npm - @fedify/fedify - Versions diffs - 1.2.10 → 1.2.12 - Mend

@fedify/fedify 1.2.10 → 1.2.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (87) hide show

package/CHANGES.md CHANGED Viewed

@@ -3,6 +3,42 @@
 Fedify changelog
 ================
+Version 1.2.12
+--------------
+Released on February 10, 2025.
+ -  Fixed a bug with nested object hydration in Activity Vocabulary API where
+    deeply nested properties (like `Object.getAttribution()` on
+    `Activity.getObject()`) were't being properly hydrated during `toJsonLd()`
+    calls. Previously, subsequent calls to `toJsonLd()` on nested objects could
+    result in inconsistent JSON-LD output where nested objects remained as URLs
+    instead of being fully expanded.
+Version 1.2.11
+--------------
+Released on January 21, 2025.
+ -  Fixed several security vulnerabilities of the `lookupWebFinger()` function.
+    [[CVE-2025-23221]]
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the infinite number of redirects, which could lead to
+        a denial of service attack.  Now it follows up to 5 redirects.
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the redirects to other than the HTTP/HTTPS schemes, which
+        could lead to a security breach.  Now it follows only the same scheme
+        as the original request.
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the redirects to the private network addresses, which
+        could lead to a SSRF attack.  Now it follows only the public network
+        addresses.
 Version 1.2.10
 --------------
@@ -227,6 +263,42 @@ Released on October 31, 2024.
 [#118]: https://github.com/dahlia/fedify/issues/118
+Version 1.1.12
+--------------
+Released on February 10, 2025.
+ -  Fixed a bug with nested object hydration in Activity Vocabulary API where
+    deeply nested properties (like `Object.getAttribution()` on
+    `Activity.getObject()`) were't being properly hydrated during `toJsonLd()`
+    calls. Previously, subsequent calls to `toJsonLd()` on nested objects could
+    result in inconsistent JSON-LD output where nested objects remained as URLs
+    instead of being fully expanded.
+Version 1.1.11
+--------------
+Released on January 21, 2025.
+ -  Fixed several security vulnerabilities of the `lookupWebFinger()` function.
+    [[CVE-2025-23221]]
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the infinite number of redirects, which could lead to
+        a denial of service attack.  Now it follows up to 5 redirects.
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the redirects to other than the HTTP/HTTPS schemes, which
+        could lead to a security breach.  Now it follows only the same scheme
+        as the original request.
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the redirects to the private network addresses, which
+        could lead to a SSRF attack.  Now it follows only the public network
+        addresses.
 Version 1.1.10
 --------------
@@ -492,6 +564,44 @@ Released on October 20, 2024.
 [#150]: https://github.com/dahlia/fedify/issues/150
+Version 1.0.15
+--------------
+Released on February 10, 2025.
+ -  Fixed a bug with nested object hydration in Activity Vocabulary API where
+    deeply nested properties (like `Object.getAttribution()` on
+    `Activity.getObject()`) were't being properly hydrated during `toJsonLd()`
+    calls. Previously, subsequent calls to `toJsonLd()` on nested objects could
+    result in inconsistent JSON-LD output where nested objects remained as URLs
+    instead of being fully expanded.
+Version 1.0.14
+--------------
+Released on January 21, 2025.
+ -  Fixed several security vulnerabilities of the `lookupWebFinger()` function.
+    [[CVE-2025-23221]]
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the infinite number of redirects, which could lead to
+        a denial of service attack.  Now it follows up to 5 redirects.
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the redirects to other than the HTTP/HTTPS schemes, which
+        could lead to a security breach.  Now it follows only the same scheme
+        as the original request.
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the redirects to the private network addresses, which
+        could lead to a SSRF attack.  Now it follows only the public network
+        addresses.
+[CVE-2025-23221]: https://github.com/dahlia/fedify/security/advisories/GHSA-c59p-wq67-24wx
 Version 1.0.13
 --------------

package/esm/deps/jsr.io/@std/async/{1.0.9 → 1.0.10}/delay.js RENAMED Viewed

@@ -1,4 +1,4 @@
-// Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
+// Copyright 2018-2025 the Deno authors. MIT license.
 // This module is browser compatible.
 /** Options for {@linkcode delay}. */
 import * as dntShim from "../../../../../_dnt.shims.js";

package/esm/deps/jsr.io/@std/bytes/1.0.5/_types.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ // Copyright 2018-2025 the Deno authors. MIT license.
2	+ export {};

package/esm/deps/jsr.io/@std/bytes/{1.0.4 → 1.0.5}/concat.js RENAMED Viewed

@@ -1,4 +1,4 @@
-// Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
+// Copyright 2018-2025 the Deno authors. MIT license.
 // This module is browser compatible.
 /**
  * Concatenate an array of byte slices into a single slice.

package/esm/deps/jsr.io/@std/bytes/{1.0.4 → 1.0.5}/copy.js RENAMED Viewed

@@ -1,4 +1,4 @@
-// Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
+// Copyright 2018-2025 the Deno authors. MIT license.
 // This module is browser compatible.
 /**
  * Copy bytes from the source array to the destination array and returns the

package/esm/deps/jsr.io/@std/bytes/{1.0.4 → 1.0.5}/ends_with.js RENAMED Viewed

@@ -1,4 +1,4 @@
-// Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
+// Copyright 2018-2025 the Deno authors. MIT license.
 // This module is browser compatible.
 /**
  * Returns `true` if the suffix array appears at the end of the source array,

package/esm/deps/jsr.io/@std/bytes/{1.0.4 → 1.0.5}/equals.js RENAMED Viewed

@@ -1,4 +1,4 @@
-// Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
+// Copyright 2018-2025 the Deno authors. MIT license.
 // This module is browser compatible.
 /**
  * Check whether byte slices are equal to each other using 8-bit comparisons.

package/esm/deps/jsr.io/@std/bytes/{1.0.4 → 1.0.5}/includes_needle.js RENAMED Viewed

@@ -1,4 +1,4 @@
-// Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
+// Copyright 2018-2025 the Deno authors. MIT license.
 // This module is browser compatible.
 import { indexOfNeedle } from "./index_of_needle.js";
 /**

package/esm/deps/jsr.io/@std/bytes/{1.0.4 → 1.0.5}/index_of_needle.js RENAMED Viewed

@@ -1,4 +1,4 @@
-// Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
+// Copyright 2018-2025 the Deno authors. MIT license.
 // This module is browser compatible.
 /**
  * Returns the index of the first occurrence of the needle array in the source

package/esm/deps/jsr.io/@std/bytes/{1.0.4 → 1.0.5}/last_index_of_needle.js RENAMED Viewed

@@ -1,4 +1,4 @@
-// Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
+// Copyright 2018-2025 the Deno authors. MIT license.
 // This module is browser compatible.
 /**
  * Returns the index of the last occurrence of the needle array in the source

package/esm/deps/jsr.io/@std/bytes/{1.0.4 → 1.0.5}/mod.js RENAMED Viewed

@@ -1,4 +1,4 @@
-// Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
+// Copyright 2018-2025 the Deno authors. MIT license.
 // This module is browser compatible.
 /**
  * Helper functions for working with

package/esm/deps/jsr.io/@std/bytes/{1.0.4 → 1.0.5}/repeat.js RENAMED Viewed

@@ -1,4 +1,4 @@
-// Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
+// Copyright 2018-2025 the Deno authors. MIT license.
 // This module is browser compatible.
 import { copy } from "./copy.js";
 /**

package/esm/deps/jsr.io/@std/bytes/{1.0.4 → 1.0.5}/starts_with.js RENAMED Viewed

@@ -1,4 +1,4 @@
-// Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
+// Copyright 2018-2025 the Deno authors. MIT license.
 // This module is browser compatible.
 /**
  * Returns `true` if the prefix array appears at the start of the source array,

package/esm/deps/jsr.io/@std/encoding/1.0.7/_types.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ // Copyright 2018-2025 the Deno authors. MIT license.
2	+ export {};

package/esm/deps/jsr.io/@std/encoding/{1.0.6 → 1.0.7}/_validate_binary_like.js RENAMED Viewed

@@ -1,4 +1,4 @@
-// Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
+// Copyright 2018-2025 the Deno authors. MIT license.
 const encoder = new TextEncoder();
 function getTypeName(value) {
     const type = typeof value;

package/esm/deps/jsr.io/@std/encoding/{1.0.6 → 1.0.7}/base64.js RENAMED Viewed

@@ -1,4 +1,4 @@
-// Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
+// Copyright 2018-2025 the Deno authors. MIT license.
 // This module is browser compatible.
 /**
  * Utilities for

package/esm/deps/jsr.io/@std/encoding/{1.0.6 → 1.0.7}/base64url.js RENAMED Viewed

@@ -1,4 +1,4 @@
-// Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
+// Copyright 2018-2025 the Deno authors. MIT license.
 // This module is browser compatible.
 /**
  * Utilities for

package/esm/deps/jsr.io/@std/encoding/{1.0.6 → 1.0.7}/hex.js RENAMED Viewed

@@ -1,6 +1,6 @@
 // Copyright 2009 The Go Authors. All rights reserved.
 // https://github.com/golang/go/blob/master/LICENSE
-// Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
+// Copyright 2018-2025 the Deno authors. MIT license.
 // This module is browser compatible.
 /**
  * Port of the Go

package/esm/deps/jsr.io/@std/http/{1.0.12 → 1.0.13}/_negotiation/common.js RENAMED Viewed

@@ -1,4 +1,4 @@
-// Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
+// Copyright 2018-2025 the Deno authors. MIT license.
 /*!
  * Adapted directly from negotiator at https://github.com/jshttp/negotiator/
  * which is licensed as follows:

package/esm/deps/jsr.io/@std/http/{1.0.12 → 1.0.13}/_negotiation/encoding.js RENAMED Viewed

@@ -1,4 +1,4 @@
-// Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
+// Copyright 2018-2025 the Deno authors. MIT license.
 /*!
  * Adapted directly from negotiator at https://github.com/jshttp/negotiator/
  * which is licensed as follows:

package/esm/deps/jsr.io/@std/http/{1.0.12 → 1.0.13}/_negotiation/language.js RENAMED Viewed

@@ -1,4 +1,4 @@
-// Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
+// Copyright 2018-2025 the Deno authors. MIT license.
 /*!
  * Adapted directly from negotiator at https://github.com/jshttp/negotiator/
  * which is licensed as follows:

package/esm/deps/jsr.io/@std/http/{1.0.12 → 1.0.13}/_negotiation/media_type.js RENAMED Viewed

@@ -1,4 +1,4 @@
-// Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
+// Copyright 2018-2025 the Deno authors. MIT license.
 /*!
  * Adapted directly from negotiator at https://github.com/jshttp/negotiator/
  * which is licensed as follows:

package/esm/deps/jsr.io/@std/http/{1.0.12 → 1.0.13}/negotiation.js RENAMED Viewed

@@ -1,4 +1,4 @@
-// Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
+// Copyright 2018-2025 the Deno authors. MIT license.
 // This module is browser compatible.
 /**
  * Contains the functions {@linkcode accepts}, {@linkcode acceptsEncodings}, and

package/esm/federation/collection.js CHANGED Viewed

@@ -1,5 +1,5 @@
 import * as dntShim from "../_dnt.shims.js";
-import { encodeHex } from "../deps/jsr.io/@std/encoding/1.0.6/hex.js";
+import { encodeHex } from "../deps/jsr.io/@std/encoding/1.0.7/hex.js";
 /**
  * Calculates the [partial follower collection digest][1].
  *

package/esm/federation/handler.js CHANGED Viewed

@@ -1,6 +1,6 @@
 import * as dntShim from "../_dnt.shims.js";
 import { getLogger } from "@logtape/logtape";
-import { accepts } from "../deps/jsr.io/@std/http/1.0.12/negotiation.js";
+import { accepts } from "../deps/jsr.io/@std/http/1.0.13/negotiation.js";
 import { verifyRequest } from "../sig/http.js";
 import { detachSignature, verifyJsonLd } from "../sig/ld.js";
 import { doesActorOwnKey } from "../sig/owner.js";

package/esm/runtime/key.js CHANGED Viewed

@@ -1,9 +1,9 @@
 import * as dntShim from "../_dnt.shims.js";
 import { createPublicKey } from "node:crypto";
-import { concat } from "../deps/jsr.io/@std/bytes/1.0.4/concat.js";
-import { decodeBase64, encodeBase64 } from "../deps/jsr.io/@std/encoding/1.0.6/base64.js";
-import { decodeBase64Url } from "../deps/jsr.io/@std/encoding/1.0.6/base64url.js";
-import { decodeHex } from "../deps/jsr.io/@std/encoding/1.0.6/hex.js";
+import { concat } from "../deps/jsr.io/@std/bytes/1.0.5/concat.js";
+import { decodeBase64, encodeBase64 } from "../deps/jsr.io/@std/encoding/1.0.7/base64.js";
+import { decodeBase64Url } from "../deps/jsr.io/@std/encoding/1.0.7/base64url.js";
+import { decodeHex } from "../deps/jsr.io/@std/encoding/1.0.7/hex.js";
 import { Integer, Sequence } from "asn1js";
 import { decode, encode } from "multibase";
 import { addPrefix, getCodeFromData, rmPrefix } from "multicodec";

package/esm/runtime/url.js CHANGED Viewed

@@ -38,7 +38,13 @@ export async function validatePublicUrl(url) {
     }
     // To prevent SSRF via DNS rebinding, we need to resolve all IP addresses
     // and ensure that they are all public:
-    const addresses = await lookup(hostname, { all: true });
+    let addresses;
+    try {
+        addresses = await lookup(hostname, { all: true });
+    }
+    catch {
+        addresses = [];
+    }
     for (const { address, family } of addresses) {
         if (family === 4 && !isValidPublicIPv4Address(address) ||
             family === 6 && !isValidPublicIPv6Address(address) ||

package/esm/sig/http.js CHANGED Viewed

@@ -1,7 +1,7 @@
 import * as dntShim from "../_dnt.shims.js";
 import { getLogger } from "@logtape/logtape";
-import { equals } from "../deps/jsr.io/@std/bytes/1.0.4/mod.js";
-import { decodeBase64, encodeBase64 } from "../deps/jsr.io/@std/encoding/1.0.6/base64.js";
+import { equals } from "../deps/jsr.io/@std/bytes/1.0.5/mod.js";
+import { decodeBase64, encodeBase64 } from "../deps/jsr.io/@std/encoding/1.0.7/base64.js";
 import { CryptographicKey } from "../vocab/vocab.js";
 import { fetchKey, validateCryptoKey } from "./key.js";
 /**

package/esm/sig/ld.js CHANGED Viewed

@@ -1,7 +1,7 @@
 import * as dntShim from "../_dnt.shims.js";
 import { getLogger } from "@logtape/logtape";
-import { decodeBase64, encodeBase64 } from "../deps/jsr.io/@std/encoding/1.0.6/base64.js";
-import { encodeHex } from "../deps/jsr.io/@std/encoding/1.0.6/hex.js";
+import { decodeBase64, encodeBase64 } from "../deps/jsr.io/@std/encoding/1.0.7/base64.js";
+import { encodeHex } from "../deps/jsr.io/@std/encoding/1.0.7/hex.js";
 // @ts-ignore TS7016
 import jsonld from "jsonld";
 import { fetchDocumentLoader, } from "../runtime/docloader.js";

package/esm/vocab/lookup.js CHANGED Viewed

@@ -1,6 +1,6 @@
 import * as dntShim from "../_dnt.shims.js";
 import { getLogger } from "@logtape/logtape";
-import { delay } from "../deps/jsr.io/@std/async/1.0.9/delay.js";
+import { delay } from "../deps/jsr.io/@std/async/1.0.10/delay.js";
 import { fetchDocumentLoader, } from "../runtime/docloader.js";
 import { lookupWebFinger } from "../webfinger/lookup.js";
 import { Object } from "./vocab.js";