_attachments,
+          :status_stat,
+          :tags,
+          {
+            preview_cards_status: { preview_card: { author_account: [:account_stat, user: :role] } },
+            active_mentions: :account,
+            account: [:account_stat, user: :role],
+          },
+        ]
+      )
+      .to_a_paginated_by_id(limit_param(LIMIT), params_slice(:max_id, :since_id, :min_id))
  end

  def next_path
--- a/app/controllers/api/v1/donation_campaigns_controller.rb
+++ b/app/controllers/api/v1/donation_campaigns_controller.rb
@@ -0,0 +1,86 @@
+# frozen_string_literal: true
+
+class Api::V1::DonationCampaignsController < Api::BaseController
+  before_action :require_user!
+
+  STOPLIGHT_COOL_OFF_TIME = 60
+  STOPLIGHT_FAILURE_THRESHOLD = 10
+
+  def index
+    return head 204 if api_url.blank?
+
+    json = from_cache
+    return render json: json if json.present?
+
+    campaign = fetch_campaign
+    return head 204 if campaign.nil?
+
+    save_to_cache!(campaign)
+
+    render json: campaign
+  end
+
+  private
+
+  def api_url
+    Rails.configuration.x.donation_campaigns.api_url
+  end
+
+  def seed
+    @seed ||= Random.new(current_account.id).rand(100)
+  end
+
+  def from_cache
+    key = Rails.cache.read(request_key, raw: true)
+    return if key.blank?
+
+    campaign = Rails.cache.read("donation_campaign:#{key}", raw: true)
+    Oj.load(campaign) if campaign.present?
+  end
+
+  def save_to_cache!(campaign)
+    return if campaign.blank?
+
+    Rails.cache.write_multi(
+      {
+        request_key => campaign_key(campaign),
+        "donation_campaign:#{campaign_key(campaign)}" => Oj.dump(campaign),
+      },
+      expires_in: 1.hour,
+      raw: true
+    )
+  end
+
+  def fetch_campaign
+    stoplight_wrapper.run do
+      url = Addressable::URI.parse(api_url)
+      url.query_values = { platform: 'web', seed: seed, locale: locale, environment: Rails.configuration.x.donation_campaigns.environment }.compact
+
+      Request.new(:get, url.to_s).perform do |res|
+        return Oj.load(res.body_with_limit, mode: :strict) if res.code == 200
+      end
+    end
+  rescue *Mastodon::HTTP_CONNECTION_ERRORS, Oj::ParseError
+    nil
+  end
+
+  def stoplight_wrapper
+    Stoplight(
+      'donation_campaigns',
+      cool_off_time: STOPLIGHT_COOL_OFF_TIME,
+      threshold: STOPLIGHT_FAILURE_THRESHOLD
+    )
+  end
+
+  def request_key
+    "donation_campaign_request:#{seed}:#{locale}"
+  end
+
+  def campaign_key(campaign)
+    "#{campaign['id']}:#{campaign['locale']}"
+  end
+
+  def locale
+    I18n.locale.to_s
+  end
+end
--- a/app/controllers/api/v1/mutes_controller.rb
+++ b/app/controllers/api/v1/mutes_controller.rb
@@ -18,14 +18,14 @@ class Api::V1::MutesController < Api::BaseController

  def paginated_mutes
    @paginated_mutes ||= Mute.eager_load(target_account: [:account_stat, :user])
-                             .joins(:target_account)
-                             .merge(Account.without_suspended)
-                             .where(account: current_account)
-                             .paginate_by_max_id(
-                               limit_param(DEFAULT_ACCOUNTS_LIMIT),
-                               params[:max_id],
-                               params[:since_id]
-                             )
+      .joins(:target_account)
+      .merge(Account.without_suspended)
+      .where(account: current_account)
+      .paginate_by_max_id(
+        limit_param(DEFAULT_ACCOUNTS_LIMIT),
+        params[:max_id],
+        params[:since_id]
+      )
  end

  def next_path
--- a/app/controllers/api/v1/peers/search_controller.rb
+++ b/app/controllers/api/v1/peers/search_controller.rb
@@ -47,10 +47,6 @@ class Api::V1::Peers::SearchController < Api::BaseController
  end

  def normalized_domain
-    TagManager.instance.normalize_domain(query_value)
-  end
-
-  def query_value
-    params[:q].strip
+    TagManager.instance.normalize_domain(params[:q])
  end
 end
--- a/app/controllers/api/v1/polls/votes_controller.rb
+++ b/app/controllers/api/v1/polls/votes_controller.rb
@@ -17,7 +17,7 @@ class Api::V1::Polls::VotesController < Api::BaseController
  def set_poll
    @poll = Poll.find(params[:poll_id])
    authorize @poll.status, :show?
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
    not_found
  end

--- a/app/controllers/api/v1/polls_controller.rb
+++ b/app/controllers/api/v1/polls_controller.rb
@@ -17,7 +17,7 @@ class Api::V1::PollsController < Api::BaseController
  def set_poll
    @poll = Poll.find(params[:id])
    authorize @poll.status, :show?
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
    not_found
  end

--- a/app/controllers/api/v1/profiles_controller.rb
+++ b/app/controllers/api/v1/profiles_controller.rb
@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+class Api::V1::ProfilesController < Api::BaseController
+  before_action -> { doorkeeper_authorize! :profile, :read, :'read:accounts' }, except: [:update]
+  before_action -> { doorkeeper_authorize! :write, :'write:accounts' }, only: [:update]
+  before_action :require_user!
+
+  def show
+    @account = current_account
+    render json: @account, serializer: REST::ProfileSerializer
+  end
+
+  def update
+    @account = current_account
+    UpdateAccountService.new.call(@account, account_params, raise_error: true)
+    ActivityPub::UpdateDistributionWorker.perform_in(ActivityPub::UpdateDistributionWorker::DEBOUNCE_DELAY, @account.id)
+
+    render json: @account, serializer: REST::ProfileSerializer
+  rescue ActiveRecord::RecordInvalid => e
+    render json: ValidationErrorFormatter.new(e).as_json, status: 422
+  end
+
+  def account_params
+    params.permit(
+      :display_name,
+      :note,
+      :avatar,
+      :header,
+      :locked,
+      :bot,
+      :discoverable,
+      :hide_collections,
+      :indexable,
+      :show_media,
+      :show_media_replies,
+      :show_featured,
+      attribution_domains: [],
+      fields_attributes: [:name, :value]
+    )
+  end
+end
--- a/app/controllers/api/v1/reports_controller.rb
+++ b/app/controllers/api/v1/reports_controller.rb
@@ -23,6 +23,10 @@ class Api::V1::ReportsController < Api::BaseController
  end

  def report_params
-    params.permit(:account_id, :comment, :category, :forward, forward_to_domains: [], status_ids: [], rule_ids: [])
+    if Mastodon::Feature.collections_enabled?
+      params.permit(:account_id, :comment, :category, :forward, forward_to_domains: [], status_ids: [], collection_ids: [], rule_ids: [])
+    else
+      params.permit(:account_id, :comment, :category, :forward, forward_to_domains: [], status_ids: [], rule_ids: [])
+    end
  end
 end
--- a/app/controllers/api/v1/statuses/base_controller.rb
+++ b/app/controllers/api/v1/statuses/base_controller.rb
@@ -10,7 +10,7 @@ class Api::V1::Statuses::BaseController < Api::BaseController
  def set_status
    @status = Status.find(params[:status_id])
    authorize @status, :show?
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
    not_found
  end
 end
--- a/app/controllers/api/v1/statuses/bookmarks_controller.rb
+++ b/app/controllers/api/v1/statuses/bookmarks_controller.rb
@@ -23,7 +23,7 @@ class Api::V1::Statuses::BookmarksController < Api::V1::Statuses::BaseController
    bookmark&.destroy!

    render json: @status, serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new([@status], current_account.id, bookmarks_map: { @status.id => false })
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
    not_found
  end
 end
--- a/app/controllers/api/v1/statuses/favourites_controller.rb
+++ b/app/controllers/api/v1/statuses/favourites_controller.rb
@@ -25,7 +25,7 @@ class Api::V1::Statuses::FavouritesController < Api::V1::Statuses::BaseControlle

    relationships = StatusRelationshipsPresenter.new([@status], current_account.id, favourites_map: { @status.id => false }, attributes_map: { @status.id => { favourites_count: count } })
    render json: @status, serializer: REST::StatusSerializer, relationships: relationships
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
    not_found
  end
 end
--- a/app/controllers/api/v1/statuses/pins_controller.rb
+++ b/app/controllers/api/v1/statuses/pins_controller.rb
@@ -26,7 +26,7 @@ class Api::V1::Statuses::PinsController < Api::V1::Statuses::BaseController
  def distribute_add_activity!
    json = ActiveModelSerializers::SerializableResource.new(
      @status,
-      serializer: ActivityPub::AddSerializer,
+      serializer: ActivityPub::AddNoteSerializer,
      adapter: ActivityPub::Adapter
    ).as_json

@@ -36,7 +36,7 @@ class Api::V1::Statuses::PinsController < Api::V1::Statuses::BaseController
  def distribute_remove_activity!
    json = ActiveModelSerializers::SerializableResource.new(
      @status,
-      serializer: ActivityPub::RemoveSerializer,
+      serializer: ActivityPub::RemoveNoteSerializer,
      adapter: ActivityPub::Adapter
    ).as_json

--- a/app/controllers/api/v1/statuses/quotes_controller.rb
+++ b/app/controllers/api/v1/statuses/quotes_controller.rb
@@ -41,8 +41,8 @@ class Api::V1::Statuses::QuotesController < Api::V1::Statuses::BaseController
    if current_account&.id != @status.account_id
      domains = @statuses.filter_map(&:account_domain).uniq
      account_ids = @statuses.map(&:account_id).uniq
-      relations = current_account&.relations_map(account_ids, domains) || {}
-      @statuses.reject! { |status| StatusFilter.new(status, current_account, relations).filtered? }
+      current_account&.preload_relations!(account_ids, domains)
+      @statuses.reject! { |status| StatusFilter.new(status, current_account).filtered? }
    end
  end

--- a/app/controllers/api/v1/statuses/reblogs_controller.rb
+++ b/app/controllers/api/v1/statuses/reblogs_controller.rb
@@ -36,7 +36,7 @@ class Api::V1::Statuses::ReblogsController < Api::V1::Statuses::BaseController

    relationships = StatusRelationshipsPresenter.new([@status], current_account.id, reblogs_map: { @reblog.id => false }, attributes_map: { @reblog.id => { reblogs_count: count } })
    render json: @reblog, serializer: REST::StatusSerializer, relationships: relationships
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
    not_found
  end

@@ -45,7 +45,7 @@ class Api::V1::Statuses::ReblogsController < Api::V1::Statuses::BaseController
  def set_reblog
    @reblog = Status.find(params[:status_id])
    authorize @reblog, :show?
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
    not_found
  end

--- a/app/controllers/api/v1/statuses_controller.rb
+++ b/app/controllers/api/v1/statuses_controller.rb
@@ -66,7 +66,7 @@ class Api::V1::StatusesController < Api::BaseController
    if async_refresh.running?
      add_async_refresh_header(async_refresh)
    elsif !current_account.nil? && @status.should_fetch_replies?
-      add_async_refresh_header(AsyncRefresh.create(refresh_key))
+      add_async_refresh_header(AsyncRefresh.create(refresh_key, count_results: true))

      WorkerBatch.new.within do |batch|
        batch.connect(refresh_key, threshold: 1.0)
@@ -106,9 +106,7 @@ class Api::V1::StatusesController < Api::BaseController
    @status = Status.where(account: current_account).find(params[:id])
    authorize @status, :update?

-    UpdateStatusService.new.call(
-      @status,
-      current_account.id,
+    update_options = {
      text: status_params[:status],
      media_ids: status_params[:media_ids],
      media_attributes: status_params[:media_attributes],
@@ -116,8 +114,11 @@ class Api::V1::StatusesController < Api::BaseController
      language: status_params[:language],
      spoiler_text: status_params[:spoiler_text],
      poll: status_params[:poll],
-      quote_approval_policy: quote_approval_policy
-    )
+    }
+
+    update_options[:quote_approval_policy] = quote_approval_policy if status_params[:quote_approval_policy].present?
+
+    UpdateStatusService.new.call(@status, current_account.id, update_options)

    render json: @status, serializer: REST::StatusSerializer
  end
@@ -126,10 +127,13 @@ class Api::V1::StatusesController < Api::BaseController
    @status = Status.where(account: current_account).find(params[:id])
    authorize @status, :destroy?

+    # JSON is generated before `discard_with_reblogs` in order to have the proper URL
+    # for media attachments, as it would otherwise redirect to the media proxy
+    json = render_to_body json: @status, serializer: REST::StatusSerializer, source_requested: true
+
    @status.discard_with_reblogs
    StatusPin.find_by(status: @status)&.destroy
    @status.account.statuses_count = @status.account.statuses_count - 1
-    json = render_to_body json: @status, serializer: REST::StatusSerializer, source_requested: true

    RemovalWorker.perform_async(@status.id, { 'redraft' => !truthy_param?(:delete_media) })

@@ -145,7 +149,7 @@ class Api::V1::StatusesController < Api::BaseController
  def set_status
    @status = Status.find(params[:id])
    authorize @status, :show?
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
    not_found
  end

--- a/app/controllers/api/v1/tags_controller.rb
+++ b/app/controllers/api/v1/tags_controller.rb
@@ -39,6 +39,6 @@ class Api::V1::TagsController < Api::BaseController
  def set_or_create_tag
    return not_found unless Tag::HASHTAG_NAME_RE.match?(params[:id])

-    @tag = Tag.find_normalized(params[:id]) || Tag.new(name: Tag.normalize(params[:id]), display_name: params[:id])
+    @tag = Tag.find_normalized(params[:id]) || Tag.new(name: params[:id], display_name: params[:id])
  end
 end
--- a/app/controllers/api/v1_alpha/collection_items_controller.rb
+++ b/app/controllers/api/v1_alpha/collection_items_controller.rb
@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+class Api::V1Alpha::CollectionItemsController < Api::BaseController
+  include Authorization
+
+  before_action :check_feature_enabled
+
+  before_action -> { doorkeeper_authorize! :write, :'write:collections' }
+
+  before_action :require_user!
+
+  before_action :set_collection
+  before_action :set_account, only: [:create]
+  before_action :set_collection_item, only: [:destroy, :revoke]
+
+  after_action :verify_authorized
+
+  def create
+    authorize @collection, :update?
+    authorize @account, :feature?
+
+    @item = AddAccountToCollectionService.new.call(@collection, @account)
+
+    render json: @item, serializer: REST::CollectionItemSerializer, adapter: :json
+  end
+
+  def destroy
+    authorize @collection, :update?
+
+    DeleteCollectionItemService.new.call(@collection_item)
+
+    head 200
+  end
+
+  def revoke
+    authorize @collection_item, :revoke?
+
+    RevokeCollectionItemService.new.call(@collection_item)
+
+    head 200
+  end
+
+  private
+
+  def set_collection
+    @collection = Collection.find(params[:collection_id])
+  end
+
+  def set_account
+    return render(json: { error: '`account_id` parameter is missing' }, status: 422) if params[:account_id].blank?
+
+    @account = Account.find(params[:account_id])
+  end
+
+  def set_collection_item
+    @collection_item = @collection.collection_items.find(params[:id])
+  end
+
+  def check_feature_enabled
+    raise ActionController::RoutingError unless Mastodon::Feature.collections_enabled?
+  end
+end
--- a/app/controllers/api/v1_alpha/collections_controller.rb
+++ b/app/controllers/api/v1_alpha/collections_controller.rb
@@ -0,0 +1,117 @@
+# frozen_string_literal: true
+
+class Api::V1Alpha::CollectionsController < Api::BaseController
+  include Authorization
+
+  DEFAULT_COLLECTIONS_LIMIT = 40
+
+  rescue_from ActiveRecord::RecordInvalid, Mastodon::ValidationError do |e|
+    render json: { error: ValidationErrorFormatter.new(e).as_json }, status: 422
+  end
+
+  before_action :check_feature_enabled
+
+  before_action -> { authorize_if_got_token! :read, :'read:collections' }, only: [:index, :show]
+  before_action -> { doorkeeper_authorize! :write, :'write:collections' }, only: [:create, :update, :destroy]
+
+  before_action :require_user!, only: [:create, :update, :destroy]
+
+  before_action :set_account, only: [:index]
+  before_action :set_collections, only: [:index]
+  before_action :set_collection, only: [:show, :update, :destroy]
+
+  after_action :insert_pagination_headers, only: [:index]
+
+  after_action :verify_authorized
+
+  def index
+    cache_if_unauthenticated!
+    authorize @account, :index_collections?
+
+    render json: @collections, each_serializer: REST::CollectionSerializer, adapter: :json
+  rescue Mastodon::NotPermittedError
+    render json: { collections: [] }
+  end
+
+  def show
+    cache_if_unauthenticated!
+    authorize @collection, :show?
+
+    render json: @collection, serializer: REST::CollectionWithAccountsSerializer
+  end
+
+  def create
+    authorize Collection, :create?
+
+    @collection = CreateCollectionService.new.call(collection_creation_params, current_user.account)
+
+    render json: @collection, serializer: REST::CollectionSerializer, adapter: :json
+  end
+
+  def update
+    authorize @collection, :update?
+
+    UpdateCollectionService.new.call(@collection, collection_update_params)
+
+    render json: @collection, serializer: REST::CollectionSerializer, adapter: :json
+  end
+
+  def destroy
+    authorize @collection, :destroy?
+
+    DeleteCollectionService.new.call(@collection)
+
+    head 200
+  end
+
+  private
+
+  def set_account
+    @account = Account.find(params[:account_id])
+  end
+
+  def set_collections
+    @collections = @account.collections
+      .with_tag
+      .order(created_at: :desc)
+      .offset(offset_param)
+      .limit(limit_param(DEFAULT_COLLECTIONS_LIMIT))
+    @collections = @collections.discoverable unless @account == current_account
+  end
+
+  def set_collection
+    @collection = Collection.find(params[:id])
+  end
+
+  def collection_creation_params
+    params.permit(:name, :description, :language, :sensitive, :discoverable, :tag_name, account_ids: [])
+  end
+
+  def collection_update_params
+    params.permit(:name, :description, :language, :sensitive, :discoverable, :tag_name)
+  end
+
+  def check_feature_enabled
+    raise ActionController::RoutingError unless Mastodon::Feature.collections_enabled?
+  end
+
+  def next_path
+    return unless records_continue?
+
+    api_v1_alpha_account_collections_url(@account, pagination_params(offset: offset_param + limit_param(DEFAULT_COLLECTIONS_LIMIT)))
+  end
+
+  def prev_path
+    return if offset_param.zero?
+
+    api_v1_alpha_account_collections_url(@account, pagination_params(offset: offset_param - limit_param(DEFAULT_COLLECTIONS_LIMIT)))
+  end
+
+  def records_continue?
+    ((offset_param * limit_param(DEFAULT_COLLECTIONS_LIMIT)) + @collections.size) < @account.collections.size
+  end
+
+  def offset_param
+    params[:offset].to_i
+  end
+end
--- a/app/controllers/api/web/embeds_controller.rb
+++ b/app/controllers/api/web/embeds_controller.rb
@@ -30,7 +30,7 @@ class Api::Web::EmbedsController < Api::Web::BaseController
  def set_status
    @status = Status.find(params[:id])
    authorize @status, :show?
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
    not_found
  end
 end
--- a/app/controllers/api/web/push_subscriptions_controller.rb
+++ b/app/controllers/api/web/push_subscriptions_controller.rb
@@ -62,7 +62,7 @@ class Api::Web::PushSubscriptionsController < Api::Web::BaseController
  end

  def set_push_subscription
-    @push_subscription = ::Web::PushSubscription.find(params[:id])
+    @push_subscription = ::Web::PushSubscription.where(user_id: active_session.user_id).find(params[:id])
  end

  def subscription_params
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -17,7 +17,6 @@ class ApplicationController < ActionController::Base

  helper_method :current_account
  helper_method :current_session
-  helper_method :current_theme
  helper_method :single_user_mode?
  helper_method :use_seamless_external_login?
  helper_method :sso_account_settings
@@ -62,19 +61,25 @@ class ApplicationController < ActionController::Base
    return if request.referer.blank?

    redirect_uri = URI(request.referer)
-    return if redirect_uri.path.start_with?('/auth')
+    return if redirect_uri.path.start_with?('/auth', '/settings/two_factor_authentication', '/settings/otp_authentication')

    stored_url = redirect_uri.to_s if redirect_uri.host == request.host && redirect_uri.port == request.port

    store_location_for(:user, stored_url)
  end

+  def mfa_setup_path(path_params = {})
+    settings_two_factor_authentication_methods_path(path_params)
+  end
+
  def require_functional!
    return if current_user.functional?

    respond_to do |format|
      format.any do
-        if current_user.confirmed?
+        if current_user.missing_2fa?
+          redirect_to mfa_setup_path
+        elsif current_user.confirmed?
          redirect_to edit_user_registration_path
        else
          redirect_to auth_setup_path
@@ -86,6 +91,8 @@ class ApplicationController < ActionController::Base
          render json: { error: 'Your login is missing a confirmed e-mail address' }, status: 403
        elsif !current_user.approved?
          render json: { error: 'Your login is currently pending approval' }, status: 403
+        elsif current_user.missing_2fa?
+          render json: { error: 'Your account requires two-factor authentication' }, status: 403
        elsif !current_user.functional?
          render json: { error: 'Your login is currently disabled' }, status: 403
        end
@@ -171,12 +178,6 @@ class ApplicationController < ActionController::Base
    @current_session = SessionActivation.find_by(session_id: cookies.signed['_session_id']) if cookies.signed['_session_id'].present?
  end

-  def current_theme
-    return Setting.theme unless Themes.instance.names.include? current_user&.setting_theme
-
-    current_user.setting_theme
-  end
-
  def respond_with_error(code)
    respond_to do |format|
      format.any  { render "errors/#{code}", layout: 'error', status: code, formats: [:html] }
--- a/app/controllers/auth/registrations_controller.rb
+++ b/app/controllers/auth/registrations_controller.rb
@@ -130,12 +130,17 @@ class Auth::RegistrationsController < Devise::RegistrationsController
  end

  def require_rules_acceptance!
-    return if @rules.empty? || (session[:accept_token].present? && params[:accept] == session[:accept_token])
+    return if @rules.empty? || validated_accept_token?

    @accept_token = session[:accept_token] = SecureRandom.hex
-    @invite_code  = invite_code
+    @invite_code = invite_code
+    @rule_translations = @rules.map { |rule| rule.translation_for(I18n.locale) }

-    set_locale { render :rules }
+    render :rules
+  end
+
+  def validated_accept_token?
+    session[:accept_token].present? && params[:accept] == session[:accept_token]
  end

  def is_flashing_format? # rubocop:disable Naming/PredicatePrefix
--- a/app/controllers/auth/sessions_controller.rb
+++ b/app/controllers/auth/sessions_controller.rb
@@ -197,14 +197,14 @@ class Auth::SessionsController < Devise::SessionsController
    "2fa_auth_attempts:#{user.id}:#{Time.now.utc.hour}"
  end

-  def respond_to_on_destroy
+  def respond_to_on_destroy(**)
    respond_to do |format|
      format.json do
        render json: {
          redirect_to: after_sign_out_path_for(resource_name),
        }, status: 200
      end
-      format.all { super }
+      format.all { super(**) }
    end
  end
 end
--- a/app/controllers/authorize_interactions_controller.rb
+++ b/app/controllers/authorize_interactions_controller.rb
@@ -21,7 +21,7 @@ class AuthorizeInteractionsController < ApplicationController
  def set_resource
    @resource = located_resource
    authorize(@resource, :show?) if @resource.is_a?(Status)
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
    not_found
  end

--- a/app/controllers/collection_items_controller.rb
+++ b/app/controllers/collection_items_controller.rb
@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+class CollectionItemsController < ApplicationController
+  include SignatureAuthentication
+  include Authorization
+  include AccountOwnedConcern
+
+  vary_by -> { public_fetch_mode? ? 'Accept, Accept-Language, Cookie' : 'Accept, Accept-Language, Cookie, Signature' }
+
+  before_action :check_feature_enabled
+  before_action :require_account_signature!, if: -> { authorized_fetch_mode? }
+  before_action :set_collection_item
+
+  skip_around_action :set_locale
+  skip_before_action :require_functional!, unless: :limited_federation_mode?
+
+  def show
+    respond_to do |format|
+      format.json do
+        expires_in(3.minutes, public: public_fetch_mode?)
+
+        render json: @collection_item,
+               serializer: ActivityPub::FeaturedItemSerializer,
+               adapter: ActivityPub::Adapter,
+               content_type: 'application/activity+json'
+      end
+    end
+  end
+
+  private
+
+  def set_collection_item
+    @collection_item = @account.curated_collection_items.find(params[:id])
+    authorize @collection_item.collection, :show?
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
+    not_found
+  end
+
+  def check_feature_enabled
+    raise ActionController::RoutingError unless Mastodon::Feature.collections_enabled?
+  end
+end
--- a/app/controllers/collections_controller.rb
+++ b/app/controllers/collections_controller.rb
@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+class CollectionsController < ApplicationController
+  include WebAppControllerConcern
+  include SignatureAuthentication
+  include Authorization
+  include AccountOwnedConcern
+
+  vary_by -> { public_fetch_mode? ? 'Accept, Accept-Language, Cookie' : 'Accept, Accept-Language, Cookie, Signature' }
+
+  before_action :check_feature_enabled
+  before_action :require_account_signature!, only: :show, if: -> { request.format == :json && authorized_fetch_mode? }
+  before_action :set_collection
+
+  skip_around_action :set_locale, if: -> { request.format == :json }
+  skip_before_action :require_functional!, only: :show, unless: :limited_federation_mode?
+
+  def show
+    respond_to do |format|
+      # TODO: format.html
+
+      format.json do
+        expires_in expiration_duration, public: true if public_fetch_mode?
+        render_with_cache json: @collection, content_type: 'application/activity+json', serializer: ActivityPub::FeaturedCollectionSerializer, adapter: ActivityPub::Adapter
+      end
+    end
+  end
+
+  private
+
+  def set_collection
+    @collection = @account.collections.find(params[:id])
+    authorize @collection, :show?
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
+    not_found
+  end
+
+  def expiration_duration
+    recently_updated = @collection.updated_at > 15.minutes.ago
+    recently_updated ? 30.seconds : 5.minutes
+  end
+
+  def check_feature_enabled
+    raise ActionController::RoutingError unless Mastodon::Feature.collections_enabled?
+  end
+end
--- a/app/controllers/concerns/accountable_concern.rb
+++ b/app/controllers/concerns/accountable_concern.rb
@@ -4,10 +4,8 @@ module AccountableConcern
  extend ActiveSupport::Concern

  def log_action(action, target)
-    Admin::ActionLog.create(
-      account: current_account,
-      action: action,
-      target: target
-    )
+    current_account
+      .action_logs
+      .create(action:, target:)
  end
 end
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .10
 .14
@@ -1 +1 @@
 .4.7
 .4.8