This release includes 2 breaking changes for platform teams planning a safe upgrade.
✓ No known CVEs patched in this version
Topics
Affected surfaces
ReleasePort's take
Moderate signalv2.1.0 removes the `activitypub://post-thread/{postUrl}` URI form and changes the `software` field in `activitypub://instance-info/{domain}` to an object. New tooling and configuration options are added for software detection.
Why it matters: Breaking change requires updating any code that constructs or parses `activitypub://post-thread/{postUrl}` URIs; also update consumers of the `software` field in instance‑info responses, which now expects a JSON object. Measurable impact: severity 70 indicates high disruption risk for integrations.
Summary
AI summaryUpdates 2.1.0] - 2026-05-28, Internal, and Breaking changes across a mixed release.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Breaking | High |
Removed `activitypub://post-thread/{postUrl}` URI form; use `{domain}/{statusId}` instead. Removed `activitypub://post-thread/{postUrl}` URI form; use `{domain}/{statusId}` instead. Source: llm_adapter@2026-05-29 Confidence: high |
— |
| Breaking | High |
`activitypub://instance-info/{domain}` `software` field now an object instead of a string. `activitypub://instance-info/{domain}` `software` field now an object instead of a string. Source: llm_adapter@2026-05-29 Confidence: high |
— |
| Feature | Medium |
Added `get-instance-software` tool to detect ActivityPub software via NodeInfo 2.0/2.1. Added `get-instance-software` tool to detect ActivityPub software via NodeInfo 2.0/2.1. Source: llm_adapter@2026-05-29 Confidence: high |
— |
| Feature | Medium |
Enriched `activitypub://instance-info/{domain}` resource with structured `software:` block from NodeInfo detection. Enriched `activitypub://instance-info/{domain}` resource with structured `software:` block from NodeInfo detection. Source: llm_adapter@2026-05-29 Confidence: high |
— |
| Feature | Low |
Introduced `MCP_INSTANCE_SOFTWARE_TTL_MS` env var to tune NodeInfo detection cache TTL (default 24 h). Introduced `MCP_INSTANCE_SOFTWARE_TTL_MS` env var to tune NodeInfo detection cache TTL (default 24 h). Source: llm_adapter@2026-05-29 Confidence: high |
— |
| Dependency | Low |
Added Dependabot config for weekly npm and GitHub Actions updates, grouping minor/patch bumps. Added Dependabot config for weekly npm and GitHub Actions updates, grouping minor/patch bumps. Source: llm_adapter@2026-05-29 Confidence: high |
— |
Full changelog
[2.1.0] - 2026-05-28
Added
get-instance-softwaretool. Detects ActivityPub software (Mastodon, Pleroma, Misskey, Akkoma, Sharkey, GotoSocial, Friendica, etc.) and version via NodeInfo 2.0/2.1. Returns a structured{detection, software, protocols, openRegistrations}shape, rendered as prose in the MCP response. Failure modes returndetection: "unavailable"with a one-line reason — the tool never throws on detection failure.activitypub://instance-info/{domain}resource enrichment. Resource responses now include a structuredsoftware:block from the same NodeInfo detection, fetched in parallel with the existing instance-info payload. Resource fetches succeed even when software detection returnsunavailable.MCP_INSTANCE_SOFTWARE_TTL_MSenv var. Tunes the positive-cache TTL for NodeInfo detection results. Default:86_400_000(24h). Negative-cache TTL (for detection failures) is hardcoded at 1h.- Dependabot config. Weekly npm and GitHub Actions update PRs, with minor+patch updates grouped to reduce noise; major bumps surface as individual PRs for explicit review.
Breaking changes
activitypub://post-thread/{postUrl}URI form removed. Deprecated in v2.0.0 with a warning; removed in 2.1.0. Use the canonicalactivitypub://post-thread/{domain}/{statusId}form. Callers using the legacy form receive anInvalidParamserror with a migration message.activitypub://instance-info/{domain}softwarefield is now an object. Previously a plain string (e.g."mastodon") sourced from the upstream instance metadata. v2.1 replaces it with the structured{detection, software, protocols, openRegistrations}block from NodeInfo detection. The old string is no longer present in the response. Consumers readingbody.softwareas a string should switch tobody.software.software?.name.
Internal
- Windows smoke-test bin-shim resolution.
- Windows CRLF lint failure + CodeQL URL-sanitization alert.
- Replaced hardcoded absolute path in
upload-mediatest with relative resolution. - New
src/discovery/nodeinfo.tsmodule: NodeInfo Zod schemas,getInstanceSoftwarewith positive + negative LRU caches, SSRF/blocklist guards, same-host/subdomain check on the linked NodeInfo URL, single-flight dedup for concurrent lookups. - Live-Fediverse integration test against
mastodon.socialfor NodeInfo detection.
Breaking Changes
- `activitypub://post-thread/{postUrl}` URI form removed; use `activitypub://post-thread/{domain}/{statusId}`.
- `activitypub://instance-info/{domain}` `software` field now an object `{detection, software, protocols, openRegistrations}` instead of a string.
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
About cameronrye/activitypub-mcp
A comprehensive MCP server that enables LLMs to explore and interact with the Fediverse through ActivityPub protocol. Features WebFinger discovery, timeline fetching, instance exploration, and cross-platform support for Mastodon, Pleroma, Misskey, and other ActivityPub servers.
Related context
Related tools
Earlier breaking changes
- v2.0.0 'get-relationship' no longer accepts legacy `accountIds` array; requires single `acct` string.
- v2.0.0 `MCP_HTTP_CORS_ORIGINS` no longer defaults to '*'; must be set explicitly.
- v2.0.0 `scheduledId` renamed to `scheduledPostId` in scheduling tools.
- v2.0.0 `ACTIVITYPUB_ACCOUNTS` delimiter changed from colon to pipe.
- v2.0.0 Node 20+ required; Node 18 EOL.
Beta — feedback welcome: [email protected]