Update dependency @fedify/redis to v1.10.3

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@fedify/redis (source)	1.9.1 → 1.10.3

---

Release Notes

fedify-dev/fedify (@​fedify/redis)

v1.10.3

Compare Source

Released on February 1, 2026.

@​fedify/fedify

• Fixed traverseCollection() yielding no items when a Collection has
  an inline CollectionPage in its first property without an explicit
  id. This is common in Mastodon's replies collections. The function
  previously used collection.firstId to determine pagination, which
  returned null for inline pages without an id, causing it to
  incorrectly fall into the non-paginated branch. [#​550 by Lee Dogeon]

v1.10.2

Compare Source

Released on January 23, 2026.

@​fedify/testing

• Fixed TestContext.getActorKeyPairs() returning empty array instead of
  calling registered key pairs dispatcher. The method now properly invokes
  the key pairs dispatcher when it is registered via
  setKeyPairsDispatcher(). [#​530]

v1.10.1

Compare Source

Released on January 22, 2026.

@​fedify/testing

• Fixed TestContext.getActor() and TestContext.getObject() returning
  null instead of calling registered dispatchers. The methods now properly
  invoke actor and object dispatchers when they are registered via
  setActorDispatcher() and setObjectDispatcher(). [[#​530]]

v1.10.0

Compare Source

Released on December 24, 2025.

@​fedify/fedify

• Enhanced OpenTelemetry instrumentation with span events for capturing
  detailed activity data. Span events now record complete activity JSON
  payloads and verification status, enabling richer observability and
  debugging capabilities without relying solely on span attributes
  (which only support primitive values). [#​323]

  • Added activitypub.activity.received span event to the
    activitypub.inbox span, recording the full activity JSON,
    verification status (activity verified, HTTP signatures verified,
    Linked Data signatures verified), and actor information.
  • Added activitypub.activity.sent span event to the
    activitypub.send_activity span, recording the full activity JSON
    and target inbox URL.
  • Added activitypub.object.fetched span event to the
    activitypub.lookup_object span, recording the fetched object's
    type and complete JSON-LD representation.

• Added OpenTelemetry spans for previously uninstrumented operations:
  [#​323]

  • Added activitypub.fetch_document span for document loader operations,
    tracking URL fetching, HTTP redirects, and final document URLs.
  • Added activitypub.verify_key_ownership span for cryptographic
    key ownership verification, recording actor ID, key ID, verification
    result, and the verification method used.

• Added optional list() method to the KvStore interface for enumerating
  entries by key prefix. This method takes an optional prefix parameter;
  when omitted or empty, it returns all entries. This enables efficient
  prefix scanning which is useful for implementing features like distributed
  trace storage, cache invalidation by prefix, and listing related entries.
  [#​498, #​500]

  • Added KvStoreListEntry interface.
  • Implemented in MemoryKvStore.

• Added FedifySpanExporter class that persists ActivityPub activity traces
  to a KvStore for distributed tracing support. This enables aggregating
  trace data across multiple nodes in a distributed deployment, making it
  possible to build debug dashboards that show complete request flows across
  web servers and background workers. [#​497, #​502]

  • Added @fedify/fedify/otel module.
  • Added FedifySpanExporter class implementing OpenTelemetry's
    SpanExporter interface.
  • Added TraceActivityRecord interface for stored activity data,
    including actorId and signatureDetails fields for debug dashboard
    support.
  • Added SignatureVerificationDetails interface for detailed signature
    verification information.
  • Added TraceSummary interface for trace listing.
  • Added FedifySpanExporterOptions interface.
  • Added GetRecentTracesOptions interface.
  • Added ActivityDirection type.

@​fedify/nestjs

• Allowed Express 5 in the express peer dependency range to support NestJS 11.
  [#​492, #​493 by Cho Hasang]

@​fedify/sqlite

• Implemented list() method in SqliteKvStore. [#​498, #​500]

@​fedify/postgres

• Implemented list() method in PostgresKvStore. [#​498, #​500]

@​fedify/redis

• Implemented list() method in RedisKvStore. [#​498, #​500]

@​fedify/denokv

• Implemented list() method in DenoKvStore. [#​498, #​500]

@​fedify/cfworkers

• Implemented list() method in WorkersKvStore. [#​498, #​500]

v1.9.5

Compare Source

Released on February 1, 2026.

@​fedify/fedify

• Fixed traverseCollection() yielding no items when a Collection has
  an inline CollectionPage in its first property without an explicit
  id. This is common in Mastodon's replies collections. The function
  previously used collection.firstId to determine pagination, which
  returned null for inline pages without an id, causing it to
  incorrectly fall into the non-paginated branch. [[#​550] by Lee Dogeon]

v1.9.4

Compare Source

Released on January 23, 2026.

@​fedify/testing

• Fixed TestContext.getActorKeyPairs() returning empty array instead of
  calling registered key pairs dispatcher. The method now properly invokes
  the key pairs dispatcher when it is registered via
  setKeyPairsDispatcher(). [[#​530]]

v1.9.3

Compare Source

Released on January 22, 2026.

@​fedify/testing

• Fixed TestContext.getActor() and TestContext.getObject() returning
  null instead of calling registered dispatchers. The methods now properly
  invoke actor and object dispatchers when they are registered via
  setActorDispatcher() and setObjectDispatcher(). [[#​530]]

v1.9.2

Compare Source

Released on December 20, 2025.

@​fedify/fedify

• Fixed a ReDoS (Regular Expression Denial of Service) vulnerability in
  the document loader's HTML parsing. An attacker-controlled server could
  respond with a malicious HTML payload that blocked the event loop.
  [CVE-2025-68475]

@​fedify/sqlite

• Fixed SyntaxError: Identifier 'Temporal' has already been declared error
  that occurred when using SqliteKvStore on Node.js or Bun. The error
  was caused by duplicate Temporal imports during the build process.
  [#​487]

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - Between 07:00 AM and 04:59 PM, only on Monday, Tuesday, Wednesday, and Thursday ( * 7-16 * * 1,2,3,4 ) (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch renovate/fedify-redis-1.x

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sagzy]

@codex review

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. Swish!

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[Copilot]

Pull request overview

This Renovate PR updates the project’s Redis-backed Fedify KV store dependency to pick up upstream fixes and enhancements.

Changes:

• Bump @fedify/redis from 1.9.1 to 1.10.3 in package.json.
• Refresh yarn.lock to lock @fedify/redis@1.10.3 and its updated transitive dependency range for @logtape/logtape.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File	Description
package.json	Updates the direct dependency version for @fedify/redis.
yarn.lock	Updates the lockfile entry for @fedify/redis@1.10.3 and associated resolved artifacts.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@package.json`:
- Around line 66-69: The package.json has a peer dependency conflict:
`@fedify/redis`@1.10.3 requires `@fedify/fedify`@^1.10.3 but package.json pins
`@fedify/fedify` at 1.9.1; update the dependency entries for "@fedify/fedify" (and
optionally "@fedify/hono") to 1.10.3 (or a compatible ^1.10.3 range) so they
satisfy `@fedify/redis`, then run your package manager to regenerate the lockfile
and run the test/build to verify no regressions.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check for lockfile entries
fd -t f '^(yarn\.lock|package-lock\.json|pnpm-lock\.yaml)$' -x rg -n '@fedify/redis' {} +

Repository: TryGhost/ActivityPub

Length of output: 294

---

🌐 Web query:

@fedify/redis 1.10.3 peer dependencies release notes breaking changes

💡 Result:

Does @fedify/redis 1.10.3 exist?

Yes—JSR shows @fedify/redis@1.10.3 published ~2 weeks ago, with these (effective) dependency constraints: @fedify/fedify ^1.10.3, @logtape/logtape ^1.2.2, and ioredis ^5.6.1. [1]

Peer dependencies (what you must align)

• The key one to align is @fedify/fedify ^1.10.3 (shown as a dependency on JSR; on npm it’s typically treated/declared as the peer requirement for adapter packages). [1]
• Fedify previously changed the adapter packages (including @fedify/redis) to use explicit @fedify/fedify peer version ranges instead of “any version”. [2]

Release notes for 1.10.3

Fedify’s 1.10.3 changelog lists a fix in @fedify/fedify and does not list any @fedify/redis-specific changes for that release. [2]

Breaking changes in 1.10.3

None called out for @fedify/redis in the 1.10.3 release notes; the practical “break risk” is just the tighter requirement to use a compatible @fedify/fedify version (see peer range above). [1][2]

Sources: [1] [2]

---

@fedify/redis 1.10.3 requires @fedify/fedify ^1.10.3, but package.json has @fedify/fedify at 1.9.1—upgrade @fedify/fedify to resolve the peer dependency conflict.

Line 68 bumps @fedify/redis to 1.10.3, which declares a peer dependency on @fedify/fedify@^1.10.3 (per JSR). Your package.json currently pins @fedify/fedify at 1.9.1, creating a peer dependency violation. Either downgrade @fedify/redis to 1.9.1 to match the rest of the @fedify ecosystem, or upgrade @fedify/fedify (and @fedify/hono) to 1.10.3 or later. The lockfile is already aligned with the 1.10.3 version.

🤖 Prompt for AI Agents

In `@package.json` around lines 66 - 69, The package.json has a peer dependency
conflict: `@fedify/redis`@1.10.3 requires `@fedify/fedify`@^1.10.3 but package.json
pins `@fedify/fedify` at 1.9.1; update the dependency entries for "@fedify/fedify"
(and optionally "@fedify/hono") to 1.10.3 (or a compatible ^1.10.3 range) so
they satisfy `@fedify/redis`, then run your package manager to regenerate the
lockfile and run the test/build to verify no regressions.