
Update Fedify packages to v1.10.4 #1668

Open

renovate[bot] wants to merge 1 commit into main from renovate/fedify


@renovate renovate bot commented Mar 18, 2026

This PR contains the following updates:

Package | Change
@fedify/cli | 1.9.1 → 1.10.4
@fedify/fedify | 1.9.2 → 1.10.4
@fedify/hono | 1.9.1 → 1.10.4
@fedify/redis | 1.9.1 → 1.10.4

Release Notes

fedify-dev/fedify (@fedify/cli)

v1.10.4

Released on March 11, 2026.

@fedify/fedify

v1.10.3

Released on February 1, 2026.

@fedify/fedify
  • Fixed traverseCollection() yielding no items when a Collection has
    an inline CollectionPage in its first property without an explicit
    id. This is common in Mastodon's replies collections. The function
    previously used collection.firstId to determine pagination, which
    returned null for inline pages without an id, causing it to
    incorrectly fall into the non-paginated branch. [#550 by Lee Dogeon]

v1.10.2

Released on January 23, 2026.

@fedify/testing
  • Fixed TestContext.getActorKeyPairs() returning empty array instead of
    calling registered key pairs dispatcher. The method now properly invokes
    the key pairs dispatcher when it is registered via
    setKeyPairsDispatcher(). [#530]

v1.10.1

Released on January 22, 2026.

@fedify/testing
  • Fixed TestContext.getActor() and TestContext.getObject() returning
    null instead of calling registered dispatchers. The methods now properly
    invoke actor and object dispatchers when they are registered via
    setActorDispatcher() and setObjectDispatcher(). [#530]

v1.10.0

Released on December 24, 2025.

@fedify/fedify
  • Enhanced OpenTelemetry instrumentation with span events for capturing
    detailed activity data. Span events now record complete activity JSON
    payloads and verification status, enabling richer observability and
    debugging capabilities without relying solely on span attributes
    (which only support primitive values). [#323]

    • Added activitypub.activity.received span event to the
      activitypub.inbox span, recording the full activity JSON,
      verification status (activity verified, HTTP signatures verified,
      Linked Data signatures verified), and actor information.
    • Added activitypub.activity.sent span event to the
      activitypub.send_activity span, recording the full activity JSON
      and target inbox URL.
    • Added activitypub.object.fetched span event to the
      activitypub.lookup_object span, recording the fetched object's
      type and complete JSON-LD representation.
  • Added OpenTelemetry spans for previously uninstrumented operations:
    [#323]

    • Added activitypub.fetch_document span for document loader operations,
      tracking URL fetching, HTTP redirects, and final document URLs.
    • Added activitypub.verify_key_ownership span for cryptographic
      key ownership verification, recording actor ID, key ID, verification
      result, and the verification method used.
  • Added optional list() method to the KvStore interface for enumerating
    entries by key prefix. This method takes an optional prefix parameter;
    when omitted or empty, it returns all entries. This enables efficient
    prefix scanning which is useful for implementing features like distributed
    trace storage, cache invalidation by prefix, and listing related entries.
    [#498, #500]

    • Added KvStoreListEntry interface.
    • Implemented in MemoryKvStore.
  • Added FedifySpanExporter class that persists ActivityPub activity traces
    to a KvStore for distributed tracing support. This enables aggregating
    trace data across multiple nodes in a distributed deployment, making it
    possible to build debug dashboards that show complete request flows across
    web servers and background workers. [#497, #502]

    • Added @fedify/fedify/otel module.
    • Added FedifySpanExporter class implementing OpenTelemetry's
      SpanExporter interface.
    • Added TraceActivityRecord interface for stored activity data,
      including actorId and signatureDetails fields for debug dashboard
      support.
    • Added SignatureVerificationDetails interface for detailed signature
      verification information.
    • Added TraceSummary interface for trace listing.
    • Added FedifySpanExporterOptions interface.
    • Added GetRecentTracesOptions interface.
    • Added ActivityDirection type.
@fedify/nestjs
  • Allowed Express 5 in the express peer dependency range to support NestJS 11.
    [#492, #493 by Cho Hasang]
@fedify/sqlite
@fedify/postgres
@fedify/redis
@fedify/denokv
@fedify/cfworkers

v1.9.5

Released on February 1, 2026.

@fedify/fedify
  • Fixed traverseCollection() yielding no items when a Collection has
    an inline CollectionPage in its first property without an explicit
    id. This is common in Mastodon's replies collections. The function
    previously used collection.firstId to determine pagination, which
    returned null for inline pages without an id, causing it to
    incorrectly fall into the non-paginated branch. [#550 by Lee Dogeon]

v1.9.4

Released on January 23, 2026.

@fedify/testing
  • Fixed TestContext.getActorKeyPairs() returning empty array instead of
    calling registered key pairs dispatcher. The method now properly invokes
    the key pairs dispatcher when it is registered via
    setKeyPairsDispatcher(). [#530]

v1.9.3

Released on January 22, 2026.

@fedify/testing
  • Fixed TestContext.getActor() and TestContext.getObject() returning
    null instead of calling registered dispatchers. The methods now properly
    invoke actor and object dispatchers when they are registered via
    setActorDispatcher() and setObjectDispatcher(). [#530]

v1.9.2

Released on December 20, 2025.

@fedify/fedify
  • Fixed a ReDoS (Regular Expression Denial of Service) vulnerability in
    the document loader's HTML parsing. An attacker-controlled server could
    respond with a malicious HTML payload that blocked the event loop.
    [CVE-2025-68475]
@fedify/sqlite
  • Fixed SyntaxError: Identifier 'Temporal' has already been declared error
    that occurred when using SqliteKvStore on Node.js or Bun. The error
    was caused by duplicate Temporal imports during the build process.
    [#487]

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - Between 07:00 AM and 04:59 PM, only on Monday, Tuesday, Wednesday, and Thursday ( * 7-16 * * 1,2,3,4 ) (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
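The traverseCollection() fix quoted in the release notes above (v1.9.5 / v1.10.3), shown as an added example that is not Fedify's own code: a minimal traverser over plain ActivityStreams JSON with the old firstId-based pagination check beside the corrected one. The type names, the resolve callback and the sample pages are this example's own constructions.

```typescript
// Added example (not Fedify's own code): a minimal traverser over plain
// ActivityStreams JSON showing the pagination bug fixed in Fedify 1.9.5/1.10.3.
// Type names, the resolve callback and the sample pages are this example's own.
type Page = { id?: string; type: "CollectionPage"; items?: string[]; next?: string | Page };
type Collection = { id: string; type: "Collection"; items?: string[]; first?: string | Page };
type Resolve = (url: string) => Page | undefined; // fetches a page by URL

// Old behaviour: pagination was detected via firstId, which is only set when
// `first` is a URL or an inline page that carries an explicit `id`.
function firstIdOf(c: Collection): string | null {
  if (c.first === undefined) return null;
  return typeof c.first === "string" ? c.first : (c.first.id ?? null);
}

function traverseBuggy(c: Collection, resolve: Resolve): string[] {
  const firstId = firstIdOf(c);
  if (firstId === null) return c.items ?? []; // inline first page without id lands here
  return walk(resolve(firstId), resolve);
}

// Fixed behaviour: use the inline `first` object itself; only resolve URLs.
function traverseFixed(c: Collection, resolve: Resolve): string[] {
  if (c.first === undefined) return c.items ?? [];
  return walk(typeof c.first === "string" ? resolve(c.first) : c.first, resolve);
}

// Follows `next` links; a seen-set stops cycles between pages that have ids.
function walk(page: Page | undefined, resolve: Resolve): string[] {
  const out: string[] = [];
  const seen = new Set<string>();
  while (page !== undefined) {
    if (page.id !== undefined) { if (seen.has(page.id)) break; seen.add(page.id); }
    out.push(...(page.items ?? []));
    page = typeof page.next === "string" ? resolve(page.next) : page.next;
  }
  return out;
}

// Constructed sample modelled on a Mastodon-style replies collection: the first
// page is inline with no id and links to a second page by URL.
const PAGE2_URL = "https://example.test/replies?page=2";
const PAGES: Record<string, Page> = {
  [PAGE2_URL]: { id: PAGE2_URL, type: "CollectionPage", items: ["https://example.test/notes/3"] },
};
const resolveSample: Resolve = (url) => PAGES[url];
const inlineFirstCollection: Collection = {
  id: "https://example.test/replies", type: "Collection",
  first: { type: "CollectionPage", items: ["https://example.test/notes/1", "https://example.test/notes/2"], next: PAGE2_URL },
};
const urlFirstCollection: Collection = { id: "https://example.test/other", type: "Collection", first: PAGE2_URL };
```

With the inline-first sample the old check yields nothing while the fixed one yields all three notes; when `first` is a URL both paths agree.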

@sagzy sagzy requested a review from Copilot March 18, 2026 10:52

sagzy commented Mar 18, 2026

@CodeRabbit review pls


coderabbitai bot commented Mar 18, 2026

@sagzy Sure, I'll kick off a review of this PR right away!

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.


coderabbitai bot commented Mar 18, 2026

Walkthrough

Two package.json files are updated with dependency version bumps for @fedify packages. The root package.json updates four @fedify packages (@fedify/cli, @fedify/fedify, @fedify/hono, @fedify/redis) from version 1.9.x to 1.10.4. The jobs/reconcile-account-topics/package.json updates @fedify/fedify from 1.9.2 to 1.10.4. No logic changes or functional modifications are present.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

Check name | Status | Explanation
Title check | ✅ Passed | The title clearly and accurately summarizes the main change: updating Fedify packages to v1.10.4.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description check | ✅ Passed | The pull request description clearly identifies all package updates with version numbers, release dates, and relevant change details from the Fedify packages.


Copilot AI left a comment

Pull request overview

Updates the project’s Fedify ecosystem dependencies to v1.10.4 to pick up upstream fixes and improvements (notably in @fedify/fedify and @fedify/redis), with corresponding lockfile refresh.

Changes:

  • Bump @fedify/cli, @fedify/fedify, @fedify/hono, and @fedify/redis to 1.10.4 in package.json.
  • Bump @fedify/fedify to 1.10.4 for the reconcile-account-topics job package.
  • Regenerate yarn.lock to reflect updated Fedify transitive dependencies (e.g., jsonld, undici, @digitalbazaar/http-client, rdf-canonize).

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.

File | Description
package.json | Updates root dev/runtime Fedify packages to 1.10.4.
yarn.lock | Lockfile refresh for the new Fedify versions and transitive dependency graph.
jobs/reconcile-account-topics/package.json | Updates the job's @fedify/fedify dependency to 1.10.4.


Comment on lines 4 to 6
"dependencies": {
"@fedify/fedify": "1.9.2",
"@fedify/fedify": "1.10.4",
"mysql2": "3.19.1"
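Review bot: the @fedify/fedify pin in this hunk moves from 1.9.2 to 1.10.4, but 1.9.2 is already the release that shipped the CVE-2025-68475 ReDoS fix (it is listed under v1.9.2 in the release notes above), so this job was not exposed to that CVE before the bump; what the job actually gains is the traverseCollection() inline-first-page fix (v1.9.5 / v1.10.3) and the v1.10.0 KvStore list() and OpenTelemetry additions. Suggest saying so in the PR description rather than presenting the CVE fix as the headline benefit of this change.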

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Line 49: Update the `@fedify/cli` dependency to "1.10.4" in package.json (the
existing "@fedify/cli" entry) and run the full test suite; specifically exercise
your custom KnexKvStore implementation and any role-guard middleware that
depends on KvStore to confirm compatibility with the CVE-2025-68475 fix,
OpenTelemetry changes, and the optional list() addition to KvStore.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a013a58c-8861-4d53-9ca5-51a7bc79dbd9

📥 Commits

Reviewing files that changed from the base of the PR and between 7910a34 and b633d4b.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (2)
  • jobs/reconcile-account-topics/package.json
  • package.json

"@cucumber/cucumber": "11.3.0",
"@faker-js/faker": "9.9.0",
"@fedify/cli": "1.9.1",
"@fedify/cli": "1.10.4",
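Review bot: @fedify/cli jumps from 1.9.1 to 1.10.4 in this hunk, yet none of the release-note entries in the description cover @fedify/cli (they are for @fedify/fedify, @fedify/testing, @fedify/nestjs and @fedify/sqlite), so the description does not document what changes for the CLI; add a line stating that the bump only keeps the four @fedify packages on the same 1.10.4 pin, or link the CLI changelog. The neighbours @cucumber/cucumber and @faker-js/faker suggest this is the devDependencies block, which is worth confirming so the CLI bump is understood as test tooling only.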

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify the tests pass with the new Fedify versions

# Check if there are any direct usages of the new optional KvStore.list() method
# that might indicate the codebase is already trying to use it
rg -n 'KvStore.*list|\.list\s*\(' --type ts -g '!node_modules'

# Check for any traverseCollection usage that was affected by the bug fix
rg -n 'traverseCollection' --type ts -g '!node_modules'

Repository: TryGhost/ActivityPub

Length of output: 46


🏁 Script executed:

cat -n package.json | sed -n '45,75p'

Repository: TryGhost/ActivityPub

Length of output: 1300


🌐 Web query:

Fedify 1.10.4 release notes changelog security fixes

💡 Result:

No release notes, changelog, or security fixes found for Fedify version 1.10.4. Fedify 1.10.0 was released on December 24, 2025, introducing OpenTelemetry enhancements including FedifySpanExporter for tracing activities to KvStore, and an optional list method on KvStore interface (made required in 2.0.0). No specific mentions of 1.10.4 in official GitHub releases, changelogs at fedify.dev/changelog, or CHANGES.md. Latest versions are in 2.x series as of March 2026. Security fixes documented up to 1.8.5 for authentication bypass vulnerability (GHSA-6jcc-xgcr-q3h4). If 1.10.4 is a patch release, details may not be publicly highlighted or it may not exist; check GitHub releases directly for confirmation.


🌐 Web query:

CVE-2025-68475 ReDoS HTML parsing security vulnerability

💡 Result:

CVE-2025-68475 is a Regular Expression Denial of Service (ReDoS) vulnerability in the Fedify TypeScript library for building ActivityPub-powered federated server apps. It affects versions prior to 1.6.13, 1.7.14, 1.8.15, and 1.9.2. The vulnerability is in the document loader's HTML parsing regex at packages/fedify/src/runtime/docloader.ts:259, which uses nested quantifiers: /<(a|link)((\s+[a-z][a-z:_-]*=("[^"]*"|'[^']*'|[^\s>]+))+)\s*\/?>/ig. This causes catastrophic backtracking on maliciously crafted HTML (~170 bytes), blocking the Node.js event loop for 14+ seconds and enabling DoS. CVSS v3.1: 7.5 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). CWE-1333: Inefficient Regular Expression Complexity. Patched in versions 1.6.13, 1.7.14, 1.8.15, 1.9.2 via commits like fedify-dev/fedify@2bdcb24 and fedify-dev/fedify@bf2f078. Reported responsibly by Yue (Knox) Liu. Upgrade immediately if using affected versions. No public exploits found beyond PoC descriptions in advisory.


🏁 Script executed:

rg -n 'KvStore|RedisKvStore' --type ts -g '!node_modules' -A 2

Repository: TryGhost/ActivityPub

Length of output: 10824


LGTM! Security improvements and feature consistency across @fedify packages.

All @fedify packages updated consistently to 1.10.4, which includes:

  • CVE-2025-68475 security fix (ReDoS vulnerability in document loader's HTML parsing regex)
  • OpenTelemetry instrumentation improvements for tracing activities to KvStore
  • Optional list() method added to KvStore interface (relevant since your codebase implements custom KvStore)

The minor version bump (1.9 → 1.10) maintains backward compatibility with your existing usage of createFederation, KvStore, RedisKvStore, and verifyObject.

Recommend running your test suite to verify compatibility with the new versions, especially for the custom KnexKvStore implementation and role-guard middleware which depend on KvStore.

