What's Changed
- Trim dev-only lint configs from the release archive by @pfefferle in #3214
- Require PKCE by default for public OAuth clients by @pfefferle in #3222
- Require PHPUnit 9.6.33+ (CVE-2026-24765) by @pfefferle in #3224
- Respect force_signature in Delete handler's deferred verification by @pfefferle in #3223
- Enforce caller ownership on OAuth token revocation by @pfefferle in #3221
- Harden HTTP signature verification against replay by @pfefferle in #3212
- Sanitize inbox activity type to prevent action hook pollution by @pfefferle in #3227
- Harden OAuth client discovery and SSE proxy outbound requests by @pfefferle in #3228
- Resolve AAAA records in resolve_public_host so IPv6-only hosts work by @pfefferle in #3229
- Tighten clock tolerance on the deprecated signature verifier by @pfefferle in #3230
- Reject internal-address authority values on followers/sync at the route layer by @pfefferle in #3232
- Fail closed in OAuth rate limits when client IP can't be determined by @pfefferle in #3231
- Block additional reserved IPv6 ranges in resolve_public_host by @pfefferle in #3233
- Require signatures on HEAD requests to peer-only endpoints by @pfefferle in #3235
- Return 429 from the OAuth token endpoint when rate-limited by @pfefferle in #3236
- Decode percent-encoded authority before the followers/sync blocklist by @pfefferle in #3234
- Drop credentialed CORS reflection on ActivityPub REST endpoints by @pfefferle in #3237
- Stop trusting client-supplied proxy headers for rate-limit IP by default by @pfefferle in #3238
Full Changelog: 8.1.1...8.2.0