Released on February 1, 2026.

@fedify/fedify

• Fixed traverseCollection() yielding no items when a Collection has an inline CollectionPage in its first property without an explicit id. This is common in Mastodon's replies collections. The function previously used collection.firstId to determine pagination, which returned null for inline pages without an id, causing it to incorrectly fall into the non-paginated branch. [#550 by Lee Dogeon]

Released on February 1, 2026.

@fedify/fedify

• Fixed traverseCollection() yielding no items when a Collection has an inline CollectionPage in its first property without an explicit id. This is common in Mastodon's replies collections. The function previously used collection.firstId to determine pagination, which returned null for inline pages without an id, causing it to incorrectly fall into the non-paginated branch. [#550 by Lee Dogeon]

Released on January 23, 2026.

@fedify/testing

• Fixed TestContext.getActorKeyPairs() returning empty array instead of calling registered key pairs dispatcher. The method now properly invokes the key pairs dispatcher when it is registered via setKeyPairsDispatcher(). [#530]

Released on January 23, 2026.

@fedify/testing

• Fixed TestContext.getActorKeyPairs() returning empty array instead of calling registered key pairs dispatcher. The method now properly invokes the key pairs dispatcher when it is registered via setKeyPairsDispatcher(). [#530]

Released on January 22, 2026.

@fedify/testing

• Fixed TestContext.getActor() and TestContext.getObject() returning null instead of calling registered dispatchers. The methods now properly invoke actor and object dispatchers when they are registered via setActorDispatcher() and setObjectDispatcher(). [#530]

Released on January 22, 2026.

@fedify/testing

• Fixed TestContext.getActor() and TestContext.getObject() returning null instead of calling registered dispatchers. The methods now properly invoke actor and object dispatchers when they are registered via setActorDispatcher() and setObjectDispatcher(). [#530]

Released on December 24, 2025.

@fedify/fedify

• Enhanced OpenTelemetry instrumentation with span events for capturing detailed activity data. Span events now record complete activity JSON payloads and verification status, enabling richer observability and debugging capabilities without relying solely on span attributes (which only support primitive values). [#323]

  • Added activitypub.activity.received span event to the activitypub.inbox span, recording the full activity JSON, verification status (activity verified, HTTP signatures verified, Linked Data signatures verified), and actor information.
  • Added activitypub.activity.sent span event to the activitypub.send_activity span, recording the full activity JSON and target inbox URL.
  • Added activitypub.object.fetched span event to the activitypub.lookup_object span, recording the fetched object's type and complete JSON-LD representation.

• Added OpenTelemetry spans for previously uninstrumented operations: [#323]

  • Added activitypub.fetch_document span for document loader operations, tracking URL fetching, HTTP redirects, and final document URLs.
  • Added activitypub.verify_key_ownership span for cryptographic key ownership verification, recording actor ID, key ID, verification result, and the verification method used.

• Added optional list() method to the KvStore interface for enumerating entries by key prefix. This method takes an optional prefix parameter; when omitted or empty, it returns all entries. This enables efficient prefix scanning which is useful for implementing features like distributed trace storage, cache invalidation by prefix, and listing related entries. [#498, #500]

  • Added KvStoreListEntry interface.
  • Implemented in MemoryKvStore.

• Added FedifySpanExporter class that persists ActivityPub activity traces to a KvStore for distributed tracing support. This enables aggregating trace data across multiple nodes in a distributed deployment, making it possible to build debug dashboards that show complete request flows across web servers and background workers. [#497, #502]

  • Added @fedify/fedify/otel module.
  • Added FedifySpanExporter class implementing OpenTelemetry's SpanExporter interface.
  • Added TraceActivityRecord interface for stored activity data, including actorId and signatureDetails fields for debug dashboard support.
  • Added SignatureVerificationDetails interface for detailed signature verification information.
  • Added TraceSummary interface for trace listing.
  • Added FedifySpanExporterOptions interface.
  • Added GetRecentTracesOptions interface.
  • Added ActivityDirection type.

@fedify/nestjs

• Allowed Express 5 in the express peer dependency range to support NestJS 11. [#492, #493 by Cho Hasang]

@fedify/sqlite

• Implemented list() method in SqliteKvStore. [#498, #500]

@fedify/postgres

• Implemented list() method in PostgresKvStore. [#498, #500]

@fedify/redis

• Implemented list() method in RedisKvStore. [#498, #500]

@fedify/denokv

• Implemented list() method in DenoKvStore. [#498, #500]

@fedify/cfworkers

• Implemented list() method in WorkersKvStore. [#498, #500]

Released on December 20, 2025.

@fedify/fedify

• Fixed a ReDoS (Regular Expression Denial of Service) vulnerability in the document loader's HTML parsing. An attacker-controlled server could respond with a malicious HTML payload that blocked the event loop. [CVE-2025-68475]

@fedify/sqlite

• Fixed SyntaxError: Identifier 'Temporal' has already been declared error that occurred when using SqliteKvStore on Node.js or Bun. The error was caused by duplicate Temporal imports during the build process. [#487]

Released on December 20, 2025.

@fedify/fedify

• Fixed a ReDoS (Regular Expression Denial of Service) vulnerability in the document loader's HTML parsing. An attacker-controlled server could respond with a malicious HTML payload that blocked the event loop. [CVE-2025-68475]

@fedify/sqlite

• Fixed SyntaxError: Identifier 'Temporal' has already been declared error that occurred when using SqliteKvStore on Node.js or Bun. The error was caused by duplicate Temporal imports during the build process. [#487]

Released on December 20, 2025.

• Fixed a bug where the npm package failed to load at runtime with an error like SyntaxError: The requested module '../types.js' does not provide an export named 'i'. This was a regression introduced in version 1.7.15.