Fedify changelog ================ Version 2.1.0 ------------- To be released. ### @fedify/fedify - Added `InboxListenerSetters.onUnverifiedActivity()` so applications can inspect inbound activities whose signatures could not be verified and optionally return a custom response instead of the default `401 Unauthorized`. This is useful for cases like `Delete` deliveries from actors whose signing keys now return `404 Not Found` or `410 Gone`. Added the supporting public types `UnverifiedActivityHandler` and `UnverifiedActivityReason`. [[#472], [#611]] - Added `verifyRequestDetailed()` plus the public types `VerifyRequestDetailedResult`, `VerifyRequestFailureReason`, and `FetchKeyErrorResult` so applications can distinguish unsigned requests, invalid signatures, and key-fetch failures during HTTP signature verification. [[#611]] - OpenTelemetry spans/events and `FedifySpanExporter` signature details now expose HTTP signature failure reasons and key-fetch failure details for inbound activities. [[#611]] - Fixed `RequestContext.getSignedKeyOwner()` to return `null` instead of throwing an error when the remote server requires authorized fetch and returns `401 Unauthorized` for the key owner lookup. Previously, this caused a `500 Internal Server Error` when interoperating with servers like GoToSocial that have authorized fetch enabled. [[#473], [#589]] - Added RFC 9421 §5 `Accept-Signature` negotiation for both outbound and inbound paths. On the outbound side, `doubleKnock()` now parses `Accept-Signature` challenges from `401` responses and retries with a compatible RFC 9421 signature before falling back to legacy spec-swap. On the inbound side, a new `InboxChallengePolicy` option in `FederationOptions` enables emitting `Accept-Signature` headers on inbox `401` responses, with optional one-time nonce support for replay protection. [[#583], [#584], [#626] by ChanHaeng Lee] [#472]: https://github.com/fedify-dev/fedify/issues/472 [#473]: https://github.com/fedify-dev/fedify/issues/473 [#583]: https://github.com/fedify-dev/fedify/issues/583 [#584]: https://github.com/fedify-dev/fedify/issues/584 [#589]: https://github.com/fedify-dev/fedify/pull/589 [#611]: https://github.com/fedify-dev/fedify/pull/611 [#626]: https://github.com/fedify-dev/fedify/pull/626 ### @fedify/vocab-runtime - Updated the preloaded JSON-LD context to match the current [GoToSocial] v0.21+ namespace, adding new type terms (`LikeRequest`, `LikeAuthorization`, etc.) and property terms (`automaticApproval`, `manualApproval`, `interactingObject`, etc.) while retaining deprecated terms (`always`, `approvalRequired`) for backward compatibility. [[#453], [#622]] - Added optional `FetchError.response` so callers can inspect the original failed HTTP response when remote document or key fetches return an HTTP error (such as `404 Not Found` or `410 Gone`). This enables higher-level APIs to distinguish transport failures from specific HTTP fetch failures. [[#611]] [GoToSocial]: https://gotosocial.org/ [#453]: https://github.com/fedify-dev/fedify/issues/453 [#622]: https://github.com/fedify-dev/fedify/pull/622 ### @fedify/cli - Added `--reverse` option to `fedify lookup` to reverse presentation order of emitted results. It now works across default multi-input lookup, `--traverse` collection traversal output, and `--recurse` object chains, while preserving existing fetch/error semantics. [[#607], [#609]] - Fixed `fedify lookup` printing separators with extra quotes between adjacent objects/items in some output paths (e.g., recurse/traverse flows). Separators are now printed as plain text consistently. [[#608]] - Added `--recurse` and `--recurse-depth` options to `fedify lookup` for recursively following object relationships (e.g., reply chains via `replyTarget` / `inReplyTo`, and quote chains via `quoteUrl` and quote IRIs). `--traverse` and `--recurse` are now mutually exclusive, `--recurse-depth` depends on `--recurse`, and `--suppress-errors` now works in recurse mode as best-effort lookup. [[#606], [#608]] - Hardened `fedify lookup` by disallowing private/localhost document loads by default. For local-development workflows, `-p`/`--allow-private-address` (or `lookup.allowPrivateAddress = true` in config) can re-enable private address access for explicit lookup/traverse requests. This option does not apply to recursive fetches, which always disallow private addresses. [[#608]] [#606]: https://github.com/fedify-dev/fedify/issues/606 [#607]: https://github.com/fedify-dev/fedify/issues/607 [#608]: https://github.com/fedify-dev/fedify/pull/608 [#609]: https://github.com/fedify-dev/fedify/pull/609 ### @fedify/vocab - Added [GoToSocial] interaction controls vocabulary for expressing who can like, reply to, or announce posts and for approving interactions. [[#453], [#622]] - Added `InteractionPolicy` and `InteractionRule` typeless value classes. - Added `LikeRequest`, `ReplyRequest`, and `AnnounceRequest` activity types for requesting interaction approval. - Added `LikeAuthorization`, `ReplyAuthorization`, and `AnnounceAuthorization` types for proving approved interactions. - Added `Object.interactionPolicy`, `Object.approvedBy`, `Object.getLikeAuthorization()`/`Object.likeAuthorizationId`, `Object.getReplyAuthorization()`/`Object.replyAuthorizationId`, and `Object.getAnnounceAuthorization()`/`Object.announceAuthorizationId`. - Fixed `Endpoints.toJsonLd()` to no longer emit invalid `"type": "as:Endpoints"` in the serialized JSON-LD. The `as:Endpoints` type does not exist in the ActivityStreams vocabulary, and its presence caused validation failures on implementations like [browser.pub]. [[#576]] - Fixed `Source.toJsonLd()` to no longer emit invalid `"type": "as:Source"` in the serialized JSON-LD. The `as:Source` type does not exist in the ActivityStreams vocabulary either. [browser.pub]: https://browser.pub/ [#576]: https://github.com/fedify-dev/fedify/issues/576 ### @fedify/vocab-tools - Added `typeless` field to the type YAML schema. When set to `true`, the generated `toJsonLd()` method does not emit `@type` (or `type` in compact form) in the serialized JSON-LD. This is useful for types that are not real vocabulary types but rather anonymous object structures. ### @fedify/init - Changed `fedify init` to add `"temporal"` to `deno.json`'s `"unstable"` field only when the installed Deno version is earlier than 2.7.0. On Deno 2.7.0 or later, it is no longer added. - `fedify init` now omits the `"unstable"` field entirely when no unstable feature is required for the generated Deno project. - Supported [Astro] as a web framework option in `fedify init`, with runtime-specific templates for Deno, Bun, and Node.js environments. [[#50] by ChanHaeng Lee] [Astro]: https://astro.build/ [#50]: https://github.com/fedify-dev/fedify/issues/50 ### @fedify/astro - Added `@fedify/astro` package for integrating Fedify with [Astro]. It provides `fedifyIntegration()` for Vite SSR configuration and `fedifyMiddleware()` for request handling. [[#50] by Chanhaeng Lee] ### @fedify/mysql - Added `MysqlMessageQueue` class to the `@fedify/mysql` package, a MySQL/MariaDB-backed `MessageQueue` implementation. It uses periodic polling (`SELECT … FOR UPDATE SKIP LOCKED`) to deliver messages and MySQL advisory locks (`GET_LOCK`/`RELEASE_LOCK`) for ordering-key serialization. Supports delayed delivery, ordering keys, `enqueueMany()`, and concurrent workers. Requires MySQL 8.0+ or MariaDB 10.6+. [[#586], [#599]] - Added `@fedify/mysql` package, a MySQL/MariaDB-backed `KvStore` implementation. It provides `MysqlKvStore`, which stores key–value pairs in a MySQL table using the [`mysql2`] driver. Supports TTL, prefix listing, and compare-and-swap (`cas()`) operations. [[#585], [#597]] [`mysql2`]: https://www.npmjs.com/package/mysql2 [#585]: https://github.com/fedify-dev/fedify/issues/585 [#586]: https://github.com/fedify-dev/fedify/issues/586 [#597]: https://github.com/fedify-dev/fedify/pull/597 [#599]: https://github.com/fedify-dev/fedify/pull/599 Version 2.0.7 ------------- Released on March 22, 2026. ### @fedify/fedify - Switched Fedify's source-based JSON-LD loading to the new `@fedify/vocab-runtime/jsonld` subpath so generated vocabulary code and Linked Data signature support no longer have to evaluate `jsonld` through a CommonJS-sensitive package root in Fresh 2, Deno, and other ESM-first runtimes. Fresh 2 development mode has been verified on Deno 2.7.7 after an upstream Deno 2.7.6 dev server regression was fixed. [[#621], [#639]] [#621]: https://github.com/fedify-dev/fedify/issues/621 [#639]: https://github.com/fedify-dev/fedify/pull/639 ### @fedify/vocab-runtime - Fixed multibase public key handling to stop relying on the deprecated CommonJS-only `multicodec` package. This removes the Vite SSR crash that prevented Fresh 2 applications from importing `@fedify/fedify` with `TypeError: varint.encode is not a function`. Fresh 2 no longer needs a Vite externalization workaround for Fedify. [[#621], [#639]] - Added the new `@fedify/vocab-runtime/jsonld` subpath export so generated vocabulary code and other Fedify runtime code can share a JSR-safe wrapper around `jsonld`'s ESM entrypoint instead of depending on fragile relative shims or the package-root import path. [[#621], [#639]] ### @fedify/init - Revived removed `fedify init` options. [[#632], [#638] by ChanHaeng Lee] - `bare-bones` option for web framework. - `in-memory` option for key-value store. - `in-process` option for message queue. [#632]: https://github.com/fedify-dev/fedify/issues/632 [#638]: https://github.com/fedify-dev/fedify/pull/638 Version 2.0.6 ------------- Released on March 19, 2026. ### @fedify/init - Fixed `fedify init` crashing when `@fedify/cli` or `@fedify/init` is executed through the JSR/Deno distribution. `import.meta.dirname` is `undefined` for remote JSR modules, so the template loading and repository-relative path logic has been made safe for published JSR execution. [[#624], [#633]] [#624]: https://github.com/fedify-dev/fedify/issues/624 [#633]: https://github.com/fedify-dev/fedify/pull/633 ### @fedify/vocab-runtime - Added to preloaded JSON-LD contexts. This URL has never served a real JSON-LD context document (Mastodon has always inlined the term definitions), but some ActivityPub implementations put it as a bare URL in their `@context`, causing JSON-LD processors to fail with a 404. [[#630], [#631]] [#630]: https://github.com/fedify-dev/fedify/issues/630 [#631]: https://github.com/fedify-dev/fedify/pull/631 Version 2.0.5 ------------- Released on March 11, 2026. ### @fedify/fedify - Added to preloaded JSON-LD contexts. Version 2.0.4 ------------- Released on March 11, 2026. ### @fedify/fastify - Fixed the default `onNotAcceptable` handler in `@fedify/fastify` to create a fresh `Response` for each request instead of reusing a shared singleton instance. [[#612] by Lee Dogeon] [#612]: https://github.com/fedify-dev/fedify/pull/612 Version 2.0.3 ------------- Released on March 3, 2026. ### @fedify/postgres - Fixed `PostgresMessageQueue.listen()` crashing the process when a malformed `NOTIFY` payload is received. `Temporal.Duration.from()` was called without error handling, so an invalid duration string caused an unhandled `RangeError` that propagated through the postgres driver. The `NOTIFY` callback is now wrapped in a `try`–`catch` that logs the error and falls back to an immediate poll. [[#594]] - Fixed `PostgresMessageQueue.listen()` permanently stalling all message processing when a message handler hangs indefinitely (e.g., due to an unresponsive remote server). The `serializedPoll` mechanism chains every `poll()` invocation onto a single promise, so a single hung handler blocked the entire queue permanently. Handler invocations are now wrapped with a configurable timeout (default: 60 seconds) via the new `handlerTimeout` option in `PostgresMessageQueueOptions`. When a handler exceeds the timeout, it is treated as an error and the poll loop moves on, preventing permanent stalls. [[#595]] [#594]: https://github.com/fedify-dev/fedify/issues/594 [#595]: https://github.com/fedify-dev/fedify/issues/595 Version 2.0.2 ------------- Released on February 27, 2026. ### @fedify/fedify - Removed the deprecated third and fourth parameters (`signedKey` and `signedKeyOwner`) from `AuthorizePredicate` and `ObjectAuthorizePredicate`. These parameters were deprecated since Fedify 1.5.0 in favor of `RequestContext.getSignedKey()` and `RequestContext.getSignedKeyOwner()` methods, but were mistakenly left in the Fedify 2.0.0 release. The internal handler code that eagerly called `getSignedKey()` and `getSignedKeyOwner()` before invoking the predicate has also been removed; predicates should now call those methods themselves when needed. [[#473], [#590]] [#590]: https://github.com/fedify-dev/fedify/pull/590 Version 2.0.1 ------------- Released on February 24, 2026. ### @fedify/cli - Fixed `fedify` command hanging indefinitely when invoked as an executable (e.g., via `npx @fedify/cli` or `npm exec -- fedify`) on Linux. The shebang line `#!/usr/bin/env node --disable-warning=ExperimentalWarning` was passing `node --disable-warning=ExperimentalWarning` as a single argument to `env`, which caused an infinite exec loop on Linux because the kernel passes all shebang arguments as one string. Fixed by using `env -S` to properly split arguments: `#!/usr/bin/env -S node --disable-warning=ExperimentalWarning`. ### @fedify/postgres - Fixed `PostgresMessageQueue.listen()` permanently stopping message processing when `poll()` throws (e.g., transient PostgreSQL errors or handler failures). `listen()` now catches polling errors for subscribe, notify, and interval-triggered polls, logs them, and retries on subsequent triggers instead of terminating the listener. [[#581]] - `PostgresMessageQueue.initialize()` now creates an index on the `created` column (`idx_{table}_created`) to improve dequeue query performance under backlog growth. [[#581]] [#581]: https://github.com/fedify-dev/fedify/issues/581 Version 2.0.0 ------------- Released on February 22, 2026. ### @fedify/fedify - Remove `contextLoader` option (which was deprecated) from `FederationOptions` interface in favor of `contextLoaderFactory` option for better flexibility. [[#376], [#445] by Hasang Cho] - Migrated from *@phensley/language-tag* package and its `LanguageTag` class to the standardized `Intl.Locale` class for representing language tags. [[#280], [#392] by Jang Hanarae] - The `LanguageString.language` property is now `LanguageString.locale` and is of type `Intl.Locale` instead of `LanguageTag`. - The `LanguageString` constructor now accepts either an `Intl.Locale` object or a string for the language parameter. - The `Link.language` property is now of type `Intl.Locale` instead of `LanguageTag`. - Removed the `@phensley/language-tag` dependency. - Remove `documentLoader` option (which was deprecated) from `FederationOptions` interface in favor of `documentLoaderFactory` option for better flexibility. [[#376], [#393] by Hasang Cho] - Remove `CreateFederationOptions` interface (which was deprecated since 1.6.0). Use `FederationOptions` instead. [[#376]] - Remove `fetchDocumentLoader()` function (which was deprecated since 0.14.0). Use `getDocumentLoader()` from `@fedify/vocab-runtime` instead. [[#376]] - Remove `{ handle: string }` parameter form from `sendActivity()`, `forwardActivity()`, `getDocumentLoader()`, and `ParseUriResult`. Use `{ identifier: string }` or `{ username: string }` instead. [[#376]] - Changed NodeInfo `software.version` field type from `SemVer` to `string` to properly handle non-SemVer version strings in accordance with the NodeInfo specification. [[#366], [#433] by Hyeonseo Kim] - The `parseNodeInfo()` function now returns version as `string` instead of `SemVer` object. - The `Software.version` field is now of `string` (was of `SemVer`). - Removed `parseSemVer()` and `formatSemVer()` functions. - Updated related CLI tools and documentation. - Federation dispatchers are now only triggered when the request accepts ActivityPub-compatible content types. This improves compatibility with applications that serve both HTML and ActivityPub content from the same URLs. [[#434] by Emelia Smith] - Actor, object, and collection dispatchers will no longer be called for requests with `Accept: text/html` or other non-ActivityPub content types. - The `notAcceptable` callback is now triggered at the middleware level before dispatchers are invoked. - If your application relies on dispatchers being called regardless of `Accept` header, you may need to adjust your routing logic. - Changed the default activity idempotency strategy from `"per-origin"` to `"per-inbox"` to align with standard ActivityPub behavior. [[#441]] - Activities are now deduplicated per inbox by default, allowing the same activity ID to be processed once per inbox independently. - The previous `"per-origin"` strategy (deduplicate per receiving server) can still be explicitly configured using `.withIdempotency("per-origin")`. - This change ensures proper delivery of activities to multiple inboxes on the same server, fixing issues where activities were incorrectly deduplicated globally. - Separated modules from `@fedify/fedify/runtime` to improve modularity and reduce coupling between vocabulary generation and core federation functionality. [[#444], [#451] by ChanHaeng Lee] - Modules related to ActivityPub vocabulary generation have been extracted into the new `@fedify/vocab-runtime` package. - Other utility modules from `@fedify/fedify/runtime` have been reorganized into the `@fedify/fedify/utils` directory within the main package. - Updated import paths throughout the codebase to reflect the new module organization. - Deprecated the `@fedify/fedify/runtime` module in favor of the new `@fedify/vocab-runtime` package. The `@fedify/fedify/runtime` module now re-exports all exports from `@fedify/vocab-runtime` for backward compatibility, but will be removed in a future version. Please migrate to `@fedify/vocab-runtime` directly. [[#560]] - The `KvCacheParameters.rules` option's type became `[string | URL | URLPattern, Temporal.Duration | Temporal.DurationLike][]` (was `[string | URL | URLPattern, Temporal.Duration][]`). - The `@fedify/fedify/x/*` modules are removed. Also, there are no Fresh integration for now. [[#391] by Chanhaeng Lee] - Removed `@fedify/fedify/x/cfworkers` in favor of `@fedify/cfworkers`. - Removed `@fedify/fedify/x/denokv` in favor of `@fedify/denokv`. - Removed `@fedify/fedify/x/hono` in favor of `@fedify/hono`. - Removed `@fedify/fedify/x/sveltekit` in favor of `@fedify/sveltekit`. - Removed `@fedify/fedify/x/fresh` (Fresh integration). [[#466]] - Deprecated the `@fedify/fedify/vocab` module in favor of the new `@fedify/vocab` package. The `@fedify/fedify/vocab` module now re-exports all exports from `@fedify/vocab` for backward compatibility, but will be removed in a future version. Please migrate to `@fedify/vocab` directly. [[#437], [#517] by ChanHaeng Lee] - The `KvStore.list()` method is now required instead of optional. This method was added as optional in version 1.10.0 to give existing implementations time to add support. All official `KvStore` implementations already support this method. [[#499], [#506]] - Added `orderingKey` option to `MessageQueueEnqueueOptions` interface for ordered message delivery. Messages with the same ordering key are guaranteed to be processed in the order they were enqueued, while messages with different ordering keys can be processed in parallel. This helps prevent race conditions when processing related activities (e.g., ensuring a `Delete` activity is processed after a `Create` activity for the same object). [[#536], [#538], [#540], [#544]] - Added `MessageQueueEnqueueOptions.orderingKey` property. - All properties in `MessageQueueEnqueueOptions` are now `readonly`. - `InProcessMessageQueue` now supports the `orderingKey` option. - Added `SendActivityOptions.orderingKey` option to ensure ordered delivery of activities for the same object. When specified, activities with the same `orderingKey` are guaranteed to be delivered in order to each recipient server. - Added `Federatable.setOutboxPermanentFailureHandler()` method to handle permanent delivery failures (such as `410 Gone` or `404 Not Found`) when sending activities to remote inboxes. This allows applications to clean up unreachable followers and avoid future delivery attempts to permanently failed inboxes. [[#548], [#559]] - Added `permanentFailureStatusCodes` option to `FederationOptions` to configure which HTTP status codes are treated as permanent delivery failures. By default, `404` and `410` are treated as permanent failures. [[#548], [#559]] - Added `SendActivityError` class, a structured error that is thrown when an activity fails to send to a remote inbox. It includes the HTTP status code, the inbox URL, and the response body, making it easier to programmatically handle delivery errors. [[#548], [#559]] - Added `traceId` and `spanId` to LogTape context in federation middleware so that log records emitted during request handling and queue processing include the OpenTelemetry trace and span IDs in their properties. This enables the `@fedify/debugger` dashboard to display per-trace logs. [[#561], [#564]] - Fixed unbounded memory consumption when activity delivery fails with large error responses. The `SendActivityError.responseBody` property is now limited to 1 KiB to prevent memory pressure when remote servers return large HTML error pages (e.g., Cloudflare error pages of 50–100 KB each). This prevents potential OOM crashes in production environments with many unreachable inboxes. [[#569]] [#280]: https://github.com/fedify-dev/fedify/issues/280 [#366]: https://github.com/fedify-dev/fedify/issues/366 [#376]: https://github.com/fedify-dev/fedify/issues/376 [#391]: https://github.com/fedify-dev/fedify/pull/391 [#392]: https://github.com/fedify-dev/fedify/pull/392 [#393]: https://github.com/fedify-dev/fedify/pulls/393 [#433]: https://github.com/fedify-dev/fedify/pull/433 [#434]: https://github.com/fedify-dev/fedify/pull/434 [#437]: https://github.com/fedify-dev/fedify/issues/437 [#441]: https://github.com/fedify-dev/fedify/issues/441 [#444]: https://github.com/fedify-dev/fedify/issues/444 [#445]: https://github.com/fedify-dev/fedify/pull/445 [#451]: https://github.com/fedify-dev/fedify/pull/451 [#466]: https://github.com/fedify-dev/fedify/issues/466 [#499]: https://github.com/fedify-dev/fedify/issues/499 [#506]: https://github.com/fedify-dev/fedify/pull/506 [#517]: https://github.com/fedify-dev/fedify/pull/517 [#536]: https://github.com/fedify-dev/fedify/issues/536 [#538]: https://github.com/fedify-dev/fedify/issues/538 [#540]: https://github.com/fedify-dev/fedify/pull/540 [#544]: https://github.com/fedify-dev/fedify/pull/544 [#548]: https://github.com/fedify-dev/fedify/issues/548 [#559]: https://github.com/fedify-dev/fedify/pull/559 [#560]: https://github.com/fedify-dev/fedify/issues/560 [#561]: https://github.com/fedify-dev/fedify/issues/561 [#564]: https://github.com/fedify-dev/fedify/pull/564 [#569]: https://github.com/fedify-dev/fedify/issues/569 ### @fedify/cli - The Fedify CLI now runs natively on Node.js and Bun without requiring compiled binaries, providing a more natural JavaScript package experience for Node.js and Bun users. [[#374], [#456], [#457]] - Added `fedify generate-vocab` command to generate Activity Vocabulary classes from schema files. This command uses the new *@fedify/vocab-tools* package internally and allows users to extend Activity Vocabulary with custom types. [[#444], [#458] by ChanHaeng Lee] - Updated `fedify init` command for better DX. [[#397], [#435] by Chanhaeng Lee] - If the directory is not empty, prompts the user for confirmation before proceeding. If the user agrees, it moves the remaining directory to trash and continue the initialization from new created directory. - Ask again if some options is not specified or invalid. - The `fedify lookup` command now supports multiple URLs with the `-t`/`--traverse` option, allowing users to traverse multiple collections in a single command. [[#408], [#449] by Jiwon Kwon] - The `fedify init` command now supports [Elysia] as a web framework option, with runtime-specific templates for Deno, Bun, and Node.js environments. [[#460], [#496] by Hyeonseo Kim] - Fixed a bug in the `fedify init` command where Deno import map generation incorrectly handled dependencies with registry prefixes (e.g., `npm:`), creating invalid specifiers in *deno.json*. [[#460], [#496] by Hyeonseo Kim] - Added `fedify relay` command to run an ephemeral ActivityPub relay server. [[#510], [#518] by Jiwon Kwon] - Supports both Mastodon and LitePub relay protocols via `--protocol` option. - Provides optional persistent storage via `--persistent` option with SQLite database. - Allows configuring subscription approval/rejection via `--accept-follow` and `--reject-follow` options. - Tunnels the relay server to the public internet by default for external access, with `--no-tunnel` option to run locally only. - Added `--tunnel-service` option to `fedify lookup`, `fedify inbox`, and `fedify relay` commands to select the tunneling service (localhost.run, serveo.net, or pinggy.io). Also added `--tunnel-service` as an alias to the existing `-s`/`--service` option in `fedify tunnel` for consistency. [[#525], [#529], [#531] by Jiwon Kwon] - Added configuration file support for CLI commands. The CLI now loads settings from configuration files at multiple levels, with a well-defined precedence chain. [[#555], [#566] by Jiwon Kwon] - By default, configuration is loaded (in order of increasing precedence) from a system-wide configuration file (*/etc/xdg/fedify/config.toml*), a user-level configuration file (*~/.config/fedify/config.toml*), and *.fedify.toml* in the current directory; later files override earlier ones. - Added `--config` option to specify a custom configuration file path; this file has the highest precedence over all other configuration sources. - Added `--ignore-config` option to skip configuration file loading. - All command options (`inbox`, `lookup`, `webfinger`, `nodeinfo`, `tunnel`, `relay`) can now be configured via any of the configuration files. [Elysia]: https://elysiajs.com/ [#374]: https://github.com/fedify-dev/fedify/issues/374 [#397]: https://github.com/fedify-dev/fedify/issues/397 [#408]: https://github.com/fedify-dev/fedify/issues/408 [#435]: https://github.com/fedify-dev/fedify/issues/435 [#449]: https://github.com/fedify-dev/fedify/pull/449 [#456]: https://github.com/fedify-dev/fedify/issues/456 [#457]: https://github.com/fedify-dev/fedify/pull/457 [#458]: https://github.com/fedify-dev/fedify/pull/458 [#460]: https://github.com/fedify-dev/fedify/issues/460 [#496]: https://github.com/fedify-dev/fedify/pull/496 [#510]: https://github.com/fedify-dev/fedify/issues/510 [#518]: https://github.com/fedify-dev/fedify/pull/518 [#525]: https://github.com/fedify-dev/fedify/issues/525 [#529]: https://github.com/fedify-dev/fedify/pull/529 [#531]: https://github.com/fedify-dev/fedify/pull/531 [#555]: https://github.com/fedify-dev/fedify/issues/555 [#566]: https://github.com/fedify-dev/fedify/pull/566 ### @fedify/debugger - Created the *@fedify/debugger* package, an embedded real-time ActivityPub debug dashboard for Fedify. It wraps an existing `Federation` object as a proxy, intercepting requests to a configurable path prefix (default `/__debug__`) and serving an SSR-based web UI. [[#561], [#564]] - Added `createFederationDebugger()` function that returns a `Federation` proxy with a built-in debug dashboard. When called without an `exporter` option, it automatically sets up OpenTelemetry tracing (creating `MemoryKvStore`, `FedifySpanExporter`, `BasicTracerProvider`) and registers it as the global tracer provider—no manual OTel configuration needed. - Traces list page showing trace IDs, activity types, activity counts, and timestamps, with auto-polling for real-time updates. - Trace detail page showing activity direction, type, actor, signature verification details, inbox URL, and expandable activity JSON. - JSON API endpoint at `/__debug__/api/traces` for programmatic access. - Added per-trace log collection using LogTape. The returned federation object now includes a `sink` property (a LogTape `Sink` function) that captures log records grouped by trace ID. In the simplified overload (without `exporter`), LogTape is auto-configured. - Trace detail page now shows a “Logs” section with log level, timestamp, logger category, and message for each log record in the trace. - JSON API endpoint at `/__debug__/api/logs/:traceId` for retrieving log records for a specific trace. - Added optional `auth` configuration for protecting the debug dashboard with authentication. Supports three modes: password-only, username + password, and request-based (e.g., IP filtering). Each mode supports both static credentials and callback functions. Uses cookie-based sessions with HMAC-signed tokens. ### @fedify/relay - Created ActivityPub relay integration as the *@fedify/relay* package. [[#359], [#459], [#471], [#490], [#510], [#518] by Jiwon Kwon] - Added `Relay` interface defining the common contract for relay implementations. - Added `MastodonRelay` class implementing Mastodon-compatible relay protocol. - Added `LitePubRelay` class implementing LitePub-compatible relay protocol. - Added `SubscriptionRequestHandler` type for custom subscription approval logic. - Added `RelayOptions` interface for relay configuration. - Added `RelayType` type alias to document the type-safe parameter - Added `createRelay()` factory function as a key public API [#359]: https://github.com/fedify-dev/fedify/issues/359 [#459]: https://github.com/fedify-dev/fedify/pull/459 [#471]: https://github.com/fedify-dev/fedify/pull/471 [#490]: https://github.com/fedify-dev/fedify/pull/490 ### @fedify/vocab-tools - Created Activity Vocabulary code generator as the *@fedify/vocab-tools* package. Separated vocabulary code generation tools from the main *@fedify/fedify* package to improve modularity and enable custom vocabulary extensions across different JavaScript runtimes. [[#444], [#458] by ChanHaeng Lee] - Made the code generator runtime-agnostic, supporting Deno, Node.js, and Bun environments. - Provides programmatic API for generating vocabulary classes from schema files. - Integrated with `fedify generate-vocab` CLI command. - Published to both npm and JSR for broad ecosystem compatibility. ### @fedify/vocab-runtime - Created ActivityPub vocabulary runtime as the *@fedify/vocab-runtime* package. Separated core vocabulary generation and processing modules from the main *@fedify/fedify* package to improve modularity and reduce coupling between vocabulary processing and federation functionality. [[#444], [#451] by ChanHaeng Lee] - Extracted `DocumentLoader`, `RemoteDocument`, and related types from the main package. - Moved cryptographic key processing utilities, e.g., `importSpki`, `exportSpki`, `importMultibaseKey`, `exportMultibaseKey`. - Relocated multibase encoding/decoding functionality. - Separated language string processing (`LanguageString` class). - This package is primarily used by generated vocabulary classes and provides the runtime infrastructure for ActivityPub object processing. ### @fedify/elysia - Added *deno.json* configuration file to enable proper Deno tooling support in the package. [[#460], [#496]] ### @fedify/lint - Created Fedify linting tools as the *@fedify/lint* package. This package provides shared Deno Lint and ESLint configurations for consistent code style across Fedify packages and user projects. [[#297], [#494] by ChanHaeng Lee] [#297]: https://github.com/fedify-dev/fedify/issues/297 [#494]: https://github.com/fedify-dev/fedify/pull/494 ### @fedify/fresh - Created a new @fedify/fresh package that provides seamless integration between Fedify and Fresh 2.0, replacing the deprecated `@fedify/fedify/x/fresh` module that was designed for Fresh 1.x. [[#466], [#478] by Hyeonseo Kim] [#478]: https://github.com/fedify-dev/fedify/pull/478 ### @fedify/webfinger - Created WebFinger utilities as the *@fedify/webfinger* package. This package provides tools for working with WebFinger resources, including parsing and generating WebFinger documents. [[#517] by ChanHaeng Lee] ### @fedify/vocab - Created ActivityPub Vocabulary API package as the *@fedify/vocab* package. This package contains the generated Activity Vocabulary classes and related types, separated from the main *@fedify/fedify* package to improve modularity and enable custom vocabulary extensions. The previous `@fedify/fedify/vocab` module is now deprecated and re-exports all exports from this package for backward compatibility. [[#437], [#517] by ChanHaeng Lee] - `@fedify/vocab` now re-exports `LanguageString`, `DocumentLoader`, `GetUserAgentOptions`, and `RemoteDocument` from `@fedify/vocab-runtime` so that downstream consumers do not need to depend on `@fedify/vocab-runtime` directly. [[#560]] - Fixed `@fedify/vocab-runtime` being bundled inline into `@fedify/vocab`'s ESM/CJS output instead of being kept as an external dependency. This caused `instanceof LanguageString` checks to fail because two distinct `LanguageString` classes existed at runtime. [[#560]] ### @fedify/sqlite - Added `SqliteMessageQueue` class implementing `MessageQueue` interface using SQLite as the backing store. This implementation uses polling to check for new messages and is suitable for single-node deployments and development environments. [[#477], [#526] by ChanHaeng Lee] - Added `SqliteMessageQueue` class. - Added `SqliteMessageQueueOptions` interface. - `SqliteMessageQueue` now supports the `orderingKey` option to ensure messages with the same ordering key are processed sequentially. [[#538], [#540]] - Added `ordering_key` column to the message queue table schema. - The new table schema is created when `SqliteMessageQueue.initialize()` is called on a fresh database. [#477]: https://github.com/fedify-dev/fedify/issues/477 [#526]: https://github.com/fedify-dev/fedify/pull/526 ### @fedify/testing - Added `testMessageQueue()` utility function for standardized testing of `MessageQueue` implementations. This function provides a reusable test harness that covers common message queue operations including `enqueue()`, `enqueue()` with delay, `enqueueMany()`, and multiple listener scenarios. [[#477], [#526] by ChanHaeng Lee] - Added `testMessageQueue()` function. - Added `waitFor()` helper function. - Added `getRandomKey()` helper function. - Added `TestMessageQueueOptions` interface and optional `options` parameter to `testMessageQueue()` function. [[#538], [#540]] - Added `TestMessageQueueOptions` interface. - Added `testOrderingKey` option to enable ordering key tests. ### @fedify/redis - Fixed a race condition in `RedisMessageQueue.listen()` where pub/sub notifications could be missed if `enqueue()` was called immediately after `listen()` started. The issue occurred because the message handler was attached inside an async callback, allowing a timing window where messages could be published before the handler was ready. [[#515], [#532] by Jiwon Kwon] - `RedisMessageQueue` now supports the `orderingKey` option to ensure messages with the same ordering key are processed sequentially. [[#538], [#540]] [#515]: https://github.com/fedify-dev/fedify/issues/515 [#532]: https://github.com/fedify-dev/fedify/pull/532 ### @fedify/postgres - `PostgresMessageQueue` now supports the `orderingKey` option to ensure messages with the same ordering key are processed sequentially. [[#538], [#540]] - Added `ordering_key` column to the message queue table schema. - The new table schema is created when `PostgresMessageQueue.initialize()` is called on a fresh database. - Fixed a race condition in `PostgresMessageQueue.initialize()` where concurrent calls from `listen()` and `enqueue()` would run DDL statements in parallel, causing redundant table creation and `ALTER TABLE` operations. The initialization promise is now cached so that concurrent callers share the same work. - Fixed `PostgresMessageQueue.listen()` spawning many concurrent `poll()` calls when a burst of `NOTIFY` signals arrived (e.g., from bulk enqueue of 100 messages), causing excessive database contention. Poll executions are now serialized so that at most one runs at a time, with subsequent requests queued after the current one finishes. ### @fedify/amqp - `AmqpMessageQueue` now supports the `orderingKey` option to ensure messages with the same ordering key are processed sequentially. [[#538], [#540]] - Uses RabbitMQ's `rabbitmq_consistent_hash_exchange` plugin to route messages with the same ordering key to the same queue. - The plugin must be enabled on the RabbitMQ server for ordering key support to work. ### @fedify/cfworkers - `WorkersMessageQueue` now supports the `orderingKey` option to ensure messages with the same ordering key are processed sequentially. [[#538], [#540]] - Added `WorkersMessageQueueOptions` interface with `orderingKv`, `orderingKeyPrefix`, and `orderingLockTtl` options. - Added `processMessage()` method to handle lock acquisition and release. - Requires a Workers KV namespace for lock management. - Due to Workers KV eventual consistency, ordering is best-effort. ### @fedify/init - Created project initializer as the *@fedify/init* package. Separated the `fedify init` functionality from *@fedify/cli* into a standalone package to improve modularity and enable reuse by other tools such as `@fedify/create`. [[#482] by Chanhaeng Lee] - Added `runInit()` function as the main initialization action handler. - Added `initCommand` and `initOptions` for CLI integration. - Added `testInitCommand` for comprehensive testing of all init combinations. [#482]: https://github.com/fedify-dev/fedify/issues/482 ### @fedify/create - Created standalone project scaffolding CLI as the *@fedify/create* package. This enables creating new Fedify projects without installing the full `@fedify/cli` toolchain. [[#351] by Chanhaeng Lee] - Supports `npm init @fedify`, `pnpm create @fedify`, `yarn create @fedify`, and `bunx @fedify/create`. - Uses `@fedify/init` internally for all initialization logic. - Supports the same interactive prompts and CLI options as `fedify init`. [#351]: https://github.com/fedify-dev/fedify/issues/351 Version 1.10.4 -------------- Released on March 11, 2026. ### @fedify/fedify - Added to preloaded JSON-LD contexts. Version 1.10.3 -------------- Released on February 1, 2026. ### @fedify/fedify - Fixed `traverseCollection()` yielding no items when a `Collection` has an inline `CollectionPage` in its `first` property without an explicit `id`. This is common in Mastodon's `replies` collections. The function previously used `collection.firstId` to determine pagination, which returned `null` for inline pages without an `id`, causing it to incorrectly fall into the non-paginated branch. [[#550] by Lee Dogeon] [#550]: https://github.com/fedify-dev/fedify/pull/550 Version 1.10.2 -------------- Released on January 23, 2026. ### @fedify/testing - Fixed `TestContext.getActorKeyPairs()` returning empty array instead of calling registered key pairs dispatcher. The method now properly invokes the key pairs dispatcher when it is registered via `setKeyPairsDispatcher()`. [[#530]] [#530]: https://github.com/fedify-dev/fedify/issues/530 Version 1.10.1 -------------- Released on January 22, 2026. ### @fedify/testing - Fixed `TestContext.getActor()` and `TestContext.getObject()` returning `null` instead of calling registered dispatchers. The methods now properly invoke actor and object dispatchers when they are registered via `setActorDispatcher()` and `setObjectDispatcher()`. [[#530]] Version 1.10.0 -------------- Released on December 24, 2025. ### @fedify/fedify - Enhanced OpenTelemetry instrumentation with span events for capturing detailed activity data. Span events now record complete activity JSON payloads and verification status, enabling richer observability and debugging capabilities without relying solely on span attributes (which only support primitive values). [[#323]] - Added `activitypub.activity.received` span event to the `activitypub.inbox` span, recording the full activity JSON, verification status (activity verified, HTTP signatures verified, Linked Data signatures verified), and actor information. - Added `activitypub.activity.sent` span event to the `activitypub.send_activity` span, recording the full activity JSON and target inbox URL. - Added `activitypub.object.fetched` span event to the `activitypub.lookup_object` span, recording the fetched object's type and complete JSON-LD representation. - Added OpenTelemetry spans for previously uninstrumented operations: [[#323]] - Added `activitypub.fetch_document` span for document loader operations, tracking URL fetching, HTTP redirects, and final document URLs. - Added `activitypub.verify_key_ownership` span for cryptographic key ownership verification, recording actor ID, key ID, verification result, and the verification method used. - Added optional `list()` method to the `KvStore` interface for enumerating entries by key prefix. This method takes an optional `prefix` parameter; when omitted or empty, it returns all entries. This enables efficient prefix scanning which is useful for implementing features like distributed trace storage, cache invalidation by prefix, and listing related entries. [[#498], [#500]] - Added `KvStoreListEntry` interface. - Implemented in `MemoryKvStore`. - Added `FedifySpanExporter` class that persists ActivityPub activity traces to a `KvStore` for distributed tracing support. This enables aggregating trace data across multiple nodes in a distributed deployment, making it possible to build debug dashboards that show complete request flows across web servers and background workers. [[#497], [#502]] - Added `@fedify/fedify/otel` module. - Added `FedifySpanExporter` class implementing OpenTelemetry's `SpanExporter` interface. - Added `TraceActivityRecord` interface for stored activity data, including `actorId` and `signatureDetails` fields for debug dashboard support. - Added `SignatureVerificationDetails` interface for detailed signature verification information. - Added `TraceSummary` interface for trace listing. - Added `FedifySpanExporterOptions` interface. - Added `GetRecentTracesOptions` interface. - Added `ActivityDirection` type. [#323]: https://github.com/fedify-dev/fedify/issues/323 [#497]: https://github.com/fedify-dev/fedify/issues/497 [#498]: https://github.com/fedify-dev/fedify/issues/498 [#500]: https://github.com/fedify-dev/fedify/pull/500 [#502]: https://github.com/fedify-dev/fedify/pull/502 ### @fedify/nestjs - Allowed Express 5 in the `express` peer dependency range to support NestJS 11. [[#492], [#493] by Cho Hasang] [#492]: https://github.com/fedify-dev/fedify/issues/492 [#493]: https://github.com/fedify-dev/fedify/pull/493 ### @fedify/sqlite - Implemented `list()` method in `SqliteKvStore`. [[#498], [#500]] ### @fedify/postgres - Implemented `list()` method in `PostgresKvStore`. [[#498], [#500]] ### @fedify/redis - Implemented `list()` method in `RedisKvStore`. [[#498], [#500]] ### @fedify/denokv - Implemented `list()` method in `DenoKvStore`. [[#498], [#500]] ### @fedify/cfworkers - Implemented `list()` method in `WorkersKvStore`. [[#498], [#500]] Version 1.9.5 ------------- Released on February 1, 2026. ### @fedify/fedify - Fixed `traverseCollection()` yielding no items when a `Collection` has an inline `CollectionPage` in its `first` property without an explicit `id`. This is common in Mastodon's `replies` collections. The function previously used `collection.firstId` to determine pagination, which returned `null` for inline pages without an `id`, causing it to incorrectly fall into the non-paginated branch. [[#550] by Lee Dogeon] Version 1.9.4 ------------- Released on January 23, 2026. ### @fedify/testing - Fixed `TestContext.getActorKeyPairs()` returning empty array instead of calling registered key pairs dispatcher. The method now properly invokes the key pairs dispatcher when it is registered via `setKeyPairsDispatcher()`. [[#530]] Version 1.9.3 ------------- Released on January 22, 2026. ### @fedify/testing - Fixed `TestContext.getActor()` and `TestContext.getObject()` returning `null` instead of calling registered dispatchers. The methods now properly invoke actor and object dispatchers when they are registered via `setActorDispatcher()` and `setObjectDispatcher()`. [[#530]] Version 1.9.2 ------------- Released on December 20, 2025. ### @fedify/fedify - Fixed a ReDoS (Regular Expression Denial of Service) vulnerability in the document loader's HTML parsing. An attacker-controlled server could respond with a malicious HTML payload that blocked the event loop. [[CVE-2025-68475]] [CVE-2025-68475]: https://github.com/fedify-dev/fedify/security/advisories/GHSA-rchf-xwx2-hm93 ### @fedify/sqlite - Fixed `SyntaxError: Identifier 'Temporal' has already been declared` error that occurred when using `SqliteKvStore` on Node.js or Bun. The error was caused by duplicate `Temporal` imports during the build process. [[#487]] [#487]: https://github.com/fedify-dev/fedify/issues/487 Version 1.9.1 ------------- Released on October 31, 2025. ### @fedify/testing - Fixed JSR publishing hanging indefinitely at the *processing* stage by hiding complex type exports from the public API. The JSR type analyzer struggled with complex type dependencies when analyzing the `MockFederation`, `TestFederation`, `TestContext`, and `SentActivity` types, causing indefinite hangs during the processing stage. [[#468]] - *Breaking change*: `MockFederation` class is no longer exported from the public API. Use `createFederation()` factory function instead. - `TestFederation`, `TestContext`, and `SentActivity` interfaces are no longer exported from the public API, but their types are still inferred from `createFederation()` return type and can be used via TypeScript's type inference. [#468]: https://github.com/fedify-dev/fedify/issues/468 ### @fedify/cli - Fixed `fedify` command failing on Windows with `PermissionDenied` error when trying to locate or execute package managers during initialization. The CLI now properly handles _\*.cmd_ and _\*.bat_ files on Windows by invoking them through `cmd /c`. [[#463]] [#463]: https://github.com/fedify-dev/fedify/issues/463 Version 1.9.0 ------------- Released on October 14, 2025. ### @fedify/fedify - Implemented [FEP-fe34] origin-based security model to protect against content spoofing attacks and ensure secure federation practices. The security model enforces same-origin policy for ActivityPub objects and their properties, preventing malicious actors from impersonating content from other servers. [[#440]] - Added `crossOrigin` option to Activity Vocabulary property accessors (`get*()` methods) with three security levels: `"ignore"` (default, logs warning and returns `null`), `"throw"` (throws error), and `"trust"` (bypasses checks). - Added `LookupObjectOptions.crossOrigin` option to `lookupObject()` function and `Context.lookupObject()` method for controlling cross-origin validation. - Embedded objects are now validated against their parent object's origin and only trusted when they share the same origin or are explicitly marked as trusted. - Property hydration now respects origin-based security, automatically performing remote fetches when embedded objects have different origins. - Internal trust tracking system maintains security context throughout object lifecycles (construction, cloning, and property access). - Added `withIdempotency()` method to configure activity idempotency strategies for inbox processing. This addresses issue [#441] where activities with the same ID sent to different inboxes were incorrectly deduplicated globally instead of per-inbox. [[#441]] - Added `IdempotencyStrategy` type. - Added `IdempotencyKeyCallback` type. - Added `InboxListenerSetters.withIdempotency()` method. - By default, `"per-origin"` strategy is used for backward compatibility. This will change to `"per-inbox"` in Fedify 2.0. We recommend explicitly setting the strategy to avoid unexpected behavior changes. - Fixed handling of ActivityPub objects containing relative URLs. The Activity Vocabulary classes now automatically resolve relative URLs by inferring the base URL from the object's `@id` or document URL, eliminating the need for manual `baseUrl` specification in most cases. This improves interoperability with ActivityPub servers that emit relative URLs in properties like `icon.url` and `image.url`. [[#411], [#443] by Jiwon Kwon] - Added TypeScript support for all [RFC 6570] URI Template expression types in dispatcher path parameters. Previously, only simple string expansion (`{identifier}`) was supported in TypeScript types, while the runtime already supported all RFC 6570 expressions. Now TypeScript accepts all expression types including `{+identifier}` (reserved string expansion, recommended for URI identifiers), `{#identifier}` (fragment expansion), `{.identifier}` (label expansion), `{/identifier}` (path segments), `{;identifier}` (path-style parameters), `{?identifier}` (query component), and `{&identifier}` (query continuation). [[#426], [#446] by Jiwon Kwon] - Added `Rfc6570Expression` type helper. - Updated all dispatcher path type parameters to accept RFC 6570 expressions: `setActorDispatcher()`, `setObjectDispatcher()`, `setInboxDispatcher()`, `setOutboxDispatcher()`, `setFollowingDispatcher()`, `setFollowersDispatcher()`, `setLikedDispatcher()`, `setFeaturedDispatcher()`, `setFeaturedTagsDispatcher()`, `setInboxListeners()`, `setCollectionDispatcher()`, and `setOrderedCollectionDispatcher()`. - Added inverse properties for collections to Vocabulary API. [[FEP-5711], [#373], [#381] by Jiwon Kwon] - `new Collection()` constructor now accepts `likesOf` option. - Added `Collection.likesOfId` property. - Added `Collection.getLikesOf()` method. - `new Collection()` constructor now accepts `sharesOf` option. - Added `Collection.sharedOfId` property. - Added `Collection.getSharedOf()` method. - `new Collection()` constructor now accepts `repliesOf` option. - Added `Collection.repliesOfId` property. - Added `Collection.getRepliesOf()` method. - `new Collection()` constructor now accepts `inboxOf` option. - Added `Collection.inboxOfId` property. - Added `Collection.getInboxOf()` method. - `new Collection()` constructor now accepts `outboxOf` option. - Added `Collection.outboxOfId` property. - Added `Collection.getOutboxOf()` method. - `new Collection()` constructor now accepts `followersOf` option. - Added `Collection.followersOfId` property. - Added `Collection.getFollowersOf()` method. - `new Collection()` constructor now accepts `followingOf` option. - Added `Collection.followingOfId` property. - Added `Collection.getFollowingOf()` method. - `new Collection()` constructor now accepts `likedOf` option. - Added `Collection.likedOfId` property. - Added `Collection.getLikedOf()` method. - Changed how `parseSoftware()` function handles non-Semantic Versioning number strings on `tryBestEffort` mode. [[#353], [#365] by Hyeonseo Kim] - Separated modules from `@fedify/fedify/x` into dedicated packages to improve modularity and reduce bundle size. The existing integration functions in `@fedify/fedify/x` are now deprecated and will be removed in version 2.0.0. [[#375] by Chanhaeng Lee] - Deprecated `@fedify/fedify/x/cfworkers` in favor of `@fedify/cfworkers`. - Deprecated `@fedify/fedify/x/denokv` in favor of `@fedify/denokv`. - Deprecated `@fedify/fedify/x/hono` in favor of `@fedify/hono`. - Deprecated `@fedify/fedify/x/sveltekit` in favor of `@fedify/sveltekit`. - Extended `Link` from `@fedify/fedify/webfinger` to support [OStatus 1.0 Draft 2]. [[#402], [#404] by Hyeonseo Kim] - Added an optional `template` field to the `Link` interface. - Changed the `href` field optional from the `Link` interface according to [RFC 7033 Section 4.4.4.3]. - Added `Federatable.setWebFingerLinksDispatcher()` method to set additional links to WebFinger. [[#119], [#407] by Hyeonseo Kim] - Added CommonJS support alongside ESM for better NestJS integration and broader Node.js ecosystem compatibility. This eliminates the need for Node.js's `--experimental-require-module` flag and resolves dual package hazard issues. [[#429], [#431]] [FEP-fe34]: https://w3id.org/fep/fe34 [RFC 6570]: https://tools.ietf.org/html/rfc6570 [FEP-5711]: https://w3id.org/fep/5711 [OStatus 1.0 Draft 2]: https://www.w3.org/community/ostatus/wiki/images/9/93/OStatus_1.0_Draft_2.pdf [RFC 7033 Section 4.4.4.3]: https://datatracker.ietf.org/doc/html/rfc7033#section-4.4.4.3 [#119]: https://github.com/fedify-dev/fedify/issues/119 [#353]: https://github.com/fedify-dev/fedify/issues/353 [#365]: https://github.com/fedify-dev/fedify/pull/365 [#373]: https://github.com/fedify-dev/fedify/issues/373 [#375]: https://github.com/fedify-dev/fedify/issues/375 [#381]: https://github.com/fedify-dev/fedify/pull/381 [#402]: https://github.com/fedify-dev/fedify/issues/402 [#404]: https://github.com/fedify-dev/fedify/pull/404 [#407]: https://github.com/fedify-dev/fedify/pull/407 [#411]: https://github.com/fedify-dev/fedify/issues/411 [#426]: https://github.com/fedify-dev/fedify/issues/426 [#429]: https://github.com/fedify-dev/fedify/issues/429 [#431]: https://github.com/fedify-dev/fedify/pull/431 [#440]: https://github.com/fedify-dev/fedify/issues/440 [#443]: https://github.com/fedify-dev/fedify/pull/443 [#446]: https://github.com/fedify-dev/fedify/pull/446 ### @fedify/cli - Added `Next.js` option to `fedify init` command. This option allows users to initialize a new Fedify project with Next.js integration. [[#313] by Chanhaeng Lee] - Changed how `fedify nodeinfo` command handles non-Semantic Versioning number strings on `-b`/`--best-effort` mode. Now it uses the same logic as the `parseSoftware()` function in the *@fedify/fedify* package, which allows it to parse non-Semantic Versioning number strings more flexibly. [[#353], [#365] by Hyeonseo Kim]] - Added `-T`/`--timeout` option to `fedify lookup` command. This option allows users to specify timeout in seconds for network requests to prevent hanging on slow or unresponsive servers. [[#258], [#372] by Hyunchae Kim] [#258]: https://github.com/fedify-dev/fedify/issues/258 [#313]: https://github.com/fedify-dev/fedify/issues/313 [#372]: https://github.com/fedify-dev/fedify/pull/372 ### @fedify/amqp - Added CommonJS support alongside ESM for better compatibility with CommonJS-based Node.js applications. [[#429], [#431]] ### @fedify/cfworkers - Created Cloudflare Workers integration as the *@fedify/cfworkers* package. Separated from `@fedify/fedify/x/cfworkers` to improve modularity and reduce bundle size. [[#375] by Chanhaeng Lee] ### @fedify/denokv - Created Deno KV integration as the *@fedify/denokv* package. Separated from `@fedify/fedify/x/denokv` to improve modularity and reduce bundle size. [[#375] by Chanhaeng Lee] ### @fedify/elysia - Added CommonJS support alongside ESM for better compatibility with CommonJS-based Node.js applications. [[#429], [#431]] ### @fedify/express - Added CommonJS support alongside ESM for better compatibility with CommonJS-based Node.js applications. [[#429], [#431]] ### @fedify/fastify - Created [Fastify] integration as the *@fedify/fastify* package. [[#151], [#450] by An Subin] - Added `fedifyPlugin()` function for integrating Fedify into Fastify applications. - Converts between Fastify's request/reply API and Web Standards `Request`/`Response`. - Supports both ESM and CommonJS for broad Node.js compatibility. [Fastify]: https://fastify.dev/ [#151]: https://github.com/fedify-dev/fedify/issues/151 [#450]: https://github.com/fedify-dev/fedify/pull/450 ### @fedify/h3 - Added CommonJS support alongside ESM for better compatibility with CommonJS-based Node.js applications. [[#429], [#431]] ### @fedify/hono - Created Hono integration as the *@fedify/hono* package. Separated from `@fedify/fedify/x/hono` to improve modularity and reduce bundle size. [[#375] by Chanhaeng Lee] - Added CommonJS support alongside ESM for better compatibility with CommonJS-based Node.js applications. [[#429], [#431]] ### @fedify/koa - Created [Koa] integration as the *@fedify/koa* package. [[#454], [#455]] - Added `createMiddleware()` function for integrating Fedify into Koa applications. - Supports both Koa v2.x and v3.x via peer dependencies. - Converts between Koa's context-based API and Web Standards Request/Response. - Builds for both npm (ESM/CJS) and JSR distribution. [Koa]: https://koajs.com/ [#454]: https://github.com/fedify-dev/fedify/issues/454 [#455]: https://github.com/fedify-dev/fedify/pull/455 ### @fedify/next - Created [Next.js] integration as the *@fedify/next* package. [[#313] by Chanhaeng Lee] - Added CommonJS support alongside ESM for better compatibility with CommonJS-based Node.js applications. [[#429], [#431]] [Next.js]: https://nextjs.org/ ### @fedify/postgres - Added CommonJS support alongside ESM for better compatibility with CommonJS-based Node.js applications. [[#429], [#431]] ### @fedify/redis - Added support for Redis Cluster to the *@fedify/redis* package. [[#368] by Michael Barrett] - Added CommonJS support alongside ESM for better compatibility with CommonJS-based Node.js applications. [[#429], [#431]] [#368]: https://github.com/fedify-dev/fedify/pull/368 ### @fedify/sqlite - Added CommonJS support alongside ESM for better compatibility with CommonJS-based Node.js applications. [[#429], [#431]] ### @fedify/sveltekit - Created SvelteKit integration as the *@fedify/sveltekit* package. Separated from `@fedify/fedify/x/sveltekit` to improve modularity and reduce bundle size. [[#375] by Chanhaeng Lee] - Fixed SvelteKit integration hook types to correctly infer the request and response types in hooks. [[#271], [#394] by Chanhaeng Lee] - Added CommonJS support alongside ESM for better compatibility with CommonJS-based Node.js applications. [[#429], [#431]] [#271]: https://github.com/fedify-dev/fedify/pull/271 [#394]: https://github.com/fedify-dev/fedify/pull/394 ### @fedify/testing - Added CommonJS support alongside ESM for better compatibility with CommonJS-based Node.js applications. [[#429], [#431]] Version 1.8.15 -------------- Released on December 20, 2025. ### @fedify/fedify - Fixed a ReDoS (Regular Expression Denial of Service) vulnerability in the document loader's HTML parsing. An attacker-controlled server could respond with a malicious HTML payload that blocked the event loop. [[CVE-2025-68475]] ### @fedify/sqlite - Fixed `SyntaxError: Identifier 'Temporal' has already been declared` error that occurred when using `SqliteKvStore` on Node.js or Bun. The error was caused by duplicate `Temporal` imports during the build process. [[#487]] Version 1.8.14 -------------- Released on October 19, 2025. ### @fedify/testing - Fixed JSR publishing hanging indefinitely at the *processing* stage. The issue was caused by TypeScript function overload signatures in `MockContext` and `MockFederation` classes that triggered a bug in JSR's type analyzer. All method overloads have been removed and simplified to use `any` types where necessary. [[#468], [#470]] [#470]: https://github.com/fedify-dev/fedify/pull/470 ### @fedify/cli - Fixed `fedify` command failing on Windows with `PermissionDenied` error when trying to locate or execute package managers during initialization. The CLI now properly handles _\*.cmd_ and _\*.bat_ files on Windows by invoking them through `cmd /c`. [[#463]] Version 1.8.13 -------------- Released on October 10, 2025. ### @fedify/fedify - Fixed inconsistent encoding/decoding of URI template identifiers with special characters. Updated *uri-template-router* to version 1.0.0, which properly decodes percent-encoded characters in URI template variables according to RFC 6570. This resolves issues where identifiers containing URIs (e.g., `https%3A%2F%2Fexample.com`) were being inconsistently decoded in dispatcher callbacks and double-encoded in collection URLs. [[#416]] [#416]: https://github.com/fedify-dev/fedify/issues/416 Version 1.8.12 -------------- Released on September 20, 2025. ### @fedify/sqlite - Fixed bundling issues where incorrect import paths to *node\_modules* were included in the bundled output. The *@js-temporal/polyfill* dependency was moved from `devDependencies` to `dependencies` to ensure proper bundling. Version 1.8.11 -------------- Released on September 17, 2025. - Improved the AT Protocol URI workaround to handle all DID methods and edge cases. The fix now properly percent-encodes any authority component in `at://` URIs, supporting `did:web`, `did:key`, and other DID methods beyond just `did:plc`. Also handles URIs without path components correctly. [[#436]] [#436]: https://github.com/fedify-dev/fedify/issues/436 Version 1.8.10 -------------- Released on September 17, 2025. ### @fedify/fedify - Added a temporary workaround for invalid AT Protocol URIs from BridgyFed. URIs like `at://did:plc:...` that violate RFC 3986 URI syntax are now automatically URL-encoded to `at://did%3Aplc%3A...` to prevent parsing failures when processing bridged Bluesky content. [[#436]] Version 1.8.9 ------------- Released on September 10, 2025. - Integration and database adapter packages (*@fedify/amqp*, *@fedify/elysia*, *@fedify/express*, *@fedify/h3*, *@fedify/nestjs*, *@fedify/postgres*, *@fedify/redis*, *@fedify/sqlite*, *@fedify/testing*) now specify explicit version ranges for the *@fedify/fedify* peer dependency instead of accepting any version, improving compatibility guarantees. Version 1.8.8 ------------- Released on August 25, 2025. ### @fedify/fedify - Fixed a bug where `verifyRequest()` function threw a `TypeError` when verifying HTTP Signatures with `created` or `expires` fields in the `Signature` header as defined in draft-cavage-http-signatures-12, causing `500 Internal Server Error` responses in inbox handlers. Now it correctly handles these fields as unquoted integers according to the specification. Version 1.8.7 ------------- Released on August 25, 2025. ### @fedify/fedify - Fixed a bug where ActivityPub Discovery failed to recognize XHTML self-closing `` tags. The HTML/XHTML parser now correctly handles whitespace before the self-closing slash (`/>`), improving compatibility with XHTML documents that follow the self-closing tag format. Version 1.8.6 ------------- Released on August 24, 2025. ### @fedify/nestjs - Fixed a critical error that prevented the middleware from processing ActivityPub requests in NestJS applications. The middleware now correctly handles request bodies that have been pre-processed by other NestJS middleware or interceptors. [[#279], [#386] by Jaeyeol Lee] [#279]: https://github.com/fedify-dev/fedify/issues/279 [#386]: https://github.com/fedify-dev/fedify/pull/386 ### @fedify/testing - Updated exports to include context creation functions. [[#382] by Colin Mitchell] - Added `createContext()` function. - Added `createInboxContext()` function. - Added `createRequestContext()` function. [#382]: https://github.com/fedify-dev/fedify/pull/382 Version 1.8.5 ------------- Released on August 8, 2025. ### @fedify/fedify - Fixed a critical authentication bypass vulnerability in the inbox handler that allowed unauthenticated attackers to impersonate any ActivityPub actor. The vulnerability occurred because activities were processed before verifying that the HTTP Signatures key belonged to the claimed actor. Now authentication verification is performed before activity processing to prevent actor impersonation attacks. [[CVE-2025-54888]] [CVE-2025-54888]: https://github.com/fedify-dev/fedify/security/advisories/GHSA-6jcc-xgcr-q3h4 ### @fedify/cli - Fixed `fedify nodeinfo` color support in Windows Terminal. [[#358], [#360] by KeunHyeong Park] [#358]: https://github.com/fedify-dev/fedify/issues/358 [#360]: https://github.com/fedify-dev/fedify/pull/360 Version 1.8.4 ------------- Released on August 7, 2025. ### @fedify/cli - Fixed `fedify lookup` command's `-r`/`--raw`, `-C`/`--compact`, and `-e`/`--expand` options to properly output valid JSON format instead of Deno's object inspection format. [[#357]] [#357]: https://github.com/fedify-dev/fedify/issues/357 Version 1.8.3 ------------- Released on August 6, 2025. ### @fedify/cli - Restored image resizing functionality in `fedify lookup` command by using the existing [Jimp] library for image manipulation. This properly displays `icon` and `image` fields with appropriate sizing in terminals. - Added support for Ghostty terminal emulator for image rendering in `fedify lookup` command. [Jimp]: https://jimp-dev.github.io/jimp/ Version 1.8.2 ------------- Released on August 6, 2025. ### @fedify/cli - Fixed `npx @fedify/cli` command not working on various platforms by correcting the binary path resolution in the Node.js wrapper script. - Temporarily removed Sharp dependency to resolve installation issues across different platforms. As a result, `fedify lookup` command will no longer resize images when displaying them in the terminal. This is a temporary workaround and image resizing functionality will be restored in a future patch version using an alternative approach. - Fixed build artifact paths in GitHub Actions workflow to correctly reference CLI package location in the monorepo structure. Version 1.8.1 ------------- Released on August 6, 2025. Note that 1.8.0 was skipped due to a mistake in the versioning. - The repository has been restructured as a monorepo, consolidating all Fedify packages into a single repository with unified versioning. This change affects the following packages: - *@fedify/fedify* (main library) - *@fedify/cli* (CLI toolchain) - *@fedify/amqp* (AMQP/RabbitMQ driver) - *@fedify/express* (Express integration) - *@fedify/h3* (h3 framework integration) - *@fedify/postgres* (PostgreSQL drivers) - *@fedify/redis* (Redis drivers) All packages now follow the same version number and are released together. Previously, each package had independent versioning. - Several new packages have been added to the monorepo: - *@fedify/elysia* ([Elysia] integration) - *@fedify/nestjs* ([NestJS] integration) - *@fedify/sqlite* (SQLite drivers) - *@fedify/testing* (testing utilities) [NestJS]: https://nestjs.com/ ### @fedify/fedify - Added custom collection dispatchers. [[#310], [#332] by ChanHaeng Lee] - Added `CustomCollectionDispatcher`, `CustomCollectionCounter`, and `CustomCollectionCursor` types for custom collection dispatching. - Added `CustomCollectionCallbackSetters` type for setting custom collection callbacks. - Added `CustomCollectionHandler` class and `handleCustomCollection()` and `handleOrderedCollection()` functions to process custom collections. - Added `setCollectionDispatcher()` and `setOrderedCollectionDispatcher()` methods to the `Federatable` interface. Implemented in `FederationBuilderImpl` class. - Added `getCollectionUri()` method to the `Context` interface. - Added utility types `ConstructorWithTypeId` and `ParamsKeyPath` for custom collection dispatchers. - Key–value stores now optionally support CAS (compare-and-swap) operation for atomic updates. This is useful for implementing optimistic locking and preventing lost updates in concurrent environments. - Added optional `KvStore.cas()` method. - Added `MemoryKvStore.cas()` method. - Added `DenoKvStore.cas()` method. - Added useful functions for fediverse handles at `@fedify/fedify/vocab`. This functions simplify working with fediverse handles and URLs. [[#278] by ChanHaeng Lee] - `FediverseHandle`: An interface representing a fediverse handle. - `parseFediverseHandle()`: A function to parse a fediverse handle into its components. - `isFediverseHandle()`: A function to check if a string is a valid fediverse handle. - `toAcctUrl()`: A function to convert a fediverse handle to a `URL`. - Added `LookupWebFingerOptions.maxRedirection` option. [[#248], [#281] by Lee ByeongJun] - APIs making HTTP requests became able to optionally take `AbortSignal`. [[#51], [#315] by Hyunchae Kim] - Added `DocumentLoaderOptions` interface. - The `DocumentLoader` type became able to optionally take the second parameter. - Added `LookupObjectOptions.signal` option. - Added `LookupWebFingerOptions.signal` option. - Added `DoubleKnockOptions.signal` option. [#51]: https://github.com/fedify-dev/fedify/issues/51 [#248]: https://github.com/fedify-dev/fedify/issues/248 [#278]: https://github.com/fedify-dev/fedify/pull/278 [#281]: https://github.com/fedify-dev/fedify/pull/281 [#310]: https://github.com/fedify-dev/fedify/issues/310 [#315]: https://github.com/fedify-dev/fedify/pull/315 [#332]: https://github.com/fedify-dev/fedify/pull/332 ### @fedify/cli - The `fedify` CLI now correctly disables color output when standard output isn't a TTY (for example, when redirecting to a file) or when the `NO_COLOR` environment variable is set. [[#257], [#341] by Cho Hasang] - Added `fedify nodeinfo` command, and deprecated `fedify node` command in favor of `fedify nodeinfo`. [[#267], [#331] by Hyeonseo Kim] - Added `fedify webfinger` command. This command allows users to look up WebFinger information for a given resource. [[#260], [#278] by ChanHaeng Lee] - The input can be a handle (e.g., `@user@server`, `user@server`) or a URL (e.g., `https://server/users/path`). - The `--user-agent` or `-a` option used as `User-Agent` header value in the WebFinger request. - The `--allow-private-address` or `-p` option allows looking up WebFinger information for private addresses (e.g., `localhost`). - The `--max-redirection` option allows uses to specify the maximum number of redirects to follow when performing WebFinger lookups. [[#311], [#328] by KeunHyeong Park] - The `fedify lookup` command now displays images depending on user's terminal emulator. [[#169], [#348] by Jiwon Kwon] - Supported terminal emulators are [Kitty], [WezTerm], [Konsole], [Warp], [Wayst], [st], and [iTerm]. - Added `-o`/`--output` option to `fedify lookup` command. This option allows users to save retrieved lookup results to specified path. [[#261], [#321] by Jiwon Kwon] - Added options to customize the temporary actor information when running `fedify inbox` command. [[#262], [#285] by Hasang Cho] - Added `--actor-name` option to customize the actor display name. - Added `--actor-summary` option to customize the actor description. - Both options provide sensible defaults when not specified. - The `fedify inbox` command now displays the type of the object contained in each activity, in addition to the activity's own type. [[#191], [#342] by Jang Hanarae] - Added `--dry-run` option to `fedify init` command. This option allows users to preview what files and configurations would be created without actually creating them. [[#263], [#298] by Lee ByeongJun] - Fixed a bug where the `fedify nodeinfo` command (was `fedify node`) had failed to correctly render the favicon in terminal emulators that do not support 24-bit colors. [[#168], [#282], [#304] by Hyeonseo Kim] [Kitty]: https://sw.kovidgoyal.net/kitty/ [WezTerm]: https://wezterm.org/ [Konsole]: https://konsole.kde.org/ [Warp]: https://www.warp.dev/ [Wayst]: https://github.com/91861/wayst [st]: https://st.suckless.org/ [iTerm]: https://iterm2.com/ [#168]: https://github.com/fedify-dev/fedify/issues/168 [#169]: https://github.com/fedify-dev/fedify/issues/169 [#191]: https://github.com/fedify-dev/fedify/issues/191 [#257]: https://github.com/fedify-dev/fedify/issues/257 [#260]: https://github.com/fedify-dev/fedify/issues/260 [#261]: https://github.com/fedify-dev/fedify/issues/261 [#262]: https://github.com/fedify-dev/fedify/issues/262 [#263]: https://github.com/fedify-dev/fedify/issues/263 [#267]: https://github.com/fedify-dev/fedify/issues/267 [#282]: https://github.com/fedify-dev/fedify/pull/282 [#285]: https://github.com/fedify-dev/fedify/pull/285 [#298]: https://github.com/fedify-dev/fedify/pull/298 [#304]: https://github.com/fedify-dev/fedify/issues/304 [#311]: https://github.com/fedify-dev/fedify/issues/311 [#321]: https://github.com/fedify-dev/fedify/pull/321 [#328]: https://github.com/fedify-dev/fedify/pull/328 [#331]: https://github.com/fedify-dev/fedify/pull/331 [#341]: https://github.com/fedify-dev/fedify/pull/341 [#342]: https://github.com/fedify-dev/fedify/pull/342 [#348]: https://github.com/fedify-dev/fedify/pull/348 ### @fedify/elysia - Supported [Elysia] integration with the *@fedify/elysia* package. [[#286], [#339] by Hyeonseo Kim] - Added *@fedify/elysia* package. - Added `fedify` Elysia plugin for integrating Fedify into Elysia applications. [#286]: https://github.com/fedify-dev/fedify/issues/286 [#339]: https://github.com/fedify-dev/fedify/pull/339 ### @fedify/nestjs - Supported [NestJS] integration with the *@fedify/nestjs* package. [[#269], [#309] by Jaeyeol Lee] - Added *@fedify/nestjs* package. - Added `FedifyModule` for integrating Fedify into NestJS applications. [#269]: https://github.com/fedify-dev/fedify/issues/269 [#309]: https://github.com/fedify-dev/fedify/pull/309 ### @fedify/sqlite - Added `SqliteKvStore`, implementing `KvStore` using SQLite with the *@fedify/sqlite* package. Compatible with Bun, Deno, and Node.js. [[#274], [#318] by An Subin] - Added *@fedify/sqlite* package. - Added `SqliteKvStore`, a SQLite implementation of `KvStore`. [#274]: https://github.com/fedify-dev/fedify/issues/274 [#318]: https://github.com/fedify-dev/fedify/pull/318 ### @fedify/testing - Added mock classes for `Federation` and `Context` interfaces to improve testability without requiring a real federation server setup. The mock classes track all sent activities with metadata and support all standard Fedify patterns including custom path registration and multiple activity type listeners. [[#197], [#283] by Lee ByeongJun] - Added *@fedify/testing* package. - Added `MockFederation` class. - Added `MockContext` class. [#197]: https://github.com/fedify-dev/fedify/issues/197 [#283]: https://github.com/fedify-dev/fedify/pull/283 Version 1.7.16 -------------- Released on December 20, 2025. - Fixed a bug where the npm package failed to load at runtime with an error like `SyntaxError: The requested module '../types.js' does not provide an export named 'i'`. This was a regression introduced in version 1.7.15. Version 1.7.15 -------------- Released on December 20, 2025. - Fixed a bug where TypeScript declaration files (*.d.ts*) were not included in the npm package, causing type errors when importing the package. Version 1.7.14 -------------- Released on December 20, 2025. - Fixed a ReDoS (Regular Expression Denial of Service) vulnerability in the document loader's HTML parsing. An attacker-controlled server could respond with a malicious HTML payload that blocked the event loop. [[CVE-2025-68475]] Version 1.7.13 -------------- Released on September 17, 2025. - Improved the AT Protocol URI workaround to handle all DID methods and edge cases. The fix now properly percent-encodes any authority component in `at://` URIs, supporting `did:web`, `did:key`, and other DID methods beyond just `did:plc`. Also handles URIs without path components correctly. [[#436]] Version 1.7.12 -------------- Released on September 17, 2025. - Added a temporary workaround for invalid AT Protocol URIs from BridgyFed. URIs like `at://did:plc:...` that violate RFC 3986 URI syntax are now automatically URL-encoded to `at://did%3Aplc%3A...` to prevent parsing failures when processing bridged Bluesky content. [[#436]] Version 1.7.11 -------------- Released on August 25, 2025. - Fixed a bug where `verifyRequest()` function threw a `TypeError` when verifying HTTP Signatures with `created` or `expires` fields in the `Signature` header as defined in draft-cavage-http-signatures-12, causing `500 Internal Server Error` responses in inbox handlers. Now it correctly handles these fields as unquoted integers according to the specification. Version 1.7.10 -------------- Released on August 25, 2025. - Fixed a bug where ActivityPub Discovery failed to recognize XHTML self-closing `` tags. The HTML/XHTML parser now correctly handles whitespace before the self-closing slash (`/>`), improving compatibility with XHTML documents that follow the self-closing tag format. Version 1.7.9 ------------- Released on August 8, 2025. - Fixed a critical authentication bypass vulnerability in the inbox handler that allowed unauthenticated attackers to impersonate any ActivityPub actor. The vulnerability occurred because activities were processed before verifying that the HTTP Signatures key belonged to the claimed actor. Now authentication verification is performed before activity processing to prevent actor impersonation attacks. [[CVE-2025-54888]] Version 1.7.8 ------------- Released on August 5, 2025. - Updated `kvCache()` wrapper to read from preloaded contexts rather than from the `KvStore`. This saves network and disk overheads when parsing activities and objects using the JSON-LD processor. [[#352] by Fabien O'Carroll] [#352]: https://github.com/fedify-dev/fedify/pull/352 Version 1.7.7 ------------- Released on July 28, 2025. - Optimized `doubleKnock()` function to avoid multiple request body clones during redirects. The request body is now read once and reused throughout the entire operation, preventing potential `TypeError: unusable` errors and improving performance. [[#300], [#335] by Fabien O'Carroll] - Added `SignRequestOptions.body` option. - Added `DoubleKnockOptions.body` option. - Updated internal signing functions to accept pre-read body buffers. [#300]: https://github.com/fedify-dev/fedify/pull/300 [#335]: https://github.com/fedify-dev/fedify/pull/335 Version 1.7.6 ------------- Released on July 24, 2025. - Fixed `doubleKnock()` to properly handle redirects with path-only `Location` headers by resolving them relative to the original request URL. [[#324] by Fabien O'Carroll] [#324]: https://github.com/fedify-dev/fedify/pull/324 Version 1.7.5 ------------- Released on July 15, 2025. - Fixed `TypeError: unusable` error that occurred when `doubleKnock()` encountered redirects during HTTP signature retry attempts. [[#294], [#295]] [#294]: https://github.com/fedify-dev/fedify/issues/294 [#295]: https://github.com/fedify-dev/fedify/pull/295 Version 1.7.4 ------------- Released on July 13, 2025. - Fixed a bug the `-T`/`--no-tunnel` option in the `fedify inbox` command was being ignored, causing the server to always create a public tunnel regardless of the flag. [[#243], [#284] by Lee ByeongJun] [#243]: https://github.com/fedify-dev/fedify/issues/243 [#284]: https://github.com/fedify-dev/fedify/pull/284 Version 1.7.3 ------------- Released on July 9, 2025. - Added `"default"` export conditions to all package exports in *package.json* for improved Node.js compatibility. Version 1.7.2 ------------- Released on July 2, 2025. - Fixed HTTP signature verification to handle malformed RFC 9421 signatures gracefully instead of returning `500 Internal Server Error` responses. Malformed signatures now properly fail verification and return appropriate error responses. Version 1.7.1 ------------- Released on June 30, 2025. - Fixed JSON-LD serialization of the `Question.voters` property to correctly serialize as a plain number (e.g., `"votersCount": 123`) instead of as a typed literal object (e.g., `"votersCount":{"type":"xsd:nonNegativeInteger", "@value":123}`). Version 1.7.0 ------------- Released on June 25, 2025. - Added optional `MessageQueue.nativeRetrial` property to indicate whether the message queue backend provides native retry mechanisms. When `true`, Fedify will skip its own retry logic and rely on the backend to handle retries. When `false` or omitted, Fedify will handle retries using its own retry policies. [[#250], [#251]] - `DenoKvMessageQueue.nativeRetrial` is `true`. - `WorkersMessageQueue.nativeRetrial` is `true`. - `InProcessMessageQueue.nativeRetrial` is `false`. - `ParallelMessageQueue.nativeRetrial` inherits from the wrapped queue. - Added `FederationOptions.firstKnock` option to configure the HTTP Signatures specification used for the first signature attempt when communicating with unknown servers. This implements the [double-knocking] mechanism for better compatibility across different ActivityPub servers. Defaults to `"rfc9421"` (RFC 9421: HTTP Message Signatures), with fallback to `"draft-cavage-http-signatures-12"` if the first attempt fails. [[#252] by Fabien O'Carroll] [double-knocking]: https://swicg.github.io/activitypub-http-signature/#how-to-upgrade-supported-versions [#250]: https://github.com/fedify-dev/fedify/issues/250 [#251]: https://github.com/fedify-dev/fedify/pull/251 [#252]: https://github.com/fedify-dev/fedify/pull/252 Version 1.6.15 -------------- Released on December 20, 2025. - Fixed a bug where the npm package failed to load at runtime with an error like `SyntaxError: The requested module '../types.js' does not provide an export named 'i'`. This was a regression introduced in version 1.6.14. Version 1.6.14 -------------- Released on December 20, 2025. - Fixed a bug where TypeScript declaration files (*.d.ts*) were not included in the npm package, causing type errors when importing the package. Version 1.6.13 -------------- Released on December 20, 2025. - Fixed a ReDoS (Regular Expression Denial of Service) vulnerability in the document loader's HTML parsing. An attacker-controlled server could respond with a malicious HTML payload that blocked the event loop. [[CVE-2025-68475]] Version 1.6.12 -------------- Released on September 17, 2025. - Improved the AT Protocol URI workaround to handle all DID methods and edge cases. The fix now properly percent-encodes any authority component in `at://` URIs, supporting `did:web`, `did:key`, and other DID methods beyond just `did:plc`. Also handles URIs without path components correctly. [[#436]] Version 1.6.11 -------------- Released on September 17, 2025. - Added a temporary workaround for invalid AT Protocol URIs from BridgyFed. URIs like `at://did:plc:...` that violate RFC 3986 URI syntax are now automatically URL-encoded to `at://did%3Aplc%3A...` to prevent parsing failures when processing bridged Bluesky content. [[#436]] Version 1.6.10 -------------- Released on August 25, 2025. - Fixed a bug where `verifyRequest()` function threw a `TypeError` when verifying HTTP Signatures with `created` or `expires` fields in the `Signature` header as defined in draft-cavage-http-signatures-12, causing `500 Internal Server Error` responses in inbox handlers. Now it correctly handles these fields as unquoted integers according to the specification. Version 1.6.9 ------------- Released on August 25, 2025. - Fixed a bug where ActivityPub Discovery failed to recognize XHTML self-closing `` tags. The HTML/XHTML parser now correctly handles whitespace before the self-closing slash (`/>`), improving compatibility with XHTML documents that follow the self-closing tag format. Version 1.6.8 ------------- Released on August 8, 2025. - Fixed a critical authentication bypass vulnerability in the inbox handler that allowed unauthenticated attackers to impersonate any ActivityPub actor. The vulnerability occurred because activities were processed before verifying that the HTTP Signatures key belonged to the claimed actor. Now authentication verification is performed before activity processing to prevent actor impersonation attacks. [[CVE-2025-54888]] Version 1.6.7 ------------- Released on July 24, 2025. - Fixed `doubleKnock()` to properly handle redirects with path-only `Location` headers by resolving them relative to the original request URL. [[#324] by Fabien O'Carroll] Version 1.6.6 ------------- Released on July 15, 2025. - Fixed `TypeError: unusable` error that occurred when `doubleKnock()` encountered redirects during HTTP signature retry attempts. [[#294], [#295]] Version 1.6.5 ------------- Released on July 9, 2025. - Added `"default"` export conditions to all package exports in *package.json* for improved Node.js compatibility. Version 1.6.4 ------------- Released on July 2, 2025. - Fixed HTTP signature verification to handle malformed RFC 9421 signatures gracefully instead of returning `500 Internal Server Error` responses. Malformed signatures now properly fail verification and return appropriate error responses. Version 1.6.3 ------------- Released on June 30, 2025. - Fixed JSON-LD serialization of the `Question.voters` property to correctly serialize as a plain number (e.g., `"votersCount": 123`) instead of as a typed literal object (e.g., `"votersCount":{"type":"xsd:nonNegativeInteger", "@value":123}`). Version 1.6.2 ------------- Released on June 19, 2025. - Fixed compatibility issue with Mastodon servers running bleeding-edge versions with RFC 9421 implementation bugs. Extended double-knocking to retry with draft-cavage-http-signatures-12 on `5xx` errors as a temporary workaround for Mastodon's RFC 9421 implementation that returns `500 Internal Server Error`. Version 1.6.1 ------------- Released on June 7, 2025. Note that 1.6.0 was skipped due to a mistake in the versioning. - Added `Context.lookupWebFinger()` method to make WebFinger lookups accessible from the context. [[#227]] - Added `Context.federation` property to access the `Federation` object from the context. [[#235]] - Added `Context.clone()` method. [[#237]] - Introduced `FederationBuilder` for creating a federation instance with a builder pattern. - Added `createFederationBuilder()` function. - Added `Federatable` interface. - Added `FederationBuilder` interface. - Deprecated `CreateFederationOptions` interface. Use `FederationOptions` interface. - Added `Router.trailingSlashInsensitive` property. - Added `Router.clone()` method. - Implemented HTTP Message Signatures ([RFC 9421]) with [double-knocking]. Currently, it only works with RSA-PKCS#1-v1.5. [[#208]] - Added `HttpMessageSignaturesSpec` type. - Added `SignRequestOptions.spec` option. - Added `SignRequestOptions.currentTime` option. - Added `VerifyRequestOptions.spec` option. - Added `GetAuthenticatedDocumentLoaderOptions.specDeterminer` option. - Added `GetAuthenticatedDocumentLoaderOptions.traceProvider` option. - Added `HttpMessageSignaturesSpecDeterminer` interface. - Added `--first-knock` option to `fedify lookup` command. - Fedify now supports [Cloudflare Workers]. [[#233]] - Added `Federation.processQueuedTask()` method. [[#242]] - Added `Message` type. [[#242]] - Added `WorkersKvStore` class. [[#241], [#242]] - Added `WorkersMessageQueue` class. [[#241], [#242]] - The minimum supported version of Node.js is now 22.0.0. [RFC 9421]: https://www.rfc-editor.org/rfc/rfc9421 [Cloudflare Workers]: https://workers.cloudflare.com/ [#208]: https://github.com/fedify-dev/fedify/issues/208 [#227]: https://github.com/fedify-dev/fedify/issues/227 [#233]: https://github.com/fedify-dev/fedify/issues/233 [#235]: https://github.com/fedify-dev/fedify/pull/235 [#237]: https://github.com/fedify-dev/fedify/pull/237 [#241]: https://github.com/fedify-dev/fedify/issues/241 [#242]: https://github.com/fedify-dev/fedify/pull/242 Version 1.5.9 ------------- Released on September 17, 2025. - Improved the AT Protocol URI workaround to handle all DID methods and edge cases. The fix now properly percent-encodes any authority component in `at://` URIs, supporting `did:web`, `did:key`, and other DID methods beyond just `did:plc`. Also handles URIs without path components correctly. [[#436]] Version 1.5.8 ------------- Released on September 17, 2025. - Added a temporary workaround for invalid AT Protocol URIs from BridgyFed. URIs like `at://did:plc:...` that violate RFC 3986 URI syntax are now automatically URL-encoded to `at://did%3Aplc%3A...` to prevent parsing failures when processing bridged Bluesky content. [[#436]] Version 1.5.7 ------------- Released on August 25, 2025. - Fixed a bug where `verifyRequest()` function threw a `TypeError` when verifying HTTP Signatures with `created` or `expires` fields in the `Signature` header as defined in draft-cavage-http-signatures-12, causing `500 Internal Server Error` responses in inbox handlers. Now it correctly handles these fields as unquoted integers according to the specification. Version 1.5.6 ------------- Released on August 25, 2025. - Fixed a bug where ActivityPub Discovery failed to recognize XHTML self-closing `` tags. The HTML/XHTML parser now correctly handles whitespace before the self-closing slash (`/>`), improving compatibility with XHTML documents that follow the self-closing tag format. Version 1.5.5 ------------- Released on August 8, 2025. - Fixed a critical authentication bypass vulnerability in the inbox handler that allowed unauthenticated attackers to impersonate any ActivityPub actor. The vulnerability occurred because activities were processed before verifying that the HTTP Signatures key belonged to the claimed actor. Now authentication verification is performed before activity processing to prevent actor impersonation attacks. [[CVE-2025-54888]] Version 1.5.4 ------------- Released on June 30, 2025. - Fixed JSON-LD serialization of the `Question.voters` property to correctly serialize as a plain number (e.g., `"votersCount": 123`) instead of as a typed literal object (e.g., `"votersCount":{"type":"xsd:nonNegativeInteger", "@value":123}`). Version 1.5.3 ------------- Released on May 16, 2025. - Fixed a bug where inbox handler had thrown a `jsonld.SyntaxError` which caused a `500 Internal Server Error` when the received activity had an invalid JSON-LD syntax. Now it logs the error and responds with a `400 Bad Request` error instead. [[#232]] - The `exportJwk()` function now populates the `alg` property of a returned `JsonWebKey` object with `"Ed25519"` if the input key is an Ed25519 key. [#232]: https://github.com/fedify-dev/fedify/issues/232 Version 1.5.2 ------------- Released on May 11, 2025. - Fixed the `fedify init` command to install the correct version of *@fedify/express* package. [[#230], [#231] by Emelia Smith] - The `exportJwk()` function now populates the `alg` property of a returned `JsonWebKey` object with `"Ed25519"` if the input key is an Ed25519 key. [#230]: https://github.com/fedify-dev/fedify/issues/230 [#231]: https://github.com/fedify-dev/fedify/pull/231 Version 1.5.1 ------------- Released on April 8, 2025. - Activity Vocabulary API became to accept [RFC 3339] date-time strings without a timezone offset. This is not a bug fix, but improves interoperability with some implementations that do not include a timezone offset in their date-time strings including WordPress. [[#226]] - Added the following default context to `Undo` class: ~~~~ json { "litepub": "http://litepub.social/ns#", "toot": "http://joinmastodon.org/ns#", "EmojiReact": "litepub:EmojiReact", "Emoji": "toot:Emoji" } ~~~~ [RFC 3339]: https://datatracker.ietf.org/doc/html/rfc3339 [#226]: https://github.com/fedify-dev/fedify/issues/226 Version 1.5.0 ------------- Released on March 28, 2025. - Improved activity delivery performance with large audiences through a two-stage queuing system. Sending activities to many recipients (e.g., accounts with many followers) is now significantly faster and uses less memory. [[#220]] - Added `FederationQueueOptions.fanout` option. - Changed the type of `FederationStartQueueOptions.queue` option to `"inbox" | "outbox" | "fanout" | undefined` (was `"inbox" | "outbox" | undefined`). - Added `SendActivityOptions.fanout` option. - Added OpenTelemetry instrumented span `activitypub.fanout`. - The `ForwardActivityOptions` interface became a type alias of `Omit & { skipIfUnsigned: boolean }`, which is still compatible with the previous version. - A `Federation` object now can have a canonical origin for web URLs and a canonical host for fediverse handles. This affects the URLs constructed by `Context` objects, and the WebFinger responses. - Added `CreateFederationOptions.origin` option. - Added `FederationOrigin` interface. - Added `Context.canonicalOrigin` property. - Followers collection synchronization ([FEP-8fcf]) is now turned off by default. - Added `SendActivityOptionsForCollection` interface. - The type of `Context.sendActivity({ identifier: string } | { username: string } | { handle: string }, "followers", Activity)` overload's fourth parameter became `SendActivityOptionsForCollection | undefined` (was `SendActivityOptions | undefined`). - Fedify now accepts PEM-PKCS#1 besides PEM-SPKI for RSA public keys. [[#209]] - `CryptographicKey` now can contain a `publicKey` with a PEM-PKCS#1 format (in addition to PEM-SPKI). - Added `importPkcs1()` function. - Added `importPem()` function. - The `fetchKey()` function became to choose the public key of the actor if `keyId` has no fragment and the actor has only one public key. [[#211]] - Added an optional parameter with `GetSignedKeyOptions` type to the `RequestContext.getSignedKey()` method. - Added `GetSignedKeyOptions` interface. - Added an optional parameter with `GetKeyOwnerOptions` type to the `RequestContext.getSignedKeyOwner()` method. - Deprecated the parameters of the `AuthorizePredicate` and `ObjectAuthorizePredicate` types to get the signed key and its owner in favor of the `RequestContext.getSignedKey()` and `RequestContext.getSignedKeyOwner()` methods. - Deprecated the third parameter of the `AuthorizePredicate` type in favor of the `RequestContext.getSignedKey()` method. - Deprecated the fourth parameter of the `AuthorizePredicate` type in favor of the `RequestContext.getSignedKeyOwner()` method. - Deprecated the third parameter of the `ObjectAuthorizePredicate` type in favor of the `RequestContext.getSignedKey()` method. - Deprecated the fourth parameter of the `ObjectAuthorizePredicate` type in favor of the `RequestContext.getSignedKeyOwner()` method. - Added an optional method `enqueueMany()` to `MessageQueue` interface for sending multiple activities at once. - Updated *@js-temporal/polyfill* to 0.5.0 for Node.js and Bun. On Deno, there is no change because the polyfill is not used. - Updated *uri-template-router* to 0.0.17 which fixes bundler errors on Rollup. [[#221]] - Improved error handling and logging for document loader when KV store operations fail. [[#223] by Revath S Kumar] - Fixed a bug of the `fedify inbox` command where it had failed to render the web interface when the `fedify` command was installed using `deno install` command from JSR. - The web interface of the `fedify inbox` command was slightly redesigned: - The Fedify logo with the cute dinosaur is now displayed at the top of the page. - You can easily copy the fediverse handle of the ephemeral actor. - Internalized the [multibase] package, which is obsolete and no longer maintained. [[#127], [#215] by Fróði Karlsson] - Added more log messages using the [LogTape] library. Currently the below logger categories are used: - `["fedify", "federation", "fanout"]` - `["fedify", "federation", "object"]` [FEP-8fcf]: https://w3id.org/fep/8fcf [multibase]: https://github.com/multiformats/js-multibase [LogTape]: https://github.com/dahlia/logtape [#127]: https://github.com/fedify-dev/fedify/issues/127 [#209]: https://github.com/fedify-dev/fedify/issues/209 [#211]: https://github.com/fedify-dev/fedify/issues/211 [#215]: https://github.com/fedify-dev/fedify/pull/215 [#220]: https://github.com/fedify-dev/fedify/issues/220 [#221]: https://github.com/fedify-dev/fedify/issues/221 [#223]: https://github.com/fedify-dev/fedify/pull/223 Version 1.4.17 -------------- Released on September 17, 2025. - Improved the AT Protocol URI workaround to handle all DID methods and edge cases. The fix now properly percent-encodes any authority component in `at://` URIs, supporting `did:web`, `did:key`, and other DID methods beyond just `did:plc`. Also handles URIs without path components correctly. [[#436]] Version 1.4.16 -------------- Released on September 17, 2025. - Added a temporary workaround for invalid AT Protocol URIs from BridgyFed. URIs like `at://did:plc:...` that violate RFC 3986 URI syntax are now automatically URL-encoded to `at://did%3Aplc%3A...` to prevent parsing failures when processing bridged Bluesky content. [[#436]] Version 1.4.15 -------------- Released on August 25, 2025. - Fixed a bug where `verifyRequest()` function threw a `TypeError` when verifying HTTP Signatures with `created` or `expires` fields in the `Signature` header as defined in draft-cavage-http-signatures-12, causing `500 Internal Server Error` responses in inbox handlers. Now it correctly handles these fields as unquoted integers according to the specification. Version 1.4.14 -------------- Released on August 25, 2025. - Fixed a bug where ActivityPub Discovery failed to recognize XHTML self-closing `` tags. The HTML/XHTML parser now correctly handles whitespace before the self-closing slash (`/>`), improving compatibility with XHTML documents that follow the self-closing tag format. Version 1.4.13 -------------- Released on August 8, 2025. - Fixed a critical authentication bypass vulnerability in the inbox handler that allowed unauthenticated attackers to impersonate any ActivityPub actor. The vulnerability occurred because activities were processed before verifying that the HTTP Signatures key belonged to the claimed actor. Now authentication verification is performed before activity processing to prevent actor impersonation attacks. [[CVE-2025-54888]] Version 1.4.12 -------------- Released on June 30, 2025. - Fixed JSON-LD serialization of the `Question.voters` property to correctly serialize as a plain number (e.g., `"votersCount": 123`) instead of as a typed literal object (e.g., `"votersCount":{"type":"xsd:nonNegativeInteger", "@value":123}`). Version 1.4.11 -------------- Released on May 16, 2025. - Fixed a bug where inbox handler had thrown a `jsonld.SyntaxError` which caused a `500 Internal Server Error` when the received activity had an invalid JSON-LD syntax. Now it logs the error and responds with a `400 Bad Request` error instead. [[#232]] - The `exportJwk()` function now populates the `alg` property of a returned `JsonWebKey` object with `"Ed25519"` if the input key is an Ed25519 key. Version 1.4.10 -------------- Released on April 8, 2025. - Activity Vocabulary API became to accept [RFC 3339] date-time strings without a timezone offset. This is not a bug fix, but improves interoperability with some implementations that do not include a timezone offset in their date-time strings including WordPress. [[#226]] - Added the following default context to `Undo` class: ~~~~ json { "litepub": "http://litepub.social/ns#", "toot": "http://joinmastodon.org/ns#", "EmojiReact": "litepub:EmojiReact", "Emoji": "toot:Emoji" } ~~~~ Version 1.4.9 ------------- Released on March 26, 2025. - Fixed a `TypeError` thrown by the followers collection dispatcher when the `base-url` parameter was provided. - Fixed a `TypeError` thrown by the `signRequest()` function on Node.js. [[#222]] [#222]: https://github.com/fedify-dev/fedify/issues/222 Version 1.4.8 ------------- Released on March 26, 2025. - Fixed a bug where the `totalItems` property of `OrderedCollection` objects returned by followers collection dispatcher had been an incorrect value if a `base-url` parameter was provided. - Fixed a bug where the `id` property of `OrderedCollection` and `OrderedCollectionPage` objects returned by followers collection dispatcher had been an incorrect value if a `base-url` parameter was provided. Version 1.4.7 ------------- Released on March 20, 2025. - Fixed a bug of WebFinger handler where it had failed to match `acct:` URIs with a host having a port number. [[#218], [#219] by Revath S Kumar] - Fixed a server error thrown when an invalid URL was passed to the `base-url` parameter of the followers collection. [[#217]] [#217]: https://github.com/fedify-dev/fedify/issues/217 [#218]: https://github.com/fedify-dev/fedify/issues/218 [#219]: https://github.com/fedify-dev/fedify/pull/219 Version 1.4.6 ------------- Released on March 9, 2025. - Fedify no more depends on `node:punycode` module, which is deprecated in Node.js. Now it uses the built-in `node:url` module instead. [[#212], [#214] by Fróði Karlsson] [#212]: https://github.com/fedify-dev/fedify/issues/212 [#214]: https://github.com/fedify-dev/fedify/pull/214 Version 1.4.5 ------------- Released on February 28, 2025. - Made `fedify init` to install *@fedify/h3* 0.1.2 which is compatible with Fedify 1.0.0 or later versions when `--web-framework nitro` option is provided. [[#213]] - Fixed a bug where `fedify init` had failed to initialize a project with the `--runtime node --package-manager pnpm --web-framework nitro` option. [[#213]] [#213]: https://github.com/fedify-dev/fedify/issues/213 Version 1.4.4 ------------- Released on February 25, 2025. - Added the following default context to `Application`, `Group`, `Organization`, `Person`, and `Service` classes: ~~~~ json { "Emoji": "http://joinmastodon.org/ns#Emoji" } ~~~~ Version 1.4.3 ------------- Released on February 22, 2025. - Added the following default contexts to `Follow`, `Undo`, and `Update` classes: - - - Version 1.4.2 ------------- Released on February 19, 2025. - Fixed a bug where the `fedify init` command had failed to locate package managers on Windows. [[#210]] - The `fedify` command became aware of `FEDIFY_LOG_FILE` environment variable to log messages to a file. If the variable is set, the command logs messages to the file specified by the variable. [#210]: https://github.com/fedify-dev/fedify/issues/210 Version 1.4.1 ------------- Released on February 10, 2025. - Fixed a bug with nested object hydration in Activity Vocabulary API where deeply nested properties (like `Object.getAttribution()` on `Activity.getObject()`) were't being properly hydrated during `toJsonLd()` calls. Previously, subsequent calls to `toJsonLd()` on nested objects could result in inconsistent JSON-LD output where nested objects remained as URLs instead of being fully expanded. Version 1.4.0 ------------- Released on February 5, 2025. - Document loader and context loader are now configurable with a factory function for more flexibility. - Deprecated `CreateFederationOptions.documentLoader` option. Use `CreateFederationOptions.documentLoaderFactory` option instead. - Deprecated `CreateFederationOptions.contextLoader` option. Use `CreateFederationOptions.contextLoaderFactory` option instead. - Added `DocumentLoaderFactory` type. - Added `DocumentLoaderFactoryOptions` interface. - Added the second parameter with `DocumentLoaderFactoryOptions` type to `AuthenticatedDocumentLoaderFactory` type. - `GetAuthenticatedDocumentLoaderOptions` interface became to extend `DocumentLoaderFactoryOptions` interface. - Added a type parameter `TContextData` to `CreateFederationOptions` interface. - Fedify now assigns a random-generated *http:*/*https:* URI to activities if these do not have explicit `id` properties. This behavior can be disabled by excluding `autoIdAssigner()` from the `CreateFederationOptions.activityTransformers` option. - Introduced `ActivityTransformer`s for adjusting outgoing activities before sending them so that some ActivityPub implementations with quirks are satisfied. - Added `@fedify/fedify/compat` module. - Added `ActivityTransformer` type. - Added `autoIdAssigner()` function. - Added `actorDehydrator()` function. - Added `defaultActivityTransformers` constant. - Added `CreateFederationOptions.activityTransformers` option. - The `suppressError` option of Activity Vocabulary APIs, `traverseCollection()` function, and `Context.traverseCollection()` method now suppresses errors occurred JSON-LD processing. - WebFinger responses are now customizable. [[#3]] - Added `ActorCallbackSetters.mapAlias()` method. - Added `ActorAliasMapper` type. - Added `Context.getNodeInfo()` method. [[#203]] - Added `shares` property to `Object` class in Activity Vocabulary API. - Added `Object.sharesId` property. - Added `Object.getShares()` method. - `new Object()` constructor now accepts `shares` option. - `Object.clone()` method now accepts `shares` option. - Added `likes` property to `Object` class in Activity Vocabulary API. - Added `Object.likesId` property. - Added `Object.getLikes()` method. - `new Object()` constructor now accepts `likes` option. - `Object.clone()` method now accepts `likes` option. - Added `emojiReactions` property to `Object` class in Activity Vocabulary API. - Added `Object.emojiReactionsId` property - Added `Object.getEmojiReactions()` method. - `new Object()` constructor now accepts `emojiReactions` option. - `Object.clone()` method now accepts `emojiReactions` option. - Added `allowPrivateAddress` option to `LookupWebFingerOptions` interface. - Added more log messages using the [LogTape] library. Currently the below logger categories are used: - `["fedify", "compat", "transformers"]` - Added `-t`/`--traverse` option to the `fedify lookup` subcommand. [[#195]] - Added `-S`/`--suppress-errors` option to the `fedify lookup` subcommand. [[#195]] [#3]: https://github.com/fedify-dev/fedify/issues/3 [#195]: https://github.com/fedify-dev/fedify/issues/195 [#203]: https://github.com/fedify-dev/fedify/issues/203 Version 1.3.24 -------------- Released on September 17, 2025. - Improved the AT Protocol URI workaround to handle all DID methods and edge cases. The fix now properly percent-encodes any authority component in `at://` URIs, supporting `did:web`, `did:key`, and other DID methods beyond just `did:plc`. Also handles URIs without path components correctly. [[#436]] Version 1.3.23 -------------- Released on September 17, 2025. - Added a temporary workaround for invalid AT Protocol URIs from BridgyFed. URIs like `at://did:plc:...` that violate RFC 3986 URI syntax are now automatically URL-encoded to `at://did%3Aplc%3A...` to prevent parsing failures when processing bridged Bluesky content. [[#436]] Version 1.3.22 -------------- Released on August 25, 2025. - Fixed a bug where `verifyRequest()` function threw a `TypeError` when verifying HTTP Signatures with `created` or `expires` fields in the `Signature` header as defined in draft-cavage-http-signatures-12, causing `500 Internal Server Error` responses in inbox handlers. Now it correctly handles these fields as unquoted integers according to the specification. Version 1.3.21 -------------- Released on August 25, 2025. - Fixed a bug where ActivityPub Discovery failed to recognize XHTML self-closing `` tags. The HTML/XHTML parser now correctly handles whitespace before the self-closing slash (`/>`), improving compatibility with XHTML documents that follow the self-closing tag format. Version 1.3.20 -------------- Released on August 8, 2025. - Fixed a critical authentication bypass vulnerability in the inbox handler that allowed unauthenticated attackers to impersonate any ActivityPub actor. The vulnerability occurred because activities were processed before verifying that the HTTP Signatures key belonged to the claimed actor. Now authentication verification is performed before activity processing to prevent actor impersonation attacks. [[CVE-2025-54888]] Version 1.3.19 -------------- Released on June 30, 2025. - Fixed JSON-LD serialization of the `Question.voters` property to correctly serialize as a plain number (e.g., `"votersCount": 123`) instead of as a typed literal object (e.g., `"votersCount":{"type":"xsd:nonNegativeInteger", "@value":123}`). Version 1.3.18 -------------- Released on May 16, 2025. - Fixed a bug where inbox handler had thrown a `jsonld.SyntaxError` which caused a `500 Internal Server Error` when the received activity had an invalid JSON-LD syntax. Now it logs the error and responds with a `400 Bad Request` error instead. [[#232]] - The `exportJwk()` function now populates the `alg` property of a returned `JsonWebKey` object with `"Ed25519"` if the input key is an Ed25519 key. Version 1.3.17 -------------- Released on April 8, 2025. - Activity Vocabulary API became to accept [RFC 3339] date-time strings without a timezone offset. This is not a bug fix, but improves interoperability with some implementations that do not include a timezone offset in their date-time strings including WordPress. [[#226]] - Added the following default context to `Undo` class: ~~~~ json { "litepub": "http://litepub.social/ns#", "toot": "http://joinmastodon.org/ns#", "EmojiReact": "litepub:EmojiReact", "Emoji": "toot:Emoji" } ~~~~ Version 1.3.16 -------------- Released on March 26, 2025. - Fixed a `TypeError` thrown by the followers collection dispatcher when the `base-url` parameter was provided. - Fixed a `TypeError` thrown by the `signRequest()` function on Node.js. [[#222]] Version 1.3.15 -------------- Released on March 26, 2025. - Fixed a bug where the `totalItems` property of `OrderedCollection` objects returned by followers collection dispatcher had been an incorrect value if a `base-url` parameter was provided. - Fixed a bug where the `id` property of `OrderedCollection` and `OrderedCollectionPage` objects returned by followers collection dispatcher had been an incorrect value if a `base-url` parameter was provided. Version 1.3.14 -------------- Released on March 20, 2025. - Fixed a bug of WebFinger handler where it had failed to match `acct:` URIs with a host having a port number. [[#218], [#219] by Revath S Kumar] - Fixed a server error thrown when an invalid URL was passed to the `base-url` parameter of the followers collection. [[#217]] Version 1.3.13 -------------- Released on March 9, 2025. - Fedify no more depends on `node:punycode` module, which is deprecated in Node.js. Now it uses the built-in `node:url` module instead. [[#212], [#214] by Fróði Karlsson] Version 1.3.12 -------------- Released on February 28, 2025. - Made `fedify init` to install *@fedify/h3* 0.1.2 which is compatible with Fedify 1.0.0 or later versions when `--web-framework nitro` option is provided. [[#213]] - Fixed a bug where `fedify init` had failed to initialize a project with the `--runtime node --package-manager pnpm --web-framework nitro` option. [[#213]] Version 1.3.11 -------------- Released on February 25, 2025. - Added the following default context to `Application`, `Group`, `Organization`, `Person`, and `Service` classes: ~~~~ json { "Emoji": "http://joinmastodon.org/ns#Emoji" } ~~~~ Version 1.3.10 -------------- Released on February 22, 2025. - Added the following default contexts to `Follow`, `Undo`, and `Update` classes: - - - Version 1.3.9 ------------- Released on February 19, 2025. - Fixed a bug where the `fedify init` command had failed to locate package managers on Windows. [[#210]] - The `fedify` command became aware of `FEDIFY_LOG_FILE` environment variable to log messages to a file. If the variable is set, the command logs messages to the file specified by the variable. Version 1.3.8 ------------- Released on February 10, 2025. - Fixed a bug with nested object hydration in Activity Vocabulary API where deeply nested properties (like `Object.getAttribution()` on `Activity.getObject()`) were't being properly hydrated during `toJsonLd()` calls. Previously, subsequent calls to `toJsonLd()` on nested objects could result in inconsistent JSON-LD output where nested objects remained as URLs instead of being fully expanded. Version 1.3.7 ------------- Released on February 1, 2025. - Updated [LogTape] to version 0.8.1, which fixes a bug where `lowestLevel` option had incorrectly behaved. Version 1.3.6 ------------- Released on January 31, 2025. - Fixed a bug where `getUserAgent()` function had returned a `User-Agent` string with a wrong JavaScript runtime name on Node.js. [[#203]] Version 1.3.5 ------------- Released on January 21, 2025. - Fixed a bug where `CreateFederationOptions.allowPrivateAddress` option had been ignored by the `Context.lookupObject()` method when it had taken a fediverse handle. - The `lookupWebFinger()` function became to silently return `null` when it fails to fetch the WebFinger document due to accessing a private network address, instead of throwing a `UrlError`. Version 1.3.4 ------------- Released on January 21, 2025. - Fixed several security vulnerabilities of the `lookupWebFinger()` function. [[CVE-2025-23221]] - Fixed a security vulnerability where the `lookupWebFinger()` function had followed the infinite number of redirects, which could lead to a denial of service attack. Now it follows up to 5 redirects. - Fixed a security vulnerability where the `lookupWebFinger()` function had followed the redirects to other than the HTTP/HTTPS schemes, which could lead to a security breach. Now it follows only the same scheme as the original request. - Fixed a security vulnerability where the `lookupWebFinger()` function had followed the redirects to the private network addresses, which could lead to a SSRF attack. Now it follows only the public network addresses. [CVE-2025-23221]: https://github.com/fedify-dev/fedify/security/advisories/GHSA-c59p-wq67-24wx Version 1.3.3 ------------- Released on December 30, 2024. - The `fetchDocumentLoader()` function now preloads the following JSON-LD context: . Version 1.3.2 ------------- Released on December 18, 2024. - Fixed the default document loader to handle the `Link` header with incorrect syntax. [[#196]] [#196]: https://github.com/fedify-dev/fedify/issues/196 Version 1.3.1 ------------- Released on December 11, 2024. - Fixed idempotence check in inbox listeners to ensure activities for different origins are processed correctly. Version 1.3.0 ------------- Released on November 30, 2024. - `MessageQueue`s now can be differently configured for incoming and outgoing activities. - Changed the type of `CreateFederationOptions.queue` option to `FederationQueueOptions | MessageQueue | undefined` (was `MessageQueue | undefined`). - Added `FederationQueueOptions` interface. - Added `FederationStartQueueOptions.queue` option. - Fedify now makes HTTP requests with the proper `User-Agent` header. [[#162]] - Added `getUserAgent()` function. - Added `GetUserAgentOptions` interface. - Added `getDocumentLoader()` function. - Added `GetDocumentLoaderOptions` interface. - The type of `getAuthenticatedDocumentLoader()` function's second parameter became `GetAuthenticatedDocumentLoaderOptions | undefined` (was `boolean | undefined`). - Added `GetAuthenticatedDocumentLoaderOptions` interface. - Deprecated `fetchDocumentLoader()` function. - Added `LookupObjectOptions.userAgent` option. - Added the type of `getActorHandle()` function's second parameter became `GetActorHandleOptions | undefined` (was `NormalizeActorHandleOptions | undefined`). - Added `GetActorHandleOptions` interface. - Added the optional second parameter to `lookupWebFinger()` function. - Added `LookupWebFingerOptions` interface. - Added `GetNodeInfoOptions.userAgent` option. - Added `-u`/`--user-agent` option to `fedify lookup` subcommand. - Added `-u`/`--user-agent` option to `fedify node` subcommand. - Fedify now caches unavailable keys of remote actors as well to avoid trying fetching the same unavailable key multiple times. - The return type of the `KeyCache.get()` method became `Promise` (was `Promise`). - The type of the `KeyCache.set()` method's second parameter became `CryptographicKey | MultiKey | null` (was `CryptographicKey | MultiKey`). - Added `fetchKey()` function. - Added `FetchKeyOptions` interface. - Added `FetchKeyResult` interface. - The `Router` now provide the matched route's URI template besides the name. - The return type of `Router.route()` method became `RouterRouteResult | null` (was `{ name: string; values: Record } | null`). - Added `RouterRouteResult` interface. - Added `getTypeId()` function. - `Context.sendActivity()` and `InboxContext.forwardActivity()` methods now reject when they fail to enqueue the task. [[#192]] - Fedify now allows you to manually route an `Activity` to the corresponding inbox listener. [[#193]] - Added `Context.routeActivity()` method. - Added `RouteActivityOptions` interface. - `Object.toJsonLd()` without any `format` option now returns its original JSON-LD object even if it not created from `Object.fromJsonLd()` but it is returned from another `Object`'s `get*()` method. - Fedify now supports OpenTelemetry for tracing. [[#170]] - Added `Context.tracerProvider` property. - Added `CreateFederationOptions.tracerProvider` option. - Added `LookupWebFingerOptions.tracerProvider` option. - Added `LookupObjectOptions.tracerProvider` option. - Added `GetActorHandleOptions.tracerProvider` option. - Added `VerifyRequestOptions.tracerProvider` option. - Added `SignRequestOptions` interface. - Added the optional fourth parameter to `signRequest()` function. - Added `VerifyProofOptions.tracerProvider` option. - Added `VerifyObjectOptions.tracerProvider` option. - Added `SignObjectOptions.tracerProvider` option. - Added `VerifySignatureOptions.tracerProvider` option. - Added `VerifyJsonLdOptions.tracerProvider` option. - Added `SignJsonLdOptions.tracerProvider` option. - Added `DoesActorOwnKeyOptions.tracerProvider` option. - Added `GetKeyOwnerOptions.tracerProvider` option. - Added `tracerProvider` option to the following Activity Vocabulary APIs: - The second parameters of constructors. - The second parameters of `fromJsonLd()` static methods. - The second parameters of `get*()` methods. - Added `@fedify/fedify/x/sveltekit` module for integrating with [SvelteKit] hook. [[#171], [#183] by Jiyu Park] - Added `fedifyHook()` function. - The scaffold project generated by `fedify init` command now enables tracing data into log messages. - Let the `fedify lookup` command take multiple arguments. [[#173], [#186] by PGD] [SvelteKit]: https://kit.svelte.dev/ [#162]: https://github.com/fedify-dev/fedify/issues/162 [#170]: https://github.com/fedify-dev/fedify/issues/170 [#171]: https://github.com/fedify-dev/fedify/issues/171 [#173]: https://github.com/fedify-dev/fedify/issues/173 [#183]: https://github.com/fedify-dev/fedify/pull/183 [#186]: https://github.com/fedify-dev/fedify/pull/186 [#192]: https://github.com/fedify-dev/fedify/issues/192 [#193]: https://github.com/fedify-dev/fedify/issues/193 Version 1.2.27 -------------- Released on September 17, 2025. - Improved the AT Protocol URI workaround to handle all DID methods and edge cases. The fix now properly percent-encodes any authority component in `at://` URIs, supporting `did:web`, `did:key`, and other DID methods beyond just `did:plc`. Also handles URIs without path components correctly. [[#436]] Version 1.2.26 -------------- Released on September 17, 2025. - Added a temporary workaround for invalid AT Protocol URIs from BridgyFed. URIs like `at://did:plc:...` that violate RFC 3986 URI syntax are now automatically URL-encoded to `at://did%3Aplc%3A...` to prevent parsing failures when processing bridged Bluesky content. [[#436]] Version 1.2.25 -------------- Released on August 25, 2025. - Fixed a bug where `verifyRequest()` function threw a `TypeError` when verifying HTTP Signatures with `created` or `expires` fields in the `Signature` header as defined in draft-cavage-http-signatures-12, causing `500 Internal Server Error` responses in inbox handlers. Now it correctly handles these fields as unquoted integers according to the specification. Version 1.2.24 -------------- Released on August 25, 2025. - Fixed a bug where ActivityPub Discovery failed to recognize XHTML self-closing `` tags. The HTML/XHTML parser now correctly handles whitespace before the self-closing slash (`/>`), improving compatibility with XHTML documents that follow the self-closing tag format. Version 1.2.23 -------------- Released on June 30, 2025. - Fixed JSON-LD serialization of the `Question.voters` property to correctly serialize as a plain number (e.g., `"votersCount": 123`) instead of as a typed literal object (e.g., `"votersCount":{"type":"xsd:nonNegativeInteger", "@value":123}`). Version 1.2.22 -------------- Released on May 16, 2025. - Fixed a bug where inbox handler had thrown a `jsonld.SyntaxError` which caused a `500 Internal Server Error` when the received activity had an invalid JSON-LD syntax. Now it logs the error and responds with a `400 Bad Request` error instead. [[#232]] - The `exportJwk()` function now populates the `alg` property of a returned `JsonWebKey` object with `"Ed25519"` if the input key is an Ed25519 key. Version 1.2.21 -------------- Released on April 8, 2025. - Activity Vocabulary API became to accept [RFC 3339] date-time strings without a timezone offset. This is not a bug fix, but improves interoperability with some implementations that do not include a timezone offset in their date-time strings including WordPress. [[#226]] - Added the following default context to `Undo` class: ~~~~ json { "litepub": "http://litepub.social/ns#", "toot": "http://joinmastodon.org/ns#", "EmojiReact": "litepub:EmojiReact", "Emoji": "toot:Emoji" } ~~~~ Version 1.2.20 -------------- Released on March 26, 2025. - Fixed a `TypeError` thrown by the followers collection dispatcher when the `base-url` parameter was provided. - Fixed a `TypeError` thrown by the `signRequest()` function on Node.js. [[#222]] Version 1.2.19 -------------- Released on March 26, 2025. - Fixed a bug where the `totalItems` property of `OrderedCollection` objects returned by followers collection dispatcher had been an incorrect value if a `base-url` parameter was provided. - Fixed a bug where the `id` property of `OrderedCollection` and `OrderedCollectionPage` objects returned by followers collection dispatcher had been an incorrect value if a `base-url` parameter was provided. Version 1.2.18 -------------- Released on March 20, 2025. - Fixed a bug of WebFinger handler where it had failed to match `acct:` URIs with a host having a port number. [[#218], [#219] by Revath S Kumar] - Fixed a server error thrown when an invalid URL was passed to the `base-url` parameter of the followers collection. [[#217]] Version 1.2.17 -------------- Released on March 9, 2025. - Fedify no more depends on `node:punycode` module, which is deprecated in Node.js. Now it uses the built-in `node:url` module instead. [[#212], [#214] by Fróði Karlsson] Version 1.2.16 -------------- Released on February 28, 2025. - Made `fedify init` to install *@fedify/h3* 0.1.2 which is compatible with Fedify 1.0.0 or later versions when `--web-framework nitro` option is provided. [[#213]] - Fixed a bug where `fedify init` had failed to initialize a project with the `--runtime node --package-manager pnpm --web-framework nitro` option. [[#213]] - Made `fedify init` to install *@logtape/logtape* 0.7.2 which is the version used in Fedify 1.2.x. Version 1.2.15 -------------- Released on February 25, 2025. - Added the following default context to `Application`, `Group`, `Organization`, `Person`, and `Service` classes: ~~~~ json { "Emoji": "http://joinmastodon.org/ns#Emoji" } ~~~~ Version 1.2.14 -------------- Released on February 22, 2025. - Added the following default contexts to `Follow`, `Undo`, and `Update` classes: - - - Version 1.2.13 -------------- Released on February 19, 2025. - Fixed a bug where the `fedify init` command had failed to locate package managers on Windows. [[#210]] - The `fedify` command became aware of `FEDIFY_LOG_FILE` environment variable to log messages to a file. If the variable is set, the command logs messages to the file specified by the variable. Version 1.2.12 -------------- Released on February 10, 2025. - Fixed a bug with nested object hydration in Activity Vocabulary API where deeply nested properties (like `Object.getAttribution()` on `Activity.getObject()`) were't being properly hydrated during `toJsonLd()` calls. Previously, subsequent calls to `toJsonLd()` on nested objects could result in inconsistent JSON-LD output where nested objects remained as URLs instead of being fully expanded. Version 1.2.11 -------------- Released on January 21, 2025. - Fixed several security vulnerabilities of the `lookupWebFinger()` function. [[CVE-2025-23221]] - Fixed a security vulnerability where the `lookupWebFinger()` function had followed the infinite number of redirects, which could lead to a denial of service attack. Now it follows up to 5 redirects. - Fixed a security vulnerability where the `lookupWebFinger()` function had followed the redirects to other than the HTTP/HTTPS schemes, which could lead to a security breach. Now it follows only the same scheme as the original request. - Fixed a security vulnerability where the `lookupWebFinger()` function had followed the redirects to the private network addresses, which could lead to a SSRF attack. Now it follows only the public network addresses. Version 1.2.10 -------------- Released on December 18, 2024. - Fixed the default document loader to handle the `Link` header with incorrect syntax. [[#196]] Version 1.2.9 ------------- Released on December 11, 2024. - Fixed idempotence check in inbox listeners to ensure activities for different origins are processed correctly. Version 1.2.8 ------------- Released on November 23, 2024. - Fixed warnings from the `fedify inbox` command. [[#177], [#181] by WinterHana] - Fixed `ShikiError` on the `fedify inbox` command rendering web interface. [[#178], [#185] by Heesun Jung] - Fixed text overflow of the `fedify inbox` command's web log view. [[#180], [#188] by Lim Kyunghee] [#177]: https://github.com/fedify-dev/fedify/issues/177 [#178]: https://github.com/fedify-dev/fedify/issues/178 [#180]: https://github.com/fedify-dev/fedify/issues/180 [#181]: https://github.com/fedify-dev/fedify/pull/181 [#185]: https://github.com/fedify-dev/fedify/pull/185 [#188]: https://github.com/fedify-dev/fedify/pull/188 Version 1.2.7 ------------- Released on November 22, 2024. - Fixed a bug where `lookupWebFinger()` function had thrown a `TypeError` when the *.well-known/webfinger* redirects to a relative URI. [[#166]] [#166]: https://github.com/fedify-dev/fedify/issues/166 Version 1.2.6 ------------- Released on November 19, 2024. - Fix a bug where `Actor`'s `inbox` and `outbox` properties had not been able to be set to an `OrderedCollectionPage` object, even though it is a subtype of `OrderedCollection` according to Activity Vocabulary specification. [[#165]] - The type of `Application()` constructor's `inbox` and `outbox` options is now `OrderedCollection | OrderedCollectionPage | null | undefined` (was `OrderedCollection | null | undefined`). - The type of `Application.clone()` method's `inbox` and `outbox` options is now `OrderedCollection | OrderedCollectionPage | null | undefined` (was `OrderedCollection | null | undefined`). - The return type of `Application.getInbox()` and `Application.getOutbox()` methods is now `OrderedCollection | OrderedCollectionPage | null` (was `OrderedCollection | null`). - The type of `Group()` constructor's `inbox` and `outbox` options is now `OrderedCollection | OrderedCollectionPage | null | undefined` (was `OrderedCollection | null | undefined`). - The type of `Group.clone()` method's `inbox` and `outbox` options is now `OrderedCollection | OrderedCollectionPage | null | undefined` (was `OrderedCollection | null | undefined`). - The return type of `Group.getInbox()` and `Group.getOutbox()` methods is now `OrderedCollection | OrderedCollectionPage | null` (was `OrderedCollection | null`). - The type of `Organization()` constructor's `inbox` and `outbox` options is now `OrderedCollection | OrderedCollectionPage | null | undefined` (was `OrderedCollection | null | undefined`). - The type of `Organization.clone()` method's `inbox` and `outbox` options is now `OrderedCollection | OrderedCollectionPage | null | undefined` (was `OrderedCollection | null | undefined`). - The return type of `Organization.getInbox()` and `Organization.getOutbox()` methods is now `OrderedCollection | OrderedCollectionPage | null` (was `OrderedCollection | null`). - The type of `Person()` constructor's `inbox` and `outbox` options is now `OrderedCollection | OrderedCollectionPage | null | undefined` (was `OrderedCollection | null | undefined`). - The type of `Person.clone()` method's `inbox` and `outbox` options is now `OrderedCollection | OrderedCollectionPage | null | undefined` (was `OrderedCollection | null | undefined`). - The return type of `Person.getInbox()` and `Person.getOutbox()` methods is now `OrderedCollection | OrderedCollectionPage | null` (was `OrderedCollection | null`). - The type of `Service()` constructor's `inbox` and `outbox` options is now `OrderedCollection | OrderedCollectionPage | null | undefined` (was `OrderedCollection | null | undefined`). - The type of `Service.clone()` method's `inbox` and `outbox` options is now `OrderedCollection | OrderedCollectionPage | null | undefined` (was `OrderedCollection | null | undefined`). - The return type of `Service.getInbox()` and `Service.getOutbox()` methods is now `OrderedCollection | OrderedCollectionPage | null` (was `OrderedCollection | null`). [#165]: https://github.com/fedify-dev/fedify/issues/165 Version 1.2.5 ------------- Released on November 14, 2024. - Suppressed a `TypeError` with a message unusable due to Node.js's mysterious behavior. [[#159]] - The `verifyRequest()` function no longer throws a `TypeError` when a given `Request` object's body is already consumed or locked. Instead, it logs an error message to the `["fedify", "sig", "http"]` logger category and returns `null`. - The `Federation.fetch()` method no longer throws a `TypeError` when a given `Request` object's body is already consumed or locked. Instead, it logs an error message to the `["fedify", "federation", "inbox"]` logger category and responds with a `500 Internal Server Error`. [#159]: https://github.com/fedify-dev/fedify/issues/159 Version 1.2.4 ------------- Released on November 12, 2024. - Fixed a bug where default document loaders had thrown a `TypeError` with a message Body is unusable: Body has already been read or Body already consumed when the content type of the response was an HTML document and there's no link to a JSON-LD document. - Fixed a bug where `verifySignature()` and `verifyJsonLd()` functions sometimes had thrown a `jsonld.ValidationError` error. Now such errors are caught and logged as warnings, and the signature to verify is considered as invalid. Version 1.2.3 ------------- Released on November 6, 2024. - The `fedify node` subcommand now can recognize multiple values of the `rel` attribute in the `` HTML elements. Version 1.2.2 ------------- Released on November 1, 2024. - Handle connection errors (rather than HTTP errors) in the `Context.sendActivity()` method. - Support the `fedify` command on Windows on ARM64 via x64 emulation. [[#160]] [#160]: https://github.com/fedify-dev/fedify/issues/160 Version 1.2.1 ------------- Released on October 31, 2024. - Now `fedify node` command can render the node's favicon with `image/vnd.microsoft.icon` or `image/x-icon` format. Version 1.2.0 ------------- Released on October 31, 2024. - Added `InboxContext.recipient` property. - Added NodeInfo client functions. - Added `getNodeInfo()` function. - Added `GetNodeInfoOptions` interface. - Added `parseNodeInfo()` function. - Added `ParseNodeInfoOptions` interface. - Re-exported Semantic Versioning-related types and functions: - Added `SemVer` type. - Added `formatSemVer()` function. - Added `parseSemVer()` function. - Added `followedMessage` property to `Actor` type in Activity Vocabulary API. - Added `Application.followedMessage` property. - `new Application()` constructor now accepts `followedMessage` option. - `Application.clone()` method now accepts `followedMessage` option. - Added `Group.followedMessage` property. - `new Group()` constructor now accepts `followedMessage` option. - `Group.clone()` method now accepts `followedMessage` option. - Added `Organization.followedMessage` property. - `new Organization()` constructor now accepts `followedMessage` option. - `Organization.clone()` method now accepts `followedMessage` option. - Added `Person.followedMessage` property. - `new Person()` constructor now accepts `followedMessage` option. - `Person.clone()` method now accepts `followedMessage` option. - Added `Service.followedMessage` property. - `new Service()` constructor now accepts `followedMessage` option. - `Service.clone()` method now accepts `followedMessage` option. - Log messages now can be traced using [LogTape]'s [implicit contexts]. [[#118]] - Added options for an AMQP driver to `fedify init` command. - Added `amqp` value to the `-q`/`--message-queue` option of the `fedify init` command. - Added `fedify node` subcommand. - Added more log messages using the [LogTape] library. Currently the below logger categories are used: - `["fedify", "nodeinfo", "client"]` [implicit contexts]: https://logtape.org/manual/contexts#implicit-contexts [#118]: https://github.com/fedify-dev/fedify/issues/118 Version 1.1.27 -------------- Released on September 17, 2025. - Improved the AT Protocol URI workaround to handle all DID methods and edge cases. The fix now properly percent-encodes any authority component in `at://` URIs, supporting `did:web`, `did:key`, and other DID methods beyond just `did:plc`. Also handles URIs without path components correctly. [[#436]] Version 1.1.26 -------------- Released on September 17, 2025. - Added a temporary workaround for invalid AT Protocol URIs from BridgyFed. URIs like `at://did:plc:...` that violate RFC 3986 URI syntax are now automatically URL-encoded to `at://did%3Aplc%3A...` to prevent parsing failures when processing bridged Bluesky content. [[#436]] Version 1.1.25 -------------- Released on August 25, 2025. - Fixed a bug where `verifyRequest()` function threw a `TypeError` when verifying HTTP Signatures with `created` or `expires` fields in the `Signature` header as defined in draft-cavage-http-signatures-12, causing `500 Internal Server Error` responses in inbox handlers. Now it correctly handles these fields as unquoted integers according to the specification. Version 1.1.24 -------------- Released on August 25, 2025. - Fixed a bug where ActivityPub Discovery failed to recognize XHTML self-closing `` tags. The HTML/XHTML parser now correctly handles whitespace before the self-closing slash (`/>`), improving compatibility with XHTML documents that follow the self-closing tag format. Version 1.1.23 -------------- Released on June 30, 2025. - Fixed JSON-LD serialization of the `Question.voters` property to correctly serialize as a plain number (e.g., `"votersCount": 123`) instead of as a typed literal object (e.g., `"votersCount":{"type":"xsd:nonNegativeInteger", "@value":123}`). Version 1.1.22 -------------- Released on May 16, 2025. - Fixed a bug where inbox handler had thrown a `jsonld.SyntaxError` which caused a `500 Internal Server Error` when the received activity had an invalid JSON-LD syntax. Now it logs the error and responds with a `400 Bad Request` error instead. [[#232]] - The `exportJwk()` function now populates the `alg` property of a returned `JsonWebKey` object with `"Ed25519"` if the input key is an Ed25519 key. Version 1.1.21 -------------- Released on April 8, 2025. - Activity Vocabulary API became to accept [RFC 3339] date-time strings without a timezone offset. This is not a bug fix, but improves interoperability with some implementations that do not include a timezone offset in their date-time strings including WordPress. [[#226]] - Added the following default context to `Undo` class: ~~~~ json { "litepub": "http://litepub.social/ns#", "toot": "http://joinmastodon.org/ns#", "EmojiReact": "litepub:EmojiReact", "Emoji": "toot:Emoji" } ~~~~ Version 1.1.20 -------------- Released on March 26, 2025. - Fixed a `TypeError` thrown by the followers collection dispatcher when the `base-url` parameter was provided. - Fixed a `TypeError` thrown by the `signRequest()` function on Node.js. [[#222]] Version 1.1.19 -------------- Released on March 26, 2025. - Fixed a bug where the `totalItems` property of `OrderedCollection` objects returned by followers collection dispatcher had been an incorrect value if a `base-url` parameter was provided. - Fixed a bug where the `id` property of `OrderedCollection` and `OrderedCollectionPage` objects returned by followers collection dispatcher had been an incorrect value if a `base-url` parameter was provided. Version 1.1.18 -------------- Released on March 20, 2025. - Fixed a bug of WebFinger handler where it had failed to match `acct:` URIs with a host having a port number. [[#218], [#219] by Revath S Kumar] - Fixed a server error thrown when an invalid URL was passed to the `base-url` parameter of the followers collection. [[#217]] Version 1.1.17 -------------- Released on March 9, 2025. - Fedify no more depends on `node:punycode` module, which is deprecated in Node.js. Now it uses the built-in `node:url` module instead. [[#212], [#214] by Fróði Karlsson] Version 1.1.16 -------------- Released on February 28, 2025. - Made `fedify init` to install *@fedify/h3* 0.1.2 which is compatible with Fedify 1.0.0 or later versions when `--web-framework nitro` option is provided. [[#213]] - Fixed a bug where `fedify init` had failed to initialize a project with the `--runtime node --package-manager pnpm --web-framework nitro` option. [[#213]] - Made `fedify init` to install *@logtape/logtape* 0.6.5 which is the version used in Fedify 1.1.x. Version 1.1.15 -------------- Released on February 25, 2025. - Added the following default context to `Application`, `Group`, `Organization`, `Person`, and `Service` classes: ~~~~ json { "Emoji": "http://joinmastodon.org/ns#Emoji" } ~~~~ Version 1.1.14 -------------- Released on February 22, 2025. - Added the following default contexts to `Follow`, `Undo`, and `Update` classes: - - - Version 1.1.13 -------------- Released on February 19, 2025. - Fixed a bug where the `fedify init` command had failed to locate package managers on Windows. [[#210]] - The `fedify` command became aware of `FEDIFY_LOG_FILE` environment variable to log messages to a file. If the variable is set, the command logs messages to the file specified by the variable. Version 1.1.12 -------------- Released on February 10, 2025. - Fixed a bug with nested object hydration in Activity Vocabulary API where deeply nested properties (like `Object.getAttribution()` on `Activity.getObject()`) were't being properly hydrated during `toJsonLd()` calls. Previously, subsequent calls to `toJsonLd()` on nested objects could result in inconsistent JSON-LD output where nested objects remained as URLs instead of being fully expanded. Version 1.1.11 -------------- Released on January 21, 2025. - Fixed several security vulnerabilities of the `lookupWebFinger()` function. [[CVE-2025-23221]] - Fixed a security vulnerability where the `lookupWebFinger()` function had followed the infinite number of redirects, which could lead to a denial of service attack. Now it follows up to 5 redirects. - Fixed a security vulnerability where the `lookupWebFinger()` function had followed the redirects to other than the HTTP/HTTPS schemes, which could lead to a security breach. Now it follows only the same scheme as the original request. - Fixed a security vulnerability where the `lookupWebFinger()` function had followed the redirects to the private network addresses, which could lead to a SSRF attack. Now it follows only the public network addresses. Version 1.1.10 -------------- Released on December 18, 2024. - Fixed the default document loader to handle the `Link` header with incorrect syntax. [[#196]] Version 1.1.9 ------------- Released on December 11, 2024. - Fixed idempotence check in inbox listeners to ensure activities for different origins are processed correctly. Version 1.1.8 ------------- Released on November 23, 2024. - Fixed `ShikiError` on the `fedify inbox` command rendering web interface. [[#178], [#185] by Heesun Jung] - Fixed text overflow of the `fedify inbox` command's web log view. [[#180], [#188] by Lim Kyunghee] Version 1.1.7 ------------- Released on November 22, 2024. - Fixed a bug where `lookupWebFinger()` function had thrown a `TypeError` when the *.well-known/webfinger* redirects to a relative URI. [[#166]] Version 1.1.6 ------------- Released on November 19, 2024. - Fix a bug where `Actor`'s `inbox` and `outbox` properties had not been able to be set to an `OrderedCollectionPage` object, even though it is a subtype of `OrderedCollection` according to Activity Vocabulary specification. [[#165]] - The type of `Application()` constructor's `inbox` and `outbox` options is now `OrderedCollection | OrderedCollectionPage | null | undefined` (was `OrderedCollection | null | undefined`). - The type of `Application.clone()` method's `inbox` and `outbox` options is now `OrderedCollection | OrderedCollectionPage | null | undefined` (was `OrderedCollection | null | undefined`). - The return type of `Application.getInbox()` and `Application.getOutbox()` methods is now `OrderedCollection | OrderedCollectionPage | null` (was `OrderedCollection | null`). - The type of `Group()` constructor's `inbox` and `outbox` options is now `OrderedCollection | OrderedCollectionPage | null | undefined` (was `OrderedCollection | null | undefined`). - The type of `Group.clone()` method's `inbox` and `outbox` options is now `OrderedCollection | OrderedCollectionPage | null | undefined` (was `OrderedCollection | null | undefined`). - The return type of `Group.getInbox()` and `Group.getOutbox()` methods is now `OrderedCollection | OrderedCollectionPage | null` (was `OrderedCollection | null`). - The type of `Organization()` constructor's `inbox` and `outbox` options is now `OrderedCollection | OrderedCollectionPage | null | undefined` (was `OrderedCollection | null | undefined`). - The type of `Organization.clone()` method's `inbox` and `outbox` options is now `OrderedCollection | OrderedCollectionPage | null | undefined` (was `OrderedCollection | null | undefined`). - The return type of `Organization.getInbox()` and `Organization.getOutbox()` methods is now `OrderedCollection | OrderedCollectionPage | null` (was `OrderedCollection | null`). - The type of `Person()` constructor's `inbox` and `outbox` options is now `OrderedCollection | OrderedCollectionPage | null | undefined` (was `OrderedCollection | null | undefined`). - The type of `Person.clone()` method's `inbox` and `outbox` options is now `OrderedCollection | OrderedCollectionPage | null | undefined` (was `OrderedCollection | null | undefined`). - The return type of `Person.getInbox()` and `Person.getOutbox()` methods is now `OrderedCollection | OrderedCollectionPage | null` (was `OrderedCollection | null`). - The type of `Service()` constructor's `inbox` and `outbox` options is now `OrderedCollection | OrderedCollectionPage | null | undefined` (was `OrderedCollection | null | undefined`). - The type of `Service.clone()` method's `inbox` and `outbox` options is now `OrderedCollection | OrderedCollectionPage | null | undefined` (was `OrderedCollection | null | undefined`). - The return type of `Service.getInbox()` and `Service.getOutbox()` methods is now `OrderedCollection | OrderedCollectionPage | null` (was `OrderedCollection | null`). Version 1.1.5 ------------- Released on November 14, 2024. - Suppressed a `TypeError` with a message unusable due to Node.js's mysterious behavior. [[#159]] - The `verifyRequest()` function no longer throws a `TypeError` when a given `Request` object's body is already consumed or locked. Instead, it logs an error message to the `["fedify", "sig", "http"]` logger category and returns `null`. - The `Federation.fetch()` method no longer throws a `TypeError` when a given `Request` object's body is already consumed or locked. Instead, it logs an error message to the `["fedify", "federation", "inbox"]` logger category and responds with a `500 Internal Server Error`. Version 1.1.4 ------------- Released on November 12, 2024. - Fixed a bug where default document loaders had thrown a `TypeError` with a message Body is unusable: Body has already been read or Body already consumed when the content type of the response was an HTML document and there's no link to a JSON-LD document. - Fixed a bug where `verifySignature()` and `verifyJsonLd()` functions sometimes had thrown a `jsonld.ValidationError` error. Now such errors are caught and logged as warnings, and the signature to verify is considered as invalid. Version 1.1.3 ------------- Released on October 31, 2024. - Fixed a bug where `fetchDocumentLoader()` function had disallowed redirecting to a private network address when the second parameter, a `boolean` value to allow private network addresses, was `true`. Version 1.1.2 ------------- Released on October 27, 2024. - Fixed default document loaders' incorrect handling of relative URIs in `Link` headers with `rel=alternate`. [[#155] by Emelia Smith] - The `fetchDocumentLoader()` function now preloads the following JSON-LD context: . [#155]: https://github.com/fedify-dev/fedify/pull/155 Version 1.1.1 ------------- Released on October 23, 2024. - The `fetchDocumentLoader()` function now preloads the following JSON-LD context: . Version 1.1.0 ------------- Released on October 20, 2024. - Added utility functions for traversing remote collections. [[#150]] - Added `Context.traverseCollection()` method. - Added `traverseCollection()` function. - Added `TraverseCollectionOptions` interface. - Added `EmojiReact` class to Activity Vocabulary API. [[FEP-c0e0]] - Added `successor` property to the `Actor` types in the Activity Vocabulary API. - Added `Application.getSuccessor()` method. - `new Application()` constructor now accepts `successor` option. - `Application.clone()` method now accepts `successor` option. - Added `Group.getSuccessor()` method. - `new Group()` constructor now accepts `successor` option. - `Group.clone()` method now accepts `successor` option. - Added `Organization.getSuccessor()` method. - `new Organization()` constructor now accepts `successor` option. - `Organization.clone()` method now accepts `successor` option. - Added `Person.getSuccessor()` method. - `new Person()` constructor now accepts `successor` option. - `Person.clone()` method now accepts `successor` option. - Added `Service.getSuccessor()` method. - `new Service()` constructor now accepts `successor` option. - `Service.clone()` method now accepts `successor` option. - Added `DidService` class to Activity Vocabulary API. [[FEP-9091], [#146]] - Added `Export` class to Activity Vocabulary API. [[FEP-9091], [#146]] - Added `service` property to the `Actor` types in the Activity Vocabulary API. [[FEP-9091], [#146]] - Added `Application.getService()` method. - Added `Application.getServices()` method. - `new Application()` constructor now accepts `service` option. - `new Application()` constructor now accepts `services` option. - `Application.clone()` method now accepts `service` option. - `Application.clone()` method now accepts `services` option. - Added `Group.getService()` method. - Added `Group.getServices()` method. - `new Group()` constructor now accepts `service` option. - `new Group()` constructor now accepts `services` option. - `Group.clone()` method now accepts `service` option. - `Group.clone()` method now accepts `services` option. - Added `Organization.getService()` method. - Added `Organization.getServices()` method. - `new Organization()` constructor now accepts `service` option. - `new Organization()` constructor now accepts `services` option. - `Organization.clone()` method now accepts `service` option. - `Organization.clone()` method now accepts `services` option. - Added `Person.getService()` method. - Added `Person.getServices()` method. - `new Person()` constructor now accepts `service` option. - `new Person()` constructor now accepts `services` option. - `Person.clone()` method now accepts `service` option. - `Person.clone()` method now accepts `services` option. - Added `Service.getService()` method. - Added `Service.getServices()` method. - `new Service()` constructor now accepts `service` option. - `new Service()` constructor now accepts `services` option. - `Service.clone()` method now accepts `service` option. - `Service.clone()` method now accepts `services` option. - The default time window for verifying HTTP Signatures of incoming requests is now an hour (was a minute). This new default window is according to the [ActivityPub and HTTP Signatures] document. - The default value of `VerifyRequestOptions.timeWindow` option became `{ hours: 1 }` (was `{ minutes: 1 }`). - The default value of `CreateFederationOptions.signatureTimeWindow` option became `{ hours: 1 }` (was `{ minutes: 1 }`). - The type of `VerifyRequestOptions.timeWindow` property became `Temporal.Duration | Temporal.DurationLike | false` (was `Temporal.DurationLike | false`). - The type of `CreateFederationOptions.signatureTimeWindow` property became `Temporal.Duration | Temporal.DurationLike | false` (was `Temporal.DurationLike | false`). - In the `fedify inbox` command's web interface, the *Raw Activity* tab is added to show the raw JSON object of the received activity. [FEP-c0e0]: https://w3id.org/fep/c0e0 [FEP-9091]: https://w3id.org/fep/9091 [ActivityPub and HTTP Signatures]: https://swicg.github.io/activitypub-http-signature/ [#146]: https://github.com/fedify-dev/fedify/issues/146 [#150]: https://github.com/fedify-dev/fedify/issues/150 Version 1.0.30 -------------- Released on September 17, 2025. - Improved the AT Protocol URI workaround to handle all DID methods and edge cases. The fix now properly percent-encodes any authority component in `at://` URIs, supporting `did:web`, `did:key`, and other DID methods beyond just `did:plc`. Also handles URIs without path components correctly. [[#436]] Version 1.0.29 -------------- Released on September 17, 2025. - Added a temporary workaround for invalid AT Protocol URIs from BridgyFed. URIs like `at://did:plc:...` that violate RFC 3986 URI syntax are now automatically URL-encoded to `at://did%3Aplc%3A...` to prevent parsing failures when processing bridged Bluesky content. [[#436]] Version 1.0.28 -------------- Released on August 25, 2025. - Fixed a bug where `verifyRequest()` function threw a `TypeError` when verifying HTTP Signatures with `created` or `expires` fields in the `Signature` header as defined in draft-cavage-http-signatures-12, causing `500 Internal Server Error` responses in inbox handlers. Now it correctly handles these fields as unquoted integers according to the specification. Version 1.0.27 -------------- Released on August 25, 2025. - Fixed a bug where ActivityPub Discovery failed to recognize XHTML self-closing `` tags. The HTML/XHTML parser now correctly handles whitespace before the self-closing slash (`/>`), improving compatibility with XHTML documents that follow the self-closing tag format. Version 1.0.26 -------------- Released on June 30, 2025. - Fixed JSON-LD serialization of the `Question.voters` property to correctly serialize as a plain number (e.g., `"votersCount": 123`) instead of as a typed literal object (e.g., `"votersCount":{"type":"xsd:nonNegativeInteger", "@value":123}`). Version 1.0.25 -------------- Released on May 16, 2025. - Fixed a bug where inbox handler had thrown a `jsonld.SyntaxError` which caused a `500 Internal Server Error` when the received activity had an invalid JSON-LD syntax. Now it logs the error and responds with a `400 Bad Request` error instead. [[#232]] - The `exportJwk()` function now populates the `alg` property of a returned `JsonWebKey` object with `"Ed25519"` if the input key is an Ed25519 key. Version 1.0.24 -------------- Released on April 8, 2025. - Activity Vocabulary API became to accept [RFC 3339] date-time strings without a timezone offset. This is not a bug fix, but improves interoperability with some implementations that do not include a timezone offset in their date-time strings including WordPress. [[#226]] Version 1.0.23 -------------- Released on March 26, 2025. - Fixed a `TypeError` thrown by the followers collection dispatcher when the `base-url` parameter was provided. - Fixed a `TypeError` thrown by the `signRequest()` function on Node.js. [[#222]] Version 1.0.22 -------------- Released on March 26, 2025. - Fixed a bug where the `totalItems` property of `OrderedCollection` objects returned by followers collection dispatcher had been an incorrect value if a `base-url` parameter was provided. - Fixed a bug where the `id` property of `OrderedCollection` and `OrderedCollectionPage` objects returned by followers collection dispatcher had been an incorrect value if a `base-url` parameter was provided. Version 1.0.21 -------------- Released on March 20, 2025. - Fixed a bug of WebFinger handler where it had failed to match `acct:` URIs with a host having a port number. [[#218], [#219] by Revath S Kumar] - Fixed a server error thrown when an invalid URL was passed to the `base-url` parameter of the followers collection. [[#217]] Version 1.0.20 -------------- Released on March 9, 2025. - Fedify no more depends on `node:punycode` module, which is deprecated in Node.js. Now it uses the built-in `node:url` module instead. [[#212], [#214] by Fróði Karlsson] Version 1.0.19 -------------- Released on February 28, 2025. - Made `fedify init` to install *@fedify/h3* 0.1.2 which is compatible with Fedify 1.0.0 or later versions when `--web-framework nitro` option is provided. [[#213]] - Fixed a bug where `fedify init` had failed to initialize a project with the `--runtime node --package-manager pnpm --web-framework nitro` option. [[#213]] - Made `fedify init` to install *@logtape/logtape* 0.6.5 which is the version used in Fedify 1.0.x. Version 1.0.18 -------------- Released on February 25, 2025. - Added the following default context to `Application`, `Group`, `Organization`, `Person`, and `Service` classes: ~~~~ json { "Emoji": "http://joinmastodon.org/ns#Emoji" } ~~~~ Version 1.0.17 -------------- Released on February 22, 2025. - Added the following default contexts to `Follow`, `Undo`, and `Update` classes: - - - Version 1.0.16 -------------- Released on February 19, 2025. - Fixed a bug where the `fedify init` command had failed to locate package managers on Windows. [[#210]] - The `fedify` command became aware of `FEDIFY_LOG_FILE` environment variable to log messages to a file. If the variable is set, the command logs messages to the file specified by the variable. Version 1.0.15 -------------- Released on February 10, 2025. - Fixed a bug with nested object hydration in Activity Vocabulary API where deeply nested properties (like `Object.getAttribution()` on `Activity.getObject()`) were't being properly hydrated during `toJsonLd()` calls. Previously, subsequent calls to `toJsonLd()` on nested objects could result in inconsistent JSON-LD output where nested objects remained as URLs instead of being fully expanded. Version 1.0.14 -------------- Released on January 21, 2025. - Fixed several security vulnerabilities of the `lookupWebFinger()` function. [[CVE-2025-23221]] - Fixed a security vulnerability where the `lookupWebFinger()` function had followed the infinite number of redirects, which could lead to a denial of service attack. Now it follows up to 5 redirects. - Fixed a security vulnerability where the `lookupWebFinger()` function had followed the redirects to other than the HTTP/HTTPS schemes, which could lead to a security breach. Now it follows only the same scheme as the original request. - Fixed a security vulnerability where the `lookupWebFinger()` function had followed the redirects to the private network addresses, which could lead to a SSRF attack. Now it follows only the public network addresses. Version 1.0.13 -------------- Released on December 18, 2024. - Fixed the default document loader to handle the `Link` header with incorrect syntax. [[#196]] Version 1.0.12 -------------- Released on December 11, 2024. - Fixed idempotence check in inbox listeners to ensure activities for different origins are processed correctly. Version 1.0.11 -------------- Released on November 22, 2024. - Fixed a bug where `lookupWebFinger()` function had thrown a `TypeError` when the *.well-known/webfinger* redirects to a relative URI. [[#166]] Version 1.0.10 -------------- Released on November 19, 2024. - Fix a bug where `Actor`'s `inbox` and `outbox` properties had not been able to be set to an `OrderedCollectionPage` object, even though it is a subtype of `OrderedCollection` according to Activity Vocabulary specification. [[#165]] - The type of `Application()` constructor's `inbox` and `outbox` options is now `OrderedCollection | OrderedCollectionPage | null | undefined` (was `OrderedCollection | null | undefined`). - The type of `Application.clone()` method's `inbox` and `outbox` options is now `OrderedCollection | OrderedCollectionPage | null | undefined` (was `OrderedCollection | null | undefined`). - The return type of `Application.getInbox()` and `Application.getOutbox()` methods is now `OrderedCollection | OrderedCollectionPage | null` (was `OrderedCollection | null`). - The type of `Group()` constructor's `inbox` and `outbox` options is now `OrderedCollection | OrderedCollectionPage | null | undefined` (was `OrderedCollection | null | undefined`). - The type of `Group.clone()` method's `inbox` and `outbox` options is now `OrderedCollection | OrderedCollectionPage | null | undefined` (was `OrderedCollection | null | undefined`). - The return type of `Group.getInbox()` and `Group.getOutbox()` methods is now `OrderedCollection | OrderedCollectionPage | null` (was `OrderedCollection | null`). - The type of `Organization()` constructor's `inbox` and `outbox` options is now `OrderedCollection | OrderedCollectionPage | null | undefined` (was `OrderedCollection | null | undefined`). - The type of `Organization.clone()` method's `inbox` and `outbox` options is now `OrderedCollection | OrderedCollectionPage | null | undefined` (was `OrderedCollection | null | undefined`). - The return type of `Organization.getInbox()` and `Organization.getOutbox()` methods is now `OrderedCollection | OrderedCollectionPage | null` (was `OrderedCollection | null`). - The type of `Person()` constructor's `inbox` and `outbox` options is now `OrderedCollection | OrderedCollectionPage | null | undefined` (was `OrderedCollection | null | undefined`). - The type of `Person.clone()` method's `inbox` and `outbox` options is now `OrderedCollection | OrderedCollectionPage | null | undefined` (was `OrderedCollection | null | undefined`). - The return type of `Person.getInbox()` and `Person.getOutbox()` methods is now `OrderedCollection | OrderedCollectionPage | null` (was `OrderedCollection | null`). - The type of `Service()` constructor's `inbox` and `outbox` options is now `OrderedCollection | OrderedCollectionPage | null | undefined` (was `OrderedCollection | null | undefined`). - The type of `Service.clone()` method's `inbox` and `outbox` options is now `OrderedCollection | OrderedCollectionPage | null | undefined` (was `OrderedCollection | null | undefined`). - The return type of `Service.getInbox()` and `Service.getOutbox()` methods is now `OrderedCollection | OrderedCollectionPage | null` (was `OrderedCollection | null`). Version 1.0.9 ------------- Released on November 14, 2024. - Suppressed a `TypeError` with a message unusable due to Node.js's mysterious behavior. [[#159]] - The `verifyRequest()` function no longer throws a `TypeError` when a given `Request` object's body is already consumed or locked. Instead, it logs an error message to the `["fedify", "sig", "http"]` logger category and returns `null`. - The `Federation.fetch()` method no longer throws a `TypeError` when a given `Request` object's body is already consumed or locked. Instead, it logs an error message to the `["fedify", "federation", "inbox"]` logger category and responds with a `500 Internal Server Error`. Version 1.0.8 ------------- Released on November 12, 2024. - Fixed a bug where default document loaders had thrown a `TypeError` with a message Body is unusable: Body has already been read or Body already consumed when the content type of the response was an HTML document and there's no link to a JSON-LD document. - Fixed a bug where `verifySignature()` and `verifyJsonLd()` functions sometimes had thrown a `jsonld.ValidationError` error. Now such errors are caught and logged as warnings, and the signature to verify is considered as invalid. Version 1.0.7 ------------- Released on October 31, 2024. - Fixed a bug where `fetchDocumentLoader()` function had disallowed redirecting to a private network address when the second parameter, a `boolean` value to allow private network addresses, was `true`. Version 1.0.6 ------------- Released on October 27, 2024. - Fixed default document loaders' incorrect handling of relative URIs in `Link` headers with `rel=alternate`. [[#155] by Emelia Smith] - The `fetchDocumentLoader()` function now preloads the following JSON-LD context: . Version 1.0.5 ------------- Released on October 23, 2024. - The `fetchDocumentLoader()` function now preloads the following JSON-LD context: . Version 1.0.4 ------------- Released on October 17, 2024. - Fixed a bug where `Actor.aliasId` and `Actor.aliasIds` properties had been represented as `as:alsoKnownAs` property instead of `alsoKnownAs` property in compacted JSON-LD objects. - Improved compatibility with Bridgy Fed for Bluesky where it puts an invalid URI with the format `at://...` in the `alsoKnownAs` property. Version 1.0.3 ------------- Released on October 17, 2024. - Improved compatibility with some implementations (e.g., Nexkey) where some `CryptographicKey` objects are incorrectly typed in JSON-LD objects. Version 1.0.2 ------------- Released on September 27, 2024. - Fixed a bug of `Object.toJsonLd()` method where it had incorrectly compacted the `name` property when it was not a language map. - The `Delete(Application)` activities sent by the `fedify inbox` command now embed the entire actor object instead of just the actor's URI so that the peers can verify the actor's signature without fetching the actor object. Version 1.0.1 ------------- Released on September 26, 2024. - Fixed deprecation messages related to the `{handle}` variable in URL templates; they had had wrong placeholders in the message templates. - Fixed a bug of `Object.toJsonLd()` method where it had not fall back to the proper compact form when the heuristic compact form was not available. Version 1.0.0 ------------- Released on September 26, 2024. - The term `handle` for dispatching actors is deprecated in favor of `identifier`. - The URI template for the following methods now accepts variable `{identifier}` instead of `{handle}`: - `Federation.setActorDispatcher()` - `Federation.setInboxDispatcher()` - `Federation.setOutboxDispatcher()` - `Federation.setFollowingDispatcher()` - `Federation.setFollowersDispatcher()` - `Federation.setLikedDispatcher()` - `Federation.setFeaturedDispatcher()` - `Federation.setFeaturedTagsDispatcher()` - `Federation.setInboxListeners()` The `{handle}` variable is deprecated, and it will be removed in the future. - The type of `Federation.setActorDispatcher()` method's first parameter became ``${string}{identifier}${string}` | `${string}{handle}${string}`` (was ```${string}{handle}${string}```). - The type of `Federation.setInboxDispatcher()` method's first parameter became ``${string}{identifier}${string}` | `${string}{handle}${string}`` (was ```${string}{handle}${string}```). - The type of `Federation.setOutboxDispatcher()` method's first parameter became ``${string}{identifier}${string}` | `${string}{handle}${string}`` (was ```${string}{handle}${string}```). - The type of `Federation.setFollowingDispatcher()` method's first parameter became ``${string}{identifier}${string}` | `${string}{handle}${string}`` (was ```${string}{handle}${string}```). - The type of `Federation.setFollowersDispatcher()` method's first parameter became ``${string}{identifier}${string}` | `${string}{handle}${string}`` (was ```${string}{handle}${string}```). - The type of `Federation.setLikedDispatcher()` method's first parameter became ``${string}{identifier}${string}` | `${string}{handle}${string}`` (was ```${string}{handle}${string}```). - The type of `Federation.setFeaturedDispatcher()` method's first parameter became ``${string}{identifier}${string}` | `${string}{handle}${string}`` (was ```${string}{handle}${string}```). - The type of `Federation.setFeaturedTagsDispatcher()` method's first parameter became ``${string}{identifier}${string}` | `${string}{handle}${string}`` (was ```${string}{handle}${string}```). - The type of `Federation.setInboxListeners()` method's first parameter became ``${string}{identifier}${string}` | `${string}{handle}${string}`` (was ```${string}{handle}${string}```). - The type of `Context.getDocumentLoader()` method's first parameter became `{ identifier: string } | { username: string } | { handle: string } | { keyId: URL; privateKey: CryptoKey }` (was `{ handle: string } | { keyId: URL; privateKey: CryptoKey }`). - Passing `{ handle: string }` to `Context.getDocumentLoader()` method is deprecated in favor of `{ username: string }`. - The type of `Context.sendActivity()` method's first parameter became `SenderKeyPair | SenderKeyPair[] | { identifier: string } | { username: string } | { handle: string }` (was `SenderKeyPair | SenderKeyPair[] | { handle: string }`). - All properties of `ParseUriResult` type became readonly. - Added `identifier` properties next to `handle` properties in `ParseUriResult` type. - The `handle` properties of `ParseUriResult` type are deprecated in favor of `identifier` properties. - The return type of `SharedInboxKeyDispatcher` callback type became `SenderKeyPair | { identifier: string } | { username: string } | { handle: string } | null | Promise` (was `SenderKeyPair | { handle: string } | null | Promise`). - Fedify now supports [Linked Data Signatures], which is outdated but still widely used in the fediverse. - A `Federation` object became to verify an activity's Linked Data Signatures if it has one. If Linked Data Signatures are verified, Object Integrity Proofs and HTTP Signatures are not verified. - `Context.sendActivity()` method became to sign an activity with Linked Data Signatures if there is at least one RSA-PKCS#1-v1.5 key pair. - Added `Signature` interface. - Added `signJsonLd()` function. - Added `SignJsonLdOptions` interface. - Added `createSignature()` function. - Added `CreateSignatureOptions` interface. - Added `verifyJsonLd()` function. - Added `VerifyJsonLdOptions` interface. - Added `verifySignature()` function. - Added `VerifySignatureOptions` interface. - Added `attachSignature()` function. - Added `detachSignature()` function. - In inbox listeners, a received activity now can be forwarded to another server. [[#137]] - Added `InboxContext` interface. - Added `ForwardActivityOptions` interface. - The first parameter of the `InboxListener` callback type became `InboxContext` (was `Context`). - Added `cat` property to `Actor` type in Activity Vocabulary API. - Added `Application.cat` property. - `new Application()` constructor now accepts `cat` option. - `Application.clone()` method now accepts `cat` option. - Added `Group.cat` property. - `new Group()` constructor now accepts `cat` option. - `Group.clone()` method now accepts `cat` option. - Added `Organization.cat` property. - `new Organization()` constructor now accepts `cat` option. - `Organization.clone()` method now accepts `cat` option. - Added `Person.cat` property. - `new Person()` constructor now accepts `cat` option. - `Person.clone()` method now accepts `cat` option. - Added `Service.cat` property. - `new Service()` constructor now accepts `cat` option. - `Service.clone()` method now accepts `cat` option. - The `Context.parseUri()` method's parameter type became `URL | null` (was `URL`). - `Context.sendActivity()` method now adds Object Integrity Proofs to the activity to be sent only once. It had added Object Integrity Proofs to the activity for every recipient before. - The message queue is now able to be stopped manually by providing an `AbortSignal` object to the `Federation.startQueue()` method. - Added the optional second parameter to `Federation.startQueue()` method, which is a `FederationStartQueueOptions` object. - Added `FederationStartQueueOptions` interface. - Added the optional second parameter to `MessageQueue.listen()` method, which is a `MessageQueueListenOptions` object. - Added `MessageQueueListenOptions` interface. - The return type of `MessageQueue.listen()` method became `Promise` (was `void`). - Added `ParallelMessageQueue` class. [[#106]] - WebFinger responses now include links if the `Actor` object returned by the actor dispatcher has `icon`/`icons` property. - `DenoKvMessageQueue` now implements `Disposable` interface. - The `fedify inbox` command now sends `Delete(Application)` activities when it's terminated so that the peers can clean up data related to the temporary actor. [[#135]] - Added options for PostgreSQL drivers to `fedify init` command. - Added `postgres` value to the `-k`/`--kv-store` option of the `fedify init` command. - Added `postgres` value to the `-q`/`--message-queue` option of the `fedify init` command. - The generated project by the `fedify init` command now enables dotenv by default. - The `fedify init` command now generates *.env* file with default values. - Added more log messages using the [LogTape] library. Currently the below logger categories are used: - `["fedify", "sig", "ld"]` [Linked Data Signatures]: https://web.archive.org/web/20170923124140/https://w3c-dvcg.github.io/ld-signatures/ [#106]: https://github.com/fedify-dev/fedify/issues/106 [#135]: https://github.com/fedify-dev/fedify/issues/135 [#137]: https://github.com/fedify-dev/fedify/issues/137 Version 0.15.9 -------------- Released on November 22, 2024. - Fixed a bug where `lookupWebFinger()` function had thrown a `TypeError` when the *.well-known/webfinger* redirects to a relative URI. [[#166]] Version 0.15.8 -------------- Released on November 19, 2024. - Fix a bug where `Actor`'s `inbox` and `outbox` properties had not been able to be set to an `OrderedCollectionPage` object, even though it is a subtype of `OrderedCollection` according to Activity Vocabulary specification. [[#165]] - The type of `Application()` constructor's `inbox` and `outbox` options is now `OrderedCollection | OrderedCollectionPage | null | undefined` (was `OrderedCollection | null | undefined`). - The type of `Application.clone()` method's `inbox` and `outbox` options is now `OrderedCollection | OrderedCollectionPage | null | undefined` (was `OrderedCollection | null | undefined`). - The return type of `Application.getInbox()` and `Application.getOutbox()` methods is now `OrderedCollection | OrderedCollectionPage | null` (was `OrderedCollection | null`). - The type of `Group()` constructor's `inbox` and `outbox` options is now `OrderedCollection | OrderedCollectionPage | null | undefined` (was `OrderedCollection | null | undefined`). - The type of `Group.clone()` method's `inbox` and `outbox` options is now `OrderedCollection | OrderedCollectionPage | null | undefined` (was `OrderedCollection | null | undefined`). - The return type of `Group.getInbox()` and `Group.getOutbox()` methods is now `OrderedCollection | OrderedCollectionPage | null` (was `OrderedCollection | null`). - The type of `Organization()` constructor's `inbox` and `outbox` options is now `OrderedCollection | OrderedCollectionPage | null | undefined` (was `OrderedCollection | null | undefined`). - The type of `Organization.clone()` method's `inbox` and `outbox` options is now `OrderedCollection | OrderedCollectionPage | null | undefined` (was `OrderedCollection | null | undefined`). - The return type of `Organization.getInbox()` and `Organization.getOutbox()` methods is now `OrderedCollection | OrderedCollectionPage | null` (was `OrderedCollection | null`). - The type of `Person()` constructor's `inbox` and `outbox` options is now `OrderedCollection | OrderedCollectionPage | null | undefined` (was `OrderedCollection | null | undefined`). - The type of `Person.clone()` method's `inbox` and `outbox` options is now `OrderedCollection | OrderedCollectionPage | null | undefined` (was `OrderedCollection | null | undefined`). - The return type of `Person.getInbox()` and `Person.getOutbox()` methods is now `OrderedCollection | OrderedCollectionPage | null` (was `OrderedCollection | null`). - The type of `Service()` constructor's `inbox` and `outbox` options is now `OrderedCollection | OrderedCollectionPage | null | undefined` (was `OrderedCollection | null | undefined`). - The type of `Service.clone()` method's `inbox` and `outbox` options is now `OrderedCollection | OrderedCollectionPage | null | undefined` (was `OrderedCollection | null | undefined`). - The return type of `Service.getInbox()` and `Service.getOutbox()` methods is now `OrderedCollection | OrderedCollectionPage | null` (was `OrderedCollection | null`). Version 0.15.7 -------------- Released on November 14, 2024. - Suppressed a `TypeError` with a message unusable due to Node.js's mysterious behavior. [[#159]] - The `verifyRequest()` function no longer throws a `TypeError` when a given `Request` object's body is already consumed or locked. Instead, it logs an error message to the `["fedify", "sig", "http"]` logger category and returns `null`. - The `Federation.fetch()` method no longer throws a `TypeError` when a given `Request` object's body is already consumed or locked. Instead, it logs an error message to the `["fedify", "federation", "inbox"]` logger category and responds with a `500 Internal Server Error`. Version 0.15.6 -------------- Released on November 12, 2024. - Fixed a bug where default document loaders had thrown a `TypeError` with a message Body is unusable: Body has already been read or Body already consumed when the content type of the response was an HTML document and there's no link to a JSON-LD document. Version 0.15.5 -------------- Released on October 30, 2024. - Fixed a bug where `fetchDocumentLoader()` function had disallowed redirecting to a private network address when the second parameter, a `boolean` value to allow private network addresses, was `true`. Version 0.15.4 -------------- Released on October 27, 2024. - Fixed default document loaders' incorrect handling of relative URIs in `Link` headers with `rel=alternate`. [[#155] by Emelia Smith] - The `fetchDocumentLoader()` function now preloads the following JSON-LD context: . Version 0.15.3 -------------- Released on October 23, 2024. - The `fetchDocumentLoader()` function now preloads the following JSON-LD context: . Version 0.15.2 -------------- Released on September 26, 2024. - Fixed a bug of `Object.toJsonLd()` method where it had not fall back to the proper compact form when the heuristic compact form was not available. Version 0.15.1 -------------- Released on September 15, 2024. - Fixed a bug where even if the `ActorCallbackSetters.mapHandle()` method was called, a WebFinger username was used as an actor's handle. [[#136]] [#136]: https://github.com/fedify-dev/fedify/pull/136 Version 0.15.0 -------------- Released on September 11, 2024. - Actors, collections, and objects now can have their URIs that do not consist of a WebFinger username, which means actors can change their fediverse handles. - Added `ActorCallbackSetters.mapHandle()` method. - Added `ActorHandleMapper` type. - Added `quoteUrl` property to `Article`, `ChatMessage`, `Note`, and `Question` classes in Activity Vocabulary API. - Added `Article.quoteUrl` property. - `new Article()` constructor now accepts `quoteUrl` option. - `Article.clone()` method now accepts `quoteUrl` option. - Added `ChatMessage.quoteUrl` property. - `new ChatMessage()` constructor now accepts `quoteUrl` option. - `ChatMessage.clone()` method now accepts `quoteUrl` option. - Added `Note.quoteUrl` property. - `new Note()` constructor now accepts `quoteUrl` option. - `Note.clone()` method now accepts `quoteUrl` option. - Added `Question.quoteUrl` property. - `new Question()` constructor now accepts `quoteUrl` option. - `Question.clone()` method now accepts `quoteUrl` option. - The element type of the liked collection is now `Object` or `URL` instead of `Like`. - Changed the type of `Federation.setLikedDispatcher()` method's second parameter to `CollectionDispatcher