fix(deps): update dependency fastify to v5 [security]

[ham-renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
fastify (source)	^4.26.1 → ^5.0.0
fastify (source)	^4.26.2 → ^5.0.0

GitHub Vulnerability Alerts

CVE-2026-25224

Impact

A Denial of Service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation.

Patches

The issue is fixed in Fastify 5.7.3. Users should upgrade to 5.7.3 or later.

Workarounds

Avoid sending Web Streams from Fastify responses (e.g., ReadableStream or Response bodies). Use Node.js streams (stream.Readable) or buffered payloads instead until the project can upgrade.

References

• https://hackerone.com/reports/3524779

CVE-2026-25223

Impact

A validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type.

For example, a request with Content-Type: application/json\ta will bypass JSON schema validation but still be parsed as JSON.

This vulnerability affects all Fastify users who rely on Content-Type-based body validation schemas to enforce data integrity or security constraints. The concrete impact depends on the handler implementation and the level of trust placed in the validated request body, but at the library level, this allows complete bypass of body validation for any handler using Content-Type-discriminated schemas.

This issue is a regression or missed edge case from the fix for a previously reported vulnerability.

Patches

This vulnerability has been patched in Fastify v5.7.2. All users should upgrade to this version or later immediately.

Workarounds

If upgrading is not immediately possible, user can implement a custom onRequest hook to reject requests containing tab characters in the Content-Type header:

fastify.addHook('onRequest', async (request, reply) => {
  const contentType = request.headers['content-type']
  if (contentType && contentType.includes('\t')) {
    reply.code(400).send({ error: 'Invalid Content-Type header' })
  }
})

Resources

• https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272
• https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125
• Fastify Validation and Serialization Documentation
• https://hackerone.com/reports/3464114

---

Release Notes

fastify/fastify (fastify)

v5.7.3

Compare Source

⚠️ Security Release

• Fix GHSA-mrq3-vjjr-p77c CVE-2026-25224.

What's Changed

• docs: update Reply.send() documentation for string serialization by @​mcollina in #​6466
• chore: ignore agents config files by @​mcollina in #​6474
• docs: update vulnerability reporting to use GitHub Security by @​mcollina in #​6475

Full Changelog: fastify/fastify@v5.7.2...v5.7.3

v5.7.2

Compare Source

⚠️ Notice ⚠️

Parsing of the content-type header has been improved to a strict parser in PR #​6414. This means only header values in the form described in RFC 9110 are accepted.

What's Changed

• chore: npm ignore AI related files by @​climba03003 in #​6447
• chore: update sponsor url by @​Eomm in #​6450
• docs: add fastify-http-exceptions to Ecosystem.md by @​bhouston in #​6442
• docs: fix invalid shorten form schema example by @​climba03003 in #​6448
• docs: Simplify and tighten decorators example by @​smith558 in #​6451
• docs: Fix incorrect variable use by @​smith558 in #​6455
• chore: update sponsor link by @​Eomm in #​6460
• fix: Fix MIT Licence file to conform to standard by @​smith558 in #​6464
• docs: move querystringParser option under routerOptions by @​inyourtime in #​6463
• chore: Updated content-type header parsing by @​jsumners in #​6414

New Contributors

• @​bhouston made their first contribution in #​6442

Full Changelog: fastify/fastify@v5.7.1...v5.7.2

v5.7.1

Compare Source

What's Changed

• chore: Bump actions/checkout from 5 to 6 by @​dependabot[bot] in #​6434
• chore: updated version in the fastify.js by @​Tony133 in #​6446

Full Changelog: fastify/fastify@v5.7.0...v5.7.1

v5.7.0

Compare Source

What's Changed

• docs: Improved firebase serverless guide about process remaining stuck by @​alexandercerutti in #​6380
• docs: update migration guide with date-time breaking change by @​craftsman01 in #​6110
• chore: remove test file by @​Eomm in #​6384
• feat: speed up loading with custom compiler by @​Eomm in #​6383
• docs: replace all instances of twitter.com with x.com by @​cseas in #​6355
• docs: correct logger option in example by @​inyourtime in #​6391
• docs: fix links by @​Shriti507 in #​6394
• chore: skip unnecessary object creation by @​Eomm in #​6400
• docs: Update JSON Schema link in documentation by @​jon23d in #​6402
• docs(ecosystem): add fastify-ses-mailer by @​KaranHotwani in #​6395
• docs: add security note about validation errors in response by @​mcollina in #​6407
• docs: add security threat model by @​mcollina in #​6406
• chore: update onboarding and offboarding instructions by @​Eomm in #​6403
• fix: set status code before publishing diagnostics error channel by @​tt-a1i in #​6412
• fix: use JSON.stringify in onBadUrl for proper escaping by @​mcollina in #​6420
• chore: fix type test by @​mrazauskas in #​6418
• docs: improve Validation-and-Serialization.md by @​twentytwo777 in #​6423
• test: skip IPv6 test if its support is not present by @​LiviaMedeiros in #​6428
• test: fix test when localhost has multiple addresses by @​LiviaMedeiros in #​6427
• docs: add security warning for requestIdHeader by @​mcollina in #​6425
• docs(ecosystem): add elements-fastify by @​rohitsoni007 in #​6416
• chore: Bump actions/dependency-review-action from 4.8.1 to 4.8.2 by @​dependabot[bot] in #​6433
• chore: Bump markdownlint-cli2 from 0.18.1 to 0.20.0 by @​dependabot[bot] in #​6436
• chore: Bump @​types/node from 24.10.4 to 25.0.3 in the dev-dependencies-typescript group by @​dependabot[bot] in #​6435
• fix(ts): Align routerOptions defaultRoute types with runtime by @​AnkanMisra in #​6392
• fix(types): require send() payload when Reply type is specified by @​tt-a1i in #​6432
• fix: ajv options type validation by @​gianmarco27 in #​6437
• docs: add non-vulnerability examples to threat model by @​RafaelGSS in #​6431
• feat: implement conditional request logging by @​kibertoad in #​5732
• docs(sponsor): add serpapi by @​Eomm in #​6443
• perf: use native WebStream API instead of Readable.fromWeb wrapper by @​mcollina in #​6444

New Contributors

• @​craftsman01 made their first contribution in #​6110
• @​cseas made their first contribution in #​6355
• @​Shriti507 made their first contribution in #​6394
• @​jon23d made their first contribution in #​6402
• @​KaranHotwani made their first contribution in #​6395
• @​tt-a1i made their first contribution in #​6412
• @​mrazauskas made their first contribution in #​6418
• @​twentytwo777 made their first contribution in #​6423
• @​rohitsoni007 made their first contribution in #​6416
• @​AnkanMisra made their first contribution in #​6392
• @​gianmarco27 made their first contribution in #​6437

Full Changelog: fastify/fastify@v5.6.2...v5.7.0

v5.6.2

Compare Source

What's Changed

• refactor: rename source file names with kebab-case by @​jean-michelet in #​6331
• ci(ci): check dependabot prs originate from repo by @​Fdawgs in #​6330
• fix: accept htab ows by @​jean-michelet in #​6303
• fix: handle non FastifyErrors in custom handler properly, set type of error-parameter for setErrorHandler and errorHandler to unknown, but configurable via generic TError by @​Uzlopak in #​6308
• build(deps-dev): remove @​fastify/pre-commit by @​Fdawgs in #​6319
• ci: improve citgm workflows by @​Uzlopak in #​6334
• docs: explain stream error handling by @​lundibundi in #​5746
• fix: error throwing in reply by @​juanlet in #​6299
• refactor: delegate options processing to a dedicated function by @​jean-michelet in #​6333
• ci: remove label of citgm only on pull_request.labeled, add options for workflow_dispatch by @​Uzlopak in #​6335
• chore: Bump actions/checkout from 4 to 5 by @​dependabot[bot] in #​6343
• chore: Bump joi from 17.13.3 to 18.0.1 by @​dependabot[bot] in #​6347
• chore: Bump lycheeverse/lychee-action from 2.4.1 to 2.6.1 by @​dependabot[bot] in #​6345
• chore: Bump actions/dependency-review-action from 4.7.1 to 4.8.0 by @​dependabot[bot] in #​6344
• chore: Bump actions/labeler from 5 to 6 by @​dependabot[bot] in #​6341
• chore: Bump actions/setup-node from 4 to 5 by @​dependabot[bot] in #​6342
• chore: Bump actions/github-script from 7 to 8 by @​dependabot[bot] in #​6340
• docs: mention that addHttpMethod override existing methods by @​jean-michelet in #​6350
• chore: remove reference to simple-get by @​ilteoood in #​6353
• chore: remove commented tests by @​ilteoood in #​6352
• fix: respect child logger factory in fastify options by @​cysp in #​6349
• docs(ecosystem): adding attaryz/fastify-devtools to community plugins by @​attaryz in #​6339
• docs: remove ambiguity from statement by @​udohjeremiah in #​6360
• chore: add @fastify/sse as fastify core plugin to documentation and citgm by @​manshusainishab in #​6364
• docs(guides/fluent-schema): replace last nb usage by @​Fdawgs in #​6365
• style(ci): remove whitespace from concurrency group by @​Fdawgs in #​6366
• docs: Fix broken link to TypeBox doc website wrt AJV setup by @​melroy89 in #​6367
• docs(reference/plugins): mention async plugins by @​Fdawgs in #​6357
• chore: add max-len ESLint rule with 120 character limit by @​emicovi in #​6221
• chore: Bump actions/dependency-review-action from 4.8.0 to 4.8.1 by @​dependabot[bot] in #​6374
• chore: Bump pino from 9.14.0 to 10.1.0 in the dependencies-major group by @​dependabot[bot] in #​6378
• chore: Bump pnpm/action-setup from 4.1.0 to 4.2.0 by @​dependabot[bot] in #​6375
• chore: Bump tsd from 0.32.0 to 0.33.0 in the dev-dependencies-typescript group by @​dependabot[bot] in #​6346
• chore: Bump lycheeverse/lychee-action from 2.6.1 to 2.7.0 by @​dependabot[bot] in #​6377
• fix: handle web stream payload in HEAD route by @​orionmiz in #​6372
• chore: Bump actions/setup-node from 5 to 6 by @​dependabot[bot] in #​6376
• chore: Bump borp from 0.20.2 to 0.21.0 by @​dependabot[bot] in #​6379
• fix: parse ipv6 hostname by @​jean-michelet in #​6373
• fix: consistent error handling for custom validators in async validation contexts by @​emicovi in #​6247

New Contributors

• @​juanlet made their first contribution in #​6299
• @​cysp made their first contribution in #​6349
• @​attaryz made their first contribution in #​6339
• @​udohjeremiah made their first contribution in #​6360
• @​manshusainishab made their first contribution in #​6364
• @​orionmiz made their first contribution in #​6372

Full Changelog: fastify/fastify@v5.6.1...v5.6.2

v5.6.1

Compare Source

What's Changed

• fix: fix typo of deprecation warning FSTDEP022 by @​Uzlopak in #​6313
• docs(decorators): fix TypeScript inconsistency by @​emicovi in #​6224
• chore: fix typos by @​deining in #​6316
• docs(security): add secondary contact/security escalation policy by @​UlisesGascon in #​6315
• chore(gha): remove benchmark github workflows by @​Eomm in #​6322
• chore(sponsor): add lambdatest by @​Eomm in #​6324
• fix: (types) allow FastifySchemaValidationError[] as an error by @​gurgunday in #​6326
• fix: correct session.close() context in http2 timeout handler by @​David-van-der-Sluijs in #​6327
• fix: close http2 sessions on close server by @​kostyak127 in #​6137

New Contributors

• @​deining made their first contribution in #​6316
• @​UlisesGascon made their first contribution in #​6315
• @​David-van-der-Sluijs made their first contribution in #​6327
• @​kostyak127 made their first contribution in #​6137

Full Changelog: fastify/fastify@v5.6.0...v5.6.1

v5.6.0

Compare Source

What's Changed

• fix: update typescript pino type to pick by @​dancastillo in #​6287
• feat(types): router option types by @​dancastillo in #​6282
• fix(types): Fix use of "esModuleInterop: false" by @​joshkel in #​6292
• docs: fix typo in Reference: TypeScript.md by @​hmanzoni in #​6302
• docs: clarify router performance note by @​Prasad2604 in #​6306

New Contributors

• @​joshkel made their first contribution in #​6292
• @​hmanzoni made their first contribution in #​6302
• @​Prasad2604 made their first contribution in #​6306

Full Changelog: fastify/fastify@v5.5.0...v5.6.0

v5.5.0

Compare Source

What's Changed

• docs: fix markdown linting issue by @​Uzlopak in #​6175
• chore: removed simple-get from mkcalendar tests by @​ilteoood in #​6199
• chore: removed simple-get from versioned-routes tests by @​ilteoood in #​6202
• chore: removed simple-get from hooks tests by @​ilteoood in #​6210
• fix: close pipelining test by @​ilteoood in #​6204
• chore: removed simple-get from unlock test by @​ilteoood in #​6178
• chore: removed simple-get from use-semicolon-delimiter tests by @​ilteoood in #​6203
• chore: removed simple-get from custom-https-server tests by @​ilteoood in #​6201
• chore: remove simple-get from custom parser 5 by @​ilteoood in #​6172
• chore: removed simple-get from head tests by @​ilteoood in #​6196
• chore: removed simple-get from request id tests by @​ilteoood in #​6193
• chore: remove simple get from custom parser 1 by @​ilteoood in #​6167
• chore: removed simple-get from custom-parser-0 by @​ilteoood in #​6168
• chore: remove simple-get from custom parser 2 by @​ilteoood in #​6169
• chore: remove simple-get from custom parser 4 by @​ilteoood in #​6171
• chore: removed simple-get from promises test by @​ilteoood in #​6183
• chore: removed simple-get from move test by @​ilteoood in #​6179
• chore: remove simple-get from custom querystring parser by @​ilteoood in #​6166
• chore: remove simple-get from propfind by @​ilteoood in #​6174
• chore: removed simple-get from case insensitive test by @​ilteoood in #​6188
• chore: remove simple get from async-await tests by @​ilteoood in #​6165
• chore: removed simple-get from header overflow test by @​ilteoood in #​6190
• chore: removed simple-get from check test by @​ilteoood in #​6176
• chore: removed simple-get from async hooks test by @​ilteoood in #​6189
• feat(types): export more schema related types by @​marcalexiei in #​6207
• chore: removed simple-get from copy tests by @​ilteoood in #​6198
• chore: removed simple-get from request-error test by @​ilteoood in #​6184
• chore: removed simple-get from decorator tests by @​ilteoood in #​6192
• ci: pin third-party actions to commit-hash by @​Fdawgs in #​6218
• fix: close fastify instance by @​ilteoood in #​6177
• chore(license): replace date range by @​Fdawgs in #​6219
• chore: removed simple-get from plugin-1 test by @​ilteoood in #​6180
• chore: removed simple-get from plugin-2 test by @​ilteoood in #​6181
• chore: removed simple-get from plugin-3 test by @​ilteoood in #​6182
• chore: remove simple get from reply test by @​ilteoood in #​6160
• feat(types): add missing error types by @​davidwood in #​6217
• docs: setErrorHandler description by @​AlvesJorge in #​6227
• docs: fix onError hook execution order documentation by @​emicovi in #​6225
• fix: handle abort signal in fastify.listen by @​climba03003 in #​6235
• feat: prepare to use Promise.withResolvers by @​climba03003 in #​6232
• docs: updated SECURITY.md by @​Eomm in #​6233
• fix(docs): fix markdown to exclude leading parenthesis by @​IanWoodard in #​6238
• ci: fix thollander/actions-comment-pull-request commit-hash by @​Fdawgs in #​6244
• docs(routes): add payload to preParsing signature by @​callmehiphop in #​6240
• docs(ecosystem): add fastify-route-preset plugin by @​inyourtime in #​6220
• chore: remove simple get from async request, get and register... by @​ilteoood in #​6246
• docs: improve custom validator documentation for async hooks by @​emicovi in #​6228
• chore: remove simple get from route shorthand by @​ilteoood in #​6245
• chore: Bump @​stylistic/eslint-plugin from 4.4.1 to 5.1.0 in the dev-dependencies-eslint group by @​dependabot[bot] in #​6242
• chore: Bump @​types/node from 22.15.34 to 24.0.8 in the dev-dependencies-typescript group by @​dependabot[bot] in #​6243
• chore(tests): remove simple get by @​ilteoood in #​6249
• chore: finally remove simple get by @​ilteoood in #​6251
• chore: remove undici from schema-validation.test.js by @​Uzlopak in #​6252
• test: fix flakyness of close-pipelining-test, upgrade undici to v7 by @​Uzlopak in #​6256
• fix: account for EPIPE fetch errors in tests by @​gurgunday in #​6255
• docs: correct parameter name in frameworkErrors handler by @​inyourtime in #​6257
• docs: fix server page headings level by @​golopot in #​6258
• fix: add FST_ERR_CTP_INVALID_JSON_BODY by @​Uzlopak in #​5925
• feat: optimize content type parser by using AsyncResource.bind() by @​gurgunday in #​6262
• fix: remove unnecessary body length check in contentTypeParser by @​gurgunday in #​6266
• docs(ecosystem): add fastify-multilingual by @​gbrugger in #​6268
• chore: fix docs Request.md by @​ts0307 in #​6270
• chore: Bump typescript from 5.8.3 to 5.9.2 in the dev-dependencies-typescript group by @​dependabot[bot] in #​6273
• chore: Bump cross-env from 7.0.3 to 10.0.0 by @​dependabot[bot] in #​6274
• feat(types): enforce reply status code types with type providers by @​samchungy in #​6250
• feat: move router options to own key by @​dancastillo in #​5985
• docs: refine CONTRIBUTING.md for better readability by @​Dipali127 in #​6277
• chore: refactor reply.send and prioritize kReplyIsError by @​gurgunday in #​6267
• docs(ecosystem): add fastify-permissions plugin by @​pckrishnadas88 in #​6265
• docs: Add Hey API to ecosystem by @​mrlubos in #​6280
• fix: OPTIONS Content-Type handling by @​gurgunday in #​6263

New Contributors

• @​marcalexiei made their first contribution in #​6207
• @​davidwood made their first contribution in #​6217
• @​AlvesJorge made their first contribution in #​6227
• @​emicovi made their first contribution in #​6225
• @​IanWoodard made their first contribution in #​6238
• @​callmehiphop made their first contribution in #​6240
• @​golopot made their first contribution in #​6258
• @​gbrugger made their first contribution in #​6268
• @​ts0307 made their first contribution in #​6270
• @​Dipali127 made their first contribution in #​6277
• @​pckrishnadas88 made their first contribution in #​6265
• @​mrlubos made their first contribution in #​6280

Full Changelog: fastify/fastify@v5.4.0...v5.5.0

v5.4.0

Compare Source

What's Changed

• test: mv routes-* from tap by @​jean-michelet in #​6092
• test: mv skip-reply-send from tap by @​jean-michelet in #​6094
• test: mv plugins from tap by @​jean-michelet in #​6088
• fix(ci): ignore alternative runtime result by @​Eomm in #​6125
• test: mv schema-* from tap by @​jean-michelet in #​6093
• test: mv hooks-async from tap by @​jean-michelet in #​6084
• fix(types): add missing version to request.routeOptions by @​inyourtime in #​6126
• docs: remove fastify-sentry plugin by @​dnlup in #​6131
• docs: add community plugins disclaimer by @​jean-michelet in #​6132
• docs: use cross-platform compatible info emoji by @​Fdawgs in #​6134
• perf: nits in reply.js by @​Cangit in #​6136
• docs: join core team by @​jean-michelet in #​6142
• docs: fix typo in hash.digest function by @​piotr-cz in #​6145
• test: mv hooks from tap by @​jean-michelet in #​6087
• test: improve issue 4959 unit test by @​Uzlopak in #​6147
• chore: Bump markdownlint-cli2 from 0.17.2 to 0.18.1 by @​dependabot in #​6150
• chore: remove dependencie tap and others updated by @​Tony133 in #​6148
• fix: hook async flaky by @​ilteoood in #​6155
• chore: Bump lycheeverse/lychee-action from 2.4.0 to 2.4.1 by @​dependabot in #​6151
• chore: removing simple-get from allow-unsafe-regex by @​ilteoood in #​6154
• chore: remove simple get on 404s test file by @​ilteoood in #​6153
• chore: remove simple-get in handle-request.test.js by @​ilteoood in #​6159
• chore: remove simple-get from url-rewriting by @​ilteoood in #​6163
• chore: remove simple-get in report.test.js by @​ilteoood in #​6157
• chore: remove simple-get from custom parser async by @​ilteoood in #​6164
• chore: removed simple-get from mkcol tests by @​ilteoood in #​6194
• chore: removed simple-get from proto-poisoning test by @​ilteoood in #​6185
• ci: Added Node.js v24 by @​mcollina in #​6113
• chore: removed simple-get from nullable validation test by @​ilteoood in #​6191
• feat: configure errorhandler override by @​jean-michelet in #​6104
• chore: remove simple-get from search test by @​ilteoood in #​6158
• chore: remove simple get from secure with fallback test by @​ilteoood in #​6162
• chore: removed simple-get from als test by @​ilteoood in #​6187
• chore: remove simple-get from listen 4 by @​ilteoood in #​6173
• fix: do not freeze request.routeOptions by @​mcollina in #​6141
• chore: removed simple-get from sync-delay-request tests by @​ilteoood in #​6212
• chore: removed simple-get from output-validation tests by @​ilteoood in #​6213
• chore: removed simple-get from async-delay-request tests by @​ilteoood in #​6211
• chore: removed simple-get from body-limit tests by @​ilteoood in #​6209
• chore: removed simple-get from trust-proxy tests by @​ilteoood in #​6205
• chore: removed simple-get from proppatch tests by @​ilteoood in #​6200
• chore(ci): cleanup citgm.yml by @​Eomm in #​6195
• chore: removed simple-get from https tests by @​ilteoood in #​6197
• chore: removed simple-get from lock test by @​ilteoood in #​6186

Full Changelog: fastify/fastify@v5.3.3...v5.4.0

v5.3.3

Compare Source

What's Changed

• docs: update Vercel section by @​leerob in #​6046
• docs(ecosystem): add fastify-papr plugin by @​inaiat in #​6051
• test: migrated helper and input validation to node test runner by @​ilteoood in #​6074
• style: add "no comma-dangle" rule to eslint config and remove trailing commas by @​cecia234 in #​6069
• test: migrate stream tests to node test runner by @​ilteoood in #​6065
• test: logger response by @​ilteoood in #​6055
• test: migrate schema feature to node test runner by @​ilteoood in #​6066
• fix: Added more cases for JSON schema validation by @​mcollina in #​6067
• test: migrated inject.test.js from tap to node:test by @​Tony133 in #​6068
• test: migrated plugin 1 to node test runner by @​ilteoood in #​6075
• ci: fix branch pattern by @​Eomm in #​6090
• docs: added Jeasx to Ecosystem.md by @​jablonski in #​6082
• test: mv promises from tap by @​jean-michelet in #​6085
• refactor: node:http2 is always available by @​Cangit in #​6073
• fix: update borp to 0.20.0. by @​lholmquist in #​6091
• chore: Bump fluent-json-schema from 5.0.0 to 6.0.0 by @​dependabot in #​6101
• chore: Bump tsd from 0.31.2 to 0.32.0 in the dev-dependencies-typescript group by @​dependabot in #​6100
• test: migrated decorator.test.js from tap to node:test by @​Tony133 in #​5957
• test: stabilize pipelining shutdown test with controlled close timing by @​jean-michelet in #​6099
• test: migrated output-validation.test.js from tap to node:test by @​Tony133 in #​6076
• test: remove tap from hooks-on ready file by @​IcaroSilvaFK in #​6080
• test: mv hooks.on-listen from tap by @​jean-michelet in #​6086
• ci: ignore scripts by @​Fdawgs in #​6108
• docs: add a warning about setErrorHandler overriding a previously defined error ha

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[coderabbitai]

Warning

Rate limit exceeded

@ham-renovate has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 12 minutes and 21 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between b672b59 and a0dbb50.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (2)

• infrastructure/evault-core/package.json
• platforms/registry/api/package.json

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch renovate/npm-fastify-vulnerability

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[ham-renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 5.x releases. But if you manually upgrade to 5.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.