Download Latest Version
8.2.1 source code.tar.gz (1.1 MB)
Get an email when there's a new version of ActivityPub
| Name | Modified | Size | Downloads / Week |
|---|---|---|---|
| Parent folder | |||
| 8.2.0 source code.tar.gz | 2026-04-27 | 1.1 MB | |
| 8.2.0 source code.zip | 2026-04-27 | 1.3 MB | |
| README.md | 2026-04-27 | 2.9 kB | |
| Totals: 3 Items | 2.4 MB | 2 | |
What's Changed
- Trim dev-only lint configs from the release archive by @pfefferle in https://github.com/Automattic/wordpress-activitypub/pull/3214
- Require PKCE by default for public OAuth clients by @pfefferle in https://github.com/Automattic/wordpress-activitypub/pull/3222
- Require PHPUnit 9.6.33+ (CVE-2026-24765) by @pfefferle in https://github.com/Automattic/wordpress-activitypub/pull/3224
- Respect force_signature in Delete handler's deferred verification by @pfefferle in https://github.com/Automattic/wordpress-activitypub/pull/3223
- Enforce caller ownership on OAuth token revocation by @pfefferle in https://github.com/Automattic/wordpress-activitypub/pull/3221
- Harden HTTP signature verification against replay by @pfefferle in https://github.com/Automattic/wordpress-activitypub/pull/3212
- Sanitize inbox activity type to prevent action hook pollution by @pfefferle in https://github.com/Automattic/wordpress-activitypub/pull/3227
- Harden OAuth client discovery and SSE proxy outbound requests by @pfefferle in https://github.com/Automattic/wordpress-activitypub/pull/3228
- Resolve AAAA records in resolve_public_host so IPv6-only hosts work by @pfefferle in https://github.com/Automattic/wordpress-activitypub/pull/3229
- Tighten clock tolerance on the deprecated signature verifier by @pfefferle in https://github.com/Automattic/wordpress-activitypub/pull/3230
- Reject internal-address authority values on followers/sync at the route layer by @pfefferle in https://github.com/Automattic/wordpress-activitypub/pull/3232
- Fail closed in OAuth rate limits when client IP can't be determined by @pfefferle in https://github.com/Automattic/wordpress-activitypub/pull/3231
- Block additional reserved IPv6 ranges in resolve_public_host by @pfefferle in https://github.com/Automattic/wordpress-activitypub/pull/3233
- Require signatures on HEAD requests to peer-only endpoints by @pfefferle in https://github.com/Automattic/wordpress-activitypub/pull/3235
- Return 429 from the OAuth token endpoint when rate-limited by @pfefferle in https://github.com/Automattic/wordpress-activitypub/pull/3236
- Decode percent-encoded authority before the followers/sync blocklist by @pfefferle in https://github.com/Automattic/wordpress-activitypub/pull/3234
- Drop credentialed CORS reflection on ActivityPub REST endpoints by @pfefferle in https://github.com/Automattic/wordpress-activitypub/pull/3237
- Stop trusting client-supplied proxy headers for rate-limit IP by default by @pfefferle in https://github.com/Automattic/wordpress-activitypub/pull/3238
New Contributors
- @tbradsha made their first contribution in https://github.com/Automattic/wordpress-activitypub/pull/3217
Full Changelog: https://github.com/Automattic/wordpress-activitypub/compare/8.1.1...8.2.0
