Merge branch 'master' into glitch-soc/merge-upstream

Conflicts:
- `app/controllers/activitypub/collections_controller.rb`:
  Conflict due to glitch-soc having to take care of local-only
  pinned toots in that controller.
  Took upstream's changes and restored the local-only special
  handling.
- `app/controllers/auth/sessions_controller.rb`:
  Minor conflicts due to the theming system, applied upstream
  changes, adapted the following two files for glitch-soc's
  theming system:
  - `app/controllers/concerns/sign_in_token_authentication_concern.rb`
  - `app/controllers/concerns/two_factor_authentication_concern.rb`
- `app/services/backup_service.rb`:
  Minor conflict due to glitch-soc having to handle local-only
  toots specially. Applied upstream changes and restored
  the local-only special handling.
- `app/views/admin/custom_emojis/index.html.haml`:
  Minor conflict due to the theming system.
- `package.json`:
  Upstream dependency updated, too close to a glitch-soc-only
  dependency in the file.
- `yarn.lock`:
  Upstream dependency updated, too close to a glitch-soc-only
  dependency in the file.

app/helpers/application_helper.rb

@@ -137,6 +137,11 @@ module ApplicationHelper
       text: [params[:title], params[:text], params[:url]].compact.join(' '),
     }
 
+    permit_visibilities = %w(public unlisted private direct)
+    default_privacy     = current_account&.user&.setting_default_privacy
+    permit_visibilities.shift(permit_visibilities.index(default_privacy) + 1) if default_privacy.present?
+    state_params[:visibility] = params[:visibility] if permit_visibilities.include? params[:visibility]
+
     if user_signed_in?
       state_params[:settings]          = state_params[:settings].merge(Web::Setting.find_by(user: current_user)&.data || {})
       state_params[:push_subscription] = current_account.user.web_push_subscription(current_session)

app/helpers/webfinger_helper.rb

@@ -1,5 +1,16 @@
 # frozen_string_literal: true
 
+# Monkey-patch on monkey-patch.
+# Because it conflicts with the request.rb patch.
+class HTTP::Timeout::PerOperationOriginal < HTTP::Timeout::PerOperation
+  def connect(socket_class, host, port, nodelay = false)
+    ::Timeout.timeout(@connect_timeout, HTTP::TimeoutError) do
+      @socket = socket_class.open(host, port)
+      @socket.setsockopt(Socket::IPPROTO_TCP, Socket::TCP_NODELAY, 1) if nodelay
+    end
+  end
+end
+
 module WebfingerHelper
   def webfinger!(uri)
     hidden_service_uri = /\.(onion|i2p)(:\d+)?$/.match(uri)
@@ -12,6 +23,14 @@ module WebfingerHelper
       headers: {
         'User-Agent': Mastodon::Version.user_agent,
       },
+
+      timeout_class: HTTP::Timeout::PerOperationOriginal,
+
+      timeout_options: {
+        write_timeout: 10,
+        connect_timeout: 5,
+        read_timeout: 10,
+      },
     }
 
     Goldfinger::Client.new(uri, opts.merge(Rails.configuration.x.http_client_proxy)).finger