Hollo 0.7.0 🎉

#Hollo

Hollo 0.7.0: Advanced search, faster notifications, and improved client compatibility

It's been a while since our last release, and we're excited to finally share Hollo 0.7.0 with you. This release brings a lot of improvements that we've been working on over the past months—from powerful new search capabilities to significant performance gains that should make your daily Hollo experience noticeably snappier.

Let's dive into what's new.

Highlights

Search gets a major upgrade

One of the most requested features has been better search, and we're happy to deliver. Hollo now supports Mastodon-compatible search operators, so you can finally filter your searches the way you've always wanted:

• has:media/has:poll — Find posts with attachments or polls
• is:reply/is:sensitive — Filter by post type
• language:xx — Search in a specific language
• from:username — Find posts from a specific person
• mentions:username — Find posts mentioning someone
• before:YYYY-MM-DD/after:YYYY-MM-DD — Search within a date range
• Combine them with - for negation, OR for alternatives, and parentheses for grouping

For example, (from:alice OR from:bob) has:poll -is:reply will find polls from Alice or Bob that aren't replies.

We've also made search much faster. URL and handle searches that used to take 8–10 seconds now complete in about 1.4 seconds—an 85% improvement.

Notifications are faster than ever

We completely rebuilt how notifications work under the hood. Instead of computing notifications on every request, Hollo now stores them as they happen. The result? About 24% faster notification loading (down from 2.5s to 1.9s).

On top of that, we've implemented Mastodon's v2 grouped notifications API, which groups similar notifications together server-side. This means less work for your client app and a cleaner notification experience.

Everything loads faster with compression

All API responses are now compressed, reducing their size by 70–92%. Some real numbers: notification responses dropped from 767KB to 58KB, and home timeline responses went from 91KB to 14KB. You'll notice faster load times, especially on slower connections.

Quote notifications

When someone quotes your post, you'll now get a notification about it. And if the original author edits a post you've quoted, you'll be notified too. These are the new quote and quoted_update notification types from Mastodon 4.5.0.

Background import processing

Importing your data (follows, lists, muted/blocked accounts, bookmarks) used to block the entire request until it finished. Now imports run in the background, and you can watch the progress in real-time. Much better for large imports. Thanks to Juyoung Jung for implementing this in #295.

Other improvements

• Upgraded Fedify to 1.10.0.
• Instance API responses now include proper thumbnails, actual stats, and correct values for max_featured_tags and max_pinned_statuses. Thanks to Juyoung Jung for this improvement in #296.
• The notifications API now includes a prev link in pagination headers, which was tracked in #312.
• Replaced the deprecated fluent-ffmpeg package with direct ffmpeg calls. If video thumbnail generation fails, you'll get a default image instead of an error. Thanks to Peter Jeschke for this fix in #333.

Bug fixes

• Emelia Smith fixed an issue where POST /api/v1/statuses and PUT /api/v1/statuses/:id were rejecting FormData requests in #171.
• Fixed log files writing multiple JSON objects on a single line, as reported in #174.
• Lee ByeongJun fixed POST /api/v1/statuses rejecting null values in optional fields in #179.
• Juyoung Jung fixed OAuth token endpoint issues with clients that send credentials in both the header and body in #296.
• Fixed OAuth token endpoint failing to parse requests from clients that don't send a Content-Type header.
• Peter Jeschke fixed notification endpoints returning 500 errors for unknown notification types in #334.
• Fixed /api/v2/search not respecting the limit parameter, as reported in #210.

Upgrading

Docker

Pull the latest image and restart your container:

docker pull ghcr.io/fedify-dev/hollo:0.7.0
docker compose up -d

Railway

Go to your Railway dashboard, select your Hollo service, and click Redeploy from the deployments menu.

Manual installation

Pull the latest code and reinstall dependencies:

git pull origin stable
pnpm install
pnpm run prod

Thank you to our contributors

This release wouldn't have been possible without the contributions from our community. A big thank you to Emelia Smith (@thisismissem), Juyoung Jung (@quadr), Lee ByeongJun (@joonnot), and Peter Jeschke (@peter@jeschke.dev) for their pull requests and bug reports. We really appreciate your help in making Hollo better!

@mickeymarse We have an issue for it, but there's no progress so far!

@KazukyAkayashi Oh, sorry for our late response. As of now, it's normal with the main branch showing v0.7.0, because our main branch is approaching to v0.7.0 (which is unreleased)!

Trying out pl-fe with @hollo and I'm pretty happy with it. It seems to customize per platform and show features specific to each.

I keep forgetting that Hollo supports emoji reacts and markdown .

https://pl.mkljczk.pl/

Hollo 0.7.0 will introduce advanced search operators!

You'll be able to filter posts using operators like has:media, is:sensitive, language:en, from:username, date ranges with before: and after:, and combine them with OR and negation (-).

For example: cat has:media -is:sensitive

Full documentation: https://canary.docs.hollo.social/search/.

セキュリティアップデート: Hollo 0.6.19 リリース

FedifyのHTMLパースコードにおけるセキュリティ脆弱性に対応したHollo 0.6.19をリリースしました。

この脆弱性 (CVE-2025-68475) は ReDoS (正規表現によるサービス拒否) の問題であり、攻撃者がフェデレーション操作中に特別に細工されたHTMLレスポンスを送信することで、サービス停止を引き起こす可能性があります。悪意のあるペイロードは小さい (約170バイト) ですが、Node.jsのイベントループを長時間ブロックする可能性があります。

すべてのHollo運営者の皆様には、直ちにバージョン 0.6.19 へのアップグレードを強くお勧めします。

#Hollo #セキュリティ #fediverse #ActivityPub

보안 업데이트: Hollo 0.6.19 릴리스

Fedify의 HTML 파싱 코드에서 발견된 보안 취약점을 수정한 Hollo 0.6.19를 릴리스했습니다.

이 취약점(CVE-2025-68475)은 ReDoS(정규 표현식 서비스 거부) 문제로, 공격자가 연합 작업 중 특수하게 조작된 HTML 응답을 보내 서비스 장애를 유발할 수 있습니다. 악성 페이로드는 작지만(약 170바이트), Node.js 이벤트 루프를 장시간 차단할 수 있습니다.

모든 Hollo 운영자분들께 즉시 버전 0.6.19로 업그레이드하실 것을 강력히 권고드립니다.

#Hollo #보안 #페디버스 #연합우주 #ActivityPub

Security Update: Hollo 0.6.19 Released

We have released Hollo 0.6.19 to address a security vulnerability in Fedify's HTML parsing code.

This vulnerability (CVE-2025-68475) is a ReDoS (Regular Expression Denial of Service) issue that could allow an attacker to cause service unavailability by sending specially crafted HTML responses during federation operations. The malicious payload is small (approximately 170 bytes) but can block the Node.js event loop for extended periods.

We strongly recommend all Hollo operators upgrade to version 0.6.19 immediately.

#Hollo #Security #Fediverse #ActivityPub

#Hollo 0.7 brings a redesigned #notification system with much better performance. We've moved from generating #notifications on-demand to storing them as they happen, which makes the notifications endpoint about 60% faster. We've also added response compression (though if you're using a reverse proxy, you probably had this already).

More notably, Hollo 0.7 implements Mastodon's v2 grouped notifications API. Notifications like favorites, follows, and reblogs targeting the same post or account are now grouped together server-side, reducing clutter. Clients that support the new API (introduced in #Mastodon 4.3) will show cleaner, more organized notifications automatically.

Hollo 0.7 is still in development, but we're excited to share it with you when it's ready!

@KazukyAkayashi Yeah, that's no problem. For the maximum compatibility, we're pinning the version of the pnpm package manager.

@nshki Thanks for your interest in Hollo!

While we don't have officially documented minimum requirements yet, Hollo is designed for single-user instances and is significantly lighter than multi-user software like Mastodon or Misskey.

Rough guidelines:

• RAM: 2GB recommended (including Node.js and PostgreSQL)
• CPU: 1 vCPU/core should be sufficient
• Storage: 10GB+ (depending on media storage needs)
• Database: PostgreSQL 17+

Real-world deployment:

• Works well on basic VPS plans ($5–10/month tier)
• Runs smoothly on DigitalOcean Droplets, Linode, Vultr starter plans
• Railway's Hobby plan handles it fine
• ARM processors are supported (the official hollo.social instance runs on ARM)

Storage considerations:

• If storing media locally, plan for additional disk space
• Using S3-compatible object storage can help reduce local storage requirements
• Resource usage scales with the number of accounts you follow and federation activity

Since it's single-user software, you can start with minimal resources and adjust as needed based on your actual usage patterns.

Security update: Hollo 0.6.12 is now available

We've released #Hollo 0.6.12 to fix a critical privacy #vulnerability where direct messages were being exposed in the replies section of public posts. Please update your instances immediately to ensure your private conversations remain private.

#security

Hollo 0.6.11 significantly improves Bluesky interoperability via BridgyFed! Fixed AT Protocol URI parsing issues that were affecting various cross-platform interactions—not just likes, but overall federation with Bluesky users. 🌉

Found a new web-based fediverse app that looks nice and supports MFM and Emoji. Works great with IceShrimp.NET. (thanks to JoinMastodon.org app listings)

Edit: oh! It works with Hollo, too - I always forget that Hollo supports emoji reacts.

https://codeberg.org/mkljczk/pl-fe

#FediApps

为了解决底层 Fedify 框架的安全漏洞，我们发布了 Hollo 安全更新。（0.4.12、0.5.7 和 0.6.6）这些更新包含了修复 CVE-2025-54888 的最新 Fedify 安全补丁。

我们强烈建议所有 Hollo 实例管理员尽快更新到相应发布分支的最新版本。

更新方法：

• Railway 用户：进入项目仪表板，选择您的 Hollo 服务，点击部署中的三点菜单，然后选择"Redeploy"
• Docker 用户：使用 docker pull ghcr.io/fedify-dev/hollo:latest 拉取最新镜像并重启容器
• 手动安装用户：运行 git pull 获取最新代码，然后执行 pnpm install 并重启服务

#Hollo #安全更新 #安全补丁 #漏洞修复 #Fedify

Fedifyフレームワークの脆弱性に対処するため、Holloのセキュリティアップデートをリリースしました。（0.4.12、0.5.7、0.6.6）これらのアップデートには、CVE-2025-54888を修正する最新のFedifyセキュリティパッチが含まれています。

すべてのHolloインスタンス管理者の皆様には、できるだけ早く該当するリリースブランチの最新バージョンにアップデートしていただくことを強く推奨いたします。

アップデート方法：

• Railwayユーザー： プロジェクトダッシュボードでHolloサービスを選択し、deploymentsの三点メニューをクリックして「Redeploy」を選択してください
• Dockerユーザー： docker pull ghcr.io/fedify-dev/hollo:latestで最新イメージを取得し、コンテナを再起動してください
• 手動インストールユーザー： git pullで最新コードを取得した後、pnpm installを実行してサービスを再起動してください

#Fedify #セキュリティ #脆弱性

Fedify 프레임워크의 #보안 #취약점을 해결하기 위해 #Hollo 보안 업데이트를 릴리스했습니다 (0.4.12, 0.5.7, 0.6.6). 이번 업데이트는 CVE-2025-54888을 수정하는 최신 Fedify 보안 패치를 포함합니다.

모든 Hollo 인스턴스 관리자분들께서는 가능한 한 빨리 해당 릴리스 브랜치의 최신 버전으로 업데이트하시기를 강력히 권장합니다.

업데이트 방법:

• Railway 사용자: 프로젝트 대시보드에서 Hollo 서비스를 선택하고, deployments의 점 세 개 메뉴를 클릭한 후 “Redeploy”를 선택하세요
• Docker 사용자: docker pull ghcr.io/fedify-dev/hollo:latest로 최신 이미지를 받고 컨테이너를 재시작하세요
• 수동 설치 사용자: git pull로 최신 코드를 받은 후 pnpm install을 실행하고 서비스를 재시작하세요

We've released #security updates for #Hollo (0.4.12, 0.5.7, and 0.6.6) to address a #vulnerability in the underlying #Fedify framework. These updates incorporate the latest Fedify security patches that fix CVE-2025-54888.

We strongly recommend all Hollo instance administrators update to the latest version for their respective release branch as soon as possible.

Update Instructions:

• Railway users: Go to your project dashboard, select your Hollo service, click the three dots menu in deployments, and choose “Redeploy”
• Docker users: Pull the latest image with docker pull ghcr.io/fedify-dev/hollo:latest and restart your containers
• Manual installations: Run git pull to get the latest code, then pnpm install and restart your service

🚨 安全更新：Hollo 0.6.5 发布

我们发布了 #Hollo 0.6.5，修复了 CVE-2025-53941 关键安全漏洞，解决了联邦帖子中的 HTML 注入漏洞。

请立即更新以保护您的实例免受潜在的钓鱼和 XSS 攻击。

更新方法：

• Railway：转到部署 → 点击三个点 → Redeploy
• Docker：docker pull ghcr.io/fedify-dev/hollo:latest 然后重启
• 手动：git pull origin stable && pnpm install 然后重启服务器

#安全 #更新

🚨 セキュリティアップデート：Hollo 0.6.5 リリース

CVE-2025-53941のセキュリティ脆弱性を修正したHollo 0.6.5をリリースしました。連合投稿のHTMLインジェクション脆弱性が修正されています。

フィッシングやXSS攻撃からインスタンスを保護するため、今すぐアップデートしてください。

アップデート方法:

• Railway：デプロイメント → 縦3点クリック → Redeploy
• Docker：docker pull ghcr.io/fedify-dev/hollo:latest して再起動
• 手動：git pull origin stable && pnpm install してサーバー再起動

#Hollo #セキュリティ #アップデート

🚨 보안 업데이트: Hollo 0.6.5 릴리스

CVE-2025-53941 #보안 취약점을 해결하는 #Hollo 0.6.5를 릴리스했습니다. 연합 게시물의 HTML 주입 취약점이 수정되었습니다.

피싱 및 XSS 공격으로부터 인스턴스를 보호하기 위해 즉시 업데이트해 주세요.

업데이트 방법:

• Railway: 배포 탭 → 점 세 개 클릭 → Redeploy
• Docker: docker pull ghcr.io/fedify-dev/hollo:latest 후 재시작
• 수동: git pull origin stable && pnpm install 후 서버 재시작

#업데이트

🚨 Security Update: Hollo 0.6.5 Released

We've released #Hollo 0.6.5 with a critical #security fix for CVE-2025-53941, addressing an HTML injection vulnerability in federated posts.

Please #update immediately to protect your instance from potential phishing and XSS attacks.

How to update:

• Railway: Go to deployments → click three dots → Redeploy
• Docker: docker pull ghcr.io/fedify-dev/hollo:latest and restart
• Manual: git pull origin stable && pnpm install and restart server

@ysh 혹시 괜찮으시다면 이슈 트래커에 이슈로 만들어 주실 수 있을까요? 😅

Just dropped Hollo 0.6.4 with a minor bug fix.

@ysh 아, 그러시군요. 음, SECRET_KEY를 좀 더 길게 고치셔야 할 것 같긴 하네요. 다만, 이렇게 할 경우 기존 로그인 세션이 다 풀리게 됩니다. 쓰시는 클라이언트 앱들에서 로그아웃 후 다시 로그인을 하셔야 하셔야 할 거예요. 🥲

@lena LLMs are used for documentation!

Fixed in Hollo 0.6.2, so update it now!

What client apps do you use with #Hollo?

🚨 Known Issue: Elk (@elk) login may fail on Hollo instances upgraded from 0.5.x to 0.6.x with 401 Unauthorized errors. Fresh 0.6.x installs work fine. Other clients (Phanpy, Moshidon) are unaffected.

We're investigating: https://github.com/fedify-dev/hollo/issues/167

Workaround: Use alternative clients like Phanpy (@phanpy) for now.