洪 民憙 (Hong Minhee)

Hello, I'm an open source software engineer in my late 30s living in #Seoul, #Korea, and an avid advocate of #FLOSS and the #fediverse.

I'm the creator of @fedify, an #ActivityPub server framework in #TypeScript, @hollo, an ActivityPub-enabled microblogging software for single users, and @botkit, a simple ActivityPub bot framework.

I'm also very interested in East Asian languages (so-called #CJK) and #Unicode. Feel free to talk to me in #English, #Korean (#한국어), or #Japanese (#日本語), or even in Literary Chinese (#文言文, #漢文)!

#introduction

安寧(안녕)하세요, 저는 서울에 살고 있는 30代(대) 後半(후반) 오픈 소스 소프트웨어 엔지니어이며, 自由(자유)·오픈 소스 소프트웨어와 聯合宇宙(연합우주)(fediverse)의 熱烈(열렬)한 支持者(지지자)입니다.

저는 TypeScript用(용) ActivityPub 서버 프레임워크인 @fedify 프로젝트와 싱글 유저用(용) ActivityPub 마이크로블로그인 @hollo 프로젝트와 ActivityPub 봇 프레임워크인 @botkit 프로젝트의 製作者(제작자)이기도 합니다.

저는 東(동)아시아 言語(언어)(이른바 #CJK)와 유니코드에도 關心(관심)이 많습니다. 聯合宇宙(연합우주)에서는 國漢文混用體(국한문 혼용체)를 쓰고 있어요! 제게 韓國語(한국어)나 英語(영어), 日本語(일본어)로 말을 걸어주세요. (아니면, 漢文(한문)으로도!)

#툿친소 #연친소 #별친소

こんにちは、私はソウルに住んでいる30代後半のオープンソースソフトウェアエンジニアで、自由・オープンソースソフトウェアとフェディバースの熱烈な支持者です。名前は洪 民憙（ホン・ミンヒ）です。

私はTypeScript用のActivityPubサーバーフレームワークである「@fedify」と、ActivityPubをサポートする1人用マイクロブログである 「@hollo」と、ActivityPubのボットを作成する為のシンプルなフレームワークである「@botkit」の作者でもあります。

私は東アジア言語（いわゆるCJK）とUnicodeにも興味が多いです。日本語、英語、韓国語で話しかけてください。（または、漢文でも！）

#自己紹介

We have released #security updates (1.0.14, 1.1.11, 1.2.11, 1.3.4) to address CVE-2025-23221, a #vulnerability in #Fedify's #WebFinger implementation. We recommend all users update to the latest version of their respective release series immediately.

The Vulnerability

A security researcher identified multiple security issues in Fedify's lookupWebFinger() function that could be exploited to:

• Perform denial of service attacks through infinite redirect loops
• Execute server-side request forgery (#SSRF) attacks via redirects to private network addresses
• Access unintended URL schemes through redirect manipulation

Fixed Versions

• 1.3.x series: Update to 1.3.4
• 1.2.x series: Update to 1.2.11
• 1.1.x series: Update to 1.1.11
• 1.0.x series: Update to 1.0.14

Changes

The security updates implement the following fixes:

1. Added a maximum redirect limit (5) to prevent infinite redirect loops
2. Restricted redirects to only follow the same scheme as the original request (HTTP/HTTPS)
3. Blocked redirects to private network addresses to prevent SSRF attacks

How to Update

To update to the latest secure version:

# For npm users
npm update @fedify/fedify

# For Deno users
deno add jsr:@fedify/fedify

We thank the security researcher who responsibly disclosed this vulnerability, allowing us to address these issues promptly.

For more details about this vulnerability, please refer to our security advisory.

If you have any questions or concerns, please don't hesitate to reach out through our GitHub Discussions, join our Matrix chat space, or our Discord server.

Holloちょっとおもしろそうねのだ
https://docs.hollo.social/ja/

@mina Corporations love to use military terms, and I also find them quite gross. I don't want to be part of the task force, and sit in the war room.

Stop trying to overcompensate and get that broomstick out of your arse.

＞BT
その場でAccept/Rejectを決められない場合がありそうなので、2番目に投票した（followRequestをどこかに保存しておき、後でAccept/Rejectを呼び出すイメージ）。1番目だとその場で決めなければならない。

@dansup I'm trying to fetch Activity Streams objects from pixelfed.social, but it always respond with an HTML even if I make a request with Accept: application/activity+json. Am I wrong something?

$ curl -H 'Accept: application/activity+json' https://pixelfed.social/users/dansup
<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8" />
        <meta http-equiv="refresh" content="0;url='https://pixelfed.social/dansup'" />

        <title>Redirecting to https://pixelfed.social/dansup</title>
    </head>
    <body>
        Redirecting to <a href="https://pixelfed.social/dansup">https://pixelfed.social/dansup</a>.
    </body>
</html>

We are designing an API to support manual accept/reject of follow requests in #BotKit. Which of the below two approaches seems better?

Returning true or false in the onFollow event

bot.onFollow = async (session, follower) => {
  // Accept follows requests from non-bot accounts:
  return follower instanceof Person;
};

Accepting a followRequest object as the third parameter in the onFollow event and calling the accept() or reject() method

bot.onFollow = async (session, follower, followRequest) => {
  // Accept follows requests from non-bot accounts:
  if (follower instanceof Person) await followRequest.accept();
  else await followRequest.reject();
};

お昼ご飯で辛いトマト拉麺！

Want to build your own #ActivityPub implementation, but don't know where to start? Read and follow #Fedify's official tutorial, Creating your own federated microblog, and get started!

@cheeaun That's unintended! I'm looking into it!

Go Namhyeon (@gnh1201), the creator of WelsonJS, a JavaScript runtime for building Windows apps, is doing an interesting experiment: he's making ChatGPT create the modules you need on the fly so that you can import them by typing the ai:// prefix and a prompt in the require() function. Mind blowing! 🤯

https://catswords.social/@gnh1201/113858087694221466

@cheeaun

1. Follow requests are automatically approved. I have a plan to let BotKit support manual approval as well.
2. That would be definitely useful! I'm going to implement it too!

라이브러리 찾을 필요 없이, JavaScript require 함수에 바로 ChatGPT를 연결하여, 라이브러리 처럼 활용할 수 있게 해봤다.

잘됨.

@dampuzakura Denoで使いやすいORM（までではないかもしれませんが）としてはKyselyが有ります。

예전부터 생각하는건데 문제가 있음에도 불구하고 재밌으면 그만이라는 그 감성이 너무너무 유해하다고 생각함… 도덕성을 따지는 건 어찌보면 피곤할 수도 있다. 나는 재밌는 것을 그저 즐기고 싶은데 그게 잘못 되었다는 소리를 들으면 기분 나쁘거나 무시하고 싶어지는 것이다. 근데 그럼에도 불구하고 우리는 계속 체크를 해봐야한다. 완전무결한 도덕성은 없을지라도 그쪽으로 나아가려는 노력이라도 끊임없이 해야하지 않을까. 내가 당사자인데 재밌다는 이유로 내 아픔을 사람들이 헤아려주지 않는다면 너무 슬플 것 같다.

디씨인사이드와 일간베스트 등지는 단순히 '인셀 골탕먹이기'를 위해서가 아니라, 그동안 수많은 혐오 선동과 가짜 정보들을 제재하긴커녕 그런 똥덩어리들로 배를 채운 운영자들을 (이미 한참 늦었지만) 벌하기 위해, 그리고 그들이 부당하게 취한 이득을 작살내기 위해 폐쇄되어야 한다.

@dampuzakura Drizzle ORMをお勧めします！

내란수괴와 가담자들 혐의, 한 페이지에 총정리 [그래픽]

https://n.news.naver.com/article/028/0002727426

나이스한 정리

@cheeaun No such feature is available yet, but if you need it I will implement it!

@cheeaun Yeah, your bot will get its followers and posts lost. 😅

〈景福宮(경복궁) 周邊(주변) 파봤더니 高麗時代(고려시대) 遺物(유물)이 줄줄이?〉

https://www.hani.co.kr/arti/culture/culture_general/1178650.html

@cheeaun You can easily swap the storage by replacing the kv option of createBot() function!

Starting with BotKit v0.1.0-dev.43+82e564fe, it allows your bot to follow and unfollow others!

@cheeaun Federation would be okay again if read units limit will reset next month. 🤔

Fly.io offers Postgres and SQLite, and BotKit can utilize @fedify/postgres driver.

@cheeaun Oh no, the capacity for Deno KV provided by Deno Deploy's free plan is smaller than I expected. I'm not sure what will happen if you reach the capacity limit, but if errors occur, the federation will probably be disrupted. 🤔

Perhaps it is necessary to change the standard deployment option of BotKit from Deno Deploy to another platform such as Fly.io.

Misskey.ioはMisskey最大のフォーク（本家と違う別バージョン）なので、Misskeyの動作検証は別のところでした方がいいよね。

You will need a Pixelfed but single-user, like forking Hollo (for the backend) for its ease of installation and its lightness and Phanpy (for the frontend) by improving the view for the images a little.

#Hollo #Pixelfed #Fediverse

구트위터(현x) 하면서 맛돈은 개인서버라 믿을 수 없어서 못하겠다느니 한 사람들은 지금 일론머스크가 사용자 dm 퍼날해서 공개한 건에 대해서 무슨 생각을 하고 있을지 궁금해짐. 어떻게 받아들이고 있으려나? 그런데 굳이 알고 싶지는 않은 마음도 있다. 뭐… 힘내십셔.

My wife (@tokolovesme) bought me Wallace & Gromit merchandise for my love of Wallace & Gromit!

私も微力ながら『Thinking Penguin Magazine Vol.0』に「国漢文混用体からHolloまで」という拙稿を寄稿しました。興味の有る方は、第十一回技術書同人誌博覧会で手に入れる事が出来ます。

https://msky.ospn.jp/notes/a35ankd6m2p80nev

#FediLUG #技書博 #国漢文混用体 #Fedify #Hollo

오늘 點心(점심)은 그냥 바나나로 때운다.