fastify-jwt

There is currently no version of fastify/jwt 8.x without vulns. Let me help fix it!

Open JohnAllenTech opened this issue 6 months ago • 2 comments

Prerequisites

  • [x] I have written a descriptive issue title
  • [x] I have searched existing issues to ensure the issue has not already been raised

Issue

Hi 👋,

I am currently using @fastify/[email protected] alongside Fastify v4 in our production services. A medium-severity vulnerability was reported by Snyk in a transitive dependency — fast-jwt — which affects our setup. The vulnerability is resolved in [email protected].

Unfortunately, @fastify/[email protected] uses an older version of fast-jwt, and upgrading to @fastify/[email protected] is not an immediate option right now, as it requires Fastify v5, which is ESM-only and introduces additional migration complexity.

Request: Would you be open to releasing a patch version of @fastify/[email protected] that bumps the fast-jwt dependency to a version ≥5.0.6 (if it's backward compatible)? I’d be happy to submit a PR and test the update if needed.

Here's a link to the underlying vuln:

https://nvd.nist.gov/vuln/detail/CVE-2025-30144
https://github.com/advisories/GHSA-gm45-q3v2-6cf8

Thanks for maintaining such a great project! 🙏

JohnAllenTech avatar May 27 '25 16:05 JohnAllenTech

Fastify v5 is not ESM only.

jsumners avatar May 27 '25 19:05 jsumners

v5 of fast-jwt drops support for Node v18, but version 8.x of this module continues to support Node v18. I'd recommend providing a patch to fast-jwt that fixes their v4 branch.

jsumners avatar May 28 '25 10:05 jsumners
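Added example, not code from this issue or from the fastify/jwt or fast-jwt projects: a consumer-side check for the situation described above. It scans an npm lockfile (lockfileVersion 2/3 "packages" map) for every installed copy of fast-jwt, flags copies below the fixed version 5.0.6 named in the issue, and builds the package.json "overrides" entry (npm ≥ 8.3; yarn uses "resolutions") that forces the fixed range without waiting for a plugin release. The lockfile fragment, the fastify/@fastify/jwt/fast-jwt 4.x version numbers in it, and the function names are constructed for the demo.

```javascript
// Added example (not from the fastify/jwt issue or either project): find every
// installed copy of a transitive dependency in an npm lockfile, report those
// below a minimum fixed version, and build a package.json "overrides" entry.
// All lockfile content and version numbers below are constructed for the demo.

// Compare two dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk the "packages" map (keys such as
// "node_modules/@fastify/jwt/node_modules/fast-jwt") and return every installed
// copy of `name`: hoisted copies and nested copies alike, each with its path,
// version and whether it is below `minFixedVersion`.
function findDependencyCopies(lockfile, name, minFixedVersion) {
  const copies = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === "") continue; // "" is the root project itself
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      copies.push({
        path,
        version: entry.version,
        vulnerable: compareVersions(entry.version, minFixedVersion) < 0,
      });
    }
  }
  return copies;
}

// Return a copy of package.json with an npm "overrides" entry forcing `range`
// for `name`, keeping any overrides already present. Does not mutate the input.
function withOverride(pkg, name, range) {
  return { ...pkg, overrides: { ...(pkg.overrides || {}), [name]: range } };
}

// Constructed lockfile fragment: a Fastify v4 app whose @fastify/jwt 8.x pulls
// in a nested fast-jwt 4.x copy, while an unrelated fast-jwt 5.0.6 is hoisted
// to the root. Version numbers other than fast-jwt 5.0.6 are made up.
const sampleLockfile = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/fastify": { version: "4.0.0" },
    "node_modules/@fastify/jwt": { version: "8.0.0", dependencies: { "fast-jwt": "^4.0.0" } },
    "node_modules/@fastify/jwt/node_modules/fast-jwt": { version: "4.0.5" },
    "node_modules/fast-jwt": { version: "5.0.6" },
  },
};

// Constructed package.json for the same app.
const samplePackageJson = {
  name: "example-app",
  version: "1.0.0",
  dependencies: { fastify: "^4.0.0", "@fastify/jwt": "^8.0.0" },
};

function main() {
  const copies = findDependencyCopies(sampleLockfile, "fast-jwt", "5.0.6");
  for (const c of copies) {
    console.log(`${c.path}@${c.version} ${c.vulnerable ? "BELOW FIX" : "ok"}`);
  }
  // A hoisted fixed copy does not help if a nested vulnerable copy remains;
  // the override forces the fixed range on every copy.
  if (copies.some((c) => c.vulnerable)) {
    console.log(JSON.stringify(withOverride(samplePackageJson, "fast-jwt", "^5.0.6"), null, 2));
  }
}

main();
```

In a real project the same information comes from `npm ls fast-jwt` and `npm audit`, and the override is applied by adding the printed "overrides" block to package.json and re-running `npm install`. The override pushes fast-jwt outside the range @fastify/jwt 8.x declares, so it needs your own test run, and, as jsumners notes above, fast-jwt v5 drops Node 18, so it is not an option for Node 18 deployments.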

Closing as we no longer support Fastify v4 or plugin versions for v4 as per the LTS strategy.

Fdawgs avatar Aug 14 '25 17:08 Fdawgs

> Fastify v5 is not ESM only.

How am I only seeing this now! Let me look into this, thanks so much!

JohnAllenTech avatar Aug 14 '25 18:08 JohnAllenTech