BotKit 0.4.1

Released on May 12, 2026.

@fedify/botkit

• Upgraded Fedify to 2.1.12, which addresses a private network protection bypass vulnerability. This vulnerability allowed certain IPv4-mapped IPv6 literals (e.g., http://[::ffff:127.0.0.1]/) to bypass SSRF (Server-Side Request Forgery) protection, potentially allowing attackers to access internal network resources.

BotKit 0.3.2

Released on May 12, 2026.

• Upgraded Fedify to 1.9.10, which addresses a private network protection bypass vulnerability. This vulnerability allowed certain IPv4-mapped IPv6 literals (e.g., http://[::ffff:127.0.0.1]/) to bypass SSRF (Server-Side Request Forgery) protection, potentially allowing attackers to access internal network resources.

BotKit 0.4.0

Released on March 30, 2026.

@fedify/botkit

• Upgraded Fedify to 2.1.2.

  • BotKit now targets Fedify 2.0's modular package layout, using @fedify/vocab, @fedify/vocab-runtime, and @fedify/denokv where appropriate.
  • Message.language and SessionPublishOptions.language now use Intl.Locale instead of LanguageTag.
  • Bot software versions now use plain strings instead of SemVer objects.
  • Removed the parseSemVer(), SemVer, LanguageTag, and parseLanguageTag() public exports.

• BotKit now acknowledges unverified remote Delete activities signed by permanently gone actors with 202 Accepted instead of 401 Unauthorized.

  • This applies only when Fedify reports a keyFetchError and the remote actor's key fetch returned 410 Gone.
  • The unverified activity is not passed to BotKit event handlers, but the successful response stops repeated redelivery attempts from the remote server.

• Added FEP-5711 inverse properties to the bot actor's outbox and followers collections.

• Added a remote follow button to the web interface. [#10, #14 by Hyeonseo Kim]

  • Added a Follow button on the bot's profile page that allows users to follow the bot from their own fediverse instance without manual searching.
  • When clicked, the button opens a modal dialog where users can enter their fediverse handle (e.g., @username@instance.com).
  • The feature uses WebFinger to discover the user's instance and automatically redirects to the appropriate follow page using the OStatus subscribe protocol.

• Added Session.republishProfile() to broadcast profile changes to followers. [#18]

  • The new method sends an ActivityPub Update activity for the bot actor to the bot's followers.
  • This makes profile updates such as display name, bio, avatar, and header image propagate without waiting for the next post.

@fedify/botkit-postgres

• Added a new PostgreSQL repository package, @fedify/botkit-postgres, which provides PostgresRepository, PostgresRepositoryOptions, and initializePostgresRepositorySchema(). [#11, #19]

BotKit 0.3.1

Released on December 20, 2025.

• Upgraded Fedify to 1.8.15, which includes a critical security fix CVE-2025-68475 that addresses a ReDoS (Regular Expression Denial of Service) vulnerability in HTML parsing. [CVE-2025-68475]

BotKit 0.3.0

Released on August 28, 2025.

• BotKit now supports Node.js alongside of Deno. The minimum required version of Node.js is 22.0.0.

@fedify/botkit

• BotKit now supports publishing polls. [#7, #8]

  • Added Poll interface.
  • Added Vote interface.
  • Added an overload of the Session.publish() method that accepts SessionPublishOptionsWithQuestion as the second argument.
  • Added SessionPublishOptionsWithQuestion interface.
  • Added Bot.onVote event.
  • Added VoteEventHandler type.
  • Added KvStoreRepositoryPrefixes.polls option.

• Added @fedify/botkit/repository module that provides repository implementations for BotKit.

  • Added RepositoryGetMessagesOptions interface.
  • Added RepositoryGetFollowersOptions interface.
  • Added Uuid type.
  • Added KvKey type.
  • Added KvStore type.
  • Added KvStoreRepositoryPrefixes interface.
  • Added Announce class.
  • Added Create class.
  • Added MemoryCachedRepository class.

• Added web frontend followers page. [#2, #13 by Hyeonseo Kim]

  • Added /followers route that displays a list of bot followers.
  • Made follower count on the main page clickable, linking to /followers.

• Upgraded Fedify to 1.8.8.

@fedify/botkit-sqlite

• Added SqliteRepository class that implements a SQLite-based repository for BotKit.
• Added SqliteRepositoryOptions interface.

BotKit 0.2.4

Released on August 26, 2025.

• Upgraded Fedifyh to 1.5.7 which fixes a bug where HTTP Signature verification failed for requests having created or expires fields in their Signature header, causing 500 Internal Server Error responses in inbox handlers.

BotKit 0.1.3

Released on August 25, 2025.

• Upgraded Fedify to 1.4.14, which fixes a bug where ActivityPub Discovery failed to recognize XHTML self-closing <link> tags. The HTML/XHTML parser now correctly handles whitespace before the self-closing slash (/>), improving compatibility with XHTML documents that follow the self-closing tag format.

BotKit 0.2.2

Released on August 8, 2025.

• Upgrade Fedify to 1.5.5, which includes a critical security fix CVE-2025-54888 that addresses an authentication bypass vulnerability allowing actor impersonation. [CVE-2025-54888]

BotKit 0.1.2

Released on August 8, 2025.

• Upgrade Fedify to 1.4.13, which includes a critical security fix CVE-2025-54888 that addresses an authentication bypass vulnerability allowing actor impersonation. [CVE-2025-54888]

BotKit 0.2.1

Released on July 8, 2025.

• Fixed a bug where messages from Session.getOutbox() didn't have update() and delete() methods. [#9]