Hollo :hollo:

The recent Hollo 0.7.3 and 0.7.4 updates have improved interoperability with #Bonfire. The issue where sending/receiving DMs or mutual following with Bonfire wasn't working properly has been resolved.

Hollo 0.7.0 will introduce advanced search operators!

You'll be able to filter posts using operators like has:media, is:sensitive, language:en, from:username, date ranges with before: and after:, and combine them with OR and negation (-).

For example: cat has:media -is:sensitive

Full documentation: https://canary.docs.hollo.social/search/.

We have released Hollo 0.6.19 to address a security vulnerability in Fedify's HTML parsing code.

This vulnerability (CVE-2025-68475) is a ReDoS (Regular Expression Denial of Service) issue that could allow an attacker to cause service unavailability by sending specially crafted HTML responses during federation operations. The malicious payload is small (approximately 170 bytes) but can block the Node.js event loop for extended periods.

We strongly recommend all Hollo operators upgrade to version 0.6.19 immediately.

#Hollo #Security #Fediverse #ActivityPub

#Hollo 0.7 brings a redesigned #notification system with much better performance. We've moved from generating #notifications on-demand to storing them as they happen, which makes the notifications endpoint about 60% faster. We've also added response compression (though if you're using a reverse proxy, you probably had this already).

More notably, Hollo 0.7 implements Mastodon's v2 grouped notifications API. Notifications like favorites, follows, and reblogs targeting the same post or account are now grouped together server-side, reducing clutter. Clients that support the new API (introduced in #Mastodon 4.3) will show cleaner, more organized notifications automatically.

Hollo 0.7 is still in development, but we're excited to share it with you when it's ready!

@nshki@ruby.social Thanks for your interest in Hollo!

While we don't have officially documented minimum requirements yet, Hollo is designed for single-user instances and is significantly lighter than multi-user software like Mastodon or Misskey.

Rough guidelines:

• RAM: 2GB recommended (including Node.js and PostgreSQL)
• CPU: 1 vCPU/core should be sufficient
• Storage: 10GB+ (depending on media storage needs)
• Database: PostgreSQL 17+

Real-world deployment:

• Works well on basic VPS plans ($5–10/month tier)
• Runs smoothly on DigitalOcean Droplets, Linode, Vultr starter plans
• Railway's Hobby plan handles it fine
• ARM processors are supported (the official hollo.social instance runs on ARM)

Storage considerations:

• If storing media locally, plan for additional disk space
• Using S3-compatible object storage can help reduce local storage requirements
• Resource usage scales with the number of accounts you follow and federation activity

Since it's single-user software, you can start with minimal resources and adjust as needed based on your actual usage patterns.

We've released #Hollo 0.6.12 to fix a critical privacy #vulnerability where direct messages were being exposed in the replies section of public posts. Please update your instances immediately to ensure your private conversations remain private.

#security

Hollo 0.6.11 significantly improves Bluesky interoperability via BridgyFed! Fixed AT Protocol URI parsing issues that were affecting various cross-platform interactions—not just likes, but overall federation with Bluesky users. 🌉

We've released #security updates for #Hollo (0.4.12, 0.5.7, and 0.6.6) to address a #vulnerability in the underlying #Fedify framework. These updates incorporate the latest Fedify security patches that fix CVE-2025-54888.

We strongly recommend all Hollo instance administrators update to the latest version for their respective release branch as soon as possible.

Update Instructions:

• Railway users: Go to your project dashboard, select your Hollo service, click the three dots menu in deployments, and choose “Redeploy”
• Docker users: Pull the latest image with docker pull ghcr.io/fedify-dev/hollo:latest and restart your containers
• Manual installations: Run git pull to get the latest code, then pnpm install and restart your service

🚨 Security Update: Hollo 0.6.5 Released

We've released #Hollo 0.6.5 with a critical #security fix for CVE-2025-53941, addressing an HTML injection vulnerability in federated posts.

Please #update immediately to protect your instance from potential phishing and XSS attacks.

How to update:

• Railway: Go to deployments → click three dots → Redeploy
• Docker: docker pull ghcr.io/fedify-dev/hollo:latest and restart
• Manual: git pull origin stable && pnpm install and restart server

Just dropped Hollo 0.6.4 with a minor bug fix.

What client apps do you use with #Hollo?

🚨 Known Issue: Elk (@elk@m.webtoo.ls) login may fail on Hollo instances upgraded from 0.5.x to 0.6.x with 401 Unauthorized errors. Fresh 0.6.x installs work fine. Other clients (Phanpy, Moshidon) are unaffected.

We're investigating: https://github.com/fedify-dev/hollo/issues/167

Workaround: Use alternative clients like Phanpy (@phanpy@hachyderm.io) for now.