This repository has been archived by the owner on Dec 20, 2024. It is now read-only.

fix(deps): update dependency fastify to v3.29.4 [security] #276

Open

renovate wants to merge 1 commit into main from renovate/npm-fastify-vulnerability

Contributor

renovate bot commented Mar 18, 2023 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
fastify (source)	`3.21.6` -> `3.29.4`

GitHub Vulnerability Alerts

CVE-2022-41919

Impact

The attacker can use the incorrect Content-Type to bypass the Pre-Flight checking of fetch. fetch() requests with Content-Type’s essence as "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain", could potentially be used to invoke routes that only accepts application/json content type, thus bypassing any CORS protection, and therefore they could lead to a Cross-Site Request Forgery attack.

Patches

For 4.x users, please update to at least 4.10.2
For 3.x users, please update to at least 3.29.4

Workarounds

Implement Cross-Site Request Forgery protection using @fastify/csrf.

References

Check out the HackerOne report: https://hackerone.com/reports/1763832.

For more information

Fastify security policy

Release Notes

fastify/fastify (fastify)

`v3.29.4`

⚠️ Security Release ⚠️

Fix for "Incorrect Content-Type parsing can lead to CSRF attack"
and CVE-2022-41919

Full Changelog: fastify/fastify@v3.29.3...v3.29.4

`v3.29.3`

⚠️ Security Release ⚠️

This release backport the fixes of GHSA-455w-c45v-86rg for the v3.x line.
While not being a vulnerability for this line, a backport is still welcome due to the problems highlighted in the report.

Full Changelog: fastify/fastify@v3.29.2...v3.29.3

`v3.29.2`

What's Changed

fix: backport reused connection fix by @salzhrani in https://github.com/fastify/fastify/pull/4217

New Contributors

@salzhrani made their first contribution in https://github.com/fastify/fastify/pull/4217

Full Changelog: fastify/fastify@v3.29.1...v3.29.2

`v3.29.1`

What's Changed

docs: reference new @fastify/* modules by @Fdawgs in https://github.com/fastify/fastify/pull/3860
Child log level in bindings is deprecated by @orov-io in https://github.com/fastify/fastify/pull/3896
Handle aborted requests (#215) by @TimotejR in https://github.com/fastify/fastify/pull/4103

New Contributors

@orov-io made their first contribution in https://github.com/fastify/fastify/pull/3896
@TimotejR made their first contribution in https://github.com/fastify/fastify/pull/4103

Full Changelog: fastify/fastify@v3.29.0...v3.29.1

`v3.29.0`

What's Changed

Update fastify-error dependency by @jsumners in https://github.com/fastify/fastify/pull/3859

Full Changelog: fastify/fastify@v3.28.0...v3.29.0

`v3.28.0`

What's Changed

(v3.x) Allow custom Context Config types for hooks' request properties by @sumbad in https://github.com/fastify/fastify/pull/3787
add generic logger to route handler & FastifyRequest by @MarcoLeko in https://github.com/fastify/fastify/pull/3782
(v3.x) fix: handle invalid url by @climba03003 in https://github.com/fastify/fastify/pull/3806
(v3.x) feat: reply trailers support by @climba03003 in https://github.com/fastify/fastify/pull/3807

Full Changelog: fastify/fastify@v3.27.4...v3.28.0

`v3.27.4`

What's Changed

[Backport v3.x] Fixed Node.js v18/master support by @github-actions in https://github.com/fastify/fastify/pull/3761

Full Changelog: fastify/fastify@v3.27.3...v3.27.4

`v3.27.3`

What's Changed

Drop @typescript-eslint/no-misused-promises (#3741) by @mcollina in https://github.com/fastify/fastify/pull/3757

Full Changelog: fastify/fastify@v3.27.2...v3.27.3

`v3.27.2`

What's Changed

fix: added jsonShorthand in FastifyServerOptions by @DanieleFedeli in https://github.com/fastify/fastify/pull/3681
fix: calling reply.callNotFound uncaught exception by @VigneshMurugan in https://github.com/fastify/fastify/pull/3661
style: fix new standard linting by @Divlo in https://github.com/fastify/fastify/pull/3682
docs(ecosystem): update fastify-jwt plugin with the new internal library it uses by @rluvaton in https://github.com/fastify/fastify/pull/3689
ci(package-manager): run test:ci instead of test by @Divlo in https://github.com/fastify/fastify/pull/3692
docs(ecosystem): adds @immobiliarelabs/fastify-sentry by @simonecorsi in https://github.com/fastify/fastify/pull/3693
chore: fix plugin labeler by @Eomm in https://github.com/fastify/fastify/pull/3694
Add reference to FST_ERR_CTP_INVALID_MEDIA_TYPE error in the docs for validation & content type parser by @AWare in https://github.com/fastify/fastify/pull/3697
fix(types): add opts param to onRegister hook handler signature by @bmenant in https://github.com/fastify/fastify/pull/3641
update Server docs by @matthyk in https://github.com/fastify/fastify/pull/3699
Update middleware docs link by @JamieGrimwood in https://github.com/fastify/fastify/pull/3706
build(deps): bump tiny-lru from 7.0.6 to 8.0.1 by @dependabot in https://github.com/fastify/fastify/pull/3700
build(deps-dev): bump @sinonjs/fake-timers from 8.1.0 to 9.1.0 by @dependabot in https://github.com/fastify/fastify/pull/3683

New Contributors

@Divlo made their first contribution in https://github.com/fastify/fastify/pull/3682
@AWare made their first contribution in https://github.com/fastify/fastify/pull/3697
@bmenant made their first contribution in https://github.com/fastify/fastify/pull/3641
@JamieGrimwood made their first contribution in https://github.com/fastify/fastify/pull/3706

Full Changelog: fastify/fastify@v3.27.1...v3.27.2

`v3.27.1`

What's Changed

docs: fix link to forceCloseConnections option by @RafaelGSS in https://github.com/fastify/fastify/pull/3638
docs(Prototype-Poisoning): invalid content link by @RafaelGSS in https://github.com/fastify/fastify/pull/3639
doc(Guides): fix grammar issue in the Prototype Poisoning file by @rluvaton in https://github.com/fastify/fastify/pull/3640
types: add forceCloseConnection type def by @RafaelGSS in https://github.com/fastify/fastify/pull/3646
Fixes #3648 - URL must be a string by @VigneshMurugan in https://github.com/fastify/fastify/pull/3653
build: reduce dependabot update frequency by @Fdawgs in https://github.com/fastify/fastify/pull/3659
build: correct dependabot config by @Fdawgs in https://github.com/fastify/fastify/pull/3662
add missing types workflow by @KiraPC in https://github.com/fastify/fastify/pull/3668
Serialization errors will be send to errorHandler by @int1ch in https://github.com/fastify/fastify/pull/3674
Add Documentation and TS Types missed for FastifyInstance#setSchemaController by @Grubba27 in https://github.com/fastify/fastify/pull/3480
Add action to lock threads by @jsumners in https://github.com/fastify/fastify/pull/3679

New Contributors

@rluvaton made their first contribution in https://github.com/fastify/fastify/pull/3640
@int1ch made their first contribution in https://github.com/fastify/fastify/pull/3674
@Grubba27 made their first contribution in https://github.com/fastify/fastify/pull/3480

Full Changelog: fastify/fastify@v3.27.0...v3.27.1

`v3.27.0`

What's Changed

Add keep-alive connection tracking and reaping (resolve #3617) by @jsumners in https://github.com/fastify/fastify/pull/3619

Full Changelog: fastify/fastify@v3.26.0...v3.27.0

`v3.26.0`

What's Changed

Documentation: replace fastify.decorate arrow functions with function expressions by @onosendi in https://github.com/fastify/fastify/pull/3577
Update Recommendations.md by @fralonra in https://github.com/fastify/fastify/pull/3583
build(deps-dev): bump helmet from 4.6.0 to 5.0.1 by @dependabot in https://github.com/fastify/fastify/pull/3591
chore: remove duplicated line by @Eomm in https://github.com/fastify/fastify/pull/3599
docs(reference-typescript): fix formatting by @sniperwolf in https://github.com/fastify/fastify/pull/3602
feat: manage display-name meta plugin by @Eomm in https://github.com/fastify/fastify/pull/3608
Add prototype poisoning doc by @jsumners in https://github.com/fastify/fastify/pull/3609
Fix website workflow not triggering by @luisorbaiceta in https://github.com/fastify/fastify/pull/3611
Adding esbuild bundler to the pipeline by @jhonrocha in https://github.com/fastify/fastify/pull/3616
chore (ci): run lint only once by @darkgl0w in https://github.com/fastify/fastify/pull/3623
Fix types to support Ajv plugins with options by @pverdile in https://github.com/fastify/fastify/pull/3601
Update LICENSE by @ravenberg in https://github.com/fastify/fastify/pull/3629
fix: accept-version on default route by @climba03003 in https://github.com/fastify/fastify/pull/3630
fix (test): custom-parser.test.js flaky test by @darkgl0w in https://github.com/fastify/fastify/pull/3627
fix (types): this is FastifyInstance by @darkgl0w in https://github.com/fastify/fastify/pull/3622

New Contributors

@onosendi made their first contribution in https://github.com/fastify/fastify/pull/3577
@sniperwolf made their first contribution in https://github.com/fastify/fastify/pull/3602
@jhonrocha made their first contribution in https://github.com/fastify/fastify/pull/3616
@pverdile made their first contribution in https://github.com/fastify/fastify/pull/3601
@ravenberg made their first contribution in https://github.com/fastify/fastify/pull/3629

Full Changelog: fastify/fastify@v3.25.3...v3.26.0

`v3.25.3`

What's Changed

Move from fastify-warning to process-warning by @mcollina in https://github.com/fastify/fastify/pull/3576
build(deps-dev): bump http-errors from 1.8.1 to 2.0.0 by @dependabot in https://github.com/fastify/fastify/pull/3553

Full Changelog: fastify/fastify@v3.25.2...v3.25.3

`v3.25.2`

What's Changed

docs: Small improvements in the documentation by @DavidIsa in https://github.com/fastify/fastify/pull/3565
Add release trigger for website build by @luisorbaiceta in https://github.com/fastify/fastify/pull/3572
Fix context tracking with als run by @mcollina in https://github.com/fastify/fastify/pull/3571

New Contributors

@DavidIsa made their first contribution in https://github.com/fastify/fastify/pull/3565

Full Changelog: fastify/fastify@v3.25.1...v3.25.2

`v3.25.1`

What's Changed

docs: add fastify-split-validator to Ecosystem by @MetCoder95 in https://github.com/fastify/fastify/pull/3535
docs: fix broken documentation links by @RoXioTD in https://github.com/fastify/fastify/pull/3539
Tests for http2 host constraint server by @luisorbaiceta in https://github.com/fastify/fastify/pull/3504
Fix docs broken links by @luisorbaiceta in https://github.com/fastify/fastify/pull/3542
Fix broken links in README.md by @asaid-0 in https://github.com/fastify/fastify/pull/3545
Add missing types & docs for async onClose hook by @franky47 in https://github.com/fastify/fastify/pull/3541
chore: upgrade github-action-merge-dependabot to v3 by @Eomm in https://github.com/fastify/fastify/pull/3547
Update Ecosystem.md by @DanieleFedeli in https://github.com/fastify/fastify/pull/3548
Fix typo in /docs/index.md by @nooreldeensalah in https://github.com/fastify/fastify/pull/3557
added fastify-file-routes by @spa5k in https://github.com/fastify/fastify/pull/3561
Fixes regressions for function decorators on Request and Reply by @mcollina in https://github.com/fastify/fastify/pull/3560

New Contributors

@RoXioTD made their first contribution in https://github.com/fastify/fastify/pull/3539
@asaid-0 made their first contribution in https://github.com/fastify/fastify/pull/3545
@franky47 made their first contribution in https://github.com/fastify/fastify/pull/3541
@DanieleFedeli made their first contribution in https://github.com/fastify/fastify/pull/3548
@nooreldeensalah made their first contribution in https://github.com/fastify/fastify/pull/3557

Full Changelog: fastify/fastify@v3.25.0...v3.25.1

`v3.25.0`

What's Changed

fix(typescript): use RouteGeneric for setErrorHandler types by @ethanwu10 in https://github.com/fastify/fastify/pull/3493
docs(ecosystem): add middie to core section by @Fdawgs in https://github.com/fastify/fastify/pull/3501
build(deps): bump fastify/github-action-merge-dependabot from 2.6.0 to 2.7.0 by @dependabot in https://github.com/fastify/fastify/pull/3507
add node 17 by @Eomm in https://github.com/fastify/fastify/pull/3456
docs(ecosystem): adds @immobiliarelabs/fastify-metrics by @simonecorsi in https://github.com/fastify/fastify/pull/3509
build(deps): bump fastify/github-action-merge-dependabot from 2.7.0 to 2.7.1 by @dependabot in https://github.com/fastify/fastify/pull/3518
Update logger options to correct properties by @makrandgupta in https://github.com/fastify/fastify/pull/3519
fix: use hasKey to check request dependencies by @RafaelGSS in https://github.com/fastify/fastify/pull/3527
Pass constraint values to the router when checking for a preexisting HEAD route by @airhorns in https://github.com/fastify/fastify/pull/3526
Add Luis Orbaiceta as a contributor by @luisorbaiceta in https://github.com/fastify/fastify/pull/3530
Docs reorganization by @jsumners with help from @lachlancollins in https://github.com/fastify/fastify/pull/3474
Rename index files by @jsumners in https://github.com/fastify/fastify/pull/3533

New Contributors

@ethanwu10 made their first contribution in https://github.com/fastify/fastify/pull/3493
@simonecorsi made their first contribution in https://github.com/fastify/fastify/pull/3509
@makrandgupta made their first contribution in https://github.com/fastify/fastify/pull/3519
@luisorbaiceta made their first contribution in https://github.com/fastify/fastify/pull/3530

Full Changelog: fastify/fastify@v3.24.1...v3.25.0

`v3.24.1`

What's Changed

fix: server.requestTimeout miss when https by @zgoby in https://github.com/fastify/fastify/pull/3447
docs: add Google Cloud Functions example to Serverless Documentation by @etino in https://github.com/fastify/fastify/pull/3445
docs: add fastify-polyglot plugin to the ecosystem by @heplyadm in https://github.com/fastify/fastify/pull/3452
fix(typescript): define instance listen callback error nullable by @sf3ris in https://github.com/fastify/fastify/pull/3449
docs: replace "sons" with "descendants" by @mroderick in https://github.com/fastify/fastify/pull/3453
build(deps): bump fastify/github-action-merge-dependabot from 2.5.0 to 2.6.0 by @dependabot in https://github.com/fastify/fastify/pull/3459
docs(examples): fix ts-server exit code of error by @qin20 in https://github.com/fastify/fastify/pull/3458
docs: add fastify-crud-generator plugin by @zuck in https://github.com/fastify/fastify/pull/3460
fix: server.maxRequestsPerSocket miss by @zgoby in https://github.com/fastify/fastify/pull/3463
fix: logger req serializers by @climba03003 in https://github.com/fastify/fastify/pull/3465
build(deps-dev): bump tsd from 0.18.0 to 0.19.0 by @dependabot in https://github.com/fastify/fastify/pull/3466
docs: add code sample for development logger config by @capaj in https://github.com/fastify/fastify/pull/3464
docs: add post example to intro by @saihaj in https://github.com/fastify/fastify/pull/3438
fix: use current instance schema controller by @MetCoder95 in https://github.com/fastify/fastify/pull/3454
fix(typescript): add type declaration for FastifyRequest.context by @chrskrchr in https://github.com/fastify/fastify/pull/3472
docs: add set-cookie special case by @genzyy in https://github.com/fastify/fastify/pull/3470
docs(reply): grammar and readability fixes for set-cookie section by @Fdawgs in https://github.com/fastify/fastify/pull/3477
build(dependabot): ignore minor and patch github-actions updates by @Fdawgs in https://github.com/fastify/fastify/pull/3451
fix the sentence of serializerCompiler by @mm1995tk in https://github.com/fastify/fastify/pull/3490

New Contributors

@zgoby made their first contribution in https://github.com/fastify/fastify/pull/3447
@etino made their first contribution in https://github.com/fastify/fastify/pull/3445
@sf3ris made their first contribution in https://github.com/fastify/fastify/pull/3449
@qin20 made their first contribution in https://github.com/fastify/fastify/pull/3458
@capaj made their first contribution in https://github.com/fastify/fastify/pull/3464
@saihaj made their first contribution in https://github.com/fastify/fastify/pull/3438
@chrskrchr made their first contribution in https://github.com/fastify/fastify/pull/3472
@genzyy made their first contribution in https://github.com/fastify/fastify/pull/3470
@mm1995tk made their first contribution in https://github.com/fastify/fastify/pull/3490

Full Changelog: fastify/fastify@v3.24.0...v3.24.1

`v3.24.0`

What's Changed

build(deps-dev): bump @sinonjs/fake-timers from 7.1.2 to 8.1.0 by @dependabot in https://github.com/fastify/fastify/pull/3418
feat: make version field deterministic and reliable by @jesec in https://github.com/fastify/fastify/pull/3427
chore(.npmignore): remove default ignored files/paths by @Fdawgs in https://github.com/fastify/fastify/pull/3434
make getResponseTime deterministic by @thomaschaaf in https://github.com/fastify/fastify/pull/3431
docs: clarify on request.body content and usage by @Fdawgs in https://github.com/fastify/fastify/pull/3436
test: add hook tests by @Eomm in https://github.com/fastify/fastify/pull/3439

New Contributors

@thomaschaaf made their first contribution in https://github.com/fastify/fastify/pull/3431

Full Changelog: fastify/fastify@v3.23.1...v3.24.0

`v3.23.1`

What's Changed

fix: setSchemaController not inheriting Schemas from root parent by @MetCoder95 in https://github.com/fastify/fastify/pull/3401
fix: socket null in logger by @codeflyer in https://github.com/fastify/fastify/pull/3422

Full Changelog: fastify/fastify@v3.23.0...v3.23.1

`v3.23.0`

What's Changed

Updated the docs related to AJV plugins by @amis-shokoohi in https://github.com/fastify/fastify/pull/3189
fix: remove unused types imports by @juanpicado in https://github.com/fastify/fastify/pull/3392
docs(test/bundler): grammar and spelling fixes by @Fdawgs in https://github.com/fastify/fastify/pull/3393
build(deps-dev): bump split2 from 3.2.2 to 4.1.0 by @dependabot in https://github.com/fastify/fastify/pull/3395
Update Validation-and-Serialization.md by @Eomm in https://github.com/fastify/fastify/pull/3400
Add requestTimeout option by @fatal10110 in https://github.com/fastify/fastify/pull/3407
fix: verify request socket before access attributes by @codeflyer in https://github.com/fastify/fastify/pull/3420

New Contributors

@amis-shokoohi made their first contribution in https://github.com/fastify/fastify/pull/3189
@juanpicado made their first contribution in https://github.com/fastify/fastify/pull/3392
@fatal10110 made their first contribution in https://github.com/fastify/fastify/pull/3407
@codeflyer made their first contribution in https://github.com/fastify/fastify/pull/3420

Full Changelog: fastify/fastify@v3.22.1...v3.23.0

`v3.22.1`

What's Changed

Update NGINX section with comments and fixes by @weiliddat in https://github.com/fastify/fastify/pull/3352
Update Validation-and-Serialization.md by @fralonra in https://github.com/fastify/fastify/pull/3359
fix(typescript): register missing args for function options by @climba03003 in https://github.com/fastify/fastify/pull/3355
build(deps-dev): bump tsd from 0.17.0 to 0.18.0 by @dependabot in https://github.com/fastify/fastify/pull/3368
test: fix typo in tap test pass message by @tniessen in https://github.com/fastify/fastify/pull/3370
docs:inform user to set target property by @siemah in https://github.com/fastify/fastify/pull/3291
Drop readable-stream dependency by @mcollina in https://github.com/fastify/fastify/pull/3372
fix: pipe stream inside error handler by @climba03003 in https://github.com/fastify/fastify/pull/3375
fix(typescript): types for schemaController by @Krysik in https://github.com/fastify/fastify/pull/3369
fix: spell error by @liuhanqu in https://github.com/fastify/fastify/pull/3379

New Contributors

@siemah made their first contribution in https://github.com/fastify/fastify/pull/3291
@Krysik made their first contribution in https://github.com/fastify/fastify/pull/3369
@liuhanqu made their first contribution in https://github.com/fastify/fastify/pull/3379

Full Changelog: fastify/fastify@v3.22.0...v3.22.1

`v3.22.0`

What's Changed

Update Hooks.md by @NobDod in https://github.com/fastify/fastify/pull/3336
feat: max requests per socket by @climba03003 in https://github.com/fastify/fastify/pull/3335
Fix links to querystringParser by @jakearchibald in https://github.com/fastify/fastify/pull/3345
docs: add fastify-supabase to fastify ecosystem by @darkgl0w in https://github.com/fastify/fastify/pull/3348

New Contributors

@NobDod made their first contribution in https://github.com/fastify/fastify/pull/3336
@jakearchibald made their first contribution in https://github.com/fastify/fastify/pull/3345

Full Changelog: fastify/fastify@v3.21.6...v3.22.0

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.


          fix(deps): update dependency fastify to v3.29.4 [security]

bb56b59

renovate bot added the dependencies label

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels