@fedify/fedify 1.4.12 → 1.4.14

Files changed (22) hide show
  1. package/CHANGES.md +83 -0
  2. package/esm/deno.js +2 -2
  3. package/esm/federation/handler.js +15 -15
  4. package/esm/runtime/docloader.js +1 -1
  5. package/esm/vocab/vocab.js +176 -176
  6. package/package.json +1 -1
  7. package/types/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/_negotiation/common.d.ts.map +1 -1
  8. package/types/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/_negotiation/encoding.d.ts.map +1 -1
  9. package/types/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/_negotiation/language.d.ts.map +1 -1
  10. package/types/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/_negotiation/media_type.d.ts.map +1 -1
  11. package/types/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/negotiation.d.ts.map +1 -1
  12. package/types/runtime/docloader.d.ts.map +1 -1
  13. /package/esm/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/_negotiation/common.js +0 -0
  14. /package/esm/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/_negotiation/encoding.js +0 -0
  15. /package/esm/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/_negotiation/language.js +0 -0
  16. /package/esm/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/_negotiation/media_type.js +0 -0
  17. /package/esm/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/negotiation.js +0 -0
  18. /package/types/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/_negotiation/common.d.ts +0 -0
  19. /package/types/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/_negotiation/encoding.d.ts +0 -0
  20. /package/types/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/_negotiation/language.d.ts +0 -0
  21. /package/types/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/_negotiation/media_type.d.ts +0 -0
  22. /package/types/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/negotiation.d.ts +0 -0
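--- a/package/CHANGES.md
+++ b/package/CHANGES.md
@@ -3,6 +3,30 @@
 Fedify changelog
 ================
 
+Version 1.4.14
+--------------
+
+Released on August 25, 2025.
+
+- Fixed a bug where ActivityPub Discovery failed to recognize XHTML
+self-closing `<link>` tags. The HTML/XHTML parser now correctly handles
+whitespace before the self-closing slash (`/>`), improving compatibility
+with XHTML documents that follow the self-closing tag format.
+
+
+Version 1.4.13
+--------------
+
+Released on August 8, 2025.
+
+- Fixed a critical authentication bypass vulnerability in the inbox handler
+that allowed unauthenticated attackers to impersonate any ActivityPub actor.
+The vulnerability occurred because activities were processed before
+verifying that the HTTP Signatures key belonged to the claimed actor.
+Now authentication verification is performed before activity processing to
+prevent actor impersonation attacks. [[CVE-2025-54888]]
+
+
 Version 1.4.12
 --------------
 
@@ -252,6 +276,32 @@ Released on February 5, 2025.
 [#195]: https://github.com/fedify-dev/fedify/issues/195
 
 
+Version 1.3.21
+--------------
+
+Released on August 25, 2025.
+
+- Fixed a bug where ActivityPub Discovery failed to recognize XHTML
+self-closing `<link>` tags. The HTML/XHTML parser now correctly handles
+whitespace before the self-closing slash (`/>`), improving compatibility
+with XHTML documents that follow the self-closing tag format.
+
+
+Version 1.3.20
+--------------
+
+Released on August 8, 2025.
+
+- Fixed a critical authentication bypass vulnerability in the inbox handler
+that allowed unauthenticated attackers to impersonate any ActivityPub actor.
+The vulnerability occurred because activities were processed before
+verifying that the HTTP Signatures key belonged to the claimed actor.
+Now authentication verification is performed before activity processing to
+prevent actor impersonation attacks. [[CVE-2025-54888]]
+
+[CVE-2025-54888]: https://github.com/fedify-dev/fedify/security/advisories/GHSA-6jcc-xgcr-q3h4
+
+
 Version 1.3.19
 --------------
 
@@ -617,6 +667,17 @@ Released on November 30, 2024.
 [#193]: https://github.com/fedify-dev/fedify/issues/193
 
 
+Version 1.2.24
+--------------
+
+Released on August 25, 2025.
+
+- Fixed a bug where ActivityPub Discovery failed to recognize XHTML
+self-closing `<link>` tags. The HTML/XHTML parser now correctly handles
+whitespace before the self-closing slash (`/>`), improving compatibility
+with XHTML documents that follow the self-closing tag format.
+
+
 Version 1.2.23
 --------------
 
@@ -1030,6 +1091,17 @@ Released on October 31, 2024.
 [#118]: https://github.com/fedify-dev/fedify/issues/118
 
 
+Version 1.1.24
+--------------
+
+Released on August 25, 2025.
+
+- Fixed a bug where ActivityPub Discovery failed to recognize XHTML
+self-closing `<link>` tags. The HTML/XHTML parser now correctly handles
+whitespace before the self-closing slash (`/>`), improving compatibility
+with XHTML documents that follow the self-closing tag format.
+
+
 Version 1.1.23
 --------------
 
@@ -1484,6 +1556,17 @@ Released on October 20, 2024.
 [#150]: https://github.com/fedify-dev/fedify/issues/150
 
 
+Version 1.0.27
+--------------
+
+Released on August 25, 2025.
+
+- Fixed a bug where ActivityPub Discovery failed to recognize XHTML
+self-closing `<link>` tags. The HTML/XHTML parser now correctly handles
+whitespace before the self-closing slash (`/>`), improving compatibility
+with XHTML documents that follow the self-closing tag format.
+
+
 Version 1.0.26
 --------------
 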
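--- a/package/esm/deno.js
+++ b/package/esm/deno.js
@@ -1,6 +1,6 @@
 export default {
 "name": "@fedify/fedify",
-"version": "1.4.12",
+"version": "1.4.14",
 "license": "MIT",
 "exports": {
 ".": "./mod.ts",
@@ -38,7 +38,7 @@ export default {
 "@opentelemetry/semantic-conventions": "npm:@opentelemetry/semantic-conventions@^1.27.0",
 "@phensley/language-tag": "npm:@phensley/language-tag@^1.9.0",
 "@std/assert": "jsr:@std/assert@^0.226.0",
-"@std/async": "jsr:@std/async@^1.0.5",
+"@std/async": "jsr:@std/async@1.0.13",
 "@std/bytes": "jsr:@std/bytes@^1.0.2",
 "@std/collections": "jsr:@std/collections@^1.0.6",
 "@std/encoding": "jsr:@std/encoding@1.0.7",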
@@ -1,6 +1,6 @@
1
1
  import { getLogger } from "@logtape/logtape";
2
2
  import { SpanKind, SpanStatusCode, trace } from "@opentelemetry/api";
3
- import { accepts } from "../deps/jsr.io/@std/http/1.0.18/negotiation.js";
3
+ import { accepts } from "../deps/jsr.io/@std/http/1.0.20/negotiation.js";
4
4
  import metadata from "../deno.js";
5
5
  import { verifyRequest } from "../sig/http.js";
6
6
  import { detachSignature, verifyJsonLd } from "../sig/ld.js";
@@ -418,20 +418,6 @@ async function handleInboxInternal(request, { recipient, context: ctx, inboxCont
418
418
  span.setAttribute("activitypub.activity.id", activity.id.href);
419
419
  }
420
420
  span.setAttribute("activitypub.activity.type", getTypeId(activity).href);
421
- const routeResult = await routeActivity({
422
- context: ctx,
423
- json,
424
- activity,
425
- recipient,
426
- inboxListeners,
427
- inboxContextFactory,
428
- inboxErrorHandler,
429
- kv,
430
- kvPrefixes,
431
- queue,
432
- span,
433
- tracerProvider,
434
- });
435
421
  if (httpSigKey != null && !await doesActorOwnKey(activity, httpSigKey, ctx)) {
436
422
  logger.error("The signer ({keyId}) and the actor ({actorId}) do not match.", {
437
423
  activity: json,
@@ -449,6 +435,20 @@ async function handleInboxInternal(request, { recipient, context: ctx, inboxCont
449
435
  headers: { "Content-Type": "text/plain; charset=utf-8" },
450
436
  });
451
437
  }
438
+ const routeResult = await routeActivity({
439
+ context: ctx,
440
+ json,
441
+ activity,
442
+ recipient,
443
+ inboxListeners,
444
+ inboxContextFactory,
445
+ inboxErrorHandler,
446
+ kv,
447
+ kvPrefixes,
448
+ queue,
449
+ span,
450
+ tracerProvider,
451
+ });
452
452
  if (routeResult === "alreadyProcessed") {
453
453
  return new Response(`Activity <${activity.id}> has already been processed.`, {
454
454
  status: 202,
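Review bot: The ownership check `if (httpSigKey != null && !await doesActorOwnKey(activity, httpSigKey, ctx))` now runs before the moved `routeActivity(...)` call, but nothing in the code records that this order is load-bearing, so a later refactor could silently reintroduce the bypass; a comment above that `if` such as `// Must stay ahead of routeActivity: dispatching an activity before confirming the signing key belongs to the claimed actor allowed actor impersonation (CVE-2025-54888).` would make the invariant explicit. Separately, the `httpSigKey != null` guard means the actor/key binding check is skipped entirely whenever no HTTP Signatures key was recovered; how `httpSigKey` is derived and whether an unsigned or Linked-Data-signature-only request is rejected earlier is outside the hunk, so it is worth confirming that path enforces an equivalent actor-to-key binding (the imported `verifyJsonLd` suggests such a path exists). handleInboxInternal starts before and ends after this hunk.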
@@ -108,7 +108,7 @@ async function getRemoteDocument(url, response, fetch) {
108
108
  (contentType === "text/html" || contentType?.startsWith("text/html;") ||
109
109
  contentType === "application/xhtml+xml" ||
110
110
  contentType?.startsWith("application/xhtml+xml;"))) {
111
- const p = /<(a|link)((\s+[a-z][a-z:_-]*=("[^"]*"|'[^']*'|[^\s>]+))+)\/?>/ig;
111
+ const p = /<(a|link)((\s+[a-z][a-z:_-]*=("[^"]*"|'[^']*'|[^\s>]+))+)\s*\/?>/ig;
112
112
  const p2 = /\s+([a-z][a-z:_-]*)=("([^"]*)"|'([^']*)'|([^\s>]+))/ig;
113
113
  const html = await response.text();
114
114
  let m;
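Review bot: The new `\s*` inserted before `\/?>` in `p` is undocumented, and this regex is the only thing between an untrusted remote HTML body and the discovery logic, so its intent should be stated: `// Start tags of <a>/<link> with at least one attribute; the trailing \s* accepts XHTML self-closing forms such as "<link ... />".` The pattern still requires at least one attribute (a bare `<link>` is skipped), which is fine for discovery but worth a word in the same comment. Because `p` is run over the whole of `await response.text()`, it is also worth confirming, outside this hunk, that the response size is bounded before the body is read, since the remote server controls its length and the regex scans it end to end. The enclosing getRemoteDocument starts before and continues after the hunk.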