This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [fastify](https://fastify.dev/) ([source](https://redirect.github.com/fastify/fastify)) | [`5.8.1` → `5.8.3`](https://renovatebot.com/diffs/npm/fastify/5.8.1/5.8.3) | ![age](https://developer.mend.io/api/mc/badges/age/npm/fastify/5.8.3?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/fastify/5.8.1/5.8.3?slim=true) | ### GitHub Vulnerability Alerts #### [CVE-2026-3635](https://redirect.github.com/fastify/fastify/security/advisories/GHSA-444r-cwp2-x5xf) ## Summary When `trustProxy` is configured with a restrictive trust function (e.g., a specific IP like `trustProxy: '10.0.0.1'`, a subnet, a hop count, or a custom function), the `request.protocol` and `request.host` getters read `X-Forwarded-Proto` and `X-Forwarded-Host` headers from any connection — including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application. ## Affected Versions fastify <= 5.8.2 ## Impact Applications using `request.protocol` or `request.host` for security decisions (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, host-based routing) are affected when `trustProxy` is configured with a restrictive trust function. When `trustProxy: true` (trust everything), both `host` and `protocol` trust all forwarded headers — this is expected behavior. The vulnerability only manifests with restrictive trust configurations. --- ### Release Notes <details> <summary>fastify/fastify (fastify)</summary> ### [`v5.8.3`](https://redirect.github.com/fastify/fastify/releases/tag/v5.8.3) [Compare Source](https://redirect.github.com/fastify/fastify/compare/v5.8.2...v5.8.3) #### ⚠️ Security Release This fixes CVE CVE-2026-3635 <GHSA-444r-cwp2-x5xf>. #### What's Changed - docs(readme): add [@Tony133](https://redirect.github.com/Tony133) to plugin team by [@Tony133](https://redirect.github.com/Tony133) in [#6565](https://redirect.github.com/fastify/fastify/pull/6565) - Updated Plugins-Guide.md; Changed "fastify" to "instance" during plugin registration to showcase that it's added as a child by [@kyrylchenko](https://redirect.github.com/kyrylchenko) in [#6566](https://redirect.github.com/fastify/fastify/pull/6566) - test: use fastify.test in test case by [@climba03003](https://redirect.github.com/climba03003) in [#6568](https://redirect.github.com/fastify/fastify/pull/6568) - docs: use fastify.example in documentation by [@climba03003](https://redirect.github.com/climba03003) in [#6567](https://redirect.github.com/fastify/fastify/pull/6567) - docs: add common performance degradation guidance by [@maxpetrusenko](https://redirect.github.com/maxpetrusenko) in [#6520](https://redirect.github.com/fastify/fastify/pull/6520) - docs(server): fix camelCase anchor links in TOC by [@Deepvamja](https://redirect.github.com/Deepvamja) in [#6530](https://redirect.github.com/fastify/fastify/pull/6530) - ci(link-checker): fix root-relative links resolution by [@barba-rossa](https://redirect.github.com/barba-rossa) in [#6535](https://redirect.github.com/fastify/fastify/pull/6535) - docs: update syntax markdown, absolute paths and links by [@Tony133](https://redirect.github.com/Tony133) in [#6569](https://redirect.github.com/fastify/fastify/pull/6569) - docs: clarify content-type parser/schema mismatch is outside threat model by [@mcollina](https://redirect.github.com/mcollina) in [#6537](https://redirect.github.com/fastify/fastify/pull/6537) - docs: fix incorrect code examples in Reply and Request reference by [@mahmoodhamdi](https://redirect.github.com/mahmoodhamdi) in [#6582](https://redirect.github.com/fastify/fastify/pull/6582) - docs: replace redirected npm.im http-errors link by [@mcollina](https://redirect.github.com/mcollina) in [#6588](https://redirect.github.com/fastify/fastify/pull/6588) - types: Allow port to be null in request type definition by [@TristanBarlow](https://redirect.github.com/TristanBarlow) in [#6589](https://redirect.github.com/fastify/fastify/pull/6589) - docs: update links by [@Tony133](https://redirect.github.com/Tony133) in [#6593](https://redirect.github.com/fastify/fastify/pull/6593) - ci(lock-threads): use shared lock-threads workflow by [@Fdawgs](https://redirect.github.com/Fdawgs) in [#6592](https://redirect.github.com/fastify/fastify/pull/6592) #### New Contributors - [@kyrylchenko](https://redirect.github.com/kyrylchenko) made their first contribution in [#6566](https://redirect.github.com/fastify/fastify/pull/6566) - [@maxpetrusenko](https://redirect.github.com/maxpetrusenko) made their first contribution in [#6520](https://redirect.github.com/fastify/fastify/pull/6520) - [@Deepvamja](https://redirect.github.com/Deepvamja) made their first contribution in [#6530](https://redirect.github.com/fastify/fastify/pull/6530) - [@barba-rossa](https://redirect.github.com/barba-rossa) made their first contribution in [#6535](https://redirect.github.com/fastify/fastify/pull/6535) - [@mahmoodhamdi](https://redirect.github.com/mahmoodhamdi) made their first contribution in [#6582](https://redirect.github.com/fastify/fastify/pull/6582) - [@TristanBarlow](https://redirect.github.com/TristanBarlow) made their first contribution in [#6589](https://redirect.github.com/fastify/fastify/pull/6589) **Full Changelog**: <fastify/fastify@v5.8.2...v5.8.3> ### [`v5.8.2`](https://redirect.github.com/fastify/fastify/releases/tag/v5.8.2) [Compare Source](https://redirect.github.com/fastify/fastify/compare/v5.8.1...v5.8.2) #### What's Changed - docs(ecosystem): add [@yeliex/fastify-problem-details](https://redirect.github.com/yeliex/fastify-problem-details) by [@yeliex](https://redirect.github.com/yeliex) in [#6546](https://redirect.github.com/fastify/fastify/pull/6546) - Revert "chore: upgrade borp to v1.0.0" by [@climba03003](https://redirect.github.com/climba03003) in [#6564](https://redirect.github.com/fastify/fastify/pull/6564) - docs: document body validation with custom content type parsers by [@mcollina](https://redirect.github.com/mcollina) in [#6556](https://redirect.github.com/fastify/fastify/pull/6556) - docs(ecosystem): add fastify-file-router by [@bhouston](https://redirect.github.com/bhouston) in [#6441](https://redirect.github.com/fastify/fastify/pull/6441) - docs: add fastify-svelte-view to Ecosystem list by [@matths](https://redirect.github.com/matths) in [#6453](https://redirect.github.com/fastify/fastify/pull/6453) - fix: anchor keyValuePairsReg to prevent quadratic backtracking by [@mcollina](https://redirect.github.com/mcollina) in [#6558](https://redirect.github.com/fastify/fastify/pull/6558) - docs: added note on handling of invalid URLs in setNotFoundHandler by [@leftieFriele](https://redirect.github.com/leftieFriele) in [#5661](https://redirect.github.com/fastify/fastify/pull/5661) - docs(guides): update codemod links by [@OluchiEzeifedikwa](https://redirect.github.com/OluchiEzeifedikwa) in [#6479](https://redirect.github.com/fastify/fastify/pull/6479) - docs: add [@glidemq/fastify](https://redirect.github.com/glidemq/fastify) to community plugins by [@avifenesh](https://redirect.github.com/avifenesh) in [#6560](https://redirect.github.com/fastify/fastify/pull/6560) #### New Contributors - [@yeliex](https://redirect.github.com/yeliex) made their first contribution in [#6546](https://redirect.github.com/fastify/fastify/pull/6546) - [@matths](https://redirect.github.com/matths) made their first contribution in [#6453](https://redirect.github.com/fastify/fastify/pull/6453) - [@leftieFriele](https://redirect.github.com/leftieFriele) made their first contribution in [#5661](https://redirect.github.com/fastify/fastify/pull/5661) - [@OluchiEzeifedikwa](https://redirect.github.com/OluchiEzeifedikwa) made their first contribution in [#6479](https://redirect.github.com/fastify/fastify/pull/6479) - [@avifenesh](https://redirect.github.com/avifenesh) made their first contribution in [#6560](https://redirect.github.com/fastify/fastify/pull/6560) **Full Changelog**: <fastify/fastify@v5.8.1...v5.8.2> </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/wolfstar-project/ring).  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>