Update Fedify packages to v2 #1669
Open
renovate[bot] wants to merge 1 commit into
This PR contains the following updates:
1.10.8 → 2.2.1
1.10.8 → 2.2.1
1.10.8 → 2.2.1
1.10.8 → 2.2.1
Release Notes
fedify-dev/fedify (@fedify/cli)
v2.2.1
Released on May 10, 2026.
@fedify/vocab-runtime
validatePublicUrl() allowing private IPv4 addresses encoded as IPv4-mapped IPv6 URL literals, such as http://[::ffff:7f00:1]/, which could bypass private network protections in remote document loading.
v2.2.0
Released on April 28, 2026.
@fedify/fedify
Shipped an Agent Skills bundle at skills/fedify/ and declared it in package.json through the agents.skills field. The skill teaches AI coding agents how to use Fedify inside a consumer's project (builder pattern, dispatchers, framework integrations, vocabulary, keys, queues and storage, observability, CLI, and common pitfalls). Projects that run a tool implementing the Agent Skills spec, such as skills-npm, will pick up the skill automatically from node_modules, keeping the guidance in sync with the installed Fedify version. [#711, #712]
Added setOutboxListeners() and OutboxContext for handling client-to-server POST requests to actor outboxes. Outbox listeners use application-defined authorization through .authorize(), catch activity types with .on(), and require explicit delivery through ctx.sendActivity() or ctx.forwardActivity(). Fedify now also logs a runtime warning when an outbox listener returns without delivering the posted activity. [#430, #688]
Allowed actor dispatchers to return Tombstone for deleted accounts. Fedify now serves those actor URIs as 410 Gone with the serialized tombstone body, and the corresponding WebFinger lookups also return 410 Gone instead of pretending the account was never handled. Added a RequestContext.getActor() overload that can return those tombstones to application code when called with { tombstone: "passthrough" }. [#644, #680]
Added DoubleKnockOptions.maxRedirection to configure the maximum number of redirects followed by doubleKnock(). getAuthenticatedDocumentLoader() now also respects GetAuthenticatedDocumentLoaderOptions.maxRedirection.
Improved interoperability with threadiverse software by serializing the public audience as the full https://www.w3.org/ns/activitystreams#Public URI in outgoing activities' to, cc, bto, bcc, and audience fields, instead of the compacted as:Public or Public CURIEs that JSON-LD compaction would otherwise produce. Some ActivityPub implementations, Lemmy included, match those fields as plain URLs without JSON-LD expansion and would silently drop activities carrying the CURIE form; see LemmyNet/lemmy#6465. The rewrite is gated on a URDNA2015 canonical-form equivalence check, so an application-defined @context that redefines the as: prefix or the bare Public term is preserved as is. The rewrite is also applied before eddsa-jcs-2022 Object Integrity Proof signing so the signed bytes match what is sent on the wire. [#710, #721]
Improved interoperability with Pixelfed by serializing outgoing activities' attachment fields as arrays even when there is only one attachment. JSON-LD compaction would otherwise emit a scalar value for single attachments, but Pixelfed currently expects an array and may reject incoming posts; see pixelfed/pixelfed#6588. [#721]
@fedify/lint
outbox-listener-delivery-required rule. It warns when an outbox listener registered through setOutboxListeners() returns without an explicit delivery call, which would otherwise leave a posted client activity unfederated. [#430, #688]
@fedify/testing
createOutboxContext() plus postOutboxActivity() and mock setOutboxListeners() support so outbox listeners using either sendActivity() or forwardActivity() can be tested without spinning up a live federation server. [#430, #688]
@fedify/vocab-runtime
DocumentLoaderFactoryOptions.maxRedirection to configure the maximum number of redirects followed by getDocumentLoader().
@fedify/vocab
Added Tombstone.formerType plus generated entity type helpers for deleted vocabulary objects. Applications can now construct tombstones with Fedify entity classes such as Person, and @fedify/vocab now exports $EntityType, isEntityType(), and getEntityTypeById() for working with those references. Unknown remote formerType values are ignored with a warning instead of making the whole tombstone fail to parse. [#645, #681]
Added FEP-044f vocabulary support for Mastodon-style quote posts.
[#452, #679]
QuoteRequest and QuoteAuthorization classes.
canQuote to InteractionPolicy.
quote and quoteAuthorization properties to Article, ChatMessage, Note, and Question.
Added vocabulary types for FEP-0837, economic resource coordination in federated networks. [#578 by Samuel Brinkmann]
Proposal class for publishing offers or requests.
Intent class for describing economic transactions within a proposal, with action, resourceConformsTo, resourceQuantity, availableQuantity, and minimumQuantity properties.
Measure class for representing quantities with units of measure, with unit and numericalValue properties.
@fedify/vocab-tools
fedify:vocabEntityType pseudo-scalar to the vocabulary generator. Vocabulary properties can now accept generated Fedify entity constructors instead of arbitrary IRIs when the schema wants a reference to a known vocabulary type. Generated code now also emits the supporting $EntityType, isEntityType(), and getEntityTypeById() helpers for working with those references. [#645, #681]
@fedify/cli
Made fedify lookup --recurse honor -p/--allow-private-address for recursively discovered object URLs, matching the policy already used by -t/--traverse. Recursive lookups still reject private or localhost targets by default unless users explicitly opt in. [#700, #718]
Added FEP-044f quote support to fedify lookup --recurse, so the CLI can follow both the new quote-post relation and the older quoteUrl compatibility surface. [#452, #679]
@fedify/solidstart
@fedify/solidstart package for integrating Fedify with SolidStart. It provides fedifyMiddleware() for request handling with SolidStart's middleware system. [#476, #601 by Hyeonseo Kim and #652 by ChanHaeng Lee]
@fedify/nuxt
@fedify/nuxt package for integrating Fedify with Nuxt. It provides a Nuxt module that delegates non-federation requests to Nuxt, supports shared-route content negotiation, and returns deferred 406 Not Acceptable when Fedify routes are requested without ActivityPub-compatible Accept headers and Nuxt has no matching page. [#149, #674 by ChanHaeng Lee]
@fedify/init
Added a --allow-non-empty option to fedify init for automated scaffolding in directories that already contain unrelated files. The command still fails before making changes if any file that Fedify would generate already exists, avoiding accidental merges or appends. [#716, #717]
Fixed fedify init so that a directory containing only a freshly initialized Git repository is treated as empty. Directories whose Git HEAD already resolves to a commit, whose Git metadata contains loose or packed refs, stored objects, an index, or reflogs, or that contain any files besides .git, still require the existing non-empty-directory confirmation. [#716, #717]
Fixed generated biome.json files to use Biome 2 configuration syntax, matching the @biomejs/biome version that fedify init installs. Generated projects now enable import organization through Biome's assist.actions.source.organizeImports setting instead of the removed top-level organizeImports option. [#716, #717]
Fixed errors when using fedify init with certain web framework integration packages (Astro, ElysiaJS, Nitro) alongside @fedify/mysql. Environment variables are now properly loaded at runtime, resolving the TypeError: Cannot read properties of undefined from mysql2. [#649, #656 by ChanHaeng Lee]
Supported Nuxt as a web framework option in fedify init, with templates for federation setup, logging, and Nitro middleware. [#149, #675 by ChanHaeng Lee]
Docs
Added a per-page Markdown action to the docs site so readers can open or copy the LLM-friendly Markdown for the current page without guessing the generated *.md path or starting from llms.txt. The action is now available directly from each documentation page while llms.txt and llms-full.txt continue to exclude high-noise pages such as the changelog, contribution guide, README.md, and sponsors page. [#706, #715]
Added Building a federated blog tutorial showing how to layer ActivityPub federation onto an Astro + Bun blog: actor setup, follower management, SQLite persistence, sending Create/Update/Delete(Article) activities on server startup, and receiving Create/Update/Delete(Note) inbox activities as comments. [#691, #695]
Added a new tutorial, Building a threadiverse community platform, that walks through building a Lemmy-style community server with Fedify and Next.js. Where the existing Creating your own federated microblog tutorial is actor- and timeline-centric, this one is community-centric: it models communities as Group actors, threads as Page objects wrapped in Create, replies as Note objects, and the community-side Announce redistribution that threadiverse software (Lemmy, Mbin, NodeBB) uses to fan activity out to every subscriber. [#704, #710]
Added Creating an image sharing service tutorial, a Pixelfed-style image-sharing companion to the microblog walk-through. Built on Nuxt 4 and the new @fedify/nuxt integration, the tutorial covers actor dispatchers, key pairs, follow/unfollow flows, image-bearing Create(Note) fan-out and reception, an outbound Like/Undo(Like) heart toggle, and threaded comments through inReplyTo. The companion example repository keeps one commit per chapter at the bottom of its log, with a few rehearsal-driven follow-ups landed on top, and the federation flows are demonstrated against both Mastodon and Pixelfed. [#693]
Added a custom collections cookbook example for bookmark-like data, demonstrating cursor pagination, URI-template filtering, collection counters, actor stream links, and requester-aware collections using ctx.getSignedKeyOwner(). [#694, #722]
v2.1.12
Released on May 10, 2026.
@fedify/vocab-runtime
validatePublicUrl() allowing private IPv4 addresses encoded as IPv4-mapped IPv6 URL literals, such as http://[::ffff:7f00:1]/, which could bypass private network protections in remote document loading.
v2.1.11
Released on April 27, 2026.
@fedify/init
logging.ts files are loaded during server startup before Fedify handles requests. Nitro projects now get a server plugin that imports the LogTape configuration, Next.js projects get an instrumentation.ts register() hook that imports it in the Node.js runtime, and Astro projects import it in src/middleware.ts. [#725, #727]
v2.1.10
Released on April 23, 2026.
@fedify/vocab-runtime
Lemmy serves this context as application/json without a JSON-LD context Link header, which caused the default document loader to reject Lemmy-originated activities before application handlers could run. [#714]
v2.1.9
Released on April 22, 2026.
@fedify/mysql
MysqlKvStore and MysqlMessageQueue that could reject valid mysql2 pools when an application resolved mysql2 through multiple type sources or different package versions. The constructors now accept the structural pool shape they actually use, so mixed Deno/npm setups and monorepos no longer need casts or @ts-expect-error workarounds.
v2.1.8
Released on April 22, 2026.
@fedify/init
fedify init -w astro -p bun generating package.json scripts that invoked Astro through Node.js. Bun + Astro projects now use bunx --bun astro dev and bunx --bun astro build, so the generated development workflow runs on systems that only have Bun installed.
@fedify/next
@fedify/next's supported Next.js peer dependency range to >=15.4.6 <17, so installing it into a fresh create-next-app 16.x project no longer fails with an ERESOLVE peer dependency conflict. This restores the default fedify init -w next flow against the current Next.js stable release and updates the integration example to track Next.js 16. [#713]
v2.1.7
Released on April 21, 2026.
@fedify/init
fedify init generating Astro projects for Bun with the Node.js adapter and astro preview, which could fail to run correctly on Bun. Astro + Bun projects now use @nurodev/astro-bun and run the built Bun server entry point instead. [#707]
v2.1.6
Released on April 20, 2026.
@fedify/astro
@fedify/astro by making the build emit dist/*.js and dist/*.d.ts files that match the published package metadata again. This fixes package resolution failures caused by package.json exporting files that did not exist in the npm tarball. [#699, #701]
@fedify/cli
fedify lookup failing to look up URLs on private or localhost addresses unless -p/--allow-private-address was passed, which was a regression introduced in Fedify 2.1.0 when the CLI began forwarding the allowPrivateAddress option to the underlying document loader. URLs explicitly provided on the command line now always allow private addresses, while URLs discovered during -t/--traverse honor the option to mitigate SSRF attacks against private addresses. Recursive fetches via --recurse continue to always disallow private addresses regardless of the option. [#696, #698 by Chanhaeng Lee]
v2.1.5
Released on April 8, 2026.
@fedify/fedify
Fixed Context.getActorKeyPairs() assigning the same key ID to both the CryptographicKey (used for HTTP Signatures and Linked Data Signatures) and the Multikey (used for Object Integrity Proofs) within an ActorKeyPair. The Multikey now receives a distinct ID (#multikey-1, #multikey-2, …) so that the actor document no longer contains two objects sharing the same id, which was invalid JSON-LD. Object Integrity Proof signatures now reference the correct Multikey ID instead of the CryptographicKey ID. [#663]
Object Integrity Proofs signing now takes place before activity fanout, so all recipients receive the same pre-signed activity. Previously, OIP signing was deferred until after fanout, meaning each fanout worker would re-sign independently with potentially different timestamps and the fanout message itself contained an unsigned activity.
@fedify/cfworkers
pass wrangler types or @cloudflare/vite-plugin generated KV bindings to WorkersKvStore. The package now accepts a minimal structural KV binding interface for WorkersKvStore and WorkersMessageQueue's orderingKv option instead of requiring the nominal KVNamespace type imported from @cloudflare/workers-types, so generated local declarations compile without casts or @ts-expect-error. [#665]
v2.1.4
Released on April 7, 2026.
@fedify/fedify
sendActivity() not awaiting fanoutQueue.enqueue() in the fanout path, which could cause fanout messages to be silently dropped on runtimes like Cloudflare Workers that may terminate an isolate as soon as the response is sent. [#661]
@fedify/cfworkers
wrangler types-generated binding types (e.g. KVNamespace, Queue) to WorkersKvStore and WorkersMessageQueue constructors. The package previously imported these types from @cloudflare/workers-types/experimental, which includes extra members (such as KVNamespace.deleteBulk()) absent from types generated by wrangler types, causing TypeScript assignment errors at the call site. The import now uses the stable @cloudflare/workers-types entrypoint, whose definitions match what wrangler types generates. [#662]
v2.1.3
Released on March 31, 2026.
@fedify/init
@fedify/init after the tsdown upgrade started publishing dist/*.mjs files while the package metadata still exported dist/*.js and dist/*.d.ts. Node consumers such as @fedify/cli can start again, including npx -y @fedify/cli --help. [#655]
@fedify/create
@fedify/create so the published bin and exports paths once again point to generated dist/mod.js output instead of missing dist/mod.js files. This prevents the same packaging regression from breaking npm init @fedify. [#655]
v2.1.2
Released on March 29, 2026.
@fedify/fedify
@fedify/fedify/vocab missing the Object export from the entry point. Older tsdown output generated an invalid CommonJS re-export, causing require("@fedify/fedify/vocab").Object to be undefined. Updated the bundler toolchain and added a regression test for the built CommonJS entry point. [#651]
v2.1.1
Released on May 10, 2026.
@fedify/vocab-runtime
validatePublicUrl() allowing private IPv4 addresses encoded as IPv4-mapped IPv6 URL literals, such as http://[::ffff:7f00:1]/, which could bypass private network protections in remote document loading.
v2.1.0
Released on March 24, 2026.
@fedify/fedify
Added InboxListenerSetters.onUnverifiedActivity() so applications can inspect inbound activities whose signatures could not be verified and optionally return a custom response instead of the default 401 Unauthorized. This is useful for cases like Delete deliveries from actors whose signing keys now return 404 Not Found or 410 Gone. Added the supporting public types UnverifiedActivityHandler and UnverifiedActivityReason. [#472, #611]
Added verifyRequestDetailed() plus the public types VerifyRequestDetailedResult, VerifyRequestFailureReason, and FetchKeyErrorResult so applications can distinguish unsigned requests, invalid signatures, and key-fetch failures during HTTP signature verification. [#611]
OpenTelemetry spans/events and FedifySpanExporter signature details now expose HTTP signature failure reasons and key-fetch failure details for inbound activities. [#611]
Fixed RequestContext.getSignedKeyOwner() to return null instead of throwing an error when the remote server requires authorized fetch and returns 401 Unauthorized for the key owner lookup. Previously, this caused a 500 Internal Server Error when interoperating with servers like GoToSocial that have authorized fetch enabled. [#473, #589]
Added RFC 9421 §5 Accept-Signature negotiation for both outbound and inbound paths. On the outbound side, doubleKnock() now parses Accept-Signature challenges from 401 responses and retries with a compatible RFC 9421 signature before falling back to legacy spec-swap. On the inbound side, a new InboxChallengePolicy option in FederationOptions enables emitting Accept-Signature headers on inbox 401 responses, with optional one-time nonce support for replay protection. [#583, #584, #626 by ChanHaeng Lee]
@fedify/vocab-runtime
Added Decimal, a branded string type for exact xsd:decimal values, along with isDecimal(), canParseDecimal(), and parseDecimal() for checking and validating XML Schema decimal lexical forms without introducing a decimal arithmetic dependency. isDecimal() performs a strict lexical-form check, while canParseDecimal() and parseDecimal() apply XML Schema whitespace normalization first. This lays the runtime groundwork for precision-safe marketplace and measurement values such as those needed by [FEP-0837]. [#617, #640]
Updated the preloaded https://gotosocial.org/ns JSON-LD context to match the current GoToSocial v0.21+ namespace, adding new type terms (LikeRequest, LikeAuthorization, etc.) and property terms (automaticApproval, manualApproval, interactingObject, etc.) while retaining deprecated terms (always, approvalRequired) for backward compatibility. [#453, #622]
Added optional FetchError.response so callers can inspect the original failed HTTP response when remote document or key fetches return an HTTP error (such as 404 Not Found or 410 Gone). This enables higher-level APIs to distinguish transport failures from specific HTTP fetch failures. [#611]
@fedify/cli
Added --reverse option to fedify lookup to reverse presentation order of emitted results. It now works across default multi-input lookup, --traverse collection traversal output, and --recurse object chains, while preserving existing fetch/error semantics. [#607, #609]
Fixed fedify lookup printing separators with extra quotes between adjacent objects/items in some output paths (e.g., recurse/traverse flows). Separators are now printed as plain text consistently. [#608]
Added --recurse and --recurse-depth options to fedify lookup for recursively following object relationships (e.g., reply chains via replyTarget/inReplyTo, and quote chains via quoteUrl and quote IRIs). --traverse and --recurse are now mutually exclusive, --recurse-depth depends on --recurse, and --suppress-errors now works in recurse mode as best-effort lookup. [#606, #608]
Hardened fedify lookup by disallowing private/localhost document loads by default. For local-development workflows, -p/--allow-private-address (or lookup.allowPrivateAddress = true in config) can re-enable private address access for explicit lookup/traverse requests. This option does not apply to recursive fetches, which always disallow private addresses. [#608]
@fedify/vocab
Added GoToSocial interaction controls vocabulary for expressing who
can like, reply to, or announce posts and for approving interactions.
[#453, #622]
InteractionPolicy and InteractionRule typeless value classes.
LikeRequest, ReplyRequest, and AnnounceRequest activity types for requesting interaction approval.
LikeAuthorization, ReplyAuthorization, and AnnounceAuthorization types for proving approved interactions.
Object.interactionPolicy, Object.approvedBy, Object.getLikeAuthorization()/Object.likeAuthorizationId, Object.getReplyAuthorization()/Object.replyAuthorizationId, and Object.getAnnounceAuthorization()/Object.announceAuthorizationId.
Fixed Endpoints.toJsonLd() to no longer emit invalid "type": "as:Endpoints" in the serialized JSON-LD. The as:Endpoints type does not exist in the ActivityStreams vocabulary, and its presence caused validation failures on implementations like browser.pub. [#576]
Fixed Source.toJsonLd() to no longer emit invalid "type": "as:Source" in the serialized JSON-LD. The as:Source type does not exist in the ActivityStreams vocabulary either.
@fedify/vocab-tools
Added xsd:decimal support to the vocabulary code generator. Properties with that range are now generated as Decimal in TypeScript, serialized as xsd:decimal JSON-LD literals, validated through canParseDecimal() when checking input data, and normalized through parseDecimal() when decoded. Code generation now also rejects property ranges that mix xsd:string and xsd:decimal, since both map to runtime strings and would make serialization ambiguous. [#617, #640]
Added typeless field to the type YAML schema. When set to true, the generated toJsonLd() method does not emit @type (or type in compact form) in the serialized JSON-LD. This is useful for types that are not real vocabulary types but rather anonymous object structures.
@fedify/init
Changed fedify init to add "temporal" to deno.json's "unstable" field only when the installed Deno version is earlier than 2.7.0. On Deno 2.7.0 or later, it is no longer added. fedify init now omits the "unstable" field entirely when no unstable feature is required for the generated Deno project.
Supported [Astro] as a web framework option in fedify init, with runtime-specific templates for Deno, Bun, and Node.js environments. [#50 by ChanHaeng Lee]
@fedify/astro
@fedify/astro package for integrating Fedify with [Astro]. It provides fedifyIntegration() for Vite SSR configuration and fedifyMiddleware() for request handling. [#50 by Chanhaeng Lee]
@fedify/mysql
Added MysqlMessageQueue class to the @fedify/mysql package, a MySQL/MariaDB-backed MessageQueue implementation. It uses periodic polling (SELECT … FOR UPDATE SKIP LOCKED) to deliver messages and MySQL advisory locks (GET_LOCK/RELEASE_LOCK) for ordering-key serialization. Supports delayed delivery, ordering keys, enqueueMany(), and concurrent workers. Requires MySQL 8.0+ or MariaDB 10.6+. [#586, #599]
Added @fedify/mysql package, a MySQL/MariaDB-backed KvStore implementation. It provides MysqlKvStore, which stores key–value pairs in a MySQL table using the mysql2 driver. Supports TTL, prefix listing, and compare-and-swap (cas()) operations. [#585, #597]
v2.0.16
Released on May 10, 2026.
@fedify/vocab-runtime
validatePublicUrl() allowing private IPv4 addresses encoded as IPv4-mapped IPv6 URL literals, such as http://[::ffff:7f00:1]/, which could bypass private network protections in remote document loading.
v2.0.15
Released on April 27, 2026.
@fedify/init
logging.ts files are loaded during server startup. Nitro projects now get a server plugin that imports the LogTape configuration, and Next.js projects get an instrumentation.ts register() hook that imports it in the Node.js runtime before Fedify handles requests. [#725, #727]
v2.0.14
Released on April 23, 2026.
@fedify/vocab-runtime
Lemmy serves this context as application/json without a JSON-LD context Link header, which caused the default document loader to reject Lemmy-originated activities before application handlers could run. [#714]
v2.0.13
Released on April 22, 2026.
@fedify/next
@fedify/next's supported Next.js peer dependency range to >=15.4.6 <17, so installing it into a fresh create-next-app 16.x project no longer fails with an ERESOLVE peer dependency conflict. This restores the default fedify init -w next flow against the current Next.js stable release and updates the integration example to track Next.js 16. [#713]
v2.0.12
Released on April 8, 2026.
@fedify/fedify
Fixed Context.getActorKeyPairs() assigning the same key ID to both the CryptographicKey (used for HTTP Signatures and Linked Data Signatures) and the Multikey (used for Object Integrity Proofs) within an ActorKeyPair. The Multikey now receives a distinct ID (#multikey-1, #multikey-2, …) so that the actor document no longer contains two objects sharing the same id, which was invalid JSON-LD. Object Integrity Proof signatures now reference the correct Multikey ID instead of the CryptographicKey ID. [#663]
Object Integrity Proofs signing now takes place before activity fanout, so all recipients receive the same pre-signed activity. Previously, OIP signing was deferred until after fanout, meaning each fanout worker would re-sign independently with potentially different timestamps and the fanout message itself contained an unsigned activity.
@fedify/cfworkers
pass wrangler types or @cloudflare/vite-plugin generated KV bindings to WorkersKvStore. The package now accepts a minimal structural KV binding interface for WorkersKvStore and WorkersMessageQueue's orderingKv option instead of requiring the nominal KVNamespace type imported from @cloudflare/workers-types, so generated local declarations compile without casts or @ts-expect-error. [#665]
v2.0.11
Released on April 7, 2026.
@fedify/fedify
sendActivity() not awaiting fanoutQueue.enqueue() in the fanout path, which could cause fanout messages to be silently dropped on runtimes like Cloudflare Workers that may terminate an isolate as soon as the response is sent. [#661]
@fedify/cfworkers
wrangler types-generated binding types (e.g. KVNamespace, Queue) to WorkersKvStore and WorkersMessageQueue constructors. The package previously imported these types from @cloudflare/workers-types/experimental, which includes extra members (such as KVNamespace.deleteBulk()) absent from types generated by wrangler types, causing TypeScript assignment errors at the call site. The import now uses the stable @cloudflare/workers-types entrypoint, whose definitions match what wrangler types generates. [#662]
v2.0.10
Released on March 31, 2026.
@fedify/lint
@fedify/lint so the package exports and type declarations point to the actual files generated by tsdown. This restores imports such as import fedifyLint from "@fedify/lint" in documentation examples and other TypeScript consumers.
@fedify/init
@fedify/init after the tsdown upgrade started publishing dist/*.mjs files while the package metadata still exported dist/*.js and dist/*.d.ts. Node consumers such as @fedify/cli can start again, including npx -y @fedify/cli --help. [#655]
@fedify/create
@fedify/create so the published bin and exports paths once again point to generated dist/mod.js output instead of missing dist/mod.js files. This prevents the same packaging regression from breaking npm init @fedify. [#655]
v2.0.9
Released on March 29, 2026.
@fedify/fedify
@fedify/fedify/vocab missing the Object export from the entry point. Older tsdown output generated an invalid CommonJS re-export, causing require("@fedify/fedify/vocab").Object to be undefined. Updated the bundler toolchain and added a regression test for the built CommonJS entry point. [#651]
v2.0.8
Released on March 27, 2026.
@fedify/fedify
Limited the number of HTTP redirects followed by the remote document loaders and signed HTTP fetches to mitigate resource exhaustion during remote key and document resolution. [CVE-2026-34148 by Abhinav Jaswal]
Stopped the remote document loaders and signed HTTP fetches from revisiting the same URL within a redirect chain, preventing self-referential redirect loops. [CVE-2026-34148 by Abhinav Jaswal]
Persisted negative public key cache entries for failed remote key fetches, reducing repeated retries against the same unavailable key across requests. [CVE-2026-34148 by Abhinav Jaswal]
v2.0.7
Released on March 22, 2026.
@fedify/fedify
@fedify/vocab-runtime/jsonld subpath so generated vocabulary code and Linked Data signature support no longer have to evaluate jsonld through a CommonJS-sensitive package root in Fresh 2, Deno, and other ESM-first runtimes. Fresh 2 development mode has been verified on Deno 2.7.7 after an upstream Deno 2.7.6 dev server regression was fixed. [#621, #639]
@fedify/vocab-runtime
Fixed multibase public key handling to stop relying on the deprecated CommonJS-only multicodec package. This removes the Vite SSR crash that prevented Fresh 2 applications from importing @fedify/fedify with TypeError: varint.encode is not a function. Fresh 2 no longer needs a Vite externalization workaround for Fedify. [#621, #639]
Added the new @fedify/vocab-runtime/jsonld subpath export so generated vocabulary code and other Fedify runtime code can share a JSR-safe wrapper around jsonld's ESM entrypoint instead of depending on fragile relative shims or the package-root import path. [#621, #639]
@fedify/init
fedify init options. [#632, #638 by ChanHaeng Lee]
bare-bones option for web framework.
in-memory option for key-value store.
in-process option for message queue.
v2.0.6
Released on March 19, 2026.
@fedify/init
fedify init crashing when @fedify/cli or @fedify/init is executed through the JSR/Deno distribution. import.meta.dirname is undefined for remote JSR modules, so the template loading and repository-relative path logic has been made safe for published JSR execution. [#624, #633]
@fedify/vocab-runtime
This URL has never served a real JSON-LD context document (Mastodon has always inlined the term definitions), but some ActivityPub implementations put it as a bare URL in their @context, causing JSON-LD processors to fail with a 404. [#630, #631]
v2.0.5
Released on March 11, 2026.
@fedify/fedify
contexts.
v2.0.4
Released on March 11, 2026.
@fedify/fastify
onNotAcceptable handler in @fedify/fastify to create a fresh Response for each request instead of reusing a shared singleton instance. [#612 by Lee Dogeon]
v2.0.3
Released on March 3, 2026.
@fedify/postgres
Fixed PostgresMessageQueue.listen() crashing the process when a malformed NOTIFY payload is received. Temporal.Duration.from() was called without error handling, so an invalid duration string caused an unhandled RangeError that propagated through the postgres driver. The NOTIFY callback is now wrapped in a try–catch that logs the error and falls back to an immediate poll. [#594]
Fixed PostgresMessageQueue.listen() permanently stalling all message processing when a message handler hangs indefinitely (e.g., due to an unresponsive remote server). The serializedPoll mechanism chains every poll() invocation onto a single promise, so a single hung handler blocked the entire queue permanently. Handler invocations are now wrapped with a configurable timeout (default: 60 seconds) via the new handlerTimeout option in PostgresMessageQueueOptions. When a handler exceeds the timeout, it is treated as an error and the poll loop moves on, preventing permanent stalls. [#595]
v2.0.2
Released on February 27, 2026.
@fedify/fedify
signedKey and signedKeyOwner) from AuthorizePredicate and ObjectAuthorizePredicate. These parameters were deprecated since Fedify 1.5.0 in favor of RequestContext.getSignedKey() and RequestContext.getSignedKeyOwner() methods, but were mistakenly left in the Fedify 2.0.0 release. The internal handler code that eagerly called getSignedKey() and getSignedKeyOwner() before invoking the predicate has also been removed; predicates should now call those methods themselves when needed. [#473, #590]
v2.0.1
Released on May 10, 2026.
@fedify/vocab-runtime
validatePublicUrl() allowing private IPv4 addresses encoded as IPv4-mapped IPv6 URL literals, such as http://[::ffff:7f00:1]/, which could bypass private network protections in remote document loading.
v2.0.0
Released on February 22, 2026.
@fedify/fedify
Remove contextLoader option (which was deprecated) from FederationOptions interface in favor of contextLoaderFactory option for better flexibility. [#376, #445 by Hasang Cho]
Migrated from @phensley/language-tag package and its LanguageTag cla
Configuration
📅 Schedule: (UTC)
* 7-16 * * 1,2,3,4)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Never, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.
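
The validatePublicUrl() entries in the release notes above describe a private IPv4 address hidden inside an IPv4-mapped IPv6 URL literal. The JavaScript below is an added example, not Fedify's code and not part of this PR: it shows why a check that only inspects dotted-quad hosts misses http://[::ffff:7f00:1]/ and how unwrapping ::ffff:0:0/96 before the range test catches it. The names classifyUrlHost and naiveClassify and the range list are hypothetical, and the range list is an illustrative subset.

```javascript
// Added example; not Fedify's implementation. All names here are hypothetical.

// Illustrative subset of non-public IPv4 ranges as [network, prefix length].
const PRIVATE_V4 = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];

// Dotted quad -> unsigned 32-bit number, or null if the text is not one.
function v4ToInt(text) {
  const parts = text.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function isPrivateV4(n) {
  return PRIVATE_V4.some(([net, bits]) => {
    const base = v4ToInt(net);
    return n >= base && n < base + 2 ** (32 - bits);
  });
}

// IPv6 text (without brackets) -> eight 16-bit groups, or null if malformed.
function parseV6(text) {
  let s = text;
  const lastColon = s.lastIndexOf(":");
  const tail = s.slice(lastColon + 1);
  if (tail.includes(".")) {
    // Trailing dotted quad (e.g. ::ffff:127.0.0.1) becomes two hex groups.
    const v4 = v4ToInt(tail);
    if (v4 === null) return null;
    s = s.slice(0, lastColon + 1) +
      Math.floor(v4 / 65536).toString(16) + ":" + (v4 % 65536).toString(16);
  }
  const halves = s.split("::");
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(":") : [];
  const rest = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const missing = 8 - head.length - rest.length;
  if (halves.length === 1 ? missing !== 0 : missing < 1) return null;
  const fill = Array(halves.length === 2 ? missing : 0).fill("0");
  const groups = [...head, ...fill, ...rest];
  if (!groups.every((g) => /^[0-9a-f]{1,4}$/i.test(g))) return null;
  return groups.map((g) => parseInt(g, 16));
}

function isPrivateV6(groups) {
  const [a, b, c, d, e, f, g, h] = groups;
  const topZero = a === 0 && b === 0 && c === 0 && d === 0 && e === 0;
  // IPv4-mapped (::ffff:0:0/96): judge the embedded IPv4 address instead.
  if (topZero && f === 0xffff) return isPrivateV4(g * 65536 + h);
  if (topZero && f === 0 && g === 0 && h <= 1) return true; // :: and ::1
  if ((a & 0xfe00) === 0xfc00) return true; // fc00::/7 unique local
  if ((a & 0xffc0) === 0xfe80) return true; // fe80::/10 link-local
  return false;
}

// Returns "private", "public", "name" (needs a check on the resolved
// address, which this example does not do) or "unsupported".
function classifyUrlHost(input) {
  const url = new URL(input);
  if (url.protocol !== "http:" && url.protocol !== "https:") return "unsupported";
  const host = url.hostname; // WHATWG URL keeps the brackets on IPv6 literals
  if (host.startsWith("[") && host.endsWith("]")) {
    const groups = parseV6(host.slice(1, -1));
    return groups === null || isPrivateV6(groups) ? "private" : "public";
  }
  const v4 = v4ToInt(host);
  if (v4 !== null) return isPrivateV4(v4) ? "private" : "public";
  if (host === "localhost" || host.endsWith(".localhost")) return "private";
  return "name";
}

// The weak form: only dotted-quad hosts and [::1] are examined, so a mapped
// literal such as [::ffff:7f00:1] is reported as public.
function naiveClassify(input) {
  const host = new URL(input).hostname;
  const v4 = v4ToInt(host);
  if (v4 !== null) return isPrivateV4(v4) ? "private" : "public";
  if (host === "[::1]") return "private";
  return host.startsWith("[") ? "public" : "name";
}
```

The URL parser rewrites http://[::ffff:127.0.0.1]/ to the hex form [::ffff:7f00:1] before any check runs, so a filter has to work on the parsed address bytes and not on the text pattern.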