Update dependency fastify to ^4.29.1 [SECURITY]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
fastify (source)	^4.17.0 → ^4.29.1

GitHub Vulnerability Alerts

CVE-2026-25223

Impact

A validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type.

For example, a request with Content-Type: application/json\ta will bypass JSON schema validation but still be parsed as JSON.

This vulnerability affects all Fastify users who rely on Content-Type-based body validation schemas to enforce data integrity or security constraints. The concrete impact depends on the handler implementation and the level of trust placed in the validated request body, but at the library level, this allows complete bypass of body validation for any handler using Content-Type-discriminated schemas.

This issue is a regression or missed edge case from the fix for a previously reported vulnerability.

Patches

This vulnerability has been patched in Fastify v5.7.2. All users should upgrade to this version or later immediately.

Workarounds

If upgrading is not immediately possible, user can implement a custom onRequest hook to reject requests containing tab characters in the Content-Type header:

fastify.addHook('onRequest', async (request, reply) => {
  const contentType = request.headers['content-type']
  if (contentType && contentType.includes('\t')) {
    reply.code(400).send({ error: 'Invalid Content-Type header' })
  }
})

Resources

• https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272
• https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125
• Fastify Validation and Serialization Documentation
• https://hackerone.com/reports/3464114

CVE-2026-3635

Summary

When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection — including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application.

Affected Versions

fastify <= 5.8.2

Impact

Applications using request.protocol or request.host for security decisions (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, host-based routing) are affected when trustProxy is configured with a restrictive trust function.

When trustProxy: true (trust everything), both host and protocol trust all forwarded headers — this is expected behavior. The vulnerability only manifests with restrictive trust configurations.

---

Release Notes

fastify/fastify (fastify)

v4.29.1

Compare Source

⚠️ Security Release ⚠️

Fix for "Invalid content-type parsing could lead to validation bypass" and CVE-2025-32442.

Full Changelog: fastify/fastify@v4.29.0...v4.29.1

v4.29.0

Compare Source

What's Changed

• fix(backport v4.x): config type in RouteShorthandOptions by @​bastienmenis in #​5527
• feat(backport 4.x): add body parsing on copy move mkcol methods by @​johaven in #​5549
• [Backport 4.x] fix: res serializer not given reply (#​5556) by @​github-actions in #​5563
• chore(backport 4.x): allow ! in PR title by @​github-actions in #​5572
• [Backport 4.x] feat: support different body schema per content type by @​github-actions in #​5559
• [Backport 4.x] chore(sponsor): add valtown by @​github-actions in #​5593
• [Backport 4.x] fix: nullish host by @​github-actions in #​5594
• refactor(4.x): add deprecate warning of json shorthand by @​climba03003 in #​5587
• [Backport 4.x] chore(sponsor): add handsontable by @​github-actions in #​5595
• [Backport 4.x] fix: throwing "FST_ERR_DUPLICATED_ROUTE" error instead of raw error by @​github-actions in #​5624
• fix(backport 4.x): reorder handling of Response replies by @​github-actions in #​5629
• [Backport 4.x] docs: add default value for maxParamLength by @​github-actions in #​5631
• [Backport 4.x] chore: fix sponsor link by @​github-actions in #​5641
• [Backport 4.x] feat: add fastify v4 codemods by @​github-actions in #​5654
• [Backport 4.x] feat: bind this to instance in onclose by @​github-actions in #​5679
• [Backport 4.x] docs: update v4 codemods by @​github-actions in #​5686

New Contributors

• @​bastienmenis made their first contribution in #​5527

Full Changelog: fastify/fastify@v4.28.1...v4.29.0

v4.28.1

Compare Source

What's Changed

• [Backport 4.x] fix: server.listen listener is not cleanup properly by @​github-actions in #​5523
• [Backport 4.x] test: fix test finished earlier than expected by @​github-actions in #​5541
• fix(v4): update .npmignore by @​Eomm in #​5538

Full Changelog: fastify/fastify@v4.28.0...v4.28.1

v4.28.0

Compare Source

What's Changed

• test: fix closing - pipelining by @​climba03003 in #​5486
• refactor(backport v4.x): change reply.redirect() signature (#​5483) by @​gurgunday in #​5484
• refactor(backport v4.x): hasRoute method comparison with case insensitive by @​SMNBLMRR in #​5513
• fix: (backport) Type inferrence with auxilliary hook handlers by @​aadito123 in #​5518

Full Changelog: fastify/fastify@v4.27.0...v4.28.0

v4.27.0

Compare Source

What's Changed

• docs(request): update request page by @​Tony133 in #​5343
• ci: Add Nsolid runtime to CI and Integration tests by @​riosje in #​5332
• docs(Ecosystem): add fastify-i18n, vite-plugin-fastify, and vite-plug… by @​Shyam-Chen in #​5346
• docs(ecosystem): update x-ray community plugin link by @​jorgevrgs in #​5350
• docs: spelling corrections by @​10xLaCroixDrinker in #​5349
• docs: Remove ES module with NodeNext note by @​melroy89 in #​5361
• docs(ecosystem): add fastify-msgraph-change-notifications-webhook to community plugins by @​flower-of-the-bridges in #​5360
• docs: Add GitHub links to Type Providers + mention Zod by @​melroy89 in #​5365
• docs: fix errors table layout by @​aivopaas in #​5374
• chore: Bump pnpm/action-setup from 2 to 3 by @​dependabot in #​5381
• docs(typescript): update generic constraints link by @​Tony133 in #​5379
• types: narrow code reply type based on schema by @​hpx7 in #​5380
• fix: errorCodes import using ESM by @​melroy89 in #​5390
• fix: Extend tap with .test.mjs tests & Rename existing ESM test by @​melroy89 in #​5391
• docs(typescript): update example https server by @​Tony133 in #​5389
• docs(typescript): update snippet code by @​Tony133 in #​5406
• fix: benchmark CI by @​gurgunday in #​5414
• fix: remove-label job uses the wrong repo by @​gurgunday in #​5415
• fix: only run citgm if citgm-core-plugins label is set by @​gurgunday in #​5416
• feat: adds webdav methods that require body & content type parsing by @​johaven in #​5411
• docs: improve onError docs by specifying what the error handler is by @​tmcw in #​5358
• chore: add mercedes-benz as new sponsor by @​Eomm in #​5424
• chore(ecosystem): Add Fastify asyncforge plugin by @​rozzilla in #​5429
• types: reply.getSerializationFunction can return undefined by @​remidewitte in #​5384
• chore: Bump pino from 8.21.0 to 9.0.0 in the dependencies-major group by @​dependabot in #​5431
• chore: exclude node 14 and 16 on macOS by @​gurgunday in #​5433
• chore: Bump lycheeverse/lychee-action from 1.9.3 to 1.10.0 by @​dependabot in #​5436
• docs: update indentation on snippet code by @​Tony133 in #​5418
• docs(guides/abort): suggest explicit use of the aborted property by @​Fdawgs in #​5438
• feat: disable request logging by @​SamSalvatico in #​5435
• chore: add @​gurgunday to the Core Team by @​gurgunday in #​5442
• feat: add mkcalendar and report methods by @​keyservlad in #​5439
• feat: handle synchronous errors in errorHandler by @​mcollina in #​5445
• types: request route schema might be undefined by @​nflaig in #​5394

New Contributors

• @​Tony133 made their first contribution in #​5343
• @​riosje made their first contribution in #​5332
• @​jorgevrgs made their first contribution in #​5350
• @​10xLaCroixDrinker made their first contribution in #​5349
• @​melroy89 made their first contribution in #​5361
• @​flower-of-the-bridges made their first contribution in #​5360
• @​aivopaas made their first contribution in #​5374
• @​hpx7 made their first contribution in #​5380
• @​johaven made their first contribution in #​5411
• @​tmcw made their first contribution in #​5358
• @​remidewitte made their first contribution in #​5384
• @​SamSalvatico made their first contribution in #​5435
• @​keyservlad made their first contribution in #​5439

Full Changelog: fastify/fastify@v4.26.2...v4.27.0

v4.26.2

Compare Source

What's Changed

• fix: typo in module exports by @​lirantal in #​5316
• docs(ts): Fix links by @​rozzilla in #​5308
• fix: cb is not a function at fallbackErrorHandler by @​Uzlopak in #​5317
• feat: add a Firebase Functions step by step guide by @​lirantal in #​5318
• types: fix test failure by @​gurgunday in #​5330
• perf: use FifoMap to check contentType by @​gurgunday in #​5331
• docs(ecosystem): adds fastify-override to plugins list by @​matthyk in #​5336
• types: Export preClose hook types by @​matthyk in #​5335
• fix: database migration doc missing db connection code by @​nuhman in #​5339
• chore: Bump pnpm/action-setup from 2 to 3 by @​dependabot in #​5341
• chore: Bump xt0rted/markdownlint-problem-matcher from 2.0.0 to 3.0.0 by @​dependabot in #​5342

New Contributors

• @​nuhman made their first contribution in #​5339

Full Changelog: fastify/fastify@v4.26.1...v4.26.2

v4.26.1

Compare Source

What's Changed

• docs(ecosystem): adds fastify-hana to the community plugins list by @​yoav0gal in #​5289
• docs: fix misattributed property parent in deprecation warning: request.elapsedTime by @​mscottnelson in #​5299
• chore: Bump lycheeverse/lychee-action from 1.8.0 to 1.9.3 by @​dependabot in #​5300
• chore: Bump actions/dependency-review-action from 3 to 4 by @​dependabot in #​5301
• chore(.gitignore): add .tap/ dir by @​Fdawgs in #​5303
• fix: amend error codes for latest avvio v8.3.0 by @​mcollina in #​5309
• fix(types): Request route options url add undefined by @​rozzilla in #​5307
• chore: add docs for tracing warnings by @​jsumners in #​5310

New Contributors

• @​mscottnelson made their first contribution in #​5299

Full Changelog: fastify/fastify@v4.26.0...v4.26.1

v4.26.0

Compare Source

What's Changed

• docs(ecosystem): add missing plugins to core list by @​Fdawgs in #​5234
• ci: CITGM github workflow by @​Uzlopak in #​5233
• chore: bump find-may-way to v8.0.0 by @​mcollina in #​5236
• fix: setValidatorCompiler with addSchema by @​derammo in #​5188
• feat(routes): expose findRoute and param validator by @​sf3ris in #​5230
• feat: add use semicolon delimter config, default = true by @​dancastillo in #​5239
• chore: add autocannon and concurrently as dev dependencies by @​Uzlopak in #​5240
• fix: return the correct serializer function when no content-type is defined by @​DouglasdeMoura in #​5229
• Sync next by @​Uzlopak in #​5238
• docs: add open-collective by @​Eomm in #​5216
• chore: Bump actions/upload-artifact from 3 to 4 by @​dependabot in #​5249
• chore: Bump actions/labeler from 4 to 5 by @​dependabot in #​5248
• docs(ecosystem): update fastify-rabbitmq // add fastify-hl7 to ecosystem.md by @​Bugs5382 in #​5245
• chore: update actions/labeler@​5 by @​climba03003 in #​5254
• fix: restrict findRoute exposed property by @​climba03003 in #​5253
• fix(test): flaky on-listen hook test by @​Uzlopak in #​5256
• fix: remove unused promise warning in setNotFoundHandler with preHandler by @​mcollina in #​5258
• fix: Always call resource.emitDestroy() by @​mcollina in #​5228
• docs: Add missing punctuation in Ecosystem by @​matthyk in #​5261
• docs: remove word repetition on Decorators docs by @​rlawisch in #​5260
• chore(types): Remove unused type imports by @​codershiba in #​5264
• chore(license): Update licensing year by @​codershiba in #​5266
• chore(docs): Add clarification about fastify.setErrorHandler() by @​codershiba in #​5265
• refactor: deprecate Reply#getResponseTime() in favour of Reply#elapsedTime by @​codershiba in #​5263
• chore: remove www. from fastify.dev urls by @​Fdawgs in #​5270
• feat: expose method for setGenReqId on FastifyInstance by @​dancastillo in #​5259
• fix: ensure onListen hooks are called when they should be by @​bienzaaron in #​5273
• docs: re-word clarification about setErrorHandler() by @​codershiba in #​5269
• docs(ecosystem): remove unsupported package by @​Fdawgs in #​5278
• docs: Fix Pino docs link by @​BoscoDomingo in #​5284
• chore: add github sponsor by @​Eomm in #​5293
• docs(ecosystem): adds fastify-sqlite-typed to the community plugins list by @​yoav0gal in #​5288
• docs: add ESM usage example in Getting Started by @​atilagulers in #​5294
• docs: repoint readers to shared .github files by @​Fdawgs in #​5268
• feat: Web Stream API by @​climba03003 in #​5286
• chore: sync generated code by @​Eomm in #​5295

New Contributors

• @​derammo made their first contribution in #​5188
• @​DouglasdeMoura made their first contribution in #​5229
• @​rlawisch made their first contribution in #​5260
• @​codershiba made their first contribution in #​5264
• @​BoscoDomingo made their first contribution in #​5284
• @​yoav0gal made their first contribution in #​5288
• @​atilagulers made their first contribution in #​5294

Full Changelog: fastify/fastify@v4.25.2...v4.26.0

v4.25.2

Compare Source

What's Changed

• fix: npm run test:watch by @​domdomegg in #​5221
• fix: always consume stream payloads when responding to 204 with no body by @​mcollina in #​5231
• docs: update setErrorHandler to explain not found behaviour by @​domdomegg in #​5218

New Contributors

• @​domdomegg made their first contribution in #​5221

Full Changelog: fastify/fastify@v4.25.1...v4.25.2

v4.25.1

Compare Source

What's Changed

• fix: route constraints by @​climba03003 in #​5207
• fix: Better plugin name detection for FSTWRN002 by @​mcollina in #​5209
• chore: at-large project by @​Eomm in #​5211

Full Changelog: fastify/fastify@v4.25.0...v4.25.1

v4.25.0

Compare Source

What's Changed

• feat: Improve RouteShorthandOptions['constraints'] type by @​Fcmam5 in #​5097
• fix: add @​eomm and @​jsumners as lead maintainers by @​mcollina in #​5115
• fix: reply.send supports Uint8Array payload by @​SgtPooki in #​5124
• refactor: migrate deprecation warnings to actual deprecation warnings by @​jsumners in #​5126
• docs: added documentation about warnings by @​giuliowaitforitdavide in #​5108
• test(logger): restrict temp file permissions by @​Fdawgs in #​5128
• refactor(lib/hooks): replace typeof undefined check by @​Fdawgs in #​5127
• chore: replace mention of fastify .io domain with .dev by @​Fdawgs in #​5129
• docs(security): add prose explaining OpenSSF CII Best Practices badge results by @​ljharb in #​5111
• chore: Bump actions/setup-node from 3 to 4 by @​dependabot in #​5134
• fix(types): add handler property to routeOptions by @​MikeJeffers in #​5136
• docs(readme): fix ci badge path by @​Fdawgs in #​5138
• docs: Fix small typo in Typescript docs by @​john-ko in #​5145
• feat(plugins): mixing async and callback style now returns a warning by @​giuliowaitforitdavide in #​5139
• docs: mention about multipart support by @​fawazahmed0 in #​5144
• docs: add @​fastify/vite to core plugins list by @​galvez in #​5153
• docs: add @​scalar/fastify-api-reference to community plugins list by @​hanspagel in #​5154
• docs: Remove routeOptions reference in Reply.md by @​shadahmad7 in #​5156
• docs(ecosystem): add fastify-uws by @​tinchoz49 in #​5160
• docs: removed unmaintained fastify-nodemailer from ecosystem by @​giovanni-bertoncelli in #​5161
• docs: clarify handling of streams and buffers by @​brettwillis in #​5166
• docs(#​5142): aligned errors and warnings documentation by @​giuliowaitforitdavide in #​5162
• docs(reference/hooks): add information about prehandler by @​RjManhas in #​5163
• fix: type FastifyInstance['route'] and RouteShorthandMethod by @​MunifTanjim in #​5155
• docs (reference): Fix small typo in Request by @​bngarren in #​5186
• chore: gitpodify by @​ghostdevv in #​5168
• docs(ecosystem): Add Apitally by @​itssimon in #​5175
• fix: Update reply.context deprecation warning by @​avaly in #​5179
• docs(ecosystem): adds @​blastorg/fastify/aws-dynamodb-cache to community plugins list by @​fredrikj31 in #​5158
• docs: update preHandler hook example by @​tarunrajput in #​5189
• types: added http header types to reply by @​skwee357 in #​5046
• test: add tests for TOC of errors.md by @​Uzlopak in #​5194
• ci: pin node 18 to 18.18.2 by @​Uzlopak in #​5197
• docs(ecosystem): add http-wizard by @​flodlc in #​5132
• chore: Bump actions/github-script from 6 to 7 by @​dependabot in #​5183
• ci: fix broken ci by skipping tests if node v > 18.19.0 by @​Uzlopak in #​5195
• fix: allow async hooks in RouteShorthandOptions without breaking request and reply types by @​bienzaaron in #​5147
• fix(#​5180): close secondary bindings after primary is closed by @​metcoder95 in #​5201
• chore: update process-warning by @​Eomm in #​5206
• types: nullish error types in callback function's parameter for after and ready method by @​nokazn in #​5191
• fix(#​5049): Remove duplicated calls to onReady by @​metcoder95 in #​5051
• chore: remove unused type assertion by @​UndefinedBehaviour in #​5184

New Contributors

• @​Fcmam5 made their first contribution in #​5097
• @​SgtPooki made their first contribution in #​5124
• @​MikeJeffers made their first contribution in #​5136
• @​john-ko made their first contribution in #​5145
• @​fawazahmed0 made their first contribution in #​5144
• @​hanspagel made their first contribution in #​5154
• @​shadahmad7 made their first contribution in #​5156
• @​giovanni-bertoncelli made their first contribution in #​5161
• @​RjManhas made their first contribution in #​5163
• @​MunifTanjim made their first contribution in #​5155
• @​bngarren made their first contribution in #​5186
• @​ghostdevv made their first contribution in #​5168
• @​itssimon made their first contribution in #​5175
• @​avaly made their first contribution in #​5179
• @​fredrikj31 made their first contribution in #​5158
• @​tarunrajput made their first contribution in #​5189
• @​skwee357 made their first contribution in #​5046
• @​flodlc made their first contribution in #​5132
• @​nokazn made their first contribution in #​5191
• @​UndefinedBehaviour made their first contribution in #​5184

Full Changelog: fastify/fastify@v4.24.3...v4.25.0

v4.24.3

Compare Source

What's Changed

• fix: timeout on citgm tests by @​simone-sanfratello in #​5101
• chore: add missing use strict directives by @​Fdawgs in #​5106

Full Changelog: fastify/fastify@v4.24.2...v4.24.3

v4.24.2

Compare Source

What's Changed

• fix: build problems when Symbol.asyncDispose type is not available. by @​arthurfiorette in #​5096

Full Changelog: fastify/fastify@v4.24.1...v4.24.2

v4.24.1

Compare Source

What's Changed

• fix: citgm by @​simone-sanfratello in #​5075
• fix: HEAD route reseting by @​ivan-tymoshenko in #​5090

Full Changelog: fastify/fastify@v4.24.0...v4.24.1

v4.24.0

Compare Source

What's Changed

• docs: Add blank line before onclose hook heading by @​kadoshita in #​5042
• build(dependabot): ignore tap major updates by @​Fdawgs in #​5047
• chore: Bump actions/checkout from 3 to 4 by @​dependabot in #​5048
• chore: more perf by @​Eomm in #​5016
• docs(ecosystem): add fastify-prisma by @​zrosenbauer in #​5041
• test: fix ci due yup breaking by @​Eomm in #​5058
• perf: optimize split params by @​Connormiha in #​5057
• chore: implicitly infer SchemaCompiler as readonly by @​DemonHa in #​5060
• test(logger): splitting existing tests to avoid pipeline failing for timeout by @​giuliowaitforitdavide in #​5064
• fix(async-hooks): mixing async and callback style in preHandler option now returns an error by @​giuliowaitforitdavide in #​5069
• fix: enhance 100 and 200 or 204 handling by @​Iamshankhadeep in #​5056
• docs: add fastify-cloudflare-turnstile to ecosystem by @​112RG in #​5067
• docs: Fixing a couple typos by @​Cadienvan in #​5079
• feat: Add Symbol.asyncDispose to improve DX in short lived servers. by @​arthurfiorette in #​5082
• docs: Documentation changes requested at #​5082 by @​arthurfiorette in #​5083
• docs: remove thenable promisesaplus spec references by @​dancastillo in #​5081
• docs(ecosystem): add fastify-event-bus by @​Shiva127 in #​5085
• docs: update docs for FastifyPlugin by @​dancastillo in #​5070
• docs: Update for .hijack heading by @​jackbatzner in #​5088
• fix(warnings): fixed warning when accessing context property from Request and Reply objects by @​giuliowaitforitdavide in #​5084
• fix: HEAD route search by @​ivan-tymoshenko in #​5078

New Contributors

• @​kadoshita made their first contribution in #​5042
• @​Connormiha made their first contribution in #​5057
• @​DemonHa made their first contribution in #​5060
• @​Iamshankhadeep made their first contribution in #​5056
• @​Cadienvan made their first contribution in #​5079
• @​arthurfiorette made their first contribution in #​5082
• @​jackbatzner made their first contribution in #​5088

Full Changelog: fastify/fastify@v4.23.2...v4.24.0

v4.23.2

Compare Source

What's Changed

• fix: add routeOptions.schema to types by @​Uzlopak in #​5035

Full Changelog: fastify/fastify@v4.23.1...v4.23.2

v4.23.1

Compare Source

What's Changed

• fix: correct warnings for request.routerPath and request.routerMethod by @​Uzlopak in #​5032
• fix: add routeOptions.config to types by @​mcollina in #​5034

Full Changelog: fastify/fastify@v4.23.0...v4.23.1

v4.23.0

Compare Source

What's Changed

• test: reduce output of reqIdGenFactory.test.js by @​Uzlopak in #​5012
• feat: Add onListen Hook by @​BrendenInhelder in #​4899
• docs(readme): avoid line breaks in documentation links by @​antoineneff in #​5014
• chore(examples): added curly braces to conditions for consistency by @​turnerran in #​5015
• feat: access handler name add properties to req route options by @​cesarvspr in #​4470
• chore: Bump the dev-dependencies group with 1 update by @​dependabot in #​5018
• docs: minor improvements by @​Uzlopak in #​5019
• chore(deps): replace tiny-lru with toad-cache by @​kibertoad in #​4668
• docs(ecosystem.md): Fix wrong entry for ecosystem.md by @​Uzlopak in #​5021
• perf: use node: prefix to bypass require.cache call for builtins by @​Fdawgs in #​5026
• docs(typo): mistype of monkeypatch by @​Menkveld-24 in #​5027
• chore: change website to .dev instead of .io by @​Eomm in #​5028
• chore: add gurgunday and uzlopak as contributors by @​Uzlopak in #​5029
• chore: add a citgm command to customize what we run in CITGM by @​mcollina in #​5030

New Contributors

• @​BrendenInhelder made their first contribution in #​4899
• @​antoineneff made their first contribution in #​5014
• @​turnerran made their first contribution in #​5015
• @​Menkveld-24 made their first contribution in #​5027

**Full Change

---

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Stockholm, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.