@renovate renovate bot commented Oct 17, 2025

This PR contains the following updates:

Package: @fedify/cli (source)
Change: 1.7.8 -> 1.8.13

Release Notes

fedify-dev/fedify (@​fedify/cli)

v1.8.13

Released on October 10, 2025.

@​fedify/fedify
  • Fixed inconsistent encoding/decoding of URI template identifiers with
    special characters. Updated uri-template-router to version 1.0.0,
    which properly decodes percent-encoded characters in URI template variables
    according to RFC 6570. This resolves issues where identifiers containing
    URIs (e.g., https%3A%2F%2Fexample.com) were being inconsistently decoded
    in dispatcher callbacks and double-encoded in collection URLs. [#​416]

v1.8.12

Released on September 20, 2025.

@​fedify/sqlite
  • Fixed bundling issues where incorrect import paths to node_modules were
    included in the bundled output. The @​js-temporal/polyfill dependency
    was moved from devDependencies to dependencies to ensure proper
    bundling.

v1.8.11

Released on September 17, 2025.

  • Improved the AT Protocol URI workaround to handle all DID methods and
    edge cases. The fix now properly percent-encodes any authority component
    in at:// URIs, supporting did:web, did:key, and other DID methods
    beyond just did:plc. Also handles URIs without path components
    correctly. [#436]

v1.8.10

Released on September 17, 2025.

@​fedify/fedify
  • Added a temporary workaround for invalid AT Protocol URIs from BridgyFed.
    URIs like at://did:plc:... that violate RFC 3986 URI syntax are now
    automatically URL-encoded to at://did%3Aplc%3A... to prevent parsing
    failures when processing bridged Bluesky content. [#436]

v1.8.9

Released on September 10, 2025.

v1.8.8

Released on August 25, 2025.

@​fedify/fedify
  • Fixed a bug where verifyRequest() function threw a TypeError when
    verifying HTTP Signatures with created or expires fields in
    the Signature header as defined in draft-cavage-http-signatures-12,
    causing 500 Internal Server Error responses in inbox handlers.
    Now it correctly handles these fields as unquoted integers according
    to the specification.

v1.8.7

Released on August 25, 2025.

@​fedify/fedify
  • Fixed a bug where ActivityPub Discovery failed to recognize XHTML
    self-closing <link> tags. The HTML/XHTML parser now correctly handles
    whitespace before the self-closing slash (/>), improving compatibility
    with XHTML documents that follow the self-closing tag format.

v1.8.6

Released on August 24, 2025.

@​fedify/nestjs
  • Fixed a critical error that prevented the middleware from processing
    ActivityPub requests in NestJS applications. The middleware now correctly
    handles request bodies that have been pre-processed by other NestJS
    middleware or interceptors. [#​279, #​386 by Jaeyeol Lee]
@​fedify/testing
  • Updated exports to include context creation functions.
    [#​382 by Colin Mitchell]

    • Added createContext() function.
    • Added createInboxContext() function.
    • Added createRequestContext() function.

v1.8.5

Released on August 8, 2025.

@​fedify/fedify
  • Fixed a critical authentication bypass vulnerability in the inbox handler
    that allowed unauthenticated attackers to impersonate any ActivityPub actor.
    The vulnerability occurred because activities were processed before
    verifying that the HTTP Signatures key belonged to the claimed actor.
    Now authentication verification is performed before activity processing to
    prevent actor impersonation attacks. [CVE-2025-54888]
@​fedify/cli
  • Fixed fedify nodeinfo color support in Windows Terminal.
    [#​358, #​360 by KeunHyeong Park]

v1.8.4

Released on August 7, 2025.

@​fedify/cli
  • Fixed fedify lookup command's -r/--raw, -C/--compact, and
    -e/--expand options to properly output valid JSON format instead of
    Deno's object inspection format. [#​357]

v1.8.3

Released on August 6, 2025.

@​fedify/cli
  • Restored image resizing functionality in fedify lookup command by using
    the existing Jimp library for image manipulation. This properly displays
    icon and image fields with appropriate sizing in terminals.

  • Added support for Ghostty terminal emulator for image rendering in
    fedify lookup command.

v1.8.2

Released on August 6, 2025.

@​fedify/cli
  • Fixed npx @fedify/cli command not working on various platforms by
    correcting the binary path resolution in the Node.js wrapper script.

  • Temporarily removed Sharp dependency to resolve installation issues
    across different platforms. As a result, fedify lookup command will no
    longer resize images when displaying them in the terminal. This is a
    temporary workaround and image resizing functionality will be restored
    in a future patch version using an alternative approach.

  • Fixed build artifact paths in GitHub Actions workflow to correctly
    reference CLI package location in the monorepo structure.

v1.8.1

Released on October 10, 2025.

@​fedify/fedify
  • Fixed inconsistent encoding/decoding of URI template identifiers with
    special characters. Updated uri-template-router to version 1.0.0,
    which properly decodes percent-encoded characters in URI template variables
    according to RFC 6570. This resolves issues where identifiers containing
    URIs (e.g., https%3A%2F%2Fexample.com) were being inconsistently decoded
    in dispatcher callbacks and double-encoded in collection URLs. [#​416]

v1.7.13

Released on September 17, 2025.

  • Improved the AT Protocol URI workaround to handle all DID methods and
    edge cases. The fix now properly percent-encodes any authority component
    in at:// URIs, supporting did:web, did:key, and other DID methods
    beyond just did:plc. Also handles URIs without path components
    correctly. [#436]

v1.7.12

Released on September 17, 2025.

  • Added a temporary workaround for invalid AT Protocol URIs from BridgyFed.
    URIs like at://did:plc:... that violate RFC 3986 URI syntax are now
    automatically URL-encoded to at://did%3Aplc%3A... to prevent parsing
    failures when processing bridged Bluesky content. [#436]

v1.7.11

Released on August 25, 2025.

  • Fixed a bug where verifyRequest() function threw a TypeError when
    verifying HTTP Signatures with created or expires fields in
    the Signature header as defined in draft-cavage-http-signatures-12,
    causing 500 Internal Server Error responses in inbox handlers.
    Now it correctly handles these fields as unquoted integers according
    to the specification.

v1.7.10

Released on August 25, 2025.

  • Fixed a bug where ActivityPub Discovery failed to recognize XHTML
    self-closing <link> tags. The HTML/XHTML parser now correctly handles
    whitespace before the self-closing slash (/>), improving compatibility
    with XHTML documents that follow the self-closing tag format.

v1.7.9

Released on August 8, 2025.

  • Fixed a critical authentication bypass vulnerability in the inbox handler
    that allowed unauthenticated attackers to impersonate any ActivityPub actor.
    The vulnerability occurred because activities were processed before
    verifying that the HTTP Signatures key belonged to the claimed actor.
    Now authentication verification is performed before activity processing to
    prevent actor impersonation attacks. [CVE-2025-54888]

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - Between 08:00 AM and 11:59 AM, only on Monday, Tuesday, Wednesday, and Thursday ( * 8-11 * * 1,2,3,4 ) (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
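
The AT Protocol URI workaround described in the v1.8.10 and v1.8.11 notes above, as an added JavaScript example that is not part of this PR and is not Fedify's own code. The function names and sample URIs are constructed here; the sketch assumes a WHATWG `URL` parser such as the one in Node.js or Deno.

```javascript
// Added illustration; not Fedify's implementation.
// A WHATWG URL parser reads the first ":" in the authority as the start of a
// port, so "at://did:plc:..." fails to parse. Percent-encoding the authority
// turns the DID into an opaque host that parses.

/** Percent-encode the authority of an at:// URI; other URIs pass through. */
function encodeAtUriAuthority(uri) {
  // Authority runs from "at://" up to the first "/", "?" or "#" (or the end,
  // which covers URIs that have no path component at all).
  const m = /^at:\/\/([^/?#]*)(.*)$/s.exec(uri);
  if (m === null) return uri;
  const [, authority, rest] = m;
  // No raw colon: nothing to fix. This also keeps the function idempotent,
  // so an already-encoded URI is not double-encoded.
  if (!authority.includes(":")) return uri;
  return `at://${encodeURIComponent(authority)}${rest}`;
}

/** True when the platform URL parser accepts the string. */
function parses(uri) {
  try {
    new URL(uri);
    return true;
  } catch {
    return false;
  }
}

// Constructed sample inputs covering several DID methods and a path-less URI.
const samples = [
  "at://did:plc:abc123/app.bsky.feed.post/xyz",
  "at://did:web:example.com",
  "at://did:key:z6MkExample/app.bsky.actor.profile/self",
  "at://did%3Aplc%3Aabc123/app.bsky.feed.post/xyz", // already encoded
  "https://example.com/notes/1",                    // not an at:// URI
];

function report() {
  return samples.map((input) => {
    const fixed = encodeAtUriAuthority(input);
    return { input, parsesRaw: parses(input), fixed, parsesFixed: parses(fixed) };
  });
}

console.table(report());
```
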


coderabbitai bot commented Oct 17, 2025

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

@renovate renovate bot force-pushed the renovate/fedify-cli-1.x branch from 7f19edc to d30bfb2 on October 19, 2025 14:32
@renovate renovate bot changed the title from "Update dependency @fedify/cli to v1.9.0" to "Update dependency @fedify/cli to v1.8.13" on Oct 19, 2025