fix(deps): update dependency fastify to v4.10.2 [security] #841

renovate · 2023-03-27T19:58:15Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
fastify (source)	`4.4.0` -> `4.10.2`

GitHub Vulnerability Alerts

CVE-2022-39288

Impact

An attacker can send an invalid Content-Type header that can cause the application to crash, leading to a possible Denial of Service attack. Only the v4.x line is affected.

(This was updated: upon a close inspection, v3.x is not affected after all).

Patches

Yes, update to > v4.8.0.

Workarounds

You can reject the malicious content types before the body parser enters in action.

  const badNames = Object.getOwnPropertyNames({}.__proto__)
  fastify.addHook('onRequest', async (req, reply) => {
    for (const badName of badNames) {
      if (req.headers['content-type'].indexOf(badName) > -1) {
        reply.code(415)
        throw new Error('Content type not supported')
      }
    }
  })

References

See the HackerOne report #1715536

For more information

Fastify security policy

CVE-2022-41919

Impact

The attacker can use the incorrect Content-Type to bypass the Pre-Flight checking of fetch. fetch() requests with Content-Type’s essence as "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain", could potentially be used to invoke routes that only accepts application/json content type, thus bypassing any CORS protection, and therefore they could lead to a Cross-Site Request Forgery attack.

Patches

For 4.x users, please update to at least 4.10.2
For 3.x users, please update to at least 3.29.4

Workarounds

Implement Cross-Site Request Forgery protection using @fastify/csrf.

References

Check out the HackerOne report: https://hackerone.com/reports/1763832.

For more information

Fastify security policy

Release Notes

fastify/fastify (fastify)

What's Changed

types: Add missing context types by @kibertoad in https://github.com/fastify/fastify/pull/4352
Revert "fix(logger): lost setBindings type in FastifyBaseLogger" by @climba03003 in https://github.com/fastify/fastify/pull/4355

Full Changelog: fastify/fastify@v4.9.1...v4.9.2

`v4.9.1`

Compare Source

What's Changed

docs(reply): specify streams content-type by @D10f in https://github.com/fastify/fastify/pull/4337
fix(logger): lost setBindings type in FastifyBaseLogger by @BlackHole1 in https://github.com/fastify/fastify/pull/4346
docs(reference): grammar and structure fixes by @Fdawgs in https://github.com/fastify/fastify/pull/4348
docs: example how decorators dependencies works by @leandroandrade in https://github.com/fastify/fastify/pull/4343
Undefined is a valid value for if set as a single hook by @mcollina in https://github.com/fastify/fastify/pull/4351

New Contributors

@D10f made their first contribution in https://github.com/fastify/fastify/pull/4337

Full Changelog: fastify/fastify@v4.9.0...v4.9.1

`v4.9.0`

Compare Source

What's Changed

fix: error handler content-type guessing by @climba03003 in https://github.com/fastify/fastify/pull/4329
build(deps-dev): bump fluent-json-schema from 3.1.0 to 4.0.0 by @dependabot in https://github.com/fastify/fastify/pull/4331
feat: Supporting different content-type responses by @iifawzi in https://github.com/fastify/fastify/pull/4264
fix: should now call default schema compilers by @Eomm in https://github.com/fastify/fastify/pull/4340
docs(ecosystem): replace heply -> beliven due to rebranding by @zuck in https://github.com/fastify/fastify/pull/4334
docs(ecosystem): add @fastify-userland plugins and tools by @BlackHole1 in https://github.com/fastify/fastify/pull/4345
Validate and throws a custom error when attempting to register invalid hook functions by @jhhom in https://github.com/fastify/fastify/pull/4332

New Contributors

@jhhom made their first contribution in https://github.com/fastify/fastify/pull/4332

Full Changelog: fastify/fastify@v4.8.1...v4.9.0

`v4.8.1`

Compare Source

⚠️ Security Release ⚠️

This release fixes GHSA-455w-c45v-86rg for the v4.x line.
This is a HIGH vulnerability that can lead to a crash, resulting in a total loss of availability.
The CVE for this vulnerability is CVE-2022-39288.

Full Changelog: fastify/fastify@v4.8.0...v4.8.1

`v4.8.0`

Compare Source

What's Changed

Correct github url for fastify-qs package by @VanoDevium in https://github.com/fastify/fastify/pull/4321
docs: add test examples with undici and fetch by @CristiTeo in https://github.com/fastify/fastify/pull/4300
update onRoute hook docs by @matthyk in https://github.com/fastify/fastify/pull/4322
Export error codes by @fitiskin in https://github.com/fastify/fastify/pull/4266
feat: support async constraint by @climba03003 in https://github.com/fastify/fastify/pull/4323

New Contributors

@fitiskin made their first contribution in https://github.com/fastify/fastify/pull/4266

Full Changelog: fastify/fastify@v4.7.0...v4.8.0

`v4.7.0`

Compare Source

What's Changed

fix: prevent reuse mutated route option for head by @climba03003 in https://github.com/fastify/fastify/pull/4273
docs(ecosystem): add fastify-sqlite by @Eomm in https://github.com/fastify/fastify/pull/4274
Add RavenDB to community plugins by @drakhart in https://github.com/fastify/fastify/pull/4277
ci: reduce ci test when linting fails by @Eomm in https://github.com/fastify/fastify/pull/4280
chore: update dependencies by @anonrig in https://github.com/fastify/fastify/pull/4284
Check if route exist before checking Content-Type of body by @mage1k99 in https://github.com/fastify/fastify/pull/4286
Replace parseInt with Number at get 6% boost by @anonrig in https://github.com/fastify/fastify/pull/4289
fix: type of validation function by @budarin in https://github.com/fastify/fastify/pull/4283
GitHub Workflows security hardening by @sashashura in https://github.com/fastify/fastify/pull/4290
docs: onRoute hooks in plugins by @philsch in https://github.com/fastify/fastify/pull/4285
chore: Lint eco system error by @zrosenbauer in https://github.com/fastify/fastify/pull/4275
docs(ecosystem): Add @fastify/one-line-logger by @nooreldeensalah in https://github.com/fastify/fastify/pull/4293
docs(ecosystem): capitalization fixes by @Fdawgs in https://github.com/fastify/fastify/pull/4294
docs(ecosystem): add slow down plugin by @CristiTeo in https://github.com/fastify/fastify/pull/4292
fix: custom validator should not mutate headers schema by @climba03003 in https://github.com/fastify/fastify/pull/4295
feat: parse request body for http SEARCH requests by @kalvenschraut in https://github.com/fastify/fastify/pull/4298
Fix typo in the comment to Context object (lib/context.js) by @yakovenkodenis in https://github.com/fastify/fastify/pull/4301
docs(type-providers): replace FastifyLoggerInstance with FastifyBaseLogger by @samialdury in https://github.com/fastify/fastify/pull/4304
docs(contributing): clarify teams for joiners by @Eomm in https://github.com/fastify/fastify/pull/4303
test: add number coersion related tests by @anonrig in https://github.com/fastify/fastify/pull/4297
feat: add routeSchema and routeConfig + switching context handling by @metcoder95 in https://github.com/fastify/fastify/pull/4216
docs(ecosystem): add fastify-s3-buckets by @kibertoad in https://github.com/fastify/fastify/pull/4311
fix: Fix typo in docs/Reference/Type-Providers.md by @SnowSuno in https://github.com/fastify/fastify/pull/4312
build(deps): bump tiny-lru from 8.0.2 to 9.0.2 by @dependabot in https://github.com/fastify/fastify/pull/4305

New Contributors

@mage1k99 made their first contribution in https://github.com/fastify/fastify/pull/4286
@budarin made their first contribution in https://github.com/fastify/fastify/pull/4283
@sashashura made their first contribution in https://github.com/fastify/fastify/pull/4290
@philsch made their first contribution in https://github.com/fastify/fastify/pull/4285
@zrosenbauer made their first contribution in https://github.com/fastify/fastify/pull/4275
@CristiTeo made their first contribution in https://github.com/fastify/fastify/pull/4292
@kalvenschraut made their first contribution in https://github.com/fastify/fastify/pull/4298
@yakovenkodenis made their first contribution in https://github.com/fastify/fastify/pull/4301
@samialdury made their first contribution in https://github.com/fastify/fastify/pull/4304
@SnowSuno made their first contribution in https://github.com/fastify/fastify/pull/4312

Full Changelog: fastify/fastify@v4.6.0...v4.7.0

`v4.6.0`

Compare Source

What's Changed

chore: replace deprecated FastifyLoggerInstance occurences in typings with FastifyBaseLogger by @Uzlopak in https://github.com/fastify/fastify/pull/4224
fix(types): allow fastify.https to be null by @SuperchupuDev in https://github.com/fastify/fastify/pull/4226
chore: fix typo in docs for typescript chapter by @soomtong in https://github.com/fastify/fastify/pull/4227
build(deps-dev): bump tsd from 0.22.0 to 0.23.0 by @dependabot in https://github.com/fastify/fastify/pull/4231
chore: update dependabot link by @leandroandrade in https://github.com/fastify/fastify/pull/4232
docs: improved migration guide for onRoute by @ShogunPanda in https://github.com/fastify/fastify/pull/4233
docs: clarify setDefaultRoute scope by @jacobpgn in https://github.com/fastify/fastify/pull/4236
docs(ecosystem): add fastify-aws-timestream and fastify-aws-sns by @gzileni in https://github.com/fastify/fastify/pull/4230
docs(guides/migration-guide-v4): update content by @Fdawgs in https://github.com/fastify/fastify/pull/4242
Improve doc about configuring pino-pretty with TypeScript by @giacomorebonato in https://github.com/fastify/fastify/pull/4243
build(deps): bump jsumners/lock-threads from b27edac to 3 by @dependabot in https://github.com/fastify/fastify/pull/4244
Revert "build(deps): bump jsumners/lock-threads from b27edac to 3" by @climba03003 in https://github.com/fastify/fastify/pull/4245
docs: Remove Ajv configuration from TypeBox Type Provider examples by @msmolens in https://github.com/fastify/fastify/pull/4249
fix: visit schemas with custom prototype by @Eomm in https://github.com/fastify/fastify/pull/4248
feat: add hasRoute by @Uzlopak in https://github.com/fastify/fastify/pull/4238
Docs: Fixing #schema-validator url at ./Reference/Server/#ajv by @wilbert-abreu in https://github.com/fastify/fastify/pull/4253
chore(doc): fix format by @Eomm in https://github.com/fastify/fastify/pull/4255
chore: export RouteGenericInterface by @ChrisCrewdson in https://github.com/fastify/fastify/pull/4234
chore: improve Ecosystem.md linter to check for improper module name patterns by @nooreldeensalah in https://github.com/fastify/fastify/pull/4257
test: remove assert to invalid HTTP version by @RafaelGSS in https://github.com/fastify/fastify/pull/4260
chore: improve Ecosystem.md linter to lint all sections by @nooreldeensalah in https://github.com/fastify/fastify/pull/4258
Fixing #4259 - Updating typescript example according to the validation changes by @iifawzi in https://github.com/fastify/fastify/pull/4261
docs: add pubsub-http-handler by @cobraz in https://github.com/fastify/fastify/pull/4263
Variadic listen signature allows string port by @marco-ippolito in https://github.com/fastify/fastify/pull/4269
doc: Remove Ajv configuration for TypeBox in TS examples by @pmbanugo in https://github.com/fastify/fastify/pull/4268
docs(ecosystem): add 2 new fastify v3.x+ plugins by @WNemencha in https://github.com/fastify/fastify/pull/4270
docs(typescript): fix #4241 by @mortifia in https://github.com/fastify/fastify/pull/4247

New Contributors

@SuperchupuDev made their first contribution in https://github.com/fastify/fastify/pull/4226
@soomtong made their first contribution in https://github.com/fastify/fastify/pull/4227
@leandroandrade made their first contribution in https://github.com/fastify/fastify/pull/4232
@jacobpgn made their first contribution in https://github.com/fastify/fastify/pull/4236
@giacomorebonato made their first contribution in https://github.com/fastify/fastify/pull/4243
@msmolens made their first contribution in https://github.com/fastify/fastify/pull/4249
@wilbert-abreu made their first contribution in https://github.com/fastify/fastify/pull/4253
@ChrisCrewdson made their first contribution in https://github.com/fastify/fastify/pull/4234
@iifawzi made their first contribution in https://github.com/fastify/fastify/pull/4261
@cobraz made their first contribution in https://github.com/fastify/fastify/pull/4263
@marco-ippolito made their first contribution in https://github.com/fastify/fastify/pull/4269
@pmbanugo made their first contribution in https://github.com/fastify/fastify/pull/4268
@WNemencha made their first contribution in https://github.com/fastify/fastify/pull/4270
@mortifia made their first contribution in https://github.com/fastify/fastify/pull/4247

Full Changelog: fastify/fastify@v4.5.3...v4.6.0

`v4.5.3`

Compare Source

What's Changed

ecosystem.md: move fastify-secure-session and fastify-soap-client to core plugins by @Uzlopak in https://github.com/fastify/fastify/pull/4212
fix: inject hangs with undefined promise resolve by @simoneb in https://github.com/fastify/fastify/pull/4211
use hasOwnProperty from Object.prototype by @Uzlopak in https://github.com/fastify/fastify/pull/4214
chore: fastify branch list by @Eomm in https://github.com/fastify/fastify/pull/4218
chore: add support for TypeScript 4.8 by @SimenB in https://github.com/fastify/fastify/pull/4222

Full Changelog: fastify/fastify@v4.5.2...v4.5.3

`v4.5.2`

Compare Source

What's Changed

Fix 4204 by @mcollina in https://github.com/fastify/fastify/pull/4205

Full Changelog: fastify/fastify@v4.5.1...v4.5.2

`v4.5.1`

Compare Source

What's Changed

make sure preSerialization hooks are null by default by @mcollina in https://github.com/fastify/fastify/pull/4203

Full Changelog: fastify/fastify@v4.5.0...v4.5.1

`v4.5.0`

Compare Source

What's Changed

Add fastify-osm by @gzileni in https://github.com/fastify/fastify/pull/4185
docs(reference/routes): fix onSend example by @Fdawgs in https://github.com/fastify/fastify/pull/4188
chore: clean dev-dependancies by @Eomm in https://github.com/fastify/fastify/pull/4189
Forward upgrade from secondary server to primary by @mcollina in https://github.com/fastify/fastify/pull/4190
add unit test for ajv-formats by @Uzlopak in https://github.com/fastify/fastify/pull/4187
add option to disable/ignore request-id header by @philippviereck in https://github.com/fastify/fastify/pull/4193
doc: add fastify.display-name symbol by @Eomm in https://github.com/fastify/fastify/pull/4191
docs(validation-and-serialization): Fix example on query string coercion by @galiarmero in https://github.com/fastify/fastify/pull/4198
Add fastify-https-always to Ecosystem doc. by @mattbishop in https://github.com/fastify/fastify/pull/4201

New Contributors

@gzileni made their first contribution in https://github.com/fastify/fastify/pull/4185
@philippviereck made their first contribution in https://github.com/fastify/fastify/pull/4193
@galiarmero made their first contribution in https://github.com/fastify/fastify/pull/4198

Full Changelog: fastify/fastify@v4.4.0...v4.5.0

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Tokyo, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

codecov-commenter · 2023-08-19T15:17:01Z

Codecov Report

Merging #841 (8645181) into master (19a5e32) will not change coverage.
Report is 1 commits behind head on master.
The diff coverage is n/a.

❗ Current head 8645181 differs from pull request most recent head 403f24b. Consider uploading reports for the commit 403f24b to get more accurate results

❗ Your organization is not using the GitHub App Integration. As a result you may experience degraded service beginning May 15th. Please install the Github App Integration for your organization. Read more.

@@           Coverage Diff           @@
##           master     #841   +/-   ##
=======================================
  Coverage   57.66%   57.66%           
=======================================
  Files          27       27           
  Lines        3413     3413           
  Branches      272      272           
=======================================
  Hits         1968     1968           
  Misses       1445     1445

renovate bot requested review from koba04 and sosukesuzuki as code owners March 27, 2023 19:58

renovate bot added the renovate label Mar 27, 2023

renovate bot force-pushed the renovate/npm-fastify-vulnerability branch from efef835 to 7b48f16 Compare August 19, 2023 15:12

renovate bot force-pushed the renovate/npm-fastify-vulnerability branch 18 times, most recently from 915caa6 to d85a311 Compare August 21, 2023 12:42

fix(deps): update dependency fastify to v4.10.2 [security]

483c29f

renovate bot force-pushed the renovate/npm-fastify-vulnerability branch from d85a311 to 483c29f Compare August 21, 2023 12:50

teppeis merged commit 715ab0c into master Aug 21, 2023
5 checks passed

teppeis deleted the renovate/npm-fastify-vulnerability branch August 21, 2023 13:26

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(deps): update dependency fastify to v4.10.2 [security] #841

fix(deps): update dependency fastify to v4.10.2 [security] #841

renovate bot commented Mar 27, 2023 •

edited

Loading

codecov-commenter commented Aug 19, 2023 •

edited

Loading

fix(deps): update dependency fastify to v4.10.2 [security] #841

fix(deps): update dependency fastify to v4.10.2 [security] #841

Conversation

renovate bot commented Mar 27, 2023 • edited Loading

GitHub Vulnerability Alerts

Impact

Patches

Workarounds

References

For more information

Impact

Patches

Workarounds

References

For more information

Release Notes

⚠️ Security Release ⚠️

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

What's Changed

New Contributors

What's Changed

New Contributors

⚠️ Security Release ⚠️

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

What's Changed

What's Changed

What's Changed

New Contributors

Configuration

codecov-commenter commented Aug 19, 2023 • edited Loading

Codecov Report

renovate bot commented Mar 27, 2023 •

edited

Loading

codecov-commenter commented Aug 19, 2023 •

edited

Loading