Skip to content

Releases: fedify-dev/hollo

Hollo 0.9.8

Choose a tag to compare

@github-actions github-actions released this 10 Jul 15:20
0.9.8
5e76665

Released on July 11, 2026.

  • Fixed a Mastodon API compatibility bug where accounts with Make following list public disabled could not view their own following list in clients. Authenticated account owners can now access their own following list while it remains hidden from everyone else. [#548]

Hollo 0.9.7

Choose a tag to compare

@github-actions github-actions released this 08 Jul 18:18
0.9.7
cafb7b2

Released on July 9, 2026.

  • Fixed a bug where locally-created quotes of remote posts that advertised an FEP-044f quote policy were marked as accepted immediately without first obtaining a QuoteAuthorization, causing third-party servers to see the quote as unapproved. Hollo now keeps those quotes pending, sends a QuoteRequest, and publishes the quoteAuthorization property after the remote server accepts the request. Remote posts without an FEP-044f quote policy are still treated as legacy quote targets and continue to publish the quote property without a quoteAuthorization.

Hollo 0.9.6

Choose a tag to compare

@github-actions github-actions released this 03 Jul 13:57
0.9.6
8f9579e

Released on July 3, 2026.

  • Fixed a Mastodon API compatibility bug where editing a post through PUT /api/v1/statuses/:id ignored updated media attachment descriptions, causing alt text changes from clients like Phanpy and Moshidon to appear successful without being saved. [#538]

Hollo 0.8.8

Choose a tag to compare

@github-actions github-actions released this 03 Jul 13:49
0.8.8
7e12d56

Released on July 3, 2026.

  • Fixed a Mastodon API compatibility bug where editing a post through PUT /api/v1/statuses/:id ignored updated media attachment descriptions, causing alt text changes from clients like Phanpy and Moshidon to appear successful without being saved. [#538]

Hollo 0.9.5

Choose a tag to compare

@github-actions github-actions released this 13 Jun 06:25
0.9.5
556a212

Released on June 13, 2026.

  • Fixed a bug where expired poll notifications appeared in /api/v1/notifications but not in the grouped /api/v2/notifications feed, which could leave Mastodon-compatible clients such as Phanpy showing a permanent unread notification badge. Poll notifications are now materialized into the notifications and notification_groups tables like other notification types, and existing expired polls are backfilled during migration. [#517]

Hollo 0.9.4

Choose a tag to compare

@github-actions github-actions released this 04 Jun 08:14
0.9.4
5711c2d

Released on June 4, 2026.

  • Upgraded Fedify to 2.2.4 to address a security vulnerability in SSRF mitigation. [CVE-2026-50131]

Hollo 0.8.7

Choose a tag to compare

@github-actions github-actions released this 04 Jun 08:10
0.8.7
47dcf9e

Released on June 4, 2026.

  • Upgraded Fedify to 2.1.15 to address a security vulnerability in SSRF mitigation. [CVE-2026-50131]

Hollo 0.7.18

Choose a tag to compare

@github-actions github-actions released this 04 Jun 08:06
0.7.18
34e3b1d

Released on June 4, 2026.

  • Upgraded Fedify to 1.10.11 to address a security vulnerability in SSRF mitigation. [CVE-2026-50131]

Hollo 0.9.3

Choose a tag to compare

@github-actions github-actions released this 03 Jun 11:59
0.9.3
d7e0426

Released on June 3, 2026.

  • Fixed a bug where some remote accounts' custom profile fields were rendered as per-character entries (field names 0, 1, 2, … with one character of HTML in each value) in Mastodon API responses and on profile pages. The affected rows had their field_htmls (and potentially emojis or fields) stored as double-encoded JSON strings by an older Drizzle ORM version; a data migration repairs them, and new CHECK constraints enforce that these columns always hold JSON objects. [#504]

Hollo 0.9.2

Choose a tag to compare

@github-actions github-actions released this 25 May 12:51
0.9.2
94ed038

Released on May 25, 2026.

  • Fixed a bug where the media proxy returned 404 Not Found for remote media whose upstream server labeled the payload as application/octet-stream or binary/octet-stream even though the bytes were valid image, video, or audio data. The proxy now sniffs magic bytes to recover the real MIME type in these cases. [#498]