Bump the prod-deps group with 4 updates by dependabot[bot] · Pull Request #74 · nyxCore-Systems/DeviceRouter

dependabot · 2026-06-29T23:37:10Z

Bumps the prod-deps group with 4 updates: fastify, hono, koa and ioredis.

Updates fastify from 5.7.4 to 5.9.0

Release notes

v5.9.0

What's Changed

feat: add request.mediaType by @climba03003 in fastify/fastify#6653

docs: remove deprecated leveldb plugin and update ecosystem by @Tony133 in fastify/fastify#6661

chore(sponsor): add bestforandroid by @Eomm in fastify/fastify#6659

ci: drop Node.js 20 from yarn matrix in package-manager-ci.yml by @Tony133 in fastify/fastify#6662

fix: prevent duplicate res.end in sendTrailer with sync callbacks by @climba03003 in fastify/fastify#6676

fix: avoid duplicate closeIdleConnections call on native servers by @trivikr in fastify/fastify#6669

fix: error.code not present on some routing errors by @mcollina in fastify/fastify#6678

fix: correct isCustomSerializerCompiler flag check by @eddieran in fastify/fastify#6657

fix: validate invalid route logLevel at registration by @maxpetrusenko in fastify/fastify#6523

docs: update contribution rules by @Tony133 in fastify/fastify#6670

fix: use ContentType parser for response schema lookup by @UlisesGascon in fastify/fastify#6685

ci(ci): use shared quality workflow by @Fdawgs in fastify/fastify#6688

fix(types): allow request.getValidationFunction() to return undefined by @trivikr in fastify/fastify#6665

fix: do not trust forwarded host/proto when socket is missing by @mcollina in fastify/fastify#6684

perf: defer ContentType parsing in getSchemaSerializer until needed by @aquie00t in fastify/fastify#6692

perf: cache parsed ContentType objects in ContentTypeParser by @aquie00t in fastify/fastify#6694

perf: add typeof guard before toString.call in send and onSendEnd by @aquie00t in fastify/fastify#6693

chore: Bump pnpm/action-setup from 5.0.0 to 6.0.4 by @dependabot[bot] in fastify/fastify#6704

chore: Bump actions/github-script from 8 to 9 by @dependabot[bot] in fastify/fastify#6705

chore: Bump JustinBeckwith/linkinator-action from 2.4.0 to 2.4.2 by @dependabot[bot] in fastify/fastify#6706

docs: correct return503OnClosing comment in route.js by @mcollina in fastify/fastify#6712

fix: enable diagnostics tracking for async error handlers by @irzix in fastify/fastify#6458

fix: ignore duplicate trailer completions by @mcollina in fastify/fastify#6714

feat: add support of onMaxParamLength by @climba03003 in fastify/fastify#6716

chore: introduce TSTyche for type testing by @mrazauskas in fastify/fastify#6532

docs(reference): grammar and readability fixes by @Fdawgs in fastify/fastify#6710

chore: update depedabot setting by @climba03003 in fastify/fastify#6715

fix: include hint and docs URL in FSTWRN004 warning message by @aquie00t in fastify/fastify#6723

ci(ci): do not pass secrets to reusable workflow by @Fdawgs in fastify/fastify#6744

docs: add fastify-intlayer to ecosystem documentation by @aymericzip in fastify/fastify#6594

chore: Bump concurrently from 9.2.1 to 10.0.0 by @dependabot[bot] in fastify/fastify#6752

docs(Errors): fix incorrect usage of root fastify inside plugin scope by @Rpaudel379 in fastify/fastify#6731

ci: add node 26 to test matrices by @Fdawgs in fastify/fastify#6728

docs(Warnings): remove retired FSTWRN002 warning code by @leestana01 in fastify/fastify#6754

fix: chunk large HTTP/2 buffer replies by @mcollina in fastify/fastify#6746

chore: migrate type tests to TSTyche assertions (part one) by @mrazauskas in fastify/fastify#6726

chore: migrate type tests to TSTyche assertions (part two) by @mrazauskas in fastify/fastify#6727

docs: fix doubled braces in serializerCompiler signature by @DucMinhNe in fastify/fastify#6747

docs: remove HackerOne reporting link by @jhcpeixoto in fastify/fastify#6735

refactor(decorate): replace find with some in hasKey for correct boolean semantics by @aquie00t in fastify/fastify#6759

fix: replace AssertionError with FST_ERR_PLUGIN_DEPENDENCY_NOT_REGISTERED in checkDependencies by @aquie00t in fastify/fastify#6774

docs(ecosystem): add @inferdi/fastify by @maxrendel in fastify/fastify#6742

docs(typo): Write-Plugin.md by @zakirimadullahprogrammer-tech in fastify/fastify#6776

docs: fix duplicate anchor IDs causing broken TOC links by @AliMahmoudDev in fastify/fastify#6770

docs: add fastify-ata as a JSON Schema validator option by @mertcanaltin in fastify/fastify#6733

chore: rename type test files by @mrazauskas in fastify/fastify#6762

docs: update ajv-errors guidance by @Herrtian in fastify/fastify#6741

chore(warnings): correct duplicate 'not' typos in inline comments by @mixelburg in fastify/fastify#6713

... (truncated)

Commits

2e45a44 Bumped v5.9.0
630715d docs(types): mark request metadata accessors as untrusted input (#6572)
ff993e8 docs: update Serverless guide Dockerfile to a supported Node.js version (#6789)
458f104 docs: fix incorrect code examples in Hooks and Server reference (#6622)
ea454d0 docs: add warning about empty string coercion with nullable types (#6452)
121895b docs: migrate Zod type provider to official @fastify package (#6686)
cc8d9a3 fix: make hasRequestDecorator/hasReplyDecorator recognize constructor-assigne...
6e6be15 chore: Bump actions/checkout from 6 to 7 (#6812)
88bf134 chore: add new sponsor (#6813)
fabd964 chore: replace http with https in urls (#6809)
Additional commits viewable in compare view

Updates hono from 4.12.3 to 4.12.27

Release notes

Sourced from hono's releases.

v4.12.27

Security fixes

This release includes fixes for the following security issues:

hono/jsx does not isolate context per request

Affects: hono/jsx, hono/jsx-renderer. During SSR, context was stored process-wide instead of per request, so useContext()/useRequestContext() read after an await in an async component could return another concurrent request's value — leading to cross-request data disclosure or authorization checks against the wrong request. GHSA-hvrm-45r6-mjfj

Server-Side XSS via JSX escaping bypass in cx()

Affects: hono/css. cx() marked its composed class name as already-escaped without escaping the input, so untrusted input passed as a class name could break out of the JSX class attribute during SSR and inject markup (XSS). GHSA-w62v-xxxg-mg59

API Gateway v1 adapter can drop a repeated request header value

Affects: hono/aws-lambda. The API Gateway v1 (and VPC Lattice) adapter de-duplicated repeated header values by substring instead of exact match, dropping a value that is a substring of another (e.g. 203.0.113.1 dropped when 203.0.113.10 is present) — affecting logic such as X-Forwarded-For-based IP restriction. GHSA-xgm2-5f3f-mvvc

Users of hono/jsx/hono/jsx-renderer, hono/css (cx()), or the hono/aws-lambda API Gateway v1 / VPC Lattice adapters are encouraged to upgrade.

v4.12.26

What's Changed

fix(lambda-edge): satisfy Deno lib types for Content-Length body encoding by @yusukebe in honojs/hono#5013

ci: publish to npm from CI with OIDC trusted publishing by @yusukebe in honojs/hono#5028

chore: remove unused devcontainer and gitpod configs by @yusukebe in honojs/hono#5029

chore: replace arg and glob with Bun native APIs in build script by @yusukebe in honojs/hono#5030

Full Changelog: honojs/hono@v4.12.25...v4.12.26

v4.12.25

Security fixes

This release includes fixes for the following security issues:

CORS Middleware reflects any Origin with credentials when origin defaults to the wildcard

Affects: hono/cors. Fixes the wildcard origin reflecting the request Origin and sending Access-Control-Allow-Credentials: true when credentials: true is set without an explicit origin, where any site a logged-in user visited could make credentialed cross-origin requests and read responses from cookie-authenticated endpoints. GHSA-88fw-hqm2-52qc

Body Limit Middleware can be bypassed on AWS Lambda by understating Content-Length

Affects: hono/body-limit on AWS Lambda (hono/aws-lambda, hono/lambda-edge). Fixes the request being built with the client-declared Content-Length while the body is delivered fully buffered, where a client could declare a small Content-Length with a much larger body and slip past the configured size limit. GHSA-rv63-4mwf-qqc2

Path traversal in serve-static on Windows via encoded backslash (%5C)

Affects: serveStatic on Windows (Node, Bun, Deno adapters). Fixes the path guard allowing a lone backslash, where an encoded backslash (%5C) decoded to \ was treated as a separator by the Windows path resolver, letting a single URL segment escape into a middleware-guarded subtree. GHSA-wwfh-h76j-fc44

AWS Lambda adapter merges multiple Set-Cookie headers into one value, dropping cookies on ALB single-header and Lattice

... (truncated)

Commits

97c6fe1 4.12.27
aa92177 Merge commit from fork
cd3f6f7 Merge commit from fork
d4853a8 fix(jsx): make merged context-isolation tests pass tsc type check (#5037)
6735fea fix(jsx): cast awaitedFallback through unknown to fix Deno type check (#5036)
fab3b13 Merge commit from fork
9f0dadf ci: use npm Staged publishing (#5035)
27b7992 4.12.26
d29982c chore: replace arg and glob with Bun native APIs in build script
16215d5 chore: remove unused devcontainer and gitpod configs (#5029)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for hono since your current version.

Updates koa from 3.1.2 to 3.2.1

Release notes

Sourced from koa's releases.

v3.2.1

What's Changed

fix: request.length overflows on Content-Length > 2GB by @tejgokani in koajs/koa#1961

New Contributors

@tejgokani made their first contribution in koajs/koa#1961

Full Changelog: koajs/koa@v3.2.0...v3.2.1

v3.2.0

What's Changed

docs: remove dead Job Board links by @Jerry-CodeHub in koajs/koa#1926

build(deps-dev): bump qs from 6.14.1 to 6.14.2 by @dependabot[bot] in koajs/koa#1927

chore: Add workflow_dispatch trigger to npm-publish workflow by @Copilot in koajs/koa#1930

feat: defer AsyncLocalStorage creation for v8 startup snapshots by @killagu in koajs/koa#1946

New Contributors

@Jerry-CodeHub made their first contribution in koajs/koa#1926

@killagu made their first contribution in koajs/koa#1946

Full Changelog: koajs/koa@v3.1.2...v3.2.0

Commits

6984592 3.2.1
3f3ac48 fix: request.length overflows on Content-Length > 2GB (#1961)
e0ba8ef 3.2.0
2503a1f feat: defer AsyncLocalStorage creation for v8 startup snapshots (#1946)
d3ea8bf chore: Add workflow_dispatch trigger to npm-publish workflow (#1930)
3b0508e build(deps-dev): bump qs from 6.14.1 to 6.14.2 (#1927)
fd11140 docs: remove dead Job Board links (#1926)
See full diff in compare view

Updates ioredis from 5.10.0 to 5.11.1

Release notes

Sourced from ioredis's releases.

v5.11.1

5.11.1 (2026-06-04)

Bug Fixes

cluster: reconnect to nodes that restart without slot changes (#2096) (c84b2ee)

parse protocol-relative Redis URLs as TCP connections (#2125) (131ee24)

v5.11.0

5.11.0 (2026-05-26)

Bug Fixes

prevent RangeError from string accumulation in pipeline (#2088) (defc077)

replace deprecated url.parse() with WHATWG URL API (#2081) (0021a45), closes redis/ioredis#1747

Features

add array commands, typings and tests (#2114) (baf68d6)

add increx command (#2115) (37d0695)

add Redis MSETEX support (#2111) (04a4615)

add typed GCRA command support and functional tests (#2094) (468a802)

add vector set command support (#2116) (b7b3def)

Add xnack command (#2103) (187d29b)

Add zinter zunion count (#2104) (0d510bb)

Implement TracingChannel support (#2089) (4760e0a)

v5.10.1

5.10.1 (2026-03-19)

Bug Fixes

cluster: lazily start sharded subscribers (#2090) (4f167bb)

Changelog

Sourced from ioredis's changelog.

5.11.1 (2026-06-04)

Bug Fixes

cluster: reconnect to nodes that restart without slot changes (#2096) (c84b2ee)

parse protocol-relative Redis URLs as TCP connections (#2125) (131ee24)

5.11.0 (2026-05-26)

Bug Fixes

prevent RangeError from string accumulation in pipeline (#2088) (defc077)

replace deprecated url.parse() with WHATWG URL API (#2081) (0021a45), closes redis/ioredis#1747

Features

add array commands, typings and tests (#2114) (baf68d6)

add increx command (#2115) (37d0695)

add Redis MSETEX support (#2111) (04a4615)

add typed GCRA command support and functional tests (#2094) (468a802)

add vector set command support (#2116) (b7b3def)

Add xnack command (#2103) (187d29b)

Add zinter zunion count (#2104) (0d510bb)

Implement TracingChannel support (#2089) (4760e0a)

5.10.1 (2026-03-19)

Bug Fixes

cluster: lazily start sharded subscribers (#2090) (4f167bb)

Commits

fb224a7 chore(release): 5.11.1 [skip ci]
131ee24 fix: parse protocol-relative Redis URLs as TCP connections (#2125)
c84b2ee fix(cluster): reconnect to nodes that restart without slot changes (#2096)
1490432 chore(release): 5.11.0 [skip ci]
5359d4d refactor(utils): inline defaults and isArguments helpers (#2107)
b7b3def feat: add vector set command support (#2116)
faa53fd ci: update Node.js and Redis test matrix (#2119)
37d0695 feat: add increx command (#2115)
612ee9d chore: update Redis 8.8 test image to custom (#2118)
baf68d6 feat: add array commands, typings and tests (#2114)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the prod-deps group with 4 updates: [fastify](https://github.com/fastify/fastify), [hono](https://github.com/honojs/hono), [koa](https://github.com/koajs/koa) and [ioredis](https://github.com/luin/ioredis). Updates `fastify` from 5.7.4 to 5.9.0 - [Release notes](https://github.com/fastify/fastify/releases) - [Commits](fastify/fastify@v5.7.4...v5.9.0) Updates `hono` from 4.12.3 to 4.12.27 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.12.3...v4.12.27) Updates `koa` from 3.1.2 to 3.2.1 - [Release notes](https://github.com/koajs/koa/releases) - [Changelog](https://github.com/koajs/koa/blob/master/History.md) - [Commits](koajs/koa@v3.1.2...v3.2.1) Updates `ioredis` from 5.10.0 to 5.11.1 - [Release notes](https://github.com/luin/ioredis/releases) - [Changelog](https://github.com/redis/ioredis/blob/main/CHANGELOG.md) - [Commits](redis/ioredis@v5.10.0...v5.11.1) --- updated-dependencies: - dependency-name: fastify dependency-version: 5.9.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-deps - dependency-name: hono dependency-version: 4.12.27 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: prod-deps - dependency-name: koa dependency-version: 3.2.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-deps - dependency-name: ioredis dependency-version: 5.11.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-deps ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 29, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Bump the prod-deps group with 4 updates#74

Bump the prod-deps group with 4 updates#74
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/npm_and_yarn/develop/prod-deps-1accd2dfdd

dependabot Bot commented on behalf of github Jun 29, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Uh oh!

Conversation

dependabot Bot commented on behalf of github Jun 29, 2026

v5.9.0

What's Changed

v4.12.27

Security fixes

hono/jsx does not isolate context per request

Server-Side XSS via JSX escaping bypass in cx()

API Gateway v1 adapter can drop a repeated request header value

v4.12.26

What's Changed

v4.12.25

Security fixes

CORS Middleware reflects any Origin with credentials when origin defaults to the wildcard

Body Limit Middleware can be bypassed on AWS Lambda by understating Content-Length

Path traversal in serve-static on Windows via encoded backslash (%5C)

AWS Lambda adapter merges multiple Set-Cookie headers into one value, dropping cookies on ALB single-header and Lattice

v3.2.1

What's Changed

New Contributors

v3.2.0

What's Changed

New Contributors

v5.11.1

5.11.1 (2026-06-04)

Bug Fixes

v5.11.0

5.11.0 (2026-05-26)

Bug Fixes

Features

v5.10.1

5.10.1 (2026-03-19)

Bug Fixes

5.11.1 (2026-06-04)

Bug Fixes

5.11.0 (2026-05-26)

Bug Fixes

Features

5.10.1 (2026-03-19)

Bug Fixes

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

CORS Middleware reflects any Origin with credentials when `origin` defaults to the wildcard

Body Limit Middleware can be bypassed on AWS Lambda by understating `Content-Length`

Path traversal in `serve-static` on Windows via encoded backslash (`%5C`)

AWS Lambda adapter merges multiple `Set-Cookie` headers into one value, dropping cookies on ALB single-header and Lattice