[Snyk] Upgrade fastify from 4.21.0 to 5.4.0

[lholmquist]

Snyk has created this PR to upgrade fastify from 4.21.0 to 5.4.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

• The recommended version is 35 versions ahead of your current version.

• The recommended version was released a month ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Improper Validation of Specified Type of Input SNYK-JS-FASTIFY-9788069	315	No Known Exploit
	Cross-site Scripting (XSS) SNYK-JS-COOKIE-8163060	315	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-FINDMYWAY-8055229	315	No Known Exploit

Release notes

Package name: fastify

• 5.4.0 - 2025-06-12
  

  What's Changed

  • test: mv routes-* from tap by @ jean-michelet in #6092
  • test: mv skip-reply-send from tap by @ jean-michelet in #6094
  • test: mv plugins from tap by @ jean-michelet in #6088
  • fix(ci): ignore alternative runtime result by @ Eomm in #6125
  • test: mv schema-* from tap by @ jean-michelet in #6093
  • test: mv hooks-async from tap by @ jean-michelet in #6084
  • fix(types): add missing version to request.routeOptions by @ inyourtime in #6126
  • docs: remove fastify-sentry plugin by @ dnlup in #6131
  • docs: add community plugins disclaimer by @ jean-michelet in #6132
  • docs: use cross-platform compatible info emoji by @ Fdawgs in #6134
  • perf: nits in reply.js by @ Cangit in #6136
  • docs: join core team by @ jean-michelet in #6142
  • docs: fix typo in hash.digest function by @ piotr-cz in #6145
  • test: mv hooks from tap by @ jean-michelet in #6087
  • test: improve issue 4959 unit test by @ Uzlopak in #6147
  • chore: Bump markdownlint-cli2 from 0.17.2 to 0.18.1 by @ dependabot in #6150
  • chore: remove dependencie tap and others updated by @ Tony133 in #6148
  • fix: hook async flaky by @ ilteoood in #6155
  • chore: Bump lycheeverse/lychee-action from 2.4.0 to 2.4.1 by @ dependabot in #6151
  • chore: removing simple-get from allow-unsafe-regex by @ ilteoood in #6154
  • chore: remove simple get on 404s test file by @ ilteoood in #6153
  • chore: remove simple-get in handle-request.test.js by @ ilteoood in #6159
  • chore: remove simple-get from url-rewriting by @ ilteoood in #6163
  • chore: remove simple-get in report.test.js by @ ilteoood in #6157
  • chore: remove simple-get from custom parser async by @ ilteoood in #6164
  • chore: removed simple-get from mkcol tests by @ ilteoood in #6194
  • chore: removed simple-get from proto-poisoning test by @ ilteoood in #6185
  • ci: Added Node.js v24 by @ mcollina in #6113
  • chore: removed simple-get from nullable validation test by @ ilteoood in #6191
  • feat: configure errorhandler override by @ jean-michelet in #6104
  • chore: remove simple-get from search test by @ ilteoood in #6158
  • chore: remove simple get from secure with fallback test by @ ilteoood in #6162
  • chore: removed simple-get from als test by @ ilteoood in #6187
  • chore: remove simple-get from listen 4 by @ ilteoood in #6173
  • fix: do not freeze request.routeOptions by @ mcollina in #6141
  • chore: removed simple-get from sync-delay-request tests by @ ilteoood in #6212
  • chore: removed simple-get from output-validation tests by @ ilteoood in #6213
  • chore: removed simple-get from async-delay-request tests by @ ilteoood in #6211
  • chore: removed simple-get from body-limit tests by @ ilteoood in #6209
  • chore: removed simple-get from trust-proxy tests by @ ilteoood in #6205
  • chore: removed simple-get from proppatch tests by @ ilteoood in #6200
  • chore(ci): cleanup citgm.yml by @ Eomm in #6195
  • chore: removed simple-get from https tests by @ ilteoood in #6197
  • chore: removed simple-get from lock test by @ ilteoood in #6186

  Full Changelog: v5.3.3...v5.4.0

• 5.3.3 - 2025-05-13
  

  What's Changed

  • docs: update Vercel section by @ leerob in #6046
  • docs(ecosystem): add fastify-papr plugin by @ inaiat in #6051
  • test: migrated helper and input validation to node test runner by @ ilteoood in #6074
  • style: add "no comma-dangle" rule to eslint config and remove trailing commas by @ cecia234 in #6069
  • test: migrate stream tests to node test runner by @ ilteoood in #6065
  • test: logger response by @ ilteoood in #6055
  • test: migrate schema feature to node test runner by @ ilteoood in #6066
  • fix: Added more cases for JSON schema validation by @ mcollina in #6067
  • test: migrated inject.test.js from tap to node:test by @ Tony133 in #6068
  • test: migrated plugin 1 to node test runner by @ ilteoood in #6075
  • ci: fix branch pattern by @ Eomm in #6090
  • docs: added Jeasx to Ecosystem.md by @ jablonski in #6082
  • test: mv promises from tap by @ jean-michelet in #6085
  • refactor: node:http2 is always available by @ Cangit in #6073
  • fix: update borp to 0.20.0. by @ lholmquist in #6091
  • chore: Bump fluent-json-schema from 5.0.0 to 6.0.0 by @ dependabot in #6101
  • chore: Bump tsd from 0.31.2 to 0.32.0 in the dev-dependencies-typescript group by @ dependabot in #6100
  • test: migrated decorator.test.js from tap to node:test by @ Tony133 in #5957
  • test: stabilize pipelining shutdown test with controlled close timing by @ jean-michelet in #6099
  • test: migrated output-validation.test.js from tap to node:test by @ Tony133 in #6076
  • test: remove tap from hooks-on ready file by @ IcaroSilvaFK in #6080
  • test: mv hooks.on-listen from tap by @ jean-michelet in #6086
  • ci: ignore scripts by @ Fdawgs in #6108
  • docs: add a warning about setErrorHandler overriding a previously defined error handler on an encapsulated context by @ jean-michelet in #6097
  • docs(ecosystem): remove fastify-diagnostics-channel by @ inyourtime in #6117
  • fix: internal function _addHook failure should be turned into the rejection app.ready is waiting for by @ jean-michelet in #6105
  • test: replace removed request properties and update docs by @ inyourtime in #6111
  • test: mv reply from tap by @ jean-michelet in #6089
  • test: updated promises.test.js re-added the plan() method by @ Tony133 in #6057
  • ci: add support to test release candidates by @ RafaelGSS in #6103

  New Contributors

  • @ leerob made their first contribution in #6046
  • @ inaiat made their first contribution in #6051
  • @ cecia234 made their first contribution in #6069
  • @ jablonski made their first contribution in #6082
  • @ lholmquist made their first contribution in #6091
  • @ IcaroSilvaFK made their first contribution in #6080

  Full Changelog: v5.3.2...v5.3.3

• 5.3.2 - 2025-04-18
  

  ⚠️ Security Release ⚠️

  Unfortunately, v5.3.1 did not include a complete fix for "Invalid content-type parsing could lead to validation bypass" and CVE-2025-32442. This is a follow-up patch to cover an edge case.

  What's Changed

  • docs: fix archived concurrently link to point to active repo by @ TimTeylor in #6063
  • fix: treat space as a delimiter in content-type parsing by @ mcollina in #6064

  New Contributors

  • @ TimTeylor made their first contribution in #6063

  Full Changelog: v5.3.1...v5.3.2

• 5.3.1 - 2025-04-18
  

  ⚠️ Security Release ⚠️

  • Fix for "Invalid content-type parsing could lead to validation bypass" and CVE-2025-32442

  What's Changed

  • test: migrate logger options to node test runner by @ ilteoood in #6059
  • test: migrate logger logging to node test runner by @ ilteoood in #6060
  • test: convert custom parser 1 to node test runner by @ ilteoood in #6053
  • test: custom querystring parser by @ ilteoood in #6054
  • test: migrate stream 4 to node test runner by @ ilteoood in #6062
  • test: migrate request logger to node test runner by @ ilteoood in #6058
  • test: migrate custom parser 0 to node test runner by @ ilteoood in #6052
  • test: migrate logger instantiation to node test runner by @ ilteoood in #6061

  New Contributors

  • @ ilteoood made their first contribution in #6059

  Full Changelog

[lholmquist]

🎉 Snyk checks have passed. No issues have been found so far.

✅ security/snyk check is complete. No issues have been found. (View Details)