
fix(deps): update dependency fastify-static to v4 [security] #105

Open
wants to merge 1 commit into base: master
Conversation

renovate-bot (Contributor) commented Mar 7, 2022

Mend Renovate

This PR contains the following updates:

Package          Change
fastify-static   ^2.0.0 -> ^4.0.0
fastify-static   ^2.3.4 -> ^4.0.0

GitHub Vulnerability Alerts

CVE-2021-22963

Impact

A redirect vulnerability in the fastify-static module allows remote attackers to redirect Mozilla Firefox users to arbitrary websites via a double slash // followed by a domain: http://localhost:3000//google.com/%2e%2e.

The issue shows up on all the fastify-static applications that set redirect: true option. By default, it is false.

Patches

The issue has been patched in fastify-static@4.2.4

Workarounds

If updating is not an option, you can sanitize the input URLs using the rewriteUrl server option.

References

For more information

If you have any questions or comments about this advisory:


Release Notes

fastify/fastify-static (fastify-static)

v4.2.4

⚠️ Security release

CVE: CVE-2021-22963
Security Advisory: GHSA-p6vg-p826-qp3v
See also: https://hackerone.com/reports/1354255 (disclosed soon)

What's Changed

New Contributors

Full Changelog: fastify/fastify-static@v4.2.3...v4.2.4

v4.2.3

📚 PR:

  • Update README.md
  • Merge pull request #217 from olmesm/patch-1
  • Bump fastify/github-action-merge-dependabot from 2.0.0 to 2.1.0 (#207)
  • Bump tsd from 0.15.1 to 0.16.0 (#209)
  • Bump fastify/github-action-merge-dependabot from 2.1.0 to 2.1.1 (#210)
  • Bump tsd from 0.16.0 to 0.17.0 (#211)
  • Bump actions/setup-node from 2.1.5 to 2.2.0 (#213)
  • Bump @types/node from 15.14.1 to 16.0.0 (#215)
  • Bump fastify/github-action-merge-dependabot from 2.1.1 to 2.2.0 (#216)
  • Bump actions/setup-node from 2.2.0 to 2.3.0 (#223)
  • Bump actions/setup-node from 2.3.0 to 2.3.1 (#224)
  • fix: call 404 handler if requested path is a dotfile (#225)

v4.2.2

📚 PR:

  • fix content-encoding response header for gzip compression (#206)

v4.2.1

📚 PR:

  • fix content-type header for precompressed assets (#204)
  • fix index not being served for precompressed assets (#205)

v4.2.0

📚 PR:

  • Bump tsd from 0.14.0 to 0.15.0 (#201)
  • Bump actions/checkout from 2 to 2.3.4 (#202)
  • feat: add support for serving statically compressed files (#158)

v4.0.1

v4.0.0

📚 PR:

  • docs: using registered instead of registers (#171)
  • feat: implement download decorator (#174)
  • Add option to filter files (#172)
  • feat: remove wildcard string support (#175)

v3.4.0

📚 PR:

  • feat: add support for multiple root directories under a single prefix (#169)

v3.3.1

📚 PR:

  • Bump standard from 14.3.4 to 15.0.0
  • Bump snazzy from 8.0.0 to 9.0.0
  • Bump standard from 15.0.1 to 16.0.2
  • fix lint
  • Bump tsd from 0.13.1 to 0.14.0
  • Merge pull request #163 from fastify/dependabot/npm_and_yarn/tsd-0.14.0
  • feat: add stale (#152)
  • chore: add dependabot automerge (#162)
  • Fix glob path encoding (#166)
  • Fix type of dotfiles property (#168)

v3.3.0

📚 PR:

  • Bump fastify-plugin from 2.3.4 to 3.0.0
  • fix: prevent premature close error (#149)

v3.2.1

  • Missing lines for 100% coverage #134 + run format so pre-commit hook is happy (#142)
  • Removed socket prop from the stream wrap (#147)

v3.2.0

📚 PR:

  • Bumped fastify
  • Bump tsd from 0.12.1 to 0.13.1 (#139)
  • thenable bugfix (#140)

v3.1.0

📚 PR:

  • Bump tsd from 0.11.0 to 0.12.0 (#138)
  • feat: dir list index (#137)
  • bumped fastify v3.0.0-rc.5

v3.0.1

📚 PR:

  • update to latest standard
  • Bumped fastify@3.0.0-rc.4
  • Bump send from 0.16.2 to 0.17.1 (#130)
  • Bump @types/node from 13.13.6 to 14.0.1 (#132)
  • Bump simple-get from 3.1.0 to 4.0.0 (#133)

v3.0.0

📚 PR:

v2.7.0

📚 PR:

  • add flag to avoid trailing slash in prefix (#123)

v2.6.0

📚 PR:

  • Add rootPath overload parameter to sendFile function (#118)

v2.5.1

📚 PR:

  • fix for typescript http2/https warning (#115)
  • fix: handle missing trailing slash on directories (#113)

v2.5.0

📚 PR:

  • Added Node 12 to .travis.yml
  • Updated dependencies
  • maxAge test (#103)
  • feat: allow wildcard being globPattern (#107)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.
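The advisory's Workarounds section above says that, where updating to fastify-static@4.2.4 is not possible, the input URL can be sanitised with Fastify's rewriteUrl server option. The following is an added example of that workaround, written for this page; it is not code from the Renovate PR, the advisory, or the fastify-static project. It collapses every run of slashes in the request path before routing, so a request path beginning with "//host" (the form in the advisory's http://localhost:3000//google.com/%2e%2e example) reaches fastify-static as "/host..." and any trailing-slash redirect it builds stays on the site's own origin. The rewriteUrl option and the raw Node.js req it receives are Fastify's; the helper names (collapseSlashes, redirectStaysOnOrigin, buildServerOptions) and the sample URLs are my own constructions.

```javascript
'use strict';

// Added example, not code from the Renovate PR or the fastify-static project.
// Implements the advisory's workaround: a Fastify `rewriteUrl` server option
// that collapses runs of "/" in the request path before routing. Helper names
// are assumptions; `rewriteUrl(req)` is Fastify's option and `req` is the raw
// Node.js IncomingMessage it passes in.

// Collapse every run of two or more "/" in the path to a single "/".
// Only the path is rewritten; the query string (from the first "?") is kept
// verbatim so application parameters are not altered.
function collapseSlashes(rawUrl) {
  const qIndex = rawUrl.indexOf('?');
  const path = qIndex === -1 ? rawUrl : rawUrl.slice(0, qIndex);
  const query = qIndex === -1 ? '' : rawUrl.slice(qIndex);
  const collapsed = path.replace(/\/{2,}/g, '/');
  // Keep the result an absolute-path reference ("/..."), never "" or "x".
  return (collapsed.startsWith('/') ? collapsed : '/' + collapsed) + query;
}

// Fastify calls this once per request, before routing, and uses the returned
// string as the URL that the router and fastify-static see.
function rewriteUrl(req) {
  return collapseSlashes(req.url);
}

// Resolve a Location header value the way a browser would, against the site's
// own origin, and report whether it stays on that origin. This shows why a
// path-derived "//google.com/" is dangerous: it is protocol-relative, so the
// browser resolves it to a different host.
function redirectStaysOnOrigin(location, origin = 'http://localhost:3000') {
  return new URL(location, origin).origin === origin;
}

// Options object to pass to `fastify(...)`. The fastify package itself is not
// imported here so this file runs without it installed:
//   const fastify = require('fastify')(buildServerOptions());
//   fastify.register(require('fastify-static'), { root, redirect: true });
function buildServerOptions() {
  return { rewriteUrl };
}

// Constructed sample request URLs, including the advisory's example path.
const SAMPLE_URLS = ['//google.com/%2e%2e', '/assets//../x', '/a/b/?q=//c'];
for (const u of SAMPLE_URLS) {
  console.log(u, '->', rewriteUrl({ url: u }));
}
```

Collapsing slashes anywhere in the path (not only at the start) is deliberate: it also defuses the same pattern under a route prefix. The trade-off is that applications relying on empty path segments will see them merged, so test your routes after enabling it. The rewrite is a stop-gap; the advisory's actual fix is the update to fastify-static@4.2.4 this PR performs.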
