Merge branch 'develop' into mkjs-n

2024-11-23 09:23:09 +02:00 · 2023-06-30 07:16:14 +00:00 · 2023-06-30 07:16:14 +00:00 · f4cc9e3d2e
commit f4cc9e3d2e
parent 4d021f315f 1b1f82a2e2
72 changed files with 4617 additions and 4865 deletions
--- a/package.json
+++ b/package.json
@ -56,11 +56,11 @@
 	"devDependencies": {
 		"@types/gulp": "4.0.10",
 		"@types/gulp-rename": "2.0.1",
-		"@typescript-eslint/eslint-plugin": "5.59.8",
-		"@typescript-eslint/parser": "5.59.8",
+		"@typescript-eslint/eslint-plugin": "5.60.0",
+		"@typescript-eslint/parser": "5.60.0",
 		"cross-env": "7.0.3",
-		"cypress": "12.13.0",
-		"eslint": "8.41.0",
+		"cypress": "12.15.0",
+		"eslint": "8.43.0",
 		"start-server-and-test": "2.0.0"
 	},
 	"optionalDependencies": {
--- a/packages/backend/.swcrc
+++ b/packages/backend/.swcrc
@ -17,7 +17,7 @@
 		"paths": {
 			"@/*": ["*"]
 		},
-		"target": "es2021"
+		"target": "es2022"
 	},
 	"minify": false
 }
--- a/packages/backend/package.json
+++ b/packages/backend/package.json
@ -54,32 +54,32 @@
 		"@aws-sdk/client-s3": "3.321.1",
 		"@aws-sdk/lib-storage": "3.321.1",
 		"@aws-sdk/node-http-handler": "3.321.1",
-		"@bull-board/api": "5.2.0",
-		"@bull-board/fastify": "5.2.0",
-		"@bull-board/ui": "5.2.0",
+		"@bull-board/api": "5.5.3",
+		"@bull-board/fastify": "5.5.3",
+		"@bull-board/ui": "5.5.3",
 		"@discordapp/twemoji": "14.1.2",
-		"@fastify/accepts": "4.1.0",
+		"@fastify/accepts": "4.2.0",
 		"@fastify/cookie": "8.3.0",
 		"@fastify/cors": "8.3.0",
-		"@fastify/http-proxy": "9.1.0",
-		"@fastify/multipart": "7.6.0",
+		"@fastify/http-proxy": "9.2.1",
+		"@fastify/multipart": "7.7.0",
 		"@fastify/static": "6.10.2",
 		"@fastify/view": "7.4.1",
-		"@nestjs/common": "9.4.2",
-		"@nestjs/core": "9.4.2",
-		"@nestjs/testing": "9.4.2",
+		"@nestjs/common": "10.0.3",
+		"@nestjs/core": "10.0.3",
+		"@nestjs/testing": "10.0.3",
 		"@peertube/http-signature": "1.7.0",
-		"@sinonjs/fake-timers": "10.2.0",
+		"@sinonjs/fake-timers": "10.3.0",
 		"@swc/cli": "0.1.62",
-		"@swc/core": "1.3.61",
+		"@swc/core": "1.3.66",
 		"accepts": "1.3.8",
 		"ajv": "8.12.0",
 		"archiver": "5.3.1",
 		"autwh": "0.1.0",
 		"bcryptjs": "2.4.3",
 		"blurhash": "2.0.5",
-		"bullmq": "3.15.0",
-		"cacheable-lookup": "6.1.0",
+		"bullmq": "4.1.0",
+		"cacheable-lookup": "7.0.0",
 		"cbor": "9.0.0",
 		"chalk": "5.2.0",
 		"chalk-template": "0.4.0",
@ -90,23 +90,24 @@
 		"date-fns": "2.30.0",
 		"deep-email-validator": "0.1.21",
 		"escape-regexp": "0.0.1",
-		"fastify": "4.17.0",
+		"fastify": "4.18.0",
 		"feed": "4.2.2",
-		"file-type": "18.4.0",
+		"file-type": "18.5.0",
 		"fluent-ffmpeg": "2.1.2",
 		"form-data": "4.0.0",
-		"got": "12.6.0",
+		"got": "13.0.0",
 		"happy-dom": "9.20.3",
 		"hpagent": "1.2.0",
 		"ioredis": "5.3.2",
 		"ip-cidr": "3.1.0",
+		"ipaddr.js": "2.1.0",
 		"is-svg": "4.3.2",
 		"js-yaml": "4.1.0",
 		"jsdom": "22.1.0",
 		"json5": "2.2.3",
 		"jsonld": "8.2.0",
 		"jsrsasign": "10.8.6",
-		"meilisearch": "0.32.5",
+		"meilisearch": "0.33.0",
 		"mfm-js": "0.23.3",
 		"mime-types": "2.1.35",
 		"misskey-js": "workspace:*",
@ -120,7 +121,6 @@
 		"otpauth": "9.1.2",
 		"parse5": "7.1.2",
 		"pg": "8.11.0",
-		"private-ip": "3.0.0",
 		"probe-image-size": "7.2.3",
 		"promise-limit": "2.7.0",
 		"pug": "3.0.2",
@ -129,36 +129,34 @@
 		"qrcode": "1.5.3",
 		"random-seed": "0.3.0",
 		"ratelimiter": "3.4.1",
-		"re2": "1.19.0",
+		"re2": "1.19.1",
 		"redis-lock": "0.1.4",
 		"reflect-metadata": "0.1.13",
 		"rename": "1.0.4",
-		"rndstr": "1.0.0",
 		"rss-parser": "3.13.0",
 		"rxjs": "7.8.1",
 		"s-age": "1.1.2",
-		"sanitize-html": "2.10.0",
-		"seedrandom": "3.0.5",
-		"semver": "7.5.1",
+		"sanitize-html": "2.11.0",
+		"semver": "7.5.3",
 		"sharp": "0.32.1",
 		"sharp-read-bmp": "github:misskey-dev/sharp-read-bmp",
 		"slacc": "0.0.9",
 		"strict-event-emitter-types": "2.0.0",
 		"stringz": "2.1.0",
 		"summaly": "github:misskey-dev/summaly",
-		"systeminformation": "5.17.16",
+		"systeminformation": "5.18.4",
 		"tinycolor2": "1.6.0",
 		"tmp": "0.2.1",
 		"tsc-alias": "1.8.6",
 		"tsconfig-paths": "4.2.0",
 		"twemoji-parser": "14.0.0",
-		"typeorm": "0.3.16",
+		"typeorm": "0.3.17",
 		"typescript": "5.1.3",
 		"ulid": "2.3.0",
 		"unzipper": "0.10.14",
 		"uuid": "9.0.0",
 		"vary": "1.1.2",
-		"web-push": "3.6.1",
+		"web-push": "3.6.3",
 		"ws": "8.13.0",
 		"xev": "3.0.2"
 	},
@ -176,14 +174,15 @@
 		"@types/jest": "29.5.2",
 		"@types/js-yaml": "4.0.5",
 		"@types/jsdom": "21.1.1",
-		"@types/jsonld": "1.5.8",
+		"@types/jsonld": "1.5.9",
 		"@types/jsrsasign": "10.5.8",
 		"@types/mime-types": "2.1.1",
-		"@types/node": "20.2.5",
+		"@types/ms": "^0.7.31",
+		"@types/node": "20.3.1",
 		"@types/node-fetch": "3.0.3",
 		"@types/nodemailer": "6.4.8",
 		"@types/oauth": "0.9.1",
-		"@types/pg": "8.10.1",
+		"@types/pg": "8.10.2",
 		"@types/pug": "2.0.6",
 		"@types/punycode": "2.1.0",
 		"@types/qrcode": "1.5.0",
@ -198,16 +197,16 @@
 		"@types/tinycolor2": "1.4.3",
 		"@types/tmp": "0.2.3",
 		"@types/unzipper": "0.10.6",
-		"@types/uuid": "9.0.1",
+		"@types/uuid": "9.0.2",
 		"@types/vary": "1.1.0",
 		"@types/web-push": "3.3.2",
 		"@types/websocket": "1.0.5",
-		"@types/ws": "8.5.4",
-		"@typescript-eslint/eslint-plugin": "5.59.8",
-		"@typescript-eslint/parser": "5.59.8",
+		"@types/ws": "8.5.5",
+		"@typescript-eslint/eslint-plugin": "5.60.0",
+		"@typescript-eslint/parser": "5.60.0",
 		"aws-sdk-client-mock": "2.1.1",
 		"cross-env": "7.0.3",
-		"eslint": "8.41.0",
+		"eslint": "8.43.0",
 		"eslint-plugin-import": "2.27.5",
 		"execa": "6.1.0",
 		"jest": "29.5.0",
--- a/packages/backend/src/core/DownloadService.ts
+++ b/packages/backend/src/core/DownloadService.ts
@ -2,8 +2,7 @@ import * as fs from 'node:fs';
 import * as stream from 'node:stream';
 import * as util from 'node:util';
 import { Inject, Injectable } from '@nestjs/common';
-import IPCIDR from 'ip-cidr';
-import PrivateIp from 'private-ip';
+import ipaddr from 'ipaddr.js';
 import chalk from 'chalk';
 import got, * as Got from 'got';
 import { parse } from 'content-disposition';
@ -140,13 +139,14 @@ export class DownloadService {

 	@bindThis
 	private isPrivateIp(ip: string): boolean {
+		const parsedIp = ipaddr.parse(ip);
+
 		for (const net of this.config.allowedPrivateNetworks ?? []) {
-			const cidr = new IPCIDR(net);
-			if (cidr.contains(ip)) {
+			if (parsedIp.match(ipaddr.parseCIDR(net))) {
 				return false;
 			}
 		}

-		return PrivateIp(ip) ?? false;
+		return parsedIp.range() !== 'unicast';
 	}
 }
--- a/packages/backend/src/core/GlobalEventService.ts
+++ b/packages/backend/src/core/GlobalEventService.ts
@ -20,7 +20,7 @@ import type { Packed } from 'misskey-js';
 import { DI } from '@/di-symbols.js';
 import type { Config } from '@/config.js';
 import { bindThis } from '@/decorators.js';
-import { Role } from '@/models';
+import { Role } from '@/models/index.js';

@Injectable()
 export class GlobalEventService {
--- a/packages/backend/src/core/IdService.ts
+++ b/packages/backend/src/core/IdService.ts
@ -5,7 +5,7 @@ import type { Config } from '@/config.js';
 import { genAid, parseAid } from '@/misc/id/aid.js';
 import { genMeid, parseMeid } from '@/misc/id/meid.js';
 import { genMeidg, parseMeidg } from '@/misc/id/meidg.js';
-import { genObjectId } from '@/misc/id/object-id.js';
+import { genObjectId, parseObjectId } from '@/misc/id/object-id.js';
 import { bindThis } from '@/decorators.js';
 import { parseUlid } from '@/misc/id/ulid.js';

@ -38,7 +38,7 @@ export class IdService {
 	public parse(id: string): { date: Date; } {
 		switch (this.method) {
 			case 'aid': return parseAid(id);
-			case 'objectid':
+			case 'objectid': return parseObjectId(id);
 			case 'meid': return parseMeid(id);
 			case 'meidg': return parseMeidg(id);
 			case 'ulid': return parseUlid(id);
--- a/packages/backend/src/core/LoggerService.ts
+++ b/packages/backend/src/core/LoggerService.ts
@ -3,7 +3,7 @@ import { DI } from '@/di-symbols.js';
 import type { Config } from '@/config.js';
 import Logger from '@/logger.js';
 import { bindThis } from '@/decorators.js';
-import type { KEYWORD } from 'color-convert/conversions';
+import type { KEYWORD } from 'color-convert/conversions.js';

@Injectable()
 export class LoggerService {
--- a/packages/backend/src/core/QueueService.ts
+++ b/packages/backend/src/core/QueueService.ts
@ -400,11 +400,11 @@ export class QueueService {
 		this.deliverQueue.once('cleaned', (jobs, status) => {
 			//deliverLogger.succ(`Cleaned ${jobs.length} ${status} jobs`);
 		});
-		this.deliverQueue.clean(0, Infinity, 'delayed');
+		this.deliverQueue.clean(0, 0, 'delayed');

 		this.inboxQueue.once('cleaned', (jobs, status) => {
 			//inboxLogger.succ(`Cleaned ${jobs.length} ${status} jobs`);
 		});
-		this.inboxQueue.clean(0, Infinity, 'delayed');
+		this.inboxQueue.clean(0, 0, 'delayed');
 	}
 }
--- a/packages/backend/src/core/entities/UserEntityService.ts
+++ b/packages/backend/src/core/entities/UserEntityService.ts
@ -1,7 +1,7 @@
 import { Inject, Injectable } from '@nestjs/common';
 import { In, Not } from 'typeorm';
 import * as Redis from 'ioredis';
-import Ajv from 'ajv';
+import _Ajv from 'ajv';
 import { ModuleRef } from '@nestjs/core';
 import { DI } from '@/di-symbols.js';
 import type { Config } from '@/config.js';
@ -31,6 +31,7 @@ type IsMeAndIsUserDetailed<ExpectsMe extends boolean | null, Detailed extends bo
 		(Packed<'MeDetailed'> | Packed<'UserDetailedNotMe'>) :
 	Packed<'UserLite'>;

+const Ajv = _Ajv.default;
 const ajv = new Ajv();

 function isLocalUser(user: User): user is LocalUser;
--- a/packages/backend/src/logger.ts
+++ b/packages/backend/src/logger.ts
@ -4,7 +4,7 @@ import { default as convertColor } from 'color-convert';
 import { format as dateFormat } from 'date-fns';
 import { bindThis } from '@/decorators.js';
 import { envOption } from './env.js';
-import type { KEYWORD } from 'color-convert/conversions';
+import type { KEYWORD } from 'color-convert/conversions.js';

 type Context = {
 	name: string;
--- a/packages/backend/src/misc/generate-native-user-token.ts
+++ b/packages/backend/src/misc/generate-native-user-token.ts
@ -1,3 +1,3 @@
 import { secureRndstr } from '@/misc/secure-rndstr.js';

-export default () => secureRndstr(16, true);
+export default () => secureRndstr(16);
--- a/packages/backend/src/misc/get-ip-hash.ts
+++ b/packages/backend/src/misc/get-ip-hash.ts
@ -1,6 +1,6 @@
 import IPCIDR from 'ip-cidr';

-export function getIpHash(ip: string) {
+export function getIpHash(ip: string): string {
 	try {
 		// because a single person may control many IPv6 addresses,
 		// only a /64 subnet prefix of any IP will be taken into account.
--- a/packages/backend/src/misc/secure-rndstr.ts
+++ b/packages/backend/src/misc/secure-rndstr.ts
@ -1,10 +1,9 @@
 import * as crypto from 'node:crypto';

-const L_CHARS = '0123456789abcdefghijklmnopqrstuvwxyz';
+export const L_CHARS = '0123456789abcdefghijklmnopqrstuvwxyz';
 const LU_CHARS = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';

-export function secureRndstr(length = 32, useLU = true): string {
-	const chars = useLU ? LU_CHARS : L_CHARS;
+export function secureRndstr(length = 32, { chars = LU_CHARS } = {}): string {
 	const chars_len = chars.length;

 	let str = '';
--- a/packages/backend/src/queue/processors/ImportAntennasProcessorService.ts
+++ b/packages/backend/src/queue/processors/ImportAntennasProcessorService.ts
@ -1,5 +1,5 @@
 import { Injectable, Inject } from '@nestjs/common';
-import Ajv from 'ajv';
+import _Ajv from 'ajv';
 import { IdService } from '@/core/IdService.js';
 import { GlobalEventService } from '@/core/GlobalEventService.js';
 import Logger from '@/logger.js';
@ -10,6 +10,8 @@ import { QueueLoggerService } from '../QueueLoggerService.js';
 import { DBAntennaImportJobData } from '../types.js';
 import type * as Bull from 'bullmq';

+const Ajv = _Ajv.default;
+
 const validate = new Ajv().compile({
 	type: 'object',
 	properties: {
--- a/packages/backend/src/server/api/ApiCallService.ts
+++ b/packages/backend/src/server/api/ApiCallService.ts
@ -54,37 +54,30 @@ export class ApiCallService implements OnApplicationShutdown {
 		}, 1000 * 60 * 60);
 	}

-	@bindThis
-	public handleRequest(
-		endpoint: { name: string, meta: IEndpointMeta, exec: ExecutorWrapper },
-		request: FastifyRequest<{ Body: Record<string, unknown> | undefined, Querystring: Record<string, unknown> }>,
-		reply: FastifyReply,
-	) {
-		const body = request.method === 'GET'
-			? request.query
-			: request.body;
+	#sendApiError(reply: FastifyReply, err: ApiError): void {
+		let statusCode = err.httpStatusCode;
+		if (err.httpStatusCode === 401) {
+			reply.header('WWW-Authenticate', 'Bearer realm="Misskey"');
+		} else if (err.kind === 'client') {
+			reply.header('WWW-Authenticate', `Bearer realm="Misskey", error="invalid_request", error_description="${err.message}"`);
+			statusCode = statusCode ?? 400;
+		} else if (err.kind === 'permission') {
+			// (ROLE_PERMISSION_DENIEDは関係ない)
+			if (err.code === 'PERMISSION_DENIED') {
+				reply.header('WWW-Authenticate', `Bearer realm="Misskey", error="insufficient_scope", error_description="${err.message}"`);
+			}
+			statusCode = statusCode ?? 403;
+		} else if (!statusCode) {
+			statusCode = 500;
+		}
+		this.send(reply, statusCode, err);
+	}

-		const token = body?.['i'];
-		if (token != null && typeof token !== 'string') {
-			reply.code(400);
-			return;
-		}
-		this.authenticateService.authenticate(token).then(([user, app]) => {
-			this.call(endpoint, user, app, body, null, request).then((res) => {
-				if (request.method === 'GET' && endpoint.meta.cacheSec && !body?.['i'] && !user) {
-					reply.header('Cache-Control', `public, max-age=${endpoint.meta.cacheSec}`);
-				}
-				this.send(reply, res);
-			}).catch((err: ApiError) => {
-				this.send(reply, err.httpStatusCode ? err.httpStatusCode : err.kind === 'client' ? 400 : err.kind === 'permission' ? 403 : 500, err);
-			});
-
-			if (user) {
-				this.logIp(request, user);
-			}
-		}).catch(err => {
+	#sendAuthenticationError(reply: FastifyReply, err: unknown): void {
 		if (err instanceof AuthenticationError) {
-				this.send(reply, 403, new ApiError({
+			const message = 'Authentication failed. Please ensure your token is correct.';
+			reply.header('WWW-Authenticate', `Bearer realm="Misskey", error="invalid_token", error_description="${message}"`);
+			this.send(reply, 401, new ApiError({
 				message: 'Authentication failed. Please ensure your token is correct.',
 				code: 'AUTHENTICATION_FAILED',
 				id: 'b0a7f5f8-dc2f-4171-b91f-de88ad238e14',
@ -92,6 +85,41 @@ export class ApiCallService implements OnApplicationShutdown {
 		} else {
 			this.send(reply, 500, new ApiError());
 		}
+	}
+
+	@bindThis
+	public handleRequest(
+		endpoint: { name: string, meta: IEndpointMeta, exec: ExecutorWrapper },
+		request: FastifyRequest<{ Body: Record<string, unknown> | undefined, Querystring: Record<string, unknown> }>,
+		reply: FastifyReply,
+	): void {
+		const body = request.method === 'GET'
+			? request.query
+			: request.body;
+
+		// https://datatracker.ietf.org/doc/html/rfc6750.html#section-2.1 (case sensitive)
+		const token = request.headers.authorization?.startsWith('Bearer ')
+			? request.headers.authorization.slice(7)
+			: body?.['i'];
+		if (token != null && typeof token !== 'string') {
+			reply.code(400);
+			return;
+		}
+		this.authenticateService.authenticate(token).then(([user, app]) => {
+			this.call(endpoint, user, app, body, null, request).then((res) => {
+				if (request.method === 'GET' && endpoint.meta.cacheSec && !token && !user) {
+					reply.header('Cache-Control', `public, max-age=${endpoint.meta.cacheSec}`);
+				}
+				this.send(reply, res);
+			}).catch((err: ApiError) => {
+				this.#sendApiError(reply, err);
+			});
+
+			if (user) {
+				this.logIp(request, user);
+			}
+		}).catch(err => {
+			this.#sendAuthenticationError(reply, err);
 		});
 	}

@ -100,7 +128,7 @@ export class ApiCallService implements OnApplicationShutdown {
 		endpoint: { name: string, meta: IEndpointMeta, exec: ExecutorWrapper },
 		request: FastifyRequest<{ Body: Record<string, unknown>, Querystring: Record<string, unknown> }>,
 		reply: FastifyReply,
-	) {
+	): Promise<void> {
 		const multipartData = await request.file().catch(() => {
 			/* Fastify throws if the remote didn't send multipart data. Return 400 below. */
 		});
@ -118,7 +146,10 @@ export class ApiCallService implements OnApplicationShutdown {
 			fields[k] = typeof v === 'object' && 'value' in v ? v.value : undefined;
 		}

-		const token = fields['i'];
+		// https://datatracker.ietf.org/doc/html/rfc6750.html#section-2.1 (case sensitive)
+		const token = request.headers.authorization?.startsWith('Bearer ')
+			? request.headers.authorization.slice(7)
+			: fields['i'];
 		if (token != null && typeof token !== 'string') {
 			reply.code(400);
 			return;
@ -130,22 +161,14 @@ export class ApiCallService implements OnApplicationShutdown {
 			}, request).then((res) => {
 				this.send(reply, res);
 			}).catch((err: ApiError) => {
-				this.send(reply, err.httpStatusCode ? err.httpStatusCode : err.kind === 'client' ? 400 : err.kind === 'permission' ? 403 : 500, err);
+				this.#sendApiError(reply, err);
 			});

 			if (user) {
 				this.logIp(request, user);
 			}
 		}).catch(err => {
-			if (err instanceof AuthenticationError) {
-				this.send(reply, 403, new ApiError({
-					message: 'Authentication failed. Please ensure your token is correct.',
-					code: 'AUTHENTICATION_FAILED',
-					id: 'b0a7f5f8-dc2f-4171-b91f-de88ad238e14',
-				}));
-			} else {
-				this.send(reply, 500, new ApiError());
-			}
+			this.#sendAuthenticationError(reply, err);
 		});
 	}

@ -256,8 +279,8 @@ export class ApiCallService implements OnApplicationShutdown {
 				throw new ApiError({
 					message: 'Your account has been suspended.',
 					code: 'YOUR_ACCOUNT_SUSPENDED',
+					kind: 'permission',
 					id: 'a8c724b3-6e9c-4b46-b1a8-bc3ed6258370',
-					httpStatusCode: 403,
 				});
 			}
 		}
@ -267,8 +290,8 @@ export class ApiCallService implements OnApplicationShutdown {
 				throw new ApiError({
 					message: 'You have moved your account.',
 					code: 'YOUR_ACCOUNT_MOVED',
+					kind: 'permission',
 					id: '56f20ec9-fd06-4fa5-841b-edd6d7d4fa31',
-					httpStatusCode: 403,
 				});
 			}
 		}
@ -279,6 +302,7 @@ export class ApiCallService implements OnApplicationShutdown {
 				throw new ApiError({
 					message: 'You are not assigned to a moderator role.',
 					code: 'ROLE_PERMISSION_DENIED',
+					kind: 'permission',
 					id: 'd33d5333-db36-423d-a8f9-1a2b9549da41',
 				});
 			}
@ -286,6 +310,7 @@ export class ApiCallService implements OnApplicationShutdown {
 				throw new ApiError({
 					message: 'You are not assigned to an administrator role.',
 					code: 'ROLE_PERMISSION_DENIED',
+					kind: 'permission',
 					id: 'c3d38592-54c0-429d-be96-5636b0431a61',
 				});
 			}
@ -297,6 +322,7 @@ export class ApiCallService implements OnApplicationShutdown {
 				throw new ApiError({
 					message: 'You are not assigned to a required role.',
 					code: 'ROLE_PERMISSION_DENIED',
+					kind: 'permission',
 					id: '7f86f06f-7e15-4057-8561-f4b6d4ac755a',
 				});
 			}
@ -306,6 +332,7 @@ export class ApiCallService implements OnApplicationShutdown {
 			throw new ApiError({
 				message: 'Your app does not have the necessary permissions to use this endpoint.',
 				code: 'PERMISSION_DENIED',
+				kind: 'permission',
 				id: '1370e5b7-d4eb-4566-bb1d-7748ee6a1838',
 			});
 		}
--- a/packages/backend/src/server/api/SignupApiService.ts
+++ b/packages/backend/src/server/api/SignupApiService.ts
@ -1,5 +1,4 @@
 import { Inject, Injectable } from '@nestjs/common';
-import rndstr from 'rndstr';
 import bcrypt from 'bcryptjs';
 import { IsNull } from 'typeorm';
 import { DI } from '@/di-symbols.js';
@ -16,6 +15,7 @@ import { FastifyReplyError } from '@/misc/fastify-reply-error.js';
 import { bindThis } from '@/decorators.js';
 import { SigninService } from './SigninService.js';
 import type { FastifyRequest, FastifyReply } from 'fastify';
+import { L_CHARS, secureRndstr } from '@/misc/secure-rndstr.js';

@Injectable()
 export class SignupApiService {
@ -142,7 +142,7 @@ export class SignupApiService {
 				throw new FastifyReplyError(400, 'DENIED_USERNAME');
 			}

-			const code = rndstr('a-z0-9', 16);
+			const code = secureRndstr(16, { chars: L_CHARS });

 			// Generate hash of password
 			const salt = await bcrypt.genSalt(8);
--- a/packages/backend/src/server/api/StreamingApiServerService.ts
+++ b/packages/backend/src/server/api/StreamingApiServerService.ts
@ -10,7 +10,7 @@ import { GlobalEventService } from '@/core/GlobalEventService.js';
 import { NotificationService } from '@/core/NotificationService.js';
 import { bindThis } from '@/decorators.js';
 import { CacheService } from '@/core/CacheService.js';
-import { LocalUser } from '@/models/entities/User';
+import { LocalUser } from '@/models/entities/User.js';
 import { AuthenticateService, AuthenticationError } from './AuthenticateService.js';
 import MainStreamConnection from './stream/index.js';
 import { ChannelsService } from './stream/ChannelsService.js';
@ -58,11 +58,21 @@ export class StreamingApiServerService {
 			let user: LocalUser | null = null;
 			let app: AccessToken | null = null;

+			// https://datatracker.ietf.org/doc/html/rfc6750.html#section-2.1
+			// Note that the standard WHATWG WebSocket API does not support setting any headers,
+			// but non-browser apps may still be able to set it.
+			const token = request.headers.authorization?.startsWith('Bearer ')
+				? request.headers.authorization.slice(7)
+				: q.get('i');
+
 			try {
-				[user, app] = await this.authenticateService.authenticate(q.get('i'));
+				[user, app] = await this.authenticateService.authenticate(token);
 			} catch (e) {
 				if (e instanceof AuthenticationError) {
-					socket.write('HTTP/1.1 401 Unauthorized\r\n\r\n');
+					socket.write([
+						'HTTP/1.1 401 Unauthorized',
+						'WWW-Authenticate: Bearer realm="Misskey", error="invalid_token", error_description="Failed to authenticate"',
+					].join('\r\n') + '\r\n\r\n');
 				} else {
 					socket.write('HTTP/1.1 500 Internal Server Error\r\n\r\n');
 				}
--- a/packages/backend/src/server/api/endpoint-base.ts
+++ b/packages/backend/src/server/api/endpoint-base.ts
@ -1,5 +1,5 @@
 import * as fs from 'node:fs';
-import Ajv from 'ajv';
+import _Ajv from 'ajv';
 import type { LocalUser } from '@/models/entities/User.js';
 import type { AccessToken } from '@/models/entities/AccessToken.js';
 import { ApiError } from './error.js';
@ -8,6 +8,8 @@ import type { IEndpointMeta, ResponseOf, SchemaOrUndefined } from 'misskey-js/bu
 import type { Endpoints } from 'misskey-js';
 import { WeakSerialized } from 'schema-type';

+const Ajv = _Ajv.default;
+
 const ajv = new Ajv({
 	useDefaults: true,
 });
--- a/packages/backend/src/server/api/endpoints/admin/emoji/add.ts
+++ b/packages/backend/src/server/api/endpoints/admin/emoji/add.ts
@ -1,5 +1,4 @@
 import { Inject, Injectable } from '@nestjs/common';
-import rndstr from 'rndstr';
 import { Endpoint } from '@/server/api/endpoint-base.js';
 import type { DriveFilesRepository } from '@/models/index.js';
 import { DI } from '@/di-symbols.js';
--- a/packages/backend/src/server/api/endpoints/admin/reset-password.ts
+++ b/packages/backend/src/server/api/endpoints/admin/reset-password.ts
@ -1,9 +1,9 @@
 import { Inject, Injectable } from '@nestjs/common';
 import bcrypt from 'bcryptjs';
-import rndstr from 'rndstr';
 import { Endpoint } from '@/server/api/endpoint-base.js';
 import type { UsersRepository, UserProfilesRepository } from '@/models/index.js';
 import { DI } from '@/di-symbols.js';
+import { secureRndstr } from '@/misc/secure-rndstr.js';

 // eslint-disable-next-line import/no-default-export
@Injectable()
@ -27,7 +27,7 @@ export default class extends Endpoint<'admin/reset-password'> {
 				throw new Error('cannot reset password of root');
 			}

-			const passwd = rndstr('a-zA-Z0-9', 8);
+			const passwd = secureRndstr(8);

 			// Generate hash of password
 			const hash = bcrypt.hashSync(passwd);
--- a/packages/backend/src/server/api/endpoints/app/create.ts
+++ b/packages/backend/src/server/api/endpoints/app/create.ts
@ -20,7 +20,7 @@ export default class extends Endpoint<'app/create'> {
 	) {
 		super(async (ps, me) => {
 			// Generate secret
-			const secret = secureRndstr(32, true);
+			const secret = secureRndstr(32);

 			// for backward compatibility
 			const permission = unique(ps.permission.map(v => v.replace(/^(.+)(\/|-)(read|write)$/, '$3:$1')));
--- a/packages/backend/src/server/api/endpoints/auth/accept.ts
+++ b/packages/backend/src/server/api/endpoints/auth/accept.ts
@ -32,7 +32,7 @@ export default class extends Endpoint<'auth/accept'> {
 				throw new ApiError(this.meta.errors.noSuchSession);
 			}

-			const accessToken = secureRndstr(32, true);
+			const accessToken = secureRndstr(32);

 			// Fetch exist access token
 			const exist = await this.accessTokensRepository.findOneBy({
--- a/packages/backend/src/server/api/endpoints/i/import-blocking.ts
+++ b/packages/backend/src/server/api/endpoints/i/import-blocking.ts
@ -72,7 +72,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
 			const checkMoving = await this.accountMoveService.validateAlsoKnownAs(
 				me,
 				(old, src) => !!src.movedAt && src.movedAt.getTime() + 1000 * 60 * 60 * 2 > (new Date()).getTime(),
-				true
+				true,
 			);
 			if (checkMoving ? file.size > 32 * 1024 * 1024 : file.size > 64 * 1024) throw new ApiError(meta.errors.tooBigFile);

--- a/packages/backend/src/server/api/endpoints/i/import-following.ts
+++ b/packages/backend/src/server/api/endpoints/i/import-following.ts
@ -71,7 +71,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
 			const checkMoving = await this.accountMoveService.validateAlsoKnownAs(
 				me,
 				(old, src) => !!src.movedAt && src.movedAt.getTime() + 1000 * 60 * 60 * 2 > (new Date()).getTime(),
-				true
+				true,
 			);
 			if (checkMoving ? file.size > 32 * 1024 * 1024 : file.size > 64 * 1024) throw new ApiError(meta.errors.tooBigFile);

--- a/packages/backend/src/server/api/endpoints/i/import-muting.ts
+++ b/packages/backend/src/server/api/endpoints/i/import-muting.ts
@ -72,7 +72,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
 			const checkMoving = await this.accountMoveService.validateAlsoKnownAs(
 				me,
 				(old, src) => !!src.movedAt && src.movedAt.getTime() + 1000 * 60 * 60 * 2 > (new Date()).getTime(),
-				true
+				true,
 			);
 			if (checkMoving ? file.size > 32 * 1024 * 1024 : file.size > 64 * 1024) throw new ApiError(meta.errors.tooBigFile);

--- a/packages/backend/src/server/api/endpoints/i/import-user-lists.ts
+++ b/packages/backend/src/server/api/endpoints/i/import-user-lists.ts
@ -71,7 +71,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
 			const checkMoving = await this.accountMoveService.validateAlsoKnownAs(
 				me,
 				(old, src) => !!src.movedAt && src.movedAt.getTime() + 1000 * 60 * 60 * 2 > (new Date()).getTime(),
-				true
+				true,
 			);
 			if (checkMoving ? file.size > 32 * 1024 * 1024 : file.size > 64 * 1024) throw new ApiError(meta.errors.tooBigFile);

--- a/packages/backend/src/server/api/endpoints/i/update-email.ts
+++ b/packages/backend/src/server/api/endpoints/i/update-email.ts
@ -1,5 +1,4 @@
 import { Inject, Injectable } from '@nestjs/common';
-import rndstr from 'rndstr';
 import ms from 'ms';
 import bcrypt from 'bcryptjs';
 import { Endpoint } from '@/server/api/endpoint-base.js';
@ -9,6 +8,7 @@ import { EmailService } from '@/core/EmailService.js';
 import type { Config } from '@/config.js';
 import { DI } from '@/di-symbols.js';
 import { GlobalEventService } from '@/core/GlobalEventService.js';
+import { L_CHARS, secureRndstr } from '@/misc/secure-rndstr.js';
 import { ApiError } from '../../error.js';

 export const meta = {
@ -94,7 +94,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
 			this.globalEventService.publishMainStream(me.id, 'meUpdated', iObj);

 			if (ps.email != null) {
-				const code = rndstr('a-z0-9', 16);
+				const code = secureRndstr(16, { chars: L_CHARS });

 				await this.userProfilesRepository.update(me.id, {
 					emailVerifyCode: code,
--- a/packages/backend/src/server/api/endpoints/invite.ts
+++ b/packages/backend/src/server/api/endpoints/invite.ts
@ -1,9 +1,9 @@
-import rndstr from 'rndstr';
 import { Inject, Injectable } from '@nestjs/common';
 import { Endpoint } from '@/server/api/endpoint-base.js';
 import type { RegistrationTicketsRepository } from '@/models/index.js';
 import { IdService } from '@/core/IdService.js';
 import { DI } from '@/di-symbols.js';
+import { secureRndstr } from '@/misc/secure-rndstr.js';

 export const meta = {
 	tags: ['meta'],
@ -42,9 +42,8 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
 		private idService: IdService,
 	) {
 		super(meta, paramDef, async (ps, me) => {
-			const code = rndstr({
-				length: 8,
-				chars: '2-9A-HJ-NP-Z', // [0-9A-Z] w/o [01IO] (32 patterns)
+			const code = secureRndstr(8, {
+				chars: '23456789ABCDEFGHJKLMNPQRSTUVWXYZ', // [0-9A-Z] w/o [01IO] (32 patterns)
 			});

 			await this.registrationTicketsRepository.insert({
--- a/packages/backend/src/server/api/endpoints/miauth/gen-token.ts
+++ b/packages/backend/src/server/api/endpoints/miauth/gen-token.ts
@ -49,7 +49,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
 	) {
 		super(meta, paramDef, async (ps, me) => {
 			// Generate access token
-			const accessToken = secureRndstr(32, true);
+			const accessToken = secureRndstr(32);

 			const now = new Date();

--- a/packages/backend/src/server/api/endpoints/notes/unrenote.ts
+++ b/packages/backend/src/server/api/endpoints/notes/unrenote.ts
@ -4,8 +4,8 @@ import type { UsersRepository, NotesRepository } from '@/models/index.js';
 import { Endpoint } from '@/server/api/endpoint-base.js';
 import { NoteDeleteService } from '@/core/NoteDeleteService.js';
 import { DI } from '@/di-symbols.js';
-import { ApiError } from '../../error.js';
 import { GetterService } from '@/server/api/GetterService.js';
+import { ApiError } from '../../error.js';

 export const meta = {
 	tags: ['notes'],
--- a/packages/backend/src/server/api/endpoints/request-reset-password.ts
+++ b/packages/backend/src/server/api/endpoints/request-reset-password.ts
@ -1,4 +1,3 @@
-import rndstr from 'rndstr';
 import ms from 'ms';
 import { IsNull } from 'typeorm';
 import { Inject, Injectable } from '@nestjs/common';
@ -8,6 +7,7 @@ import { IdService } from '@/core/IdService.js';
 import type { Config } from '@/config.js';
 import { DI } from '@/di-symbols.js';
 import { EmailService } from '@/core/EmailService.js';
+import { L_CHARS, secureRndstr } from '@/misc/secure-rndstr.js';

 export const meta = {
 	tags: ['reset password'],
@ -77,7 +77,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
 				return;
 			}

-			const token = rndstr('a-z0-9', 64);
+			const token = secureRndstr(64, { chars: L_CHARS });

 			await this.passwordResetRequestsRepository.insert({
 				id: this.idService.genId(),
--- a/packages/backend/src/server/api/endpoints/users/report-abuse.ts
+++ b/packages/backend/src/server/api/endpoints/users/report-abuse.ts
@ -1,4 +1,4 @@
-import * as sanitizeHtml from 'sanitize-html';
+import sanitizeHtml from 'sanitize-html';
 import { Inject, Injectable } from '@nestjs/common';
 import type { UsersRepository, AbuseUserReportsRepository } from '@/models/index.js';
 import { IdService } from '@/core/IdService.js';
--- a/packages/backend/src/server/api/stream/channel.ts
+++ b/packages/backend/src/server/api/stream/channel.ts
@ -1,5 +1,5 @@
 import { bindThis } from '@/decorators.js';
-import type Connection from '.';
+import type Connection from './index.js';

 /**
 * Stream channel
--- a/packages/backend/src/server/api/stream/types.ts
+++ b/packages/backend/src/server/api/stream/types.ts
@ -12,7 +12,7 @@ import type { Page } from '@/models/entities/Page.js';
 import type { Packed } from 'misskey-js';
 import type { Webhook } from '@/models/entities/Webhook.js';
 import type { Meta } from '@/models/entities/Meta.js';
-import { Role, RoleAssignment } from '@/models';
+import { Role, RoleAssignment } from '@/models/index.js';
 import type Emitter from 'strict-event-emitter-types';
 import type { EventEmitter } from 'events';

@ -233,7 +233,7 @@ export type StreamMessages = {

 // API event definitions
 // ストリームごとのEmitterの辞書を用意
-type EventEmitterDictionary = { [x in keyof StreamMessages]: Emitter<EventEmitter, { [y in StreamMessages[x]['name']]: (e: StreamMessages[x]['payload']) => void }> };
+type EventEmitterDictionary = { [x in keyof StreamMessages]: Emitter.default<EventEmitter, { [y in StreamMessages[x]['name']]: (e: StreamMessages[x]['payload']) => void }> };
 // 共用体型を交差型にする型 https://stackoverflow.com/questions/54938141/typescript-convert-union-to-intersection
 type UnionToIntersection<U> = (U extends any ? (k: U) => void : never) extends ((k: infer I) => void) ? I : never;
 // Emitter辞書から共用体型を作り、UnionToIntersectionで交差型にする
--- a/packages/backend/src/server/web/views/base.pug
+++ b/packages/backend/src/server/web/views/base.pug
@ -35,7 +35,7 @@ html
 		link(rel='prefetch' href=infoImageUrl)
 		link(rel='prefetch' href=notFoundImageUrl)
 		//- https://github.com/misskey-dev/misskey/issues/9842
-		link(rel='stylesheet' href='/assets/tabler-icons/tabler-icons.min.css?v2.21.0')
+		link(rel='stylesheet' href='/assets/tabler-icons/tabler-icons.min.css?v2.22.0')
 		link(rel='modulepreload' href=`/vite/${clientEntry.file}`)

 		if !config.clientManifestExists
--- a/packages/backend/test/e2e/2fa.ts
+++ b/packages/backend/test/e2e/2fa.ts
@ -7,10 +7,11 @@ import * as OTPAuth from 'otpauth';
 import { loadConfig } from '../../src/config.js';
 import { signup, api, post, react, startServer, waitFire } from '../utils.js';
 import type { INestApplicationContext } from '@nestjs/common';
+import type * as misskey from 'misskey-js';

 describe('2要素認証', () => {
 	let app: INestApplicationContext;
-	let alice: unknown;
+	let alice: misskey.entities.MeSignup;

 	const config = loadConfig();
 	const password = 'test';
--- a/packages/backend/test/e2e/api-visibility.ts
+++ b/packages/backend/test/e2e/api-visibility.ts
@ -3,6 +3,7 @@ process.env.NODE_ENV = 'test';
 import * as assert from 'assert';
 import { signup, api, post, startServer } from '../utils.js';
 import type { INestApplicationContext } from '@nestjs/common';
+import type * as misskey from 'misskey-js';

 describe('API visibility', () => {
 	let app: INestApplicationContext;
@ -18,15 +19,15 @@ describe('API visibility', () => {
 	describe('Note visibility', () => {
 		//#region vars
 		/** ヒロイン */
-		let alice: any;
+		let alice: misskey.entities.MeSignup;
 		/** フォロワー */
-		let follower: any;
+		let follower: misskey.entities.MeSignup;
 		/** 非フォロワー */
-		let other: any;
+		let other: misskey.entities.MeSignup;
 		/** 非フォロワーでもリプライやメンションをされた人 */
-		let target: any;
+		let target: misskey.entities.MeSignup;
 		/** specified mentionでmentionを飛ばされる人 */
-		let target2: any;
+		let target2: misskey.entities.MeSignup;

 		/** public-post */
 		let pub: any;
--- a/packages/backend/test/e2e/api.ts
+++ b/packages/backend/test/e2e/api.ts
@ -1,14 +1,16 @@
 process.env.NODE_ENV = 'test';

 import * as assert from 'assert';
-import { signup, api, startServer } from '../utils.js';
+import { signup, api, startServer, successfulApiCall, failedApiCall, uploadFile, waitFire, connectStream } from '../utils.js';
 import type { INestApplicationContext } from '@nestjs/common';
+import type * as misskey from 'misskey-js';
+import { IncomingMessage } from 'http';

 describe('API', () => {
 	let app: INestApplicationContext;
-	let alice: any;
-	let bob: any;
-	let carol: any;
+	let alice: misskey.entities.MeSignup;
+	let bob: misskey.entities.MeSignup;
+	let carol: misskey.entities.MeSignup;

 	beforeAll(async () => {
 		app = await startServer();
@ -80,4 +82,142 @@ describe('API', () => {
 			assert.strictEqual(res.body.nullableDefault, 'hello');
 		});
 	});
+
+	test('管理者専用のAPIのアクセス制限', async () => {
+		// aliceは管理者、APIを使える
+		await successfulApiCall({
+			endpoint: '/admin/get-index-stats',
+			parameters: {},
+			user: alice,
+		});
+
+		// bobは一般ユーザーだからダメ
+		await failedApiCall({
+			endpoint: '/admin/get-index-stats',
+			parameters: {},
+			user: bob,
+		}, {
+			status: 403,
+			code: 'ROLE_PERMISSION_DENIED',
+			id: 'c3d38592-54c0-429d-be96-5636b0431a61',
+		});
+
+		// publicアクセスももちろんダメ
+		await failedApiCall({
+			endpoint: '/admin/get-index-stats',
+			parameters: {},
+			user: undefined,
+		}, {
+			status: 401,
+			code: 'CREDENTIAL_REQUIRED',
+			id: '1384574d-a912-4b81-8601-c7b1c4085df1',
+		});
+
+		// ごまがしもダメ
+		await failedApiCall({
+			endpoint: '/admin/get-index-stats',
+			parameters: {},
+			user: { token: 'tsukawasete' },
+		}, {
+			status: 401,
+			code: 'AUTHENTICATION_FAILED',
+			id: 'b0a7f5f8-dc2f-4171-b91f-de88ad238e14',
+		});
+	});
+
+	describe('Authentication header', () => {
+		test('一般リクエスト', async () => {
+			await successfulApiCall({
+				endpoint: '/admin/get-index-stats',
+				parameters: {},
+				user: {
+					token: alice.token,
+					bearer: true,
+				},
+			});
+		});
+
+		test('multipartリクエスト', async () => {
+			const result = await uploadFile({
+				token: alice.token,
+				bearer: true,
+			});
+			assert.strictEqual(result.status, 200);
+		});
+
+		test('streaming', async () => {
+			const fired = await waitFire(
+				{
+					token: alice.token,
+					bearer: true,
+				},
+				'homeTimeline',
+				() => api('notes/create', { text: 'foo' }, alice),
+				msg => msg.type === 'note' && msg.body.text === 'foo',
+			);
+			assert.strictEqual(fired, true);
+		});
+	});
+
+	describe('tokenエラー応答でWWW-Authenticate headerを送る', () => {
+		describe('invalid_token', () => {
+			test('一般リクエスト', async () => {
+				const result = await api('/admin/get-index-stats', {}, {
+					token: 'syuilo',
+					bearer: true,
+				});
+				assert.strictEqual(result.status, 401);
+				assert.ok(result.headers.get('WWW-Authenticate')?.startsWith('Bearer realm="Misskey", error="invalid_token", error_description'));
+			});
+
+			test('multipartリクエスト', async () => {
+				const result = await uploadFile({
+					token: 'syuilo',
+					bearer: true,
+				});
+				assert.strictEqual(result.status, 401);
+				assert.ok(result.headers.get('WWW-Authenticate')?.startsWith('Bearer realm="Misskey", error="invalid_token", error_description'));
+			});
+
+			test('streaming', async () => {
+				await assert.rejects(connectStream(
+					{
+						token: 'syuilo',
+						bearer: true,
+					},
+					'homeTimeline',
+					() => { },
+				), (err: IncomingMessage) => {
+					assert.strictEqual(err.statusCode, 401);
+					assert.ok(err.headers['www-authenticate']?.startsWith('Bearer realm="Misskey", error="invalid_token", error_description'));
+					return true;
+				});
+			});
+		});
+
+		describe('tokenがないとrealmだけおくる', () => {
+			test('一般リクエスト', async () => {
+				const result = await api('/admin/get-index-stats', {});
+				assert.strictEqual(result.status, 401);
+				assert.strictEqual(result.headers.get('WWW-Authenticate'), 'Bearer realm="Misskey"');
+			});
+
+			test('multipartリクエスト', async () => {
+				const result = await uploadFile();
+				assert.strictEqual(result.status, 401);
+				assert.strictEqual(result.headers.get('WWW-Authenticate'), 'Bearer realm="Misskey"');
+			});
+		});
+
+		test('invalid_request', async () => {
+			const result = await api('/notes/create', { text: true }, {
+				token: alice.token,
+				bearer: true,
+			});
+			assert.strictEqual(result.status, 400);
+			assert.ok(result.headers.get('WWW-Authenticate')?.startsWith('Bearer realm="Misskey", error="invalid_request", error_description'));
+		});
+
+		// TODO: insufficient_scope test (authテストが全然なくて書けない)
+	});
 });
--- a/packages/backend/test/e2e/block.ts
+++ b/packages/backend/test/e2e/block.ts
@ -3,14 +3,15 @@ process.env.NODE_ENV = 'test';
 import * as assert from 'assert';
 import { signup, api, post, startServer } from '../utils.js';
 import type { INestApplicationContext } from '@nestjs/common';
+import type * as misskey from 'misskey-js';

 describe('Block', () => {
 	let app: INestApplicationContext;

 	// alice blocks bob
-	let alice: any;
-	let bob: any;
-	let carol: any;
+	let alice: misskey.entities.MeSignup;
+	let bob: misskey.entities.MeSignup;
+	let carol: misskey.entities.MeSignup;

 	beforeAll(async () => {
 		app = await startServer();
--- a/packages/backend/test/e2e/endpoints.ts
+++ b/packages/backend/test/e2e/endpoints.ts
@ -4,17 +4,18 @@ import * as assert from 'assert';
 // node-fetch only supports it's own Blob yet
 // https://github.com/node-fetch/node-fetch/pull/1664
 import { Blob } from 'node-fetch';
+import { User } from '@/models/index.js';
 import { startServer, signup, post, api, uploadFile, simpleGet, initTestDb } from '../utils.js';
 import type { INestApplicationContext } from '@nestjs/common';
-import { User } from '@/models/index.js';
+import type * as misskey from 'misskey-js';

 describe('Endpoints', () => {
 	let app: INestApplicationContext;

-	let alice: any;
-	let bob: any;
-	let carol: any;
-	let dave: any;
+	let alice: misskey.entities.MeSignup;
+	let bob: misskey.entities.MeSignup;
+	let carol: misskey.entities.MeSignup;
+	let dave: misskey.entities.MeSignup;

 	beforeAll(async () => {
 		app = await startServer();
--- a/packages/backend/test/e2e/fetch-resource.ts
+++ b/packages/backend/test/e2e/fetch-resource.ts
@ -4,6 +4,7 @@ import * as assert from 'assert';
 import { startServer, channel, clip, cookie, galleryPost, signup, page, play, post, simpleGet, uploadFile } from '../utils.js';
 import type { SimpleGetResponse } from '../utils.js';
 import type { INestApplicationContext } from '@nestjs/common';
+import type * as misskey from 'misskey-js';

 // Request Accept
 const ONLY_AP = 'application/activity+json';
@ -19,7 +20,7 @@ const JSON_UTF8 = 'application/json; charset=utf-8';
 describe('Webリソース', () => {
 	let app: INestApplicationContext;

-	let alice: any;
+	let alice: misskey.entities.MeSignup;
 	let aliceUploadedFile: any;
 	let alicesPost: any;
 	let alicePage: any;
--- a/packages/backend/test/e2e/ff-visibility.ts
+++ b/packages/backend/test/e2e/ff-visibility.ts
@ -3,12 +3,13 @@ process.env.NODE_ENV = 'test';
 import * as assert from 'assert';
 import { signup, api, startServer, simpleGet } from '../utils.js';
 import type { INestApplicationContext } from '@nestjs/common';
+import type * as misskey from 'misskey-js';

 describe('FF visibility', () => {
 	let app: INestApplicationContext;

-	let alice: any;
-	let bob: any;
+	let alice: misskey.entities.MeSignup;
+	let bob: misskey.entities.MeSignup;

 	beforeAll(async () => {
 		app = await startServer();
--- a/packages/backend/test/e2e/move.ts
+++ b/packages/backend/test/e2e/move.ts
@ -1,12 +1,13 @@
 process.env.NODE_ENV = 'test';

 import * as assert from 'assert';
-import rndstr from 'rndstr';
 import { loadConfig } from '@/config.js';
 import { User, UsersRepository } from '@/models/index.js';
 import { jobQueue } from '@/boot/common.js';
+import { secureRndstr } from '@/misc/secure-rndstr.js';
 import { uploadFile, signup, startServer, initTestDb, api, sleep, successfulApiCall } from '../utils.js';
 import type { INestApplicationContext } from '@nestjs/common';
+import type * as misskey from 'misskey-js';

 describe('Account Move', () => {
 	let app: INestApplicationContext;
@ -14,12 +15,12 @@ describe('Account Move', () => {
 	let url: URL;

 	let root: any;
-	let alice: any;
-	let bob: any;
-	let carol: any;
-	let dave: any;
-	let eve: any;
-	let frank: any;
+	let alice: misskey.entities.MeSignup;
+	let bob: misskey.entities.MeSignup;
+	let carol: misskey.entities.MeSignup;
+	let dave: misskey.entities.MeSignup;
+	let eve: misskey.entities.MeSignup;
+	let frank: misskey.entities.MeSignup;

 	let Users: UsersRepository;

@ -162,7 +163,7 @@ describe('Account Move', () => {
 				alsoKnownAs: [`@alice@${url.hostname}`],
 			}, root);
 			const listRoot = await api('/users/lists/create', {
-				name: rndstr('0-9a-z', 8),
+				name: secureRndstr(8),
 			}, root);
 			await api('/users/lists/push', {
 				listId: listRoot.body.id,
@ -176,9 +177,9 @@ describe('Account Move', () => {
 				userId: eve.id,
 			}, alice);
 			const antenna = await api('/antennas/create', {
-				name: rndstr('0-9a-z', 8),
+				name: secureRndstr(8),
 				src: 'home',
-				keywords: [rndstr('0-9a-z', 8)],
+				keywords: [secureRndstr(8)],
 				excludeKeywords: [],
 				users: [],
 				caseSensitive: false,
@ -210,7 +211,7 @@ describe('Account Move', () => {
 				userId: dave.id,
 			}, eve);
 			const listEve = await api('/users/lists/create', {
-				name: rndstr('0-9a-z', 8),
+				name: secureRndstr(8),
 			}, eve);
 			await api('/users/lists/push', {
 				listId: listEve.body.id,
@ -419,9 +420,9 @@ describe('Account Move', () => {
 		test('Prohibit access after moving: /antennas/update', async () => {
 			const res = await api('/antennas/update', {
 				antennaId,
-				name: rndstr('0-9a-z', 8),
+				name: secureRndstr(8),
 				src: 'users',
-				keywords: [rndstr('0-9a-z', 8)],
+				keywords: [secureRndstr(8)],
 				excludeKeywords: [],
 				users: [eve.id],
 				caseSensitive: false,
--- a/packages/backend/test/e2e/mute.ts
+++ b/packages/backend/test/e2e/mute.ts
@ -3,14 +3,15 @@ process.env.NODE_ENV = 'test';
 import * as assert from 'assert';
 import { signup, api, post, react, startServer, waitFire } from '../utils.js';
 import type { INestApplicationContext } from '@nestjs/common';
+import type * as misskey from 'misskey-js';

 describe('Mute', () => {
 	let app: INestApplicationContext;

 	// alice mutes carol
-	let alice: any;
-	let bob: any;
-	let carol: any;
+	let alice: misskey.entities.MeSignup;
+	let bob: misskey.entities.MeSignup;
+	let carol: misskey.entities.MeSignup;

 	beforeAll(async () => {
 		app = await startServer();
--- a/packages/backend/test/e2e/note.ts
+++ b/packages/backend/test/e2e/note.ts
@ -4,13 +4,14 @@ import * as assert from 'assert';
 import { Note } from '@/models/entities/Note.js';
 import { signup, post, uploadUrl, startServer, initTestDb, api, uploadFile } from '../utils.js';
 import type { INestApplicationContext } from '@nestjs/common';
+import type * as misskey from 'misskey-js';

 describe('Note', () => {
 	let app: INestApplicationContext;
 	let Notes: any;

-	let alice: any;
-	let bob: any;
+	let alice: misskey.entities.MeSignup;
+	let bob: misskey.entities.MeSignup;

 	beforeAll(async () => {
 		app = await startServer();
--- a/packages/backend/test/e2e/renote-mute.ts
+++ b/packages/backend/test/e2e/renote-mute.ts
@ -3,14 +3,15 @@ process.env.NODE_ENV = 'test';
 import * as assert from 'assert';
 import { signup, api, post, react, startServer, waitFire } from '../utils.js';
 import type { INestApplicationContext } from '@nestjs/common';
+import type * as misskey from 'misskey-js';

 describe('Renote Mute', () => {
 	let app: INestApplicationContext;

 	// alice mutes carol
-	let alice: any;
-	let bob: any;
-	let carol: any;
+	let alice: misskey.entities.MeSignup;
+	let bob: misskey.entities.MeSignup;
+	let carol: misskey.entities.MeSignup;

 	beforeAll(async () => {
 		app = await startServer();
--- a/packages/backend/test/e2e/streaming.ts
+++ b/packages/backend/test/e2e/streaming.ts
@ -4,6 +4,7 @@ import * as assert from 'assert';
 import { Following } from '@/models/entities/Following.js';
 import { connectStream, signup, api, post, startServer, initTestDb, waitFire } from '../utils.js';
 import type { INestApplicationContext } from '@nestjs/common';
+import type * as misskey from 'misskey-js';

 describe('Streaming', () => {
 	let app: INestApplicationContext;
@ -26,13 +27,13 @@ describe('Streaming', () => {

 	describe('Streaming', () => {
 		// Local users
-		let ayano: any;
-		let kyoko: any;
-		let chitose: any;
+		let ayano: misskey.entities.MeSignup;
+		let kyoko: misskey.entities.MeSignup;
+		let chitose: misskey.entities.MeSignup;

 		// Remote users
-		let akari: any;
-		let chinatsu: any;
+		let akari: misskey.entities.MeSignup;
+		let chinatsu: misskey.entities.MeSignup;

 		let kyokoNote: any;
 		let list: any;
--- a/packages/backend/test/e2e/thread-mute.ts
+++ b/packages/backend/test/e2e/thread-mute.ts
@ -3,13 +3,14 @@ process.env.NODE_ENV = 'test';
 import * as assert from 'assert';
 import { signup, api, post, connectStream, startServer } from '../utils.js';
 import type { INestApplicationContext } from '@nestjs/common';
+import type * as misskey from 'misskey-js';

 describe('Note thread mute', () => {
 	let app: INestApplicationContext;

-	let alice: any;
-	let bob: any;
-	let carol: any;
+	let alice: misskey.entities.MeSignup;
+	let bob: misskey.entities.MeSignup;
+	let carol: misskey.entities.MeSignup;

 	beforeAll(async () => {
 		app = await startServer();
--- a/packages/backend/test/e2e/user-notes.ts
+++ b/packages/backend/test/e2e/user-notes.ts
@ -3,11 +3,12 @@ process.env.NODE_ENV = 'test';
 import * as assert from 'assert';
 import { signup, api, post, uploadUrl, startServer } from '../utils.js';
 import type { INestApplicationContext } from '@nestjs/common';
+import type * as misskey from 'misskey-js';

 describe('users/notes', () => {
 	let app: INestApplicationContext;

-	let alice: any;
+	let alice: misskey.entities.MeSignup;
 	let jpgNote: any;
 	let pngNote: any;
 	let jpgPngNote: any;
--- a/packages/backend/test/tsconfig.json
+++ b/packages/backend/test/tsconfig.json
@ -9,9 +9,9 @@
 		"noFallthroughCasesInSwitch": true,
 		"declaration": false,
 		"sourceMap": true,
-		"target": "es2021",
+		"target": "ES2022",
 		"module": "es2020",
-		"moduleResolution": "node",
+		"moduleResolution": "node16",
 		"allowSyntheticDefaultImports": true,
 		"removeComments": false,
 		"noLib": false,
@ -39,6 +39,6 @@
 	"include": [
 		"./**/*.ts",
 		"../src/**/*.test.ts",
-		"../src/@types/**/*.ts",
+		"../src/@types/**/*.ts"
 	]
 }
--- a/packages/backend/test/unit/RoleService.ts
+++ b/packages/backend/test/unit/RoleService.ts
@ -4,7 +4,6 @@ import { jest } from '@jest/globals';
 import { ModuleMocker } from 'jest-mock';
 import { Test } from '@nestjs/testing';
 import * as lolex from '@sinonjs/fake-timers';
-import rndstr from 'rndstr';
 import { GlobalModule } from '@/GlobalModule.js';
 import { RoleService } from '@/core/RoleService.js';
 import type { Role, RolesRepository, RoleAssignmentsRepository, UsersRepository, User } from '@/models/index.js';
@ -14,6 +13,7 @@ import { genAid } from '@/misc/id/aid.js';
 import { CacheService } from '@/core/CacheService.js';
 import { IdService } from '@/core/IdService.js';
 import { GlobalEventService } from '@/core/GlobalEventService.js';
+import { secureRndstr } from '@/misc/secure-rndstr.js';
 import { sleep } from '../utils.js';
 import type { TestingModule } from '@nestjs/testing';
 import type { MockFunctionMetadata } from 'jest-mock';
@ -30,7 +30,7 @@ describe('RoleService', () => {
 	let clock: lolex.InstalledClock;

 	function createUser(data: Partial<User> = {}) {
-		const un = rndstr('a-z0-9', 16);
+		const un = secureRndstr(16);
 		return usersRepository.insert({
 			id: genAid(new Date()),
 			createdAt: new Date(),
--- a/packages/backend/test/unit/activitypub.ts
+++ b/packages/backend/test/unit/activitypub.ts
@ -1,7 +1,6 @@
 process.env.NODE_ENV = 'test';

 import * as assert from 'assert';
-import rndstr from 'rndstr';
 import { Test } from '@nestjs/testing';
 import { jest } from '@jest/globals';

@ -13,13 +12,14 @@ import { CoreModule } from '@/core/CoreModule.js';
 import { FederatedInstanceService } from '@/core/FederatedInstanceService.js';
 import { LoggerService } from '@/core/LoggerService.js';
 import type { IActor } from '@/core/activitypub/type.js';
-import { MockResolver } from '../misc/mock-resolver.js';
 import { Note } from '@/models/index.js';
+import { secureRndstr } from '@/misc/secure-rndstr.js';
+import { MockResolver } from '../misc/mock-resolver.js';

 const host = 'https://host1.test';

 function createRandomActor(): IActor & { id: string } {
-	const preferredUsername = `${rndstr('A-Z', 4)}${rndstr('a-z', 4)}`;
+	const preferredUsername = secureRndstr(8);
 	const actorId = `${host}/users/${preferredUsername.toLowerCase()}`;

 	return {
@ -61,7 +61,7 @@ describe('ActivityPub', () => {

 		const post = {
 			'@context': 'https://www.w3.org/ns/activitystreams',
-			id: `${host}/users/${rndstr('0-9a-z', 8)}`,
+			id: `${host}/users/${secureRndstr(8)}`,
 			type: 'Note',
 			attributedTo: actor.id,
 			to: 'https://www.w3.org/ns/activitystreams#Public',
@ -94,7 +94,7 @@ describe('ActivityPub', () => {
 		test('Truncate long name', async () => {
 			const actor = {
 				...createRandomActor(),
-				name: rndstr('0-9a-z', 129),
+				name: secureRndstr(129),
 			};

 			resolver._register(actor.id, actor);
--- a/packages/backend/test/utils.ts
+++ b/packages/backend/test/utils.ts
@ -2,7 +2,7 @@ import * as assert from 'node:assert';
 import { readFile } from 'node:fs/promises';
 import { isAbsolute, basename } from 'node:path';
 import { inspect } from 'node:util';
-import WebSocket from 'ws';
+import WebSocket, { ClientOptions } from 'ws';
 import fetch, { Blob, File, RequestInit } from 'node-fetch';
 import { DataSource } from 'typeorm';
 import { JSDOM } from 'jsdom';
@ -14,14 +14,19 @@ import { SchemaOrUndefined } from 'misskey-js/built/endpoints.types.js';

 export { server as startServer } from '@/boot/common.js';

+interface UserToken {
+	token: string;
+	bearer?: boolean;
+}
+
 const config = loadConfig();
 export const port = config.port;

-export const cookie = (me: any): string => {
+export const cookie = (me: UserToken): string => {
 	return `token=${me.token};`;
 };

-export const api = async (endpoint: string, params: any, me?: any) => {
+export const api = async (endpoint: string, params: any, me?: UserToken) => {
 	const normalized = endpoint.replace(/^\//, '');
 	return await request(`api/${normalized}`, params, me);
 };
@ -59,27 +64,33 @@ export const failedApiCall = async <X extends keyof misskey.Endpoints>(request:
 	return res.body;
 };

-const request = async (path: string, params: any, me?: any): Promise<{ body: any, status: number }> => {
-	const auth = me ? {
-		i: me.token,
-	} : {};
+const request = async (path: string, params: any, me?: UserToken): Promise<{ status: number, headers: Headers, body: any }> => {
+	const bodyAuth: Record<string, string> = {};
+	const headers: Record<string, string> = {
+		'Content-Type': 'application/json',
+	};
+
+	if (me?.bearer) {
+		headers.Authorization = `Bearer ${me.token}`;
+	} else if (me) {
+		bodyAuth.i = me.token;
+	}

 	const res = await relativeFetch(path, {
 		method: 'POST',
-		headers: {
-			'Content-Type': 'application/json',
-		},
-		body: JSON.stringify(Object.assign(auth, params)),
+		headers,
+		body: JSON.stringify(Object.assign(bodyAuth, params)),
 		redirect: 'manual',
 	});

-	const status = res.status;
 	const body = res.headers.get('content-type') === 'application/json; charset=utf-8'
 		? await res.json()
 		: null;

 	return {
-		body, status,
+		status: res.status,
+		headers: res.headers,
+		body,
 	};
 };

@ -87,7 +98,7 @@ const relativeFetch = async (path: string, init?: RequestInit | undefined) => {
 	return await fetch(new URL(path, `http://127.0.0.1:${port}/`).toString(), init);
 };

-export const signup = async (params?: any): Promise<any> => {
+export const signup = async (params?: Partial<misskey.Endpoints['signup']['req']>): Promise<NonNullable<misskey.Endpoints['signup']['res']>> => {
 	const q = Object.assign({
 		username: 'test',
 		password: 'test',
@ -98,7 +109,7 @@ export const signup = async (params?: any): Promise<any> => {
 	return res.body;
 };

-export const post = async (user: any, params?: misskey.Endpoints['notes/create']['req']): Promise<misskey.entities.Note> => {
+export const post = async (user: UserToken, params?: misskey.Endpoints['notes/create']['req']): Promise<misskey.entities.Note> => {
 	const q = params;

 	const res = await api('notes/create', q, user);
@ -121,21 +132,21 @@ export const hiddenNote = (note: any): any => {
 	return temp;
 };

-export const react = async (user: any, note: any, reaction: string): Promise<any> => {
+export const react = async (user: UserToken, note: any, reaction: string): Promise<any> => {
 	await api('notes/reactions/create', {
 		noteId: note.id,
 		reaction: reaction,
 	}, user);
 };

-export const userList = async (user: any, userList: any = {}): Promise<any> => {
+export const userList = async (user: UserToken, userList: any = {}): Promise<any> => {
 	const res = await api('users/lists/create', {
 		name: 'test',
 	}, user);
 	return res.body;
 };

-export const page = async (user: any, page: any = {}): Promise<any> => {
+export const page = async (user: UserToken, page: any = {}): Promise<any> => {
 	const res = await api('pages/create', {
 		alignCenter: false,
 		content: [
@ -158,7 +169,7 @@ export const page = async (user: any, page: any = {}): Promise<any> => {
 	return res.body;
 };

-export const play = async (user: any, play: any = {}): Promise<any> => {
+export const play = async (user: UserToken, play: any = {}): Promise<any> => {
 	const res = await api('flash/create', {
 		permissions: [],
 		script: 'test',
@ -169,7 +180,7 @@ export const play = async (user: any, play: any = {}): Promise<any> => {
 	return res.body;
 };

-export const clip = async (user: any, clip: any = {}): Promise<any> => {
+export const clip = async (user: UserToken, clip: any = {}): Promise<any> => {
 	const res = await api('clips/create', {
 		description: null,
 		isPublic: true,
@ -179,7 +190,7 @@ export const clip = async (user: any, clip: any = {}): Promise<any> => {
 	return res.body;
 };

-export const galleryPost = async (user: any, channel: any = {}): Promise<any> => {
+export const galleryPost = async (user: UserToken, channel: any = {}): Promise<any> => {
 	const res = await api('gallery/posts/create', {
 		description: null,
 		fileIds: [],
@ -190,7 +201,7 @@ export const galleryPost = async (user: any, channel: any = {}): Promise<any> =>
 	return res.body;
 };

-export const channel = async (user: any, channel: any = {}): Promise<any> => {
+export const channel = async (user: UserToken, channel: any = {}): Promise<any> => {
 	const res = await api('channels/create', {
 		bannerId: null,
 		description: null,
@ -200,7 +211,7 @@ export const channel = async (user: any, channel: any = {}): Promise<any> => {
 	return res.body;
 };

-export const role = async (user: any, role: any = {}, policies: any = {}): Promise<any> => {
+export const role = async (user: UserToken, role: any = {}, policies: any = {}): Promise<any> => {
 	const res = await api('admin/roles/create', {
 		asBadge: false,
 		canEditMembersByModerator: false,
@ -243,7 +254,7 @@ interface UploadOptions {
 * Upload file
 * @param user User
 */
-export const uploadFile = async (user: any, { path, name, blob }: UploadOptions = {}): Promise<any> => {
+export const uploadFile = async (user?: UserToken, { path, name, blob }: UploadOptions = {}): Promise<{ status: number, headers: Headers, body: misskey.Endpoints['drive/files/create']['res'] | null }> => {
 	const absPath = path == null
 		? new URL('resources/Lenna.jpg', import.meta.url)
 		: isAbsolute(path.toString())
@ -251,7 +262,6 @@ export const uploadFile = async (user: any, { path, name, blob }: UploadOptions
 			: new URL(path, new URL('resources/', import.meta.url));

 	const formData = new FormData();
-	formData.append('i', user.token);
 	formData.append('file', blob ??
 		new File([await readFile(absPath)], basename(absPath.toString())));
 	formData.append('force', 'true');
@ -259,20 +269,29 @@ export const uploadFile = async (user: any, { path, name, blob }: UploadOptions
 		formData.append('name', name);
 	}

+	const headers: Record<string, string> = {};
+	if (user?.bearer) {
+		headers.Authorization = `Bearer ${user.token}`;
+	} else if (user) {
+		formData.append('i', user.token);
+	}
+
 	const res = await relativeFetch('api/drive/files/create', {
 		method: 'POST',
 		body: formData,
+		headers,
 	});

-	const body = res.status !== 204 ? await res.json() : null;
+	const body = res.status !== 204 ? await res.json() as misskey.Endpoints['drive/files/create']['res'] : null;

 	return {
 		status: res.status,
+		headers: res.headers,
 		body,
 	};
 };

-export const uploadUrl = async (user: any, url: string) => {
+export const uploadUrl = async (user: UserToken, url: string) => {
 	let file: any;
 	const marker = Math.random().toString();

@ -294,10 +313,18 @@ export const uploadUrl = async (user: any, url: string) => {
 	return file;
 };

-export function connectStream(user: any, channel: string, listener: (message: Record<string, any>) => any, params?: any): Promise<WebSocket> {
+export function connectStream(user: UserToken, channel: string, listener: (message: Record<string, any>) => any, params?: any): Promise<WebSocket> {
 	return new Promise((res, rej) => {
-		const ws = new WebSocket(`ws://127.0.0.1:${port}/streaming?i=${user.token}`);
+		const url = new URL(`ws://127.0.0.1:${port}/streaming`);
+		const options: ClientOptions = {};
+		if (user.bearer) {
+			options.headers = { Authorization: `Bearer ${user.token}` };
+		} else {
+			url.searchParams.set('i', user.token);
+		}
+		const ws = new WebSocket(url, options);

+		ws.on('unexpected-response', (req, res) => rej(res));
 		ws.on('open', () => {
 			ws.on('message', data => {
 				const msg = JSON.parse(data.toString());
@ -321,7 +348,7 @@ export function connectStream(user: any, channel: string, listener: (message: Re
 	});
 }

-export const waitFire = async (user: any, channel: string, trgr: () => any, cond: (msg: Record<string, any>) => boolean, params?: any) => {
+export const waitFire = async (user: UserToken, channel: string, trgr: () => any, cond: (msg: Record<string, any>) => boolean, params?: any) => {
 	return new Promise<boolean>(async (res, rej) => {
 		let timer: NodeJS.Timeout | null = null;

--- a/packages/backend/tsconfig.json
+++ b/packages/backend/tsconfig.json
@ -9,9 +9,9 @@
 		"noFallthroughCasesInSwitch": true,
 		"declaration": false,
 		"sourceMap": false,
-		"target": "es2021",
-		"module": "esnext",
-		"moduleResolution": "node",
+		"target": "ES2022",
+		"module": "ESNext",
+		"moduleResolution": "node16",
 		"allowSyntheticDefaultImports": true,
 		"removeComments": false,
 		"noLib": false,
--- a/packages/frontend/package.json
+++ b/packages/frontend/package.json
@ -20,29 +20,29 @@
 		"@rollup/plugin-replace": "5.0.2",
 		"@rollup/pluginutils": "5.0.2",
 		"@syuilo/aiscript": "0.13.3",
-		"@tabler/icons-webfont": "2.21.0",
+		"@tabler/icons-webfont": "2.22.0",
 		"@vitejs/plugin-vue": "4.2.3",
-		"@vue-macros/reactivity-transform": "0.3.9",
+		"@vue-macros/reactivity-transform": "0.3.10",
 		"@vue/compiler-sfc": "3.3.4",
 		"astring": "1.8.6",
 		"autosize": "6.0.1",
 		"broadcast-channel": "5.1.0",
 		"browser-image-resizer": "github:misskey-dev/browser-image-resizer#v2.2.1-misskey.3",
-		"buraha": "github:misskey-dev/buraha",
+		"buraha": "0.0.1",
 		"canvas-confetti": "1.6.0",
 		"chart.js": "4.3.0",
 		"chartjs-adapter-date-fns": "3.0.0",
 		"chartjs-chart-matrix": "2.0.1",
 		"chartjs-plugin-gradient": "0.6.1",
 		"chartjs-plugin-zoom": "2.0.1",
-		"chromatic": "6.18.0",
+		"chromatic": "6.19.9",
 		"compare-versions": "5.0.3",
-		"cropperjs": "2.0.0-beta.2",
+		"cropperjs": "2.0.0-beta.3",
 		"date-fns": "2.30.0",
 		"escape-regexp": "0.0.1",
 		"estree-walker": "^3.0.3",
 		"eventemitter3": "5.0.1",
-		"gsap": "3.11.5",
+		"gsap": "3.12.1",
 		"idb-keyval": "6.2.1",
 		"insert-text-at-cursor": "0.3.0",
 		"is-file-animated": "1.0.2",
@ -54,12 +54,10 @@
 		"prismjs": "1.29.0",
 		"punycode": "2.3.0",
 		"querystring": "0.2.1",
-		"rndstr": "1.0.0",
-		"rollup": "3.23.0",
+		"rollup": "3.25.1",
 		"s-age": "1.1.2",
-		"sanitize-html": "2.10.0",
-		"sass": "1.62.1",
-		"seedrandom": "3.0.5",
+		"sanitize-html": "2.11.0",
+		"sass": "1.63.6",
 		"strict-event-emitter-types": "2.0.0",
 		"syuilo-password-strength": "0.0.1",
 		"textarea-caret": "3.1.0",
@ -104,31 +102,30 @@
 		"@types/gulp-rename": "2.0.2",
 		"@types/matter-js": "0.18.5",
 		"@types/micromatch": "4.0.2",
-		"@types/node": "20.2.5",
+		"@types/node": "20.3.1",
 		"@types/punycode": "2.1.0",
 		"@types/sanitize-html": "2.9.0",
-		"@types/seedrandom": "3.0.5",
 		"@types/testing-library__jest-dom": "^5.14.6",
 		"@types/throttle-debounce": "5.0.0",
 		"@types/tinycolor2": "1.4.3",
-		"@types/uuid": "9.0.1",
+		"@types/uuid": "9.0.2",
 		"@types/websocket": "1.0.5",
-		"@types/ws": "8.5.4",
-		"@typescript-eslint/eslint-plugin": "5.59.8",
-		"@typescript-eslint/parser": "5.59.8",
-		"@vitest/coverage-c8": "0.31.4",
+		"@types/ws": "8.5.5",
+		"@typescript-eslint/eslint-plugin": "5.60.0",
+		"@typescript-eslint/parser": "5.60.0",
+		"@vitest/coverage-v8": "0.32.2",
 		"@vue/runtime-core": "3.3.4",
-		"acorn": "^8.8.2",
+		"acorn": "8.9.0",
 		"chokidar-cli": "3.0.0",
 		"cross-env": "7.0.3",
-		"cypress": "12.13.0",
-		"eslint": "8.41.0",
+		"cypress": "12.15.0",
+		"eslint": "8.43.0",
 		"eslint-plugin-import": "2.27.5",
-		"eslint-plugin-vue": "9.14.1",
+		"eslint-plugin-vue": "9.15.0",
 		"fast-glob": "3.2.12",
 		"happy-dom": "9.20.3",
 		"micromatch": "3.1.10",
-		"msw": "1.2.1",
+		"msw": "1.2.2",
 		"msw-storybook-addon": "1.8.0",
 		"prettier": "2.8.8",
 		"react": "18.2.0",
@ -138,9 +135,9 @@
 		"storybook-addon-misskey-theme": "github:misskey-dev/storybook-addon-misskey-theme",
 		"summaly": "github:misskey-dev/summaly",
 		"vite-plugin-turbosnap": "1.0.2",
-		"vitest": "0.31.4",
+		"vitest": "0.32.2",
 		"vitest-fetch-mock": "0.2.2",
-		"vue-eslint-parser": "9.3.0",
-		"vue-tsc": "1.6.5"
+		"vue-eslint-parser": "9.3.1",
+		"vue-tsc": "1.8.1"
 	}
 }
--- a/packages/frontend/src/pages/user/home.vue
+++ b/packages/frontend/src/pages/user/home.vue
@ -44,8 +44,10 @@
 					</div>
 					<div v-if="user.roles.length > 0" class="roles">
 						<span v-for="role in user.roles" :key="role.id" v-tooltip="role.description" class="role" :style="{ '--color': role.color }">
+							<MkA v-adaptive-bg :to="`/roles/${role.id}`">
 								<img v-if="role.iconUrl" style="height: 1.3em; vertical-align: -22%;" :src="role.iconUrl"/>
 								{{ role.name }}
+							</MkA>
 						</span>
 					</div>
 					<div v-if="iAmModerator" class="moderationNote">
--- a/packages/frontend/src/ui/deck.vue
+++ b/packages/frontend/src/ui/deck.vue
@ -4,12 +4,13 @@

 	<div :class="$style.main">
 		<XStatusBars/>
-		<div ref="columnsEl" :class="[$style.sections, { [$style.center]: deckStore.reactiveState.columnAlign.value === 'center', [$style.snapScroll]: snapScroll }]" @contextmenu.self.prevent="onContextmenu">
+		<div ref="columnsEl" :class="[$style.sections, { [$style.center]: deckStore.reactiveState.columnAlign.value === 'center', [$style.snapScroll]: snapScroll }]" @contextmenu.self.prevent="onContextmenu" @wheel.self="onWheel">
 			<!-- sectionを利用しているのは、deck.vue側でcolumnに対してfirst-of-typeを効かせるため -->
 			<section
 				v-for="ids in layout"
 				:class="$style.section"
 				:style="columns.filter(c => ids.includes(c.id)).some(c => c.flexible) ? { flex: 1, minWidth: '350px' } : { width: Math.max(...columns.filter(c => ids.includes(c.id)).map(c => c.width)) + 'px' }"
+				@wheel.self="onWheel"
 			>
 				<component
 					:is="columnComponents[columns.find(c => c.id === id)!.type] ?? XTlColumn"
@ -19,6 +20,7 @@
 					:class="$style.column"
 					:column="columns.find(c => c.id === id)"
 					:isStacked="ids.length > 1"
+					@headerWheel="onWheel"
 				/>
 			</section>
 			<div v-if="layout.length === 0" class="_panel" :class="$style.onboarding">
@ -196,15 +198,14 @@ const onContextmenu = (ev) => {
 	}], ev);
 };

-document.documentElement.style.overflowY = 'hidden';
-document.documentElement.style.scrollBehavior = 'auto';
-window.addEventListener('wheel', (ev) => {
-	if (ev.target === columnsEl && ev.deltaX === 0) {
-		columnsEl.scrollLeft += ev.deltaY;
-	} else if (getScrollContainer(ev.target as HTMLElement) == null && ev.deltaX === 0) {
+function onWheel(ev: WheelEvent) {
+	if (ev.deltaX === 0) {
 		columnsEl.scrollLeft += ev.deltaY;
 	}
-});
+}
+
+document.documentElement.style.overflowY = 'hidden';
+document.documentElement.style.scrollBehavior = 'auto';

 loadDeck();

--- a/packages/frontend/src/ui/deck/column.vue
+++ b/packages/frontend/src/ui/deck/column.vue
@ -12,6 +12,7 @@
 		@dragstart="onDragstart"
 		@dragend="onDragend"
 		@contextmenu.prevent.stop="onContextmenu"
+		@wheel="emit('headerWheel', $event)"
 	>
 		<svg viewBox="0 0 256 128" :class="$style.tabShape">
 			<g transform="matrix(6.2431,0,0,6.2431,-677.417,-29.3839)">
@ -56,6 +57,10 @@ const props = withDefaults(defineProps<{
 	naked: false,
 });

+const emit = defineEmits<{
+	(ev: 'headerWheel', ctx: WheelEvent): void;
+}>();
+
 let body = $shallowRef<HTMLDivElement | null>();

 let dragging = $ref(false);
--- a/packages/frontend/src/workers/test-webgl2.ts
+++ b/packages/frontend/src/workers/test-webgl2.ts
@ -1,5 +1,5 @@
-const canvas = new OffscreenCanvas(1, 1);
-const gl = canvas.getContext('webgl2');
+const canvas = globalThis.OffscreenCanvas && new OffscreenCanvas(1, 1);
+const gl = canvas?.getContext('webgl2');
 if (gl) {
    postMessage({ result: true });
 } else {
--- a/packages/frontend/test/tsconfig.json
+++ b/packages/frontend/test/tsconfig.json
@ -9,9 +9,9 @@
 		"noFallthroughCasesInSwitch": true,
 		"declaration": false,
 		"sourceMap": true,
-		"target": "es2021",
+		"target": "ES2022",
 		"module": "es2020",
-		"moduleResolution": "node",
+		"moduleResolution": "node16",
 		"allowSyntheticDefaultImports": true,
 		"removeComments": false,
 		"noLib": false,
@ -27,7 +27,7 @@
 			"@/*": ["../src/*"]
 		},
 		"typeRoots": [
-			"../node_modules/@types",
+			"../node_modules/@types"
 		],
 		"lib": [
 			"esnext",
@ -38,6 +38,6 @@
 	"compileOnSave": false,
 	"include": [
 		"./**/*.ts",
-		"../src/**/*.vue",
+		"../src/**/*.vue"
 	]
 }
--- a/packages/frontend/tsconfig.json
+++ b/packages/frontend/tsconfig.json
@ -9,9 +9,9 @@
 		"noFallthroughCasesInSwitch": true,
 		"declaration": false,
 		"sourceMap": false,
-		"target": "es2021",
+		"target": "ES2022",
 		"module": "esnext",
-		"moduleResolution": "node",
+		"moduleResolution": "node16",
 		"removeComments": false,
 		"noLib": false,
 		"strict": true,
@ -23,12 +23,12 @@
 		"useDefineForClassFields": true,
 		"baseUrl": ".",
 		"paths": {
-			"@/*": ["./src/*"],
+			"@/*": ["./src/*"]
 		},
 		"typeRoots": [
 			"node_modules/@types",
 			"node_modules/@vue-macros",
-			"@types",
+			"@types"
 		],
 		"types": [
 			"vite/client",
@ -47,6 +47,6 @@
 		"./**/*.vue"
 	],
 	"exclude": [
-		".storybook/**/*",
+		".storybook/**/*"
 	]
 }
--- a/packages/misskey-js/etc/misskey-js.api.md
+++ b/packages/misskey-js/etc/misskey-js.api.md
@ -960,8 +960,14 @@ export type Endpoints = {
        res: TODO;
    };
    'drive/files/create': {
-        req: TODO;
-        res: TODO;
+        req: {
+            folderId?: string;
+            name?: string;
+            comment?: string;
+            isSentisive?: boolean;
+            force?: boolean;
+        };
+        res: DriveFile;
    };
    'drive/files/delete': {
        req: {
@ -1942,6 +1948,19 @@ export type Endpoints = {
        req: TODO;
        res: TODO;
    };
+    'signup': {
+        req: {
+            username: string;
+            password: string;
+            host?: string;
+            invitationCode?: string;
+            emailAddress?: string;
+            'hcaptcha-response'?: string;
+            'g-recaptcha-response'?: string;
+            'turnstile-response'?: string;
+        };
+        res: MeSignup | null;
+    };
    'stats': {
        req: NoParams;
        res: Stats;
@ -2159,6 +2178,8 @@ declare namespace entities {
        UserGroup,
        UserList,
        MeDetailed,
+        MeDetailedWithSecret,
+        MeSignup,
        DriveFile,
        DriveFolder,
        GalleryPost,
@ -2374,6 +2395,22 @@ type MeDetailed = UserDetailed & {
    [other: string]: any;
 };

+// @public (undocumented)
+type MeDetailedWithSecret = MeDetailed & {
+    email: string;
+    emailVerified: boolean;
+    securityKeysList: {
+        id: string;
+        name: string;
+        lastUsed: string;
+    }[];
+};
+
+// @public (undocumented)
+type MeSignup = MeDetailedWithSecret & {
+    token: string;
+};
+
 // @public (undocumented)
 type MessagingMessage = {
    id: ID;
@ -2719,7 +2756,7 @@ type UserSorting = '+follower' | '-follower' | '+createdAt' | '-createdAt' | '+u
 //
 // src/api.types.ts:16:32 - (ae-forgotten-export) The symbol "TODO" needs to be exported by the entry point index.d.ts
 // src/api.types.ts:18:25 - (ae-forgotten-export) The symbol "NoParams" needs to be exported by the entry point index.d.ts
-// src/api.types.ts:596:18 - (ae-forgotten-export) The symbol "ShowUserReq" needs to be exported by the entry point index.d.ts
+// src/api.types.ts:620:18 - (ae-forgotten-export) The symbol "ShowUserReq" needs to be exported by the entry point index.d.ts
 // src/streaming.types.ts:33:4 - (ae-forgotten-export) The symbol "FIXME" needs to be exported by the entry point index.d.ts

 // (No @packageDocumentation comment for this package)
--- a/packages/misskey-js/package.json
+++ b/packages/misskey-js/package.json
@ -1,6 +1,6 @@
 {
 	"name": "misskey-js",
-	"version": "0.0.15",
+	"version": "0.0.16",
 	"description": "Misskey SDK for JavaScript",
 	"main": "./built/index.js",
 	"types": "./built/index.d.ts",
@ -21,27 +21,27 @@
 		"url": "git+https://github.com/misskey-dev/misskey.js.git"
 	},
 	"devDependencies": {
-		"@microsoft/api-extractor": "7.34.7",
+		"@microsoft/api-extractor": "7.36.0",
 		"@swc/jest": "0.2.26",
-		"@types/jest": "29.5.1",
-		"@types/node": "18.16.3",
-		"@typescript-eslint/eslint-plugin": "5.59.5",
-		"@typescript-eslint/parser": "5.59.5",
+		"@types/jest": "29.5.2",
+		"@types/node": "20.3.1",
+		"@typescript-eslint/eslint-plugin": "5.60.0",
+		"@typescript-eslint/parser": "5.60.0",
 		"ajv": "8.12.0",
-		"eslint": "8.40.0",
+		"eslint": "8.43.0",
 		"jest": "29.5.0",
 		"jest-fetch-mock": "3.0.3",
 		"jest-websocket-mock": "2.4.0",
 		"mock-socket": "9.2.1",
 		"tsd": "0.28.1",
-		"typescript": "5.0.4"
+		"typescript": "5.1.3"
 	},
 	"files": [
 		"built"
 	],
 	"dependencies": {
 		"@swc/cli": "0.1.62",
-		"@swc/core": "1.3.56",
+		"@swc/core": "1.3.66",
 		"@types/json-schema": "^7.0.11",
 		"eventemitter3": "5.0.1",
 		"ms": "3.0.0-canary.1",
--- a/packages/misskey-js/src/api.types.ts
+++ b/packages/misskey-js/src/api.types.ts
@ -2,7 +2,7 @@ import type {
 	Ad, Announcement, Antenna, App, AuthSession, Blocking, Channel, Clip, DateString, DetailedInstanceMetadata, DriveFile, DriveFolder, Following, FollowingFolloweePopulated, FollowingFollowerPopulated, FollowRequest, GalleryPost, Instance,
 	LiteInstanceMetadata,
 	MeDetailed,
-	Note, NoteFavorite, OriginType, Page, ServerInfo, Stats, User, UserDetailed, UserList, UserSorting, Notification, NoteReaction, Signin,
+	Note, NoteFavorite, OriginType, Page, ServerInfo, Stats, User, UserDetailed, MeSignup, UserGroup, UserList, UserSorting, Notification, NoteReaction, Signin, MessagingMessage,
 } from './entities.js';

 type TODO = Record<string, any> | null;
@ -262,7 +262,16 @@ export type Endpoints = {
 	'drive/files': { req: { folderId?: DriveFolder['id'] | null; type?: DriveFile['type'] | null; limit?: number; sinceId?: DriveFile['id']; untilId?: DriveFile['id']; }; res: DriveFile[]; };
 	'drive/files/attached-notes': { req: TODO; res: TODO; };
 	'drive/files/check-existence': { req: TODO; res: TODO; };
-	'drive/files/create': { req: TODO; res: TODO; };
+	'drive/files/create': {
+		req: {
+			folderId?: string,
+			name?: string,
+			comment?: string,
+			isSentisive?: boolean,
+			force?: boolean,
+		};
+		res: DriveFile;
+	};
 	'drive/files/delete': { req: { fileId: DriveFile['id']; }; res: null; };
 	'drive/files/find-by-hash': { req: TODO; res: TODO; };
 	'drive/files/find': { req: { name: string; folderId?: DriveFolder['id'] | null; }; res: DriveFile[]; };
@ -542,6 +551,21 @@ export type Endpoints = {
 	'room/show': { req: TODO; res: TODO; };
 	'room/update': { req: TODO; res: TODO; };

+	// signup
+	'signup': {
+		req: {
+			username: string;
+			password: string;
+			host?: string;
+			invitationCode?: string;
+			emailAddress?: string;
+			'hcaptcha-response'?: string;
+			'g-recaptcha-response'?: string;
+			'turnstile-response'?: string;
+		};
+		res: MeSignup | null;
+	};
+
 	// stats
 	'stats': { req: NoParams; res: Stats; };

--- a/packages/misskey-js/tsconfig.json
+++ b/packages/misskey-js/tsconfig.json
@ -1,9 +1,9 @@
 {
 	"$schema": "http://json.schemastore.org/tsconfig",
 	"compilerOptions": {
-		"target": "es2022",
+		"target": "ES2022",
 		"module": "ES2020",
-		"moduleResolution": "node",
+		"moduleResolution": "node16",
 		"declaration": true,
 		"declarationMap": true,
 		"sourceMap": true,
--- a/packages/sw/package.json
+++ b/packages/sw/package.json
@ -14,10 +14,10 @@
 		"misskey-js": "workspace:*"
 	},
 	"devDependencies": {
-		"@typescript-eslint/parser": "5.59.5",
+		"@typescript-eslint/parser": "5.60.0",
 		"@typescript/lib-webworker": "npm:@types/serviceworker@0.0.67",
-		"eslint": "8.40.0",
+		"eslint": "8.43.0",
 		"eslint-plugin-import": "2.27.5",
-		"typescript": "5.0.4"
+		"typescript": "5.1.3"
 	}
 }
--- a/packages/sw/tsconfig.json
+++ b/packages/sw/tsconfig.json
@ -9,9 +9,9 @@
 		"noFallthroughCasesInSwitch": true,
 		"declaration": false,
 		"sourceMap": false,
-		"target": "es2021",
+		"target": "ES2022",
 		"module": "esnext",
-		"moduleResolution": "node",
+		"moduleResolution": "node16",
 		"removeComments": false,
 		"noLib": false,
 		"strict": true,
@ -21,11 +21,11 @@
 		"isolatedModules": true,
 		"baseUrl": ".",
 		"paths": {
-			"@/*": ["./src/*"],
+			"@/*": ["./src/*"]
 		},
 		"typeRoots": [
 			"node_modules/@types",
-			"@types",
+			"@types"
 		],
 		"lib": [
 			"esnext",
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml