fix(deps): update dependency fastify to v5.8.3 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
fastify (source)	5.8.2 → 5.8.3

---

fastify: request.protocol and request.host Spoofable via X-Forwarded-Proto/Host from Untrusted Connections

CVE-2026-3635 / GHSA-444r-cwp2-x5xf

More information

Details

Summary

When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection — including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application.

Affected Versions

fastify <= 5.8.2

Impact

Applications using request.protocol or request.host for security decisions (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, host-based routing) are affected when trustProxy is configured with a restrictive trust function.

When trustProxy: true (trust everything), both host and protocol trust all forwarded headers — this is expected behavior. The vulnerability only manifests with restrictive trust configurations.

Severity

• CVSS Score: 6.1 / 10 (Medium)
• Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

References

• https://github.com/fastify/fastify/security/advisories/GHSA-444r-cwp2-x5xf
• https://nvd.nist.gov/vuln/detail/CVE-2026-3635
• https://cna.openjsf.org/security-advisories.html
• https://github.com/fastify/fastify
• https://github.com/fastify/fastify/releases/tag/v5.8.3
• https://www.cve.org/CVERecord?id=CVE-2026-3635

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

fastify/fastify (fastify)

v5.8.3

Compare Source

⚠️ Security Release

This fixes CVE CVE-2026-3635 GHSA-444r-cwp2-x5xf.

What's Changed

• docs(readme): add @​Tony133 to plugin team by @​Tony133 in #​6565
• Updated Plugins-Guide.md; Changed "fastify" to "instance" during plugin registration to showcase that it's added as a child by @​kyrylchenko in #​6566
• test: use fastify.test in test case by @​climba03003 in #​6568
• docs: use fastify.example in documentation by @​climba03003 in #​6567
• docs: add common performance degradation guidance by @​maxpetrusenko in #​6520
• docs(server): fix camelCase anchor links in TOC by @​Deepvamja in #​6530
• ci(link-checker): fix root-relative links resolution by @​barba-rossa in #​6535
• docs: update syntax markdown, absolute paths and links by @​Tony133 in #​6569
• docs: clarify content-type parser/schema mismatch is outside threat model by @​mcollina in #​6537
• docs: fix incorrect code examples in Reply and Request reference by @​mahmoodhamdi in #​6582
• docs: replace redirected npm.im http-errors link by @​mcollina in #​6588
• types: Allow port to be null in request type definition by @​TristanBarlow in #​6589
• docs: update links by @​Tony133 in #​6593
• ci(lock-threads): use shared lock-threads workflow by @​Fdawgs in #​6592

New Contributors

• @​kyrylchenko made their first contribution in #​6566
• @​maxpetrusenko made their first contribution in #​6520
• @​Deepvamja made their first contribution in #​6530
• @​barba-rossa made their first contribution in #​6535
• @​mahmoodhamdi made their first contribution in #​6582
• @​TristanBarlow made their first contribution in #​6589

Full Changelog: fastify/fastify@v5.8.2...v5.8.3

---

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Tokyo, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

このPRによるapi.jsonの差分
差分はありません。
Get diff files from Workflow Page

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 63.52%. Comparing base (9377e94) to head (842d257).
⚠️ Report is 18 commits behind head on develop.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #17262      +/-   ##
===========================================
- Coverage    63.57%   63.52%   -0.05%     
===========================================
  Files         1161     1161              
  Lines       116244   116309      +65     
  Branches      8371     8355      -16     
===========================================
- Hits         73900    73885      -15     
- Misses       40159    40218      +59     
- Partials      2185     2206      +21     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

Backend memory usage comparison

Before GC

Metric	base (MB)	head (MB)	Diff (MB)	Diff (%)
VmRSS	321.84 MB	316.78 MB	-5.05 MB	-1.57%
VmHWM	321.84 MB	316.78 MB	-5.05 MB	-1.57%
VmSize	23115.80 MB	23109.82 MB	-5.98 MB	-0.02%
VmData	1386.33 MB	1380.15 MB	-6.17 MB	-0.44%

After GC

Metric	base (MB)	head (MB)	Diff (MB)	Diff (%)
VmRSS	321.84 MB	316.79 MB	-5.05 MB	-1.57%
VmHWM	321.84 MB	316.79 MB	-5.05 MB	-1.57%
VmSize	23115.80 MB	23109.82 MB	-5.98 MB	-0.02%
VmData	1386.33 MB	1380.15 MB	-6.17 MB	-0.44%

After Request

Metric	base (MB)	head (MB)	Diff (MB)	Diff (%)
VmRSS	322.11 MB	317.07 MB	-5.03 MB	-1.56%
VmHWM	322.15 MB	317.07 MB	-5.08 MB	-1.57%
VmSize	23115.80 MB	23109.82 MB	-5.98 MB	-0.02%
VmData	1386.33 MB	1380.07 MB	-6.25 MB	-0.45%

See workflow logs for details