github-actions[bot]
commented
9 months ago :tada: This PR is included in version 2.0.24 :tada:
The release is available on:
Your semantic-release bot :package::rocket:
Closed renovate[bot] closed 9 months ago
github-actions[bot]
commented
9 months ago :tada: This PR is included in version 2.0.24 :tada:
The release is available on:
Your semantic-release bot :package::rocket:
This PR contains the following updates:
3.27.0->3.29.4GitHub Vulnerability Alerts
CVE-2022-41919
Impact
The attacker can use the incorrect
Content-Typeto bypass thePre-Flightchecking offetch.fetch()requests with Content-Type’s essence as "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain", could potentially be used to invoke routes that only acceptsapplication/jsoncontent type, thus bypassing any CORS protection, and therefore they could lead to a Cross-Site Request Forgery attack.Patches
For
4.xusers, please update to at least4.10.2For3.xusers, please update to at least3.29.4Workarounds
Implement Cross-Site Request Forgery protection using
@fastify/csrf.References
Check out the HackerOne report: https://hackerone.com/reports/1763832.
For more information
Fastify security policy
Release Notes
fastify/fastify (fastify)
### [`v3.29.4`](https://togithub.com/fastify/fastify/releases/tag/v3.29.4) [Compare Source](https://togithub.com/fastify/fastify/compare/v3.29.3...v3.29.4) #### ⚠️ Security Release ⚠️ - Fix for ["Incorrect Content-Type parsing can lead to CSRF attack"](https://togithub.com/fastify/fastify/security/advisories/GHSA-3fjj-p79j-c9hh) and CVE-2022-41919 **Full Changelog**: https://github.com/fastify/fastify/compare/v3.29.3...v3.29.4 ### [`v3.29.3`](https://togithub.com/fastify/fastify/releases/tag/v3.29.3) [Compare Source](https://togithub.com/fastify/fastify/compare/v3.29.2...v3.29.3) ### ⚠️ ~Security Release~ ⚠️ This release backport the fixes of https://github.com/fastify/fastify/security/advisories/GHSA-455w-c45v-86rg for the v3.x line. While not being a vulnerability for this line, a backport is still welcome due to the problems highlighted in the report. **Full Changelog**: https://github.com/fastify/fastify/compare/v3.29.2...v3.29.3 ### [`v3.29.2`](https://togithub.com/fastify/fastify/releases/tag/v3.29.2) [Compare Source](https://togithub.com/fastify/fastify/compare/v3.29.1...v3.29.2) #### What's Changed - fix: backport reused connection fix by [@salzhrani](https://togithub.com/salzhrani) in [https://github.com/fastify/fastify/pull/4217](https://togithub.com/fastify/fastify/pull/4217) #### New Contributors - [@salzhrani](https://togithub.com/salzhrani) made their first contribution in [https://github.com/fastify/fastify/pull/4217](https://togithub.com/fastify/fastify/pull/4217) **Full Changelog**: https://github.com/fastify/fastify/compare/v3.29.1...v3.29.2 ### [`v3.29.1`](https://togithub.com/fastify/fastify/releases/tag/v3.29.1) [Compare Source](https://togithub.com/fastify/fastify/compare/v3.29.0...v3.29.1) #### What's Changed - docs: reference new `@fastify/*` modules by [@Fdawgs](https://togithub.com/Fdawgs) in [https://github.com/fastify/fastify/pull/3860](https://togithub.com/fastify/fastify/pull/3860) - Child log level in bindings is deprecated by [@orov-io](https://togithub.com/orov-io) in [https://github.com/fastify/fastify/pull/3896](https://togithub.com/fastify/fastify/pull/3896) - Handle aborted requests ([#215](https://togithub.com/fastify/fastify/issues/215)) by [@TimotejR](https://togithub.com/TimotejR) in [https://github.com/fastify/fastify/pull/4103](https://togithub.com/fastify/fastify/pull/4103) #### New Contributors - [@orov-io](https://togithub.com/orov-io) made their first contribution in [https://github.com/fastify/fastify/pull/3896](https://togithub.com/fastify/fastify/pull/3896) - [@TimotejR](https://togithub.com/TimotejR) made their first contribution in [https://github.com/fastify/fastify/pull/4103](https://togithub.com/fastify/fastify/pull/4103) **Full Changelog**: https://github.com/fastify/fastify/compare/v3.29.0...v3.29.1 ### [`v3.29.0`](https://togithub.com/fastify/fastify/releases/tag/v3.29.0) [Compare Source](https://togithub.com/fastify/fastify/compare/v3.28.0...v3.29.0) #### What's Changed - Update fastify-error dependency by [@jsumners](https://togithub.com/jsumners) in [https://github.com/fastify/fastify/pull/3859](https://togithub.com/fastify/fastify/pull/3859) **Full Changelog**: https://github.com/fastify/fastify/compare/v3.28.0...v3.29.0 ### [`v3.28.0`](https://togithub.com/fastify/fastify/releases/tag/v3.28.0) [Compare Source](https://togithub.com/fastify/fastify/compare/v3.27.4...v3.28.0) #### What's Changed - (v3.x) Allow custom Context Config types for hooks' `request` properties by [@sumbad](https://togithub.com/sumbad) in [https://github.com/fastify/fastify/pull/3787](https://togithub.com/fastify/fastify/pull/3787) - add generic logger to route handler & FastifyRequest by [@MarcoLeko](https://togithub.com/MarcoLeko) in [https://github.com/fastify/fastify/pull/3782](https://togithub.com/fastify/fastify/pull/3782) - (v3.x) fix: handle invalid url by [@climba03003](https://togithub.com/climba03003) in [https://github.com/fastify/fastify/pull/3806](https://togithub.com/fastify/fastify/pull/3806) - (v3.x) feat: reply trailers support by [@climba03003](https://togithub.com/climba03003) in [https://github.com/fastify/fastify/pull/3807](https://togithub.com/fastify/fastify/pull/3807) **Full Changelog**: https://github.com/fastify/fastify/compare/v3.27.4...v3.28.0 ### [`v3.27.4`](https://togithub.com/fastify/fastify/releases/tag/v3.27.4) [Compare Source](https://togithub.com/fastify/fastify/compare/v3.27.3...v3.27.4) #### What's Changed - \[Backport v3.x] Fixed Node.js v18/master support by [@github-actions](https://togithub.com/github-actions) in [https://github.com/fastify/fastify/pull/3761](https://togithub.com/fastify/fastify/pull/3761) **Full Changelog**: https://github.com/fastify/fastify/compare/v3.27.3...v3.27.4 ### [`v3.27.3`](https://togithub.com/fastify/fastify/releases/tag/v3.27.3) [Compare Source](https://togithub.com/fastify/fastify/compare/v3.27.2...v3.27.3) #### What's Changed - Drop [@typescript-eslint/no-misused-promises](https://togithub.com/typescript-eslint/no-misused-promises) ([#3741](https://togithub.com/fastify/fastify/issues/3741)) by [@mcollina](https://togithub.com/mcollina) in [https://github.com/fastify/fastify/pull/3757](https://togithub.com/fastify/fastify/pull/3757) **Full Changelog**: https://github.com/fastify/fastify/compare/v3.27.2...v3.27.3 ### [`v3.27.2`](https://togithub.com/fastify/fastify/releases/tag/v3.27.2) [Compare Source](https://togithub.com/fastify/fastify/compare/v3.27.1...v3.27.2) #### What's Changed - fix: added jsonShorthand in FastifyServerOptions by [@DanieleFedeli](https://togithub.com/DanieleFedeli) in [https://github.com/fastify/fastify/pull/3681](https://togithub.com/fastify/fastify/pull/3681) - fix: calling reply.callNotFound uncaught exception by [@VigneshMurugan](https://togithub.com/VigneshMurugan) in [https://github.com/fastify/fastify/pull/3661](https://togithub.com/fastify/fastify/pull/3661) - style: fix new `standard` linting by [@Divlo](https://togithub.com/Divlo) in [https://github.com/fastify/fastify/pull/3682](https://togithub.com/fastify/fastify/pull/3682) - docs(ecosystem): update fastify-jwt plugin with the new internal library it uses by [@rluvaton](https://togithub.com/rluvaton) in [https://github.com/fastify/fastify/pull/3689](https://togithub.com/fastify/fastify/pull/3689) - ci(package-manager): run `test:ci` instead of `test` by [@Divlo](https://togithub.com/Divlo) in [https://github.com/fastify/fastify/pull/3692](https://togithub.com/fastify/fastify/pull/3692) - docs(ecosystem): adds [@immobiliarelabs/fastify-sentry](https://togithub.com/immobiliarelabs/fastify-sentry) by [@simonecorsi](https://togithub.com/simonecorsi) in [https://github.com/fastify/fastify/pull/3693](https://togithub.com/fastify/fastify/pull/3693) - chore: fix plugin labeler by [@Eomm](https://togithub.com/Eomm) in [https://github.com/fastify/fastify/pull/3694](https://togithub.com/fastify/fastify/pull/3694) - Add reference to FST_ERR_CTP_INVALID_MEDIA_TYPE error in the docs for validation & content type parser by [@AWare](https://togithub.com/AWare) in [https://github.com/fastify/fastify/pull/3697](https://togithub.com/fastify/fastify/pull/3697) - fix(types): add opts param to onRegister hook handler signature by [@bmenant](https://togithub.com/bmenant) in [https://github.com/fastify/fastify/pull/3641](https://togithub.com/fastify/fastify/pull/3641) - update Server docs by [@matthyk](https://togithub.com/matthyk) in [https://github.com/fastify/fastify/pull/3699](https://togithub.com/fastify/fastify/pull/3699) - Update middleware docs link by [@JamieGrimwood](https://togithub.com/JamieGrimwood) in [https://github.com/fastify/fastify/pull/3706](https://togithub.com/fastify/fastify/pull/3706) - build(deps): bump tiny-lru from 7.0.6 to 8.0.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/fastify/fastify/pull/3700](https://togithub.com/fastify/fastify/pull/3700) - build(deps-dev): bump [@sinonjs/fake-timers](https://togithub.com/sinonjs/fake-timers) from 8.1.0 to 9.1.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/fastify/fastify/pull/3683](https://togithub.com/fastify/fastify/pull/3683) #### New Contributors - [@Divlo](https://togithub.com/Divlo) made their first contribution in [https://github.com/fastify/fastify/pull/3682](https://togithub.com/fastify/fastify/pull/3682) - [@AWare](https://togithub.com/AWare) made their first contribution in [https://github.com/fastify/fastify/pull/3697](https://togithub.com/fastify/fastify/pull/3697) - [@bmenant](https://togithub.com/bmenant) made their first contribution in [https://github.com/fastify/fastify/pull/3641](https://togithub.com/fastify/fastify/pull/3641) - [@JamieGrimwood](https://togithub.com/JamieGrimwood) made their first contribution in [https://github.com/fastify/fastify/pull/3706](https://togithub.com/fastify/fastify/pull/3706) **Full Changelog**: https://github.com/fastify/fastify/compare/v3.27.1...v3.27.2 ### [`v3.27.1`](https://togithub.com/fastify/fastify/releases/tag/v3.27.1) [Compare Source](https://togithub.com/fastify/fastify/compare/v3.27.0...v3.27.1) #### What's Changed - docs: fix link to forceCloseConnections option by [@RafaelGSS](https://togithub.com/RafaelGSS) in [https://github.com/fastify/fastify/pull/3638](https://togithub.com/fastify/fastify/pull/3638) - docs(Prototype-Poisoning): invalid content link by [@RafaelGSS](https://togithub.com/RafaelGSS) in [https://github.com/fastify/fastify/pull/3639](https://togithub.com/fastify/fastify/pull/3639) - doc(Guides): fix grammar issue in the Prototype Poisoning file by [@rluvaton](https://togithub.com/rluvaton) in [https://github.com/fastify/fastify/pull/3640](https://togithub.com/fastify/fastify/pull/3640) - types: add forceCloseConnection type def by [@RafaelGSS](https://togithub.com/RafaelGSS) in [https://github.com/fastify/fastify/pull/3646](https://togithub.com/fastify/fastify/pull/3646) - Fixes [#3648](https://togithub.com/fastify/fastify/issues/3648) - URL must be a string by [@VigneshMurugan](https://togithub.com/VigneshMurugan) in [https://github.com/fastify/fastify/pull/3653](https://togithub.com/fastify/fastify/pull/3653) - build: reduce dependabot update frequency by [@Fdawgs](https://togithub.com/Fdawgs) in [https://github.com/fastify/fastify/pull/3659](https://togithub.com/fastify/fastify/pull/3659) - build: correct dependabot config by [@Fdawgs](https://togithub.com/Fdawgs) in [https://github.com/fastify/fastify/pull/3662](https://togithub.com/fastify/fastify/pull/3662) - add missing types workflow by [@KiraPC](https://togithub.com/KiraPC) in [https://github.com/fastify/fastify/pull/3668](https://togithub.com/fastify/fastify/pull/3668) - Serialization errors will be send to errorHandler by [@int1ch](https://togithub.com/int1ch) in [https://github.com/fastify/fastify/pull/3674](https://togithub.com/fastify/fastify/pull/3674) - Add Documentation and TS Types missed for FastifyInstance#setSchemaController by [@Grubba27](https://togithub.com/Grubba27) in [https://github.com/fastify/fastify/pull/3480](https://togithub.com/fastify/fastify/pull/3480) - Add action to lock threads by [@jsumners](https://togithub.com/jsumners) in [https://github.com/fastify/fastify/pull/3679](https://togithub.com/fastify/fastify/pull/3679) #### New Contributors - [@rluvaton](https://togithub.com/rluvaton) made their first contribution in [https://github.com/fastify/fastify/pull/3640](https://togithub.com/fastify/fastify/pull/3640) - [@int1ch](https://togithub.com/int1ch) made their first contribution in [https://github.com/fastify/fastify/pull/3674](https://togithub.com/fastify/fastify/pull/3674) - [@Grubba27](https://togithub.com/Grubba27) made their first contribution in [https://github.com/fastify/fastify/pull/3480](https://togithub.com/fastify/fastify/pull/3480) **Full Changelog**: https://github.com/fastify/fastify/compare/v3.27.0...v3.27.1Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.