chore(deps): update dependency fastify to v3.29.4 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
fastify (source)	3.27.0 -> 3.29.4

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

GitHub Vulnerability Alerts

CVE-2022-41919

Impact

The attacker can use the incorrect Content-Type to bypass the Pre-Flight checking of fetch. fetch() requests with Content-Type’s essence as "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain", could potentially be used to invoke routes that only accepts application/json content type, thus bypassing any CORS protection, and therefore they could lead to a Cross-Site Request Forgery attack.

Patches

For 4.x users, please update to at least 4.10.2
For 3.x users, please update to at least 3.29.4

Workarounds

Implement Cross-Site Request Forgery protection using @fastify/csrf.

References

Check out the HackerOne report: https://hackerone.com/reports/1763832.

For more information

Fastify security policy

---

Release Notes

fastify/fastify (fastify)

v3.29.4

Compare Source

⚠️ Security Release ⚠️

• Fix for "Incorrect Content-Type parsing can lead to CSRF attack"
  and CVE-2022-41919

Full Changelog: fastify/fastify@v3.29.3...v3.29.4

v3.29.3

Compare Source

⚠️ Security Release ⚠️

This release backport the fixes of GHSA-455w-c45v-86rg for the v3.x line.
While not being a vulnerability for this line, a backport is still welcome due to the problems highlighted in the report.

Full Changelog: fastify/fastify@v3.29.2...v3.29.3

v3.29.2

Compare Source

What's Changed

• fix: backport reused connection fix by @​salzhrani in #​4217

New Contributors

• @​salzhrani made their first contribution in #​4217

Full Changelog: fastify/fastify@v3.29.1...v3.29.2

v3.29.1

Compare Source

What's Changed

• docs: reference new @fastify/* modules by @​Fdawgs in #​3860
• Child log level in bindings is deprecated by @​orov-io in #​3896
• Handle aborted requests (#​215) by @​TimotejR in #​4103

New Contributors

• @​orov-io made their first contribution in #​3896
• @​TimotejR made their first contribution in #​4103

Full Changelog: fastify/fastify@v3.29.0...v3.29.1

v3.29.0

Compare Source

What's Changed

• Update fastify-error dependency by @​jsumners in #​3859

Full Changelog: fastify/fastify@v3.28.0...v3.29.0

v3.28.0

Compare Source

What's Changed

• (v3.x) Allow custom Context Config types for hooks' request properties by @​sumbad in #​3787
• add generic logger to route handler & FastifyRequest by @​MarcoLeko in #​3782
• (v3.x) fix: handle invalid url by @​climba03003 in #​3806
• (v3.x) feat: reply trailers support by @​climba03003 in #​3807

Full Changelog: fastify/fastify@v3.27.4...v3.28.0

v3.27.4

Compare Source

What's Changed

• [Backport v3.x] Fixed Node.js v18/master support by @​github-actions in #​3761

Full Changelog: fastify/fastify@v3.27.3...v3.27.4

v3.27.3

Compare Source

What's Changed

• Drop @​typescript-eslint/no-misused-promises (#​3741) by @​mcollina in #​3757

Full Changelog: fastify/fastify@v3.27.2...v3.27.3

v3.27.2

Compare Source

What's Changed

• fix: added jsonShorthand in FastifyServerOptions by @​DanieleFedeli in #​3681
• fix: calling reply.callNotFound uncaught exception by @​VigneshMurugan in #​3661
• style: fix new standard linting by @​Divlo in #​3682
• docs(ecosystem): update fastify-jwt plugin with the new internal library it uses by @​rluvaton in #​3689
• ci(package-manager): run test:ci instead of test by @​Divlo in #​3692
• docs(ecosystem): adds @​immobiliarelabs/fastify-sentry by @​simonecorsi in #​3693
• chore: fix plugin labeler by @​Eomm in #​3694
• Add reference to FST_ERR_CTP_INVALID_MEDIA_TYPE error in the docs for validation & content type parser by @​AWare in #​3697
• fix(types): add opts param to onRegister hook handler signature by @​bmenant in #​3641
• update Server docs by @​matthyk in #​3699
• Update middleware docs link by @​JamieGrimwood in #​3706
• build(deps): bump tiny-lru from 7.0.6 to 8.0.1 by @​dependabot in #​3700
• build(deps-dev): bump @​sinonjs/fake-timers from 8.1.0 to 9.1.0 by @​dependabot in #​3683

New Contributors

• @​Divlo made their first contribution in #​3682
• @​AWare made their first contribution in #​3697
• @​bmenant made their first contribution in #​3641
• @​JamieGrimwood made their first contribution in #​3706

Full Changelog: fastify/fastify@v3.27.1...v3.27.2

v3.27.1

Compare Source

What's Changed

• docs: fix link to forceCloseConnections option by @​RafaelGSS in #​3638
• docs(Prototype-Poisoning): invalid content link by @​RafaelGSS in #​3639
• doc(Guides): fix grammar issue in the Prototype Poisoning file by @​rluvaton in #​3640
• types: add forceCloseConnection type def by @​RafaelGSS in #​3646
• Fixes #​3648 - URL must be a string by @​VigneshMurugan in #​3653
• build: reduce dependabot update frequency by @​Fdawgs in #​3659
• build: correct dependabot config by @​Fdawgs in #​3662
• add missing types workflow by @​KiraPC in #​3668
• Serialization errors will be send to errorHandler by @​int1ch in #​3674
• Add Documentation and TS Types missed for FastifyInstance#setSchemaController by @​Grubba27 in #​3480
• Add action to lock threads by @​jsumners in #​3679

New Contributors

• @​rluvaton made their first contribution in #​3640
• @​int1ch made their first contribution in #​3674
• @​Grubba27 made their first contribution in #​3480

Full Changelog: fastify/fastify@v3.27.0...v3.27.1

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock

➤ YN0000: ┌ Resolution step
➤ YN0002: │ @commitlint/load@npm:16.1.0 doesn't provide @types/node (p28edd), requested by cosmiconfig-typescript-loader
➤ YN0002: │ @drizzle-http/example-nestjs@workspace:examples/nestjs doesn't provide typescript (p59e73), requested by @nestjs/schematics
➤ YN0002: │ @drizzle-http/example-react@workspace:examples/react doesn't provide webpack (p1ed42), requested by babel-loader
➤ YN0002: │ @drizzle-http/example-react@workspace:examples/react doesn't provide webpack (p43d50), requested by clean-webpack-plugin
➤ YN0002: │ @drizzle-http/example-react@workspace:examples/react doesn't provide webpack (pd3749), requested by html-webpack-plugin
➤ YN0002: │ @drizzle-http/example-react@workspace:examples/react doesn't provide webpack (pc82c0), requested by webpack-dev-server
➤ YN0002: │ webpack-dev-server@npm:4.7.3 [1cf60] doesn't provide @types/express (p93524), requested by http-proxy-middleware
➤ YN0002: │ webpack-dev-server@npm:4.7.3 [ee916] doesn't provide @types/express (pf59c4), requested by http-proxy-middleware
➤ YN0000: │ Some peer dependencies are incorrectly met; run yarn explain peer-requirements <hash> for details, where <hash> is the six-letter p-prefixed code
➤ YN0000: └ Completed in 0s 509ms
➤ YN0000: ┌ Fetch step
➤ YN0001: │ TypeError: resolve@patch:resolve@npm%3A1.19.0#~builtin<compat/resolve>::version=1.19.0&hash=07638b: (0 , QO.isDate) is not a function
    at ihe (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:10860)
    at Jr.utimesImpl (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:28773)
    at Jr.utimesSync (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:28366)
    at Jr.utimesPromise (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:28236)
    at Jr.mkdirpPromise (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:312:12970)
    at async pO (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:312:7174)
    at async Jr.copyPromise (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:312:13674)
    at async /tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:721:1676
    at async Object.kEe (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:382:3934)
    at async RM.patchPackage (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:721:1636)
➤ YN0001: │ TypeError: resolve@patch:resolve@npm%3A1.22.0#~builtin<compat/resolve>::version=1.22.0&hash=07638b: (0 , QO.isDate) is not a function
    at ihe (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:10860)
    at Jr.utimesImpl (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:28773)
    at Jr.utimesSync (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:28366)
    at Jr.utimesPromise (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:28236)
    at Jr.mkdirpPromise (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:312:12970)
    at async pO (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:312:7174)
    at async Jr.copyPromise (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:312:13674)
    at async /tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:721:1676
    at async Object.kEe (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:382:3934)
    at async RM.patchPackage (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:721:1636)
➤ YN0001: │ TypeError: typescript@patch:typescript@npm%3A4.5.4#~builtin<compat/typescript>::version=4.5.4&hash=493e53: (0 , QO.isDate) is not a function
    at ihe (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:10860)
    at Jr.utimesImpl (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:28773)
    at Jr.utimesSync (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:28366)
    at Jr.utimesPromise (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:28236)
    at Jr.mkdirpPromise (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:312:12970)
    at async pO (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:312:7174)
    at async Jr.copyPromise (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:312:13674)
    at async /tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:721:1676
    at async Object.kEe (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:382:3934)
    at async RM.patchPackage (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:721:1636)
➤ YN0001: │ TypeError: typescript@patch:typescript@npm%3A4.5.5#~builtin<compat/typescript>::version=4.5.5&hash=493e53: (0 , QO.isDate) is not a function
    at ihe (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:10860)
    at Jr.utimesImpl (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:28773)
    at Jr.utimesSync (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:28366)
    at Jr.utimesPromise (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:28236)
    at Jr.mkdirpPromise (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:312:12970)
    at async pO (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:312:7174)
    at async Jr.copyPromise (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:312:13674)
    at async /tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:721:1676
    at async Object.kEe (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:382:3934)
    at async RM.patchPackage (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:721:1636)
➤ YN0013: │ 2009 packages were already cached, 8 had to be fetched
➤ YN0000: └ Completed in 0s 736ms
➤ YN0000: Failed with errors in 1s 246ms