build(deps): update dependency @fastify/static to v9 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@fastify/static	8.2.0 → 9.1.1

---

@​fastify/static vulnerable to route guard bypass via encoded path separators

CVE-2026-6414 / GHSA-x428-ghpx-8j92

More information

Details

Impact

@fastify/static v9.1.0 and earlier decodes percent-encoded path separators (%2F) before filesystem resolution, but Fastify's router treats them as literal characters. This creates a routing mismatch: route guards on /admin/* do not match /admin%2Fsecret.html, but @​fastify/static decodes it to /admin/secret.html and serves the file.

Applications that rely on route-based middleware or guards to protect files served by @​fastify/static can be bypassed with encoded path separators.

Patches

Upgrade to @fastify/static >= 9.1.1.

Workarounds

None. Upgrade to the patched version.

Severity

• CVSS Score: 5.9 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References

• https://github.com/fastify/fastify-static/security/advisories/GHSA-x428-ghpx-8j92
• https://github.com/fastify/middie/security/advisories/GHSA-cxrg-g7r8-w69p
• https://github.com/honojs/hono/security/advisories/GHSA-q5qw-h33p-qvwr
• https://nvd.nist.gov/vuln/detail/CVE-2026-6414
• https://cna.openjsf.org/security-advisories.html
• https://github.com/advisories/GHSA-x428-ghpx-8j92

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

@​fastify/static vulnerable to path traversal in directory listing

CVE-2026-6410 / GHSA-pr96-94w5-mx2h

More information

Details

Impact

@fastify/static v9.1.0 and earlier serves directory listings outside the configured static root when the list option is enabled. A request such as /public/../outside/ causes dirList.path() to resolve a directory outside the root via path.join() without a containment check.

A remote unauthenticated attacker can obtain directory listings for arbitrary directories accessible to the Node.js process, disclosing directory names and filenames that should not be exposed. File contents are not disclosed.

Patches

Upgrade to @fastify/static >= 9.1.1.

Workarounds

Disable directory listing by removing the list option from the plugin configuration.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

• https://github.com/fastify/fastify-static/security/advisories/GHSA-pr96-94w5-mx2h
• https://nvd.nist.gov/vuln/detail/CVE-2026-6410
• https://cna.openjsf.org/security-advisories.html
• https://github.com/advisories/GHSA-pr96-94w5-mx2h

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

fastify/fastify-static (@​fastify/static)

v9.1.1

Compare Source

⚠️ Security Release

This fixes CVE CVE-2026-6410 GHSA-pr96-94w5-mx2h.
This fixes CVE CVE-2026-6414 GHSA-x428-ghpx-8j92.

What's Changed

• ci: add lock-threads workflow by @​Fdawgs in #​570

Full Changelog: fastify/fastify-static@v9.1.0...v9.1.1

v9.1.0

Compare Source

What's Changed

• build(deps-dev): bump @​types/node from 24.10.4 to 25.0.3 by @​dependabot[bot] in #​552
• test: move ignoreTrailingSlash under routerOptions by @​lraveri in #​553
• build(deps-dev): bump borp from 0.20.2 to 0.21.0 by @​dependabot[bot] in #​543
• chore: bump pino and borp dependencies, delete stale.yml by @​Tony133 in #​557
• chore: update syntax typescript by @​Tony133 in #​558
• chore(license): standardise license notice by @​Fdawgs in #​560
• fix: sendFile ignoring option overrides in some cases by @​bakugo in #​559
• chore: upgrade c8 to v11.0.0 and improvements test by @​Tony133 in #​564
• build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml from 5 to 6 by @​dependabot[bot] in #​566

New Contributors

• @​lraveri made their first contribution in #​553
• @​Tony133 made their first contribution in #​557
• @​bakugo made their first contribution in #​559

Full Changelog: fastify/fastify-static@v9.0.0...v9.1.0

v9.0.0

Compare Source

What's Changed

• build(deps): bump content-disposition from 0.5.4 to 1.0.1 by @​dependabot[bot] in #​547
• Update glob@​13 by @​mcollina in #​550

Full Changelog: fastify/fastify-static@v8.3.0...v9.0.0

v8.3.0

Compare Source

What's Changed

• docs: use cross-platform compatible info emoji by @​Fdawgs in #​522
• docs: fix typo by @​9w in #​523
• chore(license): update date ranges; standardise style by @​Fdawgs in #​525
• chore: remove reference to simple-get by @​ilteoood in #​528
• build(deps-dev): bump @​types/node from 22.15.34 to 24.0.8 by @​dependabot[bot] in #​527
• test(types): add missing anchors by @​Fdawgs in #​529
• docs(readme): correct compatibility table by @​Fdawgs in #​531
• refactor: remove usage of deprecated request.routeConfig by @​inyourtime in #​530
• build(deps-dev): bump tsd from 0.32.0 to 0.33.0 by @​dependabot[bot] in #​532
• chore(.npmrc): ignore scripts by @​Fdawgs in #​533
• build(deps-dev): remove @​fastify/pre-commit by @​Fdawgs in #​534
• chore(index): add jsdoc comments for static code analysis by @​Fdawgs in #​535
• chore: Replace substr with slice for URL manipulation by @​Uzlopak in #​538
• refactor: small improvements by @​ilteoood in #​539
• fix: if serve: false and root is not defined, only allow sending files with absolute path by @​Uzlopak in #​540
• ci(ci): add concurrency config by @​Fdawgs in #​541

New Contributors

• @​9w made their first contribution in #​523
• @​inyourtime made their first contribution in #​530

Full Changelog: fastify/fastify-static@v8.2.0...v8.3.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 81.06%. Comparing base (1351342) to head (59c08c6).
⚠️ Report is 2 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master     #628   +/-   ##
=======================================
  Coverage   81.06%   81.06%           
=======================================
  Files          19       19           
  Lines         301      301           
=======================================
  Hits          244      244           
  Misses         57       57           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.