Releases: fedify-dev/fedify

Fedify 2.1.10

23 Apr 02:56
2.1.10
7c2f39d

Released on April 23, 2026.

@fedify/vocab-runtime

  • Added https://join-lemmy.org/context.json to preloaded JSON-LD contexts. Lemmy serves this context as application/json without a JSON-LD context Link header, which caused the default document loader to reject Lemmy-originated activities before application handlers could run. [#714]

Fedify 2.0.14

23 Apr 02:44
2.0.14
49abdfa

Released on April 23, 2026.

@fedify/vocab-runtime

  • Added https://join-lemmy.org/context.json to preloaded JSON-LD contexts. Lemmy serves this context as application/json without a JSON-LD context Link header, which caused the default document loader to reject Lemmy-originated activities before application handlers could run. [#714]

Fedify 2.1.9

22 Apr 12:13
2.1.9
7245a47

Released on April 22, 2026.

@fedify/mysql

  • Fixed a TypeScript type mismatch in MysqlKvStore and MysqlMessageQueue that could reject valid mysql2 pools when an application resolved mysql2 through multiple type sources or different package versions. The constructors now accept the structural pool shape they actually use, so mixed Deno/npm setups and monorepos no longer need casts or @ts-expect-error workarounds.

Fedify 2.1.8

22 Apr 11:17
2.1.8
2702929

Released on April 22, 2026.

@fedify/init

  • Fixed fedify init -w astro -p bun generating package.json scripts that invoked Astro through Node.js. Bun + Astro projects now use bunx --bun astro dev and bunx --bun astro build, so the generated development workflow runs on systems that only have Bun installed.

@fedify/next

  • Widened @fedify/next's supported Next.js peer dependency range to >=15.4.6 <17, so installing it into a fresh create-next-app 16.x project no longer fails with an ERESOLVE peer dependency conflict. This restores the default fedify init -w next flow against the current Next.js stable release and updates the integration example to track Next.js 16. [#713]

Fedify 2.0.13

22 Apr 11:02
2.0.13
1bf32f5

Released on April 22, 2026.

@fedify/next

  • Widened @fedify/next's supported Next.js peer dependency range to >=15.4.6 <17, so installing it into a fresh create-next-app 16.x project no longer fails with an ERESOLVE peer dependency conflict. This restores the default fedify init -w next flow against the current Next.js stable release and updates the integration example to track Next.js 16. [#713]

Fedify 2.1.7

21 Apr 04:22
2.1.7
bb7ebc0

Released on April 21, 2026.

@fedify/init

  • Fixed fedify init generating Astro projects for Bun with the Node.js adapter and astro preview, which could fail to run correctly on Bun. Astro + Bun projects now use @nurodev/astro-bun and run the built Bun server entry point instead. [#707]

Fedify 2.1.6

20 Apr 03:42
2.1.6
5d0c971

Released on April 20, 2026.

@fedify/astro

  • Restored the npm entrypoint contract for @fedify/astro by making the build emit dist/*.js and dist/*.d.ts files that match the published package metadata again. This fixes package resolution failures caused by package.json exporting files that did not exist in the npm tarball. [#699, #701]

@fedify/cli

  • Fixed fedify lookup failing to look up URLs on private or localhost addresses unless -p/--allow-private-address was passed, which was a regression introduced in Fedify 2.1.0 when the CLI began forwarding the allowPrivateAddress option to the underlying document loader. URLs explicitly provided on the command line now always allow private addresses, while URLs discovered during -t/--traverse honor the option to mitigate SSRF attacks against private addresses. Recursive fetches via --recurse continue to always disallow private addresses regardless of the option. [#696, #698 by Chanhaeng Lee]
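
The per-source rule in the note above, sketched as an added example (not Fedify's own code). The `source` labels and function names are hypothetical, and the host check covers address literals and localhost only.

```javascript
// Added example, not Fedify source. The `source` labels are hypothetical names
// for the three URL origins the release note distinguishes.
function privateAddressAllowed(source, allowPrivateAddress) {
  switch (source) {
    case "explicit": return true;                // given on the command line
    case "traverse": return allowPrivateAddress; // honors -p/--allow-private-address
    case "recurse": return false;                // never, whatever the option says
    default: throw new Error(`unknown URL source: ${source}`);
  }
}

// First two octets are enough to classify the private and loopback IPv4 ranges.
function isPrivateIPv4(a, b) {
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

// Literal-only check: a DNS name that resolves to a private address is not
// caught here and needs a check on the resolved address at connect time.
function isPrivateHost(hostname) {
  const host = hostname.toLowerCase().replace(/^\[|\]$/g, "");
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  const v4 = host.match(/^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}$/);
  if (v4) return isPrivateIPv4(Number(v4[1]), Number(v4[2]));
  if (!host.includes(":")) return false;         // ordinary DNS name
  const mapped = host.match(/^::ffff:([0-9a-f]{1,4}):[0-9a-f]{1,4}$/);
  if (mapped) {
    const hi = parseInt(mapped[1], 16);          // first two IPv4 octets
    return isPrivateIPv4(hi >> 8, hi & 0xff);
  }
  return host === "::1" || host === "::" ||
    /^f[cd][0-9a-f]{2}:/.test(host) ||           // fc00::/7 unique local
    /^fe[89ab][0-9a-f]:/.test(host);             // fe80::/10 link-local
}

// Public hosts always pass; private ones pass only if the URL's source permits.
function mayFetch(url, source, allowPrivateAddress) {
  const { hostname } = new URL(url);
  return !isPrivateHost(hostname) ||
    privateAddressAllowed(source, allowPrivateAddress);
}
```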

Fedify 2.1.5

08 Apr 06:26
2.1.5
ea03b77

Released on April 8, 2026.

@fedify/fedify

  • Fixed Context.getActorKeyPairs() assigning the same key ID to both the CryptographicKey (used for HTTP Signatures and Linked Data Signatures) and the Multikey (used for Object Integrity Proofs) within an ActorKeyPair. The Multikey now receives a distinct ID (#multikey-1, #multikey-2, …) so that the actor document no longer contains two objects sharing the same id, which was invalid JSON-LD. Object Integrity Proof signatures now reference the correct Multikey ID instead of the CryptographicKey ID. [#663]

  • Object Integrity Proofs signing now takes place before activity fanout, so all recipients receive the same pre-signed activity. Previously, OIP signing was deferred until after fanout, meaning each fanout worker would re-sign independently with potentially different timestamps and the fanout message itself contained an unsigned activity.
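
A check for the two conditions described in the key ID fix above, as an added example (not Fedify's own code). The actor URL and the `#key-1` fragment are constructed, key material is omitted, and the function names are hypothetical.

```javascript
// Added example, not Fedify source. All URLs and the "#key-1" fragment are
// constructed sample values; key material is left out of the documents.
const ACTOR = "https://example.com/users/alice";
const actorWith = (multikeyId) => ({
  id: ACTOR,
  type: "Person",
  publicKey: { id: `${ACTOR}#key-1`, type: "CryptographicKey", owner: ACTOR },
  assertionMethod: [{ id: multikeyId, type: "Multikey", controller: ACTOR }],
});
const actorBefore = actorWith(`${ACTOR}#key-1`);     // both keys share one id
const actorAfter = actorWith(`${ACTOR}#multikey-1`); // distinct Multikey id

// Report every `id` carried by more than one embedded object, with JSON paths.
function findDuplicateIds(doc) {
  const seen = new Map(); // id -> paths of the objects that carry it
  const walk = (node, path) => {
    if (Array.isArray(node)) {
      node.forEach((item, i) => walk(item, `${path}[${i}]`));
    } else if (node !== null && typeof node === "object") {
      if (typeof node.id === "string") {
        seen.set(node.id, [...(seen.get(node.id) ?? []), path]);
      }
      for (const [key, value] of Object.entries(node)) {
        if (key !== "@context") walk(value, `${path}.${key}`);
      }
    }
  };
  walk(doc, "$");
  return [...seen].filter(([, paths]) => paths.length > 1)
    .map(([id, paths]) => ({ id, paths }));
}

// True when every proof on the activity names one of the actor's Multikey ids.
function proofsReferenceMultikey(actor, activity) {
  const multikeyIds = [].concat(actor.assertionMethod ?? [])
    .filter((key) => key.type === "Multikey").map((key) => key.id);
  return [].concat(activity.proof ?? [])
    .every((proof) => multikeyIds.includes(proof.verificationMethod));
}
```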

@fedify/cfworkers

  • Fixed a remaining TypeScript type mismatch for Cloudflare Workers users who pass wrangler types or @cloudflare/vite-plugin generated KV bindings to WorkersKvStore. The package now accepts a minimal structural KV binding interface for WorkersKvStore and WorkersMessageQueue's orderingKv option instead of requiring the nominal KVNamespace type imported from @cloudflare/workers-types, so generated local declarations compile without casts or @ts-expect-error. [#665]

Fedify 2.0.12

08 Apr 04:19
2.0.12
2fc3442

Released on April 8, 2026.

@fedify/fedify

  • Fixed Context.getActorKeyPairs() assigning the same key ID to both the CryptographicKey (used for HTTP Signatures and Linked Data Signatures) and the Multikey (used for Object Integrity Proofs) within an ActorKeyPair. The Multikey now receives a distinct ID (#multikey-1, #multikey-2, …) so that the actor document no longer contains two objects sharing the same id, which was invalid JSON-LD. Object Integrity Proof signatures now reference the correct Multikey ID instead of the CryptographicKey ID. [#663]

  • Object Integrity Proofs signing now takes place before activity fanout, so all recipients receive the same pre-signed activity. Previously, OIP signing was deferred until after fanout, meaning each fanout worker would re-sign independently with potentially different timestamps and the fanout message itself contained an unsigned activity.

@fedify/cfworkers

  • Fixed a remaining TypeScript type mismatch for Cloudflare Workers users who pass wrangler types or @cloudflare/vite-plugin generated KV bindings to WorkersKvStore. The package now accepts a minimal structural KV binding interface for WorkersKvStore and WorkersMessageQueue's orderingKv option instead of requiring the nominal KVNamespace type imported from @cloudflare/workers-types, so generated local declarations compile without casts or @ts-expect-error. [#665]

Fedify 1.10.8

08 Apr 04:50
1.10.8
cbb0197

Released on April 8, 2026.

@fedify/fedify

  • Fixed Context.getActorKeyPairs() assigning the same key ID to both the CryptographicKey (used for HTTP Signatures and Linked Data Signatures) and the Multikey (used for Object Integrity Proofs) within an ActorKeyPair. The Multikey now receives a distinct ID (#multikey-1, #multikey-2, …) so that the actor document no longer contains two objects sharing the same id, which was invalid JSON-LD. Object Integrity Proof signatures now reference the correct Multikey ID instead of the CryptographicKey ID. [#663]

  • Object Integrity Proofs signing now takes place before activity fanout, so all recipients receive the same pre-signed activity. Previously, OIP signing was deferred until after fanout, meaning each fanout worker would re-sign independently with potentially different timestamps and the fanout message itself contained an unsigned activity.