@renovate renovate bot commented Oct 17, 2025

This PR contains the following updates:

Package | Change | Age | Confidence
@fedify/cli (source) | 1.7.8 -> 1.9.1 | age | confidence

Release Notes

fedify-dev/fedify (@​fedify/cli)

v1.9.1

Released on October 31, 2025.

@​fedify/testing
  • Fixed JSR publishing hanging indefinitely at the processing stage by
    hiding complex type exports from the public API. The JSR type analyzer
    struggled with complex type dependencies when analyzing the MockFederation,
    TestFederation, TestContext, and SentActivity types, causing indefinite
    hangs during the processing stage. [#468]

    • Breaking change: MockFederation class is no longer exported from
      the public API. Use createFederation() factory function instead.
    • TestFederation<TContextData>, TestContext<TContextData>, and
      SentActivity interfaces are no longer exported from the public API,
      but their types are still inferred from createFederation() return type
      and can be used via TypeScript's type inference.
@​fedify/cli
  • Fixed fedify command failing on Windows with PermissionDenied error
    when trying to locate or execute package managers during initialization.
    The CLI now properly handles *.cmd and *.bat files on Windows by
    invoking them through cmd /c. [#463]

v1.9.0

Released on October 14, 2025.

@​fedify/fedify
  • Implemented FEP-fe34 origin-based security model to protect against
    content spoofing attacks and ensure secure federation practices. The
    security model enforces same-origin policy for ActivityPub objects and
    their properties, preventing malicious actors from impersonating content
    from other servers. [#​440]

    • Added crossOrigin option to Activity Vocabulary property accessors
      (get*() methods) with three security levels: "ignore" (default,
      logs warning and returns null), "throw" (throws error), and
      "trust" (bypasses checks).
    • Added LookupObjectOptions.crossOrigin option to lookupObject()
      function and Context.lookupObject() method for controlling
      cross-origin validation.
    • Embedded objects are now validated against their parent object's origin
      and only trusted when they share the same origin or are explicitly
      marked as trusted.
    • Property hydration now respects origin-based security, automatically
      performing remote fetches when embedded objects have different origins.
    • Internal trust tracking system maintains security context throughout
      object lifecycles (construction, cloning, and property access).
  • Added withIdempotency() method to configure activity idempotency
    strategies for inbox processing. This addresses issue #​441 where
    activities with the same ID sent to different inboxes were incorrectly
    deduplicated globally instead of per-inbox. [#​441]

    • Added IdempotencyStrategy type.
    • Added IdempotencyKeyCallback type.
    • Added InboxListenerSetters.withIdempotency() method.
    • By default, "per-origin" strategy is used for backward compatibility.
      This will change to "per-inbox" in Fedify 2.0. We recommend
      explicitly setting the strategy to avoid unexpected behavior changes.
  • Fixed handling of ActivityPub objects containing relative URLs. The
    Activity Vocabulary classes now automatically resolve relative URLs by
    inferring the base URL from the object's @id or document URL, eliminating
    the need for manual baseUrl specification in most cases. This improves
    interoperability with ActivityPub servers that emit relative URLs in
    properties like icon.url and image.url. [#​411, #​443 by Jiwon Kwon]

  • Added TypeScript support for all RFC 6570 URI Template expression types
    in dispatcher path parameters. Previously, only simple string expansion
    ({identifier}) was supported in TypeScript types, while the runtime
    already supported all RFC 6570 expressions. Now TypeScript accepts all
    expression types including {+identifier} (reserved string expansion,
    recommended for URI identifiers), {#identifier} (fragment expansion),
    {.identifier} (label expansion), {/identifier} (path segments),
    {;identifier} (path-style parameters), {?identifier} (query component),
    and {&identifier} (query continuation). [#​426, #​446 by Jiwon Kwon]

    • Added Rfc6570Expression<TParam> type helper.
    • Updated all dispatcher path type parameters to accept RFC 6570
      expressions: setActorDispatcher(), setObjectDispatcher(),
      setInboxDispatcher(), setOutboxDispatcher(),
      setFollowingDispatcher(), setFollowersDispatcher(),
      setLikedDispatcher(), setFeaturedDispatcher(),
      setFeaturedTagsDispatcher(), setInboxListeners(),
      setCollectionDispatcher(), and setOrderedCollectionDispatcher().
  • Added inverse properties for collections to Vocabulary API.
    [FEP-5711, #​373, #​381 by Jiwon Kwon]

    • new Collection() constructor now accepts likesOf option.
    • Added Collection.likesOfId property.
    • Added Collection.getLikesOf() method.
    • new Collection() constructor now accepts sharesOf option.
    • Added Collection.sharedOfId property.
    • Added Collection.getSharedOf() method.
    • new Collection() constructor now accepts repliesOf option.
    • Added Collection.repliesOfId property.
    • Added Collection.getRepliesOf() method.
    • new Collection() constructor now accepts inboxOf option.
    • Added Collection.inboxOfId property.
    • Added Collection.getInboxOf() method.
    • new Collection() constructor now accepts outboxOf option.
    • Added Collection.outboxOfId property.
    • Added Collection.getOutboxOf() method.
    • new Collection() constructor now accepts followersOf option.
    • Added Collection.followersOfId property.
    • Added Collection.getFollowersOf() method.
    • new Collection() constructor now accepts followingOf option.
    • Added Collection.followingOfId property.
    • Added Collection.getFollowingOf() method.
    • new Collection() constructor now accepts likedOf option.
    • Added Collection.likedOfId property.
    • Added Collection.getLikedOf() method.
  • Changed how parseSoftware() function handles non-Semantic Versioning
    number strings in tryBestEffort mode. [#353, #365 by Hyeonseo Kim]

  • Separated modules from @fedify/fedify/x into dedicated packages to
    improve modularity and reduce bundle size. The existing integration
    functions in @fedify/fedify/x are now deprecated and will be removed in
    version 2.0.0. [#​375 by Chanhaeng Lee]

    • Deprecated @fedify/fedify/x/cfworkers in favor of @fedify/cfworkers.
    • Deprecated @fedify/fedify/x/denokv in favor of @fedify/denokv.
    • Deprecated @fedify/fedify/x/hono in favor of @fedify/hono.
    • Deprecated @fedify/fedify/x/sveltekit in favor of @fedify/sveltekit.
  • Extended Link from @fedify/fedify/webfinger to support
    OStatus 1.0 Draft 2. [#​402, #​404 by Hyeonseo Kim]

    • Added an optional template field to the Link interface.
    • Made the href field of the Link interface optional, according to
      RFC 7033 Section 4.4.4.3.
  • Added Federatable.setWebFingerLinksDispatcher() method to set additional
    links to WebFinger. [#119, #407 by Hyeonseo Kim]

  • Added CommonJS support alongside ESM for better NestJS integration and
    broader Node.js ecosystem compatibility. This eliminates the need for
    Node.js's --experimental-require-module flag and resolves dual package
    hazard issues. [#​429, #​431]

@​fedify/cli
  • Added Next.js option to fedify init command. This option allows users
    to initialize a new Fedify project with Next.js integration.
    [#​313 by Chanhaeng Lee]

  • Changed how fedify nodeinfo command handles non-Semantic Versioning
    number strings in -b/--best-effort mode. Now it uses the same logic as
    the parseSoftware() function in the @​fedify/fedify package, which
    allows it to parse non-Semantic Versioning number strings more flexibly.
    [#353, #365 by Hyeonseo Kim]

  • Added -T/--timeout option to fedify lookup command. This option allows
    users to specify timeout in seconds for network requests to prevent
    hanging on slow or unresponsive servers.
    [#258, #372 by Hyunchae Kim]

@​fedify/amqp
  • Added CommonJS support alongside ESM for better compatibility with
    CommonJS-based Node.js applications. [#​429, #​431]
@​fedify/cfworkers
  • Created Cloudflare Workers integration as the @​fedify/cfworkers package.
    Separated from @fedify/fedify/x/cfworkers to improve modularity and
    reduce bundle size. [#​375 by Chanhaeng Lee]
@​fedify/denokv
  • Created Deno KV integration as the @​fedify/denokv package.
    Separated from @fedify/fedify/x/denokv to improve modularity and
    reduce bundle size. [#​375 by Chanhaeng Lee]
@​fedify/elysia
  • Added CommonJS support alongside ESM for better compatibility with
    CommonJS-based Node.js applications. [#​429, #​431]
@​fedify/express
  • Added CommonJS support alongside ESM for better compatibility with
    CommonJS-based Node.js applications. [#​429, #​431]
@​fedify/fastify
  • Created Fastify integration as the @​fedify/fastify package.
    [#​151, #​450 by An Subin]

    • Added fedifyPlugin() function for integrating Fedify into Fastify
      applications.
    • Converts between Fastify's request/reply API and Web Standards
      Request/Response.
    • Supports both ESM and CommonJS for broad Node.js compatibility.
@​fedify/h3
  • Added CommonJS support alongside ESM for better compatibility with
    CommonJS-based Node.js applications. [#​429, #​431]
@​fedify/hono
  • Created Hono integration as the @​fedify/hono package.
    Separated from @fedify/fedify/x/hono to improve modularity and
    reduce bundle size. [#​375 by Chanhaeng Lee]

  • Added CommonJS support alongside ESM for better compatibility with
    CommonJS-based Node.js applications. [#​429, #​431]

@​fedify/koa
  • Created Koa integration as the @​fedify/koa package. [#​454, #​455]

    • Added createMiddleware() function for integrating Fedify into Koa
      applications.
    • Supports both Koa v2.x and v3.x via peer dependencies.
    • Converts between Koa's context-based API and Web Standards
      Request/Response.
    • Builds for both npm (ESM/CJS) and JSR distribution.
@​fedify/next
@​fedify/postgres
  • Added CommonJS support alongside ESM for better compatibility with
    CommonJS-based Node.js applications. [#​429, #​431]
@​fedify/redis
  • Added support for Redis Cluster to the @​fedify/redis package.
    [#​368 by Michael Barrett]

  • Added CommonJS support alongside ESM for better compatibility with
    CommonJS-based Node.js applications. [#​429, #​431]

@​fedify/sqlite
  • Added CommonJS support alongside ESM for better compatibility with
    CommonJS-based Node.js applications. [#​429, #​431]
@​fedify/sveltekit
  • Created SvelteKit integration as the @​fedify/sveltekit package.
    Separated from @fedify/fedify/x/sveltekit to improve modularity and
    reduce bundle size. [#​375 by Chanhaeng Lee]

  • Fixed SvelteKit integration hook types to correctly infer the request
    and response types in hooks. [#​271, #​394 by Chanhaeng Lee]

  • Added CommonJS support alongside ESM for better compatibility with
    CommonJS-based Node.js applications. [#​429, #​431]

@​fedify/testing
  • Added CommonJS support alongside ESM for better compatibility with
    CommonJS-based Node.js applications. [#​429, #​431]

v1.8.14

Released on October 19, 2025.

@​fedify/testing
  • Fixed JSR publishing hanging indefinitely at the processing stage.
    The issue was caused by TypeScript function overload signatures in
    MockContext and MockFederation classes that triggered a bug in JSR's
    type analyzer. All method overloads have been removed and simplified to
    use any types where necessary. [#​468, #​470]
@​fedify/cli
  • Fixed fedify command failing on Windows with PermissionDenied error
    when trying to locate or execute package managers during initialization.
    The CLI now properly handles *.cmd and *.bat files on Windows by
    invoking them through cmd /c. [#​463]

v1.8.13

Released on October 10, 2025.

@​fedify/fedify
  • Fixed inconsistent encoding/decoding of URI template identifiers with
    special characters. Updated uri-template-router to version 1.0.0,
    which properly decodes percent-encoded characters in URI template variables
    according to RFC 6570. This resolves issues where identifiers containing
    URIs (e.g., https%3A%2F%2Fexample.com) were being inconsistently decoded
    in dispatcher callbacks and double-encoded in collection URLs. [#​416]

v1.8.12

Released on September 20, 2025.

@​fedify/sqlite
  • Fixed bundling issues where incorrect import paths to node_modules were
    included in the bundled output. The @​js-temporal/polyfill dependency
    was moved from devDependencies to dependencies to ensure proper
    bundling.

v1.8.11

Released on September 17, 2025.

  • Improved the AT Protocol URI workaround to handle all DID methods and
    edge cases. The fix now properly percent-encodes any authority component
    in at:// URIs, supporting did:web, did:key, and other DID methods
    beyond just did:plc. Also handles URIs without path components
    correctly. [#436]

v1.8.10

Released on September 17, 2025.

@​fedify/fedify
  • Added a temporary workaround for invalid AT Protocol URIs from BridgyFed.
    URIs like at://did:plc:... that violate RFC 3986 URI syntax are now
    automatically URL-encoded to at://did%3Aplc%3A... to prevent parsing
    failures when processing bridged Bluesky content. [#436]

v1.8.9

Released on September 10, 2025.

v1.8.8

Released on August 25, 2025.

@​fedify/fedify
  • Fixed a bug where verifyRequest() function threw a TypeError when
    verifying HTTP Signatures with created or expires fields in
    the Signature header as defined in draft-cavage-http-signatures-12,
    causing 500 Internal Server Error responses in inbox handlers.
    Now it correctly handles these fields as unquoted integers according
    to the specification.

v1.8.7

Released on August 25, 2025.

@​fedify/fedify
  • Fixed a bug where ActivityPub Discovery failed to recognize XHTML
    self-closing <link> tags. The HTML/XHTML parser now correctly handles
    whitespace before the self-closing slash (/>), improving compatibility
    with XHTML documents that follow the self-closing tag format.

v1.8.6

Released on August 24, 2025.

@​fedify/nestjs
  • Fixed a critical error that prevented the middleware from processing
    ActivityPub requests in NestJS applications. The middleware now correctly
    handles request bodies that have been pre-processed by other NestJS
    middleware or interceptors. [#​279, #​386 by Jaeyeol Lee]
@​fedify/testing
  • Updated exports to include context creation functions.
    [#​382 by Colin Mitchell]

    • Added createContext() function.
    • Added createInboxContext() function.
    • Added createRequestContext() function.

v1.8.5

Released on August 8, 2025.

@​fedify/fedify
  • Fixed a critical authentication bypass vulnerability in the inbox handler
    that allowed unauthenticated attackers to impersonate any ActivityPub actor.
    The vulnerability occurred because activities were processed before
    verifying that the HTTP Signatures key belonged to the claimed actor.
    Now authentication verification is performed before activity processing to
    prevent actor impersonation attacks. [CVE-2025-54888]
@​fedify/cli
  • Fixed fedify nodeinfo color support in Windows Terminal.
    [#​358, #​360 by KeunHyeong Park]

v1.8.4

Released on August 7, 2025.

@​fedify/cli
  • Fixed fedify lookup command's -r/--raw, -C/--compact, and
    -e/--expand options to properly output valid JSON format instead of
    Deno's object inspection format. [#​357]

v1.8.3

Released on August 6, 2025.

@​fedify/cli
  • Restored image resizing functionality in fedify lookup command by using
    the existing Jimp library for image manipulation. This properly displays
    icon and image fields with appropriate sizing in terminals.

  • Added support for Ghostty terminal emulator for image rendering in
    fedify lookup command.

v1.8.2

Released on August 6, 2025.

@​fedify/cli
  • Fixed npx @fedify/cli command not working on various platforms by
    correcting the binary path resolution in the Node.js wrapper script.

  • Temporarily removed Sharp dependency to resolve installation issues
    across different platforms. As a result, fedify lookup command will no
    longer resize images when displaying them in the terminal. This is a
    temporary workaround and image resizing functionality will be restored
    in a future patch version using an alternative approach.

  • Fixed build artifact paths in GitHub Actions workflow to correctly
    reference CLI package location in the monorepo structure.

v1.8.1

Released on October 19, 2025.

@​fedify/testing
  • Fixed JSR publishing hanging indefinitely at the processing stage.
    The issue was caused by TypeScript function overload signatures in
    MockContext and MockFederation classes that triggered a bug in JSR's
    type analyzer. All method overloads have been removed and simplified to
    use any types where necessary. [#​468, #​470]
@​fedify/cli
  • Fixed fedify command failing on Windows with PermissionDenied error
    when trying to locate or execute package managers during initialization.
    The CLI now properly handles *.cmd and *.bat files on Windows by
    invoking them through cmd /c. [#​463]

v1.7.13

Released on September 17, 2025.

  • Improved the AT Protocol URI workaround to handle all DID methods and
    edge cases. The fix now properly percent-encodes any authority component
    in at:// URIs, supporting did:web, did:key, and other DID methods
    beyond just did:plc. Also handles URIs without path components
    correctly. [#436]

v1.7.12

Released on September 17, 2025.

  • Added a temporary workaround for invalid AT Protocol URIs from BridgyFed.
    URIs like at://did:plc:... that violate RFC 3986 URI syntax are now
    automatically URL-encoded to at://did%3Aplc%3A... to prevent parsing
    failures when processing bridged Bluesky content. [#436]

v1.7.11

Released on August 25, 2025.

  • Fixed a bug where verifyRequest() function threw a TypeError when
    verifying HTTP Signatures with created or expires fields in
    the Signature header as defined in draft-cavage-http-signatures-12,
    causing 500 Internal Server Error responses in inbox handlers.
    Now it correctly handles these fields as unquoted integers according
    to the specification.

v1.7.10

Released on August 25, 2025.

  • Fixed a bug where ActivityPub Discovery failed to recognize XHTML
    self-closing <link> tags. The HTML/XHTML parser now correctly handles
    whitespace before the self-closing slash (/>), improving compatibility
    with XHTML documents that follow the self-closing tag format.

v1.7.9

Released on August 8, 2025.

  • Fixed a critical authentication bypass vulnerability in the inbox handler
    that allowed unauthenticated attackers to impersonate any ActivityPub actor.
    The vulnerability occurred because activities were processed before
    verifying that the HTTP Signatures key belonged to the claimed actor.
    Now authentication verification is performed before activity processing to
    prevent actor impersonation attacks. [CVE-2025-54888]

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - Between 08:00 AM and 11:59 AM, only on Monday, Tuesday, Wednesday, and Thursday ( * 8-11 * * 1,2,3,4 ) (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
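
The same-origin rule for embedded objects described in the v1.9.0 notes above, sketched as an added example that is not part of this PR or of Fedify's code: it models the three crossOrigin levels on plain JSON objects. readEmbedded, originOf, CrossOriginError and the sample documents are hypothetical names and constructed data.

```javascript
// Added illustration, not Fedify's implementation: a simplified model of an
// origin check applied when reading an embedded ActivityPub object.
// readEmbedded, originOf and CrossOriginError are hypothetical names.

class CrossOriginError extends Error {}

// Origin of an object's id, or null when the id is missing, unparsable, or
// has an opaque origin (non-HTTP schemes serialize to the string "null").
function originOf(id) {
  try {
    const origin = new URL(id).origin;
    return origin === "null" ? null : origin;
  } catch {
    return null;
  }
}

// crossOrigin mirrors the three levels named in the release notes:
//   "ignore" (default): warn and return null
//   "throw":            raise an error
//   "trust":            skip the check
function readEmbedded(parent, prop, { crossOrigin = "ignore", warn = console.warn } = {}) {
  if (!["ignore", "throw", "trust"].includes(crossOrigin)) {
    throw new TypeError(`unknown crossOrigin mode: ${crossOrigin}`);
  }
  const value = parent[prop];
  if (value == null) return null;
  // A bare IRI asserts nothing by itself; the caller has to dereference it.
  if (typeof value === "string") return { kind: "reference", id: value };
  if (crossOrigin === "trust") return { kind: "embedded", object: value };

  const parentOrigin = originOf(parent.id);
  const childOrigin = originOf(value.id);
  // Assumption of this sketch: an embedded object is accepted only when both
  // ids resolve to the same non-opaque origin.
  if (parentOrigin !== null && parentOrigin === childOrigin) {
    return { kind: "embedded", object: value };
  }
  const message = `embedded ${prop} ${value.id} is not same-origin with ${parent.id}`;
  if (crossOrigin === "throw") throw new CrossOriginError(message);
  warn(message);
  return null;
}

// Constructed sample: social.example embeds a note that claims a victim.example id.
const SPOOFED = {
  id: "https://social.example/activities/1",
  type: "Create",
  actor: "https://social.example/users/mallory",
  object: { id: "https://victim.example/notes/1", type: "Note", content: "forged" },
};

// Constructed sample: same-origin embedding, which passes the check.
const GENUINE = {
  id: "https://social.example/activities/2",
  type: "Create",
  actor: "https://social.example/users/alice",
  object: { id: "https://social.example/notes/7", type: "Note", content: "hello" },
};
```
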


coderabbitai bot commented Oct 17, 2025

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

@renovate renovate bot force-pushed the renovate/fedify-cli-1.x branch from 7f19edc to d30bfb2 Compare October 19, 2025 14:32
@renovate renovate bot changed the title Update dependency @fedify/cli to v1.9.0 Update dependency @fedify/cli to v1.8.13 Oct 19, 2025
@renovate renovate bot force-pushed the renovate/fedify-cli-1.x branch 2 times, most recently from c6840c3 to 7415af8 Compare October 22, 2025 20:06
@renovate renovate bot changed the title Update dependency @fedify/cli to v1.8.13 Update dependency @fedify/cli to v1.8.14 Oct 22, 2025
@renovate renovate bot force-pushed the renovate/fedify-cli-1.x branch from 7415af8 to ea4a121 Compare October 31, 2025 14:09
@renovate renovate bot changed the title Update dependency @fedify/cli to v1.8.14 Update dependency @fedify/cli to v1.9.0 Oct 31, 2025
@renovate renovate bot force-pushed the renovate/fedify-cli-1.x branch from ea4a121 to 55552d7 Compare November 3, 2025 07:43
@renovate renovate bot changed the title Update dependency @fedify/cli to v1.9.0 Update dependency @fedify/cli to v1.9.1 Nov 3, 2025
@renovate renovate bot force-pushed the renovate/fedify-cli-1.x branch from 55552d7 to c58d127 Compare November 10, 2025 17:35
@renovate renovate bot force-pushed the renovate/fedify-cli-1.x branch from c58d127 to ee8addf Compare November 18, 2025 10:15