Fedify 2.1.7

Released on April 21, 2026.

@fedify/init

• Fixed fedify init generating Astro projects for Bun with the Node.js adapter and astro preview, which could fail to run correctly on Bun. Astro + Bun projects now use @nurodev/astro-bun and run the built Bun server entry point instead. [#707]

Fedify 2.1.6

Released on April 20, 2026.

@fedify/astro

• Restored the npm entrypoint contract for @fedify/astro by making the build emit dist/*.js and dist/*.d.ts files that match the published package metadata again. This fixes package resolution failures caused by package.json exporting files that did not exist in the npm tarball. [#699, #701]

@fedify/cli

• Fixed fedify lookup failing to look up URLs on private or localhost addresses unless -p/--allow-private-address was passed, which was a regression introduced in Fedify 2.1.0 when the CLI began forwarding the allowPrivateAddress option to the underlying document loader. URLs explicitly provided on the command line now always allow private addresses, while URLs discovered during -t/--traverse honor the option to mitigate SSRF attacks against private addresses. Recursive fetches via --recurse continue to always disallow private addresses regardless of the option. [#696, #698 by Chanhaeng Lee]

Fedify 2.1.5

Released on April 8, 2026.

@fedify/fedify

• Fixed Context.getActorKeyPairs() assigning the same key ID to both the CryptographicKey (used for HTTP Signatures and Linked Data Signatures) and the Multikey (used for Object Integrity Proofs) within an ActorKeyPair. The Multikey now receives a distinct ID (#multikey-1, #multikey-2, …) so that the actor document no longer contains two objects sharing the same id, which was invalid JSON-LD. Object Integrity Proof signatures now reference the correct Multikey ID instead of the CryptographicKey ID. [#663]

• Object Integrity Proofs signing now takes place before activity fanout, so all recipients receive the same pre-signed activity. Previously, OIP signing was deferred until after fanout, meaning each fanout worker would re-sign independently with potentially different timestamps and the fanout message itself contained an unsigned activity.

@fedify/cfworkers

• Fixed a remaining TypeScript type mismatch for Cloudflare Workers users who pass wrangler types or @cloudflare/vite-plugin generated KV bindings to WorkersKvStore. The package now accepts a minimal structural KV binding interface for WorkersKvStore and WorkersMessageQueue's orderingKv option instead of requiring the nominal KVNamespace type imported from @cloudflare/workers-types, so generated local declarations compile without casts or @ts-expect-error. [#665]

Fedify 2.0.12

Released on April 8, 2026.

@fedify/fedify

• Fixed Context.getActorKeyPairs() assigning the same key ID to both the CryptographicKey (used for HTTP Signatures and Linked Data Signatures) and the Multikey (used for Object Integrity Proofs) within an ActorKeyPair. The Multikey now receives a distinct ID (#multikey-1, #multikey-2, …) so that the actor document no longer contains two objects sharing the same id, which was invalid JSON-LD. Object Integrity Proof signatures now reference the correct Multikey ID instead of the CryptographicKey ID. [#663]

• Object Integrity Proofs signing now takes place before activity fanout, so all recipients receive the same pre-signed activity. Previously, OIP signing was deferred until after fanout, meaning each fanout worker would re-sign independently with potentially different timestamps and the fanout message itself contained an unsigned activity.

@fedify/cfworkers

• Fixed a remaining TypeScript type mismatch for Cloudflare Workers users who pass wrangler types or @cloudflare/vite-plugin generated KV bindings to WorkersKvStore. The package now accepts a minimal structural KV binding interface for WorkersKvStore and WorkersMessageQueue's orderingKv option instead of requiring the nominal KVNamespace type imported from @cloudflare/workers-types, so generated local declarations compile without casts or @ts-expect-error. [#665]

Fedify 1.10.8

Released on April 8, 2026.

@fedify/fedify

• Fixed Context.getActorKeyPairs() assigning the same key ID to both the CryptographicKey (used for HTTP Signatures and Linked Data Signatures) and the Multikey (used for Object Integrity Proofs) within an ActorKeyPair. The Multikey now receives a distinct ID (#multikey-1, #multikey-2, …) so that the actor document no longer contains two objects sharing the same id, which was invalid JSON-LD. Object Integrity Proof signatures now reference the correct Multikey ID instead of the CryptographicKey ID. [#663]

• Object Integrity Proofs signing now takes place before activity fanout, so all recipients receive the same pre-signed activity. Previously, OIP signing was deferred until after fanout, meaning each fanout worker would re-sign independently with potentially different timestamps and the fanout message itself contained an unsigned activity.

Fedify 1.9.9

Released on April 8, 2026.

@fedify/fedify

• Fixed Context.getActorKeyPairs() assigning the same key ID to both the CryptographicKey (used for HTTP Signatures and Linked Data Signatures) and the Multikey (used for Object Integrity Proofs) within an ActorKeyPair. The Multikey now receives a distinct ID (#multikey-1, #multikey-2, …) so that the actor document no longer contains two objects sharing the same id, which was invalid JSON-LD. Object Integrity Proof signatures now reference the correct Multikey ID instead of the CryptographicKey ID. [#663]

• Object Integrity Proofs signing now takes place before activity fanout, so all recipients receive the same pre-signed activity. Previously, OIP signing was deferred until after fanout, meaning each fanout worker would re-sign independently with potentially different timestamps and the fanout message itself contained an unsigned activity.

Fedify 2.1.4

Released on April 7, 2026.

@fedify/fedify

• Fixed sendActivity() not awaiting fanoutQueue.enqueue() in the fanout path, which could cause fanout messages to be silently dropped on runtimes like Cloudflare Workers that may terminate an isolate as soon as the response is sent. [#661]

@fedify/cfworkers

• Fixed a TypeScript type mismatch that occurred when passing wrangler types-generated binding types (e.g. KVNamespace, Queue) to WorkersKvStore and WorkersMessageQueue constructors. The package previously imported these types from @cloudflare/workers-types/experimental, which includes extra members (such as KVNamespace.deleteBulk()) absent from types generated by wrangler types, causing TypeScript assignment errors at the call site. The import now uses the stable @cloudflare/workers-types entrypoint, whose definitions match what wrangler types generates. [#662]

Fedify 2.0.11

Released on April 7, 2026.

@fedify/fedify

• Fixed sendActivity() not awaiting fanoutQueue.enqueue() in the fanout path, which could cause fanout messages to be silently dropped on runtimes like Cloudflare Workers that may terminate an isolate as soon as the response is sent. [#661]

@fedify/cfworkers

• Fixed a TypeScript type mismatch that occurred when passing wrangler types-generated binding types (e.g. KVNamespace, Queue) to WorkersKvStore and WorkersMessageQueue constructors. The package previously imported these types from @cloudflare/workers-types/experimental, which includes extra members (such as KVNamespace.deleteBulk()) absent from types generated by wrangler types, causing TypeScript assignment errors at the call site. The import now uses the stable @cloudflare/workers-types entrypoint, whose definitions match what wrangler types generates. [#662]

Fedify 1.10.7

Released on April 7, 2026.

@fedify/fedify

• Fixed sendActivity() not awaiting fanoutQueue.enqueue() in the fanout path, which could cause fanout messages to be silently dropped on runtimes like Cloudflare Workers that may terminate an isolate as soon as the response is sent. [#661]

Fedify 1.9.8

Released on April 7, 2026.

@fedify/fedify

• Fixed sendActivity() not awaiting fanoutQueue.enqueue() in the fanout path, which could cause fanout messages to be silently dropped on runtimes like Cloudflare Workers that may terminate an isolate as soon as the response is sent. [#661]