Releases: fedify-dev/fedify
Fedify 0.10.2
Released on July 9, 2024.
-
Fixed a vulnerability of SSRF via DNS rebinding in the built-in document loader. [CVE-2024-39687]
- The
fetchDocumentLoader()function now throws an error when the given domain name has any records referring to a private network address. - The
getAuthenticatedDocumentLoader()function now returns a document loader that throws an error when the given domain name has any records referring to a private network address.
- The
Fedify 0.9.3
Released on July 9, 2024.
-
Fixed a vulnerability of SSRF via DNS rebinding in the built-in document loader. [CVE-2024-39687]
- The
fetchDocumentLoader()function now throws an error when the given domain name has any records referring to a private network address. - The
getAuthenticatedDocumentLoader()function now returns a document loader that throws an error when the given domain name has any records referring to a private network address.
- The
Fedify 0.11.1
Released on July 5, 2024.
-
Fixed a SSRF vulnerability in the built-in document loader. [CVE-2024-39687]
- The
fetchDocumentLoader()function now throws an error when the given URL is not an HTTP or HTTPS URL or refers to a private network address. - The
getAuthenticatedDocumentLoader()function now returns a document loader that throws an error when the given URL is not an HTTP or HTTPS URL or refers to a private network address.
- The
Fedify 0.10.1
Released on July 5, 2024.
-
Fixed a SSRF vulnerability in the built-in document loader. [CVE-2024-39687]
- The
fetchDocumentLoader()function now throws an error when the given URL is not an HTTP or HTTPS URL or refers to a private network address. - The
getAuthenticatedDocumentLoader()function now returns a document loader that throws an error when the given URL is not an HTTP or HTTPS URL or refers to a private network address.
- The
Fedify 0.9.2
Released on July 5, 2024.
-
Fixed a SSRF vulnerability in the built-in document loader. [CVE-2024-39687]
- The
fetchDocumentLoader()function now throws an error when the given URL is not an HTTP or HTTPS URL or refers to a private network address. - The
getAuthenticatedDocumentLoader()function now returns a document loader that throws an error when the given URL is not an HTTP or HTTPS URL or refers to a private network address.
- The
Fedify 0.11.0
Released on June 29, 2024.
-
Improved runtime type error messages for Activity Vocabulary API. [#79]
-
Added
suppressErroroption to dereferencing accessors of Activity Vocabulary classes. -
Added more collection dispatchers. [#78]
- Added
Federation.setInboxDispatcher()method. [#71] - Added
Federation.setLikedDispatcher()method. - Added
Context.getLikedUri()method. - Added
{ type: "liked"; handle: string }case toParseUriResulttype. - Renamed
linkedproperty (which was a typo) tolikedinApplication,Group,Organization,Person, andServiceclasses. - Added
Federation.setFeaturedDispatcher()method. - Added
Context.getFeaturedUri()method. - Added
{ type: "featured"; handle: string }case toParseUriResulttype. - Added
Federation.setFeaturedTagsDispatcher()method. - Added
Context.getFeaturedTagsUri()method. - Added
{ type: "featuredTags"; handle: string }case toParseUriResulttype.
- Added
-
Frequently used JSON-LD contexts are now preloaded. [#74]
-
The
fetchDocumentLoader()function now preloads the following JSON-LD contexts: -
The default
rulesforkvCache()function are now 5 minutes for all URLs.
-
-
Added
Inviteclass to Activity Vocabulary API. [#65, #80 by Randy Wressell] -
Added
Joinclass to Activity Vocabulary API. [#65, #80 by Randy Wressell] -
Added
Leaveclass to Activity Vocabulary API. [#65, #80 by Randy Wressell] -
Added
Listenclass to Activity Vocabulary API. [#65, #80 by Randy Wressell] -
Added
Offerclass to Activity Vocabulary API. [#65, #76 by Lee Dogeon] -
The below properties of
CollectionandCollectionPagein Activity Vocabulary API now do not acceptLinkobjects:Collection.currentCollection.firstCollection.lastCollectionPage.partOfCollectionPage.nextCollectionPage.prev
-
Added
featuredproperty toActortypes in Activity Vocabulary API. [#78]- Added
Application.getFeatured()method. - Added
Application.featuredIdproperty. new Application()constructor now acceptsfeaturedoption.Application.clone()method now acceptsfeaturedoption.- Added
Group.getFeatured()method. - Added
Group.featuredIdproperty. new Group()constructor now acceptsfeaturedoption.Group.clone()method now acceptsfeaturedoption.- Added
Organization.getFeatured()method. - Added
Organization.featuredIdproperty. new Organization()constructor now acceptsfeaturedoption.Organization.clone()method now acceptsfeaturedoption.- Added
Person.getFeatured()method. - Added
Person.featuredIdproperty. new Person()constructor now acceptsfeaturedoption.Person.clone()method now acceptsfeaturedoption.- Added
Service.getFeatured()method. - Added
Service.featuredIdproperty. new Service()constructor now acceptsfeaturedoption.Service.clone()method now acceptsfeaturedoption.
- Added
-
Added
featuredTagsproperty toActortypes in Activity Vocabulary API. [#78]- Added
Application.getFeaturedTags()method. - Added
Application.featuredTagsIdproperty. new Application()constructor now acceptsfeaturedTagsoption.Application.clone()method now acceptsfeaturedTagsoption.- Added
Group.getFeaturedTags()method. - Added
Group.featuredTagsIdproperty. new Group()constructor now acceptsfeaturedTagsoption.Group.clone()method now acceptsfeaturedTagsoption.- Added
Organization.getFeaturedTags()method. - Added
Organization.featuredTagsIdproperty. new Organization()constructor now acceptsfeaturedTagsoption.Organization.clone()method now acceptsfeaturedTagsoption.- Added
Person.getFeaturedTags()method. - Added
Person.featuredTagsIdproperty. new Person()constructor now acceptsfeaturedTagsoption.Person.clone()method now acceptsfeaturedTagsoption.- Added
Service.getFeaturedTags()method. - Added
Service.featuredTagsIdproperty. new Service()constructor now acceptsfeaturedTagsoption.Service.clone()method now acceptsfeaturedTagsoption.
- Added
-
Added
targetproperty toActivityclass in Activity Vocabulary API.- Added
Activity.getTarget()method. - Added
Activity.getTargets()method. - Added
Activity.targetIdproperty. - Added
Activity.targetIdsproperty. new Activity()constructor now acceptstargetoption.new Activity()constructor now acceptstargetsoption.Activity.clone()method now acceptstargetoption.Activity.clone()method now acceptstargetsoption.
- Added
-
Added
resultproperty toActivityclass in Activity Vocabulary API.- Added
Activity.getResult()method. - Added
Activity.getResults()method. - Added
Activity.resultIdproperty. - Added
Activity.resultIdsproperty. new Activity()constructor now acceptsresultoption.new Activity()constructor now acceptsresultsoption.Activity.clone()method now acceptsresultoption.Activity.clone()method now acceptsresultsoption.
- Added
-
Added
originproperty toActivityclass in Activity Vocabulary API.- Added
Activity.getOrigin()method. - Added
Activity.getOrigins()method. - Added
Activity.originIdproperty. - Added
Activity.originIdsproperty. new Activity()constructor now acceptsoriginoption.new Activity()constructor now acceptsoriginsoption.Activity.clone()method now acceptsoriginoption.Activity.clone()method now acceptsoriginsoption.
- Added
-
Added
instrumentproperty toActivityclass in Activity Vocabulary API.- Added
Activity.getInstrument()method. - Added
Activity.getInstruments()method. - Added
Activity.instrumentIdproperty. - Added
Activity.instrumentIdsproperty. new Activity()constructor now acceptsinstrumentoption.new Activity()constructor now acceptsinstrumentsoption.Activity.clone()method now acceptsinstrumentoption.Activity.clone()method now acceptsinstrumentsoption.
- Added
-
The
itemsproperty ofOrderedCollectionandOrderedCollectionPagein Activity Vocabulary API is now represented asorderedItems(wasitems) in JSON-LD. -
The key pair or the key pair for signing outgoing HTTP requests made from the shared inbox now can be configured. This improves the compatibility with other ActivityPub implementations that require authorized fetches (i.e., secure mode).
- Added
SharedInboxKeyDispatchertype. - Renamed
InboxListenerSetterinterface toInboxListenerSetters. - Added
InboxListenerSetters.setSharedKeyDispatcher()method.
- Added
-
Followed up the change in
eddsa-jcs-2022specification for Object Integrity Proofs. [FEP-8b32, #54]
Fedify 0.10.0
Released on June 18, 2024.
Starting with this release, Fedify, previously distributed under AGPL 3.0, is now distributed under the MIT License to encourage wider adoption.
-
Besides RSA-PKCS#1-v1.5, Fedify now supports Ed25519 for signing and verifying the activities. [#55]
- Added an optional parameter to
generateCryptoKeyPair()function,algorithm, which can be either"RSASSA-PKCS1-v1_5"or"Ed25519". - The
importJwk()function now accepts Ed25519 keys. - The
exportJwk()function now exports Ed25519 keys. - The
importSpki()function now accepts Ed25519 keys. - The
exportJwk()function now exports Ed25519 keys.
- Added an optional parameter to
-
Now multiple key pairs can be registered for an actor. [FEP-521a, #55]
- Added
Context.getActorKeyPairs()method. - Deprecated
Context.getActorKey()method. UseContext.getActorKeyPairs()method instead. - Added
ActorKeyPairinterface. - Added
ActorCallbackSetters.setKeyPairsDispatcher()method. - Added
ActorKeyPairsDispatchertype. - Deprecated
ActorCallbackSetters.setKeyPairDispatcher()method. - Deprecated
ActorKeyPairDispatchertype. - Deprecated the third parameter of the
ActorDispatchercallback type. UseContext.getActorKeyPairs()method instead.
- Added
-
Added
Multikeyclass to Activity Vocabulary API. [FEP-521a, #55]- Added
importMultibaseKey()function. - Added
exportMultibaseKey()function.
- Added
-
Added
assertionMethodproperty to theActortypes in the Activity Vocabulary API. [FEP-521a, #55]- Added
Application.getAssertionMethod()method. - Added
Application.getAssertionMethods()method. new Application()constructor now acceptsassertionMethodoption.new Application()constructor now acceptsassertionMethodsoption.Application.clone()method now acceptsassertionMethodoption.Application.clone()method now acceptsassertionMethodsoption.- Added
Group.getAssertionMethod()method. - Added
Group.getAssertionMethods()method. new Group()constructor now acceptsassertionMethodoption.new Group()constructor now acceptsassertionMethodsoption.Group.clone()method now acceptsassertionMethodoption.Group.clone()method now acceptsassertionMethodsoption.- Added
Organization.getAssertionMethod()method. - Added
Organization.getAssertionMethods()method. new Organization()constructor now acceptsassertionMethodoption.new Organization()constructor now acceptsassertionMethodsoption.Organization.clone()method now acceptsassertionMethodoption.Organization.clone()method now acceptsassertionMethodsoption.- Added
Person.getAssertionMethod()method. - Added
Person.getAssertionMethods()method. new Person()constructor now acceptsassertionMethodoption.new Person()constructor now acceptsassertionMethodsoption.Person.clone()method now acceptsassertionMethodoption.Person.clone()method now acceptsassertionMethodsoption.- Added
Service.getAssertionMethod()method. - Added
Service.getAssertionMethods()method. new Service()constructor now acceptsassertionMethodoption.new Service()constructor now acceptsassertionMethodsoption.Service.clone()method now acceptsassertionMethodoption.Service.clone()method now acceptsassertionMethodsoption.
- Added
-
Added
DataIntegrityProofclass to Activity Vocabulary API. [FEP-8b32, #54] -
Added
proofproperty to theObjectclass in the Activity Vocabulary API. [FEP-8b32, #54]- Added
Object.getProof()method. - Added
Object.getProofs()method. new Object()constructor now acceptsproofoption.new Object()constructor now acceptsproofsoption.Object.clone()method now acceptsproofoption.Object.clone()method now acceptsproofsoption.
- Added
-
Implemented Object Integrity Proofs. [FEP-8b32, #54]
- If there are any Ed25519 key pairs, the
Context.sendActivity()andFederation.sendActivity()methods now make Object Integrity Proofs for the activity to be sent. - If the incoming activity has Object Integrity Proofs, the inbox listener now verifies them and ignores HTTP Signatures (if any).
- Added
signObject()function. - Added
SignObjectOptionsinterface. - Added
createProof()function. - Added
CreateProofOptionsinterface. - Added
verifyObject()function. - Added
VerifyObjectOptionsinterface. - Added
verifyProof()function. - Added
VerifyProofOptionsinterface. - Added
fetchKey()function. - Added
FetchKeyOptionsinterface. - Added
SenderKeyPairinterface. - The type of
Federation.sendActivity()method's first parameter becameSenderKeyPair[](was{ keyId: URL; privateKey: CryptoKey }). - The
Context.sendActivity()method's first parameter now acceptsSenderKeyPair[]as well.
- If there are any Ed25519 key pairs, the
-
In the future,
Federationclass will become an interface. For the forward compatibility, the following changes are made:- Added
createFederation()function. - Added
CreateFederationOptionsinterface. - Deprecated
new Federation()constructor. UsecreateFederation()function instead. - Deprecated
FederationParametersinterface.
- Added
-
Added
Arriveclass to Activity Vocabulary API. [#65, #68 by Randy Wressell] -
Added
Questionclass to Activity Vocabulary API. -
Added
contextoption toObject.toJsonLd()method. This applies to any subclasses of theObjectclass too. -
Deprecated
treatHttpsoption inFederationParametersinterface. Instead, use the x-forwarded-fetch library to recognize theX-Forwarded-HostandX-Forwarded-Protoheaders. -
Removed the
Federation.handle()method which was deprecated in version 0.6.0. -
Removed the
integrateHandlerOptions()function from@fedify/fedify/x/freshwhich was deprecated in version 0.6.0. -
Ephemeral actors and inboxes that the
fedify inboxcommand spawns are now more interoperable with other ActivityPub implementations.- Ephemeral actors now have the following properties:
summary,following,followers,outbox,manuallyApprovesFollowers, andurl. - Improved the compatibility of the
fedify inboxcommand with Misskey and Mitra.
- Ephemeral actors now have the following properties:
-
Added more log messages using the LogTape library. Currently the below logger categories are used:
["fedify", "sig", "proof"]["fedify", "sig", "key"]["fedify", "vocab", "lookup"]["fedify", "webfinger", "lookup"]
Fedify 0.9.1
Released on June 13, 2024.
- Fixed a bug of Activity Vocabulary API that
clone()method of Vocabulary classes had not cloned theidproperty from the source object.
Fedify 0.9.0
Released on June 2, 2024.
-
Added
Tombstoneclass to Activity Vocabulary API. -
Added
Hashtagclass to Activity Vocabulary API. [#48] -
Added
Emojiclass to Activity Vocabulary API. [#48] -
Added an actor handle normalization function.
- Added
normalizeActorHandle()function. - Added
NormalizeActorHandleOptionsinterface. - The
getActorHandle()function now guarantees that the returned actor handle is normalized. - Added the second optional parameter to
getActorHandle()function. - The return type of
getActorHandle()function becamePromise<`@${string}@${string}` | `${string}@${string}`>(wasPromise<`@${string}@${string}`>).
- Added
-
Added
excludeBaseUrisoption toContext.sendActivity()andFederation.sendActivity()methods.- Added
SendActivityOptions.excludeBaseUrisproperty. - Added
ExtractInboxesParameters.excludeBaseUrisproperty.
- Added
-
The
Contextnow can parse URIs of objects, inboxes, and collections as well as actors.- Added
Context.parseUri()method. - Added
ParseUriResulttype. - Deprecated
Context.getHandleFromActorUri()method.
- Added
-
The time window for signature verification is now configurable. [#52]
- The default time window for signature verification is now a minute (was 30 seconds).
- Added
signatureTimeWindowoption toFederationParametersinterface. - Added
VerifyOptionsinterface. - The signature of the
verify()function is revamped; it now optionally takes aVerifyOptionsobject as the second parameter.
-
Renamed the
@fedify/fedify/httpsigmodule to@fedify/fedify/sig, and also:- Deprecated
sign()function. UsesignRequest()instead. - Deprecated
verify()function. UseverifyRequest()instead. - Deprecated
VerifyOptionsinterface. UseVerifyRequestOptionsinstead.
- Deprecated
-
When signing an HTTP request, the
algorithmparameter is now added to theSignatureheader. This change improves the compatibility with Misskey and other implementations that require thealgorithmparameter. -
Added more log messages using the LogTape library. Currently the below logger categories are used:
["fedify", "federation", "actor"]["fedify", "federation", "http"]["fedify", "sig", "http"]["fedify", "sig", "key"]["fedify", "sig", "owner"]
Fedify 0.8.0
Released on May 6, 2024.
-
The CLI toolchain for testing and debugging is now available on JSR: @fedify/cli. You can install it with
deno install -A --unstable-fs --unstable-kv --unstable-temporal -n fedify jsr:@fedify/cli, or download a standalone executable from the releases page.- Added
fedifycommand. - Added
fedify lookupsubcommand. - Added
fedify inboxsubcommand.
- Added
-
Implemented followers collection synchronization mechanism.
- Added
RequestContext.sendActivity()overload that takes"followers"as the second parameter. - Added the second type parameter to
CollectionCallbackSettersinterface. - Added the second type parameter to
CollectionDispatchertype. - Added the fourth parameter to
CollectionDispatchertype. - Added the second type parameter to
CollectionCountertype. - Added the third parameter to
CollectionCountertype. - Added the second type parameter to
CollectionCursortype. - Added the third parameter to
CollectionCursortype.
- Added
-
Relaxed the required type for activity recipients.
- Added
Recipientinterface. - The type of the second parameter of
Context.sendActivity()method becameRecipient | Recipient[](wasActor | Actor[]). However, sinceRecipientis a supertype ofActor, the existing code should work without any change.
- Added
-
Followers collection now has to consist of
Recipientobjects only. (It could consist ofURLs as well asActors before.)- The type of
Federation.setFollowersDispatcher()method's second parameter becameCollectionDispatcher<Recipient, TContextData, URL>(wasCollectionDispatcher<Actor | URL, TContextData>).
- The type of
-
Some of the responsibility of a document loader was separated to a context loader and a document loader.
- Added
contextLoaderoption to constructors,fromJsonLd()static methods,clone()methods, and all non-scalar accessors (get*()) of Activity Vocabulary classes. - Renamed
documentLoaderoption tocontextLoaderintoJsonLd()methods of Activity Vocabulary objects. - Added
contextLoaderoption toLookupObjectOptionsinterface. - Added
contextLoaderproperty toContextinterface. - Added
contextLoaderoption toFederationParametersinterface. - Renamed
documentLoaderoption tocontextLoaderinRespondWithObjectOptionsinterface. - Added
GetKeyOwnerOptionsinterface. - The type of the second parameter of
getKeyOwner()function becameGetKeyOwnerOptions(wasDocumentLoader). - Added
DoesActorOwnKeyOptionsinterface. - The type of the third parameter of
doesActorOwnKey()function becameDoesActorOwnKeyOptions(wasDocumentLoader).
- Added
-
Added
widthandheightproperties toDocumentclass for better compatibility with Mastodon. [#47]- Added
Document.widthproperty. - Added
Document.heightproperty. new Document()constructor now acceptswidthoption.new Document()constructor now acceptsheightoption.Document.clone()method now acceptswidthoption.Document.clone()method now acceptsheightoption.
- Added
-
Removed the dependency on @js-temporal/polyfill on Deno, and Fedify now requires
--unstable-temporalflag. On other runtime, it still depends on @js-temporal/polyfill. -
Added more log messages using the LogTape library. Currently the below logger categories are used:
["fedify", "federation", "collection"]["fedify", "httpsig", "verify"]["fedify", "runtime", "docloader"]
-
Fixed a bug where the authenticated document loader had thrown
InvalidUrlerror when the URL redirection was involved in Bun. -
Fixed a bug of
lookupObject()that it had failed to look up the actor object when WebFinger response had no links with"type": "application/activity+json"but had"type": "application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\"".