fix(dependencies): update dependency fastify to v3.29.4 [security]

[renovate]

Coming soon: The Renovate bot (GitHub App) will be renamed to Mend. PRs from Renovate will soon appear from 'Mend'. Learn more here.

This PR contains the following updates:

Package	Change	Age	Confidence
fastify (source)	3.9.2 -> 3.29.4

GitHub Vulnerability Alerts

CVE-2022-41919

Impact

The attacker can use the incorrect Content-Type to bypass the Pre-Flight checking of fetch. fetch() requests with Content-Type’s essence as "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain", could potentially be used to invoke routes that only accepts application/json content type, thus bypassing any CORS protection, and therefore they could lead to a Cross-Site Request Forgery attack.

Patches

For 4.x users, please update to at least 4.10.2
For 3.x users, please update to at least 3.29.4

Workarounds

Implement Cross-Site Request Forgery protection using @fastify/csrf.

References

Check out the HackerOne report: https://hackerone.com/reports/1763832.

For more information

Fastify security policy

---

Release Notes

fastify/fastify (fastify)

v3.29.4

Compare Source

⚠️ Security Release ⚠️

• Fix for "Incorrect Content-Type parsing can lead to CSRF attack"
  and CVE-2022-41919

Full Changelog: fastify/fastify@v3.29.3...v3.29.4

v3.29.3

Compare Source

⚠️ Security Release ⚠️

This release backport the fixes of GHSA-455w-c45v-86rg for the v3.x line.
While not being a vulnerability for this line, a backport is still welcome due to the problems highlighted in the report.

Full Changelog: fastify/fastify@v3.29.2...v3.29.3

v3.29.2

Compare Source

What's Changed

• fix: backport reused connection fix by @​salzhrani in #​4217

New Contributors

• @​salzhrani made their first contribution in #​4217

Full Changelog: fastify/fastify@v3.29.1...v3.29.2

v3.29.1

Compare Source

What's Changed

• docs: reference new @fastify/* modules by @​Fdawgs in #​3860
• Child log level in bindings is deprecated by @​orov-io in #​3896
• Handle aborted requests (#​215) by @​TimotejR in #​4103

New Contributors

• @​orov-io made their first contribution in #​3896
• @​TimotejR made their first contribution in #​4103

Full Changelog: fastify/fastify@v3.29.0...v3.29.1

v3.29.0

Compare Source

What's Changed

• Update fastify-error dependency by @​jsumners in #​3859

Full Changelog: fastify/fastify@v3.28.0...v3.29.0

v3.28.0

Compare Source

What's Changed

• (v3.x) Allow custom Context Config types for hooks' request properties by @​sumbad in #​3787
• add generic logger to route handler & FastifyRequest by @​MarcoLeko in #​3782
• (v3.x) fix: handle invalid url by @​climba03003 in #​3806
• (v3.x) feat: reply trailers support by @​climba03003 in #​3807

Full Changelog: fastify/fastify@v3.27.4...v3.28.0

v3.27.4

Compare Source

What's Changed

• [Backport v3.x] Fixed Node.js v18/master support by @​github-actions in #​3761

Full Changelog: fastify/fastify@v3.27.3...v3.27.4

v3.27.3

Compare Source

What's Changed

• Drop @​typescript-eslint/no-misused-promises (#​3741) by @​mcollina in #​3757

Full Changelog: fastify/fastify@v3.27.2...v3.27.3

v3.27.2

Compare Source

What's Changed

• fix: added jsonShorthand in FastifyServerOptions by @​DanieleFedeli in #​3681
• fix: calling reply.callNotFound uncaught exception by @​VigneshMurugan in #​3661
• style: fix new standard linting by @​Divlo in #​3682
• docs(ecosystem): update fastify-jwt plugin with the new internal library it uses by @​rluvaton in #​3689
• ci(package-manager): run test:ci instead of test by @​Divlo in #​3692
• docs(ecosystem): adds @​immobiliarelabs/fastify-sentry by @​simonecorsi in #​3693
• chore: fix plugin labeler by @​Eomm in #​3694
• Add reference to FST_ERR_CTP_INVALID_MEDIA_TYPE error in the docs for validation & content type parser by @​AWare in #​3697
• fix(types): add opts param to onRegister hook handler signature by @​bmenant in #​3641
• update Server docs by @​matthyk in #​3699
• Update middleware docs link by @​JamieGrimwood in #​3706
• build(deps): bump tiny-lru from 7.0.6 to 8.0.1 by @​dependabot in #​3700
• build(deps-dev): bump @​sinonjs/fake-timers from 8.1.0 to 9.1.0 by @​dependabot in #​3683

New Contributors

• @​Divlo made their first contribution in #​3682
• @​AWare made their first contribution in #​3697
• @​bmenant made their first contribution in #​3641
• @​JamieGrimwood made their first contribution in #​3706

Full Changelog: fastify/fastify@v3.27.1...v3.27.2

v3.27.1

Compare Source

What's Changed

• docs: fix link to forceCloseConnections option by @​RafaelGSS in #​3638
• docs(Prototype-Poisoning): invalid content link by @​RafaelGSS in #​3639
• doc(Guides): fix grammar issue in the Prototype Poisoning file by @​rluvaton in #​3640
• types: add forceCloseConnection type def by @​RafaelGSS in #​3646
• Fixes #​3648 - URL must be a string by @​VigneshMurugan in #​3653
• build: reduce dependabot update frequency by @​Fdawgs in #​3659
• build: correct dependabot config by @​Fdawgs in #​3662
• add missing types workflow by @​KiraPC in #​3668
• Serialization errors will be send to errorHandler by @​int1ch in #​3674
• Add Documentation and TS Types missed for FastifyInstance#setSchemaController by @​Grubba27 in #​3480
• Add action to lock threads by @​jsumners in #​3679

New Contributors

• @​rluvaton made their first contribution in #​3640
• @​int1ch made their first contribution in #​3674
• @​Grubba27 made their first contribution in #​3480

Full Changelog: fastify/fastify@v3.27.0...v3.27.1

v3.27.0

Compare Source

What's Changed

• Add keep-alive connection tracking and reaping (resolve #​3617) by @​jsumners in #​3619

Full Changelog: fastify/fastify@v3.26.0...v3.27.0

v3.26.0

Compare Source

What's Changed

• Documentation: replace fastify.decorate arrow functions with function expressions by @​onosendi in #​3577
• Update Recommendations.md by @​fralonra in #​3583
• build(deps-dev): bump helmet from 4.6.0 to 5.0.1 by @​dependabot in #​3591
• chore: remove duplicated line by @​Eomm in #​3599
• docs(reference-typescript): fix formatting by @​sniperwolf in #​3602
• feat: manage display-name meta plugin by @​Eomm in #​3608
• Add prototype poisoning doc by @​jsumners in #​3609
• Fix website workflow not triggering by @​luisorbaiceta in #​3611
• Adding esbuild bundler to the pipeline by @​jhonrocha in #​3616
• chore (ci): run lint only once by @​darkgl0w in #​3623
• Fix types to support Ajv plugins with options by @​pverdile in #​3601
• Update LICENSE by @​ravenberg in #​3629
• fix: accept-version on default route by @​climba03003 in #​3630
• fix (test): custom-parser.test.js flaky test by @​darkgl0w in #​3627
• fix (types): this is FastifyInstance by @​darkgl0w in #​3622

New Contributors

• @​onosendi made their first contribution in #​3577
• @​sniperwolf made their first contribution in #​3602
• @​jhonrocha made their first contribution in #​3616
• @​pverdile made their first contribution in #​3601
• @​ravenberg made their first contribution in #​3629

Full Changelog: fastify/fastify@v3.25.3...v3.26.0

v3.25.3

Compare Source

What's Changed

• Move from fastify-warning to process-warning by @​mcollina in #​3576
• build(deps-dev): bump http-errors from 1.8.1 to 2.0.0 by @​dependabot in #​3553

Full Changelog: fastify/fastify@v3.25.2...v3.25.3

v3.25.2

Compare Source

What's Changed

• docs: Small improvements in the documentation by @​DavidIsa in #​3565
• Add release trigger for website build by @​luisorbaiceta in #​3572
• Fix context tracking with als run by @​mcollina in #​3571

New Contributors

• @​DavidIsa made their first contribution in #​3565

Full Changelog: fastify/fastify@v3.25.1...v3.25.2

v3.25.1

Compare Source

What's Changed

• docs: add fastify-split-validator to Ecosystem by @​MetCoder95 in #​3535
• docs: fix broken documentation links by @​RoXioTD in #​3539
• Tests for http2 host constraint server by @​luisorbaiceta in #​3504
• Fix docs broken links by @​luisorbaiceta in #​3542
• Fix broken links in README.md by @​asaid-0 in #​3545
• Add missing types & docs for async onClose hook by @​franky47 in #​3541
• chore: upgrade github-action-merge-dependabot to v3 by @​Eomm in #​3547
• Update Ecosystem.md by @​DanieleFedeli in #​3548
• Fix typo in /docs/index.md by @​nooreldeensalah in #​3557
• added fastify-file-routes by @​spa5k in #​3561
• Fixes regressions for function decorators on Request and Reply by @​mcollina in #​3560

New Contributors

• @​RoXioTD made their first contribution in #​3539
• @​asaid-0 made their first contribution in #​3545
• @​franky47 made their first contribution in #​3541
• @​DanieleFedeli made their first contribution in #​3548
• @​nooreldeensalah made their first contribution in #​3557

Full Changelog: fastify/fastify@v3.25.0...v3.25.1

v3.25.0

Compare Source

What's Changed

• fix(typescript): use RouteGeneric for setErrorHandler types by @​ethanwu10 in #​3493
• docs(ecosystem): add middie to core section by @​Fdawgs in #​3501
• build(deps): bump fastify/github-action-merge-dependabot from 2.6.0 to 2.7.0 by @​dependabot in #​3507
• add node 17 by @​Eomm in #​3456
• docs(ecosystem): adds @​immobiliarelabs/fastify-metrics by @​simonecorsi in #​3509
• build(deps): bump fastify/github-action-merge-dependabot from 2.7.0 to 2.7.1 by @​dependabot in #​3518
• Update logger options to correct properties by @​makrandgupta in #​3519
• fix: use hasKey to check request dependencies by @​RafaelGSS in #​3527
• Pass constraint values to the router when checking for a preexisting HEAD route by @​airhorns in #​3526
• Add Luis Orbaiceta as a contributor by @​luisorbaiceta in #​3530
• Docs reorganization by @​jsumners with help from @​lachlancollins in #​3474
• Rename index files by @​jsumners in #​3533

New Contributors

• @​ethanwu10 made their first contribution in #​3493
• @​simonecorsi made their first contribution in #​3509
• @​makrandgupta made their first contribution in #​3519
• @​luisorbaiceta made their first contribution in #​3530

Full Changelog: fastify/fastify@v3.24.1...v3.25.0

v3.24.1

Compare Source

What's Changed

• fix: server.requestTimeout miss when https by @​zgoby in #​3447
• docs: add Google Cloud Functions example to Serverless Documentation by @​etino in #​3445
• docs: add fastify-polyglot plugin to the ecosystem by @​heplyadm in #​3452
• fix(typescript): define instance listen callback error nullable by @​sf3ris in #​3449
• docs: replace "sons" with "descendants" by @​mroderick in #​3453
• build(deps): bump fastify/github-action-merge-dependabot from 2.5.0 to 2.6.0 by @​dependabot in #​3459
• docs(examples): fix ts-server exit code of error by @​qin20 in #​3458
• docs: add fastify-crud-generator plugin by @​zuck in #​3460
• fix: server.maxRequestsPerSocket miss by @​zgoby in #​3463
• fix: logger req serializers by @​climba03003 in #​3465
• build(deps-dev): bump tsd from 0.18.0 to 0.19.0 by @​dependabot in #​3466
• docs: add code sample for development logger config by @​capaj in #​3464
• docs: add post example to intro by @​saihaj in #​3438
• fix: use current instance schema controller by @​MetCoder95 in #​3454
• fix(typescript): add type declaration for FastifyRequest.context by @​chrskrchr in #​3472
• docs: add set-cookie special case by @​genzyy in #​3470
• docs(reply): grammar and readability fixes for set-cookie section by @​Fdawgs in #​3477
• build(dependabot): ignore minor and patch github-actions updates by @​Fdawgs in #​3451
• fix the sentence of serializerCompiler by @​mm1995tk in #​3490

New Contributors

• @​zgoby made their first contribution in #​3447
• @​etino made their first contribution in #​3445
• @​sf3ris made their first contribution in #​3449
• @​qin20 made their first contribution in #​3458
• @​capaj made their first contribution in #​3464
• @​saihaj made their first contribution in #​3438
• @​chrskrchr made their first contribution in #​3472
• @​genzyy made their first contribution in #​3470
• @​mm1995tk made their first contribution in #​3490

Full Changelog: fastify/fastify@v3.24.0...v3.24.1

v3.24.0

Compare Source

What's Changed

• build(deps-dev): bump @​sinonjs/fake-timers from 7.1.2 to 8.1.0 by @​dependabot in #​3418
• feat: make version field deterministic and reliable by @​jesec in #​3427
• chore(.npmignore): remove default ignored files/paths by @​Fdawgs in #​3434
• make getResponseTime deterministic by @​thomaschaaf in #​3431
• docs: clarify on request.body content and usage by @​Fdawgs in #​3436
• test: add hook tests by @​Eomm in #​3439

New Contributors

• @​thomaschaaf made their first contribution in #​3431

Full Changelog: fastify/fastify@v3.23.1...v3.24.0

v3.23.1

Compare Source

What's Changed

• fix: setSchemaController not inheriting Schemas from root parent by @​MetCoder95 in #​3401
• fix: socket null in logger by @​codeflyer in #​3422

Full Changelog: fastify/fastify@v3.23.0...v3.23.1

v3.23.0

Compare Source

What's Changed

• Updated the docs related to AJV plugins by @​amis-shokoohi in #​3189
• fix: remove unused types imports by @​juanpicado in #​3392
• docs(test/bundler): grammar and spelling fixes by @​Fdawgs in #​3393
• build(deps-dev): bump split2 from 3.2.2 to 4.1.0 by @​dependabot in #​3395
• Update Validation-and-Serialization.md by @​Eomm in #​3400
• Add requestTimeout option by @​fatal10110 in #​3407
• fix: verify request socket before access attributes by @​codeflyer in #​3420

New Contributors

• @​amis-shokoohi made their first contribution in #​3189
• @​juanpicado made their first contribution in #​3392
• @​fatal10110 made their first contribution in #​3407
• @​codeflyer made their first contribution in #​3420

Full Changelog: fastify/fastify@v3.22.1...v3.23.0

v3.22.1

Compare Source

What's Changed

• Update NGINX section with comments and fixes by @​weiliddat in #​3352
• Update Validation-and-Serialization.md by @​fralonra in #​3359
• fix(typescript): register missing args for function options by @​climba03003 in #​3355
• build(deps-dev): bump tsd from 0.17.0 to 0.18.0 by @​dependabot in #​3368
• test: fix typo in tap test pass message by @​tniessen in #​3370
• docs:inform user to set target property by @​siemah in #​3291
• Drop readable-stream dependency by @​mcollina in #​3372
• fix: pipe stream inside error handler by @​climba03003 in #​3375
• fix(typescript): types for schemaController by @​Krysik in #​3369
• fix: spell error by @​liuhanqu in #​3379

New Contributors

• @​siemah made their first contribution in #​3291
• @​Krysik made their first contribution in #​3369
• @​liuhanqu made their first contribution in #​3379

Full Changelog: fastify/fastify@v3.22.0...v3.22.1

v3.22.0

Compare Source

What's Changed

• Update Hooks.md by @​NobDod in #​3336
• feat: max requests per socket by @​climba03003 in #​3335
• Fix links to querystringParser by @​jakearchibald in #​3345
• docs: add fastify-supabase to fastify ecosystem by @​darkgl0w in #​3348

New Contributors

• @​NobDod made their first contribution in #​3336
• @​jakearchibald made their first contribution in #​3345

Full Changelog: fastify/fastify@v3.21.6...v3.22.0

v3.21.6

Compare Source

What's Changed

• Do not coerce undefined to null, always set it to decorated value. by @​mcollina in #​3337

Full Changelog: fastify/fastify@v3.21.5...v3.21.6

v3.21.5

Compare Source

What's Changed

• Only null and undefined are valid values for same shape optimization by @​mcollina in #​3334

Full Changelog: fastify/fastify@v3.21.4...v3.21.5

v3.21.4

Compare Source

What's Changed

• Docs: Add and clarify query string handling tips by @​sveinnthorarins in #​3319
• docs: try to fit the doc with the code by @​rubiagatra in #​3325
• build(deps): bump fastify/github-action-merge-dependabot from 2.4.0 to 2.5.0 by @​dependabot in #​3327
• fix decorator checks in plugin definitions by @​mcollina in #​3333

New Contributors

• @​sveinnthorarins made their first contribution in #​3319
• @​rubiagatra made their first contribution in #​3325

Full Changelog: fastify/fastify@v3.21.3...v3.21.4

v3.21.3

Compare Source

What's Changed

• docs: link logo to the website by @​DRoet in #​3322
• docs: grammar, spelling, and readability fixes by @​Fdawgs in #​3321
• fix: check existence by @​climba03003 in #​3324

Full Changelog: fastify/fastify@v3.21.2...v3.21.3

v3.21.2

Compare Source

What's Changed

• Enforce the same shapes by @​mcollina in #​3317
• chore(benchmark): use tagged version to comment PR by @​RafaelGSS in #​3320
• fix: reply object not marked as sent for stream payloads by @​adrian-branescu in #​3318

New Contributors

• @​adrian-branescu made their first contribution in #​3318

Full Changelog: fastify/fastify@v3.21.1...v3.21.2

v3.21.1

Compare Source

What's Changed

• add nginx to Recommendations by @​mhf-ir in #​3298
• Add relative links in Readme by @​Nazeeh21 in #​3250
• fix: check serialized payload by @​Eomm in #​3308
• FastifyInstance#setErrorHandler supports async handlers by @​AnnikaCodes in #​3309
• docs: update fastify-websocket description by @​DRoet in #​3311
• close() returns a Promise, not a PromiseLike by @​mcollina in #​3312
• Doc - Schema validators per validation types by @​alainrk in #​3310

New Contributors

• @​mhf-ir made their first contribution in #​3298
• @​Nazeeh21 made their first contribution in #​3250
• @​AnnikaCodes made their first contribution in #​3309
• @​DRoet made their first contribution in #​3311
• @​alainrk made their first contribution in #​3310

Full Changelog: fastify/fastify@v3.21.0...v3.21.1

v3.21.0

Compare Source

What's Changed

• Add fastify-appwrite plugin by @​Dev-Manny in #​3259
• Docs: esm syntax by @​zekth in #​3253
• ci: automerge only minor semver by @​Eomm in #​3264
• docs: how to use ajv8 within fastify3 by @​Eomm in #​3265
• Fix schema controller error when adding response schemas by @​Eomm in #​3269
• Add contributing guide by @​jsumners in #​2610
• fixes minor typo in ContentTypeParser.md by @​kedarv in #​3273
• adding type for fastify.routing by @​axe-me in #​3270
• docs: fix http status on validation by @​Eomm in #​3275
• docs: fix syntax by @​Eomm in #​3276
• fix error messages by @​matthyk in #​3277
• docs: add fastify-bree by @​climba03003 in #​3278
• add diagnostics_channel publish at initialization time by @​bengl in #​3279
• feat: webpack test stack by @​zekth in #​3240
• Fix Schema Documentation Link by @​rorymalcolm in #​3290
• fixed unresponsive server #​3283 by @​Krishanu230 in #​3285
• fix: add content type parsers after removeAllContentTypeParsers by @​diceride in #​3292
• chore: fix error message check by @​Eomm in #​3297
• fix headers no longer readonly by @​jonnyynnoj in #​3295

New Contributors

• @​Dev-Manny made their first contribution in #​3259
• @​kedarv made their first contribution in #​3273
• @​axe-me made their first contribution in #​3270
• @​bengl made their first contribution in #​3279
• @​rorymalcolm made their first contribution in #​3290
• @​Krishanu230 made their first contribution in #​3285
• @​diceride made their first contribution in #​3292
• @​jonnyynnoj made their first contribution in #​3295

Full Changelog: fastify/fastify@v3.20.2...v3.21.0

v3.20.2

Compare Source

What's Changed

• docs: add info about Reply generic interface by @​shwao in #​3223
• doc: update status of session by @​zekth in #​3239
• Clarify getting started by @​hugocaillard in #​3241
• build(deps): bump fastify/github-action-merge-dependabot from 2.2.0 to 2.3.0 by @​dependabot in #​3243
• fix: request set headers by @​Eomm in #​2817
• docs: fix import wrong statement by @​climba03003 in #​3248
• Fixed dead link for @​fastify/session by @​VIEWVIEWVIEW in #​3246
• build(deps): bump fastify/github-action-merge-dependabot from 2.3.0 to 2.4.0 by @​dependabot in #​3249
• Add Fastify-allow plugin reference by @​mattbishop in #​3242
• Fixed socket leakage in TLS connection by @​gugu in #​3254

New Contributors

• @​hugocaillard made their first contribution in #​3241
• @​VIEWVIEWVIEW made their first contribution in #​3246
• @​gugu made their first contribution in #​3254

Full Changelog: fastify/fastify@v3.20.1...v3.20.2

v3.20.1

Compare Source

What's Changed

• upgrade minimum find-my-way version by @​matthyk in #​3232
• Add serializerOpts to server option interface by @​ddadaal in #​3231
• docs: update all nodejs doc links to point to v14.x documentation by @​Fdawgs in #​3227
• docs: Added fastify-slonik plugin reference in fastify-ecosystem page. by @​Unbuttun in #​3226

New Contributors

• @​ddadaal made their first contribution in #​3231
• @​Unbuttun made their first contribution in #​3226

Full Changelog: fastify/fastify@v3.20.0...v3.20.1

v3.20.0

Compare Source

What's Changed

• Add this types to decorator functions by @​matthyk in #​3203
• Fix request hanging when synchronously returning a value in setErrorHandler by @​weiliddat in #​3211
• docs: add fastify-recaptcha by @​qwertyforce in #​3212
• feat: update Getting-Started.md by @​Adibla in #​3213
• fix: add file option in FastifyLoggerOptions interface by @​nicks96432 in #​3214
• Extend content type parser by @​matthyk in #​3210
• fix generic constraint type by @​matthyk in #​3221
• docs: fix interface in route generic example by @​shwao in #​3222

New Contributors

• @​Adibla made their first contribution in #​3213
• @​nicks96432 made their first contribution in #​3214
• @​shwao made their first contribution in #​3222

Full Changelog: fastify/fastify@v3.19.2...v3.20.0

v3.19.2

Compare Source

PR:

• Bump

---

Configuration

📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.