@fedify/fedify 1.4.11 → 1.4.13

package/CHANGES.md

@@ -3,6 +3,30 @@
 Fedify changelog
 ================
 
+Version 1.4.13
+--------------
+
+Released on August 8, 2025.
+
+ -  Fixed a critical authentication bypass vulnerability in the inbox handler
+    that allowed unauthenticated attackers to impersonate any ActivityPub actor.
+    The vulnerability occurred because activities were processed before
+    verifying that the HTTP Signatures key belonged to the claimed actor.
+    Now authentication verification is performed before activity processing to
+    prevent actor impersonation attacks.  [[CVE-2025-54888]]
+
+
+Version 1.4.12
+--------------
+
+Released on June 30, 2025.
+
+ -  Fixed JSON-LD serialization of the `Question.voters` property to correctly
+    serialize as a plain number (e.g., `"votersCount": 123`) instead of as a
+    typed literal object (e.g., `"votersCount":{"type":"xsd:nonNegativeInteger",
+    "@value":123}`).
+
+
 Version 1.4.11
 --------------
 
@@ -241,6 +265,32 @@ Released on February 5, 2025.
 [#195]: https://github.com/fedify-dev/fedify/issues/195
 
 
+Version 1.3.20
+--------------
+
+Released on August 8, 2025.
+
+ -  Fixed a critical authentication bypass vulnerability in the inbox handler
+    that allowed unauthenticated attackers to impersonate any ActivityPub actor.
+    The vulnerability occurred because activities were processed before
+    verifying that the HTTP Signatures key belonged to the claimed actor.
+    Now authentication verification is performed before activity processing to
+    prevent actor impersonation attacks.  [[CVE-2025-54888]]
+
+[CVE-2025-54888]: https://github.com/fedify-dev/fedify/security/advisories/GHSA-6jcc-xgcr-q3h4
+
+
+Version 1.3.19
+--------------
+
+Released on June 30, 2025.
+
+ -  Fixed JSON-LD serialization of the `Question.voters` property to correctly
+    serialize as a plain number (e.g., `"votersCount": 123`) instead of as a
+    typed literal object (e.g., `"votersCount":{"type":"xsd:nonNegativeInteger",
+    "@value":123}`).
+
+
 Version 1.3.18
 --------------
 
@@ -595,6 +645,17 @@ Released on November 30, 2024.
 [#193]: https://github.com/fedify-dev/fedify/issues/193
 
 
+Version 1.2.23
+--------------
+
+Released on June 30, 2025.
+
+ -  Fixed JSON-LD serialization of the `Question.voters` property to correctly
+    serialize as a plain number (e.g., `"votersCount": 123`) instead of as a
+    typed literal object (e.g., `"votersCount":{"type":"xsd:nonNegativeInteger",
+    "@value":123}`).
+
+
 Version 1.2.22
 --------------
 
@@ -997,6 +1058,17 @@ Released on October 31, 2024.
 [#118]: https://github.com/fedify-dev/fedify/issues/118
 
 
+Version 1.1.23
+--------------
+
+Released on June 30, 2025.
+
+ -  Fixed JSON-LD serialization of the `Question.voters` property to correctly
+    serialize as a plain number (e.g., `"votersCount": 123`) instead of as a
+    typed literal object (e.g., `"votersCount":{"type":"xsd:nonNegativeInteger",
+    "@value":123}`).
+
+
 Version 1.1.22
 --------------
 
@@ -1440,6 +1512,17 @@ Released on October 20, 2024.
 [#150]: https://github.com/fedify-dev/fedify/issues/150
 
 
+Version 1.0.26
+--------------
+
+Released on June 30, 2025.
+
+ -  Fixed JSON-LD serialization of the `Question.voters` property to correctly
+    serialize as a plain number (e.g., `"votersCount": 123`) instead of as a
+    typed literal object (e.g., `"votersCount":{"type":"xsd:nonNegativeInteger",
+    "@value":123}`).
+
+
 Version 1.0.25
 --------------
 

package/esm/deno.js

@@ -1,6 +1,6 @@
 export default {
     "name": "@fedify/fedify",
-    "version": "1.4.11",
+    "version": "1.4.13",
     "license": "MIT",
     "exports": {
         ".": "./mod.ts",
@@ -38,7 +38,7 @@ export default {
         "@opentelemetry/semantic-conventions": "npm:@opentelemetry/semantic-conventions@^1.27.0",
         "@phensley/language-tag": "npm:@phensley/language-tag@^1.9.0",
         "@std/assert": "jsr:@std/assert@^0.226.0",
-        "@std/async": "jsr:@std/async@^1.0.5",
+        "@std/async": "jsr:@std/async@1.0.13",
         "@std/bytes": "jsr:@std/bytes@^1.0.2",
         "@std/collections": "jsr:@std/collections@^1.0.6",
         "@std/encoding": "jsr:@std/encoding@1.0.7",

package/esm/federation/handler.js

@@ -1,6 +1,6 @@
 import { getLogger } from "@logtape/logtape";
 import { SpanKind, SpanStatusCode, trace } from "@opentelemetry/api";
-import { accepts } from "../deps/jsr.io/@std/http/1.0.16/negotiation.js";
+import { accepts } from "../deps/jsr.io/@std/http/1.0.20/negotiation.js";
 import metadata from "../deno.js";
 import { verifyRequest } from "../sig/http.js";
 import { detachSignature, verifyJsonLd } from "../sig/ld.js";
@@ -418,20 +418,6 @@ async function handleInboxInternal(request, { recipient, context: ctx, inboxCont
         span.setAttribute("activitypub.activity.id", activity.id.href);
     }
     span.setAttribute("activitypub.activity.type", getTypeId(activity).href);
-    const routeResult = await routeActivity({
-        context: ctx,
-        json,
-        activity,
-        recipient,
-        inboxListeners,
-        inboxContextFactory,
-        inboxErrorHandler,
-        kv,
-        kvPrefixes,
-        queue,
-        span,
-        tracerProvider,
-    });
     if (httpSigKey != null && !await doesActorOwnKey(activity, httpSigKey, ctx)) {
         logger.error("The signer ({keyId}) and the actor ({actorId}) do not match.", {
             activity: json,
@@ -449,6 +435,20 @@ async function handleInboxInternal(request, { recipient, context: ctx, inboxCont
             headers: { "Content-Type": "text/plain; charset=utf-8" },
         });
     }
+    const routeResult = await routeActivity({
+        context: ctx,
+        json,
+        activity,
+        recipient,
+        inboxListeners,
+        inboxContextFactory,
+        inboxErrorHandler,
+        kv,
+        kvPrefixes,
+        queue,
+        span,
+        tracerProvider,
+    });
     if (routeResult === "alreadyProcessed") {
         return new Response(`Activity <${activity.id}> has already been processed.`, {
             status: 202,

package/esm/vocab/announce.yaml

@@ -16,7 +16,9 @@ defaultContext:
   misskey: "https://misskey-hub.net/ns#"
   fedibird: "http://fedibird.com/ns#"
   sensitive: "as:sensitive"
-  votersCount: "toot:votersCount"
+  votersCount:
+    "@id": "toot:votersCount"
+    "@type": "http://www.w3.org/2001/XMLSchema#nonNegativeInteger"
   Emoji: "toot:Emoji"
   Hashtag: "as:Hashtag"
   quoteUrl: "as:quoteUrl"

package/esm/vocab/create.yaml

@@ -13,7 +13,9 @@ defaultContext:
   misskey: "https://misskey-hub.net/ns#"
   fedibird: "http://fedibird.com/ns#"
   sensitive: "as:sensitive"
-  votersCount: "toot:votersCount"
+  votersCount:
+    "@id": "toot:votersCount"
+    "@type": "http://www.w3.org/2001/XMLSchema#nonNegativeInteger"
   Emoji: "toot:Emoji"
   Hashtag: "as:Hashtag"
   ChatMessage: "http://litepub.social/ns#ChatMessage"

package/esm/vocab/delete.yaml

@@ -15,7 +15,9 @@ defaultContext:
   misskey: "https://misskey-hub.net/ns#"
   fedibird: "http://fedibird.com/ns#"
   sensitive: "as:sensitive"
-  votersCount: "toot:votersCount"
+  votersCount:
+    "@id": "toot:votersCount"
+    "@type": "http://www.w3.org/2001/XMLSchema#nonNegativeInteger"
   Emoji: "toot:Emoji"
   Hashtag: "as:Hashtag"
   ChatMessage: "http://litepub.social/ns#ChatMessage"

package/esm/vocab/question.yaml

@@ -21,7 +21,9 @@ defaultContext:
   misskey: "https://misskey-hub.net/ns#"
   fedibird: "http://fedibird.com/ns#"
   sensitive: "as:sensitive"
-  votersCount: "toot:votersCount"
+  votersCount:
+    "@id": "toot:votersCount"
+    "@type": "http://www.w3.org/2001/XMLSchema#nonNegativeInteger"
   Emoji: "toot:Emoji"
   Hashtag: "as:Hashtag"
   quoteUrl: "as:quoteUrl"

package/esm/vocab/update.yaml

@@ -37,7 +37,9 @@ defaultContext:
   suspended: "toot:suspended"
   memorial: "toot:memorial"
   indexable: "toot:indexable"
-  votersCount: "toot:votersCount"
+  votersCount:
+    "@id": "toot:votersCount"
+    "@type": "http://www.w3.org/2001/XMLSchema#nonNegativeInteger"
   Emoji: "toot:Emoji"
   Hashtag: "as:Hashtag"
   schema: "http://schema.org#"