@hongminhee@hollo.social
1,079 following1,890 followers
An intersectionalist, feminist, and socialist living in Seoul (UTC+09:00). @tokolovesme's spouse. Who's behind @fedify, @hollo, and @botkit. Write some free software in #TypeScript, #Haskell, #Rust, & #Python. They/them.
서울에 사는 交叉女性主義者이자 社會主義者. 金剛兔(@tokolovesme)의 配偶者. @fedify, @hollo, @botkit 메인테이너. #TypeScript, #Haskell, #Rust, #Python 等으로 自由 소프트웨어 만듦.
If you believe in the #Fediverse :
- post here
- bring your friends and family here
- tell companies, governments and creators to be here
- pay for your instance
- pay for your software
Do one thing every day. The Fediverse is worth fighting for.
@yeokbo Mastodon과 Bluesky 사이에서 고민하게 되는 요인들로 어떤 것들이 있으신가요? 페디버스 개발자로서 의견이 궁금합니다!
@burly Yeah, fair read. “Winning path” was a bad phrase. I meant path of least resistance: if the easiest thing is always to write Node.js-compatible code, there's not much reason for a Deno-native package culture to form. Nobody loses; it just never gets built.
@tychi Both Deno and Node.js run on V8, and V8 is C++, so Rust doesn't really distinguish them at the engine level. If you want a Rust-native JavaScript stack, Andromeda is probably closer: it runs on Nova, a JavaScript engine written in Rust rather than V8. Still experimental, but that's the tradeoff when you step off the compatibility treadmill.
tryandromeda.dev
Andromeda - Rust-powered JavaScript and TypeScript runtime
Deno 2.8.0 is out. The compatibility work is real: the #Node.js test suite pass rate jumped from 42% to 76.4%, deno install is now a drop-in for npm install, lib.node is included by default, and setTimeout() now returns a NodeJS.Timeout instead of a number. None of that is irrational on its own. Put it together, though, and #Deno starts looking less like an alternative to Node.js and more like a cleaner way to run Node.js-shaped code.
It reminds me of OS/2's Win32 compatibility layer. IBM offered it so developers wouldn't have to choose, but the effect was the opposite: people kept writing Windows apps, and OS/2-native software never got a reason to exist. The closer Deno gets to Node.js, the less reason anyone has to think about whether their code is Deno-aware. Maybe that helps adoption. I just don't see how a Deno-native package culture survives if the winning path is “pretend it's npm.”
deno.com
`import defer`, six new subcommands (`deno transpile`, `deno pack`, `deno bump-version`, `deno ci`, `deno why`, `deno audit fix`), network debugging in Chrome DevTools, framework-aware `deno compile`, and 3.66x faster cold npm installs.
I did it. #Smithereen 1.0 is officially out now. Only took me 6.5 years from an idea to something I can proudly call a stable release.
If you use BotKit, update to a patched release now. CVE-2026-42462 affects Fedify's Linked Data Signature handling, and BotKit inherits the exposure through its dependency on Fedify.
The vulnerability allows an attacker to use JSON-LD graph-restructuring features—specifically @graph, @included, and @reverse—to reshape a signed ActivityPub activity without invalidating its Linked Data Signature. This can cause BotKit (via Fedify) to interpret a different ActivityPub object shape than was originally signed. The fix normalizes Linked Data Signature-verified activities against Fedify's local JSON-LD context before interpreting them, and rejects the JSON-LD constructs that enable the attack.
All versions of BotKit up to 0.3.2 (in the 0.3.x branch) and 0.4.1 (in the 0.4.x branch) are affected. Patched releases are 0.3.3 and 0.4.2.
For BotKit 0.4.x, update @fedify/botkit:
npm update @fedify/botkit
yarn upgrade @fedify/botkit
pnpm update @fedify/botkit
bun update @fedify/botkit
deno update @fedify/botkitFor BotKit 0.3.x, update @fedify/botkit:
npm update @fedify/botkit@0.3.3
yarn upgrade @fedify/botkit@0.3.3
pnpm update @fedify/botkit@0.3.3
bun update @fedify/botkit@0.3.3
deno update @fedify/botkit@0.3.3If you use other BotKit-related packages (e.g., @fedify/botkit-postgres), update them as well. After updating, redeploy.
The CVE ID is CVE-2026-42462. See also fedify-dev/fedify#773 for Fedify's own announcement.
Thanks to @Claire for the report and responsible disclosure.
If anything is unclear, feel free to ask on GitHub Discussions or Matrix.
matrix.to
You're invited to talk on Matrix
夕飯で焼肉食べた
羽田空港に到着!
Anyone else in the fediverse who does fieldwork in #linguistics ? #languages #language #indigenouslanguages #minoritylanguages (if you have suggestions for hashtags that will help me find other field linguists, please add them in a comment to this toot)
Working on adding support in Ghost for custom web domain for your handle so that (eg) I can be `@john@onolan.org` rather than `@john@john.onolan.org`
Lots of people run Ghost instances on subdomains, so think this will be helpful!
This is now live! If you have an old social web profile with followers that you want to move over to Ghost, that now works.
Find it under Network → Preferences → Account Migration
Set up an account alias pointing to your old handle, then initiate an account move on your old profile.
今は金浦から羽田に行く飛行機の中…
If you run Hollo, update to a patched release now. CVE-2026-42462 affects Fedify's Linked Data Signature handling, and Hollo depends on Fedify for ActivityPub federation.
Fedify verifies incoming ActivityPub activities with several mechanisms, including HTTP Signatures, Object Integrity Proofs, and Linked Data Signatures. The vulnerable path is Linked Data Signatures: the signature is checked over the canonical RDF graph, but JSON-LD can represent the same graph in more than one JSON shape. In affected versions, that gap could let a signed activity be reshaped so that Fedify reads a different ActivityPub object shape than intended—without invalidating the signature.
The fix makes Fedify normalize Linked Data Signature-verified activities against its local JSON-LD context before interpreting them, and rejects JSON-LD constructs that can preserve the signed RDF graph while changing the ActivityPub object shape. For full technical details of the underlying vulnerability, see the Fedify security announcement.
All Hollo versions up to and including 0.7.16, 0.8.5, and 0.9.0 are affected. Patched releases are 0.7.17 for the 0.7.x series, 0.8.6 for the 0.8.x series, and 0.9.1 for the 0.9.x series.
For 0.7.x deployments, update to 0.7.17:
docker pull ghcr.io/fedify-dev/hollo:0.7.17For 0.8.x deployments, update to 0.8.6:
docker pull ghcr.io/fedify-dev/hollo:0.8.6For 0.9.x deployments, update to 0.9.1:
docker pull ghcr.io/fedify-dev/hollo:0.9.1After pulling the new image, restart your Hollo container. If you deploy from source, pull the corresponding release tag and restart.
Thanks to @Claire for the report and responsible disclosure to the Fedify project.
If anything is unclear, ask below.
Released on May 21, 2026. Upgraded Fedify to 2.2.3 to fix a security vulnerability in Linked Data Signature verification that could allow certain signed activities to be interpreted differently th...
If you use Fedify, update to a patched release now. CVE-2026-42462 affects Fedify's Linked Data Signature handling. An attacker could use JSON-LD graph-restructuring features to change how a signed activity is interpreted without invalidating its Linked Data Signature.
Fedify verifies incoming ActivityPub activities with several mechanisms, including HTTP Signatures, Object Integrity Proofs, and Linked Data Signatures. The vulnerable path is Linked Data Signatures: the signature is checked over the canonical RDF graph, but JSON-LD can represent the same graph in more than one JSON shape. In affected versions, that gap could let a signed activity be reshaped so that Fedify reads a different ActivityPub object shape than intended.
The fix makes Fedify normalize Linked Data Signature-verified activities against Fedify's local JSON-LD context before interpreting them, and rejects JSON-LD constructs that can preserve the signed RDF graph while changing the ActivityPub object shape consumed by Fedify.
Patched releases are 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3. The GitHub Security Advisory is GHSA-9rfg-v8g9-9367, and the CVE ID is CVE-2026-42462.
Update @fedify/fedify:
npm update @fedify/fedify
yarn upgrade @fedify/fedify
pnpm update @fedify/fedify
bun update @fedify/fedify
deno update @fedify/fedifyAfter updating, redeploy. If you run other Fedify-based servers, update those too.
Thanks to @Claire for the report and responsible disclosure.
If anything is unclear, ask below.
github.com
As told on Discord earlier, multiple projects are affected, and we would like to coordinate. For now, we are aiming at a May 6th release date, but this is not set in stone yet. ### Summary An...
@kakkokari_gtyih もしやるとしたら、の話ですが――もともとはフォークを作る方向で考えていました。アップストリームには受け入れてもらいにくいだろうと思っていたので。でもそういう反応が出てくると、少し違う可能性も見えてきますね。
仮にBunのZig→Rust移植みたいにLLMエージェントで大規模に書き換えるなら、フェデレーション周りの統合テストがある程度揃っていないと怖いなとも思っています。
@hongminhee@hollo.social これ、個人的には実は割とありなのではと思っていたりします
@liaizon What do you mean by “pending”? Are you talking about a quote post being pending? Usually, it should be approved within a minute.
@hollo releases a new major version update, 0.90. Too many changes to hit in a single post! Skimming, the most notable to users will be the switch from Pico CSS (my weekend hobbyist fave) to Uno CSS. At least in screenshots, the new UI is taking on a polished look.
Planning to upgrade, but need to review this a bit more before flipping the switch.
github.com
Hollo is a single-user, headless ActivityPub server. It exposes a Mastodon-compatible API with no built-in frontend, so you can connect any Mastodon client of your choice. It's built on Fedify and ...
Hollo 0.9.0 is out. https://github.com/fedify-dev/hollo/discussions/496
The biggest change this release is a complete redesign of every server-rendered page. Pico CSS is replaced by a new design system built on UnoCSS, and your chosen theme color now tints your profile and dashboard pages throughout.
Other highlights:
QuoteRequest/Accept/Reject federation, quote policy enforcement, and dereferenceable QuoteAuthorization objectsMEDIA_PROXY=proxy or cache) that re-serves remote avatars, attachments, and preview images from Hollo's own originHANDLE_HOST + WEB_ORIGINThere were also several serious database performance fixes: profile page queries that were taking hundreds of seconds on cold caches, a NodeInfo endpoint doing a full table scan on every request, and a handful of timeline pagination bugs.
Public profile for 洪 民憙 (Hong Minhee) with a bookstore header image, circular avatar, follower and following counts, bio, custom fields including website and GitHub links, and a pinned post card below
The “Edit @hongminhee” admin page showing the new Hollo design: profile image upload areas for avatar and header, identity fields for display name and bio, custom fields table with label-value pairs, privacy checkboxes, a 20-swatch theme color picker with orange selected, and a “Save changes” button
The HTTP 'Link' response header can be a way of letting you create small-net type HTML (as a document) without CSS — while letting you add style using CSS, and even change it (without editing the HTML file).
Ex:
Link: <https://example.com/styles.css>; rel=preload; as=style, <https://example.com/styles.css>; rel=stylesheet
@evan Thanks!
@stefan Thanks!
今週の金土に李在烈さん(@kodingwarrior)と一緒にTSKaigi 2026に参加します。参加される方はいらっしゃいますか?
n-kaiwai.work
表紙ゆめかわすぎ‼️:hearteyes: https://nextpublishing.jp/book/19496.html (📎1)
This quote was not authorized by the quoted post's author.
今週の金土に李在烈さん(@kodingwarrior)と一緒にTSKaigi 2026に参加します。参加される方はいらっしゃいますか?
みんなHollo使おうぜ!!!!!!!!!!!!!!
@DoomHammerNG I guess you could buy an e-book copy?