洪 民憙 (Hong Minhee) :nonbinary:

@hongminhee@hollo.social · 991 following · 1377 followers

An intersectionalist, feminist, and socialist living in Seoul (UTC+09:00). @tokolovesme's spouse. Who's behind @fedify, @hollo, and @botkit. Write some free software in , , , & . They/them.

An intersectional feminist and socialist living in Seoul. Spouse of 金剛兔 (@tokolovesme). Maintainer of @fedify, @hollo, and @botkit. Makes free software in , , , etc.

洪 民憙 (Hong Minhee) :nonbinary:

@hongminhee@hollo.social · Reply to marius's post

@mariusor Fair point! To clarify: FediChatBot is just a tech demo for @botkit, the ActivityPub bot framework I've been building. BotKit itself has nothing to do with LLMs—it's for creating any kind of fediverse bot (weather bots, notification bots, RSS feeds, etc.). I just happened to use an LLM for the demo since it makes for an interactive example. Not advocating for AI integration in the fediverse, just showcasing what the framework can do.

洪 民憙 (Hong Minhee) :nonbinary:

@hongminhee@hollo.social

Hey @FediChatBot, what LLM are you based on?

Hollo :hollo:

@hollo@hollo.social · Reply to Hollo :hollo:'s post

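Security Update: Hollo 0.6.19 Released

We have released Hollo 0.6.19, which addresses a security vulnerability in Fedify's HTML parsing code.

This vulnerability (CVE-2025-68475) is a ReDoS (Regular Expression Denial of Service) issue: an attacker could cause a service outage by sending a specially crafted HTML response during federation operations. The malicious payload is small (approximately 170 bytes), but it can block the Node.js event loop for a long time.

We strongly recommend that all Hollo operators upgrade to version 0.6.19 immediately.

| Item | Details |
| --- | --- |
| CVE | CVE-2025-68475 |
| Severity | High (CVSS 7.5) |
| Action | Upgrade to Hollo 0.6.19 |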

Hollo :hollo:

@hollo@hollo.social · Reply to Hollo :hollo:'s post

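Security Update: Hollo 0.6.19 Released

We have released Hollo 0.6.19, which fixes a security vulnerability found in Fedify's HTML parsing code.

This vulnerability (CVE-2025-68475) is a ReDoS (Regular Expression Denial of Service) issue: an attacker could cause a service outage by sending a specially crafted HTML response during federation operations. The malicious payload is small (approximately 170 bytes), but it can block the Node.js event loop for a long time.

We strongly recommend that all Hollo operators upgrade to version 0.6.19 immediately.

| Item | Details |
| --- | --- |
| CVE | CVE-2025-68475 |
| Severity | High (CVSS 7.5) |
| Action | Upgrade to Hollo 0.6.19 |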

Hollo :hollo:

@hollo@hollo.social

Security Update: Hollo 0.6.19 Released

We have released Hollo 0.6.19 to address a security vulnerability in Fedify's HTML parsing code.

This vulnerability (CVE-2025-68475) is a ReDoS (Regular Expression Denial of Service) issue that could allow an attacker to cause service unavailability by sending specially crafted HTML responses during federation operations. The malicious payload is small (approximately 170 bytes) but can block the Node.js event loop for extended periods.

We strongly recommend all Hollo operators upgrade to version 0.6.19 immediately.

| Field | Details |
| --- | --- |
| CVE | CVE-2025-68475 |
| Severity | High (CVSS 7.5) |
| Action | Upgrade to Hollo 0.6.19 |

Fedify: ActivityPub server framework

@fedify@hollo.social

🚨 Security Advisory: CVE-2025-68475

A ReDoS (Regular Expression Denial of Service) vulnerability has been discovered in Fedify's HTML parsing code. This vulnerability could allow a malicious federated server to cause denial of service by sending specially crafted HTML responses.

| | |
| --- | --- |
| CVE ID | CVE-2025-68475 |
| Severity | High (CVSS 7.5) |
| Affected versions | ≤1.9.1 |
| Patched versions | 1.6.13, 1.7.14, 1.8.15, 1.9.2 |

If you're running Fedify in production, please upgrade to one of the patched versions immediately.

For full details, see the security advisory: https://github.com/fedify-dev/fedify/security/advisories/GHSA-rchf-xwx2-hm93

Thank you to Yue (Knox) Liu for responsibly reporting this vulnerability.

洪 民憙 (Hong Minhee) :nonbinary:

@hongminhee@hollo.social · Reply to Kaito's post

@kai Haha, your friend Su is right! Nowadays, many Koreans (especially the younger generations) don't use hanja in their daily lives, and some don't even know how to write their own names in hanja. I'm a bit of an outlier for displaying it on my profile—I just happen to like how it looks and the meaning it carries! 😊

洪 民憙 (Hong Minhee) :nonbinary:

@hongminhee@hollo.social · Reply to Bart Louwers's post

@bart Spot on. The vendor lock-in is exactly what's holding me back from moving to Codeberg. It's frustrating that standard security features like OIDC publishing are becoming a golden cage that keeps us tied to big platforms. I'd love to see npm support OIDC from Forgejo/Gitea, but it feels like we're still a long way from a truly forge-agnostic ecosystem. 2FA tokens for life, I guess? 🥲

洪 民憙 (Hong Minhee) :nonbinary:

@hongminhee@hollo.social

Is it just me, or is 's trusted publishing unnecessarily rigid? Only one workflow filename allowed per package. It's like they never imagined a project having multiple release branches or evolving CI structures. Moving from build.yaml to publish.yaml shouldn't be this annoying. 😩

洪 民憙 (Hong Minhee)

@hongminhee@hackers.pub

Calling all developers for help: I'm currently trying to implement a () feature for Hackers' Pub, an -enabled community for software engineers. Is there a formal specification for how cross-instance reporting should work in ActivityPub? Or, is there any well-documented material that explains how the major implementations handle it?

洪 民憙 (Hong Minhee) :nonbinary:

@hongminhee@hollo.social

This weekend I absolutely have to book my flight to Brussels ()…

洪 民憙 (Hong Minhee) :nonbinary:

@hongminhee@hollo.social

When I was young, I really liked Pokémon, but after I became interested in animal rights as an adult, Pokémon battles started to remind me of abusive customs like dogfighting or cockfighting, so it's untenable to like them as much as I used to. 😔

洪 民憙 (Hong Minhee) :nonbinary:

@hongminhee@hollo.social · Reply to 3A29, raspberry pi in a fox's post

@3a29 That's a very logical and objective approach. I appreciate the careful consideration before making any assumptions!

洪 民憙 (Hong Minhee) :nonbinary:

@hongminhee@hollo.social · Reply to Ian Wagner's post

@ianthetechie Haha, I guess I have an old soul vibe! 😂 You're right—it's definitely rare for my generation to use hanja as a display name. I just personally love the aesthetics and the history behind it. The Japanese posts definitely add another layer to the puzzle!

Hoshino Lina (星乃リナ) 🩵 3D Yuri Wedding 2026!!!

@lina@vt.social

I was wondering when browsers started calling the UI "chrome" (it's not a Google thing!)

Amazingly, the Firefox (then Mozilla) commit that introduced the "chrome" tree into the source code dates back to Sep 4, 1998... which is also the same day Google was founded!

github.com/mozilla-firefox/fir

Edit: Netscape used the term much earlier though! Not as much in filenames, but in the actual source code it's all over the place.

洪 民憙 (Hong Minhee) :nonbinary:

@hongminhee@hollo.social · Reply to Ryan Finnie's post

@ryan You're not technically wrong! It's written in Chinese characters, but it's a very common way to write Korean names (we call it hanja). It's tricky because we mostly use hangul now. Good luck with your next round of hangul learning—it really is a logical system!

洪 民憙 (Hong Minhee) :nonbinary:

@hongminhee@hollo.social

To non-CJK language speakers: What do you think when you see my name written in Chinese characters?

| Option | Voters |
| --- | --- |
| Oh, they must be Chinese! | 35 (31%) |
| Oh, they must be East Asian! | 34 (30%) |
| Oh, maybe they're Korean? | 6 (5%) |
| I don't think anything. I just read the romanized spelling in the parentheses. | 38 (34%) |

洪 民憙 (Hong Minhee) :nonbinary:

@hongminhee@hollo.social

I have to release a new version of Hollo before 2025 ends…‼️

Cadu Silva :v_alt:

@cadusilva@bolha.one

:fediverse: Fediverse equivalents

The most popular are these ones for writing short posts:

- Twitter → Mastodon
- Twitter → GoToSocial
- Twitter → Sharkey
- Twitter → Snac
- Twitter → Hollo
- Twitter → Akkoma

Yes, there's no shortage of alternatives for microblogging. But there's more:

- Instagram → Pixelfed
- Facebook → Friendica
- Reddit → Lemmy
- Reddit → kBin
- YouTube → PeerTube
- WordPress → WordPress with the ActivityPub plugin
- Blogger → WriteFreely

No ads, trackers, algorithms, or wicked billionaires behind them. Just people voluntarily hosting these services for the community.

洪 民憙 (Hong Minhee) :nonbinary:

@hongminhee@hollo.social · Reply to Maho 🦝🍻's post

@mapache It probably depends on the dependencies?

If the app relies on external services like PostgreSQL or Redis, Docker images with Helm charts or Docker Compose configs might make sense—they bundle the complexity nicely.

For standalone apps, system packages (deb/rpm) would be nice in theory, but I imagine maintaining packages for multiple distros is quite a bit of work. Maybe a practical middle ground could be: provide packages for the major families (RedHat + Debian) and offer a single-file executable as a fallback for everyone else?

Personally, I tend to avoid install scripts when possible—they feel less transparent to me, though I understand others might feel differently.

Maho 🦝🍻

@mapache@hachyderm.io

Fediverse friends and acquaintances:
when self-hosting a service, what do you prefer?

I need your help to improve the developer experience (DevX) of .

| Option | Voters |
| --- | --- |
| native binaries on your Linux box | 63 (18%) |
| Docker containers | 134 (39%) |
| system packages (apt/dnf/pacman) | 131 (38%) |
| scripts that install everything, idc what | 17 (5%) |

ploum

@ploum@mamot.fr

Just had the realization that my lost post could be summarized as:

"I’m a TCP person in a UDP world"

ploum.net/2025-12-15-communica

洪 民憙 (Hong Minhee) :nonbinary:

@hongminhee@hollo.social

Still sticking with Pino? Give LogTape a try!

洪 民憙 (Hong Minhee) :nonbinary:

@hongminhee@hollo.social · Reply to 洪 民憙 (Hong Minhee) :nonbinary:'s post

I'm having red sea bream pasta for lunch at a restaurant called MACHIKADO in Ebisu.

[Images: red sea bream pasta; muscat soda]

洪 民憙 (Hong Minhee) :nonbinary:

@hongminhee@hollo.social · Reply to 洪 民憙 (Hong Minhee) :nonbinary:'s post

I'm eating crêpes at a shop called 繁邦 in Ebisu.

[Images: pear soda; sugar butter crêpe]

Deno

@deno_land@fosstodon.org

Deno v2.6.2 will ship with a major improvement to the debugger - Web workers, `node:worker_threads` and stopping in any test file will now be supported!

This will work in both VS Code and Chrome DevTools.

PRs for the curious:
github.com/denoland/deno/pull/

ploum

@ploum@mamot.fr

Mozilla has a new CEO who:

- Has been at Mozilla for less than a year
- Has no prior open source experience (but well in "fintech" and "real estate")
- Has an MBA (aka "brainworm diploma")
- Is all-in on AI

That’s exactly the kind of bingo profile the whole community has been waiting for.

洪 民憙 (Hong Minhee) :nonbinary:

@hongminhee@hollo.social

As someone who's been mass-mass-publishing to JSR since its early days, this has been really frustrating. I even set up a local JSR server to debug it, only to find that the problem simply doesn't exist locally. At this point I'm out of ideas—hoping the JSR team can take a look at the production environment.

https://hollo.social/@fedify/019b2806-9b0b-7982-bad6-eb17c669af4d

Fedify: ActivityPub server framework

@fedify@hollo.social

We've been struggling with a JSR publishing issue for nearly two months now—@fedify/cli and @fedify/testing packages hang indefinitely during the server-side processing stage, blocking our releases. Strangely, the problem doesn't reproduce on a local JSR server at all.

We've opened a GitHub issue to track this: https://github.com/jsr-io/jsr/issues/1238.

Fedify has been a Deno-first, JSR-first project from the start, and we really want to keep it that way. If you've experienced similar issues or have any insights, we'd appreciate your input on the issue.

Maho 🦝🍻

@mapache@hachyderm.io

Ok, hotels, flights, trains, and one extra family fun day were booked. See you next year at !

fosdem.org/2026/schedule/event
