fix(dependency maintenance): update dependency fastify to v3.29.4 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
fastify (source)	3.24.1 -> 3.29.4

GitHub Vulnerability Alerts

CVE-2022-41919

Impact

The attacker can use the incorrect Content-Type to bypass the Pre-Flight checking of fetch. fetch() requests with Content-Type’s essence as "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain", could potentially be used to invoke routes that only accepts application/json content type, thus bypassing any CORS protection, and therefore they could lead to a Cross-Site Request Forgery attack.

Patches

For 4.x users, please update to at least 4.10.2
For 3.x users, please update to at least 3.29.4

Workarounds

Implement Cross-Site Request Forgery protection using @fastify/csrf.

References

Check out the HackerOne report: https://hackerone.com/reports/1763832.

For more information

Fastify security policy

---

Release Notes

fastify/fastify (fastify)

v3.29.4

Compare Source

⚠️ Security Release ⚠️

• Fix for "Incorrect Content-Type parsing can lead to CSRF attack"
  and CVE-2022-41919

Full Changelog: fastify/fastify@v3.29.3...v3.29.4

v3.29.3

Compare Source

⚠️ Security Release ⚠️

This release backport the fixes of GHSA-455w-c45v-86rg for the v3.x line.
While not being a vulnerability for this line, a backport is still welcome due to the problems highlighted in the report.

Full Changelog: fastify/fastify@v3.29.2...v3.29.3

v3.29.2

Compare Source

What's Changed

• fix: backport reused connection fix by @​salzhrani in #​4217

New Contributors

• @​salzhrani made their first contribution in #​4217

Full Changelog: fastify/fastify@v3.29.1...v3.29.2

v3.29.1

Compare Source

What's Changed

• docs: reference new @fastify/* modules by @​Fdawgs in #​3860
• Child log level in bindings is deprecated by @​orov-io in #​3896
• Handle aborted requests (#​215) by @​TimotejR in #​4103

New Contributors

• @​orov-io made their first contribution in #​3896
• @​TimotejR made their first contribution in #​4103

Full Changelog: fastify/fastify@v3.29.0...v3.29.1

v3.29.0

Compare Source

What's Changed

• Update fastify-error dependency by @​jsumners in #​3859

Full Changelog: fastify/fastify@v3.28.0...v3.29.0

v3.28.0

Compare Source

What's Changed

• (v3.x) Allow custom Context Config types for hooks' request properties by @​sumbad in #​3787
• add generic logger to route handler & FastifyRequest by @​MarcoLeko in #​3782
• (v3.x) fix: handle invalid url by @​climba03003 in #​3806
• (v3.x) feat: reply trailers support by @​climba03003 in #​3807

Full Changelog: fastify/fastify@v3.27.4...v3.28.0

v3.27.4

Compare Source

What's Changed

• [Backport v3.x] Fixed Node.js v18/master support by @​github-actions in #​3761

Full Changelog: fastify/fastify@v3.27.3...v3.27.4

v3.27.3

Compare Source

What's Changed

• Drop @​typescript-eslint/no-misused-promises (#​3741) by @​mcollina in #​3757

Full Changelog: fastify/fastify@v3.27.2...v3.27.3

v3.27.2

Compare Source

What's Changed

• fix: added jsonShorthand in FastifyServerOptions by @​DanieleFedeli in #​3681
• fix: calling reply.callNotFound uncaught exception by @​VigneshMurugan in #​3661
• style: fix new standard linting by @​Divlo in #​3682
• docs(ecosystem): update fastify-jwt plugin with the new internal library it uses by @​rluvaton in #​3689
• ci(package-manager): run test:ci instead of test by @​Divlo in #​3692
• docs(ecosystem): adds @​immobiliarelabs/fastify-sentry by @​simonecorsi in #​3693
• chore: fix plugin labeler by @​Eomm in #​3694
• Add reference to FST_ERR_CTP_INVALID_MEDIA_TYPE error in the docs for validation & content type parser by @​AWare in #​3697
• fix(types): add opts param to onRegister hook handler signature by @​bmenant in #​3641
• update Server docs by @​matthyk in #​3699
• Update middleware docs link by @​JamieGrimwood in #​3706
• build(deps): bump tiny-lru from 7.0.6 to 8.0.1 by @​dependabot in #​3700
• build(deps-dev): bump @​sinonjs/fake-timers from 8.1.0 to 9.1.0 by @​dependabot in #​3683

New Contributors

• @​Divlo made their first contribution in #​3682
• @​AWare made their first contribution in #​3697
• @​bmenant made their first contribution in #​3641
• @​JamieGrimwood made their first contribution in #​3706

Full Changelog: fastify/fastify@v3.27.1...v3.27.2

v3.27.1

Compare Source

What's Changed

• docs: fix link to forceCloseConnections option by @​RafaelGSS in #​3638
• docs(Prototype-Poisoning): invalid content link by @​RafaelGSS in #​3639
• doc(Guides): fix grammar issue in the Prototype Poisoning file by @​rluvaton in #​3640
• types: add forceCloseConnection type def by @​RafaelGSS in #​3646
• Fixes #​3648 - URL must be a string by @​VigneshMurugan in #​3653
• build: reduce dependabot update frequency by @​Fdawgs in #​3659
• build: correct dependabot config by @​Fdawgs in #​3662
• add missing types workflow by @​KiraPC in #​3668
• Serialization errors will be send to errorHandler by @​int1ch in #​3674
• Add Documentation and TS Types missed for FastifyInstance#setSchemaController by @​Grubba27 in #​3480
• Add action to lock threads by @​jsumners in #​3679

New Contributors

• @​rluvaton made their first contribution in #​3640
• @​int1ch made their first contribution in #​3674
• @​Grubba27 made their first contribution in #​3480

Full Changelog: fastify/fastify@v3.27.0...v3.27.1

v3.27.0

Compare Source

What's Changed

• Add keep-alive connection tracking and reaping (resolve #​3617) by @​jsumners in #​3619

Full Changelog: fastify/fastify@v3.26.0...v3.27.0

v3.26.0

Compare Source

What's Changed

• Documentation: replace fastify.decorate arrow functions with function expressions by @​onosendi in #​3577
• Update Recommendations.md by @​fralonra in #​3583
• build(deps-dev): bump helmet from 4.6.0 to 5.0.1 by @​dependabot in #​3591
• chore: remove duplicated line by @​Eomm in #​3599
• docs(reference-typescript): fix formatting by @​sniperwolf in #​3602
• feat: manage display-name meta plugin by @​Eomm in #​3608
• Add prototype poisoning doc by @​jsumners in #​3609
• Fix website workflow not triggering by @​luisorbaiceta in #​3611
• Adding esbuild bundler to the pipeline by @​jhonrocha in #​3616
• chore (ci): run lint only once by @​darkgl0w in #​3623
• Fix types to support Ajv plugins with options by @​pverdile in #​3601
• Update LICENSE by @​ravenberg in #​3629
• fix: accept-version on default route by @​climba03003 in #​3630
• fix (test): custom-parser.test.js flaky test by @​darkgl0w in #​3627
• fix (types): this is FastifyInstance by @​darkgl0w in #​3622

New Contributors

• @​onosendi made their first contribution in #​3577
• @​sniperwolf made their first contribution in #​3602
• @​jhonrocha made their first contribution in #​3616
• @​pverdile made their first contribution in #​3601
• @​ravenberg made their first contribution in #​3629

Full Changelog: fastify/fastify@v3.25.3...v3.26.0

v3.25.3

Compare Source

What's Changed

• Move from fastify-warning to process-warning by @​mcollina in #​3576
• build(deps-dev): bump http-errors from 1.8.1 to 2.0.0 by @​dependabot in #​3553

Full Changelog: fastify/fastify@v3.25.2...v3.25.3

v3.25.2

Compare Source

What's Changed

• docs: Small improvements in the documentation by @​DavidIsa in #​3565
• Add release trigger for website build by @​luisorbaiceta in #​3572
• Fix context tracking with als run by @​mcollina in #​3571

New Contributors

• @​DavidIsa made their first contribution in #​3565

Full Changelog: fastify/fastify@v3.25.1...v3.25.2

v3.25.1

Compare Source

What's Changed

• docs: add fastify-split-validator to Ecosystem by @​MetCoder95 in #​3535
• docs: fix broken documentation links by @​RoXioTD in #​3539
• Tests for http2 host constraint server by @​luisorbaiceta in #​3504
• Fix docs broken links by @​luisorbaiceta in #​3542
• Fix broken links in README.md by @​asaid-0 in #​3545
• Add missing types & docs for async onClose hook by @​franky47 in #​3541
• chore: upgrade github-action-merge-dependabot to v3 by @​Eomm in #​3547
• Update Ecosystem.md by @​DanieleFedeli in #​3548
• Fix typo in /docs/index.md by @​nooreldeensalah in #​3557
• added fastify-file-routes by @​spa5k in #​3561
• Fixes regressions for function decorators on Request and Reply by @​mcollina in #​3560

New Contributors

• @​RoXioTD made their first contribution in #​3539
• @​asaid-0 made their first contribution in #​3545
• @​franky47 made their first contribution in #​3541
• @​DanieleFedeli made their first contribution in #​3548
• @​nooreldeensalah made their first contribution in #​3557

Full Changelog: fastify/fastify@v3.25.0...v3.25.1

v3.25.0

Compare Source

What's Changed

• fix(typescript): use RouteGeneric for setErrorHandler types by @​ethanwu10 in #​3493
• docs(ecosystem): add middie to core section by @​Fdawgs in #​3501
• build(deps): bump fastify/github-action-merge-dependabot from 2.6.0 to 2.7.0 by @​dependabot in #​3507
• add node 17 by @​Eomm in #​3456
• docs(ecosystem): adds @​immobiliarelabs/fastify-metrics by @​simonecorsi in #​3509
• build(deps): bump fastify/github-action-merge-dependabot from 2.7.0 to 2.7.1 by @​dependabot in #​3518
• Update logger options to correct properties by @​makrandgupta in #​3519
• fix: use hasKey to check request dependencies by @​RafaelGSS in #​3527
• Pass constraint values to the router when checking for a preexisting HEAD route by @​airhorns in #​3526
• Add Luis Orbaiceta as a contributor by @​luisorbaiceta in #​3530
• Docs reorganization by @​jsumners with help from @​lachlancollins in #​3474
• Rename index files by @​jsumners in #​3533

New Contributors

• @​ethanwu10 made their first contribution in #​3493
• @​simonecorsi made their first contribution in #​3509
• @​makrandgupta made their first contribution in #​3519
• @​luisorbaiceta made their first contribution in #​3530

Full Changelog: fastify/fastify@v3.24.1...v3.25.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.