Update Fedify packages to 1.10.11#1856
Conversation
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@package.json`:
- Around line 67-69: The package versions for "`@fedify/fedify`", "`@fedify/hono`",
and "`@fedify/redis`" are pinned to 1.10.11 which leaves the HIGH security
advisory for `@fedify/fedify` unpatched; update the dependency entries in
package.json for "`@fedify/fedify`", "`@fedify/hono`", and "`@fedify/redis`" to
versions >=2.2.3 (ensure "`@fedify/hono`" remains compatible with its peer hono
version—hono@4.12.23 satisfies hono:^4.0.0), run npm/yarn install to update
lockfile, and run tests/build to verify compatibility after bumping those
package versions.
⛔ Files ignored due to path filters (1)
yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (1)
package.json
| "@fedify/fedify": "1.10.11", | ||
| "@fedify/hono": "1.10.11", | ||
| "@fedify/redis": "1.10.11", |
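Review bot: the three entries pin an exact 1.10.11 with no range, which keeps the Fedify packages in lockstep, but yarn.lock is excluded from this review by path filter, so the resolved versions cannot be checked here; confirm the lockfile was regenerated with these pins and that the hono peer-dependency range declared by @fedify/hono@1.10.11 (reported in the analysis as ^4.0.0, which hono@4.12.23 satisfies) still resolves after the bump.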
🧩 Analysis chain
🌐 Web query:
What changes were introduced in Fedify 1.10.11 and are there any security advisories for Fedify packages versions 1.10.10 or 1.10.11?
💡 Result:
As of June 4, 2026, there is no release for Fedify version 1.10.11. The most recent release in the 1.10.x series is 1.10.10 [1]. Regarding security advisories for Fedify:
- Fedify 1.10.10 was released on May 21, 2026, to address a security vulnerability (CVE-2026-42462) in Linked Data Signature verification [1][2]. This vulnerability could allow an attacker to restructure the JSON-LD graph of a signed activity, potentially changing its interpretation without invalidating the signature [2][3]. The fix involves normalizing activities against the local JSON-LD context before interpretation and rejecting constructs that could manipulate the object shape [2].
- Fedify 1.10.9 (released May 10, 2026) addressed a separate vulnerability related to a private network protection bypass in validatePublicUrl(), which could have allowed SSRF attacks via IPv4-mapped IPv6 literals [4][5].
Users are advised to keep their Fedify installations updated to the latest patched versions to mitigate these risks [2][5].
Citations:
- 1: https://github.com/fedify-dev/fedify/releases/tag/1.10.10
- 2: Fedify security updates: 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3 fedify-dev/fedify#773
- 3: https://security.snyk.io/vuln/SNYK-JS-FEDIFYFEDIFY-16895732
- 4: https://github.com/fedify-dev/fedify/releases/tag/1.10.9
- 5: Fedify security updates: 1.9.10, 1.10.9, 2.0.16, 2.1.12, and 2.2.1 fedify-dev/fedify#761
🌐 Web query:
Is @fedify/hono version 1.10.11 compatible with hono version 4.12.23?
💡 Result:
No reliable source evidence found that explicitly states whether @fedify/hono version 1.10.11 is compatible with hono version 4.12.23. What I could verify from sources:
1) The current published @fedify/hono package page doesn't show version 1.10.11; it shows much newer versions (e.g., 2.2.x) on npm/JSR, so I could not confirm the dependency range for 1.10.11 from the package metadata available in the search results. [1]
2) Hono 4.12.23 is a release tag (2026-05-25). [2]
3) Fedify repo lockfile evidence shows that their hono integration typically depends on specific hono versions (example shows hono 4.8.3 in a lockfile snapshot), but that does not prove compatibility for the specific combo you asked about (fedify-hono 1.10.11 + hono 4.12.23). [3]
To answer your question conclusively, I would need an authoritative artifact for exactly @fedify/hono@1.10.11 (its package.json peerDependencies/dependencies on "hono", or release notes / compatibility matrix). The search results I found were insufficient to locate those exact version details.
Practical guidance: if you're using npm/pnpm, check what "hono" version @fedify/hono@1.10.11 declares (peerDependencies or dependencies) and then see whether 4.12.23 satisfies that range; otherwise expect possible type/runtime breakage due to Hono's v4 migration history. [4]
Citations:
- 1: https://www.npmjs.com/package/@fedify/hono
- 2: https://github.com/honojs/hono/releases/tag/v4.12.23
- 3: https://github.com/fedify-dev/fedify/blob/780686fd0bb0a93d4dae48ece4da073a71171650/pnpm-lock.yaml
- 4: https://github.com/honojs/hono/blob/main/docs/MIGRATION.md
🏁 Script executed:
```bash
#!/bin/bash
# Check npm registry for package existence and basic metadata.
# Package names are written plainly: backticks inside double quotes would be
# treated as command substitution by the shell.
echo "=== Checking @fedify/fedify@1.10.11 ==="
curl -s https://registry.npmjs.org/@fedify/fedify/1.10.11 | jq -r '.version, .deprecated // "Not deprecated"'
echo -e "\n=== Checking @fedify/hono@1.10.11 ==="
curl -s https://registry.npmjs.org/@fedify/hono/1.10.11 | jq -r '.version, .peerDependencies.hono // "No hono peer dependency specified", .deprecated // "Not deprecated"'
echo -e "\n=== Checking @fedify/redis@1.10.11 ==="
curl -s https://registry.npmjs.org/@fedify/redis/1.10.11 | jq -r '.version, .deprecated // "Not deprecated"'
echo -e "\n=== Checking @fedify/cli@1.10.11 ==="
curl -s https://registry.npmjs.org/@fedify/cli/1.10.11 | jq -r '.version, .deprecated // "Not deprecated"'

# Check for known vulnerabilities via the GitHub advisory database
echo -e "\n=== Checking for security advisories ==="
gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: NPM, package: "@fedify/fedify") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'
```
Update Fedify packages beyond 1.10.11 to address HIGH security advisory
- `@fedify/fedify@1.10.11`, `@fedify/hono@1.10.11`, and `@fedify/redis@1.10.11` exist on npm and are not deprecated. `@fedify/hono@1.10.11` declares `peerDependencies.hono: ^4.0.0`, so `hono@4.12.23` satisfies the requirement.
- Security: GitHub advisory for `@fedify/fedify` ("LD-Signature Bypass via JSON-LD Named-Graph Restructuring") affects versions `< 2.2.3` (patched in `2.2.3`), so upgrading only to `1.10.11` keeps this HIGH issue unfixed—upgrade Fedify packages to `>=2.2.3`.
"LD-Signature Bypass via JSON-LD Named-Graph Restructuring" has been fixed in 1.10.10, the advisory needs an update
🧩 Analysis chain
🏁 Script executed:
```bash
#!/bin/bash
# Check Fedify 1.10.10 release notes on GitHub
echo "=== Fedify 1.10.10 release ==="
curl -s "https://api.github.com/repos/fedify-dev/fedify/releases/tags/1.10.10" | jq -r '.body' | head -60

# Pull the full advisory records, including the affected/patched ranges
echo -e "\n=== GitHub Security Advisory details ==="
gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: NPM, package: "@fedify/fedify") {
    nodes {
      advisory {
        ghsaId
        summary
        severity
        publishedAt
        updatedAt
        description
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'
```
@sagzy, you're correct — thank you for the correction. The Fedify release notes confirm that 1.10.10 was the backport that addressed the LD-Signature Bypass (CVE-2026-42462), so the project was already protected before this PR. The GitHub advisory GHSA-9rfg-v8g9-9367 is incomplete: it only records the 2.x fix (< 2.2.3, patched in 2.2.3) and is missing the >= 1.10.0, < 1.10.10 range with 1.10.10 as the first patched version. My original concern was based on that incomplete advisory data. I'll withdraw it.
✏️ Learnings added
Learnt from: sagzy
Repo: TryGhost/ActivityPub PR: 1856
File: package.json:67-69
Timestamp: 2026-06-04T06:59:44.055Z
Learning: GHSA-9rfg-v8g9-9367 ("Fedify LD-Signature Bypass via JSON-LD Named-Graph Restructuring") was backported and fixed in `fedify/fedify` 1.10.10 (released 2026-05-21), but the GitHub advisory is incomplete — it only lists the 2.x branch fix (`< 2.2.3`, patched in `2.2.3`) and does not include the 1.x backport range. Projects on `fedify/fedify` >= 1.10.10 are NOT vulnerable to this issue despite the advisory appearing to flag them.
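The advisory-range gap the thread settles on (a bare `< 2.2.3` range flags the already-patched 1.10.11, while per-branch ranges with lower bounds would not), as an added example that is not code from the PR, from Fedify or from CodeRabbit: a small checker that evaluates a pinned package.json version against `vulnerableVersionRange` strings in the GitHub advisory format, plus the caret peer-dependency check from the earlier hono query. The published-advisory entry is transcribed from the thread; the per-branch ranges, and in particular their lower bounds, are assumptions built from the patched versions the thread names, not the advisory's actual text.

```javascript
// Added example (not from the PR, Fedify or CodeRabbit): check a pinned version
// against GitHub-advisory-style vulnerableVersionRange strings and a caret peer range.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number); // numeric parts, so 1.10.x sorts after 1.9.x
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// A vulnerableVersionRange is a comma-separated list of clauses that must all
// hold, e.g. ">= 1.10.0, < 1.10.10".
function inVulnerableRange(version, range) {
  return range.split(",").every((clause) => {
    const m = /^\s*(<=|>=|<|>|=)\s*(\S+)\s*$/.exec(clause);
    if (!m) throw new Error(`bad clause: ${clause}`);
    const c = compareVersions(version, m[2]);
    return { "<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0, "=": c === 0 }[m[1]];
  });
}

// Advisory ranges that still cover `version`; an empty list means not flagged.
function matchingRanges(version, advisory) {
  return advisory.ranges.filter((r) => inVulnerableRange(version, r.vulnerableVersionRange));
}

// Caret range as npm resolves it for major >= 1: ^4.0.0 means >= 4.0.0 and < 5.0.0.
function satisfiesCaret(version, range) {
  const base = range.replace(/^\^/, "");
  const major = parseVersion(base)[0];
  if (major === 0) throw new Error("0.x caret ranges are out of scope here");
  return compareVersions(version, base) >= 0 && parseVersion(version)[0] === major;
}
// As the thread describes the published advisory: only the 2.x fix is recorded,
// so the bare upper bound flags every earlier version, patched 1.10.11 included.
const ADVISORY_AS_PUBLISHED = { ghsaId: "GHSA-9rfg-v8g9-9367",
  ranges: [{ vulnerableVersionRange: "< 2.2.3", firstPatchedVersion: "2.2.3" }] };
// Assumed per-branch form built from the patched versions the thread names;
// the lower bounds are assumptions, not the advisory's actual text.
const ADVISORY_PER_BRANCH = { ghsaId: "GHSA-9rfg-v8g9-9367", ranges: [
  { vulnerableVersionRange: ">= 1.10.0, < 1.10.10", firstPatchedVersion: "1.10.10" },
  { vulnerableVersionRange: ">= 2.0.0, < 2.0.18", firstPatchedVersion: "2.0.18" },
  { vulnerableVersionRange: ">= 2.1.0, < 2.1.14", firstPatchedVersion: "2.1.14" },
  { vulnerableVersionRange: ">= 2.2.0, < 2.2.3", firstPatchedVersion: "2.2.3" },
] };
```

Running `matchingRanges("1.10.11", ADVISORY_AS_PUBLISHED)` reproduces the false flag the bot raised, and the same call against the per-branch form returns nothing, which is why an advisory missing its backport range is worth checking against release notes before acting on it.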
Release notes: https://github.com/fedify-dev/fedify/releases/tag/1.10.11