fix(deps): update dependency fastify to v5.8.3 [security]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
fastify (source)	5.2.1 → 5.8.3
fastify (source)	^3.24.0 → ^5.8.3

---

Fastify vulnerable to invalid content-type parsing, which could lead to validation bypass

CVE-2025-32442 / GHSA-mg2h-6x62-wpwc

More information

Details

Impact

In applications that specify different validation strategies for different content types, it's possible to bypass the validation by providing a slightly altered content type such as with different casing or altered whitespacing before ;.

Users using the the following pattern are affected:

fastify.post('/', {
  handler(request, reply) {
    reply.code(200).send(request.body)
  },
  schema: {
    body: {
      content: {
        'application/json': {
          schema: {
            type: 'object',
            properties: {
              'foo': {
                type: 'string',
              }
            },
            required: ['foo']
          }
        },
      }
    }
  }
})

User using the following pattern are not affected:

fastify.post('/', {
  handler(request, reply) {
    reply.code(200).send(request.body)
  },
  schema: {
    body: {
      type: 'object',
      properties: {
        'foo': {
          type: 'string',
        }
      },
      required: ['foo']
    }
  }
})

Patches

This was patched in v5.3.1, but unfortunately it did not cover all problems. This has been fully patched in v5.3.2.
Version v4.9.0 was also affected by this issue. This has been fully patched in v4.9.1.

Workarounds

Do not specify multiple content types in the schema.

References

Are there any links users can visit to find out more?

https://hackerone.com/reports/3087928

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References

• https://github.com/fastify/fastify/security/advisories/GHSA-mg2h-6x62-wpwc
• https://github.com/fastify/fastify/commit/436da4c06dfbbb8c24adee3a64de0c51e4f47418
• https://nvd.nist.gov/vuln/detail/CVE-2025-32442
• https://hackerone.com/reports/3087928
• https://github.com/fastify/fastify/commit/f3d2bcb3963cd570a582e5d39aab01a9ae692fe4
• https://github.com/advisories/GHSA-mg2h-6x62-wpwc

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Fastify's Content-Type header tab character allows body validation bypass

CVE-2026-25223 / GHSA-jx2c-rxcm-jvmq

More information

Details

Impact

A validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type.

For example, a request with Content-Type: application/json\ta will bypass JSON schema validation but still be parsed as JSON.

This vulnerability affects all Fastify users who rely on Content-Type-based body validation schemas to enforce data integrity or security constraints. The concrete impact depends on the handler implementation and the level of trust placed in the validated request body, but at the library level, this allows complete bypass of body validation for any handler using Content-Type-discriminated schemas.

This issue is a regression or missed edge case from the fix for a previously reported vulnerability.

Patches

This vulnerability has been patched in Fastify v5.7.2. All users should upgrade to this version or later immediately.

Workarounds

If upgrading is not immediately possible, user can implement a custom onRequest hook to reject requests containing tab characters in the Content-Type header:

fastify.addHook('onRequest', async (request, reply) => {
  const contentType = request.headers['content-type']
  if (contentType && contentType.includes('\t')) {
    reply.code(400).send({ error: 'Invalid Content-Type header' })
  }
})

Resources

• https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272
• https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125
• Fastify Validation and Serialization Documentation
• https://hackerone.com/reports/3464114

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References

• https://github.com/fastify/fastify/security/advisories/GHSA-jx2c-rxcm-jvmq
• https://github.com/fastify/fastify/commit/32d7b6add39ddf082d92579a58bea7018c5ac821
• https://hackerone.com/reports/3464114
• https://fastify.dev/docs/latest/Reference/Validation-and-Serialization
• https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125
• https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272
• https://nvd.nist.gov/vuln/detail/CVE-2026-25223
• https://github.com/advisories/GHSA-jx2c-rxcm-jvmq

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Fastify Vulnerable to DoS via Unbounded Memory Allocation in sendWebStream

CVE-2026-25224 / GHSA-mrq3-vjjr-p77c

More information

Details

Impact

A Denial of Service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation.

Patches

The issue is fixed in Fastify 5.7.3. Users should upgrade to 5.7.3 or later.

Workarounds

Avoid sending Web Streams from Fastify responses (e.g., ReadableStream or Response bodies). Use Node.js streams (stream.Readable) or buffered payloads instead until the project can upgrade.

References

• https://hackerone.com/reports/3524779

Severity

• CVSS Score: 3.7 / 10 (Low)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

References

• https://github.com/fastify/fastify/security/advisories/GHSA-mrq3-vjjr-p77c
• https://github.com/fastify/fastify/commit/eb11156396f6a5fedaceed0140aed2b7f026be37
• https://hackerone.com/reports/3524779
• https://nvd.nist.gov/vuln/detail/CVE-2026-25224
• https://github.com/advisories/GHSA-mrq3-vjjr-p77c

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

fastify: request.protocol and request.host Spoofable via X-Forwarded-Proto/Host from Untrusted Connections

CVE-2026-3635 / GHSA-444r-cwp2-x5xf

More information

Details

Summary

When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection — including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application.

Affected Versions

fastify <= 5.8.2

Impact

Applications using request.protocol or request.host for security decisions (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, host-based routing) are affected when trustProxy is configured with a restrictive trust function.

When trustProxy: true (trust everything), both host and protocol trust all forwarded headers — this is expected behavior. The vulnerability only manifests with restrictive trust configurations.

Severity

• CVSS Score: 6.1 / 10 (Medium)
• Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

References

• https://github.com/fastify/fastify/security/advisories/GHSA-444r-cwp2-x5xf
• https://nvd.nist.gov/vuln/detail/CVE-2026-3635
• https://cna.openjsf.org/security-advisories.html
• https://github.com/fastify/fastify/releases/tag/v5.8.3
• https://www.cve.org/CVERecord?id=CVE-2026-3635
• https://github.com/advisories/GHSA-444r-cwp2-x5xf

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

fastify/fastify (fastify)

v5.8.3

Compare Source

⚠️ Security Release

This fixes CVE CVE-2026-3635 GHSA-444r-cwp2-x5xf.

What's Changed

• docs(readme): add @​Tony133 to plugin team by @​Tony133 in #​6565
• Updated Plugins-Guide.md; Changed "fastify" to "instance" during plugin registration to showcase that it's added as a child by @​kyrylchenko in #​6566
• test: use fastify.test in test case by @​climba03003 in #​6568
• docs: use fastify.example in documentation by @​climba03003 in #​6567
• docs: add common performance degradation guidance by @​maxpetrusenko in #​6520
• docs(server): fix camelCase anchor links in TOC by @​Deepvamja in #​6530
• ci(link-checker): fix root-relative links resolution by @​barba-rossa in #​6535
• docs: update syntax markdown, absolute paths and links by @​Tony133 in #​6569
• docs: clarify content-type parser/schema mismatch is outside threat model by @​mcollina in #​6537
• docs: fix incorrect code examples in Reply and Request reference by @​mahmoodhamdi in #​6582
• docs: replace redirected npm.im http-errors link by @​mcollina in #​6588
• types: Allow port to be null in request type definition by @​TristanBarlow in #​6589
• docs: update links by @​Tony133 in #​6593
• ci(lock-threads): use shared lock-threads workflow by @​Fdawgs in #​6592

New Contributors

• @​kyrylchenko made their first contribution in #​6566
• @​maxpetrusenko made their first contribution in #​6520
• @​Deepvamja made their first contribution in #​6530
• @​barba-rossa made their first contribution in #​6535
• @​mahmoodhamdi made their first contribution in #​6582
• @​TristanBarlow made their first contribution in #​6589

Full Changelog: fastify/fastify@v5.8.2...v5.8.3

v5.8.2

Compare Source

What's Changed

• docs(ecosystem): add @​yeliex/fastify-problem-details by @​yeliex in #​6546
• Revert "chore: upgrade borp to v1.0.0" by @​climba03003 in #​6564
• docs: document body validation with custom content type parsers by @​mcollina in #​6556
• docs(ecosystem): add fastify-file-router by @​bhouston in #​6441
• docs: add fastify-svelte-view to Ecosystem list by @​matths in #​6453
• fix: anchor keyValuePairsReg to prevent quadratic backtracking by @​mcollina in #​6558
• docs: added note on handling of invalid URLs in setNotFoundHandler by @​leftieFriele in #​5661
• docs(guides): update codemod links by @​OluchiEzeifedikwa in #​6479
• docs: add @​glidemq/fastify to community plugins by @​avifenesh in #​6560

New Contributors

• @​yeliex made their first contribution in #​6546
• @​matths made their first contribution in #​6453
• @​leftieFriele made their first contribution in #​5661
• @​OluchiEzeifedikwa made their first contribution in #​6479
• @​avifenesh made their first contribution in #​6560

Full Changelog: fastify/fastify@v5.8.1...v5.8.2

v5.8.1

Compare Source

⚠️ Security Release

Fixes "Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation": GHSA-573f-x89g-hqp9.

CVE-2026-3419

Full Changelog: fastify/fastify@v5.8.0...v5.8.1

v5.8.0

Compare Source

What's Changed

• docs(request): add host security warning references by @​mcollina in #​6476
• docs: fix note style by @​Fdawgs in #​6487
• chore: rename deploy website ci by @​Eomm in #​6492
• chore: support pino v9 and v10 by @​mcollina in #​6496
• chore: update logger types and fix TODO comment by @​Tony133 in #​6470
• refactor(test-types): migrate dummy-plugin to FastifyPluginAsync by @​Tony133 in #​6472
• docs: fix markdown typo in README.md by @​droppingbeans in #​6491
• test: cover non-numeric content-length client error path by @​mcollina in #​6500
• ci: remove tests-checker workflow by @​Tony133 in #​6481
• ci: remove stale.yml file by @​Tony133 in #​6504
• docs(security): remove hackerone references; change note style by @​Fdawgs in #​6501
• chore: rename @​sinclair/typebox to typebox by @​Tony133 in #​6494
• ci(links-check): add external link checker using linkinator-action by @​umxr in #​6386
• chore: upgrade borp to v1.0.0 by @​Tony133 in #​6510
• docs: Add OpenJS CNA reference to SECURITY.md by @​mcollina in #​6516
• fix: avoid mutating shared routerOptions across instances by @​mcollina in #​6515
• fix(types): accept async route hooks in shorthand options by @​mcollina in #​6514
• docs: Improve shutdown lifecycle documentation by @​kibertoad in #​6517
• chore: remove unused tsconfig.eslint.json by @​mrazauskas in #​6524
• feat: First-class support for handler-level timeouts by @​kibertoad in #​6521
• docs(security): clarify insecureHTTPParser threat model scope by @​mcollina in #​6533
• chore(license): standardise license notice by @​Fdawgs in #​6511
• docs: clarify anyOf nullable coercion behavior with primitive types by @​slegarraga in #​6531
• fix: remove format placeholder from FST_ERR_CTP_INVALID_MEDIA_TYPE message by @​super-mcgin in #​6528
• docs(reference/hooks): fix note style by @​Fdawgs in #​6538
• chore: Bump lycheeverse/lychee-action from 2.7.0 to 2.8.0 by @​dependabot[bot] in #​6539
• chore: Bump actions/dependency-review-action from 4.8.2 to 4.8.3 by @​dependabot[bot] in #​6540
• chore: Bump markdownlint-cli2 from 0.20.0 to 0.21.0 by @​dependabot[bot] in #​6542
• ci: remove broken links and add ecosystem link validator by @​mcollina in #​6421
• ci(validate-ecoystem-links): add job level permission by @​Fdawgs in #​6545
• style: remove trailing whitespace by @​Fdawgs in #​6543

New Contributors

• @​droppingbeans made their first contribution in #​6491
• @​umxr made their first contribution in #​6386
• @​slegarraga made their first contribution in #​6531
• @​super-mcgin made their first contribution in #​6528

Full Changelog: fastify/fastify@v5.7.4...v5.8.0

v5.7.4

Compare Source

Full Changelog: fastify/fastify@v5.7.3...v5.7.4

v5.7.3

Compare Source

⚠️ Security Release

• Fix GHSA-mrq3-vjjr-p77c CVE-2026-25224.

What's Changed

• docs: update Reply.send() documentation for string serialization by @​mcollina in #​6466
• chore: ignore agents config files by @​mcollina in #​6474
• docs: update vulnerability reporting to use GitHub Security by @​mcollina in #​6475

Full Changelog: fastify/fastify@v5.7.2...v5.7.3

v5.7.2

Compare Source

⚠️ Notice ⚠️

Parsing of the content-type header has been improved to a strict parser in PR #​6414. This means only header values in the form described in RFC 9110 are accepted.

What's Changed

• chore: npm ignore AI related files by @​climba03003 in #​6447
• chore: update sponsor url by @​Eomm in #​6450
• docs: add fastify-http-exceptions to Ecosystem.md by @​bhouston in #​6442
• docs: fix invalid shorten form schema example by @​climba03003 in #​6448
• docs: Simplify and tighten decorators example by @​smith558 in #​6451
• docs: Fix incorrect variable use by @​smith558 in #​6455
• chore: update sponsor link by @​Eomm in #​6460
• fix: Fix MIT Licence file to conform to standard by @​smith558 in #​6464
• docs: move querystringParser option under routerOptions by @​inyourtime in #​6463
• chore: Updated content-type header parsing by @​jsumners in #​6414

New Contributors

• @​bhouston made their first contribution in #​6442

Full Changelog: fastify/fastify@v5.7.1...v5.7.2

v5.7.1

Compare Source

What's Changed

• chore: Bump actions/checkout from 5 to 6 by @​dependabot[bot] in #​6434
• chore: updated version in the fastify.js by @​Tony133 in #​6446

Full Changelog: fastify/fastify@v5.7.0...v5.7.1

v5.7.0

Compare Source

What's Changed

• docs: Improved firebase serverless guide about process remaining stuck by @​alexandercerutti in #​6380
• docs: update migration guide with date-time breaking change by @​craftsman01 in #​6110
• chore: remove test file by @​Eomm in #​6384
• feat: speed up loading with custom compiler by @​Eomm in #​6383
• docs: replace all instances of twitter.com with x.com by @​cseas in #​6355
• docs: correct logger option in example by @​inyourtime in #​6391
• docs: fix links by @​Shriti507 in #​6394
• chore: skip unnecessary object creation by @​Eomm in #​6400
• docs: Update JSON Schema link in documentation by @​jon23d in #​6402
• docs(ecosystem): add fastify-ses-mailer by @​KaranHotwani in #​6395
• docs: add security note about validation errors in response by @​mcollina in #​6407
• docs: add security threat model by @​mcollina in #​6406
• chore: update onboarding and offboarding instructions by @​Eomm in #​6403
• fix: set status code before publishing diagnostics error channel by @​tt-a1i in #​6412
• fix: use JSON.stringify in onBadUrl for proper escaping by @​mcollina in #​6420
• chore: fix type test by @​mrazauskas in #​6418
• docs: improve Validation-and-Serialization.md by @​twentytwo777 in #​6423
• test: skip IPv6 test if its support is not present by @​LiviaMedeiros in #​6428
• test: fix test when localhost has multiple addresses by @​LiviaMedeiros in #​6427
• docs: add security warning for requestIdHeader by @​mcollina in #​6425
• docs(ecosystem): add elements-fastify by @​rohitsoni007 in #​6416
• chore: Bump actions/dependency-review-action from 4.8.1 to 4.8.2 by @​dependabot[bot] in #​6433
• chore: Bump markdownlint-cli2 from 0.18.1 to 0.20.0 by @​dependabot[bot] in #​6436
• chore: Bump @​types/node from 24.10.4 to 25.0.3 in the dev-dependencies-typescript group by @​dependabot[bot] in #​6435
• fix(ts): Align routerOptions defaultRoute types with runtime by @​AnkanMisra in #​6392
• fix(types): require send() payload when Reply type is specified by @​tt-a1i in #​6432
• fix: ajv options type validation by @​gianmarco27 in #​6437
• docs: add non-vulnerability examples to threat model by @​RafaelGSS in #​6431
• feat: implement conditional request logging by @​kibertoad in #​5732
• docs(sponsor): add serpapi by @​Eomm in #​6443
• perf: use native WebStream API instead of Readable.fromWeb wrapper by @​mcollina in #​6444

New Contributors

• @​craftsman01 made their first contribution in #​6110
• @​cseas made their first contribution in #​6355
• @​Shriti507 made their first contribution in #​6394
• @​jon23d made their first contribution in #​6402
• @​KaranHotwani made their first contribution in #​6395
• @​tt-a1i made their first contribution in #​6412
• @​mrazauskas made their first contribution in #​6418
• @​twentytwo777 made their first contribution in #​6423
• @​rohitsoni007 made their first contribution in #​6416
• @​AnkanMisra made their first contribution in #​6392
• @​gianmarco27 made their first contribution in #​6437

Full Changelog: fastify/fastify@v5.6.2...v5.7.0

v5.6.2

Compare Source

v5.6.1

Compare Source

What's Changed

• fix: fix typo of deprecation warning FSTDEP022 by @​Uzlopak in #​6313
• docs(decorators): fix TypeScript inconsistency by @​emicovi in #​6224
• chore: fix typos by @​deining in #​6316
• docs(security): add secondary contact/security escalation policy by @​UlisesGascon in #​6315
• chore(gha): remove benchmark github workflows by @​Eomm in #​6322
• chore(sponsor): add lambdatest by @​Eomm in #​6324
• fix: (types) allow FastifySchemaValidationError[] as an error by @​gurgunday in #​6326
• fix: correct session.close() context in http2 timeout handler by @​David-van-der-Sluijs in #​6327
• fix: close http2 sessions on close server by @​kostyak127 in #​6137

New Contributors

• @​deining made their first contribution in #​6316
• @​UlisesGascon made their first contribution in #​6315
• @​David-van-der-Sluijs made their first contribution in #​6327
• @​kostyak127 made their first contribution in #​6137

Full Changelog: fastify/fastify@v5.6.0...v5.6.1

v5.6.0

Compare Source

What's Changed

• fix: update typescript pino type to pick by @​dancastillo in #​6287
• feat(types): router option types by @​dancastillo in #​6282
• fix(types): Fix use of "esModuleInterop: false" by @​joshkel in #​6292
• docs: fix typo in Reference: TypeScript.md by @​hmanzoni in #​6302
• docs: clarify router performance note by @​Prasad2604 in #​6306

New Contributors

• @​joshkel made their first contribution in #​6292
• @​hmanzoni made their first contribution in #​6302
• @​Prasad2604 made their first contribution in #​6306

Full Changelog: fastify/fastify@v5.5.0...v5.6.0

v5.5.0

Compare Source

What's Changed

• docs: fix markdown linting issue by @​Uzlopak in #​6175
• chore: removed simple-get from mkcalendar tests by @​ilteoood in #​6199
• chore: removed simple-get from versioned-routes tests by @​ilteoood in #​6202
• chore: removed simple-get from hooks tests by @​ilteoood in #​6210
• fix: close pipelining test by @​ilteoood in #​6204
• chore: removed simple-get from unlock test by @​ilteoood in #​6178
• chore: removed simple-get from use-semicolon-delimiter tests by @​ilteoood in #​6203
• chore: removed simple-get from custom-https-server tests by @​ilteoood in #​6201
• chore: remove simple-get from custom parser 5 by @​ilteoood in #​6172
• chore: removed simple-get from head tests by @​ilteoood in #​6196
• chore: removed simple-get from request id tests by @​ilteoood in #​6193
• chore: remove simple get from custom parser 1 by @​ilteoood in #​6167
• chore: removed simple-get from custom-parser-0 by @​ilteoood in #​6168
• chore: remove simple-get from custom parser 2 by @​ilteoood in #​6169
• chore: remove simple-get from custom parser 4 by @​ilteoood in #​6171
• chore: removed simple-get from promises test by @​ilteoood in #​6183
• chore: removed simple-get from move test by @​ilteoood in #​6179
• chore: remove simple-get from custom querystring parser by @​ilteoood in #​6166
• chore: remove simple-get from propfind by @​ilteoood in #​6174
• chore: removed simple-get from case insensitive test by @​ilteoood in #​6188
• chore: remove simple get from async-await tests by @​ilteoood in #​6165
• chore: removed simple-get from header overflow test by @​ilteoood in #​6190
• chore: removed simple-get from check test by @​ilteoood in #​6176
• chore: removed simple-get from async hooks test by @​ilteoood in #​6189
• feat(types): export more schema related types by @​marcalexiei in #​6207
• chore: removed simple-get from copy tests by @​ilteoood in #​6198
• chore: removed simple-get from request-error test by @​ilteoood in #​6184
• chore: removed simple-get from decorator tests by @​ilteoood in #​6192
• ci: pin third-party actions to commit-hash by @​Fdawgs in #​6218
• fix: close fastify instance by @​ilteoood in #​6177
• chore(license): replace date range by @​Fdawgs in #​6219
• chore: removed simple-get from plugin-1 test by @​ilteoood in #​6180
• chore: removed simple-get from plugin-2 test by @​ilteoood in #​6181
• chore: removed simple-get from plugin-3 test by @​ilteoood in #​6182
• chore: remove simple get from reply test by @​ilteoood in #​6160
• feat(types): add missing error types by @​davidwood in #​6217
• docs: setErrorHandler description by @​AlvesJorge in #​6227
• docs: fix onError hook execution order documentation by @​emicovi in #​6225
• fix: handle abort signal in fastify.listen by @​climba03003 in #​6235
• feat: prepare to use Promise.withResolvers by @​climba03003 in #​6232
• docs: updated SECURITY.md by @​Eomm in #​6233
• fix(docs): fix markdown to exclude leading parenthesis by @​IanWoodard in #​6238
• ci: fix thollander/actions-comment-pull-request commit-hash by @​Fdawgs in #​6244
• docs(routes): add payload to preParsing signature by @​callmehiphop in #​6240
• docs(ecosystem): add fastify-route-preset plugin by @​inyourtime in #​6220
• chore: remove simple get from async request, get and register... by @​ilteoood in #​6246
• docs: improve custom validator documentation for async hooks by @​emicovi in #​6228
• chore: remove simple get from route shorthand by @​ilteoood in #​6245
• chore: Bump @​stylistic/eslint-plugin from 4.4.1 to 5.1.0 in the dev-dependencies-eslint group by @​dependabot[bot] in #​6242
• chore: Bump @​types/node from 22.15.34 to 24.0.8 in the dev-dependencies-typescript group by @​dependabot[bot] in #​6243
• chore(tests): remove simple get by @​ilteoood in #​6249
• chore: finally remove simple get by @​ilteoood in #​6251
• chore: remove undici from schema-validation.test.js by @​Uzlopak in #​6252
• test: fix flakyness of close-pipelining-test, upgrade undici to v7 by @​Uzlopak in #​6256
• fix: account for EPIPE fetch errors in tests by @​gurgunday in #​6255
• docs: correct parameter name in frameworkErrors handler by @​inyourtime in #​6257
• docs: fix server page headings level by @​golopot in #​6258
• fix: add FST_ERR_CTP_INVALID_JSON_BODY by @​Uzlopak in #​5925
• feat: optimize content type parser by using AsyncResource.bind() by @​gurgunday in #​6262
• fix: remove unnecessary body length check in contentTypeParser by @​gurgunday in #​6266
• docs(ecosystem): add fastify-multilingual by @​gbrugger in #​6268
• chore: fix docs Request.md by @​ts0307 in #​6270
• chore: Bump typescript from 5.8.3 to 5.9.2 in the dev-dependencies-typescript group by @​dependabot[bot] in #​6273
• chore: Bump cross-env from 7.0.3 to 10.0.0 by @​dependabot[bot] in #​6274
• feat(types): enforce reply status code types with type providers by @​samchungy in #​6250
• feat: move router options to own key by @​dancastillo in #​5985
• docs: refine CONTRIBUTING.md for better readability by @​Dipali127 in #​6277
• chore: refactor reply.send and prioritize kReplyIsError by @​gurgunday in #​6267
• docs(ecosystem): add fastify-permissions plugin by @​pckrishnadas88 in #​6265
• docs: Add Hey API to ecosystem by @​mrlubos in #​6280
• fix: OPTIONS Content-Type handling by @​gurgunday in #​6263

New Contributors

• @​marcalexiei made their first contribution in #​6207
• @​davidwood made their first contribution in #​6217
• [@​AlvesJorge](https://redirect.g

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Critical CVE: CASL Ability is Vulnerable to Prototype Pollution in npm @casl/ability CVE: GHSA-x9vf-53q3-cvx6 CASL Ability is Vulnerable to Prototype Pollution (CRITICAL) Affected versions: >= 2.4.0 < 6.7.5 Patched version: 6.7.5 From: packages/plugin-casl/package.json → npm/@casl/ability@6.7.3 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@casl/ability@6.7.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: Basic FTP has Path Traversal Vulnerability in its downloadToDir() method in npm basic-ftp CVE: GHSA-5rq4-664w-9x2c Basic FTP has Path Traversal Vulnerability in its downloadToDir() method (CRITICAL) Affected versions: < 5.2.0 Patched version: 5.2.0 From: pnpm-lock.yaml → npm/basic-ftp@5.0.5 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/basic-ftp@5.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: npm form-data uses unsafe random function in form-data for choosing boundary CVE: GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary (CRITICAL) Affected versions: < 2.5.4; >= 3.0.0 < 3.0.4; >= 4.0.0 < 4.0.4 Patched version: 4.0.4 From: pnpm-lock.yaml → npm/form-data@4.0.1 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/form-data@4.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: Handlebars.js has JavaScript Injection via AST Type Confusion CVE: GHSA-2w6w-674q-4c4q Handlebars.js has JavaScript Injection via AST Type Confusion (CRITICAL) Affected versions: >= 4.0.0 < 4.7.9 Patched version: 4.7.9 From: packages/plugin-router-hapi/package.json → npm/handlebars@4.7.8 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/handlebars@4.7.8. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm @makeomatic/node-rdkafka is 98.0% likely obfuscated Confidence: 0.98 Location: Package overview From: packages/plugin-kafka-types/package.json → npm/@makeomatic/node-rdkafka@2.18.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@makeomatic/node-rdkafka@2.18.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm buffer is 96.0% likely obfuscated Confidence: 0.96 Location: Package overview From: pnpm-lock.yaml → npm/aws-sdk@2.1692.0 → npm/buffer@4.9.2 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/buffer@4.9.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm entities is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: pnpm-lock.yaml → npm/cheerio@1.0.0 → npm/entities@4.5.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/entities@4.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm ioredis is 96.0% likely obfuscated Confidence: 0.96 Location: Package overview From: packages/plugin-dlock/package.json → npm/ioredis@5.4.2 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ioredis@5.4.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​casl/​ability@​6.7.3
	handlebars@​4.7.9 ⏵ 4.7.8		-75
	@​esbuild/​linux-arm64@​0.23.1
	aws-sdk@​2.1692.0
	consul@​0.40.0
	eslint@​8.57.1
	glob@​10.5.0 ⏵ 11.0.1		-15
	@​types/​lodash.merge@​4.6.9
	eslint-config-makeomatic@​6.0.0
	@​types/​qs@​6.15.0 ⏵ 6.9.18
	@​makeomatic/​node-rdkafka@​2.18.0
	@​types/​glob@​8.1.0
	@​typescript-eslint/​parser@​7.18.0
	@​types/​cheerio@​0.22.35
	@​types/​bluebird-retry@​0.11.8
	@​types/​aws4@​1.11.6
	@​types/​hapi__vision@​5.5.8
	lsmod@​1.0.0
	@​microfleet/​amqp-coffee@​1.3.1 ⏵ 2.8.2			-27
	@​types/​split2@​4.2.3
	@​makeomatic/​deploy@​13.1.0
	@​types/​callsite@​1.0.34
	esbuild@​0.23.1
	@​types/​consul@​0.40.3
	@​types/​semver@​7.5.8
	@​types/​common-errors@​1.0.6 ⏵ 1.0.5	-3			-3
	@​types/​readable-stream@​4.0.18
	@​hapi/​boom@​9.1.4 ⏵ 10.0.1
	lodash@​4.18.1 ⏵ 4.17.21		-18
	@​microfleet/​dlock@​16.0.0
	bluebird-retry@​0.11.0
	lodash.merge@​4.6.2
	@​hapi/​vision@​7.0.3
See 37 more rows in the dashboard

View full report