Pinafore v1.18.1 is a small bugfix release. Thanks to @shadow8t4 for fixing the Docker file! https://github.com/nolanlawson/pinafore/releases/tag/v1.18.1
Whoohoo, a shiny new version of @pinafore ! With a new Emoji picker! 😄 And totally accessible! 👍️
There are also some bugfixes in this release, notably for iOS Safari. See the full release notes for details: https://github.com/nolanlawson/pinafore/releases/tag/v1.18.0
Typically, the only thing you need to do to update is to press the refresh button. See https://pinafore.social/settings/about to check your version number.
Emoji update! Pinafore has a new emoji picker (https://github.com/nolanlawson/emoji-picker-element), which is faster and lower-memory than the previous one. It also supports more emoji, up to the latest (v13) if your OS supports it. https://github.com/nolanlawson/pinafore/pull/1804#issuecomment-651258463
You can also type things like ":grin" to search for both native emoji and custom emoji. Mouse users may also hover the emoji to see the shortcodes.
Pinafore v1.18.0 released! https://github.com/nolanlawson/pinafore/releases/tag/v1.18.0 (thread)
The main feature of this release is that the focus ring (i.e. the glowing outline around buttons and links) should be less prominent for mouse users. If you prefer to use the keyboard to navigate, then nothing should change. This follows a new web standard called "focus-visible."
If you prefer the old behavior, you can enable "Always show focus ring" in the settings.
Loading threads when clicking on statuses should also be faster.
@nolan It is nice to see that Pinafore supports use of Markdown codes in posts for GlitchSoc instances --
* doesn't strip the inserted codes from the post.
* and displays the result later as it would appear on the GS instance
...where Markdown is selected in user preferences as the default Toot Format option.
Lovely client. Thanks again.
(screenshot taken from inside Pinafore, at Koyu.space)
This release adds a Docker compose for self-hosters (thanks @shadow8t4!) and fixes a bug where polls weren't properly hidden on toots with content warnings. Enjoy!
And while I still have media on my mind, here's a friendly reminder that if you post images to your timeline, give them descriptions. Blind people like myself really appreciate them. One really awesome thing about the fediverse is that in my experience most people actually do this, which is just amazing.
Looks like the @pinafore update that came out today to patch a security issue also incorporates some improvements to how toots that include media are presented to screen readers which I suggested some time ago. It's not perfect, but finding out if a toot has media and what kind it is is much easier now, so it's very much appreciated! :)
(Worth noting is that Mastodon by default will sanitize all HTML, so you don't have to worry about malicious instances federating content to well-behaved instances.)
Here's an example attack vector that CSP blocks: if you sign into a malicious instance, that instance might include <script> tags in the HTML content of a toot. Since Pinafore directly injects this HTML into the page, these scripts could read your locally-stored data, even if it belonged to *another* instance you were logged into.
However, Pinafore's CSP disallows arbitrary inline scripts, so this attack vector is impossible.
In practice, Pinafore is unlikely to have serious security vulnerabilities because it's deployed as a static site that doesn't run any server-side logic. (The flagship site uses Vercel's "static build," and for self-hosters it's a basic Express.js app.)
The main source of potential vulnerabilities is therefore client-side, which is why Pinafore has very strict CSP (Content Security Policy) headers. On Mozilla Observatory, Pinafore earns an A+ security score. https://observatory.mozilla.org/analyze/pinafore.social
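The property these posts rely on, that the policy gives injected inline scripts no way to run, can be checked against any CSP header value a self-hosted deployment sends. The following is an added example, not code from Pinafore or from these posts; the function names and the sample policies are constructed for illustration and are not Pinafore's actual header.

```javascript
// Added example. The policies in `samples` are constructed, not Pinafore's real header.

// Parse a Content-Security-Policy value into a map of directive -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored by browsers: the first one wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Would an injected <script>...</script> carrying no nonce be allowed to run?
function inlineScriptVerdict(header) {
  const d = parseCsp(header);
  // Inline <script> elements are governed by script-src-elem, falling back
  // to script-src, then to default-src.
  const list = d.get('script-src-elem') ?? d.get('script-src') ?? d.get('default-src');
  if (list === undefined) {
    return { allowed: true, reason: 'no script-src or default-src directive' };
  }
  const sources = list.map((s) => s.toLowerCase());
  // CSP Level 3: 'unsafe-inline' is ignored when a nonce, a hash or
  // 'strict-dynamic' appears in the same source list.
  const overridden = sources.some(
    (s) => s === "'strict-dynamic'" || /^'(nonce|sha256|sha384|sha512)-/.test(s)
  );
  if (sources.includes("'unsafe-inline'") && !overridden) {
    return { allowed: true, reason: "'unsafe-inline' applies to scripts" };
  }
  return { allowed: false, reason: 'no source expression permits un-nonced inline script' };
}

const samples = [
  "default-src 'self'; script-src 'self'; object-src 'none'",
  "default-src 'self'; script-src 'self' 'unsafe-inline'",
  "script-src 'nonce-Zm9vYmFy' 'unsafe-inline'",
  "img-src 'self'",
];
for (const policy of samples) {
  const v = inlineScriptVerdict(policy);
  console.log(`${v.allowed ? 'ALLOWED' : 'blocked'}  ${policy}  [${v.reason}]`);
}
```

The check covers only the enforced `Content-Security-Policy` header; a `Content-Security-Policy-Report-Only` header blocks nothing.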
🕫 For those who self-host Pinafore: a vulnerability was discovered in Sapper (Pinafore's UI framework). https://snyk.io/vuln/SNYK-JS-SAPPER-561051
However, it does *not* affect Pinafore, because Pinafore only runs Sapper in dev mode, not prod mode. Just to be safe, though, Pinafore v1.15.9 contains the security fix. https://github.com/nolanlawson/pinafore/pull/1757
This release contains some performance fixes, accessibility fixes, and bug fixes. Enjoy!
Alternative web client for Mastodon. Free and open-source, built by @nolan and contributors.