Upgrade fastify to 5.x to fix CVE-2026-25223 #55

Merged
manasag merged 4 commits into main from claude/slack-retry-attempt-Ohu4q
Feb 6, 2026

manasag commented Feb 5, 2026

Updates:

  • fastify: ^4.23.2 → ^5.7.2 (fixes HIGH severity CVE-2026-25223)
  • @fastify/compress: ^7.0.3 → ^8.0.1 (fastify 5.x compatibility)
  • glob@7.2.3 deprecation warning
  • inflight@1.0.6 deprecation warning
  • json-schema-to-typescript from ^13.1.1 to ^15.0.4 (uses tinyglobby instead of deprecated glob).
  • @opentelemetry/api: ^1.8.0 → ^1.9.0
  • @opentelemetry/sdk-node: ^0.51.0 → ^0.211.0
  • @opentelemetry/exporter-metrics-otlp-grpc: ^0.53.0 → ^0.211.0
  • @opentelemetry/exporter-metrics-otlp-proto: ^0.53.0 → ^0.211.0
  • @opentelemetry/instrumentation-fastify: ^0.36.0 → ^0.55.0
  • @opentelemetry/instrumentation-fetch: ^0.53.0 → ^0.211.0
  • @opentelemetry/instrumentation-http: ^0.53.0 → ^0.211.0
  • @opentelemetry/instrumentation-pino: ^0.38.0 → ^0.57.0
  • @opentelemetry/resources: ^1.24.0 → ^2.5.0
  • @opentelemetry/sdk-metrics: ^1.24.0 → ^2.5.0
  • @opentelemetry/semantic-conventions: ^1.24.0 → ^1.39.0

Code changes:

  • server.ts: Update error handler for Fastify 5's unknown error type
  • instrumentation.ts: Add type cast for OpenTelemetry version compatibility

https://claude.ai/code/session_01N29zs4UUEFRztoPocWY5M9

Updates:
- fastify: ^4.23.2 → ^5.7.2 (fixes HIGH severity CVE-2026-25223)
- @fastify/compress: ^7.0.3 → ^8.0.1 (fastify 5.x compatibility)

Code changes:
- server.ts: Update error handler for Fastify 5's unknown error type
- instrumentation.ts: Add type cast for OpenTelemetry version compatibility

https://claude.ai/code/session_01N29zs4UUEFRztoPocWY5M9

Updates json-schema-to-typescript from ^13.1.1 to ^15.0.4, which uses
tinyglobby instead of the deprecated glob package. This fixes the
inflight and glob deprecation warnings.

Note: The @opentelemetry/otlp-proto-exporter-base deprecation warning
requires updating OpenTelemetry packages to resolve.

https://claude.ai/code/session_01N29zs4UUEFRztoPocWY5M9

Updates:
- @opentelemetry/api: ^1.8.0 → ^1.9.0
- @opentelemetry/exporter-metrics-otlp-grpc: ^0.53.0 → ^0.211.0
- @opentelemetry/exporter-metrics-otlp-proto: ^0.53.0 → ^0.211.0
- @opentelemetry/instrumentation-fastify: ^0.36.0 → ^0.55.0
- @opentelemetry/instrumentation-fetch: ^0.53.0 → ^0.211.0
- @opentelemetry/instrumentation-http: ^0.53.0 → ^0.211.0
- @opentelemetry/instrumentation-pino: ^0.38.0 → ^0.57.0
- @opentelemetry/resources: ^1.24.0 → ^2.5.0
- @opentelemetry/sdk-metrics: ^1.24.0 → ^2.5.0
- @opentelemetry/sdk-node: ^0.51.0 → ^0.211.0
- @opentelemetry/semantic-conventions: ^1.24.0 → ^1.39.0

This fixes the @opentelemetry/otlp-proto-exporter-base deprecation warning.

https://claude.ai/code/session_01N29zs4UUEFRztoPocWY5M9

- Upgraded fastify from 4.x to 5.x to fix CVE-2026-25223 (HIGH severity)
- Updated all OpenTelemetry packages to latest versions
- Updated json-schema-to-typescript to fix deprecated dependency warnings

https://claude.ai/code/session_01N29zs4UUEFRztoPocWY5M9

manasag merged commit 42482a4 into main Feb 6, 2026
2 checks passed
manasag deleted the claude/slack-retry-attempt-Ohu4q branch February 6, 2026 05:37