Fedify

Appearance

Fedify changelog

Version 1.1.0

To be released.

Version 1.0.4

Released on October 17, 2024.

  • Fixed a bug where Actor.aliasId and Actor.aliasIds properties had been represented as as:alsoKnownAs property instead of alsoKnownAs property in compacted JSON-LD objects.

  • Improved compatibility with Bridgy Fed for Bluesky where it puts an invalid URI with the format at://... in the alsoKnownAs property.

Version 1.0.3

Released on October 17, 2024.

  • Improved compatibility with some implementations (e.g., Nexkey) where some CryptographicKey objects are incorrectly typed in JSON-LD objects.

Version 1.0.2

Released on September 27, 2024.

  • Fixed a bug of Object.toJsonLd() method where it had incorrectly compacted the name property when it was not a language map.

  • The Delete(Application) activities sent by the fedify inbox command now embed the entire actor object instead of just the actor's URI so that the peers can verify the actor's signature without fetching the actor object.

Version 1.0.1

Released on September 26, 2024.

  • Fixed deprecation messages related to the {handle} variable in URL templates; they had had wrong placeholders in the message templates.

  • Fixed a bug of Object.toJsonLd() method where it had not fall back to the proper compact form when the heuristic compact form was not available.

Version 1.0.0

Released on September 26, 2024.

Version 0.15.2

Released on September 26, 2024.

  • Fixed a bug of Object.toJsonLd() method where it had not fall back to the proper compact form when the heuristic compact form was not available.

Version 0.15.1

Released on September 15, 2024.

Version 0.15.0

Released on September 11, 2024.

  • Actors, collections, and objects now can have their URIs that do not consist of a WebFinger username, which means actors can change their fediverse handles.

  • Added quoteUrl property to Article, ChatMessage, Note, and Question classes in Activity Vocabulary API.

  • The element type of the liked collection is now Object or URL instead of Like.

    • Changed the type of Federation.setLikedDispatcher() method's second parameter to CollectionDispatcher<Object | URL, RequestContext<TContextData>, TContextData, void> (was CollectionDispatcher<Like, RequestContext<TContextData>, TContextData, void>).

  • Removed expand option of Object.toJsonLd() method, which was deprecated in version 0.14.0. Use format: "expand" option instead.

  • Added Context.lookupObject() method.

  • Default document loaders now recognize ActivityStream objects in more ways:

    • Loaders now recognize alternate ActivityStreams objects in the Link header.
    • Loaders now recognize alternate ActivityStreams objects in the <link>/<a> HTML elements.

  • Added allowPrivateAddress option to CreateFederationOptions interface.

  • Fixed a bug where the WebFinger response had had a subject property with an unmatched URI to the requested resource when a non-acct: URI was given.

  • Renamed the short option -c for --compact of fedify lookup command to -C to avoid conflict with the short option -c for --cache-dir.

  • Added -r/--raw option to fedify lookup command to output the raw JSON object.

Version 0.14.5

Released on September 26, 2024.

  • Fixed a bug of Object.toJsonLd() method where it had not fall back to the proper compact form when the heuristic compact form was not available.

Version 0.14.4

Released on September 6, 2024.

  • Fixed a bug of Object.fromJsonLd() method where it had thrown a TypeError when the given JSON-LD object had an @id property with an empty string.

Version 0.14.3

Released on September 1, 2024.

  • Fixed fedify inbox command where it had ignored -a/--accept-follow options when no -f/--follow option was provided. [#132]

Version 0.14.2

Released on August 30, 2024.

  • Fixed an incompatibility with Meta's Threads where sent activities had not been verified by their inbox. [#125]

Version 0.14.1

Released on August 29, 2024.

  • Fixed fedify inbox command that had not been able to parse activities even if they are valid JSON-LD. [#126]

  • Fixed a bug where the Compact Activity tab of fedify inbox command's web interface had shown an expanded JSON-LD object instead of a compacted one.

Version 0.14.0

Released on August 27, 2024.

Version 0.13.5

Released on September 6, 2024.

  • Fixed a bug of Object.fromJsonLd() method where it had thrown a TypeError when the given JSON-LD object had an @id property with an empty string.

Version 0.13.4

Released on September 1, 2024.

  • Fixed fedify inbox command where it had ignored -a/--accept-follow options when no -f/--follow option was provided. [#132]

Version 0.13.3

Released on August 30, 2024.

  • Fixed an incompatibility with Meta's Threads where sent activities had not been verified by their inbox. [#125]

Version 0.13.2

Released on August 29, 2024.

  • Fixed fedify inbox command that had not been able to parse activities even if they are valid JSON-LD. [#126]

Version 0.13.1

Released on August 18, 2024.

  • Fixed a vulnerability where the getActorHandle() function had trusted the hostname of WebFinger aliases that had not matched the hostname of the actor ID (URI).

Version 0.13.0

Released on August 7, 2024.

Version 0.12.3

Released on August 18, 2024.

  • Fixed a vulnerability where the getActorHandle() function had trusted the hostname of WebFinger aliases that had not matched the hostname of the actor ID (URI).

Version 0.12.2

Released on July 31, 2024.

  • Fixed a bug where incoming activities had not been enqueued even if the queue option was provided to the createFederation() function.

Version 0.12.1

Released on July 27, 2024.

  • Fixed a bug where fedify init -w hono had generated scaffold files without Fedify integration.
  • Fixed a bug where fedify init -r bun -w hono had generated scaffold files with a wrong port number (was 3000).

Version 0.12.0

Released on July 24, 2024.

Version 0.11.3

Released on July 15, 2024.

Version 0.11.2

Released on July 9, 2024.

  • Fixed a vulnerability of SSRF via DNS rebinding in the built-in document loader. [CVE-2024-39687]

    • The fetchDocumentLoader() function now throws an error when the given domain name has any records referring to a private network address.
    • The getAuthenticatedDocumentLoader() function now returns a document loader that throws an error when the given domain name has any records referring to a private network address.

Version 0.11.1

Released on July 5, 2024.

  • Fixed a SSRF vulnerability in the built-in document loader. [CVE-2024-39687]

    • The fetchDocumentLoader() function now throws an error when the given URL is not an HTTP or HTTPS URL or refers to a private network address.
    • The getAuthenticatedDocumentLoader() function now returns a document loader that throws an error when the given URL is not an HTTP or HTTPS URL or refers to a private network address.

Version 0.11.0

Released on June 29, 2024.

Version 0.10.2

Released on July 9, 2024.

  • Fixed a vulnerability of SSRF via DNS rebinding in the built-in document loader. [CVE-2024-39687]

    • The fetchDocumentLoader() function now throws an error when the given domain name has any records referring to a private network address.
    • The getAuthenticatedDocumentLoader() function now returns a document loader that throws an error when the given domain name has any records referring to a private network address.

Version 0.10.1

Released on July 5, 2024.

  • Fixed a SSRF vulnerability in the built-in document loader. [CVE-2024-39687]

    • The fetchDocumentLoader() function now throws an error when the given URL is not an HTTP or HTTPS URL or refers to a private network address.
    • The getAuthenticatedDocumentLoader() function now returns a document loader that throws an error when the given URL is not an HTTP or HTTPS URL or refers to a private network address.

Version 0.10.0

Released on June 18, 2024.

Starting with this release, Fedify, previously distributed under AGPL 3.0, is now distributed under the MIT License to encourage wider adoption.

Version 0.9.3

Released on July 9, 2024.

  • Fixed a vulnerability of SSRF via DNS rebinding in the built-in document loader. [CVE-2024-39687]

    • The fetchDocumentLoader() function now throws an error when the given domain name has any records referring to a private network address.
    • The getAuthenticatedDocumentLoader() function now returns a document loader that throws an error when the given domain name has any records referring to a private network address.

Version 0.9.2

Released on July 5, 2024.

  • Fixed a SSRF vulnerability in the built-in document loader. [CVE-2024-39687]

    • The fetchDocumentLoader() function now throws an error when the given URL is not an HTTP or HTTPS URL or refers to a private network address.
    • The getAuthenticatedDocumentLoader() function now returns a document loader that throws an error when the given URL is not an HTTP or HTTPS URL or refers to a private network address.

Version 0.9.1

Released on June 13, 2024.

  • Fixed a bug of Activity Vocabulary API that clone() method of Vocabulary classes had not cloned the id property from the source object.

Version 0.9.0

Released on June 2, 2024.

  • Added Tombstone class to Activity Vocabulary API.

  • Added Hashtag class to Activity Vocabulary API. [#48]

  • Added Emoji class to Activity Vocabulary API. [#48]

  • Added an actor handle normalization function.

  • Added excludeBaseUris option to Context.sendActivity() and Federation.sendActivity() methods.

  • The Context now can parse URIs of objects, inboxes, and collections as well as actors.

  • The time window for signature verification is now configurable. [#52]

    • The default time window for signature verification is now a minute (was 30 seconds).
    • Added signatureTimeWindow option to FederationParameters interface.
    • Added VerifyOptions interface.
    • The signature of the verify() function is revamped; it now optionally takes a VerifyOptions object as the second parameter.

  • Renamed the @fedify/fedify/httpsig module to @fedify/fedify/sig, and also:

  • When signing an HTTP request, the algorithm parameter is now added to the Signature header. This change improves the compatibility with Misskey and other implementations that require the algorithm parameter.

  • Added more log messages using the LogTape library. Currently the below logger categories are used:

    • ["fedify", "federation", "actor"]
    • ["fedify", "federation", "http"]
    • ["fedify", "sig", "http"]
    • ["fedify", "sig", "key"]
    • ["fedify", "sig", "owner"]

Version 0.8.0

Released on May 6, 2024.

  • The CLI toolchain for testing and debugging is now available on JSR: @fedify/cli. You can install it with deno install -A --unstable-fs --unstable-kv --unstable-temporal -n fedify jsr:@fedify/cli, or download a standalone executable from the releases page.

    • Added fedify command.
    • Added fedify lookup subcommand.
    • Added fedify inbox subcommand.

  • Implemented followers collection synchronization mechanism.

  • Relaxed the required type for activity recipients.

    • Added Recipient interface.
    • The type of the second parameter of Context.sendActivity() method became Recipient | Recipient[] (was Actor | Actor[]). However, since Recipient is a supertype of Actor, the existing code should work without any change.

  • Followers collection now has to consist of Recipient objects only. (It could consist of URLs as well as Actors before.)

    • The type of Federation.setFollowersDispatcher() method's second parameter became CollectionDispatcher<Recipient, TContextData, URL> (was CollectionDispatcher<Actor | URL, TContextData>).

  • Some of the responsibility of a document loader was separated to a context loader and a document loader.

  • Added width and height properties to Document class for better compatibility with Mastodon. [#47]

  • Removed the dependency on @js-temporal/polyfill on Deno, and Fedify now requires --unstable-temporal flag. On other runtime, it still depends on @js-temporal/polyfill.

  • Added more log messages using the LogTape library. Currently the below logger categories are used:

    • ["fedify", "federation", "collection"]
    • ["fedify", "httpsig", "verify"]
    • ["fedify", "runtime", "docloader"]

  • Fixed a bug where the authenticated document loader had thrown InvalidUrl error when the URL redirection was involved in Bun.

  • Fixed a bug of lookupObject() that it had failed to look up the actor object when WebFinger response had no links with "type": "application/activity+json" but had "type": "application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\"".

Version 0.7.0

Released on April 23, 2024.

Version 0.6.1

Released on April 17, 2024.

  • Fixed a bug of new Federation() constructor that if it is once called the process will never exit. [#39]

Version 0.6.0

Released on April 9, 2024.

Version 0.5.2

Released on April 17, 2024.

  • Fixed a bug of new Federation() constructor that if it is once called the process will never exit. [#39]

Version 0.5.1

Released on April 5, 2024.

  • Fixed a bug of Federation that its actor/collection dispatchers had done content negotiation before determining if the resource exists or not. It also fixed a bug that integrateHandler() from @fedify/fedify/x/fresh had responded with 406 Not Acceptable instead of 404 Not Found when the resource does not exist in the web browser. [#34]

Version 0.5.0

Released on April 2, 2024.

Version 0.4.0

Released on March 26, 2024.

Version 0.3.0

Released on March 15, 2024.

Version 0.2.0

Released on March 10, 2024.

Version 0.1.0

Initial release. Released on March 8, 2024.