Releases: fedify-dev/botkit

BotKit 0.4.3

04 Jun 08:35
0.4.3
55f73c3

Released on June 4, 2026.

  • Upgraded Fedify to 1.9.12, which fixes an SSRF protection bypass vulnerability. [CVE-2026-50131]

BotKit 0.3.4

04 Jun 08:28
0.3.4
e203848

Released on June 4, 2026.

  • Upgraded Fedify to 1.9.12, which fixes an SSRF protection bypass vulnerability. [CVE-2026-50131]

BotKit 0.4.2

21 May 13:13
0.4.2
1f11848

Released on May 21, 2026.

@fedify/botkit

  • Upgraded Fedify to 2.1.14 to fix a security vulnerability in Linked Data Signature verification that could allow certain signed activities to be interpreted differently than intended. [CVE-2026-42462]

BotKit 0.3.3

21 May 12:31
0.3.3
a4572ae

Released on May 21, 2026.

  • Upgraded Fedify to 1.9.11 to fix a security vulnerability in Linked Data Signature verification that could allow certain signed activities to be interpreted differently than intended. [CVE-2026-42462]

BotKit 0.4.1

11 May 15:34
0.4.1
2fd2dd0

Released on May 12, 2026.

@fedify/botkit

  • Upgraded Fedify to 2.1.12, which addresses a private network protection bypass vulnerability. This vulnerability allowed certain IPv4-mapped IPv6 literals (e.g., http://[::ffff:127.0.0.1]/) to bypass SSRF (Server-Side Request Forgery) protection, potentially allowing attackers to access internal network resources.

BotKit 0.3.2

11 May 15:28
0.3.2
c2b9367

Released on May 12, 2026.

  • Upgraded Fedify to 1.9.10, which addresses a private network protection bypass vulnerability. This vulnerability allowed certain IPv4-mapped IPv6 literals (e.g., http://[::ffff:127.0.0.1]/) to bypass SSRF (Server-Side Request Forgery) protection, potentially allowing attackers to access internal network resources.
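
The IPv4-mapped IPv6 bypass described in the 0.4.1 and 0.3.2 notes, as an added example (not Fedify's or BotKit's code; all function names are hypothetical): an address check that expands the IPv6 literal and classifies `::ffff:0:0/96` addresses by their embedded IPv4 address, so `[::ffff:127.0.0.1]` is treated like `127.0.0.1`. It covers IP literals only; hostnames still need their resolved addresses checked.

```javascript
// Added example; function names are hypothetical, not Fedify's API.
// Parse a dotted-quad IPv4 literal into four octets, or return null.
function parseIPv4(text) {
  const parts = text.split(".");
  if (parts.length !== 4 || !parts.every((p) => /^\d{1,3}$/.test(p))) return null;
  const octets = parts.map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// Expand an IPv6 literal ("::" and a dotted IPv4 tail allowed) into eight 16-bit groups.
function parseIPv6(s) {
  const cut = s.lastIndexOf(":") + 1;
  if (s.slice(cut).includes(".")) {
    const v4 = parseIPv4(s.slice(cut));
    if (!v4) return null;
    s = s.slice(0, cut) + ((v4[0] << 8) | v4[1]).toString(16) + ":" +
      ((v4[2] << 8) | v4[3]).toString(16);
  }
  const halves = s.split("::");
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(":") : [];
  const rest = halves[1] ? halves[1].split(":") : [];
  const gap = 8 - head.length - rest.length;
  if (halves.length === 2 ? gap < 1 : gap !== 0) return null;
  const groups = [...head, ...Array(gap).fill("0"), ...rest];
  if (!groups.every((g) => /^[0-9a-f]{1,4}$/i.test(g))) return null;
  return groups.map((g) => parseInt(g, 16));
}

// Loopback, RFC 1918, link-local, CGNAT and "this network" IPv4 ranges.
function isPrivateIPv4([a, b]) {
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168) ||
    (a === 100 && b >= 64 && b <= 127);
}

// True when the URL's host is an IP literal that a fetcher should refuse.
function isBlockedUrl(url) {
  const host = new URL(url).hostname;
  const v4 = parseIPv4(host);
  if (v4) return isPrivateIPv4(v4);
  if (!host.startsWith("[")) return false; // DNS name: check resolved addresses separately
  const g = parseIPv6(host.slice(1, -1));
  if (!g) return true; // unparseable literal: fail closed
  // IPv4-mapped (::ffff:0:0/96): judge by the embedded IPv4 address.
  if (g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff)
    return isPrivateIPv4([g[6] >> 8, g[6] & 0xff, g[7] >> 8, g[7] & 0xff]);
  const low = g.slice(0, 7).every((x) => x === 0) && g[7] <= 1; // :: and ::1
  return low || (g[0] & 0xfe00) === 0xfc00 || (g[0] & 0xffc0) === 0xfe80;
}
```

The WHATWG URL parser serializes `[::ffff:127.0.0.1]` as `[::ffff:7f00:1]`, so a check that only looks for dotted IPv4 text in the hostname never sees the loopback address; comparing numeric groups avoids that.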

BotKit 0.4.0

30 Mar 11:31
0.4.0
b59493e

Released on March 30, 2026.

@fedify/botkit

  • Upgraded Fedify to 2.1.2.

    • BotKit now targets Fedify 2.0's modular package layout, using @fedify/vocab, @fedify/vocab-runtime, and @fedify/denokv where appropriate.
    • Message.language and SessionPublishOptions.language now use Intl.Locale instead of LanguageTag.
    • Bot software versions now use plain strings instead of SemVer objects.
    • Removed the parseSemVer(), SemVer, LanguageTag, and parseLanguageTag() public exports.
  • BotKit now acknowledges unverified remote Delete activities signed by permanently gone actors with 202 Accepted instead of 401 Unauthorized.

    • This applies only when Fedify reports a keyFetchError and the remote actor's key fetch returned 410 Gone.
    • The unverified activity is not passed to BotKit event handlers, but the successful response stops repeated redelivery attempts from the remote server.
  • Added FEP-5711 inverse properties to the bot actor's outbox and followers collections.

  • Added a remote follow button to the web interface. [#10, #14 by Hyeonseo Kim]

    • Added a Follow button on the bot's profile page that allows users to follow the bot from their own fediverse instance without manual searching.
    • When clicked, the button opens a modal dialog where users can enter their fediverse handle (e.g., @username@instance.com).
    • The feature uses WebFinger to discover the user's instance and automatically redirects to the appropriate follow page using the OStatus subscribe protocol.
  • Added Session.republishProfile() to broadcast profile changes to followers. [#18]

    • The new method sends an ActivityPub Update activity for the bot actor to the bot's followers.
    • This makes profile updates such as display name, bio, avatar, and header image propagate without waiting for the next post.

@fedify/botkit-postgres

  • Added a new PostgreSQL repository package, @fedify/botkit-postgres, which provides PostgresRepository, PostgresRepositoryOptions, and initializePostgresRepositorySchema(). [#11, #19]

BotKit 0.3.1

20 Dec 12:30
0.3.1
e2c44e1

Released on December 20, 2025.

  • Upgraded Fedify to 1.8.15, which includes a critical security fix for a ReDoS (Regular Expression Denial of Service) vulnerability in HTML parsing. [CVE-2025-68475]

BotKit 0.3.0

28 Aug 09:59
0.3.0
8d62511

Released on August 28, 2025.

  • BotKit now supports Node.js alongside Deno. The minimum required version of Node.js is 22.0.0.

@fedify/botkit

  • BotKit now supports publishing polls. [#7, #8]

    • Added Poll interface.
    • Added Vote interface.
    • Added an overload of the Session.publish() method that accepts SessionPublishOptionsWithQuestion as the second argument.
    • Added SessionPublishOptionsWithQuestion interface.
    • Added Bot.onVote event.
    • Added VoteEventHandler type.
    • Added KvStoreRepositoryPrefixes.polls option.
  • Added @fedify/botkit/repository module that provides repository implementations for BotKit.

    • Added RepositoryGetMessagesOptions interface.
    • Added RepositoryGetFollowersOptions interface.
    • Added Uuid type.
    • Added KvKey type.
    • Added KvStore type.
    • Added KvStoreRepositoryPrefixes interface.
    • Added Announce class.
    • Added Create class.
    • Added MemoryCachedRepository class.
  • Added web frontend followers page. [#2, #13 by Hyeonseo Kim]

    • Added /followers route that displays a list of bot followers.
    • Made follower count on the main page clickable, linking to /followers.
  • Upgraded Fedify to 1.8.8.

@fedify/botkit-sqlite

  • Added SqliteRepository class that implements a SQLite-based repository for BotKit.
  • Added SqliteRepositoryOptions interface.

BotKit 0.2.4

25 Aug 16:20
0.2.4
12897a7

Released on August 26, 2025.

  • Upgraded Fedify to 1.5.7, which fixes a bug where HTTP Signature verification failed for requests having created or expires fields in their Signature header, causing 500 Internal Server Error responses in inbox handlers.