#Fedify 1.4.0 has been released, and #BotKit 0.1.0 will be based on Fedify 1.4.0. BotKit 0.1.0 is also about to be released, so please stay tuned!
https://hollo.social/@fedify/0194d42d-ee82-7a21-b66e-f88702278099
Hollo 0.3.0 released! #Hollo is a single-user federated microblogging software which is #ActivityPub-enabled and powered by #Fedify.
The key changes of this release include:
Thanks to @joschi, Hollo now supports local filesystem storage for media files. You can configure DRIVE_DISK=fs and FS_ASSET_PATH to store media files in the local filesystem. For users who've used S3, no further action is required—but, it's recommended to configure DRIVE_DISK=s3 as DRIVE_DISK will be required in future releases.
Added support for Sentry. If you want to see error reports and instrumented traces in Sentry, please configure SENTRY_DSN.
Added pagination to the profile page.
Minor performance improvements and bug fixes due to upgrading Fedify to 1.3.0.
You can upgrade to Hollo 0.3.0 using the following ways:
To Railway users: Just redeploy the Hollo service!
To Docker users: Switch your Hollo image to ghcr.io/dahlia/hollo:0.3.0 or simply latest!
To manual installers: Fetch the stable branch and switch over to it!
Looking for a side project to do over the holidays? Why not create your own #ActivityPub server with #Fedify?
Hollo 0.4.0 released! #Hollo is a single-user federated microblogging software which is #ActivityPub-enabled and powered by #Fedify.
The key changes of this release include:
Hollo is now powered by Node.js 23+ instead of Bun for more efficient memory usage.
Added an experimental feature flag TIMELINE_INBOXES to store all posts visible to your timeline in the database, rather than filtering them in real-time as they are displayed. This is useful for relatively larger instances with many incoming posts, but as of now it may have several bugs. It is expected to be the default behavior in the future after it is stabilized.
Now you can import and export your data from the administration dashboard in CSV format: follows, lists, accounts you muted, accounts you blocked, and bookmarks.
You can now make your profile discoverable.
The profile page now shows an account's cover image if it has one.
Many bug fixes.
For the details, see also the full changelog.
You can upgrade to Hollo 0.4.0 using the following ways:
To Railway users: Just redeploy the Hollo service!
To Docker users: Switch your Hollo image to ghcr.io/dahlia/hollo:0.4.0 or simply latest!
To manual installers:
Install Node.js 23 or higher.
Fetch the stable branch and switch over to it.
Run pnpm install.
Run pnpm run prod to start the Hollo server.
The last "big" code thing I need to get done before the alpha test of my current @fedify project is the task queue - make sure routine data updates happen, consider individual importance and urgency, respect external API rate limits, etc.
But that's super intimidating so I'm currently procrastinating by making it a cute lil home page instead. 🙃
Introducing #BotKit: A #TypeScript framework for creating truly standalone #ActivityPub bots!
Unlike traditional Mastodon bots, BotKit lets you build fully independent #fediverse bots that aren't constrained by platform limits. Create your entire bot in a single TypeScript file using our simple, expressive API.
Currently #Deno-only, with Node.js & Bun support planned. Built on the robust #Fedify foundation.
Made a little bit of progress on my #Fedify project yesterday. Spun my wheels testing a few #TypeScript ORMs and running into compatibility problems with each of them. By the time I went to bed, the preferences page was capable of storing and loading account-local form data for the first time. 🥳
For this project, when progress looks slow from the outside, it's because I'm learning the ecosystem pretty much from scratch. Not letting myself get discouraged. 🙂
We're excited to announce the release of Fedify 1.4.0! This release brings significant improvements to enhance compatibility and flexibility in #ActivityPub federation.
Key Highlights
Introduced a new system to adjust outgoing activities for better compatibility with various ActivityPub implementations. This includes automatic ID assignment for activities and actor dehydration to satisfy implementation quirks (looking at you, Threads!).
WebFinger customization
Added the ability to customize WebFinger responses through the new mapAlias() API, giving you more control over how your actors are discovered.
New interaction collections
Added support for shares, likes, and emojiReactions properties to the Object class, making it easier to access and traverse these interaction collections.
More flexible document/context loader
Document loader and context loader are now configurable through factory functions, giving you more control over how your application handles JSON-LD documents.
CLI improvements
The fedify lookup command now supports two new options:
-t/--traverse: Traverse through collection objects
-S/--suppress-errors: Continue operation even when encountering errors during traversal
Other enhancements
Added Context.getNodeInfo() method for easier NodeInfo access
Improved error handling in collection traversal and JSON-LD processing
Added support for private network access control in WebFinger lookups
User-Agent headers now automatically include your instance URL, making it easier for other servers to identify your instance
For the complete list of changes and bugfixes, please visit our changelog.
Whether you're building a new federated application or maintaining an existing one, #Fedify 1.4.0 provides the tools you need for robust ActivityPub federation.
Supporting us
We're grateful to all our sponsors who make this project possible. Check out our new sponsors showcase page to see the amazing individuals and organizations supporting Fedify's development. If you'd like to support Fedify's development, please consider becoming a sponsor!
Upgrade now
You can install Fedify 1.4.0 from JSR or npm. Upgrade today and let us know what you think!
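Fedify and Hollo will be exhibiting jointly at OSC 2024 Tokyo/Fall, held on Saturday, October 26! We plan to bring cute Fedify logo stickers and paper copies of the Japanese edition of "Creating your own federated microblog". We look forward to seeing you there.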
Want to build your own #ActivityPub implementation, but don't know where to start? Read and follow #Fedify's official tutorial, Creating your own federated microblog, and get started!
We have released #security updates (1.0.14, 1.1.11, 1.2.11, 1.3.4) to address CVE-2025-23221, a #vulnerability in #Fedify's #WebFinger implementation. We recommend all users update to the latest version of their respective release series immediately.
The Vulnerability
A security researcher identified multiple security issues in Fedify's lookupWebFinger() function that could be exploited to:
Perform denial of service attacks through infinite redirect loops
Execute server-side request forgery (#SSRF) attacks via redirects to private network addresses
Access unintended URL schemes through redirect manipulation
Fixed Versions
1.3.x series: Update to 1.3.4
1.2.x series: Update to 1.2.11
1.1.x series: Update to 1.1.11
1.0.x series: Update to 1.0.14
Changes
The security updates implement the following fixes:
Added a maximum redirect limit (5) to prevent infinite redirect loops
Restricted redirects to only follow the same scheme as the original request (HTTP/HTTPS)
Blocked redirects to private network addresses to prevent SSRF attacks
How to Update
To update to the latest secure version:
# For npm users
npm update @fedify/fedify
# For Deno users
deno add jsr:@fedify/fedify
We thank the security researcher who responsibly disclosed this vulnerability, allowing us to address these issues promptly.
For more details about this vulnerability, please refer to our security advisory.
If you have any questions or concerns, please don't hesitate to reach out through our GitHub Discussions, join our Matrix chat space, or our Discord server.
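The three fixes listed in the advisory above (redirect limit of 5, same-scheme redirects only, no redirects to private addresses) can be expressed as a single redirect policy. The following is an added example, not Fedify's own code: the function names and the redirect table are hypothetical, the table is constructed sample data standing in for HTTP responses, and only literal IP hosts are checked.

```javascript
// Added example: a redirect policy covering the three fixes listed in the advisory.
const MAX_REDIRECTS = 5; // limit stated in the advisory

// True for literal loopback, private, link-local or unspecified hosts.
// Assumption: a production client also checks the addresses a hostname resolves to.
function isPrivateHost(hostname) {
  const host = hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  const m = host.match(/^(\d+)\.(\d+)\.\d+\.\d+$/);
  if (m) { // the URL parser has already normalised hex/integer IPv4 forms
    const a = Number(m[1]), b = Number(m[2]);
    return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
  }
  if (host.includes(":")) { // IPv6 literal
    return host === "::" || host === "::1" || host.startsWith("::ffff:") ||
      /^f[cd]/.test(host) || /^fe[89ab]/.test(host); // ULA and link-local
  }
  return false;
}

// Decide whether a single redirect hop may be followed.
function checkRedirect(originalUrl, currentUrl, location, hops) {
  if (hops >= MAX_REDIRECTS) return { ok: false, reason: "too many redirects" };
  let next;
  try {
    next = new URL(location, currentUrl);
  } catch {
    return { ok: false, reason: "invalid Location" };
  }
  if (next.protocol !== new URL(originalUrl).protocol) {
    return { ok: false, reason: "scheme changed" };
  }
  if (isPrivateHost(next.hostname)) return { ok: false, reason: "private address" };
  return { ok: true, url: next.href };
}

// Walk a constructed redirect table (URL -> Location header) instead of the network.
function resolveWithPolicy(startUrl, redirectTable) {
  let current = new URL(startUrl).href;
  for (let hops = 0; ; hops++) {
    const location = redirectTable[current];
    if (location === undefined) return { ok: true, url: current };
    const verdict = checkRedirect(startUrl, current, location, hops);
    if (!verdict.ok) return verdict;
    current = verdict.url;
  }
}
```

In a real client the same checkRedirect() decision would run on each 3xx response with automatic redirect following disabled, so that no hop is fetched before it has been vetted.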
If you are a #fediverse admin running libraries on #Fedify, keep an eye on this: https://nvd.nist.gov/vuln/detail/CVE-2025-23221
#Fedify already uses the #Temporal API exclusively for representing temporal data.
https://developer.mozilla.org/en-US/blog/javascript-temporal-is-coming/
📢 Important announcement! #BotKit's #GitHub repository has moved to a new home! 🏠
The repository is now located at @fedify-dev/botkit (previously @dahlia/botkit). All future development will continue at the new location.
Don't worry—everything's the same, just a new address! Please update your bookmarks and project references. Thanks for being part of our community!
#Fedify #ActivityPub #fediverse #fedidev
https://hollo.social/@fedify/0194a851-581d-779c-b777-dc39e753ef14
🎉 Excited to announce that #Fedify is now on Open Collective! Support the project's development starting at:
Backer (from $5/mo)
Supporter (from $25/mo)
Sponsor (from $100/mo)
Corporate Sponsor (from $500/mo)
Custom donations welcome
Your support will help us maintain and improve Fedify. Check it out here:
https://opencollective.com/fedify
Valtteri Laitinen (@valtlai) managed to get #Fedify running on #Cloudflare Workers!
As the maintainer of #Fedify, I'd be grateful for your support to help keep the project sustainable!
https://hollo.social/@fedify/0194b112-b604-7d03-84e0-4faaf4ab46cd