Fedify: ActivityPub server framework

Fedify 2.2.0 is out! This release finally adds client-to-server (C2S) outbox listener support, proper HTTP 410 Gone responses for deleted actors via Tombstone, new integrations for SolidStart and Nuxt, and interoperability fixes for Lemmy and Pixelfed. Three new end-to-end tutorials also landed alongside a custom collections cookbook.

https://github.com/fedify-dev/fedify/discussions/733

Building a threadiverse community platform by @hongminhee https://lobste.rs/s/gbgfec #distributed #web
https://fedify.dev/tutorial/threadiverse

Fedify 2.2.0 is out! This release finally adds client-to-server (C2S) outbox listener support, proper HTTP 410 Gone responses for deleted actors via Tombstone, new integrations for SolidStart and Nuxt, and interoperability fixes for Lemmy and Pixelfed. Three new end-to-end tutorials also landed alongside a custom collections cookbook.

https://github.com/fedify-dev/fedify/discussions/733

Unless something comes up, #Fedify 2.2.0 will be released today.

If you'd like to preview the #tutorial I'm writing on building a small federated image sharing service, similar to @pixelfed, with @fedify and @nuxt, here it is:

https://pr-731-0.fedify.pages.dev/tutorial/content-sharing

If you'd like to give feedback after reading it, please leave a comment on the following PR:

https://github.com/fedify-dev/fedify/pull/731

#Fedify #fedidev #ActivityPub #Nuxt #Pixelfed

If you'd like to preview the #tutorial I'm writing on building a small #threadiverse software with #Fedify, here it is:

https://pr-710.fedify.pages.dev/tutorial/threadiverse

If you'd like to give feedback after reading it, please leave a comment on the following PR:

https://github.com/fedify-dev/fedify/pull/710

The official Awesome Fedify site is now live:

http://awesome.fedify.dev/

It brings together real-world Fedify projects, packages, examples, tutorials, and talks in one place.

If you know a good resource we should list, contributions are welcome:

https://github.com/fedify-dev/awesome-fedify

We're working on a new #tutorial for #Fedify: Building a Federated Blog with Astro!

It walks you through creating a hybrid blog—static Markdown posts powered by #Astro content collections, with #ActivityPub federation layered on top. By the end, your blog will be followable from Mastodon, send Create/Update/Delete activities when you publish or edit posts, and display #fediverse replies as comments.

Preview the draft here: https://d180af62.fedify.pages.dev/tutorial/astro-blog.

We'd love your feedback—especially if you spot anything incorrect, unclear, or missing. Please leave comments on the GitHub PR #695 or issue #691.

#fedidev

Naru, the Korean version of #Neocities, reportedly added an #ActivityPub implementation in just an hour using #Fedify. If you also want to implement ActivityPub quickly, give Fedify a try!

https://hackers.pub/@jihyeok/019da3d9-45b8-7629-96a8-b26bd62867c2

Naru (Korean Neocities) gains ActivityPub support thanks to Fedify!

Now, you can follow Naru personal homepages on the Fediverse, and receive updates at most once a day per website. For example, if you want to receive updates for https://yang.naru.pub, you can simply folllow @yang@naru.pub.

I believe this is a significant improvement over polling websites and an effective way to stay connected with the indie web community.

Fedify ActivityPub server framework

A #TypeScript library for building federated server apps powered by #ActivityPub and other standards, so-called #fediverse

https://fedify.dev

Significant performance improvements are expected in today's latest Fedify patch releases (v1.9.9, v1.10.8, v2.0.12, and v2.1.5).

Fedify security updates: 1.9.7, 1.10.6, 2.0.10, and 2.1.3

If you use Fedify, update to a patched release now. A high-severity denial-of-service vulnerability (CVE-2026-34148) affects Fedify's remote document loader and authenticated document loader. Both follow HTTP redirects without a redirect limit or loop detection. An attacker-controlled server can return a redirect loop for a keyId or actor URL fetch, causing a single inbound ActivityPub request to keep issuing outbound requests until the fetch times out.

All versions up to and including 2.1.0 are affected. Patched releases are 1.9.7, 1.10.6, 2.0.10, and 2.1.3. Update with your package manager:

npm update @fedify/fedify
yarn upgrade @fedify/fedify
pnpm update @fedify/fedify
bun update @fedify/fedify
deno update @fedify/fedify

After updating, redeploy. If you run other Fedify-based servers, update those too.

Thanks to Abhinav Jaswal for the report and responsible disclosure. Disclosure was coordinated with Ghost so they had time to ship their update.

If anything is unclear, ask below.

My first PR has been merged into the main branch of the @fedify project! It's the first step in integrating #fep0837 into Fedify. The next step is to build on the software.
Thank you, @hongminhee, for your patience and work!
I learnt a lot about JSON-LD. I still think there is more for me to learn...

BotKit 0.4.0 is out! This release adds @fedify/botkit-postgres, a PostgreSQL-backed repository for deployments where SQLite isn't enough; a remote follow button on the bot profile page, so visitors can follow directly without manually searching from their own instance; and Session.republishProfile(), which lets you push profile changes to followers without waiting for the next post. It also upgrades the underlying Fedify dependency to 2.1.2, with a few small breaking API changes.

Full release notes:

https://github.com/fedify-dev/botkit/discussions/20

Fedify 2.1.0 is out!

The highlight of this release is onUnverifiedActivity(), a long-requested hook that lets you intercept inbound activities whose signatures couldn't be verified, instead of silently returning 401 and letting remote servers retry forever. Great for handling Delete activities from permanently gone actors.

Also new: full RFC 9421 Accept-Signature negotiation on both outbound and inbound paths, GoToSocial interoperability fixes, @fedify/mysql for MySQL/MariaDB backends, @fedify/astro for Astro integration, and fedify lookup --recurse for following reply chains.

Release notes: https://github.com/fedify-dev/fedify/discussions/642

Wir sollten „Public Money = Public Social Media” also mehr pushen.
Habt Spaß und wenn ihr könnt, baut doch etwas mit z. B. @fedify oder @botkit.
Damit das Ganze hier aber wirklich skaliert, braucht es schlichtweg mehr Geld. Natürlich auch mehr Strukturen und Spezifikationen. Dass hier überhaupt etwas gebaut wird, ist schon großartig. Im Ehrenamt lässt sich nur schwer eine Alternative zu Big Tech aufbauen, wenn man möchte, dass ein Großteil der Bevölkerung Lust hat, diese Anwendungen zu benutzen. Geschweige vom Onboarding, auch auf dem Platten land.
Wer von Open Source spricht, sollte beim Fediverse Funding nicht schweigen.

Hier noch einmal eine Linkliste von Tools:
- Ihr habt Bock auf hübsche Wraps-Grafiken für euren Account: https://mastodon-wrapped.playground.54gradsoftware.de/
- Ihr wollt eure Account-Einstellungen checken: https://mastodon-account-checker.playground.54gradsoftware.de/
- Ihr wollt wissen, welche Organisationen schon auf Mastodon sind (täglich frisch aktualisiert): https://mastodon-account-checker.playground.54gradsoftware.de/
- Jede Konferenz/Treffen braucht ein Hashtag und eine https://fediwall.de/
- Tägliche coole Geschichtlichen Wikipedia Links gibt es hier: @heute_vor

I've been thinking about adding federation health monitoring to #Fedify—not as a separate data store or custom API, but by extending the existing #OpenTelemetry integration. The idea is to expose delivery outcomes, signature verification failures, and per-remote-host error rates as OpenTelemetry metrics alongside the spans Fedify already emits. If you already have a Prometheus or Grafana setup, you'd get federation observability basically for free. Circuit breaker behavior (temporarily skipping a remote server that's been consistently unreachable) could surface as OpenTelemetry events, keeping everything in the same trace context rather than scattered across separate logs.

Does this sound useful to you? I'm curious whether people building on Fedify—or running federated servers in general—would actually reach for this, and what kinds of things you'd most want to observe. Happy to hear any thoughts.

#fedidev #ActivityPub

(Disclosure: Using the name and logo of Encyclia – symbolically, since Encyclia is not a legal entity – I have an active monthly donation to @fedify on OpenCollective. However, I do not believe that this is getting me any preferential treatment, and in my observation the Fedify project treats all contributors and downstream implementers with equal respect.)

Seems as good a day as any to thank @hongminhee and team for the exemplary work on @fedify. Following Fedify's big 2.0 release, my two largest interoperability pain points in @encyclia can be fixed. 🙂

https://github.com/fedify-dev/fedify/issues/473 means that people using @gotosocial will finally be able to follow @encyclia accounts soon (whenever I finish the upgrade).

https://github.com/fedify-dev/fedify/issues/472 will let me (and others) handle more account resolution edge cases and reduce failure mode traffic after Fedify 2.1 is out.

明日起きたらDeno+Hono+Fedifyに入門する。
おやすも

Fedify has just laid out a comprehensive implementation plan for this fep:

https://github.com/fedify-dev/fedify/issues/288#issuecomment-3971459585

The core idea is replacing HTTP(S) URIs with server-independent identifiers: ap:// URIs that use a Decentralized Identifier (DID) as the authority component, rather than a domain name. An object identified as ap://did:key:z6Mk…/actor can live on multiple servers simultaneously and survives any single server disappearing.

Jiwon (@z9mb1), one of our core contributors, drew a Fedify dino! How cute!

https://oeee.cafe/@z9mb1/2b5b0baf-466b-4c65-a1e0-d3588f0666f4

Fedify dino for notice

https://kre.pe/CKwN This is a paid request :) fediverse logo was attached afterwards.

Started laying out a rough plan for implementing FEP-ef61: Portable Objects in #Fedify—server-independent #ActivityPub identities backed by #DIDs, multi-server replication, and client-side signing. It's going to be a long road (13 tasks across 5 phases, with a few open questions that need answering before we even begin), but I think it's worth doing right.

https://github.com/fedify-dev/fedify/issues/288#issuecomment-3971459585

#fedidev #fediverse #PortableObjects

Over the weekend, I created https://robot.villas using @fedify 2.0. Not knowing how activitypub worked made this a lot harder than I expected, but did get there in the end.

Each bot mirrors an RSS feed. @nyt_travel as an example. You can add your RSS feed for funzies at https://github.com/icco/robot.villas/blob/main/feeds.yml

Let me know if you run into any issues with my new little bot farm of news.

#theWorkshop

Hi #fediverse and #ActivityPub developers!

I'm currently working on interoperability testing for #Hollo and #Fedify, and I need a #Bonfire account to test federation with their implementation.

Since there aren't many open public Bonfire instances available, I was wondering if any Bonfire instance admins out there would be willing to grant me a test account? It would be a huge help for improving interop! Let me know if you can help. Thanks!

#fedidev #BonfireNetworks

@fedify That is one juicy changelog! 🤩

Makes me want to jump into upgrading @encyclia, especially after we postponed the Fresh 2.x integration. But it sounds like that's going to be a bit of an adventure, so I'll wait until I can set an afternoon aside for it.

The really cool thing about this new architecture is that it can enable Client to Server architecture for AP with fedify (maybe vocab packages could be used in the browser too!)