chore(deps): update dependency fastify to v5 [security] by renovate[bot] · Pull Request #18 · rstackjs/rspack-plugin-ci

renovate · 2026-02-03T16:13:08Z

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
fastify (source)	`^3.29.5` → `^5.0.0`

GitHub Vulnerability Alerts

CVE-2026-25223

Impact

A validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type.

For example, a request with Content-Type: application/json\ta will bypass JSON schema validation but still be parsed as JSON.

This vulnerability affects all Fastify users who rely on Content-Type-based body validation schemas to enforce data integrity or security constraints. The concrete impact depends on the handler implementation and the level of trust placed in the validated request body, but at the library level, this allows complete bypass of body validation for any handler using Content-Type-discriminated schemas.

This issue is a regression or missed edge case from the fix for a previously reported vulnerability.

Patches

This vulnerability has been patched in Fastify v5.7.2. All users should upgrade to this version or later immediately.

Workarounds

If upgrading is not immediately possible, user can implement a custom onRequest hook to reject requests containing tab characters in the Content-Type header:

fastify.addHook('onRequest', async (request, reply) => {
  const contentType = request.headers['content-type']
  if (contentType && contentType.includes('\t')) {
    reply.code(400).send({ error: 'Invalid Content-Type header' })
  }
})

Resources

Severity

CVSS Score: 7.5 / 10 (High)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2026-3635

Summary

When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection — including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application.

Affected Versions

fastify <= 5.8.2

Impact

Applications using request.protocol or request.host for security decisions (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, host-based routing) are affected when trustProxy is configured with a restrictive trust function.

When trustProxy: true (trust everything), both host and protocol trust all forwarded headers — this is expected behavior. The vulnerability only manifests with restrictive trust configurations.

Severity

CVSS Score: 6.1 / 10 (Medium)
Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

Release Notes

fastify/fastify (fastify)

`v5.8.3`

Compare Source

⚠️ Security Release

This fixes CVE CVE-2026-3635 GHSA-444r-cwp2-x5xf.

What's Changed

docs(readme): add @Tony133 to plugin team by @Tony133 in #6565
Updated Plugins-Guide.md; Changed "fastify" to "instance" during plugin registration to showcase that it's added as a child by @kyrylchenko in #6566
test: use fastify.test in test case by @climba03003 in #6568
docs: use fastify.example in documentation by @climba03003 in #6567
docs: add common performance degradation guidance by @maxpetrusenko in #6520
docs(server): fix camelCase anchor links in TOC by @Deepvamja in #6530
ci(link-checker): fix root-relative links resolution by @barba-rossa in #6535
docs: update syntax markdown, absolute paths and links by @Tony133 in #6569
docs: clarify content-type parser/schema mismatch is outside threat model by @mcollina in #6537
docs: fix incorrect code examples in Reply and Request reference by @mahmoodhamdi in #6582
docs: replace redirected npm.im http-errors link by @mcollina in #6588
types: Allow port to be null in request type definition by @TristanBarlow in #6589
docs: update links by @Tony133 in #6593
ci(lock-threads): use shared lock-threads workflow by @Fdawgs in #6592

New Contributors

@kyrylchenko made their first contribution in #6566
@maxpetrusenko made their first contribution in #6520
@Deepvamja made their first contribution in #6530
@barba-rossa made their first contribution in #6535
@mahmoodhamdi made their first contribution in #6582
@TristanBarlow made their first contribution in #6589

Full Changelog: fastify/fastify@v5.8.2...v5.8.3

`v5.8.2`

Compare Source

What's Changed

docs(ecosystem): add @yeliex/fastify-problem-details by @yeliex in #6546
Revert "chore: upgrade borp to v1.0.0" by @climba03003 in #6564
docs: document body validation with custom content type parsers by @mcollina in #6556
docs(ecosystem): add fastify-file-router by @bhouston in #6441
docs: add fastify-svelte-view to Ecosystem list by @matths in #6453
fix: anchor keyValuePairsReg to prevent quadratic backtracking by @mcollina in #6558
docs: added note on handling of invalid URLs in setNotFoundHandler by @leftieFriele in #5661
docs(guides): update codemod links by @OluchiEzeifedikwa in #6479
docs: add @glidemq/fastify to community plugins by @avifenesh in #6560

New Contributors

@yeliex made their first contribution in #6546
@matths made their first contribution in #6453
@leftieFriele made their first contribution in #5661
@OluchiEzeifedikwa made their first contribution in #6479
@avifenesh made their first contribution in #6560

Full Changelog: fastify/fastify@v5.8.1...v5.8.2

`v5.8.1`

Compare Source

⚠️ Security Release

Fixes "Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation": GHSA-573f-x89g-hqp9.

CVE-2026-3419

Full Changelog: fastify/fastify@v5.8.0...v5.8.1

`v5.8.0`

Compare Source

What's Changed

docs(request): add host security warning references by @mcollina in #6476
docs: fix note style by @Fdawgs in #6487
chore: rename deploy website ci by @Eomm in #6492
chore: support pino v9 and v10 by @mcollina in #6496
chore: update logger types and fix TODO comment by @Tony133 in #6470
refactor(test-types): migrate dummy-plugin to FastifyPluginAsync by @Tony133 in #6472
docs: fix markdown typo in README.md by @droppingbeans in #6491
test: cover non-numeric content-length client error path by @mcollina in #6500
ci: remove tests-checker workflow by @Tony133 in #6481
ci: remove stale.yml file by @Tony133 in #6504
docs(security): remove hackerone references; change note style by @Fdawgs in #6501
chore: rename @sinclair/typebox to typebox by @Tony133 in #6494
ci(links-check): add external link checker using linkinator-action by @umxr in #6386
chore: upgrade borp to v1.0.0 by @Tony133 in #6510
docs: Add OpenJS CNA reference to SECURITY.md by @mcollina in #6516
fix: avoid mutating shared routerOptions across instances by @mcollina in #6515
fix(types): accept async route hooks in shorthand options by @mcollina in #6514
docs: Improve shutdown lifecycle documentation by @kibertoad in #6517
chore: remove unused tsconfig.eslint.json by @mrazauskas in #6524
feat: First-class support for handler-level timeouts by @kibertoad in #6521
docs(security): clarify insecureHTTPParser threat model scope by @mcollina in #6533
chore(license): standardise license notice by @Fdawgs in #6511
docs: clarify anyOf nullable coercion behavior with primitive types by @slegarraga in #6531
fix: remove format placeholder from FST_ERR_CTP_INVALID_MEDIA_TYPE message by @super-mcgin in #6528
docs(reference/hooks): fix note style by @Fdawgs in #6538
chore: Bump lycheeverse/lychee-action from 2.7.0 to 2.8.0 by @dependabot[bot] in #6539
chore: Bump actions/dependency-review-action from 4.8.2 to 4.8.3 by @dependabot[bot] in #6540
chore: Bump markdownlint-cli2 from 0.20.0 to 0.21.0 by @dependabot[bot] in #6542
ci: remove broken links and add ecosystem link validator by @mcollina in #6421
ci(validate-ecoystem-links): add job level permission by @Fdawgs in #6545
style: remove trailing whitespace by @Fdawgs in #6543

New Contributors

@droppingbeans made their first contribution in #6491
@umxr made their first contribution in #6386
@slegarraga made their first contribution in #6531
@super-mcgin made their first contribution in #6528

Full Changelog: fastify/fastify@v5.7.4...v5.8.0

`v5.7.4`

Compare Source

Full Changelog: fastify/fastify@v5.7.3...v5.7.4

`v5.7.3`

Compare Source

⚠️ Security Release

Fix GHSA-mrq3-vjjr-p77c CVE-2026-25224.

What's Changed

docs: update Reply.send() documentation for string serialization by @mcollina in #6466
chore: ignore agents config files by @mcollina in #6474
docs: update vulnerability reporting to use GitHub Security by @mcollina in #6475

Full Changelog: fastify/fastify@v5.7.2...v5.7.3

`v5.7.2`

Compare Source

⚠️ Notice ⚠️

Parsing of the content-type header has been improved to a strict parser in PR #6414. This means only header values in the form described in RFC 9110 are accepted.

What's Changed

chore: npm ignore AI related files by @climba03003 in #6447
chore: update sponsor url by @Eomm in #6450
docs: add fastify-http-exceptions to Ecosystem.md by @bhouston in #6442
docs: fix invalid shorten form schema example by @climba03003 in #6448
docs: Simplify and tighten decorators example by @smith558 in #6451
docs: Fix incorrect variable use by @smith558 in #6455
chore: update sponsor link by @Eomm in #6460
fix: Fix MIT Licence file to conform to standard by @smith558 in #6464
docs: move querystringParser option under routerOptions by @inyourtime in #6463
chore: Updated content-type header parsing by @jsumners in #6414

New Contributors

@bhouston made their first contribution in #6442

Full Changelog: fastify/fastify@v5.7.1...v5.7.2

`v5.7.1`

Compare Source

What's Changed

chore: Bump actions/checkout from 5 to 6 by @dependabot[bot] in #6434
chore: updated version in the fastify.js by @Tony133 in #6446

Full Changelog: fastify/fastify@v5.7.0...v5.7.1

`v5.7.0`

Compare Source

What's Changed

docs: Improved firebase serverless guide about process remaining stuck by @alexandercerutti in #6380
docs: update migration guide with date-time breaking change by @craftsman01 in #6110
chore: remove test file by @Eomm in #6384
feat: speed up loading with custom compiler by @Eomm in #6383
docs: replace all instances of twitter.com with x.com by @cseas in #6355
docs: correct logger option in example by @inyourtime in #6391
docs: fix links by @Shriti507 in #6394
chore: skip unnecessary object creation by @Eomm in #6400
docs: Update JSON Schema link in documentation by @jon23d in #6402
docs(ecosystem): add fastify-ses-mailer by @KaranHotwani in #6395
docs: add security note about validation errors in response by @mcollina in #6407
docs: add security threat model by @mcollina in #6406
chore: update onboarding and offboarding instructions by @Eomm in #6403
fix: set status code before publishing diagnostics error channel by @tt-a1i in #6412
fix: use JSON.stringify in onBadUrl for proper escaping by @mcollina in #6420
chore: fix type test by @mrazauskas in #6418
docs: improve Validation-and-Serialization.md by @twentytwo777 in #6423
test: skip IPv6 test if its support is not present by @LiviaMedeiros in #6428
test: fix test when localhost has multiple addresses by @LiviaMedeiros in #6427
docs: add security warning for requestIdHeader by @mcollina in #6425
docs(ecosystem): add elements-fastify by @rohitsoni007 in #6416
chore: Bump actions/dependency-review-action from 4.8.1 to 4.8.2 by @dependabot[bot] in #6433
chore: Bump markdownlint-cli2 from 0.18.1 to 0.20.0 by @dependabot[bot] in #6436
chore: Bump @types/node from 24.10.4 to 25.0.3 in the dev-dependencies-typescript group by @dependabot[bot] in #6435
fix(ts): Align routerOptions defaultRoute types with runtime by @AnkanMisra in #6392
fix(types): require send() payload when Reply type is specified by @tt-a1i in #6432
fix: ajv options type validation by @gianmarco27 in #6437
docs: add non-vulnerability examples to threat model by @RafaelGSS in #6431
feat: implement conditional request logging by @kibertoad in #5732
docs(sponsor): add serpapi by @Eomm in #6443
perf: use native WebStream API instead of Readable.fromWeb wrapper by @mcollina in #6444

New Contributors

@craftsman01 made their first contribution in #6110
@cseas made their first contribution in #6355
@Shriti507 made their first contribution in #6394
@jon23d made their first contribution in #6402
@KaranHotwani made their first contribution in #6395
@tt-a1i made their first contribution in #6412
@mrazauskas made their first contribution in #6418
@twentytwo777 made their first contribution in #6423
@rohitsoni007 made their first contribution in #6416
@AnkanMisra made their first contribution in #6392
@gianmarco27 made their first contribution in #6437

Full Changelog: fastify/fastify@v5.6.2...v5.7.0

`v5.6.2`

Compare Source

`v5.6.1`

Compare Source

What's Changed

fix: fix typo of deprecation warning FSTDEP022 by @Uzlopak in #6313
docs(decorators): fix TypeScript inconsistency by @emicovi in #6224
chore: fix typos by @deining in #6316
docs(security): add secondary contact/security escalation policy by @UlisesGascon in #6315
chore(gha): remove benchmark github workflows by @Eomm in #6322
chore(sponsor): add lambdatest by @Eomm in #6324
fix: (types) allow FastifySchemaValidationError[] as an error by @gurgunday in #6326
fix: correct session.close() context in http2 timeout handler by @David-van-der-Sluijs in #6327
fix: close http2 sessions on close server by @kostyak127 in #6137

New Contributors

@deining made their first contribution in #6316
@UlisesGascon made their first contribution in #6315
@David-van-der-Sluijs made their first contribution in #6327
@kostyak127 made their first contribution in #6137

Full Changelog: fastify/fastify@v5.6.0...v5.6.1

`v5.6.0`

Compare Source

What's Changed

fix: update typescript pino type to pick by @dancastillo in #6287
feat(types): router option types by @dancastillo in #6282
fix(types): Fix use of "esModuleInterop: false" by @joshkel in #6292
docs: fix typo in Reference: TypeScript.md by @hmanzoni in #6302
docs: clarify router performance note by @Prasad2604 in #6306

New Contributors

@joshkel made their first contribution in #6292
@hmanzoni made their first contribution in #6302
@Prasad2604 made their first contribution in #6306

Full Changelog: fastify/fastify@v5.5.0...v5.6.0

`v5.5.0`

Compare Source

What's Changed

docs: fix markdown linting issue by @Uzlopak in #6175
chore: removed simple-get from mkcalendar tests by @ilteoood in #6199
chore: removed simple-get from versioned-routes tests by @ilteoood in #6202
chore: removed simple-get from hooks tests by @ilteoood in #6210
fix: close pipelining test by @ilteoood in #6204
chore: removed simple-get from unlock test by @ilteoood in #6178
chore: removed simple-get from use-semicolon-delimiter tests by @ilteoood in #6203
chore: removed simple-get from custom-https-server tests by @ilteoood in #6201
chore: remove simple-get from custom parser 5 by @ilteoood in #6172
chore: removed simple-get from head tests by @ilteoood in #6196
chore: removed simple-get from request id tests by @ilteoood in #6193
chore: remove simple get from custom parser 1 by @ilteoood in #6167
chore: removed simple-get from custom-parser-0 by @ilteoood in #6168
chore: remove simple-get from custom parser 2 by @ilteoood in #6169
chore: remove simple-get from custom parser 4 by @ilteoood in #6171
chore: removed simple-get from promises test by @ilteoood in #6183
chore: removed simple-get from move test by @ilteoood in #6179
chore: remove simple-get from custom querystring parser by @ilteoood in #6166
chore: remove simple-get from propfind by @ilteoood in #6174
chore: removed simple-get from case insensitive test by @ilteoood in #6188
chore: remove simple get from async-await tests by @ilteoood in #6165
chore: removed simple-get from header overflow test by @ilteoood in #6190
chore: removed simple-get from check test by @ilteoood in #6176
chore: removed simple-get from async hooks test by @ilteoood in #6189
feat(types): export more schema related types by @marcalexiei in #6207
chore: removed simple-get from copy tests by @ilteoood in #6198
chore: removed simple-get from request-error test by @ilteoood in #6184
chore: removed simple-get from decorator tests by @ilteoood in #6192
ci: pin third-party actions to commit-hash by @Fdawgs in #6218
fix: close fastify instance by @ilteoood in #6177
chore(license): replace date range by @Fdawgs in #6219
chore: removed simple-get from plugin-1 test by @ilteoood in #6180
chore: removed simple-get from plugin-2 test by @ilteoood in #6181
chore: removed simple-get from plugin-3 test by @ilteoood in #6182
chore: remove simple get from reply test by @ilteoood in #6160
feat(types): add missing error types by @davidwood in #6217
docs: setErrorHandler description by @AlvesJorge in #6227
docs: fix onError hook execution order documentation by @emicovi in #6225
fix: handle abort signal in fastify.listen by @climba03003 in #6235
feat: prepare to use Promise.withResolvers by @climba03003 in #6232
docs: updated SECURITY.md by @Eomm in #6233
fix(docs): fix markdown to exclude leading parenthesis by @IanWoodard in #6238
ci: fix thollander/actions-comment-pull-request commit-hash by @Fdawgs in #6244
docs(routes): add payload to preParsing signature by @callmehiphop in #6240
docs(ecosystem): add fastify-route-preset plugin by @inyourtime in #6220
chore: remove simple get from async request, get and register... by @ilteoood in #6246
docs: improve custom validator documentation for async hooks by @emicovi in #6228
chore: remove simple get from route shorthand by @ilteoood in #6245
chore: Bump @stylistic/eslint-plugin from 4.4.1 to 5.1.0 in the dev-dependencies-eslint group by @dependabot[bot] in #6242
chore: Bump @types/node from 22.15.34 to 24.0.8 in the dev-dependencies-typescript group by @dependabot[bot] in #6243
chore(tests): remove simple get by @ilteoood in #6249
chore: finally remove simple get by @ilteoood in #6251
chore: remove undici from schema-validation.test.js by @Uzlopak in #6252
test: fix flakyness of close-pipelining-test, upgrade undici to v7 by @Uzlopak in #6256
fix: account for EPIPE fetch errors in tests by @gurgunday in #6255
docs: correct parameter name in frameworkErrors handler by @inyourtime in #6257
docs: fix server page headings level by @golopot in #6258
fix: add FST_ERR_CTP_INVALID_JSON_BODY by @Uzlopak in #5925
feat: optimize content type parser by using AsyncResource.bind() by @gurgunday in #6262
fix: remove unnecessary body length check in contentTypeParser by @gurgunday in #6266
docs(ecosystem): add fastify-multilingual by @gbrugger in #6268
chore: fix docs Request.md by @ts0307 in #6270
chore: Bump typescript from 5.8.3 to 5.9.2 in the dev-dependencies-typescript group by @dependabot[bot] in #6273
chore: Bump cross-env from 7.0.3 to 10.0.0 by @dependabot[bot] in #6274
feat(types): enforce reply status code types with type providers by @samchungy in #6250
feat: move router options to own key by @dancastillo in #5985
docs: refine CONTRIBUTING.md for better readability by @Dipali127 in #6277
chore: refactor reply.send and prioritize kReplyIsError by @gurgunday in #6267
docs(ecosystem): add fastify-permissions plugin by @pckrishnadas88 in #6265
docs: Add Hey API to ecosystem by @mrlubos in #6280
fix: OPTIONS Content-Type handling by @gurgunday in #6263

New Contributors

@marcalexiei made their first contribution in #6207
@davidwood made their first contribution in #6217
@AlvesJorge made their first contribution in #6227
@emicovi made their first contribution in #6225
@IanWoodard made their first contribution in #6238
@callmehiphop made their first contribution in #6240
@golopot made their first contribution in #6258
@gbrugger made their first contribution in #6268
@ts0307 made their first contribution in #6270
@Dipali127 made their first contribution in #6277
@pckrishnadas88 made their first contribution in #6265
@mrlubos made their first contribution in #6280

Full Changelog: fastify/fastify@v5.4.0...v5.5.0

`v5.4.0`

Compare Source

What's Changed

test: mv routes-* from tap by @jean-michelet in #6092
test: mv skip-reply-send from tap by @jean-michelet in #6094
test: mv plugins from tap by @jean-michelet in #6088
fix(ci): ignore alternative runtime result by @Eomm in #6125
test: mv schema-* from tap by @jean-michelet in #6093
test: mv hooks-async from tap by @jean-michelet in #6084
fix(types): add missing version to request.routeOptions by @inyourtime in #6126
docs: remove fastify-sentry plugin by @dnlup in #6131
docs: add community plugins disclaimer by @jean-michelet in #6132
docs: use cross-platform compatible info emoji by @Fdawgs in #6134
perf: nits in reply.js by @Cangit in #6136
docs: join core team by @jean-michelet in #6142
docs: fix typo in hash.digest function by @piotr-cz in #6145
test: mv hooks from tap by @jean-michelet in #6087
test: improve issue 4959 unit test by @Uzlopak in #6147
chore: Bump markdownlint-cli2 from 0.17.2 to 0.18.1 by @dependabot in #6150
chore: remove dependencie tap and others updated by @Tony133 in #6148
fix: hook async flaky by @ilteoood in #6155
chore: Bump lycheeverse/lychee-action from 2.4.0 to 2.4.1 by @dependabot in #6151
chore: removing simple-get from allow-unsafe-regex by @ilteoood in #6154
chore: remove simple get on 404s test file by @ilteoood in #6153
chore: remove simple-get in handle-request.test.js by @ilteoood in #6159
chore: remove simple-get from url-rewriting by @ilteoood in #6163
chore: remove simple-get in report.test.js by @ilteoood in #6157
chore: remove simple-get from custom parser async by @ilteoood in #6164
chore: removed simple-get from mkcol tests by @ilteoood in #6194
chore: removed simple-get from proto-poisoning test by @ilteoood in #6185
ci: Added Node.js v24 by @mcollina in #6113
chore: removed simple-get from nullable validation test by @ilteoood in #6191
feat: configure errorhandler override by @jean-michelet in #6104
chore: remove simple-get from search test by @ilteoood in #6158
chore: remove simple get from secure with fallback test by @ilteoood in #6162
chore: removed simple-get from als test by @ilteoood in #6187
chore: remove simple-get from listen 4 by @ilteoood in #6173
fix: do not freeze request.routeOptions by @mcollina in #6141
chore: removed simple-get from sync-delay-request tests by [@ilteoood](

Configuration

📅 Schedule: (in timezone Asia/Shanghai)

Branch creation
- ""
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot force-pushed the renovate/npm-fastify-vulnerability branch 2 times, most recently from da7f627 to a4f4577 Compare February 18, 2026 07:59

renovate bot force-pushed the renovate/npm-fastify-vulnerability branch 2 times, most recently from a0549a8 to 5c91885 Compare February 25, 2026 08:41

renovate bot force-pushed the renovate/npm-fastify-vulnerability branch 2 times, most recently from 217504a to 851e287 Compare March 14, 2026 12:57

renovate bot changed the title ~~chore(deps): update dependency fastify to v5 [security]~~ chore(deps): update dependency fastify to v5 [security] - autoclosed Mar 28, 2026

renovate bot closed this Mar 28, 2026

renovate bot deleted the renovate/npm-fastify-vulnerability branch March 28, 2026 02:37

renovate bot changed the title ~~chore(deps): update dependency fastify to v5 [security] - autoclosed~~ chore(deps): update dependency fastify to v5 [security] Mar 31, 2026

renovate bot reopened this Mar 31, 2026

renovate bot force-pushed the renovate/npm-fastify-vulnerability branch 2 times, most recently from 851e287 to a456520 Compare March 31, 2026 08:38

renovate bot force-pushed the renovate/npm-fastify-vulnerability branch 2 times, most recently from 453feef to 1b2d1cb Compare April 19, 2026 08:50

chore(deps): update dependency fastify to v5 [security]

a431a7e

renovate bot force-pushed the renovate/npm-fastify-vulnerability branch from 1b2d1cb to a431a7e Compare April 19, 2026 09:48

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update dependency fastify to v5 [security]#18

chore(deps): update dependency fastify to v5 [security]#18
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-fastify-vulnerability

renovate bot commented Feb 3, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

renovate bot commented Feb 3, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

GitHub Vulnerability Alerts

Impact

Patches

Workarounds

Resources

Severity

Summary

Affected Versions

Impact

Severity

Release Notes

⚠️ Security Release

What's Changed

New Contributors

What's Changed

New Contributors

⚠️ Security Release

What's Changed

New Contributors

⚠️ Security Release

What's Changed

⚠️ Notice ⚠️

What's Changed

New Contributors

What's Changed

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

Configuration

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

renovate bot commented Feb 3, 2026 •

edited

Loading