Hollo

🚨 安全更新：Hollo 0.6.5 发布

我们发布了 #Hollo 0.6.5，修复了 CVE-2025-53941 关键安全漏洞，解决了联邦帖子中的 HTML 注入漏洞。

请立即更新以保护您的实例免受潜在的钓鱼和 XSS 攻击。

更新方法：

• Railway：转到部署 → 点击三个点 → Redeploy
• Docker：docker pull ghcr.io/fedify-dev/hollo:latest 然后重启
• 手动：git pull origin stable && pnpm install 然后重启服务器

#安全 #更新

🚨 セキュリティアップデート：Hollo 0.6.5 リリース

CVE-2025-53941のセキュリティ脆弱性を修正したHollo 0.6.5をリリースしました。連合投稿のHTMLインジェクション脆弱性が修正されています。

フィッシングやXSS攻撃からインスタンスを保護するため、今すぐアップデートしてください。

アップデート方法:

• Railway：デプロイメント → 縦3点クリック → Redeploy
• Docker：docker pull ghcr.io/fedify-dev/hollo:latest して再起動
• 手動：git pull origin stable && pnpm install してサーバー再起動

#Hollo #セキュリティ #アップデート

🚨 보안 업데이트: Hollo 0.6.5 릴리스

CVE-2025-53941 #보안 취약점을 해결하는 #Hollo 0.6.5를 릴리스했습니다. 연합 게시물의 HTML 주입 취약점이 수정되었습니다.

피싱 및 XSS 공격으로부터 인스턴스를 보호하기 위해 즉시 업데이트해 주세요.

업데이트 방법:

• Railway: 배포 탭 → 점 세 개 클릭 → Redeploy
• Docker: docker pull ghcr.io/fedify-dev/hollo:latest 후 재시작
• 수동: git pull origin stable && pnpm install 후 서버 재시작

#업데이트

🚨 Security Update: Hollo 0.6.5 Released

We've released #Hollo 0.6.5 with a critical #security fix for CVE-2025-53941, addressing an HTML injection vulnerability in federated posts.

Please #update immediately to protect your instance from potential phishing and XSS attacks.

How to update:

• Railway: Go to deployments → click three dots → Redeploy
• Docker: docker pull ghcr.io/fedify-dev/hollo:latest and restart
• Manual: git pull origin stable && pnpm install and restart server

@ysh 혹시 괜찮으시다면 이슈 트래커에 이슈로 만들어 주실 수 있을까요? 😅

Just dropped Hollo 0.6.4 with a minor bug fix.

@ysh 아, 그러시군요. 음, SECRET_KEY를 좀 더 길게 고치셔야 할 것 같긴 하네요. 다만, 이렇게 할 경우 기존 로그인 세션이 다 풀리게 됩니다. 쓰시는 클라이언트 앱들에서 로그아웃 후 다시 로그인을 하셔야 하셔야 할 거예요. 🥲

@lena LLMs are used for documentation!

Fixed in Hollo 0.6.2, so update it now!

What client apps do you use with #Hollo?

🚨 Known Issue: Elk (@elk) login may fail on Hollo instances upgraded from 0.5.x to 0.6.x with 401 Unauthorized errors. Fresh 0.6.x installs work fine. Other clients (Phanpy, Moshidon) are unaffected.

We're investigating: https://github.com/fedify-dev/hollo/issues/167

Workaround: Use alternative clients like Phanpy (@phanpy) for now.

We're excited to announce Hollo 0.6.0, a significant release that brings enhanced security, better user experience, and important infrastructure improvements to your single-user microblogging setup.

Enhanced OAuth Security with Modern Standards

This release prioritizes security with comprehensive OAuth 2.0 improvements that align with current best practices. We've implemented several critical RFC standards that significantly strengthen the authorization process:

OAuth 2.0 Authorization Code Flow with Access Grants — We've overhauled the OAuth implementation to properly separate authorization codes from access token issuance, providing better security isolation throughout the authentication process.

RFC 7636 PKCE (Proof Key for Code Exchange) Support — Hollo now supports PKCE with the S256 code challenge method, which prevents authorization code interception attacks. This is particularly important for public clients and follows the latest OAuth 2.0 security recommendations outlined in RFC 9700 (OAuth 2.0 Security Current Best Practices).

RFC 8414 OAuth Authorization Server Metadata — We've added support for OAuth Authorization Server metadata endpoints, allowing clients to automatically discover Hollo's OAuth capabilities and configuration. This makes integration smoother and helps clients adapt to your server's specific OAuth setup.

Enhanced Profile Scope Support — The new /oauth/userinfo endpoint and expanded profile scope support provide applications with standardized ways to access user profile information, improving compatibility with a wider range of OAuth-compliant applications.

These OAuth improvements not only make Hollo more secure but also position it at the forefront of federated social media security standards. We encourage other fediverse projects to adopt these same standards to ensure the entire ecosystem benefits from these security enhancements.

Special thanks to Emelia Smith (@thisismissem) for spearheading these critical OAuth security improvements and ensuring Hollo stays ahead of the curve on authentication best practices.

Revamped Media Storage Configuration

We've significantly improved how Hollo handles media storage configuration, making it more flexible and future-ready:

New Environment Variables — The storage system now uses STORAGE_URL_BASE (replacing the deprecated ASSET_URL_BASE) and FS_STORAGE_PATH for local filesystem storage (replacing FS_ASSET_PATH). These changes provide clearer naming and better organization.

Improved Security Requirements — The SECRET_KEY environment variable now requires a minimum of 44 characters, ensuring sufficient entropy for cryptographic operations. You'll need to update your configuration if your current secret key is shorter.

Network Binding Control — The new BIND environment variable lets you specify exactly which network interface Hollo should listen on, giving you more control over your server's network configuration.

Thanks to Emelia Smith (@thisismissem) for leading these infrastructure improvements.

Better User Experience

Customizable Profile Themes — You can now personalize your profile page with different theme colors. Choose from the full range of Pico CSS color options to make your profile uniquely yours.

Enhanced Administration Dashboard — The dashboard now displays the current Hollo version at the bottom, making it easier to track which version you're running. You can also sign out directly from the dashboard for better session management.

Improved Post Presentation — Shared posts on profile pages now have better visual separation from original content, and the sharing timestamp is clearly displayed. This makes it much easier to distinguish between your original thoughts and content you've shared from others.

Better Image Accessibility — Alt text for images is now displayed within expandable details sections, improving accessibility while keeping the interface clean.

Syntax Highlighting — Code blocks in Markdown posts now feature beautiful syntax highlighting powered by Shiki, supporting a comprehensive range of programming languages. This makes technical discussions much more readable.

Enhanced Character Limit — The maximum post length has been increased from 4,096 to 10,000 characters, giving you more space to express your thoughts in detail.

Thanks to RangHo Lee (@rangho_220) for the version display feature and Okuto Oyama (@yamanoku) for the image accessibility improvements.

Privacy and Content Improvements

EXIF Metadata Removal — Hollo now automatically strips EXIF metadata from uploaded images before storing them, protecting your privacy by removing potentially sensitive location and device information.

Public API Endpoints — Following Mastodon's approach, certain API endpoints are now publicly accessible without authentication, making Hollo more compatible with various client applications and improving the overall federation experience.

Thanks to NTSK (@ntek) for the privacy-focused EXIF metadata stripping implementation.

Technical Foundation

Node.js 24+ Requirement — This release requires Node.js 24.0.0 or later. We've also upgraded to Fedify 1.5.3 and @fedify/postgres 0.3.0 for improved performance and compatibility.

Test Coverage & Quality Assurance — The codebase now includes comprehensive testing infrastructure and test coverage. We're committed to expanding this coverage and integrating testing more deeply into our development and release workflows. This also provides an excellent opportunity for first-time contributors to get involved by writing tests.

Cross-Origin Request Support — OAuth and well-known endpoints now properly support cross-origin requests, aligning with Mastodon's behavior and improving client compatibility.

Cleaner Token Endpoint — The scope parameter is now properly optional for the OAuth token endpoint, clarifying that it only affects client credentials flows (not authorization code flows, where it was already ignored).

Looking Forward

This release represents a major step forward in making Hollo not just a great single-user microblogging platform, but also a leader in federated social media security standards. The OAuth improvements we've implemented should serve as a model for other fediverse projects.

We're particularly excited about the OAuth security enhancements, which demonstrate our commitment to staying ahead of security best practices. As the federated web continues to evolve, we believe these standards will become increasingly important for maintaining user trust and ensuring secure interactions across the fediverse.

Upgrading

Upgrading to Hollo 0.6.0 is straightforward, but there are a few important considerations:

Railway Deployment

1. Go to your Railway dashboard
2. Select your Hollo project and service
3. In the deployments tab, click the three-dot menu and select Redeploy

Docker Deployment

1. Pull the latest image: docker pull ghcr.io/fedify-dev/hollo:latest
2. Stop your current container
3. Start with the new image using your existing configuration

Manual Installation

1. Pull the latest code: git pull
2. Install dependencies: pnpm install
3. Restart the service: pnpm run prod

Important Upgrade Notes

Environment Variables: Update your configuration if you're using deprecated variables:

• Replace ASSET_URL_BASE with STORAGE_URL_BASE
• Replace FS_ASSET_PATH with FS_STORAGE_PATH
• Ensure your SECRET_KEY is at least 44 characters long

Session Reset: Due to the OAuth security improvements, existing user sessions may be invalidated during the upgrade. You'll likely need to log in again through your client apps (like Phanpy, Moshidon, etc.) after upgrading. This is a one-time inconvenience that ensures you benefit from the enhanced security features.

Thank you to everyone who contributed to this release, and to the community for your continued support. Hollo 0.6.0 brings significant improvements to security, usability, and the overall experience of running your own corner of the fediverse.

@hongminhee something else I'm bringing to @hollo is my experience building with Node.js (which is something like 16 years at this point), but I also get to cross-pollinate ideas between the various projects I work on (e.g., bringing S3 storage to Hollo via the same storage adapter model as @adonisframework uses, or figuring out testing infrastructure)

Oh yeah, this quietly happened the other day:
https://hollo.social/@hollo/01973e37-2969-754a-b8c6-4cf20531bad5

@hollo @hongminhee happy to be involved!

I think I'm probably most pleased with getting the OAuth functionality pretty much 100% covered by tests.

At some point, we'll definitely want to integrate test coverage into PR workflows

@hollo Amazing news 👏🏼 so happy to see Emelia join, couldn't think of a better person. Congrats @thisismissem @hongminhee !!

Exciting news for the #Hollo project! We're thrilled to announce that Emelia Smith (@thisismissem) has joined as a co-maintainer alongside Hong Minhee (@hongminhee).

Emelia brings extensive experience in the #fediverse ecosystem, having been a long-time contributor to Mastodon and a leading expert in trust & safety tooling for decentralized social networks. She's dedicated years to improving moderation systems and security across #ActivityPub platforms.

Her recent contributions to Hollo have been substantial—implementing the reporting/flagging system and making significant improvements to OAuth and security features. These valuable contributions naturally led to her joining as a co-maintainer.

This collaboration marks an important milestone for Hollo as we continue building better single-user microblogging software for the fediverse. Welcome aboard, Emelia! 🚀

備忘録書いた
https://blog.esurio1673.net/posts/move-hollo-and-minio/

@julian If you file an issue for this feature we will add it to our roadmap! Thanks!

#Hollo 0.6.0 is coming soon!

We're putting the finishing touches on our biggest security and feature update yet. Here's what's coming:

Enhanced #OAuth #security

• RFC 8414 (OAuth metadata discovery)
• RFC 7636 (#PKCE support)
• Improved authorization flows following RFC 9700 best practices

New features

• Extended character limit (4K → 10K)
• Code syntax highlighting
• Customizable profile themes
• EXIF metadata stripping for privacy

Important notes for update

• Node.js 24+ required
• Updated environment variables for asset storage
• Stronger SECRET_KEY requirements (44+ chars)

Special thanks to @thisismissem for the extensive OAuth improvements that help keep the #fediverse secure and compatible! 🙏

Full changelog and upgrade guide coming with the release.

#ActivityPub

Following on from today's earlier PR to @hollo, I've gone ahead and implemented PKCE for OAuth in Hollo

So now they too can have more security for OAuth authorization code grant flows.

(Also added a tonne of extra test coverage)

https://github.com/fedify-dev/hollo/pull/155

So I was getting really misleading code coverage results from c8 / tsx in the tests for @hollo, so after some discussion, we decided to migrate to vitest, and now we have accurate code coverage output!

But my gosh that was a sizeable chunk of work!

https://github.com/fedify-dev/hollo/pull/154

Just ended up implementing much greater test coverage for @hollo as well as access token revocation: https://github.com/fedify-dev/hollo/pull/147

Sometimes I end up doing more than expected in pull requests 🙃

HolloとかFedifyのお話おもしろかったのだ

우리의 코드를 찾아서 – 2막. 민희님과 Fedify & Hollo 알아보기 https://youtu.be/sqxR8zscSDo?si=nQRxPyV7kjplqy01

Hollo is one of the coolest self-hosting options for federated microblogging. If I was self-hosting, I’d be spoiled for choice.

Mastodon is all fun and games until you realise it can become a very heavy and hungry piece of software.

If you're thinking about spinning your own fediverse instance, take a look at GoToSocial, Hollo or Snac.

GoToSocial, for example, is a very secure, privacy-minded alternative and can run without complications in a very cheap VPS with only 512 MB of RAM and a database file (SQLite).

#FediAdmin

If you're wondering why I'm doing tonnes of OAuth implementation work in @hollo, it's because it allows me to more quickly ship prototypes of things like:
- Client ID Metadata Documents
- Expiring Access Tokens & Refresh Tokens
- Public Clients

Both of those are planned for Mastodon, but I'm still waiting on funding & needing to make upstream dependency changes or write entirely new dependencies.

By implementing in Hollo, I can get these features in the hands of downstream client developers like @cheeaun to have them test out and prepare for supporting these features. (They're all discoverable via OAuth Authorizatiob Server Metadata)

Like does a Mastodon API-like server support these things? Check the OAuth Authorization Server Metadata for client_id_metadata_documents_supported (or something) and check if grant_types_supported has refresh_grant and scopes has offline_access, or something like that.

And then that tells you how to interact with that Mastodon API-like server, e.g., do you need to dynamically register a client (current) or can you use Client ID Metadata Documents (future)

Getting these things into Mastodon can take significantly longer because of complex dependencies and extensive test coverage and other interesting issues. And then longer into developers hands due to release cadence & ease of development deployments

In between working on FIRES yesterday, I also finished up a rather substantial contribution to @hollo that I'd been working on.

https://github.com/fedify-dev/hollo/pull/130

It's an OAuth thing, which to end users shouldn't really change anything, but internally it helps pave the way for supporting PKCE and Device Code Authorization Grant Flow, the first shipped in Mastodon 4.3, the second I want to land in a future version of Mastodon (it's a low priority on the oauth roadmap but just because of a dependency issue)

This also increases the test coverage of Hollo too, which is neat.

Admittedly we're able to take some shortcuts in Hollo, like only supporting Bearer tokens and not access_token query parameter, because the latter really shouldn't be used.

We do currently only support client_secret_post as a client authentication mechanism, not client_secret_basic and none, so those need to be added too, to be more compatible.

ブログを書いた。
おひとり様ActivityPub実装Holloを始めた

We're pleased to announce that #Hollo has been included in the Nivenly Fediverse Security Fund program!

The @nivenly Foundation has launched a security bounty fund to support contributors who identify and help fix #security vulnerabilities in popular #fediverse software. Both Hollo and @fedify are among the selected projects that meet their responsible security disclosure requirements.

This program will run from April–September 2025, with bounties of $250–$500 USD for high and critical security vulnerabilities.

We're honored to be recognized alongside other established fediverse projects like Mastodon, Misskey, and Lemmy. This further encourages our commitment to maintaining strong security practices.

If you're interested in contributing to Hollo's security, please follow our responsible disclosure process outlined in our SECURITY.md file.

Learn more about the program:

https://nivenly.org/blog/2025/04/01/nivenly-fediverse-security-fund/