Open
Conversation
KANE-99
reviewed
Feb 20, 2026
Comment on lines
+25
to
+33
| "@fastify/cors": "^11.0.0", | ||
| "@fastify/rate-limit": "^10.0.0", | ||
| "@fastify/swagger": "^9.0.0", | ||
| "@fastify/swagger-ui": "^5.0.0", | ||
| "adm-zip": "^0.5.10", | ||
| "axios": "^1.9.0", | ||
| "dotenv": "^16.5.0", | ||
| "fastify": "^4.21.0", | ||
| "fastify-plugin": "^4.5.1", | ||
| "fastify": "^5.7.4", | ||
| "fastify-plugin": "^5.0.0", |
There was a problem hiding this comment.
Since we are upgrading some major versions here, it is advised to check if there are some migration changes related to how the options are passed or any change in their default nature
Contributor
Author
There was a problem hiding this comment.
Mainly, the version update was in fastify but because there are other packages that depend on that, I've updated the other packages too. I've also verified if any other code is required after these major bumps in packages
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
fastifyfrom^4.21.0to^5.7.4to address known vulnerabilities in the v4 release line@fastify/*plugins andfastify-pluginto their Fastify v5-compatible major versions, as the v4-era plugins declarefastify: '4.x'in their metadata and are rejected at startup by Fastify v5 (FST_ERR_PLUGIN_VERSION_MISMATCH)fastify^4.21.0^5.7.4@fastify/cors^8.3.0^11.0.0@fastify/rate-limit^9.1.0^10.0.0@fastify/swagger^8.8.0^9.0.0@fastify/swagger-ui^3.0.0^5.0.0fastify-plugin^4.5.1^5.0.0No source code changes were required -- all existing API patterns (
.listen()signature, JSON schemas, logger config, reply handling) were already compatible with Fastify v5.Note:
@fastify/corsv11 changed default allowed methods toGET,HEAD,POST(previously all methods). This has no impact on our current routes (all GET/POST), but any future PUT/PATCH/DELETE routes will require explicitmethodsconfiguration in the CORS options.Test Plan
/health,/health/views,/sync-github-repo,/get-preview-data)/documentationnpm auditreports 0 vulnerabilitiesUpdated Vulnerabilities Fixes 24-02-2026
What was vulnerable
The minimatch vulnerability cascaded through 31 transitive paths across eslint, jest, glob, rimraf, test-exclude, and their related packages --- all devDependencies.
Fix applied
Added an overrides block to package.json:
ajv --- Scoped only to eslint's dependency subtree. eslint and @eslint/eslintrc both required ^6.12.4 and resolved to the vulnerable 6.12.6; the override pins them to the patched 6.14.0. Fastify's production dependencies (@fastify/ajv-compiler, fast-json-stringify, ajv-formats) continue to use their required ajv@8.18.0 --- untouched.
minimatch --- Applied globally. All affected packages (glob@7.2.3 copies used by jest/eslint, @eslint/eslintrc, @humanwhocodes/config-array, test-exclude, etc.) resolve to the patched 10.2.2. Verified API compatibility: the five APIs glob@7.x uses (minimatch(), .Minimatch, .GLOBSTAR, .set, .negate) are all present and compatible in 10.x.