
fix(api): bump fastify 5.6→5.8 and @trpc/server 11.6→11.16#341

Open
raonitimo wants to merge 1 commit into Openpanel-dev:main from raonitimo:fix/bump-fastify-trpc

Conversation


@raonitimo raonitimo commented Apr 17, 2026

Addresses two HIGH-severity CVEs found via Trivy scan on a self-hosted deployment:

fastify 5.6.1 → 5.8.5

CVE-2026-25223 — Validation bypass via malformed Content-Type header. An attacker can craft the Content-Type to bypass Fastify's request schema validation, sending malformed payloads to validated endpoints like /track. Directly exploitable on any internet-facing openpanel API.

@trpc/server 11.6.0 → 11.16.0

CVE-2025-68130 — Prototype pollution in experimental_nextAppDirCaller. Lower risk (openpanel may not use that specific API path), but the bump is semver-compatible and brings stability fixes.

What changed

  • apps/api/package.json: bump fastify + @trpc/server
  • packages/trpc/package.json: bump @trpc/server
  • pnpm-lock.yaml: resolved

Verified

  • pnpm install — clean
  • pnpm --filter @openpanel/api build — succeeds

Summary by CodeRabbit

  • Chores
    • Updated TRPC client/server and Fastify dependencies across services to newer stable versions for improved reliability and compatibility.
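To show the defensive shape of the issue the fastify bump addresses, here is an added example (not openpanel's or Fastify's code) of a fail-closed Content-Type gate that would run in a hook before JSON schema validation; it assumes it receives the request headers with lower-cased names, and because the PR does not describe the malformed header, it rejects everything that is not an exact, well-formed `application/json` instead of modelling any particular bypass.

```javascript
// Added example, not openpanel or Fastify code: a fail-closed Content-Type gate
// meant to run in a hook before JSON schema validation (assumed integration).
// Only an exact, well-formed application/json media type (optionally with
// charset=utf-8) passes; everything else is answered with 415, so a body can
// never reach a validated handler under an unexpected or malformed header.

const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/; // RFC 7230 "token" characters

// Strict parser for "type/subtype; k=v; ...". Returns null on any malformation
// (empty or oversized value, missing or extra '/', bad tokens, duplicate params).
function parseContentType(header) {
  if (typeof header !== 'string' || header.length === 0 || header.length > 256) return null;
  const parts = header.split(';');
  const media = parts[0].trim().toLowerCase();
  const slash = media.indexOf('/');
  if (slash <= 0 || slash !== media.lastIndexOf('/')) return null;
  const type = media.slice(0, slash);
  const subtype = media.slice(slash + 1);
  if (!TOKEN.test(type) || !TOKEN.test(subtype)) return null;
  const params = Object.create(null);
  for (const raw of parts.slice(1)) {
    const eq = raw.indexOf('=');
    if (eq < 0) return null;
    const key = raw.slice(0, eq).trim().toLowerCase();
    let value = raw.slice(eq + 1).trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) value = value.slice(1, -1);
    if (!TOKEN.test(key) || !TOKEN.test(value) || key in params) return null;
    params[key] = value;
  }
  return { type, subtype, params };
}

// True only for application/json with no parameters or a single charset=utf-8.
function isStrictJson(header) {
  const ct = parseContentType(header);
  if (ct === null || ct.type !== 'application' || ct.subtype !== 'json') return false;
  const keys = Object.keys(ct.params);
  if (keys.length === 0) return true;
  return keys.length === 1 && keys[0] === 'charset' && ct.params.charset.toLowerCase() === 'utf-8';
}

// Gate decision for a request's headers (lower-cased names, as Node exposes them).
// Fail closed: anything not recognised is rejected, never passed through unvalidated.
function gate(headers) {
  if (isStrictJson(headers['content-type'])) return { ok: true };
  return { ok: false, status: 415, reason: 'unsupported or malformed Content-Type' };
}
```

The point is the failure direction: a header the gate cannot parse yields a 415, not a request that skips the schema.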


coderabbitai Bot commented Apr 17, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5a2d10d2-22b9-4197-9034-6fe4a174099f

📥 Commits

Reviewing files that changed from the base of the PR and between f5599cd and b51bba1.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (3)
  • apps/api/package.json
  • apps/start/package.json
  • packages/trpc/package.json
✅ Files skipped from review due to trivial changes (2)
  • packages/trpc/package.json
  • apps/start/package.json
🚧 Files skipped from review as they are similar to previous changes (1)
  • apps/api/package.json

📝 Walkthrough

Walkthrough

Dependency version ranges were updated in three package manifests: @trpc/server bumped to ^11.16.0 across packages, @trpc/client bumped to ^11.16.0 in some packages, and fastify was updated to ^5.8.5 in apps/api/package.json. No other manifest fields or exported code entities were changed.

Changes

| Cohort / File(s) | Summary |
|---|---|
| API package updates: apps/api/package.json | Bumped @trpc/server to ^11.16.0; bumped fastify from ^5.6.1 to ^5.8.5. |
| TRPC package manifest: packages/trpc/package.json | Bumped @trpc/client and @trpc/server to ^11.16.0. |
| Start app updates: apps/start/package.json | Bumped @trpc/client and @trpc/server to ^11.16.0. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 I hopped through package lands tonight,
Versions nudged and stars aligned,
TRPC rose, Fastify took flight,
Small changes left no trace behind,
A quiet, happy rabbit smile. 🥕

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately reflects the main changes: bumping fastify and @trpc/server dependencies across multiple package.json files to address CVEs, which is the core objective of the PR. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
packages/trpc/package.json (1)

23-24: Align @trpc/client and @trpc/server to the same minor version.

Line 24 bumps server to ^11.16.0 while line 23 keeps client at ^11.6.0. This misalignment is problematic for a type-safe framework like tRPC—both packages should share the same minor version for type and protocol consistency. Update @trpc/client to ^11.16.0 to match the server version.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@packages/trpc/package.json` around lines 23 - 24, Update the dependency
version for `@trpc/client` so it matches `@trpc/server`: change the "@trpc/client"
entry currently set to "^11.6.0" to "^11.16.0" so both "@trpc/client" and
"@trpc/server" use the same minor version, ensuring type/protocol compatibility
between the two packages.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 19bbb2a5-625e-48fa-95ef-c298e7de9855

📥 Commits

Reviewing files that changed from the base of the PR and between 0e677ba and 059f047.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • apps/api/package.json
  • packages/trpc/package.json


CLAassistant commented Apr 17, 2026

CLA assistant check
All committers have signed the CLA.

raonitimo force-pushed the fix/bump-fastify-trpc branch from 059f047 to f5599cd on April 17, 2026 at 16:12
Addresses two HIGH-severity CVEs found via Trivy scan on a self-hosted
deployment:

- fastify 5.6.1 → 5.8.5: fixes CVE-2026-25223 (validation bypass via
  malformed Content-Type header). Attacker can bypass Fastify's request
  schema validation by crafting the Content-Type header, potentially
  sending malformed payloads to validated endpoints like /track.

- @trpc/server 11.6.0 → 11.16.0: fixes CVE-2025-68130 (prototype
  pollution in experimental_nextAppDirCaller). Lower risk since
  openpanel may not use that API, but the bump is semver-compatible
  and brings other stability fixes.

Also aligns @trpc/client to 11.16.0 across all packages (was 11.6.0
in packages/trpc and apps/start) so client and server stay on the same
minor — mismatched versions can cause subtle serialization bugs.

Both are ^-ranged deps — pnpm update resolves to latest compatible.
Verified: `pnpm --filter @openpanel/api build` succeeds.
raonitimo force-pushed the fix/bump-fastify-trpc branch from f5599cd to b51bba1 on April 17, 2026 at 16:18