fedify 2.1.0

[BrewTestBot]

Created by brew bump

---

Created with brew bump-formula-pr.

• TODO and FIXME comments have been checked.

release notes

Released on March 24, 2026.
@fedify/fedify


Added InboxListenerSetters.onUnverifiedActivity() so applications can inspect inbound activities whose signatures could not be verified and optionally return a custom response instead of the default 401 Unauthorized.  This is useful for cases like Delete deliveries from actors whose signing keys now return 404 Not Found or 410 Gone. Added the supporting public types UnverifiedActivityHandler and UnverifiedActivityReason.  [#472, #611]


Added verifyRequestDetailed() plus the public types VerifyRequestDetailedResult, VerifyRequestFailureReason, and FetchKeyErrorResult so applications can distinguish unsigned requests, invalid signatures, and key-fetch failures during HTTP signature verification.  [#611]


OpenTelemetry spans/events and FedifySpanExporter signature details now expose HTTP signature failure reasons and key-fetch failure details for inbound activities.  [#611]


Fixed RequestContext.getSignedKeyOwner() to return null instead of throwing an error when the remote server requires authorized fetch and returns 401 Unauthorized for the key owner lookup.  Previously, this caused a 500 Internal Server Error when interoperating with servers like GoToSocial that have authorized fetch enabled.  [#473, #589]


Added RFC 9421 §5 Accept-Signature negotiation for both outbound and inbound paths.  On the outbound side, doubleKnock() now parses Accept-Signature challenges from 401 responses and retries with a compatible RFC 9421 signature before falling back to legacy spec-swap. On the inbound side, a new InboxChallengePolicy option in FederationOptions enables emitting Accept-Signature headers on inbox 401 responses, with optional one-time nonce support for replay protection.  [#583, #584, #626 by ChanHaeng Lee]


@fedify/vocab-runtime


Added Decimal, a branded string type for exact xsd:decimal values, along with isDecimal(), canParseDecimal(), and parseDecimal() for checking and validating XML Schema decimal lexical forms without introducing a decimal arithmetic dependency.  isDecimal() performs a strict lexical-form check, while canParseDecimal() and parseDecimal() apply XML Schema whitespace normalization first.  This lays the runtime groundwork for precision-safe marketplace and measurement values such as those needed by FEP-0837.  [#617, #640]


Updated the preloaded https://gotosocial.org/ns JSON-LD context to match the current GoToSocial v0.21+ namespace, adding new type terms (LikeRequest, LikeAuthorization, etc.) and property terms (automaticApproval, manualApproval, interactingObject, etc.) while retaining deprecated terms (always, approvalRequired) for backward compatibility.  [#453, #622]


Added optional FetchError.response so callers can inspect the original failed HTTP response when remote document or key fetches return an HTTP error (such as 404 Not Found or 410 Gone).  This enables higher-level APIs to distinguish transport failures from specific HTTP fetch failures. [#611]


@fedify/cli


Added --reverse option to fedify lookup to reverse presentation order of emitted results.  It now works across default multi-input lookup, --traverse collection traversal output, and --recurse object chains, while preserving existing fetch/error semantics.  [#607, #609]


Fixed fedify lookup printing separators with extra quotes between adjacent objects/items in some output paths (e.g., recurse/traverse flows).  Separators are now printed as plain text consistently. [#608]


Added --recurse and --recurse-depth options to fedify lookup for recursively following object relationships (e.g., reply chains via replyTarget / inReplyTo, and quote chains via quoteUrl and quote IRIs).  --traverse and --recurse are now mutually exclusive, --recurse-depth depends on --recurse, and --suppress-errors now works in recurse mode as best-effort lookup. [#606, #608]


Hardened fedify lookup by disallowing private/localhost document loads by default.  For local-development workflows, -p/--allow-private-address (or lookup.allowPrivateAddress = true in config) can re-enable private address access for explicit lookup/traverse requests.  This option does not apply to recursive fetches, which always disallow private addresses. [#608]


@fedify/vocab


Added GoToSocial interaction controls vocabulary for expressing who can like, reply to, or announce posts and for approving interactions. [#453, #622]

Added InteractionPolicy and InteractionRule typeless value classes.
Added LikeRequest, ReplyRequest, and AnnounceRequest activity types for requesting interaction approval.
Added LikeAuthorization, ReplyAuthorization, and AnnounceAuthorization types for proving approved interactions.
Added Object.interactionPolicy, Object.approvedBy, Object.getLikeAuthorization()/Object.likeAuthorizationId, Object.getReplyAuthorization()/Object.replyAuthorizationId, and Object.getAnnounceAuthorization()/Object.announceAuthorizationId.



Fixed Endpoints.toJsonLd() to no longer emit invalid "type": "as:Endpoints" in the serialized JSON-LD.  The as:Endpoints type does not exist in the ActivityStreams vocabulary, and its presence caused validation failures on implementations like browser.pub. [#576]


Fixed Source.toJsonLd() to no longer emit invalid "type": "as:Source" in the serialized JSON-LD.  The as:Source type does not exist in the ActivityStreams vocabulary either.


@fedify/vocab-tools


Added xsd:decimal support to the vocabulary code generator.  Properties with that range are now generated as Decimal in TypeScript, serialized as xsd:decimal JSON-LD literals, validated through canParseDecimal() when checking input data, and normalized through parseDecimal() when decoded.  Code generation now also rejects property ranges that mix xsd:string and xsd:decimal, since both map to runtime strings and would make serialization ambiguous.  [#617, #640]


Added typeless field to the type YAML schema.  When set to true, the generated toJsonLd() method does not emit @type (or type in compact form) in the serialized JSON-LD.  This is useful for types that are not real vocabulary types but rather anonymous object structures.


@fedify/init


Changed fedify init to add "temporal" to deno.json's "unstable" field only when the installed Deno version is earlier than 2.7.0. On Deno 2.7.0 or later, it is no longer added.


fedify init now omits the "unstable" field entirely when no unstable feature is required for the generated Deno project.


Supported Astro as a web framework option in fedify init, with runtime-specific templates for Deno, Bun, and Node.js environments. [#50 by ChanHaeng Lee]


@fedify/astro

Added @fedify/astro package for integrating Fedify with Astro. It provides fedifyIntegration() for Vite SSR configuration and fedifyMiddleware() for request handling.  [#50 by Chanhaeng Lee]

@fedify/mysql


Added MysqlMessageQueue class to the @fedify/mysql package, a MySQL/MariaDB-backed MessageQueue implementation.  It uses periodic polling (SELECT … FOR UPDATE SKIP LOCKED) to deliver messages and MySQL advisory locks (GET_LOCK/RELEASE_LOCK) for ordering-key serialization.  Supports delayed delivery, ordering keys, enqueueMany(), and concurrent workers.  Requires MySQL 8.0+ or MariaDB 10.6+.  [#586, #599]


Added @fedify/mysql package, a MySQL/MariaDB-backed KvStore implementation.  It provides MysqlKvStore, which stores key–value pairs in a MySQL table using the mysql2 driver.  Supports TTL, prefix listing, and compare-and-swap (cas()) operations. [#585, #597]

View the full release notes at https://github.com/fedify-dev/fedify/releases/tag/2.1.0.

---

[github-actions]

🤖 An automated task has requested bottles to be published to this PR.

Caution

Please do not push to this PR branch before the bottle commits have been pushed, as this results in a state that is difficult to recover from. If you need to resolve a merge conflict, please use a merge commit. Do not force-push to this PR branch.