Fedify 2.2.5

Released on June 5, 2026.

@fedify/cli

• Fixed fedify command failing under Deno 2.8+/TypeScript 6.0 where setTimeout() returns Timeout instead of number. Used ReturnType<typeof setTimeout> for the signalTimers WeakMap so it is compatible across all TypeScript/Deno versions. [#789 by Rui Chen]

Fedify 2.1.16

Released on June 5, 2026.

@fedify/cli

• Fixed fedify command failing under Deno 2.8+/TypeScript 6.0 where setTimeout() returns Timeout instead of number. Used ReturnType<typeof setTimeout> for the signalTimers WeakMap so it is compatible across all TypeScript/Deno versions. [#789 by Rui Chen]

Fedify 2.0.20

Released on June 5, 2026.

@fedify/cli

• Fixed fedify command failing under Deno 2.8+/TypeScript 6.0 where setTimeout() returns Timeout instead of number. Used ReturnType<typeof setTimeout> for the signalTimers WeakMap so it is compatible across all TypeScript/Deno versions. [#789 by Rui Chen]

Fedify 2.2.4

Released on June 4, 2026.

@fedify/vocab-runtime

• Fixed validatePublicUrl() allowing special-use IPv4 ranges, such as shared address space, benchmarking, multicast, reserved, and documentation ranges, which could bypass private network protections in remote document loading. [CVE-2026-50131]

• Fixed validatePublicUrl() allowing IPv6 translation and tunneling prefixes, including NAT64, Teredo, and 6to4 addresses, which could bypass private network protections in remote document loading. [CVE-2026-50131]

Fedify 2.1.15

Released on June 4, 2026.

@fedify/vocab-runtime

• Fixed validatePublicUrl() allowing special-use IPv4 ranges, such as shared address space, benchmarking, multicast, reserved, and documentation ranges, which could bypass private network protections in remote document loading. [CVE-2026-50131]

• Fixed validatePublicUrl() allowing IPv6 translation and tunneling prefixes, including NAT64, Teredo, and 6to4 addresses, which could bypass private network protections in remote document loading. [CVE-2026-50131]

Fedify 2.0.19

Released on June 4, 2026.

@fedify/vocab-runtime

• Fixed validatePublicUrl() allowing special-use IPv4 ranges, such as shared address space, benchmarking, multicast, reserved, and documentation ranges, which could bypass private network protections in remote document loading. [CVE-2026-50131]

• Fixed validatePublicUrl() allowing IPv6 translation and tunneling prefixes, including NAT64, Teredo, and 6to4 addresses, which could bypass private network protections in remote document loading. [CVE-2026-50131]

Fedify 1.10.11

Released on June 4, 2026.

@fedify/fedify

• Fixed validatePublicUrl() allowing special-use IPv4 ranges, such as shared address space, benchmarking, multicast, reserved, and documentation ranges, which could bypass private network protections in remote document loading. [CVE-2026-50131]

• Fixed validatePublicUrl() allowing IPv6 translation and tunneling prefixes, including NAT64, Teredo, and 6to4 addresses, which could bypass private network protections in remote document loading. [CVE-2026-50131]

Fedify 1.9.12

Released on June 4, 2026.

@fedify/fedify

• Fixed validatePublicUrl() allowing special-use IPv4 ranges, such as shared address space, benchmarking, multicast, reserved, and documentation ranges, which could bypass private network protections in remote document loading. [CVE-2026-50131]

• Fixed validatePublicUrl() allowing IPv6 translation and tunneling prefixes, including NAT64, Teredo, and 6to4 addresses, which could bypass private network protections in remote document loading. [CVE-2026-50131]

Fedify 2.2.3

Released on May 21, 2026.

@fedify/fedify

• Fixed a security vulnerability in Linked Data Signature verification that could allow certain signed activities to be interpreted differently than intended. [CVE-2026-42462]

Fedify 2.1.14

Released on May 21, 2026.

@fedify/fedify

• Fixed a security vulnerability in Linked Data Signature verification that could allow certain signed activities to be interpreted differently than intended. [CVE-2026-42462]