🚨 [security] [boilerplate/ts/infra/rest/fastify] Update fastify 5.7.4 → 5.8.1 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ fastify (5.7.4 → 5.8.1) · Repo

Security Advisories 🚨

🚨 Fastify's Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation

Description

Fastify incorrectly accepts malformed Content-Type headers containing trailing characters after the subtype token, in violation of RFC 9110 §8.3.1. For example, a request sent with Content-Type: application/json garbage passes validation and is processed normally, rather than being rejected with 415 Unsupported Media Type.

When regex-based content-type parsers are in use (a documented Fastify feature), the malformed value is matched against registered parsers using the full string including the trailing garbage. This means a request with an invalid content-type may be routed to and processed by a parser it should never have reached.

Impact

An attacker can send requests with RFC-invalid Content-Type headers that bypass validity checks, reach content-type parser matching, and be processed by the server. Requests that should be rejected at the validation stage are instead handled as if the content-type were valid.

Workarounds

Deploy a WAF rule to protect against this

Fix

The fix is available starting with v5.8.1.

Release Notes

5.8.0

What's Changed

• docs(request): add host security warning references by @mcollina in #6476
• docs: fix note style by @Fdawgs in #6487
• chore: rename deploy website ci by @Eomm in #6492
• chore: support pino v9 and v10 by @mcollina in #6496
• chore: update logger types and fix TODO comment by @Tony133 in #6470
• refactor(test-types): migrate dummy-plugin to FastifyPluginAsync by @Tony133 in #6472
• docs: fix markdown typo in README.md by @droppingbeans in #6491
• test: cover non-numeric content-length client error path by @mcollina in #6500
• ci: remove tests-checker workflow by @Tony133 in #6481
• ci: remove stale.yml file by @Tony133 in #6504
• docs(security): remove hackerone references; change note style by @Fdawgs in #6501
• chore: rename @sinclair/typebox to typebox by @Tony133 in #6494
• ci(links-check): add external link checker using linkinator-action by @umxr in #6386
• chore: upgrade borp to v1.0.0 by @Tony133 in #6510
• docs: Add OpenJS CNA reference to SECURITY.md by @mcollina in #6516
• fix: avoid mutating shared routerOptions across instances by @mcollina in #6515
• fix(types): accept async route hooks in shorthand options by @mcollina in #6514
• docs: Improve shutdown lifecycle documentation by @kibertoad in #6517
• chore: remove unused tsconfig.eslint.json by @mrazauskas in #6524
• feat: First-class support for handler-level timeouts by @kibertoad in #6521
• docs(security): clarify insecureHTTPParser threat model scope by @mcollina in #6533
• chore(license): standardise license notice by @Fdawgs in #6511
• docs: clarify anyOf nullable coercion behavior with primitive types by @slegarraga in #6531
• fix: remove format placeholder from FST_ERR_CTP_INVALID_MEDIA_TYPE message by @super-mcgin in #6528
• docs(reference/hooks): fix note style by @Fdawgs in #6538
• chore: Bump lycheeverse/lychee-action from 2.7.0 to 2.8.0 by @dependabot[bot] in #6539
• chore: Bump actions/dependency-review-action from 4.8.2 to 4.8.3 by @dependabot[bot] in #6540
• chore: Bump markdownlint-cli2 from 0.20.0 to 0.21.0 by @dependabot[bot] in #6542
• ci: remove broken links and add ecosystem link validator by @mcollina in #6421
• ci(validate-ecoystem-links): add job level permission by @Fdawgs in #6545
• style: remove trailing whitespace by @Fdawgs in #6543

New Contributors

• @droppingbeans made their first contribution in #6491
• @umxr made their first contribution in #6386
• @slegarraga made their first contribution in #6531
• @super-mcgin made their first contribution in #6528

Full Changelog: v5.7.4...v5.8.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 35 commits:

• Bumped v5.8.1
• Merge commit from fork
• chore: sync version
• Bumped v5.8.0
• style: remove trailing whitespace (#6543)
• ci(validate-ecoystem-links): add job level permission (#6545)
• ci: remove broken links and add ecosystem link validator (#6421)
• chore: Bump markdownlint-cli2 from 0.20.0 to 0.21.0 (#6542)
• chore: Bump actions/dependency-review-action from 4.8.2 to 4.8.3 (#6540)
• chore: Bump lycheeverse/lychee-action from 2.7.0 to 2.8.0 (#6539)
• docs(reference/hooks): fix note style (#6538)
• fix: remove format placeholder from FST_ERR_CTP_INVALID_MEDIA_TYPE message (#6528)
• docs: clarify anyOf nullable coercion behavior with primitive types (#6531)
• chore(license): standardise license notice (#6511)
• docs(security): clarify insecureHTTPParser threat model assumptions (#6533)
• feat: First-class support for handler-level timeouts (#6521)
• chore: remove unused `tsconfig.eslint.json` (#6524)
• docs: Improve shutdown lifecycle documentation (#6517)
• fix(types): accept async route hooks in shorthand options (#6514)
• fix: avoid mutating shared routerOptions across instances (#6515)
• docs: Add OpenJS CNA reference to SECURITY.md (#6516)
• chore: upgrade borp to v1.0.0 (#6510)
• ci(links-check): add external link checker using linkinator-action (#6386)
• chore: rename @sinclair/typebox to typebox (#6494)
• docs(security): remove hackerone references; change note style (#6501)
• ci: remove stale.yml file (#6504)
• chore: remove tests-checker workflow (#6481)
• test: cover non-numeric content-length client error path (#6500)
• Fix markdown typo in README.md (#6491)
• refactor(test-types): replace deprecated FastifyPlugin with FastifyPluginAsync in dummy-plugin (#6472)
• chore: update logger types and fix TODO comment (#6470)
• chore: support pino v9 and v10 (#6496)
• chore: rename deploy website ci (#6492)
• docs: fix note style (#6487)
• docs(request): add host security warning references (#6476)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #545.