Update Fedify packages to v2 (major)

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@fedify/cli (source)	1.9.7 → 2.1.3
@fedify/fedify (source)	1.9.7 → 2.1.3
@fedify/hono (source)	1.9.7 → 2.1.3
@fedify/redis (source)	1.9.7 → 2.1.3

---

Release Notes

fedify-dev/fedify (@​fedify/cli)

v2.1.3

Compare Source

Released on March 31, 2026.

@​fedify/init

• Restored the npm entrypoint contract for @fedify/init after the tsdown
  upgrade started publishing dist/*.mjs files while the package metadata
  still exported dist/*.js and dist/*.d.ts. Node consumers such as
  @fedify/cli can start again, including npx -y @​fedify/cli --help.
  [#​655]

@​fedify/create

• Restored the npm CLI entrypoint for @fedify/create so the published
  bin and exports paths once again point to generated dist/mod.js
  output instead of missing dist/mod.js files. This prevents the same
  packaging regression from breaking npm init @​fedify. [#​655]

v2.1.2

Compare Source

Released on March 29, 2026.

@​fedify/fedify

• Fixed CommonJS builds of @fedify/fedify/vocab missing the Object
  export from the entry point. Older tsdown output generated an invalid
  CommonJS re-export, causing require("@​fedify/fedify/vocab").Object to be
  undefined. Updated the bundler toolchain and added a regression test for
  the built CommonJs entry point. [#​651]

v2.1.1

Compare Source

Released on March 27, 2026.

@​fedify/fedify

• Limited the number of HTTP redirects followed by the remote document
  loaders and signed HTTP fetches to mitigate resource exhaustion during
  remote key and document resolution. [CVE-2026-34148 by Abhinav Jaswal]

• Stopped the remote document loaders and signed HTTP fetches from
  revisiting the same URL within a redirect chain, preventing
  self-referential redirect loops. [CVE-2026-34148 by Abhinav Jaswal]

• Persisted negative public key cache entries for failed remote key
  fetches, reducing repeated retries against the same unavailable key
  across requests. [CVE-2026-34148 by Abhinav Jaswal]

v2.1.0

Compare Source

Released on March 24, 2026.

@​fedify/fedify

• Added InboxListenerSetters.onUnverifiedActivity() so applications can
  inspect inbound activities whose signatures could not be verified and
  optionally return a custom response instead of the default
  401 Unauthorized. This is useful for cases like Delete deliveries
  from actors whose signing keys now return 404 Not Found or 410 Gone.
  Added the supporting public types UnverifiedActivityHandler and
  UnverifiedActivityReason. [#​472, #​611]

• Added verifyRequestDetailed() plus the public types
  VerifyRequestDetailedResult, VerifyRequestFailureReason, and
  FetchKeyErrorResult so applications can distinguish unsigned requests,
  invalid signatures, and key-fetch failures during HTTP signature
  verification. [#​611]

• OpenTelemetry spans/events and FedifySpanExporter signature details now
  expose HTTP signature failure reasons and key-fetch failure details for
  inbound activities. [#​611]

• Fixed RequestContext.getSignedKeyOwner() to return null instead of
  throwing an error when the remote server requires authorized fetch and
  returns 401 Unauthorized for the key owner lookup. Previously, this
  caused a 500 Internal Server Error when interoperating with servers like
  GoToSocial that have authorized fetch enabled. [#​473, #​589]

• Added RFC 9421 §5 Accept-Signature negotiation for both outbound and
  inbound paths. On the outbound side, doubleKnock() now parses
  Accept-Signature challenges from 401 responses and retries with a
  compatible RFC 9421 signature before falling back to legacy spec-swap.
  On the inbound side, a new InboxChallengePolicy option in
  FederationOptions enables emitting Accept-Signature headers on
  inbox 401 responses, with optional one-time nonce support for replay
  protection. [#​583, #​584, #​626 by ChanHaeng Lee]

@​fedify/vocab-runtime

• Added Decimal, a branded string type for exact xsd:decimal values,
  along with isDecimal(), canParseDecimal(), and parseDecimal() for
  checking and validating XML Schema decimal lexical forms without
  introducing a decimal arithmetic dependency. isDecimal() performs a
  strict lexical-form check, while canParseDecimal() and parseDecimal()
  apply XML Schema whitespace normalization first. This lays the runtime
  groundwork for precision-safe marketplace and measurement values such as
  those needed by FEP-0837. [#​617, #​640]

• Updated the preloaded https://gotosocial.org/ns JSON-LD context to
  match the current GoToSocial v0.21+ namespace, adding new type terms
  (LikeRequest, LikeAuthorization, etc.) and property terms
  (automaticApproval, manualApproval, interactingObject, etc.) while
  retaining deprecated terms (always, approvalRequired) for backward
  compatibility. [#​453, #​622]

• Added optional FetchError.response so callers can inspect the original
  failed HTTP response when remote document or key fetches return an HTTP
  error (such as 404 Not Found or 410 Gone). This enables higher-level
  APIs to distinguish transport failures from specific HTTP fetch failures.
  [#​611]

@​fedify/cli

• Added --reverse option to fedify lookup to reverse presentation order
  of emitted results. It now works across default multi-input lookup,
  --traverse collection traversal output, and --recurse object chains,
  while preserving existing fetch/error semantics. [#​607, #​609]

• Fixed fedify lookup printing separators with extra quotes between
  adjacent objects/items in some output paths (e.g., recurse/traverse
  flows). Separators are now printed as plain text consistently.
  [#​608]

• Added --recurse and --recurse-depth options to fedify lookup for
  recursively following object relationships (e.g., reply chains via
  replyTarget / inReplyTo, and quote chains via quoteUrl and quote
  IRIs). --traverse and --recurse are now mutually exclusive,
  --recurse-depth depends on --recurse, and --suppress-errors now
  works in recurse mode as best-effort lookup.
  [#​606, #​608]

• Hardened fedify lookup by disallowing private/localhost document loads
  by default. For local-development workflows, -p/--allow-private-address
  (or lookup.allowPrivateAddress = true in config) can re-enable private
  address access for explicit lookup/traverse requests. This option does
  not apply to recursive fetches, which always disallow private addresses.
  [#​608]

@​fedify/vocab

• Added GoToSocial interaction controls vocabulary for expressing who
  can like, reply to, or announce posts and for approving interactions.
  [#​453, #​622]

  • Added InteractionPolicy and InteractionRule typeless value
    classes.
  • Added LikeRequest, ReplyRequest, and AnnounceRequest activity
    types for requesting interaction approval.
  • Added LikeAuthorization, ReplyAuthorization, and
    AnnounceAuthorization types for proving approved interactions.
  • Added Object.interactionPolicy, Object.approvedBy,
    Object.getLikeAuthorization()/Object.likeAuthorizationId,
    Object.getReplyAuthorization()/Object.replyAuthorizationId, and
    Object.getAnnounceAuthorization()/Object.announceAuthorizationId.

• Fixed Endpoints.toJsonLd() to no longer emit invalid
  "type": "as:Endpoints" in the serialized JSON-LD. The as:Endpoints
  type does not exist in the ActivityStreams vocabulary, and its presence
  caused validation failures on implementations like browser.pub.
  [#​576]

• Fixed Source.toJsonLd() to no longer emit invalid
  "type": "as:Source" in the serialized JSON-LD. The as:Source type
  does not exist in the ActivityStreams vocabulary either.

@​fedify/vocab-tools

• Added xsd:decimal support to the vocabulary code generator. Properties
  with that range are now generated as Decimal in TypeScript, serialized
  as xsd:decimal JSON-LD literals, validated through
  canParseDecimal() when checking input data, and normalized through
  parseDecimal() when decoded. Code generation now also rejects property
  ranges that mix xsd:string and xsd:decimal, since both map to runtime
  strings and would make serialization ambiguous. [#​617, #​640]

• Added typeless field to the type YAML schema. When set to true,
  the generated toJsonLd() method does not emit @type (or type in
  compact form) in the serialized JSON-LD. This is useful for types
  that are not real vocabulary types but rather anonymous object structures.

@​fedify/init

• Changed fedify init to add "temporal" to deno.json's "unstable"
  field only when the installed Deno version is earlier than 2.7.0.
  On Deno 2.7.0 or later, it is no longer added.

• fedify init now omits the "unstable" field entirely when no unstable
  feature is required for the generated Deno project.

• Supported Astro as a web framework option in fedify init, with
  runtime-specific templates for Deno, Bun, and Node.js environments.
  [#​50 by ChanHaeng Lee]

@​fedify/astro

• Added @fedify/astro package for integrating Fedify with Astro.
  It provides fedifyIntegration() for Vite SSR configuration and
  fedifyMiddleware() for request handling. [#​50 by Chanhaeng Lee]

@​fedify/mysql

• Added MysqlMessageQueue class to the @fedify/mysql package, a
  MySQL/MariaDB-backed MessageQueue implementation. It uses periodic
  polling (SELECT … FOR UPDATE SKIP LOCKED) to deliver messages and
  MySQL advisory locks (GET_LOCK/RELEASE_LOCK) for ordering-key
  serialization. Supports delayed delivery, ordering keys,
  enqueueMany(), and concurrent workers. Requires MySQL 8.0+ or
  MariaDB 10.6+. [#​586, #​599]

• Added @fedify/mysql package, a MySQL/MariaDB-backed KvStore
  implementation. It provides MysqlKvStore, which stores key–value
  pairs in a MySQL table using the mysql2 driver. Supports TTL,
  prefix listing, and compare-and-swap (cas()) operations.
  [#​585, #​597]

v2.0.10

Compare Source

Released on March 31, 2026.

@​fedify/lint

• Fixed the published ESM output paths for @fedify/lint so the package
  exports and type declarations point to the actual files generated by
  tsdown. This restores imports such as
  import fedifyLint from "@​fedify/lint" in documentation examples and other
  TypeScript consumers.

@​fedify/init

• Restored the npm entrypoint contract for @fedify/init after the tsdown
  upgrade started publishing dist/*.mjs files while the package metadata
  still exported dist/*.js and dist/*.d.ts. Node consumers such as
  @fedify/cli can start again, including npx -y @​fedify/cli --help.
  [[#​655]]

@​fedify/create

• Restored the npm CLI entrypoint for @fedify/create so the published
  bin and exports paths once again point to generated dist/mod.js
  output instead of missing dist/mod.js files. This prevents the same
  packaging regression from breaking npm init @​fedify. [[#​655]]

v2.0.9

Compare Source

Released on March 29, 2026.

@​fedify/fedify

• Fixed CommonJS builds of @fedify/fedify/vocab missing the Object
  export from the entry point. Older tsdown output generated an invalid
  CommonJS re-export, causing require("@​fedify/fedify/vocab").Object to be
  undefined. Updated the bundler toolchain and added a regression test for
  the built CommonJs entry point. [[#​651]]

v2.0.8

Compare Source

Released on March 27, 2026.

@​fedify/fedify

• Limited the number of HTTP redirects followed by the remote document
  loaders and signed HTTP fetches to mitigate resource exhaustion during
  remote key and document resolution. [[CVE-2026-34148] by Abhinav Jaswal]

• Stopped the remote document loaders and signed HTTP fetches from
  revisiting the same URL within a redirect chain, preventing
  self-referential redirect loops. [[CVE-2026-34148] by Abhinav Jaswal]

• Persisted negative public key cache entries for failed remote key
  fetches, reducing repeated retries against the same unavailable key
  across requests. [[CVE-2026-34148] by Abhinav Jaswal]

v2.0.7

Compare Source

Released on March 22, 2026.

@​fedify/fedify

• Switched Fedify's source-based JSON-LD loading to the new
  @fedify/vocab-runtime/jsonld subpath so generated vocabulary code and
  Linked Data signature support no longer have to evaluate jsonld through
  a CommonJS-sensitive package root in Fresh 2, Deno, and other ESM-first
  runtimes. Fresh 2 development mode has been verified on Deno 2.7.7
  after an upstream Deno 2.7.6 dev server regression was fixed.
  [#​621, #​639]

@​fedify/vocab-runtime

• Fixed multibase public key handling to stop relying on the deprecated
  CommonJS-only multicodec package. This removes the Vite SSR crash that
  prevented Fresh 2 applications from importing @fedify/fedify with
  TypeError: varint.encode is not a function. Fresh 2 no longer needs a
  Vite externalization workaround for Fedify. [#​621, #​639]

• Added the new @fedify/vocab-runtime/jsonld subpath export so generated
  vocabulary code and other Fedify runtime code can share a JSR-safe wrapper
  around jsonld's ESM entrypoint instead of depending on fragile relative
  shims or the package-root import path. [#​621, #​639]

@​fedify/init

• Revived removed fedify init options. [#​632, #​638 by ChanHaeng Lee]
  • bare-bones option for web framework.
  • in-memory option for key-value store.
  • in-process option for message queue.

v2.0.6

Compare Source

Released on March 19, 2026.

@​fedify/init

• Fixed fedify init crashing when @fedify/cli or @fedify/init is
  executed through the JSR/Deno distribution. import.meta.dirname is
  undefined for remote JSR modules, so the template loading and
  repository-relative path logic has been made safe for published JSR
  execution. [#​624, #​633]

@​fedify/vocab-runtime

• Added http://joinmastodon.org/ns to preloaded JSON-LD contexts.
  This URL has never served a real JSON-LD context document (Mastodon
  has always inlined the term definitions), but some ActivityPub
  implementations put it as a bare URL in their @context, causing
  JSON-LD processors to fail with a 404. [#​630, #​631]

v2.0.5

Compare Source

Released on March 11, 2026.

@​fedify/fedify

• Added https://w3id.org/security/data-integrity/v2 to preloaded JSON-LD
  contexts.

v2.0.4

Compare Source

Released on March 11, 2026.

@​fedify/fastify

• Fixed the default onNotAcceptable handler in @fedify/fastify to
  create a fresh Response for each request instead of reusing a shared
  singleton instance. [#​612 by Lee Dogeon]

v2.0.3

Compare Source

Released on March 3, 2026.

@​fedify/postgres

• Fixed PostgresMessageQueue.listen() crashing the process when a
  malformed NOTIFY payload is received. Temporal.Duration.from()
  was called without error handling, so an invalid duration string
  caused an unhandled RangeError that propagated through the postgres
  driver. The NOTIFY callback is now wrapped in a try–catch that
  logs the error and falls back to an immediate poll. [#​594]

• Fixed PostgresMessageQueue.listen() permanently stalling all message
  processing when a message handler hangs indefinitely (e.g., due to an
  unresponsive remote server). The serializedPoll mechanism chains
  every poll() invocation onto a single promise, so a single hung
  handler blocked the entire queue permanently. Handler invocations
  are now wrapped with a configurable timeout (default: 60 seconds)
  via the new handlerTimeout option in PostgresMessageQueueOptions.
  When a handler exceeds the timeout, it is treated as an error and the
  poll loop moves on, preventing permanent stalls. [#​595]

v2.0.2

Compare Source

Released on February 27, 2026.

@​fedify/fedify

• Removed the deprecated third and fourth parameters (signedKey and
  signedKeyOwner) from AuthorizePredicate and
  ObjectAuthorizePredicate. These parameters were deprecated since
  Fedify 1.5.0 in favor of RequestContext.getSignedKey() and
  RequestContext.getSignedKeyOwner() methods, but were mistakenly
  left in the Fedify 2.0.0 release. The internal handler code that
  eagerly called getSignedKey() and getSignedKeyOwner() before
  invoking the predicate has also been removed; predicates should now
  call those methods themselves when needed. [[#​473], #​590]

v2.0.1

Compare Source

Released on February 24, 2026.

@​fedify/cli

• Fixed fedify command hanging indefinitely when invoked as an executable
  (e.g., via npx @​fedify/cli or npm exec -- fedify) on Linux. The
  shebang line #!/usr/bin/env node --disable-warning=ExperimentalWarning
  was passing node --disable-warning=ExperimentalWarning as a single
  argument to env, which caused an infinite exec loop on Linux because the
  kernel passes all shebang arguments as one string. Fixed by using
  env -S to properly split arguments:
  #!/usr/bin/env -S node --disable-warning=ExperimentalWarning.

@​fedify/postgres

• Fixed PostgresMessageQueue.listen() permanently stopping message
  processing when poll() throws (e.g., transient PostgreSQL errors or
  handler failures). listen() now catches polling errors for subscribe,
  notify, and interval-triggered polls, logs them, and retries on subsequent
  triggers instead of terminating the listener. [#​581]

• PostgresMessageQueue.initialize() now creates an index on the created
  column (idx_{table}_created) to improve dequeue query performance under
  backlog growth. [#​581]

v2.0.0

Compare Source

Released on February 22, 2026.

@​fedify/fedify

• Remove contextLoader option (which was deprecated) from
  FederationOptions interface in favor of contextLoaderFactory option
  for better flexibility. [#​376, #​445 by Hasang Cho]

• Migrated from @​phensley/language-tag package and its LanguageTag class
  to the standardized Intl.Locale class for representing language tags.
  [#​280, #​392 by Jang Hanarae]

  • The LanguageString.language property is now LanguageString.locale and
    is of type Intl.Locale instead of LanguageTag.
  • The LanguageString constructor now accepts either an Intl.Locale
    object or a string for the language parameter.
  • The Link.language property is now of type Intl.Locale instead
    of LanguageTag.
  • Removed the @phensley/language-tag dependency.

• Remove documentLoader option (which was deprecated) from
  FederationOptions interface in favor of documentLoaderFactory option
  for better flexibility. [#​376, #​393 by Hasang Cho]

• Remove CreateFederationOptions<TContextData> interface (which was
  deprecated since 1.6.0). Use FederationOptions<TContextData> instead.
  [#​376]

• Remove fetchDocumentLoader() function (which was deprecated since 0.14.0).
  Use getDocumentLoader() from @fedify/vocab-runtime instead. [#​376]

• Remove { handle: string } parameter form from sendActivity(),
  forwardActivity(), getDocumentLoader(), and ParseUriResult.
  Use { identifier: string } or { username: string } instead. [#​376]

• Changed NodeInfo software.version field type from SemVer to string
  to properly handle non-SemVer version strings in accordance with the
  NodeInfo specification. [#​366, #​433 by Hyeonseo Kim]

  • The parseNodeInfo() function now returns version as string instead
    of SemVer object.
  • The Software.version field is now of string (was of SemVer).
  • Removed parseSemVer() and formatSemVer() functions.
  • Updated related CLI tools and documentation.

• Federation dispatchers are now only triggered when the request accepts
  ActivityPub-compatible content types. This improves compatibility with
  applications that serve both HTML and ActivityPub content from the same
  URLs. [#​434 by Emelia Smith]

  • Actor, object, and collection dispatchers will no longer be called for
    requests with Accept: text/html or other non-ActivityPub content
    types.
  • The notAcceptable callback is now triggered at the middleware level
    before dispatchers are invoked.
  • If your application relies on dispatchers being called regardless of
    Accept header, you may need to adjust your routing logic.

• Changed the default activity idempotency strategy from "per-origin" to
  "per-inbox" to align with standard ActivityPub behavior. [#​441]

  • Activities are now deduplicated per inbox by default, allowing the same
    activity ID to be processed once per inbox independently.
  • The previous "per-origin" strategy (deduplicate per receiving server)
    can still be explicitly configured using
    .withIdempotency("per-origin").
  • This change ensures proper delivery of activities to multiple inboxes
    on the same server, fixing issues where activities were incorrectly
    deduplicated globally.

• Separated modules from @fedify/fedify/runtime to improve modularity and
  reduce coupling between vocabulary generation and core federation
  functionality. [#​444, #​451 by ChanHaeng Lee]

  • Modules related to ActivityPub vocabulary generation have been extracted
    into the new @fedify/vocab-runtime package.
  • Other utility modules from @fedify/fedify/runtime have been
    reorganized into the @fedify/fedify/utils directory within the main
    package.
  • Updated import paths throughout the codebase to reflect the new module
    organization.

• Deprecated the @fedify/fedify/runtime module in favor of the new
  @fedify/vocab-runtime package. The @fedify/fedify/runtime module now
  re-exports all exports from @fedify/vocab-runtime for backward
  compatibility, but will be removed in a future version. Please migrate
  to @fedify/vocab-runtime directly. [#​560]

• The KvCacheParameters.rules option's type became
  [string | URL | URLPattern, Temporal.Duration | Temporal.DurationLike][]
  (was [string | URL | URLPattern, Temporal.Duration][]).

• The @fedify/fedify/x/* modules are removed. Also, there are no Fresh
  integration for now. [#​391 by Chanhaeng Lee]

  • Removed @fedify/fedify/x/cfworkers in favor of @fedify/cfworkers.
  • Removed @fedify/fedify/x/denokv in favor of @fedify/denokv.
  • Removed @fedify/fedify/x/hono in favor of @fedify/hono.
  • Removed @fedify/fedify/x/sveltekit in favor of @fedify/sveltekit.
  • Removed @fedify/fedify/x/fresh (Fresh integration). [#​466]

• Deprecated the @fedify/fedify/vocab module in favor of the new
  @fedify/vocab package. The @fedify/fedify/vocab module now re-exports
  all exports from @fedify/vocab for backward compatibility, but will be
  removed in a future version. Please migrate to @fedify/vocab directly.
  [#​437, #​517 by ChanHaeng Lee]

• The KvStore.list() method is now required instead of optional.
  This method was added as optional in version 1.10.0 to give existing
  implementations time to add support. All official KvStore implementations
  already support this method. [#​499, #​506]

• Added orderingKey option to MessageQueueEnqueueOptions interface for
  ordered message delivery. Messages with the same ordering key are
  guaranteed to be processed in the order they were enqueued, while messages
  with different ordering keys can be processed in parallel. This helps
  prevent race conditions when processing related activities (e.g., ensuring
  a Delete activity is processed after a Create activity for the same
  object). [#​536, #​538, #​540, #​544]

  • Added MessageQueueEnqueueOptions.orderingKey property.
  • All properties in MessageQueueEnqueueOptions are now readonly.
  • InProcessMessageQueue now supports the orderingKey option.
  • Added SendActivityOptions.orderingKey option to ensure ordered
    delivery of activities for the same object. When specified, activities
    with the same orderingKey are guaranteed to be delivered in order
    to each recipient server.

• Added Federatable.setOutboxPermanentFailureHandler() method to handle
  permanent delivery failures (such as 410 Gone or 404 Not Found) when
  sending activities to remote inboxes. This allows applications to clean
  up unreachable followers and avoid future delivery attempts to permanently
  failed inboxes. [#​548, #​559]

• Added permanentFailureStatusCodes option to FederationOptions to
  configure which HTTP status codes are treated as permanent delivery
  failures. By default, 404 and 410 are treated as permanent failures.
  [#​548, #​559]

• Added SendActivityError class, a structured error that is thrown when
  an activity fails to send to a remote inbox. It includes the HTTP status
  code, the inbox URL, and the response body, making it easier to
  programmatically handle delivery errors. [#​548, #​559]

• Added traceId and spanId to LogTape context in federation middleware
  so that log records emitted during request handling and queue processing
  include the OpenTelemetry trace and span IDs in their properties. This
  enables the @fedify/debugger dashboard to display per-trace logs.
  [#​561, #​564]

• Fixed unbounded memory consumption when activity delivery fails with large
  error responses. The SendActivityError.responseBody property is now
  limited to 1 KiB to prevent memory pressure when remote servers return
  large HTML error pages (e.g., Cloudflare error pages of 50–100 KB each).
  This prevents potential OOM crashes in production environments with many
  unreachable inboxes. [#​569]

@​fedify/cli

• The Fedify CLI now runs natively on Node.js and Bun without requiring
  compiled binaries, providing a more natural JavaScript package experience
  for Node.js and Bun users. [#​374, #​456, #​457]

• Added fedify generate-vocab command to generate Activity Vocabulary
  classes from schema files. This command uses the new @​fedify/vocab-tools
  package internally and allows users to extend Activity Vocabulary with
  custom types. [#​444, #​458 by ChanHaeng Lee]

• Updated fedify init command for better DX.
  [#​397, #​435 by Chanhaeng Lee]

  • If the directory is not empty, prompts the user for confirmation
    before proceeding. If the user agrees, it moves the remaining directory
    to trash and continue the initialization from new created directory.
  • Ask again if some options is not specified or invalid.

• The fedify lookup command now supports multiple URLs with the
  -t/--traverse option, allowing users to traverse multiple collections
  in a single command. [#​408, #​449 by Jiwon Kwon]

• The fedify init command now supports Elysia as a web framework option,
  with runtime-specific templates for Deno, Bun, and Node.js environments.
  [#​460, #​496 by Hyeonseo Kim]

• Fixed a bug in the fedify init command where Deno import map generation
  incorrectly handled dependencies with registry prefixes (e.g., npm:),
  creating invalid specifiers in deno.json.
  [#​460, #​496 by Hyeonseo Kim]

• Added fedify relay command to run an ephemeral ActivityPub relay server.
  [#​510, #​518 by Jiwon Kwon]

  • Supports both Mastodon and LitePub relay protocols via --protocol
    option.
  • Provides optional persistent storage via --persistent option with
    SQLite database.
  • Allows configuring subscription approval/rejection via --accept-follow
    and --reject-follow options.
  • Tunnels the relay server to the public internet by default for external
    access, with --no-tunnel option to run locally only.

• Added --tunnel-service option to fedify lookup, fedify inbox, and
  fedify relay commands to select the tunneling service (localhost.run,
  serveo.net, or pinggy.io). Also added --tunnel-service as an alias
  to the existing -s/--service option in fedify tunnel for consistency.
  [#​525, #​529, #​531 by Jiwon Kwon]

• Added configuration file support for CLI commands. The CLI now loads
  settings from configuration files at multiple levels, with a well-defined
  precedence chain. [#​555, #​566 by Jiwon Kwon]

  • By default, configuration is loaded (in order of increasing precedence)
    from a system-wide configuration file (/etc/xdg/fedify/config.toml),
    a user-level configuration file (~/.config/fedify/config.toml),
    and .fedify.toml in the current directory; later files override
    earlier ones.
  • Added --config option to specify a custom configuration file path;
    this file has the highest precedence over all other configuration
    sources.
  • Added --ignore-config option to skip configuration file loading.
  • All command options (inbox, lookup, webfinger, nodeinfo,
    tunnel, relay) can now be configured via any of the configuration
    files.

@​fedify/debugger

• Created the @​fedify/debugger package, an embedded real-time ActivityPub
  debug dashboard for Fedify. It wraps an existing Federation object as
  a proxy, intercepting requests to a configurable path prefix (default
  /__debug__) and serving an SSR-based web UI. [#​561, #​564]

  • Added createFederationDebugger() function that returns a
    Federation proxy with a built-in debug dashboard. When called
    without an exporter option, it automatically sets up OpenTelemetry
    tracing (creating MemoryKvStore, FedifySpanExporter,
    BasicTracerProvider) and registers it as the global tracer
    provider—no manual OTel configuration needed.
  • Traces list page showing trace IDs, activity types, activity counts,
    and timestamps, with auto-polling for real-time updates.
  • Trace detail page showing activity direction, type, actor, signature
    verification details, inbox URL, and expandable activity JSON.
  • JSON API endpoint at /__debug__/api/traces for programmatic access.
  • Added per-trace log collection using LogTape. The returned federation
    object now includes a sink property (a LogTape Sink function)
    that captures log records grouped by trace ID. In the simplified
    overload (without exporter), LogTape is auto-configured.
  • Trace detail page now shows a “Logs” section with log level, timestamp,
    logger category, and message for each log record in the trace.
  • JSON API endpoint at /__debug__/api/logs/:traceId for retrieving
    log records for a specific trace.
  • Added optional auth configuration for protecting the debug dashboard
    with authentication. Supports three modes: password-only,
    username + password, and request-based (e.g., IP filtering).
    Each mode supports both static credentials and callback functions.
    Uses cookie-based sessions with HMAC-signed tokens.

@​fedify/relay

• Created ActivityPub relay integration as the @​fedify/relay package.
  [#​359, #​459, #​471, #​490, #​510, #​518 by Jiwon Kwon]

  • Added Relay interface defining the common contract for relay
    implementations.
  • Added MastodonRelay class implementing Mastodon-compatible relay
    protocol.
  • Added LitePubRelay class implementing LitePub-compatible relay
    protocol.
  • Added SubscriptionRequestHandler type for custom subscription approval
    logic.
  • Added RelayOptions interface for relay configuration.
  • Added RelayType type alias to document the type-safe parameter
  • Added createRelay() factory function as a key public API

@​fedify/vocab-tools

• Created Activity Vocabulary code generator as the @​fedify/vocab-tools
  package. Separated vocabulary code generation tools from the main
  @​fedify/fedify package to improve modularity and enable custom vocabulary
  extensions across different JavaScript runtimes.
  [#​444, #​458 by ChanHaeng Lee]

  • Made the code generator runtime-agnostic, supporting Deno, Node.js,
    and Bun environments.
  • Provides programmatic API for generating vocabulary classes from
    schema files.
  • Integrated with fedify generate-vocab CLI command.
  • Published to both npm and JSR for broad ecosystem compatibility.

@​fedify/vocab-runtime

• Created ActivityPub vocabulary runtime as the @​fedify/vocab-runtime
  package. Separated core vocabulary generation and processing modules
  from the main @​fedify/fedify package to improve modularity and reduce
  coupling between vocabulary processing and federation functionality.
  [#​444, #​451 by ChanHaeng Lee]

  • Extracted DocumentLoader, RemoteDocument, and related types from
    the main package.
  • Moved cryptographic key processing utilities, e.g., importSpki,
    exportSpki, importMultibaseKey, exportMultibaseKey.
  • Relocated multibase encoding/decoding functionality.
  • Separated language string processing (LanguageString class).
  • This package is primarily used by generated vocabulary classes and
    provides the runtime infrastructure for ActivityPub object processing.

@​fedify/elysia

• Added deno.json configuration file to enable proper Deno tooling support
  in the package. [#​460, #​496]

@​fedify/lint

• Created Fedify linting tools as the @​fedify/lint package.
  This package provides shared Deno Lint and ESLint configurations for
  consistent code style across Fedify packages and user projects.
  [#​297, #​494 by ChanHaeng Lee]

@​fedify/fresh

• Created a new @​fedify/fresh package that provides seamless integration
  between Fedify and Fresh 2.0, replacing the deprecated
  @fedify/fedify/x/fresh module that was designed for Fresh 1.x.
  [#​466, #​478 by Hyeonseo Kim]

@​fedify/webfinger

• Created WebFinger utilities as the @​fedify/webfinger package.
  This package provides tools for working with WebFinger resources,
  including parsing and generating WebFinger documents.
  [#​517 by ChanHaeng Lee]

@​fedify/vocab

• Created ActivityPub Vocabulary API package as the @​fedify/vocab package.
  This package contains the generated Activity Vocabulary classes and
  related types, separated from the main @​fedify/fedify package to
  improve modularity and enable custom vocabulary extensions.
  The previous @fedify/fedify/vocab module is now deprecated and
  re-exports all exports from this package for backward compatibility.
  [#​437, #​517 by ChanHaeng Lee]

• @fedify/vocab now re-exports LanguageString, DocumentLoader,
  GetUserAgentOptions, and RemoteDocument from @fedify/vocab-runtime
  so that downstream consumers do not need to depend on
  @fedify/vocab-runtime directly. [#​560]

• Fixed @fedify/vocab-runtime being bundled inline into @fedify/vocab's
  ESM/CJS output instead of being kept as an external dependency. This
  caused instanceof LanguageString checks to fail because two distinct
  LanguageString classes existed at runtime. [#​560]

@​fedify/sqlite

• Added SqliteMessageQueue class implementing MessageQueue interface
  using SQLite as the backing store. This implementation uses polling to
  check for new messages and is suitable for single-node deployments and
  development environments. [#​477, #​526 by ChanHaeng Lee]

  • Added SqliteMessageQueue class.
  • Added SqliteMessageQueueOptions interface.

• SqliteMessageQueue now supports the orderingKey option to ensure
  messages with the same ordering key are processed sequentially.
  [#​538, #​540]

  • Added ordering_key column to the message queue table schema.
  • The new table schema is created when SqliteMessageQueue.initialize()
    is called on a fresh database.

@​fedify/testing

• Added testMessageQueue() utility function for standardized testing of
  MessageQueue implementations. This function provides a reusable test
  harness that covers common message queue operations including enqueue(),
  enqueue() with delay, enqueueMany(), and multiple listener scenarios.
  [#​477, #​526 by ChanHaeng Lee]

  • Added testMessageQueue() function.
  • Added waitFor() helper function.
  • Added getRandomKey() helper function.

• Added TestMessageQueueOptions interface and optional options parameter
  to testMessageQueue() function. [#​538, #​540]

  • Added TestMessageQueueOptions interface.
  • Added testOrderingKey option to enable ordering key tests.

@​fedify/redis

• Fixed a race condition in RedisMessageQueue.listen() where pub/sub
  notifications could be missed if enqueue() was called immediately after
  listen() started. The issue occurred because the message handler was
  attached inside an async callback, allowing a timing window where messages
  could be published before the handler was ready.
  [#​515, #​532 by Jiwon Kwon]

• RedisMessageQueue now supports the orderingKey option to ensure
  messages with the same ordering key are processed sequentially.
  [#​538, #​540]

@​fedify/postgres

• PostgresMessageQueue now supports the orderingKey option to ensure
  messages with the same ordering key are processed sequentially.
  [#​538, #​540]

  • Added ordering_key column to the message queue table schema.
  • The new table schema is created when PostgresMessageQueue.initialize()
    is called on a fresh database.

• Fixed a race condition in PostgresMessageQueue.initialize() where
  concurrent calls from listen() and enqueue() would run DDL
  statements in parallel, causing redundant table creation and
  ALTER TABLE operations. The initialization promise is now cached
  so that concurrent callers share the same work.

• Fixed PostgresMessageQueue.listen() spawning many concurrent
  poll() calls when a burst of NOTIFY signals arrived (e.g., from
  bulk enqueue of 100 messages), causing excessive database contention.
  Poll executions are now serialized so that at most one runs at a time,
  with subsequent requests queued after the current one finishes.

@​fedify/amqp

• AmqpMessageQueue now supports the orderingKey option to ensure
  messages with the same ordering key are processed sequentially.
  [#​538, #​540]

  • Uses RabbitMQ's rabbitmq_consistent_hash_exchange plugin to route
    messages with the same ordering key to the same queue.
  • The plugin must be enabled on the RabbitMQ server for ordering key
    support to work.

@​fedify/cfworkers

• WorkersMessageQueue now supports the orderingKey option to ensure
  messages with the same ordering key are processed sequentially.
  [#​538, #​540]

  • Added WorkersMessageQueueOptions interface with orderingKv,
    orderingKeyPrefix, and orderingLockTtl options.
  • Added processMessage() method to handle lock acquisition and release.
  • Requires a Workers KV namespace for lock management.
  • Due to Workers KV eventual consistency, ordering is best-effort.

@​fedify/init

• Created project initializer as the @​fedify/init package. Separated
  the fedify init functionality from @​fedify/cli into a standalone
  package to improve modularity and enable reuse by other tools such as
  @fedify/create. [#​482 by Chanhaeng Lee]

  • Added runInit() function as the main initialization action handler.
  • Added initCommand and initOptions for CLI integration.
  • Added testInitCommand for comprehensive testing of all init
    combinations.

@​fedify/create

• Created standalone project scaffolding CLI as the @​fedify/create
  package. This enables creating new Fedify projects without installing
  the full @fedify/cli toolchain. [#​351 by Chanhaeng Lee]

  • Supports npm init @​fedify, pnpm create @​fedify,
    yarn create @​fedify, and bunx @​fedify/create.
  • Uses @fedify/init internally for all initialization logic.
  • Supports the same interactive prompts and CLI options as
    fedify init.

v1.10.6

Compare Source

Released on March 29, 2026.

@​fedify/fedify

• Fixed CommonJS builds of @fedify/fedify/vocab missing the Object
  export from the entry point. Older tsdown output generated an invalid
  CommonJS re-export, causing require("@​fedify/fedify/vocab").Object to be
  undefined. Updated the bundler toolchain and added a regression test for
  the built CommonJs entry point. [[#​651]]

v1.10.5

Compare Source

Released on March 27, 2026.

@​fedify/fedify

• Limited the number of HTTP redirects followed by the remote document
  loaders and signed HTTP fetc

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - Between 07:00 AM and 04:59 PM, only on Monday, Tuesday, Wednesday, and Thursday ( * 7-16 * * 1,2,3,4 ) (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.