Update dependency fastify to v4.10.2 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
fastify (source)	4.5.3 → 4.10.2

GitHub Vulnerability Alerts

CVE-2022-39288

Impact

An attacker can send an invalid Content-Type header that can cause the application to crash, leading to a possible Denial of Service attack. Only the v4.x line is affected.

(This was updated: upon a close inspection, v3.x is not affected after all).

Patches

Yes, update to > v4.8.0.

Workarounds

You can reject the malicious content types before the body parser enters in action.

  const badNames = Object.getOwnPropertyNames({}.__proto__)
  fastify.addHook('onRequest', async (req, reply) => {
    for (const badName of badNames) {
      if (req.headers['content-type'].indexOf(badName) > -1) {
        reply.code(415)
        throw new Error('Content type not supported')
      }
    }
  })

References

See the HackerOne report #​1715536

For more information

Fastify security policy

CVE-2022-41919

Impact

The attacker can use the incorrect Content-Type to bypass the Pre-Flight checking of fetch. fetch() requests with Content-Type’s essence as "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain", could potentially be used to invoke routes that only accepts application/json content type, thus bypassing any CORS protection, and therefore they could lead to a Cross-Site Request Forgery attack.

Patches

For 4.x users, please update to at least 4.10.2
For 3.x users, please update to at least 3.29.4

Workarounds

Implement Cross-Site Request Forgery protection using @fastify/csrf.

References

Check out the HackerOne report: https://hackerone.com/reports/1763832.

For more information

Fastify security policy

---

Release Notes

fastify/fastify (fastify)

v4.10.2

Compare Source

⚠️ Security Release ⚠️

• Fix for "Incorrect Content-Type parsing can lead to CSRF attack"
  and CVE-2022-41919

Full Changelog: fastify/fastify@v4.10.1...v4.10.2

v4.10.1

Compare Source

What's Changed

• fix node 19.1.0 port validation test by @​Uzlopak in #​4427
• Add fastify-constraints to community plugins by @​Ceres6 in #​4428
• build(deps-dev): bump @​sinonjs/fake-timers from 9.1.2 to 10.0.0 by @​dependabot in #​4421
• add silent option to LogLevel by @​Uzlopak in #​4432

New Contributors

• @​Ceres6 made their first contribution in #​4428

Full Changelog: fastify/fastify@v4.10.0...v4.10.1

v4.10.0

Compare Source

What's Changed

• docs(reference/reply): spelling fixes by @​Fdawgs in #​4358
• Support different content-type typed reply with TypeProvider by @​rain714 in #​4360
• chore: remove leading empty lines by @​LinusU in #​4364
• fix types after pino 8.7.0 change by @​mcollina in #​4365
• Node.js V19 support by @​mcollina in #​4366
• fix: no check on null or undefined values passed as fn by @​metcoder95 in #​4367
• docs(server): config is lost when reply.call not found() is called by @​cesarvspr in #​4368
• Fix typo - 'sever' to 'server' by @​utsav91 in #​4372
• Add platformatic to the Acknowledgements by @​mcollina in #​4378
• docs: add Simone Busoli to plugin maintainers by @​simoneb in #​4379
• add missing 'validationContext' field to FastifyError type by @​jakubburzynski in #​4363
• fix(type-providers): assignability of instance with enabled type provider by @​driimus in #​4371
• feat: support async trailer by @​climba03003 in #​4380
• fix: trailers async race condition by @​climba03003 in #​4383
• docs(ecosystem): Add fastify-list-routes by @​chuongtrh in #​4385
• build(deps-dev): bump @​sinclair/typebox from 0.24.51 to 0.25.2 by @​dependabot in #​4388
• [ Fix ] Improve error message for hooks check by @​debadutta98 in #​4387
• fix: tiny-lru usage by @​climba03003 in #​4391
• Removes old note about named imports in ESM by @​fox1t in #​4392
• docs: Add section about capacity planning by @​kibertoad in #​4386
• docs(recommendations): grammar fixes by @​Fdawgs in #​4396
• chore(doc): duplicated menu item by @​Eomm in #​4398
• feat: add request.routeOptions object by @​debadutta98 in #​4397
• docs: Document multiple app approach by @​kibertoad in #​4393
• fix example using db decorator on fastify instance by @​mmarti in #​4406
• docs: fix removeAdditional refer by @​shunyue1320 in #​4410

New Contributors

• @​rain714 made their first contribution in #​4360
• @​LinusU made their first contribution in #​4364
• @​cesarvspr made their first contribution in #​4368
• @​utsav91 made their first contribution in #​4372
• @​jakubburzynski made their first contribution in #​4363
• @​driimus made their first contribution in #​4371
• @​chuongtrh made their first contribution in #​4385
• @​debadutta98 made their first contribution in #​4387
• @​mmarti made their first contribution in #​4406
• @​shunyue1320 made their first contribution in #​4410

Full Changelog: fastify/fastify@v4.9.2...v4.10.0

v4.9.2

Compare Source

What's Changed

• types: Add missing context types by @​kibertoad in #​4352
• Revert "fix(logger): lost setBindings type in FastifyBaseLogger" by @​climba03003 in #​4355

Full Changelog: fastify/fastify@v4.9.1...v4.9.2

v4.9.1

Compare Source

What's Changed

• docs(reply): specify streams content-type by @​D10f in #​4337
• fix(logger): lost setBindings type in FastifyBaseLogger by @​BlackHole1 in #​4346
• docs(reference): grammar and structure fixes by @​Fdawgs in #​4348
• docs: example how decorators dependencies works by @​leandroandrade in #​4343
• Undefined is a valid value for if set as a single hook by @​mcollina in #​4351

New Contributors

• @​D10f made their first contribution in #​4337

Full Changelog: fastify/fastify@v4.9.0...v4.9.1

v4.9.0

Compare Source

What's Changed

• fix: error handler content-type guessing by @​climba03003 in #​4329
• build(deps-dev): bump fluent-json-schema from 3.1.0 to 4.0.0 by @​dependabot in #​4331
• feat: Supporting different content-type responses by @​iifawzi in #​4264
• fix: should now call default schema compilers by @​Eomm in #​4340
• docs(ecosystem): replace heply -> beliven due to rebranding by @​zuck in #​4334
• docs(ecosystem): add @​fastify-userland plugins and tools by @​BlackHole1 in #​4345
• Validate and throws a custom error when attempting to register invalid hook functions by @​jhhom in #​4332

New Contributors

• @​jhhom made their first contribution in #​4332

Full Changelog: fastify/fastify@v4.8.1...v4.9.0

v4.8.1

Compare Source

⚠️ Security Release ⚠️

This release fixes GHSA-455w-c45v-86rg for the v4.x line.
This is a HIGH vulnerability that can lead to a crash, resulting in a total loss of availability.
The CVE for this vulnerability is CVE-2022-39288.

Full Changelog: fastify/fastify@v4.8.0...v4.8.1

v4.8.0

Compare Source

What's Changed

• Correct github url for fastify-qs package by @​VanoDevium in #​4321
• docs: add test examples with undici and fetch by @​CristiTeo in #​4300
• update onRoute hook docs by @​matthyk in #​4322
• Export error codes by @​fitiskin in #​4266
• feat: support async constraint by @​climba03003 in #​4323

New Contributors

• @​fitiskin made their first contribution in #​4266

Full Changelog: fastify/fastify@v4.7.0...v4.8.0

v4.7.0

Compare Source

What's Changed

• fix: prevent reuse mutated route option for head by @​climba03003 in #​4273
• docs(ecosystem): add fastify-sqlite by @​Eomm in #​4274
• Add RavenDB to community plugins by @​drakhart in #​4277
• ci: reduce ci test when linting fails by @​Eomm in #​4280
• chore: update dependencies by @​anonrig in #​4284
• Check if route exist before checking Content-Type of body by @​mage1k99 in #​4286
• Replace parseInt with Number at get 6% boost by @​anonrig in #​4289
• fix: type of validation function by @​budarin in #​4283
• GitHub Workflows security hardening by @​sashashura in #​4290
• docs: onRoute hooks in plugins by @​philsch in #​4285
• chore: Lint eco system error by @​zrosenbauer in #​4275
• docs(ecosystem): Add @fastify/one-line-logger by @​nooreldeensalah in #​4293
• docs(ecosystem): capitalization fixes by @​Fdawgs in #​4294
• docs(ecosystem): add slow down plugin by @​CristiTeo in #​4292
• fix: custom validator should not mutate headers schema by @​climba03003 in #​4295
• feat: parse request body for http SEARCH requests by @​kalvenschraut in #​4298
• Fix typo in the comment to Context object (lib/context.js) by @​yakovenkodenis in #​4301
• docs(type-providers): replace FastifyLoggerInstance with FastifyBaseLogger by @​samialdury in #​4304
• docs(contributing): clarify teams for joiners by @​Eomm in #​4303
• test: add number coersion related tests by @​anonrig in #​4297
• feat: add routeSchema and routeConfig + switching context handling by @​metcoder95 in #​4216
• docs(ecosystem): add fastify-s3-buckets by @​kibertoad in #​4311
• fix: Fix typo in docs/Reference/Type-Providers.md by @​SnowSuno in #​4312
• build(deps): bump tiny-lru from 8.0.2 to 9.0.2 by @​dependabot in #​4305

New Contributors

• @​mage1k99 made their first contribution in #​4286
• @​budarin made their first contribution in #​4283
• @​sashashura made their first contribution in #​4290
• @​philsch made their first contribution in #​4285
• @​zrosenbauer made their first contribution in #​4275
• @​CristiTeo made their first contribution in #​4292
• @​kalvenschraut made their first contribution in #​4298
• @​yakovenkodenis made their first contribution in #​4301
• @​samialdury made their first contribution in #​4304
• @​SnowSuno made their first contribution in #​4312

Full Changelog: fastify/fastify@v4.6.0...v4.7.0

v4.6.0

Compare Source

What's Changed

• chore: replace deprecated FastifyLoggerInstance occurences in typings with FastifyBaseLogger by @​Uzlopak in #​4224
• fix(types): allow fastify.https to be null by @​SuperchupuDev in #​4226
• chore: fix typo in docs for typescript chapter by @​soomtong in #​4227
• build(deps-dev): bump tsd from 0.22.0 to 0.23.0 by @​dependabot in #​4231
• chore: update dependabot link by @​leandroandrade in #​4232
• docs: improved migration guide for onRoute by @​ShogunPanda in #​4233
• docs: clarify setDefaultRoute scope by @​jacobpgn in #​4236
• docs(ecosystem): add fastify-aws-timestream and fastify-aws-sns by @​gzileni in #​4230
• docs(guides/migration-guide-v4): update content by @​Fdawgs in #​4242
• Improve doc about configuring pino-pretty with TypeScript by @​giacomorebonato in #​4243
• build(deps): bump jsumners/lock-threads from b27edac to 3 by @​dependabot in #​4244
• Revert "build(deps): bump jsumners/lock-threads from b27edac to 3" by @​climba03003 in #​4245
• docs: Remove Ajv configuration from TypeBox Type Provider examples by @​msmolens in #​4249
• fix: visit schemas with custom prototype by @​Eomm in #​4248
• feat: add hasRoute by @​Uzlopak in #​4238
• Docs: Fixing #schema-validator url at ./Reference/Server/#ajv by @​wilbert-abreu in #​4253
• chore(doc): fix format by @​Eomm in #​4255
• chore: export RouteGenericInterface by @​ChrisCrewdson in #​4234
• chore: improve Ecosystem.md linter to check for improper module name patterns by @​nooreldeensalah in #​4257
• test: remove assert to invalid HTTP version by @​RafaelGSS in #​4260
• chore: improve Ecosystem.md linter to lint all sections by @​nooreldeensalah in #​4258
• Fixing #​4259 - Updating typescript example according to the validation changes by @​iifawzi in #​4261
• docs: add pubsub-http-handler by @​cobraz in #​4263
• Variadic listen signature allows string port by @​marco-ippolito in #​4269
• doc: Remove Ajv configuration for TypeBox in TS examples by @​pmbanugo in #​4268
• docs(ecosystem): add 2 new fastify v3.x+ plugins by @​WNemencha in #​4270
• docs(typescript): fix #​4241 by @​mortifia in #​4247

New Contributors

• @​SuperchupuDev made their first contribution in #​4226
• @​soomtong made their first contribution in #​4227
• @​leandroandrade made their first contribution in #​4232
• @​jacobpgn made their first contribution in #​4236
• @​giacomorebonato made their first contribution in #​4243
• @​msmolens made their first contribution in #​4249
• @​wilbert-abreu made their first contribution in #​4253
• @​ChrisCrewdson made their first contribution in #​4234
• @​iifawzi made their first contribution in #​4261
• @​cobraz made their first contribution in #​4263
• @​marco-ippolito made their first contribution in #​4269
• @​pmbanugo made their first contribution in #​4268
• @​WNemencha made their first contribution in #​4270
• @​mortifia made their first contribution in #​4247

Full Changelog: fastify/fastify@v4.5.3...v4.6.0

---

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Tokyo, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.