Bump fastify from 5.8.1 to 5.8.3 in the npm-security group across 1 directory by dependabot[bot] · Pull Request #2846 · shakacode/react_on_rails

dependabot · 2026-03-25T20:49:24Z

Bumps the npm-security group with 1 update in the / directory: fastify.

Updates fastify from 5.8.1 to 5.8.3

Release notes

v5.8.3

⚠️ Security Release

This fixes CVE CVE-2026-3635 GHSA-444r-cwp2-x5xf.

What's Changed

docs(readme): add @Tony133 to plugin team by @Tony133 in fastify/fastify#6565

Updated Plugins-Guide.md; Changed "fastify" to "instance" during plugin registration to showcase that it's added as a child by @kyrylchenko in fastify/fastify#6566

test: use fastify.test in test case by @climba03003 in fastify/fastify#6568

docs: use fastify.example in documentation by @climba03003 in fastify/fastify#6567

docs: add common performance degradation guidance by @maxpetrusenko in fastify/fastify#6520

docs(server): fix camelCase anchor links in TOC by @Deepvamja in fastify/fastify#6530

ci(link-checker): fix root-relative links resolution by @barba-rossa in fastify/fastify#6535

docs: update syntax markdown, absolute paths and links by @Tony133 in fastify/fastify#6569

docs: clarify content-type parser/schema mismatch is outside threat model by @mcollina in fastify/fastify#6537

docs: fix incorrect code examples in Reply and Request reference by @mahmoodhamdi in fastify/fastify#6582

docs: replace redirected npm.im http-errors link by @mcollina in fastify/fastify#6588

types: Allow port to be null in request type definition by @TristanBarlow in fastify/fastify#6589

docs: update links by @Tony133 in fastify/fastify#6593

ci(lock-threads): use shared lock-threads workflow by @Fdawgs in fastify/fastify#6592

New Contributors

@kyrylchenko made their first contribution in fastify/fastify#6566

@maxpetrusenko made their first contribution in fastify/fastify#6520

@Deepvamja made their first contribution in fastify/fastify#6530

@barba-rossa made their first contribution in fastify/fastify#6535

@mahmoodhamdi made their first contribution in fastify/fastify#6582

@TristanBarlow made their first contribution in fastify/fastify#6589

Full Changelog: fastify/fastify@v5.8.2...v5.8.3

v5.8.2

What's Changed

docs(ecosystem): add @yeliex/fastify-problem-details by @yeliex in fastify/fastify#6546

Revert "chore: upgrade borp to v1.0.0" by @climba03003 in fastify/fastify#6564

docs: document body validation with custom content type parsers by @mcollina in fastify/fastify#6556

docs(ecosystem): add fastify-file-router by @bhouston in fastify/fastify#6441

docs: add fastify-svelte-view to Ecosystem list by @matths in fastify/fastify#6453

fix: anchor keyValuePairsReg to prevent quadratic backtracking by @mcollina in fastify/fastify#6558

docs: added note on handling of invalid URLs in setNotFoundHandler by @leftieFriele in fastify/fastify#5661

docs(guides): update codemod links by @OluchiEzeifedikwa in fastify/fastify#6479

docs: add @glidemq/fastify to community plugins by @avifenesh in fastify/fastify#6560

New Contributors

@yeliex made their first contribution in fastify/fastify#6546

@matths made their first contribution in fastify/fastify#6453

@leftieFriele made their first contribution in fastify/fastify#5661

@OluchiEzeifedikwa made their first contribution in fastify/fastify#6479

@avifenesh made their first contribution in fastify/fastify#6560

... (truncated)

Commits

a3e77ce Bumped v5.8.3
4e1db5b fix: gate host and protocol getters on proxy trust function
a22217f ci(lock-threads): use shared lock-threads workflow (#6592)
1851f20 docs: update links (#6593)
9cc5187 types: Allow port to be null in request type definition (#6589)
722d83b docs: replace redirected npm.im http-errors link (#6588)
a1413de docs: fix incorrect code examples in Reply and Request reference (#6582)
d7f01b6 docs: clarify content-type parser/schema mismatch is outside threat model (#6...
a0649e9 docs: update syntax markdown, absolute paths and links (#6569)
d477915 ci(link-checker): fix root-relative links resolution (#6535)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the npm-security group with 1 update in the / directory: [fastify](https://github.com/fastify/fastify). Updates `fastify` from 5.8.1 to 5.8.3 - [Release notes](https://github.com/fastify/fastify/releases) - [Commits](fastify/fastify@v5.8.1...v5.8.3) --- updated-dependencies: - dependency-name: fastify dependency-version: 5.8.3 dependency-type: direct:production dependency-group: npm-security ... Signed-off-by: dependabot[bot] <[email protected]>

chatgpt-codex-connector · 2026-03-25T20:49:30Z

Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits.
Repo admins can enable using credits for code reviews in their settings.

github-actions · 2026-03-25T20:52:37Z

size-limit report 📦

Path	Size
react-on-rails/client bundled (gzip)	62.63 KB (0%)
react-on-rails/client bundled (gzip) (time)	62.63 KB (0%)
react-on-rails/client bundled (brotli)	53.7 KB (0%)
react-on-rails/client bundled (brotli) (time)	53.7 KB (0%)
react-on-rails-pro/client bundled (gzip)	63.65 KB (0%)
react-on-rails-pro/client bundled (gzip) (time)	63.65 KB (0%)
react-on-rails-pro/client bundled (brotli)	54.67 KB (0%)
react-on-rails-pro/client bundled (brotli) (time)	54.67 KB (0%)
registerServerComponent/client bundled (gzip)	127.46 KB (0%)
registerServerComponent/client bundled (gzip) (time)	127.46 KB (0%)
registerServerComponent/client bundled (brotli)	61.65 KB (0%)
registerServerComponent/client bundled (brotli) (time)	61.55 KB (-0.17% 🔽)
wrapServerComponentRenderer/client bundled (gzip)	122.02 KB (0%)
wrapServerComponentRenderer/client bundled (gzip) (time)	122.02 KB (0%)
wrapServerComponentRenderer/client bundled (brotli)	56.77 KB (0%)
wrapServerComponentRenderer/client bundled (brotli) (time)	56.77 KB (0%)

claude · 2026-03-27T07:53:27Z

PR Review: Bump fastify 5.8.1 → 5.8.3

Verdict: Approve and merge

Security Fix (Primary Reason)

This is a security release fixing CVE-2026-3635 (GHSA-444r-cwp2-x5xf). The fix gates host and protocol request getters on the proxy trust function — without this, an attacker who can control the X-Forwarded-Host header could spoof the host/protocol values used by application logic (e.g., URL generation, redirect targets, CORS checks). This affects deployments of the Node Renderer that sit behind a proxy.

Scope of Changes

File	Change
`packages/react-on-rails-pro-node-renderer/package.json`	Version specifier bumped to `^5.8.3`
`pnpm-lock.yaml`	Fastify pinned at 5.8.3; transitive bumps to `[email protected]`, `[email protected]`, `[email protected]`, `[email protected]`
docs (3 files)	Minor Markdown formatting only (blank lines before fenced code blocks, table alignment)

Assessment

The transitive dependency bumps (safe-regex2, terser, tapable, acorn) are all patch/minor updates pulled in by fastify's new dependency tree — no concerns.
No application logic changes; purely a dependency pin update.
Documentation changes are cosmetic and correct.

This should be merged promptly given the security nature of the fix.

claude · 2026-03-27T08:09:47Z

Security dependency update review: fastify 5.8.1 to 5.8.3. Changes look correct and safe to merge.

Security Fix: CVE-2026-3635 - fastify host and protocol request getters were not properly gated on the proxy trust function, potentially allowing request forgery via manipulated X-Forwarded-Host / X-Forwarded-Proto headers.

Changes in this PR:

packages/react-on-rails-pro-node-renderer/package.json - bumps fastify from ^5.8.1 to ^5.8.3
pnpm-lock.yaml - updated with fastify 5.8.3 and minor transitive bumps: safe-regex2 5.0.0 to 5.1.0, acorn 8.15.0 to 8.16.0, tapable 2.3.0 to 2.3.2, terser 5.46.0 to 5.46.1
Documentation - cosmetic Markdown formatting improvements and a broken link fix (shakacode.gitbooks.io to reactonrails.com/docs/)
.lychee.toml - adds a diva-portal.org PDF URL to link-checker exclusions to avoid intermittent CI timeouts

Assessment: All changes are appropriate for a security patch. No logic changes, no API surface changes, no new top-level dependencies. The fastify security fix is relevant to any deployment of the node renderer behind a reverse proxy.

Recommendation: approve and merge.

claude · 2026-03-27T08:16:31Z

Security Dependency Bump: fastify 5.8.1 to 5.8.3

This is a clean security-motivated dependency update.

Security Fix (Primary Reason for This PR)

CVE-2026-3635 (GHSA-444r-cwp2-x5xf): Fixed in v5.8.3 by gating the host and protocol request getters on the proxy trust function. Without this fix, a malicious client behind an untrusted proxy could forge X-Forwarded-Host / X-Forwarded-Proto headers and influence URL construction inside the application. This is worth patching promptly.

Transitive Dependency Changes

The lock file also picks up minor bumps:

safe-regex2 5.0.0 to 5.1.0 (fastify transitive dep, adds hasBin, otherwise cosmetic)
acorn 8.15.0 to 8.16.0, tapable 2.3.0 to 2.3.2, terser 5.46.0 to 5.46.1 (both old and new snapshots retained for different consumers, no regressions expected)

Unrelated Changes Bundled In

Several documentation/link fixes are also included:

.lychee.toml: Adds a CI link-checker exclusion for an intermittently timing-out PDF URL (reasonable housekeeping)
NEWS.md: Updates two stale Gitbook links to reactonrails.com/docs/
docs/: Formatting improvements (blank lines before code blocks, Markdown table alignment, minor JSX style fix)

These doc changes are harmless and correct, but worth noting since they were not generated by dependabot.

Verdict

LGTM - recommend merging. The CVE fix is important for any deployment using the Node renderer behind a reverse proxy. No regressions are expected from the transitive bumps.

…ew-fixes * origin/main: Remove dependency on internal TanStack Router router.ssr flag (#2833) Revert "Eliminate double JSON.stringify in RSC payload embedding (#2835)" (#2878) Eliminate double JSON.stringify in RSC payload embedding (#2835) docs: align Pro references with canonical docs routes (#2866) docs: make Pro route entry points explicit (#2867) Bump fastify from 5.8.1 to 5.8.3 in the npm-security group across 1 directory (#2846) docs: add RoR-specific competitive landscape and template refs (#2869) Clarify streaming narrative in RSC docs (#2813) (#2814)

dependabot Bot added dependencies Pull requests that update a dependency file full-ci javascript Pull requests that update Javascript code labels Mar 25, 2026

justin808 added 2 commits March 26, 2026 17:05

Fix PR 2846 CI failures

fa81c8f

Align claude workflow file with main

b803221

justin808 added 2 commits March 26, 2026 21:58

Exclude flaky diva-portal PDF from lychee checks

c01eafe

Replace legacy Gitbook URL in NEWS

a0ff875

justin808 merged commit 9407924 into main Mar 28, 2026
40 checks passed

justin808 deleted the dependabot/npm_and_yarn/npm-security-371a9f96ec branch March 28, 2026 09:52

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Bump fastify from 5.8.1 to 5.8.3 in the npm-security group across 1 directory#2846

Bump fastify from 5.8.1 to 5.8.3 in the npm-security group across 1 directory#2846
justin808 merged 5 commits intomainfrom
dependabot/npm_and_yarn/npm-security-371a9f96ec

dependabot Bot commented on behalf of github Mar 25, 2026

Uh oh!

chatgpt-codex-connector Bot commented Mar 25, 2026

Uh oh!

github-actions Bot commented Mar 25, 2026 •

edited

Loading

Uh oh!

claude Bot commented Mar 27, 2026

Uh oh!

claude Bot commented Mar 27, 2026

Uh oh!

claude Bot commented Mar 27, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Uh oh!

Conversation

dependabot Bot commented on behalf of github Mar 25, 2026

v5.8.3

⚠️ Security Release

What's Changed

New Contributors

v5.8.2

What's Changed

New Contributors

Uh oh!

chatgpt-codex-connector Bot commented Mar 25, 2026

Uh oh!

github-actions Bot commented Mar 25, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

size-limit report 📦

Uh oh!

claude Bot commented Mar 27, 2026

PR Review: Bump fastify 5.8.1 → 5.8.3

Security Fix (Primary Reason)

Scope of Changes

Assessment

Uh oh!

claude Bot commented Mar 27, 2026

Uh oh!

claude Bot commented Mar 27, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

github-actions Bot commented Mar 25, 2026 •

edited

Loading