Hi folks,
Last week has been incredibly busy with all the security updates as well as new content, and a new Platformatic release. As usual, let me know what you think!
Last Monday, I paired with Matthew Phillips of the Astro team to build together fastify-astro. We got almost all the features of the development mode working! Check out the video; there are quite a few tricks that you can use in your code too!
Last Thursday, we started cleaning up the Unscalable Queue System codebase, and we also fixed a bug in Platformatic.
We have opened the following pull requests together:
- https://github.com/platformatic/platformatic/pull/692
- https://github.com/platformatic/unscalable-queue-system/pull/24
- https://github.com/platformatic/unscalable-queue-system/pull/23
You can watch the full video at: https://youtu.be/cAyzpu309Po.
@fastify/multipart security release
I've released @fastify/multipart v7.4.1 and v6.0.1, for Fastify v4.x and v3.x respectively.
They contain the fix for a Denial of Service attack that crashes the server by sending an unlimited number of very tiny parts. You can find the advisory at GHSA-hpp2-2cr5-pf6g.
v7.4.1:
https://github.com/fastify/fastify-multipart/releases/tag/v7.4.1
v6.0.1:
https://github.com/fastify/fastify-multipart/releases/tag/v6.0.1
The security releases for Node.js v19.x, v18.x, v16.x and v14.x are all out; read more at https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/. Here is a summary of the vulnerabilities:
Doing security releases is exceptionally hard. I want to thank Michael Dawson for being the security steward, and Richard Lau, Rafael Gonzaga, Juan José, Bradley Farias, Rich Trott and Robert Nagy for working on the fixes and the releases themselves.
Two of the fixes in the latest Node.js security release are Undici fixes, as Undici implements the WHATWG fetch() standard and is bundled into Node.js. Therefore we had to issue a security release for Undici, go update! Here you can find the release notes for v5.19.1.
But there was a problem.
A few days earlier, I shipped Undici v5.19.0. Given that this release did not get the massive amount of testing that Undici releases usually get, it shipped with two regressions:
- Set-Cookie handling (nodejs/undici issue #1935)
These have been fixed in v5.20.0, which will be released as part of Node v19.7.0 and v18.14.2.
Other releases (the link titles were lost in extraction, so only the fragments survive):
- … uri-js with fast-uri
- … v5.3.1 uses X-Forwarded-Host when trustProxy is set on the Fastify instance
- … id in the onSubscriptionEnd hook
- … swagger-initializer.js file
- core-js is one of the most controversial projects in the npm ecosystem, down to its maintainer, and this time he is asking for more funds.