New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(dependency maintenance): update dependency fastify to v3.29.4 [security] #823

Open

renovate wants to merge 1 commit into master from renovate/npm-fastify-vulnerability

Contributor

renovate bot commented Jul 13, 2023 •

edited

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
fastify (source)	`3.24.1` -> `3.29.4`

GitHub Vulnerability Alerts

CVE-2022-41919

Impact

The attacker can use the incorrect Content-Type to bypass the Pre-Flight checking of fetch. fetch() requests with Content-Type’s essence as "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain", could potentially be used to invoke routes that only accepts application/json content type, thus bypassing any CORS protection, and therefore they could lead to a Cross-Site Request Forgery attack.

Patches

For 4.x users, please update to at least 4.10.2
For 3.x users, please update to at least 3.29.4

Workarounds

Implement Cross-Site Request Forgery protection using @fastify/csrf.

References

Check out the HackerOne report: https://hackerone.com/reports/1763832.

For more information

Fastify security policy

Release Notes

fastify/fastify (fastify)

`v3.29.4`

⚠️ Security Release ⚠️

Fix for "Incorrect Content-Type parsing can lead to CSRF attack"
and CVE-2022-41919

Full Changelog: fastify/fastify@v3.29.3...v3.29.4

`v3.29.3`

⚠️ Security Release ⚠️

This release backport the fixes of GHSA-455w-c45v-86rg for the v3.x line.
While not being a vulnerability for this line, a backport is still welcome due to the problems highlighted in the report.

Full Changelog: fastify/fastify@v3.29.2...v3.29.3

`v3.29.2`

What's Changed

fix: backport reused connection fix by @salzhrani in https://github.com/fastify/fastify/pull/4217

New Contributors

@salzhrani made their first contribution in https://github.com/fastify/fastify/pull/4217

Full Changelog: fastify/fastify@v3.29.1...v3.29.2

`v3.29.1`

What's Changed

docs: reference new @fastify/* modules by @Fdawgs in https://github.com/fastify/fastify/pull/3860
Child log level in bindings is deprecated by @orov-io in https://github.com/fastify/fastify/pull/3896
Handle aborted requests (#215) by @TimotejR in https://github.com/fastify/fastify/pull/4103

New Contributors

@orov-io made their first contribution in https://github.com/fastify/fastify/pull/3896
@TimotejR made their first contribution in https://github.com/fastify/fastify/pull/4103

Full Changelog: fastify/fastify@v3.29.0...v3.29.1

`v3.29.0`

What's Changed

Update fastify-error dependency by @jsumners in https://github.com/fastify/fastify/pull/3859

Full Changelog: fastify/fastify@v3.28.0...v3.29.0

`v3.28.0`

What's Changed

(v3.x) Allow custom Context Config types for hooks' request properties by @sumbad in https://github.com/fastify/fastify/pull/3787
add generic logger to route handler & FastifyRequest by @MarcoLeko in https://github.com/fastify/fastify/pull/3782
(v3.x) fix: handle invalid url by @climba03003 in https://github.com/fastify/fastify/pull/3806
(v3.x) feat: reply trailers support by @climba03003 in https://github.com/fastify/fastify/pull/3807

Full Changelog: fastify/fastify@v3.27.4...v3.28.0

`v3.27.4`

What's Changed

[Backport v3.x] Fixed Node.js v18/master support by @github-actions in https://github.com/fastify/fastify/pull/3761

Full Changelog: fastify/fastify@v3.27.3...v3.27.4

`v3.27.3`

What's Changed

Drop @typescript-eslint/no-misused-promises (#3741) by @mcollina in https://github.com/fastify/fastify/pull/3757

Full Changelog: fastify/fastify@v3.27.2...v3.27.3

`v3.27.2`

What's Changed

fix: added jsonShorthand in FastifyServerOptions by @DanieleFedeli in https://github.com/fastify/fastify/pull/3681
fix: calling reply.callNotFound uncaught exception by @VigneshMurugan in https://github.com/fastify/fastify/pull/3661
style: fix new standard linting by @Divlo in https://github.com/fastify/fastify/pull/3682
docs(ecosystem): update fastify-jwt plugin with the new internal library it uses by @rluvaton in https://github.com/fastify/fastify/pull/3689
ci(package-manager): run test:ci instead of test by @Divlo in https://github.com/fastify/fastify/pull/3692
docs(ecosystem): adds @immobiliarelabs/fastify-sentry by @simonecorsi in https://github.com/fastify/fastify/pull/3693
chore: fix plugin labeler by @Eomm in https://github.com/fastify/fastify/pull/3694
Add reference to FST_ERR_CTP_INVALID_MEDIA_TYPE error in the docs for validation & content type parser by @AWare in https://github.com/fastify/fastify/pull/3697
fix(types): add opts param to onRegister hook handler signature by @bmenant in https://github.com/fastify/fastify/pull/3641
update Server docs by @matthyk in https://github.com/fastify/fastify/pull/3699
Update middleware docs link by @JamieGrimwood in https://github.com/fastify/fastify/pull/3706
build(deps): bump tiny-lru from 7.0.6 to 8.0.1 by @dependabot in https://github.com/fastify/fastify/pull/3700
build(deps-dev): bump @sinonjs/fake-timers from 8.1.0 to 9.1.0 by @dependabot in https://github.com/fastify/fastify/pull/3683

New Contributors

@Divlo made their first contribution in https://github.com/fastify/fastify/pull/3682
@AWare made their first contribution in https://github.com/fastify/fastify/pull/3697
@bmenant made their first contribution in https://github.com/fastify/fastify/pull/3641
@JamieGrimwood made their first contribution in https://github.com/fastify/fastify/pull/3706

Full Changelog: fastify/fastify@v3.27.1...v3.27.2

`v3.27.1`

What's Changed

docs: fix link to forceCloseConnections option by @RafaelGSS in https://github.com/fastify/fastify/pull/3638
docs(Prototype-Poisoning): invalid content link by @RafaelGSS in https://github.com/fastify/fastify/pull/3639
doc(Guides): fix grammar issue in the Prototype Poisoning file by @rluvaton in https://github.com/fastify/fastify/pull/3640
types: add forceCloseConnection type def by @RafaelGSS in https://github.com/fastify/fastify/pull/3646
Fixes #3648 - URL must be a string by @VigneshMurugan in https://github.com/fastify/fastify/pull/3653
build: reduce dependabot update frequency by @Fdawgs in https://github.com/fastify/fastify/pull/3659
build: correct dependabot config by @Fdawgs in https://github.com/fastify/fastify/pull/3662
add missing types workflow by @KiraPC in https://github.com/fastify/fastify/pull/3668
Serialization errors will be send to errorHandler by @int1ch in https://github.com/fastify/fastify/pull/3674
Add Documentation and TS Types missed for FastifyInstance#setSchemaController by @Grubba27 in https://github.com/fastify/fastify/pull/3480
Add action to lock threads by @jsumners in https://github.com/fastify/fastify/pull/3679

New Contributors

@rluvaton made their first contribution in https://github.com/fastify/fastify/pull/3640
@int1ch made their first contribution in https://github.com/fastify/fastify/pull/3674
@Grubba27 made their first contribution in https://github.com/fastify/fastify/pull/3480

Full Changelog: fastify/fastify@v3.27.0...v3.27.1

`v3.27.0`

What's Changed

Add keep-alive connection tracking and reaping (resolve #3617) by @jsumners in https://github.com/fastify/fastify/pull/3619

Full Changelog: fastify/fastify@v3.26.0...v3.27.0

`v3.26.0`

What's Changed

Documentation: replace fastify.decorate arrow functions with function expressions by @onosendi in https://github.com/fastify/fastify/pull/3577
Update Recommendations.md by @fralonra in https://github.com/fastify/fastify/pull/3583
build(deps-dev): bump helmet from 4.6.0 to 5.0.1 by @dependabot in https://github.com/fastify/fastify/pull/3591
chore: remove duplicated line by @Eomm in https://github.com/fastify/fastify/pull/3599
docs(reference-typescript): fix formatting by @sniperwolf in https://github.com/fastify/fastify/pull/3602
feat: manage display-name meta plugin by @Eomm in https://github.com/fastify/fastify/pull/3608
Add prototype poisoning doc by @jsumners in https://github.com/fastify/fastify/pull/3609
Fix website workflow not triggering by @luisorbaiceta in https://github.com/fastify/fastify/pull/3611
Adding esbuild bundler to the pipeline by @jhonrocha in https://github.com/fastify/fastify/pull/3616
chore (ci): run lint only once by @darkgl0w in https://github.com/fastify/fastify/pull/3623
Fix types to support Ajv plugins with options by @pverdile in https://github.com/fastify/fastify/pull/3601
Update LICENSE by @ravenberg in https://github.com/fastify/fastify/pull/3629
fix: accept-version on default route by @climba03003 in https://github.com/fastify/fastify/pull/3630
fix (test): custom-parser.test.js flaky test by @darkgl0w in https://github.com/fastify/fastify/pull/3627
fix (types): this is FastifyInstance by @darkgl0w in https://github.com/fastify/fastify/pull/3622

New Contributors

@onosendi made their first contribution in https://github.com/fastify/fastify/pull/3577
@sniperwolf made their first contribution in https://github.com/fastify/fastify/pull/3602
@jhonrocha made their first contribution in https://github.com/fastify/fastify/pull/3616
@pverdile made their first contribution in https://github.com/fastify/fastify/pull/3601
@ravenberg made their first contribution in https://github.com/fastify/fastify/pull/3629

Full Changelog: fastify/fastify@v3.25.3...v3.26.0

`v3.25.3`

What's Changed

Move from fastify-warning to process-warning by @mcollina in https://github.com/fastify/fastify/pull/3576
build(deps-dev): bump http-errors from 1.8.1 to 2.0.0 by @dependabot in https://github.com/fastify/fastify/pull/3553

Full Changelog: fastify/fastify@v3.25.2...v3.25.3

`v3.25.2`

What's Changed

docs: Small improvements in the documentation by @DavidIsa in https://github.com/fastify/fastify/pull/3565
Add release trigger for website build by @luisorbaiceta in https://github.com/fastify/fastify/pull/3572
Fix context tracking with als run by @mcollina in https://github.com/fastify/fastify/pull/3571

New Contributors

@DavidIsa made their first contribution in https://github.com/fastify/fastify/pull/3565

Full Changelog: fastify/fastify@v3.25.1...v3.25.2

`v3.25.1`

What's Changed

docs: add fastify-split-validator to Ecosystem by @MetCoder95 in https://github.com/fastify/fastify/pull/3535
docs: fix broken documentation links by @RoXioTD in https://github.com/fastify/fastify/pull/3539
Tests for http2 host constraint server by @luisorbaiceta in https://github.com/fastify/fastify/pull/3504
Fix docs broken links by @luisorbaiceta in https://github.com/fastify/fastify/pull/3542
Fix broken links in README.md by @asaid-0 in https://github.com/fastify/fastify/pull/3545
Add missing types & docs for async onClose hook by @franky47 in https://github.com/fastify/fastify/pull/3541
chore: upgrade github-action-merge-dependabot to v3 by @Eomm in https://github.com/fastify/fastify/pull/3547
Update Ecosystem.md by @DanieleFedeli in https://github.com/fastify/fastify/pull/3548
Fix typo in /docs/index.md by @nooreldeensalah in https://github.com/fastify/fastify/pull/3557
added fastify-file-routes by @spa5k in https://github.com/fastify/fastify/pull/3561
Fixes regressions for function decorators on Request and Reply by @mcollina in https://github.com/fastify/fastify/pull/3560

New Contributors

@RoXioTD made their first contribution in https://github.com/fastify/fastify/pull/3539
@asaid-0 made their first contribution in https://github.com/fastify/fastify/pull/3545
@franky47 made their first contribution in https://github.com/fastify/fastify/pull/3541
@DanieleFedeli made their first contribution in https://github.com/fastify/fastify/pull/3548
@nooreldeensalah made their first contribution in https://github.com/fastify/fastify/pull/3557

Full Changelog: fastify/fastify@v3.25.0...v3.25.1

`v3.25.0`

What's Changed

fix(typescript): use RouteGeneric for setErrorHandler types by @ethanwu10 in https://github.com/fastify/fastify/pull/3493
docs(ecosystem): add middie to core section by @Fdawgs in https://github.com/fastify/fastify/pull/3501
build(deps): bump fastify/github-action-merge-dependabot from 2.6.0 to 2.7.0 by @dependabot in https://github.com/fastify/fastify/pull/3507
add node 17 by @Eomm in https://github.com/fastify/fastify/pull/3456
docs(ecosystem): adds @immobiliarelabs/fastify-metrics by @simonecorsi in https://github.com/fastify/fastify/pull/3509
build(deps): bump fastify/github-action-merge-dependabot from 2.7.0 to 2.7.1 by @dependabot in https://github.com/fastify/fastify/pull/3518
Update logger options to correct properties by @makrandgupta in https://github.com/fastify/fastify/pull/3519
fix: use hasKey to check request dependencies by @RafaelGSS in https://github.com/fastify/fastify/pull/3527
Pass constraint values to the router when checking for a preexisting HEAD route by @airhorns in https://github.com/fastify/fastify/pull/3526
Add Luis Orbaiceta as a contributor by @luisorbaiceta in https://github.com/fastify/fastify/pull/3530
Docs reorganization by @jsumners with help from @lachlancollins in https://github.com/fastify/fastify/pull/3474
Rename index files by @jsumners in https://github.com/fastify/fastify/pull/3533

New Contributors

@ethanwu10 made their first contribution in https://github.com/fastify/fastify/pull/3493
@simonecorsi made their first contribution in https://github.com/fastify/fastify/pull/3509
@makrandgupta made their first contribution in https://github.com/fastify/fastify/pull/3519
@luisorbaiceta made their first contribution in https://github.com/fastify/fastify/pull/3530

Full Changelog: fastify/fastify@v3.24.1...v3.25.0

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

renovate-approve bot previously approved these changes

View reviewed changes

renovate bot force-pushed the renovate/npm-fastify-vulnerability branch 2 times, most recently from 38fe7dc to d713d7e Compare

February 26, 2024 10:47

renovate bot dismissed renovate-approve’s stale review via

a950088

February 26, 2024 10:54

renovate bot force-pushed the renovate/npm-fastify-vulnerability branch from d713d7e to a950088 Compare

February 26, 2024 10:54

renovate-approve bot previously approved these changes

View reviewed changes

renovate bot force-pushed the renovate/npm-fastify-vulnerability branch from a950088 to d93e13a Compare

March 28, 2024 06:18

renovate bot dismissed renovate-approve’s stale review via

fa85f79

March 28, 2024 06:27

renovate bot force-pushed the renovate/npm-fastify-vulnerability branch from d93e13a to fa85f79 Compare

March 28, 2024 06:27

renovate-approve bot previously approved these changes

View reviewed changes

renovate bot force-pushed the renovate/npm-fastify-vulnerability branch from fa85f79 to 75487a2 Compare

April 4, 2024 13:34

renovate bot dismissed renovate-approve’s stale review via

a5b2145

April 4, 2024 13:41

renovate bot force-pushed the renovate/npm-fastify-vulnerability branch from 75487a2 to a5b2145 Compare

April 4, 2024 13:41

renovate-approve bot previously approved these changes

View reviewed changes

renovate bot force-pushed the renovate/npm-fastify-vulnerability branch from a5b2145 to f1c8756 Compare

April 5, 2024 07:51

renovate bot dismissed renovate-approve’s stale review via

d60a535

April 5, 2024 07:58

renovate bot force-pushed the renovate/npm-fastify-vulnerability branch from f1c8756 to d60a535 Compare

April 5, 2024 07:58

renovate-approve bot previously approved these changes

View reviewed changes

renovate bot force-pushed the renovate/npm-fastify-vulnerability branch from d60a535 to b8b3c44 Compare

April 8, 2024 07:00

renovate bot dismissed renovate-approve’s stale review via

April 8, 2024 07:06

renovate bot force-pushed the renovate/npm-fastify-vulnerability branch from b8b3c44 to 6377717 Compare

April 8, 2024 07:06

renovate-approve bot previously approved these changes

View reviewed changes

renovate bot force-pushed the renovate/npm-fastify-vulnerability branch from 6377717 to 5fa9a53 Compare

April 10, 2024 07:31

renovate bot dismissed renovate-approve’s stale review via

f33000b

April 10, 2024 07:39

renovate bot force-pushed the renovate/npm-fastify-vulnerability branch from 5fa9a53 to f33000b Compare

April 10, 2024 07:39

renovate-approve bot previously approved these changes

View reviewed changes

renovate bot force-pushed the renovate/npm-fastify-vulnerability branch from f33000b to af5a6f3 Compare

April 10, 2024 09:23

renovate bot dismissed renovate-approve’s stale review via

7540d4c

April 10, 2024 09:34

renovate bot force-pushed the renovate/npm-fastify-vulnerability branch from af5a6f3 to 7540d4c Compare

April 10, 2024 09:34

renovate-approve bot previously approved these changes

View reviewed changes

renovate bot force-pushed the renovate/npm-fastify-vulnerability branch from 7540d4c to 988a261 Compare

April 10, 2024 10:38

renovate bot dismissed renovate-approve’s stale review via

2220d65

April 10, 2024 11:08

renovate bot force-pushed the renovate/npm-fastify-vulnerability branch from 988a261 to 2220d65 Compare

April 10, 2024 11:08

renovate-approve bot previously approved these changes

View reviewed changes

renovate bot force-pushed the renovate/npm-fastify-vulnerability branch from 2220d65 to 59f4f78 Compare

May 21, 2024 06:26

renovate bot dismissed renovate-approve’s stale review via

4f2165e

May 21, 2024 06:33

renovate bot force-pushed the renovate/npm-fastify-vulnerability branch from 59f4f78 to 4f2165e Compare

May 21, 2024 06:33

renovate-approve bot previously approved these changes

View reviewed changes

renovate bot force-pushed the renovate/npm-fastify-vulnerability branch from 4f2165e to 7ec4bff Compare

June 3, 2024 08:57

renovate bot dismissed renovate-approve’s stale review via

b4514d5

June 3, 2024 09:03

renovate bot force-pushed the renovate/npm-fastify-vulnerability branch from 7ec4bff to b4514d5 Compare

June 3, 2024 09:03

renovate-approve bot previously approved these changes

View reviewed changes

renovate bot force-pushed the renovate/npm-fastify-vulnerability branch from b4514d5 to 9143cfb Compare

June 3, 2024 11:12

renovate bot dismissed renovate-approve’s stale review via

3c4c121

June 3, 2024 11:22

renovate bot force-pushed the renovate/npm-fastify-vulnerability branch from 9143cfb to 3c4c121 Compare

June 3, 2024 11:22

renovate-approve bot previously approved these changes

View reviewed changes

renovate bot force-pushed the renovate/npm-fastify-vulnerability branch from 3c4c121 to b24a5fe Compare

June 3, 2024 11:50

renovate bot dismissed renovate-approve’s stale review via

6c1818d

June 3, 2024 15:07

renovate bot force-pushed the renovate/npm-fastify-vulnerability branch from b24a5fe to 6c1818d Compare

June 3, 2024 15:07

renovate-approve bot previously approved these changes

View reviewed changes

renovate bot force-pushed the renovate/npm-fastify-vulnerability branch from 6c1818d to e19fdd8 Compare

June 4, 2024 11:50


          fix(dependency maintenance): update dependency fastify to v3.29.4 [se…

09e937a

…curity]

renovate bot dismissed renovate-approve’s stale review via

09e937a

June 4, 2024 11:58

renovate bot force-pushed the renovate/npm-fastify-vulnerability branch from e19fdd8 to 09e937a Compare

June 4, 2024 11:58

renovate-approve bot approved these changes

View reviewed changes

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment