Headline
CVE-2022-31263: Release v3.5.0 · mastodon/mastodon
app/models/user.rb in Mastodon before 3.5.0 allows a bypass of e-mail restrictions.
Upgrade overview
This release contains upgrade notes that deviate from the norm:
ℹ️ Requires streaming API restart
ℹ️ Requires two-step database migration process for zero-downtime deployment
⚠️ Elasticsearch requirement raised to at least 7
⚠️ PostgreSQL version in docker-compose.yml has been changed from 9.6 to 14, requires manual upgrade
For more information, scroll down to the upgrade instructions section.
Changelog****Added
- Add support for incoming edited posts (Gargron, Gargron, Gargron, Gargron, Gargron, Gargron, ClearlyClaire, Gargron, Gargron, ClearlyClaire, Gargron, Gargron, ClearlyClaire, ClearlyClaire, ClearlyClaire, ClearlyClaire, Gargron, Gargron, Gargron, ClearlyClaire, ClearlyClaire)
- Previous versions remain available for perusal and comparison
- People who reblogged a post are notified when it’s edited
- New REST APIs:
- PUT /api/v1/statuses/:id
- GET /api/v1/statuses/:id/history
- GET /api/v1/statuses/:id/source
- New streaming API event:
- status.update
- Add appeals for moderator decisions (Gargron, ClearlyClaire, ClearlyClaire, ClearlyClaire, Gargron, Gargron, ClearlyClaire, Gargron)
- All default moderator decisions now notify the affected user by e-mail
- They now link to an appeal page instead of suggesting replying to the e-mail
- They can now be found in account settings and not just e-mail
- Users can submit one appeal within 20 days of the decision
- Moderators can approve or reject the appeal
- Add notifications for posts deleted by moderators (Gargron, Gargron, Gargron, Gargron, Gargron)
- New, redesigned report view in admin UI
- Common report actions now only take one click to complete
- Deleting posts or marking as sensitive from report now notifies user
- Reports can be categorized by reason and specific rules violated
- The reasons are automatically cited in the notifications, except for spam
- Marking posts as sensitive now federates using post editing
- Add explore page with trending posts and links (Gargron, Gargron, Gargron, Gargron, Gargron, Gargron, ClearlyClaire, Gargron, tribela, Gargron, Gargron, noiob, mayaeh, mayaeh, Gargron, mayaeh)
- Hashtag trends algorithm is extended to work for posts and links
- Links are only considered if they have an adequate preview card
- Preview card generation has been improved to support structured data
- Links can only trend if the publisher (domain) has been approved
- Posts can only trend if the author has been approved
- Individual approval and rejection for posts and links is also available
- Moderators are notified about pending trends at most once every 2 hours
- Posts and link trends are language-specific
- Search page is redesigned into explore page in web UI
- Discovery tab is coming soon in official iOS and Android apps
- New REST APIs:
- GET /api/v1/trends/links
- GET /api/v1/trends/statuses
- GET /api/v1/trends/tags (alias of GET /api/v1/trends)
- GET /api/v1/admin/trends/links
- GET /api/v1/admin/trends/statuses
- GET /api/v1/admin/trends/tags
- Add graphs and retention metrics to admin dashboard (Gargron, Gargron, ClearlyClaire, ClearlyClaire, ClearlyClaire, mashirozx, ClearlyClaire)
- Dashboard shows more numbers with development over time
- Other data such as most used interface languages and sign-up sources
- User retention graph shows how many new users stick around
- New REST APIs:
- POST /api/v1/admin/measures
- POST /api/v1/admin/dimensions
- POST /api/v1/admin/retention
- Add GET /api/v1/accounts/familiar_followers to REST API (Gargron)
- Add POST /api/v1/accounts/:id/remove_from_followers to REST API (noellabo)
- Add category and rule_ids params to POST /api/v1/reports IN REST API (Gargron, Gargron, Gargron)
- category can be one of: spam, violation, other (default)
- rule_ids must reference rules returned in GET /api/v1/instance
- Add global lang param to REST API (Gargron, Gargron)
- Add types param to GET /api/v1/notifications in REST API (Gargron)
- Add notifications for moderators about new sign-ups (Gargron, ClearlyClaire)
- When a new user confirms e-mail, moderators receive a notification
- New notification type:
- admin.sign_up
- Add authentication history (Gargron, ClearlyClaire, baby-gnu)
- Add ability to automatically delete old posts (ClearlyClaire, ClearlyClaire, tribela)
- Add ability to pin private posts (ClearlyClaire, tribela, ClearlyClaire, MitarashiDango)
- Add ability to filter search results by author using from: syntax (tribela)
- Add ability to delete canonical email blocks in admin UI (ClearlyClaire)
- Add ability to purge undeliverable domains in admin UI (ClearlyClaire, tribela, tribela, tribela)
- Add ability to disable e-mail token authentication for specific users in admin UI (Gargron)
- Add ability to suspend accounts in batches in admin UI (Gargron, ClearlyClaire, Gargron)
- New, redesigned accounts list in admin UI
- Batch suspensions are meant to help clean up spam and bot accounts
- They do not generate notifications
- Add ability to filter reports by origin of target account in admin UI (Gargron)
- Add support for login through OpenID Connect (chandrn7)
- Add lazy loading for emoji picker in web UI (mashirozx, ClearlyClaire)
- Add single option votes tooltip in polls in web UI (Brawaru)
- Add confirmation modal when closing media edit modal with unsaved changes in web UI (ClearlyClaire)
- Add hint about missing media attachment description in web UI (Gargron)
- Add support for fetching Create and Announce activities by URI in ActivityPub (ClearlyClaire)
- Add S3_FORCE_SINGLE_REQUEST environment variable (ClearlyClaire)
- Add OMNIAUTH_ONLY environment variable (ClearlyClaire, ClearlyClaire)
- Add ES_USER and ES_PASS environment variables for Elasticsearch authentication (tribela)
- Add CAS_SECURITY_ASSUME_EMAIL_IS_VERIFIED environment variable (baby-gnu)
- Add ability to pass specific domains to tootctl accounts cull (tribela)
- Add --by-uri option to tootctl domains purge (ClearlyClaire)
- Add --batch-size option to tootctl search deploy (aquarla)
- Add --remove-orphans option to tootctl statuses remove (noellabo)
Changed
- Change design of federation pages in admin UI (Gargron, noellabo, Gargron)
- Change design of account cards in web UI (Gargron)
- Change follow scope to be covered by read and write scopes in REST API (Gargron)
- Change design of authorized applications page (Gargron, ClearlyClaire)
- Change e-mail domain blocks to block IPs dynamically (Gargron, ClearlyClaire, ClearlyClaire)
- Change report modal to include category selection in web UI (Gargron, ClearlyClaire, Gargron, ClearlyClaire)
- Change reblogs to not count towards hashtag trends anymore (Gargron)
- Change languages to be listed under standard instead of native name in admin UI (Gargron)
- Change routing paths to use usernames in web UI (Gargron, ClearlyClaire, ClearlyClaire, mashirozx, ClearlyClaire)
- Change list title input design in web UI (ClearlyClaire)
- Change “Opt-in to profile directory” preference to be general discoverability preference (ClearlyClaire)
- Change API rate limits to use /64 masking on IPv6 addresses (tribela, ClearlyClaire, zunda)
- Change allowed formats for locally uploaded custom emojis to include GIF (rgroothuijsen, Gargron)
- Change error message when chosen password is too long (rgroothuijsen)
- Change minimum required Elasticsearch version from 6 to 7 (noellabo)
Removed
- Remove profile directory link from main navigation panel in web UI (Gargron)
- Remove language detection through cld3 (Gargron, ykzts, Gargron, Gargron)
- cld3 is very inaccurate on short-form content even with unique alphabets
- Post language can be overriden individually using language param
- Otherwise, it defaults to the user’s interface language
- Remove support for OAUTH_REDIRECT_AT_SIGN_IN (ClearlyClaire)
- Use OMNIAUTH_ONLY instead
- Remove Keybase integration (Gargron)
- Remove old columns and indexes (ClearlyClaire, Gargron, ClearlyClaire)
- Remove shortcodes from newly-created media attachments (ClearlyClaire, ClearlyClaire)
Deprecated
- GET /api/v1/trends → GET /api/v1/trends/tags
- OAuth follow scope → read and/or write
- text attribute on DELETE /api/v1/statuses/:id → GET /api/v1/statuses/:id/source
Fixed
- Fix IDN domains not being rendered correctly in a few left-over places (Gargron)
- Fix Sanskrit translation not being used in web UI (ClearlyClaire)
- Fix Kurdish languages having the wrong language codes (ClearlyClaire)
- Fix pghero making database schema suggestions (ClearlyClaire)
- Fix encoding glitch in the OpenGraph description of a profile page (ClearlyClaire)
- Fix web manifest not permitting PWA usage from alternate domains (HolgerHuo)
- Fix not being able to edit media attachments for scheduled posts (ClearlyClaire)
- Fix subscribed relay activities being recorded as boosts (ClearlyClaire)
- Fix streaming API server error messages when JSON parsing fails not specifying the source (ClearlyClaire)
- Fix browsers autofilling new password field with old password (mashirozx)
- Fix text being invisible before fonts load in web UI (tribela)
- Fix public profile pages of unconfirmed users being accessible (ClearlyClaire, ClearlyClaire)
- Fix nil error when trying to fetch key for signature verification (Gargron)
- Fix null values being included in some indexes (Gargron)
- Fix POST /api/v1/emails/confirmations not being available after sign-up (Gargron)
- Fix rare race condition when reblogged post is deleted (ClearlyClaire, ClearlyClaire)
- Fix being able to add more than 4 hashtags to hashtag column in web UI (Gargron)
- Fix data integrity of featured tags (Gargron)
- Fix performance of account timelines (Gargron)
- Fix returning empty <p> tag for blank account note in REST API (Gargron)
- Fix leak of existence of otherwise inaccessible posts in REST API (Gargron)
- Fix not showing loading indicator when searching in web UI (Gargron)
- Fix media modal footer’s “external link” not being a link (ClearlyClaire)
- Fix reply button on media modal not giving focus to compose form (ClearlyClaire)
- Fix some media attachments being converted with too high framerates (ClearlyClaire)
- Fix sign in token and warning emails failing to send when contact e-mail address is malformed (helloworldstack)
- Fix opening the emoji picker scrolling the single-column view to the top (ClearlyClaire)
- Fix edge case where settings/admin page sidebar would be incorrectly hidden (ClearlyClaire)
- Fix performance of server-side filtering (ClearlyClaire)
- Fix privacy policy link not being visible on small screens (Gargron)
- Fix duplicate accounts when searching by IP range in admin UI (Gargron, tribela)
- Fix error when performing a batch action on posts in admin UI (ClearlyClaire)
- Fix deletes not being signed in authorized fetch mode (Gargron)
- Fix Undo Announce sometimes inlining the originally Announced status (ClearlyClaire)
- Fix localization of cold-start follow recommendations (Gargron, Gargron)
- Fix replies collection incorrectly looping (ClearlyClaire)
- Fix errors when multiple Delete are received for a given actor (ClearlyClaire)
- Fixed prototype pollution bug and only allow trusted origin (r0hanSH)
- Fix text being incorrectly pre-selected in composer textarea on /share (ClearlyClaire)
- Fix SMTP_ENABLE_STARTTLS_AUTO/SMTP_TLS/SMTP_SSL environment variables don’t work (kgtkr)
- Fix media upload specific rate limits only being applied to v1 endpoint in REST API (tribela)
- Fix media descriptions not being used for client-side filtering (ClearlyClaire)
- Fix cold-start follow recommendation favouring older accounts due to wrong sorting (noellabo)
- Fix not redirect to the right page after authenticating with WebAuthn (heguro)
- Fix searching for additional hashtags in hashtag column (ClearlyClaire)
- Fix color of hashtag column settings inputs (ClearlyClaire)
- Fix performance of tootctl statuses remove (noellabo)
- Fix tootctl accounts cull not excluding domains on timeouts and certificate issues (ClearlyClaire)
- Fix 404 error when filtering admin action logs by non-existent target account (ClearlyClaire)
- Fix error when accessing streaming API without any OAuth scopes (Brawaru)
- Fix follow request count not updating when new follow requests arrive over streaming API in web UI (matildepark)
- Fix error when unsuspending a local account (HolgerHuo)
- Fix crash when a notification contains a not yet processed media attachment in web UI (ClearlyClaire)
- Fix wrong color of download button in audio player in web UI (ClearlyClaire)
- Fix notes for others accounts not being deleted when an account is deleted (ClearlyClaire)
- Fix error when logging occurrence of unsupported video file (noellabo)
- Fix wrong elements in trends widget being hidden on smaller screens in web UI (tribela)
- Fix link to about page being displayed in limited federation mode (weex)
- Fix styling of boost button in media modal not reflecting ability to boost (ClearlyClaire)
- Fix OCR failure when erroneous lang data is in cache (ClearlyClaire)
- Fix downloading media from blocked domains in tootctl media refresh (tribela)
- Fix login form being displayed on landing page when already logged in (ClearlyClaire)
- Fix polling for media processing status too frequently in web UI (tribela)
- Fix hashtag autocomplete overriding user-typed case (weex)
- Fix WebAuthn authentication setup to not prompt for PIN (truongnmt)
Security
- Fix being able to post URLs longer than 4096 characters (Gargron)
- Fix being able to bypass e-mail restrictions (Gargron)
Upgrade notes
To get the code for v3.5.0, use git fetch && git checkout v3.5.0.
As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump
ℹ️ Some S3-compatible storage providers (such as Tencent Cloud Object Storage) may require setting S3_FORCE_SINGLE_REQUEST=true to properly handle some requests.
ℹ️ OAUTH_REDIRECT_AT_SIGN_IN, which wasn’t working as intended, has been replaced by an OMNIAUTH_ONLY environment variable that should address the same use case
Dependencies
Compatibility with Elasticsearch 6.x and earlier has been dropped, and Elasticsearch 7.x is now required for the optional full-text search feature. Other external dependencies have not changed, although the default Ruby version has changed if you are using rbenv (see below). To summarize, the dependency requirements for v3.5.0rc3 are:
- Ruby: 2.6 up to 3.1
- PostgreSQL: 9.5 or newer
- Elasticsearch (optional, for full-text search): 7.x
- Redis: 4 or newer
- Node: 12 or newer
Update steps
The following instructions are for updating from 3.4.6.
If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations or dependency updates.
Docker-only:
The PostgreSQL container version in our docker-compose.yml configuration has been changed from 9.6 to 14 due to EOL (End-of-Life) of 9.6. Detailed instructions on how to migrate your data is available here.
Non-Docker only:
- If you are using rbenv, update the list of available versions and install Ruby 3.0.3 by doing RUBY_CONFIGURE_OPTS=–with-jemalloc rbenv install 3.0.3
- Install dependencies: bundle install and yarn install
Both Docker and non-Docker:
- Run the pre-deployment database migrations by specifying the SKIP_POST_DEPLOYMENT_MIGRATIONS=true environment variable:
- Non-Docker: SKIP_POST_DEPLOYMENT_MIGRATIONS=true RAILS_ENV=production bundle exec rails db:migrate
- Docker: docker-compose run --rm -e SKIP_POST_DEPLOYMENT_MIGRATIONS=true web rails db:migrate
- Precompile the assets:
- Non-Docker: RAILS_ENV=production bundle exec rails assets:precompile
- Docker: The assets are already precompiled during the build step
- Restart all Mastodon processes
- Clear cache:
- Non-Docker: RAILS_ENV=production bin/tootctl cache clear
- Docker: docker-compose run --rm web bin/tootctl cache clear
- Now that the new code is running, we can finish the database migrations. This will run the post-deployment ones:
- Non-Docker: RAILS_ENV=production bundle exec rails db:migrate
- Docker: docker-compose run --rm web rails db:migrate
- Restart all Mastodon processes
Translators
- Kristaps_M (Latvian)
- Cyax (Cyaxares) (Kurmanji (Kurdish))
- Sveinn í Felli (sveinki) (Icelandic)
- Kimmo Kujansuu (mrkujansuu) (Finnish)
- Jeong Arm (Kjwon15) (Spanish, Japanese, Korean, Esperanto)
- xatier (Chinese Traditional, Chinese Traditional, Hong Kong)
- Thai Localization (thl10n) (Thai)
- spla (Catalan)
- NCAA (French, Danish)
- Emanuel Pina (emanuelpina) (Portuguese)
- GunChleoc (Scottish Gaelic)
- Xosé M. (XoseM) (Galician)
- Hồ Nhất Duy (honhatduy) (Vietnamese)
- T. E. Kalaycı (tekrei) (Turkish)
- ケインツロ 👾 (KNTRO) (Spanish, Argentina)
- e (diveedd) (Kurmanji (Kurdish))
- Jeff Huang (s8321414) (Chinese Traditional)
- Besnik_b (Albanian)
- Nurul Azeera Hidayah @ Muhammad Nur Hidayat Yasuyoshi (MNH48.moe) (mnh48) (Malay)
- koyu (German)
- Ramdziana F Y (rafeyu) (Indonesian)
- calypsoopenmail (French)
- Alessandro Levati (Oct326) (Italian)
- Bran_Ruz (Breton)
- Tigran (tigransimonyan) (Armenian)
- Allen Zhong (AstroProfundis) (Chinese Simplified)
- Daniele Lira Mereb (danilmereb) (Portuguese, Brazilian)
- Zoltán Gera (gerazo) (Hungarian)
- Martin (miles) (Slovenian)
- Gearguy (Finnish)
- Marek Ľach (mareklach) (Slovak)
- Eshagh (eshagh79) (Persian)
- Asier Iturralde Sarasola (aldatsa) (Basque)
- Takeçi (polygoat) (French, Italian)
- Roboron (Spanish)
- Ihor Hordiichuk (ihor_ck) (Ukrainian)
- xpil (Polish)
- Tagomago (tagomago) (Spanish)
- Rojdayek (Kurmanji (Kurdish))
- Ondřej Pokorný (unextro) (Czech)
- Kristoffer Grundström (Umeaboy) (Swedish)
- Alexander Sorokin (Brawaru) (Portuguese, Russian, Vietnamese)
- Joene (joenepraat) (Dutch)
- ButterflyOfFire (BoFFire) (French, Arabic, Kabyle)
- Balázs Meskó (mesko.balazs) (Czech, Hungarian)
- Catalina (catalina.st) (Romanian)
- Manuel Viens (manuelviens) (French)
- LNDDYL (Chinese Traditional)
- Danial Behzadi (danialbehzadi) (Persian)
- Vik (ViktorOn) (Danish, Russian)
- GCardo (Portuguese, Brazilian)
- enolp (Asturian)
- NadieAishi (Spanish, Mexico)
- Just Spanish (7_7) (Spanish, Mexico)
- bilfri (Danish)
- VaiTon (Italian)
- Frontier Translation Ltd. (frontier-translation) (Chinese Simplified)
- Mastodon 中文译者 (mastodon-linguist) (Chinese Simplified)
- rondnunes (Portuguese, Brazilian)
- Edward Navarro (EdwardNavarro) (Spanish)
- ClearlyClaire (French)
- Kahina Mess (K_hina) (Kabyle)
- GiorgioHerbie (Italian)
- ManeraKai (Arabic)
- හෙළබස (HelaBasa) (Sinhala)
- retiolus (Catalan)
- stan ionut (stanionut12) (Romanian)
- Filbert Salim (gamesbert6) (Indonesian)
- ahangarha (Persian)
- Rex_sa (rex07) (Arabic)
- Sokratis Alichanidis (alichani) (Greek)
- axi (Finnish)
- Delta (Delta-Time) (Japanese)
- Ali Demirtaş (alidemirtas) (Turkish)
- Michael Zeevi (maze88) (Hebrew)
- SarfarazAhmed (Urdu (Pakistan))
- Mo_der Steven (SakuraPuare) (Chinese Simplified)
- Remito (remitocat) (Japanese)
- Maya Minatsuki (mayaeh) (Japanese)
- Врабац (Slovorad) (Serbian (Cyrillic))
- Dženan (Dzenan) (Swedish)
- FreddyG (Esperanto)
- Alix Rossi (palindromordnilap) (Corsican)
- cruz2020 (Portuguese)
- Adrián Graña (alaris83) (Spanish)
- vpei (Chinese Simplified)
- Ryo (DrRyo) (Korean)
- AlexKoala (alexkoala) (Korean)
- 1Alino (Slovak)
- Michał Sidor (michcioperz) (Polish)
- Vedran Serbu (SerenoXGen) (Croatian)
- Yi-Jyun Pan (pan93412) (Chinese Traditional)
- Y.Yamashiro (uist1idrju3i) (Japanese)
- al_._ (German, Russian)
- Matthías Páll Gissurarson (icetritlo) (Icelandic)
- KcKcZi (Chinese Simplified)
- xsml (Chinese Simplified)
- cybergene (cyber-gene) (Japanese)
- mynameismonkey (Welsh)
- Rikard Linde (rikardlinde) (Swedish)
- strubbl (German)
- 北䑓如法 (Nyoho) (Japanese)
- Hexandcube (hexandcube) (Polish)
- abidin toumi (Zet24) (Arabic)
- serapolis (Japanese, Chinese Simplified, Chinese Traditional, Chinese Traditional, Hong Kong)
- Diluns (Occitan)
- 游荡 (MamaShip) (Chinese Simplified)
- megaleo (Portuguese, Brazilian)
- arielcostas3 (Galician)
- sanser (Russian)
- Imre Kristoffer Eilertsen (DandelionSprout) (Norwegian)
- Yamagishi Kazutoshi (ykzts) (Japanese, Vietnamese, Icelandic)
- MODcraft (Chinese Simplified)
- Marcus Myge (mygg-priv) (Norwegian)
- Yuval Nehemia (yuvalne) (Hebrew)
- Amir Reza (ElAmir) (Persian)
- Percy (kecrily) (Chinese Simplified)
- Marek Ľach (marek-lach) (Slovak)
- Nemuj (Dentrado) (Japanese, Esperanto)
- revarioba (Spanish)
- Oymate (Bengali)
- Ifnuth (German)
- 森の子リスのミーコの大冒険 (Phroneris) (Japanese)
- Algustionesa Yoshi (algustionesa) (Indonesian)
- Artem Mikhalitsin (artemmikhalitsin) (Russian)
- gnu-ewm (Polish)
- Tatsuto “Laminne” Yamamoto (laminne) (Japanese)
- filippodb (Italian)
- Maciej Błędkowski (mble) (Polish)
- tunisiano187 (French)
- Timur Seber (seber) (Tatar)
- Mélanie Chauvel (ariasuni) (French, Esperanto)
- Jona (88wcJoWl) (Spanish)
- Ka2n (kaanmetu) (Turkish)
- atriix (Swedish)
- eorn (Breton)
- Lagash (lagash) (Esperanto)
- Chine Sebastien (chine.sebastien) (French)
- Exbu (Dutch)
- A A (sebastien.chine) (French)
- Goudarz Jafari (Goudarz) (Persian)
- Cirelli (cirelli94) (Italian)
- ギャラ (gyara) (Chinese Simplified)
- siamano (Thai)
- Siddharastro Doraku (sidharastro) (Spanish, Mexico)
- asnomgtu (Hungarian)
- Saederup92 (Danish)
- damascene (Arabic)
- dbeaver (German)
- Overflow Cat (OverflowCat) (Chinese Simplified, Chinese Traditional)
- rikrise (Swedish)
- zordsdavini (Lithuanian)
- ThonyVezbe (Breton)
- Slimane Selyan AMIRI (SelyanKab) (Kabyle)
- coxde (Chinese Simplified)
- Maxine B. Vågnes (vagnes) (Norwegian, Norwegian Nynorsk)
- tzium (Sardinian)
- Umi (mtrumi) (Chinese Simplified, Chinese Traditional, Hong Kong)
- Youngeon Lee (YoungeonLee) (Korean)
- Nikita Epifanov (Nikets) (Russian)
- DAI JIE (daijie) (Chinese Simplified)
- X.M (kimonoki) (Chinese Simplified)
- ZQYD (Chinese Simplified)
- v4vachan (Malayalam)
- boni777 (Chinese Simplified)
- Rhys Harrison (rhedders) (Esperanto)
- Stanisław Jelnicki (JelNiSlaw) (Polish)
- iVampireSP (Chinese Simplified)
- nua_kr (Korean)
- SteinarK (Norwegian Nynorsk)
- Paula SIMON (EncoreEutIlFalluQueJeLeSusse) (French)
- CloudSet (Chinese Simplified)
- Adam Sapiński (Adamos9898) (Polish)
- Zlr- (cZeler) (French)
- papayaisnotafood (Chinese Traditional)
- Linnéa (lesbian_subnet) (Swedish)
- Parodper (Galician)
- César Daniel Cavanzo Quintero (LeinadCQ) (Esperanto)
- Artem (Artem4ik) (Russian)
- EzigboOmenana (Cornish)
- Mt Front (mtfront) (Chinese Simplified)
- mkljczk (Polish)
- Lalo Tafolla (lalotafo) (Spanish, Mexico)
- Yassine Aït-El-Mouden (yaitelmouden) (Standard Moroccan Tamazight)
- frumble (German)
- ronee (Kurmanji (Kurdish))
- lokalisoija (Finnish)
- Jason Gibson (barberpike606) (Slovenian, Chinese Simplified)
- María José Vera (mjverap) (Spanish)
- codl (French)
- Tangcuyu (Chinese Simplified)
- Lilian Nabati (Lilounab49) (French)
- Kaede (kaedech) (Japanese)
- mawoka-myblock (mawoka) (German)
- Mohd Bilal (mdb571) (Malayalam)
- Ragnars Eggerts (rmegg1933) (Latvian)
- thisdudeisvegan (braydofficial) (German)
- liffon (Swedish)
- Holger Huo (holgerhuo) (Chinese Simplified)
- Pukima (Pukimaa) (German)
- HSD Channel (kvdbve34) (Russian)
- pullopen (Chinese Simplified)
- hud5634j (Spanish)
- Patrice Boivin (patriceboivin58) (French)
- Jill H. (kokakiwi) (French)
- maksutheam (Finnish)
- majorblazr (Danish)
- 江尚寒 (jiangshanghan) (Chinese Simplified)
- Balázs Meskó (meskobalazs) (Hungarian)
- soheilkhanalipur (Persian)
- Vanege (Esperanto)