Update modules for v5

[jsumners]

To prepare for v5 we need to go through the list of repositories in this issue and:

1. Determine if the module/project should be archived and marked as deprecated. Mostly we should look at the commit history to determine if the community is interested in the module/project. A secondary check would be inspecting the data for the module at npm-stat.com. Unless we have people using, and contributing to modules, we should be reducing our maintenance burden by archiving them.
2. Evaluate if the module/project needs any updates. Most likely this will simply mean updating dependencies, dropping Node <= 16, and updating CI configuration accordingly (see footnote 1). Note: we must pin tap@16.3.9 for any projects utilizing it. See https://github.com/fastify/fastify/issues/5116#issuecomment-1790152300 for a required change related to this. Blue Oak is now OSI approved (https://opensource.org/license/blue-oak-model-license/), thus solving the licensing issue on this dependency.

If you are interested in helping with any of these, please create a new issue in the repo you're interested in that has the title "Updating for v5" and a body with something like "👋 I'm X, and would like to work on this." It should also include a link back to this issue. After that issue is created, a member of the Fastify team will create a next branch for you to target. Once that branch is created, you will be able to start a new Pull Request that targets it. We will help out with any questions you may have.

• [ ] ~.github~
• [x] accept-negotiator
• [ ] ~action-pr-title~
• [x] ajv-compiler
• [x] any-schema-you-like
• [x] avvio
• [ ] aws-lambda-fastify
• [ ] ~benchmarks~
• [x] busboy
• [ ] compile-schemas-to-typescript
• [ ] create-fastify
• [x] csrf
• [x] csrf-protection
• [x] deepmerge
• [ ] ~deprecate-modules~
• [ ] ~docs-chinese~
• [ ] ~docs-korean~
• [ ] ~docs-portuguese~
• [x] env-schema
• [ ] ~example~
• [x] fast-content-type-parse (@nrayburn-tech)
• [x] fast-json-stringify
• [x] fast-json-stringify-compiler
• [ ] ~fast-proxy~
• [x] fast-uri
• [x] fastify
• [x] fastify-accepts
• [x] fastify-accepts-serializer
• [ ] fastify-api
• [x] fastify-auth
• [x] fastify-autoload
• [x] fastify-awilix
• [x] fastify-basic-auth
• [x] fastify-bearer-auth
• [x] fastify-caching
• [x] fastify-circuit-breaker
• [ ] fastify-citgm
• [ ] fastify-cli
• [x] fastify-compress
• [x] fastify-cookie
• [x] fastify-cors
• [x] fastify-diagnostics-channel
• [x] ~fastify-dx~
• [x] ~fastify-early-hints~
• [ ] fastify-elasticsearch
• [x] fastify-env
• [x] fastify-error
• [x] fastify-etag
• [ ] ~fastify-example-todo~
• [ ] ~fastify-example-twitter~
• [x] fastify-express
• [x] fastify-flash
• [x] fastify-formbody
• [x] fastify-funky
• [x] fastify-helmet
• [ ] fastify-hotwire
• [x] fastify-http-proxy
• [x] fastify-jwt
• [x] fastify-kafka
• [x] fastify-leveldb
• [x] fastify-mongodb
• [x] fastify-multipart
• [x] fastify-mysql
• [ ] fastify-nextjs
• [x] fastify-oauth2
• [ ] fastify-passport
• [x] fastify-plugin
• [x] fastify-postgres
• [x] fastify-rate-limit (@Eliphaz-Bouye)
• [x] fastify-redis
• [x] fastify-reply-from
• [x] fastify-request-context
• [x] fastify-response-validation
• [x] fastify-routes
• [x] fastify-routes-stats
• [x] fastify-schedule
• [x] fastify-secure-session
• [x] fastify-sensible
• [ ] ~fastify-snippet~
• [ ] ~fastify-soap-client~
• [ ] ~fastify-starter-codesandbox~
• [x] fastify-static
• [x] fastify-swagger
• [x] fastify-swagger-ui
• [ ] ~fastify-test~
• [x] fastify-throttle
• [ ] fastify-type-provider-fluent-json-schema
• [x] fastify-type-provider-json-schema-to-ts
• [x] fastify-type-provider-typebox
• [ ] ~fastify-typescript-extended-sample~
• [x] fastify-url-data
• [ ] fastify-vite
• [x] fastify-websocket
• [ ] fastify-zipkin
• [x] fluent-json-schema
• [x] forwarded (@Gesma94)
• [ ] ~gh-issues-finder~
• [ ] ~github-action-merge-dependabot~
• [ ] ~graphics~
• [ ] ~help~
• [ ] json-schema-ref-resolver
• [x] light-my-request
• [ ] manifetch
• [x] middie
• [x] one-line-logger
• [ ] pacchetto
• [x] point-of-view
• [x] pre-commit
• [x] process-warning
• [x] proxy-addr
• [ ] ~releasify~
• [x] restartable
• [x] safe-regex2
• [x] secure-json-parse
• [ ] ~semver-major-release-script~
• [x] send
• [x] session
• [x] skeleton
• [ ] ~tsconfig~
• [x] under-pressure
• [ ] ~vite-plugin-blueprint~
• [ ] ~website~
• [x] workflows (@nrayburn-tech)

---

Footnote 1

Regarding updating the CI configuration in these projects. Most projects in the list should have a CI workflow that looks like https://github.com/fastify/fast-content-type-parse/blob/4de4e57f2d2c2893094c2a46069e04767b179d8e/.github/workflows/ci.yml#L1-L23. Thus, we have a few possible changes:

1. If a project has a different configuration that the one linked in the previous paragraph, it is likely that the configuration should be update to match it.
2. If the project is using the linked configuration, it should be updated to reference the v4 tag of the worklows repo once issue https://github.com/fastify/workflows/issues/106 has been resolved.
3. If it is determined that the shared configuration should not be used for the project, the configuration should be updated as outlined at the top of this issue.

[Uzlopak]

@mcollina

Did you get feedback from openjs regarding tap v18 used as dev dependency?

[Fdawgs]

Majority of the repos are using the shared workflows so CI changes should be easy enough.

I'll hop on that.

[eliphazb]

@jsumners I've just created a issue to work on fastify/rate-limit plugin the link : https://github.com/fastify/fastify-rate-limit/issues/333

[gurgunday]

Note: we must pin tap@16.3.9 for any projects utilizing it.

Should we pin specifically to tap@16.3.9 or is ^16 sufficient?

[gurgunday]

Also, maybe we can also work on centralizing all CI workflows (and possibly most scripts) during this release cycle

I see that some repos use plugins-ci, which is great, but others use dedicated workflows

WDYT?

CC @Eomm

[jsumners]

Note: we must pin tap@16.3.9 for any projects utilizing it.

Should we pin specifically to tap@16.3.9 or is ^16 sufficient?

16.3.9 is the last release in the accepted release line. It should be pinned explicitly as an indicator of intention

[Eomm]

Also, maybe we can also work on centralizing all CI workflows (and possibly most scripts) during this release cycle

We have centralized all the main extranal software such as redis. so I think it is a matter of missing PR or unsupported versions

Right now the releases are going to change: we are waiting the OpenJS Foundation as npm provenance signature host

[Fdawgs]

As part of pinning tap, Dependabot configs also needs to be updated to ignore major tap versions to stop it from opening PRs, see: https://github.com/fastify/fastify/blob/396b8b95bf0f1313b9deeb387d68fdc7ffa97abe/.github/dependabot.yml#L35-L37

[Eomm]

A reminder that we have this notion page to see all the public repos and download stats:

• https://eomm.notion.site/7a064537ee794af698684df68e215b54?v=a660ff01ca5344769a5f2b1a1c4eeda4&pvs=4

[nrayburn-tech]

Just wanted to put a checklist of items to look at when updating a package that I have found so far. These won't apply for every repo, but they should be checked if they apply or not for every repo. I'll keep adding to this as I find anything else. (Feel free to edit/update this comment or copy it into the main issue summary.)

• Update the workflows in the .github folder. Point them to v4 (temporarily using a hash until v4 is ready https://github.com/fastify/workflows/issues/108)
• Pin tap to 16.3.9
• Update the dependabot config to ignore tap major updates (https://github.com/fastify/fastify/issues/5116#issuecomment-1790152300)
• Remove engines from the package.json if it exists
• Update the minimum fastify version if the project is using fastify-plugin (https://github.com/fastify/any-schema-you-like/blob/01523e724db7ef1be3c73f27d7f30f5e5f2ee671/index.js#L34)
• Update any documentation that might contain the minimum supported fastify version (https://github.com/fastify/ajv-compiler/blob/701dc72f187a43a898e2fa0c14732647f8e915b9/README.md?plain=1#L13-L17)

[Fdawgs]

We may not need to pin tap: https://github.com/openjs-foundation/cross-project-council/issues/1170#issuecomment-1802733531

[jsumners]

I am keeping up with that thread (as you probably can see). I will update the task list here if it comes about in time that Blue Oak is authorized. But we can bump tap at any time without affecting the major-ness of any releases.

[Uzlopak]

Maybe we should archive the docs-chinese, docs-portuguese and docs-korean, as there is basically no activity.

[mcollina]

We can not upgrade tap in any repo that supports node v14, so it'd be a Fastify v5 affair.

As far as it seems, Blue Oak is on track to be OSI approved in a month. If it's not, then we would need to migrate (seems very unlikely).

[mcollina]

I think it's mostly safe for v5 to upgrade to latest tap.

[gurgunday]

fastify-dx is archived, it can be marked as done

[Fdawgs]

As far as it seems, Blue Oak is on track to be OSI approved in a month. If it's not, then we would need to migrate (seems very unlikely).

@mcollina I remember seeing you mention a Linux/OpenJS Foundation mailing list discussing this but lost the link. I think the consensus was it's good to go?

[climba03003]

I remember seeing you mention a Linux/OpenJS Foundation mailing list discussing this but lost the link.

Starting from http://lists.opensource.org/pipermail/license-review_lists.opensource.org/2023-November/005441.html The last comment was Dec 27 2023, I do not subscribe the mailing list. I don't know if there were new comment in Jan 2024.

[jsumners]

There is not yet a resolution on the OSI inclusion of Blue Oak.

[jsumners]

fastify-dx is archived, it can be marked as done

@galvez please mark fastify-dx as deprecated on npmjs.com.

[jsumners]

Blue Oak is now OSI approved. We should be able to utilize tap@18 without issue at this point (unless @mcollina says we need even further approval from OpenJSF)`.

https://opensource.org/license/blue-oak-model-license/

[Fdawgs]

Blue Oak is now OSI approved. We should be able to utilize tap@18 without issue at this point (unless @mcollina says we need even further approval from OpenJSF)`.

https://opensource.org/license/blue-oak-model-license/

Will sort the .gitignore files for all the repos, see https://github.com/fastify/skeleton/issues/51#issuecomment-1915323188

[climba03003]

Tracking for OpenJSF approval https://github.com/openjs-foundation/cross-project-council/issues/1170

[jsumners]

It is approved. My updates above are accurate.

https://github.com/openjs-foundation/cross-project-council/pull/1245

[Fdawgs]

Will sort the .gitignore files for all the repos, see fastify/skeleton#51 (comment)

PR made for all repos which sorts this.

[simoneb]

Hi all, we (Nearform) would like to help out with this, even take care of all the repos as a batch. Before taking this up, I would like to confirm that the plan is still as described in this issue:

1. assessing whether the repo is to be archived/deprecated
2. if not, make the necessary changes
   1. update CI
   2. bump deps

On the second point above, I would like to confirm that the changes we see in one of the repos that were already updated are those that should be done across the other repos, for example: https://github.com/fastify/fastify-cookie/pull/276. Meaning:

• bumping the CI workflow to use v4
• updating all dependencies. On this point, I would like to understand if there's any specific criteria to follow. Do we bump all deps to the latest version? Do we bump major versions? Any other advice is welcome

Thanks

[jsumners]

Yes, that is an accurate summation. Regarding dependencies, please update to the latest major versions unless there is some reason to prevent it (e.g. the module changed to ESM only).

[Fdawgs]

Blue Oak is now OSI approved. We should be able to utilize tap@18 without issue at this point (unless @mcollina says we need even further approval from OpenJSF)`.

https://opensource.org/license/blue-oak-model-license/

Any that have already been updated to pin tap need to be updated to unpin it.

[jsumners]

That is complicated. tap@16 isn't going to give us full coverage checking on Node 20+, but current tap is a very heavy dependency. Switching to node:test has other issues. I really don't know what to do here.

[gurgunday]

I think long term node:test looks amazing and for me is delightful to use, but I agree that it's too much work right now

[simoneb]

I agree that node:test is the way to go in the future, but I wouldn't see it as part of this issue.

[climba03003]

If we plan to change the test runner, it should be the last step before release. The result is that, it create a large conflict between current main and next branch.

[mcollina]

I don't think we should change the test runner, we already have enough work as it is.

[synapse]

Hey guys, we've come across some issues with tap when updating it to the latest versions.

• In some repos it complains about the .taprc file, and throws errors complaining about unknown config options (the upgrade to v18 docs do not seem to cover these issues or how to convert old options).
• tap v18 also affects plugins like fastify/swagger which fails against the unit tests due to stricter assertions. More info here
• it also fails some tests in specific os's like when tested on ubuntu thus skipping all the other os tests

What would be the best scenario in these case? Tap 16.x seems to be running just fine for now with all the other deps upgrades. Should we keep version 16?

[jsumners]

Most of the changes for tap@18 are covered in https://github.com/fastify/fastify/pull/4978. But, as I said, this specific dependency is complicated. The old tap@16 uses istanbul for code coverage and there are known issues with it not picking up coverage on Node >= 20 (which is why you see c8 in the changes linked in this response). I don't like the idea of changing the test framework, but I'm not convinced it is avoidable.

[jsumners]

@fastify/collaborators please read https://github.com/orgs/fastify/discussions/39

[mcollina]

Should we keep version 16?

No, not really, we should move to v18 or move to node:test. The former is preferred because it'll be less changes.

[synapse]

Hey everyone, us, the team at Nearform has been doing an amazing job over the past week to upgrade as many plugins as possible to be ready for Fastify v5. We've also put together a comprehensive list of all the plugins, along with additional links to the PRs we've opened and NPM Stats for repositories that we believe are no longer in use or not worth upgrading. However, the decision on whether to upgrade these repositories is ultimately up to you.

:x: - closed without merge :+1: - done by us + merged :white_check_mark: - done by somebody else :stopwatch: - done by us - not merged yet :skull_and_crossbones: - we consider that this repo should be archived (up to you) :toolbox: - working on this :question: - doubts/questions :warning: - has issues upgrading

• [ ] accept-negotiator
• [ ] action-pr-title :skull_and_crossbones: NPM Stats
• [ ] ajv-compiler
• [ ] any-schema-you-like :skull_and_crossbones: NPM Stats
• [x] avvio :white_check_mark:
• [x] aws-lambda-fastify :white_check_mark:
• [ ] benchmarks :skull_and_crossbones: NPM Stats
• [ ] busboy :stopwatch: (@synapse) PR
• [ ] compile-schemas-to-typescript :skull_and_crossbones: NPM Stats
• [ ] create-fastify :skull_and_crossbones::question: NPM Stats
• [ ] csrf :stopwatch: (@synapse) PR
• [ ] csrf-protection
• [ ] deepmerge :stopwatch: PR
• [ ] deprecate-modules :skull_and_crossbones: NPM Stats
• [ ] docs-chinese :skull_and_crossbones: NPM Stats
• [ ] docs-korean :skull_and_crossbones: NPM Stats
• [ ] docs-portuguese :skull_and_crossbones: NPM Stats
• [ ] env-schema :toolbox: (@synapse)
• [ ] example
• [ ] fast-json-stringify :stopwatch: (@synapse) PR
• [ ] fast-json-stringify-compiler
• [ ] fast-proxy
• [ ] fast-uri
• [ ] fastify
• [x] fastify-accepts :+1: (@bilalshareef) PR
• [ ] fastify-accepts-serializer :stopwatch: (@bilalshareef) PR
• [ ] fastify-api :skull_and_crossbones::question: NPM Stats
• [x] fastify-auth :+1: (@synapse) PR
• [ ] fastify-autoload
• [ ] fastify-awilix :stopwatch: (@bilalshareef) PR
• [ ] fastify-basic-auth :stopwatch: (@synapse) PR
• [ ] fastify-bearer-auth
• [x] fastify-caching :white_check_mark:
• [x] fastify-circuit-breaker :+1: (@bilalshareef) PR
• [ ] fastify-citgm :skull_and_crossbones: NPM Stats
• [ ] fastify-cli
• [ ] fastify-compress
• [ ] fastify-cookie :white_check_mark:
• [x] fastify-cors :+1: (@bilalshareef) PR
• [ ] fastify-diagnostics-channel :skull_and_crossbones: NPM Stats
• [x] fastify-dx :white_check_mark:
• [ ] fastify-early-hints :toolbox: (@bilalshareef)
• [ ] fastify-elasticsearch
• [x] fastify-env :+1: (@bilalshareef) PR
• [ ] fastify-error :stopwatch: (@synapse) PR
• [x] fastify-etag :+1: (@bilalshareef) PR
• [ ] fastify-example-todo :skull_and_crossbones: [NPM Stats]()
• [ ] fastify-example-twitter :skull_and_crossbones: [NPM Stats]()
• [x] fastify-express :+1: (@synapse) PR
• [ ] fastify-flash :stopwatch: (@synapse)
• [x] fastify-formbody :+1: (@synapse) PR
• [ ] fastify-funky :skull_and_crossbones: NPM Stats
• [x] fastify-helmet :+1: (@synapse) PR
• [ ] fastify-hotwire :skull_and_crossbones: NPM Stats
• [ ] fastify-http-proxy
• [ ] fastify-jwt :stopwatch: (@synapse) PR
• [ ] fastify-kafka :skull_and_crossbones::question: (peak around 10) NPM Stats
• [ ] fastify-leveldb :skull_and_crossbones: NPM Stats
• [ ] fastify-mongodb :stopwatch: (@synapse) PR
• [ ] fastify-multipart :x: (@synapse) PR
• [ ] fastify-mysql :stopwatch: (@synapse) PR
• [ ] fastify-nextjs :stopwatch: (@synapse) PR
• [ ] fastify-oauth2 :stopwatch: (@synapse) PR
• [ ] fastify-passport :stopwatch: (@synapse) PR
• [ ] fastify-plugin :stopwatch: (@synapse) PR
• [x] fastify-postgres :+1: (@synapse) PR
• [ ] fastify-rate-limit :white_check_mark:
• [ ] fastify-redis :stopwatch: (@synapse) PR
• [ ] fastify-reply-from :warning: problematic upgrade
• [x] fastify-request-context :+1: PR
• [ ] fastify-response-validation
• [x] fastify-routes :+1: (@bilalshareef) PR
• [ ] fastify-routes-stats
• [x] fastify-schedule :+1: (@bilalshareef) PR
• [x] fastify-secure-session :+1: (@bilalshareef) PR
• [x] fastify-sensible :+1: (@bilalshareef) PR
• [ ] fastify-snippet :skull_and_crossbones: NPM Stats
• [ ] fastify-soap-client :skull_and_crossbones: NPM Stats
• [ ] fastify-starter-codesandbox :skull_and_crossbones: NPM Stats
• [ ] fastify-static :stopwatch: (@bilalshareef) PR
• [ ] fastify-swagger
• [ ] fastify-swagger-ui
• [ ] fastify-test :skull_and_crossbones: NPM Stats
• [ ] fastify-throttle
• [ ] fastify-type-provider-fluent-json-schema :skull_and_crossbones: NPM Stats
• [ ] fastify-type-provider-json-schema-to-ts :skull_and_crossbones: NPM Stats
• [ ] fastify-type-provider-typebox :skull_and_crossbones: NPM Stats
• [ ] fastify-typescript-extended-sample :skull_and_crossbones: NPM Stats
• [ ] fastify-url-data :white_check_mark:
• [ ] fastify-vite :question: (not sure what to do with this)
• [ ] fastify-websocket :stopwatch:
• [ ] fastify-zipkin :skull_and_crossbones: NPM Stats
• [ ] fluent-json-schema
• [ ] forwarded
• [ ] gh-issues-finder :skull_and_crossbones: NPM Stats
• [ ] github-action-merge-dependabot :skull_and_crossbones: NPM Stats
• [ ] graphics
• [ ] help
• [ ] json-schema-ref-resolver
• [ ] light-my-request
• [ ] manifetch
• [ ] middie
• [ ] one-line-logger
• [ ] pacchetto
• [ ] point-of-view
• [ ] pre-commit
• [ ] process-warning
• [ ] proxy-addr
• [ ] releasify
• [ ] restartable
• [ ] safe-regex2
• [ ] secure-json-parse
• [ ] semver-major-release-script
• [ ] send
• [ ] session
• [ ] skeleton
• [ ] tsconfig
• [ ] under-pressure
• [ ] vite-plugin-blueprint
• [ ] website
• [ ] workflows :white_check_mark:

[gurgunday]

This is absolutely amazing, especially since I also had some ideas about archiving a few of the repos

Thank you so much

[gurgunday]

@synapse small issue with the list showing dead packages, some packages were checked against the wrong names

For instance we should check for @fastify/accept-negotiator instead, which is downloaded 1 million times a week, and not 0

These (and potentially others) seem to be wrong: https://www.npmjs.com/package/accept-negotiator https://www.npmjs.com/package/action-pr-title https://www.npmjs.com/package/github-action-merge-dependabot

I can't edit comments so can't fix it manually, would be appreciated if you could take a look

[synapse]

Hey @gurgunday sorry for that, I've rechecked all repos previously marked as to be archived. Indeed the NPM naming was different from the repo name. I've updated them, fortunately there were only a few of them off. I also left you the markdown source there in case you want to update the main one. Let me know if there are thing that seem off

[Fdawgs]

Ah crud, just realised we missed something. We need to update the plugin version across all of them, for example: https://github.com/fastify/under-pressure/blob/7eca099076d525dea037405582f0cd48ee593cf3/index.js#L312

[gurgunday]

I think someone said doing that without first releasing a version of v5 causes a crash?

Haven't looked at the code though so not sure

[nrayburn-tech]

The fastify plugin seems to support multiple versions by using Semver ranges. https://github.com/fastify/fastify-plugin?tab=readme-ov-file#fastify-version

Somebody from the fastify team should probably share what is expected, but I would guess something like the below.

• if the plugin only supports v4 today, update it to only support v5 on the next branch.
• If the plugin supports multiple versions then the plugin probably needs an issue created and a discussion to decide how to move forward.

Once the next branch is updated, if it only supports v5 then that branch won’t be usable until a v5 version is released. It might make sense to wait for an alpha or beta version of v5 that can be used before making that change. Or, doing an alpha release solely for this reason.

[Fdawgs]

I think someone said doing that without first releasing a version of v5 causes a crash?

Ah yeah, good point. Ignore me 😹

[gurgunday]

@nrayburn-tech yeah next plugins will definitely only support v5 (and node LTS versions >=18) in general — that's been the case in previous cycles

We should release an alpha/beta very soon, as soon as we can rebase next

Then we (or @Fdawgs, who is good at this 😄) can run a script to mass update next plugins to change that plugin version

[puskin94]

it looks all the plugins / repos are in one of this 2 statuses:

1. a PR for reaching v5 has been submitted and merged
2. a PR for reaching v5 has been submitted and it is in the review status

v5 is near 🥳

[simoneb]

Thanks everybody. I'd like to mention especially @synapse, @bilalshareef, @puskin94 and @gesma94 who have contributed this work on behalf of Nearform.

[simoneb]

Is there anything else that needs support to get this over the line?

[gurgunday]

Other than a few small issues in repos like restartable and autoload, we're nearly done with plugin updates

I will propose archiving a few plugins, so I haven't updated them, but the rest is complete I think

We should start doing prereleases of v5 soon