Skip to content
This repository has been archived by the owner on Feb 6, 2025. It is now read-only.

fix(deps): update dependency @fastify/reply-from to v9.6.0 [security] #699

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Aug 6, 2024

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
@fastify/reply-from 9.4.0 -> 9.6.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-51701

Impact

The main repo of fastify use fast-content-type-parse to parse request Content-Type, which will trim after split.

The fastify-reply-from have not use this repo to unify the parse of Content-Type, which won't trim.

As a result, a reverse proxy server built with @fastify/reply-from could misinterpret the incoming body by passing an header ContentType: application/json ; charset=utf-8. This can lead to bypass of security checks.

Patches

@fastify/reply-from v9.6.0 include the fix.

Workarounds

There are no known workarounds.

References

Hackerone Report: https://hackerone.com/reports/2295770.


Release Notes

fastify/fastify-reply-from (@​fastify/reply-from)

v9.6.0

Compare Source

⚠️ Security Release ⚠️

Fixes CVE-2023-51701, see GHSA-v2v2-hph8-q5xp for more details. Severity: moderate.

Full Changelog: fastify/fastify-reply-from@v9.5.0...v9.6.0

v9.5.0

Compare Source

What's Changed

New Contributors

Full Changelog: fastify/fastify-reply-from@v4.18.0...v9.5.0


Configuration

📅 Schedule: Branch creation - "" in timezone Africa/Johannesburg, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
@renovate renovate bot added the renovate label Aug 6, 2024
@renovate renovate bot enabled auto-merge (rebase) August 6, 2024 06:40
Copy link

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/@fastify/reply-from@9.6.0 Transitive: environment, filesystem, network, unsafe +12 1.58 MB matteo.collina

🚮 Removed packages: npm/@fastify/reply-from@9.4.0

View full report↗︎

@renovate renovate bot assigned Asjas Aug 6, 2024
@renovate renovate bot requested a review from Asjas August 6, 2024 11:14
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

1 participant