fastify 5.4.0 → 5.6.0

package/lib/contentTypeParser.js

@@ -24,7 +24,8 @@ const {
   FST_ERR_CTP_INVALID_MEDIA_TYPE,
   FST_ERR_CTP_INVALID_CONTENT_LENGTH,
   FST_ERR_CTP_EMPTY_JSON_BODY,
-  FST_ERR_CTP_INSTANCE_ALREADY_STARTED
+  FST_ERR_CTP_INSTANCE_ALREADY_STARTED,
+  FST_ERR_CTP_INVALID_JSON_BODY
 } = require('./errors')
 const { FSTSEC001 } = require('./warnings')
 
@@ -174,17 +175,18 @@ ContentTypeParser.prototype.run = function (contentType, handler, request, reply
   const parser = this.getParser(contentType)
 
   if (parser === undefined) {
-    if (request.is404) {
+    if (request.is404 === true) {
       handler(request, reply)
-    } else {
-      reply.send(new FST_ERR_CTP_INVALID_MEDIA_TYPE(contentType || undefined))
+      return
     }
 
-    // Early return to avoid allocating an AsyncResource if it's not needed
+    reply[kReplyIsError] = true
+    reply.send(new FST_ERR_CTP_INVALID_MEDIA_TYPE(contentType || undefined))
     return
   }
 
   const resource = new AsyncResource('content-type-parser:run', request)
+  const done = resource.bind(onDone)
 
   if (parser.asString === true || parser.asBuffer === true) {
     rawBody(
@@ -194,48 +196,44 @@ ContentTypeParser.prototype.run = function (contentType, handler, request, reply
       parser,
       done
     )
-  } else {
-    const result = parser.fn(request, request[kRequestPayloadStream], done)
+    return
+  }
 
-    if (result && typeof result.then === 'function') {
-      result.then(body => done(null, body), done)
-    }
+  const result = parser.fn(request, request[kRequestPayloadStream], done)
+  if (result && typeof result.then === 'function') {
+    result.then(body => { done(null, body) }, done)
   }
 
-  function done (error, body) {
-    // We cannot use resource.bind() because it is broken in node v12 and v14
-    resource.runInAsyncScope(() => {
-      resource.emitDestroy()
-      if (error) {
-        reply[kReplyIsError] = true
-        reply.send(error)
-      } else {
-        request.body = body
-        handler(request, reply)
-      }
-    })
+  function onDone (error, body) {
+    resource.emitDestroy()
+    if (error != null) {
+      // We must close the connection as the client may
+      // send more data
+      reply.header('connection', 'close')
+      reply[kReplyIsError] = true
+      reply.send(error)
+      return
+    }
+    request.body = body
+    handler(request, reply)
   }
 }
 
 function rawBody (request, reply, options, parser, done) {
-  const asString = parser.asString
+  const asString = parser.asString === true
   const limit = options.limit === null ? parser.bodyLimit : options.limit
   const contentLength = Number(request.headers['content-length'])
 
   if (contentLength > limit) {
-    // We must close the connection as the client is going
-    // to send this data anyway
-    reply.header('connection', 'close')
-    reply.send(new FST_ERR_CTP_BODY_TOO_LARGE())
+    done(new FST_ERR_CTP_BODY_TOO_LARGE(), undefined)
     return
   }
 
   let receivedLength = 0
-  let body = asString === true ? '' : []
-
+  let body = asString ? '' : []
   const payload = request[kRequestPayloadStream] || request.raw
 
-  if (asString === true) {
+  if (asString) {
     payload.setEncoding('utf8')
   }
 
@@ -245,7 +243,7 @@ function rawBody (request, reply, options, parser, done) {
   payload.resume()
 
   function onData (chunk) {
-    receivedLength += chunk.length
+    receivedLength += asString ? Buffer.byteLength(chunk) : chunk.length
     const { receivedEncodedLength = 0 } = payload
     // The resulting body length must not exceed bodyLimit (see "zip bomb").
     // The case when encoded length is larger than received length is rather theoretical,
@@ -254,11 +252,11 @@ function rawBody (request, reply, options, parser, done) {
       payload.removeListener('data', onData)
       payload.removeListener('end', onEnd)
       payload.removeListener('error', onEnd)
-      reply.send(new FST_ERR_CTP_BODY_TOO_LARGE())
+      done(new FST_ERR_CTP_BODY_TOO_LARGE(), undefined)
       return
     }
 
-    if (asString === true) {
+    if (asString) {
       body += chunk
     } else {
       body.push(chunk)
@@ -270,37 +268,33 @@ function rawBody (request, reply, options, parser, done) {
     payload.removeListener('end', onEnd)
     payload.removeListener('error', onEnd)
 
-    if (err !== undefined) {
+    if (err != null) {
       if (!(typeof err.statusCode === 'number' && err.statusCode >= 400)) {
         err.statusCode = 400
       }
-      reply[kReplyIsError] = true
-      reply.code(err.statusCode).send(err)
+      done(err, undefined)
       return
     }
 
-    if (asString === true) {
-      receivedLength = Buffer.byteLength(body)
-    }
-
     if (!Number.isNaN(contentLength) && (payload.receivedEncodedLength || receivedLength) !== contentLength) {
-      reply.header('connection', 'close')
-      reply.send(new FST_ERR_CTP_INVALID_CONTENT_LENGTH())
+      done(new FST_ERR_CTP_INVALID_CONTENT_LENGTH(), undefined)
       return
     }
 
-    if (asString === false) {
+    if (!asString) {
       body = Buffer.concat(body)
     }
 
     const result = parser.fn(request, body, done)
     if (result && typeof result.then === 'function') {
-      result.then(body => done(null, body), done)
+      result.then(body => { done(null, body) }, done)
     }
   }
 }
 
 function getDefaultJsonParser (onProtoPoisoning, onConstructorPoisoning) {
+  const parseOptions = { protoAction: onProtoPoisoning, constructorAction: onConstructorPoisoning }
+
   return defaultJsonParser
 
   function defaultJsonParser (req, body, done) {
@@ -309,10 +303,9 @@ function getDefaultJsonParser (onProtoPoisoning, onConstructorPoisoning) {
       return
     }
     try {
-      done(null, secureJsonParse(body, { protoAction: onProtoPoisoning, constructorAction: onConstructorPoisoning }))
-    } catch (err) {
-      err.statusCode = 400
-      done(err, undefined)
+      done(null, secureJsonParse(body, parseOptions))
+    } catch {
+      done(new FST_ERR_CTP_INVALID_JSON_BODY(), undefined)
     }
   }
 }

package/lib/error-handler.js

@@ -39,7 +39,7 @@ function handleError (reply, error, cb) {
         if (!reply.log[kDisableRequestLogging]) {
           reply.log.warn(
             { req: reply.request, res: reply, err: error },
-            error && error.message
+            error?.message
           )
         }
         reply.raw.writeHead(reply.raw.statusCode)
@@ -89,14 +89,14 @@ function defaultErrorHandler (error, request, reply) {
     if (!reply.log[kDisableRequestLogging]) {
       reply.log.info(
         { res: reply, err: error },
-        error && error.message
+        error?.message
       )
     }
   } else {
     if (!reply.log[kDisableRequestLogging]) {
       reply.log.error(
         { req: request, res: reply, err: error },
-        error && error.message
+        error?.message
       )
     }
   }

package/lib/errors.js

@@ -124,6 +124,11 @@ const codes = {
     "Body cannot be empty when content-type is set to 'application/json'",
     400
   ),
+  FST_ERR_CTP_INVALID_JSON_BODY: createError(
+    'FST_ERR_CTP_INVALID_JSON_BODY',
+    "Body is not valid JSON but content-type is set to 'application/json'",
+    400
+  ),
   FST_ERR_CTP_INSTANCE_ALREADY_STARTED: createError(
     'FST_ERR_CTP_INSTANCE_ALREADY_STARTED',
     'Cannot call "%s" when fastify instance is already started!',

package/lib/handleRequest.js

@@ -21,9 +21,7 @@ function handleRequest (err, request, reply) {
     return
   }
 
-  const method = request.raw.method
-  const headers = request.headers
-  const context = request[kRouteContext]
+  const method = request.method
 
   if (this[kSupportedHTTPMethods].bodyless.has(method)) {
     handler(request, reply)
@@ -31,28 +29,26 @@ function handleRequest (err, request, reply) {
   }
 
   if (this[kSupportedHTTPMethods].bodywith.has(method)) {
+    const headers = request.headers
     const contentType = headers['content-type']
-    const contentLength = headers['content-length']
-    const transferEncoding = headers['transfer-encoding']
 
     if (contentType === undefined) {
-      if (
-        (contentLength === undefined || contentLength === '0') &&
-        transferEncoding === undefined
-      ) {
+      const contentLength = headers['content-length']
+      const transferEncoding = headers['transfer-encoding']
+      const isEmptyBody = transferEncoding === undefined &&
+        (contentLength === undefined || contentLength === '0')
+
+      if (isEmptyBody) {
         // Request has no body to parse
         handler(request, reply)
-      } else {
-        context.contentTypeParser.run('', handler, request, reply)
-      }
-    } else {
-      if (contentLength === undefined && transferEncoding === undefined && method === 'OPTIONS') {
-        // OPTIONS can have a Content-Type header without a body
-        handler(request, reply)
         return
       }
-      context.contentTypeParser.run(contentType, handler, request, reply)
+
+      request[kRouteContext].contentTypeParser.run('', handler, request, reply)
+      return
     }
+
+    request[kRouteContext].contentTypeParser.run(contentType, handler, request, reply)
     return
   }
 

package/lib/promise.js

@@ -0,0 +1,23 @@
+'use strict'
+
+const { kTestInternals } = require('./symbols')
+
+function withResolvers () {
+  let res, rej
+  const promise = new Promise((resolve, reject) => {
+    res = resolve
+    rej = reject
+  })
+  return { promise, resolve: res, reject: rej }
+}
+
+module.exports = {
+  // TODO(20.x): remove when node@20 is not supported
+  withResolvers: typeof Promise.withResolvers === 'function'
+    ? Promise.withResolvers.bind(Promise) // Promise.withResolvers must bind to itself
+    /* c8 ignore next */
+    : withResolvers, // Tested using the kTestInternals
+  [kTestInternals]: {
+    withResolvers
+  }
+}

package/lib/reply.js

@@ -126,16 +126,16 @@ Reply.prototype.hijack = function () {
 }
 
 Reply.prototype.send = function (payload) {
-  if (this[kReplyIsRunningOnErrorHook] === true) {
+  if (this[kReplyIsRunningOnErrorHook]) {
     throw new FST_ERR_SEND_INSIDE_ONERR()
   }
 
-  if (this.sent) {
+  if (this.sent === true) {
     this.log.warn({ err: new FST_ERR_REP_ALREADY_SENT(this.request.url, this.request.method) })
     return this
   }
 
-  if (payload instanceof Error || this[kReplyIsError] === true) {
+  if (this[kReplyIsError] || payload instanceof Error) {
     this[kReplyIsError] = false
     onErrorHook(this, payload, onSendHook)
     return this
@@ -162,8 +162,8 @@ Reply.prototype.send = function (payload) {
       return this
     }
 
-    if (payload?.buffer instanceof ArrayBuffer) {
-      if (hasContentType === false) {
+    if (payload.buffer instanceof ArrayBuffer) {
+      if (!hasContentType) {
         this[kReplyHeaders]['content-type'] = CONTENT_TYPE.OCTET
       }
       const payloadToSend = Buffer.isBuffer(payload) ? payload : Buffer.from(payload.buffer, payload.byteOffset, payload.byteLength)
@@ -171,7 +171,7 @@ Reply.prototype.send = function (payload) {
       return this
     }
 
-    if (hasContentType === false && typeof payload === 'string') {
+    if (!hasContentType && typeof payload === 'string') {
       this[kReplyHeaders]['content-type'] = CONTENT_TYPE.PLAIN
       onSendHook(this, payload)
       return this
@@ -182,26 +182,24 @@ Reply.prototype.send = function (payload) {
     if (typeof payload !== 'string') {
       preSerializationHook(this, payload)
       return this
-    } else {
-      payload = this[kReplySerializer](payload)
     }
+    payload = this[kReplySerializer](payload)
 
     // The indexOf below also matches custom json mimetypes such as 'application/hal+json' or 'application/ld+json'
-  } else if (hasContentType === false || contentType.indexOf('json') > -1) {
-    if (hasContentType === false) {
+  } else if (!hasContentType || contentType.indexOf('json') !== -1) {
+    if (!hasContentType) {
       this[kReplyHeaders]['content-type'] = CONTENT_TYPE.JSON
-    } else {
+    } else if (contentType.indexOf('charset') === -1) {
       // If user doesn't set charset, we will set charset to utf-8
-      if (contentType.indexOf('charset') === -1) {
-        const customContentType = contentType.trim()
-        if (customContentType.endsWith(';')) {
-          // custom content-type is ended with ';'
-          this[kReplyHeaders]['content-type'] = `${customContentType} charset=utf-8`
-        } else {
-          this[kReplyHeaders]['content-type'] = `${customContentType}; charset=utf-8`
-        }
+      const customContentType = contentType.trim()
+      if (customContentType.endsWith(';')) {
+        // custom content-type is ended with ';'
+        this[kReplyHeaders]['content-type'] = `${customContentType} charset=utf-8`
+      } else {
+        this[kReplyHeaders]['content-type'] = `${customContentType}; charset=utf-8`
       }
     }
+
     if (typeof payload !== 'string') {
       preSerializationHook(this, payload)
       return this

package/lib/route.js

@@ -29,6 +29,8 @@ const {
   FST_ERR_HOOK_INVALID_ASYNC_HANDLER
 } = require('./errors')
 
+const { FSTDEP022 } = require('./warnings')
+
 const {
   kRoutePrefix,
   kSupportedHTTPMethods,
@@ -52,6 +54,20 @@ const { buildErrorHandler } = require('./error-handler')
 const { createChildLogger } = require('./logger-factory.js')
 const { getGenReqId } = require('./reqIdGenFactory.js')
 
+const routerKeys = [
+  'allowUnsafeRegex',
+  'buildPrettyMeta',
+  'caseSensitive',
+  'constraints',
+  'defaultRoute',
+  'ignoreDuplicateSlashes',
+  'ignoreTrailingSlash',
+  'maxParamLength',
+  'onBadUrl',
+  'querystringParser',
+  'useSemicolonDelimiter'
+]
+
 function buildRouting (options) {
   const router = FindMyWay(options.config)
 
@@ -85,8 +101,8 @@ function buildRouting (options) {
 
       globalExposeHeadRoutes = options.exposeHeadRoutes
       disableRequestLogging = options.disableRequestLogging
-      ignoreTrailingSlash = options.ignoreTrailingSlash
-      ignoreDuplicateSlashes = options.ignoreDuplicateSlashes
+      ignoreTrailingSlash = options.routerOptions.ignoreTrailingSlash
+      ignoreDuplicateSlashes = options.routerOptions.ignoreDuplicateSlashes
       return503OnClosing = Object.hasOwn(options, 'return503OnClosing') ? options.return503OnClosing : true
       keepAliveConnections = fastifyArgs.keepAliveConnections
     },
@@ -572,6 +588,24 @@ function runPreParsing (err, request, reply) {
   }
 }
 
+function buildRouterOptions (options, defaultOptions) {
+  const routerOptions = options.routerOptions || Object.create(null)
+
+  const usedDeprecatedOptions = routerKeys.filter(key => Object.hasOwn(options, key))
+
+  if (usedDeprecatedOptions.length > 0) {
+    FSTDEP022(usedDeprecatedOptions.join(', '))
+  }
+
+  for (const key of routerKeys) {
+    if (!Object.hasOwn(routerOptions, key)) {
+      routerOptions[key] = options[key] ?? defaultOptions[key]
+    }
+  }
+
+  return routerOptions
+}
+
 /**
  * Used within the route handler as a `net.Socket.close` event handler.
  * The purpose is to remove a socket from the tracked sockets collection when
@@ -583,4 +617,4 @@ function removeTrackedSocket () {
 
 function noop () { }
 
-module.exports = { buildRouting, validateBodyLimitOption }
+module.exports = { buildRouting, validateBodyLimitOption, buildRouterOptions }

package/lib/server.js

@@ -14,6 +14,7 @@ const {
   FST_ERR_REOPENED_SERVER,
   FST_ERR_LISTEN_OPTIONS_INVALID
 } = require('./errors')
+const PonyPromise = require('./promise')
 
 module.exports.createServer = createServer
 
@@ -41,10 +42,14 @@ function createServer (options, httpHandler) {
         throw new FST_ERR_LISTEN_OPTIONS_INVALID('Invalid options.signal')
       }
 
-      if (listenOptions.signal.aborted) {
-        this.close()
+      // copy the current signal state
+      this[kState].aborted = listenOptions.signal.aborted
+
+      if (this[kState].aborted) {
+        return this.close()
       } else {
         const onAborted = () => {
+          this[kState].aborted = true
           this.close()
         }
         listenOptions.signal.addEventListener('abort', onAborted, { once: true })
@@ -99,18 +104,18 @@ function createServer (options, httpHandler) {
     if (cb === undefined) {
       const listening = listenPromise.call(this, server, listenOptions)
       return listening.then(address => {
-        return new Promise((resolve, reject) => {
-          if (host === 'localhost') {
-            multipleBindings.call(this, server, httpHandler, options, listenOptions, () => {
-              this[kState].listening = true
-              resolve(address)
-              onListenHookRunner(this)
-            })
-          } else {
+        const { promise, resolve } = PonyPromise.withResolvers()
+        if (host === 'localhost') {
+          multipleBindings.call(this, server, httpHandler, options, listenOptions, () => {
+            this[kState].listening = true
             resolve(address)
             onListenHookRunner(this)
-          }
-        })
+          })
+        } else {
+          resolve(address)
+          onListenHookRunner(this)
+        }
+        return promise
       })
     }
 
@@ -126,7 +131,7 @@ function multipleBindings (mainServer, httpHandler, serverOpts, listenOptions, o
 
   // let's check if we need to bind additional addresses
   dns.lookup(listenOptions.host, { all: true }, (dnsErr, addresses) => {
-    if (dnsErr) {
+    if (dnsErr || this[kState].aborted) {
       // not blocking the main server listening
       // this.log.warn('dns.lookup error:', dnsErr)
       onListen()
@@ -239,35 +244,31 @@ function listenPromise (server, listenOptions) {
   }
 
   return this.ready().then(() => {
-    let errEventHandler
-    let listeningEventHandler
+    // skip listen when aborted during ready
+    if (this[kState].aborted) return
+
+    const { promise, resolve, reject } = PonyPromise.withResolvers()
+
+    const errEventHandler = (err) => {
+      cleanup()
+      this[kState].listening = false
+      reject(err)
+    }
+    const listeningEventHandler = () => {
+      cleanup()
+      this[kState].listening = true
+      resolve(logServerAddress.call(this, server, listenOptions.listenTextResolver || defaultResolveServerListeningText))
+    }
     function cleanup () {
       server.removeListener('error', errEventHandler)
       server.removeListener('listening', listeningEventHandler)
     }
-    const errEvent = new Promise((resolve, reject) => {
-      errEventHandler = (err) => {
-        cleanup()
-        this[kState].listening = false
-        reject(err)
-      }
-      server.once('error', errEventHandler)
-    })
-    const listeningEvent = new Promise((resolve, reject) => {
-      listeningEventHandler = () => {
-        cleanup()
-        this[kState].listening = true
-        resolve(logServerAddress.call(this, server, listenOptions.listenTextResolver || defaultResolveServerListeningText))
-      }
-      server.once('listening', listeningEventHandler)
-    })
+    server.once('error', errEventHandler)
+    server.once('listening', listeningEventHandler)
 
     server.listen(listenOptions)
 
-    return Promise.race([
-      errEvent, // e.g invalid port range error is always emitted before the server listening
-      listeningEvent
-    ])
+    return promise
   })
 }
 

package/lib/warnings.js

@@ -6,8 +6,10 @@ const { createWarning } = require('process-warning')
  * Deprecation codes:
  *   - FSTWRN001
  *   - FSTSEC001
+ *   - FSTDEP022
  *
  * Deprecation Codes FSTDEP001 - FSTDEP021 were used by v4 and MUST NOT not be reused.
+ *                             - FSTDEP022 is used by v5 and MUST NOT be reused.
  * Warning Codes FSTWRN001 - FSTWRN002 were used by v4 and MUST NOT not be reused.
  */
 
@@ -39,9 +41,17 @@ const FSTSEC001 = createWarning({
   unlimited: true
 })
 
+const FSTDEP022 = createWarning({
+  name: 'FastifyWarning',
+  code: 'FSTDPE022',
+  message: 'The router options for %s property access is deprecated. Please use "options.routerOptions" instead for accessing router options. The router options will be removed in `fastify@6`.',
+  unlimited: true
+})
+
 module.exports = {
   FSTWRN001,
   FSTWRN003,
   FSTWRN004,
-  FSTSEC001
+  FSTSEC001,
+  FSTDEP022
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "fastify",
-  "version": "5.4.0",
+  "version": "5.6.0",
   "description": "Fast and low overhead web framework, for Node.js",
   "main": "fastify.js",
   "type": "commonjs",
@@ -9,6 +9,7 @@
     "bench": "branchcmp -r 2 -g -s \"npm run benchmark\"",
     "benchmark": "concurrently -k -s first \"node ./examples/benchmark/simple.js\" \"autocannon -c 100 -d 30 -p 10 localhost:3000/\"",
     "benchmark:parser": "concurrently -k -s first \"node ./examples/benchmark/parser.js\" \"autocannon -c 100 -d 30 -p 10 -i ./examples/benchmark/body.json -H \"content-type:application/jsoff\" -m POST localhost:3000/\"",
+    "benchmark:parser:error": "concurrently -k -s first \"node ./examples/benchmark/parser.js\" \"autocannon -c 100 -d 30 -p 10 -i ./examples/benchmark/body.json -H \"content-type:application/jsoff\" -H \"content-length:123\" -m POST localhost:3000/\"",
     "build:validation": "node build/build-error-serializer.js && node build/build-validation.js",
     "coverage": "c8 --reporter html borp --reporter=@jsumners/line-reporter --coverage --check-coverage --lines 100 ",
     "coverage:ci-check-coverage": "borp --reporter=@jsumners/line-reporter --coverage --check-coverage --lines 100",
@@ -168,9 +169,9 @@
     "@jsumners/line-reporter": "^1.0.1",
     "@sinclair/typebox": "^0.34.13",
     "@sinonjs/fake-timers": "^11.2.2",
-    "@stylistic/eslint-plugin": "^4.1.0",
+    "@stylistic/eslint-plugin": "^5.1.0",
     "@stylistic/eslint-plugin-js": "^4.1.0",
-    "@types/node": "^22.0.0",
+    "@types/node": "^24.0.12",
     "ajv": "^8.12.0",
     "ajv-errors": "^3.0.0",
     "ajv-formats": "^3.0.1",
@@ -180,7 +181,7 @@
     "borp": "^0.20.0",
     "branch-comparer": "^1.1.0",
     "concurrently": "^9.1.2",
-    "cross-env": "^7.0.3",
+    "cross-env": "^10.0.0",
     "eslint": "^9.0.0",
     "fast-json-body": "^1.1.0",
     "fastify-plugin": "^5.0.0",
@@ -194,11 +195,10 @@
     "neostandard": "^0.12.0",
     "node-forge": "^1.3.1",
     "proxyquire": "^2.1.3",
-    "simple-get": "^4.0.1",
     "split2": "^4.2.0",
     "tsd": "^0.32.0",
-    "typescript": "~5.8.2",
-    "undici": "^6.13.0",
+    "typescript": "~5.9.2",
+    "undici": "^7.11.0",
     "vary": "^1.1.2",
     "yup": "^1.4.0"
   },