Fedify: ActivityPub server framework

🎉 Excited to announce that #Fedify is now on Open Collective! Support the project's development starting at:

• Backer (from $5/mo)
• Supporter (from $25/mo)
• Sponsor (from $100/mo)
• Corporate Sponsor (from $500/mo)
• Custom donations welcome

Your support will help us maintain and improve Fedify. Check it out here:

https://opencollective.com/fedify

#OpenCollective #support #backing #sponsor #donation

Fedify is an #ActivityPub server framework in #TypeScript & #JavaScript. It aims to eliminate the complexity and redundant boilerplate code when building a federated server app, so that you can focus on your business logic and user experience.

The key features it provides currently are:

• Type-safe objects for Activity Vocabulary (including some vendor-specific extensions)
• #WebFinger client and server
• HTTP Signatures & Linked Data Signatures & Object Integrity Proofs
• Middleware for handling webhooks
• #NodeInfo protocol
• #Node.js, #Deno, and #Bun support
• CLI toolchain for testing and debugging

If you're curious, take a look at the #Fedify website! There's comprehensive docs, a demo, a tutorial, example code, and more:

https://fedify.dev/

This is great - @fedify has launched an @opencollective to help sustain the project. This is a great library and framework that is helping many other projects grow into the #fediverse. Shout-out to @hongminhee! (also to @liaizon for posting about it as well)

https://opencollective.com/fedify

Today @fedify launched an @opencollective to support the project.
@hongminhee has been doing amazing work on it. Fedify has shown itself to be one of the most promising ways for other projects to become part of the #fediverse. If you liked seeing Ghost (@index) make such fast progress bringing in potentially thousands (millions?) of blogs and newsletters to the fediverse, this is what they are using behind the scenes! So lets support this project together!
https://opencollective.com/fedify

🎉 Excited to announce that #Fedify is now on Open Collective! Support the project's development starting at:

• Backer (from $5/mo)
• Supporter (from $25/mo)
• Sponsor (from $100/mo)
• Corporate Sponsor (from $500/mo)
• Custom donations welcome

Your support will help us maintain and improve Fedify. Check it out here:

https://opencollective.com/fedify

#OpenCollective #support #backing #sponsor #donation

We've just set up our sponsors showcase! You can now find our wonderful sponsors:

• On our website: https://unstable.fedify.dev/sponsors
• In our README.md: https://github.com/fedify-dev/fedify?tab=readme-ov-file#sponsors
• In our SPONSORS.md: https://github.com/fedify-dev/fedify/blob/main/SPONSORS.md

These pages are automatically updated every hour. Thank you to all our sponsors for supporting #Fedify's development!

Want to be listed? Support us on Open Collective: https://opencollective.com/fedify.

FediAuth、apsigが地味に未完成 (ActorのJSON-LDの問題もあるだろうけどFedify Inboxでの検証が通らない)なのでFedify使うことを検討中​​

I've just contributed to Fedify. Consider supporting them too — every little helps! https://opencollective.com/fedify

I've just contributed to Fedify. Consider supporting them too — every little helps! https://opencollective.com/fedify

♥️

https://mastodon.social/@dansup/113910607674823618

Thank you so much, @dansup! Really appreciate your support! Your work in the fediverse community has been inspiring, and having you as our first supporter means a lot.

https://mastodon.social/@dansup/113910607674823618

🎉 Excited to announce that #Fedify is now on Open Collective! Support the project's development starting at:

• Backer (from $5/mo)
• Supporter (from $25/mo)
• Sponsor (from $100/mo)
• Corporate Sponsor (from $500/mo)
• Custom donations welcome

Your support will help us maintain and improve Fedify. Check it out here:

https://opencollective.com/fedify

#OpenCollective #support #backing #sponsor #donation

Valtteri Laitinen (@valtlai) managed to get #Fedify running on #Cloudflare Workers!

#CloudflareWorkers #fedidev #ActivityPub

https://fedi.valtlai.fi/@valtlai/113906145660141267

We've just moved the #Fedify project and related repositories to our new GitHub organization account, @fedify-dev! 🎉

Here's what moved:

• @dahlia/fedify → @fedify-dev/fedify
• @dahlia/botkit → @fedify-dev/botkit
• @dahlia/hollo → @fedify-dev/hollo
• @dahlia/fedify-amqp → @fedify-dev/amqp
• @dahlia/fedify-h3 → @fedify-dev/h3
• @dahlia/fedify-express → @fedify-dev/express
• @dahlia/fedify-postgres → @fedify-dev/postgres
• @dahlia/fedify-redis → @fedify-dev/redis
• @dahlia/markdown-it-hashtag → @fedify-dev/markdown-it-hashtag
• @dahlia/markdown-it-mention → @fedify-dev/markdown-it-mention
• @dahlia/fedichatbot → @fedify-dev/fedichatbot
• @dahlia/microblog → @fedify-dev/microblog

All repositories have been transferred and GitHub's automatic redirects are in place, so existing links will continue to work. Also, the project's core functionality and development process remain unchanged.

Thanks to everyone who participated in our naming poll. Looking forward to Fedify's continued growth under its new organizational home!

New GitHub organization: https://github.com/fedify-dev.

We've just moved the #Fedify project and related repositories to our new GitHub organization account, @fedify-dev! 🎉

Here's what moved:

• @dahlia/fedify → @fedify-dev/fedify
• @dahlia/botkit → @fedify-dev/botkit
• @dahlia/hollo → @fedify-dev/hollo
• @dahlia/fedify-amqp → @fedify-dev/amqp
• @dahlia/fedify-h3 → @fedify-dev/h3
• @dahlia/fedify-express → @fedify-dev/express
• @dahlia/fedify-postgres → @fedify-dev/postgres
• @dahlia/fedify-redis → @fedify-dev/redis
• @dahlia/markdown-it-hashtag → @fedify-dev/markdown-it-hashtag
• @dahlia/markdown-it-mention → @fedify-dev/markdown-it-mention
• @dahlia/fedichatbot → @fedify-dev/fedichatbot
• @dahlia/microblog → @fedify-dev/microblog

All repositories have been transferred and GitHub's automatic redirects are in place, so existing links will continue to work. Also, the project's core functionality and development process remain unchanged.

Thanks to everyone who participated in our naming poll. Looking forward to Fedify's continued growth under its new organizational home!

New GitHub organization: https://github.com/fedify-dev.

@sash Here is our answer!

https://hollo.social/@fedify/0194a1d2-65ba-73f2-960d-82f322cf7e25

@dkruythoff @daniel

We appreciate the thoughtful suggestions about moving Fedify to platforms like Codeberg that better align with the federation ideals our project upholds. These suggestions raise important points about corporate centralization and the broader FOSS ecosystem that we've carefully considered.

After thorough deliberation, we plan to keep Fedify's primary repository on GitHub for the foreseeable future. This decision stems from several practical considerations:

First, we aim to make Fedify as accessible as possible to potential contributors. While platforms like Codeberg represent important alternatives, GitHub remains the platform most developers are familiar with, particularly in the JavaScript/TypeScript ecosystem where Fedify operates.

Second, GitHub currently provides significant visibility benefits that help us reach more developers who could benefit from or contribute to Fedify. As a relatively new project, this broader reach is particularly valuable for building our community.

Additionally, our package registry JSR's provenance attestation feature, which we rely on for security guarantees, currently only supports GitHub Actions integration. This technical dependency would make migration particularly challenging at this time.

However, we recognize the value in supporting more decentralized platforms. As a middle ground, we are considering setting up a mirror repository on Codeberg. This would provide an alternative access point while maintaining our GitHub presence.

We're committed to regularly reassessing this position as the ecosystem evolves and as alternative platforms continue to mature.

@dkruythoff @daniel

We appreciate the thoughtful suggestions about moving Fedify to platforms like Codeberg that better align with the federation ideals our project upholds. These suggestions raise important points about corporate centralization and the broader FOSS ecosystem that we've carefully considered.

After thorough deliberation, we plan to keep Fedify's primary repository on GitHub for the foreseeable future. This decision stems from several practical considerations:

First, we aim to make Fedify as accessible as possible to potential contributors. While platforms like Codeberg represent important alternatives, GitHub remains the platform most developers are familiar with, particularly in the JavaScript/TypeScript ecosystem where Fedify operates.

Second, GitHub currently provides significant visibility benefits that help us reach more developers who could benefit from or contribute to Fedify. As a relatively new project, this broader reach is particularly valuable for building our community.

Additionally, our package registry JSR's provenance attestation feature, which we rely on for security guarantees, currently only supports GitHub Actions integration. This technical dependency would make migration particularly challenging at this time.

However, we recognize the value in supporting more decentralized platforms. As a middle ground, we are considering setting up a mirror repository on Codeberg. This would provide an alternative access point while maintaining our GitHub presence.

We're committed to regularly reassessing this position as the ecosystem evolves and as alternative platforms continue to mature.

Okay, since we couldn't get in touch with the @fedify account owner, we need a new name for our GitHub organization. Which alternative do you prefer?

Your suggestions for other names are welcome in the comments! We'll make the final decision based on your feedback.

#Fedify already uses the #Temporal API exclusively for representing temporal data.

https://developer.mozilla.org/en-US/blog/javascript-temporal-is-coming/

The Date is dead, long live the Temporal!

https://developer.mozilla.org/en-US/blog/javascript-temporal-is-coming/

Here's a quick update on our GitHub organization plans: GitHub support has informed us they no longer process inactive username requests. We'll try reaching out to the current owner of @fedify account to see if we can work something out.

We'll keep you posted on how this goes! 🤞

We're planning to move our GitHub repository to an organization account for better project management. We've requested GitHub support to help us acquire the inactive @fedify username for this purpose. (The attached screenshot is our formal request to GitHub support.)

If we successfully acquire @fedify, that will be our new organization name. If not, we'll choose an alternative name. We'll keep you updated on the progress!

In any case, we'll ensure a smooth transition with proper redirects from the current repository. Stay tuned for updates!

If you'd like to support the development of @fedify or @hollo or @botkit, you can sponsor me on GitHub!

https://github.com/sponsors/dahlia

#ActivityPub #fedidev #Fedify #Hollo #BotKit #sponsor

If you are a #fediverse admin running libraries on #Fedify keep an eye on this: https://nvd.nist.gov/vuln/detail/CVE-2025-23221

FedifyのWebFinger実装における脆弱性CVE-2025-23221に対するセキュリティアップデート（1.0.14、1.1.11、1.2.11、1.3.4）をリリースいたしました。すべてのユーザー様におかれましては、お使いのバージョンに応じた最新版への速やかなアップデートを推奨いたします。

脆弱性の詳細

セキュリティ研究者により、FedifyのlookupWebFinger()関数において以下のセキュリティ上の問題が発見されました：

• 無限リダイレクトループによるサービス拒否攻撃（DoS）の可能性
• プライベートネットワークアドレスへのリダイレクトを利用したSSRF（サーバーサイドリクエストフォージェリ）攻撃の可能性
• リダイレクト操作による意図しないURLスキームへのアクセスの可能性

修正されたバージョン

• 1.3.xシリーズ：1.3.4へアップデート
• 1.2.xシリーズ：1.2.11へアップデート
• 1.1.xシリーズ：1.1.11へアップデート
• 1.0.xシリーズ：1.0.14へアップデート

変更内容

本セキュリティアップデートでは、以下の修正が実施されました：

1. 無限リダイレクトループを防ぐため、最大リダイレクト回数（5回）の制限を導入
2. 元のリクエストと同じスキーム（HTTP/HTTPS）のみにリダイレクトを制限
3. SSRFを防止するため、プライベートネットワークアドレスへのリダイレクトをブロック

アップデート方法

以下のコマンドで最新のセキュアバージョンにアップデートできます：

# npmユーザーの場合
npm update @fedify/fedify

# Denoユーザーの場合
deno add jsr:@fedify/fedify

この脆弱性を責任を持って報告していただいたセキュリティ研究者の方に感謝申し上げます。迅速な対応が可能となりました。

本脆弱性の詳細については、セキュリティ勧告をご参照ください。

ご質問やご懸念がございましたら、GitHub Discussions、Matrixチャットスペース、またはDiscordサーバーまでお気軽にご連絡ください。

#Fedify #WebFinger #セキュリティ #脆弱性 #DoS #SSRF

#Fedify 프레임워크의 #WebFinger 구현에서 발견된 보안 취약점 CVE-2025-23221을 해결하기 위한 보안 업데이트(1.0.14, 1.1.11, 1.2.11, 1.3.4)를 배포했습니다. 모든 사용자께서는 각자 사용 중인 버전에 해당하는 최신 버전으로 즉시 업데이트하시기를 권장합니다.

취약점 내용

보안 연구자가 Fedify의 lookupWebFinger() 함수에서 다음과 같은 보안 문제점들을 발견했습니다:

• 무한 리다이렉트 루프를 통한 서비스 거부 공격 가능
• 내부 네트워크 주소로의 리다이렉트를 통한 SSRF (서버측 요청 위조) 공격 가능
• 리다이렉트 조작을 통한 의도하지 않은 URL 스킴 접근 가능

수정된 버전

• 1.3.x 시리즈: 1.3.4로 업데이트
• 1.2.x 시리즈: 1.2.11로 업데이트
• 1.1.x 시리즈: 1.1.11로 업데이트
• 1.0.x 시리즈: 1.0.14로 업데이트

변경 사항

이번 보안 업데이트에는 다음과 같은 수정 사항이 포함되어 있습니다:

1. 무한 리다이렉트 루프를 방지하기 위해 최대 리다이렉트 횟수 제한(5회) 도입
2. 원래 요청과 동일한 스킴(HTTP/HTTPS)으로만 리다이렉트 허용하도록 제한
3. SSRF 공격 방지를 위해 내부 네트워크 주소로의 리다이렉트 차단

업데이트 방법

다음 명령어로 최신 보안 버전으로 업데이트하실 수 있습니다:

# npm 사용자의 경우
npm update @fedify/fedify

# Deno 사용자의 경우
deno add jsr:@fedify/fedify

이 취약점을 책임감 있게 보고해 주신 보안 연구자께 감사드립니다. 덕분에 신속하게 문제를 해결할 수 있었습니다.

이 취약점에 대한 자세한 내용은 보안 권고문을 참고해 주시기 바랍니다.

문의 사항이나 우려 사항이 있으시다면 GitHub Discussions나 Matrix 채팅방, 또는 Discord 서버를 통해 언제든 연락해 주시기 바랍니다.

#보안 #보안패치 #취약점 #SSRF

We have released #security updates (1.0.14, 1.1.11, 1.2.11, 1.3.4) to address CVE-2025-23221, a #vulnerability in #Fedify's #WebFinger implementation. We recommend all users update to the latest version of their respective release series immediately.

The Vulnerability

A security researcher identified multiple security issues in Fedify's lookupWebFinger() function that could be exploited to:

• Perform denial of service attacks through infinite redirect loops
• Execute server-side request forgery (#SSRF) attacks via redirects to private network addresses
• Access unintended URL schemes through redirect manipulation

Fixed Versions

• 1.3.x series: Update to 1.3.4
• 1.2.x series: Update to 1.2.11
• 1.1.x series: Update to 1.1.11
• 1.0.x series: Update to 1.0.14

Changes

The security updates implement the following fixes:

1. Added a maximum redirect limit (5) to prevent infinite redirect loops
2. Restricted redirects to only follow the same scheme as the original request (HTTP/HTTPS)
3. Blocked redirects to private network addresses to prevent SSRF attacks

How to Update

To update to the latest secure version:

# For npm users
npm update @fedify/fedify

# For Deno users
deno add jsr:@fedify/fedify

We thank the security researcher who responsibly disclosed this vulnerability, allowing us to address these issues promptly.

For more details about this vulnerability, please refer to our security advisory.

If you have any questions or concerns, please don't hesitate to reach out through our GitHub Discussions, join our Matrix chat space, or our Discord server.

自分だけのActivityPubを作りたいけど、何から始めれば良いのか分からないですか？Fedifyの公式チュートリアル「自分だけのフェディバースのマイクロブログを作ろう！」を読んでみてください！

#ActivityPub #Fedify

자신만의 #ActivityPub 구현을 하고 싶지만, 어디서 시작해야 할지 모르겠나요? #Fedify 공식 튜토리얼인 〈나만의 연합우주 마이크로블로그 만들기〉를 읽고 따라해 보세요!

Want to build your own #ActivityPub implementation, but don't know where to start? Read and follow #Fedify's official tutorial, Creating your own federated microblog, and get started!

スタンドアロンのActivityPubボットを作成するためのTypeScriptフレームワーク、BotKitを発表します！

一般的なMastodonボットとは異なり、BotKitで作成したボットは、プラットフォームの制約なく完全に独立して動作するFediverseボットです。シンプルで直感的なAPIにより、TypeScriptファイル1つでボットを作成できます。

現在はDenoのみの対応で、今後Node.jsとBunのサポートも予定しています。堅牢なFedifyをベースに開発されています。

https://botkit.fedify.dev/