BotKit changelog
Version 0.5.0
To be released.
@fedify/botkit
Redesigned the bot's web pages with a new, self-contained design language.
The profile, post, and follower pages now use BotKit's own quiet, modern design instead of Pico CSS. The look is driven by the bot's accent color, adapts to light and dark color schemes automatically, and foregrounds the bot's own identity rather than BotKit's brand. Reposts are now clearly distinguished from the bot's own posts. The full system is described in the new <DESIGN.md> document.
The stylesheet and web fonts are bundled with the package and served locally, so the pages no longer load anything from an external CDN and work with no build step on either Deno or Node.js.
- Added the
PagesOptions.themeoption, which selects the color scheme ("auto","light", or"dark"; default"auto").
- Added the
Added support for hosting multiple bots on a single instance. [#16, #24]
The new
createInstance()function creates an instance that owns the shared infrastructure (the key–value store, the message queue, the repository, and HTTP handling), on which multiple bots can be hosted, each with its own actor identity and event handlers.- Added
createInstance()function. - Added
Instanceinterface. - Added
InstanceWithVoidContextDatainterface. - Added
CreateInstanceOptionsinterface. - Added
Instance.createBot()method, which creates a static bot from an identifier and aBotProfile, or a dynamicBotGroupfrom aBotDispatcherfunction that resolves bots on demand (e.g. one bot per region, backed by a database). - Added
BotProfileinterface. - Added
BotDispatchertype. - Added
BotGroupinterface. - Added
CreateBotGroupOptionsinterface, whosemapUsernameoption resolves WebFinger usernames to dynamic bot identifiers. - Added
BotEventHandlersinterface, whichBotandBotGroupboth extend. - Added
DEFAULT_INSTANCE_ACTOR_IDENTIFIERconstant. Multi-bot instances expose an instance actor under a reserved identifier, whose key signs shared-inbox related requests; it can be overridden through theCreateInstanceOptions.instanceActorIdentifieroption. - Added
@fedify/botkit/instancemodule.
Activities delivered to the shared inbox are routed to the bots they are relevant to: the followed or unfollowed bot, the owner of the liked or replied-to message, mentioned bots, addressed bots, and bots following the author. Multi-bot instances serve a bot list at the web root and each bot's pages under
/@{username}.The existing
createBot()function keeps working for single-bot deployments and preserves their behavior, including the web pages served at the root.- Added
Added support for consent-respecting quote posts using FEP-044f. [#27, #28, #29, #30, #31, #32, #33]
BotKit now serializes quote policies on outgoing messages, handles incoming
QuoteRequestactivities, automatically accepts or rejects them according to each message's policy, and storesQuoteAuthorizationstamps for accepted quotes. Applications can set a defaultCreateBotOptions.quotePolicy, override it per message withSession.publish()orAuthorizedMessage.update(), and moderate pending requests with the newBot.onQuoteRequestevent handler.When publishing a quote, BotKit now sets the FEP-044f
quoteproperty, sends aQuoteRequestto the quoted message's author, applies acceptedQuoteAuthorizationstamps to the stored message, and strips rejected quote targets from the stored message before delivering anUpdate. BotKit also verifiesQuoteAuthorizationstamps on received third-party quote posts and handles deleted stamps by forwarding theDeleteactivity before stripping the quote from the bot's own post.- Added
QuotePolicy,QuotePolicyOption,QuoteRequest, andQuoteRequestEventHandlertypes. [#27, #28, #31] - Added
Bot.onQuoteRequestevent handler. [#27, #28, #31] - Added
QuoteAcceptedEventHandlerandQuoteRejectedEventHandlertypes. [#27, #29, #32] - Added
Bot.onQuoteAcceptedandBot.onQuoteRejectedevent handlers. [#27, #29, #32] - Added
QuoteRevokedEventHandlertype andBot.onQuoteRevokedevent handler. [#27, #30, #33] - Added
ReadonlyBot.quotePolicy,CreateBotOptions.quotePolicy, andBotProfile.quotePolicyproperties. [#27, #28, #31] - Added
SessionPublishOptions.quotePolicyandAuthorizedMessageUpdateOptions.quotePolicyoptions. [#27, #28, #31] - Added
Message.quotePolicyandAuthorizedMessage.quoteApprovalStateproperties. [#27, #29, #32] - Added
Message.quoteApprovedproperty for inspecting whether a received quote post has valid FEP-044f approval. [#27, #30, #33] - Added
AuthorizedMessage.unauthorizeQuote()method for revoking an existing quote authorization stamp by the quoted message or its URI. [#27, #28, #31] - Added
@fedify/botkit/quotemodule. [#27, #28, #31]
- Added
The
Repositoryinterface now stores data for multiple bot actors: every method takes the identifier of the owning bot actor as its first parameter, and data belonging to different identifiers are isolated from each other. This is a breaking change for customRepositoryimplementations. [#16, #24]- Added
identifierparameter to allRepositorymethods. - Added
Repository.findFollowedBots()method, a reverse lookup answering which bots follow a given actor. - Added quote authorization storage methods:
Repository.addQuoteAuthorization(),Repository.getQuoteAuthorization(),Repository.findQuoteAuthorization(), andRepository.removeQuoteAuthorization(). - Added quote authorization reference methods:
Repository.addQuoteAuthorizationReference(),Repository.findQuoteAuthorizationReference(),Repository.findQuoteAuthorizationReferenceIdentifiers(),Repository.findQuoteAuthorizationReferenceAttribution(), andRepository.removeQuoteAuthorizationReference(). [#27, #29, #30, #32, #33] - Added optional
Repository.migrate()method for adopting data stored by BotKit 0.4 or earlier. - Added
Repository.forIdentifier()method andActorScopedRepositoryclass, a view of a repository bound to a single bot actor. KvRepositorynow stores data under bot-scoped keys. Its second constructor parameter is now aKvRepositoryOptionsobject with a singleprefixoption, replacing the removedKvStoreRepositoryPrefixesinterface.createBot()migrates data stored by BotKit 0.4 or earlier to the bot-scoped layout on startup.
- Added
Local object URIs now carry the identifier of the owning bot actor, e.g.
/ap/actor/{identifier}/note/{id}instead of/ap/note/{id}. URIs in the old format are still recognized in incoming activities and are permanently redirected to their canonical URIs when dereferenced, so links stored by remote servers keep working after an upgrade. [#16, #24]The
Session.botproperty is now typed asReadonlyBot, a read-only view of the bot's identity and profile, instead ofBot. This is a breaking change for code that reached the fullBotthrough a session; such code should hold on to theBotreturned bycreateBot()instead. [#16, #24]- Added
ReadonlyBotinterface.
- Added
Upgraded Fedify to 2.3.1, Hono to 4.12.27, and LogTape to 2.2.3.
@fedify/botkit-sqlite
Added a
quote_authorizationstable for FEP-044f quote authorization stamps. [#27, #28, #31]Added a
quote_authorization_refstable for received FEP-044f quote authorization stamps that have been applied to local quote posts. [#27, #29, #32]All tables now have a
bot_idcolumn and composite primary keys, so a single database stores the data of multiple bots. Opening a database created by version 0.4 or earlier rebuilds the affected tables in place, andSqliteRepository.migrate()assigns the carried-over rows to a bot actor identifier;createBot()calls it automatically on startup. [#16, #24]
@fedify/botkit-postgres
Added a
quote_authorizationstable for FEP-044f quote authorization stamps. [#27, #28, #31]Added a
quote_authorization_refstable for received FEP-044f quote authorization stamps that have been applied to local quote posts. [#27, #29, #32]All tables now have a
bot_idcolumn and composite primary keys, so a single schema stores the data of multiple bots. Initializing a schema created by version 0.4 upgrades it in place, andPostgresRepository.migrate()assigns the carried-over rows to a bot actor identifier;createBot()calls it automatically on startup. [#16, #24]Upgraded Postgres.js to 3.4.9.
@fedify/botkit-redis
- Added the new @fedify/botkit-redis package, which provides
RedisRepository, a Redis-backed implementation of BotKit'sRepositoryinterface for bots running on Deno or Node.js. It supports URL-managed and caller-managed Redis clients, configurable key prefixes, bot-scoped storage, quote authorization storage, reverse lookups, and poll votes. [#12, #35]
Version 0.4.4
Released on July 6, 2026.
@fedify/botkit
- Fixed
MemoryRepository,KvRepository, andMemoryCachedRepositoryso removing one of multiple active follow requests for the same actor no longer deletes the follower too early or fires a premature unfollow event, and reassigning a follow request no longer leaves stale followers behind. [#25, #26]
@fedify/botkit-sqlite
- Fixed
SqliteRepositoryso removing one of multiple active follow requests for the same actor no longer fails with a foreign key error, and reassigning a follow request no longer leaves stale followers behind. [#25, #26]
@fedify/botkit-postgres
- Fixed
PostgresRepositoryso removing one of multiple active follow requests for the same actor no longer reports a follower removal until the last active follow request is removed. [#25, #26]
Version 0.4.3
Released on June 4, 2026.
- Upgraded Fedify to 2.1.15, which fixes an SSRF protection bypass vulnerability. [CVE-2026-50131]
Version 0.4.2
Released on May 21, 2026.
@fedify/botkit
- Upgraded Fedify to 2.1.14 to fix a security vulnerability in Linked Data Signature verification that could allow certain signed activities to be interpreted differently than intended. [CVE-2026-42462]
Version 0.4.1
Released on May 12, 2026.
@fedify/botkit
- Upgraded Fedify to 2.1.12, which addresses a private network protection bypass vulnerability. This vulnerability allowed certain IPv4-mapped IPv6 literals (e.g.,
http://[::ffff:127.0.0.1]/) to bypass SSRF (Server-Side Request Forgery) protection, potentially allowing attackers to access internal network resources.
Version 0.4.0
Released on March 30, 2026.
@fedify/botkit
Upgraded Fedify to 2.1.2.
- BotKit now targets Fedify 2.0's modular package layout, using @fedify/vocab, @fedify/vocab-runtime, and @fedify/denokv where appropriate.
Message.languageandSessionPublishOptions.languagenow useIntl.Localeinstead ofLanguageTag.- Bot software versions now use plain strings instead of
SemVerobjects. - Removed the
parseSemVer(),SemVer,LanguageTag, andparseLanguageTag()public exports.
BotKit now acknowledges unverified remote
Deleteactivities signed by permanently gone actors with202 Acceptedinstead of401 Unauthorized.- This applies only when Fedify reports a
keyFetchErrorand the remote actor's key fetch returned410 Gone. - The unverified activity is not passed to BotKit event handlers, but the successful response stops repeated redelivery attempts from the remote server.
- This applies only when Fedify reports a
Added FEP-5711 inverse properties to the bot actor's
outboxandfollowerscollections.Added a remote follow button to the web interface. [#10, #14 by Hyeonseo Kim]
- Added a Follow button on the bot's profile page that allows users to follow the bot from their own fediverse instance without manual searching.
- When clicked, the button opens a modal dialog where users can enter their fediverse handle (e.g.,
@username@instance.com). - The feature uses WebFinger to discover the user's instance and automatically redirects to the appropriate follow page using the OStatus subscribe protocol.
Added
Session.republishProfile()to broadcast profile changes to followers. [#18]- The new method sends an ActivityPub
Updateactivity for the bot actor to the bot's followers. - This makes profile updates such as display name, bio, avatar, and header image propagate without waiting for the next post.
- The new method sends an ActivityPub
@fedify/botkit-postgres
- Added a new PostgreSQL repository package,
@fedify/botkit-postgres, which providesPostgresRepository,PostgresRepositoryOptions, andinitializePostgresRepositorySchema(). [#11, #19]
Version 0.3.4
Released on June 4, 2026.
- Upgraded Fedify to 1.9.12, which fixes an SSRF protection bypass vulnerability. [CVE-2026-50131]
Version 0.3.3
Released on May 21, 2026.
- Upgraded Fedify to 1.9.11 to fix a security vulnerability in Linked Data Signature verification that could allow certain signed activities to be interpreted differently than intended. [CVE-2026-42462]
Version 0.3.2
Released on May 12, 2026.
- Upgraded Fedify to 1.9.10, which addresses a private network protection bypass vulnerability. This vulnerability allowed certain IPv4-mapped IPv6 literals (e.g.,
http://[::ffff:127.0.0.1]/) to bypass SSRF (Server-Side Request Forgery) protection, potentially allowing attackers to access internal network resources.
Version 0.3.1
Released on December 20, 2025.
- Upgraded Fedify to 1.8.15, which includes a critical security fix CVE-2025-68475 that addresses a ReDoS (Regular Expression Denial of Service) vulnerability in HTML parsing. [CVE-2025-68475]
Version 0.3.0
Released on August 28, 2025.
- BotKit now supports Node.js alongside of Deno. The minimum required version of Node.js is 22.0.0.
@fedify/botkit
BotKit now supports publishing polls. [#7, #8]
- Added
Pollinterface. - Added
Voteinterface. - Added an overload of the
Session.publish()method that acceptsSessionPublishOptionsWithQuestionas the second argument. - Added
SessionPublishOptionsWithQuestioninterface. - Added
Bot.onVoteevent. - Added
VoteEventHandlertype. - Added
KvStoreRepositoryPrefixes.pollsoption.
- Added
Added
@fedify/botkit/repositorymodule that provides repository implementations for BotKit.- Added
RepositoryGetMessagesOptionsinterface. - Added
RepositoryGetFollowersOptionsinterface. - Added
Uuidtype. - Added
KvKeytype. - Added
KvStoretype. - Added
KvStoreRepositoryPrefixesinterface. - Added
Announceclass. - Added
Createclass. - Added
MemoryCachedRepositoryclass.
- Added
Added web frontend followers page. [#2, #13 by Hyeonseo Kim]
- Added
/followersroute that displays a list of bot followers. - Made follower count on the main page clickable, linking to
/followers.
- Added
Upgraded Fedify to 1.8.8.
@fedify/botkit-sqlite
- Added
SqliteRepositoryclass that implements a SQLite-based repository for BotKit. - Added
SqliteRepositoryOptionsinterface.
Version 0.2.4
Released on August 26, 2025.
- Upgraded Fedifyh to 1.5.7 which fixes a bug where HTTP Signature verification failed for requests having
createdorexpiresfields in theirSignatureheader, causing500 Internal Server Errorresponses in inbox handlers.
Version 0.2.3
Released on August 25, 2025.
- Upgraded Fedify to 1.5.6, which fixes a bug where ActivityPub Discovery failed to recognize XHTML self-closing
<link>tags. The HTML/XHTML parser now correctly handles whitespace before the self-closing slash (/>), improving compatibility with XHTML documents that follow the self-closing tag format.
Version 0.2.2
Released on August 8, 2025.
- Upgrade Fedify to 1.5.5, which includes a critical security fix CVE-2025-54888 that addresses an authentication bypass vulnerability allowing actor impersonation. [CVE-2025-54888]
Version 0.2.1
Released on July 8, 2025.
- Fixed a bug where messages from
Session.getOutbox()didn't haveupdate()anddelete()methods. [#9]
Version 0.2.0
Released on April 21, 2025.
Image attachments in posts became shown in the web interface.
Added custom emoji support.
- The return type of
Text.getTags()method becameAsyncIterable<Link | Object>(wasAsyncIterable<Link>). - Added
Bot.addCustomEmojis()method. - Added
CustomEmojiTextclass. - Added
customEmoji()function. - Added
CustomEmojiBaseinterface. - Added
CustomEmojiFromUrlinterface. - Added
CustomEmojiFromFileinterface. - Added
CustomEmojitype. - Added
DeferredCustomEmojitype. - The
text()tagged template literal function now acceptsEmojiobjects (provided by Fedify).
- The return type of
Added emoji reaction support.
- Added
Emojitype. - Added
isEmoji()predicate function. - Added
emoji()tagged template literal function. - Added
Message.react()method. - Added
Reactioninterface. - Added
AuthorizedReactioninterface. - Added
Bot.onReactevent. - Added
Bot.onUnreactevent. - Added
ReactionEventHandlertype. - Added
UndoneReactionEventHandlertype.
- Added
Added quote support.
- Added
SessionPublishOptions.quoteTargetoption. - Added
Message.quoteTargetproperty. - Added
Bot.onQuoteevent. - Added
QuoteEventHandlertype.
- Added
Added
SessionGetOutboxOptionsinterface.Activities are more precisely propagated.
- The
Message.reply()method now sends theCreateactivity to the author of the original message as well. - The
Message.share()method now sends theAnnounceactivity to the author of the original message as well. - The
AuthorizedSharedMessage.unshare()method now sends theUndoactivity to the author of the original message as well. - The
AuthorizedMessage.update()method now sends theUpdateactivity to the author of the original message as well if it is a reply. - The
AuthorizedMessage.delete()method now sends theDeleteactivity to the author of the original message as well if it is a reply.
- The
Version 0.1.4
Released on August 26, 2025.
- Upgraded Fedifyh to 1.4.15 which fixes a bug where HTTP Signature verification failed for requests having
createdorexpiresfields in theirSignatureheader, causing500 Internal Server Errorresponses in inbox handlers.
Version 0.1.3
Released on August 25, 2025.
- Upgraded Fedify to 1.4.14, which fixes a bug where ActivityPub Discovery failed to recognize XHTML self-closing
<link>tags. The HTML/XHTML parser now correctly handles whitespace before the self-closing slash (/>), improving compatibility with XHTML documents that follow the self-closing tag format.
Version 0.1.2
Released on August 8, 2025.
- Upgraded Fedify to 1.4.13, which includes a critical security fix CVE-2025-54888 that addresses an authentication bypass vulnerability allowing actor impersonation. [CVE-2025-54888]
Version 0.1.1
Released on February 10, 2025.
- Fixed a bug where direct and followers-only messages that reply to a bot had been forwarded to the bot's followers.
Version 0.1.0
Initial release. Released on February 7, 2025.