
chore(deps): bump fastify from 4.9.2 to 4.10.2 #10583

Merged
merged 1 commit into from Nov 29, 2022

Conversation

dependabot[bot]
Contributor

@dependabot dependabot bot commented on behalf of github Nov 21, 2022

Bumps fastify from 4.9.2 to 4.10.2.

Release notes

Sourced from fastify's releases.

v4.10.2

⚠️ Security Release ⚠️

Full Changelog: fastify/fastify@v4.10.1...v4.10.2

v4.10.1

What's Changed

New Contributors

Full Changelog: fastify/fastify@v4.10.0...v4.10.1

v4.10.0

What's Changed

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [fastify](https://github.com/fastify/fastify) from 4.9.2 to 4.10.2.
- [Release notes](https://github.com/fastify/fastify/releases)
- [Commits](fastify/fastify@v4.9.2...v4.10.2)

---
updated-dependencies:
- dependency-name: fastify
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Nov 21, 2022
@coveralls

Pull Request Test Coverage Report for Build 3cd8035e-566b-4f83-8df3-f4fbf70c1d27

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 93.404%

Totals Coverage Status
Change from base Build a213a525-4c5b-48ee-9803-b76e72178509: 0.0%
Covered Lines: 6202
Relevant Lines: 6640

💛 - Coveralls

@gjasny

gjasny commented Nov 22, 2022

This fixes GHSA-3fjj-p79j-c9hh

@elbasan

elbasan commented Nov 24, 2022

When can we expect this to be merged?

@goriunov

goriunov commented Nov 24, 2022

Same, waiting for this to be merged 😢

@micalevisk
Member

Tip

🏓 @ufec


If it is just a matter of upgrading the fastify dependency from @nestjs/platform-fastify, you don't need to wait for this PR 😄 Follow this:

for NPM v8+
  1. If you have fastify as a dependency in your project already, add this entry to your package.json:
  "overrides": {
    "@nestjs/platform-fastify": {
      "fastify": "$fastify"
    }
  }

  If fastify is not a direct dependency of your project, add this one instead:

  "overrides": {
    "@nestjs/platform-fastify": {
      "fastify": "^4.10.2"
    }
  }
  2. delete the lock file: rm -f package-lock.json
  3. delete the node_modules: rm -r node_modules
  4. npm install
  5. Check out the result: npm ls fastify
for Yarn v1

Use the resolutions feature

and see yarn why fastify

These two are the ones I tried and they worked here.
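One way to verify the outcome of the procedure above across a whole lockfile, as an added example that is not code from this PR, from micalevisk or from the NestJS project: the script below parses a package-lock.json (v1, v2 or v3 format) and lists every installed copy of fastify that is below the fixed version, so a nested copy that an override did not reach is caught rather than missed in a long `npm ls` tree. The two lockfiles embedded in the script are constructed, the helper names are assumptions, and the 4.10.2 threshold comes from this PR.

```javascript
// Added example (not from this PR or the NestJS project): find every installed
// copy of a package in an npm lockfile and flag the ones below a fixed version.
// After applying an "overrides" entry, `npm ls` shows the tree, but a nested copy
// the override did not reach is easy to overlook in a large monorepo.

// "4.10.2" -> [4, 10, 2]; a leading "v" and any pre-release suffix are dropped.
function parseVersion(v) {
  return v.replace(/^v/, "").split("-")[0].split(".").map(Number);
}

// Comparator: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Lockfile v1 nests installed copies under "dependencies" recursively.
function collectV1(deps, name, prefix, out) {
  for (const [dep, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${dep}`;
    if (dep === name && meta.version) out.push({ path, version: meta.version });
    collectV1(meta.dependencies, name, `${path}/`, out);
  }
}

// Lockfile v2/v3 keeps a flat "packages" map keyed by install path, so the
// package name is whatever follows the last "node_modules/" segment.
function collectV2(packages, name, out) {
  for (const [path, meta] of Object.entries(packages || {})) {
    if (path === "") continue; // the root project entry, not a dependency
    const last = path.split("node_modules/").pop();
    if (last === name && meta.version) out.push({ path, version: meta.version });
  }
}

// Every installed copy of `name`, regardless of lockfile version.
function findInstalledCopies(lock, name) {
  const out = [];
  if (lock.packages) collectV2(lock.packages, name, out);
  else collectV1(lock.dependencies, name, "", out);
  return out;
}

// Copies older than `minVersion`, i.e. the ones the bump has not reached yet.
function findVulnerableCopies(lock, name, minVersion) {
  return findInstalledCopies(lock, name).filter(
    (c) => compareVersions(c.version, minVersion) < 0
  );
}

// Constructed lockfile v3 (versions are sample values): the root fastify is at
// 4.10.2, but a nested copy under @nestjs/platform-fastify is still at 4.9.2,
// which is what happens when an override is not applied to that package.
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { fastify: "^4.10.2", "@nestjs/platform-fastify": "^8.0.0" } },
    "node_modules/fastify": { version: "4.10.2" },
    "node_modules/@nestjs/platform-fastify": { version: "8.4.7" },
    "node_modules/@nestjs/platform-fastify/node_modules/fastify": { version: "4.9.2" },
  },
};

// Constructed lockfile v1 with the same layout, to exercise the nested walk.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    fastify: { version: "4.10.2" },
    "@nestjs/platform-fastify": {
      version: "8.4.7",
      dependencies: { fastify: { version: "4.9.2" } },
    },
  },
};

for (const lock of [SAMPLE_LOCK_V3, SAMPLE_LOCK_V1]) {
  const bad = findVulnerableCopies(lock, "fastify", "4.10.2");
  console.log(`lockfile v${lock.lockfileVersion}:`, bad.length ? bad : "all copies >= 4.10.2");
}
```

To scan a real project, replace the sample objects with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; a non-empty result means the overrides entry (or the platform package's own bump) has not reached that install path.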

@goriunov

goriunov commented Nov 27, 2022

@micalevisk the suggestion works, but we use an internal common module that wraps different utilities around platform-fastify and nestjs; that is where we have platform-fastify installed. Also, we have tons of microservices (over 70) that use that utility, and that means that for every microservice we have to go and add

 "overrides": {
    "@nestjs/platform-fastify": {
      "fastify": "^4.10.2"
    }
  }

as it is not propagating from the common module configuration. Also, this is a temporary change as when this PR is merged we will have to remove the overrides from every single place...

I am wondering if there could be another way to allow the manual fastify version update in the future, maybe with a peer dependency and weaker limitations.

@micalevisk
Member

micalevisk commented Nov 27, 2022

@goriunov got you

I don't see why we couldn't move fastify to peer dep instead in the next major bump. But that is probably something that Kamil had evaluated in the past.

@kamilmysliwiec kamilmysliwiec merged commit 3009353 into master Nov 29, 2022
@delete-merged-branch delete-merged-branch bot deleted the dependabot/npm_and_yarn/fastify-4.10.2 branch November 29, 2022 08:48
@batflarrow

batflarrow commented Jan 25, 2023

@micalevisk I am currently trying to resolve the fastify security vulnerability, and I am forced to upgrade @nestjs/platform-fastify to v9 because fastify was upgraded to a non-vulnerable version in Nest v9. But our current Nest version is v8 and we don't want to upgrade to v9 just yet. Is there any way I can resolve the vulnerability and still remain on the same version?
