Skip to content

Fedify changelog

Version 0.12.0

To be released.

Version 0.11.3

Released on July 15, 2024.

Version 0.11.2

Released on July 9, 2024.

  • Fixed a vulnerability of SSRF via DNS rebinding in the built-in document loader. [CVE-2024-39687]

    • The fetchDocumentLoader() function now throws an error when the given domain name has any records referring to a private network address.
    • The getAuthenticatedDocumentLoader() function now returns a document loader that throws an error when the given domain name has any records referring to a private network address.

Version 0.11.1

Released on July 5, 2024.

  • Fixed a SSRF vulnerability in the built-in document loader. [CVE-2024-39687]

    • The fetchDocumentLoader() function now throws an error when the given URL is not an HTTP or HTTPS URL or refers to a private network address.
    • The getAuthenticatedDocumentLoader() function now returns a document loader that throws an error when the given URL is not an HTTP or HTTPS URL or refers to a private network address.

Version 0.11.0

Released on June 29, 2024.

Version 0.10.2

Released on July 9, 2024.

  • Fixed a vulnerability of SSRF via DNS rebinding in the built-in document loader. [CVE-2024-39687]

    • The fetchDocumentLoader() function now throws an error when the given domain name has any records referring to a private network address.
    • The getAuthenticatedDocumentLoader() function now returns a document loader that throws an error when the given domain name has any records referring to a private network address.

Version 0.10.1

Released on July 5, 2024.

  • Fixed a SSRF vulnerability in the built-in document loader. [CVE-2024-39687]

    • The fetchDocumentLoader() function now throws an error when the given URL is not an HTTP or HTTPS URL or refers to a private network address.
    • The getAuthenticatedDocumentLoader() function now returns a document loader that throws an error when the given URL is not an HTTP or HTTPS URL or refers to a private network address.

Version 0.10.0

Released on June 18, 2024.

Starting with this release, Fedify, previously distributed under AGPL 3.0, is now distributed under the MIT License to encourage wider adoption.

Version 0.9.3

Released on July 9, 2024.

  • Fixed a vulnerability of SSRF via DNS rebinding in the built-in document loader. [CVE-2024-39687]

    • The fetchDocumentLoader() function now throws an error when the given domain name has any records referring to a private network address.
    • The getAuthenticatedDocumentLoader() function now returns a document loader that throws an error when the given domain name has any records referring to a private network address.

Version 0.9.2

Released on July 5, 2024.

  • Fixed a SSRF vulnerability in the built-in document loader. [CVE-2024-39687]

    • The fetchDocumentLoader() function now throws an error when the given URL is not an HTTP or HTTPS URL or refers to a private network address.
    • The getAuthenticatedDocumentLoader() function now returns a document loader that throws an error when the given URL is not an HTTP or HTTPS URL or refers to a private network address.

Version 0.9.1

Released on June 13, 2024.

  • Fixed a bug of Activity Vocabulary API that clone() method of Vocabulary classes had not cloned the id property from the source object.

Version 0.9.0

Released on June 2, 2024.

  • Added Tombstone class to Activity Vocabulary API.

  • Added Hashtag class to Activity Vocabulary API. [#48]

  • Added Emoji class to Activity Vocabulary API. [#48]

  • Added an actor handle normalization function.

  • Added excludeBaseUris option to Context.sendActivity() and Federation.sendActivity() methods.

  • The Context now can parse URIs of objects, inboxes, and collections as well as actors.

  • The time window for signature verification is now configurable. [#52]

    • The default time window for signature verification is now a minute (was 30 seconds).
    • Added signatureTimeWindow option to FederationParameters interface.
    • Added VerifyOptions interface.
    • The signature of the verify() function is revamped; it now optionally takes a VerifyOptions object as the second parameter.
  • Renamed the @fedify/fedify/httpsig module to @fedify/fedify/sig, and also:

  • When signing an HTTP request, the algorithm parameter is now added to the Signature header. This change improves the compatibility with Misskey and other implementations that require the algorithm parameter.

  • Added more log messages using the LogTape library. Currently the below logger categories are used:

    • ["fedify", "federation", "actor"]
    • ["fedify", "federation", "http"]
    • ["fedify", "sig", "http"]
    • ["fedify", "sig", "key"]
    • ["fedify", "sig", "owner"]

Version 0.8.0

Released on May 6, 2024.

  • The CLI toolchain for testing and debugging is now available on JSR: @fedify/cli. You can install it with deno install -A --unstable-fs --unstable-kv --unstable-temporal -n fedify jsr:@fedify/cli, or download a standalone executable from the releases page.

    • Added fedify command.
    • Added fedify lookup subcommand.
    • Added fedify inbox subcommand.
  • Implemented followers collection synchronization mechanism.

  • Relaxed the required type for activity recipients.

    • Added Recipient interface.
    • The type of the second parameter of Context.sendActivity() method became Recipient | Recipient[] (was Actor | Actor[]). However, since Recipient is a supertype of Actor, the existing code should work without any change.
  • Followers collection now has to consist of Recipient objects only. (It could consist of URLs as well as Actors before.)

    • The type of Federation.setFollowersDispatcher() method's second parameter became CollectionDispatcher<Recipient, TContextData, URL> (was CollectionDispatcher<Actor | URL, TContextData>).
  • Some of the responsibility of a document loader was separated to a context loader and a document loader.

  • Added width and height properties to Document class for better compatibility with Mastodon. [#47]

  • Removed the dependency on @js-temporal/polyfill on Deno, and Fedify now requires --unstable-temporal flag. On other runtime, it still depends on @js-temporal/polyfill.

  • Added more log messages using the LogTape library. Currently the below logger categories are used:

    • ["fedify", "federation", "collection"]
    • ["fedify", "httpsig", "verify"]
    • ["fedify", "runtime", "docloader"]
  • Fixed a bug where the authenticated document loader had thrown InvalidUrl error when the URL redirection was involved in Bun.

  • Fixed a bug of lookupObject() that it had failed to look up the actor object when WebFinger response had no links with "type": "application/activity+json" but had "type": "application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\"".

Version 0.7.0

Released on April 23, 2024.

Version 0.6.1

Released on April 17, 2024.

  • Fixed a bug of new Federation() constructor that if it is once called the process will never exit. [#39]

Version 0.6.0

Released on April 9, 2024.

Version 0.5.2

Released on April 17, 2024.

  • Fixed a bug of new Federation() constructor that if it is once called the process will never exit. [#39]

Version 0.5.1

Released on April 5, 2024.

  • Fixed a bug of Federation that its actor/collection dispatchers had done content negotiation before determining if the resource exists or not. It also fixed a bug that integrateHandler() from @fedify/fedify/x/fresh had responded with 406 Not Acceptable instead of 404 Not Found when the resource does not exist in the web browser. [#34]

Version 0.5.0

Released on April 2, 2024.

Version 0.4.0

Released on March 26, 2024.

Version 0.3.0

Released on March 15, 2024.

Version 0.2.0

Released on March 10, 2024.

Version 0.1.0

Initial release. Released on March 8, 2024.