洪 民憙 (Hong Minhee)

Hollo security updates: 0.7.17, 0.8.6, and 0.9.1

If you run Hollo, update to a patched release now. CVE-2026-42462 affects Fedify's Linked Data Signature handling, and Hollo depends on Fedify for ActivityPub federation.

Fedify verifies incoming ActivityPub activities with several mechanisms, including HTTP Signatures, Object Integrity Proofs, and Linked Data Signatures. The vulnerable path is Linked Data Signatures: the signature is checked over the canonical RDF graph, but JSON-LD can represent the same graph in more than one JSON shape. In affected versions, that gap could let a signed activity be reshaped so that Fedify reads a different ActivityPub object shape than intended—without invalidating the signature.

The fix makes Fedify normalize Linked Data Signature-verified activities against its local JSON-LD context before interpreting them, and rejects JSON-LD constructs that can preserve the signed RDF graph while changing the ActivityPub object shape. For full technical details of the underlying vulnerability, see the Fedify security announcement.

All Hollo versions up to and including 0.7.16, 0.8.5, and 0.9.0 are affected. Patched releases are 0.7.17 for the 0.7.x series, 0.8.6 for the 0.8.x series, and 0.9.1 for the 0.9.x series.

For 0.7.x deployments, update to 0.7.17:

docker pull ghcr.io/fedify-dev/hollo:0.7.17

For 0.8.x deployments, update to 0.8.6:

docker pull ghcr.io/fedify-dev/hollo:0.8.6

For 0.9.x deployments, update to 0.9.1:

docker pull ghcr.io/fedify-dev/hollo:0.9.1

After pulling the new image, restart your Hollo container. If you deploy from source, pull the corresponding release tag and restart.

Thanks to @Claire for the report and responsible disclosure to the Fedify project.

If anything is unclear, ask below.

Fedify security updates: 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3

If you use Fedify, update to a patched release now. CVE-2026-42462 affects Fedify's Linked Data Signature handling. An attacker could use JSON-LD graph-restructuring features to change how a signed activity is interpreted without invalidating its Linked Data Signature.

Fedify verifies incoming ActivityPub activities with several mechanisms, including HTTP Signatures, Object Integrity Proofs, and Linked Data Signatures. The vulnerable path is Linked Data Signatures: the signature is checked over the canonical RDF graph, but JSON-LD can represent the same graph in more than one JSON shape. In affected versions, that gap could let a signed activity be reshaped so that Fedify reads a different ActivityPub object shape than intended.

The fix makes Fedify normalize Linked Data Signature-verified activities against Fedify's local JSON-LD context before interpreting them, and rejects JSON-LD constructs that can preserve the signed RDF graph while changing the ActivityPub object shape consumed by Fedify.

Patched releases are 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3. The GitHub Security Advisory is GHSA-9rfg-v8g9-9367, and the CVE ID is CVE-2026-42462.

Update @fedify/fedify:

npm  update  @fedify/fedify
yarn upgrade @fedify/fedify
pnpm update  @fedify/fedify
bun  update  @fedify/fedify
deno update  @fedify/fedify

After updating, redeploy. If you run other Fedify-based servers, update those too.

Thanks to @Claire for the report and responsible disclosure.

If anything is unclear, ask below.

@kakkokari_gtyih もしやるとしたら、の話ですが――もともとはフォークを作る方向で考えていました。アップストリームには受け入れてもらいにくいだろうと思っていたので。でもそういう反応が出てくると、少し違う可能性も見えてきますね。

仮にBunのZig→Rust移植みたいにLLMエージェントで大規模に書き換えるなら、フェデレーション周りの統合テストがある程度揃っていないと怖いなとも思っています。

@hongminhee@hollo.social これ、個人的には実は割とありなのではと思っていたりします

@liaizon What do you mean by “pending”? Are you talking about a quote post being pending? Usually, it should be approved within a minute.

@hollo releases a new major version update, 0.90. Too many changes to hit in a single post! Skimming, the most notable to users will be the switch from Pico CSS (my weekend hobbyist fave) to Uno CSS. At least in screenshots, the new UI is taking on a polished look.

Planning to upgrade, but need to review this a bit more before flipping the switch.

https://github.com/fedify-dev/hollo/discussions/496

#FediDev #ActivityPub

Hollo 0.9.0 is out. https://github.com/fedify-dev/hollo/discussions/496

The biggest change this release is a complete redesign of every server-rendered page. Pico CSS is replaced by a new design system built on UnoCSS, and your chosen theme color now tints your profile and dashboard pages throughout.

Other highlights:

• Passkey (WebAuthn) authentication: sign in with a biometric or PIN gesture, which counts as MFA so there's no separate TOTP step
• Full FEP-044f quote authorization: QuoteRequest/Accept/Reject federation, quote policy enforcement, and dereferenceable QuoteAuthorization objects
• A configurable media proxy (MEDIA_PROXY=proxy or cache) that re-serves remote avatars, attachments, and preview images from Hollo's own origin
• Optional split-domain WebFinger via HANDLE_HOST + WEB_ORIGIN
• Public followers/following pages and per-post reaction list pages (likes, boosts, emoji reactions, quotes)

There were also several serious database performance fixes: profile page queries that were taking hundreds of seconds on cold caches, a NodeInfo endpoint doing a full table scan on every request, and a handful of timeline pagination bugs.

#Hollo #ActivityPub #Fediverse

The HTTP 'Link' response header can be a way of letting you create small-net type HTML (as a document) without CSS — while letting you add style using CSS, and even change it (without editing the HTML file).

Ex:

Link: <https://example.com/styles.css>; rel=preload; as=style, <https://example.com/styles.css>; rel=stylesheet

#html #http #smallNet #smallWeb #smolNet #smolWeb

@evan Thanks!

@stefan Thanks!

今週の金土に李在烈さん（@kodingwarrior）と一緒にTSKaigi 2026に参加します。参加される方はいらっしゃいますか？

Type out the code https://lobste.rs/s/zotppg #programming
https://haskellforall.com/2026/05/type-out-the-code

今週の金土に李在烈さん（@kodingwarrior）と一緒にTSKaigi 2026に参加します。参加される方はいらっしゃいますか？

みんなHollo使おうぜ！！！！！！！！！！！！！！

@DoomHammerNG I guess you could buy an e-book copy?

@mistheart Thanks!

@raisondetredev Thanks!

@NIGHTEN Thank you!

@JonasJRichter Thanks!

@_elena Thanks! Yeah, this kawaii cover would be one of its selling points!

This is the CUTEST kawaii Ai-chan (藍(あい)"Ai" is a normal female Japanese name meaning "Indigo" both the color and the plant; "Ai"-chan, the mascot of Misskey, has nothing to do with Large Language Models) I have ever seen from a technical literature titled like "Practical Fedify: An Introduction to ActivityPub Microblog Development"! I even see other mascots in the Fediverse too, like Don the Mastodon and that Blue Dinosaur mascot of Fedify (I don't know its name).
Huge thanks to @hongminhee@hollo.social https://hollo.social/@hongminhee for their work on authoring this amazing book and developing Fedify itself! And if you can read Japanese and are interested in Fedify and ActivityPub Development, then definitely check this one out! You can pre-order the book on Amazon Japan → https://amzn.asia/d/0hQSKBmI #Fedify (The book will be printed on May 22)

日本で世界初のFedifyの書籍「実践Fedify——ActivityPubマイクロブログ開発入門」が出版されました。この本は私にとって初めての著書でもありますが、最初の本が母語の韓国語ではなく日本語だというのは、なんだかとても不思議な気分ですね。本書は、英語で書かれたFedifyの公式チュートリアル「Creating your own federated microblog」をベースに、様々な加筆を行ったものです。Fedifyのマスコットの恐竜と、Misskeyのマスコットである三須木（みすき） 藍（あい）、Mastodonのマスコットが一緒に描かれた可愛い表紙のイラストは、ゆめつきママさんが描いてくださいました。電子書籍と紙の書籍の両方で、来る22日にインプレス NextPublishingから出版される予定です。

The world's first Fedify book, Practical Fedify: Introduction to ActivityPub Microblog Development (実践Fedify——ActivityPubマイクロブログ開発入門), has been published in Japan. This is also the first book I have ever published, and it feels quite surreal that my first book is in Japanese rather than my native language, Korean. This book is an expanded version based on the official English Fedify tutorial, Creating your own federated microblog, with various additions. Yumetsuki Mama (ゆめつきママ) worked on the cute book cover illustration, which features the Fedify dinosaur mascot, Misskey's mascot Ai-chan, and the Mastodon mascot together. It is scheduled to be published in both e-book and print formats on the 22nd by Impress NextPublishing. See also the Amazon Japan.

お、洪民憙さんの本でてるじゃん。

みんなActivityPubの自力実装で挫折するぐらいなら、この本を買ってFedify組み込んで開発するといいよ。

実践Fedify　ActivityPubマイクロブログ開発入門
https://nextpublishing.jp/book/19496.html

分散型ソーシャルネットワークの仕組みを理解しよう！ 『実践Fedify　ActivityPubマイクロブログ開発入門』発行 技術の泉シリーズ、5月の新刊
https://prtimes.jp/main/html/rd/p/000007383.000005875.html

#prtimes #プレスリリース #ニュースリリース #配信 #サイト #サービス #方法 #代行 #PR_TIMES

실천 Fedify

- 일단 대표로 아이 쨩(미스키 마스코트)가 대문짝만한게 그려져있음 (귀여워)
- 마스토돈도 뒤에 그려져있음
- 한국이 아니라 일본임
- 저자 이름이 가타카나로 홍민희가 아니라 한자 그대로 써있음

https://hackers.pub/@hongminhee/019e3e78-8dbe-7973-b625-8bb50a098a63

일본에서 제가 쓴 Fedify 책 〈실천 Fedify: ActivityPub 마이크로블로그 개발 입문〉(実践Fedify——ActivityPubマイクロブログ開発入門)이 나왔어요! 정식 출판된 책은 처음 써보는데, 그게 한국어가 아니라 일본어라는 게 뭔가 신기하네요…!

출판사 페이지: https://nextpublishing.jp/book/19496.html
Amazon Japan: https://amzn.asia/d/0hA3KTeQ

RE: https://fedibird.com/@noellabo/116599256677289467