Fedify: an ActivityPub server framework

🎉 Excited to announce that #Fedify is now on Open Collective! Support the project's development starting at:

• Backer (from $5/mo)
• Supporter (from $25/mo)
• Sponsor (from $100/mo)
• Corporate Sponsor (from $500/mo)
• Custom donations welcome

Your support will help us maintain and improve Fedify. Check it out here:

https://opencollective.com/fedify

#OpenCollective #support #backing #sponsor #donation

Fedify is an #ActivityPub server framework in #TypeScript & #JavaScript. It aims to eliminate the complexity and redundant boilerplate code when building a federated server app, so that you can focus on your business logic and user experience.

The key features it provides currently are:

• Type-safe objects for Activity Vocabulary (including some vendor-specific extensions)
• #WebFinger client and server
• HTTP Signatures & Linked Data Signatures & Object Integrity Proofs
• Middleware for handling webhooks
• #NodeInfo protocol
• #Node.js, #Deno, and #Bun support
• CLI toolchain for testing and debugging

If you're curious, take a look at the #Fedify website! There's comprehensive docs, a demo, a tutorial, example code, and more:

https://fedify.dev/

Shout-out for @fedify as a great tool for developers in the #Fediverse 🫶🏻 from @dave #FrOSCon

We'd like to recognize the valuable contributions from two developers who participated in Korea's #OSSCA (Open Source Contribution Academy) program. Both contributors identified important gaps in #Fedify's functionality and documentation, providing thoughtful solutions that benefit the broader #ActivityPub ecosystem.

@gaebalgom contributed PR #365, addressing issue #353 regarding NodeInfo parser compatibility, originally reported by @andypiper. The issue arose when Fedify incorrectly rejected #NodeInfo documents from snac instances due to overly strict version string parsing that required semantic versioning compliance. Their solution improves the fallback behavior in the parseSoftware() function to handle non-SemVer version strings by parsing dot-separated numbers and defaulting to zero for missing components. The implementation includes thorough test coverage for various edge cases, including single numbers (3), two-part versions (2.81), and malformed version strings. This fix provides immediate compatibility improvements across the fediverse while maintaining backward compatibility, and will be included in Fedify 1.9. The contribution serves as an interim solution, with a more comprehensive fix planned for Fedify 2.0 (issue #366), where the NodeInfo software.version field will be changed from the SemVer type to a plain string to fully comply with the NodeInfo specification.

@z9mb1 contributed PR #364, resolving issue #337 by adding practical examples for Fedify's custom collection dispatchers feature. Custom collections were introduced in Fedify 1.8 but lacked clear documentation for developers seeking to implement them. Their contribution provides a comprehensive example demonstrating how to set up custom collections for tagged posts, including proper routing patterns, pagination handling, and counter functionality. The example includes mock data structures, shows how to configure collection dispatchers with URL patterns like /users/{userId}/tags/{tag}, and demonstrates the complete request/response cycle using federation.fetch(). This work provides developers with a clear, runnable reference that reduces the complexity of implementing custom collections in ActivityPub applications.

We appreciate these meaningful contributions that help make Fedify more accessible and robust for the entire ActivityPub community.

#opensource #fedidev #fediverse

Hello world! This is my first post. I created a single user microblog using @fedify

I am trying to create 'margins' — a free and open source single-user microblogging site for academics who want to stash ideas and readings within particular projects that can have multiple authors. It will use ActivityPub and federation.

Long road ahead, but I am excited!

@nyquildotorg Yeah, they seemed to already update their version of Fedify!

https://github.com/TryGhost/ActivityPub/commit/6fafc7d224b1c9a8b21833769a0dc9d884781fe8

🚨 緊急セキュリティアップデート通知

Fedifyで非常に深刻なセキュリティ脆弱性（CVE-2025-54888）が発見され、ホットフィックスを緊急リリースいたしました。

全ユーザーは直ちに最新のパッチバージョンにアップデートしてください。

詳細とアップデート方法については、以下のリンクをご参照ください：

https://github.com/fedify-dev/fedify/discussions/361

🚨 긴급 보안 업데이트 공지

Fedify에서 매우 심각한 보안 취약점(CVE-2025-54888)이 발견되어 핫픽스를 긴급 배포했습니다.

모든 사용자는 즉시 최신 패치 버전으로 업데이트해야 합니다.

자세한 내용과 업데이트 방법은 아래 링크를 참고해 주세요:

https://github.com/fedify-dev/fedify/discussions/361

All #Fedify users must immediately update to the latest patched versions. A #critical authentication bypass #vulnerability (CVE-2025-54888) has been discovered in Fedify that allows attackers to impersonate any #ActivityPub actor by sending forged activities signed with their own keys.

This vulnerability affects all Fedify instances and enables complete actor impersonation across the federation network. Attackers can send fake posts and messages as any user, create or remove follows as any user, boost and share content as any user, and completely compromise the federation trust model. The vulnerability affects all Fedify instances but does not propagate to other ActivityPub implementations like Mastodon, which properly validate authentication before processing activities.

The following versions contain the #security fix: 1.3.20, 1.4.13, 1.5.5, 1.6.8, 1.7.9, and 1.8.5. Users should update immediately using their package manager with commands such as npm update @fedify/fedify, yarn upgrade @fedify/fedify, pnpm update @fedify/fedify, bun update @fedify/fedify, or deno update @fedify/fedify.

After updating, redeploy your application immediately and monitor recent activities for any suspicious content. Please also inform other Fedify operators about this critical update to ensure the security of the entire federation network.

The safety and security of our community depends on immediate action. Please update now and feel free to leave comments below if you have any questions.

#fedidev

We're thrilled to announce Fedify 1.8.1, a mega release made possible through the incredible efforts of contributors from South Korea's #OSSCA (Open Source Contribution Academy). This release marks a significant milestone in #Fedify's development, bringing major architectural changes, new packages, and numerous enhancements across the board.

Note: Version 1.8.0 was skipped due to a versioning error.

🎉 Major Milestone: Monorepo Architecture

Fedify has been restructured as a #monorepo, consolidating all packages into a single repository with unified versioning. This change streamlines development and ensures all packages are released together with consistent version numbers.

Consolidated Packages

All existing Fedify packages now live under one roof:

• @fedify/fedify — Main library
• @fedify/cli — CLI toolchain
• @fedify/amqp — AMQP/RabbitMQ driver
• @fedify/express — Express integration
• @fedify/h3 — h3 framework integration
• @fedify/postgres — PostgreSQL drivers
• @fedify/redis — Redis drivers

🆕 New Packages

This release introduces four new packages to the Fedify ecosystem:

• @fedify/elysia — Elysia integration for Bun-powered applications
• @fedify/nestjs — NestJS integration for enterprise Node.js apps
• @fedify/sqlite — SQLite driver compatible with Bun, Deno, and Node.js
• @fedify/testing — Testing utilities with mock Federation and Context classes

@fedify/fedify

Custom Collection Dispatchers

A powerful new feature that allows you to create custom collections beyond the standard ActivityPub collections. This enables implementation of domain-specific collections while maintaining federation compatibility.

Contributors: ChanHaeng Lee [#310, #332]

• Added comprehensive types and interfaces for custom collection handling
• New methods on Federatable interface: setCollectionDispatcher() and setOrderedCollectionDispatcher()
• Added getCollectionUri() method to the Context interface
• Full support for paginated custom collections

Compare-and-Swap (CAS) Support for KV Stores

Key–value stores now optionally support CAS operations for atomic updates, enabling optimistic locking and preventing lost updates in concurrent environments.

• Added optional KvStore.cas() method
• Implemented in MemoryKvStore and DenoKvStore
• Useful for implementing distributed locks and counters

Fediverse Handle Utilities

New utility functions make working with #fediverse handles more convenient.

Contributors: ChanHaeng Lee [#278]

• parseFediverseHandle() — Parse handles into components
• isFediverseHandle() — Validate handle format
• toAcctUrl() — Convert handles to URLs
• FediverseHandle interface for type safety

Enhanced HTTP Request APIs

Contributors: Lee ByeongJun [#248, #281], Hyunchae Kim [#51, #315]

• Added LookupWebFingerOptions.maxRedirection option for controlling redirect behavior
• APIs now support AbortSignal for request cancellation
• New DocumentLoaderOptions interface
• Added signal options to LookupObjectOptions, LookupWebFingerOptions, and DoubleKnockOptions

@fedify/cli

New Commands and Enhancements

The CLI has received significant improvements thanks to our OSSCA contributors:

fedify webfinger Command

Contributors: ChanHaeng Lee [#260, #278], KeunHyeong Park [#311, #328]

Look up WebFinger information for any fediverse resource:

• Supports handles (@user@server) and URLs
• --user-agent option for custom User-Agent headers
• --allow-private-address for local testing
• --max-redirection to control redirect following

fedify nodeinfo Command

Contributors: Hyeonseo Kim [#267, #331, #168, #282, #304]

Replaces the deprecated fedify node command with improved terminal rendering.

Enhanced fedify lookup Command

Contributors: Jiwon Kwon [#169, #348, #261, #321]

• Terminal-specific image display for Kitty, WezTerm, Konsole, Warp, Wayst, st, and iTerm
• -o/--output option to save results to files

Improved fedify inbox Command

Contributors: Hasang Cho [#262, #285], Jang Hanarae [#191, #342]

• --actor-name and --actor-summary options for customizing temporary actors
• Now displays object types contained in activities

fedify init --dry-run

Contributors: Lee ByeongJun [#263, #298]

Preview project initialization without creating files.

Better Terminal Support

Contributors: Cho Hasang [#257, #341]

Correctly handles color output based on TTY detection and NO_COLOR environment variable.

@fedify/elysia

Contributors: Hyeonseo Kim [#286, #339]

New Elysia integration brings Fedify to Bun-powered applications with a simple plugin interface:

import { Elysia } from "elysia";
import { fedify } from "@fedify/elysia";

const app = new Elysia()
  .use(fedify(federation, { /* options */ }))
  .listen(3000);

@fedify/nestjs

Contributors: Jaeyeol Lee [#269, #309]

Enterprise-ready NestJS integration with dependency injection support:

import { FedifyModule } from "@fedify/nestjs";

@Module({
  imports: [
    FedifyModule.forRoot({
      kv: new MemoryKvStore(),
      queue: new InProcessMessageQueue(),
      origin: "https://example.com",
    }),
  ],
})
export class AppModule {}

@fedify/sqlite

Contributors: An Subin [#274, #318]

SqliteKvStore implementation compatible across all major JavaScript runtimes:

import { SqliteKvStore } from "@fedify/sqlite";

const kv = new SqliteKvStore("./fedify.db");

@fedify/testing

Contributors: Lee ByeongJun [#197, #283]

Comprehensive testing utilities with mocking support for Fedify applications:

import { MockFederation, MockContext } from "@fedify/testing";

const mockFederation = new MockFederation();
const mockContext = new MockContext();

// Track sent activities with full metadata
// Support custom path registration
// Multiple activity type listeners

🙏 Acknowledgments

This release represents an extraordinary community effort, particularly from the participants of South Korea's OSSCA (Open Source Contribution Academy) (Note: page in Korean). We extend our heartfelt thanks to all contributors:

Core Contributors

• ChanHaeng Lee (@2chanhaeng) — Custom collections, fediverse handles, WebFinger command
• Lee ByeongJun (@joonnot) — WebFinger redirections, dry-run, testing utilities
• Hyunchae Kim (@r4bb1t) — AbortSignal support
• Hyeonseo Kim (@gaebalgom) — Elysia integration, nodeinfo command
• Jaeyeol Lee (@kodingwarrior) — NestJS integration
• An Subin (@nyeong) — SQLite driver
• Jiwon Kwon (@z9mb1) — Terminal image display, output options
• Hasang Cho (@crohasang) — Color output handling, actor customization
• Jang Hanarae (@menele) — Activity object type display
• KeunHyeong Park (@w8385) — WebFinger redirect options

Test Infrastructure Contributors

• Oh Daeun (@ooheunda) — Fixed PostgreSQL test race conditions [#346, #350]
• Song Hanseo (@songbirds) — Test stability improvements for Redis and code generation [#344, #347]
• Kim Jonghyeon (@woaol) — CLI version management and documentation fixes [#306, #329, #330, #343]

Your contributions have made Fedify stronger and more versatile than ever. The OSSCA program's support has been instrumental in achieving this milestone release.

Migration Guide

Updating from Previous Versions

If you're using separate Fedify packages, update all packages to version 1.8.1:

{
  "dependencies": {
    "@fedify/fedify": "^1.8.1",
    "@fedify/cli": "^1.8.1",
    "@fedify/express": "^1.8.1"
  }
}

All packages now share the same version number, simplifying dependency management.

Breaking Changes

There are no breaking changes in this release. All existing code should continue to work without modifications.

What's Next

With the monorepo structure in place and new integrations available, we're excited to continue improving Fedify's developer experience and expanding its capabilities. Stay tuned for more updates, and thank you for being part of the Fedify community!

For detailed technical information about all changes, please refer to the full changelog.

Fedify is an open-source project that helps developers build federated server applications powered by ActivityPub. Join us on GitHub or Discord to contribute or get help!

#opensource #fedidev

We'd like to recognize some excellent contributions from our #OSSCA (Open Source Contribution Academy) participants who have been working on #Fedify.

@gaebalgom contributed PR #339, which introduces the @fedify/elysia package to provide Elysia integration for Fedify. This work addresses issue #286 by creating a plugin that enables developers using #Bun and #Elysia to integrate Fedify's #ActivityPub capabilities into their applications. The contribution includes the core integration module, documentation, examples, and proper monorepo configuration, making Fedify accessible to the Elysia community.

@r4bb1t submitted PR #315, implementing comprehensive AbortSignal support across multiple APIs to resolve issue #51. This contribution adds request cancellation capabilities not only to lookupWebFinger() but also to lookupObject(), DocumentLoader, and the HTTP signature authentication flow (doubleKnock()), allowing developers to properly handle timeouts and abort ongoing requests throughout the entire request chain. The implementation includes extensive test coverage for cancellation scenarios across all affected components and lays the groundwork for adding --timeout options to various CLI commands like fedify lookup, fedify webfinger, and fedify nodeinfo, making federated applications more robust and responsive.

@ooheunda addressed a testing infrastructure issue with PR #350, fixing a race condition in PostgreSQL message queue tests that was causing intermittent failures (issue #346). By adding explicit initialization before concurrent message queue listeners, this fix prevents table creation conflicts that were affecting test reliability, ensuring more consistent PR testing for all contributors.

@songbirds provided two test stability improvements with PR #344 and PR #347. The first PR adds skip guards to RedisKvStore tests as a workaround for a known Bun runtime issue, keeping the test suite functional while awaiting an upstream fix. The second PR resolves a race condition in the code generation process by randomizing output filenames, preventing conflicts during parallel test execution. These contributions help maintain a stable testing environment for the project.

Thank you all for your contributions to Fedify. Your work helps make federated social networking more accessible to developers.

#opensource #fedidev #fediverse

Lots of talk about Ghost today, and rightly so, but don’t forget that a little open source framework @fedify made the ActivityPub plugin possible.

Support open source!

https://ghost.org/changelog/6/

#ActivityPub #FediDev

We're thrilled to highlight five outstanding contributions from the Korean Open Source Contribution Academy (#OSSCA) program participants who have been working on #Fedify! Their dedication and effort have significantly enhanced our #ActivityPub server framework.

First up is @nyeong with his monumental #318 PR, implementing a SQLite-based key–value store to address #274. This contribution adds the SqliteKvStore class with full cross-runtime support for Node.js, Deno, and Bun through the new @fedify/sqlite package. His implementation includes atomic operations, TTL support, comprehensive test coverage, and careful attention to SQL injection prevention. This enables developers to use SQLite as a persistent storage backend while maintaining compatibility with Fedify's existing KvStore API—a crucial feature for production deployments!

Next, @crohasang delivered an excellent quality-of-life improvement with #341 PR, fixing #257. He enhanced the CLI to properly respect TTY status and the NO_COLOR environment variable, implementing intelligent color control across all CLI commands. The solution involved switching from @cliffy/ansi/colors to @std/fmt/colors, creating a helper function using Deno.inspect() to handle object formatting, and ensuring colors are correctly disabled when output is redirected to files. This makes the CLI much more pipe-friendly and suitable for automated workflows!

@menele contributed a thoughtful enhancement with #342 PR, addressing #191. She updated the fedify inbox command to display not just the activity type, but also the type of object contained within each activity—transforming output like "Create" into the more informative "Create(Note)" or "Undo" into "Undo(Follow)". This seemingly simple change required making the display function asynchronous to fetch the enclosed objects, significantly improving the debugging experience for developers!

@woaol tackled an important developer experience issue with #329 PR, solving #306. Previously, the fedify init command would often install outdated versions of Fedify packages like @fedify/redis because version numbers were hardcoded in the CLI. They created a getLatestVersion() function that dynamically retrieves package versions from local metadata files, ensuring that developers always get the latest versions of all Fedify packages when initializing a new project. This improvement includes comprehensive test coverage and eliminates the frustration of starting a project with outdated dependencies!

Finally, @kodingwarrior made a significant contribution with #309 PR, implementing #269—NestJS integration! They created the @fedify/nestjs package with a FedifyModule that seamlessly integrates Fedify into NestJS applications. This includes proper middleware implementation, dependency injection support through NestJS's module system, and compatibility with both CommonJS and ESM environments. This opens up Fedify to the large NestJS developer community, making it easier than ever to build ActivityPub-enabled applications with this popular enterprise framework!

These contributions showcase the incredible talent and dedication of the OSSCA participants. From core infrastructure improvements to developer experience enhancements, each contribution makes Fedify better for the entire community. Thank you all for your hard work and welcome to the Fedify contributor family! 🚀

We're looking forward to seeing more amazing contributions from the OSSCA program and the broader community. If you're interested in contributing to Fedify, check out our GitHub repository and join us in building the future of federated social web! 🌟

#opensource #fedidev #fediverse

What is the biggest reason that makes you hesitate to adopt #Fedify?

#ActivityPub #fedidev

@fedify Personally I just enjoy doing it myself. Fedify is a great project and I will happily use it for anything new, once I'm sick of writing it from scratch myself lol

What is the biggest reason that makes you hesitate to adopt #Fedify?

#ActivityPub #fedidev

🎉 Huge shoutout to @2chanhaeng for implementing custom collection dispatchers in #Fedify through the Korean #OSSCA program!

This incredible contribution adds support for creating arbitrary collections beyond the built-in ones (e.g., outbox, inbox, following, followers). Now developers can expose custom collections like user bookmarks, post categories, or any grouped content through the #ActivityPub protocol:

federation
  .setCollectionDispatcher(
    "bookmarks",
    Article,
    "/users/{identifier}/bookmarks",
    async (ctx, values, cursor) => {
      const { posts, nextCursor } = await getBookmarkedPosts(values.identifier, cursor);
      return { items: posts, nextCursor };
    }
  )
  .setCounter(async (ctx, values) =>
    getBookmarkCount(values.identifier)
  );

The implementation is technically excellent with full #TypeScript support, both Collection and OrderedCollection types, cursor-based pagination, authorization predicates, and zero breaking changes. @2chanhaeng delivered not just code but a complete feature with 313 lines of comprehensive documentation, practical examples, and thorough test coverage.

This opens up countless possibilities for ActivityPub applications built with Fedify. From user-specific collections to complex categorization systems, developers now have the flexibility to create any type of custom collection while maintaining full ActivityPub compliance.

Thank you @2chanhaeng for this outstanding contribution and to the OSSCA program for fostering such excellent open source collaboration! 🚀

• Issue: https://github.com/fedify-dev/fedify/issues/310
• Pull request: https://github.com/fedify-dev/fedify/pull/332

#opensource #fedidev #fediverse

🎉 Huge shoutouts to two amazing contributors from Korea's #OSSCA program who just made #Fedify even better!

First, @z9mb1 delivered PR #321, adding a handy -o/--output option to fedify lookup. Now you can save lookup results directly to files instead of just printing to terminal—a nice quality-of-life improvement for analysis and scripting workflows.

But the real showstopper is @joonnot's incredible PR #283, which introduces the brand new @fedify/testing package! This massive contribution (2,014 lines across 20 files) brings MockFederation and MockContext classes that completely transform how we test federated applications. No more complex setups or actual network requests—just clean, straightforward unit testing with activity tracking, inbox simulation, and queue-aware testing capabilities.

These contributions solve real pain points and showcase the amazing talent emerging from the OSSCA program. Both features will be available in the upcoming Fedify 1.8 release. The future of federated software development just got a lot brighter! 🚀

#ActivityPub #fedidev #fediverse #opensource

for some reason this post became popular among korean users
also hi, fedify devs!

RE: https://twink.men/notes/aae29npx866t05av

writefreely feels lacking, so i'm trying to make my own activitypub blog
thank God Fedify exists

For your information, you can install the fedify command through Homebrew or npm:

brew install fedify
npm install -g @fedify/cli

https://macaw.social/@andypiper/114837081525940310

@paul I should also just point you at https://browser.pub/ and mention that fedify (npm install fedify) has a great CLI for some of the testing too. Good luck!

@andypiper I'm not a server-side person, so there's really not much there - I started with the #fedify tutorial, enough to create one account, and an instance with a nodeinfo, added the mastodon api instance info that's in the screenshot, and web pages that display links and a resume from hardcoded data and embedded static json. I'm just dabbling, but I'd like to see a fediverse portfolio/resume site, like linkedin but not linkedin.

my very single-user instance built with #Fedify

Been reading up on the #ActivityPub spec as I design my plan out. There's a lot of really nice proposals out there I'm interested in considering implementing. Also been pretty happy with the @fedify library it's pretty awesome for hitting the ground running.

🎉 Huge shoutout to two amazing contributors from Korea's #OSSCA program who've made excellent contributions to #Fedify!

👏 @gaebalgom tackled a tricky terminal compatibility issue in PR #282, fixing the fedify node command's favicon display on terminal emulators without truecolor support (#168). His solution elegantly detects terminal capabilities and falls back to 256-color mode when needed—ensuring a great experience across different environments.

🌟 @joonnot enhanced Fedify's #WebFinger functionality in PR #281 by adding a configurable maxRedirection option to the lookupWebFinger() function (#248). He transformed a hardcoded limitation into a flexible, user-customizable parameter while maintaining perfect backward compatibility.

Both delivered thoughtful, well-implemented solutions that showcase the quality of contributions coming from the OSSCA program. Welcome to the Fedify community!

#ActivityPub #opensource #fedidev

🎉 Big thanks to @2chanhaeng for his first contribution to #Fedify! He implemented the new fedify webfinger command in PR #278, which allows isolated #WebFinger lookups for testing configurations. This addresses the need for developers to test WebFinger functionality without performing comprehensive object retrieval.

The contribution includes:

• A new fedify webfinger <handle> command that accepts @user@domain format handles or URIs
• Clean JSON output of WebFinger JRD results
• Proper error handling for invalid handles and lookup failures
• Complete #CLI integration with help text and usage examples

This was originally filed as issue #260 and marked as a good first issue—perfect for newcomers to learn the codebase structure while contributing meaningful functionality. The PR has been merged and will be included in the upcoming Fedify 1.8.0 release.

We appreciate all first-time contributors who help make Fedify better for the entire #fediverse community. Welcome aboard, ChanHaeng!

#opensource #fedidev

Just installed the fedify CLI tool on my Mac. Very useful tool for AP developers and tinkerers alike.

You can ask to to look up an AP object and it returns the response. Cool!

`fedify lookup https://spark.box464.social/pub/actors/spark464`

https://fedify.dev/cli

Thanks, @fedify

#FediDev #ActivityPub

#Fedify has moved to a monorepo structure with unified versioning across all packages (@fedify/fedify, @fedify/cli, database adapters & framework integrations).

All packages now release together, making dependency management much simpler!

#ActivityPub #fedidev

@douginamug check out @fedify https://fedify.dev/ !

Also, the actual spec was not _that_ long, I enjoyed reading it
https://www.w3.org/TR/activitypub/

@douginamug start with @fedify or @botkit!

A couple of things to note:

- Testing this between a local mastodon instance and a local Adonis.js server was a royal PITA, due to SSL requirements on Mastodon's side, and not being able to supply an extra certificate to trust (I was using localcan to proxy everything, but it uses a self-signed certificate and mastodon is very unhappy about that)

- Converting between the Request/Response objects that Fedify wants and what Adonis.js has was a little troublesome — it's mostly based on the express code, but modified for Adonis.js — I did have a bug where the body was incomplete for some reason.

- Changing instance URLs is a PITA because everything gets weirdly cached. Here be dragons.

- I did hit into an issue with firstKnock throwing an error, but I can't manage to reproduce it now. I think it may have been SSL related.