Fastify Release Notes

⚠️ Security Release

This fixes CVE CVE-2026-3635 GHSA-444r-cwp2-x5xf.

What's Changed

• docs(readme): add @Tony133 to plugin team by @Tony133 in #6565
• Updated Plugins-Guide.md; Changed "fastify" to "instance" during plugin registration to showcase that it's added as a child by @kyrylchenko in #6566
• test: use fastify.test in test case by @climba03003 in #6568
• docs: use fastify.example in documentation by @climba03003 in #6567
• docs: add common performance degradation guidance by @maxpetrusenko in #6520
• docs(server): fix camelCase anchor links in TOC by @Deepvamja in #6530
• ci(link-checker): fix root-relative links resolution by @barba-rossa in #6535
• docs: update syntax markdown, absolute paths and links by @Tony133 in #6569
• docs: clarify content-type parser/schema mismatch is outside threat model by @mcollina in #6537
• docs: fix incorrect code examples in Reply and Request reference by @mahmoodhamdi in #6582
• docs: replace redirected npm.im http-errors link by @mcollina in #6588
• types: Allow port to be null in request type definition by @TristanBarlow in #6589
• docs: update links by @Tony133 in #6593
• ci(lock-threads): use shared lock-threads workflow by @Fdawgs in #6592

New Contributors

• @kyrylchenko made their first contribution in #6566
• @maxpetrusenko made their first contribution in #6520
• @Deepvamja made their first contribution in #6530
• @barba-rossa made their first contribution in #6535
• @mahmoodhamdi made their first contribution in #6582
• @TristanBarlow made their first contribution in #6589

Full Changelog: v5.8.2...v5.8.3

What's Changed

• docs(ecosystem): add @yeliex/fastify-problem-details by @yeliex in #6546
• Revert "chore: upgrade borp to v1.0.0" by @climba03003 in #6564
• docs: document body validation with custom content type parsers by @mcollina in #6556
• docs(ecosystem): add fastify-file-router by @bhouston in #6441
• docs: add fastify-svelte-view to Ecosystem list by @matths in #6453
• fix: anchor keyValuePairsReg to prevent quadratic backtracking by @mcollina in #6558
• docs: added note on handling of invalid URLs in setNotFoundHandler by @leftieFriele in #5661
• docs(guides): update codemod links by @OluchiEzeifedikwa in #6479
• docs: add @glidemq/fastify to community plugins by @avifenesh in #6560

New Contributors

• @yeliex made their first contribution in #6546
• @matths made their first contribution in #6453
• @leftieFriele made their first contribution in #5661
• @OluchiEzeifedikwa made their first contribution in #6479
• @avifenesh made their first contribution in #6560

Full Changelog: v5.8.1...v5.8.2

What's Changed

• docs(request): add host security warning references by @mcollina in #6476
• docs: fix note style by @Fdawgs in #6487
• chore: rename deploy website ci by @Eomm in #6492
• chore: support pino v9 and v10 by @mcollina in #6496
• chore: update logger types and fix TODO comment by @Tony133 in #6470
• refactor(test-types): migrate dummy-plugin to FastifyPluginAsync by @Tony133 in #6472
• docs: fix markdown typo in README.md by @droppingbeans in #6491
• test: cover non-numeric content-length client error path by @mcollina in #6500
• ci: remove tests-checker workflow by @Tony133 in #6481
• ci: remove stale.yml file by @Tony133 in #6504
• docs(security): remove hackerone references; change note style by @Fdawgs in #6501
• chore: rename @sinclair/typebox to typebox by @Tony133 in #6494
• ci(links-check): add external link checker using linkinator-action by @umxr in #6386
• chore: upgrade borp to v1.0.0 by @Tony133 in #6510
• docs: Add OpenJS CNA reference to SECURITY.md by @mcollina in #6516
• fix: avoid mutating shared routerOptions across instances by @mcollina in #6515
• fix(types): accept async route hooks in shorthand options by @mcollina in #6514
• docs: Improve shutdown lifecycle documentation by @kibertoad in #6517
• chore: remove unused tsconfig.eslint.json by @mrazauskas in #6524
• feat: First-class support for handler-level timeouts by @kibertoad in #6521
• docs(security): clarify insecureHTTPParser threat model scope by @mcollina in #6533
• chore(license): standardise license notice by @Fdawgs in #6511
• docs: clarify anyOf nullable coercion behavior with primitive types by @slegarraga in #6531
• fix: remove format placeholder from FST_ERR_CTP_INVALID_MEDIA_TYPE message by @super-mcgin in #6528
• docs(reference/hooks): fix note style by @Fdawgs in #6538
• chore: Bump lycheeverse/lychee-action from 2.7.0 to 2.8.0 by @dependabot[bot] in #6539
• chore: Bump actions/dependency-review-action from 4.8.2 to 4.8.3 by @dependabot[bot] in #6540
• chore: Bump markdownlint-cli2 from 0.20.0 to 0.21.0 by @dependabot[bot] in #6542
• ci: remove broken links and add ecosystem link validator by @mcollina in #6421
• ci(validate-ecoystem-links): add job level permission by @Fdawgs in #6545
• style: remove trailing whitespace by @Fdawgs in #6543

New Contributors

• @droppingbeans made their first contribution in #6491

• @umxr made their first contribution in #6386

• @slegarraga made their first contribution in #6531

• @super-mcgin made their first contribution in #6528

• Full Changelog: v5.7.4...v5.8.0

Notice

⚠️ Notice ⚠️

Parsing of the content-type header has been improved to a strict parser in PR #6414. This means only header values in the form described in RFC 9110 are accepted.

What's Changed

• chore: npm ignore AI related files by @climba03003 in #6447
• chore: update sponsor url by @Eomm in #6450
• docs: add fastify-http-exceptions to Ecosystem.md by @bhouston in #6442
• docs: fix invalid shorten form schema example by @climba03003 in #6448
• docs: Simplify and tighten decorators example by @smith558 in #6451
• docs: Fix incorrect variable use by @smith558 in #6455
• chore: update sponsor link by @Eomm in #6460
• fix: Fix MIT Licence file to conform to standard by @smith558 in #6464
• docs: move querystringParser option under routerOptions by @inyourtime in #6463
• chore: Updated content-type header parsing by @jsumners in #6414

New Contributors

• @bhouston made their first contribution in #6442

Full Changelog

v5.7.1...v5.7.2

What's Changed

• docs: Improved firebase serverless guide about process remaining stuck by @alexandercerutti in #6380
• docs: update migration guide with date-time breaking change by @craftsman01 in #6110
• chore: remove test file by @Eomm in #6384
• feat: speed up loading with custom compiler by @Eomm in #6383
• docs: replace all instances of twitter.com with x.com by @cseas in #6355
• docs: correct logger option in example by @inyourtime in #6391
• docs: fix links by @Shriti507 in #6394
• chore: skip unnecessary object creation by @Eomm in #6400
• docs: Update JSON Schema link in documentation by @jon23d in #6402
• docs(ecosystem): add fastify-ses-mailer by @KaranHotwani in #6395
• docs: add security note about validation errors in response by @mcollina in #6407
• docs: add security threat model by @mcollina in #6406
• chore: update onboarding and offboarding instructions by @Eomm in #6403
• fix: set status code before publishing diagnostics error channel by @tt-a1i in #6412
• fix: use JSON.stringify in onBadUrl for proper escaping by @mcollina in #6420
• chore: fix type test by @mrazauskas in #6418
• docs: improve Validation-and-Serialization.md by @twentytwo777 in #6423
• test: skip IPv6 test if its support is not present by @LiviaMedeiros in #6428
• test: fix test when localhost has multiple addresses by @LiviaMedeiros in #6427
• docs: add security warning for requestIdHeader by @mcollina in #6425
• docs(ecosystem): add elements-fastify by @rohitsoni007 in #6416
• chore: Bump actions/dependency-review-action from 4.8.1 to 4.8.2 by @dependabot[bot] in #6433
• chore: Bump markdownlint-cli2 from 0.18.1 to 0.20.0 by @dependabot[bot] in #6436
• chore: Bump @types/node from 24.10.4 to 25.0.3 in the dev-dependencies-typescript group by @dependabot[bot] in #6435
• fix(ts): Align routerOptions defaultRoute types with runtime by @AnkanMisra in #6392
• fix(types): require send() payload when Reply type is specified by @tt-a1i in #6432
• fix: ajv options type validation by @gianmarco27 in #6437
• docs: add non-vulnerability examples to threat model by @RafaelGSS in #6431
• feat: implement conditional request logging by @kibertoad in #5732
• docs(sponsor): add serpapi by @Eomm in #6443
• perf: use native WebStream API instead of Readable.fromWeb wrapper by @mcollina in #6444

New Contributors

• @craftsman01 made their first contribution in #6110
• @cseas made their first contribution in #6355
• @Shriti507 made their first contribution in #6394
• @jon23d made their first contribution in #6402
• @KaranHotwani made their first contribution in #6395
• @tt-a1i made their first contribution in #6412
• @mrazauskas made their first contribution in #6418
• @twentytwo777 made their first contribution in #6423
• @rohitsoni007 made their first contribution in #6416
• @AnkanMisra made their first contribution in #6392
• @gianmarco27 made their first contribution in #6437

Full Changelog: v5.6.2...v5.7.0