Loading CHANGES.md +55 −1 Original line number Diff line number Diff line Loading @@ -41,6 +41,16 @@ To be released. [#211]: https://github.com/fedify-dev/fedify/issues/211 Version 1.4.6 ------------- Released on March 9, 2025. - Fedify no more depends on `node:punycode` module, which is deprecated in Node.js. Now it uses the built-in `node:url` module instead. [[#212], [#214] by Fróði Karlsson] Version 1.4.5 ------------- Loading Loading @@ -194,6 +204,16 @@ Released on February 5, 2025. [#195]: https://github.com/fedify-dev/fedify/issues/195 Version 1.3.13 -------------- Released on March 9, 2025. - Fedify no more depends on `node:punycode` module, which is deprecated in Node.js. Now it uses the built-in `node:url` module instead. [[#212], [#214] by Fróði Karlsson] Version 1.3.12 -------------- Loading Loading @@ -463,6 +483,16 @@ Released on November 30, 2024. [#193]: https://github.com/fedify-dev/fedify/issues/193 Version 1.2.17 -------------- Released on March 9, 2025. - Fedify no more depends on `node:punycode` module, which is deprecated in Node.js. Now it uses the built-in `node:url` module instead. [[#212], [#214] by Fróði Karlsson] Version 1.2.16 -------------- Loading Loading @@ -781,6 +811,16 @@ Released on October 31, 2024. [#118]: https://github.com/fedify-dev/fedify/issues/118 Version 1.1.17 -------------- Released on March 9, 2025. - Fedify no more depends on `node:punycode` module, which is deprecated in Node.js. Now it uses the built-in `node:url` module instead. [[#212], [#214] by Fróði Karlsson] Version 1.1.16 -------------- Loading Loading @@ -1140,6 +1180,19 @@ Released on October 20, 2024. [#150]: https://github.com/fedify-dev/fedify/issues/150 Version 1.0.20 -------------- Released on March 9, 2025. - Fedify no more depends on `node:punycode` module, which is deprecated in Node.js. Now it uses the built-in `node:url` module instead. [[#212], [#214] by Fróði Karlsson] [#212]: https://github.com/fedify-dev/fedify/issues/212 [#214]: https://github.com/fedify-dev/fedify/pull/214 Version 1.0.19 -------------- Loading Loading @@ -3291,4 +3344,5 @@ Version 0.1.0 Initial release. Released on March 8, 2024. <!-- cSpell: ignore Dogeon Fabien Wressell Emelia Hana Heesun Kyunghee Jiyu --> <!-- cSpell: ignore Dogeon Fabien Wressell Emelia Fróði Karlsson --> <!-- cSpell: ignore Hana Heesun Kyunghee Jiyu --> src/runtime/url.ts +6 −2 Original line number Diff line number Diff line Loading @@ -34,8 +34,12 @@ export async function validatePublicUrl(url: string): Promise<void> { // FIXME: This is a temporary workaround for the `Bun` runtime; for unknown // reasons, the Web Crypto API does not work as expected after a DNS lookup. // This workaround purposes to prevent unit tests from hanging up: if ("Bun" in globalThis && hostname === "example.com") { if ("Bun" in globalThis) { if (hostname === "example.com" || hostname.endsWith(".example.com")) { return; } else if (hostname === "fedify-test.internal") { throw new UrlError("Invalid or private address: fedify-test.internal"); } } // To prevent SSRF via DNS rebinding, we need to resolve all IP addresses // and ensure that they are all public: Loading src/vocab/actor.ts +2 −2 Original line number Diff line number Diff line import { SpanStatusCode, trace, type TracerProvider } from "@opentelemetry/api"; import { toASCII, toUnicode } from "node:punycode"; import { domainToASCII, domainToUnicode } from "node:url"; import metadata from "../deno.json" with { type: "json" }; import type { GetUserAgentOptions } from "../runtime/docloader.ts"; import { lookupWebFinger } from "../webfinger/lookup.ts"; Loading Loading @@ -259,7 +259,7 @@ export function normalizeActorHandle( throw new TypeError("Invalid actor handle."); } domain = domain.toLowerCase(); domain = options.punycode ? toASCII(domain) : toUnicode(domain); domain = options.punycode ? domainToASCII(domain) : domainToUnicode(domain); domain = domain.toLowerCase(); const user = handle.substring(0, atPos); return options.trimLeadingAt ? `${user}@${domain}` : `@${user}@${domain}`; Loading src/webfinger/handler.ts +2 −2 Original line number Diff line number Diff line import { getLogger } from "@logtape/logtape"; import type { Span, Tracer } from "@opentelemetry/api"; import { SpanKind, SpanStatusCode } from "@opentelemetry/api"; import { toASCII } from "node:punycode"; import { domainToASCII } from "node:url"; import type { ActorAliasMapper, ActorDispatcher, Loading Loading @@ -171,7 +171,7 @@ async function handleWebFingerInternal<TContextData>( ); } } else { const resourceHost = toASCII(match[2].toLowerCase()); const resourceHost = domainToASCII(match[2].toLowerCase()); if (resourceHost != context.url.host && resourceHost != host) { return await onNotFound(request); } Loading Loading
CHANGES.md +55 −1 Original line number Diff line number Diff line Loading @@ -41,6 +41,16 @@ To be released. [#211]: https://github.com/fedify-dev/fedify/issues/211 Version 1.4.6 ------------- Released on March 9, 2025. - Fedify no more depends on `node:punycode` module, which is deprecated in Node.js. Now it uses the built-in `node:url` module instead. [[#212], [#214] by Fróði Karlsson] Version 1.4.5 ------------- Loading Loading @@ -194,6 +204,16 @@ Released on February 5, 2025. [#195]: https://github.com/fedify-dev/fedify/issues/195 Version 1.3.13 -------------- Released on March 9, 2025. - Fedify no more depends on `node:punycode` module, which is deprecated in Node.js. Now it uses the built-in `node:url` module instead. [[#212], [#214] by Fróði Karlsson] Version 1.3.12 -------------- Loading Loading @@ -463,6 +483,16 @@ Released on November 30, 2024. [#193]: https://github.com/fedify-dev/fedify/issues/193 Version 1.2.17 -------------- Released on March 9, 2025. - Fedify no more depends on `node:punycode` module, which is deprecated in Node.js. Now it uses the built-in `node:url` module instead. [[#212], [#214] by Fróði Karlsson] Version 1.2.16 -------------- Loading Loading @@ -781,6 +811,16 @@ Released on October 31, 2024. [#118]: https://github.com/fedify-dev/fedify/issues/118 Version 1.1.17 -------------- Released on March 9, 2025. - Fedify no more depends on `node:punycode` module, which is deprecated in Node.js. Now it uses the built-in `node:url` module instead. [[#212], [#214] by Fróði Karlsson] Version 1.1.16 -------------- Loading Loading @@ -1140,6 +1180,19 @@ Released on October 20, 2024. [#150]: https://github.com/fedify-dev/fedify/issues/150 Version 1.0.20 -------------- Released on March 9, 2025. - Fedify no more depends on `node:punycode` module, which is deprecated in Node.js. Now it uses the built-in `node:url` module instead. [[#212], [#214] by Fróði Karlsson] [#212]: https://github.com/fedify-dev/fedify/issues/212 [#214]: https://github.com/fedify-dev/fedify/pull/214 Version 1.0.19 -------------- Loading Loading @@ -3291,4 +3344,5 @@ Version 0.1.0 Initial release. Released on March 8, 2024. <!-- cSpell: ignore Dogeon Fabien Wressell Emelia Hana Heesun Kyunghee Jiyu --> <!-- cSpell: ignore Dogeon Fabien Wressell Emelia Fróði Karlsson --> <!-- cSpell: ignore Hana Heesun Kyunghee Jiyu -->
src/runtime/url.ts +6 −2 Original line number Diff line number Diff line Loading @@ -34,8 +34,12 @@ export async function validatePublicUrl(url: string): Promise<void> { // FIXME: This is a temporary workaround for the `Bun` runtime; for unknown // reasons, the Web Crypto API does not work as expected after a DNS lookup. // This workaround purposes to prevent unit tests from hanging up: if ("Bun" in globalThis && hostname === "example.com") { if ("Bun" in globalThis) { if (hostname === "example.com" || hostname.endsWith(".example.com")) { return; } else if (hostname === "fedify-test.internal") { throw new UrlError("Invalid or private address: fedify-test.internal"); } } // To prevent SSRF via DNS rebinding, we need to resolve all IP addresses // and ensure that they are all public: Loading
src/vocab/actor.ts +2 −2 Original line number Diff line number Diff line import { SpanStatusCode, trace, type TracerProvider } from "@opentelemetry/api"; import { toASCII, toUnicode } from "node:punycode"; import { domainToASCII, domainToUnicode } from "node:url"; import metadata from "../deno.json" with { type: "json" }; import type { GetUserAgentOptions } from "../runtime/docloader.ts"; import { lookupWebFinger } from "../webfinger/lookup.ts"; Loading Loading @@ -259,7 +259,7 @@ export function normalizeActorHandle( throw new TypeError("Invalid actor handle."); } domain = domain.toLowerCase(); domain = options.punycode ? toASCII(domain) : toUnicode(domain); domain = options.punycode ? domainToASCII(domain) : domainToUnicode(domain); domain = domain.toLowerCase(); const user = handle.substring(0, atPos); return options.trimLeadingAt ? `${user}@${domain}` : `@${user}@${domain}`; Loading
src/webfinger/handler.ts +2 −2 Original line number Diff line number Diff line import { getLogger } from "@logtape/logtape"; import type { Span, Tracer } from "@opentelemetry/api"; import { SpanKind, SpanStatusCode } from "@opentelemetry/api"; import { toASCII } from "node:punycode"; import { domainToASCII } from "node:url"; import type { ActorAliasMapper, ActorDispatcher, Loading Loading @@ -171,7 +171,7 @@ async function handleWebFingerInternal<TContextData>( ); } } else { const resourceHost = toASCII(match[2].toLowerCase()); const resourceHost = domainToASCII(match[2].toLowerCase()); if (resourceHost != context.url.host && resourceHost != host) { return await onNotFound(request); } Loading
