fedify 1.9.0

[BrewTestBot]

Created by brew bump

---

Created with brew bump-formula-pr.

release notes

Released on October 14, 2025.
@fedify/fedify


Implemented FEP-fe34 origin-based security model to protect against content spoofing attacks and ensure secure federation practices.  The security model enforces same-origin policy for ActivityPub objects and their properties, preventing malicious actors from impersonating content from other servers.  [#440]

Added crossOrigin option to Activity Vocabulary property accessors (get*() methods) with three security levels: "ignore" (default, logs warning and returns null), "throw" (throws error), and "trust" (bypasses checks).
Added LookupObjectOptions.crossOrigin option to lookupObject() function and Context.lookupObject() method for controlling cross-origin validation.
Embedded objects are now validated against their parent object's origin and only trusted when they share the same origin or are explicitly marked as trusted.
Property hydration now respects origin-based security, automatically performing remote fetches when embedded objects have different origins.
Internal trust tracking system maintains security context throughout object lifecycles (construction, cloning, and property access).



Added withIdempotency() method to configure activity idempotency strategies for inbox processing.  This addresses issue #441 where activities with the same ID sent to different inboxes were incorrectly deduplicated globally instead of per-inbox.  [#441]

Added IdempotencyStrategy type.
Added IdempotencyKeyCallback type.
Added InboxListenerSetters.withIdempotency() method.
By default, "per-origin" strategy is used for backward compatibility. This will change to "per-inbox" in Fedify 2.0.  We recommend explicitly setting the strategy to avoid unexpected behavior changes.



Fixed handling of ActivityPub objects containing relative URLs.  The Activity Vocabulary classes now automatically resolve relative URLs by inferring the base URL from the object's @id or document URL, eliminating the need for manual baseUrl specification in most cases.  This improves interoperability with ActivityPub servers that emit relative URLs in properties like icon.url and image.url.  [#411, #443 by Jiwon Kwon]


Added TypeScript support for all RFC 6570 URI Template expression types in dispatcher path parameters.  Previously, only simple string expansion ({identifier}) was supported in TypeScript types, while the runtime already supported all RFC 6570 expressions.  Now TypeScript accepts all expression types including {+identifier} (reserved string expansion, recommended for URI identifiers), {#identifier} (fragment expansion), {.identifier} (label expansion), {/identifier} (path segments), {;identifier} (path-style parameters), {?identifier} (query component), and {&identifier} (query continuation).  [#426, #446 by Jiwon Kwon]

Added Rfc6570Expression<TParam> type helper.
Updated all dispatcher path type parameters to accept RFC 6570 expressions: setActorDispatcher(), setObjectDispatcher(), setInboxDispatcher(), setOutboxDispatcher(), setFollowingDispatcher(), setFollowersDispatcher(), setLikedDispatcher(), setFeaturedDispatcher(), setFeaturedTagsDispatcher(), setInboxListeners(), setCollectionDispatcher(), and setOrderedCollectionDispatcher().



Added inverse properties for collections to Vocabulary API. [FEP-5711, #373, #381 by Jiwon Kwon]

new Collection() constructor now accepts likesOf option.
Added Collection.likesOfId property.
Added Collection.getLikesOf() method.
new Collection() constructor now accepts sharesOf option.
Added Collection.sharedOfId property.
Added Collection.getSharedOf() method.
new Collection() constructor now accepts repliesOf option.
Added Collection.repliesOfId property.
Added Collection.getRepliesOf() method.
new Collection() constructor now accepts inboxOf option.
Added Collection.inboxOfId property.
Added Collection.getInboxOf() method.
new Collection() constructor now accepts outboxOf option.
Added Collection.outboxOfId property.
Added Collection.getOutboxOf() method.
new Collection() constructor now accepts followersOf option.
Added Collection.followersOfId property.
Added Collection.getFollowersOf() method.
new Collection() constructor now accepts followingOf option.
Added Collection.followingOfId property.
Added Collection.getFollowingOf() method.
new Collection() constructor now accepts likedOf option.
Added Collection.likedOfId property.
Added Collection.getLikedOf() method.



Changed how parseSoftware() function handles non-Semantic Versioning number strings on tryBestEffort mode.  [#353, #365 by Hyeonseo Kim]


Separated modules from @fedify/fedify/x into dedicated packages to improve modularity and reduce bundle size.  The existing integration functions in @fedify/fedify/x are now deprecated and will be removed in version 2.0.0.  [#375 by Chanhaeng Lee]

Deprecated @fedify/fedify/x/cfworkers in favor of @fedify/cfworkers.
Deprecated @fedify/fedify/x/denokv in favor of @fedify/denokv.
Deprecated @fedify/fedify/x/hono in favor of @fedify/hono.
Deprecated @fedify/fedify/x/sveltekit in favor of @fedify/sveltekit.



Extended Link from @fedify/fedify/webfinger to support OStatus 1.0 Draft 2.  [#402, #404 by Hyeonseo Kim]

Added an optional template field to the Link interface.
Changed the href field optional from the Link interface according to RFC 7033 Section 4.4.4.3.



Added Federatable.setWebFingerLinksDispatcher() method to set additional links to WebFinger.  [#119, #407 by HyeonseoKim]


Added CommonJS support alongside ESM for better NestJS integration and broader Node.js ecosystem compatibility.  This eliminates the need for Node.js's --experimental-require-module flag and resolves dual package hazard issues.  [#429, #431]


@fedify/cli


Added Next.js option to fedify init command. This option allows users to initialize a new Fedify project with Next.js integration. [#313 by Chanhaeng Lee]


Changed how fedify nodeinfo command handles non-Semantic Versioning number strings on -b/--best-effort mode.  Now it uses the same logic as the parseSoftware() function in the @fedify/fedify package, which allows it to parse non-Semantic Versioning number strings more flexibly. [#353, #365 by Hyeonseo Kim]]


Added -T/--timeout option to fedify lookup command. This option allows users to specify timeout in seconds for network requests to prevent hanging on slow or unresponsive servers. [[#258], #372 by Hyunchae Kim]


@fedify/amqp

Added CommonJS support alongside ESM for better compatibility with CommonJS-based Node.js applications.  [#429, #431]

@fedify/cfworkers

Created Cloudflare Workers integration as the @fedify/cfworkers package. Separated from @fedify/fedify/x/cfworkers to improve modularity and reduce bundle size.  [#375 by Chanhaeng Lee]

@fedify/denokv

Created Deno KV integration as the @fedify/denokv package. Separated from @fedify/fedify/x/denokv to improve modularity and reduce bundle size.  [#375 by Chanhaeng Lee]

@fedify/elysia

Added CommonJS support alongside ESM for better compatibility with CommonJS-based Node.js applications.  [#429, #431]

@fedify/express

Added CommonJS support alongside ESM for better compatibility with CommonJS-based Node.js applications.  [#429, #431]

@fedify/fastify


Created Fastify integration as the @fedify/fastify package. [#151, #450 by An Subin]

Added fedifyPlugin() function for integrating Fedify into Fastify applications.
Converts between Fastify's request/reply API and Web Standards Request/Response.
Supports both ESM and CommonJS for broad Node.js compatibility.



@fedify/h3

Added CommonJS support alongside ESM for better compatibility with CommonJS-based Node.js applications.  [#429, #431]

@fedify/hono


Created Hono integration as the @fedify/hono package. Separated from @fedify/fedify/x/hono to improve modularity and reduce bundle size.  [#375 by Chanhaeng Lee]


Added CommonJS support alongside ESM for better compatibility with CommonJS-based Node.js applications.  [#429, #431]


@fedify/koa


Created Koa integration as the @fedify/koa package.  [#454, #455]

Added createMiddleware() function for integrating Fedify into Koa applications.
Supports both Koa v2.x and v3.x via peer dependencies.
Converts between Koa's context-based API and Web Standards Request/Response.
Builds for both npm (ESM/CJS) and JSR distribution.



@fedify/next


Created Next.js integration as the @fedify/next package. [#313 by Chanhaeng Lee]


Added CommonJS support alongside ESM for better compatibility with CommonJS-based Node.js applications.  [#429, #431]


@fedify/postgres

Added CommonJS support alongside ESM for better compatibility with CommonJS-based Node.js applications.  [#429, #431]

@fedify/redis


Added support for Redis Cluster to the @fedify/redis package. [#368 by Michael Barrett]


Added CommonJS support alongside ESM for better compatibility with CommonJS-based Node.js applications.  [#429, #431]


@fedify/sqlite

Added CommonJS support alongside ESM for better compatibility with CommonJS-based Node.js applications.  [#429, #431]

@fedify/sveltekit


Created SvelteKit integration as the @fedify/sveltekit package. Separated from @fedify/fedify/x/sveltekit to improve modularity and reduce bundle size.  [#375 by Chanhaeng Lee]


Fixed SvelteKit integration hook types to correctly infer the request and response types in hooks.  [#271, #394 by Chanhaeng Lee]


Added CommonJS support alongside ESM for better compatibility with CommonJS-based Node.js applications.  [#429, #431]


@fedify/testing

Added CommonJS support alongside ESM for better compatibility with CommonJS-based Node.js applications.  [#429, #431]

View the full release notes at https://github.com/fedify-dev/fedify/releases/tag/1.9.0.

---

[github-actions]

🤖 An automated task has requested bottles to be published to this PR.

Caution

Please do not push to this PR branch before the bottle commits have been pushed, as this results in a state that is difficult to recover from. If you need to resolve a merge conflict, please use a merge commit. Do not force-push to this PR branch.