Fedify: ActivityPub server framework

Fedify security updates: 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3

If you use Fedify, update to a patched release now. CVE-2026-42462 affects Fedify's Linked Data Signature handling. An attacker could use JSON-LD graph-restructuring features to change how a signed activity is interpreted without invalidating its Linked Data Signature.

Fedify verifies incoming ActivityPub activities with several mechanisms, including HTTP Signatures, Object Integrity Proofs, and Linked Data Signatures. The vulnerable path is Linked Data Signatures: the signature is checked over the canonical RDF graph, but JSON-LD can represent the same graph in more than one JSON shape. In affected versions, that gap could let a signed activity be reshaped so that Fedify reads a different ActivityPub object shape than intended.

The fix makes Fedify normalize Linked Data Signature-verified activities against Fedify's local JSON-LD context before interpreting them, and rejects JSON-LD constructs that can preserve the signed RDF graph while changing the ActivityPub object shape consumed by Fedify.

Patched releases are 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3. The GitHub Security Advisory is GHSA-9rfg-v8g9-9367, and the CVE ID is CVE-2026-42462.

Update @fedify/fedify:

npm  update  @fedify/fedify
yarn upgrade @fedify/fedify
pnpm update  @fedify/fedify
bun  update  @fedify/fedify
deno update  @fedify/fedify

After updating, redeploy. If you run other Fedify-based servers, update those too.

Thanks to @Claire for the report and responsible disclosure.

If anything is unclear, ask below.

It took some night tinkering around, but I built a proof of concept with @fedify, with 1) a shop software that creates and sends offers/products, 2) to the following marketplaces. The marketplace aggregates these offers and all via activitipub, so in the fediverse.
You can find the proof of concept here: https://marketplace.playground.54gradsoftware.de/.
If you go to a shop software, you also can add products, and you should see in the marketplace the new product: https://shop-postcards.playground.54gradsoftware.de/
Every hour there is a reset in the db.

This is just a super simple example with no CSS and no auth, but just an example to test the new fedify vocabulary.
You can find more information in the repo: https://codeberg.org/54GradSoftware/economiverse
#fep0837

This is the CUTEST kawaii Ai-chan (藍(あい)"Ai" is a normal female Japanese name meaning "Indigo" both the color and the plant; "Ai"-chan, the mascot of Misskey, has nothing to do with Large Language Models) I have ever seen from a technical literature titled like "Practical Fedify: An Introduction to ActivityPub Microblog Development"! I even see other mascots in the Fediverse too, like Don the Mastodon and that Blue Dinosaur mascot of Fedify (I don't know its name).
Huge thanks to @hongminhee@hollo.social https://hollo.social/@hongminhee for their work on authoring this amazing book and developing Fedify itself! And if you can read Japanese and are interested in Fedify and ActivityPub Development, then definitely check this one out! You can pre-order the book on Amazon Japan → https://amzn.asia/d/0hQSKBmI #Fedify (The book will be printed on May 22)

日本で世界初のFedifyの書籍「実践Fedify——ActivityPubマイクロブログ開発入門」が出版されました。この本は私にとって初めての著書でもありますが、最初の本が母語の韓国語ではなく日本語だというのは、なんだかとても不思議な気分ですね。本書は、英語で書かれたFedifyの公式チュートリアル「Creating your own federated microblog」をベースに、様々な加筆を行ったものです。Fedifyのマスコットの恐竜と、Misskeyのマスコットである三須木（みすき） 藍（あい）、Mastodonのマスコットが一緒に描かれた可愛い表紙のイラストは、ゆめつきママさんが描いてくださいました。電子書籍と紙の書籍の両方で、来る22日にインプレス NextPublishingから出版される予定です。

The world's first Fedify book, Practical Fedify: Introduction to ActivityPub Microblog Development (実践Fedify——ActivityPubマイクロブログ開発入門), has been published in Japan. This is also the first book I have ever published, and it feels quite surreal that my first book is in Japanese rather than my native language, Korean. This book is an expanded version based on the official English Fedify tutorial, Creating your own federated microblog, with various additions. Yumetsuki Mama (ゆめつきママ) worked on the cute book cover illustration, which features the Fedify dinosaur mascot, Misskey's mascot Ai-chan, and the Mastodon mascot together. It is scheduled to be published in both e-book and print formats on the 22nd by Impress NextPublishing. See also the Amazon Japan.

Fedify security updates: 1.9.10, 1.10.9, 2.0.16, 2.1.12, and 2.2.1

If you use Fedify, update to a patched release now. A private network protection bypass affects Fedify's remote document loading code. URLs with private IPv4 addresses encoded as IPv4-mapped IPv6 literals, such as http://[::ffff:7f00:1]/, could pass validatePublicUrl() even though they refer to private or loopback addresses.

Fedify uses validatePublicUrl() when fetching remote ActivityPub documents and related resources. An attacker who can make a Fedify server fetch an attacker-controlled URL may be able to bypass the private address checks that are intended to reduce SSRF risk.

All versions up to and including 2.2.0 are affected. Patched releases are 1.9.10, 1.10.9, 2.0.16, 2.1.12, and 2.2.1.

For Fedify 1.x, update @fedify/fedify:

npm update @fedify/fedify
yarn upgrade @fedify/fedify
pnpm update @fedify/fedify
bun update @fedify/fedify
deno update @fedify/fedify

For Fedify 2.x, update both @fedify/fedify and @fedify/vocab-runtime:

npm update @fedify/fedify @fedify/vocab-runtime
yarn upgrade @fedify/fedify @fedify/vocab-runtime
pnpm update @fedify/fedify @fedify/vocab-runtime
bun update @fedify/fedify @fedify/vocab-runtime
deno update @fedify/fedify @fedify/vocab-runtime

After updating, redeploy. If you run other Fedify-based servers, update those too.

Thanks to Changkyun Kim (@me) for the report and responsible disclosure.

If anything is unclear, ask below.

Fedify 2.2.0 is out! This release finally adds client-to-server (C2S) outbox listener support, proper HTTP 410 Gone responses for deleted actors via Tombstone, new integrations for SolidStart and Nuxt, and interoperability fixes for Lemmy and Pixelfed. Three new end-to-end tutorials also landed alongside a custom collections cookbook.

https://github.com/fedify-dev/fedify/discussions/733

Building a threadiverse community platform by @hongminhee https://lobste.rs/s/gbgfec #distributed #web
https://fedify.dev/tutorial/threadiverse

Fedify 2.2.0 is out! This release finally adds client-to-server (C2S) outbox listener support, proper HTTP 410 Gone responses for deleted actors via Tombstone, new integrations for SolidStart and Nuxt, and interoperability fixes for Lemmy and Pixelfed. Three new end-to-end tutorials also landed alongside a custom collections cookbook.

https://github.com/fedify-dev/fedify/discussions/733

Unless something comes up, #Fedify 2.2.0 will be released today.

If you'd like to preview the #tutorial I'm writing on building a small federated image sharing service, similar to @pixelfed, with @fedify and @nuxt, here it is:

https://pr-731-0.fedify.pages.dev/tutorial/content-sharing

If you'd like to give feedback after reading it, please leave a comment on the following PR:

https://github.com/fedify-dev/fedify/pull/731

#Fedify #fedidev #ActivityPub #Nuxt #Pixelfed

If you'd like to preview the #tutorial I'm writing on building a small #threadiverse software with #Fedify, here it is:

https://pr-710.fedify.pages.dev/tutorial/threadiverse

If you'd like to give feedback after reading it, please leave a comment on the following PR:

https://github.com/fedify-dev/fedify/pull/710

The official Awesome Fedify site is now live:

http://awesome.fedify.dev/

It brings together real-world Fedify projects, packages, examples, tutorials, and talks in one place.

If you know a good resource we should list, contributions are welcome:

https://github.com/fedify-dev/awesome-fedify

We're working on a new #tutorial for #Fedify: Building a Federated Blog with Astro!

It walks you through creating a hybrid blog—static Markdown posts powered by #Astro content collections, with #ActivityPub federation layered on top. By the end, your blog will be followable from Mastodon, send Create/Update/Delete activities when you publish or edit posts, and display #fediverse replies as comments.

Preview the draft here: https://d180af62.fedify.pages.dev/tutorial/astro-blog.

We'd love your feedback—especially if you spot anything incorrect, unclear, or missing. Please leave comments on the GitHub PR #695 or issue #691.

#fedidev

Naru, the Korean version of #Neocities, reportedly added an #ActivityPub implementation in just an hour using #Fedify. If you also want to implement ActivityPub quickly, give Fedify a try!

https://hackers.pub/@jihyeok/019da3d9-45b8-7629-96a8-b26bd62867c2

Naru (Korean Neocities) gains ActivityPub support thanks to Fedify!

Now, you can follow Naru personal homepages on the Fediverse, and receive updates at most once a day per website. For example, if you want to receive updates for https://yang.naru.pub, you can simply folllow @yang@naru.pub.

I believe this is a significant improvement over polling websites and an effective way to stay connected with the indie web community.

Fedify ActivityPub server framework

A #TypeScript library for building federated server apps powered by #ActivityPub and other standards, so-called #fediverse

https://fedify.dev

Significant performance improvements are expected in today's latest Fedify patch releases (v1.9.9, v1.10.8, v2.0.12, and v2.1.5).

Fedify security updates: 1.9.7, 1.10.6, 2.0.10, and 2.1.3

If you use Fedify, update to a patched release now. A high-severity denial-of-service vulnerability (CVE-2026-34148) affects Fedify's remote document loader and authenticated document loader. Both follow HTTP redirects without a redirect limit or loop detection. An attacker-controlled server can return a redirect loop for a keyId or actor URL fetch, causing a single inbound ActivityPub request to keep issuing outbound requests until the fetch times out.

All versions up to and including 2.1.0 are affected. Patched releases are 1.9.7, 1.10.6, 2.0.10, and 2.1.3. Update with your package manager:

npm update @fedify/fedify
yarn upgrade @fedify/fedify
pnpm update @fedify/fedify
bun update @fedify/fedify
deno update @fedify/fedify

After updating, redeploy. If you run other Fedify-based servers, update those too.

Thanks to Abhinav Jaswal for the report and responsible disclosure. Disclosure was coordinated with Ghost so they had time to ship their update.

If anything is unclear, ask below.

My first PR has been merged into the main branch of the @fedify project! It's the first step in integrating #fep0837 into Fedify. The next step is to build on the software.
Thank you, @hongminhee, for your patience and work!
I learnt a lot about JSON-LD. I still think there is more for me to learn...

BotKit 0.4.0 is out! This release adds @fedify/botkit-postgres, a PostgreSQL-backed repository for deployments where SQLite isn't enough; a remote follow button on the bot profile page, so visitors can follow directly without manually searching from their own instance; and Session.republishProfile(), which lets you push profile changes to followers without waiting for the next post. It also upgrades the underlying Fedify dependency to 2.1.2, with a few small breaking API changes.

Full release notes:

https://github.com/fedify-dev/botkit/discussions/20

Fedify 2.1.0 is out!

The highlight of this release is onUnverifiedActivity(), a long-requested hook that lets you intercept inbound activities whose signatures couldn't be verified, instead of silently returning 401 and letting remote servers retry forever. Great for handling Delete activities from permanently gone actors.

Also new: full RFC 9421 Accept-Signature negotiation on both outbound and inbound paths, GoToSocial interoperability fixes, @fedify/mysql for MySQL/MariaDB backends, @fedify/astro for Astro integration, and fedify lookup --recurse for following reply chains.

Release notes: https://github.com/fedify-dev/fedify/discussions/642

Wir sollten „Public Money = Public Social Media” also mehr pushen.
Habt Spaß und wenn ihr könnt, baut doch etwas mit z. B. @fedify oder @botkit.
Damit das Ganze hier aber wirklich skaliert, braucht es schlichtweg mehr Geld. Natürlich auch mehr Strukturen und Spezifikationen. Dass hier überhaupt etwas gebaut wird, ist schon großartig. Im Ehrenamt lässt sich nur schwer eine Alternative zu Big Tech aufbauen, wenn man möchte, dass ein Großteil der Bevölkerung Lust hat, diese Anwendungen zu benutzen. Geschweige vom Onboarding, auch auf dem Platten land.
Wer von Open Source spricht, sollte beim Fediverse Funding nicht schweigen.

Hier noch einmal eine Linkliste von Tools:
- Ihr habt Bock auf hübsche Wraps-Grafiken für euren Account: https://mastodon-wrapped.playground.54gradsoftware.de/
- Ihr wollt eure Account-Einstellungen checken: https://mastodon-account-checker.playground.54gradsoftware.de/
- Ihr wollt wissen, welche Organisationen schon auf Mastodon sind (täglich frisch aktualisiert): https://mastodon-account-checker.playground.54gradsoftware.de/
- Jede Konferenz/Treffen braucht ein Hashtag und eine https://fediwall.de/
- Tägliche coole Geschichtlichen Wikipedia Links gibt es hier: @heute_vor

I've been thinking about adding federation health monitoring to #Fedify—not as a separate data store or custom API, but by extending the existing #OpenTelemetry integration. The idea is to expose delivery outcomes, signature verification failures, and per-remote-host error rates as OpenTelemetry metrics alongside the spans Fedify already emits. If you already have a Prometheus or Grafana setup, you'd get federation observability basically for free. Circuit breaker behavior (temporarily skipping a remote server that's been consistently unreachable) could surface as OpenTelemetry events, keeping everything in the same trace context rather than scattered across separate logs.

Does this sound useful to you? I'm curious whether people building on Fedify—or running federated servers in general—would actually reach for this, and what kinds of things you'd most want to observe. Happy to hear any thoughts.

#fedidev #ActivityPub

(Disclosure: Using the name and logo of Encyclia – symbolically, since Encyclia is not a legal entity – I have an active monthly donation to @fedify on OpenCollective. However, I do not believe that this is getting me any preferential treatment, and in my observation the Fedify project treats all contributors and downstream implementers with equal respect.)

Seems as good a day as any to thank @hongminhee and team for the exemplary work on @fedify. Following Fedify's big 2.0 release, my two largest interoperability pain points in @encyclia can be fixed. 🙂

https://github.com/fedify-dev/fedify/issues/473 means that people using @gotosocial will finally be able to follow @encyclia accounts soon (whenever I finish the upgrade).

https://github.com/fedify-dev/fedify/issues/472 will let me (and others) handle more account resolution edge cases and reduce failure mode traffic after Fedify 2.1 is out.

明日起きたらDeno+Hono+Fedifyに入門する。
おやすも

Fedify has just laid out a comprehensive implementation plan for this fep:

https://github.com/fedify-dev/fedify/issues/288#issuecomment-3971459585

The core idea is replacing HTTP(S) URIs with server-independent identifiers: ap:// URIs that use a Decentralized Identifier (DID) as the authority component, rather than a domain name. An object identified as ap://did:key:z6Mk…/actor can live on multiple servers simultaneously and survives any single server disappearing.

Jiwon (@z9mb1), one of our core contributors, drew a Fedify dino! How cute!

https://oeee.cafe/@z9mb1/2b5b0baf-466b-4c65-a1e0-d3588f0666f4