Skip to content

Bump fast-uri from 3.0.3 to 3.1.2#1462

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/fast-uri-3.1.2
Open

Bump fast-uri from 3.0.3 to 3.1.2#1462
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/fast-uri-3.1.2

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 8, 2026

Bumps fast-uri from 3.0.3 to 3.1.2.

Release notes

Sourced from fast-uri's releases.

v3.1.2

⚠️ Security Release

What's Changed

Full Changelog: fastify/fast-uri@v3.1.1...v3.1.2

v3.1.1

⚠️ Security Release

What's Changed

New Contributors

Full Changelog: fastify/fast-uri@v3.1.0...v3.1.1

v3.1.0

What's Changed

... (truncated)

Commits
  • 919dd8e Bumped v3.1.2
  • c65ba57 fixup: linting
  • 6c86c17 Merge commit from fork
  • a95158a Handle malformed fragment decoding without throwing (#171)
  • cea547c Bumped v3.1.1
  • 876ce79 Merge commit from fork
  • dcdf690 ci: add lock-threads workflow (#169)
  • c860e65 build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 (#167)
  • 9b4c6dc build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml (#166)
  • 85d09a9 build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-mana...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump fast-uri from 3.0.3 to 3.1.2
40aa168 
Bumps [fast-uri](https://github.com/fastify/fast-uri) from 3.0.3 to 3.1.2.
- [Release notes](https://github.com/fastify/fast-uri/releases)
- [Commits](fastify/fast-uri@v3.0.3...v3.1.2)

---
updated-dependencies:
- dependency-name: fast-uri
  dependency-version: 3.1.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 8, 2026
Copilot AI review requested due to automatic review settings May 8, 2026 21:59
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label May 8, 2026
@dependabot dependabot Bot review requested due to automatic review settings May 8, 2026 21:59
@dependabot dependabot Bot added the javascript Pull requests that update javascript code label May 8, 2026
cursor[bot]
cursor Bot reviewed May 8, 2026
View reviewed changes
Copy link
Copy Markdown

@cursor cursor Bot left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Stale comment

No blocking issues found in this Dependabot update.

Security

This PR is a lockfile-only bump of the indirect dependency fast-uri from 3.0.3 to 3.1.2, pulled in via ajv 8.

It resolves two newly published high-severity advisories in fast-uri:

  • GHSA-q3j6-qgpj-74h6 / CVE-2026-6321 (CVSS 7.5): percent-encoded dot segments could let normalize() / equal() collapse attacker-controlled paths such as %2e%2e into unintended locations.
  • GHSA-v39h-62p7-jpjc / CVE-2026-6322 (CVSS 7.5): percent-encoded authority delimiters such as %40 / %3A could cause host confusion after normalization.

Supply-chain-wise, I didn’t see anything suspicious in this bump: it stays on the same fastify/fast-uri package, the published npm tarball is signed, and there are no install hooks being introduced by this update.

Safety Of Merging

yarn.lock is the only file changed. In this repository, fast-uri is not imported directly from application code; it is present under ajv, which is reached through build/lint tooling such as webpack/schema-utils and related packages. That keeps behavioral risk low for the shipped web component.

The only meaningful runtime behavior change in 3.1.1 / 3.1.2 is that malformed or specially encoded URIs are handled more strictly during normalization/comparison. That is exactly the security fix, and I found no direct repository code that depends on the old vulnerable behavior.

Test Results

Local checks on this branch:

  • yarn install --immutable
  • yarn lint
  • CI=true yarn test --coverage --maxWorkers=4 --workerThreads=true --reporters=default --reporters=jest-junit --reporters=jest-github-actions-reporter ✅ (92 suites passed, 816 tests passed)

End-to-end:

  • Local yarn exec cypress run could not be completed in this environment because the Cypress binary was not preinstalled and downloading it from download.cypress.io failed with SSL_ERROR_SYSCALL.
  • GitHub checks currently show lint, test, and deploy/build checks passing, while test-cypress is still in progress.

Recommendation

Merge with caution.

This is a worthwhile security update with low expected repo impact, but I recommend waiting for the PR's test-cypress check to finish successfully before merging, since that is the one test layer I could not fully reproduce locally in this agent environment.

Open in Web View Automation 

Sent by Cursor Automation: Editor-UI - Tests Dependabot PRs

cursor[bot]
cursor Bot reviewed May 8, 2026
View reviewed changes
Copy link
Copy Markdown

@cursor cursor Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No blocking findings.

Security

fast-uri@3.0.3 is affected by two upstream high-severity advisories:

  • GHSA-q3j6-qgpj-74h6 / CVE-2026-6321: path traversal via percent-encoded dot segments, affecting <= 3.1.0.
  • GHSA-v39h-62p7-jpjc / CVE-2026-6322: host confusion via percent-encoded authority delimiters, affecting <= 3.1.1.

This bump to 3.1.2 resolves both. From a supply-chain perspective, this PR only updates the existing fast-uri tarball entry in yarn.lock; it does not introduce a new package name, extra transitive dependencies, or a maintainer/source change.

Safety Of Merging

fast-uri is indirect in this repo: yarn why fast-uri resolves it through ajv@8.17.1, which is brought in by tooling such as webpack schema-utils and lint-related packages. I found no direct imports of fast-uri or ajv in the application code.

The meaningful behavior changes between 3.0.3 and 3.1.2 are the security fixes to URI normalize() / equal() handling for percent-encoded path and authority characters. In theory, that could affect consumers relying on the old buggy normalization of unusual schema URIs, but in this repository the practical exposure looks low because usage is via tooling rather than app runtime logic.

Open Questions / Residual Risk

I could not complete Cypress locally because this runner did not have the Cypress desktop binary cached, and downloading it from download.cypress.io failed from this environment with SSL_ERROR_SYSCALL. That leaves local e2e status inconclusive for environmental reasons, not because I found a code-level regression.

Test Results

  • yarn install --immutable: passed, with the repo's pre-existing peer dependency warnings only.
  • yarn lint: passed.
  • CI=true yarn run test --coverage --maxWorkers=4 --workerThreads=true --reporters=default --reporters=jest-junit --reporters=jest-github-actions-reporter: passed (92 suites, 816 tests).
  • yarn start: compiled successfully locally.
  • yarn exec cypress run: could not be executed locally because the Cypress binary download was blocked in this runner.

At the time of review, GitHub Actions lint, test, and deploy/build checks were green; test-cypress was still running.

Recommendation

Merge with caution: this is a worthwhile security update and appears low-risk for this repository, but I recommend waiting for the PR's test-cypress check to finish green before merging.

Open in Web View Automation 

Sent by Cursor Automation: Editor-UI - Tests Dependabot PRs

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants