Introducing #Hollo. Hollo is an #ActivityPub-enabled single-user microblogging software. Although it's for a single user, it also supports creating and running multiple accounts for different topics.

It's headless, meaning you can use existing #Mastodon client apps instead, with its Mastodon-compatible APIs. It has most feature parity with Mastodon. Two big differences with Mastodon is that you can use #Markdown in the content of your posts and you can quote another post.

Oh, and Hollo is built using #Bun and #Fedify.

https://github.com/dahlia/hollo

#fedidev

Hollo security updates: 0.7.17, 0.8.6, and 0.9.1

If you run Hollo, update to a patched release now. CVE-2026-42462 affects Fedify's Linked Data Signature handling, and Hollo depends on Fedify for ActivityPub federation.

Fedify verifies incoming ActivityPub activities with several mechanisms, including HTTP Signatures, Object Integrity Proofs, and Linked Data Signatures. The vulnerable path is Linked Data Signatures: the signature is checked over the canonical RDF graph, but JSON-LD can represent the same graph in more than one JSON shape. In affected versions, that gap could let a signed activity be reshaped so that Fedify reads a different ActivityPub object shape than intended—without invalidating the signature.

The fix makes Fedify normalize Linked Data Signature-verified activities against its local JSON-LD context before interpreting them, and rejects JSON-LD constructs that can preserve the signed RDF graph while changing the ActivityPub object shape. For full technical details of the underlying vulnerability, see the Fedify security announcement.

All Hollo versions up to and including 0.7.16, 0.8.5, and 0.9.0 are affected. Patched releases are 0.7.17 for the 0.7.x series, 0.8.6 for the 0.8.x series, and 0.9.1 for the 0.9.x series.

For 0.7.x deployments, update to 0.7.17:

docker pull ghcr.io/fedify-dev/hollo:0.7.17

For 0.8.x deployments, update to 0.8.6:

docker pull ghcr.io/fedify-dev/hollo:0.8.6

For 0.9.x deployments, update to 0.9.1:

docker pull ghcr.io/fedify-dev/hollo:0.9.1

After pulling the new image, restart your Hollo container. If you deploy from source, pull the corresponding release tag and restart.

Thanks to @Claire for the report and responsible disclosure to the Fedify project.

If anything is unclear, ask below.

@hollo releases a new major version update, 0.90. Too many changes to hit in a single post! Skimming, the most notable to users will be the switch from Pico CSS (my weekend hobbyist fave) to Uno CSS. At least in screenshots, the new UI is taking on a polished look.

Planning to upgrade, but need to review this a bit more before flipping the switch.

https://github.com/fedify-dev/hollo/discussions/496

#FediDev #ActivityPub

Hollo 0.9.0 is out. https://github.com/fedify-dev/hollo/discussions/496

The biggest change this release is a complete redesign of every server-rendered page. Pico CSS is replaced by a new design system built on UnoCSS, and your chosen theme color now tints your profile and dashboard pages throughout.

Other highlights:

• Passkey (WebAuthn) authentication: sign in with a biometric or PIN gesture, which counts as MFA so there's no separate TOTP step
• Full FEP-044f quote authorization: QuoteRequest/Accept/Reject federation, quote policy enforcement, and dereferenceable QuoteAuthorization objects
• A configurable media proxy (MEDIA_PROXY=proxy or cache) that re-serves remote avatars, attachments, and preview images from Hollo's own origin
• Optional split-domain WebFinger via HANDLE_HOST + WEB_ORIGIN
• Public followers/following pages and per-post reaction list pages (likes, boosts, emoji reactions, quotes)

There were also several serious database performance fixes: profile page queries that were taking hundreds of seconds on cold caches, a NodeInfo endpoint doing a full table scan on every request, and a handful of timeline pagination bugs.

#Hollo #ActivityPub #Fediverse

Hollo security updates: 0.7.16 and 0.8.5

If you run Hollo, update to a patched release now. Hollo 0.7.16 and 0.8.5 fix several security issues in ActivityPub federation, the web admin UI, OAuth, and the transitive fast-xml-parser dependency.

On the federation side, three inbox handlers were missing authorization checks. Any remote actor could send a Delete to remove any cached post by IRI, an Update to overwrite or first-materialize a cached post under another actor's name, or a cross-origin Announce whose attacker-controlled embedded body materialized as someone else's post. The checks now differ by activity type. A Delete is ignored unless the deleter's origin matches the cached post author's origin. An Update is ignored unless the activity actor, the embedded object's id, and its attributedTo all share an origin. For Announce, Hollo no longer trusts attacker-supplied embedded content to create or overwrite the original post: unknown cross-origin objects are fetched from their canonical URL, and any newly cached object must have matching id and attributedTo origins. Separately, Follow, Like, EmojiReact, and Announce from a blocked actor were processed normally and still produced notifications; they are now silently dropped at the inbox.

On the web admin side, login and OTP cookies were set without HttpOnly, SameSite, or Secure, and state-changing forms had no Origin or Sec-Fetch-Site check. A single reflected XSS could exfiltrate the admin session, and a malicious page could submit a hidden cross-site form to disable 2FA, delete an account, or silently authorize a rogue OAuth application. The affected dashboard routes and POST /oauth/authorize now run Hono's CSRF middleware, and the login and OTP cookies now carry those attributes.

The transitive fast-xml-parser (carried in via the AWS SDK that backs S3 storage) is now pinned to patched versions, closing one critical and several high-severity advisories. Hollo also now uses constant-time comparison for the OAuth PKCE check and the multi-credential client-secret consistency check, and it warns at startup when LOG_QUERY=true is set, because drizzle-orm logs bound parameter values, including OAuth tokens and other secrets.

All Hollo versions up to and including 0.7.15 and 0.8.4 are affected. Patched releases are 0.7.16 for the 0.7.x series and 0.8.5 for the 0.8.x series. CHANGES.md has the longer notes, including the availability trade-off for cross-origin Announce validation when the canonical origin is unreachable.

For 0.7.x deployments, update to 0.7.16:

docker pull ghcr.io/fedify-dev/hollo:0.7.16

For 0.8.x deployments, update to 0.8.5:

docker pull ghcr.io/fedify-dev/hollo:0.8.5

After pulling the new image, restart your Hollo container. If you deploy from source, pull the corresponding release tag and restart.

If anything is unclear, ask below.

Hollo 0.8.0 shipped less than a month ago, and 0.9.0 is already shaping up to be a bigger release than I expected. New frontend design, Passkey support, WebFinger domain separation, a media proxy, full FEP-044f (Mastodon-style quote posts) compliance, and Traditional Chinese docs. More details when it's out.

Hollo security updates: 0.7.15 and 0.8.3

If you run Hollo, update to a patched release now. A private network protection bypass in Fedify, the ActivityPub framework Hollo depends on, affects remote document loading. URLs with private IPv4 addresses encoded as IPv4-mapped IPv6 literals, such as http://[::ffff:7f00:1]/, could pass URL validation even though they refer to private or loopback addresses.

Hollo uses Fedify to fetch remote ActivityPub documents and related resources. An attacker who can make your Hollo instance fetch an attacker-controlled URL may be able to bypass the private address checks that are intended to reduce SSRF (Server-Side Request Forgery) risk.

All Hollo versions up to and including 0.7.14 and 0.8.2 are affected. Patched releases are 0.7.15 for the 0.7.x series and 0.8.3 for the 0.8.x series. For full technical details of the underlying vulnerability, see the Fedify security announcement.

For 0.7.x deployments, update to 0.7.15:

docker pull ghcr.io/fedify-dev/hollo:0.7.15

For 0.8.x deployments, update to 0.8.3:

docker pull ghcr.io/fedify-dev/hollo:0.8.3

After pulling the new image, restart your Hollo container. If you deploy from source, pull the corresponding release tag and restart.

Thanks to Changkyun Kim (@me) for the report and responsible disclosure to the Fedify project.

If anything is unclear, ask below.

Hollo 0.8.0 is out. The main additions: you can now run web and worker processes separately via NODE_TYPE, which helps on instances with large follower counts where federation load was slowing down API responses. Mastodon clients that support the 4.5 quote post API will now work with Hollo. Remote actor profiles are refreshed automatically in the background when they go stale, and dead follower records are cleaned up on permanent delivery failures. There's also a new dashboard page for mass-deleting cached thumbnails from remote posts to free up storage.

https://github.com/fedify-dev/hollo/discussions/449

Hollo 0.7.11 is now available and includes an important security update. If you are running an older version, please upgrade to 0.7.11 as soon as possible.

Hollo has always been headless—no built-in frontend, just a Mastodon-compatible API. You pick your own client. That's kind of the point.

But we've been wondering: what if Hollo shipped its own web frontend? The Mastodon-compatible API would stay, so your current client setup wouldn't change. It'd just be one more option.

Would you use it?

Tried out self-hosting @hollo with docker-compose and garage (https://garagehq.deuxfleurs.fr/). Quick tests looked good, now I need to pick a domain before moving forward :)

@alderwick Snac looks cool, yes, and I've been looking at @hollo by @hongminhee as well!

なるほどHollo、他人to他人の絵文字リアクションが出るようになったんだ

@KazukyAkayashi Sorry, Hollo doesn't support instance-level blocking yet. It is on our future roadmap.

@benpate Yes, of course we're interested in #E2EE too! (For reference, Hollo doesn't have E2EE for DMs yet.) We're completely open to collaborating with the #Bonfire team.

The recent Hollo 0.7.3 and 0.7.4 updates have improved interoperability with #Bonfire. The issue where sending/receiving DMs or mutual following with Bonfire wasn't working properly has been resolved.

Hi #fediverse and #ActivityPub developers!

I'm currently working on interoperability testing for #Hollo and #Fedify, and I need a #Bonfire account to test federation with their implementation.

Since there aren't many open public Bonfire instances available, I was wondering if any Bonfire instance admins out there would be willing to grant me a test account? It would be a huge help for improving interop! Let me know if you can help. Thanks!

#fedidev #BonfireNetworks

Did you know there's a community space for #Fedify, #Hollo, #BotKit, and other Fedify ecosystem projects?

Whether you have questions, want to share what you're building, or just want to hang out with fellow fediverse developers—come join us!

• Matrix: #fedify:matrix.org
• Discord

Hollo 0.7.0 🎉

#Hollo

Hollo 0.7.0: Advanced search, faster notifications, and improved client compatibility

It's been a while since our last release, and we're excited to finally share Hollo 0.7.0 with you. This release brings a lot of improvements that we've been working on over the past months—from powerful new search capabilities to significant performance gains that should make your daily Hollo experience noticeably snappier.

Let's dive into what's new.

Highlights

Search gets a major upgrade

One of the most requested features has been better search, and we're happy to deliver. Hollo now supports Mastodon-compatible search operators, so you can finally filter your searches the way you've always wanted:

• has:media/has:poll — Find posts with attachments or polls
• is:reply/is:sensitive — Filter by post type
• language:xx — Search in a specific language
• from:username — Find posts from a specific person
• mentions:username — Find posts mentioning someone
• before:YYYY-MM-DD/after:YYYY-MM-DD — Search within a date range
• Combine them with - for negation, OR for alternatives, and parentheses for grouping

For example, (from:alice OR from:bob) has:poll -is:reply will find polls from Alice or Bob that aren't replies.

We've also made search much faster. URL and handle searches that used to take 8–10 seconds now complete in about 1.4 seconds—an 85% improvement.

Notifications are faster than ever

We completely rebuilt how notifications work under the hood. Instead of computing notifications on every request, Hollo now stores them as they happen. The result? About 24% faster notification loading (down from 2.5s to 1.9s).

On top of that, we've implemented Mastodon's v2 grouped notifications API, which groups similar notifications together server-side. This means less work for your client app and a cleaner notification experience.

Everything loads faster with compression

All API responses are now compressed, reducing their size by 70–92%. Some real numbers: notification responses dropped from 767KB to 58KB, and home timeline responses went from 91KB to 14KB. You'll notice faster load times, especially on slower connections.

Quote notifications

When someone quotes your post, you'll now get a notification about it. And if the original author edits a post you've quoted, you'll be notified too. These are the new quote and quoted_update notification types from Mastodon 4.5.0.

Background import processing

Importing your data (follows, lists, muted/blocked accounts, bookmarks) used to block the entire request until it finished. Now imports run in the background, and you can watch the progress in real-time. Much better for large imports. Thanks to Juyoung Jung for implementing this in #295.

Other improvements

• Upgraded Fedify to 1.10.0.
• Instance API responses now include proper thumbnails, actual stats, and correct values for max_featured_tags and max_pinned_statuses. Thanks to Juyoung Jung for this improvement in #296.
• The notifications API now includes a prev link in pagination headers, which was tracked in #312.
• Replaced the deprecated fluent-ffmpeg package with direct ffmpeg calls. If video thumbnail generation fails, you'll get a default image instead of an error. Thanks to Peter Jeschke for this fix in #333.

Bug fixes

• Emelia Smith fixed an issue where POST /api/v1/statuses and PUT /api/v1/statuses/:id were rejecting FormData requests in #171.
• Fixed log files writing multiple JSON objects on a single line, as reported in #174.
• Lee ByeongJun fixed POST /api/v1/statuses rejecting null values in optional fields in #179.
• Juyoung Jung fixed OAuth token endpoint issues with clients that send credentials in both the header and body in #296.
• Fixed OAuth token endpoint failing to parse requests from clients that don't send a Content-Type header.
• Peter Jeschke fixed notification endpoints returning 500 errors for unknown notification types in #334.
• Fixed /api/v2/search not respecting the limit parameter, as reported in #210.

Upgrading

Docker

Pull the latest image and restart your container:

docker pull ghcr.io/fedify-dev/hollo:0.7.0
docker compose up -d

Railway

Go to your Railway dashboard, select your Hollo service, and click Redeploy from the deployments menu.

Manual installation

Pull the latest code and reinstall dependencies:

git pull origin stable
pnpm install
pnpm run prod

Thank you to our contributors

This release wouldn't have been possible without the contributions from our community. A big thank you to Emelia Smith (@thisismissem), Juyoung Jung (@quadr), Lee ByeongJun (@joonnot), and Peter Jeschke (@peter@jeschke.dev) for their pull requests and bug reports. We really appreciate your help in making Hollo better!

@mickeymarse We have an issue for it, but there's no progress so far!

@KazukyAkayashi Oh, sorry for our late response. As of now, it's normal with the main branch showing v0.7.0, because our main branch is approaching to v0.7.0 (which is unreleased)!

Trying out pl-fe with @hollo and I'm pretty happy with it. It seems to customize per platform and show features specific to each.

I keep forgetting that Hollo supports emoji reacts and markdown .

https://pl.mkljczk.pl/

Hollo 0.7.0 will introduce advanced search operators!

You'll be able to filter posts using operators like has:media, is:sensitive, language:en, from:username, date ranges with before: and after:, and combine them with OR and negation (-).

For example: cat has:media -is:sensitive

Full documentation: https://canary.docs.hollo.social/search/.

セキュリティアップデート: Hollo 0.6.19 リリース

FedifyのHTMLパースコードにおけるセキュリティ脆弱性に対応したHollo 0.6.19をリリースしました。

この脆弱性 (CVE-2025-68475) は ReDoS (正規表現によるサービス拒否) の問題であり、攻撃者がフェデレーション操作中に特別に細工されたHTMLレスポンスを送信することで、サービス停止を引き起こす可能性があります。悪意のあるペイロードは小さい (約170バイト) ですが、Node.jsのイベントループを長時間ブロックする可能性があります。

すべてのHollo運営者の皆様には、直ちにバージョン 0.6.19 へのアップグレードを強くお勧めします。

#Hollo #セキュリティ #fediverse #ActivityPub

보안 업데이트: Hollo 0.6.19 릴리스

Fedify의 HTML 파싱 코드에서 발견된 보안 취약점을 수정한 Hollo 0.6.19를 릴리스했습니다.

이 취약점(CVE-2025-68475)은 ReDoS(정규 표현식 서비스 거부) 문제로, 공격자가 연합 작업 중 특수하게 조작된 HTML 응답을 보내 서비스 장애를 유발할 수 있습니다. 악성 페이로드는 작지만(약 170바이트), Node.js 이벤트 루프를 장시간 차단할 수 있습니다.

모든 Hollo 운영자분들께 즉시 버전 0.6.19로 업그레이드하실 것을 강력히 권고드립니다.

#Hollo #보안 #페디버스 #연합우주 #ActivityPub

Security Update: Hollo 0.6.19 Released

We have released Hollo 0.6.19 to address a security vulnerability in Fedify's HTML parsing code.

This vulnerability (CVE-2025-68475) is a ReDoS (Regular Expression Denial of Service) issue that could allow an attacker to cause service unavailability by sending specially crafted HTML responses during federation operations. The malicious payload is small (approximately 170 bytes) but can block the Node.js event loop for extended periods.

We strongly recommend all Hollo operators upgrade to version 0.6.19 immediately.

#Hollo #Security #Fediverse #ActivityPub

#Hollo 0.7 brings a redesigned #notification system with much better performance. We've moved from generating #notifications on-demand to storing them as they happen, which makes the notifications endpoint about 60% faster. We've also added response compression (though if you're using a reverse proxy, you probably had this already).

More notably, Hollo 0.7 implements Mastodon's v2 grouped notifications API. Notifications like favorites, follows, and reblogs targeting the same post or account are now grouped together server-side, reducing clutter. Clients that support the new API (introduced in #Mastodon 4.3) will show cleaner, more organized notifications automatically.

Hollo 0.7 is still in development, but we're excited to share it with you when it's ready!

@KazukyAkayashi Yeah, that's no problem. For the maximum compatibility, we're pinning the version of the pnpm package manager.

@nshki Thanks for your interest in Hollo!

While we don't have officially documented minimum requirements yet, Hollo is designed for single-user instances and is significantly lighter than multi-user software like Mastodon or Misskey.

Rough guidelines:

• RAM: 2GB recommended (including Node.js and PostgreSQL)
• CPU: 1 vCPU/core should be sufficient
• Storage: 10GB+ (depending on media storage needs)
• Database: PostgreSQL 17+

Real-world deployment:

• Works well on basic VPS plans ($5–10/month tier)
• Runs smoothly on DigitalOcean Droplets, Linode, Vultr starter plans
• Railway's Hobby plan handles it fine
• ARM processors are supported (the official hollo.social instance runs on ARM)

Storage considerations:

• If storing media locally, plan for additional disk space
• Using S3-compatible object storage can help reduce local storage requirements
• Resource usage scales with the number of accounts you follow and federation activity

Since it's single-user software, you can start with minimal resources and adjust as needed based on your actual usage patterns.

Security update: Hollo 0.6.12 is now available

We've released #Hollo 0.6.12 to fix a critical privacy #vulnerability where direct messages were being exposed in the replies section of public posts. Please update your instances immediately to ensure your private conversations remain private.

#security