Merge tag '2.0.3'

dahlia · dahlia · commit 1eea01b5757d · 2026-03-03T19:18:08.000+09:00
Fedify 2.0.3
diff --git a/CHANGES.md b/CHANGES.md
@@ -64,6 +64,34 @@ To be released.
     that are not real vocabulary types but rather anonymous object structures.
 
 
+Version 2.0.3
+-------------
+
+Released on March 3, 2026.
+
+### @fedify/postgres
+
+ -  Fixed `PostgresMessageQueue.listen()` crashing the process when a
+    malformed `NOTIFY` payload is received.  `Temporal.Duration.from()`
+    was called without error handling, so an invalid duration string
+    caused an unhandled `RangeError` that propagated through the postgres
+    driver.  The `NOTIFY` callback is now wrapped in a `try`–`catch` that
+    logs the error and falls back to an immediate poll.  [[#594]]
+
+ -  Fixed `PostgresMessageQueue.listen()` permanently stalling all message
+    processing when a message handler hangs indefinitely (e.g., due to an
+    unresponsive remote server).  The `serializedPoll` mechanism chains
+    every `poll()` invocation onto a single promise, so a single hung
+    handler blocked the entire queue permanently.  Handler invocations
+    are now wrapped with a configurable timeout (default: 60 seconds)
+    via the new `handlerTimeout` option in `PostgresMessageQueueOptions`.
+    When a handler exceeds the timeout, it is treated as an error and the
+    poll loop moves on, preventing permanent stalls.  [[#595]]
+
+[#594]: https://github.com/fedify-dev/fedify/issues/594
+[#595]: https://github.com/fedify-dev/fedify/issues/595
+
+
 Version 2.0.2
 -------------
 
diff --git a/packages/postgres/src/mq.test.ts b/packages/postgres/src/mq.test.ts
@@ -847,4 +847,250 @@ nodeTest(
   },
 );
 
+// Regression test for unhandled Temporal.Duration.from() error in NOTIFY
+// callback crashing the process.
+//
+// When the NOTIFY payload is malformed (e.g., empty string or invalid duration
+// format), Temporal.Duration.from() throws a RangeError.  Without a try-catch,
+// this error propagates as an unhandled promise rejection through the postgres
+// driver's NotificationResponse handler, crashing the entire process.
+//
+// This test sends a malformed NOTIFY payload directly via SQL, then verifies
+// that the listener survives and continues to process subsequent messages.
+//
+// See: https://github.com/fedify-dev/fedify/issues/594
+nodeTest(
+  "PostgresMessageQueue survives malformed NOTIFY payload",
+  { skip: dbUrl == null },
+  async () => {
+    if (dbUrl == null) return; // Bun does not support skip option
+
+    const tableName = getRandomKey("message");
+    const channelName = getRandomKey("channel");
+
+    const sql = postgres(dbUrl!);
+    const mq = new PostgresMessageQueue(sql, {
+      tableName,
+      channelName,
+      pollInterval: { milliseconds: 100 },
+    });
+
+    try {
+      await mq.initialize();
+
+      const messages: string[] = [];
+      const controller = new AbortController();
+
+      const listening = mq.listen(
+        (message: string) => {
+          messages.push(message);
+        },
+        { signal: controller.signal },
+      );
+
+      // Wait for the LISTEN subscription to become active
+      await new Promise((resolve) => setTimeout(resolve, 500));
+
+      // Send malformed NOTIFY payloads that will cause
+      // Temporal.Duration.from() to throw a RangeError
+      await sql`SELECT pg_notify(${channelName}, '')`;
+      await sql`SELECT pg_notify(${channelName}, 'not-a-duration')`;
+      await sql`SELECT pg_notify(${channelName}, '!!!')`;
+
+      // Give the listener time to process (and survive) the bad payloads
+      await new Promise((resolve) => setTimeout(resolve, 500));
+
+      // Now enqueue a real message and verify the listener is still alive
+      await mq.enqueue("after-malformed");
+
+      const start = Date.now();
+      while (messages.length < 1 && Date.now() - start < 10_000) {
+        await new Promise((resolve) => setTimeout(resolve, 100));
+      }
+
+      deepStrictEqual(
+        messages,
+        ["after-malformed"],
+        "Listener should survive malformed NOTIFY payloads and continue " +
+          "processing subsequent messages",
+      );
+
+      controller.abort();
+      await listening;
+    } finally {
+      await mq.drop();
+      await sql.end();
+    }
+  },
+);
+
+// Regression test for serializedPoll permanently stalling when handler hangs.
+//
+// In PostgresMessageQueue.listen(), the serializedPoll mechanism chains every
+// poll() invocation onto a single promise (pollLock).  If a poll() call never
+// resolves—because the message handler hangs indefinitely on a network request
+// or other I/O—then all subsequent poll() invocations are chained onto the
+// pending promise and also never execute, permanently halting all message
+// processing.
+//
+// This test verifies that with handlerTimeout configured, a hung handler is
+// aborted after the timeout, allowing the poll loop to recover and process
+// subsequent messages.
+//
+// See: https://github.com/fedify-dev/fedify/issues/595
+nodeTest(
+  "PostgresMessageQueue continues processing when handler hangs (no ordering key)",
+  { skip: dbUrl == null },
+  async () => {
+    if (dbUrl == null) return; // Bun does not support skip option
+
+    const tableName = getRandomKey("message");
+    const channelName = getRandomKey("channel");
+
+    const sql = postgres(dbUrl!);
+    const mq = new PostgresMessageQueue(sql, {
+      tableName,
+      channelName,
+      pollInterval: { milliseconds: 100 },
+      handlerTimeout: { seconds: 1 },
+    });
+
+    try {
+      await mq.initialize();
+
+      // Enqueue two messages — the handler will hang on the first one
+      await mq.enqueue("hang");
+      await mq.enqueue("normal");
+
+      const processed: string[] = [];
+      const controller = new AbortController();
+
+      const listening = mq.listen(
+        async (message: string) => {
+          if (message === "hang") {
+            // Simulate a handler that hangs forever (e.g., unresponsive
+            // remote server)
+            await new Promise(() => {}); // never resolves
+          }
+          processed.push(message);
+        },
+        { signal: controller.signal },
+      );
+
+      // Wait for the second message to be processed.
+      // Without the timeout fix, this would hang forever because the first
+      // handler never completes and serializedPoll blocks all subsequent
+      // polls.
+      const start = Date.now();
+      while (!processed.includes("normal") && Date.now() - start < 15_000) {
+        await new Promise((resolve) => setTimeout(resolve, 100));
+      }
+
+      deepStrictEqual(
+        processed.includes("normal"),
+        true,
+        "Second message should be processed despite first handler hanging",
+      );
+
+      controller.abort();
+      await listening;
+    } finally {
+      await mq.drop();
+      await sql.end();
+    }
+  },
+);
+
+// Regression test for serializedPoll stalling with ordering key messages.
+//
+// Same issue as above, but for messages with ordering keys.  This also verifies
+// that the advisory lock and reserved connection are properly released when the
+// handler times out, so subsequent messages with the same ordering key can be
+// processed.
+//
+// See: https://github.com/fedify-dev/fedify/issues/595
+nodeTest(
+  "PostgresMessageQueue continues processing when handler hangs (ordering key)",
+  { skip: dbUrl == null },
+  async () => {
+    if (dbUrl == null) return; // Bun does not support skip option
+
+    const tableName = getRandomKey("message");
+    const channelName = getRandomKey("channel");
+
+    const sql = postgres(dbUrl!);
+    const sqlCheck = postgres(dbUrl!);
+    const mq = new PostgresMessageQueue(sql, {
+      tableName,
+      channelName,
+      pollInterval: { milliseconds: 100 },
+      handlerTimeout: { seconds: 1 },
+    });
+
+    const orderingKey = "hang-test-key";
+
+    try {
+      await mq.initialize();
+
+      // Enqueue two messages with the same ordering key
+      await mq.enqueue("hang", { orderingKey });
+      await mq.enqueue("normal", { orderingKey });
+
+      const processed: string[] = [];
+      const controller = new AbortController();
+
+      const listening = mq.listen(
+        async (message: string) => {
+          if (message === "hang") {
+            await new Promise(() => {}); // never resolves
+          }
+          processed.push(message);
+        },
+        { signal: controller.signal },
+      );
+
+      // Wait for the second message to be processed
+      const start = Date.now();
+      while (!processed.includes("normal") && Date.now() - start < 15_000) {
+        await new Promise((resolve) => setTimeout(resolve, 100));
+      }
+
+      deepStrictEqual(
+        processed.includes("normal"),
+        true,
+        "Second message should be processed despite first handler hanging " +
+          "(ordering key)",
+      );
+
+      controller.abort();
+      await listening;
+
+      // Verify advisory lock was released after timeout
+      const lockResult = await sqlCheck`
+        SELECT pg_try_advisory_lock(
+          hashtext(${tableName}),
+          hashtext(${orderingKey})
+        ) AS acquired
+      `;
+      deepStrictEqual(
+        lockResult[0].acquired,
+        true,
+        "Advisory lock should be released after handler timeout",
+      );
+      if (lockResult[0].acquired) {
+        await sqlCheck`
+          SELECT pg_advisory_unlock(
+            hashtext(${tableName}),
+            hashtext(${orderingKey})
+          )
+        `;
+      }
+    } finally {
+      await mq.drop();
+      await sql.end();
+      await sqlCheck.end();
+    }
+  },
+);
+
 // cspell: ignore sqls
diff --git a/packages/postgres/src/mq.ts b/packages/postgres/src/mq.ts
