fix(deps): update dependency fastify to v5 - autoclosed

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
fastify (source)	4.29.1 → 5.7.3

---

Release Notes

fastify/fastify (fastify)

v5.7.3

Compare Source

⚠️ Security Release

• Fix GHSA-mrq3-vjjr-p77c CVE-2026-25224.

What's Changed

• docs: update Reply.send() documentation for string serialization by @​mcollina in #​6466
• chore: ignore agents config files by @​mcollina in #​6474
• docs: update vulnerability reporting to use GitHub Security by @​mcollina in #​6475

Full Changelog: fastify/fastify@v5.7.2...v5.7.3

v5.7.2

Compare Source

⚠️ Notice ⚠️

Parsing of the content-type header has been improved to a strict parser in PR #​6414. This means only header values in the form described in RFC 9110 are accepted.

What's Changed

• chore: npm ignore AI related files by @​climba03003 in #​6447
• chore: update sponsor url by @​Eomm in #​6450
• docs: add fastify-http-exceptions to Ecosystem.md by @​bhouston in #​6442
• docs: fix invalid shorten form schema example by @​climba03003 in #​6448
• docs: Simplify and tighten decorators example by @​smith558 in #​6451
• docs: Fix incorrect variable use by @​smith558 in #​6455
• chore: update sponsor link by @​Eomm in #​6460
• fix: Fix MIT Licence file to conform to standard by @​smith558 in #​6464
• docs: move querystringParser option under routerOptions by @​inyourtime in #​6463
• chore: Updated content-type header parsing by @​jsumners in #​6414

New Contributors

• @​bhouston made their first contribution in #​6442

Full Changelog: fastify/fastify@v5.7.1...v5.7.2

v5.7.1

Compare Source

What's Changed

• chore: Bump actions/checkout from 5 to 6 by @​dependabot[bot] in #​6434
• chore: updated version in the fastify.js by @​Tony133 in #​6446

Full Changelog: fastify/fastify@v5.7.0...v5.7.1

v5.7.0

Compare Source

What's Changed

• docs: Improved firebase serverless guide about process remaining stuck by @​alexandercerutti in #​6380
• docs: update migration guide with date-time breaking change by @​craftsman01 in #​6110
• chore: remove test file by @​Eomm in #​6384
• feat: speed up loading with custom compiler by @​Eomm in #​6383
• docs: replace all instances of twitter.com with x.com by @​cseas in #​6355
• docs: correct logger option in example by @​inyourtime in #​6391
• docs: fix links by @​Shriti507 in #​6394
• chore: skip unnecessary object creation by @​Eomm in #​6400
• docs: Update JSON Schema link in documentation by @​jon23d in #​6402
• docs(ecosystem): add fastify-ses-mailer by @​KaranHotwani in #​6395
• docs: add security note about validation errors in response by @​mcollina in #​6407
• docs: add security threat model by @​mcollina in #​6406
• chore: update onboarding and offboarding instructions by @​Eomm in #​6403
• fix: set status code before publishing diagnostics error channel by @​tt-a1i in #​6412
• fix: use JSON.stringify in onBadUrl for proper escaping by @​mcollina in #​6420
• chore: fix type test by @​mrazauskas in #​6418
• docs: improve Validation-and-Serialization.md by @​twentytwo777 in #​6423
• test: skip IPv6 test if its support is not present by @​LiviaMedeiros in #​6428
• test: fix test when localhost has multiple addresses by @​LiviaMedeiros in #​6427
• docs: add security warning for requestIdHeader by @​mcollina in #​6425
• docs(ecosystem): add elements-fastify by @​rohitsoni007 in #​6416
• chore: Bump actions/dependency-review-action from 4.8.1 to 4.8.2 by @​dependabot[bot] in #​6433
• chore: Bump markdownlint-cli2 from 0.18.1 to 0.20.0 by @​dependabot[bot] in #​6436
• chore: Bump @​types/node from 24.10.4 to 25.0.3 in the dev-dependencies-typescript group by @​dependabot[bot] in #​6435
• fix(ts): Align routerOptions defaultRoute types with runtime by @​AnkanMisra in #​6392
• fix(types): require send() payload when Reply type is specified by @​tt-a1i in #​6432
• fix: ajv options type validation by @​gianmarco27 in #​6437
• docs: add non-vulnerability examples to threat model by @​RafaelGSS in #​6431
• feat: implement conditional request logging by @​kibertoad in #​5732
• docs(sponsor): add serpapi by @​Eomm in #​6443
• perf: use native WebStream API instead of Readable.fromWeb wrapper by @​mcollina in #​6444

New Contributors

• @​craftsman01 made their first contribution in #​6110
• @​cseas made their first contribution in #​6355
• @​Shriti507 made their first contribution in #​6394
• @​jon23d made their first contribution in #​6402
• @​KaranHotwani made their first contribution in #​6395
• @​tt-a1i made their first contribution in #​6412
• @​mrazauskas made their first contribution in #​6418
• @​twentytwo777 made their first contribution in #​6423
• @​rohitsoni007 made their first contribution in #​6416
• @​AnkanMisra made their first contribution in #​6392
• @​gianmarco27 made their first contribution in #​6437

Full Changelog: fastify/fastify@v5.6.2...v5.7.0

v5.6.2

Compare Source

v5.6.1

Compare Source

What's Changed

• fix: fix typo of deprecation warning FSTDEP022 by @​Uzlopak in #​6313
• docs(decorators): fix TypeScript inconsistency by @​emicovi in #​6224
• chore: fix typos by @​deining in #​6316
• docs(security): add secondary contact/security escalation policy by @​UlisesGascon in #​6315
• chore(gha): remove benchmark github workflows by @​Eomm in #​6322
• chore(sponsor): add lambdatest by @​Eomm in #​6324
• fix: (types) allow FastifySchemaValidationError[] as an error by @​gurgunday in #​6326
• fix: correct session.close() context in http2 timeout handler by @​David-van-der-Sluijs in #​6327
• fix: close http2 sessions on close server by @​kostyak127 in #​6137

New Contributors

• @​deining made their first contribution in #​6316
• @​UlisesGascon made their first contribution in #​6315
• @​David-van-der-Sluijs made their first contribution in #​6327
• @​kostyak127 made their first contribution in #​6137

Full Changelog: fastify/fastify@v5.6.0...v5.6.1

v5.6.0

Compare Source

What's Changed

• fix: update typescript pino type to pick by @​dancastillo in #​6287
• feat(types): router option types by @​dancastillo in #​6282
• fix(types): Fix use of "esModuleInterop: false" by @​joshkel in #​6292
• docs: fix typo in Reference: TypeScript.md by @​hmanzoni in #​6302
• docs: clarify router performance note by @​Prasad2604 in #​6306

New Contributors

• @​joshkel made their first contribution in #​6292
• @​hmanzoni made their first contribution in #​6302
• @​Prasad2604 made their first contribution in #​6306

Full Changelog: fastify/fastify@v5.5.0...v5.6.0

v5.5.0

Compare Source

What's Changed

• docs: fix markdown linting issue by @​Uzlopak in #​6175
• chore: removed simple-get from mkcalendar tests by @​ilteoood in #​6199
• chore: removed simple-get from versioned-routes tests by @​ilteoood in #​6202
• chore: removed simple-get from hooks tests by @​ilteoood in #​6210
• fix: close pipelining test by @​ilteoood in #​6204
• chore: removed simple-get from unlock test by @​ilteoood in #​6178
• chore: removed simple-get from use-semicolon-delimiter tests by @​ilteoood in #​6203
• chore: removed simple-get from custom-https-server tests by @​ilteoood in #​6201
• chore: remove simple-get from custom parser 5 by @​ilteoood in #​6172
• chore: removed simple-get from head tests by @​ilteoood in #​6196
• chore: removed simple-get from request id tests by @​ilteoood in #​6193
• chore: remove simple get from custom parser 1 by @​ilteoood in #​6167
• chore: removed simple-get from custom-parser-0 by @​ilteoood in #​6168
• chore: remove simple-get from custom parser 2 by @​ilteoood in #​6169
• chore: remove simple-get from custom parser 4 by @​ilteoood in #​6171
• chore: removed simple-get from promises test by @​ilteoood in #​6183
• chore: removed simple-get from move test by @​ilteoood in #​6179
• chore: remove simple-get from custom querystring parser by @​ilteoood in #​6166
• chore: remove simple-get from propfind by @​ilteoood in #​6174
• chore: removed simple-get from case insensitive test by @​ilteoood in #​6188
• chore: remove simple get from async-await tests by @​ilteoood in #​6165
• chore: removed simple-get from header overflow test by @​ilteoood in #​6190
• chore: removed simple-get from check test by @​ilteoood in #​6176
• chore: removed simple-get from async hooks test by @​ilteoood in #​6189
• feat(types): export more schema related types by @​marcalexiei in #​6207
• chore: removed simple-get from copy tests by @​ilteoood in #​6198
• chore: removed simple-get from request-error test by @​ilteoood in #​6184
• chore: removed simple-get from decorator tests by @​ilteoood in #​6192
• ci: pin third-party actions to commit-hash by @​Fdawgs in #​6218
• fix: close fastify instance by @​ilteoood in #​6177
• chore(license): replace date range by @​Fdawgs in #​6219
• chore: removed simple-get from plugin-1 test by @​ilteoood in #​6180
• chore: removed simple-get from plugin-2 test by @​ilteoood in #​6181
• chore: removed simple-get from plugin-3 test by @​ilteoood in #​6182
• chore: remove simple get from reply test by @​ilteoood in #​6160
• feat(types): add missing error types by @​davidwood in #​6217
• docs: setErrorHandler description by @​AlvesJorge in #​6227
• docs: fix onError hook execution order documentation by @​emicovi in #​6225
• fix: handle abort signal in fastify.listen by @​climba03003 in #​6235
• feat: prepare to use Promise.withResolvers by @​climba03003 in #​6232
• docs: updated SECURITY.md by @​Eomm in #​6233
• fix(docs): fix markdown to exclude leading parenthesis by @​IanWoodard in #​6238
• ci: fix thollander/actions-comment-pull-request commit-hash by @​Fdawgs in #​6244
• docs(routes): add payload to preParsing signature by @​callmehiphop in #​6240
• docs(ecosystem): add fastify-route-preset plugin by @​inyourtime in #​6220
• chore: remove simple get from async request, get and register... by @​ilteoood in #​6246
• docs: improve custom validator documentation for async hooks by @​emicovi in #​6228
• chore: remove simple get from route shorthand by @​ilteoood in #​6245
• chore: Bump @​stylistic/eslint-plugin from 4.4.1 to 5.1.0 in the dev-dependencies-eslint group by @​dependabot[bot] in #​6242
• chore: Bump @​types/node from 22.15.34 to 24.0.8 in the dev-dependencies-typescript group by @​dependabot[bot] in #​6243
• chore(tests): remove simple get by @​ilteoood in #​6249
• chore: finally remove simple get by @​ilteoood in #​6251
• chore: remove undici from schema-validation.test.js by @​Uzlopak in #​6252
• test: fix flakyness of close-pipelining-test, upgrade undici to v7 by @​Uzlopak in #​6256
• fix: account for EPIPE fetch errors in tests by @​gurgunday in #​6255
• docs: correct parameter name in frameworkErrors handler by @​inyourtime in #​6257
• docs: fix server page headings level by @​golopot in #​6258
• fix: add FST_ERR_CTP_INVALID_JSON_BODY by @​Uzlopak in #​5925
• feat: optimize content type parser by using AsyncResource.bind() by @​gurgunday in #​6262
• fix: remove unnecessary body length check in contentTypeParser by @​gurgunday in #​6266
• docs(ecosystem): add fastify-multilingual by @​gbrugger in #​6268
• chore: fix docs Request.md by @​ts0307 in #​6270
• chore: Bump typescript from 5.8.3 to 5.9.2 in the dev-dependencies-typescript group by @​dependabot[bot] in #​6273
• chore: Bump cross-env from 7.0.3 to 10.0.0 by @​dependabot[bot] in #​6274
• feat(types): enforce reply status code types with type providers by @​samchungy in #​6250
• feat: move router options to own key by @​dancastillo in #​5985
• docs: refine CONTRIBUTING.md for better readability by @​Dipali127 in #​6277
• chore: refactor reply.send and prioritize kReplyIsError by @​gurgunday in #​6267
• docs(ecosystem): add fastify-permissions plugin by @​pckrishnadas88 in #​6265
• docs: Add Hey API to ecosystem by @​mrlubos in #​6280
• fix: OPTIONS Content-Type handling by @​gurgunday in #​6263

New Contributors

• @​marcalexiei made their first contribution in #​6207
• @​davidwood made their first contribution in #​6217
• @​AlvesJorge made their first contribution in #​6227
• @​emicovi made their first contribution in #​6225
• @​IanWoodard made their first contribution in #​6238
• @​callmehiphop made their first contribution in #​6240
• @​golopot made their first contribution in #​6258
• @​gbrugger made their first contribution in #​6268
• @​ts0307 made their first contribution in #​6270
• @​Dipali127 made their first contribution in #​6277
• @​pckrishnadas88 made their first contribution in #​6265
• @​mrlubos made their first contribution in #​6280

Full Changelog: fastify/fastify@v5.4.0...v5.5.0

v5.4.0

Compare Source

What's Changed

• test: mv routes-* from tap by @​jean-michelet in #​6092
• test: mv skip-reply-send from tap by @​jean-michelet in #​6094
• test: mv plugins from tap by @​jean-michelet in #​6088
• fix(ci): ignore alternative runtime result by @​Eomm in #​6125
• test: mv schema-* from tap by @​jean-michelet in #​6093
• test: mv hooks-async from tap by @​jean-michelet in #​6084
• fix(types): add missing version to request.routeOptions by @​inyourtime in #​6126
• docs: remove fastify-sentry plugin by @​dnlup in #​6131
• docs: add community plugins disclaimer by @​jean-michelet in #​6132
• docs: use cross-platform compatible info emoji by @​Fdawgs in #​6134
• perf: nits in reply.js by @​Cangit in #​6136
• docs: join core team by @​jean-michelet in #​6142
• docs: fix typo in hash.digest function by @​piotr-cz in #​6145
• test: mv hooks from tap by @​jean-michelet in #​6087
• test: improve issue 4959 unit test by @​Uzlopak in #​6147
• chore: Bump markdownlint-cli2 from 0.17.2 to 0.18.1 by @​dependabot in #​6150
• chore: remove dependencie tap and others updated by @​Tony133 in #​6148
• fix: hook async flaky by @​ilteoood in #​6155
• chore: Bump lycheeverse/lychee-action from 2.4.0 to 2.4.1 by @​dependabot in #​6151
• chore: removing simple-get from allow-unsafe-regex by @​ilteoood in #​6154
• chore: remove simple get on 404s test file by @​ilteoood in #​6153
• chore: remove simple-get in handle-request.test.js by @​ilteoood in #​6159
• chore: remove simple-get from url-rewriting by @​ilteoood in #​6163
• chore: remove simple-get in report.test.js by @​ilteoood in #​6157
• chore: remove simple-get from custom parser async by @​ilteoood in #​6164
• chore: removed simple-get from mkcol tests by @​ilteoood in #​6194
• chore: removed simple-get from proto-poisoning test by @​ilteoood in #​6185
• ci: Added Node.js v24 by @​mcollina in #​6113
• chore: removed simple-get from nullable validation test by @​ilteoood in #​6191
• feat: configure errorhandler override by @​jean-michelet in #​6104
• chore: remove simple-get from search test by @​ilteoood in #​6158
• chore: remove simple get from secure with fallback test by @​ilteoood in #​6162
• chore: removed simple-get from als test by @​ilteoood in #​6187
• chore: remove simple-get from listen 4 by @​ilteoood in #​6173
• fix: do not freeze request.routeOptions by @​mcollina in #​6141
• chore: removed simple-get from sync-delay-request tests by @​ilteoood in #​6212
• chore: removed simple-get from output-validation tests by @​ilteoood in #​6213
• chore: removed simple-get from async-delay-request tests by @​ilteoood in #​6211
• chore: removed simple-get from body-limit tests by @​ilteoood in #​6209
• chore: removed simple-get from trust-proxy tests by @​ilteoood in #​6205
• chore: removed simple-get from proppatch tests by @​ilteoood in #​6200
• chore(ci): cleanup citgm.yml by @​Eomm in #​6195
• chore: removed simple-get from https tests by @​ilteoood in #​6197
• chore: removed simple-get from lock test by @​ilteoood in #​6186

Full Changelog: fastify/fastify@v5.3.3...v5.4.0

v5.3.3

Compare Source

What's Changed

• docs: update Vercel section by @​leerob in #​6046
• docs(ecosystem): add fastify-papr plugin by @​inaiat in #​6051
• test: migrated helper and input validation to node test runner by @​ilteoood in #​6074
• style: add "no comma-dangle" rule to eslint config and remove trailing commas by @​cecia234 in #​6069
• test: migrate stream tests to node test runner by @​ilteoood in #​6065
• test: logger response by @​ilteoood in #​6055
• test: migrate schema feature to node test runner by @​ilteoood in #​6066
• fix: Added more cases for JSON schema validation by @​mcollina in #​6067
• test: migrated inject.test.js from tap to node:test by @​Tony133 in #​6068
• test: migrated plugin 1 to node test runner by @​ilteoood in #​6075
• ci: fix branch pattern by @​Eomm in #​6090
• docs: added Jeasx to Ecosystem.md by @​jablonski in #​6082
• test: mv promises from tap by @​jean-michelet in #​6085
• refactor: node:http2 is always available by @​Cangit in #​6073
• fix: update borp to 0.20.0. by @​lholmquist in #​6091
• chore: Bump fluent-json-schema from 5.0.0 to 6.0.0 by @​dependabot in #​6101
• chore: Bump tsd from 0.31.2 to 0.32.0 in the dev-dependencies-typescript group by @​dependabot in #​6100
• test: migrated decorator.test.js from tap to node:test by @​Tony133 in #​5957
• test: stabilize pipelining shutdown test with controlled close timing by @​jean-michelet in #​6099
• test: migrated output-validation.test.js from tap to node:test by @​Tony133 in #​6076
• test: remove tap from hooks-on ready file by @​IcaroSilvaFK in #​6080
• test: mv hooks.on-listen from tap by @​jean-michelet in #​6086
• ci: ignore scripts by @​Fdawgs in #​6108
• docs: add a warning about setErrorHandler overriding a previously defined error handler on an encapsulated context by @​jean-michelet in #​6097
• docs(ecosystem): remove fastify-diagnostics-channel by @​inyourtime in #​6117
• fix: internal function _addHook failure should be turned into the rejection app.ready is waiting for by @​jean-michelet in #​6105
• test: replace removed request properties and update docs by @​inyourtime in #​6111
• test: mv reply from tap by @​jean-michelet in #​6089
• test: updated promises.test.js re-added the plan() method by @​Tony133 in #​6057
• ci: add support to test release candidates by @​RafaelGSS in #​6103

New Contributors

• @​leerob made their first contribution in #​6046
• @​inaiat made their first contribution in #​6051
• @​cecia234 made their first contribution in #​6069
• @​jablonski made their first contribution in #​6082
• @​lholmquist made their first contribution in #​6091
• @​IcaroSilvaFK made their first contribution in #​6080

Full Changelog: fastify/fastify@v5.3.2...v5.3.3

v5.3.2

Compare Source

⚠️ Security Release ⚠️

Unfortunately, v5.3.1 did not include a complete fix for "Invalid content-type parsing could lead to validation bypass" and CVE-2025-32442. This is a follow-up patch to cover an edge case.

What's Changed

• docs: fix archived concurrently link to point to active repo by @​TimTeylor in #​6063
• fix: treat space as a delimiter in content-type parsing by @​mcollina in #​6064

New Contributors

• @​TimTeylor made their first contribution in #​6063

Full Changelog: fastify/fastify@v5.3.1...v5.3.2

v5.3.1

Compare Source

⚠️ Security Release ⚠️

• Fix for "Invalid content-type parsing could lead to validation bypass" and CVE-2025-32442

What's Changed

• test: migrate logger options to node test runner by @​ilteoood in #​6059
• test: migrate logger logging to node test runner by @​ilteoood in #​6060
• test: convert custom parser 1 to node test runner by @​ilteoood in #​6053
• test: custom querystring parser by @​ilteoood in #​6054
• test: migrate stream 4 to node test runner by @​ilteoood in #​6062
• test: migrate request logger to node test runner by @​ilteoood in #​6058
• test: migrate custom parser 0 to node test runner by @​ilteoood in #​6052
• test: migrate logger instantiation to node test runner by @​ilteoood in #​6061

New Contributors

• @​ilteoood made their first contribution in #​6059

Full Changelog: fastify/fastify@v5.3.0...v5.3.1

v5.3.0

Compare Source

What's Changed

• fix: wrong reply return type by @​dangkyokhoang in #​6026
• feat: allow to access decorators by @​jean-michelet in #​5768
• ci: continue-on-error on alternative runtime by @​Eomm in #​6031
• fix: clear [kState].readyPromise for garbage collection by @​LiviaMedeiros in #​6030
• ci: set workflow permissions to read-only by default by @​Fdawgs in #​6035
• chore: Bump the dependencies-major group with 2 updates by @​dependabot in #​6036
• chore: Bump lycheeverse/lychee-action from 2.3.0 to 2.4.0 by @​dependabot in #​6037
• chore: remove sponsort by @​Eomm in #​6040
• test: fix skip in upgrade test by @​LiviaMedeiros in #​6044
• chore: migrate custom-parser.4.test.js to node:test by @​Matthew-Mallimo in #​6042
• docs: add fastify-lm to Ecosystem.md by @​galiprandi in #​6032
• test: skip IPv6 tests if its support is not present by @​LiviaMedeiros in #​6048

New Contributors

• @​dangkyokhoang made their first contribution in #​6026
• @​Matthew-Mallimo made their first contribution in #​6042
• @​galiprandi made their first contribution in #​6032

Full Changelog: fastify/fastify@v5.2.2...v5.3.0

v5.2.2

Compare Source

What's Changed

• build: use static path instead of __filename by @​climba03003 in #​5922
• fix(linting): fix linting error in error-handler.js by @​Uzlopak in #​5926
• chore: Bump the dev-dependencies group across 1 directory with 6 updates by @​dependabot in #​5930
• fix: don't check for payload type in default json parser by @​gurgunday in #​5933
• docs: Include req.hostname change in upgrade guide by @​tmcw in #​5935
• build(dependabot): regroup dev dependencies by @​Fdawgs in #​5931
• chore: Bump borp from 0.18.0 to 0.19.0 by @​dependabot in #​5936
• chore: don't return the done function by @​gurgunday in #​5937
• ci(workflows): unpin node 22 version by @​Fdawgs in #​5941
• perf: don't use optional chaining for typeof .then checks by @​gurgunday in #​5942
• docs: the no floating promise guide is not needed anymore by @​mcollina in #​5946
• docs: grammar and spelling fixes by @​Fdawgs in #​5944
• perf(lib/pluginutils): cache rc version regex by @​Fdawgs in #​5940
• build(dependabot): reduce npm updates to monthly by @​Fdawgs in #​5939
• docs(guides): grammar and spelling fixes by @​Fdawgs in #​5947
• test: migrated genReqId.test.js from tap to node:test by @​Tony133 in #​5943
• chore: Bump lycheeverse/lychee-action

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

📊 Benchmark results

Comparing with e5df3bf

• Dependency count: 1,054 ⬇️ 0.09% decrease vs. e5df3bf
• Package size: 317 MB ⬆️ 0.01% increase vs. e5df3bf
• Number of ts-expect-error directives: 365 (no change)