Fedify: ActivityPub server framework

Significant performance improvements are expected in today's latest Fedify patch releases (v1.9.9, v1.10.8, v2.0.12, and v2.1.5).

Fedify security updates: 1.9.7, 1.10.6, 2.0.10, and 2.1.3

If you use Fedify, update to a patched release now. A high-severity denial-of-service vulnerability (CVE-2026-34148) affects Fedify's remote document loader and authenticated document loader. Both follow HTTP redirects without a redirect limit or loop detection. An attacker-controlled server can return a redirect loop for a keyId or actor URL fetch, causing a single inbound ActivityPub request to keep issuing outbound requests until the fetch times out.

All versions up to and including 2.1.0 are affected. Patched releases are 1.9.7, 1.10.6, 2.0.10, and 2.1.3. Update with your package manager:

npm update @fedify/fedify
yarn upgrade @fedify/fedify
pnpm update @fedify/fedify
bun update @fedify/fedify
deno update @fedify/fedify

After updating, redeploy. If you run other Fedify-based servers, update those too.

Thanks to Abhinav Jaswal for the report and responsible disclosure. Disclosure was coordinated with Ghost so they had time to ship their update.

If anything is unclear, ask below.

My first PR has been merged into the main branch of the @fedify project! It's the first step in integrating #fep0837 into Fedify. The next step is to build on the software.
Thank you, @hongminhee, for your patience and work!
I learnt a lot about JSON-LD. I still think there is more for me to learn...

BotKit 0.4.0 is out! This release adds @fedify/botkit-postgres, a PostgreSQL-backed repository for deployments where SQLite isn't enough; a remote follow button on the bot profile page, so visitors can follow directly without manually searching from their own instance; and Session.republishProfile(), which lets you push profile changes to followers without waiting for the next post. It also upgrades the underlying Fedify dependency to 2.1.2, with a few small breaking API changes.

Full release notes:

https://github.com/fedify-dev/botkit/discussions/20

Fedify 2.1.0 is out!

The highlight of this release is onUnverifiedActivity(), a long-requested hook that lets you intercept inbound activities whose signatures couldn't be verified, instead of silently returning 401 and letting remote servers retry forever. Great for handling Delete activities from permanently gone actors.

Also new: full RFC 9421 Accept-Signature negotiation on both outbound and inbound paths, GoToSocial interoperability fixes, @fedify/mysql for MySQL/MariaDB backends, @fedify/astro for Astro integration, and fedify lookup --recurse for following reply chains.

Release notes: https://github.com/fedify-dev/fedify/discussions/642

Wir sollten „Public Money = Public Social Media” also mehr pushen.
Habt Spaß und wenn ihr könnt, baut doch etwas mit z. B. @fedify oder @botkit.
Damit das Ganze hier aber wirklich skaliert, braucht es schlichtweg mehr Geld. Natürlich auch mehr Strukturen und Spezifikationen. Dass hier überhaupt etwas gebaut wird, ist schon großartig. Im Ehrenamt lässt sich nur schwer eine Alternative zu Big Tech aufbauen, wenn man möchte, dass ein Großteil der Bevölkerung Lust hat, diese Anwendungen zu benutzen. Geschweige vom Onboarding, auch auf dem Platten land.
Wer von Open Source spricht, sollte beim Fediverse Funding nicht schweigen.

Hier noch einmal eine Linkliste von Tools:
- Ihr habt Bock auf hübsche Wraps-Grafiken für euren Account: https://mastodon-wrapped.playground.54gradsoftware.de/
- Ihr wollt eure Account-Einstellungen checken: https://mastodon-account-checker.playground.54gradsoftware.de/
- Ihr wollt wissen, welche Organisationen schon auf Mastodon sind (täglich frisch aktualisiert): https://mastodon-account-checker.playground.54gradsoftware.de/
- Jede Konferenz/Treffen braucht ein Hashtag und eine https://fediwall.de/
- Tägliche coole Geschichtlichen Wikipedia Links gibt es hier: @heute_vor

I've been thinking about adding federation health monitoring to #Fedify—not as a separate data store or custom API, but by extending the existing #OpenTelemetry integration. The idea is to expose delivery outcomes, signature verification failures, and per-remote-host error rates as OpenTelemetry metrics alongside the spans Fedify already emits. If you already have a Prometheus or Grafana setup, you'd get federation observability basically for free. Circuit breaker behavior (temporarily skipping a remote server that's been consistently unreachable) could surface as OpenTelemetry events, keeping everything in the same trace context rather than scattered across separate logs.

Does this sound useful to you? I'm curious whether people building on Fedify—or running federated servers in general—would actually reach for this, and what kinds of things you'd most want to observe. Happy to hear any thoughts.

#fedidev #ActivityPub

(Disclosure: Using the name and logo of Encyclia – symbolically, since Encyclia is not a legal entity – I have an active monthly donation to @fedify on OpenCollective. However, I do not believe that this is getting me any preferential treatment, and in my observation the Fedify project treats all contributors and downstream implementers with equal respect.)

Seems as good a day as any to thank @hongminhee and team for the exemplary work on @fedify. Following Fedify's big 2.0 release, my two largest interoperability pain points in @encyclia can be fixed. 🙂

https://github.com/fedify-dev/fedify/issues/473 means that people using @gotosocial will finally be able to follow @encyclia accounts soon (whenever I finish the upgrade).

https://github.com/fedify-dev/fedify/issues/472 will let me (and others) handle more account resolution edge cases and reduce failure mode traffic after Fedify 2.1 is out.

明日起きたらDeno+Hono+Fedifyに入門する。
おやすも

Fedify has just laid out a comprehensive implementation plan for this fep:

https://github.com/fedify-dev/fedify/issues/288#issuecomment-3971459585

The core idea is replacing HTTP(S) URIs with server-independent identifiers: ap:// URIs that use a Decentralized Identifier (DID) as the authority component, rather than a domain name. An object identified as ap://did:key:z6Mk…/actor can live on multiple servers simultaneously and survives any single server disappearing.

Jiwon (@z9mb1), one of our core contributors, drew a Fedify dino! How cute!

https://oeee.cafe/@z9mb1/2b5b0baf-466b-4c65-a1e0-d3588f0666f4

Fedify dino for notice

https://kre.pe/CKwN This is a paid request :) fediverse logo was attached afterwards.

Started laying out a rough plan for implementing FEP-ef61: Portable Objects in #Fedify—server-independent #ActivityPub identities backed by #DIDs, multi-server replication, and client-side signing. It's going to be a long road (13 tasks across 5 phases, with a few open questions that need answering before we even begin), but I think it's worth doing right.

https://github.com/fedify-dev/fedify/issues/288#issuecomment-3971459585

#fedidev #fediverse #PortableObjects

Over the weekend, I created https://robot.villas using @fedify 2.0. Not knowing how activitypub worked made this a lot harder than I expected, but did get there in the end.

Each bot mirrors an RSS feed. @nyt_travel as an example. You can add your RSS feed for funzies at https://github.com/icco/robot.villas/blob/main/feeds.yml

Let me know if you run into any issues with my new little bot farm of news.

#theWorkshop

Hi #fediverse and #ActivityPub developers!

I'm currently working on interoperability testing for #Hollo and #Fedify, and I need a #Bonfire account to test federation with their implementation.

Since there aren't many open public Bonfire instances available, I was wondering if any Bonfire instance admins out there would be willing to grant me a test account? It would be a huge help for improving interop! Let me know if you can help. Thanks!

#fedidev #BonfireNetworks

@fedify That is one juicy changelog! 🤩

Makes me want to jump into upgrading @encyclia, especially after we postponed the Fresh 2.x integration. But it sounds like that's going to be a bit of an adventure, so I'll wait until I can set an afternoon aside for it.

The really cool thing about this new architecture is that it can enable Client to Server architecture for AP with fedify (maybe vocab packages could be used in the browser too!)

@david_megginson @ben

Btw, just found the v2 release announcement of @fedify and that is a prime example on how, on the grassroots environment end of the spectrum we can maneuvre into better territory.

Kudos to the #fedify developers. Handing people tools they need to focus on solutions, and build without getting thrown into deep on-the-wire impl detail reeds to worry about.

That is the positive side of the equation. There's not only a big uptick in interest for the #SocialAPI i.e. #ActivityPub client-to-server, which offers new opportunity to correct course. But also are there more #FOSS projects focused on robust tool and library support for the 'Solution developer' stakeholder.

In the revamp of the delightful commons initiative, made possible with support of @nlnet I emphasized all these projects, while I de-emphasized the apps that are already doing good for themself, but contribute to further divergence from open standards.

https://delightful.coding.social

https://hollo.social/@fedify/019c8521-92ef-7d5f-be4d-c50eae575742

"Fedify 2.0.0 está aqui!

Esta é a maior atualização da história do Fedify. Destaques:

**Arquitetura modular** – O pacote monolítico `@fedify/fedify` foi dividido em pacotes independentes e focados: `@fedify/vocab`, `@fedify/vocab-runtime`, `@fedify/vocab-tools`, `@fedify/webfinger` e outros. Pacotes menores, imports mais limpos e a possibilidade de estender o ActivityPub com tipos de vocabulário personalizados.

**Painel de depuração em tempo real** – O novo pacote `@fedify/debugger` oferece um dashboard ao vivo em `/__debug__/` que mostra todo o tráfego de federação: traces, detalhes das atividades, verificação de assinaturas e logs correlacionados. Basta envolver seu objeto `Federation` e pronto.

**Suporte a relay do ActivityPub** – Suporte nativo a relays via `@fedify/relay` e o comando CLI `fedify relay`. Compatível com os protocolos Mastodon-style e LitePub-style (FEP-ae0c).

**Entrega ordenada de mensagens** – A nova opção `orderingKey` resolve o problema do "post zumbi", quando um `Delete` chega antes do seu `Create`. Atividades com a mesma chave são entregues garantidamente na ordem FIFO.

**Tratamento de falhas permanentes** – `setOutboxPermanentFailureHandler()` permite reagir quando uma inbox remota retorna 404 ou 410, possibilitando limpar seguidores inacessíveis em vez de tentar reenviar indefinidamente.

Outras novidades incluem negociação de conteúdo no nível do middleware, `@fedify/lint` para regras compartilhadas de linting, `@fedify/create` para scaffolding rápido de projetos, arquivos de configuração para a CLI, suporte nativo à CLI em Node.js/Bun e diversos fixes de bugs.

Esta versão conta com contribuições significativas de participantes do OSSCA da Coreia. Agradecemos imensamente a todos envolvidos!

Trata-se de uma release major com breaking changes. Consulte o guia de migração antes de atualizar.

Notas completas da release: https://github.com/fedify-dev/fedify/discussions/580

#Fedify #ActivityPub #fediverso #fedidev #TypeScript"

@fediverse @tecnologia @academicos @internet (pode seguir para acompanhar os assuntos ou marcar para amplificar a postagem até no #lemmy tb)

@fedify https://hollo.social/@fedify/019c8521-92ef-7d5f-be4d-c50eae575742

Fedify 2.0.0をリリースしました！

Fedify史上最大のリリースです。主な変更点をご紹介します：

• モジュラーアーキテクチャ — これまでのモノリシックな@fedify/fedifyパッケージを、@fedify/vocab、@fedify/vocab-runtime、@fedify/vocab-tools、@fedify/webfingerなど、独立したパッケージに分割しました。バンドルサイズの削減、インポートの整理に加え、カスタム語彙型によるActivityPubの拡張も可能になりました。
• リアルタイムデバッグダッシュボード — 新しい@fedify/debuggerパッケージにより、/__debug__/パスにライブダッシュボードを表示できます。連合トラフィックのトレース、アクティビティの詳細、署名検証、ログまで一目で確認できます。既存のFederationオブジェクトをラップするだけで使えます。
• ActivityPubリレーサポート — @fedify/relayパッケージとfedify relayCLIコマンドで、リレーサーバーをすぐに立ち上げることができます。Mastodon方式とLitePub方式の両方に対応しています（FEP-ae0c）。
• 順序保証メッセージ配信 — 新しいorderingKeyオプションにより、「ゾンビ投稿」問題を解決しました。DeleteがCreateより先に到着してしまう問題がなくなります。同じキーを共有するアクティビティはFIFO順序が保証されます。
• 永続的な配信失敗の処理 — setOutboxPermanentFailureHandler()で、リモートのインボックスが404や410を返した際に対応できるようになりました。到達不能なフォロワーの整理などが可能です。

その他にも、ミドルウェアレベルでのコンテンツネゴシエーション、@fedify/lint、@fedify/create、CLI設定ファイル、ネイティブNode.js/Bun CLIサポート、多数のバグ修正などが含まれています。

今回のリリースには、韓国のOSSCA（オープンソースコントリビューションアカデミー）参加者の皆さんからの多大な貢献が含まれています。ご協力いただいた全ての方に感謝いたします！

破壊的変更を含むメジャーリリースです。アップグレード前にマイグレーションガイドを必ずご確認ください。

リリースノート全文: https://github.com/fedify-dev/fedify/discussions/580

#Fedify #ActivityPub #fediverse #fedidev #TypeScript

Fedify 2.0.0을 릴리스했습니다!

Fedify 역사상 가장 큰 릴리스입니다. 주요 변경 사항을 소개합니다:

• 모듈형 아키텍처 — 기존의 단일 @fedify/fedify 패키지를 @fedify/vocab, @fedify/vocab-runtime, @fedify/vocab-tools, @fedify/webfinger 등 독립적인 패키지들로 분리했습니다. 번들 크기가 줄어들고, 임포트가 깔끔해지며, 커스텀 어휘 타입으로 ActivityPub을 확장할 수도 있습니다.
• 실시간 디버그 대시보드 — 새로운 @fedify/debugger 패키지로 /__debug__/ 경로에 라이브 대시보드를 띄울 수 있습니다. 연합 트래픽의 트레이스, 액티비티 상세, 서명 검증, 로그까지 한눈에 확인할 수 있습니다. 기존 Federation 객체를 감싸기만 하면 됩니다.
• ActivityPub 릴레이 지원 — @fedify/relay 패키지와 fedify relay CLI 명령어로 릴레이 서버를 바로 띄울 수 있습니다. Mastodon 방식과 LitePub 방식 모두 지원합니다(FEP-ae0c).
• 순서 보장 메시지 전달 — 새로운 orderingKey 옵션으로 “좀비 포스트” 문제를 해결합니다. Delete가 Create보다 먼저 도착하는 문제가 더 이상 발생하지 않습니다. 같은 키를 공유하는 액티비티는 FIFO 순서가 보장됩니다.
• 영구 전달 실패 처리 — setOutboxPermanentFailureHandler()로 원격 인박스가 404나 410을 반환할 때 대응할 수 있습니다. 도달 불가능한 팔로워를 정리하는 등의 처리가 가능합니다.

이 외에도 미들웨어 수준의 콘텐츠 협상, @fedify/lint, @fedify/create, CLI 설정 파일, 네이티브 Node.js/Bun CLI 지원, 다수의 버그 수정 등이 포함되어 있습니다.

이번 릴리스에는 한국 OSSCA (오픈소스 컨트리뷰션 아카데미) 참가자분들의 큰 기여가 담겨 있습니다. 참여해 주신 모든 분께 감사드립니다!

브레이킹 체인지가 포함된 메이저 릴리스입니다. 업그레이드 전에 마이그레이션 가이드를 꼭 확인해 주세요.

전체 릴리스 노트: https://github.com/fedify-dev/fedify/discussions/580

#Fedify #ActivityPub #fediverse #fedidev #TypeScript

Fedify 2.0.0 is here!

This is the biggest release in Fedify's history. Here are the highlights:

• Modular architecture — The monolithic @fedify/fedify package has been broken up into focused, independent packages: @fedify/vocab, @fedify/vocab-runtime, @fedify/vocab-tools, @fedify/webfinger, and more. Smaller bundles, cleaner imports, and the ability to extend ActivityPub with custom vocabulary types.
• Real-time debug dashboard — The new @fedify/debugger package gives you a live dashboard at /__debug__/ showing all your federation traffic: traces, activity details, signature verification, and correlated logs. Just wrap your Federation object and you're done.
• ActivityPub relay support — First-class relay support via @fedify/relay and the fedify relay CLI command. Supports both Mastodon-style and LitePub-style relay protocols (FEP-ae0c).
• Ordered message delivery — The new orderingKey option solves the “zombie post” problem where a Delete arrives before its Create. Activities sharing the same key are guaranteed to be delivered in FIFO order.
• Permanent failure handling — setOutboxPermanentFailureHandler() lets you react when a remote inbox returns 404 or 410, so you can clean up unreachable followers instead of retrying forever.

Other changes include content negotiation at the middleware level, @fedify/lint for shared linting rules, @fedify/create for quick project scaffolding, CLI config files, native Node.js/Bun CLI support, and many bug fixes.

This release includes significant contributions from Korea's OSSCA participants. Huge thanks to everyone involved!

This is a major release with breaking changes—please check the migration guide before upgrading.

Full release notes: https://github.com/fedify-dev/fedify/discussions/580

#Fedify #ActivityPub #fediverse #fedidev #TypeScript

I have just completed the "Learning the Basics" and "Creating a Microblog" tutorials on @fedify. The Fediverse is very complicated. However, building the example application with Fedify is much simpler, and the tutorial was really good, with lots of examples and explanations of the basics. If you want to check it out, here's the link: https://fedify.dev/tutorial/microblog.

Thank you for creating it, and please consider following @hongminhee!

#fediverse

I Guess I’m now the first ever Indiekit Instance on the #fediverse

Thanks to Fedify

{
"@context": [
"https://www.w3.org/ns/activitystreams",
"https://w3id.org/security/v1"
],
"type": "Person",
"id": "https://rmendes.net/",
"preferredUsername": "rick",
"name": "Ricardo Mendes",
"url": "https://rmendes.net/",
"inbox": "https://rmendes.net/activitypub/inbox",
"outbox": "https://rmendes.net/activitypub/outbox",
"followers": "…

https://rmendes.net/notes/2026/02/19/8b1d5

コミュニティをDiscordからMatrixへ段階的に移行しています。メンテナーとコントリビューターはすでにMatrixに移っているため、今後はMatrixのほうが返答が早くなります。Discordはしばらく継続しますが、Matrixがメインの場となりました。

詳細とMatrixルームの一覧はこちら：https://github.com/fedify-dev/fedify/discussions/573（英文）

저희 커뮤니티를 Discord에서 Matrix로 조금씩 이전하고 있습니다. 메인테이너와 기여자들은 이미 Matrix로 옮긴 상태라, 앞으로는 Matrix 쪽이 응답이 더 빠를 거예요. Discord는 당분간 유지되지만, Matrix가 이제 메인 거점입니다.

자세한 내용과 Matrix 룸 목록은 여기서 확인하세요: https://github.com/fedify-dev/fedify/discussions/573.

We're gradually moving our community from Discord to Matrix. The maintainers and contributors are already there, so you'll get faster responses on Matrix going forward. Discord will stay up for a while, but Matrix is now our primary home.

For the full details and the list of Matrix rooms, see: https://github.com/fedify-dev/fedify/discussions/573.

Heh, heh. Tonight I stumbled upon a hidden little feature in Fedify's CLI.

If you run `fedify nodeinfo mastodon.social -b` you get a cute little ascii art representation of the instance's logo.

Happy to see a bit of fun mixed into these fedi tools!

@fedify #ActivityPub #Fediverse