[chore]: Bump github.com/microcosm-cc/bluemonday from 1.0.26 to 1.0.27 (#3081)
[chore]: Bump golang.org/x/crypto from 0.24.0 to 0.25.0 (#3080)
[chore] upstep activity to v1.7.0-gts (#3074)
[chore] Update ncruces/go-sqlite3 to 0.17 (#3072)
This fixes some linkname shenanigans previous versions of the library
were using. It's now safe to upgrade to Go 1.23 and beyond once they
become available.
[bugfix] Handle ErrHideStatus when preparing timeline statuses (#3071)
[feature] Set some security related headers (#3065)
* Set frame-ancestors in the CSP
This ensures we can't be loaded/embedded in an iframe. It also sets the
older X-Frame-Options for fallback.
* Disable MIME type sniffing
* Set Referrer-Policy
This sets the policy such that browsers will never send the Referer
header along with a request, unless it's a request to the same protocol,
host/domain and port. Basically, only send it when navigating through
our own UI, but not anything external.
The default is strict-origin-when-cross-origin when unset, which sends
the Referer header for requests unless it's going from HTTPS to HTTP
(i.e. a security downgrade, hence the 'strict').
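
Added example, not part of the commit log and not GoToSocial's own code: a net/http middleware that sets the four headers described in the commit above, plus a check that reports which of them a handler fails to send. The names `securityHeaders` and `audit` are hypothetical, and the header values are assumptions chosen to match the behaviour the commit message describes.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// securityHeaders is a hypothetical middleware; the header values are assumptions.
func securityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("Content-Security-Policy", "frame-ancestors 'none'") // refuse embedding
		h.Set("X-Frame-Options", "DENY")                           // fallback for older browsers
		h.Set("X-Content-Type-Options", "nosniff")                 // disable MIME sniffing
		h.Set("Referrer-Policy", "same-origin")                    // Referer only to our own origin
		next.ServeHTTP(w, r)
	})
}

// audit serves one request through handler and lists the protections it lacks.
func audit(handler http.Handler) []string {
	rec := httptest.NewRecorder()
	handler.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	h := rec.Result().Header
	missing, framed := []string{}, false
	for _, policy := range h.Values("Content-Security-Policy") {
		for _, d := range strings.Split(policy, ";") {
			f := strings.Fields(d)
			framed = framed || (len(f) > 0 && strings.EqualFold(f[0], "frame-ancestors"))
		}
	}
	if !framed {
		missing = append(missing, "frame-ancestors")
	}
	for _, kv := range [][2]string{{"X-Frame-Options", "DENY"},
		{"X-Content-Type-Options", "nosniff"}, {"Referrer-Policy", "same-origin"}} {
		if !strings.EqualFold(strings.TrimSpace(h.Get(kv[0])), kv[1]) {
			missing = append(missing, kv[0])
		}
	}
	return missing
}

func main() {
	page := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "ok") })
	fmt.Println("bare handler:", audit(page))
	fmt.Println("with middleware:", audit(securityHeaders(page)))
}
```

A handler that sends the browser default `strict-origin-when-cross-origin` is reported as missing `Referrer-Policy`, since that value still sends the origin to external sites.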
[chore] Allow gtsmodel to depend on util (#3068)
Convert one free function into a gtsmodel.Emoji method so that util does not depend on gtsmodel and can be used from it in the future
[docs] Update how to enable http2 on nginx (#3066)
Since 1.25.1 the newer 'http2 on;' syntax should be used. The previous
syntax still works, but throws warnings when testing the configuration
with 'nginx -t'.
This also updates the certbot template to match what's currently
generated. It removes ipv6only=on as that's the default on a listen
directive binding on a wildcard IPv6 address.
[bugfix] update SignupURL routing in email template. (#3055)
[bugfix] use instance configured emoji maxsize on emoji update validation (#3056)
[feature] Default to WASM-based SQLite driver (#3053)
* [feature] Default to WASM-based SQLite driver
With 0.16 out this switches our default SQLite driver to the WASM-based
solution instead. So far the driver seems to perform just as well.
Switching our default should result in it getting a bit more testing
during the 0.17 development cycle.
* add the ol' john hancock
---------
Co-authored-by: tobi <tobi.smethurst@protonmail.com>
[bugfix] Fix typo in instance cache copyF (#3052)
[chore] Add envparsing test for advanced-header-filter-mode (#3051)
[docs] Tidy up API auth docs a little bit (#3050)
[chore] media and emoji refactoring (#3000)
* start updating media manager interface ready for storing attachments / emoji right away
* store emoji and media as uncached immediately, then (re-)cache on Processing{}.Load()
* remove now unused media workers
* fix tests and issues
* fix another test!
* fix emoji activitypub uri setting behaviour, fix remainder of test compilation issues
* fix more tests
* fix (most of) remaining tests, add debouncing to repeatedly failing media / emojis
* whoops, rebase issue
* remove kim's whacky experiments
* do some reshuffling, ensure emoji uri gets set
* ensure marked as not cached on cleanup
* tweaks to media / emoji processing to handle context canceled better
* ensure newly fetched emojis actually get set in returned slice
* use different varnames to be a bit more obvious
* move emoji refresh rate limiting to dereferencer
* add exported dereferencer functions for remote media, use these for recaching in processor
* add check for nil attachment in updateAttachment()
* remove unused emoji and media fields + columns
* see previous commit
* fix old migrations expecting image_updated_at to exist (from copies of old models)
* remove freshness checking code (seems to be broken...)
* fix error arg causing nil ptr exception
* finish documenting functions with comments, slight tweaks to media / emoji deref error logic
* remove some extra unneeded boolean checking
* finish writing documentation (code comments) for exported media manager methods
* undo changes to migration snapshot gtsmodels, updated failing migration to have its own snapshot
* move doesColumnExist() to util.go in migrations package
[docs] restructure federation section (#3038)
[chore]: Bump github.com/gorilla/feeds from 1.1.2 to 1.2.0 (#3035)
[docs] fix: traefik redirect regex (#3032)