@fedify/vocab-runtime 2.0.0-dev.1908 → 2.0.0-dev.85

package/deno.json

@@ -1,6 +1,6 @@
 {
   "name": "@fedify/vocab-runtime",
-  "version": "2.0.0-dev.1908+c31cc639",
+  "version": "2.0.0-dev.85+a55c8362",
   "license": "MIT",
   "exports": {
     ".": "./src/mod.ts"
@@ -12,6 +12,7 @@
     "url": "https://hongminhee.org/"
   },
   "imports": {
+    "@multiformats/base-x": "npm:@multiformats/base-x@^4.0.1",
     "asn1js": "npm:asn1js@^3.0.6",
     "byte-encodings": "npm:byte-encodings@^1.0.11",
     "fetch-mock": "npm:fetch-mock@^12.5.4",

package/dist/mod.cjs

@@ -22,6 +22,7 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 
 //#endregion
 const __logtape_logtape = __toESM(require("@logtape/logtape"));
+const __opentelemetry_api = __toESM(require("@opentelemetry/api"));
 const node_process = __toESM(require("node:process"));
 const node_dns_promises = __toESM(require("node:dns/promises"));
 const node_net = __toESM(require("node:net"));
@@ -4178,6 +4179,43 @@ const preloadedContexts = {
 };
 var contexts_default = preloadedContexts;
 
+//#endregion
+//#region deno.json
+var name = "@fedify/vocab-runtime";
+var version = "2.0.0-dev.85+a55c8362";
+var license = "MIT";
+var exports$1 = { ".": "./src/mod.ts" };
+var description = "Runtime library for @fedify/vocab";
+var author = {
+	"name": "Hong Minhee",
+	"email": "hong@minhee.org",
+	"url": "https://hongminhee.org/"
+};
+var imports = {
+	"@multiformats/base-x": "npm:@multiformats/base-x@^4.0.1",
+	"asn1js": "npm:asn1js@^3.0.6",
+	"byte-encodings": "npm:byte-encodings@^1.0.11",
+	"fetch-mock": "npm:fetch-mock@^12.5.4",
+	"multicodec": "npm:multicodec@^3.2.1",
+	"pkijs": "npm:pkijs@^3.2.5"
+};
+var exclude = ["dist", "node_modules"];
+var tasks = {
+	"check": "deno fmt --check && deno lint && deno check src/*.ts",
+	"test": "deno test"
+};
+var deno_default = {
+	name,
+	version,
+	license,
+	exports: exports$1,
+	description,
+	author,
+	imports,
+	exclude,
+	tasks
+};
+
 //#endregion
 //#region src/link.ts
 const parametersNeedLowerCase = ["rel", "type"];
@@ -4360,42 +4398,6 @@ var HttpHeaderLink = class HttpHeaderLink {
 	}
 };
 
-//#endregion
-//#region deno.json
-var name = "@fedify/vocab-runtime";
-var version = "2.0.0-dev.1908+c31cc639";
-var license = "MIT";
-var exports$1 = { ".": "./src/mod.ts" };
-var description = "Runtime library for @fedify/vocab";
-var author = {
-	"name": "Hong Minhee",
-	"email": "hong@minhee.org",
-	"url": "https://hongminhee.org/"
-};
-var imports = {
-	"asn1js": "npm:asn1js@^3.0.6",
-	"byte-encodings": "npm:byte-encodings@^1.0.11",
-	"fetch-mock": "npm:fetch-mock@^12.5.4",
-	"multicodec": "npm:multicodec@^3.2.1",
-	"pkijs": "npm:pkijs@^3.2.5"
-};
-var exclude = ["dist", "node_modules"];
-var tasks = {
-	"check": "deno fmt --check && deno lint && deno check src/*.ts",
-	"test": "deno test"
-};
-var deno_default = {
-	name,
-	version,
-	license,
-	exports: exports$1,
-	description,
-	author,
-	imports,
-	exclude,
-	tasks
-};
-
 //#endregion
 //#region src/request.ts
 /**
@@ -4582,29 +4584,38 @@ async function getRemoteDocument(url, response, fetch$1) {
 	}
 	let document;
 	if (!jsonLd && (contentType === "text/html" || contentType?.startsWith("text/html;") || contentType === "application/xhtml+xml" || contentType?.startsWith("application/xhtml+xml;"))) {
-		const p = /<(a|link)((\s+[a-z][a-z:_-]*=("[^"]*"|'[^']*'|[^\s>]+))+)\s*\/?>/gi;
-		const p2 = /\s+([a-z][a-z:_-]*)=("([^"]*)"|'([^']*)'|([^\s>]+))/gi;
+		const MAX_HTML_SIZE = 1024 * 1024;
 		const html = await response.text();
-		let m;
-		const rawAttribs = [];
-		while ((m = p.exec(html)) !== null) rawAttribs.push(m[2]);
-		for (const rawAttrs of rawAttribs) {
-			let m2;
-			const attribs = {};
-			while ((m2 = p2.exec(rawAttrs)) !== null) {
-				const key = m2[1].toLowerCase();
-				const value = m2[3] ?? m2[4] ?? m2[5] ?? "";
-				attribs[key] = value;
-			}
-			if (attribs.rel === "alternate" && "type" in attribs && (attribs.type === "application/activity+json" || attribs.type === "application/ld+json" || attribs.type.startsWith("application/ld+json;")) && "href" in attribs && new URL(attribs.href, docUrl).href !== docUrl.href) {
-				logger.debug("Found alternate document: {alternateUrl} from {url}", {
-					alternateUrl: attribs.href,
-					url: documentUrl
-				});
-				return await fetch$1(new URL(attribs.href, docUrl).href);
+		if (html.length > MAX_HTML_SIZE) {
+			logger.warn("HTML response too large, skipping alternate link discovery: {url}", {
+				url: documentUrl,
+				size: html.length
+			});
+			document = JSON.parse(html);
+		} else {
+			const tagPattern = /<(a|link)\s+([^>]*?)\s*\/?>/gi;
+			const attrPattern = /([a-z][a-z:_-]*)=(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
+			let tagMatch;
+			while ((tagMatch = tagPattern.exec(html)) !== null) {
+				const tagContent = tagMatch[2];
+				let attrMatch;
+				const attribs = {};
+				attrPattern.lastIndex = 0;
+				while ((attrMatch = attrPattern.exec(tagContent)) !== null) {
+					const key = attrMatch[1].toLowerCase();
+					const value = attrMatch[2] ?? attrMatch[3] ?? attrMatch[4] ?? "";
+					attribs[key] = value;
+				}
+				if (attribs.rel === "alternate" && "type" in attribs && (attribs.type === "application/activity+json" || attribs.type === "application/ld+json" || attribs.type.startsWith("application/ld+json;")) && "href" in attribs && new URL(attribs.href, docUrl).href !== docUrl.href) {
+					logger.debug("Found alternate document: {alternateUrl} from {url}", {
+						alternateUrl: attribs.href,
+						url: documentUrl
+					});
+					return await fetch$1(new URL(attribs.href, docUrl).href);
+				}
 			}
+			document = JSON.parse(html);
 		}
-		document = JSON.parse(html);
 	} else document = await response.json();
 	logger.debug("Fetched document: {status} {url} {headers}", {
 		status: response.status,
@@ -4635,6 +4646,8 @@ async function getRemoteDocument(url, response, fetch$1) {
 * @since 1.3.0
 */
 function getDocumentLoader({ allowPrivateAddress, skipPreloadedContexts, userAgent } = {}) {
+	const tracerProvider = __opentelemetry_api.trace.getTracerProvider();
+	const tracer = tracerProvider.getTracer(deno_default.name, deno_default.version);
 	async function load(url, options) {
 		options?.signal?.throwIfAborted();
 		if (!skipPreloadedContexts && url in contexts_default) {
@@ -4654,14 +4667,38 @@ function getDocumentLoader({ allowPrivateAddress, skipPreloadedContexts, userAge
 			});
 			throw error;
 		}
-		const request = createActivityPubRequest(url, { userAgent });
-		logRequest(logger, request);
-		const response = await fetch(request, {
-			redirect: "manual",
-			signal: options?.signal
+		return await tracer.startActiveSpan("activitypub.fetch_document", {
+			kind: __opentelemetry_api.SpanKind.CLIENT,
+			attributes: { "url.full": url }
+		}, async (span) => {
+			try {
+				const request = createActivityPubRequest(url, { userAgent });
+				logRequest(logger, request);
+				const response = await fetch(request, {
+					redirect: "manual",
+					signal: options?.signal
+				});
+				span.setAttribute("http.response.status_code", response.status);
+				if (response.status >= 300 && response.status < 400 && response.headers.has("Location")) {
+					const redirectUrl = response.headers.get("Location");
+					span.setAttribute("http.redirect.url", redirectUrl);
+					return await load(redirectUrl, options);
+				}
+				const result = await getRemoteDocument(url, response, load);
+				span.setAttribute("docloader.document_url", result.documentUrl);
+				if (result.contextUrl != null) span.setAttribute("docloader.context_url", result.contextUrl);
+				return result;
+			} catch (error) {
+				span.recordException(error);
+				span.setStatus({
+					code: __opentelemetry_api.SpanStatusCode.ERROR,
+					message: String(error)
+				});
+				throw error;
+			} finally {
+				span.end();
+			}
 		});
-		if (response.status >= 300 && response.status < 400 && response.headers.has("Location")) return load(response.headers.get("Location"), options);
-		return getRemoteDocument(url, response, load);
 	}
 	return load;
 }

package/dist/mod.js

@@ -1,4 +1,5 @@
 import { getLogger } from "@logtape/logtape";
+import { SpanKind, SpanStatusCode, trace } from "@opentelemetry/api";
 import process from "node:process";
 import { lookup } from "node:dns/promises";
 import { isIP } from "node:net";
@@ -4155,6 +4156,43 @@ const preloadedContexts = {
 };
 var contexts_default = preloadedContexts;
 
+//#endregion
+//#region deno.json
+var name = "@fedify/vocab-runtime";
+var version = "2.0.0-dev.85+a55c8362";
+var license = "MIT";
+var exports = { ".": "./src/mod.ts" };
+var description = "Runtime library for @fedify/vocab";
+var author = {
+	"name": "Hong Minhee",
+	"email": "hong@minhee.org",
+	"url": "https://hongminhee.org/"
+};
+var imports = {
+	"@multiformats/base-x": "npm:@multiformats/base-x@^4.0.1",
+	"asn1js": "npm:asn1js@^3.0.6",
+	"byte-encodings": "npm:byte-encodings@^1.0.11",
+	"fetch-mock": "npm:fetch-mock@^12.5.4",
+	"multicodec": "npm:multicodec@^3.2.1",
+	"pkijs": "npm:pkijs@^3.2.5"
+};
+var exclude = ["dist", "node_modules"];
+var tasks = {
+	"check": "deno fmt --check && deno lint && deno check src/*.ts",
+	"test": "deno test"
+};
+var deno_default = {
+	name,
+	version,
+	license,
+	exports,
+	description,
+	author,
+	imports,
+	exclude,
+	tasks
+};
+
 //#endregion
 //#region src/link.ts
 const parametersNeedLowerCase = ["rel", "type"];
@@ -4337,42 +4375,6 @@ var HttpHeaderLink = class HttpHeaderLink {
 	}
 };
 
-//#endregion
-//#region deno.json
-var name = "@fedify/vocab-runtime";
-var version = "2.0.0-dev.1908+c31cc639";
-var license = "MIT";
-var exports = { ".": "./src/mod.ts" };
-var description = "Runtime library for @fedify/vocab";
-var author = {
-	"name": "Hong Minhee",
-	"email": "hong@minhee.org",
-	"url": "https://hongminhee.org/"
-};
-var imports = {
-	"asn1js": "npm:asn1js@^3.0.6",
-	"byte-encodings": "npm:byte-encodings@^1.0.11",
-	"fetch-mock": "npm:fetch-mock@^12.5.4",
-	"multicodec": "npm:multicodec@^3.2.1",
-	"pkijs": "npm:pkijs@^3.2.5"
-};
-var exclude = ["dist", "node_modules"];
-var tasks = {
-	"check": "deno fmt --check && deno lint && deno check src/*.ts",
-	"test": "deno test"
-};
-var deno_default = {
-	name,
-	version,
-	license,
-	exports,
-	description,
-	author,
-	imports,
-	exclude,
-	tasks
-};
-
 //#endregion
 //#region src/request.ts
 /**
@@ -4559,29 +4561,38 @@ async function getRemoteDocument(url, response, fetch$1) {
 	}
 	let document;
 	if (!jsonLd && (contentType === "text/html" || contentType?.startsWith("text/html;") || contentType === "application/xhtml+xml" || contentType?.startsWith("application/xhtml+xml;"))) {
-		const p = /<(a|link)((\s+[a-z][a-z:_-]*=("[^"]*"|'[^']*'|[^\s>]+))+)\s*\/?>/gi;
-		const p2 = /\s+([a-z][a-z:_-]*)=("([^"]*)"|'([^']*)'|([^\s>]+))/gi;
+		const MAX_HTML_SIZE = 1024 * 1024;
 		const html = await response.text();
-		let m;
-		const rawAttribs = [];
-		while ((m = p.exec(html)) !== null) rawAttribs.push(m[2]);
-		for (const rawAttrs of rawAttribs) {
-			let m2;
-			const attribs = {};
-			while ((m2 = p2.exec(rawAttrs)) !== null) {
-				const key = m2[1].toLowerCase();
-				const value = m2[3] ?? m2[4] ?? m2[5] ?? "";
-				attribs[key] = value;
-			}
-			if (attribs.rel === "alternate" && "type" in attribs && (attribs.type === "application/activity+json" || attribs.type === "application/ld+json" || attribs.type.startsWith("application/ld+json;")) && "href" in attribs && new URL(attribs.href, docUrl).href !== docUrl.href) {
-				logger.debug("Found alternate document: {alternateUrl} from {url}", {
-					alternateUrl: attribs.href,
-					url: documentUrl
-				});
-				return await fetch$1(new URL(attribs.href, docUrl).href);
+		if (html.length > MAX_HTML_SIZE) {
+			logger.warn("HTML response too large, skipping alternate link discovery: {url}", {
+				url: documentUrl,
+				size: html.length
+			});
+			document = JSON.parse(html);
+		} else {
+			const tagPattern = /<(a|link)\s+([^>]*?)\s*\/?>/gi;
+			const attrPattern = /([a-z][a-z:_-]*)=(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
+			let tagMatch;
+			while ((tagMatch = tagPattern.exec(html)) !== null) {
+				const tagContent = tagMatch[2];
+				let attrMatch;
+				const attribs = {};
+				attrPattern.lastIndex = 0;
+				while ((attrMatch = attrPattern.exec(tagContent)) !== null) {
+					const key = attrMatch[1].toLowerCase();
+					const value = attrMatch[2] ?? attrMatch[3] ?? attrMatch[4] ?? "";
+					attribs[key] = value;
+				}
+				if (attribs.rel === "alternate" && "type" in attribs && (attribs.type === "application/activity+json" || attribs.type === "application/ld+json" || attribs.type.startsWith("application/ld+json;")) && "href" in attribs && new URL(attribs.href, docUrl).href !== docUrl.href) {
+					logger.debug("Found alternate document: {alternateUrl} from {url}", {
+						alternateUrl: attribs.href,
+						url: documentUrl
+					});
+					return await fetch$1(new URL(attribs.href, docUrl).href);
+				}
 			}
+			document = JSON.parse(html);
 		}
-		document = JSON.parse(html);
 	} else document = await response.json();
 	logger.debug("Fetched document: {status} {url} {headers}", {
 		status: response.status,
@@ -4612,6 +4623,8 @@ async function getRemoteDocument(url, response, fetch$1) {
 * @since 1.3.0
 */
 function getDocumentLoader({ allowPrivateAddress, skipPreloadedContexts, userAgent } = {}) {
+	const tracerProvider = trace.getTracerProvider();
+	const tracer = tracerProvider.getTracer(deno_default.name, deno_default.version);
 	async function load(url, options) {
 		options?.signal?.throwIfAborted();
 		if (!skipPreloadedContexts && url in contexts_default) {
@@ -4631,14 +4644,38 @@ function getDocumentLoader({ allowPrivateAddress, skipPreloadedContexts, userAge
 			});
 			throw error;
 		}
-		const request = createActivityPubRequest(url, { userAgent });
-		logRequest(logger, request);
-		const response = await fetch(request, {
-			redirect: "manual",
-			signal: options?.signal
+		return await tracer.startActiveSpan("activitypub.fetch_document", {
+			kind: SpanKind.CLIENT,
+			attributes: { "url.full": url }
+		}, async (span) => {
+			try {
+				const request = createActivityPubRequest(url, { userAgent });
+				logRequest(logger, request);
+				const response = await fetch(request, {
+					redirect: "manual",
+					signal: options?.signal
+				});
+				span.setAttribute("http.response.status_code", response.status);
+				if (response.status >= 300 && response.status < 400 && response.headers.has("Location")) {
+					const redirectUrl = response.headers.get("Location");
+					span.setAttribute("http.redirect.url", redirectUrl);
+					return await load(redirectUrl, options);
+				}
+				const result = await getRemoteDocument(url, response, load);
+				span.setAttribute("docloader.document_url", result.documentUrl);
+				if (result.contextUrl != null) span.setAttribute("docloader.context_url", result.contextUrl);
+				return result;
+			} catch (error) {
+				span.recordException(error);
+				span.setStatus({
+					code: SpanStatusCode.ERROR,
+					message: String(error)
+				});
+				throw error;
+			} finally {
+				span.end();
+			}
 		});
-		if (response.status >= 300 && response.status < 400 && response.headers.has("Location")) return load(response.headers.get("Location"), options);
-		return getRemoteDocument(url, response, load);
 	}
 	return load;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fedify/vocab-runtime",
-  "version": "2.0.0-dev.1908+c31cc639",
+  "version": "2.0.0-dev.85+a55c8362",
   "homepage": "https://fedify.dev/",
   "repository": {
     "type": "git",
@@ -55,8 +55,9 @@
     "typescript": "^5.9.3"
   },
   "dependencies": {
-    "@logtape/logtape": "^1.1.1",
+    "@logtape/logtape": "^1.3.5",
     "@multiformats/base-x": "^4.0.1",
+    "@opentelemetry/api": "^1.9.0",
     "asn1js": "^3.0.6",
     "byte-encodings": "^1.0.11",
     "multicodec": "^3.2.1",

package/src/docloader.test.ts

@@ -1,5 +1,5 @@
 import fetchMock from "fetch-mock";
-import { deepStrictEqual, rejects } from "node:assert";
+import { deepStrictEqual, ok, rejects } from "node:assert";
 import { test } from "node:test";
 import preloadedContexts from "./contexts.ts";
 import { getDocumentLoader } from "./docloader.ts";
@@ -361,5 +361,33 @@ test("getDocumentLoader()", async (t) => {
     );
   });
 
+  // Regression test for ReDoS vulnerability (CVE-2025-68475)
+  // Malicious HTML payload: <a a="b" a="b" ... (unclosed tag)
+  // With the vulnerable regex, this causes catastrophic backtracking
+  const maliciousPayload = "<a" + ' a="b"'.repeat(30) + " ";
+
+  fetchMock.get("https://example.com/redos", {
+    body: maliciousPayload,
+    headers: { "Content-Type": "text/html; charset=utf-8" },
+  });
+
+  await t.test("ReDoS resistance (CVE-2025-68475)", async () => {
+    const start = performance.now();
+    // The malicious HTML will fail JSON parsing, but the important thing is
+    // that it should complete quickly (not hang due to ReDoS)
+    await rejects(
+      () => fetchDocumentLoader("https://example.com/redos"),
+      SyntaxError,
+    );
+    const elapsed = performance.now() - start;
+
+    // Should complete in under 1 second. With the vulnerable regex,
+    // this would take 14+ seconds for 30 repetitions.
+    ok(
+      elapsed < 1000,
+      `Potential ReDoS vulnerability detected: ${elapsed}ms (expected < 1000ms)`,
+    );
+  });
+
   fetchMock.hardReset();
 });

package/src/docloader.ts

@@ -1,4 +1,6 @@
 import { getLogger } from "@logtape/logtape";
+import { SpanKind, SpanStatusCode, trace } from "@opentelemetry/api";
+import metadata from "../deno.json" with { type: "json" };
 import preloadedContexts from "./contexts.ts";
 import { HttpHeaderLink } from "./link.ts";
 import {
@@ -189,37 +191,55 @@ export async function getRemoteDocument(
       contentType === "application/xhtml+xml" ||
       contentType?.startsWith("application/xhtml+xml;"))
   ) {
-    const p =
-      /<(a|link)((\s+[a-z][a-z:_-]*=("[^"]*"|'[^']*'|[^\s>]+))+)\s*\/?>/ig;
-    const p2 = /\s+([a-z][a-z:_-]*)=("([^"]*)"|'([^']*)'|([^\s>]+))/ig;
+    // Security: Limit HTML response size to mitigate ReDoS attacks
+    const MAX_HTML_SIZE = 1024 * 1024; // 1MB
     const html = await response.text();
-    let m: RegExpExecArray | null;
-    const rawAttribs: string[] = [];
-    while ((m = p.exec(html)) !== null) rawAttribs.push(m[2]);
-    for (const rawAttrs of rawAttribs) {
-      let m2: RegExpExecArray | null;
-      const attribs: Record<string, string> = {};
-      while ((m2 = p2.exec(rawAttrs)) !== null) {
-        const key = m2[1].toLowerCase();
-        const value = m2[3] ?? m2[4] ?? m2[5] ?? "";
-        attribs[key] = value;
-      }
-      if (
-        attribs.rel === "alternate" && "type" in attribs && (
-          attribs.type === "application/activity+json" ||
-          attribs.type === "application/ld+json" ||
-          attribs.type.startsWith("application/ld+json;")
-        ) && "href" in attribs &&
-        new URL(attribs.href, docUrl).href !== docUrl.href
-      ) {
-        logger.debug(
-          "Found alternate document: {alternateUrl} from {url}",
-          { alternateUrl: attribs.href, url: documentUrl },
-        );
-        return await fetch(new URL(attribs.href, docUrl).href);
+    if (html.length > MAX_HTML_SIZE) {
+      logger.warn(
+        "HTML response too large, skipping alternate link discovery: {url}",
+        { url: documentUrl, size: html.length },
+      );
+      document = JSON.parse(html);
+    } else {
+      // Safe regex patterns without nested quantifiers to prevent ReDoS
+      // (CVE-2025-68475)
+      // Step 1: Extract <a ...> or <link ...> tags
+      const tagPattern = /<(a|link)\s+([^>]*?)\s*\/?>/gi;
+      // Step 2: Parse attributes
+      const attrPattern =
+        /([a-z][a-z:_-]*)=(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
+
+      let tagMatch: RegExpExecArray | null;
+      while ((tagMatch = tagPattern.exec(html)) !== null) {
+        const tagContent = tagMatch[2];
+        let attrMatch: RegExpExecArray | null;
+        const attribs: Record<string, string> = {};
+
+        // Reset regex state for attribute parsing
+        attrPattern.lastIndex = 0;
+        while ((attrMatch = attrPattern.exec(tagContent)) !== null) {
+          const key = attrMatch[1].toLowerCase();
+          const value = attrMatch[2] ?? attrMatch[3] ?? attrMatch[4] ?? "";
+          attribs[key] = value;
+        }
+
+        if (
+          attribs.rel === "alternate" && "type" in attribs && (
+            attribs.type === "application/activity+json" ||
+            attribs.type === "application/ld+json" ||
+            attribs.type.startsWith("application/ld+json;")
+          ) && "href" in attribs &&
+          new URL(attribs.href, docUrl).href !== docUrl.href
+        ) {
+          logger.debug(
+            "Found alternate document: {alternateUrl} from {url}",
+            { alternateUrl: attribs.href, url: documentUrl },
+          );
+          return await fetch(new URL(attribs.href, docUrl).href);
+        }
       }
+      document = JSON.parse(html);
     }
-    document = JSON.parse(html);
   } else {
     document = await response.json();
   }
@@ -266,6 +286,9 @@ export function getDocumentLoader(
   { allowPrivateAddress, skipPreloadedContexts, userAgent }:
     GetDocumentLoaderOptions = {},
 ): DocumentLoader {
+  const tracerProvider = trace.getTracerProvider();
+  const tracer = tracerProvider.getTracer(metadata.name, metadata.version);
+
   async function load(
     url: string,
     options?: DocumentLoaderOptions,
@@ -289,23 +312,56 @@ export function getDocumentLoader(
         throw error;
       }
     }
-    const request = createActivityPubRequest(url, { userAgent });
-    logRequest(logger, request);
-    const response = await fetch(request, {
-      // Since Bun has a bug that ignores the `Request.redirect` option,
-      // to work around it we specify `redirect: "manual"` here too:
-      // https://github.com/oven-sh/bun/issues/10754
-      redirect: "manual",
-      signal: options?.signal,
-    });
-    // Follow redirects manually to get the final URL:
-    if (
-      response.status >= 300 && response.status < 400 &&
-      response.headers.has("Location")
-    ) {
-      return load(response.headers.get("Location")!, options);
-    }
-    return getRemoteDocument(url, response, load);
+
+    return await tracer.startActiveSpan(
+      "activitypub.fetch_document",
+      {
+        kind: SpanKind.CLIENT,
+        attributes: {
+          "url.full": url,
+        },
+      },
+      async (span) => {
+        try {
+          const request = createActivityPubRequest(url, { userAgent });
+          logRequest(logger, request);
+          const response = await fetch(request, {
+            // Since Bun has a bug that ignores the `Request.redirect` option,
+            // to work around it we specify `redirect: "manual"` here too:
+            // https://github.com/oven-sh/bun/issues/10754
+            redirect: "manual",
+            signal: options?.signal,
+          });
+          span.setAttribute("http.response.status_code", response.status);
+
+          // Follow redirects manually to get the final URL:
+          if (
+            response.status >= 300 && response.status < 400 &&
+            response.headers.has("Location")
+          ) {
+            const redirectUrl = response.headers.get("Location")!;
+            span.setAttribute("http.redirect.url", redirectUrl);
+            return await load(redirectUrl, options);
+          }
+
+          const result = await getRemoteDocument(url, response, load);
+          span.setAttribute("docloader.document_url", result.documentUrl);
+          if (result.contextUrl != null) {
+            span.setAttribute("docloader.context_url", result.contextUrl);
+          }
+          return result;
+        } catch (error) {
+          span.recordException(error as Error);
+          span.setStatus({
+            code: SpanStatusCode.ERROR,
+            message: String(error),
+          });
+          throw error;
+        } finally {
+          span.end();
+        }
+      },
+    );
   }
   return load;
 }