node-fastify 5.8.3

package/SECURITY.md

@@ -0,0 +1,220 @@
+# Security Policy
+
+This document describes the management of vulnerabilities for the Fastify
+project and its official plugins.
+
+## Threat Model
+
+Fastify's threat model extends the
+[Node.js security policy](https://github.com/nodejs/node/blob/main/SECURITY.md).
+
+**Trusted:** Application code (plugins, handlers, hooks, schemas), configuration,
+and the runtime environment.
+
+**Untrusted:** All network input (HTTP headers, body, query strings, URL
+parameters).
+
+Fastify assumes Node.js is running with `insecureHTTPParser: false` (the
+secure default). Deployments that enable `insecureHTTPParser: true` are
+outside Fastify's threat model.
+
+### Examples of Vulnerabilities
+
+- Parsing flaws that bypass validation or security controls
+- DoS through malformed input to Fastify's core
+- Bypasses of built-in protections (prototype poisoning, schema validation)
+
+### Examples of Non-Vulnerabilities
+
+The following are **not** considered vulnerabilities in Fastify:
+
+- **Application code vulnerabilities**: XSS, SQL injection, or other flaws in
+user-written route handlers, hooks, or plugins
+- **Malicious application code**: Issues caused by intentionally malicious
+plugins or handlers (application code is trusted)
+- **Validation schema issues**: Weak or incorrect schemas provided by developers
+(schemas are trusted)
+- **ReDoS in user patterns**: Regular expression DoS in user-provided regex
+patterns for routes or validation
+- **Missing security features**: Lack of rate limiting, authentication, or
+authorization (these are application-level concerns)
+- **Configuration mistakes**: Security issues arising from developer
+misconfiguration (configuration is trusted)
+- **Content-type parser/schema mismatches**: When a custom content-type parser
+registered with a regular expression (e.g., `/^application\/.*json$/`) matches
+incoming requests that do not have a corresponding key in the route's
+`schema.body.content` map, validation is skipped for that request. It is the
+application's responsibility to ensure that every content type accepted by a
+parser has a matching validation schema entry. This is a configuration concern,
+not a framework vulnerability (see
+[Validation and Serialization](./docs/Reference/Validation-and-Serialization.md)
+and [Content-Type Parser](./docs/Reference/ContentTypeParser.md))
+- **`insecureHTTPParser: true` deployments**: Reports that rely on enabling
+Node.js `insecureHTTPParser` are out of scope; Fastify assumes this flag is
+`false`
+- **Third-party dependencies**: Vulnerabilities in npm packages used by the
+application (not Fastify core dependencies)
+- **Resource exhaustion from handlers**: DoS caused by expensive operations in
+user route handlers
+- **Information disclosure by design**: Exposing error details or stack traces
+explicitly enabled via configuration options
+
+## Reporting vulnerabilities
+
+Individuals who find potential vulnerabilities in Fastify are invited to
+complete a vulnerability report via the
+[GitHub Security page](https://github.com/fastify/fastify/security/advisories/new).
+
+Do not assign or request a CVE directly.
+CVE assignment is handled by the Fastify Security Team.
+Fastify falls under the [OpenJS CNA](https://cna.openjsf.org/).
+A CVE will be assigned as part of our responsible disclosure process.
+
+> ℹ️ Note:
+> Fastify's [HackerOne](https://hackerone.com/fastify) program is now closed.
+
+### Strict measures when reporting vulnerabilities
+
+It is of the utmost importance that you read carefully and follow these
+guidelines to ensure the ecosystem as a whole isn't disrupted due to improperly
+reported vulnerabilities:
+
+* Avoid creating new "informative" reports. Only create new
+  reports on a vulnerability if you are absolutely sure this should be
+  tagged as an actual vulnerability. Third-party vendors and individuals are
+  tracking any new vulnerabilities reported on GitHub and will flag
+  them as such for their customers (think about snyk, npm audit, ...).
+* Security reports should never be created and triaged by the same person. If
+  you are creating a report for a vulnerability that you found, or on
+  behalf of someone else, there should always be a 2nd Security Team member who
+  triages it. If in doubt, invite more Fastify Collaborators to help triage the
+  validity of the report. In any case, the report should follow the same process
+  as outlined below of inviting the maintainers to review and accept the
+  vulnerability.
+* ***Do not*** attempt to show CI/CD vulnerabilities by creating new pull
+  requests to any of the Fastify organization's repositories. Doing so will
+  result in a [content report][cr] to GitHub as an unsolicited exploit.
+  The proper way to provide such reports is by creating a new repository,
+  configured in the same manner as the repository you would like to submit
+  a report about, and with a pull request to your own repository showing
+  the proof of concept.
+
+[cr]: https://docs.github.com/en/communities/maintaining-your-safety-on-github/reporting-abuse-or-spam#reporting-an-issue-or-pull-request
+
+### Vulnerabilities found outside this process
+
+⚠ The Fastify project does not support any reporting outside the process mentioned
+in this document.
+
+## Handling vulnerability reports
+
+When a potential vulnerability is reported, the following actions are taken:
+
+### Triage
+
+**Delay:** 4 business days
+
+Within 4 business days, a member of the security team provides a first answer to
+the individual who submitted the potential vulnerability. The possible responses
+can be:
+
+* **Acceptance**: what was reported is considered as a new vulnerability
+* **Rejection**: what was reported is not considered as a new vulnerability
+* **Need more information**: the security team needs more information in order to
+  evaluate what was reported.
+
+Triaging should include updating issue fields:
+* Asset - set/create the module affected by the report
+* Severity - TBD, currently left empty
+
+### Correction follow-up
+
+**Delay:** 90 days
+
+When a vulnerability is confirmed, a member of the security team volunteers to
+follow up on this report.
+
+With the help of the individual who reported the vulnerability, they contact the
+maintainers of the vulnerable package to make them aware of the vulnerability.
+The maintainers can be invited as participants to the reported issue.
+
+With the package maintainer, they define a release date for the publication of
+the vulnerability. Ideally, this release date should not happen before the
+package has been patched.
+
+The report's vulnerable versions upper limit should be set to:
+* `*` if there is no fixed version available by the time of publishing the
+  report.
+* the last vulnerable version. For example: `<=1.2.3` if a fix exists in `1.2.4`
+
+### Publication
+
+**Delay:** 90 days
+
+Within 90 days after the triage date, the vulnerability must be made public.
+
+**Severity**: Vulnerability severity is assessed using [CVSS
+v.3](https://www.first.org/cvss/user-guide).
+
+If the package maintainer is actively developing a patch, an additional delay
+can be added with the approval of the security team and the individual who
+reported the vulnerability.
+
+### Secondary Contact
+
+If you do not receive an acknowledgment of your report within 6 business days,
+or if you cannot find a private security contact for the project, you may
+contact the OpenJS Foundation CNA at <https://cna.openjsf.org/> (or
+`security@lists.openjsf.org`) for assistance.
+
+The CNA can help ensure your report is properly acknowledged, assist with
+coordinating disclosure timelines, and assign CVEs when necessary. This is a
+support mechanism to ensure security reports are handled appropriately across
+all OpenJS Foundation projects.
+
+## The Fastify Security team
+
+The core team is responsible for the management of the security program and
+this policy and process.
+
+Members of this team are expected to keep all information that they have
+privileged access to by being on the team completely private to the team. This
+includes agreeing to not notify anyone outside the team of issues that have not
+yet been disclosed publicly, including the existence of issues, expectations of
+upcoming releases, and patching of any issues other than in the process of their
+work as a member of the Fastify Core team.
+
+### Members
+
+* [__Matteo Collina__](https://github.com/mcollina),
+  <https://x.com/matteocollina>, <https://www.npmjs.com/~matteo.collina>
+* [__Tomas Della Vedova__](https://github.com/delvedor),
+  <https://x.com/delvedor>, <https://www.npmjs.com/~delvedor>
+* [__Vincent Le Goff__](https://github.com/zekth)
+* [__KaKa Ng__](https://github.com/climba03003)
+* [__James Sumners__](https://github.com/jsumners),
+  <https://x.com/jsumners79>, <https://www.npmjs.com/~jsumners>
+
+## OpenSSF CII Best Practices
+
+[![CII Best Practices](https://www.bestpractices.dev/projects/7585/badge)](https://www.bestpractices.dev/en/projects/7585/passing)
+
+There are three “tiers”: passing, silver, and gold.
+
+### Passing
+We meet 100% of the “passing” criteria.
+
+### Silver
+We meet 87% of the "silver" criteria. The gaps are as follows:
+  - we do not have a DCO or a CLA process for contributions.
+  - we do not currently document "the architecture (aka high-level design)"
+    for our project.
+
+### Gold
+We meet 70% of the “gold” criteria. The gaps are as follows:
+  - we do not yet have the “silver” badge; see all the gaps above.
+  - We do not include a copyright or license statement in each source file.
+    Efforts are underway to change this archaic practice into a
+    suggestion instead of a hard requirement.
+  - There are a few unanswered questions around cryptography that are
+    waiting for clarification.

package/SPONSORS.md

@@ -0,0 +1,24 @@
+# Sponsors
+
+All active sponsors of Fastify are listed here, in order of contribution!
+Our sponsors are the reason why we can work on some issues or features
+that otherwise would be impossible to do.
+
+If you want to become a sponsor, please check out our [Open Collective page](https://opencollective.com/fastify)
+or [GitHub Sponsors](https://github.com/sponsors/fastify)!
+
+## Tier 4
+
+- [SerpApi](https://serpapi.com/?utm_source=fastify)
+
+## Tier 3
+
+- [Mercedes-Benz Group](https://github.com/mercedes-benz)
+- [Val Town, Inc.](https://opencollective.com/valtown)
+- [Handsontable - JavaScript Data Grid](https://handsontable.com/docs/react-data-grid/?utm_source=Fastify_GH&utm_medium=sponsorship&utm_campaign=library_sponsorship_2024)
+- [Lokalise - A Localization and Translation Software Tool](https://lokalise.com/?utm_source=Fastify_GH&utm_medium=sponsorship)
+- [TestMu AI](https://www.testmu.ai/)
+
+## Tier 2
+
+_Be the first!_

package/build/build-error-serializer.js

@@ -0,0 +1,35 @@
+/* istanbul ignore file */
+'use strict'
+
+const FJS = require('fast-json-stringify')
+const path = require('node:path')
+const fs = require('node:fs')
+
+const code = FJS({
+  type: 'object',
+  properties: {
+    statusCode: { type: 'number' },
+    code: { type: 'string' },
+    error: { type: 'string' },
+    message: { type: 'string' }
+  }
+}, { mode: 'standalone' })
+
+const file = path.join(__dirname, '..', 'lib', 'error-serializer.js')
+
+const moduleCode = `// This file is autogenerated by build/build-error-serializer.js, do not edit
+/* c8 ignore start */
+${code}
+/* c8 ignore stop */
+`
+
+/* c8 ignore start */
+if (require.main === module) {
+  fs.writeFileSync(file, moduleCode)
+  console.log(`Saved ${file} file successfully`)
+} else {
+  module.exports = {
+    code: moduleCode
+  }
+}
+/* c8 ignore stop */

package/build/build-validation.js

@@ -0,0 +1,169 @@
+'use strict'
+
+const AjvStandaloneCompiler = require('@fastify/ajv-compiler/standalone')
+const { _ } = require('ajv')
+const fs = require('node:fs')
+const path = require('node:path')
+
+const factory = AjvStandaloneCompiler({
+  readMode: false,
+  storeFunction (routeOpts, schemaValidationCode) {
+    const moduleCode = `// This file is autogenerated by build/build-validation.js, do not edit
+/* c8 ignore start */
+${schemaValidationCode}
+
+module.exports.defaultInitOptions = ${JSON.stringify(defaultInitOptions)}
+/* c8 ignore stop */
+`
+
+    const file = path.join(__dirname, '..', 'lib', 'config-validator.js')
+    fs.writeFileSync(file, moduleCode)
+    console.log(`Saved ${file} file successfully`)
+  }
+})
+
+const defaultInitOptions = {
+  connectionTimeout: 0, // 0 sec
+  keepAliveTimeout: 72000, // 72 seconds
+  forceCloseConnections: undefined, // keep-alive connections
+  maxRequestsPerSocket: 0, // no limit
+  requestTimeout: 0, // no limit
+  handlerTimeout: 0, // no timeout (disabled by default)
+  bodyLimit: 1024 * 1024, // 1 MiB
+  caseSensitive: true,
+  allowUnsafeRegex: false,
+  disableRequestLogging: false,
+  ignoreTrailingSlash: false,
+  ignoreDuplicateSlashes: false,
+  maxParamLength: 100,
+  onProtoPoisoning: 'error',
+  onConstructorPoisoning: 'error',
+  pluginTimeout: 10000,
+  requestIdHeader: false,
+  requestIdLogLabel: 'reqId',
+  http2SessionTimeout: 72000, // 72 seconds
+  exposeHeadRoutes: true,
+  useSemicolonDelimiter: false,
+  allowErrorHandlerOverride: true, // TODO: set to false in v6
+  routerOptions: {
+    ignoreTrailingSlash: false,
+    ignoreDuplicateSlashes: false,
+    maxParamLength: 100,
+    allowUnsafeRegex: false,
+    useSemicolonDelimiter: false
+  }
+}
+
+const schema = {
+  type: 'object',
+  additionalProperties: false,
+  properties: {
+    connectionTimeout: { type: 'integer', default: defaultInitOptions.connectionTimeout },
+    keepAliveTimeout: { type: 'integer', default: defaultInitOptions.keepAliveTimeout },
+    forceCloseConnections: {
+      oneOf: [
+        {
+          type: 'string',
+          pattern: 'idle'
+        },
+        {
+          type: 'boolean'
+        }
+      ]
+    },
+    maxRequestsPerSocket: { type: 'integer', default: defaultInitOptions.maxRequestsPerSocket, nullable: true },
+    requestTimeout: { type: 'integer', default: defaultInitOptions.requestTimeout },
+    handlerTimeout: { type: 'integer', default: defaultInitOptions.handlerTimeout },
+    bodyLimit: { type: 'integer', default: defaultInitOptions.bodyLimit },
+    caseSensitive: { type: 'boolean', default: defaultInitOptions.caseSensitive },
+    allowUnsafeRegex: { type: 'boolean', default: defaultInitOptions.allowUnsafeRegex },
+    http2: { type: 'boolean' },
+    https: {
+      if: {
+        not: {
+          oneOf: [
+            { type: 'boolean' },
+            { type: 'null' },
+            {
+              type: 'object',
+              additionalProperties: false,
+              required: ['allowHTTP1'],
+              properties: {
+                allowHTTP1: { type: 'boolean' }
+              }
+            }
+          ]
+        }
+      },
+      then: { setDefaultValue: true }
+    },
+    ignoreTrailingSlash: { type: 'boolean', default: defaultInitOptions.ignoreTrailingSlash },
+    ignoreDuplicateSlashes: { type: 'boolean', default: defaultInitOptions.ignoreDuplicateSlashes },
+    disableRequestLogging: {
+      default: false
+    },
+    maxParamLength: { type: 'integer', default: defaultInitOptions.maxParamLength },
+    onProtoPoisoning: { type: 'string', default: defaultInitOptions.onProtoPoisoning },
+    onConstructorPoisoning: { type: 'string', default: defaultInitOptions.onConstructorPoisoning },
+    pluginTimeout: { type: 'integer', default: defaultInitOptions.pluginTimeout },
+    requestIdHeader: { anyOf: [{ type: 'boolean' }, { type: 'string' }], default: defaultInitOptions.requestIdHeader },
+    requestIdLogLabel: { type: 'string', default: defaultInitOptions.requestIdLogLabel },
+    http2SessionTimeout: { type: 'integer', default: defaultInitOptions.http2SessionTimeout },
+    exposeHeadRoutes: { type: 'boolean', default: defaultInitOptions.exposeHeadRoutes },
+    useSemicolonDelimiter: { type: 'boolean', default: defaultInitOptions.useSemicolonDelimiter },
+    routerOptions: {
+      type: 'object',
+      additionalProperties: true,
+      properties: {
+        ignoreTrailingSlash: { type: 'boolean', default: defaultInitOptions.routerOptions.ignoreTrailingSlash },
+        ignoreDuplicateSlashes: { type: 'boolean', default: defaultInitOptions.routerOptions.ignoreDuplicateSlashes },
+        maxParamLength: { type: 'integer', default: defaultInitOptions.routerOptions.maxParamLength },
+        allowUnsafeRegex: { type: 'boolean', default: defaultInitOptions.routerOptions.allowUnsafeRegex },
+        useSemicolonDelimiter: { type: 'boolean', default: defaultInitOptions.routerOptions.useSemicolonDelimiter }
+      }
+    },
+    constraints: {
+      type: 'object',
+      additionalProperties: {
+        type: 'object',
+        required: ['name', 'storage', 'validate', 'deriveConstraint'],
+        additionalProperties: true,
+        properties: {
+          name: { type: 'string' },
+          storage: {},
+          validate: {},
+          deriveConstraint: {}
+        }
+      }
+    }
+  }
+}
+
+const compiler = factory({}, {
+  customOptions: {
+    code: {
+      source: true,
+      lines: true,
+      optimize: 3
+    },
+    removeAdditional: true,
+    useDefaults: true,
+    coerceTypes: true,
+    keywords: [
+      {
+        keyword: 'setDefaultValue',
+        $data: true,
+        // error: false,
+        modifying: true,
+        valid: true,
+        code (keywordCxt) {
+          const { gen, it, schemaValue } = keywordCxt
+          const logicCode = gen.assign(_`${it.parentData}[${it.parentDataProperty}]`, schemaValue)
+          return logicCode
+        }
+      }
+    ]
+  }
+})
+
+compiler({ schema })

package/build/sync-version.js

@@ -0,0 +1,11 @@
+'use strict'
+
+const fs = require('node:fs')
+const path = require('node:path')
+
+// package.json:version -> fastify.js:VERSION
+const { version } = JSON.parse(fs.readFileSync(path.join(__dirname, '..', 'package.json')).toString('utf8'))
+
+const fastifyJs = path.join(__dirname, '..', 'fastify.js')
+
+fs.writeFileSync(fastifyJs, fs.readFileSync(fastifyJs).toString('utf8').replace(/const\s*VERSION\s*=.*/, `const VERSION = '${version}'`))

package/docs/Guides/Benchmarking.md

@@ -0,0 +1,60 @@
+<h1 align="center">Fastify</h1>
+
+## Benchmarking
+Benchmarking is important if you want to measure how a change can affect your
+application's performance. We provide a simple way to benchmark your
+application from the point of view of a user and contributor. The setup allows
+you to automate benchmarks in different branches and on different Node.js
+versions.
+
+The modules we will use:
+- [Autocannon](https://github.com/mcollina/autocannon): An HTTP/1.1 benchmarking
+  tool written in node.
+- [Branch-comparer](https://github.com/StarpTech/branch-comparer): Checkout
+  multiple git branches, execute scripts, and log the results.
+- [Concurrently](https://github.com/open-cli-tools/concurrently): Run commands
+  concurrently.
+- [Npx](https://github.com/npm/npx): NPM package runner used to run scripts
+  against different Node.js Versions and execute local binaries. Shipped with
+  npm@5.2.0.
+
+## Simple
+
+### Run the test in the current branch
+```sh
+npm run benchmark
+```
+
+### Run the test against different Node.js versions ✨
+```sh
+npx -p node@10 -- npm run benchmark
+```
+
+## Advanced
+
+### Run the test in different branches
+```sh
+branchcmp --rounds 2 --script "npm run benchmark"
+```
+
+### Run the test in different branches against different Node.js versions ✨
+```sh
+branchcmp --rounds 2 --script "npm run benchmark"
+```
+
+### Compare current branch with main (Gitflow)
+```sh
+branchcmp --rounds 2 --gitflow --script "npm run benchmark"
+```
+or
+```sh
+npm run bench
+```
+
+### Run different examples
+
+<!-- markdownlint-disable -->
+```sh
+branchcmp --rounds 2 -s "node ./node_modules/concurrently -k -s first \"node ./examples/asyncawait.js\" \"node ./node_modules/autocannon -c 100 -d 5 -p 10 localhost:3000/\""
+```
+<!-- markdownlint-enable -->