Releases: Automattic/wordpress-activitypub

9.0.1

15 Jun 13:13
4aee8f9

What's Changed

  • Add FAQ section with troubleshooting checklists by @pfefferle in #3404
  • Send profile updates when the Starter Kit policy changes by @pfefferle in #3405
  • Move the canFeature policy out of the Activity vocabulary layer by @pfefferle in #3406
  • Support Starter Kit consent stamps for the blog actor by @pfefferle in #3407

Full Changelog: 9.0.0...9.0.1

9.0.0

11 Jun 09:35
375d470

What's Changed

  • Improve SWICG ActivityPub API Basic Profile conformance for C2S by @pfefferle in #3328
  • Add blurhash term to JSON-LD context by @kraftbj in #3327
  • Update @tanstack/history to clean release, remove supply-chain pin by @pfefferle in #3346
  • Render the reply block as a simple mention link in feeds by @jeherve in #3340
  • Use nodeinfo_discovery hook instead of deprecated wellknown_nodeinfo_data by @pfefferle in #3347
  • Add FEP-7aa9 consent endpoint for featured collections by @pfefferle in #3277
  • Defer Getting Started help-tab video until its panel is visible by @pfefferle in #3350
  • Add the quoting post link to quote notification emails by @pfefferle in #3351
  • Don't add the classic Fediverse metabox in the block editor by @pfefferle in #3354
  • Scope the outbox event stream to the requesting actor by @pfefferle in #3356
  • Bind the signing-key host to the actor for RFC 9421 keyIds by @pfefferle in #3357
  • Gate outbox visibility on strict ownership instead of capability by @pfefferle in #3358
  • Rate-limit the remote-follow lookup endpoint by @pfefferle in #3361
  • Scope OAuth token introspection to the caller's own tokens by @pfefferle in #3363
  • Restrict quote stamps to quote-authorization meta by @pfefferle in #3364
  • Bind inbound Update and Undo activities to the activity actor by @pfefferle in #3360
  • Add configurable distribution modes for federation delivery by @pfefferle in #3044
  • Add Blurhash placeholders for federated images by @pfefferle in #3355
  • Append the query string when rebuilding (request-target) for signature verification by @Kernel-Error in #3369
  • Fix fatal error in Stream connector on new follower by @pfefferle in #3372
  • Extend soft delete to draft, pending, and private post statuses by @pfefferle in #2860
  • Federate comments only when the parent post is federated by @pfefferle in #3374
  • Verify Accept sender matches the followed actor by @pfefferle in #3377
  • Backfill missing inbox actor from HTTP signature keyId by @pfefferle in #3385
  • Remove deprecations from versions 7.0 through 7.4 by @pfefferle in #3387
  • Harden the Blurhash encoder against decode bombs, transparency, and metadata races by @kraftbj in #3386
  • Fix FEP-8fcf followers-sync authority bypass by @pfefferle in #3390
  • Use wp_safe_remote_get() for the Site Health REST API check by @pfefferle in #3391

Full Changelog: 8.3.0...9.0.0

8.3.0

18 May 10:51
0dec8a7

What's Changed

  • Cap remote recipient fetches per incoming activity by @pfefferle in #3094
  • Make Fediverse Stats emails idempotent per period by @arthur791004 in #3252
  • Rebuild assets and update lock file after dependency bumps by @pfefferle in #3259
  • Add jitter to backfill statistics migration by @pfefferle in #3275
  • Allow site admins to act as the blog actor via C2S by @pfefferle in #3281
  • Fix C2S blog actor posts created without author by @jeherve in #3283
  • Pin @tanstack/history to avoid compromised npm versions by @pfefferle in #3285
  • Guard against null post in statistics earliest-date lookup by @pfefferle in #3284
  • Migrate interactive directives off data-wp-on-async by @pfefferle in #3220
  • Accept WebFinger handles on the proxy endpoint by @pfefferle in #3289
  • Store content warnings sent through the outbox API by @pfefferle in #3292
  • Fix window.wp destructure timing in block view modules by @pfefferle in #3302
  • Make C2S Undo of Follow work end-to-end by @pfefferle in #3303
  • Use FEP-3b86 follow intent for remote follow endpoint by @pfefferle in #3307
  • Contribute CORS Allow-Headers via rest_allowed_cors_headers filter by @pfefferle in #3308
  • Move tombstone storage off the autoloaded options row by @pfefferle in #3293
  • Recognize the FEP-3b86 Object Intent in the intent-endpoint fallback chain by @pfefferle in #3316

Full Changelog: 8.2.0...8.3.0

8.2.1

01 May 07:44

What's Changed

Security

  • Hardened how the inbox processes large recipient lists in incoming activities. [#3094]

Fixed

  • Fix monthly and annual Fediverse Stats emails being sent more than once per period when the scheduler ran multiple times. [#3252]

Full Changelog: 8.2.0...8.2.1

8.2.0

27 Apr 13:15
7b5738c

What's Changed

  • Trim dev-only lint configs from the release archive by @pfefferle in #3214
  • Require PKCE by default for public OAuth clients by @pfefferle in #3222
  • Require PHPUnit 9.6.33+ (CVE-2026-24765) by @pfefferle in #3224
  • Respect force_signature in Delete handler's deferred verification by @pfefferle in #3223
  • Enforce caller ownership on OAuth token revocation by @pfefferle in #3221
  • Harden HTTP signature verification against replay by @pfefferle in #3212
  • Sanitize inbox activity type to prevent action hook pollution by @pfefferle in #3227
  • Harden OAuth client discovery and SSE proxy outbound requests by @pfefferle in #3228
  • Resolve AAAA records in resolve_public_host so IPv6-only hosts work by @pfefferle in #3229
  • Tighten clock tolerance on the deprecated signature verifier by @pfefferle in #3230
  • Reject internal-address authority values on followers/sync at the route layer by @pfefferle in #3232
  • Fail closed in OAuth rate limits when client IP can't be determined by @pfefferle in #3231
  • Block additional reserved IPv6 ranges in resolve_public_host by @pfefferle in #3233
  • Require signatures on HEAD requests to peer-only endpoints by @pfefferle in #3235
  • Return 429 from the OAuth token endpoint when rate-limited by @pfefferle in #3236
  • Decode percent-encoded authority before the followers/sync blocklist by @pfefferle in #3234
  • Drop credentialed CORS reflection on ActivityPub REST endpoints by @pfefferle in #3237
  • Stop trusting client-supplied proxy headers for rate-limit IP by default by @pfefferle in #3238

Full Changelog: 8.1.1...8.2.0

8.1.1

22 Apr 08:06

What's Changed

  • Fix stats widget on sites with a remapped REST namespace by @pfefferle in #3206
  • Consolidate rewrite-rule flushes at end of migration by @pfefferle in #3207
  • Fix reply posts disappearing from front page and admin list by @jeherve in #3209
  • Harden the reactions API response against unsanitized remote data by @pfefferle in #3211
  • Add activitypub_post_object_type filter wrapping Post::get_type() by @kraftbj in #3210

Full Changelog: 8.1.0...8.1.1

8.1.0

21 Apr 11:22
2c26677

What's Changed

  • Add following page and profile page patterns, fix follow page post types by @pfefferle in #3032
  • Add EXIF metadata support for image attachments by @pfefferle in #2751
  • [C2S] Add Client-to-Server ActivityPub API support by @pfefferle in #2851
  • [C2S] Add Block, Add, and Remove outbox handlers by @pfefferle in #3033
  • [C2S] Add Server-Sent Events (SSE) for real-time collection streaming by @pfefferle in #2945
  • Fix stale avatar URLs causing 404s by @pfefferle in #3041
  • Block non-public posts from ActivityPub content negotiation by @pfefferle in #3045
  • Remove changelog entry already released in 8.0.2 by @pfefferle in #3048
  • Show OAuth errors as styled WordPress login page by @pfefferle in #3043
  • Fix is_post_disabled for Fediverse Preview and attachment parent status by @pfefferle in #3054
  • Use FEP-b2b8 content allowlist for HTML sanitization by @pfefferle in #3049
  • Fix fatal error when outbox item is missing during delivery by @pfefferle in #3058
  • Remove type overloading from podcast integrations by @pfefferle in #3065
  • Move localhost URL allowance to local environment only by @pfefferle in #3076
  • Fix missing wp-views script dependency notice by @pfefferle in #3084
  • Improve pre-publish panel with clearer messages and confirmation by @pfefferle in #3090
  • Show reaction action buttons even without existing reactions by @pfefferle in #3091
  • Reject signatures with missing Date header by @pfefferle in #3096
  • Sanitize SSE access token query parameter by @pfefferle in #3095
  • Use wp_safe_remote_request for signature double-knock retry by @pfefferle in #3098
  • Validate emoji updated timestamp before storing by @pfefferle in #3101
  • Fix double-encoding of comment author names on update by @pfefferle in #3100
  • Use preg_replace_callback for emoji shortcode wrapping by @pfefferle in #3099
  • Remove plain PKCE support, only allow S256 by @pfefferle in #3097
  • Fix Move activity losing target when sent to followers by @pfefferle in #3102
  • Validate stamp meta belongs to queried post by @pfefferle in #3093
  • Add rate limiting to OAuth client registration endpoint by @pfefferle in #3108
  • Verify signature keyId host matches activity actor by @pfefferle in #3109
  • Fix Update handler using stale local actor data instead of activity payload by @akirk in #3110
  • Add Posts and Replies block using query_loop_block_query_vars by @pfefferle in #3036
  • Fix empty error description in WebFinger Site Health check by @pfefferle in #3123
  • Add activitypub_pre_get_by_id filter to Actors::get_by_id() by @pfefferle in #3124
  • Add Arrive outbox handler for check-in activities by @pfefferle in #3120
  • Fix comments on remote posts being held in moderation by @pfefferle in #3129
  • Add liked actor collection and include quotes in shares by @pfefferle in #3128
  • Fix blog actor totalItems counting incoming federated comments by @pfefferle in #3136
  • Fix blog actor Joined date showing oldest post date by @pfefferle in #3137
  • Fix purge options silently disabling cleanup jobs by @pfefferle in #3138
  • Fix Enable Mastodon Apps notification pagination by using date-constrained queries by @akirk in #3150
  • Fix performance regression from reply-exclusion filter by @akirk in #3153
  • Enable Mastodon Apps: Use ap_actor post ID for account IDs by @akirk in #3152
  • Enable Mastodon Apps: Add tags.pub integration for tag timelines by @akirk in #3151
  • Add stats block with shareable image generation by @pfefferle in #3126
  • Fix fatal error when language property is an array by @pfefferle in #3158
  • Fix double-encoded HTML entities in stats top posts titles by @jeherve in #3162
  • Add seasonal starter pattern for Fediverse Stats post by @pfefferle in #3160
  • Add support for Mastodon FeaturedCollection import by @pfefferle in #3168
  • Fix OAuth client metadata fetch for localhost subdomains by @pfefferle in #3169
  • Fix BuddyPress @mention filter corrupting Followers block by @pfefferle in #3174
  • Add OAuth registration endpoint to actor discovery by @pfefferle in #3175
  • Pass $url to http_headers_useragent filter by @pfefferle in #3179
  • Add ActivityPub options to Jetpack sync allow list by @pfefferle in #3176
  • Fix blog actor outbox activity handling by @pfefferle in #3188
  • Fix array_keys(null) fatal in get_comment_type_slugs() by @mauteri in #3196
  • Fix Reader view crash and infinite scroll on WP 6.9 by @pfefferle in #3194
  • Strip private addressing (bto/bcc) at the serialization boundary by @pfefferle in #3200
  • Require signed peer requests on /followers/sync per FEP-8fcf by @pfefferle in #3202
  • Gate per-post REST routes on post visibility by @pfefferle in #3203

Full Changelog: 8.0.1...8.1.0

8.0.2

17 Mar 11:34

What's Changed

  • Prevent non-public posts (drafts, scheduled, pending review) from being accessible via ActivityPub by @pfefferle in #3045

Full Changelog: 8.0.1...8.0.2

8.0.1

11 Mar 09:24
a7e7b85

Full Changelog: 8.0.0...8.0.1

8.0.0

05 Mar 08:05
cab7775

What's Changed

  • Add block patterns and FSE templates for ActivityPub blocks by @pfefferle in #2891
  • Add wp activitypub fetch CLI command by @pfefferle in #2906
  • Add block-based runtime caching for remote media by @pfefferle in #2887
  • Fix outbox invalidation canceling pending Accept/Reject activities by @pfefferle in #2911
  • Fix comment count to properly exclude likes, shares, and notes by @pfefferle in #2913
  • Add rewrite rule for Mastodon's authorize_interaction endpoint by @pfefferle in #2922
  • Add Locale from Tags snippet by @jeherve in #2923
  • Fix QuoteRequest handler to derive actor from post author by @pfefferle in #2924
  • Delete superseded outbox items instead of publishing them by @pfefferle in #2932
  • Fix purge methods to handle large collections without OOM or timeout by @pfefferle in #2929
  • Add Site Health test to detect excessive outbox activity by @pfefferle in #2928
  • Add bot account support for blog and user profiles by @kraftbj in #2861
  • Accept HTTP Signature requests for standalone key objects by @pfefferle in #2935
  • Improve NodeInfo active user counting by @pfefferle in #2943
  • Use is_activity_public() in Dispatcher and fix empty-recipients visibility by @pfefferle in #2944
  • Support actors with publicKey as URL reference by @pfefferle in #2947
  • Fix case-insensitive Digest header algorithm matching by @pfefferle in #2949
  • Fix language map normalization in inbox controllers by @pfefferle in #2950
  • Bump minimum PHP version from 7.2 to 7.4 by @pfefferle in #2942
  • Strip bto and bcc fields before delivery by @pfefferle in #2956
  • Adding new snippet for block- and javascript-less rendering of Fediverse Reactions by @futtta in #2958
  • Add backwards compatibility for ACTIVITYPUB_DISABLE_SIDELOADING by @pfefferle in #2973
  • Fix crash when WordPress falls back to FTP filesystem by @pfefferle in #2974
  • Remove fallback for language maps in base properties by @pfefferle in #2979
  • Add pre-publish panel suggesting post formats for federation by @pfefferle in #2971
  • Add video poster image federation by @pfefferle in #2982
  • Add notice to switch from legacy template mode to automatic mode by @pfefferle in #2985
  • Add action buttons (Like, Boost) to the reactions block by @pfefferle in #2988
  • Fix soft-deleted posts generating spurious activities on re-save by @pfefferle in #2991
  • Fix reactions block responsive layout and label styling by @pfefferle in #2992
  • Add Fediverse help section to modal dialogs by @pfefferle in #2993
  • Fix reactions buttons inheriting theme background on classic themes by @pfefferle in #2996
  • Fix modal overlay not covering full viewport in block layouts by @pfefferle in #3000

Full Changelog: 7.9.1...8.0.0