Update dependency @fedify/cli to v1.10.3

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@fedify/cli (source)	1.9.1 → 1.10.3

---

Release Notes

fedify-dev/fedify (@​fedify/cli)

v1.10.3

Compare Source

Released on February 1, 2026.

@​fedify/fedify

• Fixed traverseCollection() yielding no items when a Collection has
  an inline CollectionPage in its first property without an explicit
  id. This is common in Mastodon's replies collections. The function
  previously used collection.firstId to determine pagination, which
  returned null for inline pages without an id, causing it to
  incorrectly fall into the non-paginated branch. [#​550 by Lee Dogeon]

v1.10.2

Compare Source

Released on January 23, 2026.

@​fedify/testing

• Fixed TestContext.getActorKeyPairs() returning empty array instead of
  calling registered key pairs dispatcher. The method now properly invokes
  the key pairs dispatcher when it is registered via
  setKeyPairsDispatcher(). [#​530]

v1.10.1

Compare Source

Released on January 22, 2026.

@​fedify/testing

• Fixed TestContext.getActor() and TestContext.getObject() returning
  null instead of calling registered dispatchers. The methods now properly
  invoke actor and object dispatchers when they are registered via
  setActorDispatcher() and setObjectDispatcher(). [[#​530]]

v1.10.0

Compare Source

Released on December 24, 2025.

@​fedify/fedify

• Enhanced OpenTelemetry instrumentation with span events for capturing
  detailed activity data. Span events now record complete activity JSON
  payloads and verification status, enabling richer observability and
  debugging capabilities without relying solely on span attributes
  (which only support primitive values). [#​323]

  • Added activitypub.activity.received span event to the
    activitypub.inbox span, recording the full activity JSON,
    verification status (activity verified, HTTP signatures verified,
    Linked Data signatures verified), and actor information.
  • Added activitypub.activity.sent span event to the
    activitypub.send_activity span, recording the full activity JSON
    and target inbox URL.
  • Added activitypub.object.fetched span event to the
    activitypub.lookup_object span, recording the fetched object's
    type and complete JSON-LD representation.

• Added OpenTelemetry spans for previously uninstrumented operations:
  [#​323]

  • Added activitypub.fetch_document span for document loader operations,
    tracking URL fetching, HTTP redirects, and final document URLs.
  • Added activitypub.verify_key_ownership span for cryptographic
    key ownership verification, recording actor ID, key ID, verification
    result, and the verification method used.

• Added optional list() method to the KvStore interface for enumerating
  entries by key prefix. This method takes an optional prefix parameter;
  when omitted or empty, it returns all entries. This enables efficient
  prefix scanning which is useful for implementing features like distributed
  trace storage, cache invalidation by prefix, and listing related entries.
  [#​498, #​500]

  • Added KvStoreListEntry interface.
  • Implemented in MemoryKvStore.

• Added FedifySpanExporter class that persists ActivityPub activity traces
  to a KvStore for distributed tracing support. This enables aggregating
  trace data across multiple nodes in a distributed deployment, making it
  possible to build debug dashboards that show complete request flows across
  web servers and background workers. [#​497, #​502]

  • Added @fedify/fedify/otel module.
  • Added FedifySpanExporter class implementing OpenTelemetry's
    SpanExporter interface.
  • Added TraceActivityRecord interface for stored activity data,
    including actorId and signatureDetails fields for debug dashboard
    support.
  • Added SignatureVerificationDetails interface for detailed signature
    verification information.
  • Added TraceSummary interface for trace listing.
  • Added FedifySpanExporterOptions interface.
  • Added GetRecentTracesOptions interface.
  • Added ActivityDirection type.

@​fedify/nestjs

• Allowed Express 5 in the express peer dependency range to support NestJS 11.
  [#​492, #​493 by Cho Hasang]

@​fedify/sqlite

• Implemented list() method in SqliteKvStore. [#​498, #​500]

@​fedify/postgres

• Implemented list() method in PostgresKvStore. [#​498, #​500]

@​fedify/redis

• Implemented list() method in RedisKvStore. [#​498, #​500]

@​fedify/denokv

• Implemented list() method in DenoKvStore. [#​498, #​500]

@​fedify/cfworkers

• Implemented list() method in WorkersKvStore. [#​498, #​500]

v1.9.5

Compare Source

Released on February 1, 2026.

@​fedify/fedify

• Fixed traverseCollection() yielding no items when a Collection has
  an inline CollectionPage in its first property without an explicit
  id. This is common in Mastodon's replies collections. The function
  previously used collection.firstId to determine pagination, which
  returned null for inline pages without an id, causing it to
  incorrectly fall into the non-paginated branch. [[#​550] by Lee Dogeon]

v1.9.4

Compare Source

Released on January 23, 2026.

@​fedify/testing

• Fixed TestContext.getActorKeyPairs() returning empty array instead of
  calling registered key pairs dispatcher. The method now properly invokes
  the key pairs dispatcher when it is registered via
  setKeyPairsDispatcher(). [[#​530]]

v1.9.3

Compare Source

Released on January 22, 2026.

@​fedify/testing

• Fixed TestContext.getActor() and TestContext.getObject() returning
  null instead of calling registered dispatchers. The methods now properly
  invoke actor and object dispatchers when they are registered via
  setActorDispatcher() and setObjectDispatcher(). [[#​530]]

v1.9.2

Compare Source

Released on December 20, 2025.

@​fedify/fedify

• Fixed a ReDoS (Regular Expression Denial of Service) vulnerability in
  the document loader's HTML parsing. An attacker-controlled server could
  respond with a malicious HTML payload that blocked the event loop.
  [CVE-2025-68475]

@​fedify/sqlite

• Fixed SyntaxError: Identifier 'Temporal' has already been declared error
  that occurred when using SqliteKvStore on Node.js or Bun. The error
  was caused by duplicate Temporal imports during the build process.
  [#​487]

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - Between 07:00 AM and 04:59 PM, only on Monday, Tuesday, Wednesday, and Thursday ( * 7-16 * * 1,2,3,4 ) (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch renovate/fedify-cli-1.x

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sagzy]

@codex review

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. Keep it up!

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[Copilot]

Pull request overview

This PR updates the @fedify/cli development dependency from version 1.9.1 to 1.10.3, bringing in several bug fixes and new features from the Fedify ecosystem. The CLI tool is used for development and testing purposes and does not affect the runtime dependencies of the application.

Changes:

• Updated @fedify/cli from 1.9.1 to 1.10.3 in package.json
• Updated yarn.lock with corresponding package resolution and integrity hash

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File	Description
package.json	Updated @fedify/cli devDependency version from 1.9.1 to 1.10.3
yarn.lock	Updated package resolution, integrity hash, and registry information for @fedify/cli

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.