chore(deps): update dependency fastify to v3.29.4 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
fastify (source)	3.27.0 -> 3.29.4

GitHub Vulnerability Alerts

CVE-2022-41919

Impact

The attacker can use the incorrect Content-Type to bypass the Pre-Flight checking of fetch. fetch() requests with Content-Type’s essence as "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain", could potentially be used to invoke routes that only accepts application/json content type, thus bypassing any CORS protection, and therefore they could lead to a Cross-Site Request Forgery attack.

Patches

For 4.x users, please update to at least 4.10.2
For 3.x users, please update to at least 3.29.4

Workarounds

Implement Cross-Site Request Forgery protection using @fastify/csrf.

References

Check out the HackerOne report: https://hackerone.com/reports/1763832.

For more information

Fastify security policy

---

Release Notes

fastify/fastify (fastify)

v3.29.4

Compare Source

⚠️ Security Release ⚠️

• Fix for "Incorrect Content-Type parsing can lead to CSRF attack"
  and CVE-2022-41919

Full Changelog: fastify/fastify@v3.29.3...v3.29.4

v3.29.3

Compare Source

⚠️ Security Release ⚠️

This release backport the fixes of GHSA-455w-c45v-86rg for the v3.x line.
While not being a vulnerability for this line, a backport is still welcome due to the problems highlighted in the report.

Full Changelog: fastify/fastify@v3.29.2...v3.29.3

v3.29.2

Compare Source

What's Changed

• fix: backport reused connection fix by @​salzhrani in https://github.com/fastify/fastify/pull/4217

New Contributors

• @​salzhrani made their first contribution in https://github.com/fastify/fastify/pull/4217

Full Changelog: fastify/fastify@v3.29.1...v3.29.2

v3.29.1

Compare Source

What's Changed

• docs: reference new @fastify/* modules by @​Fdawgs in https://github.com/fastify/fastify/pull/3860
• Child log level in bindings is deprecated by @​orov-io in https://github.com/fastify/fastify/pull/3896
• Handle aborted requests (#​215) by @​TimotejR in https://github.com/fastify/fastify/pull/4103

New Contributors

• @​orov-io made their first contribution in https://github.com/fastify/fastify/pull/3896
• @​TimotejR made their first contribution in https://github.com/fastify/fastify/pull/4103

Full Changelog: fastify/fastify@v3.29.0...v3.29.1

v3.29.0

Compare Source

What's Changed

• Update fastify-error dependency by @​jsumners in https://github.com/fastify/fastify/pull/3859

Full Changelog: fastify/fastify@v3.28.0...v3.29.0

v3.28.0

Compare Source

What's Changed

• (v3.x) Allow custom Context Config types for hooks' request properties by @​sumbad in https://github.com/fastify/fastify/pull/3787
• add generic logger to route handler & FastifyRequest by @​MarcoLeko in https://github.com/fastify/fastify/pull/3782
• (v3.x) fix: handle invalid url by @​climba03003 in https://github.com/fastify/fastify/pull/3806
• (v3.x) feat: reply trailers support by @​climba03003 in https://github.com/fastify/fastify/pull/3807

Full Changelog: fastify/fastify@v3.27.4...v3.28.0

v3.27.4

Compare Source

What's Changed

• [Backport v3.x] Fixed Node.js v18/master support by @​github-actions in https://github.com/fastify/fastify/pull/3761

Full Changelog: fastify/fastify@v3.27.3...v3.27.4

v3.27.3

Compare Source

What's Changed

• Drop @​typescript-eslint/no-misused-promises (#​3741) by @​mcollina in https://github.com/fastify/fastify/pull/3757

Full Changelog: fastify/fastify@v3.27.2...v3.27.3

v3.27.2

Compare Source

What's Changed

• fix: added jsonShorthand in FastifyServerOptions by @​DanieleFedeli in https://github.com/fastify/fastify/pull/3681
• fix: calling reply.callNotFound uncaught exception by @​VigneshMurugan in https://github.com/fastify/fastify/pull/3661
• style: fix new standard linting by @​Divlo in https://github.com/fastify/fastify/pull/3682
• docs(ecosystem): update fastify-jwt plugin with the new internal library it uses by @​rluvaton in https://github.com/fastify/fastify/pull/3689
• ci(package-manager): run test:ci instead of test by @​Divlo in https://github.com/fastify/fastify/pull/3692
• docs(ecosystem): adds @​immobiliarelabs/fastify-sentry by @​simonecorsi in https://github.com/fastify/fastify/pull/3693
• chore: fix plugin labeler by @​Eomm in https://github.com/fastify/fastify/pull/3694
• Add reference to FST_ERR_CTP_INVALID_MEDIA_TYPE error in the docs for validation & content type parser by @​AWare in https://github.com/fastify/fastify/pull/3697
• fix(types): add opts param to onRegister hook handler signature by @​bmenant in https://github.com/fastify/fastify/pull/3641
• update Server docs by @​matthyk in https://github.com/fastify/fastify/pull/3699
• Update middleware docs link by @​JamieGrimwood in https://github.com/fastify/fastify/pull/3706
• build(deps): bump tiny-lru from 7.0.6 to 8.0.1 by @​dependabot in https://github.com/fastify/fastify/pull/3700
• build(deps-dev): bump @​sinonjs/fake-timers from 8.1.0 to 9.1.0 by @​dependabot in https://github.com/fastify/fastify/pull/3683

New Contributors

• @​Divlo made their first contribution in https://github.com/fastify/fastify/pull/3682
• @​AWare made their first contribution in https://github.com/fastify/fastify/pull/3697
• @​bmenant made their first contribution in https://github.com/fastify/fastify/pull/3641
• @​JamieGrimwood made their first contribution in https://github.com/fastify/fastify/pull/3706

Full Changelog: fastify/fastify@v3.27.1...v3.27.2

v3.27.1

Compare Source

What's Changed

• docs: fix link to forceCloseConnections option by @​RafaelGSS in https://github.com/fastify/fastify/pull/3638
• docs(Prototype-Poisoning): invalid content link by @​RafaelGSS in https://github.com/fastify/fastify/pull/3639
• doc(Guides): fix grammar issue in the Prototype Poisoning file by @​rluvaton in https://github.com/fastify/fastify/pull/3640
• types: add forceCloseConnection type def by @​RafaelGSS in https://github.com/fastify/fastify/pull/3646
• Fixes #​3648 - URL must be a string by @​VigneshMurugan in https://github.com/fastify/fastify/pull/3653
• build: reduce dependabot update frequency by @​Fdawgs in https://github.com/fastify/fastify/pull/3659
• build: correct dependabot config by @​Fdawgs in https://github.com/fastify/fastify/pull/3662
• add missing types workflow by @​KiraPC in https://github.com/fastify/fastify/pull/3668
• Serialization errors will be send to errorHandler by @​int1ch in https://github.com/fastify/fastify/pull/3674
• Add Documentation and TS Types missed for FastifyInstance#setSchemaController by @​Grubba27 in https://github.com/fastify/fastify/pull/3480
• Add action to lock threads by @​jsumners in https://github.com/fastify/fastify/pull/3679

New Contributors

• @​rluvaton made their first contribution in https://github.com/fastify/fastify/pull/3640
• @​int1ch made their first contribution in https://github.com/fastify/fastify/pull/3674
• @​Grubba27 made their first contribution in https://github.com/fastify/fastify/pull/3480

Full Changelog: fastify/fastify@v3.27.0...v3.27.1

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[github-actions]

🎉 This PR is included in version 2.0.24 🎉

The release is available on:

• npm package (@latest dist-tag)
• GitHub release

Your semantic-release bot 📦🚀