Fedify 1.9.0

Released on October 14, 2025.

@fedify/fedify

• Implemented FEP-fe34 origin-based security model to protect against content spoofing attacks and ensure secure federation practices. The security model enforces same-origin policy for ActivityPub objects and their properties, preventing malicious actors from impersonating content from other servers. [#440]

  • Added crossOrigin option to Activity Vocabulary property accessors (get*() methods) with three security levels: "ignore" (default, logs warning and returns null), "throw" (throws error), and "trust" (bypasses checks).
  • Added LookupObjectOptions.crossOrigin option to lookupObject() function and Context.lookupObject() method for controlling cross-origin validation.
  • Embedded objects are now validated against their parent object's origin and only trusted when they share the same origin or are explicitly marked as trusted.
  • Property hydration now respects origin-based security, automatically performing remote fetches when embedded objects have different origins.
  • Internal trust tracking system maintains security context throughout object lifecycles (construction, cloning, and property access).

• Added withIdempotency() method to configure activity idempotency strategies for inbox processing. This addresses issue #441 where activities with the same ID sent to different inboxes were incorrectly deduplicated globally instead of per-inbox. [#441]

  • Added IdempotencyStrategy type.
  • Added IdempotencyKeyCallback type.
  • Added InboxListenerSetters.withIdempotency() method.
  • By default, "per-origin" strategy is used for backward compatibility. This will change to "per-inbox" in Fedify 2.0. We recommend explicitly setting the strategy to avoid unexpected behavior changes.

• Fixed handling of ActivityPub objects containing relative URLs. The Activity Vocabulary classes now automatically resolve relative URLs by inferring the base URL from the object's @id or document URL, eliminating the need for manual baseUrl specification in most cases. This improves interoperability with ActivityPub servers that emit relative URLs in properties like icon.url and image.url. [#411, #443 by Jiwon Kwon]

• Added TypeScript support for all RFC 6570 URI Template expression types in dispatcher path parameters. Previously, only simple string expansion ({identifier}) was supported in TypeScript types, while the runtime already supported all RFC 6570 expressions. Now TypeScript accepts all expression types including {+identifier} (reserved string expansion, recommended for URI identifiers), {#identifier} (fragment expansion), {.identifier} (label expansion), {/identifier} (path segments), {;identifier} (path-style parameters), {?identifier} (query component), and {&identifier} (query continuation). [#426, #446 by Jiwon Kwon]

  • Added Rfc6570Expression<TParam> type helper.
  • Updated all dispatcher path type parameters to accept RFC 6570 expressions: setActorDispatcher(), setObjectDispatcher(), setInboxDispatcher(), setOutboxDispatcher(), setFollowingDispatcher(), setFollowersDispatcher(), setLikedDispatcher(), setFeaturedDispatcher(), setFeaturedTagsDispatcher(), setInboxListeners(), setCollectionDispatcher(), and setOrderedCollectionDispatcher().

• Added inverse properties for collections to Vocabulary API. [FEP-5711, #373, #381 by Jiwon Kwon]

  • new Collection() constructor now accepts likesOf option.
  • Added Collection.likesOfId property.
  • Added Collection.getLikesOf() method.
  • new Collection() constructor now accepts sharesOf option.
  • Added Collection.sharedOfId property.
  • Added Collection.getSharedOf() method.
  • new Collection() constructor now accepts repliesOf option.
  • Added Collection.repliesOfId property.
  • Added Collection.getRepliesOf() method.
  • new Collection() constructor now accepts inboxOf option.
  • Added Collection.inboxOfId property.
  • Added Collection.getInboxOf() method.
  • new Collection() constructor now accepts outboxOf option.
  • Added Collection.outboxOfId property.
  • Added Collection.getOutboxOf() method.
  • new Collection() constructor now accepts followersOf option.
  • Added Collection.followersOfId property.
  • Added Collection.getFollowersOf() method.
  • new Collection() constructor now accepts followingOf option.
  • Added Collection.followingOfId property.
  • Added Collection.getFollowingOf() method.
  • new Collection() constructor now accepts likedOf option.
  • Added Collection.likedOfId property.
  • Added Collection.getLikedOf() method.

• Changed how parseSoftware() function handles non-Semantic Versioning number strings on tryBestEffort mode. [#353, #365 by Hyeonseo Kim]

• Separated modules from @fedify/fedify/x into dedicated packages to improve modularity and reduce bundle size. The existing integration functions in @fedify/fedify/x are now deprecated and will be removed in version 2.0.0. [#375 by Chanhaeng Lee]

  • Deprecated @fedify/fedify/x/cfworkers in favor of @fedify/cfworkers.
  • Deprecated @fedify/fedify/x/denokv in favor of @fedify/denokv.
  • Deprecated @fedify/fedify/x/hono in favor of @fedify/hono.
  • Deprecated @fedify/fedify/x/sveltekit in favor of @fedify/sveltekit.

• Extended Link from @fedify/fedify/webfinger to support OStatus 1.0 Draft 2. [#402, #404 by Hyeonseo Kim]

  • Added an optional template field to the Link interface.
  • Changed the href field optional from the Link interface according to RFC 7033 Section 4.4.4.3.

• Added Federatable.setWebFingerLinksDispatcher() method to set additional links to WebFinger. [#119, #407 by HyeonseoKim]

• Added CommonJS support alongside ESM for better NestJS integration and broader Node.js ecosystem compatibility. This eliminates the need for Node.js's --experimental-require-module flag and resolves dual package hazard issues. [#429, #431]

@fedify/cli

• Added Next.js option to fedify init command. This option allows users to initialize a new Fedify project with Next.js integration. [#313 by Chanhaeng Lee]

• Changed how fedify nodeinfo command handles non-Semantic Versioning number strings on -b/--best-effort mode. Now it uses the same logic as the parseSoftware() function in the @fedify/fedify package, which allows it to parse non-Semantic Versioning number strings more flexibly. [#353, #365 by Hyeonseo Kim]]

• Added -T/--timeout option to fedify lookup command. This option allows users to specify timeout in seconds for network requests to prevent hanging on slow or unresponsive servers. [[#258], #372 by Hyunchae Kim]

@fedify/amqp

• Added CommonJS support alongside ESM for better compatibility with CommonJS-based Node.js applications. [#429, #431]

@fedify/cfworkers

• Created Cloudflare Workers integration as the @fedify/cfworkers package. Separated from @fedify/fedify/x/cfworkers to improve modularity and reduce bundle size. [#375 by Chanhaeng Lee]

@fedify/denokv

• Created Deno KV integration as the @fedify/denokv package. Separated from @fedify/fedify/x/denokv to improve modularity and reduce bundle size. [#375 by Chanhaeng Lee]

@fedify/elysia

• Added CommonJS support alongside ESM for better compatibility with CommonJS-based Node.js applications. [#429, #431]

@fedify/express

• Added CommonJS support alongside ESM for better compatibility with CommonJS-based Node.js applications. [#429, #431]

@fedify/fastify

• Created Fastify integration as the @fedify/fastify package. [#151, #450 by An Subin]

  • Added fedifyPlugin() function for integrating Fedify into Fastify applications.
  • Converts between Fastify's request/reply API and Web Standards Request/Response.
  • Supports both ESM and CommonJS for broad Node.js compatibility.

@fedify/h3

• Added CommonJS support alongside ESM for better compatibility with CommonJS-based Node.js applications. [#429, #431]

@fedify/hono

• Created Hono integration as the @fedify/hono package. Separated from @fedify/fedify/x/hono to improve modularity and reduce bundle size. [#375 by Chanhaeng Lee]

• Added CommonJS support alongside ESM for better compatibility with CommonJS-based Node.js applications. [#429, #431]

@fedify/koa

• Created Koa integration as the @fedify/koa package. [#454, #455]

  • Added createMiddleware() function for integrating Fedify into Koa applications.
  • Supports both Koa v2.x and v3.x via peer dependencies.
  • Converts between Koa's context-based API and Web Standards Request/Response.
  • Builds for both npm (ESM/CJS) and JSR distribution.

@fedify/next

• Created Next.js integration as the @fedify/next package. [#313 by Chanhaeng Lee]

• Added CommonJS support alongside ESM for better compatibility with CommonJS-based Node.js applications. [#429, #431]

@fedify/postgres

• Added CommonJS support alongside ESM for better compatibility with CommonJS-based Node.js applications. [#429, #431]

@fedify/redis

• Added support for Redis Cluster to the @fedify/redis package. [#368 by Michael Barrett]

• Added CommonJS support alongside ESM for better compatibility with CommonJS-based Node.js applications. [#429, #431]

@fedify/sqlite

• Added CommonJS support alongside ESM for better compatibility with CommonJS-based Node.js applications. [#429, #431]

@fedify/sveltekit

• Created SvelteKit integration as the @fedify/sveltekit package. Separated from @fedify/fedify/x/sveltekit to improve modularity and reduce bundle size. [#375 by Chanhaeng Lee]

• Fixed SvelteKit integration hook types to correctly infer the request and response types in hooks. [#271, #394 by Chanhaeng Lee]

• Added CommonJS support alongside ESM for better compatibility with CommonJS-based Node.js applications. [#429, #431]

@fedify/testing

• Added CommonJS support alongside ESM for better compatibility with CommonJS-based Node.js applications. [#429, #431]