Bump the prod-deps group across 1 directory with 5 updates by dependabot[bot] · Pull Request #64 · nyxCore-Systems/DeviceRouter

dependabot · 2026-05-19T09:45:26Z

Bumps the prod-deps group with 5 updates in the / directory:

Package	From	To
fastify	`5.7.4`	`5.8.5`
hono	`4.12.3`	`4.12.19`
koa	`3.1.2`	`3.2.0`
@types/koa	`3.0.1`	`3.0.2`
ioredis	`5.10.0`	`5.10.1`

Updates fastify from 5.7.4 to 5.8.5

Release notes

Sourced from fastify's releases.

v5.8.5

⚠️ Security Release

This fixes CVE CVE-2026-33806 GHSA-247c-9743-5963.

What's Changed

chore: Fix port parsing by @jsumners in fastify/fastify#6603

chore: upgrade to typescript v6.0.2 by @Tony133 in fastify/fastify#6605

fix: restore trustProxy function for number and string types, add null check for socketAddr by @mcollina in fastify/fastify#6613

ci: reduce cron scheduled workflows from daily/weekly to monthly by @Fdawgs in fastify/fastify#6623

chore: Bump pnpm/action-setup from 4.2.0 to 5.0.0 by @dependabot[bot] in fastify/fastify#6629

chore: Bump markdownlint-cli2 from 0.21.0 to 0.22.0 by @dependabot[bot] in fastify/fastify#6632

chore: Bump borp from 0.21.0 to 1.0.0 by @dependabot[bot] in fastify/fastify#6633

chore: Bump actions/dependency-review-action from 4.8.3 to 4.9.0 by @dependabot[bot] in fastify/fastify#6630

docs(ecosystem): add @pompelmi/fastify-plugin by @SonoTommy in fastify/fastify#6610

New Contributors

@SonoTommy made their first contribution in fastify/fastify#6610

Full Changelog: fastify/fastify@v5.8.4...v5.8.5

v5.8.4

Full Changelog: fastify/fastify@v5.8.3...v5.8.4

v5.8.3

⚠️ Security Release

This fixes CVE CVE-2026-3635 GHSA-444r-cwp2-x5xf.

What's Changed

docs(readme): add @Tony133 to plugin team by @Tony133 in fastify/fastify#6565

Updated Plugins-Guide.md; Changed "fastify" to "instance" during plugin registration to showcase that it's added as a child by @kyrylchenko in fastify/fastify#6566

test: use fastify.test in test case by @climba03003 in fastify/fastify#6568

docs: use fastify.example in documentation by @climba03003 in fastify/fastify#6567

docs: add common performance degradation guidance by @maxpetrusenko in fastify/fastify#6520

docs(server): fix camelCase anchor links in TOC by @Deepvamja in fastify/fastify#6530

ci(link-checker): fix root-relative links resolution by @barba-rossa in fastify/fastify#6535

docs: update syntax markdown, absolute paths and links by @Tony133 in fastify/fastify#6569

docs: clarify content-type parser/schema mismatch is outside threat model by @mcollina in fastify/fastify#6537

docs: fix incorrect code examples in Reply and Request reference by @mahmoodhamdi in fastify/fastify#6582

docs: replace redirected npm.im http-errors link by @mcollina in fastify/fastify#6588

types: Allow port to be null in request type definition by @TristanBarlow in fastify/fastify#6589

docs: update links by @Tony133 in fastify/fastify#6593

ci(lock-threads): use shared lock-threads workflow by @Fdawgs in fastify/fastify#6592

New Contributors

@kyrylchenko made their first contribution in fastify/fastify#6566

@maxpetrusenko made their first contribution in fastify/fastify#6520

@Deepvamja made their first contribution in fastify/fastify#6530

@barba-rossa made their first contribution in fastify/fastify#6535

... (truncated)

Commits

3983cce Bumped v5.8.5
3ce3ae6 Merge commit from fork
b06a196 docs(ecosystem): add @pompelmi/fastify-plugin (#6610)
909c5d5 chore: Bump actions/dependency-review-action from 4.8.3 to 4.9.0 (#6630)
4db21a3 chore: Bump borp from 0.21.0 to 1.0.0 (#6633)
0f4e544 chore: Bump markdownlint-cli2 from 0.21.0 to 0.22.0 (#6632)
33a2fcd chore: Bump pnpm/action-setup from 4.2.0 to 5.0.0 (#6629)
fd35d82 ci: reduce cron schedules from daily/weekly to monthly (#6623)
8dee9be fix: restore trustProxy function for number and string types, add null check ...
d457aed chore: upgrade to typescript v6.0.2 (#6605)
Additional commits viewable in compare view

Updates hono from 4.12.3 to 4.12.19

Release notes

Sourced from hono's releases.

v4.12.19

What's Changed

ci: pin GitHub Actions to SHAs by @yusukebe in honojs/hono#4932

fix(serveStatic): make options parameter optional in all adapters by @mixelburg in honojs/hono#4934

fix(cookie): return the first cookie when there are multiple cookies with the same name by @usualoma in honojs/hono#4922

feat(bearer-auth): make bearerAuth generic for typed context in verifyToken by @justinnais in honojs/hono#4913

feat(cache): key cache entries by configured vary headers by @usualoma in honojs/hono#4915

feat(request): add bytes() by @yusukebe in honojs/hono#4921

fix(stream): upgrade @hono/node-server to v2 and fix abort handling by @yusukebe in honojs/hono#4940

New Contributors

@justinnais made their first contribution in honojs/hono#4913

Full Changelog: honojs/hono@v4.12.18...v4.12.19

v4.12.18

Security fixes

This release includes fixes for the following security issues:

Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage

Affects: Cache Middleware. Fixes missing cache-skip handling for Vary: Authorization and Vary: Cookie, where a response cached for one authenticated user could be served to other users. GHSA-p77w-8qqv-26rm

CSS Declaration Injection via Style Object Values in JSX SSR

Affects: hono/jsx. Fixes a missing CSS-context escape for style object values and property names, where untrusted input could inject additional CSS declarations. The impact is limited to CSS and does not allow JavaScript execution. GHSA-qp7p-654g-cw7p

Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

Affects: hono/utils/jwt. Fixes improper validation of exp, nbf, and iat claims, where falsy, non-finite, or non-numeric values could silently bypass time-based checks instead of being rejected per RFC 7519. GHSA-hm8q-7f3q-5f36

Users who use the JWT helper, hono/jsx, or the Cache middleware are strongly encouraged to upgrade to this version.

v4.12.17

What's Changed

fix(jsx): normalize SVG attributes on the root element by @kfly8 in honojs/hono#4893

fix(ssg): add atom+xml and rss+xml to defaultExtensionMap by @yuintei in honojs/hono#4899

fix(cors): make origin optional in CORSOptions by @truffle-dev in honojs/hono#4905

fix(types): propagate middleware response types to app.on overloads by @T4ko0522 in honojs/hono#4906

New Contributors

@kfly8 made their first contribution in honojs/hono#4893

@truffle-dev made their first contribution in honojs/hono#4905

Full Changelog: honojs/hono@v4.12.16...v4.12.17

v4.12.16

... (truncated)

Commits

7e62bcd 4.12.19
e2f252a fix(stream): upgrade @hono/node-server to v2 and fix abort handling (#4940)
54f2f0c feat(request): add bytes() (#4921)
e59db59 feat(cache): key cache entries by configured vary headers (#4915)
48a7ccb feat(bearer-auth): make bearerAuth generic for typed context in verifyToken (...
ff7522f fix(cookie): return the first cookie when there are multiple cookies with the...
26f8c33 fix(serveStatic): make options parameter optional in all adapters (#4934)
16c4e38 ci: pin GitHub Actions to SHAs (#4932)
f10dee8 4.12.18
a5bd9eb Merge commit from fork
Additional commits viewable in compare view

Updates koa from 3.1.2 to 3.2.0

Release notes

Sourced from koa's releases.

v3.2.0

What's Changed

docs: remove dead Job Board links by @Jerry-CodeHub in koajs/koa#1926

build(deps-dev): bump qs from 6.14.1 to 6.14.2 by @dependabot[bot] in koajs/koa#1927

chore: Add workflow_dispatch trigger to npm-publish workflow by @Copilot in koajs/koa#1930

feat: defer AsyncLocalStorage creation for v8 startup snapshots by @killagu in koajs/koa#1946

New Contributors

@Jerry-CodeHub made their first contribution in koajs/koa#1926

@killagu made their first contribution in koajs/koa#1946

Full Changelog: koajs/koa@v3.1.2...v3.2.0

Commits

e0ba8ef 3.2.0
2503a1f feat: defer AsyncLocalStorage creation for v8 startup snapshots (#1946)
d3ea8bf chore: Add workflow_dispatch trigger to npm-publish workflow (#1930)
3b0508e build(deps-dev): bump qs from 6.14.1 to 6.14.2 (#1927)
fd11140 docs: remove dead Job Board links (#1926)
See full diff in compare view

Updates @types/koa from 3.0.1 to 3.0.2

Commits

See full diff in compare view

Updates ioredis from 5.10.0 to 5.10.1

Release notes

Sourced from ioredis's releases.

v5.10.1

5.10.1 (2026-03-19)

Bug Fixes

cluster: lazily start sharded subscribers (#2090) (4f167bb)

Changelog

Sourced from ioredis's changelog.

5.10.1 (2026-03-19)

Bug Fixes

cluster: lazily start sharded subscribers (#2090) (4f167bb)

Commits

9e26f8b chore(release): 5.10.1 [skip ci]
4f167bb fix(cluster): lazily start sharded subscribers (#2090)
See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the prod-deps group with 5 updates in the / directory: | Package | From | To | | --- | --- | --- | | [fastify](https://github.com/fastify/fastify) | `5.7.4` | `5.8.5` | | [hono](https://github.com/honojs/hono) | `4.12.3` | `4.12.19` | | [koa](https://github.com/koajs/koa) | `3.1.2` | `3.2.0` | | [@types/koa](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/koa) | `3.0.1` | `3.0.2` | | [ioredis](https://github.com/luin/ioredis) | `5.10.0` | `5.10.1` | Updates `fastify` from 5.7.4 to 5.8.5 - [Release notes](https://github.com/fastify/fastify/releases) - [Commits](fastify/fastify@v5.7.4...v5.8.5) Updates `hono` from 4.12.3 to 4.12.19 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.12.3...v4.12.19) Updates `koa` from 3.1.2 to 3.2.0 - [Release notes](https://github.com/koajs/koa/releases) - [Changelog](https://github.com/koajs/koa/blob/master/History.md) - [Commits](koajs/koa@v3.1.2...v3.2.0) Updates `@types/koa` from 3.0.1 to 3.0.2 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/koa) Updates `ioredis` from 5.10.0 to 5.10.1 - [Release notes](https://github.com/luin/ioredis/releases) - [Changelog](https://github.com/redis/ioredis/blob/main/CHANGELOG.md) - [Commits](redis/ioredis@v5.10.0...v5.10.1) --- updated-dependencies: - dependency-name: fastify dependency-version: 5.8.5 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-deps - dependency-name: hono dependency-version: 4.12.19 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: prod-deps - dependency-name: koa dependency-version: 3.2.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-deps - dependency-name: "@types/koa" dependency-version: 3.0.2 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: prod-deps - dependency-name: ioredis dependency-version: 5.10.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: prod-deps ... Signed-off-by: dependabot[bot] <[email protected]>

dependabot · 2026-05-26T05:01:20Z

Looks like these dependencies are updatable in another way, so this is no longer needed.

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 19, 2026

dependabot Bot closed this May 26, 2026

dependabot Bot deleted the dependabot/npm_and_yarn/develop/prod-deps-4b782ea8b3 branch May 26, 2026 05:01

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the prod-deps group across 1 directory with 5 updates#64

Bump the prod-deps group across 1 directory with 5 updates#64
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/npm_and_yarn/develop/prod-deps-4b782ea8b3

dependabot Bot commented on behalf of github May 19, 2026 •

edited

Loading

Uh oh!

dependabot Bot commented on behalf of github May 26, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github May 19, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v5.8.5

⚠️ Security Release

What's Changed

New Contributors

v5.8.4

v5.8.3

⚠️ Security Release

What's Changed

New Contributors

v4.12.19

What's Changed

New Contributors

v4.12.18

Security fixes

Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage

CSS Declaration Injection via Style Object Values in JSX SSR

Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

v4.12.17

What's Changed

New Contributors

v4.12.16

v3.2.0

What's Changed

New Contributors

v5.10.1

5.10.1 (2026-03-19)

Bug Fixes

5.10.1 (2026-03-19)

Bug Fixes

Uh oh!

dependabot Bot commented on behalf of github May 26, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

dependabot Bot commented on behalf of github May 19, 2026 •

edited

Loading