We're excited to announce the release of BotKit 0.3.0! This release marks a significant milestone as #BotKit now supports #Node.js alongside #Deno, making it accessible to a wider audience. The minimum required Node.js version is 22.0.0. This dual-runtime support means you can now choose your preferred #JavaScript runtime while building #ActivityPub #bots with the same powerful BotKit APIs.

One of the most requested features has landed: poll support! You can now create interactive polls in your #bot messages, allowing followers to vote on questions with single or multiple-choice options. Polls are represented as ActivityPub Question objects with proper expiration times, and your bot can react to votes through the new onVote event handler. This feature enhances engagement possibilities and brings BotKit to feature parity with major #fediverse platforms like Mastodon and Misskey.

// Create a poll with multiple choicesawait session.publish(textWhat&#39;s your favorite programming language?, { class: Question, poll: { multiple: true, // Allow multiple selections options: ["JavaScript", "TypeScript", "Python", "Rust"], endTime: Temporal.Now.instant().add({ hours: 24 }), },});// Handle votesbot.onVote = async (session, vote) => { console.log(</span><span>${</span><span>vote</span><span>.</span><span>actor</span><span>}</span><span> voted for &quot;</span><span>${</span><span>vote</span><span>.</span><span>option</span><span>}</span><span>&quot;);};

The web frontend has been enhanced with a new followers page, thanks to the contribution from Hyeonseo Kim (@gaebalgom)! The /followers route now displays a paginated list of your bot's followers, and the follower count on the main profile page is now clickable, providing better visibility into your bot's audience. This improvement makes the web interface more complete and user-friendly.

For developers looking for alternative storage backends, we've introduced the SqliteRepository through the new @fedify/botkit-sqlite package. This provides a production-ready SQLite-based storage solution with ACID compliance, write-ahead logging (WAL) for optimal performance, and proper indexing. Additionally, the new @fedify/botkit/repository module offers MemoryCachedRepository for adding an in-memory cache layer on top of any repository implementation, improving read performance for frequently accessed data.

This release also includes an important security update: we've upgraded to #Fedify 1.8.8, ensuring your bots stay secure and compatible with the latest ActivityPub standards. The repository pattern has been expanded with new interfaces and types like RepositoryGetMessagesOptions, RepositoryGetFollowersOptions, and proper support for polls storage through the KvStoreRepositoryPrefixes.polls option, providing more flexibility for custom implementations.

#fedidev

We're excited to announce the release of BotKit 0.3.0! This release marks a significant milestone as #BotKit now supports #Node.js alongside #Deno, making it accessible to a wider audience. The minimum required Node.js version is 22.0.0. This dual-runtime support means you can now choose your preferred #JavaScript runtime while building #ActivityPub #bots with the same powerful BotKit APIs.

One of the most requested features has landed: poll support! You can now create interactive polls in your #bot messages, allowing followers to vote on questions with single or multiple-choice options. Polls are represented as ActivityPub Question objects with proper expiration times, and your bot can react to votes through the new onVote event handler. This feature enhances engagement possibilities and brings BotKit to feature parity with major #fediverse platforms like Mastodon and Misskey.

// Create a poll with multiple choicesawait session.publish(textWhat&#39;s your favorite programming language?, { class: Question, poll: { multiple: true, // Allow multiple selections options: ["JavaScript", "TypeScript", "Python", "Rust"], endTime: Temporal.Now.instant().add({ hours: 24 }), },});// Handle votesbot.onVote = async (session, vote) => { console.log(</span><span>${</span><span>vote</span><span>.</span><span>actor</span><span>}</span><span> voted for &quot;</span><span>${</span><span>vote</span><span>.</span><span>option</span><span>}</span><span>&quot;);};

The web frontend has been enhanced with a new followers page, thanks to the contribution from Hyeonseo Kim (@gaebalgom)! The /followers route now displays a paginated list of your bot's followers, and the follower count on the main profile page is now clickable, providing better visibility into your bot's audience. This improvement makes the web interface more complete and user-friendly.

For developers looking for alternative storage backends, we've introduced the SqliteRepository through the new @fedify/botkit-sqlite package. This provides a production-ready SQLite-based storage solution with ACID compliance, write-ahead logging (WAL) for optimal performance, and proper indexing. Additionally, the new @fedify/botkit/repository module offers MemoryCachedRepository for adding an in-memory cache layer on top of any repository implementation, improving read performance for frequently accessed data.

This release also includes an important security update: we've upgraded to #Fedify 1.8.8, ensuring your bots stay secure and compatible with the latest ActivityPub standards. The repository pattern has been expanded with new interfaces and types like RepositoryGetMessagesOptions, RepositoryGetFollowersOptions, and proper support for polls storage through the KvStoreRepositoryPrefixes.polls option, providing more flexibility for custom implementations.

#fedidev

We'd like to recognize the valuable contributions from two developers who participated in Korea's #OSSCA (Open Source Contribution Academy) program. Both contributors identified important gaps in #Fedify's functionality and documentation, providing thoughtful solutions that benefit the broader #ActivityPub ecosystem.

@gaebalgom contributed PR #365, addressing issue #353 regarding NodeInfo parser compatibility, originally reported by @andypiper. The issue arose when Fedify incorrectly rejected #NodeInfo documents from snac instances due to overly strict version string parsing that required semantic versioning compliance. Their solution improves the fallback behavior in the parseSoftware() function to handle non-SemVer version strings by parsing dot-separated numbers and defaulting to zero for missing components. The implementation includes thorough test coverage for various edge cases, including single numbers (3), two-part versions (2.81), and malformed version strings. This fix provides immediate compatibility improvements across the fediverse while maintaining backward compatibility, and will be included in Fedify 1.9. The contribution serves as an interim solution, with a more comprehensive fix planned for Fedify 2.0 (issue #366), where the NodeInfo software.version field will be changed from the SemVer type to a plain string to fully comply with the NodeInfo specification.

@z9mb1 contributed PR #364, resolving issue #337 by adding practical examples for Fedify's custom collection dispatchers feature. Custom collections were introduced in Fedify 1.8 but lacked clear documentation for developers seeking to implement them. Their contribution provides a comprehensive example demonstrating how to set up custom collections for tagged posts, including proper routing patterns, pagination handling, and counter functionality. The example includes mock data structures, shows how to configure collection dispatchers with URL patterns like /users/{userId}/tags/{tag}, and demonstrates the complete request/response cycle using federation.fetch(). This work provides developers with a clear, runnable reference that reduces the complexity of implementing custom collections in ActivityPub applications.

We appreciate these meaningful contributions that help make Fedify more accessible and robust for the entire ActivityPub community.

#opensource #fedidev #fediverse

We'd like to recognize the valuable contributions from two developers who participated in Korea's #OSSCA (Open Source Contribution Academy) program. Both contributors identified important gaps in #Fedify's functionality and documentation, providing thoughtful solutions that benefit the broader #ActivityPub ecosystem.

@gaebalgom contributed PR #365, addressing issue #353 regarding NodeInfo parser compatibility, originally reported by @andypiper. The issue arose when Fedify incorrectly rejected #NodeInfo documents from snac instances due to overly strict version string parsing that required semantic versioning compliance. Their solution improves the fallback behavior in the parseSoftware() function to handle non-SemVer version strings by parsing dot-separated numbers and defaulting to zero for missing components. The implementation includes thorough test coverage for various edge cases, including single numbers (3), two-part versions (2.81), and malformed version strings. This fix provides immediate compatibility improvements across the fediverse while maintaining backward compatibility, and will be included in Fedify 1.9. The contribution serves as an interim solution, with a more comprehensive fix planned for Fedify 2.0 (issue #366), where the NodeInfo software.version field will be changed from the SemVer type to a plain string to fully comply with the NodeInfo specification.

@z9mb1 contributed PR #364, resolving issue #337 by adding practical examples for Fedify's custom collection dispatchers feature. Custom collections were introduced in Fedify 1.8 but lacked clear documentation for developers seeking to implement them. Their contribution provides a comprehensive example demonstrating how to set up custom collections for tagged posts, including proper routing patterns, pagination handling, and counter functionality. The example includes mock data structures, shows how to configure collection dispatchers with URL patterns like /users/{userId}/tags/{tag}, and demonstrates the complete request/response cycle using federation.fetch(). This work provides developers with a clear, runnable reference that reduces the complexity of implementing custom collections in ActivityPub applications.

We appreciate these meaningful contributions that help make Fedify more accessible and robust for the entire ActivityPub community.

#opensource #fedidev #fediverse

I've heard good things on the server side from #fedify, but what's a good #TypeScript client library for #ActivityPub? Suppose I wanted to write a #fediverse client for #KaiOS for example

Asking for a friend 😉

I've heard good things on the server side from #fedify, but what's a good #TypeScript client library for #ActivityPub? Suppose I wanted to write a #fediverse client for #KaiOS for example

Asking for a friend 😉

We've released #security updates for #Hollo (0.4.12, 0.5.7, and 0.6.6) to address a #vulnerability in the underlying #Fedify framework. These updates incorporate the latest Fedify security patches that fix CVE-2025-54888.

We strongly recommend all Hollo instance administrators update to the latest version for their respective release branch as soon as possible.

Update Instructions:

• Railway users: Go to your project dashboard, select your Hollo service, click the three dots menu in deployments, and choose “Redeploy”
• Docker users: Pull the latest image with docker pull ghcr.io/fedify-dev/hollo:latest and restart your containers
• Manual installations: Run git pull to get the latest code, then pnpm install and restart your service

All #Fedify users must immediately update to the latest patched versions. A #critical authentication bypass #vulnerability (CVE-2025-54888) has been discovered in Fedify that allows attackers to impersonate any #ActivityPub actor by sending forged activities signed with their own keys.

This vulnerability affects all Fedify instances and enables complete actor impersonation across the federation network. Attackers can send fake posts and messages as any user, create or remove follows as any user, boost and share content as any user, and completely compromise the federation trust model. The vulnerability affects all Fedify instances but does not propagate to other ActivityPub implementations like Mastodon, which properly validate authentication before processing activities.

The following versions contain the #security fix: 1.3.20, 1.4.13, 1.5.5, 1.6.8, 1.7.9, and 1.8.5. Users should update immediately using their package manager with commands such as npm update @fedify/fedify, yarn upgrade @fedify/fedify, pnpm update @fedify/fedify, bun update @fedify/fedify, or deno update @fedify/fedify.

After updating, redeploy your application immediately and monitor recent activities for any suspicious content. Please also inform other Fedify operators about this critical update to ensure the security of the entire federation network.

The safety and security of our community depends on immediate action. Please update now and feel free to leave comments below if you have any questions.

#fedidev

https://socialhub.activitypub.rocks/t/fedify-security-updates-1-3-20-1-4-13-1-5-5-1-6-8-1-7-9-and-1-8-5/5478

https://socialhub.activitypub.rocks/t/fedify-security-updates-1-3-20-1-4-13-1-5-5-1-6-8-1-7-9-and-1-8-5/5478

🔒 Security Update for BotKit Users

We've released #security patch versions BotKit 0.1.2 and 0.2.2 to address CVE-2025-54888, a security #vulnerability discovered in #Fedify. These updates incorporate the latest patched version of Fedify to ensure your bots remain secure.

We strongly recommend all #BotKit users update to the latest patch version immediately. Thank you for keeping the #fediverse safe! 🛡️

#fedidev

We've released #security updates for #Hollo (0.4.12, 0.5.7, and 0.6.6) to address a #vulnerability in the underlying #Fedify framework. These updates incorporate the latest Fedify security patches that fix CVE-2025-54888.

We strongly recommend all Hollo instance administrators update to the latest version for their respective release branch as soon as possible.

Update Instructions:

• Railway users: Go to your project dashboard, select your Hollo service, click the three dots menu in deployments, and choose “Redeploy”
• Docker users: Pull the latest image with docker pull ghcr.io/fedify-dev/hollo:latest and restart your containers
• Manual installations: Run git pull to get the latest code, then pnpm install and restart your service

All #Fedify users must immediately update to the latest patched versions. A #critical authentication bypass #vulnerability (CVE-2025-54888) has been discovered in Fedify that allows attackers to impersonate any #ActivityPub actor by sending forged activities signed with their own keys.

This vulnerability affects all Fedify instances and enables complete actor impersonation across the federation network. Attackers can send fake posts and messages as any user, create or remove follows as any user, boost and share content as any user, and completely compromise the federation trust model. The vulnerability affects all Fedify instances but does not propagate to other ActivityPub implementations like Mastodon, which properly validate authentication before processing activities.

The following versions contain the #security fix: 1.3.20, 1.4.13, 1.5.5, 1.6.8, 1.7.9, and 1.8.5. Users should update immediately using their package manager with commands such as npm update @fedify/fedify, yarn upgrade @fedify/fedify, pnpm update @fedify/fedify, bun update @fedify/fedify, or deno update @fedify/fedify.

After updating, redeploy your application immediately and monitor recent activities for any suspicious content. Please also inform other Fedify operators about this critical update to ensure the security of the entire federation network.

The safety and security of our community depends on immediate action. Please update now and feel free to leave comments below if you have any questions.

#fedidev