Releases: fedify-dev/fedify

Fedify 1.8.4

07 Aug 04:27
1.8.4
afaeb97

Released on August 7, 2025.

@fedify/cli

  • Fixed fedify lookup command's -r/--raw, -C/--compact, and -e/--expand options to properly output valid JSON format instead of Deno's object inspection format. [#357]

Fedify 1.7.9

07 Aug 21:16
1.7.9
7622300

Released on August 8, 2025.

  • Fixed a critical authentication bypass vulnerability in the inbox handler that allowed unauthenticated attackers to impersonate any ActivityPub actor. The vulnerability occurred because activities were processed before verifying that the HTTP Signatures key belonged to the claimed actor. Now authentication verification is performed before activity processing to prevent actor impersonation attacks. [CVE-2025-54888]

Fedify 1.6.8

07 Aug 21:10
1.6.8
68d2505

Released on August 8, 2025.

  • Fixed a critical authentication bypass vulnerability in the inbox handler that allowed unauthenticated attackers to impersonate any ActivityPub actor. The vulnerability occurred because activities were processed before verifying that the HTTP Signatures key belonged to the claimed actor. Now authentication verification is performed before activity processing to prevent actor impersonation attacks. [CVE-2025-54888]

Fedify 1.5.5

07 Aug 20:55
1.5.5
6a5ae7b

Released on August 8, 2025.

  • Fixed a critical authentication bypass vulnerability in the inbox handler that allowed unauthenticated attackers to impersonate any ActivityPub actor. The vulnerability occurred because activities were processed before verifying that the HTTP Signatures key belonged to the claimed actor. Now authentication verification is performed before activity processing to prevent actor impersonation attacks. [CVE-2025-54888]

Fedify 1.4.13

07 Aug 20:47
1.4.13
c3685a0

Released on August 8, 2025.

  • Fixed a critical authentication bypass vulnerability in the inbox handler that allowed unauthenticated attackers to impersonate any ActivityPub actor. The vulnerability occurred because activities were processed before verifying that the HTTP Signatures key belonged to the claimed actor. Now authentication verification is performed before activity processing to prevent actor impersonation attacks. [CVE-2025-54888]

Fedify 1.3.20

07 Aug 20:44
1.3.20
2d151e7

Released on August 8, 2025.

  • Fixed a critical authentication bypass vulnerability in the inbox handler that allowed unauthenticated attackers to impersonate any ActivityPub actor. The vulnerability occurred because activities were processed before verifying that the HTTP Signatures key belonged to the claimed actor. Now authentication verification is performed before activity processing to prevent actor impersonation attacks. [CVE-2025-54888]
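
The ordering problem behind CVE-2025-54888, as described in the 1.7.9, 1.6.8, 1.5.5, 1.4.13 and 1.3.20 notes above, shown as an added illustration that is not Fedify's code or its actual patch. It is a simplified inbox handler in which every name (`InboxRequest`, `keyOwner`, `replay`) and the 202/401 status codes are hypothetical stand-ins, and the sample requests are constructed.

```typescript
// Added illustration: a simplified model of an ActivityPub inbox handler.
// All names are hypothetical; this is not Fedify's API or its actual patch.

interface Activity { id: string; type: string; actor: string }

interface InboxRequest {
  // Owner of the key whose HTTP Signature verified, or null when the request
  // was unsigned or the signature was invalid (verification assumed done).
  keyOwner: string | null;
  activity: Activity;
}

interface Outcome { statuses: number[]; processed: string[] }

type Handler = (req: InboxRequest, processed: string[]) => number;

// The key that signed the request must belong to the actor the activity claims.
function keyBelongsToActor(req: InboxRequest): boolean {
  return req.keyOwner !== null && req.keyOwner === req.activity.actor;
}

// Ordering described as vulnerable: the activity is processed, then checked.
const processThenVerify: Handler = (req, processed) => {
  processed.push(req.activity.id); // side effect has already happened
  return keyBelongsToActor(req) ? 202 : 401;
};

// Ordering after the fix: verify ownership first, process only on success.
const verifyThenProcess: Handler = (req, processed) => {
  if (!keyBelongsToActor(req)) return 401;
  processed.push(req.activity.id);
  return 202;
};

// Constructed sample requests (example hosts are placeholders).
const SAMPLES: InboxRequest[] = [
  { keyOwner: "https://a.example/users/alice",
    activity: { id: "ok-1", type: "Create", actor: "https://a.example/users/alice" } },
  { keyOwner: "https://b.example/users/mallory",
    activity: { id: "spoof-1", type: "Create", actor: "https://a.example/users/alice" } },
  { keyOwner: null,
    activity: { id: "unsigned-1", type: "Create", actor: "https://a.example/users/alice" } },
];

// Replays the samples through a handler and records what was actually processed.
function replay(handler: Handler): Outcome {
  const processed: string[] = [];
  const statuses = SAMPLES.map((req) => handler(req, processed));
  return { statuses, processed };
}
```

Both orderings return the same status codes for these samples, so a regression test for this class of bug has to assert on what was processed, not on the response.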

Fedify 1.8.3

06 Aug 11:45
1.8.3
acaec86

Released on August 6, 2025.

@fedify/cli

  • Restored image resizing functionality in fedify lookup command by using the existing Jimp library for image manipulation. This properly displays icon and image fields with appropriate sizing in terminals.

  • Added support for Ghostty terminal emulator for image rendering in fedify lookup command.

Fedify 1.8.2

06 Aug 09:37
1.8.2
adf5d12

Released on August 6, 2025.

@fedify/cli

  • Fixed npx @fedify/cli command not working on various platforms by correcting the binary path resolution in the Node.js wrapper script.

  • Temporarily removed Sharp dependency to resolve installation issues across different platforms. As a result, fedify lookup command will no longer resize images when displaying them in the terminal. This is a temporary workaround and image resizing functionality will be restored in a future patch version using an alternative approach.

  • Fixed build artifact paths in GitHub Actions workflow to correctly reference CLI package location in the monorepo structure.

Fedify 1.8.1

06 Aug 07:25
1.8.1
24abaf2

Released on August 6, 2025. Note that 1.8.0 was skipped due to a mistake in the versioning.

  • The repository has been restructured as a monorepo, consolidating all Fedify packages into a single repository with unified versioning. This change affects the following packages:

    • @fedify/fedify (main library)
    • @fedify/cli (CLI toolchain)
    • @fedify/amqp (AMQP/RabbitMQ driver)
    • @fedify/express (Express integration)
    • @fedify/h3 (h3 framework integration)
    • @fedify/postgres (PostgreSQL drivers)
    • @fedify/redis (Redis drivers)

    All packages now follow the same version number and are released together. Previously, each package had independent versioning.

  • Several new packages have been added to the monorepo:

    • @fedify/elysia (Elysia integration)
    • @fedify/nestjs (NestJS integration)
    • @fedify/sqlite (SQLite drivers)
    • @fedify/testing (testing utilities)

@fedify/fedify

  • Added custom collection dispatchers. [#310, #332 by ChanHaeng Lee]

    • Added CustomCollectionDispatcher, CustomCollectionCounter, and CustomCollectionCursor types for custom collection dispatching.
    • Added CustomCollectionCallbackSetters type for setting custom collection callbacks.
    • Added CustomCollectionHandler class and handleCustomCollection() and handleOrderedCollection() functions to process custom collections.
    • Added setCollectionDispatcher() and setOrderedCollectionDispatcher() methods to the Federatable interface. Implemented in FederationBuilderImpl class.
    • Added getCollectionUri() method to the Context interface.
    • Added utility types ConstructorWithTypeId and ParamsKeyPath for custom collection dispatchers.
  • Key–value stores now optionally support CAS (compare-and-swap) operation for atomic updates. This is useful for implementing optimistic locking and preventing lost updates in concurrent environments.

    • Added optional KvStore.cas() method.
    • Added MemoryKvStore.cas() method.
    • Added DenoKvStore.cas() method.
  • Added useful functions for fediverse handles at @fedify/fedify/vocab. These functions simplify working with fediverse handles and URLs. [#278 by ChanHaeng Lee]

    • FediverseHandle: An interface representing a fediverse handle.
    • parseFediverseHandle(): A function to parse a fediverse handle into its components.
    • isFediverseHandle(): A function to check if a string is a valid fediverse handle.
    • toAcctUrl(): A function to convert a fediverse handle to a URL.
  • Added LookupWebFingerOptions.maxRedirection option. [#248, #281 by Lee ByeongJun]

  • APIs that make HTTP requests can now optionally take an AbortSignal. [#51, #315 by Hyunchae Kim]

    • Added DocumentLoaderOptions interface.
    • The DocumentLoader type can now optionally take a second parameter.
    • Added LookupObjectOptions.signal option.
    • Added LookupWebFingerOptions.signal option.
    • Added DoubleKnockOptions.signal option.

@fedify/cli

  • The fedify CLI now correctly disables color output when standard output isn't a TTY (for example, when redirecting to a file) or when the NO_COLOR environment variable is set. [#257, #341 by Cho Hasang]

  • Added fedify nodeinfo command, and deprecated fedify node command in favor of fedify nodeinfo. [#267, #331 by Hyeonseo Kim]

  • Added fedify webfinger command. This command allows users to look up WebFinger information for a given resource. [#260, #278 by ChanHaeng Lee]

    • The input can be a handle (e.g., @user@server, user@server) or a URL (e.g., https://server/users/path).
    • The --user-agent or -a option sets the User-Agent header value in the WebFinger request.
    • The --allow-private-address or -p option allows looking up WebFinger information for private addresses (e.g., localhost).
    • The --max-redirection option allows users to specify the maximum number of redirects to follow when performing WebFinger lookups. [#311, #328 by KeunHyeong Park]
  • The fedify lookup command now displays images depending on the user's terminal emulator. [#169, #348 by Jiwon Kwon]

  • Added -o/--output option to fedify lookup command. This option allows users to save retrieved lookup results to a specified path. [#261, #321 by Jiwon Kwon]

  • Added options to customize the temporary actor information when running fedify inbox command. [#262, #285 by Hasang Cho]

    • Added --actor-name option to customize the actor display name.
    • Added --actor-summary option to customize the actor description.
    • Both options provide sensible defaults when not specified.
  • The fedify inbox command now displays the type of the object contained in each activity, in addition to the activity's own type. [#191, #342 by Jang Hanarae]

  • Added --dry-run option to fedify init command. This option allows users to preview what files and configurations would be created without actually creating them. [#263, #298 by Lee ByeongJun]

  • Fixed a bug where the fedify nodeinfo command (formerly fedify node) failed to correctly render the favicon in terminal emulators that do not support 24-bit colors. [#168, #282, #304 by Hyeonseo Kim]

@fedify/elysia

  • Supported Elysia integration with the @fedify/elysia package. [#286, #339 by Hyeonseo Kim]

    • Added @fedify/elysia package.
    • Added fedify Elysia plugin for integrating Fedify into Elysia applications.

@fedify/nestjs

  • Supported NestJS integration with the @fedify/nestjs package. [#269, #309 by Jaeyeol Lee]

    • Added @fedify/nestjs package.
    • Added FedifyModule for integrating Fedify into NestJS applications.

@fedify/sqlite

  • Added SqliteKvStore, implementing KvStore using SQLite with the @fedify/sqlite package. Compatible with Bun, Deno, and Node.js. [#274, #318 by An Subin]

    • Added @fedify/sqlite package.
    • Added SqliteKvStore, a SQLite implementation of KvStore.

@fedify/testing

  • Added mock classes for Federation and Context interfaces to improve testability without requiring a real federation server setup. The mock classes track all sent activities with metadata and support all standard Fedify patterns including custom path registration and multiple activity type listeners. [#197, #283 by Lee ByeongJun]

    • Added @fedify/testing package.
    • Added MockFederation class.
    • Added MockContext class.

Fedify 1.7.8

05 Aug 07:13
1.7.8
62a227c

Released on August 5, 2025.

  • Updated kvCache() wrapper to read from preloaded contexts rather than from the KvStore. This saves network and disk overheads when parsing activities and objects using the JSON-LD processor. [#352 by Fabien O'Carroll]