Conversation

@alemagio (Collaborator)

…b/codeql-action-3.29.9

chore(actions): bump github/codeql-action from 3.29.8 to 3.29.9

In this PR:

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)

Issues reference:

Checklist:

  • Have you checked to ensure there aren't other open Pull Requests for the same update/change?
  • Have you linted your code with pnpm lint locally prior to submission?
  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your core changes, as applicable?
  • Have you successfully run the build with pnpm build for your changes locally?
  • Have you successfully run the tests with pnpm test for your changes locally?
  • Have you committed using Conventional Commits?

socket-security bot commented Sep 13, 2025

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff    Package                 Supply Chain Security   Vulnerability   Quality   Maintenance   License
Added   @biomejs/biome@2.2.0    100                     100             100       99            100

Comment on lines +10 to +14
app.get("/", async (_req, reply) => {
  const data = await readFile(join(__dirname, "..", "index.html"));
  reply.header("content-type", "text/html; charset=utf-8");
  reply.send(data);
});

Check failure

Code scanning / CodeQL

Missing rate limiting (High)

This route handler performs a file system access, but is not rate-limited.

Copilot Autofix (AI, about 2 months ago)

The best way to fix this problem is to add a rate-limiting middleware to the Fastify app, ensuring the / route cannot be abused by clients sending requests rapidly. The standard package for this in the Fastify ecosystem is @fastify/rate-limit.

  • To fix:
    • Install @fastify/rate-limit.
    • Add the plugin registration before route definitions.
    • Apply a global or route-specific rate limit. Here, we will apply a global rate limit for simplicity, but it could be made route-specific if needed.
  • The fix only requires adding app.register(require('@fastify/rate-limit'), { ...opts }); before the app.get definition.
  • Add the required import (via require) inline as appropriate.
  • The code for the fix must go in examples/basic/server.js.
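As an added example (not code from this PR, from the repository, or from @fastify/rate-limit itself), the following models the suggested `{ max, timeWindow }` options as a small fixed-window limiter keyed by client IP, with a constructed two-client scenario showing why per-IP keying only works behind a reverse proxy when Fastify's trustProxy option is set. The `parseWindowMs`, `clientKey`, `createRateLimiter` and `demo` names and the sample addresses are assumptions made for the example.

```javascript
// Added example, not the PR's code nor the plugin: a fixed-window limiter with
// the option shape the autofix passes ({ max, timeWindow }), keyed by client IP,
// so the 429 behaviour and the proxy keying caveat run without a server.

// Accept a millisecond number or the '<n> <unit>' strings used in the patch.
function parseWindowMs(timeWindow) {
  if (typeof timeWindow === "number") return timeWindow;
  const m = /^(\d+)\s*(ms|second|minute|hour)s?$/i.exec(String(timeWindow).trim());
  if (!m) throw new Error(`unsupported timeWindow: ${timeWindow}`);
  const unit = { ms: 1, second: 1000, minute: 60000, hour: 3600000 };
  return Number(m[1]) * unit[m[2].toLowerCase()];
}

// Bucket key as the plugin derives it by default: the request IP. Behind a
// reverse proxy that address is the proxy's unless trustProxy is set, so
// without it every client lands in the same bucket.
function clientKey(req, trustProxy) {
  const xff = req.headers["x-forwarded-for"];
  return trustProxy && xff ? xff.split(",")[0].trim() : req.remoteAddress;
}

// `now` is injectable so the clock can be advanced deterministically in tests.
function createRateLimiter({ max, timeWindow }, now = Date.now) {
  const windowMs = parseWindowMs(timeWindow);
  const buckets = new Map(); // key -> { count, resetAt }
  return function check(key) {
    const t = now();
    let b = buckets.get(key);
    if (!b || t >= b.resetAt) buckets.set(key, (b = { count: 0, resetAt: t + windowMs }));
    b.count += 1;
    const allowed = b.count <= max;
    return { statusCode: allowed ? 200 : 429, remaining: Math.max(0, max - b.count),
             retryAfterSec: allowed ? 0 : Math.ceil((b.resetAt - t) / 1000) };
  };
}

// Constructed scenario: two clients behind one proxy (10.0.0.1), using the exact
// options from the suggested patch. Returns the status each probe request gets.
function demo(trustProxy) {
  let clock = 0;
  const limit = createRateLimiter({ max: 100, timeWindow: "15 minutes" }, () => clock);
  const a = { remoteAddress: "10.0.0.1", headers: { "x-forwarded-for": "203.0.113.7" } };
  const b = { remoteAddress: "10.0.0.1", headers: { "x-forwarded-for": "198.51.100.9" } };
  let aLast;
  for (let i = 0; i < 100; i++) aLast = limit(clientKey(a, trustProxy)); // A spends its quota
  const bFirst = limit(clientKey(b, trustProxy)); // B's very first request
  clock = 15 * 60 * 1000; // the window rolls over
  const aReset = limit(clientKey(a, trustProxy));
  return { aLast: aLast.statusCode, bFirst: bFirst.statusCode, aReset: aReset.statusCode };
}
```

With `demo(false)` client B is rejected on its first request because it shares A's bucket; with `demo(true)` each client gets its own 100-request window.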

Suggested changeset 2
examples/basic/server.js

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/examples/basic/server.js b/examples/basic/server.js
--- a/examples/basic/server.js
+++ b/examples/basic/server.js
@@ -5,6 +5,12 @@
 
 const app = fastify({ logger: true });
 
+// Add basic rate limiting to prevent abuse
+app.register(require('@fastify/rate-limit'), {
+  max: 100, // max 100 requests
+  timeWindow: '15 minutes' // per 15 minutes per source IP
+});
+
 app.register(socketio);
 
 app.get("/", async (_req, reply) => {
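Review bot: the limiter keys on the request IP, and the `const app = fastify({ logger: true });` context line sets no trustProxy, so if this example runs behind a reverse proxy or load balancer every client resolves to the proxy's address and shares the single 100-requests-per-15-minutes bucket; either pass trustProxy to the fastify factory for that deployment or state in the comment that the limit is per direct peer. Also, the fix adds `require('@fastify/rate-limit')` in examples/basic/server.js while the companion change puts the dependency in the root package.json, so confirm the example resolves modules from the root install rather than a nested one.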
EOF
package.json
Outside changed files

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/package.json b/package.json
--- a/package.json
+++ b/package.json
@@ -21,7 +21,8 @@
   },
   "dependencies": {
     "fastify-plugin": "^4.5.1",
-    "tslib": "^2.6.1"
+    "tslib": "^2.6.1",
+    "@fastify/rate-limit": "^10.3.0"
   },
   "devDependencies": {
     "@biomejs/biome": "2.2.0",
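Review bot: `@fastify/rate-limit` is used only by examples/basic/server.js, so it belongs in `devDependencies` (next to `"@biomejs/biome": "2.2.0"`) rather than `dependencies`, where every consumer of this plugin would install it; it is also appended after `"tslib"` instead of the sorted position the block otherwise keeps. Separately, check that the major versions line up: `@fastify/rate-limit` ^10 is the Fastify 5 line, while `fastify-plugin` ^4.5.1 targets Fastify 4.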
EOF
This fix introduces these dependencies:

Package                     Version   Security advisories
@fastify/rate-limit (npm)   10.3.0    None