chore(fastify): Update dependency fastify to v5.8.1 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
fastify (source)	5.7.2 → 5.8.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2026-25224

Impact

A Denial of Service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation.

Patches

The issue is fixed in Fastify 5.7.3. Users should upgrade to 5.7.3 or later.

Workarounds

Avoid sending Web Streams from Fastify responses (e.g., ReadableStream or Response bodies). Use Node.js streams (stream.Readable) or buffered payloads instead until the project can upgrade.

References

• https://hackerone.com/reports/3524779

CVE-2026-3419

Description

Fastify incorrectly accepts malformed Content-Type headers containing trailing characters after the subtype token, in violation of RFC 9110 §8.3.1. For example, a request sent with Content-Type: application/json garbage passes validation and is processed normally, rather than being rejected with 415 Unsupported Media Type.

When regex-based content-type parsers are in use (a documented Fastify feature), the malformed value is matched against registered parsers using the full string including the trailing garbage. This means a request with an invalid content-type may be routed to and processed by a parser it should never have reached.

Impact

An attacker can send requests with RFC-invalid Content-Type headers that bypass validity checks, reach content-type parser matching, and be processed by the server. Requests that should be rejected at the validation stage are instead handled as if the content-type were valid.

Workarounds

Deploy a WAF rule to protect against this

Fix

The fix is available starting with v5.8.1.

---

Release Notes

fastify/fastify (fastify)

v5.8.1

Compare Source

⚠️ Security Release

Fixes "Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation": GHSA-573f-x89g-hqp9.

CVE-2026-3419

Full Changelog: fastify/fastify@v5.8.0...v5.8.1

v5.8.0

Compare Source

What's Changed

• docs(request): add host security warning references by @​mcollina in #​6476
• docs: fix note style by @​Fdawgs in #​6487
• chore: rename deploy website ci by @​Eomm in #​6492
• chore: support pino v9 and v10 by @​mcollina in #​6496
• chore: update logger types and fix TODO comment by @​Tony133 in #​6470
• refactor(test-types): migrate dummy-plugin to FastifyPluginAsync by @​Tony133 in #​6472
• docs: fix markdown typo in README.md by @​droppingbeans in #​6491
• test: cover non-numeric content-length client error path by @​mcollina in #​6500
• ci: remove tests-checker workflow by @​Tony133 in #​6481
• ci: remove stale.yml file by @​Tony133 in #​6504
• docs(security): remove hackerone references; change note style by @​Fdawgs in #​6501
• chore: rename @​sinclair/typebox to typebox by @​Tony133 in #​6494
• ci(links-check): add external link checker using linkinator-action by @​umxr in #​6386
• chore: upgrade borp to v1.0.0 by @​Tony133 in #​6510
• docs: Add OpenJS CNA reference to SECURITY.md by @​mcollina in #​6516
• fix: avoid mutating shared routerOptions across instances by @​mcollina in #​6515
• fix(types): accept async route hooks in shorthand options by @​mcollina in #​6514
• docs: Improve shutdown lifecycle documentation by @​kibertoad in #​6517
• chore: remove unused tsconfig.eslint.json by @​mrazauskas in #​6524
• feat: First-class support for handler-level timeouts by @​kibertoad in #​6521
• docs(security): clarify insecureHTTPParser threat model scope by @​mcollina in #​6533
• chore(license): standardise license notice by @​Fdawgs in #​6511
• docs: clarify anyOf nullable coercion behavior with primitive types by @​slegarraga in #​6531
• fix: remove format placeholder from FST_ERR_CTP_INVALID_MEDIA_TYPE message by @​super-mcgin in #​6528
• docs(reference/hooks): fix note style by @​Fdawgs in #​6538
• chore: Bump lycheeverse/lychee-action from 2.7.0 to 2.8.0 by @​dependabot[bot] in #​6539
• chore: Bump actions/dependency-review-action from 4.8.2 to 4.8.3 by @​dependabot[bot] in #​6540
• chore: Bump markdownlint-cli2 from 0.20.0 to 0.21.0 by @​dependabot[bot] in #​6542
• ci: remove broken links and add ecosystem link validator by @​mcollina in #​6421
• ci(validate-ecoystem-links): add job level permission by @​Fdawgs in #​6545
• style: remove trailing whitespace by @​Fdawgs in #​6543

New Contributors

• @​droppingbeans made their first contribution in #​6491
• @​umxr made their first contribution in #​6386
• @​slegarraga made their first contribution in #​6531
• @​super-mcgin made their first contribution in #​6528

Full Changelog: fastify/fastify@v5.7.4...v5.8.0

v5.7.4

Compare Source

Full Changelog: fastify/fastify@v5.7.3...v5.7.4

v5.7.3

Compare Source

⚠️ Security Release

• Fix GHSA-mrq3-vjjr-p77c CVE-2026-25224.

What's Changed

• docs: update Reply.send() documentation for string serialization by @​mcollina in #​6466
• chore: ignore agents config files by @​mcollina in #​6474
• docs: update vulnerability reporting to use GitHub Security by @​mcollina in #​6475

Full Changelog: fastify/fastify@v5.7.2...v5.7.3

---

Configuration

📅 Schedule: Branch creation - "" in timezone GMT, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: eaf8805

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
clerk-js-sandbox	Ready	Preview, Comment	Apr 7, 2026 3:19pm

[pkg-pr-new]

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@8254

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@8254

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8254

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8254

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8254

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@8254

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8254

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8254

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8254

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8254

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8254

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8254

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8254

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8254

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8254

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8254

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8254

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8254

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8254

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8254

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8254

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8254

commit: eaf8805

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

<--- Last few GCs --->

[918:0x1b872000]   337167 ms: Scavenge (reduce) (interleaved) 1476.0 (1509.7) -> 1476.0 (1510.2) MB, pooled: 0 MB, 4.73 / 0.00 ms  (average mu = 0.338, current mu = 0.349) allocation failure; 
[918:0x1b872000]   337214 ms: Mark-Compact (reduce) 1476.5 (1510.6) -> 1461.9 (1491.1) MB, pooled: 0 MB, 43.85 / 0.00 ms  (+ 1063.3 ms in 0 steps since start of marking, biggest step 0.0 ms, walltime since start of marking 1297 ms) (average mu = 0.344, cu

<--- JS stacktrace --->

FATAL ERROR: Ineffective mark-compacts near heap limit Allocation failed - JavaScript heap out of memory
----- Native stack trace -----

 1: 0xe42d60 node::OOMErrorHandler(char const*, v8::OOMDetails const&) [/opt/containerbase/tools/node/22.22.2/bin/node]
 2: 0x121ded0 v8::Utils::ReportOOMFailure(v8::internal::Isolate*, char const*, v8::OOMDetails const&) [/opt/containerbase/tools/node/22.22.2/bin/node]
 3: 0x121e1a7 v8::internal::V8::FatalProcessOutOfMemory(v8::internal::Isolate*, char const*, v8::OOMDetails const&) [/opt/containerbase/tools/node/22.22.2/bin/node]
 4: 0x144d015  [/opt/containerbase/tools/node/22.22.2/bin/node]
 5: 0x144d043  [/opt/containerbase/tools/node/22.22.2/bin/node]
 6: 0x146611a  [/opt/containerbase/tools/node/22.22.2/bin/node]
 7: 0x14692e8  [/opt/containerbase/tools/node/22.22.2/bin/node]
 8: 0x1cd07a1  [/opt/containerbase/tools/node/22.22.2/bin/node]
/usr/local/bin/node: line 18:   918 Aborted                 /opt/containerbase/tools/node/22.22.2/bin/node "$@"