Fedify 2.2.0

Released on April 28, 2026.

@fedify/fedify

• Shipped an Agent Skills bundle at skills/fedify/ and declared it in package.json through the agents.skills field. The skill teaches AI coding agents how to use Fedify inside a consumer's project (builder pattern, dispatchers, framework integrations, vocabulary, keys, queues and storage, observability, CLI, and common pitfalls). Projects that run a tool implementing the Agent Skills spec, such as skills-npm, will pick up the skill automatically from node_modules, keeping the guidance in sync with the installed Fedify version. [#711, #712]

• Added setOutboxListeners() and OutboxContext for handling client-to-server POST requests to actor outboxes. Outbox listeners use application-defined authorization through .authorize(), catch activity types with .on(), and require explicit delivery through ctx.sendActivity() or ctx.forwardActivity(). Fedify now also logs a runtime warning when an outbox listener returns without delivering the posted activity. [#430, #688]

• Allowed actor dispatchers to return Tombstone for deleted accounts. Fedify now serves those actor URIs as 410 Gone with the serialized tombstone body, and the corresponding WebFinger lookups also return 410 Gone instead of pretending the account was never handled. Added a RequestContext.getActor() overload that can return those tombstones to application code when called with { tombstone: "passthrough" }. [#644, #680]

• Added DoubleKnockOptions.maxRedirection to configure the maximum number of redirects followed by doubleKnock(). getAuthenticatedDocumentLoader() now also respects GetAuthenticatedDocumentLoaderOptions.maxRedirection.

• Improved interoperability with threadiverse software by serializing the public audience as the full https://www.w3.org/ns/activitystreams#Public URI in outgoing activities' to, cc, bto, bcc, and audience fields, instead of the compacted as:Public or Public CURIEs that JSON-LD compaction would otherwise produce. Some ActivityPub implementations, Lemmy included, match those fields as plain URLs without JSON-LD expansion and would silently drop activities carrying the CURIE form; see LemmyNet/lemmy#6465. The rewrite is gated on a URDNA2015 canonical-form equivalence check, so an application-defined @context that redefines the as: prefix or the bare Public term is preserved as is. The rewrite is also applied before eddsa-jcs-2022 Object Integrity Proof signing so the signed bytes match what is sent on the wire. [#710, #721]

• Improved interoperability with Pixelfed by serializing outgoing activities' attachment fields as arrays even when there is only one attachment. JSON-LD compaction would otherwise emit a scalar value for single attachments, but Pixelfed currently expects an array and may reject incoming posts; see pixelfed/pixelfed#6588. [#721]

@fedify/lint

• Added the outbox-listener-delivery-required rule. It warns when an outbox listener registered through setOutboxListeners() returns without an explicit delivery call, which would otherwise leave a posted client activity unfederated. [#430, #688]

@fedify/testing

• Added createOutboxContext() plus postOutboxActivity() and mock setOutboxListeners() support so outbox listeners using either sendActivity() or forwardActivity() can be tested without spinning up a live federation server. [#430, #688]

@fedify/vocab-runtime

• Added DocumentLoaderFactoryOptions.maxRedirection to configure the maximum number of redirects followed by getDocumentLoader().

@fedify/vocab

• Added Tombstone.formerType plus generated entity type helpers for deleted vocabulary objects. Applications can now construct tombstones with Fedify entity classes such as Person, and @fedify/vocab now exports $EntityType, isEntityType(), and getEntityTypeById() for working with those references. Unknown remote formerType values are ignored with a warning instead of making the whole tombstone fail to parse. [#645, #681]

• Added FEP-044f vocabulary support for Mastodon-style quote posts. [#452, #679]

  • Added QuoteRequest and QuoteAuthorization classes.
  • Added canQuote to InteractionPolicy.
  • Added quote and quoteAuthorization properties to Article, ChatMessage, Note, and Question.

• Added vocabulary types for FEP-0837, economic resource coordination in federated networks. [#578 by Samuel Brinkmann]

  • Added Proposal class for publishing offers or requests.
  • Added Intent class for describing economic transactions within a proposal, with action, resourceConformsTo, resourceQuantity, availableQuantity, and minimumQuantity properties.
  • Added Measure class for representing quantities with units of measure, with unit and numericalValue properties.

@fedify/vocab-tools

• Added the fedify:vocabEntityType pseudo-scalar to the vocabulary generator. Vocabulary properties can now accept generated Fedify entity constructors instead of arbitrary IRIs when the schema wants a reference to a known vocabulary type. Generated code now also emits the supporting $EntityType, isEntityType(), and getEntityTypeById() helpers for working with those references. [#645, #681]

@fedify/cli

• Made fedify lookup --recurse honor -p/--allow-private-address for recursively discovered object URLs, matching the policy already used by -t/--traverse. Recursive lookups still reject private or localhost targets by default unless users explicitly opt in. [#700, #718]

• Added FEP-044f quote support to fedify lookup --recurse, so the CLI can follow both the new quote-post relation and the older quoteUrl compatibility surface. [#452, #679]

@fedify/solidstart

• Added @fedify/solidstart package for integrating Fedify with SolidStart. It provides fedifyMiddleware() for request handling with SolidStart's middleware system. [#476, #601 by Hyeonseo Kim and #652 by ChanHaeng Lee]

@fedify/nuxt

• Added @fedify/nuxt package for integrating Fedify with Nuxt. It provides a Nuxt module that delegates non-federation requests to Nuxt, supports shared-route content negotiation, and returns deferred 406 Not Acceptable when Fedify routes are requested without ActivityPub-compatible Accept headers and Nuxt has no matching page. [#149, #674 by ChanHaeng Lee]

@fedify/init

• Added a --allow-non-empty option to fedify init for automated scaffolding in directories that already contain unrelated files. The command still fails before making changes if any file that Fedify would generate already exists, avoiding accidental merges or appends. [#716, #717]

• Fixed fedify init so that a directory containing only a freshly initialized Git repository is treated as empty. Directories whose Git HEAD already resolves to a commit, whose Git metadata contains loose or packed refs, stored objects, an index, or reflogs, or that contain any files besides .git, still require the existing non-empty-directory confirmation. [#716, #717]

• Fixed generated biome.json files to use Biome 2 configuration syntax, matching the @biomejs/biome version that fedify init installs. Generated projects now enable import organization through Biome's assist.actions.source.organizeImports setting instead of the removed top-level organizeImports option. [#716, #717]

• Fixed errors when using fedify init with certain web framework integration packages (Astro, ElysiaJS, Nitro) alongside @fedify/mysql. Environment variables are now properly loaded at runtime, resolving the TypeError: Cannot read properties of undefined from mysql2. [[#649](https://github.com/fedif...

Fedify 2.1.11

Released on April 27, 2026.

@fedify/init

• Fixed the Astro, Nitro, and Next.js project templates so their generated logging.ts files are loaded during server startup before Fedify handles requests. Nitro projects now get a server plugin that imports the LogTape configuration, Next.js projects get an instrumentation.ts register() hook that imports it in the Node.js runtime, and Astro projects import it in src/middleware.ts. [#725, #727]

Fedify 2.0.15

Released on April 27, 2026.

@fedify/init

• Fixed the Nitro and Next.js project templates so their generated logging.ts files are loaded during server startup. Nitro projects now get a server plugin that imports the LogTape configuration, and Next.js projects get an instrumentation.ts register() hook that imports it in the Node.js runtime before Fedify handles requests. [#725, #727]

Fedify 2.1.10

Released on April 23, 2026.

@fedify/vocab-runtime

• Added https://join-lemmy.org/context.json to preloaded JSON-LD contexts. Lemmy serves this context as application/json without a JSON-LD context Link header, which caused the default document loader to reject Lemmy-originated activities before application handlers could run. [#714]

Fedify 2.0.14

Released on April 23, 2026.

@fedify/vocab-runtime

• Added https://join-lemmy.org/context.json to preloaded JSON-LD contexts. Lemmy serves this context as application/json without a JSON-LD context Link header, which caused the default document loader to reject Lemmy-originated activities before application handlers could run. [#714]

Fedify 2.1.9

Released on April 22, 2026.

@fedify/mysql

• Fixed a TypeScript type mismatch in MysqlKvStore and MysqlMessageQueue that could reject valid mysql2 pools when an application resolved mysql2 through multiple type sources or different package versions. The constructors now accept the structural pool shape they actually use, so mixed Deno/npm setups and monorepos no longer need casts or @ts-expect-error workarounds.

Fedify 2.1.8

Released on April 22, 2026.

@fedify/init

• Fixed fedify init -w astro -p bun generating package.json scripts that invoked Astro through Node.js. Bun + Astro projects now use bunx --bun astro dev and bunx --bun astro build, so the generated development workflow runs on systems that only have Bun installed.

@fedify/next

• Widened @fedify/next's supported Next.js peer dependency range to >=15.4.6 <17, so installing it into a fresh create-next-app 16.x project no longer fails with an ERESOLVE peer dependency conflict. This restores the default fedify init -w next flow against the current Next.js stable release and updates the integration example to track Next.js 16. [#713]

Fedify 2.0.13

Released on April 22, 2026.

@fedify/next

• Widened @fedify/next's supported Next.js peer dependency range to >=15.4.6 <17, so installing it into a fresh create-next-app 16.x project no longer fails with an ERESOLVE peer dependency conflict. This restores the default fedify init -w next flow against the current Next.js stable release and updates the integration example to track Next.js 16. [#713]

Fedify 2.1.7

Released on April 21, 2026.

@fedify/init

• Fixed fedify init generating Astro projects for Bun with the Node.js adapter and astro preview, which could fail to run correctly on Bun. Astro + Bun projects now use @nurodev/astro-bun and run the built Bun server entry point instead. [#707]

Fedify 2.1.6

Released on April 20, 2026.

@fedify/astro

• Restored the npm entrypoint contract for @fedify/astro by making the build emit dist/*.js and dist/*.d.ts files that match the published package metadata again. This fixes package resolution failures caused by package.json exporting files that did not exist in the npm tarball. [#699, #701]

@fedify/cli

• Fixed fedify lookup failing to look up URLs on private or localhost addresses unless -p/--allow-private-address was passed, which was a regression introduced in Fedify 2.1.0 when the CLI began forwarding the allowPrivateAddress option to the underlying document loader. URLs explicitly provided on the command line now always allow private addresses, while URLs discovered during -t/--traverse honor the option to mitigate SSRF attacks against private addresses. Recursive fetches via --recurse continue to always disallow private addresses regardless of the option. [#696, #698 by Chanhaeng Lee]