- Nodeinfo will only count users from database up to once per day, using a cached count for subsequent requests within 24 hours. This can help limit query targeting warnings from mongo
- Add nock fetch work around to fix tests in node 18.
- Adjust workflow to run tests using node 18 and 16. Don't run tests against 14.
- Fix unverifiable delete detection when object is a tombstone
- Also handle unverifiable updates
- Added ability to verify signatures from remote actors that have changed their signature keys (blind key rotation)
- Fix bug not finding already cached actors keys and refetching from remote server unnecessarily
- Handle inbox unverifiable deletes without trying to fetch remote actor object (Mastodon compat)
- Avoid error when receiving an embedded object for the object property when an activity object is expected (Hubzilla compat)
- Federation http requests now include a User-Agent string formed from your apex settings:
${settings.name}/${settings.version} (+http://${settings.domain})
- Fix jsonld validator no longer accepting
application/ld+json; profile="https://www.w3.org/ns/activitystreams"for POST
- Fix jsonld validator not accepting
application/ld+json; profile="https://www.w3.org/ns/activitystreams"for GET
- Update cookiejar for GHSA-h452-7996-h45h
- new
baseUrlconfig option that allows you to specify server origin instead ofdomainwhich specifies the host but assumes https protocol
- Unhandled error from invalid inputs in collection page requests
- Updated depenencies
- jsold included breaking changes (from v5.2.0 -> v8.1.0), but not to any features currently used by apex
- Fixed not finding shared inbox endpoints due to looking in the wrong place
- Implement delivery consolidation to shared inboxes where available
- Update operations no longer try to update object.object.id (i.e. an Object of an Activity that is itself nested as the object of another activity). This un-indexed query was consuming a lot of cpu and always turned up empty anyway.
- lockfile udpated to v2 and engines minimum to node 16/npm 7
- http-signatures fork dependency changed to explicitly use https instead of ssh so package can be installed in CI with npm >=7
This version may still work with node 14/npm 6, but marking change as breaking because it sometimes fails to handle v2 lockfiles correctly
- New index on
streams.object.idto cover Update on embedded objects (expect a one-time slow startup to build the index) - getCollection gains optional
queryargument which is passsed through to store.getStream to allow additional filtering or aggregation to be applied
- Undo activity can now take a blocked user IRI as its object and will resolve to that block activity to allow easily unblocking withough knowing the original block activity IRI
- Ignore incoming JSON-LD default language to fix processing for activities coming from Pleroma
- Fix inbox undo not succeeding if the object was already deleted
- Update dependencies
For previous release notes, see Github releases