Skip to content

fix(deps): update dependency @fastify/multipart to v8.3.1 [security]#879

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-fastify-multipart-vulnerability
Open

fix(deps): update dependency @fastify/multipart to v8.3.1 [security]#879
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-fastify-multipart-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jan 23, 2025

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
@fastify/multipart 8.0.08.3.1 age adoption passing confidence

Unlimited consumption of resources in @​fastify/multipart

CVE-2025-24033 / GHSA-27c6-mcxv-x3fh

More information

Details

Impact

The saveRequestFiles function does not delete the uploaded temporary files when user cancels the request.

Patches

Fixed in version 8.3.1 and 9.0.3

Workarounds

Do not use saveRequestFiles.

References

This was identified in https://github.com/fastify/fastify-multipart/issues/546 and fixed in https://github.com/fastify/fastify-multipart/pull/567.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

fastify/fastify-multipart (@​fastify/multipart)

v8.3.1

Compare Source

What's Changed

Full Changelog: fastify/fastify-multipart@v8.3.0...v8.3.1

v8.3.0

Compare Source

What's Changed

Full Changelog: fastify/fastify-multipart@v8.2.0...v8.3.0

v8.2.0

Compare Source

What's Changed

Full Changelog: fastify/fastify-multipart@v8.1.0...v8.2.0

v8.1.0

Compare Source

What's Changed

New Contributors

Full Changelog: fastify/fastify-multipart@v8.0.0...v8.1.0


Configuration

📅 Schedule: (in timezone Asia/Shanghai)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the renovate label Jan 23, 2025
@renovate renovate Bot force-pushed the renovate/npm-fastify-multipart-vulnerability branch from 292b440 to ecad99a Compare August 10, 2025 13:57
@renovate renovate Bot force-pushed the renovate/npm-fastify-multipart-vulnerability branch from ecad99a to 292f6d2 Compare August 19, 2025 18:51
@renovate renovate Bot force-pushed the renovate/npm-fastify-multipart-vulnerability branch from 292f6d2 to 7606440 Compare December 31, 2025 15:16
@renovate renovate Bot force-pushed the renovate/npm-fastify-multipart-vulnerability branch from 7606440 to 74bedc2 Compare January 19, 2026 16:36
@renovate renovate Bot force-pushed the renovate/npm-fastify-multipart-vulnerability branch from 74bedc2 to 3b83421 Compare February 2, 2026 16:31
@renovate renovate Bot force-pushed the renovate/npm-fastify-multipart-vulnerability branch from 3b83421 to 8a33e7d Compare February 12, 2026 12:07
@renovate renovate Bot changed the title fix(deps): update dependency @fastify/multipart to v8.3.1 [security] fix(deps): update dependency @fastify/multipart to v8.3.1 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/npm-fastify-multipart-vulnerability branch March 27, 2026 01:40
@renovate renovate Bot changed the title fix(deps): update dependency @fastify/multipart to v8.3.1 [security] - autoclosed fix(deps): update dependency @fastify/multipart to v8.3.1 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-fastify-multipart-vulnerability branch 2 times, most recently from 8a33e7d to ab92865 Compare March 30, 2026 21:23
@renovate renovate Bot changed the title fix(deps): update dependency @fastify/multipart to v8.3.1 [security] fix(deps): update dependency @fastify/multipart to v8.3.1 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title fix(deps): update dependency @fastify/multipart to v8.3.1 [security] - autoclosed fix(deps): update dependency @fastify/multipart to v8.3.1 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-fastify-multipart-vulnerability branch 3 times, most recently from 0e5d701 to b9d24de Compare April 29, 2026 20:11
@renovate renovate Bot force-pushed the renovate/npm-fastify-multipart-vulnerability branch from b9d24de to b96de8d Compare May 12, 2026 10:33
@renovate

renovate Bot commented May 12, 2026

Copy link
Copy Markdown
Contributor Author

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml
[WARN] The "pnpm" field in package.json is no longer read by pnpm. The following keys were ignored: "pnpm.overrides". See https://pnpm.io/settings for the new home of each setting.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants