#Fedify has moved to a monorepo structure with unified versioning across all packages (@fedify/fedify, @fedify/cli, database adapters & framework integrations).
All packages now release together, making dependency management much simpler!
fedify
I just discovered why some of my followers from larger #Mastodon instances (like mastodon.social) would mysteriously unfollow me after a while!
Turns out Mastodon implements the FEP-8fcf specification (Followers collection synchronization across servers), but it expected all followers to be in a single page collection. When followers were split across multiple pages, it would only see the first page and incorrectly remove all followers from subsequent pages!
This explains so much about the strange behavior I've been seeing with #Hollo and other #Fedify-based servers over the past few months. Some people would follow me from large instances, then mysteriously unfollow later without any action on their part.
Thankfully this fix has been marked for backporting, so it should appear in an upcoming patch release rather than waiting for the next major version. Great news for all of us building on #ActivityPub!
This is why I love open source—we can identify, understand, and fix these kinds of interoperability issues together. 😊
🎉 Big thanks to @2chanhaeng for his first contribution to #Fedify! He implemented the new fedify webfinger command in PR #278, which allows isolated #WebFinger lookups for testing configurations. This addresses the need for developers to test WebFinger functionality without performing comprehensive object retrieval.
The contribution includes:
A new fedify webfinger <handle> command that accepts @user@domain format handles or URIs
Clean JSON output of WebFinger JRD results
Proper error handling for invalid handles and lookup failures
Complete #CLI integration with help text and usage examples
This was originally filed as issue #260 and marked as a good first issue—perfect for newcomers to learn the codebase structure while contributing meaningful functionality. The PR has been merged and will be included in the upcoming Fedify 1.8.0 release.
We appreciate all first-time contributors who help make Fedify better for the entire #fediverse community. Welcome aboard, ChanHaeng!
We're thrilled to highlight five outstanding contributions from the Korean Open Source Contribution Academy (#OSSCA) program participants who have been working on #Fedify! Their dedication and effort have significantly enhanced our #ActivityPub server framework.
First up is @nyeong with his monumental #318 PR, implementing a SQLite-based key–value store to address #274. This contribution adds the SqliteKvStore class with full cross-runtime support for Node.js, Deno, and Bun through the new @fedify/sqlite package. His implementation includes atomic operations, TTL support, comprehensive test coverage, and careful attention to SQL injection prevention. This enables developers to use SQLite as a persistent storage backend while maintaining compatibility with Fedify's existing KvStore API—a crucial feature for production deployments!
Next, @crohasang delivered an excellent quality-of-life improvement with #341 PR, fixing #257. He enhanced the CLI to properly respect TTY status and the NO_COLOR environment variable, implementing intelligent color control across all CLI commands. The solution involved switching from @cliffy/ansi/colors to @std/fmt/colors, creating a helper function using Deno.inspect() to handle object formatting, and ensuring colors are correctly disabled when output is redirected to files. This makes the CLI much more pipe-friendly and suitable for automated workflows!
@menele contributed a thoughtful enhancement with #342 PR, addressing #191. She updated the fedify inbox command to display not just the activity type, but also the type of object contained within each activity—transforming output like "Create" into the more informative "Create(Note)" or "Undo" into "Undo(Follow)". This seemingly simple change required making the display function asynchronous to fetch the enclosed objects, significantly improving the debugging experience for developers!
@woaol tackled an important developer experience issue with #329 PR, solving #306. Previously, the fedify init command would often install outdated versions of Fedify packages like @fedify/redis because version numbers were hardcoded in the CLI. They created a getLatestVersion() function that dynamically retrieves package versions from local metadata files, ensuring that developers always get the latest versions of all Fedify packages when initializing a new project. This improvement includes comprehensive test coverage and eliminates the frustration of starting a project with outdated dependencies!
Finally, @kodingwarrior made a significant contribution with #309 PR, implementing #269—NestJS integration! They created the @fedify/nestjs package with a FedifyModule that seamlessly integrates Fedify into NestJS applications. This includes proper middleware implementation, dependency injection support through NestJS's module system, and compatibility with both CommonJS and ESM environments. This opens up Fedify to the large NestJS developer community, making it easier than ever to build ActivityPub-enabled applications with this popular enterprise framework!
These contributions showcase the incredible talent and dedication of the OSSCA participants. From core infrastructure improvements to developer experience enhancements, each contribution makes Fedify better for the entire community. Thank you all for your hard work and welcome to the Fedify contributor family! 🚀
We're looking forward to seeing more amazing contributions from the OSSCA program and the broader community. If you're interested in contributing to Fedify, check out our GitHub repository and join us in building the future of federated social web! 🌟
🎉 Huge shoutout to two amazing contributors from Korea's #OSSCA program who've made excellent contributions to #Fedify!
👏 @gaebalgom tackled a tricky terminal compatibility issue in PR #282, fixing the fedify node command's favicon display on terminal emulators without truecolor support (#168). His solution elegantly detects terminal capabilities and falls back to 256-color mode when needed—ensuring a great experience across different environments.
🌟 @joonnot enhanced Fedify's #WebFinger functionality in PR #281 by adding a configurable maxRedirection option to the lookupWebFinger() function (#248). He transformed a hardcoded limitation into a flexible, user-customizable parameter while maintaining perfect backward compatibility.
Both delivered thoughtful, well-implemented solutions that showcase the quality of contributions coming from the OSSCA program. Welcome to the Fedify community! 
📣 Exciting news! Fedify CLI is now available via Homebrew!
If you're using #Homebrew on macOS or #Linuxbrew on Linux, you can now install our CLI toolchain with a simple command:
brew install fedify
This makes it even easier to get started with building your federated server app. Try it out and let us know what you think!
The #Fedify monorepo has grown to 16 packages!
We've been working hard to make Fedify more modular and easier to integrate with your favorite tools and platforms. From the core framework to database drivers, from CLI tools to web framework integrations—we've got you covered.
Our packages now include:
Core framework and CLI tools
Web framework integrations: Express, Hono, H3, Elysia, NestJS, Next.js, SvelteKit
Database drivers: PostgreSQL, Redis, SQLite, AMQP/RabbitMQ
Platform integrations: Cloudflare Workers, Deno KV
Testing utilities
Each package is available on JSR and/or npm, making it easy to pick exactly what you need for your ActivityPub implementation.
What integration would you like to see next? Let us know!
In case you weren't aware, #Fedify has both #Discord and #Matrix communities where you can get help, discuss features, or just chat about #ActivityPub and federated social networks.
Matrix space: #fedify:matrix.org
Discord server: https://discord.gg/bhtwpzURwd
Feel free to join either community based on your preference. Both channels have active discussions about Fedify and federation topics.
Hey folks! We're excited to share a preview of a new API coming in #Fedify 1.6 that should make structuring larger federated apps much cleaner: FederationBuilder.
As your Fedify applications grow, you might encounter circular dependency issues when registering dispatchers and listeners across multiple files. The new FederationBuilder pattern helps solve this by separating the configuration phase from instantiation.
Instead of this:
// federation.tsimport { createFederation } from "@fedify/fedify";export const federation = createFederation<AppContext>({ kv: new DbKvStore(), queue: new RedisMessageQueue(), // Other options...});// Now we need to import this federation instance in other files// to register dispatchers and listeners...
You can now do this:
// builder.tsimport { createFederationBuilder } from "@fedify/fedify";export const builder = createFederationBuilder<AppContext>();// other files can import and configure this builder...
// actors.tsimport { builder } from "./builder.ts";import { Person } from "@fedify/fedify";builder.setActorDispatcher("/users/{handle}", async (ctx, handle) => { // Actor implementation});
// inbox.tsimport { builder } from "./builder.ts";import { Follow } from "@fedify/fedify";builder.setInboxListeners("/users/{handle}/inbox", "/inbox") .on(Follow, async (ctx, follow) => { // Follow handling });
// main.ts — Only create the Federation instance at startupimport { builder } from "./builder.ts";// Build the Federation object with actual dependenciesexport const federation = await builder.build({ kv: new DbKvStore(), queue: new RedisMessageQueue(), // Other options...});
This pattern helps avoid circular dependencies and makes your code more modular. Each part of your app can configure the builder without needing the actual Federation instance.
The full documentation will be available when 1.6 is released, but we wanted to share this early with our community. Looking forward to your feedback when it lands!
Want to try it right now? You can install the development version from JSR or npm:
# Denodeno add jsr:@fedify/fedify@1.6.0-dev.777+1206cb01# Node.jsnpm add @fedify/fedify@1.6.0-dev.777# Bunbun add @fedify/fedify@1.6.0-dev.777
🎉 Huge shoutouts to two amazing contributors from Korea's #OSSCA program who just made #Fedify even better!
First, @z9mb1 delivered PR #321, adding a handy -o/--output option to fedify lookup. Now you can save lookup results directly to files instead of just printing to terminal—a nice quality-of-life improvement for analysis and scripting workflows.
But the real showstopper is @joonnot's incredible PR #283, which introduces the brand new @fedify/testing package! This massive contribution (2,014 lines across 20 files) brings MockFederation and MockContext classes that completely transform how we test federated applications. No more complex setups or actual network requests—just clean, straightforward unit testing with activity tracking, inbox simulation, and queue-aware testing capabilities.
These contributions solve real pain points and showcase the amazing talent emerging from the OSSCA program. Both features will be available in the upcoming Fedify 1.8 release. The future of federated software development just got a lot brighter! 🚀
We'd like to recognize some excellent contributions from our #OSSCA (Open Source Contribution Academy) participants who have been working on #Fedify.
@gaebalgom contributed PR #339, which introduces the @fedify/elysia package to provide Elysia integration for Fedify. This work addresses issue #286 by creating a plugin that enables developers using #Bun and #Elysia to integrate Fedify's #ActivityPub capabilities into their applications. The contribution includes the core integration module, documentation, examples, and proper monorepo configuration, making Fedify accessible to the Elysia community.
@r4bb1t submitted PR #315, implementing comprehensive AbortSignal support across multiple APIs to resolve issue #51. This contribution adds request cancellation capabilities not only to lookupWebFinger() but also to lookupObject(), DocumentLoader, and the HTTP signature authentication flow (doubleKnock()), allowing developers to properly handle timeouts and abort ongoing requests throughout the entire request chain. The implementation includes extensive test coverage for cancellation scenarios across all affected components and lays the groundwork for adding --timeout options to various CLI commands like fedify lookup, fedify webfinger, and fedify nodeinfo, making federated applications more robust and responsive.
@ooheunda addressed a testing infrastructure issue with PR #350, fixing a race condition in PostgreSQL message queue tests that was causing intermittent failures (issue #346). By adding explicit initialization before concurrent message queue listeners, this fix prevents table creation conflicts that were affecting test reliability, ensuring more consistent PR testing for all contributors.
@songbirds provided two test stability improvements with PR #344 and PR #347. The first PR adds skip guards to RedisKvStore tests as a workaround for a known Bun runtime issue, keeping the test suite functional while awaiting an upstream fix. The second PR resolves a race condition in the code generation process by randomizing output filenames, preventing conflicts during parallel test execution. These contributions help maintain a stable testing environment for the project.
Thank you all for your contributions to Fedify. Your work helps make federated social networking more accessible to developers.
🔒 Security Update for BotKit Users
We've released #security patch versions BotKit 0.1.2 and 0.2.2 to address CVE-2025-54888, a security #vulnerability discovered in #Fedify. These updates incorporate the latest patched version of Fedify to ensure your bots remain secure.
We strongly recommend all #BotKit users update to the latest patch version immediately. Thank you for keeping the #fediverse safe! 🛡️
We've released #security updates for #Hollo (0.4.12, 0.5.7, and 0.6.6) to address a #vulnerability in the underlying #Fedify framework. These updates incorporate the latest Fedify security patches that fix CVE-2025-54888.
We strongly recommend all Hollo instance administrators update to the latest version for their respective release branch as soon as possible.
Update Instructions:
Railway users: Go to your project dashboard, select your Hollo service, click the three dots menu in deployments, and choose “Redeploy”
Docker users: Pull the latest image with docker pull ghcr.io/fedify-dev/hollo:latest and restart your containers
Manual installations: Run git pull to get the latest code, then pnpm install and restart your service
We're excited to share an update on #Fedify's development! While we're actively working on Fedify 1.9 in the main branch, we've also begun preparations for Fedify 2.0 in the next branch.
Before you get too excited about revolutionary new features, we want to set clear expectations: Fedify 2.0 will primarily focus on cleaning up technical debt that we couldn't address due to backward compatibility constraints. This means removing deprecated APIs and making breaking changes that will ultimately result in a cleaner, more maintainable codebase. Think of it as a major housekeeping release—necessary work that will make Fedify better in the long run.
Some of the planned improvements include adding readonly modifiers throughout our types and interfaces to better enforce our immutability-by-default principle, implementing our own RFC 6570 URI Template library for symmetric expansion and pattern matching, and various CLI tool migrations to our new Optique framework for better cross-runtime support. While the majority of changes will be about refinement rather than revolution, these updates will strengthen Fedify's foundation and improve interoperability across the #fediverse. You can track all planned changes in detail by checking out the Fedify 2.0 milestone on our GitHub repository.
Today I discovered an interesting inconsistency in Activity Streams specs while investigating a Fedify issue.
The question: How should we interpret URLs like "icon": "https://example.com/avatar.png"?
JSON-LD context (https://www.w3.org/ns/activitystreams): @type: "@id" → “This is an IRI reference, dereference it to fetch an ActivityStreams object.”
Activity Streams Primer: “assume that a bare string is the href of a Link object, not an id” (no dereferencing)
Result: JSON-LD processor-based implementations try to parse PNG files as JSON and fail.
Turns out w3c/activitystreams#595 already discusses the same issue for href properties. I added a note that icon, image, etc. have the same problem.
Once again reminded of how tricky spec work can be…
#ActivityPub #Fedify #ActivityStreams #fedidev #specifications
Edited 122d ago
🔒 Security Release: BotKit 0.3.1
We've released BotKit 0.3.1 with an important security fix.
This update addresses CVE-2025-68475 (High severity, CVSS 7.5), a ReDoS vulnerability in Fedify's HTML parsing that could cause denial of service.
If you're using BotKit 0.3.x, please upgrade to 0.3.1 as soon as possible.
According to @tchambers's My 2026 Open Social Web Predictions:
Fedify will power the federation layer for at least one mid-sized social platform (500K+ users) that adds ActivityPub support in 2026. The “build vs. buy” calculation for federation shifts decisively toward “just use Fedify.”
We're honored by this recognition and will keep working hard to make #ActivityPub adoption easier for everyone. Thank you, Tim!
We're excited to announce that #Fedify has been awarded a service agreement by the @sovtechfund! The Sovereign Tech Fund is investing €192,000 in Fedify's development over 2025–2026 to strengthen the fediverse ecosystem.
This investment will enable us to significantly expand Fedify's capabilities and make it easier for developers to build federated applications. The commissioned work focuses on improving developer experience, adding comprehensive debugging tools, and ensuring Fedify remains at the forefront of #ActivityPub innovation.
Here are the key milestones we'll be delivering:
Web framework integrations: Official adapters for Next.js, Elysia, Fastify, and Koa, making it seamless to add federation to existing applications
ActivityPub debug & development tools: Real-time debug dashboard with WebSocket monitoring, federation lifecycle hooks, and implementation checklist CLI to make federation interactions transparent and debuggable
Storage & infrastructure enhancements: SQLiteKvStore for robust file-based storage across Node.js, Deno, and Bun, plus performance optimizations for production deployments
Comprehensive documentation & examples: Specialized tutorials for building federated blogs, social networks, and content platforms, with complete working examples and migration guides
Observability & monitoring: Full OpenTelemetry metrics, performance benchmarking tools, and federation health dashboards for production environments
Advanced features & standards: FEP-ef61 (Portable Objects) support and implementation of emerging Fediverse Enhancement Proposals to keep Fedify at the cutting edge
All developments will be open source and available for the entire #fediverse community to use, contribute to, and build upon.
This is amazing news! Fedify has received a substantial grant for further development, including portability for fediverse objects and enhanced dev kits for ActivityPub. 🎉🎉🎉
https://hollo.social/@fedify/0199a579-adb3-7bf5-a8ea-970c8fa91f09
Exciting news for #Fedify developers! We've just landed a major milestone for Fedify 2.0—the #CLI now runs natively on #Node.js and #Bun, not just #Deno (#456). If you install @fedify/cli@2.0.0-dev.1761 from npm, you'll get actual JavaScript that executes directly in your runtime, no more pre-compiled binaries from deno compile. This is part of our broader transition to Optique, a new cross-runtime CLI framework we've developed specifically for Fedify's needs (#374).
This change means a more natural development experience regardless of your #JavaScript runtime preference. Node.js developers can now run the CLI tools directly through their familiar ecosystem, and the same goes for Bun users. While Fedify 2.0 isn't released yet, we're excited to share this progress with the community—feel free to try out the dev version and let us know how it works for you!
Just opened an issue for a major new task for #Fedify: building an #interoperability smoke test suite.
To ensure Fedify-built servers federate correctly with the wider #fediverse, we're planning to run automated E2E tests in #CI against live instances of Mastodon, Misskey, and more. This is crucial for a framework's reliability.
You can see the full plan and discussion here: