Update dependency fastify to v3.29.4 [SECURITY] #17
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
3.27.1
->3.29.4
GitHub Vulnerability Alerts
CVE-2022-41919
Impact
The attacker can use the incorrect
Content-Type
to bypass thePre-Flight
checking offetch
.fetch()
requests with Content-Type’s essence as "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain", could potentially be used to invoke routes that only acceptsapplication/json
content type, thus bypassing any CORS protection, and therefore they could lead to a Cross-Site Request Forgery attack.Patches
For
4.x
users, please update to at least4.10.2
For
3.x
users, please update to at least3.29.4
Workarounds
Implement Cross-Site Request Forgery protection using
@fastify/csrf
.References
Check out the HackerOne report: https://hackerone.com/reports/1763832.
For more information
Fastify security policy
Release Notes
fastify/fastify (fastify)
v3.29.4
Compare Source
and CVE-2022-41919
Full Changelog: fastify/fastify@v3.29.3...v3.29.4
v3.29.3
Compare Source
Security ReleaseThis release backport the fixes of GHSA-455w-c45v-86rg for the v3.x line.
While not being a vulnerability for this line, a backport is still welcome due to the problems highlighted in the report.
Full Changelog: fastify/fastify@v3.29.2...v3.29.3
v3.29.2
Compare Source
What's Changed
New Contributors
Full Changelog: fastify/fastify@v3.29.1...v3.29.2
v3.29.1
Compare Source
What's Changed
@fastify/*
modules by @Fdawgs in https://github.com/fastify/fastify/pull/3860New Contributors
Full Changelog: fastify/fastify@v3.29.0...v3.29.1
v3.29.0
Compare Source
What's Changed
Full Changelog: fastify/fastify@v3.28.0...v3.29.0
v3.28.0
Compare Source
What's Changed
request
properties by @sumbad in https://github.com/fastify/fastify/pull/3787Full Changelog: fastify/fastify@v3.27.4...v3.28.0
v3.27.4
Compare Source
What's Changed
Full Changelog: fastify/fastify@v3.27.3...v3.27.4
v3.27.3
Compare Source
What's Changed
Full Changelog: fastify/fastify@v3.27.2...v3.27.3
v3.27.2
Compare Source
What's Changed
standard
linting by @Divlo in https://github.com/fastify/fastify/pull/3682test:ci
instead oftest
by @Divlo in https://github.com/fastify/fastify/pull/3692New Contributors
Full Changelog: fastify/fastify@v3.27.1...v3.27.2
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.