diff --git a/README.md b/README.md
index 3d8bcf73..4e57a0a4 100644
--- a/README.md
+++ b/README.md
@@ -19,13 +19,13 @@ Four packages are installed directly from GitHub forks rather than the npm regis In `package.json` these use the `github:owner/repo[#branch]` syntax so npm fetches them directly from GitHub on install. -> **Lockfile caveat:** The fork dependency is resolved to a specific commit in `package-lock.json`. When fixes are pushed to the fork, run `npm install github:svemagie/indiekit-endpoint-activitypub` to pull the latest commit. The fork HEAD is at `42f8c2d` (all upstream fixes through 2026-03-23 merged; DM support; pin/unpin status; favourite/reblog timeout guard; raw signed fetch fallback for non-standard AP servers; timezone-aware status lookup for pre-UTC-normalization timeline items; own Micropub posts mirrored into ap_timeline so context/statuses endpoints work for website-authored posts). +> **Lockfile caveat:** The fork dependency is resolved to a specific commit in `package-lock.json`. When fixes are pushed to the fork, run `npm install github:svemagie/indiekit-endpoint-activitypub` to pull the latest commit. The fork HEAD is at `230bfd1` (upstream v3.9.x merged: Fedify 2.1.0, 5 FEPs — Tombstone/soft-delete, Activity Intents, indexable actor, NodeInfo enrichment, Collection Sync; security audit — XSS/CSRF/OAuth scope enforcement, rate limiting, token expiry, secret hashing; architecture refactor — syndicator.js, batch-broadcast.js, init-indexes.js, CSS split into 15 files; plus all fork patches: DM support, pin/unpin status, edit post, favourite/reblog timeout guard, raw signed fetch fallback, timezone-aware status lookup, own Micropub posts mirrored into ap_timeline). --- ## ActivityPub federation -The blog is a native ActivityPub actor (`@svemagie@blog.giersig.eu`) powered by [Fedify](https://fedify.dev/) v2.0.3 via the `@rmdes/indiekit-endpoint-activitypub` package. All federation routes are mounted at `/activitypub`. 
+The blog is a native ActivityPub actor (`@svemagie@blog.giersig.eu`) powered by [Fedify](https://fedify.dev/) v2.1.0 via the `@rmdes/indiekit-endpoint-activitypub` package. All federation routes are mounted at `/activitypub`. ### Actor identity diff --git a/package-lock.json b/package-lock.json index 9b39fceb..d79021bd 100644 --- a/package-lock.json +++ b/package-lock.json @@ -763,12 +763,12 @@ "license": "MIT" }, "node_modules/@fedify/debugger": { - "version": "2.0.7", - "resolved": "https://registry.npmjs.org/@fedify/debugger/-/debugger-2.0.7.tgz", - "integrity": "sha512-439rX7f6zxXuBfLCQefP5JSv1osdjG4IimuRrIQgb5xaG1VlSaixHn4eN94ii64TGD+6PUGbTFYZhRmnnYlwAA==", + "version": "2.1.1", + "resolved": "https://registry.npmjs.org/@fedify/debugger/-/debugger-2.1.1.tgz", + "integrity": "sha512-n3fdo3u3uZwng+4NkgkDReyKg1tJhJ4B+5qX4AA49p+NJUdOBJYihmuovoXdZ0fxO2E3UK+X0o0q+OFOdMRBKw==", "dependencies": { "@js-temporal/polyfill": "^0.5.1", - "@logtape/logtape": "^2.0.0", + "@logtape/logtape": "^2.0.5", "@opentelemetry/api": "^1.9.0", "@opentelemetry/context-async-hooks": "^2.5.0", "@opentelemetry/core": "^2.5.0", 
@@ -776,24 +776,24 @@ "hono": "^4.0.0" }, "peerDependencies": { - "@fedify/fedify": "^2.0.7" + "@fedify/fedify": "^2.1.1" } }, "node_modules/@fedify/fedify": { - "version": "2.0.7", - "resolved": "https://registry.npmjs.org/@fedify/fedify/-/fedify-2.0.7.tgz", - "integrity": "sha512-2/GYm/ukjg4t3+HXBgfxkoq1KUCGPJTxxmanmd+B4aGOmHX5PNfteSxpQxrHYzUGQNk46KFKnDF3+t6v2JKCfA==", + "version": "2.1.1", + "resolved": "https://registry.npmjs.org/@fedify/fedify/-/fedify-2.1.1.tgz", + "integrity": "sha512-DHhtrfBrg899Voi6W9rjDr6QDFcRQi/Ur7mmttGFnVJa5fVnXbOCZaQ9Bb9di8559Zbn+xX3sqWKJfW2v8lvAQ==", "funding": [ "https://opencollective.com/fedify", "https://github.com/sponsors/dahlia" ], "license": "MIT", "dependencies": { - "@fedify/vocab": "2.0.7", - "@fedify/vocab-runtime": "2.0.7", - "@fedify/webfinger": "2.0.7", + "@fedify/vocab": "2.1.1", + "@fedify/vocab-runtime": "2.1.1", + "@fedify/webfinger": "2.1.1", "@js-temporal/polyfill": "^0.5.1", - "@logtape/logtape": "^2.0.0", + "@logtape/logtape": "^2.0.5", "@opentelemetry/api": "^1.9.0", "@opentelemetry/core": "^2.5.0", "@opentelemetry/sdk-trace-base": "^2.5.0", @@ -814,9 +814,9 @@ } }, "node_modules/@fedify/redis": { - "version": "2.0.7", - "resolved": "https://registry.npmjs.org/@fedify/redis/-/redis-2.0.7.tgz", - "integrity": "sha512-e9YfkDJxItaWibslo+D0+FAq+eEFG3t7GxjE51FRjQwKZj7+FK2BhGD5lOtlTwq00StRqmf2WYcjMC03lcE3cg==", + "version": "2.1.1", + "resolved": "https://registry.npmjs.org/@fedify/redis/-/redis-2.1.1.tgz", + "integrity": "sha512-ZJTbZ555RErVJg7RUIYIY1lzX2Ihfsy3bqnX58AUQTngYmfwgBAl9FAv275shjiSuNVNhWCr0pyjAdnQTb18YA==", "funding": [ "https://opencollective.com/fedify", "https://github.com/sponsors/dahlia" 
@@ -824,28 +824,28 @@ "license": "MIT", "dependencies": { "@js-temporal/polyfill": "^0.5.1", - "@logtape/logtape": "^2.0.0" + "@logtape/logtape": "^2.0.5" }, "peerDependencies": { - "@fedify/fedify": "^2.0.7", + "@fedify/fedify": "^2.1.1", "ioredis": "^5.8.2" } }, "node_modules/@fedify/vocab": { - "version": "2.0.7", - "resolved": "https://registry.npmjs.org/@fedify/vocab/-/vocab-2.0.7.tgz", - "integrity": "sha512-jg1KpI2Yke26NcHrK8HS/OUeTYiCgcj98IvynBxgfzZY2MeZ1Bc7wg4VDRdHfz+TEMe9GwkF47Flj6DVcar0Zw==", + "version": "2.1.1", + "resolved": "https://registry.npmjs.org/@fedify/vocab/-/vocab-2.1.1.tgz", + "integrity": "sha512-Jy5t4jAzrR0+sF0b+aQRuvZC4pvsEsutjeayJf6RVTNSs+QugvbyCz7k+GXtMvofnpP9QjuK6nUKal+c/3qfiQ==", "funding": [ "https://opencollective.com/fedify", "https://github.com/sponsors/dahlia" ], "license": "MIT", "dependencies": { - "@fedify/vocab-runtime": "2.0.7", - "@fedify/vocab-tools": "2.0.7", - "@fedify/webfinger": "2.0.7", + "@fedify/vocab-runtime": "2.1.1", + "@fedify/vocab-tools": "2.1.1", + "@fedify/webfinger": "2.1.1", "@js-temporal/polyfill": "^0.5.1", - "@logtape/logtape": "^2.0.0", + "@logtape/logtape": "^2.0.5", "@multiformats/base-x": "^4.0.1", "@opentelemetry/api": "^1.9.0", "asn1js": "^3.0.6", 
@@ -860,16 +860,16 @@ } }, "node_modules/@fedify/vocab-runtime": { - "version": "2.0.7", - "resolved": "https://registry.npmjs.org/@fedify/vocab-runtime/-/vocab-runtime-2.0.7.tgz", - "integrity": "sha512-6YKAC1/Xk5GYUuWwX6BwhmMjLmSEiyJWZuu+u25aJ+0i9b93Cw2aGCuorTndvFZcpZ+TDGiEQfA0qVe6knJWcg==", + "version": "2.1.1", + "resolved": "https://registry.npmjs.org/@fedify/vocab-runtime/-/vocab-runtime-2.1.1.tgz", + "integrity": "sha512-W/R/+AOKld4S5HuwPf8bgT8dA+apNoaF8j0wVqFcj9/nCWYrTzWX8KfiHK2kOGxK1gK1ia+AtJJ/uFUcBpbc/A==", "funding": [ "https://opencollective.com/fedify", "https://github.com/sponsors/dahlia" ], "license": "MIT", "dependencies": { - "@logtape/logtape": "^2.0.0", + "@logtape/logtape": "^2.0.5", "@multiformats/base-x": "^4.0.1", "@opentelemetry/api": "^1.9.0", "asn1js": "^3.0.6", @@ -884,9 +884,9 @@ } }, "node_modules/@fedify/vocab-tools": { - "version": "2.0.7", - "resolved": "https://registry.npmjs.org/@fedify/vocab-tools/-/vocab-tools-2.0.7.tgz", - "integrity": "sha512-4jz6b0keXab6kjRCnr8oSLnHgdir30xPWV4HkQhVMIQROW6SVyUPMjRxr1+iuzUx70DqHuNdkDJPXX+1gPezNg==", + "version": "2.1.1", + "resolved": "https://registry.npmjs.org/@fedify/vocab-tools/-/vocab-tools-2.1.1.tgz", + "integrity": "sha512-c64ZKjeJjqllEQ0WWPF+5s5V2PADJoL63MV5HqR/wQVvOyBpMK/oOcjLYLtwmwAgqQY2HHDOQwYvsIbTTPujTA==", "funding": [ "https://opencollective.com/fedify", "https://github.com/sponsors/dahlia" 
@@ -905,17 +905,17 @@ } }, "node_modules/@fedify/webfinger": { - "version": "2.0.7", - "resolved": "https://registry.npmjs.org/@fedify/webfinger/-/webfinger-2.0.7.tgz", - "integrity": "sha512-JNSBGQHekvvGNWbIRaI05WDNh4xO13SWa/WG6JMxaabQKnnerXVyy1M36zKbEEaXASvANk3qGkXLPZCae3dJmg==", + "version": "2.1.1", + "resolved": "https://registry.npmjs.org/@fedify/webfinger/-/webfinger-2.1.1.tgz", + "integrity": "sha512-yCtHWMA/sA1NZUvopuFQ4KEgKHHj129WyPdVSpOiWGneUw+p3sgf8ffO1oj13FYwiR3qvpIV8SMcJ9aFmOa6Ug==", "funding": [ "https://opencollective.com/fedify", "https://github.com/sponsors/dahlia" ], "license": "MIT", "dependencies": { - "@fedify/vocab-runtime": "2.0.7", - "@logtape/logtape": "^2.0.0", + "@fedify/vocab-runtime": "2.1.1", + "@logtape/logtape": "^2.0.5", "@opentelemetry/api": "^1.9.0", "es-toolkit": "1.43.0" }, @@ -1850,9 +1850,9 @@ "license": "MIT" }, "node_modules/@logtape/logtape": { - "version": "2.0.4", - "resolved": "https://registry.npmjs.org/@logtape/logtape/-/logtape-2.0.4.tgz", - "integrity": "sha512-Z4COeAMdedcBFuFkXaPFvDPOVuHoEom1hwNnPCIkSyojyikuNguplwPoSG+kZthWrS7GiOJo1USQyjWwIFfTKA==", + "version": "2.0.5", + "resolved": "https://registry.npmjs.org/@logtape/logtape/-/logtape-2.0.5.tgz", + "integrity": "sha512-UizDkh20ZPJVOddRxG1F77WhHdlNl/sbQgoO8T534R7XvUBMAJ9En9f35u+meW2tRsNLvjz6R87Zanwf53tspQ==", "funding": [ "https://github.com/sponsors/dahlia" ], 
@@ -1982,18 +1982,18 @@ } }, "node_modules/@opentelemetry/api": { - "version": "1.9.0", - "resolved": "https://registry.npmjs.org/@opentelemetry/api/-/api-1.9.0.tgz", - "integrity": "sha512-3giAOQvZiH5F9bMlMiv8+GSPMeqg0dbaeo58/0SlA9sxSqZhnUtxzX9/2FzyhS9sWQf5S0GJE0AKBrFqjpeYcg==", + "version": "1.9.1", + "resolved": "https://registry.npmjs.org/@opentelemetry/api/-/api-1.9.1.tgz", + "integrity": "sha512-gLyJlPHPZYdAk1JENA9LeHejZe1Ti77/pTeFm/nMXmQH/HFZlcS/O2XJB+L8fkbrNSqhdtlvjBVjxwUYanNH5Q==", "license": "Apache-2.0", "engines": { "node": ">=8.0.0" } }, "node_modules/@opentelemetry/context-async-hooks": { - "version": "2.6.0", - "resolved": "https://registry.npmjs.org/@opentelemetry/context-async-hooks/-/context-async-hooks-2.6.0.tgz", - "integrity": "sha512-L8UyDwqpTcbkIK5cgwDRDYDoEhQoj8wp8BwsO19w3LB1Z41yEQm2VJyNfAi9DrLP/YTqXqWpKHyZfR9/tFYo1Q==", + "version": "2.6.1", + "resolved": "https://registry.npmjs.org/@opentelemetry/context-async-hooks/-/context-async-hooks-2.6.1.tgz", + "integrity": "sha512-XHzhwRNkBpeP8Fs/qjGrAf9r9PRv67wkJQ/7ZPaBQQ68DYlTBBx5MF9LvPx7mhuXcDessKK2b+DcxqwpgkcivQ==", "license": "Apache-2.0", "engines": { "node": "^18.19.0 || >=20.6.0" @@ -2003,9 +2003,9 @@ } }, "node_modules/@opentelemetry/core": { - "version": "2.6.0", - "resolved": "https://registry.npmjs.org/@opentelemetry/core/-/core-2.6.0.tgz", - "integrity": "sha512-HLM1v2cbZ4TgYN6KEOj+Bbj8rAKriOdkF9Ed3tG25FoprSiQl7kYc+RRT6fUZGOvx0oMi5U67GoFdT+XUn8zEg==", + "version": "2.6.1", + "resolved": "https://registry.npmjs.org/@opentelemetry/core/-/core-2.6.1.tgz", + "integrity": "sha512-8xHSGWpJP9wBxgBpnqGL0R3PbdWQndL1Qp50qrg71+B28zK5OQmUgcDKLJgzyAAV38t4tOyLMGDD60LneR5W8g==", "license": "Apache-2.0", "dependencies": { "@opentelemetry/semantic-conventions": "^1.29.0" 
@@ -2018,12 +2018,12 @@ } }, "node_modules/@opentelemetry/resources": { - "version": "2.6.0", - "resolved": "https://registry.npmjs.org/@opentelemetry/resources/-/resources-2.6.0.tgz", - "integrity": "sha512-D4y/+OGe3JSuYUCBxtH5T9DSAWNcvCb/nQWIga8HNtXTVPQn59j0nTBAgaAXxUVBDl40mG3Tc76b46wPlZaiJQ==", + "version": "2.6.1", + "resolved": "https://registry.npmjs.org/@opentelemetry/resources/-/resources-2.6.1.tgz", + "integrity": "sha512-lID/vxSuKWXM55XhAKNoYXu9Cutoq5hFdkbTdI/zDKQktXzcWBVhNsOkiZFTMU9UtEWuGRNe0HUgmsFldIdxVA==", "license": "Apache-2.0", "dependencies": { - "@opentelemetry/core": "2.6.0", + "@opentelemetry/core": "2.6.1", "@opentelemetry/semantic-conventions": "^1.29.0" }, "engines": { @@ -2034,13 +2034,13 @@ } }, "node_modules/@opentelemetry/sdk-trace-base": { - "version": "2.6.0", - "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-trace-base/-/sdk-trace-base-2.6.0.tgz", - "integrity": "sha512-g/OZVkqlxllgFM7qMKqbPV9c1DUPhQ7d4n3pgZFcrnrNft9eJXZM2TNHTPYREJBrtNdRytYyvwjgL5geDKl3EQ==", + "version": "2.6.1", + "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-trace-base/-/sdk-trace-base-2.6.1.tgz", + "integrity": "sha512-r86ut4T1e8vNwB35CqCcKd45yzqH6/6Wzvpk2/cZB8PsPLlZFTvrh8yfOS3CYZYcUmAx4hHTZJ8AO8Dj8nrdhw==", "license": "Apache-2.0", "dependencies": { - "@opentelemetry/core": "2.6.0", - "@opentelemetry/resources": "2.6.0", + "@opentelemetry/core": "2.6.1", + "@opentelemetry/resources": "2.6.1", "@opentelemetry/semantic-conventions": "^1.29.0" }, "engines": { 
@@ -2417,15 +2417,16 @@ } }, "node_modules/@rmdes/indiekit-endpoint-activitypub": { - "version": "3.8.5", - "resolved": "git+ssh://git@github.com/svemagie/indiekit-endpoint-activitypub.git#42f8c2d9d44f2f5db08b7518e7642ffd0cb9a3b1", + "version": "3.10.0", + "resolved": "git+ssh://git@github.com/svemagie/indiekit-endpoint-activitypub.git#230bfd105e51cbd27509640c845e0a51dcb6177b", "license": "MIT", "dependencies": { - "@fedify/debugger": "^2.0.0", - "@fedify/fedify": "^2.0.0", - "@fedify/redis": "^2.0.0", + "@fedify/debugger": "^2.1.0", + "@fedify/fedify": "^2.1.0", + "@fedify/redis": "^2.1.0", "@js-temporal/polyfill": "^0.5.0", "express": "^5.0.0", + "express-rate-limit": "^7.5.1", "ioredis": "^5.9.3", "sanitize-html": "^2.13.1", "unfurl.js": "^6.4.0" @@ -2439,6 +2440,21 @@ "@indiekit/frontend": "^1.0.0-beta.25" } }, + "node_modules/@rmdes/indiekit-endpoint-activitypub/node_modules/express-rate-limit": { + "version": "7.5.1", + "resolved": "https://registry.npmjs.org/express-rate-limit/-/express-rate-limit-7.5.1.tgz", + "integrity": "sha512-7iN8iPMDzOMHPUYllBEsQdWVB6fPDMPqwjBaFrgr4Jgr/+okjvzAy+UHlYYL/Vs0OsOrMkwS6PJDkFlJwoxUnw==", + "license": "MIT", + "engines": { + "node": ">= 16" + }, + "funding": { + "url": "https://github.com/sponsors/express-rate-limit" + }, + "peerDependencies": { + "express": ">= 4.11" + } + }, "node_modules/@rmdes/indiekit-endpoint-auth": { "version": "1.0.0-beta.25", "resolved": "https://registry.npmjs.org/@rmdes/indiekit-endpoint-auth/-/indiekit-endpoint-auth-1.0.0-beta.25.tgz", 
@@ -5175,9 +5191,9 @@ } }, "node_modules/hono": { - "version": "4.12.8", - "resolved": "https://registry.npmjs.org/hono/-/hono-4.12.8.tgz", - "integrity": "sha512-VJCEvtrezO1IAR+kqEYnxUOoStaQPGrCmX3j4wDTNOcD1uRPFpGlwQUIW8niPuvHXaTUxeOUl5MMDGrl+tmO9A==", + "version": "4.12.9", + "resolved": "https://registry.npmjs.org/hono/-/hono-4.12.9.tgz", + "integrity": "sha512-wy3T8Zm2bsEvxKZM5w21VdHDDcwVS1yUFFY6i8UobSsKfFceT7TOwhbhfKsDyx7tYQlmRM5FLpIuYvNFyjctiA==", "license": "MIT", "engines": { "node": ">=16.9.0"