Fedify 1.9.1

Released on October 31, 2025.

@fedify/testing

• Fixed JSR publishing hanging indefinitely at the processing stage by hiding complex type exports from the public API. The JSR type analyzer struggled with complex type dependencies when analyzing the MockFederation, TestFederation, TestContext, and SentActivity types, causing indefinite hangs during the processing stage. [#468]

  • Breaking change: MockFederation class is no longer exported from the public API. Use createFederation() factory function instead.
  • TestFederation<TContextData>, TestContext<TContextData>, and SentActivity interfaces are no longer exported from the public API, but their types are still inferred from createFederation() return type and can be used via TypeScript's type inference.

@fedify/cli

• Fixed fedify command failing on Windows with PermissionDenied error when trying to locate or execute package managers during initialization. The CLI now properly handles *.cmd and *.bat files on Windows by invoking them through cmd /c. [#463]

Fedify 1.8.14

Released on October 19, 2025.

@fedify/testing

• Fixed JSR publishing hanging indefinitely at the processing stage. The issue was caused by TypeScript function overload signatures in MockContext and MockFederation classes that triggered a bug in JSR's type analyzer. All method overloads have been removed and simplified to use any types where necessary. [#468, #470]

@fedify/cli

• Fixed fedify command failing on Windows with PermissionDenied error when trying to locate or execute package managers during initialization. The CLI now properly handles *.cmd and *.bat files on Windows by invoking them through cmd /c. [#463]

Fedify 1.9.0

Released on October 14, 2025.

@fedify/fedify

• Implemented FEP-fe34 origin-based security model to protect against content spoofing attacks and ensure secure federation practices. The security model enforces same-origin policy for ActivityPub objects and their properties, preventing malicious actors from impersonating content from other servers. [#440]

  • Added crossOrigin option to Activity Vocabulary property accessors (get*() methods) with three security levels: "ignore" (default, logs warning and returns null), "throw" (throws error), and "trust" (bypasses checks).
  • Added LookupObjectOptions.crossOrigin option to lookupObject() function and Context.lookupObject() method for controlling cross-origin validation.
  • Embedded objects are now validated against their parent object's origin and only trusted when they share the same origin or are explicitly marked as trusted.
  • Property hydration now respects origin-based security, automatically performing remote fetches when embedded objects have different origins.
  • Internal trust tracking system maintains security context throughout object lifecycles (construction, cloning, and property access).

• Added withIdempotency() method to configure activity idempotency strategies for inbox processing. This addresses issue #441 where activities with the same ID sent to different inboxes were incorrectly deduplicated globally instead of per-inbox. [#441]

  • Added IdempotencyStrategy type.
  • Added IdempotencyKeyCallback type.
  • Added InboxListenerSetters.withIdempotency() method.
  • By default, "per-origin" strategy is used for backward compatibility. This will change to "per-inbox" in Fedify 2.0. We recommend explicitly setting the strategy to avoid unexpected behavior changes.

• Fixed handling of ActivityPub objects containing relative URLs. The Activity Vocabulary classes now automatically resolve relative URLs by inferring the base URL from the object's @id or document URL, eliminating the need for manual baseUrl specification in most cases. This improves interoperability with ActivityPub servers that emit relative URLs in properties like icon.url and image.url. [#411, #443 by Jiwon Kwon]

• Added TypeScript support for all RFC 6570 URI Template expression types in dispatcher path parameters. Previously, only simple string expansion ({identifier}) was supported in TypeScript types, while the runtime already supported all RFC 6570 expressions. Now TypeScript accepts all expression types including {+identifier} (reserved string expansion, recommended for URI identifiers), {#identifier} (fragment expansion), {.identifier} (label expansion), {/identifier} (path segments), {;identifier} (path-style parameters), {?identifier} (query component), and {&identifier} (query continuation). [#426, #446 by Jiwon Kwon]

  • Added Rfc6570Expression<TParam> type helper.
  • Updated all dispatcher path type parameters to accept RFC 6570 expressions: setActorDispatcher(), setObjectDispatcher(), setInboxDispatcher(), setOutboxDispatcher(), setFollowingDispatcher(), setFollowersDispatcher(), setLikedDispatcher(), setFeaturedDispatcher(), setFeaturedTagsDispatcher(), setInboxListeners(), setCollectionDispatcher(), and setOrderedCollectionDispatcher().

• Added inverse properties for collections to Vocabulary API. [FEP-5711, #373, #381 by Jiwon Kwon]

  • new Collection() constructor now accepts likesOf option.
  • Added Collection.likesOfId property.
  • Added Collection.getLikesOf() method.
  • new Collection() constructor now accepts sharesOf option.
  • Added Collection.sharedOfId property.
  • Added Collection.getSharedOf() method.
  • new Collection() constructor now accepts repliesOf option.
  • Added Collection.repliesOfId property.
  • Added Collection.getRepliesOf() method.
  • new Collection() constructor now accepts inboxOf option.
  • Added Collection.inboxOfId property.
  • Added Collection.getInboxOf() method.
  • new Collection() constructor now accepts outboxOf option.
  • Added Collection.outboxOfId property.
  • Added Collection.getOutboxOf() method.
  • new Collection() constructor now accepts followersOf option.
  • Added Collection.followersOfId property.
  • Added Collection.getFollowersOf() method.
  • new Collection() constructor now accepts followingOf option.
  • Added Collection.followingOfId property.
  • Added Collection.getFollowingOf() method.
  • new Collection() constructor now accepts likedOf option.
  • Added Collection.likedOfId property.
  • Added Collection.getLikedOf() method.

• Changed how parseSoftware() function handles non-Semantic Versioning number strings on tryBestEffort mode. [#353, #365 by Hyeonseo Kim]

• Separated modules from @fedify/fedify/x into dedicated packages to improve modularity and reduce bundle size. The existing integration functions in @fedify/fedify/x are now deprecated and will be removed in version 2.0.0. [#375 by Chanhaeng Lee]

  • Deprecated @fedify/fedify/x/cfworkers in favor of @fedify/cfworkers.
  • Deprecated @fedify/fedify/x/denokv in favor of @fedify/denokv.
  • Deprecated @fedify/fedify/x/hono in favor of @fedify/hono.
  • Deprecated @fedify/fedify/x/sveltekit in favor of @fedify/sveltekit.

• Extended Link from @fedify/fedify/webfinger to support OStatus 1.0 Draft 2. [#402, #404 by Hyeonseo Kim]

  • Added an optional template field to the Link interface.
  • Changed the href field optional from the Link interface according to RFC 7033 Section 4.4.4.3.

• Added Federatable.setWebFingerLinksDispatcher() method to set additional links to WebFinger. [#119, #407 by HyeonseoKim]

• Added CommonJS support alongside ESM for better NestJS integration and broader Node.js ecosystem compatibility. This eliminates the need for Node.js's --experimental-require-module flag and resolves dual package hazard issues. [#429, #431]

@fedify/cli

• Added Next.js option to fedify init command. This option allows users to initialize a new Fedify project with Next.js integration. [#313 by Chanhaeng Lee]

• Changed how fedify nodeinfo command handles non-Semantic Versioning number strings on -b/--best-effort mode. Now it uses the same logic as the parseSoftware() function in the @fedify/fedify package, which allows it to parse non-Semantic Versioning number strings more flexibly. [#353, #365 by Hyeonseo Kim]]

• Added -T/--timeout option to fedify lookup command. This option allows users to specify timeout in seconds for network requests to prevent hanging on slow or unresponsive servers. [[#258], #372 by Hyunchae Kim]

@fedify/amqp

• Added CommonJS support alongside ESM for better compatibility with CommonJS-based Node.js applications. [#429, #431]

@fedify/cfworkers

• Created Cloudflare Workers integration as the @fedify/cfworkers package. Separated from @fedify/fedify/x/cfworkers to improve modularity and reduce bundle size. [#375 by Chanhaeng Lee]

@fedify/denokv

• Created Deno KV integration as the @fedify/denokv package. Separated from @fedify/fedify/x/denokv to improve modularity and reduce bundle size. [#375 by Chanhaeng Lee]

@fedify/elysia

• Added CommonJS support alongside ESM for better compatibility with CommonJS-based Node.js applications. [#429, #431]

@fedify/express

• Added CommonJS support alongside ESM for better compatibility with CommonJS-based Node.js applications. [#429, #431]

@fedify/fastify

• Created Fastify integration as the @fedify/fastify package. [#151, #450 by An Subin]

  • Added fedifyPlugin() function for integrating Fedify into Fastify applications.
  • Converts...

Fedify 1.8.13

Released on October 10, 2025.

@fedify/fedify

• Fixed inconsistent encoding/decoding of URI template identifiers with special characters. Updated uri-template-router to version 1.0.0, which properly decodes percent-encoded characters in URI template variables according to RFC 6570. This resolves issues where identifiers containing URIs (e.g., https%3A%2F%2Fexample.com) were being inconsistently decoded in dispatcher callbacks and double-encoded in collection URLs. [#416]

Fedify 1.8.12

Released on September 20, 2025.

@fedify/sqlite

• Fixed bundling issues where incorrect import paths to node_modules were included in the bundled output. The @js-temporal/polyfill dependency was moved from devDependencies to dependencies to ensure proper bundling.

Fedify 1.8.11

Released on September 17, 2025.

• Improved the AT Protocol URI workaround to handle all DID methods and edge cases. The fix now properly percent-encodes any authority component in at:// URIs, supporting did:web, did:key, and other DID methods beyond just did:plc. Also handles URIs without path components correctly. [#436]

Fedify 1.7.13

Released on September 17, 2025.

• Improved the AT Protocol URI workaround to handle all DID methods and edge cases. The fix now properly percent-encodes any authority component in at:// URIs, supporting did:web, did:key, and other DID methods beyond just did:plc. Also handles URIs without path components correctly. [#436]

Fedify 1.6.12

Released on September 17, 2025.

• Improved the AT Protocol URI workaround to handle all DID methods and edge cases. The fix now properly percent-encodes any authority component in at:// URIs, supporting did:web, did:key, and other DID methods beyond just did:plc. Also handles URIs without path components correctly. [#436]

Fedify 1.5.9

Released on September 17, 2025.

• Improved the AT Protocol URI workaround to handle all DID methods and edge cases. The fix now properly percent-encodes any authority component in at:// URIs, supporting did:web, did:key, and other DID methods beyond just did:plc. Also handles URIs without path components correctly. [#436]

Fedify 1.4.17

Released on September 17, 2025.

• Improved the AT Protocol URI workaround to handle all DID methods and edge cases. The fix now properly percent-encodes any authority component in at:// URIs, supporting did:web, did:key, and other DID methods beyond just did:plc. Also handles URIs without path components correctly. [#436]