Releases: fedify-dev/fedify
Release list
Fedify 2.3.3
Released on July 19, 2026.
@fedify/vocab-runtime
- Fixed document loaders rejecting public URLs backed by CNAMEs on Cloudflare Workers.
validatePublicUrl()now ignores non-IP aliases returned alongside DNS lookup results while continuing to validate every resolved IP address, and rejects lookups that return no IP addresses. [#956, #957 by SJang1]
@fedify/cfworkers
- Fixed
WorkersMessageQueue.enqueueMany()failing when the given messages exceeded Cloudflare Queues' batch limits of 100 messages or 256 KB per batch, which could happen when delivering activities to a large audience. The method now estimates the serialized size of each message and splits the messages into multiplesendBatch()calls that stay within the limits. [#958, #960 by SJang1]
Fedify 2.2.8
Released on July 19, 2026.
@fedify/vocab-runtime
- Fixed document loaders rejecting public URLs backed by CNAMEs on Cloudflare Workers.
validatePublicUrl()now ignores non-IP aliases returned alongside DNS lookup results while continuing to validate every resolved IP address, and rejects lookups that return no IP addresses. [#956, #957 by SJang1]
@fedify/cfworkers
- Fixed
WorkersMessageQueue.enqueueMany()failing when the given messages exceeded Cloudflare Queues' batch limits of 100 messages or 256 KB per batch, which could happen when delivering activities to a large audience. The method now estimates the serialized size of each message and splits the messages into multiplesendBatch()calls that stay within the limits. [#958, #960 by SJang1]
Fedify 2.1.19
Released on July 19, 2026.
@fedify/vocab-runtime
- Fixed document loaders rejecting public URLs backed by CNAMEs on Cloudflare Workers.
validatePublicUrl()now ignores non-IP aliases returned alongside DNS lookup results while continuing to validate every resolved IP address, and rejects lookups that return no IP addresses. [#956, #957 by SJang1]
@fedify/cfworkers
- Fixed
WorkersMessageQueue.enqueueMany()failing when the given messages exceeded Cloudflare Queues' batch limits of 100 messages or 256 KB per batch, which could happen when delivering activities to a large audience. The method now estimates the serialized size of each message and splits the messages into multiplesendBatch()calls that stay within the limits. [#958, #960 by SJang1]
Fedify 2.0.23
Released on July 19, 2026.
@fedify/vocab-runtime
- Fixed document loaders rejecting public URLs backed by CNAMEs on Cloudflare Workers.
validatePublicUrl()now ignores non-IP aliases returned alongside DNS lookup results while continuing to validate every resolved IP address, and rejects lookups that return no IP addresses. [#956, #957 by SJang1]
@fedify/cfworkers
- Fixed
WorkersMessageQueue.enqueueMany()failing when the given messages exceeded Cloudflare Queues' batch limits of 100 messages or 256 KB per batch, which could happen when delivering activities to a large audience. The method now estimates the serialized size of each message and splits the messages into multiplesendBatch()calls that stay within the limits. [#958, #960 by SJang1]
Fedify 2.3.2
Released on July 15, 2026.
@fedify/fedify
-
Fixed a server-side request forgery (SSRF) vulnerability in the
getNodeInfo()function and theContext.lookupNodeInfo()method, where the NodeInfo document URL advertised in a remote server's/.well-known/nodeinforesponse was fetched without checking that it points to a public address. A malicious server could direct the link to a loopback, link-local, or private address—or to adata:URL—causing Fedify to fetch internal resources and return their contents to the caller. Both requests, including any redirect hops, are now validated against private and non-public addresses, consistent with the protections already applied to WebFinger lookups and the built-in document loader. [CVE-2026-62857] -
Fixed custom collection dispatchers registered through
FederationBuilder.setCollectionDispatcher()andsetOrderedCollectionDispatcher()returning404 Not Foundafterbuild().build()now copies the collection callbacks and item types onto the built federation, so the registered routes dispatch their collections instead of being treated as unknown routes. [#849, #851 by ChanHaeng Lee] -
Fixed the outbound delivery circuit breaker retaining per-host state in the configured key–value store forever when a remote host never recovered. Circuit breaker state now receives a TTL on writes made with the default failure policy, custom failure policies can opt in with the new
stateTtloption, and stale state written by earlier 2.3 releases is cleared automatically on CAS-backed stores after upgrade, with another sweep after a grace window to cover rolling deployments. [#916, #917] -
Fixed split-origin WebFinger responses for
acct:aliases on the web origin host. When a local actor is queried through the server-originacct:alias, Fedify now returns the canonical handle-hostacct:URI as the JRDsubjectand keeps the queriedacct:URI inaliases. [#920, #921] -
Fixed the npm package published by CI/CD so it includes the Fedify agent skill at skills/fedify/SKILL.md. The package metadata already advertised the skill, and local
pnpm packbuilds included it, but the automated npm publish artifact skipped theprepackstep that materializes the symlinked skill directory before packing.
@fedify/vocab
- Fixed Activity Vocabulary parsing so malformed language tags in remote JSON-LD language maps no longer abort parsing with a
RangeError. Fedify now ignores only the malformed language-tagged value and continues parsing the rest of the object. [#847, #848]
@fedify/cli
Fedify 2.2.7
Released on July 15, 2026.
@fedify/fedify
-
Fixed a server-side request forgery (SSRF) vulnerability in the
getNodeInfo()function and theContext.lookupNodeInfo()method, where the NodeInfo document URL advertised in a remote server's/.well-known/nodeinforesponse was fetched without checking that it points to a public address. A malicious server could direct the link to a loopback, link-local, or private address—or to adata:URL—causing Fedify to fetch internal resources and return their contents to the caller. Both requests, including any redirect hops, are now validated against private and non-public addresses, consistent with the protections already applied to WebFinger lookups and the built-in document loader. [CVE-2026-62857] -
Fixed custom collection dispatchers registered through
FederationBuilder.setCollectionDispatcher()andsetOrderedCollectionDispatcher()returning404 Not Foundafterbuild().build()now copies the collection callbacks and item types onto the built federation, so the registered routes dispatch their collections instead of being treated as unknown routes. [#849, #851 by ChanHaeng Lee] -
Fixed split-origin WebFinger responses for
acct:aliases on the web origin host. When a local actor is queried through the server-originacct:alias, Fedify now returns the canonical handle-hostacct:URI as the JRDsubjectand keeps the queriedacct:URI inaliases. [#920, #921]
@fedify/vocab
- Fixed Activity Vocabulary parsing so malformed language tags in remote JSON-LD language maps no longer abort parsing with a
RangeError. Fedify now ignores only the malformed language-tagged value and continues parsing the rest of the object. [#847, #848]
@fedify/cli
Fedify 2.1.18
Released on July 15, 2026.
@fedify/fedify
-
Fixed a server-side request forgery (SSRF) vulnerability in the
getNodeInfo()function and theContext.lookupNodeInfo()method, where the NodeInfo document URL advertised in a remote server's/.well-known/nodeinforesponse was fetched without checking that it points to a public address. A malicious server could direct the link to a loopback, link-local, or private address—or to adata:URL—causing Fedify to fetch internal resources and return their contents to the caller. Both requests, including any redirect hops, are now validated against private and non-public addresses, consistent with the protections already applied to WebFinger lookups and the built-in document loader. [CVE-2026-62857] -
Fixed custom collection dispatchers registered through
FederationBuilder.setCollectionDispatcher()andsetOrderedCollectionDispatcher()returning404 Not Foundafterbuild().build()now copies the collection callbacks and item types onto the built federation, so the registered routes dispatch their collections instead of being treated as unknown routes. [#849, #851 by ChanHaeng Lee] -
Fixed split-origin WebFinger responses for
acct:aliases on the web origin host. When a local actor is queried through the server-originacct:alias, Fedify now returns the canonical handle-hostacct:URI as the JRDsubjectand keeps the queriedacct:URI inaliases. [#920, #921]
@fedify/vocab
- Fixed Activity Vocabulary parsing so malformed language tags in remote JSON-LD language maps no longer abort parsing with a
RangeError. Fedify now ignores only the malformed language-tagged value and continues parsing the rest of the object. [#847, #848]
@fedify/cli
Fedify 2.0.22
Released on July 15, 2026.
@fedify/fedify
-
Fixed a server-side request forgery (SSRF) vulnerability in the
getNodeInfo()function and theContext.lookupNodeInfo()method, where the NodeInfo document URL advertised in a remote server's/.well-known/nodeinforesponse was fetched without checking that it points to a public address. A malicious server could direct the link to a loopback, link-local, or private address—or to adata:URL—causing Fedify to fetch internal resources and return their contents to the caller. Both requests, including any redirect hops, are now validated against private and non-public addresses, consistent with the protections already applied to WebFinger lookups and the built-in document loader. [CVE-2026-62857] -
Fixed custom collection dispatchers registered through
FederationBuilder.setCollectionDispatcher()andsetOrderedCollectionDispatcher()returning404 Not Foundafterbuild().build()now copies the collection callbacks and item types onto the built federation, so the registered routes dispatch their collections instead of being treated as unknown routes. [#849, #851 by ChanHaeng Lee] -
Fixed split-origin WebFinger responses for
acct:aliases on the web origin host. When a local actor is queried through the server-originacct:alias, Fedify now returns the canonical handle-hostacct:URI as the JRDsubjectand keeps the queriedacct:URI inaliases. [#920, #921]
@fedify/cli
- Fixed
fedify nodeinfochoosing SVG favicons whose filenames use uppercase.SVGextensions or include query strings or fragments. The command now ignores those SVG favicon links and falls back to/favicon.icobefore rendering terminal art. [#891, #918 by Junghoon Ban]
@fedify/vocab
Fedify 1.10.12
Released on July 15, 2026.
@fedify/fedify
- Fixed a server-side request forgery (SSRF) vulnerability in the
getNodeInfo()function and theContext.lookupNodeInfo()method, where the NodeInfo document URL advertised in a remote server's/.well-known/nodeinforesponse was fetched without checking that it points to a public address. A malicious server could direct the link to a loopback, link-local, or private address—or to adata:URL—causing Fedify to fetch internal resources and return their contents to the caller. Both requests, including any redirect hops, are now validated against private and non-public addresses, consistent with the protections already applied to WebFinger lookups and the built-in document loader. [CVE-2026-62857]
Fedify 1.9.13
Released on July 15, 2026.
@fedify/fedify
- Fixed a server-side request forgery (SSRF) vulnerability in the
getNodeInfo()function and theContext.lookupNodeInfo()method, where the NodeInfo document URL advertised in a remote server's/.well-known/nodeinforesponse was fetched without checking that it points to a public address. A malicious server could direct the link to a loopback, link-local, or private address—or to adata:URL—causing Fedify to fetch internal resources and return their contents to the caller. Both requests, including any redirect hops, are now validated against private and non-public addresses, consistent with the protections already applied to WebFinger lookups and the built-in document loader. [CVE-2026-62857]