This repository was archived by the owner on Jan 4, 2023. It is now read-only.

chore(deps): update dependency fastify to 4.10.2 [security]#95

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-fastify-vulnerability

Conversation

@renovate
Contributor

@renovate renovate Bot commented Nov 14, 2022

Mend Renovate

This PR contains the following updates:

Package Change
fastify 4.9.2 -> 4.10.2

GitHub Vulnerability Alerts

CVE-2022-41919

Impact

The attacker can use an incorrect Content-Type to bypass the pre-flight check of fetch. fetch() requests whose Content-Type essence is "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain" could potentially be used to invoke routes that only accept the application/json content type, thus bypassing any CORS protection, and therefore could lead to a Cross-Site Request Forgery attack.

Patches

For 4.x users, please update to at least 4.10.2
For 3.x users, please update to at least 3.29.4

Workarounds

Implement Cross-Site Request Forgery protection using @fastify/csrf.

References

Check out the HackerOne report: https://hackerone.com/reports/1763832.

For more information

Fastify security policy


Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Zurich, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
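The advisory's Impact section above turns on one detail of the Fetch standard: a cross-origin POST whose Content-Type essence is one of the three CORS-safelisted values is sent without a preflight, so a route that accepts such a body as JSON can be reached from any origin. The following is an added example, written for this page and not code from the PR, from Renovate or from Fastify; it models that decision without any framework (the lenient parser is a hypothetical stand-in for the weakness the advisory describes, not Fastify's real parser), and the sample requests are constructed, not captured traffic.

```javascript
// Added example (not code from the PR or from Fastify): a framework-free model
// of the check that decides whether a cross-origin fetch() body reaches a
// JSON-only route. Requests are constructed below; no network is used.

// Content-Type essences the Fetch standard treats as CORS-safelisted: a
// cross-origin POST carrying one of these is a "simple request" and is sent
// WITHOUT a preflight, so the server's CORS policy is never consulted first.
const SAFELISTED_ESSENCES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Reduce a Content-Type header to its essence: the type/subtype with any
// parameters (charset, boundary, ...) stripped, trimmed and lower-cased.
function contentTypeEssence(header) {
  if (typeof header !== 'string') return '';
  return header.split(';')[0].trim().toLowerCase();
}

// Simplified browser model: only method and Content-Type are considered.
// (Any other non-safelisted request header would also force a preflight.)
function isSimpleRequest(req) {
  const method = (req.method || 'GET').toUpperCase();
  if (!['GET', 'HEAD', 'POST'].includes(method)) return false;
  const ct = req.headers['content-type'];
  return ct === undefined || SAFELISTED_ESSENCES.has(contentTypeEssence(ct));
}

// Lenient parser: a hypothetical model of the weakness the advisory describes
// (not Fastify's real parser). The body is accepted as JSON whenever it
// parses, whatever Content-Type was declared.
function lenientJsonParse(req) {
  try {
    return { ok: true, body: JSON.parse(req.body) };
  } catch (_) {
    return { ok: false, status: 400 };
  }
}

// Hardened parser: accept a body only when the Content-Type essence is
// exactly application/json. A cross-origin fetch() with that header is not a
// simple request, so the browser preflights it and CORS policy applies.
function strictJsonParse(req) {
  const essence = contentTypeEssence(req.headers['content-type']);
  if (essence !== 'application/json') {
    return { ok: false, status: 415 };
  }
  try {
    return { ok: true, body: JSON.parse(req.body) };
  } catch (_) {
    return { ok: false, status: 400 };
  }
}

// Audit: for each request, would it be delivered with no preflight, and would
// it then be accepted by a JSON-only handler under each parser?
function audit(requests) {
  return requests.map((req) => {
    const simple = isSimpleRequest(req);
    return {
      label: req.label,
      preflighted: !simple,
      // true = a cross-origin page could deliver this body with no preflight
      lenientBypass: simple && lenientJsonParse(req).ok,
      strictBypass: simple && strictJsonParse(req).ok,
    };
  });
}

// Constructed sample requests (not captured traffic).
const SAMPLE_REQUESTS = [
  { label: 'legitimate client', method: 'POST',
    headers: { 'content-type': 'application/json' }, body: '{"amount":100}' },
  { label: 'text/plain with JSON body', method: 'POST',
    headers: { 'content-type': 'text/plain;charset=UTF-8' }, body: '{"amount":100}' },
  { label: 'form-encoded, not JSON', method: 'POST',
    headers: { 'content-type': 'application/x-www-form-urlencoded' }, body: 'amount=100' },
];

console.table(audit(SAMPLE_REQUESTS));
```

Run with `node` to print the audit table: only the text/plain request is both unpreflighted and accepted by the lenient parser, which is exactly the gap the fix in 4.10.2 closes; the strict parser rejects it with 415 before any handler runs. A strict Content-Type check restores the preflight but is not a CSRF defence on its own, which is why the advisory also lists @fastify/csrf as a workaround and why a token check remains worthwhile after updating.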

@renovate renovate Bot added the security label Nov 14, 2022
@renovate renovate Bot force-pushed the renovate/npm-fastify-vulnerability branch from ed80a20 to 3d0cf01 November 16, 2022 07:06
@renovate renovate Bot changed the title chore(deps): update dependency fastify to 4.8.1 [security] chore(deps): update dependency fastify to 4.8.1 [security] - autoclosed Nov 21, 2022
@renovate renovate Bot closed this Nov 21, 2022
@renovate renovate Bot deleted the renovate/npm-fastify-vulnerability branch November 21, 2022 10:22
@renovate renovate Bot changed the title chore(deps): update dependency fastify to 4.8.1 [security] - autoclosed chore(deps): update dependency fastify to 4.8.1 [security] Nov 22, 2022
@renovate renovate Bot reopened this Nov 22, 2022
@renovate renovate Bot restored the renovate/npm-fastify-vulnerability branch November 22, 2022 00:01
@renovate renovate Bot changed the title chore(deps): update dependency fastify to 4.8.1 [security] chore(deps): update dependency fastify to 4.10.2 [security] Nov 22, 2022
@renovate renovate Bot force-pushed the renovate/npm-fastify-vulnerability branch from 3d0cf01 to 3a3f786 November 29, 2022 17:25
@renovate renovate Bot changed the title chore(deps): update dependency fastify to 4.10.2 [security] Update dependency fastify to 4.10.2 [SECURITY] Dec 17, 2022
@renovate renovate Bot changed the title Update dependency fastify to 4.10.2 [SECURITY] chore(deps): update dependency fastify to 4.10.2 [security] Dec 17, 2022
