@fedify/fedify 1.5.4 → 1.5.6

package/CHANGES.md

@@ -3,6 +3,30 @@
 Fedify changelog
 ================
 
+Version 1.5.6
+-------------
+
+Released on August 25, 2025.
+
+ -  Fixed a bug where ActivityPub Discovery failed to recognize XHTML
+    self-closing `<link>` tags. The HTML/XHTML parser now correctly handles
+    whitespace before the self-closing slash (`/>`), improving compatibility
+    with XHTML documents that follow the self-closing tag format.
+
+
+Version 1.5.5
+-------------
+
+Released on August 8, 2025.
+
+ -  Fixed a critical authentication bypass vulnerability in the inbox handler
+    that allowed unauthenticated attackers to impersonate any ActivityPub actor.
+    The vulnerability occurred because activities were processed before
+    verifying that the HTTP Signatures key belonged to the claimed actor.
+    Now authentication verification is performed before activity processing to
+    prevent actor impersonation attacks.  [[CVE-2025-54888]]
+
+
 Version 1.5.4
 -------------
 
@@ -177,6 +201,30 @@ Released on March 28, 2025.
 [multibase]: https://github.com/multiformats/js-multibase
 
 
+Version 1.4.14
+--------------
+
+Released on August 25, 2025.
+
+ -  Fixed a bug where ActivityPub Discovery failed to recognize XHTML
+    self-closing `<link>` tags. The HTML/XHTML parser now correctly handles
+    whitespace before the self-closing slash (`/>`), improving compatibility
+    with XHTML documents that follow the self-closing tag format.
+
+
+Version 1.4.13
+--------------
+
+Released on August 8, 2025.
+
+ -  Fixed a critical authentication bypass vulnerability in the inbox handler
+    that allowed unauthenticated attackers to impersonate any ActivityPub actor.
+    The vulnerability occurred because activities were processed before
+    verifying that the HTTP Signatures key belonged to the claimed actor.
+    Now authentication verification is performed before activity processing to
+    prevent actor impersonation attacks.  [[CVE-2025-54888]]
+
+
 Version 1.4.12
 --------------
 
@@ -426,6 +474,32 @@ Released on February 5, 2025.
 [#195]: https://github.com/fedify-dev/fedify/issues/195
 
 
+Version 1.3.21
+--------------
+
+Released on August 25, 2025.
+
+ -  Fixed a bug where ActivityPub Discovery failed to recognize XHTML
+    self-closing `<link>` tags. The HTML/XHTML parser now correctly handles
+    whitespace before the self-closing slash (`/>`), improving compatibility
+    with XHTML documents that follow the self-closing tag format.
+
+
+Version 1.3.20
+--------------
+
+Released on August 8, 2025.
+
+ -  Fixed a critical authentication bypass vulnerability in the inbox handler
+    that allowed unauthenticated attackers to impersonate any ActivityPub actor.
+    The vulnerability occurred because activities were processed before
+    verifying that the HTTP Signatures key belonged to the claimed actor.
+    Now authentication verification is performed before activity processing to
+    prevent actor impersonation attacks.  [[CVE-2025-54888]]
+
+[CVE-2025-54888]: https://github.com/fedify-dev/fedify/security/advisories/GHSA-6jcc-xgcr-q3h4
+
+
 Version 1.3.19
 --------------
 
@@ -791,6 +865,17 @@ Released on November 30, 2024.
 [#193]: https://github.com/fedify-dev/fedify/issues/193
 
 
+Version 1.2.24
+--------------
+
+Released on August 25, 2025.
+
+ -  Fixed a bug where ActivityPub Discovery failed to recognize XHTML
+    self-closing `<link>` tags. The HTML/XHTML parser now correctly handles
+    whitespace before the self-closing slash (`/>`), improving compatibility
+    with XHTML documents that follow the self-closing tag format.
+
+
 Version 1.2.23
 --------------
 
@@ -1204,6 +1289,17 @@ Released on October 31, 2024.
 [#118]: https://github.com/fedify-dev/fedify/issues/118
 
 
+Version 1.1.24
+--------------
+
+Released on August 25, 2025.
+
+ -  Fixed a bug where ActivityPub Discovery failed to recognize XHTML
+    self-closing `<link>` tags. The HTML/XHTML parser now correctly handles
+    whitespace before the self-closing slash (`/>`), improving compatibility
+    with XHTML documents that follow the self-closing tag format.
+
+
 Version 1.1.23
 --------------
 
@@ -1658,6 +1754,17 @@ Released on October 20, 2024.
 [#150]: https://github.com/fedify-dev/fedify/issues/150
 
 
+Version 1.0.27
+--------------
+
+Released on August 25, 2025.
+
+ -  Fixed a bug where ActivityPub Discovery failed to recognize XHTML
+    self-closing `<link>` tags. The HTML/XHTML parser now correctly handles
+    whitespace before the self-closing slash (`/>`), improving compatibility
+    with XHTML documents that follow the self-closing tag format.
+
+
 Version 1.0.26
 --------------
 

package/esm/deno.js

@@ -1,6 +1,6 @@
 export default {
     "name": "@fedify/fedify",
-    "version": "1.5.4",
+    "version": "1.5.6",
     "license": "MIT",
     "exports": {
         ".": "./mod.ts",
@@ -26,7 +26,7 @@ export default {
         "@opentelemetry/semantic-conventions": "npm:@opentelemetry/semantic-conventions@^1.27.0",
         "@phensley/language-tag": "npm:@phensley/language-tag@^1.9.0",
         "@std/assert": "jsr:@std/assert@^0.226.0",
-        "@std/async": "jsr:@std/async@^1.0.5",
+        "@std/async": "jsr:@std/async@1.0.13",
         "@std/bytes": "jsr:@std/bytes@^1.0.2",
         "@std/collections": "jsr:@std/collections@^1.0.6",
         "@std/encoding": "jsr:@std/encoding@1.0.7",

package/esm/federation/handler.js

@@ -1,6 +1,6 @@
 import { getLogger } from "@logtape/logtape";
 import { SpanKind, SpanStatusCode, trace } from "@opentelemetry/api";
-import { accepts } from "../deps/jsr.io/@std/http/1.0.18/negotiation.js";
+import { accepts } from "../deps/jsr.io/@std/http/1.0.20/negotiation.js";
 import metadata from "../deno.js";
 import { verifyRequest } from "../sig/http.js";
 import { detachSignature, verifyJsonLd } from "../sig/ld.js";
@@ -472,20 +472,6 @@ async function handleInboxInternal(request, { recipient, context: ctx, inboxCont
         span.setAttribute("activitypub.activity.id", activity.id.href);
     }
     span.setAttribute("activitypub.activity.type", getTypeId(activity).href);
-    const routeResult = await routeActivity({
-        context: ctx,
-        json,
-        activity,
-        recipient,
-        inboxListeners,
-        inboxContextFactory,
-        inboxErrorHandler,
-        kv,
-        kvPrefixes,
-        queue,
-        span,
-        tracerProvider,
-    });
     if (httpSigKey != null && !await doesActorOwnKey(activity, httpSigKey, ctx)) {
         logger.error("The signer ({keyId}) and the actor ({actorId}) do not match.", {
             activity: json,
@@ -503,6 +489,20 @@ async function handleInboxInternal(request, { recipient, context: ctx, inboxCont
             headers: { "Content-Type": "text/plain; charset=utf-8" },
         });
     }
+    const routeResult = await routeActivity({
+        context: ctx,
+        json,
+        activity,
+        recipient,
+        inboxListeners,
+        inboxContextFactory,
+        inboxErrorHandler,
+        kv,
+        kvPrefixes,
+        queue,
+        span,
+        tracerProvider,
+    });
     if (routeResult === "alreadyProcessed") {
         return new Response(`Activity <${activity.id}> has already been processed.`, {
             status: 202,

package/esm/runtime/docloader.js

@@ -108,7 +108,7 @@ async function getRemoteDocument(url, response, fetch) {
         (contentType === "text/html" || contentType?.startsWith("text/html;") ||
             contentType === "application/xhtml+xml" ||
             contentType?.startsWith("application/xhtml+xml;"))) {
-        const p = /<(a|link)((\s+[a-z][a-z:_-]*=("[^"]*"|'[^']*'|[^\s>]+))+)\/?>/ig;
+        const p = /<(a|link)((\s+[a-z][a-z:_-]*=("[^"]*"|'[^']*'|[^\s>]+))+)\s*\/?>/ig;
         const p2 = /\s+([a-z][a-z:_-]*)=("([^"]*)"|'([^']*)'|([^\s>]+))/ig;
         const html = await response.text();
         let m;