@fedify/fedify 1.3.18 → 1.3.20

package/CHANGES.md

@@ -3,6 +3,32 @@
 Fedify changelog
 ================
 
+Version 1.3.20
+--------------
+
+Released on August 8, 2025.
+
+ -  Fixed a critical authentication bypass vulnerability in the inbox handler
+    that allowed unauthenticated attackers to impersonate any ActivityPub actor.
+    The vulnerability occurred because activities were processed before
+    verifying that the HTTP Signatures key belonged to the claimed actor.
+    Now authentication verification is performed before activity processing to
+    prevent actor impersonation attacks.  [[CVE-2025-54888]]
+
+[CVE-2025-54888]: https://github.com/fedify-dev/fedify/security/advisories/GHSA-6jcc-xgcr-q3h4
+
+
+Version 1.3.19
+--------------
+
+Released on June 30, 2025.
+
+ -  Fixed JSON-LD serialization of the `Question.voters` property to correctly
+    serialize as a plain number (e.g., `"votersCount": 123`) instead of as a
+    typed literal object (e.g., `"votersCount":{"type":"xsd:nonNegativeInteger",
+    "@value":123}`).
+
+
 Version 1.3.18
 --------------
 
@@ -357,6 +383,17 @@ Released on November 30, 2024.
 [#193]: https://github.com/fedify-dev/fedify/issues/193
 
 
+Version 1.2.23
+--------------
+
+Released on June 30, 2025.
+
+ -  Fixed JSON-LD serialization of the `Question.voters` property to correctly
+    serialize as a plain number (e.g., `"votersCount": 123`) instead of as a
+    typed literal object (e.g., `"votersCount":{"type":"xsd:nonNegativeInteger",
+    "@value":123}`).
+
+
 Version 1.2.22
 --------------
 
@@ -759,6 +796,17 @@ Released on October 31, 2024.
 [#118]: https://github.com/fedify-dev/fedify/issues/118
 
 
+Version 1.1.23
+--------------
+
+Released on June 30, 2025.
+
+ -  Fixed JSON-LD serialization of the `Question.voters` property to correctly
+    serialize as a plain number (e.g., `"votersCount": 123`) instead of as a
+    typed literal object (e.g., `"votersCount":{"type":"xsd:nonNegativeInteger",
+    "@value":123}`).
+
+
 Version 1.1.22
 --------------
 
@@ -1202,6 +1250,17 @@ Released on October 20, 2024.
 [#150]: https://github.com/fedify-dev/fedify/issues/150
 
 
+Version 1.0.26
+--------------
+
+Released on June 30, 2025.
+
+ -  Fixed JSON-LD serialization of the `Question.voters` property to correctly
+    serialize as a plain number (e.g., `"votersCount": 123`) instead of as a
+    typed literal object (e.g., `"votersCount":{"type":"xsd:nonNegativeInteger",
+    "@value":123}`).
+
+
 Version 1.0.25
 --------------
 

package/esm/deno.js

@@ -1,6 +1,6 @@
 export default {
     "name": "@fedify/fedify",
-    "version": "1.3.18",
+    "version": "1.3.20",
     "license": "MIT",
     "exports": {
         ".": "./mod.ts",
@@ -37,7 +37,7 @@ export default {
         "@opentelemetry/semantic-conventions": "npm:@opentelemetry/semantic-conventions@^1.27.0",
         "@phensley/language-tag": "npm:@phensley/language-tag@^1.9.0",
         "@std/assert": "jsr:@std/assert@^0.226.0",
-        "@std/async": "jsr:@std/async@^1.0.5",
+        "@std/async": "jsr:@std/async@1.0.13",
         "@std/bytes": "jsr:@std/bytes@^1.0.2",
         "@std/collections": "jsr:@std/collections@^1.0.6",
         "@std/encoding": "jsr:@std/encoding@1.0.7",

package/esm/federation/handler.js

@@ -1,6 +1,6 @@
 import { getLogger } from "@logtape/logtape";
 import { SpanKind, SpanStatusCode, trace } from "@opentelemetry/api";
-import { accepts } from "../deps/jsr.io/@std/http/1.0.16/negotiation.js";
+import { accepts } from "../deps/jsr.io/@std/http/1.0.20/negotiation.js";
 import metadata from "../deno.js";
 import { verifyRequest } from "../sig/http.js";
 import { detachSignature, verifyJsonLd } from "../sig/ld.js";
@@ -418,20 +418,6 @@ async function handleInboxInternal(request, { recipient, context: ctx, inboxCont
         span.setAttribute("activitypub.activity.id", activity.id.href);
     }
     span.setAttribute("activitypub.activity.type", getTypeId(activity).href);
-    const routeResult = await routeActivity({
-        context: ctx,
-        json,
-        activity,
-        recipient,
-        inboxListeners,
-        inboxContextFactory,
-        inboxErrorHandler,
-        kv,
-        kvPrefixes,
-        queue,
-        span,
-        tracerProvider,
-    });
     if (httpSigKey != null && !await doesActorOwnKey(activity, httpSigKey, ctx)) {
         logger.error("The signer ({keyId}) and the actor ({actorId}) do not match.", {
             activity: json,
@@ -449,6 +435,20 @@ async function handleInboxInternal(request, { recipient, context: ctx, inboxCont
             headers: { "Content-Type": "text/plain; charset=utf-8" },
         });
     }
+    const routeResult = await routeActivity({
+        context: ctx,
+        json,
+        activity,
+        recipient,
+        inboxListeners,
+        inboxContextFactory,
+        inboxErrorHandler,
+        kv,
+        kvPrefixes,
+        queue,
+        span,
+        tracerProvider,
+    });
     if (routeResult === "alreadyProcessed") {
         return new Response(`Activity <${activity.id}> has already been processed.`, {
             status: 202,

package/esm/vocab/announce.yaml

@@ -16,7 +16,9 @@ defaultContext:
   misskey: "https://misskey-hub.net/ns#"
   fedibird: "http://fedibird.com/ns#"
   sensitive: "as:sensitive"
-  votersCount: "toot:votersCount"
+  votersCount:
+    "@id": "toot:votersCount"
+    "@type": "http://www.w3.org/2001/XMLSchema#nonNegativeInteger"
   Emoji: "toot:Emoji"
   Hashtag: "as:Hashtag"
   quoteUrl: "as:quoteUrl"

package/esm/vocab/create.yaml

@@ -13,7 +13,9 @@ defaultContext:
   misskey: "https://misskey-hub.net/ns#"
   fedibird: "http://fedibird.com/ns#"
   sensitive: "as:sensitive"
-  votersCount: "toot:votersCount"
+  votersCount:
+    "@id": "toot:votersCount"
+    "@type": "http://www.w3.org/2001/XMLSchema#nonNegativeInteger"
   Emoji: "toot:Emoji"
   Hashtag: "as:Hashtag"
   ChatMessage: "http://litepub.social/ns#ChatMessage"

package/esm/vocab/delete.yaml

@@ -15,7 +15,9 @@ defaultContext:
   misskey: "https://misskey-hub.net/ns#"
   fedibird: "http://fedibird.com/ns#"
   sensitive: "as:sensitive"
-  votersCount: "toot:votersCount"
+  votersCount:
+    "@id": "toot:votersCount"
+    "@type": "http://www.w3.org/2001/XMLSchema#nonNegativeInteger"
   Emoji: "toot:Emoji"
   Hashtag: "as:Hashtag"
   ChatMessage: "http://litepub.social/ns#ChatMessage"

package/esm/vocab/question.yaml

@@ -14,85 +14,87 @@ description: |
   used to express possible answers, but a Question object *must not* have both
   properties.
 defaultContext:
-- "https://w3id.org/identity/v1"
-- "https://www.w3.org/ns/activitystreams"
-- "https://w3id.org/security/data-integrity/v1"
-- toot: "http://joinmastodon.org/ns#"
-  misskey: "https://misskey-hub.net/ns#"
-  fedibird: "http://fedibird.com/ns#"
-  sensitive: "as:sensitive"
-  votersCount: "toot:votersCount"
-  Emoji: "toot:Emoji"
-  Hashtag: "as:Hashtag"
-  quoteUrl: "as:quoteUrl"
-  _misskey_quote: "misskey:_misskey_quote"
-  quoteUri: "fedibird:quoteUri"
+  - "https://w3id.org/identity/v1"
+  - "https://www.w3.org/ns/activitystreams"
+  - "https://w3id.org/security/data-integrity/v1"
+  - toot: "http://joinmastodon.org/ns#"
+    misskey: "https://misskey-hub.net/ns#"
+    fedibird: "http://fedibird.com/ns#"
+    sensitive: "as:sensitive"
+    votersCount:
+      "@id": "toot:votersCount"
+      "@type": "http://www.w3.org/2001/XMLSchema#nonNegativeInteger"
+    Emoji: "toot:Emoji"
+    Hashtag: "as:Hashtag"
+    quoteUrl: "as:quoteUrl"
+    _misskey_quote: "misskey:_misskey_quote"
+    quoteUri: "fedibird:quoteUri"
 
 properties:
-- pluralName: exclusiveOptions
-  singularName: exclusiveOption
-  singularAccessor: false
-  compactName: oneOf
-  uri: "https://www.w3.org/ns/activitystreams#oneOf"
-  description: |
-    Identifies an exclusive option for a Question.  Use of `exclusiveOptions`
-    implies that the Question can have only a single answer.  To indicate that
-    a Question can have multiple answers, use `inclusiveOptions`.
-  range:
-  - "https://www.w3.org/ns/activitystreams#Object"
+  - pluralName: exclusiveOptions
+    singularName: exclusiveOption
+    singularAccessor: false
+    compactName: oneOf
+    uri: "https://www.w3.org/ns/activitystreams#oneOf"
+    description: |
+      Identifies an exclusive option for a Question.  Use of `exclusiveOptions`
+      implies that the Question can have only a single answer.  To indicate that
+      a Question can have multiple answers, use `inclusiveOptions`.
+    range:
+      - "https://www.w3.org/ns/activitystreams#Object"
 
-- pluralName: inclusiveOptions
-  singularName: inclusiveOption
-  singularAccessor: false
-  compactName: anyOf
-  uri: "https://www.w3.org/ns/activitystreams#anyOf"
-  description: |
-    Identifies an inclusive option for a Question.  Use of `inclusiveOptions`
-    implies that the Question can have multiple answers.  To indicate that
-    a Question can have only one answer, use `exclusiveOptions`.
-  range:
-  - "https://www.w3.org/ns/activitystreams#Object"
+  - pluralName: inclusiveOptions
+    singularName: inclusiveOption
+    singularAccessor: false
+    compactName: anyOf
+    uri: "https://www.w3.org/ns/activitystreams#anyOf"
+    description: |
+      Identifies an inclusive option for a Question.  Use of `inclusiveOptions`
+      implies that the Question can have multiple answers.  To indicate that
+      a Question can have only one answer, use `exclusiveOptions`.
+    range:
+      - "https://www.w3.org/ns/activitystreams#Object"
 
-- singularName: closed
-  functional: true
-  compactName: closed
-  uri: "https://www.w3.org/ns/activitystreams#closed"
-  description: |
-    Indicates that a question has been closed, and answers are no longer
-    accepted.
-  range:
-  - "http://www.w3.org/2001/XMLSchema#dateTime"
-  - "http://www.w3.org/2001/XMLSchema#boolean"
+  - singularName: closed
+    functional: true
+    compactName: closed
+    uri: "https://www.w3.org/ns/activitystreams#closed"
+    description: |
+      Indicates that a question has been closed, and answers are no longer
+      accepted.
+    range:
+      - "http://www.w3.org/2001/XMLSchema#dateTime"
+      - "http://www.w3.org/2001/XMLSchema#boolean"
 
-- singularName: voters
-  functional: true
-  compactName: votersCount
-  uri: "http://joinmastodon.org/ns#votersCount"
-  description: |
-    How many people have voted in the poll.  Distinct from how many votes have
-    been cast (in the case of multiple-choice polls).
-  range:
-  - "http://www.w3.org/2001/XMLSchema#nonNegativeInteger"
+  - singularName: voters
+    functional: true
+    compactName: votersCount
+    uri: "http://joinmastodon.org/ns#votersCount"
+    description: |
+      How many people have voted in the poll.  Distinct from how many votes have
+      been cast (in the case of multiple-choice polls).
+    range:
+      - "http://www.w3.org/2001/XMLSchema#nonNegativeInteger"
 
-- singularName: quoteUrl
-  functional: true
-  compactName: quoteUrl
-  uri: "https://www.w3.org/ns/activitystreams#quoteUrl"
-  redundantProperties:
-  - compactName: _misskey_quote
-    uri: "https://misskey-hub.net/ns#_misskey_quote"
-  - compactName: quoteUri
-    uri: "http://fedibird.com/ns#quoteUri"
-  description: |
-    The URI of the ActivityStreams object that this object quotes.
+  - singularName: quoteUrl
+    functional: true
+    compactName: quoteUrl
+    uri: "https://www.w3.org/ns/activitystreams#quoteUrl"
+    redundantProperties:
+      - compactName: _misskey_quote
+        uri: "https://misskey-hub.net/ns#_misskey_quote"
+      - compactName: quoteUri
+        uri: "http://fedibird.com/ns#quoteUri"
+    description: |
+      The URI of the ActivityStreams object that this object quotes.
 
-    This property sets three JSON-LD properties at once under the hood:
+      This property sets three JSON-LD properties at once under the hood:
 
-    1. https://www.w3.org/ns/activitystreams#quoteUrl
-    2. https://misskey-hub.net/ns#_misskey_quote
-    3. http://fedibird.com/ns#quoteUri
+      1. https://www.w3.org/ns/activitystreams#quoteUrl
+      2. https://misskey-hub.net/ns#_misskey_quote
+      3. http://fedibird.com/ns#quoteUri
 
-    When a JSON-LD object is parsed, this property is filled with one of
-    the values of those three properties in order.
-  range:
-  - "fedify:url"
+      When a JSON-LD object is parsed, this property is filled with one of
+      the values of those three properties in order.
+    range:
+      - "fedify:url"

package/esm/vocab/update.yaml

@@ -37,7 +37,9 @@ defaultContext:
   suspended: "toot:suspended"
   memorial: "toot:memorial"
   indexable: "toot:indexable"
-  votersCount: "toot:votersCount"
+  votersCount:
+    "@id": "toot:votersCount"
+    "@type": "http://www.w3.org/2001/XMLSchema#nonNegativeInteger"
   Emoji: "toot:Emoji"
   Hashtag: "as:Hashtag"
   schema: "http://schema.org#"