Fedify 2.1.5

Released on April 8, 2026.

@fedify/fedify

• Fixed Context.getActorKeyPairs() assigning the same key ID to both the CryptographicKey (used for HTTP Signatures and Linked Data Signatures) and the Multikey (used for Object Integrity Proofs) within an ActorKeyPair. The Multikey now receives a distinct ID (#multikey-1, #multikey-2, …) so that the actor document no longer contains two objects sharing the same id, which was invalid JSON-LD. Object Integrity Proof signatures now reference the correct Multikey ID instead of the CryptographicKey ID. [#663]

• Object Integrity Proofs signing now takes place before activity fanout, so all recipients receive the same pre-signed activity. Previously, OIP signing was deferred until after fanout, meaning each fanout worker would re-sign independently with potentially different timestamps and the fanout message itself contained an unsigned activity.

@fedify/cfworkers

• Fixed a remaining TypeScript type mismatch for Cloudflare Workers users who pass wrangler types or @cloudflare/vite-plugin generated KV bindings to WorkersKvStore. The package now accepts a minimal structural KV binding interface for WorkersKvStore and WorkersMessageQueue's orderingKv option instead of requiring the nominal KVNamespace type imported from @cloudflare/workers-types, so generated local declarations compile without casts or @ts-expect-error. [#665]

Fedify 2.0.12

Released on April 8, 2026.

@fedify/fedify

• Fixed Context.getActorKeyPairs() assigning the same key ID to both the CryptographicKey (used for HTTP Signatures and Linked Data Signatures) and the Multikey (used for Object Integrity Proofs) within an ActorKeyPair. The Multikey now receives a distinct ID (#multikey-1, #multikey-2, …) so that the actor document no longer contains two objects sharing the same id, which was invalid JSON-LD. Object Integrity Proof signatures now reference the correct Multikey ID instead of the CryptographicKey ID. [#663]

• Object Integrity Proofs signing now takes place before activity fanout, so all recipients receive the same pre-signed activity. Previously, OIP signing was deferred until after fanout, meaning each fanout worker would re-sign independently with potentially different timestamps and the fanout message itself contained an unsigned activity.

@fedify/cfworkers

• Fixed a remaining TypeScript type mismatch for Cloudflare Workers users who pass wrangler types or @cloudflare/vite-plugin generated KV bindings to WorkersKvStore. The package now accepts a minimal structural KV binding interface for WorkersKvStore and WorkersMessageQueue's orderingKv option instead of requiring the nominal KVNamespace type imported from @cloudflare/workers-types, so generated local declarations compile without casts or @ts-expect-error. [#665]

Fedify 1.10.8

Released on April 8, 2026.

@fedify/fedify

• Fixed Context.getActorKeyPairs() assigning the same key ID to both the CryptographicKey (used for HTTP Signatures and Linked Data Signatures) and the Multikey (used for Object Integrity Proofs) within an ActorKeyPair. The Multikey now receives a distinct ID (#multikey-1, #multikey-2, …) so that the actor document no longer contains two objects sharing the same id, which was invalid JSON-LD. Object Integrity Proof signatures now reference the correct Multikey ID instead of the CryptographicKey ID. [#663]

• Object Integrity Proofs signing now takes place before activity fanout, so all recipients receive the same pre-signed activity. Previously, OIP signing was deferred until after fanout, meaning each fanout worker would re-sign independently with potentially different timestamps and the fanout message itself contained an unsigned activity.

Fedify 1.9.9

Released on April 8, 2026.

@fedify/fedify

• Fixed Context.getActorKeyPairs() assigning the same key ID to both the CryptographicKey (used for HTTP Signatures and Linked Data Signatures) and the Multikey (used for Object Integrity Proofs) within an ActorKeyPair. The Multikey now receives a distinct ID (#multikey-1, #multikey-2, …) so that the actor document no longer contains two objects sharing the same id, which was invalid JSON-LD. Object Integrity Proof signatures now reference the correct Multikey ID instead of the CryptographicKey ID. [#663]

• Object Integrity Proofs signing now takes place before activity fanout, so all recipients receive the same pre-signed activity. Previously, OIP signing was deferred until after fanout, meaning each fanout worker would re-sign independently with potentially different timestamps and the fanout message itself contained an unsigned activity.

Fedify 2.1.4

Released on April 7, 2026.

@fedify/fedify

• Fixed sendActivity() not awaiting fanoutQueue.enqueue() in the fanout path, which could cause fanout messages to be silently dropped on runtimes like Cloudflare Workers that may terminate an isolate as soon as the response is sent. [#661]

@fedify/cfworkers

• Fixed a TypeScript type mismatch that occurred when passing wrangler types-generated binding types (e.g. KVNamespace, Queue) to WorkersKvStore and WorkersMessageQueue constructors. The package previously imported these types from @cloudflare/workers-types/experimental, which includes extra members (such as KVNamespace.deleteBulk()) absent from types generated by wrangler types, causing TypeScript assignment errors at the call site. The import now uses the stable @cloudflare/workers-types entrypoint, whose definitions match what wrangler types generates. [#662]

Fedify 2.0.11

Released on April 7, 2026.

@fedify/fedify

• Fixed sendActivity() not awaiting fanoutQueue.enqueue() in the fanout path, which could cause fanout messages to be silently dropped on runtimes like Cloudflare Workers that may terminate an isolate as soon as the response is sent. [#661]

@fedify/cfworkers

• Fixed a TypeScript type mismatch that occurred when passing wrangler types-generated binding types (e.g. KVNamespace, Queue) to WorkersKvStore and WorkersMessageQueue constructors. The package previously imported these types from @cloudflare/workers-types/experimental, which includes extra members (such as KVNamespace.deleteBulk()) absent from types generated by wrangler types, causing TypeScript assignment errors at the call site. The import now uses the stable @cloudflare/workers-types entrypoint, whose definitions match what wrangler types generates. [#662]

Fedify 1.10.7

Released on April 7, 2026.

@fedify/fedify

• Fixed sendActivity() not awaiting fanoutQueue.enqueue() in the fanout path, which could cause fanout messages to be silently dropped on runtimes like Cloudflare Workers that may terminate an isolate as soon as the response is sent. [#661]

Fedify 1.9.8

Released on April 7, 2026.

@fedify/fedify

• Fixed sendActivity() not awaiting fanoutQueue.enqueue() in the fanout path, which could cause fanout messages to be silently dropped on runtimes like Cloudflare Workers that may terminate an isolate as soon as the response is sent. [#661]

Fedify 2.1.3

Released on March 31, 2026.

@fedify/init

• Restored the npm entrypoint contract for @fedify/init after the tsdown upgrade started publishing dist/*.mjs files while the package metadata still exported dist/*.js and dist/*.d.ts. Node consumers such as @fedify/cli can start again, including npx -y @fedify/cli --help. [#655]

@fedify/create

• Restored the npm CLI entrypoint for @fedify/create so the published bin and exports paths once again point to generated dist/mod.js output instead of missing dist/mod.js files. This prevents the same packaging regression from breaking npm init @fedify. [#655]

Fedify 2.0.10

Released on March 31, 2026.

@fedify/lint

• Fixed the published ESM output paths for @fedify/lint so the package exports and type declarations point to the actual files generated by tsdown. This restores imports such as import fedifyLint from "@fedify/lint" in documentation examples and other TypeScript consumers.

@fedify/init

• Restored the npm entrypoint contract for @fedify/init after the tsdown upgrade started publishing dist/*.mjs files while the package metadata still exported dist/*.js and dist/*.d.ts. Node consumers such as @fedify/cli can start again, including npx -y @fedify/cli --help. [#655]

@fedify/create

• Restored the npm CLI entrypoint for @fedify/create so the published bin and exports paths once again point to generated dist/mod.js output instead of missing dist/mod.js files. This prevents the same packaging regression from breaking npm init @fedify. [#655]