Update dependency @fastify/reply-from to v12 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@fastify/reply-from	11.0.2 → 12.5.0

GitHub Vulnerability Alerts

CVE-2025-66415

Summary

By crafting a malicious URL, an attacker could access routes that are not allowed, even though the reply.from is defined for specific routes in @fastify/reply-from.

Details

An attacker can bypass the route defined by the @fastify/reply-from package by adding a .. symbol, which, for curl version 8.7.1, is %2e%2e.

Impact

Everyone is using this package with the routes option to protect a 3rd-party resource.

---

Release Notes

fastify/fastify-reply-from (@​fastify/reply-from)

v12.5.0

Compare Source

⚠️ Security Release ⚠️

By crafting a malicious URL, an attacker could access routes that are not allowed, even though the reply.from is defined for specific routes in @​fastify/reply-from.

Read more at GHSA-2q7r-29rg-6m5h. This is catalogued as CVE-2025-66415.

What's Changed

• Add test for text/event-stream proxying with custom parser by @​mcollina in #​438

Full Changelog: fastify/fastify-reply-from@v12.4.0...v12.5.0

v12.4.0

Compare Source

What's Changed

• build(deps-dev): Bump tsd from 0.32.0 to 0.33.0 by @​dependabot[bot] in #​435
• docs: fix README line breaks by @​mitrvlr in #​434
• Add support for multipart proxying with custom parser by @​mcollina in #​436
• chore(.npmrc): ignore scripts by @​Fdawgs in #​437
• build(deps-dev): remove @​fastify/pre-commit by @​Fdawgs in #​439
• ci(ci): add concurrency config by @​Fdawgs in #​442
• do not strip TE headers if trailing by @​gunters63 in #​443

New Contributors

• @​mitrvlr made their first contribution in #​434

Full Changelog: fastify/fastify-reply-from@v12.3.1...v12.4.0

v12.3.1

Compare Source

What's Changed

• Improve typing and usage of getDefaultDelay by @​Antiavanti in #​432
• test: migrated utils-filter-pseudo-headers.test.js from tap to node:test by @​Tony133 in #​427
• Use isHttp2 check to detect we are canceling an HTTP2 request by @​mcollina in #​433

New Contributors

• @​Antiavanti made their first contribution in #​432
• @​Tony133 made their first contribution in #​427

Full Changelog: fastify/fastify-reply-from@v12.3.0...v12.3.1

v12.3.0

Compare Source

What's Changed

• fix: handle closed HTTP/2 sessions after GOAWAY by @​mcollina in #​431

Full Changelog: fastify/fastify-reply-from@v12.2.0...v12.3.0

v12.2.0

Compare Source

What's Changed

• ci: set permissions at workflow level by @​Fdawgs in #​415
• ci: restore job level permissions by @​Fdawgs in #​416
• build(deps): Bump fast-content-type-parse from 2.0.1 to 3.0.0 by @​dependabot[bot] in #​417
• tests: remove simple get and got by @​ilteoood in #​410
• build(deps-dev): Bump tsd from 0.31.2 to 0.32.0 by @​dependabot[bot] in #​420
• test: remove tap by @​ilteoood in #​418
• chore(license): update date ranges; standardise style by @​Fdawgs in #​422
• Feat/ balancedPool add by @​gulbaki in #​421
• types: improve onResponse hook typing by @​t-tajiri in #​423
• bug fix for #​424 with test by @​gunters63 in #​426
• build(deps-dev): Bump @​types/node from 22.15.34 to 24.0.8 by @​dependabot[bot] in #​425

New Contributors

• @​ilteoood made their first contribution in #​410
• @​gulbaki made their first contribution in #​421
• @​t-tajiri made their first contribution in #​423

Full Changelog: fastify/fastify-reply-from@v12.1.0...v12.2.0

v12.1.0

Compare Source

What's Changed

• ci(ci): set job permissions by @​Fdawgs in #​411
• perf: use node: prefix to bypass require.cache call for builtins by @​Fdawgs in #​412
• feat: add specific timeout for request by @​leonied7 in #​414

New Contributors

• @​leonied7 made their first contribution in #​414

Full Changelog: fastify/fastify-reply-from@v12.0.2...v12.1.0

v12.0.2

Compare Source

What's Changed

• build(dependabot): reduce npm updates to monthly by @​Fdawgs in #​403
• build(deps-dev): Bump nock from 13.5.6 to 14.0.0 by @​dependabot in #​407
• chore: rename master to main by @​Fdawgs in #​406
• types: Allow to pass any requestable undici instance by @​g12i in #​405

New Contributors

• @​g12i made their first contribution in #​405

Full Changelog: fastify/fastify-reply-from@v12.0.1...v12.0.2

v12.0.1

Compare Source

What's Changed

• docs(readme): update ci badge syntax by @​Fdawgs in #​388
• build(deps-dev): Bump @​types/tap from 15.0.12 to 18.0.0 by @​dependabot in #​390
• types: use node: prefix for builtins by @​Fdawgs in #​391
• build(deps-dev): replace standard with neostandard by @​Fdawgs in #​389
• build(deps-dev): add eslint, peer dep of neostandard by @​Fdawgs in #​393
• chore(package): add funding and contribs by @​Fdawgs in #​394
• chore: remove semver by @​Uzlopak in #​395
• build(deps-dev): Bump @​sinonjs/fake-timers from 13.0.5 to 14.0.0 by @​dependabot in #​392
• chore: remove msgpack5 by @​Uzlopak in #​397
• chore: try to fix ci issue by @​Uzlopak in #​396
• perf: use optional chaining by @​Fdawgs in #​398
• refactor: prefix unused params with underscores by @​Fdawgs in #​399
• refactor(index): return directly in arrow function by @​Fdawgs in #​400
• docs(readme): spelling and grammar fixes by @​Fdawgs in #​401

Full Changelog: fastify/fastify-reply-from@v12.0.0...v12.0.1

v12.0.0

Compare Source

What's Changed

• Update to Undici v7 by @​mcollina in #​387

Full Changelog: fastify/fastify-reply-from@v11.0.2...v12.0.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}