
chore(deps): update dependency @fastify/static to v9.1.1 [security]#571

Open
renovate[bot] wants to merge 1 commit into main from renovate/npm-fastify-static-vulnerability

Conversation


@renovate renovate Bot commented Apr 17, 2026

This PR contains the following updates:

Package: @fastify/static
Change: 9.0.0 -> 9.1.1

@fastify/static vulnerable to route guard bypass via encoded path separators

CVE-2026-6414 / GHSA-x428-ghpx-8j92


Details

Impact

@fastify/static v9.1.0 and earlier decodes percent-encoded path separators (%2F) before filesystem resolution, but Fastify's router treats them as literal characters. This creates a routing mismatch: route guards on /admin/* do not match /admin%2Fsecret.html, but @​fastify/static decodes it to /admin/secret.html and serves the file.

Applications that rely on route-based middleware or guards to protect files served by @fastify/static can be bypassed with encoded path separators.

Patches

Upgrade to @fastify/static >= 9.1.1.

Workarounds

None. Upgrade to the patched version.

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


@fastify/static vulnerable to path traversal in directory listing

CVE-2026-6410 / GHSA-pr96-94w5-mx2h


Details

Impact

@fastify/static v9.1.0 and earlier serves directory listings outside the configured static root when the list option is enabled. A request such as /public/../outside/ causes dirList.path() to resolve a directory outside the root via path.join() without a containment check.

A remote unauthenticated attacker can obtain directory listings for arbitrary directories accessible to the Node.js process, disclosing directory names and filenames that should not be exposed. File contents are not disclosed.

Patches

Upgrade to @fastify/static >= 9.1.1.

Workarounds

Disable directory listing by removing the list option from the plugin configuration.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

fastify/fastify-static (@fastify/static)

v9.1.1


⚠️ Security Release

This fixes CVE-2026-6410 (GHSA-pr96-94w5-mx2h).
This fixes CVE-2026-6414 (GHSA-x428-ghpx-8j92).

What's Changed

Full Changelog: fastify/fastify-static@v9.1.0...v9.1.1

v9.1.0


What's Changed

New Contributors

Full Changelog: fastify/fastify-static@v9.0.0...v9.1.0


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


changeset-bot Bot commented Apr 17, 2026

⚠️ No Changeset found

Latest commit: 45b6027

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR


codecov Bot commented Apr 17, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 46.21%. Comparing base (3653df2) to head (45b6027).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #571   +/-   ##
=======================================
  Coverage   46.21%   46.21%           
=======================================
  Files          70       70           
  Lines        1216     1216           
  Branches       75       81    +6     
=======================================
  Hits          562      562           
  Misses        643      643           
  Partials       11       11           

☔ View full report in Codecov by Sentry.

@renovate renovate Bot changed the title chore(deps): update dependency @fastify/static to v9.1.1 [security] chore(deps): update dependency @fastify/static to v9.1.1 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot deleted the renovate/npm-fastify-static-vulnerability branch April 27, 2026 18:13
@renovate renovate Bot changed the title chore(deps): update dependency @fastify/static to v9.1.1 [security] - autoclosed chore(deps): update dependency @fastify/static to v9.1.1 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-fastify-static-vulnerability branch 2 times, most recently from a61809a to 69cef67 Compare April 27, 2026 21:37
@renovate renovate Bot force-pushed the renovate/npm-fastify-static-vulnerability branch from 69cef67 to 45b6027 Compare April 29, 2026 18:56