Releases: fedify-dev/fedify

Fedify 2.3.0

24 Jun 16:10
2.3.0
f33d94c

Released on June 25, 2026.

@fedify/fedify

  • Added mapActorAlias() method to ActorCallbackSetters interface to support fixed-path actor dispatchers. This is useful for exposing a single, instance-level actor at a fixed path, such as /actor for a relay or /bot for a bot, without leaking a sentinel identifier into the actor's URI. [#752, #753]

  • Added optional MessageQueue.getDepth() support, using the new MessageQueueDepth return type, for reporting queue backlog depth. InProcessMessageQueue can now report queued messages, including ready and delayed counts, and ParallelMessageQueue delegates depth reporting to its wrapped queue when supported. [#735, #748]

  • Added OpenTelemetry metrics for ActivityPub delivery attempts, permanent delivery failures, inbox listener processing duration, and HTTP Signature verification failures. Applications can pass the new meterProvider option to createFederation(), and Context.meterProvider exposes the provider available to request, inbox, and outbox code. [#316, #619, #755]

  • Added the activitypub.delivery.failed span event to queued outbox delivery spans so retry and permanent-failure decisions include the remote host, attempt number, and HTTP status code when available. [#316, #619, #755]

  • Breaking change: Changed the activitypub.activity.sent span event to record delivery metadata (activitypub.inbox.url and activitypub.activity.id) instead of the full activitypub.activity.json payload. FedifySpanExporter now stores outbound records from those attributes, and TraceActivityRecord.activityJson is present only when the span event includes full activity JSON. [#316, #619, #755]

  • Added two OpenTelemetry histograms for signature verification: activitypub.signature.verification.duration measures end-to-end verification time for HTTP Signatures, Linked Data Signatures, and Object Integrity Proofs (including local key lookup and remote key fetches), and activitypub.signature.key_fetch.duration measures public key lookup duration separately so operators can isolate non-fetch verification work. Both instruments carry activitypub.signature.kind (http, linked_data, or object_integrity) and bounded result attributes; the verification histogram additionally carries spec-bounded http_signatures.algorithm, ld_signatures.type, or object_integrity_proofs.cryptosuite when known, plus http_signatures.failure_reason on rejected HTTP rows. [#316, #737, #769]

  • Added OpenTelemetry HTTP server metrics for inbound requests handled by Federation.fetch(): fedify.http.server.request.count (Counter) and fedify.http.server.request.duration (Histogram). Both instruments carry http.request.method, fedify.endpoint, optional http.response.status_code, and optional fedify.route.template attributes so that operators can monitor aggregate request rate, latency, and status-code error rate even when traces are sampled. Attributes deliberately exclude raw URLs, query strings, and identifier values to keep cardinality bounded. [#316, #736, #757]

  • Added OpenTelemetry metrics for ActivityPub collection requests handled by Federation.fetch() and custom collection handlers:

    • activitypub.collection.request (counter)
    • activitypub.collection.dispatch.duration (histogram)
    • activitypub.collection.page.items (histogram)
    • activitypub.collection.total_items (histogram)

    The metrics expose bounded collection dimensions: activitypub.collection.kind, activitypub.collection.page, activitypub.collection.result, fedify.collection.dispatcher, and optional http.response.status_code. Built-in collections are classified as inbox, outbox, following, followers, liked, featured, or featured_tags; application-defined collection routes are collapsed into custom. Collection IDs, cursors, custom route names, actor identifiers, and full URLs are deliberately excluded so dashboards can aggregate collection rate, latency, item counts, and totalItems values without attacker-controlled cardinality. [#316, #741, #777]

  • Added OpenTelemetry queue task metrics covering Fedify's enqueue and worker boundaries for inbox, outbox, and fanout work:

    • fedify.queue.task.enqueued (counter)
    • fedify.queue.task.started (counter)
    • fedify.queue.task.completed (counter)
    • fedify.queue.task.failed (counter)
    • fedify.queue.task.duration (histogram)
    • fedify.queue.task.in_flight (up/down counter, process local)

    Instruments carry fedify.queue.role, best-effort fedify.queue.backend (the queue implementation's constructor name), and fedify.queue.native_retrial. The enqueue/started/completed/failed/duration instruments additionally carry activitypub.activity.type whenever Fedify knows the activity type for the queued message; the in-flight up/down counter deliberately omits per-message attributes so that increment and decrement operations always pair up cleanly per attribute series. Enqueue measurements additionally carry fedify.queue.task.attempt for retries, and the completion-side instruments carry fedify.queue.task.result (completed, failed, or aborted). Together with MessageQueue.getDepth() reporting, these metrics let operators distinguish a slow-draining queue from a queue that sees less traffic. [#316, #740, #759]

  • Added OpenTelemetry metrics for ActivityPub fanout and activity lifecycle events, complementing the per-recipient activitypub.delivery.* counters and the per-task fedify.queue.task.* metrics with an activity-level view of inbox and outbox pressure:

    • activitypub.fanout.recipients (histogram) records the number of recipient inboxes produced by a single fanout enqueue.
    • activitypub.inbox.activity (counter) classifies an inbound activity via the new activitypub.processing.result attribute as queued, processed, retried, rejected, or abandoned.
    • activitypub.outbox.activity (counter) classifies an outbound activity as queued, retried, or abandoned. Per-recipient sent/failed rows remain on activitypub.delivery.sent and activitypub.delivery.permanent_failure and are not duplicated.

    The lifecycle counters cover only Fedify-managed events: queue backends with nativeRetrial defer retry handling and therefore do not record retried or abandoned. Recipient URLs, actor IDs, and other high-cardinality identifiers are deliberately excluded from the fanout histogram. [#316, #742, #770]

  • Added OpenTelemetry metrics for public key lookups, remote JSON-LD document fetches, and lookupObject() calls so operators can observe how often Fedify hits the cache, how long remote fetches take, and how lookupObject() resolutions split between actors, non-actor objects, and unresolved lookups:

    • activitypub.key.lookup (counter) and activitypub.key.lookup.duration (histogram) cover every public key lookup performed by fetchKey() / fetchKeyDetailed(), including signature verification paths.
    • activitypub.document.fetch (counter) and activitypub.document.fetch.duration (histogram) cover every Fedify-wrapped document or context loader invocation, including the authenticated loader.
    • activitypub.document.cache (counter) records hit or miss for each kvCache()-backed cache lookup.
    • activitypub.object.lookup (counter) records the parsed-result classification of every lookupObject() call as actor, object, or other.

    Instruments share an activitypub.lookup.kind and (where applicable) activitypub.lookup.result attribute drawn from small, spec-bounded enumerations. activitypub.remote.host records the URL host, including any non-default port; http.response.status_code is recorded when an HTTP response was observed; activitypub.cache.enabled is recorded on the key and document fetch metrics whenever Fedify can confidently report the cache layer's presence. Key IDs, actor IDs, object IDs, JSON-LD context URLs, full URLs, and fediverse handles are deliberately excluded so attacker-controlled remotes cannot inflate metric cardinality. The existing activitypub.signature.key_fetch.duration histogram (introduced in Fedify 2.3 for signature-scoped key-fetch latency, sliced by activitypub.signature.kind) remains in place; the new activitypub.key.lookup.duration is the general-purpose histogram that covers non-signature key...

Fedify 2.2.5

05 Jun 05:40
2.2.5
65c6a47

Released on June 5, 2026.

@fedify/cli

  • Fixed fedify command failing under Deno 2.8+/TypeScript 6.0 where setTimeout() returns Timeout instead of number. Used ReturnType<typeof setTimeout> for the signalTimers WeakMap so it is compatible across all TypeScript/Deno versions. [#789 by Rui Chen]

Fedify 2.1.16

05 Jun 05:36
2.1.16
3215a9e

Released on June 5, 2026.

@fedify/cli

  • Fixed fedify command failing under Deno 2.8+/TypeScript 6.0 where setTimeout() returns Timeout instead of number. Used ReturnType<typeof setTimeout> for the signalTimers WeakMap so it is compatible across all TypeScript/Deno versions. [#789 by Rui Chen]

Fedify 2.0.20

05 Jun 05:30
2.0.20
43beb5c

Released on June 5, 2026.

@fedify/cli

  • Fixed fedify command failing under Deno 2.8+/TypeScript 6.0 where setTimeout() returns Timeout instead of number. Used ReturnType<typeof setTimeout> for the signalTimers WeakMap so it is compatible across all TypeScript/Deno versions. [#789 by Rui Chen]

Fedify 2.2.4

04 Jun 05:59
2.2.4
e6fe71d

Released on June 4, 2026.

@fedify/vocab-runtime

  • Fixed validatePublicUrl() allowing special-use IPv4 ranges, such as shared address space, benchmarking, multicast, reserved, and documentation ranges, which could bypass private network protections in remote document loading. [CVE-2026-50131]

  • Fixed validatePublicUrl() allowing IPv6 translation and tunneling prefixes, including NAT64, Teredo, and 6to4 addresses, which could bypass private network protections in remote document loading. [CVE-2026-50131]
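
The class of check these two fixes describe, as an added example (not Fedify's code): an IP-literal classifier that rejects the special-use IPv4 blocks and the NAT64, Teredo and 6to4 prefixes named above, alongside the usual private ranges. The function names and the CIDR values are assumptions drawn from the IANA special-purpose registries, not taken from validatePublicUrl(); the whole translation prefix is blocked rather than inspecting the embedded IPv4 address.

```typescript
// Added example, not Fedify's validatePublicUrl(); CIDR lists are assumptions from IANA registries.
const V4_BLOCKED: [string, number][] = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["127.0.0.0", 8], ["169.254.0.0", 16],
  ["172.16.0.0", 12], ["192.168.0.0", 16], // classic private/local ranges
  ["100.64.0.0", 10], ["198.18.0.0", 15], // shared address space, benchmarking
  ["192.0.2.0", 24], ["198.51.100.0", 24], ["203.0.113.0", 24], // documentation
  ["224.0.0.0", 4], ["240.0.0.0", 4], // multicast, reserved
];
// Prefixes over the 32-hex-digit expanded form: ULA, link-local, multicast, NAT64 64:ff9b::/96,
// Teredo 2001::/32, 6to4 2002::/16, documentation 2001:db8::/32, IPv4-mapped, and :: / ::1.
const V6_BLOCKED = /^(f[cd]|fe[89ab]|ff|0064ff9b0{16}|20010000|2002|20010db8|0{20}ffff|0{31}[01])/;

function v4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    // Leading zeros are rejected so octal-looking forms fail closed.
    if (!/^(0|[1-9]\d{0,2})$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function v6ToHex(ip: string): string | null {
  let s = ip.toLowerCase();
  if (s.includes(".")) { // dotted-quad tail, e.g. 64:ff9b::10.0.0.1
    const cut = s.lastIndexOf(":") + 1;
    const n = v4ToInt(s.slice(cut));
    if (n === null) return null;
    s = s.slice(0, cut) + Math.floor(n / 65536).toString(16) + ":" + (n % 65536).toString(16);
  }
  const halves = s.split("::");
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves[1] ? halves[1].split(":") : [];
  const fill = 8 - head.length - tail.length;
  if (halves.length > 2 || (halves.length === 2 ? fill < 1 : fill !== 0)) return null;
  const groups = [...head, ...new Array<string>(fill).fill("0"), ...tail];
  if (groups.some((g) => !/^[0-9a-f]{1,4}$/.test(g))) return null;
  return groups.map((g) => ("000" + g).slice(-4)).join("");
}

// True when the IP literal must not be fetched; unparsable input fails closed.
function isBlockedAddress(host: string): boolean {
  const ip = host.replace(/^\[|\]$/g, "");
  if (ip.includes(":")) { const hex = v6ToHex(ip); return hex === null || V6_BLOCKED.test(hex); }
  const n = v4ToInt(ip);
  return n === null || V4_BLOCKED.some(([base, bits]) =>
    Math.floor(n / 2 ** (32 - bits)) === Math.floor((v4ToInt(base) as number) / 2 ** (32 - bits)));
}
```

A URL guard would apply this to every address a hostname resolves to at connection time, not only to IP literals in the URL.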

Fedify 2.1.15

04 Jun 05:50
2.1.15
2e1122e

Released on June 4, 2026.

@fedify/vocab-runtime

  • Fixed validatePublicUrl() allowing special-use IPv4 ranges, such as shared address space, benchmarking, multicast, reserved, and documentation ranges, which could bypass private network protections in remote document loading. [CVE-2026-50131]

  • Fixed validatePublicUrl() allowing IPv6 translation and tunneling prefixes, including NAT64, Teredo, and 6to4 addresses, which could bypass private network protections in remote document loading. [CVE-2026-50131]

Fedify 2.0.19

04 Jun 04:57
2.0.19
0bdad17

Released on June 4, 2026.

@fedify/vocab-runtime

  • Fixed validatePublicUrl() allowing special-use IPv4 ranges, such as shared address space, benchmarking, multicast, reserved, and documentation ranges, which could bypass private network protections in remote document loading. [CVE-2026-50131]

  • Fixed validatePublicUrl() allowing IPv6 translation and tunneling prefixes, including NAT64, Teredo, and 6to4 addresses, which could bypass private network protections in remote document loading. [CVE-2026-50131]

Fedify 1.10.11

04 Jun 04:42
1.10.11
8eb4ed1

Released on June 4, 2026.

@fedify/fedify

  • Fixed validatePublicUrl() allowing special-use IPv4 ranges, such as shared address space, benchmarking, multicast, reserved, and documentation ranges, which could bypass private network protections in remote document loading. [CVE-2026-50131]

  • Fixed validatePublicUrl() allowing IPv6 translation and tunneling prefixes, including NAT64, Teredo, and 6to4 addresses, which could bypass private network protections in remote document loading. [CVE-2026-50131]

Fedify 1.9.12

04 Jun 04:36
1.9.12
5b2f65e

Released on June 4, 2026.

@fedify/fedify

  • Fixed validatePublicUrl() allowing special-use IPv4 ranges, such as shared address space, benchmarking, multicast, reserved, and documentation ranges, which could bypass private network protections in remote document loading. [CVE-2026-50131]

  • Fixed validatePublicUrl() allowing IPv6 translation and tunneling prefixes, including NAT64, Teredo, and 6to4 addresses, which could bypass private network protections in remote document loading. [CVE-2026-50131]

Fedify 2.2.3

20 May 17:21
2.2.3
8140088

Released on May 21, 2026.

@fedify/fedify

  • Fixed a security vulnerability in Linked Data Signature verification that could allow certain signed activities to be interpreted differently than intended. [CVE-2026-42462]