Update dependency @fedify/hono to v1.10.3

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@fedify/hono (source)	1.9.1 → 1.10.3

---

Release Notes

fedify-dev/fedify (@​fedify/hono)

v1.10.3

Compare Source

Released on February 1, 2026.

@​fedify/fedify

• Fixed traverseCollection() yielding no items when a Collection has
  an inline CollectionPage in its first property without an explicit
  id. This is common in Mastodon's replies collections. The function
  previously used collection.firstId to determine pagination, which
  returned null for inline pages without an id, causing it to
  incorrectly fall into the non-paginated branch. [#​550 by Lee Dogeon]

v1.10.2

Compare Source

Released on January 23, 2026.

@​fedify/testing

• Fixed TestContext.getActorKeyPairs() returning empty array instead of
  calling registered key pairs dispatcher. The method now properly invokes
  the key pairs dispatcher when it is registered via
  setKeyPairsDispatcher(). [#​530]

v1.10.1

Compare Source

Released on January 22, 2026.

@​fedify/testing

• Fixed TestContext.getActor() and TestContext.getObject() returning
  null instead of calling registered dispatchers. The methods now properly
  invoke actor and object dispatchers when they are registered via
  setActorDispatcher() and setObjectDispatcher(). [[#​530]]

v1.10.0

Compare Source

Released on December 24, 2025.

@​fedify/fedify

• Enhanced OpenTelemetry instrumentation with span events for capturing
  detailed activity data. Span events now record complete activity JSON
  payloads and verification status, enabling richer observability and
  debugging capabilities without relying solely on span attributes
  (which only support primitive values). [#​323]

  • Added activitypub.activity.received span event to the
    activitypub.inbox span, recording the full activity JSON,
    verification status (activity verified, HTTP signatures verified,
    Linked Data signatures verified), and actor information.
  • Added activitypub.activity.sent span event to the
    activitypub.send_activity span, recording the full activity JSON
    and target inbox URL.
  • Added activitypub.object.fetched span event to the
    activitypub.lookup_object span, recording the fetched object's
    type and complete JSON-LD representation.

• Added OpenTelemetry spans for previously uninstrumented operations:
  [#​323]

  • Added activitypub.fetch_document span for document loader operations,
    tracking URL fetching, HTTP redirects, and final document URLs.
  • Added activitypub.verify_key_ownership span for cryptographic
    key ownership verification, recording actor ID, key ID, verification
    result, and the verification method used.

• Added optional list() method to the KvStore interface for enumerating
  entries by key prefix. This method takes an optional prefix parameter;
  when omitted or empty, it returns all entries. This enables efficient
  prefix scanning which is useful for implementing features like distributed
  trace storage, cache invalidation by prefix, and listing related entries.
  [#​498, #​500]

  • Added KvStoreListEntry interface.
  • Implemented in MemoryKvStore.

• Added FedifySpanExporter class that persists ActivityPub activity traces
  to a KvStore for distributed tracing support. This enables aggregating
  trace data across multiple nodes in a distributed deployment, making it
  possible to build debug dashboards that show complete request flows across
  web servers and background workers. [#​497, #​502]

  • Added @fedify/fedify/otel module.
  • Added FedifySpanExporter class implementing OpenTelemetry's
    SpanExporter interface.
  • Added TraceActivityRecord interface for stored activity data,
    including actorId and signatureDetails fields for debug dashboard
    support.
  • Added SignatureVerificationDetails interface for detailed signature
    verification information.
  • Added TraceSummary interface for trace listing.
  • Added FedifySpanExporterOptions interface.
  • Added GetRecentTracesOptions interface.
  • Added ActivityDirection type.

@​fedify/nestjs

• Allowed Express 5 in the express peer dependency range to support NestJS 11.
  [#​492, #​493 by Cho Hasang]

@​fedify/sqlite

• Implemented list() method in SqliteKvStore. [#​498, #​500]

@​fedify/postgres

• Implemented list() method in PostgresKvStore. [#​498, #​500]

@​fedify/redis

• Implemented list() method in RedisKvStore. [#​498, #​500]

@​fedify/denokv

• Implemented list() method in DenoKvStore. [#​498, #​500]

@​fedify/cfworkers

• Implemented list() method in WorkersKvStore. [#​498, #​500]

v1.9.5

Compare Source

Released on February 1, 2026.

@​fedify/fedify

• Fixed traverseCollection() yielding no items when a Collection has
  an inline CollectionPage in its first property without an explicit
  id. This is common in Mastodon's replies collections. The function
  previously used collection.firstId to determine pagination, which
  returned null for inline pages without an id, causing it to
  incorrectly fall into the non-paginated branch. [[#​550] by Lee Dogeon]

v1.9.4

Compare Source

Released on January 23, 2026.

@​fedify/testing

• Fixed TestContext.getActorKeyPairs() returning empty array instead of
  calling registered key pairs dispatcher. The method now properly invokes
  the key pairs dispatcher when it is registered via
  setKeyPairsDispatcher(). [[#​530]]

v1.9.3

Compare Source

Released on January 22, 2026.

@​fedify/testing

• Fixed TestContext.getActor() and TestContext.getObject() returning
  null instead of calling registered dispatchers. The methods now properly
  invoke actor and object dispatchers when they are registered via
  setActorDispatcher() and setObjectDispatcher(). [[#​530]]

v1.9.2

Compare Source

Released on December 20, 2025.

@​fedify/fedify

• Fixed a ReDoS (Regular Expression Denial of Service) vulnerability in
  the document loader's HTML parsing. An attacker-controlled server could
  respond with a malicious HTML payload that blocked the event loop.
  [CVE-2025-68475]

@​fedify/sqlite

• Fixed SyntaxError: Identifier 'Temporal' has already been declared error
  that occurred when using SqliteKvStore on Node.js or Bun. The error
  was caused by duplicate Temporal imports during the build process.
  [#​487]

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - Between 07:00 AM and 04:59 PM, only on Monday, Tuesday, Wednesday, and Thursday ( * 7-16 * * 1,2,3,4 ) (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch renovate/fedify-hono-1.x

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sagzy]

@codex review

[Copilot]

Pull request overview

This PR updates the @fedify/hono package from version 1.9.1 to 1.10.3, which is an integration package for using Fedify with the Hono web framework. The update spans multiple minor versions (1.10.0, 1.10.1, 1.10.2, 1.10.3) and includes bug fixes in the Fedify ecosystem, particularly for @fedify/testing methods and traverseCollection() functionality.

Changes:

• Updated @fedify/hono dependency from 1.9.1 to 1.10.3 in package.json
• Updated corresponding yarn.lock entries with new version, resolved URL, and integrity hash

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File	Description
package.json	Updated @fedify/hono dependency version from 1.9.1 to 1.10.3
yarn.lock	Updated lock file entries for @fedify/hono with new version metadata

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Potential version mismatch detected. The @fedify/hono package is being updated to version 1.10.3, but @fedify/fedify remains at version 1.9.1. These packages are part of the same monorepo (fedify-dev/fedify) and the release notes show that version 1.10.0 introduced significant changes including new interfaces (KvStore.list(), FedifySpanExporter) and OpenTelemetry enhancements.

The @fedify/redis package (version 1.9.1) and @fedify/cli package (version 1.9.1 in devDependencies) are also out of sync with @fedify/hono.

Consider updating all @fedify/* packages to the same version (1.10.3 or at least 1.10.x) to ensure compatibility. The release notes indicate that version 1.10.x includes features like the new optional list() method in the KvStore interface that was implemented across all KvStore implementations (including RedisKvStore, which this project uses).

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. Delightful!

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@package.json`:
- Around line 66-68: The package.json pins `@fedify/fedify` to 1.9.1 which
conflicts with `@fedify/hono`'s peerDependency requirement; update the dependency
entry "@fedify/fedify" to at least "1.10.3" (or a matching semver like
"^1.10.3") and run dependency checks/build/tests to ensure `@fedify/redis` and
other packages remain compatible with the bumped `@fedify/fedify`.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Inspect peer/dependency requirements for `@fedify/hono`@1.10.3
npm view `@fedify/hono`@1.10.3 peerDependencies
npm view `@fedify/hono`@1.10.3 peerDependenciesMeta
npm view `@fedify/hono`@1.10.3 dependencies
npm view `@fedify/hono`@1.10.3 engines

Repository: TryGhost/ActivityPub

Length of output: 111

---

@fedify/hono 1.10.3 requires @fedify/fedify ≥1.10.3 as a peer dependency, but package.json pins it at 1.9.1.

The peer dependency constraint @fedify/fedify: '^1.10.3' will be violated. Bump @fedify/fedify to at least 1.10.3 and verify @fedify/redis compatibility.

🤖 Prompt for AI Agents

In `@package.json` around lines 66 - 68, The package.json pins `@fedify/fedify` to
1.9.1 which conflicts with `@fedify/hono`'s peerDependency requirement; update the
dependency entry "@fedify/fedify" to at least "1.10.3" (or a matching semver
like "^1.10.3") and run dependency checks/build/tests to ensure `@fedify/redis`
and other packages remain compatible with the bumped `@fedify/fedify`.