Skip to content

chore(fastify): Update dependency fastify to v5.8.4 [SECURITY]#8254

Merged
jacekradko merged 3 commits intomainfrom
renovate/npm-fastify-vulnerability
Apr 8, 2026
Merged

chore(fastify): Update dependency fastify to v5.8.4 [SECURITY]#8254
jacekradko merged 3 commits intomainfrom
renovate/npm-fastify-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate bot commented Apr 7, 2026
edited by jacekradko
Loading

Summary

Updates the fastify devDependency in @clerk/fastify from 5.7.2 to 5.8.4, pulling in security fixes for two CVEs:

  • CVE-2026-3419 — Malformed Content-Type header validation bypass (fixed in 5.8.1)
  • CVE-2026-25224 — DoS via Web Streams response handling (fixed in 5.7.3)

Changes

  • packages/fastify/package.jsonfastify devDependency range bumped to ^5.8.4
  • integration/templates/fastify-vite/package.jsonfastify bumped to ^5.8.4 for the integration test template
  • pnpm-lock.yaml — refreshed so fastify resolves to 5.8.4
  • pnpm-workspace.yamlfastify@5.8.1 added to minimumReleaseAgeExclude to allow the security update through the release-age gate (from the original Renovate PR)

Scope

fastify is a devDependency (+ peerDependency: ">=5") of @clerk/fastify. Consumers bring their own fastify, so this change only affects Clerk's own dev and test environment — the published @clerk/fastify package is unchanged. No changeset needed.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Apr 7, 2026
@changeset-bot
Copy link
Copy Markdown

changeset-bot bot commented Apr 7, 2026
edited
Loading

⚠️ No Changeset found

Latest commit: 696edb5

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@vercel
Copy link
Copy Markdown

vercel bot commented Apr 7, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
clerk-js-sandbox Ready Ready Preview, Comment Apr 8, 2026 1:37am

Request Review

@pkg-pr-new
Copy link
Copy Markdown

pkg-pr-new bot commented Apr 7, 2026
edited
Loading

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@8254

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@8254

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8254

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8254

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8254

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@8254

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8254

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8254

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8254

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8254

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8254

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8254

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8254

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8254

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8254

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8254

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8254

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8254

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8254

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8254

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8254

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8254

commit: 696edb5

@renovate renovate bot force-pushed the renovate/npm-fastify-vulnerability branch from 1eb569e to aa6eef4 Compare April 7, 2026 14:48
@renovate renovate bot force-pushed the renovate/npm-fastify-vulnerability branch from aa6eef4 to eaf8805 Compare April 7, 2026 15:18
@renovate
Copy link
Copy Markdown
Contributor Author

renovate bot commented Apr 7, 2026

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

<--- Last few GCs --->

[918:0x1b872000]   337167 ms: Scavenge (reduce) (interleaved) 1476.0 (1509.7) -> 1476.0 (1510.2) MB, pooled: 0 MB, 4.73 / 0.00 ms  (average mu = 0.338, current mu = 0.349) allocation failure; 
[918:0x1b872000]   337214 ms: Mark-Compact (reduce) 1476.5 (1510.6) -> 1461.9 (1491.1) MB, pooled: 0 MB, 43.85 / 0.00 ms  (+ 1063.3 ms in 0 steps since start of marking, biggest step 0.0 ms, walltime since start of marking 1297 ms) (average mu = 0.344, cu

<--- JS stacktrace --->

FATAL ERROR: Ineffective mark-compacts near heap limit Allocation failed - JavaScript heap out of memory
----- Native stack trace -----

 1: 0xe42d60 node::OOMErrorHandler(char const*, v8::OOMDetails const&) [/opt/containerbase/tools/node/22.22.2/bin/node]
 2: 0x121ded0 v8::Utils::ReportOOMFailure(v8::internal::Isolate*, char const*, v8::OOMDetails const&) [/opt/containerbase/tools/node/22.22.2/bin/node]
 3: 0x121e1a7 v8::internal::V8::FatalProcessOutOfMemory(v8::internal::Isolate*, char const*, v8::OOMDetails const&) [/opt/containerbase/tools/node/22.22.2/bin/node]
 4: 0x144d015  [/opt/containerbase/tools/node/22.22.2/bin/node]
 5: 0x144d043  [/opt/containerbase/tools/node/22.22.2/bin/node]
 6: 0x146611a  [/opt/containerbase/tools/node/22.22.2/bin/node]
 7: 0x14692e8  [/opt/containerbase/tools/node/22.22.2/bin/node]
 8: 0x1cd07a1  [/opt/containerbase/tools/node/22.22.2/bin/node]
/usr/local/bin/node: line 18:   918 Aborted                 /opt/containerbase/tools/node/22.22.2/bin/node "$@"

@jacekradko jacekradko changed the title chore(fastify): Update dependency fastify to v5.8.1 [SECURITY] chore(fastify): Update dependency fastify to v5.8.4 [SECURITY] Apr 8, 2026
@jacekradko jacekradko merged commit c54e3df into main Apr 8, 2026
41 checks passed
@jacekradko jacekradko deleted the renovate/npm-fastify-vulnerability branch April 8, 2026 01:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jacekradko jacekradko jacekradko approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file fastify integration

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jacekradko