Installing nestjs/sample/10-fastify packages with npm install doesn't work as expected - installation reports CSRF attack
Is there an existing issue for this?
Current behavior
Installing nestjs/sample/10-fastify packages with npm install doesn't work as expected - installation reports CSRF attack
report:
fastify 4.0.0 - 4.10.1
Severity: high
fastify vulnerable to denial of service via malicious Content-Type - GHSA-455w-c45v-86rg
Fastify: Incorrect Content-Type parsing can lead to CSRF attack - GHSA-3fjj-p79j-c9hh
fix available via npm audit fix --force
Will install @nestjs/platform-fastify@9.2.0, which is outside the stated dependency range
node_modules/fastify
@nestjs/platform-fastify 9.0.0-next.1 - 9.1.4
Depends on vulnerable versions of fastify
node_modules/@nestjs/platform-fastify
2 high severity vulnerabilities
Minimum reproduction code
https://github.com/nestjs/nest/tree/master/sample/10-fastify
Steps to reproduce
Expected behavior
Installs node modules
Package
@nestjs/common
@nestjs/core
@nestjs/microservices
@nestjs/platform-express
@nestjs/platform-fastify
@nestjs/platform-socket.io
@nestjs/platform-ws
@nestjs/testing
@nestjs/websockets
Other package
No response
NestJS version
9.0.1
Packages versions
{
  "name": "nest-typescript-starter",
  "version": "1.0.0",
  "description": "Nest TypeScript starter repository",
  "license": "MIT",
  "scripts": {
    "prebuild": "rimraf dist",
    "build": "nest build",
    "format": "prettier --write \"src/**/*.ts\" \"test/**/*.ts\"",
    "start": "nest start",
    "start:dev": "nest start --watch",
    "start:debug": "nest start --debug --watch",
    "start:prod": "node dist/main",
    "lint": "eslint '{src,apps,libs,test}/**/*.ts' --fix",
    "test": "jest",
    "test:watch": "jest --watch",
    "test:cov": "jest --coverage",
    "test:debug": "node --inspect-brk -r tsconfig-paths/register -r ts-node/register node_modules/.bin/jest --runInBand",
    "test:e2e": "echo 'No e2e tests implemented yet.'"
  },
  "dependencies": {
    "@nestjs/common": "9.0.1",
    "@nestjs/core": "9.0.1",
    "@nestjs/platform-fastify": "9.0.1",
    "class-transformer": "0.5.1",
    "class-validator": "0.13.2",
    "reflect-metadata": "0.1.13",
    "rimraf": "3.0.2",
    "rxjs": "7.5.5"
  },
  "devDependencies": {
    "@nestjs/cli": "9.0.0",
    "@nestjs/schematics": "9.0.1",
    "@nestjs/testing": "9.0.1",
    "@types/express": "4.17.13",
    "@types/node": "18.0.3",
    "@types/supertest": "2.0.12",
    "@typescript-eslint/eslint-plugin": "5.30.5",
    "@typescript-eslint/parser": "5.30.5",
    "eslint": "8.19.0",
    "eslint-config-prettier": "8.5.0",
    "eslint-plugin-import": "2.26.0",
    "jest": "28.1.2",
    "prettier": "2.7.1",
    "supertest": "6.2.4",
    "ts-jest": "28.0.5",
    "ts-loader": "9.3.1",
    "ts-node": "10.8.2",
    "tsconfig-paths": "4.0.0",
    "typescript": "4.7.4"
  }
}
Node.js version
No response
In which operating systems have you tested?
Other
No response