洪 民憙 (Hong Minhee) :nonbinary:

@hongminhee@hollo.social

1,079 following · 1,890 followers

An intersectionalist, feminist, and socialist living in Seoul (UTC+09:00). @tokolovesme's spouse. Who's behind @fedify, @hollo, and @botkit. Write some free software in , , , & . They/them.

An intersectional feminist and socialist living in Seoul. Spouse of 金剛兔 (@tokolovesme). Maintainer of @fedify, @hollo, and @botkit. Makes free software in , , , etc.

Pinned

@hongminhee@hollo.social

Hello! I'm Hong Minhee (洪 民憙), an open source software engineer in my late 30s, living in Seoul, Korea. I'm bisexual and non-binary (they/them), and an enthusiastic advocate of free/open source software and the fediverse.

I work full-time on @fedify, an ActivityPub server framework in TypeScript, funded by @sovtechfund. I'm also the creator of @hollo, a single-user ActivityPub microblog; @botkit, an ActivityPub bot framework; Hackers' Pub, a fediverse platform for software developers; and LogTape, a logging library for JavaScript and TypeScript.

I have a long interest in East Asian languages (CJK) and Unicode. I post mostly in English here, though occasionally in Japanese or in mixed-script Korean (國漢文混用體), a traditional writing style that interleaves Chinese characters with the native Korean alphabet. Wanting to write in that style was actually one of the reasons I joined the fediverse. Feel free to talk to me in English, Korean, Japanese, or even Literary Chinese!

en.wikipedia.org

Korean mixed script - Wikipedia

Pinned

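Nice to meet you! I'm Hong Minhee (洪 民憙), an open source software engineer in my late 30s living in Seoul. I'm bisexual and non-binary, and an enthusiastic supporter of free/open source software (F/OSS) and the fediverse.

With support from STF (@sovtechfund), I work full-time on developing @fedify, an ActivityPub server framework for TypeScript. I'm also the creator of @hollo, a single-user ActivityPub microblog; @botkit, an ActivityPub bot framework; Hackers' Pub, a fediverse platform for software developers; and LogTape, a logging library for JavaScript and TypeScript, among others.

I'm also interested in East Asian languages (so-called CJK) and Unicode. On this account I post mainly in English, but I sometimes write in Japanese or in mixed-script Korean (writing that mixes Chinese characters and hangul). In fact, wanting to write in that style is how I came to start using the fediverse. Feel free to talk to me in Japanese, English, Korean, or even Literary Chinese!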

speakerdeck.com

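From Korean mixed script to Hollo

This talk shares a journey that began with a small goal: wanting to implement Korean "mixed script" (writing that mixes Chinese characters and hangul) in my own fediverse posts. To achieve this goal, the need to understand the complexity of ActivityPub's JSON-LD and specifications such as HTTP Signatures and WebFinger…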

Pinned

Hello! I'm Hong Minhee (洪民憙), an open source software engineer in my late 30s living in Seoul. I'm bisexual and non-binary, and also an enthusiastic supporter of free/open source software (F/OSS) and the fediverse.

With support from STF (@sovtechfund), I work full-time on developing @fedify, an ActivityPub server framework for TypeScript. I'm also the creator of @hollo, a single-user ActivityPub microblog; @botkit, an ActivityPub bot framework; Hackers' Pub, a fediverse platform for software developers; and LogTape, a logging library for JavaScript and TypeScript, among others.

I'm also very interested in East Asian languages (so-called CJK) and Unicode. On this account I post mainly in English, but occasionally I also write in Japanese or in mixed-script Korean (國漢文混用體). One of the reasons I came to the fediverse was precisely that I wanted to write in mixed script. Feel free to talk to me in Korean, English, Japanese, or even Literary Chinese!

logtape.org

LogTape

Unobtrusive logging library with zero dependencies—library-first design for Deno, Node.js, Bun, browsers, and edge functions

@evan@cosocial.ca

If you believe in the :

- post here
- bring your friends and family here
- tell companies, governments and creators to post here
- pay for your instance
- pay for your software

Do one thing every day. The Fediverse is worth fighting for.

@hongminhee@hollo.social · Reply to burly

@burly Yeah, fair read. “Winning path” was a bad phrase. I meant path of least resistance: if the easiest thing is always to write Node.js-compatible code, there's not much reason for a Deno-native package culture to form. Nobody loses; it just never gets built.

@hongminhee@hollo.social · Reply to definitely just a musician

@tychi Both Deno and Node.js run on V8, and V8 is C++, so Rust doesn't really distinguish them at the engine level. If you want a Rust-native JavaScript stack, Andromeda is probably closer: it runs on Nova, a JavaScript engine written in Rust rather than V8. Still experimental, but that's the tradeoff when you step off the compatibility treadmill.

tryandromeda.dev

Andromeda

Andromeda - Rust-powered JavaScript and TypeScript runtime

@hongminhee@hollo.social

Deno 2.8.0 is out. The compatibility work is real: the .js test suite pass rate jumped from 42% to 76.4%, deno install is now a drop-in for npm install, lib.node is included by default, and setTimeout() now returns a NodeJS.Timeout instead of a number. None of that is irrational on its own. Put it together, though, and starts looking less like an alternative to Node.js and more like a cleaner way to run Node.js-shaped code.

It reminds me of OS/2's Win32 compatibility layer. IBM offered it so developers wouldn't have to choose, but the effect was the opposite: people kept writing Windows apps, and OS/2-native software never got a reason to exist. The closer Deno gets to Node.js, the less reason anyone has to think about whether their code is Deno-aware. Maybe that helps adoption. I just don't see how a Deno-native package culture survives if the winning path is “pretend it's npm.”

deno.com

Deno 2.8 | Deno

`import defer`, six new subcommands (`deno transpile`, `deno pack`, `deno bump-version`, `deno ci`, `deno why`, `deno audit fix`), network debugging in Chrome DevTools, framework-aware `deno compile`, and 3.66x faster cold npm installs.

@grishka@mastodon.social

I did it. 1.0 is officially out now. Only took me 6.5 years from an idea to something I can proudly call a stable release.

@botkit@hollo.social

BotKit security updates: 0.3.3 and 0.4.2

If you use BotKit, update to a patched release now. CVE-2026-42462 affects Fedify's Linked Data Signature handling, and BotKit inherits the exposure through its dependency on Fedify.

The vulnerability allows an attacker to use JSON-LD graph-restructuring features—specifically @graph, @included, and @reverse—to reshape a signed ActivityPub activity without invalidating its Linked Data Signature. This can cause BotKit (via Fedify) to interpret a different ActivityPub object shape than was originally signed. The fix normalizes Linked Data Signature-verified activities against Fedify's local JSON-LD context before interpreting them, and rejects the JSON-LD constructs that enable the attack.

All versions of BotKit up to 0.3.2 (in the 0.3.x branch) and 0.4.1 (in the 0.4.x branch) are affected. Patched releases are 0.3.3 and 0.4.2.

For BotKit 0.4.x, update @fedify/botkit:

npm  update  @fedify/botkit
yarn upgrade @fedify/botkit
pnpm update  @fedify/botkit
bun  update  @fedify/botkit
deno update  @fedify/botkit

For BotKit 0.3.x, update @fedify/botkit:

npm  update  @fedify/botkit@0.3.3
yarn upgrade @fedify/botkit@0.3.3
pnpm update  @fedify/botkit@0.3.3
bun  update  @fedify/botkit@0.3.3
deno update  @fedify/botkit@0.3.3

If you use other BotKit-related packages (e.g., @fedify/botkit-postgres), update them as well. After updating, redeploy.

The CVE ID is CVE-2026-42462. See also fedify-dev/fedify#773 for Fedify's own announcement.

Thanks to @Claire for the report and responsible disclosure.

If anything is unclear, feel free to ask on GitHub Discussions or Matrix.

matrix.to

You're invited to talk on Matrix

@tirr@mitir.social

JSON-LD is kind of like XML... in that building a safe, spec-compliant parser is hell...

@john@john.onolan.org

Working on adding support in Ghost for custom web domain for your handle so that (eg) I can be `@john@onolan.org` rather than `@john@john.onolan.org`

Lots of people run Ghost instances on subdomains, so think this will be helpful!

@john@john.onolan.org

This is now live! If you have an old social web profile with followers that you want to move over to Ghost, that now works.

Find it under Network → Preferences → Account Migration

Set up an account alias pointing to your old handle, then initiate an account move on your old profile.

@hollo@hollo.social

Hollo security updates: 0.7.17, 0.8.6, and 0.9.1

If you run Hollo, update to a patched release now. CVE-2026-42462 affects Fedify's Linked Data Signature handling, and Hollo depends on Fedify for ActivityPub federation.

Fedify verifies incoming ActivityPub activities with several mechanisms, including HTTP Signatures, Object Integrity Proofs, and Linked Data Signatures. The vulnerable path is Linked Data Signatures: the signature is checked over the canonical RDF graph, but JSON-LD can represent the same graph in more than one JSON shape. In affected versions, that gap could let a signed activity be reshaped so that Fedify reads a different ActivityPub object shape than intended—without invalidating the signature.

The fix makes Fedify normalize Linked Data Signature-verified activities against its local JSON-LD context before interpreting them, and rejects JSON-LD constructs that can preserve the signed RDF graph while changing the ActivityPub object shape. For full technical details of the underlying vulnerability, see the Fedify security announcement.

All Hollo versions up to and including 0.7.16, 0.8.5, and 0.9.0 are affected. Patched releases are 0.7.17 for the 0.7.x series, 0.8.6 for the 0.8.x series, and 0.9.1 for the 0.9.x series.

For 0.7.x deployments, update to 0.7.17:

docker pull ghcr.io/fedify-dev/hollo:0.7.17

For 0.8.x deployments, update to 0.8.6:

docker pull ghcr.io/fedify-dev/hollo:0.8.6

For 0.9.x deployments, update to 0.9.1:

docker pull ghcr.io/fedify-dev/hollo:0.9.1

After pulling the new image, restart your Hollo container. If you deploy from source, pull the corresponding release tag and restart.

Thanks to @Claire for the report and responsible disclosure to the Fedify project.

If anything is unclear, ask below.

Release Hollo 0.9.1 · fedify-dev/hollo

Released on May 21, 2026. Upgraded Fedify to 2.2.3 to fix a security vulnerability in Linked Data Signature verification that could allow certain signed activities to be interpreted differently th...

Fedify security updates: 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3

If you use Fedify, update to a patched release now. CVE-2026-42462 affects Fedify's Linked Data Signature handling. An attacker could use JSON-LD graph-restructuring features to change how a signed activity is interpreted without invalidating its Linked Data Signature.

Fedify verifies incoming ActivityPub activities with several mechanisms, including HTTP Signatures, Object Integrity Proofs, and Linked Data Signatures. The vulnerable path is Linked Data Signatures: the signature is checked over the canonical RDF graph, but JSON-LD can represent the same graph in more than one JSON shape. In affected versions, that gap could let a signed activity be reshaped so that Fedify reads a different ActivityPub object shape than intended.

The fix makes Fedify normalize Linked Data Signature-verified activities against Fedify's local JSON-LD context before interpreting them, and rejects JSON-LD constructs that can preserve the signed RDF graph while changing the ActivityPub object shape consumed by Fedify.

Patched releases are 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3. The GitHub Security Advisory is GHSA-9rfg-v8g9-9367, and the CVE ID is CVE-2026-42462.

Update @fedify/fedify:

npm  update  @fedify/fedify
yarn upgrade @fedify/fedify
pnpm update  @fedify/fedify
bun  update  @fedify/fedify
deno update  @fedify/fedify

After updating, redeploy. If you run other Fedify-based servers, update those too.

Thanks to @Claire for the report and responsible disclosure.

If anything is unclear, ask below.

github.com

Linked Data Signature Bypass via JSON-LD Named-Graph Restructuring

As told on Discord earlier, multiple projects are affected, and we would like to coordinate. For now, we are aiming at a May 6th release date, but this is not set in stone yet. ### Summary An...
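The Fedify, Hollo and BotKit announcements above say the fix rejects the JSON-LD constructs that enable the reshaping: `@graph`, `@included` and `@reverse`. As an added example (not Fedify's code and not part of these posts), this TypeScript pre-filter reports where those keywords appear in a received document; it goes beyond the posts by also catching inline `@context` terms that alias them. `findRestructuring`, `collectAliases` and the sample documents are hypothetical.

```typescript
// Added example (not Fedify's code): report the JSON-LD constructs named in the
// advisory, including inline-context aliases for them. Names are hypothetical.
type Json = null | boolean | number | string | Json[] | { [key: string]: Json };
interface Finding { path: string; keyword: string; via: "literal" | "alias" }
const RESTRUCTURING = new Set(["@graph", "@included", "@reverse"]);
const isObject = (v: Json | undefined): v is { [key: string]: Json } =>
  typeof v === "object" && v !== null && !Array.isArray(v);

// Record terms that an inline @context maps onto a restructuring keyword:
// a keyword alias ("bundle": "@graph") or a reverse-property definition.
function collectAliases(ctx: Json | undefined, aliases: Map<string, string>): void {
  if (Array.isArray(ctx)) {
    for (const c of ctx) collectAliases(c, aliases);
  } else if (isObject(ctx)) {
    for (const [term, def] of Object.entries(ctx)) {
      const target = isObject(def) ? def["@id"] : def;
      if (typeof target === "string" && RESTRUCTURING.has(target)) aliases.set(term, target);
      else if (isObject(def) && "@reverse" in def) aliases.set(term, "@reverse");
    }
  } // a string is a remote context URL, which this offline check cannot inspect
}

function findRestructuring(node: Json, path = "$", inherited = new Map<string, string>()): Finding[] {
  const findings: Finding[] = [];
  if (Array.isArray(node)) {
    node.forEach((v, i) => findings.push(...findRestructuring(v, `${path}[${i}]`, inherited)));
  } else if (isObject(node)) {
    const aliases = new Map(inherited); // context definitions are scoped to this subtree
    collectAliases(node["@context"], aliases);
    for (const [key, value] of Object.entries(node)) {
      if (key === "@context") continue; // definitions were handled above
      const keyword = RESTRUCTURING.has(key) ? key : aliases.get(key);
      const via = keyword === key ? "literal" : "alias";
      if (keyword !== undefined) findings.push({ path: `${path}.${key}`, keyword, via });
      findings.push(...findRestructuring(value, `${path}.${key}`, aliases));
    }
  }
  return findings;
}

// Constructed samples, not taken from the advisory.
const AS = "https://www.w3.org/ns/activitystreams";
const clean: Json = { "@context": AS, type: "Create", object: { type: "Note", content: "hi" } };
const flagged: Json = {
  "@context": [AS, { bundle: "@graph", parentOf: { "@reverse": "https://example.com/ns#child" } }],
  type: "Create",
  bundle: [{ type: "Note", "@included": [] }],
  object: { parentOf: "https://example.com/notes/1" },
};
console.log(findRestructuring(clean).length, findRestructuring(flagged));
```

A check like this cannot see aliases defined in remote contexts, which is why the announced fix also normalizes the document against a local JSON-LD context.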

@hongminhee@hollo.social · Reply to (仮)

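@kakkokari_gtyih This is only a hypothetical, if I were to do it, but I was originally thinking in the direction of making a fork, because I figured upstream would be unlikely to accept it. But when reactions like that come up, a slightly different possibility comes into view.

If it were to be rewritten at scale with LLM agents, like Bun's Zig→Rust port, I also think it would be scary unless integration tests around federation are in place to some degree.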

@box464@mastodon.social

@hollo releases a new major version update, 0.90. Too many changes to hit in a single post! Skimming, the most notable to users will be the switch from Pico CSS (my weekend hobbyist fave) to Uno CSS. At least in screenshots, the new UI is taking on a polished look.

Planning to upgrade, but need to review this a bit more before flipping the switch.

github.com/fedify-dev/hollo/di

github.com

Hollo 0.9.0: Redesigned UI, passkey authentication, FEP-044f quote authorization, and major performance improvements · fedify-dev/hollo · Discussion #496

Hollo is a single-user, headless ActivityPub server. It exposes a Mastodon-compatible API with no built-in frontend, so you can connect any Mastodon client of your choice. It's built on Fedify and ...

@hollo@hollo.social

Hollo 0.9.0 is out. https://github.com/fedify-dev/hollo/discussions/496

The biggest change this release is a complete redesign of every server-rendered page. Pico CSS is replaced by a new design system built on UnoCSS, and your chosen theme color now tints your profile and dashboard pages throughout.

Other highlights:

  • Passkey (WebAuthn) authentication: sign in with a biometric or PIN gesture, which counts as MFA so there's no separate TOTP step
  • Full FEP-044f quote authorization: QuoteRequest/Accept/Reject federation, quote policy enforcement, and dereferenceable QuoteAuthorization objects
  • A configurable media proxy (MEDIA_PROXY=proxy or cache) that re-serves remote avatars, attachments, and preview images from Hollo's own origin
  • Optional split-domain WebFinger via HANDLE_HOST + WEB_ORIGIN
  • Public followers/following pages and per-post reaction list pages (likes, boosts, emoji reactions, quotes)

There were also several serious database performance fixes: profile page queries that were taking hundreds of seconds on cold caches, a NodeInfo endpoint doing a full table scan on every request, and a handful of timeline pagination bugs.

Public profile for 洪 民憙 (Hong Minhee) with a bookstore header image, circular avatar, follower and following counts, bio, custom fields including website and GitHub links, and a pinned post card below

The “Edit @hongminhee” admin page showing the new Hollo design: profile image upload areas for avatar and header, identity fields for display name and bio, custom fields table with label-value pairs, privacy checkboxes, a 20-swatch theme color picker with orange selected, and a “Save changes” button

@ntek@hl.oyasumi.dev

Everyone, let's use Hollo!!!!!!!!!!!!!!