Release history
ktistec releases
ActivityPub (https://www.w3.org/TR/activitypub/) server for individual users and small groups.
v3.3.7
New feature
Security fixes
- Prevent pinning of private objects and auto-unpin them
- Remove `href` attributes with unsafe schemes from sanitized HTML
- Escape interpolated values in view helpers and actor icon refresh
Notable features
- Sliding token expiration for OAuth2 access tokens
- Mastodon-compatible API endpoint `/api/v1/accounts/update_credentials`
Full changelog
Added
- Sliding token expiration for OAuth2 access tokens.
- Mastodon-compatible API: `/api/v1/accounts/update_credentials` endpoint.
Fixed
- Prevent pinning of (and auto-unpin) private objects.
- Don't save a quote if the quoted actor cannot be dereferenced.
- Fix rendering of federated actor profile attachment values.
- Remove `href` attributes with unsafe schemes from sanitized HTML.
- Escape interpolated values in view helpers and the actor icon streaming refresh.
- Restrict upload extensions and serve uploads with `X-Content-Type-Options: nosniff`.
- Escape `publicKey` and scrub `Tag.href`.
- Sanitizer no longer permits single-quote attribute injection.
- Ensure bearer-token sessions cannot reach the web UI.
- Require client authentication on the OAuth token endpoint.
v3.3.6
Security
Security fixes
- Prevented SSRF when dereferencing externally supplied IRIs
Notable features
- Deferred downloading of script files
- Deferred loading of image, video, and audio attachments
Full changelog
Fixed
- Prevent SSRF when dereferencing externally supplied IRIs.
- Timeline entry no longer becomes stale when an announce is undone.
- Correctly represent boosted posts on the home timeline in API clients.
Changed
- Defer downloading of script files.
- Defer loading of image, video, and audio attachments.
- Move poll vote notification for voters into the outbox processor.
v3.3.5
New feature
Breaking changes
- with_mastodon_api compiler flag removed, API always enabled
Security fixes
- Correctly resolve keyId from Signature header
Notable features
- Mastodon-compatible API endpoints
- Cursor-based pagination
- Account and status APIs
v3.3.4
New feature
Security fixes
- Fixed autosave focus handling
Notable features
- Status posting endpoint
- Public timeline endpoint
v3.3.2
Bug fix
Security fixes
- HTTP signature keyId includes main-key fragment
v3.3.1
New feature
Breaking changes
- NodeInfo siteName renamed to nodeName
Notable features
- Federation documentation
- Quote post notifications
- MCP integration
v3.3.0
New feature
Breaking changes
- next_attempt_at in tasks nil means not scheduled
Notable features
- FEP-044f quote post support
v3.2.8
New feature
Notable features
- Poll creation frontend
- Poll expiry notifications
- Metadata editor options
v3.2.7
New feature
Notable features
- Backend poll support
- Advanced theming
- Admin task monitoring