
Fedify changelog

Version 1.3.4

Released on January 21, 2025.

  • Fixed several security vulnerabilities in the lookupWebFinger() function. [CVE-2025-23221]

    • Fixed a security vulnerability where the lookupWebFinger() function followed an unlimited number of redirects, which could lead to a denial-of-service attack. Now it follows up to 5 redirects.

    • Fixed a security vulnerability where the lookupWebFinger() function followed redirects to schemes other than HTTP/HTTPS, which could lead to a security breach. Now it follows only redirects that use the same scheme as the original request.

    • Fixed a security vulnerability where the lookupWebFinger() function followed redirects to private network addresses, which could lead to an SSRF attack. Now it follows only redirects to public network addresses.
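
The three redirect rules above (at most 5 hops, same scheme as the original request, public addresses only) written out as a standalone policy check. This is an added example, not Fedify's code: MAX_REDIRECTS, isPrivateAddress, checkRedirect, walkRedirects, the sample hosts and the DNS table are all assumptions made for illustration.

```javascript
// Added example: a redirect policy that mirrors the three fixes listed above.
// Names such as MAX_REDIRECTS, checkRedirect and walkRedirects are
// hypothetical; this is not Fedify's code or API.
const MAX_REDIRECTS = 5; // limit stated in the changelog

// Parse a dotted-quad IPv4 string into four octets, or return null.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// True for IPv4 "this network", RFC 1918, loopback, CGNAT and link-local
// ranges, and for IPv6 loopback/unspecified, unique-local (fc00::/7),
// link-local (fe80::/10) and IPv4-mapped forms of a private IPv4 address.
function isPrivateAddress(address) {
  const addr = address.replace(/^\[|\]$/g, "").toLowerCase();
  const v4 = parseIPv4(addr);
  if (v4) {
    const [a, b] = v4;
    return a === 0 || a === 10 || a === 127 ||
      (a === 100 && b >= 64 && b <= 127) ||
      (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168);
  }
  if (addr === "::1" || addr === "::") return true;
  const dotted = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(addr);
  if (dotted) return isPrivateAddress(dotted[1]);
  const hex = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(addr);
  if (hex) {
    const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
    return isPrivateAddress([hi >> 8, hi & 255, lo >> 8, lo & 255].join("."));
  }
  return /^f[cd][0-9a-f]{2}:/.test(addr) || /^fe[89ab][0-9a-f]:/.test(addr);
}

// Decide whether one redirect hop may be followed.
//   original: URL of the first request      current: URL that redirected
//   location: raw Location header value     hops: redirects already followed
//   resolve:  hostname -> array of IP strings (injected DNS lookup)
function checkRedirect(original, current, location, hops, resolve) {
  if (hops >= MAX_REDIRECTS) return { ok: false, reason: "too-many-redirects" };
  let next;
  try {
    next = new URL(location, current); // a relative Location resolves here
  } catch {
    return { ok: false, reason: "invalid-location" };
  }
  if (next.protocol !== new URL(original).protocol) {
    return { ok: false, reason: "scheme-changed" };
  }
  const host = next.hostname;
  const isLiteral = host.startsWith("[") || parseIPv4(host) !== null;
  const addresses = isLiteral ? [host] : resolve(host);
  if (addresses.length === 0) return { ok: false, reason: "unresolvable" };
  // Reject if ANY record is private, not just the first one returned.
  if (addresses.some(isPrivateAddress)) {
    return { ok: false, reason: "private-address" };
  }
  return { ok: true, url: next.href };
}

// Walk a table of redirects (URL -> Location) without touching the network.
function walkRedirects(startUrl, redirects, dns) {
  const resolve = (host) => dns.get(host) ?? [];
  let current = new URL(startUrl).href;
  for (let hops = 0; ; hops++) {
    const location = redirects.get(current);
    if (location === undefined) return { ok: true, url: current, hops };
    const verdict = checkRedirect(startUrl, current, location, hops, resolve);
    if (!verdict.ok) return { ...verdict, hops };
    current = verdict.url;
  }
}

// Constructed sample data. Hosts are fictional; 203.0.113.0/24 is a
// documentation range standing in for public addresses.
const SAMPLE_DNS = new Map([
  ["social.example", ["203.0.113.10"]],
  ["cdn.example", ["203.0.113.20"]],
  ["rebind.example", ["203.0.113.30", "10.0.0.5"]], // one private record
  ["loop.example", ["203.0.113.40"]],
]);
const WF = "/.well-known/webfinger?resource=acct:alice@social.example";
const SAMPLE_REDIRECTS = new Map([
  ["https://social.example" + WF, "https://cdn.example/wf/alice"],
  ["https://social.example/start", "/wf/relative"],
  ["https://social.example/down", "ftp://cdn.example/x"],
  ["https://social.example/internal", "https://10.0.0.5/status"],
  ["https://social.example/rebind", "https://rebind.example/wf"],
  ["https://loop.example/a", "https://loop.example/a"],
]);
```

In a real client the address that passed the check should also be the one connected to; resolving again at connect time reopens the DNS rebinding window addressed under CVE-2024-39687 further down this changelog.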

Version 1.3.3

Released on December 30, 2024.

Version 1.3.2

Released on December 18, 2024.

  • Fixed the default document loader to handle the Link header with incorrect syntax. [#196]

Version 1.3.1

Released on December 11, 2024.

  • Fixed idempotence check in inbox listeners to ensure activities for different origins are processed correctly.

Version 1.3.0

Released on November 30, 2024.

Version 1.2.11

Released on January 21, 2025.

  • Fixed several security vulnerabilities in the lookupWebFinger() function. [CVE-2025-23221]

    • Fixed a security vulnerability where the lookupWebFinger() function followed an unlimited number of redirects, which could lead to a denial-of-service attack. Now it follows up to 5 redirects.

    • Fixed a security vulnerability where the lookupWebFinger() function followed redirects to schemes other than HTTP/HTTPS, which could lead to a security breach. Now it follows only redirects that use the same scheme as the original request.

    • Fixed a security vulnerability where the lookupWebFinger() function followed redirects to private network addresses, which could lead to an SSRF attack. Now it follows only redirects to public network addresses.

Version 1.2.10

Released on December 18, 2024.

  • Fixed the default document loader to handle the Link header with incorrect syntax. [#196]

Version 1.2.9

Released on December 11, 2024.

  • Fixed idempotence check in inbox listeners to ensure activities for different origins are processed correctly.

Version 1.2.8

Released on November 23, 2024.

  • Fixed warnings from the fedify inbox command. [#177, #181 by WinterHana]
  • Fixed ShikiError on the fedify inbox command rendering web interface. [#178, #185 by Heesun Jung]
  • Fixed text overflow of the fedify inbox command's web log view. [#180, #188 by Lim Kyunghee]

Version 1.2.7

Released on November 22, 2024.

  • Fixed a bug where the lookupWebFinger() function had thrown a TypeError when the .well-known/webfinger redirects to a relative URI. [#166]

Version 1.2.6

Released on November 19, 2024.

  • Fixed a bug where Actor's inbox and outbox properties could not be set to an OrderedCollectionPage object, even though it is a subtype of OrderedCollection according to the Activity Vocabulary specification. [#165]

    • The type of Application() constructor's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The type of Application.clone() method's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The return type of Application.getInbox() and Application.getOutbox() methods is now OrderedCollection | OrderedCollectionPage | null (was OrderedCollection | null).
    • The type of Group() constructor's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The type of Group.clone() method's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The return type of Group.getInbox() and Group.getOutbox() methods is now OrderedCollection | OrderedCollectionPage | null (was OrderedCollection | null).
    • The type of Organization() constructor's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The type of Organization.clone() method's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The return type of Organization.getInbox() and Organization.getOutbox() methods is now OrderedCollection | OrderedCollectionPage | null (was OrderedCollection | null).
    • The type of Person() constructor's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The type of Person.clone() method's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The return type of Person.getInbox() and Person.getOutbox() methods is now OrderedCollection | OrderedCollectionPage | null (was OrderedCollection | null).
    • The type of Service() constructor's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The type of Service.clone() method's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The return type of Service.getInbox() and Service.getOutbox() methods is now OrderedCollection | OrderedCollectionPage | null (was OrderedCollection | null).

Version 1.2.5

Released on November 14, 2024.

  • Suppressed a TypeError with a message unusable due to Node.js's mysterious behavior. [#159]

    • The verifyRequest() function no longer throws a TypeError when a given Request object's body is already consumed or locked. Instead, it logs an error message to the ["fedify", "sig", "http"] logger category and returns null.
    • The Federation.fetch() method no longer throws a TypeError when a given Request object's body is already consumed or locked. Instead, it logs an error message to the ["fedify", "federation", "inbox"] logger category and responds with a 500 Internal Server Error.

Version 1.2.4

Released on November 12, 2024.

  • Fixed a bug where default document loaders had thrown a TypeError with a message Body is unusable: Body has already been read or Body already consumed when the content type of the response was an HTML document and there's no link to a JSON-LD document.

  • Fixed a bug where verifySignature() and verifyJsonLd() functions sometimes had thrown a jsonld.ValidationError error. Now such errors are caught and logged as warnings, and the signature to verify is considered as invalid.

Version 1.2.3

Released on November 6, 2024.

  • The fedify node subcommand now can recognize multiple values of the rel attribute in the <link> HTML elements.

Version 1.2.2

Released on November 1, 2024.

  • Handle connection errors (rather than HTTP errors) in the Context.sendActivity() method.

  • Support the fedify command on Windows on ARM64 via x64 emulation. [#160]

Version 1.2.1

Released on October 31, 2024.

  • Now fedify node command can render the node's favicon with image/vnd.microsoft.icon or image/x-icon format.

Version 1.2.0

Released on October 31, 2024.

Version 1.1.11

Released on January 21, 2025.

  • Fixed several security vulnerabilities in the lookupWebFinger() function. [CVE-2025-23221]

    • Fixed a security vulnerability where the lookupWebFinger() function followed an unlimited number of redirects, which could lead to a denial-of-service attack. Now it follows up to 5 redirects.

    • Fixed a security vulnerability where the lookupWebFinger() function followed redirects to schemes other than HTTP/HTTPS, which could lead to a security breach. Now it follows only redirects that use the same scheme as the original request.

    • Fixed a security vulnerability where the lookupWebFinger() function followed redirects to private network addresses, which could lead to an SSRF attack. Now it follows only redirects to public network addresses.

Version 1.1.10

Released on December 18, 2024.

  • Fixed the default document loader to handle the Link header with incorrect syntax. [#196]

Version 1.1.9

Released on December 11, 2024.

  • Fixed idempotence check in inbox listeners to ensure activities for different origins are processed correctly.

Version 1.1.8

Released on November 23, 2024.

  • Fixed ShikiError on the fedify inbox command rendering web interface. [#178, #185 by Heesun Jung]
  • Fixed text overflow of the fedify inbox command's web log view. [#180, #188 by Lim Kyunghee]

Version 1.1.7

Released on November 22, 2024.

  • Fixed a bug where the lookupWebFinger() function had thrown a TypeError when the .well-known/webfinger redirects to a relative URI. [#166]

Version 1.1.6

Released on November 19, 2024.

  • Fixed a bug where Actor's inbox and outbox properties could not be set to an OrderedCollectionPage object, even though it is a subtype of OrderedCollection according to the Activity Vocabulary specification. [#165]

    • The type of Application() constructor's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The type of Application.clone() method's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The return type of Application.getInbox() and Application.getOutbox() methods is now OrderedCollection | OrderedCollectionPage | null (was OrderedCollection | null).
    • The type of Group() constructor's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The type of Group.clone() method's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The return type of Group.getInbox() and Group.getOutbox() methods is now OrderedCollection | OrderedCollectionPage | null (was OrderedCollection | null).
    • The type of Organization() constructor's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The type of Organization.clone() method's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The return type of Organization.getInbox() and Organization.getOutbox() methods is now OrderedCollection | OrderedCollectionPage | null (was OrderedCollection | null).
    • The type of Person() constructor's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The type of Person.clone() method's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The return type of Person.getInbox() and Person.getOutbox() methods is now OrderedCollection | OrderedCollectionPage | null (was OrderedCollection | null).
    • The type of Service() constructor's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The type of Service.clone() method's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The return type of Service.getInbox() and Service.getOutbox() methods is now OrderedCollection | OrderedCollectionPage | null (was OrderedCollection | null).

Version 1.1.5

Released on November 14, 2024.

  • Suppressed a TypeError with a message unusable due to Node.js's mysterious behavior. [#159]

    • The verifyRequest() function no longer throws a TypeError when a given Request object's body is already consumed or locked. Instead, it logs an error message to the ["fedify", "sig", "http"] logger category and returns null.
    • The Federation.fetch() method no longer throws a TypeError when a given Request object's body is already consumed or locked. Instead, it logs an error message to the ["fedify", "federation", "inbox"] logger category and responds with a 500 Internal Server Error.

Version 1.1.4

Released on November 12, 2024.

  • Fixed a bug where default document loaders had thrown a TypeError with a message Body is unusable: Body has already been read or Body already consumed when the content type of the response was an HTML document and there's no link to a JSON-LD document.

  • Fixed a bug where verifySignature() and verifyJsonLd() functions sometimes had thrown a jsonld.ValidationError error. Now such errors are caught and logged as warnings, and the signature to verify is considered as invalid.

Version 1.1.3

Released on October 31, 2024.

  • Fixed a bug where the fetchDocumentLoader() function had disallowed redirecting to a private network address when the second parameter, a boolean value to allow private network addresses, was true.

Version 1.1.2

Released on October 27, 2024.

Version 1.1.1

Released on October 23, 2024.

Version 1.1.0

Released on October 20, 2024.

Version 1.0.14

Released on January 21, 2025.

  • Fixed several security vulnerabilities in the lookupWebFinger() function. [CVE-2025-23221]

    • Fixed a security vulnerability where the lookupWebFinger() function followed an unlimited number of redirects, which could lead to a denial-of-service attack. Now it follows up to 5 redirects.

    • Fixed a security vulnerability where the lookupWebFinger() function followed redirects to schemes other than HTTP/HTTPS, which could lead to a security breach. Now it follows only redirects that use the same scheme as the original request.

    • Fixed a security vulnerability where the lookupWebFinger() function followed redirects to private network addresses, which could lead to an SSRF attack. Now it follows only redirects to public network addresses.

Version 1.0.13

Released on December 18, 2024.

  • Fixed the default document loader to handle the Link header with incorrect syntax. [#196]

Version 1.0.12

Released on December 11, 2024.

  • Fixed idempotence check in inbox listeners to ensure activities for different origins are processed correctly.

Version 1.0.11

Released on November 22, 2024.

  • Fixed a bug where the lookupWebFinger() function had thrown a TypeError when the .well-known/webfinger redirects to a relative URI. [#166]

Version 1.0.10

Released on November 19, 2024.

  • Fixed a bug where Actor's inbox and outbox properties could not be set to an OrderedCollectionPage object, even though it is a subtype of OrderedCollection according to the Activity Vocabulary specification. [#165]

    • The type of Application() constructor's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The type of Application.clone() method's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The return type of Application.getInbox() and Application.getOutbox() methods is now OrderedCollection | OrderedCollectionPage | null (was OrderedCollection | null).
    • The type of Group() constructor's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The type of Group.clone() method's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The return type of Group.getInbox() and Group.getOutbox() methods is now OrderedCollection | OrderedCollectionPage | null (was OrderedCollection | null).
    • The type of Organization() constructor's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The type of Organization.clone() method's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The return type of Organization.getInbox() and Organization.getOutbox() methods is now OrderedCollection | OrderedCollectionPage | null (was OrderedCollection | null).
    • The type of Person() constructor's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The type of Person.clone() method's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The return type of Person.getInbox() and Person.getOutbox() methods is now OrderedCollection | OrderedCollectionPage | null (was OrderedCollection | null).
    • The type of Service() constructor's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The type of Service.clone() method's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The return type of Service.getInbox() and Service.getOutbox() methods is now OrderedCollection | OrderedCollectionPage | null (was OrderedCollection | null).

Version 1.0.9

Released on November 14, 2024.

  • Suppressed a TypeError with a message unusable due to Node.js's mysterious behavior. [#159]

    • The verifyRequest() function no longer throws a TypeError when a given Request object's body is already consumed or locked. Instead, it logs an error message to the ["fedify", "sig", "http"] logger category and returns null.
    • The Federation.fetch() method no longer throws a TypeError when a given Request object's body is already consumed or locked. Instead, it logs an error message to the ["fedify", "federation", "inbox"] logger category and responds with a 500 Internal Server Error.

Version 1.0.8

Released on November 12, 2024.

  • Fixed a bug where default document loaders had thrown a TypeError with a message Body is unusable: Body has already been read or Body already consumed when the content type of the response was an HTML document and there's no link to a JSON-LD document.

  • Fixed a bug where verifySignature() and verifyJsonLd() functions sometimes had thrown a jsonld.ValidationError error. Now such errors are caught and logged as warnings, and the signature to verify is considered as invalid.

Version 1.0.7

Released on October 31, 2024.

  • Fixed a bug where the fetchDocumentLoader() function had disallowed redirecting to a private network address when the second parameter, a boolean value to allow private network addresses, was true.

Version 1.0.6

Released on October 27, 2024.

Version 1.0.5

Released on October 23, 2024.

Version 1.0.4

Released on October 17, 2024.

  • Fixed a bug where Actor.aliasId and Actor.aliasIds properties had been represented as as:alsoKnownAs property instead of alsoKnownAs property in compacted JSON-LD objects.

  • Improved compatibility with Bridgy Fed for Bluesky where it puts an invalid URI with the format at://... in the alsoKnownAs property.

Version 1.0.3

Released on October 17, 2024.

  • Improved compatibility with some implementations (e.g., Nexkey) where some CryptographicKey objects are incorrectly typed in JSON-LD objects.

Version 1.0.2

Released on September 27, 2024.

  • Fixed a bug of Object.toJsonLd() method where it had incorrectly compacted the name property when it was not a language map.

  • The Delete(Application) activities sent by the fedify inbox command now embed the entire actor object instead of just the actor's URI so that the peers can verify the actor's signature without fetching the actor object.

Version 1.0.1

Released on September 26, 2024.

  • Fixed deprecation messages related to the {handle} variable in URL templates; they had had wrong placeholders in the message templates.

  • Fixed a bug of Object.toJsonLd() method where it had not fallen back to the proper compact form when the heuristic compact form was not available.

Version 1.0.0

Released on September 26, 2024.

Version 0.15.9

Released on November 22, 2024.

  • Fixed a bug where the lookupWebFinger() function had thrown a TypeError when the .well-known/webfinger redirects to a relative URI. [#166]

Version 0.15.8

Released on November 19, 2024.

  • Fixed a bug where Actor's inbox and outbox properties could not be set to an OrderedCollectionPage object, even though it is a subtype of OrderedCollection according to the Activity Vocabulary specification. [#165]

    • The type of Application() constructor's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The type of Application.clone() method's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The return type of Application.getInbox() and Application.getOutbox() methods is now OrderedCollection | OrderedCollectionPage | null (was OrderedCollection | null).
    • The type of Group() constructor's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The type of Group.clone() method's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The return type of Group.getInbox() and Group.getOutbox() methods is now OrderedCollection | OrderedCollectionPage | null (was OrderedCollection | null).
    • The type of Organization() constructor's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The type of Organization.clone() method's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The return type of Organization.getInbox() and Organization.getOutbox() methods is now OrderedCollection | OrderedCollectionPage | null (was OrderedCollection | null).
    • The type of Person() constructor's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The type of Person.clone() method's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The return type of Person.getInbox() and Person.getOutbox() methods is now OrderedCollection | OrderedCollectionPage | null (was OrderedCollection | null).
    • The type of Service() constructor's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The type of Service.clone() method's inbox and outbox options is now OrderedCollection | OrderedCollectionPage | null | undefined (was OrderedCollection | null | undefined).
    • The return type of Service.getInbox() and Service.getOutbox() methods is now OrderedCollection | OrderedCollectionPage | null (was OrderedCollection | null).

Version 0.15.7

Released on November 14, 2024.

  • Suppressed a TypeError with a message unusable due to Node.js's mysterious behavior. [#159]

    • The verifyRequest() function no longer throws a TypeError when a given Request object's body is already consumed or locked. Instead, it logs an error message to the ["fedify", "sig", "http"] logger category and returns null.
    • The Federation.fetch() method no longer throws a TypeError when a given Request object's body is already consumed or locked. Instead, it logs an error message to the ["fedify", "federation", "inbox"] logger category and responds with a 500 Internal Server Error.

Version 0.15.6

Released on November 12, 2024.

  • Fixed a bug where default document loaders had thrown a TypeError with a message Body is unusable: Body has already been read or Body already consumed when the content type of the response was an HTML document and there's no link to a JSON-LD document.

Version 0.15.5

Released on October 30, 2024.

  • Fixed a bug where the fetchDocumentLoader() function had disallowed redirecting to a private network address when the second parameter, a boolean value to allow private network addresses, was true.

Version 0.15.4

Released on October 27, 2024.

Version 0.15.3

Released on October 23, 2024.

Version 0.15.2

Released on September 26, 2024.

  • Fixed a bug of Object.toJsonLd() method where it had not fallen back to the proper compact form when the heuristic compact form was not available.

Version 0.15.1

Released on September 15, 2024.

Version 0.15.0

Released on September 11, 2024.

  • Actors, collections, and objects now can have their URIs that do not consist of a WebFinger username, which means actors can change their fediverse handles.

  • Added quoteUrl property to Article, ChatMessage, Note, and Question classes in Activity Vocabulary API.

  • The element type of the liked collection is now Object or URL instead of Like.

    • Changed the type of Federation.setLikedDispatcher() method's second parameter to CollectionDispatcher<Object | URL, RequestContext<TContextData>, TContextData, void> (was CollectionDispatcher<Like, RequestContext<TContextData>, TContextData, void>).
  • Removed expand option of Object.toJsonLd() method, which was deprecated in version 0.14.0. Use format: "expand" option instead.

  • Added Context.lookupObject() method.

  • Default document loaders now recognize ActivityStream objects in more ways:

    • Loaders now recognize alternate ActivityStreams objects in the Link header.
    • Loaders now recognize alternate ActivityStreams objects in the <link>/<a> HTML elements.
  • Added allowPrivateAddress option to CreateFederationOptions interface.

  • Fixed a bug where the WebFinger response had had a subject property with an unmatched URI to the requested resource when a non-acct: URI was given.

  • Renamed the short option -c for --compact of fedify lookup command to -C to avoid conflict with the short option -c for --cache-dir.

  • Added -r/--raw option to fedify lookup command to output the raw JSON object.

Version 0.14.5

Released on September 26, 2024.

  • Fixed a bug of Object.toJsonLd() method where it had not fallen back to the proper compact form when the heuristic compact form was not available.

Version 0.14.4

Released on September 6, 2024.

  • Fixed a bug of Object.fromJsonLd() method where it had thrown a TypeError when the given JSON-LD object had an @id property with an empty string.

Version 0.14.3

Released on September 1, 2024.

  • Fixed fedify inbox command where it had ignored -a/--accept-follow options when no -f/--follow option was provided. [#132]

Version 0.14.2

Released on August 30, 2024.

  • Fixed an incompatibility with Meta's Threads where sent activities had not been verified by their inbox. [#125]

Version 0.14.1

Released on August 29, 2024.

  • Fixed fedify inbox command that had not been able to parse activities even if they are valid JSON-LD. [#126]

  • Fixed a bug where the Compact Activity tab of fedify inbox command's web interface had shown an expanded JSON-LD object instead of a compacted one.

Version 0.14.0

Released on August 27, 2024.

Version 0.13.5

Released on September 6, 2024.

  • Fixed a bug of Object.fromJsonLd() method where it had thrown a TypeError when the given JSON-LD object had an @id property with an empty string.

Version 0.13.4

Released on September 1, 2024.

  • Fixed fedify inbox command where it had ignored -a/--accept-follow options when no -f/--follow option was provided. [#132]

Version 0.13.3

Released on August 30, 2024.

  • Fixed an incompatibility with Meta's Threads where sent activities had not been verified by their inbox. [#125]

Version 0.13.2

Released on August 29, 2024.

  • Fixed fedify inbox command that had not been able to parse activities even if they are valid JSON-LD. [#126]

Version 0.13.1

Released on August 18, 2024.

  • Fixed a vulnerability where the getActorHandle() function had trusted the hostname of WebFinger aliases that had not matched the hostname of the actor ID (URI).

Version 0.13.0

Released on August 7, 2024.

Version 0.12.3

Released on August 18, 2024.

  • Fixed a vulnerability where the getActorHandle() function had trusted the hostname of WebFinger aliases that had not matched the hostname of the actor ID (URI).

Version 0.12.2

Released on July 31, 2024.

  • Fixed a bug where incoming activities had not been enqueued even if the queue option was provided to the createFederation() function.

Version 0.12.1

Released on July 27, 2024.

  • Fixed a bug where fedify init -w hono had generated scaffold files without Fedify integration.
  • Fixed a bug where fedify init -r bun -w hono had generated scaffold files with a wrong port number (was 3000).

Version 0.12.0

Released on July 24, 2024.

Version 0.11.3

Released on July 15, 2024.

Version 0.11.2

Released on July 9, 2024.

  • Fixed an SSRF vulnerability via DNS rebinding in the built-in document loader. [CVE-2024-39687]

    • The fetchDocumentLoader() function now throws an error when the given domain name has any records referring to a private network address.
    • The getAuthenticatedDocumentLoader() function now returns a document loader that throws an error when the given domain name has any records referring to a private network address.

Version 0.11.1

Released on July 5, 2024.

  • Fixed an SSRF vulnerability in the built-in document loader. [CVE-2024-39687]

    • The fetchDocumentLoader() function now throws an error when the given URL is not an HTTP or HTTPS URL or refers to a private network address.
    • The getAuthenticatedDocumentLoader() function now returns a document loader that throws an error when the given URL is not an HTTP or HTTPS URL or refers to a private network address.

Version 0.11.0

Released on June 29, 2024.

Version 0.10.2

Released on July 9, 2024.

  • Fixed an SSRF vulnerability via DNS rebinding in the built-in document loader. [CVE-2024-39687]

    • The fetchDocumentLoader() function now throws an error when the given domain name has any records referring to a private network address.
    • The getAuthenticatedDocumentLoader() function now returns a document loader that throws an error when the given domain name has any records referring to a private network address.

Version 0.10.1

Released on July 5, 2024.

  • Fixed an SSRF vulnerability in the built-in document loader. [CVE-2024-39687]

    • The fetchDocumentLoader() function now throws an error when the given URL is not an HTTP or HTTPS URL or refers to a private network address.
    • The getAuthenticatedDocumentLoader() function now returns a document loader that throws an error when the given URL is not an HTTP or HTTPS URL or refers to a private network address.

Version 0.10.0

Released on June 18, 2024.

Starting with this release, Fedify, previously distributed under AGPL 3.0, is now distributed under the MIT License to encourage wider adoption.

Version 0.9.3

Released on July 9, 2024.

  • Fixed an SSRF vulnerability via DNS rebinding in the built-in document loader. [CVE-2024-39687]

    • The fetchDocumentLoader() function now throws an error when the given domain name has any records referring to a private network address.
    • The getAuthenticatedDocumentLoader() function now returns a document loader that throws an error when the given domain name has any records referring to a private network address.

Version 0.9.2

Released on July 5, 2024.

  • Fixed an SSRF vulnerability in the built-in document loader. [CVE-2024-39687]

    • The fetchDocumentLoader() function now throws an error when the given URL is not an HTTP or HTTPS URL or refers to a private network address.
    • The getAuthenticatedDocumentLoader() function now returns a document loader that throws an error when the given URL is not an HTTP or HTTPS URL or refers to a private network address.

Version 0.9.1

Released on June 13, 2024.

  • Fixed a bug in the Activity Vocabulary API where the clone() method of Vocabulary classes did not clone the id property from the source object.

Version 0.9.0

Released on June 2, 2024.

  • Added Tombstone class to Activity Vocabulary API.

  • Added Hashtag class to Activity Vocabulary API. [#48]

  • Added Emoji class to Activity Vocabulary API. [#48]

  • Added an actor handle normalization function.

  • Added excludeBaseUris option to Context.sendActivity() and Federation.sendActivity() methods.

  • The Context can now parse URIs of objects, inboxes, and collections as well as actors.

  • The time window for signature verification is now configurable. [#52]

    • The default time window for signature verification is now a minute (was 30 seconds).
    • Added signatureTimeWindow option to FederationParameters interface.
    • Added VerifyOptions interface.
    • The signature of the verify() function is revamped; it now optionally takes a VerifyOptions object as the second parameter.
  • Renamed the @fedify/fedify/httpsig module to @fedify/fedify/sig, and also:

  • When signing an HTTP request, the algorithm parameter is now added to the Signature header. This change improves the compatibility with Misskey and other implementations that require the algorithm parameter.

  • Added more log messages using the LogTape library. Currently the following logger categories are used:

    • ["fedify", "federation", "actor"]
    • ["fedify", "federation", "http"]
    • ["fedify", "sig", "http"]
    • ["fedify", "sig", "key"]
    • ["fedify", "sig", "owner"]

Version 0.8.0

Released on May 6, 2024.

  • The CLI toolchain for testing and debugging is now available on JSR: @fedify/cli. You can install it with deno install -A --unstable-fs --unstable-kv --unstable-temporal -n fedify jsr:@fedify/cli, or download a standalone executable from the releases page.

    • Added fedify command.
    • Added fedify lookup subcommand.
    • Added fedify inbox subcommand.
  • Implemented followers collection synchronization mechanism.

  • Relaxed the required type for activity recipients.

    • Added Recipient interface.
    • The type of the second parameter of Context.sendActivity() method became Recipient | Recipient[] (was Actor | Actor[]). However, since Recipient is a supertype of Actor, the existing code should work without any change.
  • Followers collection now has to consist of Recipient objects only. (It could consist of URLs as well as Actors before.)

    • The type of Federation.setFollowersDispatcher() method's second parameter became CollectionDispatcher<Recipient, TContextData, URL> (was CollectionDispatcher<Actor | URL, TContextData>).
  • Some of the responsibilities of a document loader were split between a context loader and a document loader.

  • Added width and height properties to Document class for better compatibility with Mastodon. [#47]

  • Removed the dependency on @js-temporal/polyfill on Deno, and Fedify now requires the --unstable-temporal flag. On other runtimes, it still depends on @js-temporal/polyfill.

  • Added more log messages using the LogTape library. Currently the following logger categories are used:

    • ["fedify", "federation", "collection"]
    • ["fedify", "httpsig", "verify"]
    • ["fedify", "runtime", "docloader"]
  • Fixed a bug where the authenticated document loader threw an InvalidUrl error when URL redirection was involved in Bun.

  • Fixed a bug where lookupObject() failed to look up the actor object when the WebFinger response had no links with "type": "application/activity+json" but had "type": "application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\"".

Version 0.7.0

Released on April 23, 2024.

Version 0.6.1

Released on April 17, 2024.

  • Fixed a bug in the new Federation() constructor where, once it had been called, the process would never exit. [#39]

Version 0.6.0

Released on April 9, 2024.

Version 0.5.2

Released on April 17, 2024.

  • Fixed a bug in the new Federation() constructor where, once it had been called, the process would never exit. [#39]

Version 0.5.1

Released on April 5, 2024.

  • Fixed a bug in Federation where its actor/collection dispatchers performed content negotiation before determining whether the resource exists. Also fixed a bug where integrateHandler() from @fedify/fedify/x/fresh responded with 406 Not Acceptable instead of 404 Not Found when the resource does not exist in the web browser. [#34]

Version 0.5.0

Released on April 2, 2024.

Version 0.4.0

Released on March 26, 2024.

Version 0.3.0

Released on March 15, 2024.

Version 0.2.0

Released on March 10, 2024.

Version 0.1.0

Initial release. Released on March 8, 2024.