Skip to content

Releases: fedify-dev/fedify

Fedify 2.3.3

Choose a tag to compare

@github-actions github-actions released this 19 Jul 09:46
2.3.3
a455153

Released on July 19, 2026.

@fedify/vocab-runtime

  • Fixed document loaders rejecting public URLs backed by CNAMEs on Cloudflare Workers. validatePublicUrl() now ignores non-IP aliases returned alongside DNS lookup results while continuing to validate every resolved IP address, and rejects lookups that return no IP addresses. [#956, #957 by SJang1]

@fedify/cfworkers

  • Fixed WorkersMessageQueue.enqueueMany() failing when the given messages exceeded Cloudflare Queues' batch limits of 100 messages or 256 KB per batch, which could happen when delivering activities to a large audience. The method now estimates the serialized size of each message and splits the messages into multiple sendBatch() calls that stay within the limits. [#958, #960 by SJang1]

Fedify 2.2.8

Choose a tag to compare

@github-actions github-actions released this 19 Jul 09:07
2.2.8
8404208

Released on July 19, 2026.

@fedify/vocab-runtime

  • Fixed document loaders rejecting public URLs backed by CNAMEs on Cloudflare Workers. validatePublicUrl() now ignores non-IP aliases returned alongside DNS lookup results while continuing to validate every resolved IP address, and rejects lookups that return no IP addresses. [#956, #957 by SJang1]

@fedify/cfworkers

  • Fixed WorkersMessageQueue.enqueueMany() failing when the given messages exceeded Cloudflare Queues' batch limits of 100 messages or 256 KB per batch, which could happen when delivering activities to a large audience. The method now estimates the serialized size of each message and splits the messages into multiple sendBatch() calls that stay within the limits. [#958, #960 by SJang1]

Fedify 2.1.19

Choose a tag to compare

@github-actions github-actions released this 19 Jul 08:54
2.1.19
90a73f2

Released on July 19, 2026.

@fedify/vocab-runtime

  • Fixed document loaders rejecting public URLs backed by CNAMEs on Cloudflare Workers. validatePublicUrl() now ignores non-IP aliases returned alongside DNS lookup results while continuing to validate every resolved IP address, and rejects lookups that return no IP addresses. [#956, #957 by SJang1]

@fedify/cfworkers

  • Fixed WorkersMessageQueue.enqueueMany() failing when the given messages exceeded Cloudflare Queues' batch limits of 100 messages or 256 KB per batch, which could happen when delivering activities to a large audience. The method now estimates the serialized size of each message and splits the messages into multiple sendBatch() calls that stay within the limits. [#958, #960 by SJang1]

Fedify 2.0.23

Choose a tag to compare

@github-actions github-actions released this 19 Jul 08:43
2.0.23
3811248

Released on July 19, 2026.

@fedify/vocab-runtime

  • Fixed document loaders rejecting public URLs backed by CNAMEs on Cloudflare Workers. validatePublicUrl() now ignores non-IP aliases returned alongside DNS lookup results while continuing to validate every resolved IP address, and rejects lookups that return no IP addresses. [#956, #957 by SJang1]

@fedify/cfworkers

  • Fixed WorkersMessageQueue.enqueueMany() failing when the given messages exceeded Cloudflare Queues' batch limits of 100 messages or 256 KB per batch, which could happen when delivering activities to a large audience. The method now estimates the serialized size of each message and splits the messages into multiple sendBatch() calls that stay within the limits. [#958, #960 by SJang1]

Fedify 2.3.2

Choose a tag to compare

@github-actions github-actions released this 15 Jul 04:11
2.3.2
9d67b22

Released on July 15, 2026.

@fedify/fedify

  • Fixed a server-side request forgery (SSRF) vulnerability in the getNodeInfo() function and the Context.lookupNodeInfo() method, where the NodeInfo document URL advertised in a remote server's /.well-known/nodeinfo response was fetched without checking that it points to a public address. A malicious server could direct the link to a loopback, link-local, or private address—or to a data: URL—causing Fedify to fetch internal resources and return their contents to the caller. Both requests, including any redirect hops, are now validated against private and non-public addresses, consistent with the protections already applied to WebFinger lookups and the built-in document loader. [CVE-2026-62857]

  • Fixed custom collection dispatchers registered through FederationBuilder.setCollectionDispatcher() and setOrderedCollectionDispatcher() returning 404 Not Found after build(). build() now copies the collection callbacks and item types onto the built federation, so the registered routes dispatch their collections instead of being treated as unknown routes. [#849, #851 by ChanHaeng Lee]

  • Fixed the outbound delivery circuit breaker retaining per-host state in the configured key–value store forever when a remote host never recovered. Circuit breaker state now receives a TTL on writes made with the default failure policy, custom failure policies can opt in with the new stateTtl option, and stale state written by earlier 2.3 releases is cleared automatically on CAS-backed stores after upgrade, with another sweep after a grace window to cover rolling deployments. [#916, #917]

  • Fixed split-origin WebFinger responses for acct: aliases on the web origin host. When a local actor is queried through the server-origin acct: alias, Fedify now returns the canonical handle-host acct: URI as the JRD subject and keeps the queried acct: URI in aliases. [#920, #921]

  • Fixed the npm package published by CI/CD so it includes the Fedify agent skill at skills/fedify/SKILL.md. The package metadata already advertised the skill, and local pnpm pack builds included it, but the automated npm publish artifact skipped the prepack step that materializes the symlinked skill directory before packing.

@fedify/vocab

  • Fixed Activity Vocabulary parsing so malformed language tags in remote JSON-LD language maps no longer abort parsing with a RangeError. Fedify now ignores only the malformed language-tagged value and continues parsing the rest of the object. [#847, #848]

@fedify/cli

  • Fixed fedify nodeinfo choosing SVG favicons whose filenames use uppercase .SVG extensions or include query strings or fragments. The command now ignores those SVG favicon links and falls back to /favicon.ico before rendering terminal art. [#891, #918 by Junghoon Ban]

Fedify 2.2.7

Choose a tag to compare

@github-actions github-actions released this 15 Jul 04:05
2.2.7
27a189f

Released on July 15, 2026.

@fedify/fedify

  • Fixed a server-side request forgery (SSRF) vulnerability in the getNodeInfo() function and the Context.lookupNodeInfo() method, where the NodeInfo document URL advertised in a remote server's /.well-known/nodeinfo response was fetched without checking that it points to a public address. A malicious server could direct the link to a loopback, link-local, or private address—or to a data: URL—causing Fedify to fetch internal resources and return their contents to the caller. Both requests, including any redirect hops, are now validated against private and non-public addresses, consistent with the protections already applied to WebFinger lookups and the built-in document loader. [CVE-2026-62857]

  • Fixed custom collection dispatchers registered through FederationBuilder.setCollectionDispatcher() and setOrderedCollectionDispatcher() returning 404 Not Found after build(). build() now copies the collection callbacks and item types onto the built federation, so the registered routes dispatch their collections instead of being treated as unknown routes. [#849, #851 by ChanHaeng Lee]

  • Fixed split-origin WebFinger responses for acct: aliases on the web origin host. When a local actor is queried through the server-origin acct: alias, Fedify now returns the canonical handle-host acct: URI as the JRD subject and keeps the queried acct: URI in aliases. [#920, #921]

@fedify/vocab

  • Fixed Activity Vocabulary parsing so malformed language tags in remote JSON-LD language maps no longer abort parsing with a RangeError. Fedify now ignores only the malformed language-tagged value and continues parsing the rest of the object. [#847, #848]

@fedify/cli

  • Fixed fedify nodeinfo choosing SVG favicons whose filenames use uppercase .SVG extensions or include query strings or fragments. The command now ignores those SVG favicon links and falls back to /favicon.ico before rendering terminal art. [#891, #918 by Junghoon Ban]

Fedify 2.1.18

Choose a tag to compare

@github-actions github-actions released this 15 Jul 04:01
2.1.18
fb5adc3

Released on July 15, 2026.

@fedify/fedify

  • Fixed a server-side request forgery (SSRF) vulnerability in the getNodeInfo() function and the Context.lookupNodeInfo() method, where the NodeInfo document URL advertised in a remote server's /.well-known/nodeinfo response was fetched without checking that it points to a public address. A malicious server could direct the link to a loopback, link-local, or private address—or to a data: URL—causing Fedify to fetch internal resources and return their contents to the caller. Both requests, including any redirect hops, are now validated against private and non-public addresses, consistent with the protections already applied to WebFinger lookups and the built-in document loader. [CVE-2026-62857]

  • Fixed custom collection dispatchers registered through FederationBuilder.setCollectionDispatcher() and setOrderedCollectionDispatcher() returning 404 Not Found after build(). build() now copies the collection callbacks and item types onto the built federation, so the registered routes dispatch their collections instead of being treated as unknown routes. [#849, #851 by ChanHaeng Lee]

  • Fixed split-origin WebFinger responses for acct: aliases on the web origin host. When a local actor is queried through the server-origin acct: alias, Fedify now returns the canonical handle-host acct: URI as the JRD subject and keeps the queried acct: URI in aliases. [#920, #921]

@fedify/vocab

  • Fixed Activity Vocabulary parsing so malformed language tags in remote JSON-LD language maps no longer abort parsing with a RangeError. Fedify now ignores only the malformed language-tagged value and continues parsing the rest of the object. [#847, #848]

@fedify/cli

  • Fixed fedify nodeinfo choosing SVG favicons whose filenames use uppercase .SVG extensions or include query strings or fragments. The command now ignores those SVG favicon links and falls back to /favicon.ico before rendering terminal art. [#891, #918 by Junghoon Ban]

Fedify 2.0.22

Choose a tag to compare

@github-actions github-actions released this 15 Jul 03:58
2.0.22
0225032

Released on July 15, 2026.

@fedify/fedify

  • Fixed a server-side request forgery (SSRF) vulnerability in the getNodeInfo() function and the Context.lookupNodeInfo() method, where the NodeInfo document URL advertised in a remote server's /.well-known/nodeinfo response was fetched without checking that it points to a public address. A malicious server could direct the link to a loopback, link-local, or private address—or to a data: URL—causing Fedify to fetch internal resources and return their contents to the caller. Both requests, including any redirect hops, are now validated against private and non-public addresses, consistent with the protections already applied to WebFinger lookups and the built-in document loader. [CVE-2026-62857]

  • Fixed custom collection dispatchers registered through FederationBuilder.setCollectionDispatcher() and setOrderedCollectionDispatcher() returning 404 Not Found after build(). build() now copies the collection callbacks and item types onto the built federation, so the registered routes dispatch their collections instead of being treated as unknown routes. [#849, #851 by ChanHaeng Lee]

  • Fixed split-origin WebFinger responses for acct: aliases on the web origin host. When a local actor is queried through the server-origin acct: alias, Fedify now returns the canonical handle-host acct: URI as the JRD subject and keeps the queried acct: URI in aliases. [#920, #921]

@fedify/cli

  • Fixed fedify nodeinfo choosing SVG favicons whose filenames use uppercase .SVG extensions or include query strings or fragments. The command now ignores those SVG favicon links and falls back to /favicon.ico before rendering terminal art. [#891, #918 by Junghoon Ban]

@fedify/vocab

  • Fixed Activity Vocabulary parsing so malformed language tags in remote JSON-LD language maps no longer abort parsing with a RangeError. Fedify now ignores only the malformed language-tagged value and continues parsing the rest of the object. [#847, #848]

Fedify 1.10.12

Choose a tag to compare

@github-actions github-actions released this 15 Jul 03:47
1.10.12
a9fdf26

Released on July 15, 2026.

@fedify/fedify

  • Fixed a server-side request forgery (SSRF) vulnerability in the getNodeInfo() function and the Context.lookupNodeInfo() method, where the NodeInfo document URL advertised in a remote server's /.well-known/nodeinfo response was fetched without checking that it points to a public address. A malicious server could direct the link to a loopback, link-local, or private address—or to a data: URL—causing Fedify to fetch internal resources and return their contents to the caller. Both requests, including any redirect hops, are now validated against private and non-public addresses, consistent with the protections already applied to WebFinger lookups and the built-in document loader. [CVE-2026-62857]

Fedify 1.9.13

Choose a tag to compare

@github-actions github-actions released this 15 Jul 03:44
1.9.13
6220cf8

Released on July 15, 2026.

@fedify/fedify

  • Fixed a server-side request forgery (SSRF) vulnerability in the getNodeInfo() function and the Context.lookupNodeInfo() method, where the NodeInfo document URL advertised in a remote server's /.well-known/nodeinfo response was fetched without checking that it points to a public address. A malicious server could direct the link to a loopback, link-local, or private address—or to a data: URL—causing Fedify to fetch internal resources and return their contents to the caller. Both requests, including any redirect hops, are now validated against private and non-public addresses, consistent with the protections already applied to WebFinger lookups and the built-in document loader. [CVE-2026-62857]