chore(deps): bump fastify from 4.29.1 to 5.7.3

[dependabot]

Bumps fastify from 4.29.1 to 5.7.3.

Release notes

Sourced from fastify's releases.

v5.7.3

⚠️ Security Release

• Fix GHSA-mrq3-vjjr-p77c CVE-2026-25224.

What's Changed

• docs: update Reply.send() documentation for string serialization by @​mcollina in fastify/fastify#6466
• chore: ignore agents config files by @​mcollina in fastify/fastify#6474
• docs: update vulnerability reporting to use GitHub Security by @​mcollina in fastify/fastify#6475

Full Changelog: fastify/fastify@v5.7.2...v5.7.3

v5.7.2

⚠️ Notice ⚠️

Parsing of the content-type header has been improved to a strict parser in PR #6414. This means only header values in the form described in RFC 9110 are accepted.

What's Changed

• chore: npm ignore AI related files by @​climba03003 in fastify/fastify#6447
• chore: update sponsor url by @​Eomm in fastify/fastify#6450
• docs: add fastify-http-exceptions to Ecosystem.md by @​bhouston in fastify/fastify#6442
• docs: fix invalid shorten form schema example by @​climba03003 in fastify/fastify#6448
• docs: Simplify and tighten decorators example by @​smith558 in fastify/fastify#6451
• docs: Fix incorrect variable use by @​smith558 in fastify/fastify#6455
• chore: update sponsor link by @​Eomm in fastify/fastify#6460
• fix: Fix MIT Licence file to conform to standard by @​smith558 in fastify/fastify#6464
• docs: move querystringParser option under routerOptions by @​inyourtime in fastify/fastify#6463
• chore: Updated content-type header parsing by @​jsumners in fastify/fastify#6414

New Contributors

• @​bhouston made their first contribution in fastify/fastify#6442

Full Changelog: fastify/fastify@v5.7.1...v5.7.2

v5.7.1

What's Changed

• chore: Bump actions/checkout from 5 to 6 by @​dependabot[bot] in fastify/fastify#6434
• chore: updated version in the fastify.js by @​Tony133 in fastify/fastify#6446

Full Changelog: fastify/fastify@v5.7.0...v5.7.1

v5.7.0

What's Changed

• docs: Improved firebase serverless guide about process remaining stuck by @​alexandercerutti in fastify/fastify#6380
• docs: update migration guide with date-time breaking change by @​craftsman01 in fastify/fastify#6110
• chore: remove test file by @​Eomm in fastify/fastify#6384
• feat: speed up loading with custom compiler by @​Eomm in fastify/fastify#6383
• docs: replace all instances of twitter.com with x.com by @​cseas in fastify/fastify#6355

... (truncated)

Commits

• 49468ed Bumped v5.7.3
• eb11156 Merge commit from fork
• d98ce2a docs: update vulnerability reporting to use GitHub Security (#6475)
• 17172c4 Ignore agents config files (#6474)
• b48826f docs: update Reply.send() documentation for string serialization (#6466)
• e1e4fe7 v5.7.2
• 32d7b6a chore: Updated content-type header parsing (#6414)
• f4a6ac1 docs: move querystringParser example under routerOptions (#6463)
• 2af83d6 fix: Fix MIT Licence file to conform to standard (#6464)
• 5c14e05 chore: update sponsor link (#6460)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

---

Summary by cubic

Upgrade Fastify from 4.29.1 to 5.7.3 to fix a security vulnerability and align with the v5 ecosystem. This includes stricter Content-Type parsing and updates to key server dependencies.

• Dependencies

  • fastify ^5.7.3 (fixes CVE-2026-25224).
  • Ecosystem bumps: avvio 9, find-my-way 9, light-my-request 6, pino 10, secure-json-parse 4, fast-json-stringify 6.
  • Uses @fastify/proxy-addr for proxy header handling.

• Migration

  • Ensure Content-Type headers comply with RFC 9110; invalid values are now rejected.
  • Review proxy trust settings with @fastify/proxy-addr if you rely on X-Forwarded-*.
  • Check logging setup for pino v10 compatibility.
  • Run tests to catch schema or serialization differences.

^{Written for commit 1c18581. Summary will update on new commits.}

[cubic-dev-ai]

No issues found across 2 files

[dependabot]

Superseded by #8.