chore(deps): update dependency fastify to v4.10.2 [security] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
fastify (source)	4.2.0 → 4.10.2

GitHub Vulnerability Alerts

CVE-2022-39288

Impact

An attacker can send an invalid Content-Type header that can cause the application to crash, leading to a possible Denial of Service attack. Only the v4.x line is affected.

(This was updated: upon a close inspection, v3.x is not affected after all).

Patches

Yes, update to > v4.8.0.

Workarounds

You can reject the malicious content types before the body parser enters in action.

  const badNames = Object.getOwnPropertyNames({}.__proto__)
  fastify.addHook('onRequest', async (req, reply) => {
    for (const badName of badNames) {
      if (req.headers['content-type'].indexOf(badName) > -1) {
        reply.code(415)
        throw new Error('Content type not supported')
      }
    }
  })

References

See the HackerOne report #​1715536

For more information

Fastify security policy

CVE-2022-41919

Impact

The attacker can use the incorrect Content-Type to bypass the Pre-Flight checking of fetch. fetch() requests with Content-Type’s essence as "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain", could potentially be used to invoke routes that only accepts application/json content type, thus bypassing any CORS protection, and therefore they could lead to a Cross-Site Request Forgery attack.

Patches

For 4.x users, please update to at least 4.10.2
For 3.x users, please update to at least 3.29.4

Workarounds

Implement Cross-Site Request Forgery protection using @fastify/csrf.

References

Check out the HackerOne report: https://hackerone.com/reports/1763832.

For more information

Fastify security policy

---

Release Notes

fastify/fastify (fastify)

v4.10.2

Compare Source

⚠️ Security Release ⚠️

• Fix for "Incorrect Content-Type parsing can lead to CSRF attack"
  and CVE-2022-41919

Full Changelog: fastify/fastify@v4.10.1...v4.10.2

v4.10.1

Compare Source

What's Changed

• fix node 19.1.0 port validation test by @​Uzlopak in #​4427
• Add fastify-constraints to community plugins by @​Ceres6 in #​4428
• build(deps-dev): bump @​sinonjs/fake-timers from 9.1.2 to 10.0.0 by @​dependabot in #​4421
• add silent option to LogLevel by @​Uzlopak in #​4432

New Contributors

• @​Ceres6 made their first contribution in #​4428

Full Changelog: fastify/fastify@v4.10.0...v4.10.1

v4.10.0

Compare Source

What's Changed

• docs(reference/reply): spelling fixes by @​Fdawgs in #​4358
• Support different content-type typed reply with TypeProvider by @​rain714 in #​4360
• chore: remove leading empty lines by @​LinusU in #​4364
• fix types after pino 8.7.0 change by @​mcollina in #​4365
• Node.js V19 support by @​mcollina in #​4366
• fix: no check on null or undefined values passed as fn by @​metcoder95 in #​4367
• docs(server): config is lost when reply.call not found() is called by @​cesarvspr in #​4368
• Fix typo - 'sever' to 'server' by @​utsav91 in #​4372
• Add platformatic to the Acknowledgements by @​mcollina in #​4378
• docs: add Simone Busoli to plugin maintainers by @​simoneb in #​4379
• add missing 'validationContext' field to FastifyError type by @​jakubburzynski in #​4363
• fix(type-providers): assignability of instance with enabled type provider by @​driimus in #​4371
• feat: support async trailer by @​climba03003 in #​4380
• fix: trailers async race condition by @​climba03003 in #​4383
• docs(ecosystem): Add fastify-list-routes by @​chuongtrh in #​4385
• build(deps-dev): bump @​sinclair/typebox from 0.24.51 to 0.25.2 by @​dependabot in #​4388
• [ Fix ] Improve error message for hooks check by @​debadutta98 in #​4387
• fix: tiny-lru usage by @​climba03003 in #​4391
• Removes old note about named imports in ESM by @​fox1t in #​4392
• docs: Add section about capacity planning by @​kibertoad in #​4386
• docs(recommendations): grammar fixes by @​Fdawgs in #​4396
• chore(doc): duplicated menu item by @​Eomm in #​4398
• feat: add request.routeOptions object by @​debadutta98 in #​4397
• docs: Document multiple app approach by @​kibertoad in #​4393
• fix example using db decorator on fastify instance by @​mmarti in #​4406
• docs: fix removeAdditional refer by @​shunyue1320 in #​4410

New Contributors

• @​rain714 made their first contribution in #​4360
• @​LinusU made their first contribution in #​4364
• @​cesarvspr made their first contribution in #​4368
• @​utsav91 made their first contribution in #​4372
• @​jakubburzynski made their first contribution in #​4363
• @​driimus made their first contribution in #​4371
• @​chuongtrh made their first contribution in #​4385
• @​debadutta98 made their first contribution in #​4387
• @​mmarti made their first contribution in #​4406
• @​shunyue1320 made their first contribution in #​4410

Full Changelog: fastify/fastify@v4.9.2...v4.10.0

v4.9.2

Compare Source

What's Changed

• types: Add missing context types by @​kibertoad in #​4352
• Revert "fix(logger): lost setBindings type in FastifyBaseLogger" by @​climba03003 in #​4355

Full Changelog: fastify/fastify@v4.9.1...v4.9.2

v4.9.1

Compare Source

What's Changed

• docs(reply): specify streams content-type by @​D10f in #​4337
• fix(logger): lost setBindings type in FastifyBaseLogger by @​BlackHole1 in #​4346
• docs(reference): grammar and structure fixes by @​Fdawgs in #​4348
• docs: example how decorators dependencies works by @​leandroandrade in #​4343
• Undefined is a valid value for if set as a single hook by @​mcollina in #​4351

New Contributors

• @​D10f made their first contribution in #​4337

Full Changelog: fastify/fastify@v4.9.0...v4.9.1

v4.9.0

Compare Source

What's Changed

• fix: error handler content-type guessing by @​climba03003 in #​4329
• build(deps-dev): bump fluent-json-schema from 3.1.0 to 4.0.0 by @​dependabot in #​4331
• feat: Supporting different content-type responses by @​iifawzi in #​4264
• fix: should now call default schema compilers by @​Eomm in #​4340
• docs(ecosystem): replace heply -> beliven due to rebranding by @​zuck in #​4334
• docs(ecosystem): add @​fastify-userland plugins and tools by @​BlackHole1 in #​4345
• Validate and throws a custom error when attempting to register invalid hook functions by @​jhhom in #​4332

New Contributors

• @​jhhom made their first contribution in #​4332

Full Changelog: fastify/fastify@v4.8.1...v4.9.0

v4.8.1

Compare Source

⚠️ Security Release ⚠️

This release fixes GHSA-455w-c45v-86rg for the v4.x line.
This is a HIGH vulnerability that can lead to a crash, resulting in a total loss of availability.
The CVE for this vulnerability is CVE-2022-39288.

Full Changelog: fastify/fastify@v4.8.0...v4.8.1

v4.8.0

Compare Source

What's Changed

• Correct github url for fastify-qs package by @​VanoDevium in #​4321
• docs: add test examples with undici and fetch by @​CristiTeo in #​4300
• update onRoute hook docs by @​matthyk in #​4322
• Export error codes by @​fitiskin in #​4266
• feat: support async constraint by @​climba03003 in #​4323

New Contributors

• @​fitiskin made their first contribution in #​4266

Full Changelog: fastify/fastify@v4.7.0...v4.8.0

v4.7.0

Compare Source

What's Changed

• fix: prevent reuse mutated route option for head by @​climba03003 in #​4273
• docs(ecosystem): add fastify-sqlite by @​Eomm in #​4274
• Add RavenDB to community plugins by @​drakhart in #​4277
• ci: reduce ci test when linting fails by @​Eomm in #​4280
• chore: update dependencies by @​anonrig in #​4284
• Check if route exist before checking Content-Type of body by @​mage1k99 in #​4286
• Replace parseInt with Number at get 6% boost by @​anonrig in #​4289
• fix: type of validation function by @​budarin in #​4283
• GitHub Workflows security hardening by @​sashashura in #​4290
• docs: onRoute hooks in plugins by @​philsch in #​4285
• chore: Lint eco system error by @​zrosenbauer in #​4275
• docs(ecosystem): Add @fastify/one-line-logger by @​nooreldeensalah in #​4293
• docs(ecosystem): capitalization fixes by @​Fdawgs in #​4294
• docs(ecosystem): add slow down plugin by @​CristiTeo in #​4292
• fix: custom validator should not mutate headers schema by @​climba03003 in #​4295
• feat: parse request body for http SEARCH requests by @​kalvenschraut in #​4298
• Fix typo in the comment to Context object (lib/context.js) by @​yakovenkodenis in #​4301
• docs(type-providers): replace FastifyLoggerInstance with FastifyBaseLogger by @​samialdury in #​4304
• docs(contributing): clarify teams for joiners by @​Eomm in #​4303
• test: add number coersion related tests by @​anonrig in #​4297
• feat: add routeSchema and routeConfig + switching context handling by @​metcoder95 in #​4216
• docs(ecosystem): add fastify-s3-buckets by @​kibertoad in #​4311
• fix: Fix typo in docs/Reference/Type-Providers.md by @​SnowSuno in #​4312
• build(deps): bump tiny-lru from 8.0.2 to 9.0.2 by @​dependabot in #​4305

New Contributors

• @​mage1k99 made their first contribution in #​4286
• @​budarin made their first contribution in #​4283
• @​sashashura made their first contribution in #​4290
• @​philsch made their first contribution in #​4285
• @​zrosenbauer made their first contribution in #​4275
• @​CristiTeo made their first contribution in #​4292
• @​kalvenschraut made their first contribution in #​4298
• @​yakovenkodenis made their first contribution in #​4301
• @​samialdury made their first contribution in #​4304
• @​SnowSuno made their first contribution in #​4312

Full Changelog: fastify/fastify@v4.6.0...v4.7.0

v4.6.0

Compare Source

What's Changed

• chore: replace deprecated FastifyLoggerInstance occurences in typings with FastifyBaseLogger by @​Uzlopak in #​4224
• fix(types): allow fastify.https to be null by @​SuperchupuDev in #​4226
• chore: fix typo in docs for typescript chapter by @​soomtong in #​4227
• build(deps-dev): bump tsd from 0.22.0 to 0.23.0 by @​dependabot in #​4231
• chore: update dependabot link by @​leandroandrade in #​4232
• docs: improved migration guide for onRoute by @​ShogunPanda in #​4233
• docs: clarify setDefaultRoute scope by @​jacobpgn in #​4236
• docs(ecosystem): add fastify-aws-timestream and fastify-aws-sns by @​gzileni in #​4230
• docs(guides/migration-guide-v4): update content by @​Fdawgs in #​4242
• Improve doc about configuring pino-pretty with TypeScript by @​giacomorebonato in #​4243
• build(deps): bump jsumners/lock-threads from b27edac to 3 by @​dependabot in #​4244
• Revert "build(deps): bump jsumners/lock-threads from b27edac to 3" by @​climba03003 in #​4245
• docs: Remove Ajv configuration from TypeBox Type Provider examples by @​msmolens in #​4249
• fix: visit schemas with custom prototype by @​Eomm in #​4248
• feat: add hasRoute by @​Uzlopak in #​4238
• Docs: Fixing #schema-validator url at ./Reference/Server/#ajv by @​wilbert-abreu in #​4253
• chore(doc): fix format by @​Eomm in #​4255
• chore: export RouteGenericInterface by @​ChrisCrewdson in #​4234
• chore: improve Ecosystem.md linter to check for improper module name patterns by @​nooreldeensalah in #​4257
• test: remove assert to invalid HTTP version by @​RafaelGSS in #​4260
• chore: improve Ecosystem.md linter to lint all sections by @​nooreldeensalah in #​4258
• Fixing #​4259 - Updating typescript example according to the validation changes by @​iifawzi in #​4261
• docs: add pubsub-http-handler by @​cobraz in #​4263
• Variadic listen signature allows string port by @​marco-ippolito in #​4269
• doc: Remove Ajv configuration for TypeBox in TS examples by @​pmbanugo in #​4268
• docs(ecosystem): add 2 new fastify v3.x+ plugins by @​WNemencha in #​4270
• docs(typescript): fix #​4241 by @​mortifia in #​4247

New Contributors

• @​SuperchupuDev made their first contribution in #​4226
• @​soomtong made their first contribution in #​4227
• @​leandroandrade made their first contribution in #​4232
• @​jacobpgn made their first contribution in #​4236
• @​giacomorebonato made their first contribution in #​4243
• @​msmolens made their first contribution in #​4249
• @​wilbert-abreu made their first contribution in #​4253
• @​ChrisCrewdson made their first contribution in #​4234
• @​iifawzi made their first contribution in #​4261
• @​cobraz made their first contribution in #​4263
• @​marco-ippolito made their first contribution in #​4269
• @​pmbanugo made their first contribution in #​4268
• @​WNemencha made their first contribution in #​4270
• @​mortifia made their first contribution in #​4247

Full Changelog: fastify/fastify@v4.5.3...v4.6.0

v4.5.3

Compare Source

What's Changed

• ecosystem.md: move fastify-secure-session and fastify-soap-client to core plugins by @​Uzlopak in #​4212
• fix: inject hangs with undefined promise resolve by @​simoneb in #​4211
• use hasOwnProperty from Object.prototype by @​Uzlopak in #​4214
• chore: fastify branch list by @​Eomm in #​4218
• chore: add support for TypeScript 4.8 by @​SimenB in #​4222

Full Changelog: fastify/fastify@v4.5.2...v4.5.3

v4.5.2

Compare Source

What's Changed

• Fix 4204 by @​mcollina in #​4205

Full Changelog: fastify/fastify@v4.5.1...v4.5.2

v4.5.1

Compare Source

What's Changed

• make sure preSerialization hooks are null by default by @​mcollina in #​4203

Full Changelog: fastify/fastify@v4.5.0...v4.5.1

v4.5.0

Compare Source

What's Changed

• Add fastify-osm by @​gzileni in #​4185
• docs(reference/routes): fix onSend example by @​Fdawgs in #​4188
• chore: clean dev-dependancies by @​Eomm in #​4189
• Forward upgrade from secondary server to primary by @​mcollina in #​4190
• add unit test for ajv-formats by @​Uzlopak in #​4187
• add option to disable/ignore request-id header by @​philippviereck in #​4193
• doc: add fastify.display-name symbol by @​Eomm in #​4191
• docs(validation-and-serialization): Fix example on query string coercion by @​galiarmero in #​4198
• Add fastify-https-always to Ecosystem doc. by @​mattbishop in #​4201

New Contributors

• @​gzileni made their first contribution in #​4185
• @​philippviereck made their first contribution in #​4193
• @​galiarmero made their first contribution in #​4198

Full Changelog: fastify/fastify@v4.4.0...v4.5.0

v4.4.0

Compare Source

What's Changed

• fix(types): bad naming of validateInput by @​metcoder95 in #​4151
• feat: add webdav http methods by @​hungtcs in #​3836
• fix(types): reply.getHeader can return numbers and arrays by @​seanparmelee in #​4154
• feat(logger): use pino.BaseLogger as main interface for fastify logger by @​sgrigorev in #​4150
• docs(ecosystem): Add fastify-bugsnag as community plugin by @​ZigaStrgar in #​4155
• fix typo in docs/reference/Server.md by @​developerHet in #​4163
• Make ResolveFastifyReplyType union-aware by @​cm-ayf in #​4164
• docs: update code snippet for accurate use by @​lirantal in #​4167
• build(deps): bump lycheeverse/lychee-action from 1.5.0 to 1.5.1 by @​dependabot in #​4169
• build(deps-dev): bump markdownlint-cli2 from 0.4.0 to 0.5.0 by @​dependabot in #​4170
• types: adjust and add testing by @​metcoder95 in #​4158
• docs(ecosystem): add fastify-lyra by @​mateonunez in #​4176
• Add links to type providers by @​kibertoad in #​4177
• docs(ecosystem): add fastify-keycloak-adapter by @​yubinTW in #​4180
• Docs: onResponse hook error logging by @​avanelli in #​4178

New Contributors

• @​hungtcs made their first contribution in #​3836
• @​seanparmelee made their first contribution in #​4154
• @​sgrigorev made their first contribution in #​4150
• @​ZigaStrgar made their first contribution in #​4155
• @​developerHet made their first contribution in #​4163
• @​cm-ayf made their first contribution in #​4164
• @​lirantal made their first contribution in #​4167
• @​mateonunez made their first contribution in #​4176
• @​yubinTW made their first contribution in #​4180
• @​avanelli made their first contribution in #​4178

Full Changelog: fastify/fastify@v4.3.0...v4.4.0

v4.3.0

Compare Source

What's Changed

• dont cache unnecessary content types by @​Uzlopak in #​4134
• fix: default clientError replies on reused connection (#​4101) by @​katreniak in #​4133
• docs(ecosystem): add electron-server by @​anonrig in #​4136
• feat: expose validate/serialize functions through Request and Reply by @​metcoder95 in #​3970
• types: re-export FastifyListenOptions in top-level types by @​kyranet in #​4135
• docs: remove http2 experimental status (#​4142) by @​SebastianZimmer in #​4144
• refactor: rename request.validate to request.validateInput by @​metcoder95 in #​4139
• Fix #​4120: Defer resolution of FastifyRequestType until FastifyRequest by @​sinclairzx81 in #​4123

New Contributors

• @​katreniak made their first contribution in #​4133
• @​SebastianZimmer made their first contribution in #​4144

Full Changelog: fastify/fastify@v4.2.1...v4.3.0

v4.2.1

Compare Source

What's Changed

• Update Migration-Guide-V4.md by @​denes-fekeshazy in #​4091
• ci: reference actions using tags by @​Fdawgs in #​4086
• Remove redundant docs on TypeBox properties by @​simonplend in #​4095
• Add typeorm-fastify-plugin in Alphabetic order by @​jclemens24 in #​4096
• Add ecosystem linting by @​jsumners in #​4097
• fix: FastifySchemaValidationError type insufficient by @​BlackHole1 in #​4094
• build(deps): bump actions/dependency-review-action from 1 to 2 by @​dependabot in #​4102
• refactor: update Reply module by @​denshakhov in #​4072
• fix: Add types to server properties by @​TommyDew42 in #​4100
• docs(TypeScript): Fix a few typos by @​Eldemarkki in #​4106
• fix: no store compiled schema ids by @​Eomm in #​4109
• build(deps-dev): bump @​sinclair/typebox from 0.23.5 to 0.24.9 by @​dependabot in #​4113
• build(deps-dev): bump tsd from 0.21.0 to 0.22.0 by @​dependabot in #​4114
• docs: fix links on README by @​gerardmarquinarubio in #​4116
• docs(Guides/Plugins-Guide.md) : add reminder by @​mrdcvlsc in #​4117
• docs(ecosystem): add simple-tjscli (#​4112) by @​imjuni in #​4118
• refactor(types): deduplicate listen options and export it by @​kyranet in #​4013
• sample usage code fixed by @​indatawetrust in #​4128
• Update TypeScript.md by @​mikicho in #​4126
• run error serializer check only before release by @​mcollina in #​4130
• build(deps-dev): bump fastify-plugin from 3.0.1 to 4.0.0 by @​dependabot in #​4131
• Update README.md by @​davidekete in #​4132

New Contributors

• @​denes-fekeshazy made their first contribution in #​4091
• @​jclemens24 made their first contribution in #​4096
• @​BlackHole1 made their first contribution in #​4094
• @​denshakhov made their first contribution in #​4072
• @​TommyDew42 made their first contribution in #​4100
• @​Eldemarkki made their first contribution in #​4106
• @​gerardmarquinarubio made their first contribution in #​4116
• @​mrdcvlsc made their first contribution in #​4117
• @​kyranet made their first contribution in #​4013
• @​indatawetrust made their first contribution in #​4128
• @​mikicho made their first contribution in #​4126
• @​davidekete made their first contribution in #​4132

Full Changelog: fastify/fastify@v4.2.0...v4.2.1

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.