Update dependency fastify to v4.10.2 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
fastify (source)	4.7.0 -> 4.10.2

GitHub Vulnerability Alerts

CVE-2022-39288

Impact

An attacker can send an invalid Content-Type header that can cause the application to crash, leading to a possible Denial of Service attack. Only the v4.x line is affected.

(This was updated: upon a close inspection, v3.x is not affected after all).

Patches

Yes, update to > v4.8.0.

Workarounds

You can reject the malicious content types before the body parser enters in action.

  const badNames = Object.getOwnPropertyNames({}.__proto__)
  fastify.addHook('onRequest', async (req, reply) => {
    for (const badName of badNames) {
      if (req.headers['content-type'].indexOf(badName) > -1) {
        reply.code(415)
        throw new Error('Content type not supported')
      }
    }
  })

References

See the HackerOne report #​1715536

For more information

Fastify security policy

CVE-2022-41919

Impact

The attacker can use the incorrect Content-Type to bypass the Pre-Flight checking of fetch. fetch() requests with Content-Type’s essence as "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain", could potentially be used to invoke routes that only accepts application/json content type, thus bypassing any CORS protection, and therefore they could lead to a Cross-Site Request Forgery attack.

Patches

For 4.x users, please update to at least 4.10.2.
For 3.x users, please update to at least 3.29.4.

Workarounds

Implement Cross-Site Request Forgery protection using @fastify/csrf.

References

Check out the HackerOne report: https://hackerone.com/reports/1763832.

For more information

Fastify security policy

---

Release Notes

fastify/fastify

v4.10.2

Compare Source

⚠️ Security Release ⚠️

• Fix for "Incorrect Content-Type parsing can lead to CSRF attack"
  and CVE-2022-41919

Full Changelog: fastify/fastify@v4.10.1...v4.10.2

v4.10.1

Compare Source

What's Changed

• fix node 19.1.0 port validation test by @​Uzlopak in https://github.com/fastify/fastify/pull/4427
• Add fastify-constraints to community plugins by @​Ceres6 in https://github.com/fastify/fastify/pull/4428
• build(deps-dev): bump @​sinonjs/fake-timers from 9.1.2 to 10.0.0 by @​dependabot in https://github.com/fastify/fastify/pull/4421
• add silent option to LogLevel by @​Uzlopak in https://github.com/fastify/fastify/pull/4432

New Contributors

• @​Ceres6 made their first contribution in https://github.com/fastify/fastify/pull/4428

Full Changelog: fastify/fastify@v4.10.0...v4.10.1

v4.10.0

Compare Source

What's Changed

• docs(reference/reply): spelling fixes by @​Fdawgs in https://github.com/fastify/fastify/pull/4358
• Support different content-type typed reply with TypeProvider by @​rain714 in https://github.com/fastify/fastify/pull/4360
• chore: remove leading empty lines by @​LinusU in https://github.com/fastify/fastify/pull/4364
• fix types after pino 8.7.0 change by @​mcollina in https://github.com/fastify/fastify/pull/4365
• Node.js V19 support by @​mcollina in https://github.com/fastify/fastify/pull/4366
• fix: no check on null or undefined values passed as fn by @​metcoder95 in https://github.com/fastify/fastify/pull/4367
• docs(server): config is lost when reply.call not found() is called by @​cesarvspr in https://github.com/fastify/fastify/pull/4368
• Fix typo - 'sever' to 'server' by @​utsav91 in https://github.com/fastify/fastify/pull/4372
• Add platformatic to the Acknowledgements by @​mcollina in https://github.com/fastify/fastify/pull/4378
• docs: add Simone Busoli to plugin maintainers by @​simoneb in https://github.com/fastify/fastify/pull/4379
• add missing 'validationContext' field to FastifyError type by @​jakubburzynski in https://github.com/fastify/fastify/pull/4363
• fix(type-providers): assignability of instance with enabled type provider by @​driimus in https://github.com/fastify/fastify/pull/4371
• feat: support async trailer by @​climba03003 in https://github.com/fastify/fastify/pull/4380
• fix: trailers async race condition by @​climba03003 in https://github.com/fastify/fastify/pull/4383
• docs(ecosystem): Add fastify-list-routes by @​chuongtrh in https://github.com/fastify/fastify/pull/4385
• build(deps-dev): bump @​sinclair/typebox from 0.24.51 to 0.25.2 by @​dependabot in https://github.com/fastify/fastify/pull/4388
• [ Fix ] Improve error message for hooks check by @​debadutta98 in https://github.com/fastify/fastify/pull/4387
• fix: tiny-lru usage by @​climba03003 in https://github.com/fastify/fastify/pull/4391
• Removes old note about named imports in ESM by @​fox1t in https://github.com/fastify/fastify/pull/4392
• docs: Add section about capacity planning by @​kibertoad in https://github.com/fastify/fastify/pull/4386
• docs(recommendations): grammar fixes by @​Fdawgs in https://github.com/fastify/fastify/pull/4396
• chore(doc): duplicated menu item by @​Eomm in https://github.com/fastify/fastify/pull/4398
• feat: add request.routeOptions object by @​debadutta98 in https://github.com/fastify/fastify/pull/4397
• docs: Document multiple app approach by @​kibertoad in https://github.com/fastify/fastify/pull/4393
• fix example using db decorator on fastify instance by @​mmarti in https://github.com/fastify/fastify/pull/4406
• docs: fix removeAdditional refer by @​shunyue1320 in https://github.com/fastify/fastify/pull/4410

New Contributors

• @​rain714 made their first contribution in https://github.com/fastify/fastify/pull/4360
• @​LinusU made their first contribution in https://github.com/fastify/fastify/pull/4364
• @​cesarvspr made their first contribution in https://github.com/fastify/fastify/pull/4368
• @​utsav91 made their first contribution in https://github.com/fastify/fastify/pull/4372
• @​jakubburzynski made their first contribution in https://github.com/fastify/fastify/pull/4363
• @​driimus made their first contribution in https://github.com/fastify/fastify/pull/4371
• @​chuongtrh made their first contribution in https://github.com/fastify/fastify/pull/4385
• @​debadutta98 made their first contribution in https://github.com/fastify/fastify/pull/4387
• @​mmarti made their first contribution in https://github.com/fastify/fastify/pull/4406
• @​shunyue1320 made their first contribution in https://github.com/fastify/fastify/pull/4410

Full Changelog: fastify/fastify@v4.9.2...v4.10.0

v4.9.2

Compare Source

What's Changed

• types: Add missing context types by @​kibertoad in https://github.com/fastify/fastify/pull/4352
• Revert "fix(logger): lost setBindings type in FastifyBaseLogger" by @​climba03003 in https://github.com/fastify/fastify/pull/4355

Full Changelog: fastify/fastify@v4.9.1...v4.9.2

v4.9.1

Compare Source

What's Changed

• docs(reply): specify streams content-type by @​D10f in https://github.com/fastify/fastify/pull/4337
• fix(logger): lost setBindings type in FastifyBaseLogger by @​BlackHole1 in https://github.com/fastify/fastify/pull/4346
• docs(reference): grammar and structure fixes by @​Fdawgs in https://github.com/fastify/fastify/pull/4348
• docs: example how decorators dependencies works by @​leandroandrade in https://github.com/fastify/fastify/pull/4343
• Undefined is a valid value for if set as a single hook by @​mcollina in https://github.com/fastify/fastify/pull/4351

New Contributors

• @​D10f made their first contribution in https://github.com/fastify/fastify/pull/4337

Full Changelog: fastify/fastify@v4.9.0...v4.9.1

v4.9.0

Compare Source

What's Changed

• fix: error handler content-type guessing by @​climba03003 in https://github.com/fastify/fastify/pull/4329
• build(deps-dev): bump fluent-json-schema from 3.1.0 to 4.0.0 by @​dependabot in https://github.com/fastify/fastify/pull/4331
• feat: Supporting different content-type responses by @​iifawzi in https://github.com/fastify/fastify/pull/4264
• fix: should now call default schema compilers by @​Eomm in https://github.com/fastify/fastify/pull/4340
• docs(ecosystem): replace heply -> beliven due to rebranding by @​zuck in https://github.com/fastify/fastify/pull/4334
• docs(ecosystem): add @​fastify-userland plugins and tools by @​BlackHole1 in https://github.com/fastify/fastify/pull/4345
• Validate and throws a custom error when attempting to register invalid hook functions by @​jhhom in https://github.com/fastify/fastify/pull/4332

New Contributors

• @​jhhom made their first contribution in https://github.com/fastify/fastify/pull/4332

Full Changelog: fastify/fastify@v4.8.1...v4.9.0

v4.8.1

Compare Source

⚠️ Security Release ⚠️

This release fixes GHSA-455w-c45v-86rg for the v4.x line.
This is a HIGH vulnerability that can lead to a crash, resulting in a total loss of availability.
The CVE for this vulnerability is CVE-2022-39288.

Full Changelog: fastify/fastify@v4.8.0...v4.8.1

v4.8.0

Compare Source

What's Changed

• Correct github url for fastify-qs package by @​VanoDevium in https://github.com/fastify/fastify/pull/4321
• docs: add test examples with undici and fetch by @​CristiTeo in https://github.com/fastify/fastify/pull/4300
• update onRoute hook docs by @​matthyk in https://github.com/fastify/fastify/pull/4322
• Export error codes by @​fitiskin in https://github.com/fastify/fastify/pull/4266
• feat: support async constraint by @​climba03003 in https://github.com/fastify/fastify/pull/4323

New Contributors

• @​fitiskin made their first contribution in https://github.com/fastify/fastify/pull/4266

Full Changelog: fastify/fastify@v4.7.0...v4.8.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.