graphql-fastify-server
fix(deps): update dependency fastify to v5.3.2 [security]
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| fastify (source) | 5.1.0 -> 5.3.2 | | | | |
GitHub Vulnerability Alerts
CVE-2025-32442
Impact
In applications that specify different validation strategies for different content types, the validation can be bypassed by sending a slightly altered Content-Type header, for example with different casing or altered whitespace before the `;` that separates the media type from its parameters.
Users using the following pattern are affected:
```js
const fastify = require('fastify')()

// Affected: a per-content-type validation schema. Before v5.3.2 the
// content-type lookup could be bypassed with an altered header value.
fastify.post('/', {
  handler (request, reply) {
    reply.code(200).send(request.body)
  },
  schema: {
    body: {
      content: {
        'application/json': {
          schema: {
            type: 'object',
            properties: {
              foo: {
                type: 'string'
              }
            },
            required: ['foo']
          }
        }
      }
    }
  }
})
```
Users using the following pattern are not affected:
```js
const fastify = require('fastify')()

// Not affected: a single body schema that applies regardless of content type.
fastify.post('/', {
  handler (request, reply) {
    reply.code(200).send(request.body)
  },
  schema: {
    body: {
      type: 'object',
      properties: {
        foo: {
          type: 'string'
        }
      },
      required: ['foo']
    }
  }
})
```
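The bypass class described under Impact, as an added example that is not fastify's own code: an exact-match lookup on the raw Content-Type header (the naive function, which models only the effect the advisory describes, not fastify's internals) next to a hardened lookup that normalizes the media type before selecting a schema. The schema map, the minimal validator and the probe headers are constructed for this example; the space-as-delimiter rule mirrors the v5.3.2 follow-up fix, and failing closed for an unregistered media type is a design choice of this example.

```javascript
'use strict'

// Added example, not fastify's own code: models the CVE-2025-32442 bypass
// class (exact-match lookup on the raw Content-Type header) next to a
// hardened lookup that normalizes the media type before selecting a schema.

// Constructed per-content-type schemas, keyed like the affected route's
// `body.content` map.
const contentSchemas = {
  'application/json': {
    type: 'object',
    properties: { foo: { type: 'string' } },
    required: ['foo']
  }
}

// Media type = first token before ';' or whitespace, leading whitespace
// dropped, lowercased. Media types are case-insensitive and parameters follow
// a ';' (RFC 9110); treating a space as a delimiter mirrors the 5.3.2 follow-up.
function normalizeMediaType (contentType) {
  if (typeof contentType !== 'string') return ''
  const m = /^\s*([^;\s]+)/.exec(contentType)
  return m ? m[1].toLowerCase() : ''
}

// Minimal validator for the constructed schema (no ajv dependency): checks
// object type, required keys and primitive property types only.
function validateAgainst (schema, body) {
  if (schema.type !== 'object') return typeof body === schema.type
  if (body === null || typeof body !== 'object' || Array.isArray(body)) return false
  for (const key of schema.required || []) {
    if (!(key in body)) return false
  }
  for (const [key, sub] of Object.entries(schema.properties || {})) {
    if (key in body && typeof body[key] !== sub.type) return false
  }
  return true
}

// Bypass class from the advisory: look up the raw header verbatim. Any header
// that fails the exact match selects no schema, so the body is accepted
// unchecked. This models the described effect, not fastify's internals.
function acceptNaive (contentType, body) {
  const schema = contentSchemas[contentType]
  return schema ? validateAgainst(schema, body) : true
}

// Hardened: normalize first, and fail closed when no schema is registered for
// the media type instead of skipping validation.
function acceptHardened (contentType, body) {
  const schema = contentSchemas[normalizeMediaType(contentType)]
  return schema ? validateAgainst(schema, body) : false
}

// Constructed probes: a body missing the required `foo`, sent with header
// variants that all denote application/json.
const invalidBody = { bar: 1 }
const probes = [
  'application/json',
  'Application/JSON',
  'application/json ; charset=utf-8',
  'application/json charset=utf-8',
  '  application/json'
]

// Returns the header variants under which `accept` lets the invalid body through.
function bypassedBy (accept) {
  return probes.filter(ct => accept(ct, invalidBody))
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('naive lookup bypassed by:', bypassedBy(acceptNaive))
  console.log('hardened lookup bypassed by:', bypassedBy(acceptHardened))
}
```

To check a running server rather than this model, send the same header variants with a body that violates the schema (for example via `fastify.inject({ method: 'POST', url: '/', headers: { 'content-type': 'Application/JSON' }, payload: { bar: 1 } })`) and expect a 400 validation error rather than a 200 echo of the body; a 200 on any variant means the installed version still has the bypass.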
Patches
An initial fix shipped in v5.3.1 but did not cover all cases; the complete fix is in v5.3.2. On the v4 line, v4.9.0 was also affected and is fully patched in v4.9.1.
Workarounds
Do not specify multiple content types in the schema.
References
https://hackerone.com/reports/3087928
Release Notes
fastify/fastify (fastify)
v5.3.2
⚠️ Security Release ⚠️
Unfortunately, v5.3.1 did not include a complete fix for "Invalid content-type parsing could lead to validation bypass" and CVE-2025-32442. This is a follow-up patch to cover an edge case.
What's Changed
- docs: fix archived concurrently link to point to active repo by @TimTeylor in https://github.com/fastify/fastify/pull/6063
- fix: treat space as a delimiter in content-type parsing by @mcollina in https://github.com/fastify/fastify/pull/6064
New Contributors
- @TimTeylor made their first contribution in https://github.com/fastify/fastify/pull/6063
Full Changelog: https://github.com/fastify/fastify/compare/v5.3.1...v5.3.2
v5.3.1
⚠️ Security Release ⚠️
- Fix for "Invalid content-type parsing could lead to validation bypass" and CVE-2025-32442
What's Changed
- test: migrate logger options to node test runner by @ilteoood in https://github.com/fastify/fastify/pull/6059
- test: migrate logger logging to node test runner by @ilteoood in https://github.com/fastify/fastify/pull/6060
- test: convert custom parser 1 to node test runner by @ilteoood in https://github.com/fastify/fastify/pull/6053
- test: custom querystring parser by @ilteoood in https://github.com/fastify/fastify/pull/6054
- test: migrate stream 4 to node test runner by @ilteoood in https://github.com/fastify/fastify/pull/6062
- test: migrate request logger to node test runner by @ilteoood in https://github.com/fastify/fastify/pull/6058
- test: migrate custom parser 0 to node test runner by @ilteoood in https://github.com/fastify/fastify/pull/6052
- test: migrate logger instantiation to node test runner by @ilteoood in https://github.com/fastify/fastify/pull/6061
New Contributors
- @ilteoood made their first contribution in https://github.com/fastify/fastify/pull/6059
Full Changelog: https://github.com/fastify/fastify/compare/v5.3.0...v5.3.1
v5.3.0
What's Changed
- fix: wrong reply return type by @dangkyokhoang in https://github.com/fastify/fastify/pull/6026
- feat: allow to access decorators by @jean-michelet in https://github.com/fastify/fastify/pull/5768
- ci: continue-on-error on alternative runtime by @Eomm in https://github.com/fastify/fastify/pull/6031
- fix: clear `[kState].readyPromise` for garbage collection by @LiviaMedeiros in https://github.com/fastify/fastify/pull/6030
- ci: set workflow permissions to read-only by default by @Fdawgs in https://github.com/fastify/fastify/pull/6035
- chore: Bump the dependencies-major group with 2 updates by @dependabot in https://github.com/fastify/fastify/pull/6036
- chore: Bump lycheeverse/lychee-action from 2.3.0 to 2.4.0 by @dependabot in https://github.com/fastify/fastify/pull/6037
- chore: remove sponsort by @Eomm in https://github.com/fastify/fastify/pull/6040
- test: fix skip in upgrade test by @LiviaMedeiros in https://github.com/fastify/fastify/pull/6044
- chore: migrate custom-parser.4.test.js to node:test by @Matthew-Mallimo in https://github.com/fastify/fastify/pull/6042
- docs: add fastify-lm to Ecosystem.md by @galiprandi in https://github.com/fastify/fastify/pull/6032
- test: skip IPv6 tests if its support is not present by @LiviaMedeiros in https://github.com/fastify/fastify/pull/6048
New Contributors
- @dangkyokhoang made their first contribution in https://github.com/fastify/fastify/pull/6026
- @Matthew-Mallimo made their first contribution in https://github.com/fastify/fastify/pull/6042
- @galiprandi made their first contribution in https://github.com/fastify/fastify/pull/6032
Full Changelog: https://github.com/fastify/fastify/compare/v5.2.2...v5.3.0
v5.2.2
What's Changed
- build: use static path instead of __filename by @climba03003 in https://github.com/fastify/fastify/pull/5922
- fix(linting): fix linting error in error-handler.js by @Uzlopak in https://github.com/fastify/fastify/pull/5926
- chore: Bump the dev-dependencies group across 1 directory with 6 updates by @dependabot in https://github.com/fastify/fastify/pull/5930
- fix: don't check for payload type in default json parser by @gurgunday in https://github.com/fastify/fastify/pull/5933
- docs: Include req.hostname change in upgrade guide by @tmcw in https://github.com/fastify/fastify/pull/5935
- build(dependabot): regroup dev dependencies by @Fdawgs in https://github.com/fastify/fastify/pull/5931
- chore: Bump borp from 0.18.0 to 0.19.0 by @dependabot in https://github.com/fastify/fastify/pull/5936
- chore: don't return the `done` function by @gurgunday in https://github.com/fastify/fastify/pull/5937
- ci(workflows): unpin node 22 version by @Fdawgs in https://github.com/fastify/fastify/pull/5941
- perf: don't use optional chaining for typeof .then checks by @gurgunday in https://github.com/fastify/fastify/pull/5942
- docs: the no floating promise guide is not needed anymore by @mcollina in https://github.com/fastify/fastify/pull/5946
- docs: grammar and spelling fixes by @Fdawgs in https://github.com/fastify/fastify/pull/5944
- perf(lib/pluginutils): cache rc version regex by @Fdawgs in https://github.com/fastify/fastify/pull/5940
- build(dependabot): reduce npm updates to monthly by @Fdawgs in https://github.com/fastify/fastify/pull/5939
- docs(guides): grammar and spelling fixes by @Fdawgs in https://github.com/fastify/fastify/pull/5947
- test: migrated genReqId.test.js from tap to node:test by @Tony133 in https://github.com/fastify/fastify/pull/5943
- chore: Bump lycheeverse/lychee-action from 2.1.0 to 2.2.0 by @dependabot in https://github.com/fastify/fastify/pull/5948
- docs(reference/contenttypeparser): make more concise by @Fdawgs in https://github.com/fastify/fastify/pull/5950
- docs(getting-started): clarify fastify-cli is separate by @Fdawgs in https://github.com/fastify/fastify/pull/5949
- docs(validation-and-serialization): fix typo by @matthyk in https://github.com/fastify/fastify/pull/5952
- test: migrated route-shorthand.test.js from tap to node:test by @Tony133 in https://github.com/fastify/fastify/pull/5923
- test: migrated register.test.js from tap to node:test by @Tony133 in https://github.com/fastify/fastify/pull/5918
- Update broken link to N|Solid by @xuhdev in https://github.com/fastify/fastify/pull/5954
- docs(reference): even more conciseness by @Fdawgs in https://github.com/fastify/fastify/pull/5951
- test: migrate from tap to node test for close & custom-parser-async by @coluzziandrea in https://github.com/fastify/fastify/pull/5915
- docs(reference/type-providers): conciseness improvements by @Fdawgs in https://github.com/fastify/fastify/pull/5962
- docs(reference/errors): conciseness improvements by @Fdawgs in https://github.com/fastify/fastify/pull/5963
- docs(reference/logging): conciseness improvements by @Fdawgs in https://github.com/fastify/fastify/pull/5958
- docs(reference/request): conciseness improvements by @Fdawgs in https://github.com/fastify/fastify/pull/5965
- docs(ecosystem): add `@fastify/otel` to core list by @Fdawgs in https://github.com/fastify/fastify/pull/5967
- docs(reference/validation): conciseness improvements by @Fdawgs in https://github.com/fastify/fastify/pull/5964
- docs(reference/plugins): conciseness improvements by @Fdawgs in https://github.com/fastify/fastify/pull/5956
- docs(reference/decorators): conciseness improvements by @Fdawgs in https://github.com/fastify/fastify/pull/5966
- chore(sponsor): Add Lokalise sponsorship reference by @kibertoad in https://github.com/fastify/fastify/pull/5968
- test: migrated listen.2.test.js from tap to node:test by @Tony133 in https://github.com/fastify/fastify/pull/5960
- docs(ecosystem): add fastify-enforce-routes-pattern by @Jerome1337 in https://github.com/fastify/fastify/pull/5961
- chore(sponsor): add Jspreadsheet by @Eomm in https://github.com/fastify/fastify/pull/5971
- docs(reference/routes): conciseness improvements by @Fdawgs in https://github.com/fastify/fastify/pull/5969
- fix(types): missing supportedMethods by @johaven in https://github.com/fastify/fastify/pull/5970
- chore: Bump the dev-dependencies-eslint group with 2 updates by @dependabot in https://github.com/fastify/fastify/pull/5975
- ci: remove master branch support by @Fdawgs in https://github.com/fastify/fastify/pull/5974
- docs(reference): mimic github notes and warning style by @Fdawgs in https://github.com/fastify/fastify/pull/5973
- docs: Drop platformatic cloud reference in serverless.md by @mcollina in https://github.com/fastify/fastify/pull/5982
- docs: add a Genezio step by step guide by @cristim67 in https://github.com/fastify/fastify/pull/5980
- docs(lts): fix anchor tag format by @kadoshita in https://github.com/fastify/fastify/pull/5986
- docs: Update documentation for listening to `0.0.0.0` by @jonasongg in https://github.com/fastify/fastify/pull/5988
- docs(serverless): cut down genezio example by @Fdawgs in https://github.com/fastify/fastify/pull/5990
- docs: add link to official demo by @jean-michelet in https://github.com/fastify/fastify/pull/5994
- chore(license): update licensing year by @Tony133 in https://github.com/fastify/fastify/pull/5992
- docs: wrong query string parser information by @smith558 in https://github.com/fastify/fastify/pull/5993
- docs: typo in v5 migration docs by @salmanm in https://github.com/fastify/fastify/pull/5995
- docs: update example to use correct parser by @smith558 in https://github.com/fastify/fastify/pull/5996
- test: migrated request-error.test.js from tap to node:test by @Tony133 in https://github.com/fastify/fastify/pull/5987
- chore: Bump the dev-dependencies-eslint group with 2 updates by @dependabot in https://github.com/fastify/fastify/pull/5999
- chore: Bump lycheeverse/lychee-action from 2.2.0 to 2.3.0 by @dependabot in https://github.com/fastify/fastify/pull/6001
- docs: fix docorators example by @logan272 in https://github.com/fastify/fastify/pull/5997
- chore: fix docs by @Eomm in https://github.com/fastify/fastify/pull/6007
- test: migrated stream.5.test.js from tap to node:test by @Tony133 in https://github.com/fastify/fastify/pull/5955
- build(test/bundler/esbuild): bump esbuild by @Fdawgs in https://github.com/fastify/fastify/pull/6010
- test: migrated throw.test.js from tap to node:test by @Tony133 in https://github.com/fastify/fastify/pull/6002
- docs(guides/ecosystem): update broken link to scalar by @inyourtime in https://github.com/fastify/fastify/pull/6015
- feat: add listen async callback warning by @Eomm in https://github.com/fastify/fastify/pull/6011
- docs(readme): fix broken ci badges by @Fdawgs in https://github.com/fastify/fastify/pull/6016
- docs: remove --node-arg prefix by @piotr-cz in https://github.com/fastify/fastify/pull/6018
- test: migrated listen.1.test.js from tap to node:test by @Tony133 in https://github.com/fastify/fastify/pull/6014
- chore: Bump typescript from 5.7.3 to 5.8.2 in the dev-dependencies-typescript group by @dependabot in https://github.com/fastify/fastify/pull/6000
- test: migrated upgrade.test.js from tap to node:test and update inde… by @Tony133 in https://github.com/fastify/fastify/pull/5917
- test: fix flaky by @Eomm in https://github.com/fastify/fastify/pull/6021
- test: migrated listen.3.test.js from tap to node:test by @Tony133 in https://github.com/fastify/fastify/pull/6022
- test: migrated listen.4.test.js from tap to node:test by @Tony133 in https://github.com/fastify/fastify/pull/6024
- fix: double hook execution by @Eomm in https://github.com/fastify/fastify/pull/6013
- test(content-type-parser): replace tiny-lru proxy with toad-cache by @Fdawgs in https://github.com/fastify/fastify/pull/6025
New Contributors
- @xuhdev made their first contribution in https://github.com/fastify/fastify/pull/5954
- @coluzziandrea made their first contribution in https://github.com/fastify/fastify/pull/5915
- @Jerome1337 made their first contribution in https://github.com/fastify/fastify/pull/5961
- @cristim67 made their first contribution in https://github.com/fastify/fastify/pull/5980
- @jonasongg made their first contribution in https://github.com/fastify/fastify/pull/5988
- @smith558 made their first contribution in https://github.com/fastify/fastify/pull/5993
- @logan272 made their first contribution in https://github.com/fastify/fastify/pull/5997
- @piotr-cz made their first contribution in https://github.com/fastify/fastify/pull/6018
Full Changelog: https://github.com/fastify/fastify/compare/v5.2.1...v5.2.2
v5.2.1
What's Changed
- chore: org members reorder by @Eomm in https://github.com/fastify/fastify/pull/5898
- docs(request): clarify request host functionality by @Fdawgs in https://github.com/fastify/fastify/pull/5904
- chore(package): add fdawgs to contributors array by @Fdawgs in https://github.com/fastify/fastify/pull/5905
- chore: updated test reporter by @jsumners in https://github.com/fastify/fastify/pull/5907
- test: migrated custom-parser.2.test.js from tap to node:test by @Tony133 in https://github.com/fastify/fastify/pull/5902
- test: migrated nullable-validation.test.js from tap to node:test by @Tony133 in https://github.com/fastify/fastify/pull/5880
- test: migrated custom-parser.3.test.js from tap to node:test by @Tony133 in https://github.com/fastify/fastify/pull/5903
- test: migrate delete test from tap to node test runner by @Kalpana98 in https://github.com/fastify/fastify/pull/5906
- docs: add climba03003 to team by @climba03003 in https://github.com/fastify/fastify/pull/5910
- build(deps): replace `proxy-addr` with `@fastify/proxy-addr` by @Fdawgs in https://github.com/fastify/fastify/pull/5913
- fix: ReadableStream.locked crashes application by @climba03003 in https://github.com/fastify/fastify/pull/5920
- docs: fix typo by @FKPSC in https://github.com/fastify/fastify/pull/5921
New Contributors
- @Kalpana98 made their first contribution in https://github.com/fastify/fastify/pull/5906
- @FKPSC made their first contribution in https://github.com/fastify/fastify/pull/5921
Full Changelog: https://github.com/fastify/fastify/compare/v5.2.0...v5.2.1
v5.2.0
What's Changed
- docs: add HeroDevs mentions to README and LTS docs by @AndreAngelantoni in https://github.com/fastify/fastify/pull/5730
- test: migrated reply-early-hints.test.js from tap to node:test by @Tony133 in https://github.com/fastify/fastify/pull/5803
- chore: Bump lycheeverse/lychee-action from 1.10.0 to 2.0.2 by @dependabot in https://github.com/fastify/fastify/pull/5807
- chore: Bump thollander/actions-comment-pull-request from 2 to 3 by @dependabot in https://github.com/fastify/fastify/pull/5806
- test: migrated request-timeout.test.js from tap to node:test by @Tony133 in https://github.com/fastify/fastify/pull/5805
- fix: streamline migrated tests, make migrated the filenames of migrated tests kebab-case by @Uzlopak in https://github.com/fastify/fastify/pull/5800
- ci(benchmark): fix github token input by @Fdawgs in https://github.com/fastify/fastify/pull/5809
- test: migrated reply-code.test.js from tap to node:test by @Tony133 in https://github.com/fastify/fastify/pull/5808
- test: migrated middleware.test.js from tap to node:test by @Tony133 in https://github.com/fastify/fastify/pull/5795
- fix: test asserts to strict asserts by @dancastillo in https://github.com/fastify/fastify/pull/5815
- chore: renamed test files in kebab-case by @Tony133 in https://github.com/fastify/fastify/pull/5814
- style(.gitattributes): standardize style across fastify repos by @Fdawgs in https://github.com/fastify/fastify/pull/5816
- style: remove trailing whitespace by @Fdawgs in https://github.com/fastify/fastify/pull/5817
- test: migrated encapsulated-error-handler.test.js from tap to node:test by @Tony133 in https://github.com/fastify/fastify/pull/5824
- docs: Add `fastify-mongo-sanitize` and `remix-fastify` to comm. by @ExorTek in https://github.com/fastify/fastify/pull/5822
- test: migrated encapsulated-child-logger-factory.test.js from tap to … by @Tony133 in https://github.com/fastify/fastify/pull/5823
- docs: add loggerInstance to Server doc by @llimllib in https://github.com/fastify/fastify/pull/5786
- test: migrated post-empty-body.test.js from tap to node:test by @Tony133 in https://github.com/fastify/fastify/pull/5813
- docs(CONTRIBUTING.md): read the announcements by @Eomm in https://github.com/fastify/fastify/pull/5825
- test: migrated listen.5.test.js from tap to node:test by @Tony133 in https://github.com/fastify/fastify/pull/5827
- test: migrated use-semicolon-delimiter.test.js from tap to node:test by @Tony133 in https://github.com/fastify/fastify/pull/5812
- docs: smaller documentation fixes by @metcoder95 in https://github.com/fastify/fastify/pull/5834
- fix(types): addHttpMethod type signature on fastify instance (#5810) by @kalvenschraut in https://github.com/fastify/fastify/pull/5811
- test: migrated schema-examples.test.js from tap to node:test by @Tony133 in https://github.com/fastify/fastify/pull/5833
- test: Migrate tests to Node test container by @KristianLentino99 in https://github.com/fastify/fastify/pull/5777
- test: migrated max-requests-per-socket.test.js from tap to node:test by @Tony133 in https://github.com/fastify/fastify/pull/5828
- test: migrated proto-poisoning.test.js from tap to node:test by @Tony133 in https://github.com/fastify/fastify/pull/5836
- test: migrated content-type and context-config tests from tap to node:test by @stojkov-z in https://github.com/fastify/fastify/pull/5778
- docs: Added fastify-passkit-webservice to community plugins by @alexandercerutti in https://github.com/fastify/fastify/pull/5819
- test: migrate trust-proxy, type-provider, url-rewriting to node:test by @dancastillo in https://github.com/fastify/fastify/pull/5829
- test: migrated fluent-schema.test.js from tap to node:test by @Tony133 in https://github.com/fastify/fastify/pull/5832
- test: migrated set-error-handler.test.js and header-overflow.test.js from tap to node:test by @Tony133 in https://github.com/fastify/fastify/pull/5835
- chore: Bump secure-json-parse from 2.7.0 to 3.0.1 in the dependencies-major group by @dependabot in https://github.com/fastify/fastify/pull/5845
- test: migrated pretty-print.test.js from tap to node:test by @Tony133 in https://github.com/fastify/fastify/pull/5844
- test: migrated custom-parser.4.test.js and custom-parser.5.test.js fr… by @Tony133 in https://github.com/fastify/fastify/pull/5837
- docs: fix example for supplying own logger instance by @keithito in https://github.com/fastify/fastify/pull/5857
- feat: Add hook name within timeout error message by @kibertoad in https://github.com/fastify/fastify/pull/5851
- docs: make whitespace consistent by @joeytwiddle in https://github.com/fastify/fastify/pull/5863
- test: migrated fastify-instance.test.js from tap to node:test by @Tony133 in https://github.com/fastify/fastify/pull/5859
- test: migrated request-id.test.js from tap to node:test by @Tony133 in https://github.com/fastify/fastify/pull/5858
- test: migrated tests from tap to node test by @Tony133 in https://github.com/fastify/fastify/pull/5839
- test: migrated router-options.test.js from tap to node:test by @Tony133 in https://github.com/fastify/fastify/pull/5840
- test: migrated route.8.test.js from tap to node:test by @Tony133 in https://github.com/fastify/fastify/pull/5864
- chore: Bump lycheeverse/lychee-action from 2.0.2 to 2.1.0 by @dependabot in https://github.com/fastify/fastify/pull/5869
- test: migrated validation-error-handling from tap to node:test by @reidn3r in https://github.com/fastify/fastify/pull/5856
- test: migrated handler-context.test.js from tap to node:test by @Tony133 in https://github.com/fastify/fastify/pull/5868
- test: migrated find-route.test.js from tap to node:test by @Tony133 in https://github.com/fastify/fastify/pull/5867
- chore: sponsor link by @Eomm in https://github.com/fastify/fastify/pull/5871
- docs(readme): point ci badge at main branch by @Fdawgs in https://github.com/fastify/fastify/pull/5873
- test: migrate content-parser test to use node:test by @Rantoledo in https://github.com/fastify/fastify/pull/5847
- docs(readme): revert to standard workflow badge syntax by @Fdawgs in https://github.com/fastify/fastify/pull/5877
- chore: readme lighter install script by @giulianok in https://github.com/fastify/fastify/pull/5872
- docs(CONTRIBUTING.md): added v4 to version branches by @giuliowaitforitdavide in https://github.com/fastify/fastify/pull/5886
- fix(errorHandler.js): linting problems in pipeline by @giuliowaitforitdavide in https://github.com/fastify/fastify/pull/5885
- ci: pin node version 22.11 by @climba03003 in https://github.com/fastify/fastify/pull/5889
- docs(ecosystem): update apitally description by @itssimon in https://github.com/fastify/fastify/pull/5891
- types: remove connection property in FastifyRequest by @giuliowaitforitdavide in https://github.com/fastify/fastify/pull/5884
- fix: crash when host header is missing by various of reason by @climba03003 in https://github.com/fastify/fastify/pull/5892
- chore: fix flaky test by @Eomm in https://github.com/fastify/fastify/pull/5881
- perf: use `node:` prefix to bypass require.cache call for builtins by @Fdawgs in https://github.com/fastify/fastify/pull/5894
- chore: bump dev fastify-plugin by @Eomm in https://github.com/fastify/fastify/pull/5879
- types: use `node:` prefix for builtins by @Fdawgs in https://github.com/fastify/fastify/pull/5896
- test: migrated content-length.test.js from tap to node:test by @Tony133 in https://github.com/fastify/fastify/pull/5878
New Contributors
- @AndreAngelantoni made their first contribution in https://github.com/fastify/fastify/pull/5730
- @ExorTek made their first contribution in https://github.com/fastify/fastify/pull/5822
- @llimllib made their first contribution in https://github.com/fastify/fastify/pull/5786
- @KristianLentino99 made their first contribution in https://github.com/fastify/fastify/pull/5777
- @stojkov-z made their first contribution in https://github.com/fastify/fastify/pull/5778
- @alexandercerutti made their first contribution in https://github.com/fastify/fastify/pull/5819
- @keithito made their first contribution in https://github.com/fastify/fastify/pull/5857
- @joeytwiddle made their first contribution in https://github.com/fastify/fastify/pull/5863
- @reidn3r made their first contribution in https://github.com/fastify/fastify/pull/5856
- @giulianok made their first contribution in https://github.com/fastify/fastify/pull/5872
Full Changelog: https://github.com/fastify/fastify/compare/v5.1.0...v5.2.0
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR was generated by Mend Renovate. View the repository job log.