Important Clarification: Sharkey's develop branch is affected by some of today's vulnerabilities, so instances running on development (pre-release) versions do need to update or apply mitigations!
We still haven't completed patches for the develop branch, but a candidate patch set is being tested as we speak. We'll push the changes as soon as they're done and confirmed to work!
I'm sorry, but- I'm gonna have to throw in the towel for develop for the night. For the savvy users running it, please look into forward-porting the patches for your own instance, until an official release is made.
I'm at the end of my rope for now, and need to recharge- the diff requires resolving six months of merge conflicts. You have my sincerest apologies.
This is your official notice that we'll be making a major security release for Sharkey tomorrow (between 2026-03-08T22:00:00.000Z and 2026-03-09T00:00:00.000Z) in coordination with Misskey. Please be ready to patch your instances as soon as humanly possible, as the vulnerabilities at play are extremely severe. Note that IceShrimp and Firefish derivatives are not affected, only direct forks of Misskey.
For instances of sufficiently large size (>~50 MaU) who are unable to apply patches at that time, our maintainer (@julia@eepy.moe) would like to give a one-time offer to apply patches on behalf of instance administrators.
If you are physically unable to apply patches and meet the requirements, please direct message her for further information.
ActivityPub.software signups have been temporarily disabled due to a large influx of bot traffic to signups. We'll be enabling Anubis, as other bot prevention methods have been ineffective in preventing spam.
- Migrating frontend preferences from pre-2025.4.2 should be more reliable now.
- Parsing of incoming activities should be faster and use less memory.
- Many database queries are now faster.
- Blocking / silencing many instances will no longer slow down yours.
- Caches should be more correct.
- The "slow query" warning in the server logs can now be configured.
- S3 errors during media uploads are now correctly reported to the frontend.
- More consistent handling of note visibility and silenced instances / users.
- The MFM parser now accepts markdown image links like , and those images are fetched like attachments (they're not yet rendered inline, though).
- Many privacy / security fixes.
- Improved notification grouping.
- Suspending a user no longer severs their follows, so they'll be restored when the user is un-suspended.
- On a note's detailed view, the "reactions" tab shows all the details of the first reaction group by default.
- API endpoints emit an X-Robots-Tag: noindex header to deter indexing.
- Videos will be optimized for streaming (not re-encoded, the metadata will just be modified slightly).
- The admin view of a user's profile now shows their sign-up reason.
- A few admin and moderation pages have been redesigned and should be more usable, especially on mobile.
- Server logging has been improved, it should now provide more details with less noise.
- Improved interoperability of quotes with Mastodon and other software that implements fep-e232 and/or fep-044f.
- Show attributions (fediverse:creator) in link previews, and allow users to set their "attribution domains".
- If enabled in the default policy, non-logged-in users can use translation features.
- Some frontend pages now retry API calls when they hit a rate limit.
- DeepLX works again.
- Fixed receiving poll votes.
- Users can again set their custom search engine for MFM's [search] feature.
- "Show muted words" works the right way around.
- Reworked the "trending polls" page.

Recommendations to admins:
- If your users had a broken migration, they can try re-importing via Settings → other → 🗘 Migrate old client settings, but we suggest backing up their current preferences first.
- The default policy now disables translation, you may want to create a conditional role matching all local users to re-enable it for them.
- We've added many new indexes to the database, we recommend running a vacuum (analyse, verbose) after the migrations have completed.
- If you do not use Docker, to avoid potential crashes when rendering some SVG images, you should make sure that your system has librsvg and some fonts (on Debian-style systems, that's librsvg2-2 and fonts-noto).
We've officially released version 2024.2.3 of Sharkey!
This update contains critical security fixes. Please update as soon as possible. Disclosures for the relevant vulnerabilities will be made available once instances have been patched.
Heads up- we'll be making a major security release for Sharkey later today (between 2025-04-27T19:00:00.000Z and 2025-04-27T21:00:00.000Z) in coordination with Iceshrimp and Misskey. Please make sure to update your instances as soon as possible.
Hello everyone, we've just released a new version of Sharkey! This is the first release in the 2025.2 series, despite the .2- we had to make use of that due to technical limitations in the upstream merge workflow we use.
Here's what we've been working on:
- A fix for an annoying corepack/pnpm error.
- Optimizations to SQL-based note search.
- Support for tsvector full-text search.
- Support for filtering by Module and Flash file types.
- Fixes for quote preview.
- Fixes for hashtags and tag search.
- Allow user-initiated object lookups to redirect. (makes the lookup function 100x more likely to actually work instead of throwing a vague error).
- Add missing translations in various places.
- Bulk fixes and refactoring of Mastodon API. (it may work better with some clients, and several known bugs are fixed.)
- Option to regenerate vapid keys without a CLI command.
- Revision 2 of the new rate limit system- improved performance, simpler API, and the "role template" rate limit factor now applies to unauthenticated / logged-out requests.
- Fixes for docker build & deployment.
- Fixes for BSD build & deployment.
- Add a "follow back" button to "user followed you" notifications.
- Buttons to accept/reject follow requests directly from a user's profile.
- Various rate limit fixes and adjustments.
- Improved support for MFM and HTML ruby.
- Improved browser language detection, especially in cases where we don't have an exact-match language file.
- Robots.txt can be configured through admin settings, instead of using the reverse-proxy.
- Federation fixes and improvements, particularly for software which produces null for Person.discoverable.
- Build and development tooling improvements.
- Fixes for import limits and config settings.
- Fixes for reactions
- Fixes for note visibility in streaming API
- Shift-click to automatically boost w/ visibility
- Fixes to emoji sorting, search, and categorization.
- Emoji import now honours the import.downloadTimeout setting
- Laxer validation for admin-controlled HTML.
- Add some missing MFM to the cheat sheet.
- Record the person who created an invite code.
- Classic and narrow UI layout fixes.
- Fixes for RSS widgets
- Remove unused "email notification type" settings to avoid user confusion.
- Remove duplicate role badges
- Add file extension to locally-stored media (allows the reverse-proxy to directly serve media)
- The IP address that the server listens on is now configurable
- Users can set a default CW
- Moderators can force a CW for a user
- Moderators can remove the "quote" feature for specific users (local or remote) and remote instances
- Optional separate Redis connection for rate-limiting purposes
- Ability to log all AP objects- note that this respects deletes, and is optional, as a debugging aid.
- Better support for PeerTube thumbnails
- Better interoperability with SocialHome

Here's what we've pulled in from upstream:
- A new experimental custom emoji manager using a spreadsheet UI
- Support for PGroonga full-text search, which gives accuracy closer to Meilisearch with dramatically less system load and deployment headache.
- We can log full SQL queries for development
- A bunch of bug fixes for login, note hiding, MFM, and others.
- Remove unused "view source" button.
- Fixes to data saver mode.
- Fixes to Deck UI.
- Add missing translations in various places.
Sharkey is a Misskey fork following upstream changes when possible, with added features!

It has features such as:
* Federated note editing
* Scheduled notes
* Mastodon API
* UI Improvements
* Federated Profile Backgrounds
* Federated Music Status via Listenbrainz

It is possible to migrate to Sharkey from:
* IceShrimp.js
* Misskey