
Fastify template has vulnerability in itself #10610

Closed
3 of 15 tasks
I-Am-Anger opened this issue Nov 29, 2022 · 1 comment
Labels
needs triage This issue has not been looked into

Comments

@I-Am-Anger

Is there an existing issue for this?

  • I have searched the existing issues

Current behavior

Installing nestjs/sample/10-fastify packages with npm install doesn't work as expected - installation reports CSRF attack

report:
fastify 4.0.0 - 4.10.1
Severity: high
fastify vulnerable to denial of service via malicious Content-Type - GHSA-455w-c45v-86rg
Fastify: Incorrect Content-Type parsing can lead to CSRF attack - GHSA-3fjj-p79j-c9hh
fix available via npm audit fix --force
Will install @nestjs/platform-fastify@9.2.0, which is outside the stated dependency range
node_modules/fastify
@nestjs/platform-fastify 9.0.0-next.1 - 9.1.4
Depends on vulnerable versions of fastify
node_modules/@nestjs/platform-fastify

2 high severity vulnerabilities

Minimum reproduction code

https://github.com/nestjs/nest/tree/master/sample/10-fastify

Steps to reproduce

  1. degit https://github.com/nestjs/nest/sample/10-fastify project
  2. cd project
  3. npm install

Expected behavior

Installs node modules

Package

  • I don't know. Or some 3rd-party package
  • @nestjs/common
  • @nestjs/core
  • @nestjs/microservices
  • @nestjs/platform-express
  • @nestjs/platform-fastify
  • @nestjs/platform-socket.io
  • @nestjs/platform-ws
  • @nestjs/testing
  • @nestjs/websockets
  • Other (see below)

Other package

No response

NestJS version

9.0.1

Packages versions

{
  "name": "nest-typescript-starter",
  "version": "1.0.0",
  "description": "Nest TypeScript starter repository",
  "license": "MIT",
  "scripts": {
    "prebuild": "rimraf dist",
    "build": "nest build",
    "format": "prettier --write \"src/**/*.ts\" \"test/**/*.ts\"",
    "start": "nest start",
    "start:dev": "nest start --watch",
    "start:debug": "nest start --debug --watch",
    "start:prod": "node dist/main",
    "lint": "eslint '{src,apps,libs,test}/**/*.ts' --fix",
    "test": "jest",
    "test:watch": "jest --watch",
    "test:cov": "jest --coverage",
    "test:debug": "node --inspect-brk -r tsconfig-paths/register -r ts-node/register node_modules/.bin/jest --runInBand",
    "test:e2e": "echo 'No e2e tests implemented yet.'"
  },
  "dependencies": {
    "@nestjs/common": "9.0.1",
    "@nestjs/core": "9.0.1",
    "@nestjs/platform-fastify": "9.0.1",
    "class-transformer": "0.5.1",
    "class-validator": "0.13.2",
    "reflect-metadata": "0.1.13",
    "rimraf": "3.0.2",
    "rxjs": "7.5.5"
  },
  "devDependencies": {
    "@nestjs/cli": "9.0.0",
    "@nestjs/schematics": "9.0.1",
    "@nestjs/testing": "9.0.1",
    "@types/express": "4.17.13",
    "@types/node": "18.0.3",
    "@types/supertest": "2.0.12",
    "@typescript-eslint/eslint-plugin": "5.30.5",
    "@typescript-eslint/parser": "5.30.5",
    "eslint": "8.19.0",
    "eslint-config-prettier": "8.5.0",
    "eslint-plugin-import": "2.26.0",
    "jest": "28.1.2",
    "prettier": "2.7.1",
    "supertest": "6.2.4",
    "ts-jest": "28.0.5",
    "ts-loader": "9.3.1",
    "ts-node": "10.8.2",
    "tsconfig-paths": "4.0.0",
    "typescript": "4.7.4"
  }
}

Node.js version

No response

In which operating systems have you tested?

  • macOS
  • Windows
  • Linux

Other

No response
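The audit output in this report names two advisories against fastify 4.0.0 through 4.10.1, both pulled in transitively through @nestjs/platform-fastify. A defender's practical question is not only "does npm audit fail today" but "which installed copy of fastify, at which path in the tree, falls inside the advised range, and what does the CI gate do about it". The following script is an added example, not code from the nestjs/nest repository or from the issue reporter: it walks a package-lock.json `packages` map (a constructed fragment mirroring the reporter's install), compares each installed fastify version against the advisory ranges quoted above, and applies a severity threshold. The GHSA identifiers, severities and affected range come from the report; the first fixed version, 4.10.2, is inferred from the stated range and is an assumption, as is the choice of fastify 4.2.0 as the version the sample lock file resolves.

```javascript
// Added example (not from the nestjs/nest issue): audit a package-lock.json
// "packages" map against the two fastify advisories quoted in the npm audit
// report. Advisory ids, severities and the affected range 4.0.0 - 4.10.1 are
// taken from the report; "fixed: 4.10.2" is inferred from that range and is
// an assumption. The lock-file fragment below is constructed.

const ADVISORIES = [
  { id: 'GHSA-455w-c45v-86rg', pkg: 'fastify', severity: 'high',
    title: 'denial of service via malicious Content-Type',
    affected: { min: '4.0.0', max: '4.10.1' }, fixed: '4.10.2' },
  { id: 'GHSA-3fjj-p79j-c9hh', pkg: 'fastify', severity: 'high',
    title: 'Incorrect Content-Type parsing can lead to CSRF attack',
    affected: { min: '4.0.0', max: '4.10.1' }, fixed: '4.10.2' },
];

// Constructed lockfileVersion 3 fragment: @nestjs/platform-fastify 9.0.1
// (the reporter's pinned version) resolving an assumed fastify 4.2.0.
const SAMPLE_LOCK = {
  name: 'nest-typescript-starter',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { '@nestjs/platform-fastify': '9.0.1' } },
    'node_modules/@nestjs/platform-fastify': {
      version: '9.0.1', dependencies: { fastify: '4.2.0' } },
    'node_modules/fastify': { version: '4.2.0' },
  },
};

// Parse "MAJOR.MINOR.PATCH" into three integers. Pre-release suffixes are
// ignored; the advisory range in this report has none.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Inclusive range check, matching how npm audit prints "4.0.0 - 4.10.1".
function inAffectedRange(version, range) {
  return compareVersions(version, range.min) >= 0 &&
         compareVersions(version, range.max) <= 0;
}

// Walk every installed package path (nested copies such as
// node_modules/x/node_modules/fastify included) and return one finding per
// (installed copy, advisory) pair whose version lies in the affected range.
function findVulnerable(lock, advisories = ADVISORIES) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || !entry.version) continue;
    // Package name is everything after the last "node_modules/" segment,
    // which keeps scoped names like @nestjs/platform-fastify intact.
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    for (const adv of advisories) {
      if (adv.pkg === name && inAffectedRange(entry.version, adv.affected)) {
        findings.push({ path, name, version: entry.version, id: adv.id,
                        severity: adv.severity, fixed: adv.fixed });
      }
    }
  }
  return findings;
}

// CI gate: passes only when no finding is at or above the threshold severity.
const SEVERITY_ORDER = ['low', 'moderate', 'high', 'critical'];
function passesGate(findings, threshold = 'high') {
  const bar = SEVERITY_ORDER.indexOf(threshold);
  return !findings.some(f => SEVERITY_ORDER.indexOf(f.severity) >= bar);
}

if (typeof require !== 'undefined' && require.main === module) {
  const findings = findVulnerable(SAMPLE_LOCK);
  for (const f of findings) {
    console.log(`${f.path}@${f.version}: ${f.id} (${f.severity}) -> upgrade to >=${f.fixed}`);
  }
  console.log(passesGate(findings) ? 'audit gate: pass' : 'audit gate: FAIL');
}
```

Running it against the constructed lock file reports both advisories for `node_modules/fastify@4.2.0` and fails the gate at the default `high` threshold; a lock file resolving fastify 4.10.2 or later produces no findings. The walk over `packages` paths rather than top-level `dependencies` is deliberate: a nested duplicate of fastify under another package would be missed by a check that only looks at the root entry, which is the same reason `npm audit` reports the `node_modules/...` path for each hit.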

@I-Am-Anger I-Am-Anger added the needs triage This issue has not been looked into label Nov 29, 2022
@micalevisk (Member)

I guess this will be fixed by #10583
