Releases: fedify-dev/hollo
Release list
Hollo 0.9.5
Released on June 13, 2026.
- Fixed a bug where expired poll notifications appeared in
/api/v1/notificationsbut not in the grouped/api/v2/notificationsfeed, which could leave Mastodon-compatible clients such as Phanpy showing a permanent unread notification badge. Poll notifications are now materialized into thenotificationsandnotification_groupstables like other notification types, and existing expired polls are backfilled during migration. [#517]
Hollo 0.9.4
Released on June 4, 2026.
- Upgraded Fedify to 2.2.4 to address a security vulnerability in SSRF mitigation. [CVE-2026-50131]
Hollo 0.8.7
Released on June 4, 2026.
- Upgraded Fedify to 2.1.15 to address a security vulnerability in SSRF mitigation. [CVE-2026-50131]
Hollo 0.7.18
Released on June 4, 2026.
- Upgraded Fedify to 1.10.11 to address a security vulnerability in SSRF mitigation. [CVE-2026-50131]
Hollo 0.9.3
Released on June 3, 2026.
- Fixed a bug where some remote accounts' custom profile fields were rendered as per-character entries (field names
0,1,2, … with one character of HTML in each value) in Mastodon API responses and on profile pages. The affected rows had theirfield_htmls(and potentiallyemojisorfields) stored as double-encoded JSON strings by an older Drizzle ORM version; a data migration repairs them, and newCHECKconstraints enforce that these columns always hold JSON objects. [#504]
Hollo 0.9.2
Released on May 25, 2026.
- Fixed a bug where the media proxy returned
404 Not Foundfor remote media whose upstream server labeled the payload asapplication/octet-streamorbinary/octet-streameven though the bytes were valid image, video, or audio data. The proxy now sniffs magic bytes to recover the real MIME type in these cases. [#498]
Hollo 0.9.1
Released on May 21, 2026.
- Upgraded Fedify to 2.2.3 to fix a security vulnerability in Linked Data Signature verification that could allow certain signed activities to be interpreted differently than intended. [CVE-2026-42462]
Hollo 0.9.0
Released on May 20, 2026.
-
Upgraded Drizzle ORM to 1.0.0-rc.2 and migrated Hollo's relational query definitions to the new relations API. This has no intended user-facing behavior changes, but the first migration after upgrading may need one extra database permission check. Drizzle 1 upgrades its own migration log table,
drizzle.__drizzle_migrations, by addingnameandapplied_atcolumns. PostgreSQL only allows thatALTER TABLEwhen the migration is run by the table owner.If
pnpm run migratefails withmust be owner of table __drizzle_migrations, first check which role owns Drizzle's migration log table:SELECT n.nspname AS schema, c.relname AS table_name, pg_get_userbyid(c.relowner) AS owner FROM pg_class c JOIN pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'drizzle' AND c.relname = '__drizzle_migrations';
If the owner is not the same role Hollo uses in
DATABASE_URL, run the following SQL as the current table owner or a database admin, replacinghollowith your Hollo database user:ALTER SCHEMA drizzle OWNER TO hollo; ALTER TABLE drizzle.__drizzle_migrations OWNER TO hollo; ALTER SEQUENCE IF EXISTS drizzle.__drizzle_migrations_id_seq OWNER TO hollo;
Then run
pnpm run migrateagain with Hollo's normalDATABASE_URL. If your database provider does not allow ownership transfers, run this one migration once with the database role that already ownsdrizzle.__drizzle_migrations. -
Cancel running PostgreSQL queries when the corresponding
GETorHEADrequest is aborted, such as when a client disconnects or quickly switches away from a timeline column. Hollo now tracks the underlying postgres.js query handles used by Drizzle and calls PostgreSQL cancellation for in-flight queries tied to the aborted read-only request. This reduces wasted database work and helps keep the connection pool available under repeated client-side aborts. The existingstatement_timeoutrecommendation remains useful as a backstop for queries that cannot be tied to a safe HTTP request. -
Added passkey (WebAuthn) authentication. The admin Auth page now has a “Passkeys” section for enrolling and managing passkeys, and the public login page presents a “Sign in with passkey” button (with the email/password form tucked behind a toggle) whenever at least one passkey is enrolled. Both device-bound and synced (multi-device) passkeys are accepted. A passkey on its own counts as multi-factor authentication, so a successful passkey sign-in is accepted in place of the TOTP step — the user is not asked for a one-time code in the same session.
Hollo uses the @simplewebauthn/server library for verification and ships the matching browser helper as a static asset linked only from the auth and login pages. Registration uses
residentKey: requiredanduserVerification: required, so every enrolled passkey is discoverable and tied to a biometric or PIN gesture. Registration challenges are bound to the current login session with a server-enforced 5-minute TTL, and login challenges are stored in a single-usepasskey_login_challengestable so a captured cookie + assertion pair can be redeemed at most once. [#487] -
Added optional split-domain WebFinger support. When the new
HANDLE_HOSTandWEB_ORIGINenvironment variables are set, Hollo uses Fedify'soriginconfiguration so that fediverse handles (e.g.@alice@example.com) and ActivityPub actor URIs (e.g.https://ap.example.com/@alice) can live on different domains. The Mastodon-compatible/api/v1/instanceand/api/v2/instanceendpoints exposeHANDLE_HOSTas the instance domain when this is configured, so clients display the correct@user@HANDLE_HOSThandle. Both variables must be set together; setting only one is a startup error. They must be configured before the first account is created — changing the handle domain after federation has begun breaks remote follow relationships; on startup Hollo logs a warning when the configuredHANDLE_HOSTdoes not match the existing account's stored handle. Operators must also configure their reverse proxy on the handle domain to redirect/.well-known/webfingertoWEB_ORIGIN. See the Split-domain WebFinger guide. [#161, #484] -
Added a media proxy that re-serves remote avatars, headers, post attachments, custom emojis, and preview-card images from Hollo's own origin. This sidesteps CORS configurations on remote object stores and prevents the visitor's browser from talking directly to the source server. Controlled by a new
MEDIA_PROXYenvironment variable with three levels: [#481, #483, #493]off(default): the Mastodon API and web UI hand the original remote URL to clients, matching the historical behaviour.proxy: every remote media URL is rewritten to a signed/proxy/<sig>/<b64url>path served by Hollo itself. The proxy runs SSRF checks on the upstream URL and on every redirect target, allows only image/video/audio Content-Types (image/svg+xml is explicitly blocked to avoid same-origin XSS), caps the body at 32 MiB, and serves the response withCache-Control: public, max-age=2592000, immutableandX-Content-Type-Options: nosniff. No on-disk cache.cache: same URL rewriting, but the streamed body is persisted to the configured storage backend asproxy/<sha256>.bin, with a content-type sidecar alongside it atproxy/<sha256>.json. Subsequent requests skip the upstream fetch. Remote actor avatars for accounts with an approved follow relationship to the local account are also prefetched into this same cache when the actor is stored or refreshed, so stale upstream avatar files can keep rendering after Hollo has seen them once. The admin dashboard at /thumbnail_cleanup can purge the cache on demand.
MEDIA_PROXYalso accepts the Boolean synonymstrue/on/1(as aliases forproxy) andfalse/off/0(as aliases foroff). Disk caching is opt-in only via the explicitcachevalue.Outbound federation is unaffected: Hollo still publishes the original remote URLs in ActivityPub
icon,image,attachment, and emojiTagreferences. -
Added a
REMOTE_MEDIA_THUMBNAILSenvironment variable that controls whether Hollo downloads incoming remote attachments to generate a local WebP thumbnail. Set tooffto skip the upstream fetch and Sharp pipeline entirely, storing the remote URL itself as the thumbnail URL—useful in combination withMEDIA_PROXY=proxyorcacheto free up the disk space the local thumbnails would otherwise occupy. Defaults toon(the historical behavior). [#481, #483] -
Added FEP-044f quote authorization and policy support on top of the Mastodon-compatible quote APIs. [#457, #459, #460]
- Added persistent quote states for
pending,accepted,rejected,revoked, andunauthorizedquotes, plus quote target and authorization IRIs for federation. - Hollo now enforces quote policy, quote target visibility, block relationships, follower-only quote permissions, and direct-message mention requirements when creating a quote through
POST /api/v1/statuses. Remote public posts without an advertised FEP-044f quote policy are treated as legacy quote targets and can be quoted without waiting for quote authorization. - Implemented
quote_approval_policyhandling on status creation and editing, and addedPUT /api/v1/statuses/:id/interaction_policyfor updating a status' quote policy after publication. quotes_countnow includes only accepted quotes and is updated when quotes are accepted, rejected, revoked, created, deleted, or received through federation.GET /api/v1/statuses/:id/quotesnow lists only accepted quotes, and quote revocation keeps quote target metadata while removing the quote from accepted quote lists and counts.- Published outbound FEP-044f
quote,quoteAuthorization, andinteractionPolicy.canQuoteproperties on ActivityPub objects, while keeping the legacyquoteUrlproperty for compatibility. - Parsed inbound FEP-044f
quotetargets and quote approval policies from remote objects, including support for the legacyquoteUrlproperty. - Added federation handling for
QuoteRequest,Accept(QuoteRequest),Reject(QuoteRequest), andDelete(QuoteAuthorization), allowing Hollo to request quote authorization from remote servers, accept or reject incoming quote requests, and revoke quotes when a remote quote authorization is deleted. - Added dereferenceable local
QuoteAuthorizationActivityPub objects for accepted quotes.
- Added persistent quote states for
-
Added custom field editing to the admin account creation and editing forms, allowing up to 10 label–value pairs per profile (beyond Mastodon's limit of 4). Field values support Markdown and mention syntax. The Mastodon-compatible
PATCH /api/v1/accounts/ update_credentialsendpoint now also accepts up to 10 custom fields viafields_attributes[0]throughfields_attributes[9]. -
Added
LOG_FILE_FORMATenvironment variable to control the format of the log file set byLOG_FILE. Valid values arejsonl(the default, JSON Lines format) andlogfmt([logfmt](https://brandur.org/...
Hollo 0.8.6
Released on May 21, 2026.
- Upgraded Fedify to 2.1.14 to fix a security vulnerability in Linked Data Signature verification that could allow certain signed activities to be interpreted differently than intended. [CVE-2026-42462]
Hollo 0.7.17
Released on May 21, 2026.
- Upgraded Fedify to 1.10.10 to fix a security vulnerability in Linked Data Signature verification that could allow certain signed activities to be interpreted differently than intended. [CVE-2026-42462]