8.2.1

What's Changed

Security

• Hardened how the inbox processes large recipient lists in incoming activities. [#3094]

Fixed

• Fix monthly and annual Fediverse Stats emails being sent more than once per period when the scheduler ran multiple times. [#3252]

New Contributors

• @arthur791004 made their first contribution in #3252

---

Full Changelog: 8.2.0...8.2.1

8.2.0

What's Changed

• Trim dev-only lint configs from the release archive by @pfefferle in #3214
• Require PKCE by default for public OAuth clients by @pfefferle in #3222
• Require PHPUnit 9.6.33+ (CVE-2026-24765) by @pfefferle in #3224
• Respect force_signature in Delete handler's deferred verification by @pfefferle in #3223
• Enforce caller ownership on OAuth token revocation by @pfefferle in #3221
• Harden HTTP signature verification against replay by @pfefferle in #3212
• Sanitize inbox activity type to prevent action hook pollution by @pfefferle in #3227
• Harden OAuth client discovery and SSE proxy outbound requests by @pfefferle in #3228
• Resolve AAAA records in resolve_public_host so IPv6-only hosts work by @pfefferle in #3229
• Tighten clock tolerance on the deprecated signature verifier by @pfefferle in #3230
• Reject internal-address authority values on followers/sync at the route layer by @pfefferle in #3232
• Fail closed in OAuth rate limits when client IP can't be determined by @pfefferle in #3231
• Block additional reserved IPv6 ranges in resolve_public_host by @pfefferle in #3233
• Require signatures on HEAD requests to peer-only endpoints by @pfefferle in #3235
• Return 429 from the OAuth token endpoint when rate-limited by @pfefferle in #3236
• Decode percent-encoded authority before the followers/sync blocklist by @pfefferle in #3234
• Drop credentialed CORS reflection on ActivityPub REST endpoints by @pfefferle in #3237
• Stop trusting client-supplied proxy headers for rate-limit IP by default by @pfefferle in #3238

New Contributors

• @tbradsha made their first contribution in #3217

Full Changelog: 8.1.1...8.2.0

8.1.1

What's Changed

• Fix stats widget on sites with a remapped REST namespace by @pfefferle in #3206
• Consolidate rewrite-rule flushes at end of migration by @pfefferle in #3207
• Fix reply posts disappearing from front page and admin list by @jeherve in #3209
• Harden the reactions API response against unsanitized remote data by @pfefferle in #3211
• Add activitypub_post_object_type filter wrapping Post::get_type() by @kraftbj in #3210

Full Changelog: 8.1.0...8.1.1

8.1.0

What's Changed

• Add following page and profile page patterns, fix follow page post types by @pfefferle in #3032
• Add EXIF metadata support for image attachments by @pfefferle in #2751
• [C2S] Add Client-to-Server ActivityPub API support by @pfefferle in #2851
• [C2S] Add Block, Add, and Remove outbox handlers by @pfefferle in #3033
• [C2S] Add Server-Sent Events (SSE) for real-time collection streaming by @pfefferle in #2945
• Fix stale avatar URLs causing 404s by @pfefferle in #3041
• Block non-public posts from ActivityPub content negotiation by @pfefferle in #3045
• Remove changelog entry already released in 8.0.2 by @pfefferle in #3048
• Show OAuth errors as styled WordPress login page by @pfefferle in #3043
• Fix is_post_disabled for Fediverse Preview and attachment parent status by @pfefferle in #3054
• Use FEP-b2b8 content allowlist for HTML sanitization by @pfefferle in #3049
• Fix fatal error when outbox item is missing during delivery by @pfefferle in #3058
• Remove type overloading from podcast integrations by @pfefferle in #3065
• Move localhost URL allowance to local environment only by @pfefferle in #3076
• Fix missing wp-views script dependency notice by @pfefferle in #3084
• Improve pre-publish panel with clearer messages and confirmation by @pfefferle in #3090
• Show reaction action buttons even without existing reactions by @pfefferle in #3091
• Reject signatures with missing Date header by @pfefferle in #3096
• Sanitize SSE access token query parameter by @pfefferle in #3095
• Use wp_safe_remote_request for signature double-knock retry by @pfefferle in #3098
• Validate emoji updated timestamp before storing by @pfefferle in #3101
• Fix double-encoding of comment author names on update by @pfefferle in #3100
• Use preg_replace_callback for emoji shortcode wrapping by @pfefferle in #3099
• Remove plain PKCE support, only allow S256 by @pfefferle in #3097
• Fix Move activity losing target when sent to followers by @pfefferle in #3102
• Validate stamp meta belongs to queried post by @pfefferle in #3093
• Add rate limiting to OAuth client registration endpoint by @pfefferle in #3108
• Verify signature keyId host matches activity actor by @pfefferle in #3109
• Fix Update handler using stale local actor data instead of activity payload by @akirk in #3110
• Add Posts and Replies block using query_loop_block_query_vars by @pfefferle in #3036
• Fix empty error description in WebFinger Site Health check by @pfefferle in #3123
• Add activitypub_pre_get_by_id filter to Actors::get_by_id() by @pfefferle in #3124
• Add Arrive outbox handler for check-in activities by @pfefferle in #3120
• Fix comments on remote posts being held in moderation by @pfefferle in #3129
• Add liked actor collection and include quotes in shares by @pfefferle in #3128
• Fix blog actor totalItems counting incoming federated comments by @pfefferle in #3136
• Fix blog actor Joined date showing oldest post date by @pfefferle in #3137
• Fix purge options silently disabling cleanup jobs by @pfefferle in #3138
• Fix Enable Mastodon Apps notification pagination by using date-constrained queries by @akirk in #3150
• Fix performance regression from reply-exclusion filter by @akirk in #3153
• Enable Mastodon Apps: Use ap_actor post ID for account IDs by @akirk in #3152
• Enable Mastodon Apps: Add tags.pub integration for tag timelines by @akirk in #3151
• Add stats block with shareable image generation by @pfefferle in #3126
• Fix fatal error when language property is an array by @pfefferle in #3158
• Fix double-encoded HTML entities in stats top posts titles by @jeherve in #3162
• Add seasonal starter pattern for Fediverse Stats post by @pfefferle in #3160
• Add support for Mastodon FeaturedCollection import by @pfefferle in #3168
• Fix OAuth client metadata fetch for localhost subdomains by @pfefferle in #3169
• Fix BuddyPress @mention filter corrupting Followers block by @pfefferle in #3174
• Add OAuth registration endpoint to actor discovery by @pfefferle in #3175
• Pass $url to http_headers_useragent filter by @pfefferle in #3179
• Add ActivityPub options to Jetpack sync allow list by @pfefferle in #3176
• Fix blog actor outbox activity handling by @pfefferle in #3188
• Fix array_keys(null) fatal in get_comment_type_slugs() by @mauteri in #3196
• Fix Reader view crash and infinite scroll on WP 6.9 by @pfefferle in #3194
• Strip private addressing (bto/bcc) at the serialization boundary by @pfefferle in #3200
• Require signed peer requests on /followers/sync per FEP-8fcf by @pfefferle in #3202
• Gate per-post REST routes on post visibility by @pfefferle in #3203

New Contributors

• @mauteri made their first contribution in #3196

Full Changelog: 8.0.1...8.1.0

8.0.2

What's Changed

• Prevent non-public posts (drafts, scheduled, pending review) from being accessible via ActivityPub by @pfefferle in #3045

Full Changelog: 8.0.1...8.0.2

8.0.1

What's Changed

• Fix dark sidebar colors breaking with non-default admin color schemes by @pfefferle in #3022
• Fix quote policy meta making new posts dirty on load by @pfefferle in #3028
• Simplify follow page block pattern by @pfefferle in #3029
• Fix Reactions block alignment in block themes by @pfefferle in #3025

New Contributors

• @jfietkau made their first contribution in #3018

Full Changelog: 8.0.0...8.0.1

8.0.0

What's Changed

• Add block patterns and FSE templates for ActivityPub blocks by @pfefferle in #2891
• Add wp activitypub fetch CLI command by @pfefferle in #2906
• Add block-based runtime caching for remote media by @pfefferle in #2887
• Fix outbox invalidation canceling pending Accept/Reject activities by @pfefferle in #2911
• Fix comment count to properly exclude likes, shares, and notes by @pfefferle in #2913
• Add rewrite rule for Mastodon's authorize_interaction endpoint by @pfefferle in #2922
• Add Locale from Tags snippet by @jeherve in #2923
• Fix QuoteRequest handler to derive actor from post author by @pfefferle in #2924
• Delete superseded outbox items instead of publishing them by @pfefferle in #2932
• Fix purge methods to handle large collections without OOM or timeout by @pfefferle in #2929
• Add Site Health test to detect excessive outbox activity by @pfefferle in #2928
• Add bot account support for blog and user profiles by @kraftbj in #2861
• Accept HTTP Signature requests for standalone key objects by @pfefferle in #2935
• Improve NodeInfo active user counting by @pfefferle in #2943
• Use is_activity_public() in Dispatcher and fix empty-recipients visibility by @pfefferle in #2944
• Support actors with publicKey as URL reference by @pfefferle in #2947
• Fix case-insensitive Digest header algorithm matching by @pfefferle in #2949
• Fix language map normalization in inbox controllers by @pfefferle in #2950
• Bump minimum PHP version from 7.2 to 7.4 by @pfefferle in #2942
• Strip bto and bcc fields before delivery by @pfefferle in #2956
• Adding new snippet for block- and javascript-less rendering of Fediverse Reactions by @futtta in #2958
• Add backwards compatibility for ACTIVITYPUB_DISABLE_SIDELOADING by @pfefferle in #2973
• Fix crash when WordPress falls back to FTP filesystem by @pfefferle in #2974
• Remove fallback for language maps in base properties by @pfefferle in #2979
• Add pre-publish panel suggesting post formats for federation by @pfefferle in #2971
• Add video poster image federation by @pfefferle in #2982
• Add notice to switch from legacy template mode to automatic mode by @pfefferle in #2985
• Add action buttons (Like, Boost) to the reactions block by @pfefferle in #2988
• Fix soft-deleted posts generating spurious activities on re-save by @pfefferle in #2991
• Fix reactions block responsive layout and label styling by @pfefferle in #2992
• Add Fediverse help section to modal dialogs by @pfefferle in #2993
• Fix reactions buttons inheriting theme background on classic themes by @pfefferle in #2996
• Fix modal overlay not covering full viewport in block layouts by @pfefferle in #3000

New Contributors

• @futtta made their first contribution in #2958

Full Changelog: 7.9.1...8.0.0

7.9.1

What's Changed

• Restructure CLI into separate command classes by @pfefferle in #2881
• Add option to disable direct file sideloading by @pfefferle in #2883
• Refactor attachment download handling by @obenland in #2889
• Fix null comment object in Quote_Request handler by @pfefferle in #2895
• Fix podcast integrations ignoring content template settings by @pfefferle in #2897

Full Changelog: 7.9.0...7.9.1

7.9.0

What's Changed

• feat: make actor table columns filterable by @Menrath in #2704
• Only disable blocks for ClassicPress, not Classic Editor plugin by @pfefferle in #2765
• Fix Unicode URL encoding for ActivityPub actor URLs by @pfefferle in #2757
• Add location support using WordPress Geodata by @pfefferle in #2760
• Add site health check for REST API accessibility by @pfefferle in #2768
• Initialize Scheduler before Migration to ensure hooks are registered by @pfefferle in #2771
• Revert "Fix Unicode URL encoding for ActivityPub actor URLs" by @pfefferle in #2775
• Add health check to verify scheduled events are registered by @pfefferle in #2786
• Defer add_to_outbox to async processing during post save by @pfefferle in #2761
• Remove redundant __nextHasNoMarginBottom props by @pfefferle in #2801
• Skip fetching public audience identifiers by @pfefferle in #2794
• Send Add/Remove activities when changing a post's sticky status by @pfefferle in #2802
• Add Social Web item to the admin bar by @pfefferle in #2805
• Fix duplicate media attachments in Classic Editor posts by @pfefferle in #2814
• Show notice when trying to follow already-followed account by @pfefferle in #2815
• Emoji: First pass at support in Interactions by @obenland in #1129
• Show warning when user cannot federate replies to fediverse comments by @pfefferle in #2817
• Fix comments with empty type not being federated by @pfefferle in #2831
• Fix QuoteRequest not being processed via shared inbox by @pfefferle in #2830
• Add soft delete support with Tombstone objects by @pfefferle in #2824
• Add Following block and shared actor-list components by @pfefferle in #2837
• Skip pagination when social graph is hidden by @pfefferle in #2836
• Fix reply block embed appearing squished at 200x200 by @kraftbj in #2848
• Don't filter the comment query when type__not_in has been set by @lostfocus in #2850
• Filter comments on AP posts from REST API by @pfefferle in #2777
• Add Podlove Podcast Publisher integration by @pfefferle in #2870
• Revert to synchronous outbox processing with performance improvements by @pfefferle in #2858
• Hide admin REST endpoints from API index by @pfefferle in #2873
• Add global default quote policy setting by @pfefferle in #2839
• Fix tombstone handling for user transformers and restore users when re-enabled by @pfefferle in #2875

New Contributors

• @lostfocus made their first contribution in #2850

Full Changelog: 7.8.4...7.9.0

7.8.5

What's Changed

• Only disable blocks for ClassicPress, not when Classic Editor plugin is installed by @pfefferle in [#2765]

Full Changelog: 7.8.4...7.8.5