Releases: fedify-dev/botkit
Release list
BotKit 0.5.0
Released on July 8, 2026.
@fedify/botkit
-
Redesigned the bot's web pages with a new, self-contained design language.
The profile, post, and follower pages now use BotKit's own quiet, modern design instead of Pico CSS. The look is driven by the bot's accent color, adapts to light and dark color schemes automatically, and foregrounds the bot's own identity rather than BotKit's brand. Reposts are now clearly distinguished from the bot's own posts. The full system is described in the new DESIGN.md document.
The stylesheet and web fonts are bundled with the package and served locally, so the pages no longer load anything from an external CDN and work with no build step on either Deno or Node.js.
- Added the
PagesOptions.themeoption, which selects the color scheme ("auto","light", or"dark"; default"auto").
- Added the
-
Added support for hosting multiple bots on a single instance. [#16, #24]
The new
createInstance()function creates an instance that owns the shared infrastructure (the key–value store, the message queue, the repository, and HTTP handling), on which multiple bots can be hosted, each with its own actor identity and event handlers.- Added
createInstance()function. - Added
Instanceinterface. - Added
InstanceWithVoidContextDatainterface. - Added
CreateInstanceOptionsinterface. - Added
Instance.createBot()method, which creates a static bot from an identifier and aBotProfile, or a dynamicBotGroupfrom aBotDispatcherfunction that resolves bots on demand (e.g. one bot per region, backed by a database). - Added
BotProfileinterface. - Added
BotDispatchertype. - Added
BotGroupinterface. - Added
CreateBotGroupOptionsinterface, whosemapUsernameoption resolves WebFinger usernames to dynamic bot identifiers. - Added
BotEventHandlersinterface, whichBotandBotGroupboth extend. - Added
DEFAULT_INSTANCE_ACTOR_IDENTIFIERconstant. Multi-bot instances expose an instance actor under a reserved identifier, whose key signs shared-inbox related requests; it can be overridden through theCreateInstanceOptions.instanceActorIdentifieroption. - Added
@fedify/botkit/instancemodule.
Activities delivered to the shared inbox are routed to the bots they are relevant to: the followed or unfollowed bot, the owner of the liked or replied-to message, mentioned bots, addressed bots, and bots following the author. Multi-bot instances serve a bot list at the web root and each bot's pages under
/@{username}.The existing
createBot()function keeps working for single-bot deployments and preserves their behavior, including the web pages served at the root. - Added
-
Added support for consent-respecting quote posts using FEP-044f. [#27, #28, #29, #30, #31, #32, #33]
BotKit now serializes quote policies on outgoing messages, handles incoming
QuoteRequestactivities, automatically accepts or rejects them according to each message's policy, and storesQuoteAuthorizationstamps for accepted quotes. Applications can set a defaultCreateBotOptions.quotePolicy, override it per message withSession.publish()orAuthorizedMessage.update(), and moderate pending requests with the newBot.onQuoteRequestevent handler.When publishing a quote, BotKit now sets the FEP-044f
quoteproperty, sends aQuoteRequestto the quoted message's author, applies acceptedQuoteAuthorizationstamps to the stored message, and strips rejected quote targets from the stored message before delivering anUpdate. BotKit also verifiesQuoteAuthorizationstamps on received third-party quote posts and handles deleted stamps by forwarding theDeleteactivity before stripping the quote from the bot's own post.- Added
QuotePolicy,QuotePolicyOption,QuoteRequest, andQuoteRequestEventHandlertypes. [#27, #28, #31] - Added
Bot.onQuoteRequestevent handler. [#27, #28, #31] - Added
QuoteAcceptedEventHandlerandQuoteRejectedEventHandlertypes. [#27, #29, #32] - Added
Bot.onQuoteAcceptedandBot.onQuoteRejectedevent handlers. [#27, #29, #32] - Added
QuoteRevokedEventHandlertype andBot.onQuoteRevokedevent handler. [#27, #30, #33] - Added
ReadonlyBot.quotePolicy,CreateBotOptions.quotePolicy, andBotProfile.quotePolicyproperties. [#27, #28, #31] - Added
SessionPublishOptions.quotePolicyandAuthorizedMessageUpdateOptions.quotePolicyoptions. [#27, #28, #31] - Added
Message.quotePolicyandAuthorizedMessage.quoteApprovalStateproperties. [#27, #29, #32] - Added
Message.quoteApprovedproperty for inspecting whether a received quote post has valid FEP-044f approval. [#27, #30, #33] - Added
AuthorizedMessage.unauthorizeQuote()method for revoking an existing quote authorization stamp by the quoted message or its URI. [#27, #28, #31] - Added
@fedify/botkit/quotemodule. [#27, #28, #31]
- Added
-
The
Repositoryinterface now stores data for multiple bot actors: every method takes the identifier of the owning bot actor as its first parameter, and data belonging to different identifiers are isolated from each other. This is a breaking change for customRepositoryimplementations. [#16, #24]- Added
identifierparameter to allRepositorymethods. - Added
Repository.findFollowedBots()method, a reverse lookup answering which bots follow a given actor. - Added quote authorization storage methods:
Repository.addQuoteAuthorization(),Repository.getQuoteAuthorization(),Repository.findQuoteAuthorization(), andRepository.removeQuoteAuthorization(). - Added quote authorization reference methods:
Repository.addQuoteAuthorizationReference(),Repository.findQuoteAuthorizationReference(),Repository.findQuoteAuthorizationReferenceIdentifiers(),Repository.findQuoteAuthorizationReferenceAttribution(), andRepository.removeQuoteAuthorizationReference(). [#27, #29, #30, #32, #33] - Added optional
Repository.migrate()method for adopting data stored by BotKit 0.4 or earlier. - Added
Repository.forIdentifier()method andActorScopedRepositoryclass, a view of a repository bound to a single bot actor. KvRepositorynow stores data under bot-scoped keys. Its second constructor parameter is now aKvRepositoryOptionsobject with a singleprefixoption, replacing the removedKvStoreRepositoryPrefixesinterface.createBot()migrates data stored by BotKit 0.4 or earlier to the bot-scoped layout on startup.
- Added
-
Local object URIs now carry the identifier of the owning bot actor, e.g.
/ap/actor/{identifier}/note/{id}instead of/ap/note/{id}. URIs in the old format are still recognized in incoming activities and are permanently redirected to their canonical URIs when dereferenced, so links stored by remote servers keep working after an upgrade. [#16, #24] -
The
Session.botproperty is now typed asReadonlyBot, a read-only view of the bot's identity and profile, instead ofBot. This is a breaking change for code that reached the fullBotthrough a session; such code should hold on to theBotreturned bycreateBot()instead. [[#16](https://github.com/fed...
BotKit 0.4.4
Released on July 6, 2026.
@fedify/botkit
- Fixed
MemoryRepository,KvRepository, andMemoryCachedRepositoryso removing one of multiple active follow requests for the same actor no longer deletes the follower too early or fires a premature unfollow event, and reassigning a follow request no longer leaves stale followers behind. [#25, #26]
@fedify/botkit-sqlite
- Fixed
SqliteRepositoryso removing one of multiple active follow requests for the same actor no longer fails with a foreign key error, and reassigning a follow request no longer leaves stale followers behind. [#25, #26]
@fedify/botkit-postgres
BotKit 0.4.3
Released on June 4, 2026.
- Upgraded Fedify to 2.1.15, which fixes an SSRF protection bypass vulnerability. [CVE-2026-50131]
BotKit 0.3.4
Released on June 4, 2026.
- Upgraded Fedify to 1.9.12, which fixes an SSRF protection bypass vulnerability. [CVE-2026-50131]
BotKit 0.4.2
Released on May 21, 2026.
@fedify/botkit
- Upgraded Fedify to 2.1.14 to fix a security vulnerability in Linked Data Signature verification that could allow certain signed activities to be interpreted differently than intended. [CVE-2026-42462]
BotKit 0.3.3
Released on May 21, 2026.
- Upgraded Fedify to 1.9.11 to fix a security vulnerability in Linked Data Signature verification that could allow certain signed activities to be interpreted differently than intended. [CVE-2026-42462]
BotKit 0.4.1
Released on May 12, 2026.
@fedify/botkit
- Upgraded Fedify to 2.1.12, which addresses a private network protection bypass vulnerability. This vulnerability allowed certain IPv4-mapped IPv6 literals (e.g.,
http://[::ffff:127.0.0.1]/) to bypass SSRF (Server-Side Request Forgery) protection, potentially allowing attackers to access internal network resources.
BotKit 0.3.2
Released on May 12, 2026.
- Upgraded Fedify to 1.9.10, which addresses a private network protection bypass vulnerability. This vulnerability allowed certain IPv4-mapped IPv6 literals (e.g.,
http://[::ffff:127.0.0.1]/) to bypass SSRF (Server-Side Request Forgery) protection, potentially allowing attackers to access internal network resources.
BotKit 0.4.0
Released on March 30, 2026.
@fedify/botkit
-
Upgraded Fedify to 2.1.2.
- BotKit now targets Fedify 2.0's modular package layout, using @fedify/vocab, @fedify/vocab-runtime, and @fedify/denokv where appropriate.
Message.languageandSessionPublishOptions.languagenow useIntl.Localeinstead ofLanguageTag.- Bot software versions now use plain strings instead of
SemVerobjects. - Removed the
parseSemVer(),SemVer,LanguageTag, andparseLanguageTag()public exports.
-
BotKit now acknowledges unverified remote
Deleteactivities signed by permanently gone actors with202 Acceptedinstead of401 Unauthorized.- This applies only when Fedify reports a
keyFetchErrorand the remote actor's key fetch returned410 Gone. - The unverified activity is not passed to BotKit event handlers, but the successful response stops repeated redelivery attempts from the remote server.
- This applies only when Fedify reports a
-
Added FEP-5711 inverse properties to the bot actor's
outboxandfollowerscollections. -
Added a remote follow button to the web interface. [#10, #14 by Hyeonseo Kim]
- Added a Follow button on the bot's profile page that allows users to follow the bot from their own fediverse instance without manual searching.
- When clicked, the button opens a modal dialog where users can enter their fediverse handle (e.g.,
@username@instance.com). - The feature uses WebFinger to discover the user's instance and automatically redirects to the appropriate follow page using the OStatus subscribe protocol.
-
Added
Session.republishProfile()to broadcast profile changes to followers. [#18]- The new method sends an ActivityPub
Updateactivity for the bot actor to the bot's followers. - This makes profile updates such as display name, bio, avatar, and header image propagate without waiting for the next post.
- The new method sends an ActivityPub
@fedify/botkit-postgres
BotKit 0.3.1
Released on December 20, 2025.
- Upgraded Fedify to 1.8.15, which includes a critical security fix CVE-2025-68475 that addresses a ReDoS (Regular Expression Denial of Service) vulnerability in HTML parsing. [CVE-2025-68475]