@dansup @mdwalters this is actually consistent with best practices: update immediately / as soon as possible, but we're aware people may take some time to upgrade, so we're allowing two weeks before releasing details.
Here's the advisory: https://github.com/pixelfed/pixelfed/security/advisories/GHSA-gccq-h3xj-jgvf
@thisismissem @dansup @mdwalters doesn't the git commit history already reveal everything? I'm not familiar with pixelfed's codebase, but it wont take me a lot of time to figure it out.