Changelog
v1.1.1 - 2026-06-12
Security Fixes
-
Fastify: Updated from
v4.29.1tov5.8.5to address multiple security vulnerabilities:- Fixed DoS via unbounded memory allocation in sendWebStream (Low severity)
- Fixed Content-Type header tab character validation bypass (High severity - CVE-2026-25223)
- Fixed request.protocol and request.host spoofing via X-Forwarded headers (Moderate severity - CVE-2026-3635)
- Reference: Fastify Security Advisories
-
fast-uri: Resolved path traversal and host confusion vulnerabilities in transitive dependencies:
- Fixed path traversal via percent-encoded dot segments (High severity - CVE-2026-6321)
- Fixed host confusion via percent-encoded authority delimiters (High severity)
- Reference: fast-uri Security Advisories
-
Next.js: Updated from
v15.1.7tov16.2.9for latest security patches
Bug Fixes
- Hapi Middleware: Fixed TypeScript compatibility issue with
authorizationheader type (string | string[]) - NestJS Middleware: Fixed constructor parameters not being properly referenced
in
canActivatemethod - TypeScript: Added
isolatedModules: truetotsconfig.jsonfor better module compatibility - Documentation: Updated typedoc from
v0.27.6tov0.28.0for compatibility
Improvements
- Updated ESLint configuration to ignore underscore-prefixed unused parameters
- Improved test configuration with better ts-jest setup
- All 74 tests passing
v1.0.0 - 2025-03-07
- Initial release
v1.0.1 - 2025-05-30
- Security: Patched a schema validation bypass vulnerability in Fastify by
upgrading from
v4.29.0tov4.29.1.- Issue: Non-standard
Content-Typeheaders (e.g.,Application/Json,application/json;) could bypass validation when usingschema.body.content. - Resolution: Validation is now enforced with normalized
Content-Typeheaders after upgrading Fastify. - CVE: Pending Assignment
- Reference: fastify/fastify GitHub Release v4.29.1
- Issue: Non-standard