fix(container): update mastodon group ( nightly.2026-06-24 → nightly.2026-06-27 )

[renovate]

This PR contains the following updates:

Package	Update	Change
ghcr.io/glitch-soc/mastodon	patch	nightly.2026-06-24 → nightly.2026-06-27
ghcr.io/glitch-soc/mastodon-streaming	patch	nightly.2026-06-24 → nightly.2026-06-27

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Configuration

📅 Schedule: (in timezone America/Chicago)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[claude]

glitch-soc/mastodon & mastodon-streaming: nightly.2026-06-24 → nightly.2026-06-25

Verdict: Safe to merge

This nightly bump incorporates the upstream Mastodon v4.6.1 patch release (tagged June 24) plus the corresponding glitch-soc merge. Since this repo has been tracking glitch-soc nightlies continuously, most pre-v4.6.1 changes were already included in prior nightlies — this bump finalizes the v4.6.1 tag and adds a handful of UI fixes.

Changes in this delta:

• Security: Dependency updates (upstream v4.6.1)
• API: avatar_description and header_description added to /api/v1/accounts/update_credentials (additive, no action needed)
• UI fixes: Combobox menu not closing after selection, combobox listbox scroll on new suggestions, emoji IndexedDB upgrade resilience with multiple tabs, media modal RTL navigation, accounts not visible in collection editor (advanced interface)

Breaking changes: None

Deprecations: None

New features worth adopting: None requiring config changes — the avatar_description/header_description API additions are automatic.

Known issues: No bugs reported against v4.6.1 in the upstream Mastodon tracker. The glitch-soc issue tracker has no new regressions related to this nightly.

Not applicable to this repo:

• v4.6.1 upgrade notes mention "Requires assets recompilation" — handled automatically by the container image build
• LDAP login fix — this deployment does not use LDAP (externalAuth.ldap is not configured in mastodon-legacy.yaml)
• ImageMagick removal note (carried from v4.6.0) — irrelevant since the glitch-soc container image bundles libvips

Repo impact: Only social/mastodon/mastodon-legacy.yaml is affected (two tag bumps). dbMigrate is enabled, but v4.6.1 introduces no new database migrations beyond v4.6.0 (already applied via prior nightlies). HTTPRoute, BackendTrafficPolicy, and all other supporting resources are unchanged.

Sources consulted:

• Mastodon v4.6.1 release notes
• Mastodon v4.6.0 release notes
• glitch-soc commit history (June 24–25)
• Upstream issue tracker search for v4.6.1 regressions (none found)

[github-actions]

Claude Review Usage

When (UTC)	Version	Model	Turns	Cost
2026-06-25 08:48	2026-06-24 -> 2026-06-25	claude-sonnet-4-6	23	$0.5288
2026-06-26 15:14	2026-06-24 -> 2026-06-26	claude-sonnet-4-6	14	$0.3622
2026-06-27 09:50	2026-06-24 -> 2026-06-27	claude-sonnet-4-6	21	$0.4364

Superseded by updated review

[claude]

glitch-soc/mastodon & mastodon-streaming: nightly.2026-06-24 → nightly.2026-06-26

Verdict: Safe to merge — recommend prompt merge due to critical CVE fix

This nightly bump spans two upstream Mastodon patch releases: v4.6.1 (June 24) and v4.6.2 (June 25), plus the corresponding glitch-soc merge commits through June 26.

Security (critical):

• CVE-2026-8461 (critical severity) — FFmpeg vulnerability fixed in the container image via v4.6.2. This is a container-image-only fix with no application code changes. Since this repo uses the ghcr.io/glitch-soc/mastodon and ghcr.io/glitch-soc/mastodon-streaming container images, merging this PR picks up the patched FFmpeg. The GHSA advisory rates this as critical.
• v4.6.1 also includes general dependency security updates.

Bug fixes (v4.6.1):

• Combobox menu not closing after selection
• Emoji IndexedDB upgrade resilience when multiple tabs are open
• Combobox listbox not scrolling up on new suggestions
• Media modal navigation in RTL languages
• Accounts not visible in collection editor in advanced web interface
• Error on login with certain LDAP configurations
• Simplified layout applying to other pages in web UI
• Emoji database loading in web worker
• Display name length limit incorrectly enforced in web UI
• Advanced UI columns not using mobile styles
• "Private mention" post heading overlapping thread line
• Misattribution of remote featured collections
• Custom profile field overflow
• Fetching unknown key error handling
• Fix incorrectly redirecting users to admin path when submitting an appeal

glitch-soc specific changes (June 25–26):

• Status media attachments refactor (UI-only)
• Autosuggestions to include second word in web UI
• Remove dependency resolution override for React 19 types

New features (v4.6.1):

• avatar_description and header_description added to /api/v1/accounts/update_credentials — additive API change, no action needed

Breaking changes: None

Deprecations: None

Known issues: No bugs reported against v4.6.2 in the upstream Mastodon or glitch-soc issue trackers.

Not applicable to this repo:

• v4.6.1 "Requires assets recompilation" — handled automatically by the container image
• LDAP login fix — this deployment does not configure LDAP (externalAuth.ldap absent from mastodon-legacy.yaml)
• ImageMagick removal (v4.6.0 note) — glitch-soc container image bundles libvips
• Email subscription feature cost warning (v4.6.0) — admin opt-in required, no impact unless explicitly enabled

Repo impact: Only social/mastodon/mastodon-legacy.yaml is affected (two image tag bumps). dbMigrate: true is set, but neither v4.6.1 nor v4.6.2 introduce new database migrations beyond v4.6.0 (already applied via prior nightlies). No changes to HTTPRoute, resources, secrets, or any other configuration. The Helm chart version (6.9.0) is unchanged.

Sources consulted:

• Mastodon v4.6.2 release notes
• Mastodon v4.6.1 release notes
• CVE-2026-8461 advisory
• glitch-soc commit history (June 24–26)
• Upstream issue tracker search for v4.6.2 regressions (none found)
• glitch-soc issue tracker (no related regressions)

Superseded by updated review

[claude]

glitch-soc/mastodon & mastodon-streaming: nightly.2026-06-24 → nightly.2026-06-27

Verdict: Safe to merge — recommend prompt merge due to critical CVE fix included in range

This nightly bump spans three days of upstream Mastodon patch releases (v4.6.1 on June 24, v4.6.2 on June 25) plus glitch-soc merge commits through June 25. The nightly.2026-06-27 build contains no new application code compared to nightly.2026-06-26 — the last commit to glitch-soc/mastodon was June 25 at 20:38 UTC. The June 27 nightly is a container image rebuild that may pick up base image and dependency security updates.

Security (critical):

• CVE-2026-8461 (critical severity) — FFmpeg vulnerability fixed in the container image via v4.6.2. Since this repo uses ghcr.io/glitch-soc/mastodon and ghcr.io/glitch-soc/mastodon-streaming container images, merging picks up the patched FFmpeg. GHSA advisory.

Bug fixes (v4.6.1):

• Combobox menu not closing after selection
• Emoji IndexedDB upgrade resilience with multiple tabs
• Combobox listbox scrolling on new suggestions
• Media modal navigation in RTL languages
• Accounts not visible in collection editor (advanced web interface)
• LDAP login error handling
• Simplified layout applying to other pages
• Emoji database loading in web worker
• Display name length limit enforcement in web UI
• Advanced UI columns mobile styles
• "Private mention" heading overlapping thread line
• Remote featured collections misattribution
• Custom profile field overflow
• Fetching unknown key error handling
• Incorrect redirect to admin path on appeal submission

Bug fixes (v4.6.2):

• Container-image-only release: updated FFmpeg to fix CVE-2026-8461

glitch-soc specific changes (June 25):

• Status media attachments refactor (UI-only)
• Autosuggestions to include second word in web UI
• Remove dependency resolution override for React 19 types

New features (v4.6.1):

• avatar_description and header_description added to /api/v1/accounts/update_credentials — additive API change, no action needed

Breaking changes: None

Deprecations: None

Known issues: No bugs reported against v4.6.2 in the upstream Mastodon or glitch-soc issue trackers. No new issues opened since June 25.

Not applicable to this repo:

• v4.6.1 "Requires assets recompilation" — handled automatically by the container image
• LDAP login fix — this deployment does not configure LDAP (externalAuth.ldap absent from mastodon-legacy.yaml)
• v4.6.0 ImageMagick removal — glitch-soc container image bundles libvips

Repo impact: Only social/mastodon/mastodon-legacy.yaml is affected (two image tag bumps at lines 20 and 101). dbMigrate: true is set, but neither v4.6.1 nor v4.6.2 introduce new database migrations beyond v4.6.0 (already applied via prior nightlies). No changes to HTTPRoute, resources, secrets, or any other configuration. The Helm chart version (6.9.0) is unchanged. The mastodon.yaml file has glitch-soc references commented out and is not affected.

Sources consulted:

• Mastodon v4.6.2 release notes
• Mastodon v4.6.1 release notes
• CVE-2026-8461 advisory
• glitch-soc/mastodon commit history (June 24–27)
• Upstream Mastodon issue tracker — no bugs against v4.6.2
• glitch-soc issue tracker — no related regressions since June 25