Closed renovate[bot] closed 1 year ago
| Site | Latest commit | Latest deploy log |
|---|---|---|
| quirrel-docs | 59ffc89f78040592dee90f37bed14c57658a22e0 | https://app.netlify.com/sites/quirrel-docs/deploys/642aeaa207a45400081a6c89 |
| quirrel-development-ui | 59ffc89f78040592dee90f37bed14c57658a22e0 | https://app.netlify.com/sites/quirrel-development-ui/deploys/642aeaa2d036630007524bfe |
This PR contains the following updates:

| Package | Change |
|---|---|
| [fastify](https://togithub.com/fastify/fastify) | `4.9.2` -> `4.10.2` |
### GitHub Vulnerability Alerts

#### CVE-2022-41919

##### Impact

An attacker can use an incorrect `Content-Type` to bypass the pre-flight check of `fetch`. `fetch()` requests whose Content-Type essence is "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain" could potentially be used to invoke routes that only accept the `application/json` content type, thus bypassing any CORS protection and therefore leading to a Cross-Site Request Forgery attack.

These three essences are exactly the ones the Fetch specification treats as CORS-safelisted: a cross-origin POST carrying one of them is sent by the browser, cookies included, without an OPTIONS preflight. A route that only expects JSON is normally shielded from cross-site calls because a real `application/json` request is always preflighted; that shield disappears if the server does not compare the parsed essence of the header before routing the body to the JSON handler.

##### Patches

- For `4.x` users, please update to at least `4.10.2`.
- For `3.x` users, please update to at least `3.29.4`.

##### Workarounds

Implement Cross-Site Request Forgery protection using `@fastify/csrf`. A token-based CSRF check does not depend on how the Content-Type header is parsed, so it holds regardless of the parser behaviour.

##### References

Check out the HackerOne report: https://hackerone.com/reports/1763832.

##### For more information

Fastify security policy
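The mechanism described above, worked through as an added example in Node.js. This is not Fastify's code and not the project's content-type parser: the "loose" substring matcher is a constructed illustration of the bug class, the media-type parser is a reduced version of the WHATWG "parse a MIME type" algorithm, and the sample Content-Type values are constructed here. It shows which header values a browser sends cross-origin without a preflight, and why a server gate that compares only the parsed essence cannot be reached that way for a JSON-only route.

```javascript
// Added example (not Fastify's code): why a JSON-only route can be hit
// cross-site when Content-Type is matched loosely instead of by essence.

// Content-Type essences the Fetch spec treats as CORS-safelisted. A cross-
// origin POST whose Content-Type has one of these essences (and no other
// non-safelisted headers) is a "simple request": the browser sends it, with
// cookies if credentials are included, WITHOUT an OPTIONS preflight.
const SAFELISTED_ESSENCES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// RFC 7230 token characters, used for type and subtype.
const TOKEN = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/;

// Reduced media-type parser modelled on the WHATWG "parse a MIME type"
// algorithm: returns { essence, params } or null. Parameters without '='
// are ignored rather than rejected, matching what browsers do. Quoted
// parameter values containing ';' are not handled (simplification).
function parseContentType(value) {
  if (typeof value !== 'string') return null;
  const [mediaType, ...rest] = value.split(';');
  const slash = mediaType.indexOf('/');
  if (slash === -1) return null;
  const type = mediaType.slice(0, slash).trim();
  const subtype = mediaType.slice(slash + 1).trim();
  if (!TOKEN.test(type) || !TOKEN.test(subtype)) return null;
  const params = Object.create(null);
  for (const part of rest) {
    const eq = part.indexOf('=');
    if (eq === -1) continue; // "text/plain;foo" -> the bare "foo" is ignored
    const name = part.slice(0, eq).trim().toLowerCase();
    let val = part.slice(eq + 1).trim();
    if (val.length >= 2 && val.startsWith('"') && val.endsWith('"')) val = val.slice(1, -1);
    if (name && !(name in params)) params[name] = val; // first occurrence wins
  }
  return { essence: `${type}/${subtype}`.toLowerCase(), params };
}

// Simplified CORS-safelisted check for the Content-Type header only. The
// Fetch spec also caps a safelisted value at 128 bytes; the other simple-
// request conditions (method, remaining headers) are assumed to hold.
function skipsPreflight(contentType) {
  if (typeof contentType !== 'string' || contentType.length > 128) return false;
  const parsed = parseContentType(contentType);
  return parsed !== null && SAFELISTED_ESSENCES.has(parsed.essence);
}

// Loose gate, constructed here to show the bug class: a substring match lets
// a safelisted media type smuggle the "application/json" marker. This is an
// illustration only, not Fastify's actual parser lookup.
function looseAcceptsJson(contentType) {
  return typeof contentType === 'string' &&
    contentType.toLowerCase().includes('application/json');
}

// Strict gate: only the parsed essence decides.
function strictAcceptsJson(contentType) {
  const parsed = parseContentType(contentType);
  return parsed !== null && parsed.essence === 'application/json';
}

// The CSRF condition for a JSON-only route: the browser sends the request
// without preflight AND the server's gate still routes it to the JSON handler.
function csrfReachable(gate, contentType) {
  return skipsPreflight(contentType) && gate(contentType);
}

// Constructed Content-Type values an attacker page could send with
// fetch(url, { method: 'POST', credentials: 'include', headers: { 'content-type': ct }, body }).
const SAMPLES = [
  'application/json',                                   // preflighted: not a simple request
  'text/plain',                                         // simple request, but not JSON
  'text/plain; x=application/json',                     // simple request; loose gate fooled
  'text/plain;application/json',                        // simple request; bare "param" ignored by browsers
  'application/x-www-form-urlencoded; charset=application/json',
];

// Evaluate each sample against both gates; returns one row per sample.
function evaluate(samples = SAMPLES) {
  return samples.map((ct) => ({
    contentType: ct,
    skipsPreflight: skipsPreflight(ct),
    csrfWithLooseGate: csrfReachable(looseAcceptsJson, ct),
    csrfWithStrictGate: csrfReachable(strictAcceptsJson, ct),
  }));
}

if (typeof require !== 'undefined' && require.main === module) console.table(evaluate());
```

Running the block prints a table: every row except the first is a simple request, the loose gate lets rows three to five through (a CSRF), and the strict gate rejects all of them while still accepting a genuine `application/json; charset=utf-8` request, which a browser would preflight anyway.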
Release Notes
fastify/fastify
### [`v4.10.2`](https://togithub.com/fastify/fastify/releases/tag/v4.10.2)

[Compare Source](https://togithub.com/fastify/fastify/compare/v4.10.1...v4.10.2)

#### ⚠️ Security Release ⚠️

- Fix for ["Incorrect Content-Type parsing can lead to CSRF attack"](https://togithub.com/fastify/fastify/security/advisories/GHSA-3fjj-p79j-c9hh) and CVE-2022-41919

**Full Changelog**: https://github.com/fastify/fastify/compare/v4.10.1...v4.10.2

### [`v4.10.1`](https://togithub.com/fastify/fastify/releases/tag/v4.10.1)

[Compare Source](https://togithub.com/fastify/fastify/compare/v4.10.0...v4.10.1)

#### What's Changed

- fix node 19.1.0 port validation test by [@Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/fastify/fastify/pull/4427](https://togithub.com/fastify/fastify/pull/4427)
- Add fastify-constraints to community plugins by [@Ceres6](https://togithub.com/Ceres6) in [https://github.com/fastify/fastify/pull/4428](https://togithub.com/fastify/fastify/pull/4428)
- build(deps-dev): bump [@sinonjs/fake-timers](https://togithub.com/sinonjs/fake-timers) from 9.1.2 to 10.0.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/fastify/fastify/pull/4421](https://togithub.com/fastify/fastify/pull/4421)
- add silent option to LogLevel by [@Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/fastify/fastify/pull/4432](https://togithub.com/fastify/fastify/pull/4432)

#### New Contributors

- [@Ceres6](https://togithub.com/Ceres6) made their first contribution in [https://github.com/fastify/fastify/pull/4428](https://togithub.com/fastify/fastify/pull/4428)

**Full Changelog**: https://github.com/fastify/fastify/compare/v4.10.0...v4.10.1

### [`v4.10.0`](https://togithub.com/fastify/fastify/releases/tag/v4.10.0)

[Compare Source](https://togithub.com/fastify/fastify/compare/v4.9.2...v4.10.0)

#### What's Changed

- docs(reference/reply): spelling fixes by [@Fdawgs](https://togithub.com/Fdawgs) in [https://github.com/fastify/fastify/pull/4358](https://togithub.com/fastify/fastify/pull/4358)
- Support different content-type typed reply with TypeProvider by [@rain714](https://togithub.com/rain714) in [https://github.com/fastify/fastify/pull/4360](https://togithub.com/fastify/fastify/pull/4360)
- chore: remove leading empty lines by [@LinusU](https://togithub.com/LinusU) in [https://github.com/fastify/fastify/pull/4364](https://togithub.com/fastify/fastify/pull/4364)
- fix types after pino 8.7.0 change by [@mcollina](https://togithub.com/mcollina) in [https://github.com/fastify/fastify/pull/4365](https://togithub.com/fastify/fastify/pull/4365)
- Node.js V19 support by [@mcollina](https://togithub.com/mcollina) in [https://github.com/fastify/fastify/pull/4366](https://togithub.com/fastify/fastify/pull/4366)
- fix: no check on `null` or `undefined` values passed as fn by [@metcoder95](https://togithub.com/metcoder95) in [https://github.com/fastify/fastify/pull/4367](https://togithub.com/fastify/fastify/pull/4367)
- docs(server): config is lost when reply.call not found() is called by [@cesarvspr](https://togithub.com/cesarvspr) in [https://github.com/fastify/fastify/pull/4368](https://togithub.com/fastify/fastify/pull/4368)
- Fix typo - 'sever' to 'server' by [@utsav91](https://togithub.com/utsav91) in [https://github.com/fastify/fastify/pull/4372](https://togithub.com/fastify/fastify/pull/4372)
- Add platformatic to the Acknowledgements by [@mcollina](https://togithub.com/mcollina) in [https://github.com/fastify/fastify/pull/4378](https://togithub.com/fastify/fastify/pull/4378)
- docs: add Simone Busoli to plugin maintainers by [@simoneb](https://togithub.com/simoneb) in [https://github.com/fastify/fastify/pull/4379](https://togithub.com/fastify/fastify/pull/4379)
- add missing 'validationContext' field to FastifyError type by [@jakubburzynski](https://togithub.com/jakubburzynski) in [https://github.com/fastify/fastify/pull/4363](https://togithub.com/fastify/fastify/pull/4363)
- fix(type-providers): assignability of instance with enabled type provider by [@driimus](https://togithub.com/driimus) in [https://github.com/fastify/fastify/pull/4371](https://togithub.com/fastify/fastify/pull/4371)
- feat: support async trailer by [@climba03003](https://togithub.com/climba03003) in [https://github.com/fastify/fastify/pull/4380](https://togithub.com/fastify/fastify/pull/4380)
- fix: trailers async race condition by [@climba03003](https://togithub.com/climba03003) in [https://github.com/fastify/fastify/pull/4383](https://togithub.com/fastify/fastify/pull/4383)
- docs(ecosystem): Add fastify-list-routes by [@chuongtrh](https://togithub.com/chuongtrh) in [https://github.com/fastify/fastify/pull/4385](https://togithub.com/fastify/fastify/pull/4385)
- build(deps-dev): bump [@sinclair/typebox](https://togithub.com/sinclair/typebox) from 0.24.51 to 0.25.2 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/fastify/fastify/pull/4388](https://togithub.com/fastify/fastify/pull/4388)
- \[ Fix ] Improve error message for hooks check by [@debadutta98](https://togithub.com/debadutta98) in [https://github.com/fastify/fastify/pull/4387](https://togithub.com/fastify/fastify/pull/4387)
- fix: tiny-lru usage by [@climba03003](https://togithub.com/climba03003) in [https://github.com/fastify/fastify/pull/4391](https://togithub.com/fastify/fastify/pull/4391)
- Removes old note about named imports in ESM by [@fox1t](https://togithub.com/fox1t) in [https://github.com/fastify/fastify/pull/4392](https://togithub.com/fastify/fastify/pull/4392)
- docs: Add section about capacity planning by [@kibertoad](https://togithub.com/kibertoad) in [https://github.com/fastify/fastify/pull/4386](https://togithub.com/fastify/fastify/pull/4386)
- docs(recommendations): grammar fixes by [@Fdawgs](https://togithub.com/Fdawgs) in [https://github.com/fastify/fastify/pull/4396](https://togithub.com/fastify/fastify/pull/4396)
- chore(doc): duplicated menu item by [@Eomm](https://togithub.com/Eomm) in [https://github.com/fastify/fastify/pull/4398](https://togithub.com/fastify/fastify/pull/4398)
- feat: add request.routeOptions object by [@debadutta98](https://togithub.com/debadutta98) in [https://github.com/fastify/fastify/pull/4397](https://togithub.com/fastify/fastify/pull/4397)
- docs: Document multiple app approach by [@kibertoad](https://togithub.com/kibertoad) in [https://github.com/fastify/fastify/pull/4393](https://togithub.com/fastify/fastify/pull/4393)
- fix example using db decorator on fastify instance by [@mmarti](https://togithub.com/mmarti) in [https://github.com/fastify/fastify/pull/4406](https://togithub.com/fastify/fastify/pull/4406)
- docs: fix removeAdditional refer by [@shunyue1320](https://togithub.com/shunyue1320) in [https://github.com/fastify/fastify/pull/4410](https://togithub.com/fastify/fastify/pull/4410)

#### New Contributors

- [@rain714](https://togithub.com/rain714) made their first contribution in [https://github.com/fastify/fastify/pull/4360](https://togithub.com/fastify/fastify/pull/4360)
- [@LinusU](https://togithub.com/LinusU) made their first contribution in [https://github.com/fastify/fastify/pull/4364](https://togithub.com/fastify/fastify/pull/4364)
- [@cesarvspr](https://togithub.com/cesarvspr) made their first contribution in [https://github.com/fastify/fastify/pull/4368](https://togithub.com/fastify/fastify/pull/4368)
- [@utsav91](https://togithub.com/utsav91) made their first contribution in [https://github.com/fastify/fastify/pull/4372](https://togithub.com/fastify/fastify/pull/4372)
- [@jakubburzynski](https://togithub.com/jakubburzynski) made their first contribution in [https://github.com/fastify/fastify/pull/4363](https://togithub.com/fastify/fastify/pull/4363)
- [@driimus](https://togithub.com/driimus) made their first contribution in [https://github.com/fastify/fastify/pull/4371](https://togithub.com/fastify/fastify/pull/4371)
- [@chuongtrh](https://togithub.com/chuongtrh) made their first contribution in [https://github.com/fastify/fastify/pull/4385](https://togithub.com/fastify/fastify/pull/4385)
- [@debadutta98](https://togithub.com/debadutta98) made their first contribution in [https://github.com/fastify/fastify/pull/4387](https://togithub.com/fastify/fastify/pull/4387)
- [@mmarti](https://togithub.com/mmarti) made their first contribution in [https://github.com/fastify/fastify/pull/4406](https://togithub.com/fastify/fastify/pull/4406)
- [@shunyue1320](https://togithub.com/shunyue1320) made their first contribution in [https://github.com/fastify/fastify/pull/4410](https://togithub.com/fastify/fastify/pull/4410)

**Full Changelog**: https://github.com/fastify/fastify/compare/v4.9.2...v4.10.0

### Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.