Skip to content

Fedify changelog

Version 1.5.2

Released on May 11, 2025.

  • Fixed the fedify init command to install the correct version of @fedify/express package. [#230, #231 by Emelia Smith]

  • The exportJwk() function now populates the alg property of a returned JsonWebKey object with "Ed25519" if the input key is an Ed25519 key.

Version 1.5.1

Released on April 8, 2025.

  • Activity Vocabulary API became to accept RFC 3339 date-time strings without a timezone offset. This is not a bug fix, but improves interoperability with some implementations that do not include a timezone offset in their date-time strings including WordPress. [#226]

  • Added the following default context to Undo class:

    json
    {
      "litepub": "http://litepub.social/ns#",
      "toot": "http://joinmastodon.org/ns#",
      "EmojiReact": "litepub:EmojiReact",
      "Emoji": "toot:Emoji"
    }

Version 1.5.0

Released on March 28, 2025.

  • Improved activity delivery performance with large audiences through a two-stage queuing system. Sending activities to many recipients (e.g., accounts with many followers) is now significantly faster and uses less memory. [#220]

  • A Federation object now can have a canonical origin for web URLs and a canonical host for fediverse handles. This affects the URLs constructed by Context objects, and the WebFinger responses.

  • Followers collection synchronization (FEP-8fcf) is now turned off by default.

    • Added SendActivityOptionsForCollection interface.
    • The type of Context.sendActivity({ identifier: string } | { username: string } | { handle: string }, "followers", Activity) overload's fourth parameter became SendActivityOptionsForCollection | undefined (was SendActivityOptions | undefined).
  • Fedify now accepts PEM-PKCS#1 besides PEM-SPKI for RSA public keys. [#209]

  • The fetchKey() function became to choose the public key of the actor if keyId has no fragment and the actor has only one public key. [#211]

  • Added an optional parameter with GetSignedKeyOptions type to the RequestContext.getSignedKey() method.

  • Added GetSignedKeyOptions interface.

  • Added an optional parameter with GetKeyOwnerOptions type to the RequestContext.getSignedKeyOwner() method.

  • Deprecated the parameters of the AuthorizePredicate and ObjectAuthorizePredicate types to get the signed key and its owner in favor of the RequestContext.getSignedKey() and RequestContext.getSignedKeyOwner() methods.

  • Added an optional method enqueueMany() to MessageQueue interface for sending multiple activities at once.

  • Updated @js-temporal/polyfill to 0.5.0 for Node.js and Bun. On Deno, there is no change because the polyfill is not used.

  • Updated uri-template-router to 0.0.17 which fixes bundler errors on Rollup. [#221]

  • Improved error handling and logging for document loader when KV store operations fail. [#223 by Revath S Kumar]

  • Fixed a bug of the fedify inbox command where it had failed to render the web interface when the fedify command was installed using deno install command from JSR.

  • The web interface of the fedify inbox command was slightly redesigned:

    • The Fedify logo with the cute dinosaur is now displayed at the top of the page.
    • You can easily copy the fediverse handle of the ephemeral actor.
  • Internalized the multibase package, which is obsolete and no longer maintained. [#127, #215 by Fróði Karlsson]

  • Added more log messages using the LogTape library. Currently the below logger categories are used:

    • ["fedify", "federation", "fanout"]
    • ["fedify", "federation", "object"]

Version 1.4.10

Released on April 8, 2025.

  • Activity Vocabulary API became to accept RFC 3339 date-time strings without a timezone offset. This is not a bug fix, but improves interoperability with some implementations that do not include a timezone offset in their date-time strings including WordPress. [#226]

  • Added the following default context to Undo class:

    json
    {
      "litepub": "http://litepub.social/ns#",
      "toot": "http://joinmastodon.org/ns#",
      "EmojiReact": "litepub:EmojiReact",
      "Emoji": "toot:Emoji"
    }

Version 1.4.9

Released on March 26, 2025.

  • Fixed a TypeError thrown by the followers collection dispatcher when the base-url parameter was provided.

  • Fixed a TypeError thrown by the signRequest() function on Node.js. [#222]

Version 1.4.8

Released on March 26, 2025.

  • Fixed a bug where the totalItems property of OrderedCollection objects returned by followers collection dispatcher had been an incorrect value if a base-url parameter was provided.

  • Fixed a bug where the id property of OrderedCollection and OrderedCollectionPage objects returned by followers collection dispatcher had been an incorrect value if a base-url parameter was provided.

Version 1.4.7

Released on March 20, 2025.

  • Fixed a bug of WebFinger handler where it had failed to match acct: URIs with a host having a port number. [#218, #219 by Revath S Kumar]

  • Fixed a server error thrown when an invalid URL was passed to the base-url parameter of the followers collection. [#217]

Version 1.4.6

Released on March 9, 2025.

  • Fedify no more depends on node:punycode module, which is deprecated in Node.js. Now it uses the built-in node:url module instead. [#212, #214 by Fróði Karlsson]

Version 1.4.5

Released on February 28, 2025.

  • Made fedify init to install @fedify/h3 0.1.2 which is compatible with Fedify 1.0.0 or later versions when --web-framework nitro option is provided. [#213]

  • Fixed a bug where fedify init had failed to initialize a project with the --runtime node --package-manager pnpm --web-framework nitro option. [#213]

Version 1.4.4

Released on February 25, 2025.

Version 1.4.3

Released on February 22, 2025.

Version 1.4.2

Released on February 19, 2025.

  • Fixed a bug where the fedify init command had failed to locate package managers on Windows. [#210]

  • The fedify command became aware of FEDIFY_LOG_FILE environment variable to log messages to a file. If the variable is set, the command logs messages to the file specified by the variable.

Version 1.4.1

Released on February 10, 2025.

  • Fixed a bug with nested object hydration in Activity Vocabulary API where deeply nested properties (like Object.getAttribution() on Activity.getObject()) were't being properly hydrated during toJsonLd() calls. Previously, subsequent calls to toJsonLd() on nested objects could result in inconsistent JSON-LD output where nested objects remained as URLs instead of being fully expanded.

Version 1.4.0

Released on February 5, 2025.

Version 1.3.17

Released on April 8, 2025.

  • Activity Vocabulary API became to accept RFC 3339 date-time strings without a timezone offset. This is not a bug fix, but improves interoperability with some implementations that do not include a timezone offset in their date-time strings including WordPress. [#226]

  • Added the following default context to Undo class:

    json
    {
      "litepub": "http://litepub.social/ns#",
      "toot": "http://joinmastodon.org/ns#",
      "EmojiReact": "litepub:EmojiReact",
      "Emoji": "toot:Emoji"
    }

Version 1.3.16

Released on March 26, 2025.

  • Fixed a TypeError thrown by the followers collection dispatcher when the base-url parameter was provided.

  • Fixed a TypeError thrown by the signRequest() function on Node.js. [#222]

Version 1.3.15

Released on March 26, 2025.

  • Fixed a bug where the totalItems property of OrderedCollection objects returned by followers collection dispatcher had been an incorrect value if a base-url parameter was provided.

  • Fixed a bug where the id property of OrderedCollection and OrderedCollectionPage objects returned by followers collection dispatcher had been an incorrect value if a base-url parameter was provided.

Version 1.3.14

Released on March 20, 2025.

  • Fixed a bug of WebFinger handler where it had failed to match acct: URIs with a host having a port number. [#218, #219 by Revath S Kumar]

  • Fixed a server error thrown when an invalid URL was passed to the base-url parameter of the followers collection. [#217]

Version 1.3.13

Released on March 9, 2025.

  • Fedify no more depends on node:punycode module, which is deprecated in Node.js. Now it uses the built-in node:url module instead. [#212, #214 by Fróði Karlsson]

Version 1.3.12

Released on February 28, 2025.

  • Made fedify init to install @fedify/h3 0.1.2 which is compatible with Fedify 1.0.0 or later versions when --web-framework nitro option is provided. [#213]

  • Fixed a bug where fedify init had failed to initialize a project with the --runtime node --package-manager pnpm --web-framework nitro option. [#213]

Version 1.3.11

Released on February 25, 2025.

Version 1.3.10

Released on February 22, 2025.

Version 1.3.9

Released on February 19, 2025.

  • Fixed a bug where the fedify init command had failed to locate package managers on Windows. [#210]

  • The fedify command became aware of FEDIFY_LOG_FILE environment variable to log messages to a file. If the variable is set, the command logs messages to the file specified by the variable.

Version 1.3.8

Released on February 10, 2025.

  • Fixed a bug with nested object hydration in Activity Vocabulary API where deeply nested properties (like Object.getAttribution() on Activity.getObject()) were't being properly hydrated during toJsonLd() calls. Previously, subsequent calls to toJsonLd() on nested objects could result in inconsistent JSON-LD output where nested objects remained as URLs instead of being fully expanded.

Version 1.3.7

Released on February 1, 2025.

  • Updated LogTape to version 0.8.1, which fixes a bug where lowestLevel option had incorrectly behaved.

Version 1.3.6

Released on January 31, 2025.

  • Fixed a bug where getUserAgent() function had returned a User-Agent string with a wrong JavaScript runtime name on Node.js. [#203]

Version 1.3.5

Released on January 21, 2025.

  • Fixed a bug where CreateFederationOptions.allowPrivateAddress option had been ignored by the Context.lookupObject() method when it had taken a fediverse handle.

  • The lookupWebFinger() function became to silently return null when it fails to fetch the WebFinger document due to accessing a private network address, instead of throwing a UrlError.

Version 1.3.4

Released on January 21, 2025.

  • Fixed several security vulnerabilities of the lookupWebFinger() function. [CVE-2025-23221]

    • Fixed a security vulnerability where the lookupWebFinger() function had followed the infinite number of redirects, which could lead to a denial of service attack. Now it follows up to 5 redirects.

    • Fixed a security vulnerability where the lookupWebFinger() function had followed the redirects to other than the HTTP/HTTPS schemes, which could lead to a security breach. Now it follows only the same scheme as the original request.

    • Fixed a security vulnerability where the lookupWebFinger() function had followed the redirects to the private network addresses, which could lead to a SSRF attack. Now it follows only the public network addresses.

Version 1.3.3

Released on December 30, 2024.

Version 1.3.2

Released on December 18, 2024.

  • Fixed the default document loader to handle the Link header with incorrect syntax. [#196]

Version 1.3.1

Released on December 11, 2024.

  • Fixed idempotence check in inbox listeners to ensure activities for different origins are processed correctly.

Version 1.3.0

Released on November 30, 2024.

Version 1.2.21

Released on April 8, 2025.

  • Activity Vocabulary API became to accept RFC 3339 date-time strings without a timezone offset. This is not a bug fix, but improves interoperability with some implementations that do not include a timezone offset in their date-time strings including WordPress. [#226]

  • Added the following default context to Undo class:

    json
    {
      "litepub": "http://litepub.social/ns#",
      "toot": "http://joinmastodon.org/ns#",
      "EmojiReact": "litepub:EmojiReact",
      "Emoji": "toot:Emoji"
    }

Version 1.2.20

Released on March 26, 2025.

  • Fixed a TypeError thrown by the followers collection dispatcher when the base-url parameter was provided.
  • Fixed a TypeError thrown by the signRequest() function on Node.js. [#222]

Version 1.2.19

Released on March 26, 2025.

  • Fixed a bug where the totalItems property of OrderedCollection objects returned by followers collection dispatcher had been an incorrect value if a base-url parameter was provided.

  • Fixed a bug where the id property of OrderedCollection and OrderedCollectionPage objects returned by followers collection dispatcher had been an incorrect value if a base-url parameter was provided.

Version 1.2.18

Released on March 20, 2025.

  • Fixed a bug of WebFinger handler where it had failed to match acct: URIs with a host having a port number. [#218, #219 by Revath S Kumar]

  • Fixed a server error thrown when an invalid URL was passed to the base-url parameter of the followers collection. [#217]

Version 1.2.17

Released on March 9, 2025.

  • Fedify no more depends on node:punycode module, which is deprecated in Node.js. Now it uses the built-in node:url module instead. [#212, #214 by Fróði Karlsson]

Version 1.2.16

Released on February 28, 2025.

  • Made fedify init to install @fedify/h3 0.1.2 which is compatible with Fedify 1.0.0 or later versions when --web-framework nitro option is provided. [#213]

  • Fixed a bug where fedify init had failed to initialize a project with the --runtime node --package-manager pnpm --web-framework nitro option. [#213]

  • Made fedify init to install @logtape/logtape 0.7.2 which is the version used in Fedify 1.2.x.

Version 1.2.15

Released on February 25, 2025.

Version 1.2.14

Released on February 22, 2025.

Version 1.2.13

Released on February 19, 2025.

  • Fixed a bug where the fedify init command had failed to locate package managers on Windows. [#210]

  • The fedify command became aware of FEDIFY_LOG_FILE environment variable to log messages to a file. If the variable is set, the command logs messages to the file specified by the variable.

Version 1.2.12

Released on February 10, 2025.

  • Fixed a bug with nested object hydration in Activity Vocabulary API where deeply nested properties (like Object.getAttribution() on Activity.getObject()) were't being properly hydrated during toJsonLd() calls. Previously, subsequent calls to toJsonLd() on nested objects could result in inconsistent JSON-LD output where nested objects remained as URLs instead of being fully expanded.

Version 1.2.11

Released on January 21, 2025.

  • Fixed several security vulnerabilities of the lookupWebFinger() function. [CVE-2025-23221]

    • Fixed a security vulnerability where the lookupWebFinger() function had followed the infinite number of redirects, which could lead to a denial of service attack. Now it follows up to 5 redirects.

    • Fixed a security vulnerability where the lookupWebFinger() function had followed the redirects to other than the HTTP/HTTPS schemes, which could lead to a security breach. Now it follows only the same scheme as the original request.

    • Fixed a security vulnerability where the lookupWebFinger() function had followed the redirects to the private network addresses, which could lead to a SSRF attack. Now it follows only the public network addresses.

Version 1.2.10

Released on December 18, 2024.

  • Fixed the default document loader to handle the Link header with incorrect syntax. [#196]

Version 1.2.9

Released on December 11, 2024.

  • Fixed idempotence check in inbox listeners to ensure activities for different origins are processed correctly.

Version 1.2.8

Released on November 23, 2024.

  • Fixed warnings from the fedify inbox command. [#177, #181 by WinterHana]
  • Fixed ShikiError on the fedify inbox command rendering web interface. [#178, #185 by Heesun Jung]
  • Fixed text overflow of the fedify inbox command's web log view. [#180, #188 by Lim Kyunghee]

Version 1.2.7

Released on November 22, 2024.

  • Fixed a bug where lookupWebFinger() function had thrown a TypeError when the .well-known/webfinger redirects to a relative URI. [#166]

Version 1.2.6

Released on November 19, 2024.

  • Fix a bug where Actor's inbox and outbox properties had not been able to be set to an OrderedCollectionPage object, even though it is a subtype of OrderedCollection according to Activity Vocabulary specification. [#165]

    • The type of Application() constructor's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The type of Application.clone() method's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The return type of Application.getInbox() and Application.getOutbox() methods is now OrderedCollection | OrderedCollectionPage | null (was OrderedCollection | null).
    • The type of Group() constructor's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The type of Group.clone() method's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The return type of Group.getInbox() and Group.getOutbox() methods is now OrderedCollection | OrderedCollectionPage | null (was OrderedCollection | null).
    • The type of Organization() constructor's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The type of Organization.clone() method's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The return type of Organization.getInbox() and Organization.getOutbox() methods is now OrderedCollection | OrderedCollectionPage | null (was OrderedCollection | null).
    • The type of Person() constructor's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The type of Person.clone() method's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The return type of Person.getInbox() and Person.getOutbox() methods is now OrderedCollection | OrderedCollectionPage | null (was OrderedCollection | null).
    • The type of Service() constructor's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The type of Service.clone() method's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The return type of Service.getInbox() and Service.getOutbox() methods is now OrderedCollection | OrderedCollectionPage | null (was OrderedCollection | null).

Version 1.2.5

Released on November 14, 2024.

  • Suppressed a TypeError with a message unusable due to Node.js's mysterious behavior. [#159]

    • The verifyRequest() function no longer throws a TypeError when a given Request object's body is already consumed or locked. Instead, it logs an error message to the ["fedify", "sig", "http"] logger category and returns null.
    • The Federation.fetch() method no longer throws a TypeError when a given Request object's body is already consumed or locked. Instead, it logs an error message to the ["fedify", "federation", "inbox"] logger category and responds with a 500 Internal Server Error.

Version 1.2.4

Released on November 12, 2024.

  • Fixed a bug where default document loaders had thrown a TypeError with a message Body is unusable: Body has already been read or Body already consumed when the content type of the response was an HTML document and there's no link to a JSON-LD document.

  • Fixed a bug where verifySignature() and verifyJsonLd() functions sometimes had thrown a jsonld.ValidationError error. Now such errors are caught and logged as warnings, and the signature to verify is considered as invalid.

Version 1.2.3

Released on November 6, 2024.

  • The fedify node subcommand now can recognize multiple values of the rel attribute in the <link> HTML elements.

Version 1.2.2

Released on November 1, 2024.

  • Handle connection errors (rather than HTTP errors) in the Context.sendActivity() method.

  • Support the fedify command on Windows on ARM64 via x64 emulation. [#160]

Version 1.2.1

Released on October 31, 2024.

  • Now fedify node command can render the node's favicon with image/vnd.microsoft.icon or image/x-icon format.

Version 1.2.0

Released on October 31, 2024.

Version 1.1.21

Released on April 8, 2025.

  • Activity Vocabulary API became to accept RFC 3339 date-time strings without a timezone offset. This is not a bug fix, but improves interoperability with some implementations that do not include a timezone offset in their date-time strings including WordPress. [#226]

  • Added the following default context to Undo class:

    json
    {
      "litepub": "http://litepub.social/ns#",
      "toot": "http://joinmastodon.org/ns#",
      "EmojiReact": "litepub:EmojiReact",
      "Emoji": "toot:Emoji"
    }

Version 1.1.20

Released on March 26, 2025.

  • Fixed a TypeError thrown by the followers collection dispatcher when the base-url parameter was provided.
  • Fixed a TypeError thrown by the signRequest() function on Node.js. [#222]

Version 1.1.19

Released on March 26, 2025.

  • Fixed a bug where the totalItems property of OrderedCollection objects returned by followers collection dispatcher had been an incorrect value if a base-url parameter was provided.

  • Fixed a bug where the id property of OrderedCollection and OrderedCollectionPage objects returned by followers collection dispatcher had been an incorrect value if a base-url parameter was provided.

Version 1.1.18

Released on March 20, 2025.

  • Fixed a bug of WebFinger handler where it had failed to match acct: URIs with a host having a port number. [#218, #219 by Revath S Kumar]

  • Fixed a server error thrown when an invalid URL was passed to the base-url parameter of the followers collection. [#217]

Version 1.1.17

Released on March 9, 2025.

  • Fedify no more depends on node:punycode module, which is deprecated in Node.js. Now it uses the built-in node:url module instead. [#212, #214 by Fróði Karlsson]

Version 1.1.16

Released on February 28, 2025.

  • Made fedify init to install @fedify/h3 0.1.2 which is compatible with Fedify 1.0.0 or later versions when --web-framework nitro option is provided. [#213]

  • Fixed a bug where fedify init had failed to initialize a project with the --runtime node --package-manager pnpm --web-framework nitro option. [#213]

  • Made fedify init to install @logtape/logtape 0.6.5 which is the version used in Fedify 1.1.x.

Version 1.1.15

Released on February 25, 2025.

Version 1.1.14

Released on February 22, 2025.

Version 1.1.13

Released on February 19, 2025.

  • Fixed a bug where the fedify init command had failed to locate package managers on Windows. [#210]

  • The fedify command became aware of FEDIFY_LOG_FILE environment variable to log messages to a file. If the variable is set, the command logs messages to the file specified by the variable.

Version 1.1.12

Released on February 10, 2025.

  • Fixed a bug with nested object hydration in Activity Vocabulary API where deeply nested properties (like Object.getAttribution() on Activity.getObject()) were't being properly hydrated during toJsonLd() calls. Previously, subsequent calls to toJsonLd() on nested objects could result in inconsistent JSON-LD output where nested objects remained as URLs instead of being fully expanded.

Version 1.1.11

Released on January 21, 2025.

  • Fixed several security vulnerabilities of the lookupWebFinger() function. [CVE-2025-23221]

    • Fixed a security vulnerability where the lookupWebFinger() function had followed the infinite number of redirects, which could lead to a denial of service attack. Now it follows up to 5 redirects.

    • Fixed a security vulnerability where the lookupWebFinger() function had followed the redirects to other than the HTTP/HTTPS schemes, which could lead to a security breach. Now it follows only the same scheme as the original request.

    • Fixed a security vulnerability where the lookupWebFinger() function had followed the redirects to the private network addresses, which could lead to a SSRF attack. Now it follows only the public network addresses.

Version 1.1.10

Released on December 18, 2024.

  • Fixed the default document loader to handle the Link header with incorrect syntax. [#196]

Version 1.1.9

Released on December 11, 2024.

  • Fixed idempotence check in inbox listeners to ensure activities for different origins are processed correctly.

Version 1.1.8

Released on November 23, 2024.

  • Fixed ShikiError on the fedify inbox command rendering web interface. [#178, #185 by Heesun Jung]
  • Fixed text overflow of the fedify inbox command's web log view. [#180, #188 by Lim Kyunghee]

Version 1.1.7

Released on November 22, 2024.

  • Fixed a bug where lookupWebFinger() function had thrown a TypeError when the .well-known/webfinger redirects to a relative URI. [#166]

Version 1.1.6

Released on November 19, 2024.

  • Fix a bug where Actor's inbox and outbox properties had not been able to be set to an OrderedCollectionPage object, even though it is a subtype of OrderedCollection according to Activity Vocabulary specification. [#165]

    • The type of Application() constructor's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The type of Application.clone() method's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The return type of Application.getInbox() and Application.getOutbox() methods is now OrderedCollection | OrderedCollectionPage | null (was OrderedCollection | null).
    • The type of Group() constructor's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The type of Group.clone() method's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The return type of Group.getInbox() and Group.getOutbox() methods is now OrderedCollection | OrderedCollectionPage | null (was OrderedCollection | null).
    • The type of Organization() constructor's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The type of Organization.clone() method's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The return type of Organization.getInbox() and Organization.getOutbox() methods is now OrderedCollection | OrderedCollectionPage | null (was OrderedCollection | null).
    • The type of Person() constructor's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The type of Person.clone() method's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The return type of Person.getInbox() and Person.getOutbox() methods is now OrderedCollection | OrderedCollectionPage | null (was OrderedCollection | null).
    • The type of Service() constructor's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The type of Service.clone() method's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The return type of Service.getInbox() and Service.getOutbox() methods is now OrderedCollection | OrderedCollectionPage | null (was OrderedCollection | null).

Version 1.1.5

Released on November 14, 2024.

  • Suppressed a TypeError with a message unusable due to Node.js's mysterious behavior. [#159]

    • The verifyRequest() function no longer throws a TypeError when a given Request object's body is already consumed or locked. Instead, it logs an error message to the ["fedify", "sig", "http"] logger category and returns null.
    • The Federation.fetch() method no longer throws a TypeError when a given Request object's body is already consumed or locked. Instead, it logs an error message to the ["fedify", "federation", "inbox"] logger category and responds with a 500 Internal Server Error.

Version 1.1.4

Released on November 12, 2024.

  • Fixed a bug where default document loaders had thrown a TypeError with a message Body is unusable: Body has already been read or Body already consumed when the content type of the response was an HTML document and there's no link to a JSON-LD document.

  • Fixed a bug where verifySignature() and verifyJsonLd() functions sometimes had thrown a jsonld.ValidationError error. Now such errors are caught and logged as warnings, and the signature to verify is considered as invalid.

Version 1.1.3

Released on October 31, 2024.

  • Fixed a bug where fetchDocumentLoader() function had disallowed redirecting to a private network address when the second parameter, a boolean value to allow private network addresses, was true.

Version 1.1.2

Released on October 27, 2024.

Version 1.1.1

Released on October 23, 2024.

Version 1.1.0

Released on October 20, 2024.

Version 1.0.24

Released on April 8, 2025.

  • Activity Vocabulary API became to accept RFC 3339 date-time strings without a timezone offset. This is not a bug fix, but improves interoperability with some implementations that do not include a timezone offset in their date-time strings including WordPress. [#226]

Version 1.0.23

Released on March 26, 2025.

  • Fixed a TypeError thrown by the followers collection dispatcher when the base-url parameter was provided.
  • Fixed a TypeError thrown by the signRequest() function on Node.js. [#222]

Version 1.0.22

Released on March 26, 2025.

  • Fixed a bug where the totalItems property of OrderedCollection objects returned by followers collection dispatcher had been an incorrect value if a base-url parameter was provided.

  • Fixed a bug where the id property of OrderedCollection and OrderedCollectionPage objects returned by followers collection dispatcher had been an incorrect value if a base-url parameter was provided.

Version 1.0.21

Released on March 20, 2025.

  • Fixed a bug of WebFinger handler where it had failed to match acct: URIs with a host having a port number. [#218, #219 by Revath S Kumar]

  • Fixed a server error thrown when an invalid URL was passed to the base-url parameter of the followers collection. [#217]

Version 1.0.20

Released on March 9, 2025.

  • Fedify no more depends on node:punycode module, which is deprecated in Node.js. Now it uses the built-in node:url module instead. [#212, #214 by Fróði Karlsson]

Version 1.0.19

Released on February 28, 2025.

  • Made fedify init to install @fedify/h3 0.1.2 which is compatible with Fedify 1.0.0 or later versions when --web-framework nitro option is provided. [#213]

  • Fixed a bug where fedify init had failed to initialize a project with the --runtime node --package-manager pnpm --web-framework nitro option. [#213]

  • Made fedify init to install @logtape/logtape 0.6.5 which is the version used in Fedify 1.0.x.

Version 1.0.18

Released on February 25, 2025.

Version 1.0.17

Released on February 22, 2025.

Version 1.0.16

Released on February 19, 2025.

  • Fixed a bug where the fedify init command had failed to locate package managers on Windows. [#210]

  • The fedify command became aware of FEDIFY_LOG_FILE environment variable to log messages to a file. If the variable is set, the command logs messages to the file specified by the variable.

Version 1.0.15

Released on February 10, 2025.

  • Fixed a bug with nested object hydration in Activity Vocabulary API where deeply nested properties (like Object.getAttribution() on Activity.getObject()) were't being properly hydrated during toJsonLd() calls. Previously, subsequent calls to toJsonLd() on nested objects could result in inconsistent JSON-LD output where nested objects remained as URLs instead of being fully expanded.

Version 1.0.14

Released on January 21, 2025.

  • Fixed several security vulnerabilities of the lookupWebFinger() function. [CVE-2025-23221]

    • Fixed a security vulnerability where the lookupWebFinger() function had followed the infinite number of redirects, which could lead to a denial of service attack. Now it follows up to 5 redirects.

    • Fixed a security vulnerability where the lookupWebFinger() function had followed the redirects to other than the HTTP/HTTPS schemes, which could lead to a security breach. Now it follows only the same scheme as the original request.

    • Fixed a security vulnerability where the lookupWebFinger() function had followed the redirects to the private network addresses, which could lead to a SSRF attack. Now it follows only the public network addresses.

Version 1.0.13

Released on December 18, 2024.

  • Fixed the default document loader to handle the Link header with incorrect syntax. [#196]

Version 1.0.12

Released on December 11, 2024.

  • Fixed idempotence check in inbox listeners to ensure activities for different origins are processed correctly.

Version 1.0.11

Released on November 22, 2024.

  • Fixed a bug where lookupWebFinger() function had thrown a TypeError when the .well-known/webfinger redirects to a relative URI. [#166]

Version 1.0.10

Released on November 19, 2024.

  • Fix a bug where Actor's inbox and outbox properties had not been able to be set to an OrderedCollectionPage object, even though it is a subtype of OrderedCollection according to Activity Vocabulary specification. [#165]

    • The type of Application() constructor's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The type of Application.clone() method's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The return type of Application.getInbox() and Application.getOutbox() methods is now OrderedCollection | OrderedCollectionPage | null (was OrderedCollection | null).
    • The type of Group() constructor's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The type of Group.clone() method's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The return type of Group.getInbox() and Group.getOutbox() methods is now OrderedCollection | OrderedCollectionPage | null (was OrderedCollection | null).
    • The type of Organization() constructor's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The type of Organization.clone() method's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The return type of Organization.getInbox() and Organization.getOutbox() methods is now OrderedCollection | OrderedCollectionPage | null (was OrderedCollection | null).
    • The type of Person() constructor's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The type of Person.clone() method's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The return type of Person.getInbox() and Person.getOutbox() methods is now OrderedCollection | OrderedCollectionPage | null (was OrderedCollection | null).
    • The type of Service() constructor's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The type of Service.clone() method's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The return type of Service.getInbox() and Service.getOutbox() methods is now OrderedCollection | OrderedCollectionPage | null (was OrderedCollection | null).

Version 1.0.9

Released on November 14, 2024.

  • Suppressed a TypeError with a message unusable due to Node.js's mysterious behavior. [#159]

    • The verifyRequest() function no longer throws a TypeError when a given Request object's body is already consumed or locked. Instead, it logs an error message to the ["fedify", "sig", "http"] logger category and returns null.
    • The Federation.fetch() method no longer throws a TypeError when a given Request object's body is already consumed or locked. Instead, it logs an error message to the ["fedify", "federation", "inbox"] logger category and responds with a 500 Internal Server Error.

Version 1.0.8

Released on November 12, 2024.

  • Fixed a bug where default document loaders had thrown a TypeError with a message Body is unusable: Body has already been read or Body already consumed when the content type of the response was an HTML document and there's no link to a JSON-LD document.

  • Fixed a bug where verifySignature() and verifyJsonLd() functions sometimes had thrown a jsonld.ValidationError error. Now such errors are caught and logged as warnings, and the signature to verify is considered as invalid.

Version 1.0.7

Released on October 31, 2024.

  • Fixed a bug where fetchDocumentLoader() function had disallowed redirecting to a private network address when the second parameter, a boolean value to allow private network addresses, was true.

Version 1.0.6

Released on October 27, 2024.

Version 1.0.5

Released on October 23, 2024.

Version 1.0.4

Released on October 17, 2024.

  • Fixed a bug where Actor.aliasId and Actor.aliasIds properties had been represented as as:alsoKnownAs property instead of alsoKnownAs property in compacted JSON-LD objects.

  • Improved compatibility with Bridgy Fed for Bluesky where it puts an invalid URI with the format at://... in the alsoKnownAs property.

Version 1.0.3

Released on October 17, 2024.

  • Improved compatibility with some implementations (e.g., Nexkey) where some CryptographicKey objects are incorrectly typed in JSON-LD objects.

Version 1.0.2

Released on September 27, 2024.

  • Fixed a bug of Object.toJsonLd() method where it had incorrectly compacted the name property when it was not a language map.

  • The Delete(Application) activities sent by the fedify inbox command now embed the entire actor object instead of just the actor's URI so that the peers can verify the actor's signature without fetching the actor object.

Version 1.0.1

Released on September 26, 2024.

  • Fixed deprecation messages related to the {handle} variable in URL templates; they had had wrong placeholders in the message templates.

  • Fixed a bug of Object.toJsonLd() method where it had not fall back to the proper compact form when the heuristic compact form was not available.

Version 1.0.0

Released on September 26, 2024.

  • The term handle for dispatching actors is deprecated in favor of identifier.

    • The URI template for the following methods now accepts variable {identifier} instead of {handle}:

      • Federation.setActorDispatcher()
      • Federation.setInboxDispatcher()
      • Federation.setOutboxDispatcher()
      • Federation.setFollowingDispatcher()
      • Federation.setFollowersDispatcher()
      • Federation.setLikedDispatcher()
      • Federation.setFeaturedDispatcher()
      • Federation.setFeaturedTagsDispatcher()
      • Federation.setInboxListeners()

      The {handle} variable is deprecated, and it will be removed in the future.

    • The type of Federation.setActorDispatcher() method's first parameter became ${string}{identifier}${string}` | `${string}{handle}${string} (was ${string}{handle}${string}).

    • The type of Federation.setInboxDispatcher() method's first parameter became ${string}{identifier}${string}` | `${string}{handle}${string} (was ${string}{handle}${string}).

    • The type of Federation.setOutboxDispatcher() method's first parameter became ${string}{identifier}${string}` | `${string}{handle}${string} (was ${string}{handle}${string}).

    • The type of Federation.setFollowingDispatcher() method's first parameter became ${string}{identifier}${string}` | `${string}{handle}${string} (was ${string}{handle}${string}).

    • The type of Federation.setFollowersDispatcher() method's first parameter became ${string}{identifier}${string}` | `${string}{handle}${string} (was ${string}{handle}${string}).

    • The type of Federation.setLikedDispatcher() method's first parameter became ${string}{identifier}${string}` | `${string}{handle}${string} (was ${string}{handle}${string}).

    • The type of Federation.setFeaturedDispatcher() method's first parameter became ${string}{identifier}${string}` | `${string}{handle}${string} (was ${string}{handle}${string}).

    • The type of Federation.setFeaturedTagsDispatcher() method's first parameter became ${string}{identifier}${string}` | `${string}{handle}${string} (was ${string}{handle}${string}).

    • The type of Federation.setInboxListeners() method's first parameter became ${string}{identifier}${string}` | `${string}{handle}${string} (was ${string}{handle}${string}).

    • The type of Context.getDocumentLoader() method's first parameter became { identifier: string } | { username: string } | { handle: string } | { keyId: URL; privateKey: CryptoKey } (was { handle: string } | { keyId: URL; privateKey: CryptoKey }).

    • Passing { handle: string } to Context.getDocumentLoader() method is deprecated in favor of { username: string }.

    • The type of Context.sendActivity() method's first parameter became SenderKeyPair | SenderKeyPair[] | { identifier: string } | { username: string } | { handle: string } (was SenderKeyPair | SenderKeyPair[] | { handle: string }).

    • All properties of ParseUriResult type became readonly.

    • Added identifier properties next to handle properties in ParseUriResult type.

    • The handle properties of ParseUriResult type are deprecated in favor of identifier properties.

    • The return type of SharedInboxKeyDispatcher callback type became SenderKeyPair | { identifier: string } | { username: string } | { handle: string } | null | Promise<SenderKeyPair | { identifier: string } | { username: string } | { handle: string } | null> (was SenderKeyPair | { handle: string } | null | Promise<SenderKeyPair | { handle: string } | null>).

  • Fedify now supports Linked Data Signatures, which is outdated but still widely used in the fediverse.

  • In inbox listeners, a received activity now can be forwarded to another server. [#137]

  • Added cat property to Actor type in Activity Vocabulary API.

  • The Context.parseUri() method's parameter type became URL | null (was URL).

  • Context.sendActivity() method now adds Object Integrity Proofs to the activity to be sent only once. It had added Object Integrity Proofs to the activity for every recipient before.

  • The message queue is now able to be stopped manually by providing an AbortSignal object to the Federation.startQueue() method.

  • Added ParallelMessageQueue class. [#106]

  • WebFinger responses now include http://webfinger.net/rel/avatar links if the Actor object returned by the actor dispatcher has icon/icons property.

  • DenoKvMessageQueue now implements Disposable interface.

  • The fedify inbox command now sends Delete(Application) activities when it's terminated so that the peers can clean up data related to the temporary actor. [#135]

  • Added options for PostgreSQL drivers to fedify init command.

    • Added postgres value to the -k/--kv-store option of the fedify init command.
    • Added postgres value to the -q/--message-queue option of the fedify init command.
  • The generated project by the fedify init command now enables dotenv by default.

  • The fedify init command now generates .env file with default values.

  • Added more log messages using the LogTape library. Currently the below logger categories are used:

    • ["fedify", "sig", "ld"]

Version 0.15.9

Released on November 22, 2024.

  • Fixed a bug where lookupWebFinger() function had thrown a TypeError when the .well-known/webfinger redirects to a relative URI. [#166]

Version 0.15.8

Released on November 19, 2024.

  • Fix a bug where Actor's inbox and outbox properties had not been able to be set to an OrderedCollectionPage object, even though it is a subtype of OrderedCollection according to Activity Vocabulary specification. [#165]

    • The type of Application() constructor's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The type of Application.clone() method's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The return type of Application.getInbox() and Application.getOutbox() methods is now OrderedCollection | OrderedCollectionPage | null (was OrderedCollection | null).
    • The type of Group() constructor's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The type of Group.clone() method's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The return type of Group.getInbox() and Group.getOutbox() methods is now OrderedCollection | OrderedCollectionPage | null (was OrderedCollection | null).
    • The type of Organization() constructor's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The type of Organization.clone() method's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The return type of Organization.getInbox() and Organization.getOutbox() methods is now OrderedCollection | OrderedCollectionPage | null (was OrderedCollection | null).
    • The type of Person() constructor's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The type of Person.clone() method's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The return type of Person.getInbox() and Person.getOutbox() methods is now OrderedCollection | OrderedCollectionPage | null (was OrderedCollection | null).
    • The type of Service() constructor's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The type of Service.clone() method's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The return type of Service.getInbox() and Service.getOutbox() methods is now OrderedCollection | OrderedCollectionPage | null (was OrderedCollection | null).

Version 0.15.7

Released on November 14, 2024.

  • Suppressed a TypeError with a message unusable due to Node.js's mysterious behavior. [#159]

    • The verifyRequest() function no longer throws a TypeError when a given Request object's body is already consumed or locked. Instead, it logs an error message to the ["fedify", "sig", "http"] logger category and returns null.
    • The Federation.fetch() method no longer throws a TypeError when a given Request object's body is already consumed or locked. Instead, it logs an error message to the ["fedify", "federation", "inbox"] logger category and responds with a 500 Internal Server Error.

Version 0.15.6

Released on November 12, 2024.

  • Fixed a bug where default document loaders had thrown a TypeError with a message Body is unusable: Body has already been read or Body already consumed when the content type of the response was an HTML document and there's no link to a JSON-LD document.

Version 0.15.5

Released on October 30, 2024.

  • Fixed a bug where fetchDocumentLoader() function had disallowed redirecting to a private network address when the second parameter, a boolean value to allow private network addresses, was true.

Version 0.15.4

Released on October 27, 2024.

Version 0.15.3

Released on October 23, 2024.

Version 0.15.2

Released on September 26, 2024.

  • Fixed a bug of Object.toJsonLd() method where it had not fall back to the proper compact form when the heuristic compact form was not available.

Version 0.15.1

Released on September 15, 2024.

Version 0.15.0

Released on September 11, 2024.

  • Actors, collections, and objects now can have their URIs that do not consist of a WebFinger username, which means actors can change their fediverse handles.

  • Added quoteUrl property to Article, ChatMessage, Note, and Question classes in Activity Vocabulary API.

  • The element type of the liked collection is now Object or URL instead of Like.

    • Changed the type of Federation.setLikedDispatcher() method's second parameter to CollectionDispatcher<Object | URL, RequestContext<TContextData>, TContextData, void> (was CollectionDispatcher<Like, RequestContext<TContextData>, TContextData, void>).
  • Removed expand option of Object.toJsonLd() method, which was deprecated in version 0.14.0. Use format: "expand" option instead.

  • Added Context.lookupObject() method.

  • Default document loaders now recognize ActivityStream objects in more ways:

    • Loaders now recognize alternate ActivityStreams objects in the Link header.
    • Loaders now recognize alternate ActivityStreams objects in the <link>/<a> HTML elements.
  • Added allowPrivateAddress option to CreateFederationOptions interface.

  • Fixed a bug where the WebFinger response had had a subject property with an unmatched URI to the requested resource when a non-acct: URI was given.

  • Renamed the short option -c for --compact of fedify lookup command to -C to avoid conflict with the short option -c for --cache-dir.

  • Added -r/--raw option to fedify lookup command to output the raw JSON object.

Version 0.14.5

Released on September 26, 2024.

  • Fixed a bug of Object.toJsonLd() method where it had not fall back to the proper compact form when the heuristic compact form was not available.

Version 0.14.4

Released on September 6, 2024.

  • Fixed a bug of Object.fromJsonLd() method where it had thrown a TypeError when the given JSON-LD object had an @id property with an empty string.

Version 0.14.3

Released on September 1, 2024.

  • Fixed fedify inbox command where it had ignored -a/--accept-follow options when no -f/--follow option was provided. [#132]

Version 0.14.2

Released on August 30, 2024.

  • Fixed an incompatibility with Meta's Threads where sent activities had not been verified by their inbox. [#125]

Version 0.14.1

Released on August 29, 2024.

  • Fixed fedify inbox command that had not been able to parse activities even if they are valid JSON-LD. [#126]

  • Fixed a bug where the Compact Activity tab of fedify inbox command's web interface had shown an expanded JSON-LD object instead of a compacted one.

Version 0.14.0

Released on August 27, 2024.

Version 0.13.5

Released on September 6, 2024.

  • Fixed a bug of Object.fromJsonLd() method where it had thrown a TypeError when the given JSON-LD object had an @id property with an empty string.

Version 0.13.4

Released on September 1, 2024.

  • Fixed fedify inbox command where it had ignored -a/--accept-follow options when no -f/--follow option was provided. [#132]

Version 0.13.3

Released on August 30, 2024.

  • Fixed an incompatibility with Meta's Threads where sent activities had not been verified by their inbox. [#125]

Version 0.13.2

Released on August 29, 2024.

  • Fixed fedify inbox command that had not been able to parse activities even if they are valid JSON-LD. [#126]

Version 0.13.1

Released on August 18, 2024.

  • Fixed a vulnerability where the getActorHandle() function had trusted the hostname of WebFinger aliases that had not matched the hostname of the actor ID (URI).

Version 0.13.0

Released on August 7, 2024.

  • Added closed property to Question class in Activity Vocabulary API.

  • Added voters property to Question class in Activity Vocabulary API.

  • HTTP Signatures verification now can be optionally skipped for the sake of testing. [#110]

    • The type of CreateFederationOptions.signatureTimeWindow property became Temporal.DurationLike | false (was Temporal.DurationLike).
    • The type of VerifyRequestOptions.timeWindow property became Temporal.DurationLike | false (was Temporal.DurationLike).
    • Added CreateFederationOptions.skipSignatureVerification property.
  • Removed the singular actor key pair dispatcher APIs which were deprecated in version 0.10.0.

  • The Federation is no more a class, but an interface, which has been planned since version 0.10.0. [#69]

  • Added fedify tunnel command to expose a local HTTP server to the public internet.

  • A scaffold project generated by the fedify init command has several changes:

    • Added support for Express framework.
    • Added support for Nitro framework.
    • Now a scaffold project uses a x-forwarded-fetch middleware to support X-Forwarded-Proto and X-Forwarded-Host headers.
    • Now a scaffold project has hot reloading by default.
    • Now a scaffold project has logging configuration using the LogTape library.
  • Added more log messages using the LogTape library. Currently the below logger categories are used:

    • ["fedify", "webfinger", "server"]

Version 0.12.3

Released on August 18, 2024.

  • Fixed a vulnerability where the getActorHandle() function had trusted the hostname of WebFinger aliases that had not matched the hostname of the actor ID (URI).

Version 0.12.2

Released on July 31, 2024.

  • Fixed a bug where incoming activities had not been enqueued even if the queue option was provided to the createFederation() function.

Version 0.12.1

Released on July 27, 2024.

  • Fixed a bug where fedify init -w hono had generated scaffold files without Fedify integration.
  • Fixed a bug where fedify init -r bun -w hono had generated scaffold files with a wrong port number (was 3000).

Version 0.12.0

Released on July 24, 2024.

Version 0.11.3

Released on July 15, 2024.

  • Fixed a bug where use of Federation.setInboxDispatcher() after Federation.setInboxListeners() had caused a RouterError to be thrown even if the paths match. [#101 by Fabien O'Carroll]

Version 0.11.2

Released on July 9, 2024.

  • Fixed a vulnerability of SSRF via DNS rebinding in the built-in document loader. [CVE-2024-39687]

    • The fetchDocumentLoader() function now throws an error when the given domain name has any records referring to a private network address.
    • The getAuthenticatedDocumentLoader() function now returns a document loader that throws an error when the given domain name has any records referring to a private network address.

Version 0.11.1

Released on July 5, 2024.

  • Fixed a SSRF vulnerability in the built-in document loader. [CVE-2024-39687]

    • The fetchDocumentLoader() function now throws an error when the given URL is not an HTTP or HTTPS URL or refers to a private network address.
    • The getAuthenticatedDocumentLoader() function now returns a document loader that throws an error when the given URL is not an HTTP or HTTPS URL or refers to a private network address.

Version 0.11.0

Released on June 29, 2024.

Version 0.10.2

Released on July 9, 2024.

  • Fixed a vulnerability of SSRF via DNS rebinding in the built-in document loader. [CVE-2024-39687]

    • The fetchDocumentLoader() function now throws an error when the given domain name has any records referring to a private network address.
    • The getAuthenticatedDocumentLoader() function now returns a document loader that throws an error when the given domain name has any records referring to a private network address.

Version 0.10.1

Released on July 5, 2024.

  • Fixed a SSRF vulnerability in the built-in document loader. [CVE-2024-39687]

    • The fetchDocumentLoader() function now throws an error when the given URL is not an HTTP or HTTPS URL or refers to a private network address.
    • The getAuthenticatedDocumentLoader() function now returns a document loader that throws an error when the given URL is not an HTTP or HTTPS URL or refers to a private network address.

Version 0.10.0

Released on June 18, 2024.

Starting with this release, Fedify, previously distributed under AGPL 3.0, is now distributed under the MIT License to encourage wider adoption.

Version 0.9.3

Released on July 9, 2024.

  • Fixed a vulnerability of SSRF via DNS rebinding in the built-in document loader. [CVE-2024-39687]

    • The fetchDocumentLoader() function now throws an error when the given domain name has any records referring to a private network address.
    • The getAuthenticatedDocumentLoader() function now returns a document loader that throws an error when the given domain name has any records referring to a private network address.

Version 0.9.2

Released on July 5, 2024.

  • Fixed a SSRF vulnerability in the built-in document loader. [CVE-2024-39687]

    • The fetchDocumentLoader() function now throws an error when the given URL is not an HTTP or HTTPS URL or refers to a private network address.
    • The getAuthenticatedDocumentLoader() function now returns a document loader that throws an error when the given URL is not an HTTP or HTTPS URL or refers to a private network address.

Version 0.9.1

Released on June 13, 2024.

  • Fixed a bug of Activity Vocabulary API that clone() method of Vocabulary classes had not cloned the id property from the source object.

Version 0.9.0

Released on June 2, 2024.

  • Added Tombstone class to Activity Vocabulary API.

  • Added Hashtag class to Activity Vocabulary API. [#48]

  • Added Emoji class to Activity Vocabulary API. [#48]

  • Added an actor handle normalization function.

  • Added excludeBaseUris option to Context.sendActivity() and Federation.sendActivity() methods.

  • The Context now can parse URIs of objects, inboxes, and collections as well as actors.

  • The time window for signature verification is now configurable. [#52]

    • The default time window for signature verification is now a minute (was 30 seconds).
    • Added signatureTimeWindow option to FederationParameters interface.
    • Added VerifyOptions interface.
    • The signature of the verify() function is revamped; it now optionally takes a VerifyOptions object as the second parameter.
  • Renamed the @fedify/fedify/httpsig module to @fedify/fedify/sig, and also:

  • When signing an HTTP request, the algorithm parameter is now added to the Signature header. This change improves the compatibility with Misskey and other implementations that require the algorithm parameter.

  • Added more log messages using the LogTape library. Currently the below logger categories are used:

    • ["fedify", "federation", "actor"]
    • ["fedify", "federation", "http"]
    • ["fedify", "sig", "http"]
    • ["fedify", "sig", "key"]
    • ["fedify", "sig", "owner"]

Version 0.8.0

Released on May 6, 2024.

  • The CLI toolchain for testing and debugging is now available on JSR: @fedify/cli. You can install it with deno install -A --unstable-fs --unstable-kv --unstable-temporal -n fedify jsr:@fedify/cli, or download a standalone executable from the releases page.

    • Added fedify command.
    • Added fedify lookup subcommand.
    • Added fedify inbox subcommand.
  • Implemented followers collection synchronization mechanism.

  • Relaxed the required type for activity recipients.

    • Added Recipient interface.
    • The type of the second parameter of Context.sendActivity() method became Recipient | Recipient[] (was Actor | Actor[]). However, since Recipient is a supertype of Actor, the existing code should work without any change.
  • Followers collection now has to consist of Recipient objects only. (It could consist of URLs as well as Actors before.)

    • The type of Federation.setFollowersDispatcher() method's second parameter became CollectionDispatcher<Recipient, TContextData, URL> (was CollectionDispatcher<Actor | URL, TContextData>).
  • Some of the responsibility of a document loader was separated to a context loader and a document loader.

  • Added width and height properties to Document class for better compatibility with Mastodon. [#47]

  • Removed the dependency on @js-temporal/polyfill on Deno, and Fedify now requires --unstable-temporal flag. On other runtime, it still depends on @js-temporal/polyfill.

  • Added more log messages using the LogTape library. Currently the below logger categories are used:

    • ["fedify", "federation", "collection"]
    • ["fedify", "httpsig", "verify"]
    • ["fedify", "runtime", "docloader"]
  • Fixed a bug where the authenticated document loader had thrown InvalidUrl error when the URL redirection was involved in Bun.

  • Fixed a bug of lookupObject() that it had failed to look up the actor object when WebFinger response had no links with "type": "application/activity+json" but had "type": "application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\"".

Version 0.7.0

Released on April 23, 2024.

Version 0.6.1

Released on April 17, 2024.

  • Fixed a bug of new Federation() constructor that if it is once called the process will never exit. [#39]

Version 0.6.0

Released on April 9, 2024.

Version 0.5.2

Released on April 17, 2024.

  • Fixed a bug of new Federation() constructor that if it is once called the process will never exit. [#39]

Version 0.5.1

Released on April 5, 2024.

  • Fixed a bug of Federation that its actor/collection dispatchers had done content negotiation before determining if the resource exists or not. It also fixed a bug that integrateHandler() from @fedify/fedify/x/fresh had responded with 406 Not Acceptable instead of 404 Not Found when the resource does not exist in the web browser. [#34]

Version 0.5.0

Released on April 2, 2024.

Version 0.4.0

Released on March 26, 2024.

Version 0.3.0

Released on March 15, 2024.

Version 0.2.0

Released on March 10, 2024.

Version 0.1.0

Initial release. Released on March 8, 2024.