Released on December 24, 2025.

@fedify/fedify

• Enhanced OpenTelemetry instrumentation with span events for capturing detailed activity data. Span events now record complete activity JSON payloads and verification status, enabling richer observability and debugging capabilities without relying solely on span attributes (which only support primitive values). [#323]

  • Added activitypub.activity.received span event to the activitypub.inbox span, recording the full activity JSON, verification status (activity verified, HTTP signatures verified, Linked Data signatures verified), and actor information.
  • Added activitypub.activity.sent span event to the activitypub.send_activity span, recording the full activity JSON and target inbox URL.
  • Added activitypub.object.fetched span event to the activitypub.lookup_object span, recording the fetched object's type and complete JSON-LD representation.

• Added OpenTelemetry spans for previously uninstrumented operations: [#323]

  • Added activitypub.fetch_document span for document loader operations, tracking URL fetching, HTTP redirects, and final document URLs.
  • Added activitypub.verify_key_ownership span for cryptographic key ownership verification, recording actor ID, key ID, verification result, and the verification method used.

• Added optional list() method to the KvStore interface for enumerating entries by key prefix. This method takes an optional prefix parameter; when omitted or empty, it returns all entries. This enables efficient prefix scanning which is useful for implementing features like distributed trace storage, cache invalidation by prefix, and listing related entries. [#498, #500]

  • Added KvStoreListEntry interface.
  • Implemented in MemoryKvStore.

• Added FedifySpanExporter class that persists ActivityPub activity traces to a KvStore for distributed tracing support. This enables aggregating trace data across multiple nodes in a distributed deployment, making it possible to build debug dashboards that show complete request flows across web servers and background workers. [#497, #502]

  • Added @fedify/fedify/otel module.
  • Added FedifySpanExporter class implementing OpenTelemetry's SpanExporter interface.
  • Added TraceActivityRecord interface for stored activity data, including actorId and signatureDetails fields for debug dashboard support.
  • Added SignatureVerificationDetails interface for detailed signature verification information.
  • Added TraceSummary interface for trace listing.
  • Added FedifySpanExporterOptions interface.
  • Added GetRecentTracesOptions interface.
  • Added ActivityDirection type.

@fedify/nestjs

• Allowed Express 5 in the express peer dependency range to support NestJS 11. [#492, #493 by Cho Hasang]

@fedify/sqlite

• Implemented list() method in SqliteKvStore. [#498, #500]

@fedify/postgres

• Implemented list() method in PostgresKvStore. [#498, #500]

@fedify/redis

• Implemented list() method in RedisKvStore. [#498, #500]

@fedify/denokv

• Implemented list() method in DenoKvStore. [#498, #500]

@fedify/cfworkers

• Implemented list() method in WorkersKvStore. [#498, #500]

Released on December 20, 2025.

@fedify/fedify

• Fixed a ReDoS (Regular Expression Denial of Service) vulnerability in the document loader's HTML parsing. An attacker-controlled server could respond with a malicious HTML payload that blocked the event loop. [CVE-2025-68475]

@fedify/sqlite

• Fixed SyntaxError: Identifier 'Temporal' has already been declared error that occurred when using SqliteKvStore on Node.js or Bun. The error was caused by duplicate Temporal imports during the build process. [#487]

Released on December 20, 2025.

@fedify/fedify

• Fixed a ReDoS (Regular Expression Denial of Service) vulnerability in the document loader's HTML parsing. An attacker-controlled server could respond with a malicious HTML payload that blocked the event loop. [CVE-2025-68475]

@fedify/sqlite

• Fixed SyntaxError: Identifier 'Temporal' has already been declared error that occurred when using SqliteKvStore on Node.js or Bun. The error was caused by duplicate Temporal imports during the build process. [#487]

Released on December 20, 2025.

• Fixed a bug where the npm package failed to load at runtime with an error like SyntaxError: The requested module '../types.js' does not provide an export named 'i'. This was a regression introduced in version 1.7.15.

Released on December 20, 2025.

• Fixed a bug where TypeScript declaration files (.d.ts) were not included in the npm package, causing type errors when importing the package.

Released on December 20, 2025.

• Fixed a ReDoS (Regular Expression Denial of Service) vulnerability in the document loader's HTML parsing. An attacker-controlled server could respond with a malicious HTML payload that blocked the event loop. [CVE-2025-68475]

Released on December 20, 2025.

• Fixed a bug where the npm package failed to load at runtime with an error like SyntaxError: The requested module '../types.js' does not provide an export named 'i'. This was a regression introduced in version 1.6.14.

Released on December 20, 2025.

• Fixed a bug where TypeScript declaration files (.d.ts) were not included in the npm package, causing type errors when importing the package.

Released on December 20, 2025.

• Fixed a ReDoS (Regular Expression Denial of Service) vulnerability in the document loader's HTML parsing. An attacker-controlled server could respond with a malicious HTML payload that blocked the event loop. [CVE-2025-68475]

Released on October 31, 2025.

@fedify/testing

• Fixed JSR publishing hanging indefinitely at the processing stage by hiding complex type exports from the public API. The JSR type analyzer struggled with complex type dependencies when analyzing the MockFederation, TestFederation, TestContext, and SentActivity types, causing indefinite hangs during the processing stage. [#468]

  • Breaking change: MockFederation class is no longer exported from the public API. Use createFederation() factory function instead.
  • TestFederation<TContextData>, TestContext<TContextData>, and SentActivity interfaces are no longer exported from the public API, but their types are still inferred from createFederation() return type and can be used via TypeScript's type inference.

@fedify/cli

• Fixed fedify command failing on Windows with PermissionDenied error when trying to locate or execute package managers during initialization. The CLI now properly handles *.cmd and *.bat files on Windows by invoking them through cmd /c. [#463]