fix: upgrade Fastify to v5 to resolve CVE-2026-25223 (#1346)

Author: jbroma

.changeset/upgrade-fastify-v5.md

@@ -0,0 +1,5 @@
+---
+"@callstack/repack-dev-server": patch
+---
+
+Upgrade Fastify to v5 to resolve CVE-2026-25223 (HIGH severity). Updated `fastify`, `@fastify/middie`, `@fastify/sensible`, `fastify-plugin`, and `fastify-favicon` to their v5-compatible versions.

packages/dev-server/package.json

@@ -29,11 +29,11 @@
   },
   "dependencies": {
     "@babel/code-frame": "^7.26.2",
-    "@fastify/middie": "^8.3.0",
-    "@fastify/sensible": "^5.5.0",
-    "fastify": "^4.24.3",
-    "fastify-favicon": "^4.3.0",
-    "fastify-plugin": "^4.5.1",
+    "@fastify/middie": "^9.0.0",
+    "@fastify/sensible": "^6.0.0",
+    "fastify": "^5.7.2",
+    "fastify-favicon": "^5.0.0",
+    "fastify-plugin": "^5.0.0",
     "http-proxy-middleware": "^3.0.3",
     "launch-editor": "^2.10.0",
     "open": "^10.1.0",

packages/dev-server/src/plugins/symbolicate/Symbolicator.ts

@@ -1,6 +1,6 @@
 import { URL } from 'node:url';
 import { codeFrameColumns } from '@babel/code-frame';
-import type { FastifyLoggerInstance } from 'fastify';
+import type { FastifyBaseLogger } from 'fastify';
 import { SourceMapConsumer } from 'source-map';
 import type {
   CodeFrame,
@@ -70,7 +70,7 @@ export class Symbolicator {
    * @returns Symbolicated stack frames.
    */
   async process(
-    logger: FastifyLoggerInstance,
+    logger: FastifyBaseLogger,
     stack: ReactNativeStackFrame[]
   ): Promise<SymbolicatorResults> {
     logger.debug({ msg: 'Filtering out unnecessary frames' });
@@ -195,7 +195,7 @@ export class Symbolicator {
   }
 
   private async getCodeFrame(
-    logger: FastifyLoggerInstance,
+    logger: FastifyBaseLogger,
     processedFrames: StackFrame[]
   ): Promise<CodeFrame | undefined> {
     for (const frame of processedFrames) {

packages/dev-server/src/plugins/wss/servers/WebSocketMessageServer.ts

@@ -182,11 +182,10 @@ export class WebSocketMessageServer extends WebSocketServer {
           })
         );
       } catch (error) {
-        this.fastify.log.error('Failed to reply', {
-          clientId,
-          error,
-          errorMessage,
-        });
+        this.fastify.log.error(
+          { clientId, error, errorMessage },
+          'Failed to reply'
+        );
       }
     }
   }